The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 68

Monday 31 October 1988

Contents

o Conspiracy to Defraud
Martyn Thomas
o `Runaway' Computer Projects
Rodney Hoffman
o Perceived risk
James F. Carter
o "TCA pushes for privacy on corporate networks"
Jerry Leichter
o Risks in Answering Machines
Andy Glew
o Ear-itation
Ed Ravin
o Info on RISKS (comp.risks)

Conspiracy to Defraud

Martyn Thomas <mct@praxis.UUCP>
Wed, 26 Oct 88 15:04:46 BST
The Confederation of British Industry has submitted a proposal to the Law
Commission proposing changes to the law on conspiracy to defraud.

They propose (inter alia) that current offences involving "deception"
(which require that a human mind is deceived) should be extended to include
deception of machines, including (in particular) computers.

This sounds risky - can anyone think of good examples of unintended
consequences?

Martyn Thomas               !uunet!mcvax!ukc!praxis!mct


`Runaway' Computer Projects

Rodney Hoffman <Hoffman.es@Xerox.COM>
30 Oct 88 13:20:56 PST (Sunday)
In the November 7, 1988 issue, 'Business Week' has a two-page story headlined
"IT'S LATE, COSTLY, INCOMPETENT -- BUT TRY FIRING A COMPUTER SYSTEM: Companies
get stuck with 'runaways' that trample all over their budgets and reputations."
Nothing amazingly new, but a good summary of the problems, with several case
histories.

From the article:  "A recent Peat Marwick Mitchell & Co. survey of 600 of
the accounting firm's largest clients highlighted the problem:  Some 35%
currently have major runaways.... In 1986, [a management consultant] set up
a group at Peat Marwick to rein in runaways.  Since then, he has had $30
million in revenues from nearly 20 clients...."

Two sidebars are of interest:

            A SAMPLING OF `RUNAWAY' PROJECTS

  * ALLSTATE INSURANCE.  In 1982, with software from Electronic Data
    Systems, the insurer began to build an $8 million computer
    system that would automate it from top to bottom.  Completion
    date: 1987.  An assortment of problems developed, delaying
    completion until 1993.  The new estimated price: $100 million.
  * CITY OF RICHMOND.  In 1984 it hired Arthur Young to develop a
    $1.2 million billing and information sytem for its water and 
    gas utilities.  Completion date: March, 1987.  After paying
    out close to $1 million, Richmond recently canceled the contract,
    saying no system had been delivered.  Arthur Young has filed
    a $2 million breach of contract suit against the city.
  * BUSINESS MEN'S ASSURANCE.  In 1985 the reinsurer began a one-
    year project to build a $500,000 system to help minimize the 
    risk of buying insurance policies held by major insurers.  The
    company has spent nearly $2 million to date on the project, which
    is in disarray.  The new completion date is early 1990.
  * STATE OF OKLAHOMA.  In 1983 it hired a Big Eight accounting firm
    to design a $500,000 system to handle explosive growth in workers'
    compensation claims.  Two years and more than $2 million later, 
    the system still didn't exist.  It finally was finished last year
    at a price of nearly $4 million.
  * BLUE CROSS AND BLUE SHIELD UNITED OF WISCONSIN.  In late 1983 it
    hired Electronic Data Systems to build a $200 million computer
    sytem.  It was ready 18 months later -- on time.  But it didn't
    work.  The system spewed out some $60 million in overpayments
    and duplicate checks before it was harnessed last year.  By 
    then, Blue Cross says, it had lost 35,000 policyholders.

  [Several of these are discussed in more detail in the article.]

---

           HOW TO KEEP A PROJECT UNDER CONTROL

  * Before designing the system, get suggestions from the people
    who will use it.
  * Put senior, nontechnical management in charge of the project
    to help ensure that it is finished on time and within budget
  * Set up 12-month milestones -- interim deadlines for various 
    parts of the project
  * Insist on performance clauses that hold suppliers legally
    responsible for meeting deadlines
  * Don't try to update the system in midstream, before the original
    plan is finished


Perceived risk

<jimc@math.ucla.edu>
Wed, 26 Oct 88 16:22:19 PDT
Freudenburg, William R, "Perceived Risk, Real Risk: Social Science and the
Art of Probabilistic Risk Assessment", Science, vol 242 #4875 (10/7/88) p.44.
A very interesting article.  The author's thesis is that risks computed
from "hard scientific evidence" frequently inadequately predict both the 
probability and the consequences of a risk, because human factors are 
inadequately modelled.  Risk estimation workers suffer from non-obvious
human errors.  The general public are not as irrational as they sometimes
seem to technical people, when their concerns, values and experience 
history are taken into account.  

Readers of this newsgroup may already "know" all this, but it's useful
to have our noses rubbed in it yet again.

James F. Carter        (213) 825-2897
UCLA-Mathnet;  6608B MSA; 405 Hilgard Ave.; Los Angeles, CA  90024-1555


"TCA pushes for privacy on corporate networks"

LEICHTER-JERRY@CS.YALE.EDU <"Jerry Leichter>
Wed, 19 Oct 88 14:54 EST
[Entered without permission from Computerworld, 3 Oct 88, page 133]

By Kathy Chin Leong, CW Staff

SAN DIEGO --- As more and more confidential data winds its way across computer
networks, users are expressing alarm over how much of that information is safe
from subsidiaries of the Bell operating companies and long-distance firms
providing transmission services.

This fear has prompted the Tele-Communications Association (TCA) and large
network users to appeal to the Federal Communications Commission to clarify
exactly what network data is available to these vendors.

Users with large networks, such as banks and insurance companies, are
concerned that published details even of where a circuit is routed can be
misused.  "We don't what someone like AT&T to use our information and then
turn around and compete against us," said Leland Fong, a network planner at
Visa International in San Francisco.  Users are demanding that the FCC
establish a set of rules and regulations so that information is not abused.

At issue is the term "customer proprietary network information" (CPNI), which
encompasses packet data, address and circuit information and traffic
statistics on networks.  Under the FCC's Computer Inquiry III rules,
long-distance carriers and Bell operating companies --- specifically,
marketing personnel --- can get access to their own customers' CPNI unless
users request confidentiality.  What his group wants, TCA President Jerry
Appleby said, is the FCC to clarify exactly what falls under the category of
CPNI.

Fong added that users can be at the mercy of the Bell operating companies and
long-distance vendors if there are no safeguards established.  Customer
information such as calling patterns can be used by the operating companies
for thier own competitive advantage.  "At this time, there are no controls
over CPNI, and the users need to see some action on this," Fong said.

SPREAD THE CONCERN

At a meeting here during the TCA show, TCA officials and the association's
government liason committee met with AT&T to discuss the issue; the group will
also voice its concerns to other vendors.

Appleby said the issue should not be of concern just to network managers but
to the entire company.  Earlier this month, several banks, including Chase
Manhattan Bank and Security Pacific National Bank, and credit card companies
met with the FCC to urge it to come up with a standard definition for CPNI,
Appleby said.

While the customer information is generally confidential, it is available to
the transmission carrier that is supplying the line.  The data is also
available to marketing departments of that vendor unless a company asks for
confidentiality.  Fong said that there is no regulation that prevents a
company from passing the data along to its subsidiaries.

[Comment:  What I find particularly fascinating about this article is its
perfect illustration of the world-view of large businesses.  Banks, insurance
companies and credit agencies collect tons of information about individuals,
which they then wish to treat as their private property, to do with as they
see fit.  They fight "government interference" intended to protect the privacy
of that data as expensive, burdensome and unnecessary.

But when their precious data is moved over AT&T's lines, all of a sudden they
are very concerned that AT&T not abuse it.  Not only that, but they want the
government to make SURE that AT&T remains on its best behavior!
                                             -- Jerry]


Risks in Answering Machines (revisited)

Andy-Krazy-Glew <aglew%vger@xenurus.gould.com>
Tue, 25 Oct 88 20:12:54 CDT
Recently I went to purchase an answering machine. Modern answering machines
have all sorts of remote features, features that can be exercised from another
phone, by generating touch tones. These features include the ability to listen
to already recorded messages, erase already recorded messages, change the
outgoing message that answers the phone, etc.
    There is almost no security for these remote features. The machine I bought
has a two digit code, with one digit factory set, and the second digit set by a
switch on the machine. The user settable digit can only be set to 3 values!
    Now, I don't have many secrets, so the idea of people listening to
my recorded messages doesn't bother me too much (except for the possibility
that a criminal watching my house and knowing my number could intercept
a message from me telling my wife that I won't be home for several hours).
    But I do not like the possibility that someone could, maliciously
or accidentally, erase messages, or change my answering message.
    And I most emphatically do not like the remote listen feature, whereby 
anyone can call my answering machine, press a dial tone, and listen to 
anything going on in my apartment.

I spent some time looking for a basic answering machine that had only the most
basic remote feature, the ability to listen to recorded messages remotely,
*without* having them erased. There doesn't seem to be such a system -- if you
can remotely listen, you can remotely erase.  Unfortunately, it does not seem
possible to selectively disable these remote features.
    Most salespeople were surprised by my concern, but one gave me the service
numbers for Panasonic and GE. The Panasonic service was distinctly unhelpful,
unable to understand why one might want more than the 256 password
possibilities in their top of the line model (a model that uses 3 digits, only
one of which is user settable).  The Panasonic service refused even to give me
an address to which I might write to describe what I think a secure answering
machine should be.  The GE service was much more sympathetic - but,
unfortunately, GE's consumer electronics was sold to Thomson a while back, and
the GE service didn't know where to forward consumer suggestions.

All this leads me to several questions:
    (1) Are there any answering machines that have redefinable passwords
        that are long enough for an acceptable level of security?
    (2) Are there any answering machines that have only non-destructive
        remote commands, ie. that only allow messages to be listened to remotely,
        not reset and overwritten?
    (3) Have there been any incidents of remote sabotage of answering machines,
        or, worse, criminal interception of messages, or bugging, as I describe
        above?

Andy "Krazy" Glew, Motorola Microcomputer Division, Champaign-Urbana
Development Center  [lengthy trailer and disclaimer deleted.  PGN]


Ear-itation

Ed Ravin <eravin@dasys1.UUCP>
24 Oct 88 15:10:19 GMT
I've got my own story to tell about high frequency noises crawling out of
computer related devices, and since I'm new to RISKS, my apologies if any
or all of this has been discussed before.

It all started back in college, when I went to a little office in the computing
center.  I walked into the room and immediately clapped my hands two my ears
and shouted in aversion to the awful sound I was hearing.  The two techs in the
room, who worked in there most of the day, looked at me like I was crazy,
because they didn't hear anything.  It turned out to be the high-frequency
whining from a Televideo terminal's flyback transformer.  The two technicians
never reported any ill effects from it.  The few times I visited them again I
had to stay outside of the office because of the direct pain I would experience
walking in there when that terminal was turned on.

After that I began noticing the sounds made by all the other CRT's in my
life.  They were high pitched and slightly irritating, but not painful.
I had always, even before meeting computers, noticed the 15khz whine from a
TV set, but it had never bothered me.

My next experience was with a DEC VT-100.  I visited a friend of mine who had
an operating VT-100 in a little room in his house.  Again, I heard a loud, high
pitched whine that I felt as pressure in my ears and pain.  He noticed nothing,
but said that that particular VT-100 was stacked with option boards and might
be overloading its power supply.  I've worked with other VT-100 terminals and
noticed noise, but not anywhere near as bad as that sample.

And the best story of all is the AT&T Unix PC.  All of the Unix PC's I ever
worked with had a high-frequency noise problem to one extent or another, but
the worst offenders were the ones with 40 meg disk drives installed.  As soon
as I turned on of them on, I would hear a high pitched noise that would slowly
rise in pitch until it either went beyond my audible range or got lost in the
fan noise.  I thought nothing more of it until I realized that I was getting
headaches, stomachaches, and feeling irritable without knowing why.  I moved
the machine to a closet and used it remotely.  I polled everyone else at the
office, as well as a few visitors from AT&T:  almost noone could hear the noise
from it, but anyone who had to work in the same room as the machine would
eventually start complaining, even if the machine was parked in a noisy machine
room.  This wasn't limited to one sample, because we returned the machine and
got it replaced two or three times, and none of them were acceptable to me.  It
wasn't just me, because we tried it out on a few other employees, who
complained of irritation, stomachaches and toothaches after being in the same
room as the Unix PC after a few days.  This noise was definitely associated
with the hard drive (as opposed to the flyback transformer who is the usual
culprit), and was in the 20khz or above range, since I couldn't directly hear
it, but felt it as a slight pressure in my ears.

I have walked up to airline reservation counters, car rental counters, and
other service desks where the ubiquitous VDT is part of the worker's routine,
where the worker must sit in front of the terminal all day, and blanched from
the whine coming out of the back of the CRT.  As a white collar employeee in a
technical office, with a moderately eloquent speaking ability, I was able to
explain to my managers why I couldn't use certain equipment and they understood
and assisted me.  The information industry service worker has no such options:
you can work on the machine or you can get another job.  Managers over 40
probably can't even hear at 15khz, and will not understand what you're talking
about.  There have been numerous studies of "cluster miscarriages", where a
high proportion of pregnant women using a particular brand of VDT all
experience miscarriages, but most studies of VDT hazards seem to focus on low
level radiation and ignore sound emissions completely.

There are no OSHA or NIOSH standards on high-frequency sound or ultrasound
emmissions from devices in the workplace: the engineers who build these things
are used to listening to 15 or 20 khz whines all day long and no longer notice
such things.  Maybe my problem is that I never listened to loud rock music and
my hearing above 15khz is mostly intact.  But even when you can't hear it, that
noise can still bother you, as witnessed by the Stevie Wonder experience (if
not my own).  And I wouldn't be surprised if it has a factor in miscarriages:
one of the things ultrasound can do is heat up the tissue under your skin,
which is related to the hospital uses of ultrasound devices.  The scary thing
is that so many people just dismiss this problem because they "can't hear it".

Ed Ravin                  | cucard!dasys1!eravin
(BigElectricCatPublicUNIX)| eravin@dasys1.UUCP  
Reader bears responsibility for all opinions expressed in this article.

Please report problems with the web pages to the maintainer

Top