The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 78

Sunday 11 June 1989


o NY Telephone Freebies
o Nielsen Raidings — A risk?
John Rushby
o C-17 Overrun
Gary Chapman
o COMPASS '89 reminder
Al Friend
o Re: Big Brother is watching your posting in RISKS
Amos Shapir
o How Rumors Mutate, Lesson 2
Rich Fritzson
o The computer didn't commit the crime
Michael Doob
o An ATM gets it right
Steve Anthony
o Justice Department wary in Computer Case
Dave Bozak
o Info on RISKS (comp.risks)

NY Telephone Freebies

Peter Neumann <>
Sat, 10 Jun 1989 15:53:55 PDT
24 pay phones along the Long Island Expressway were in fact free phones
because of a programming/database screw-up.  They were being heavily used
for long distance calls by those who had discovered the oversight, including
many to Pakistan.  (Police found 15 Pakistani men using the phones when they
went to investigate after a shooting.)  There were no estimates on the
unrecovered cost of the phone calls. [10 June 1989, San Francisco Chronicle,
p. 2.]

Nielsen Raidings — A risk?

John Rushby <>
Tue 2 May 89 22:11:44-PDT
c.1989 N.Y. Times News Service, 2 May 1989

   NEW YORK — Soon, some people may be watching television sets that will be
watching them back.  Nielsen Media Research disclosed plans Wednesday to
develop a ``passive people meter'' in conjunction with the David Sarnoff
Research Center at Princeton.  The device would measure television viewing
without relying on the participation of viewers — a marked departure from
Nielsen's current ``people meter'' system, which requires viewers to
identify themselves by pushing buttons whenever they watch television.
   Since it began measuring television audiences in 1950, Nielsen has been
able to tell when sets in a sample household are on and what channels they
are tuned to.  The problem has been determining who in the family is
watching at any given time. Two years ago Nielsen introduced the people
meter to provide that information.
   The crucial component of the new system is an image-recognition device
that would identify members of a household and record, second by second,
when they are watching television, when they leave the room and even when
they avert their eyes to read a newspaper.
   Nielsen and Sarnoff demonstrated a working model of the device at a news
conference Wednesday, at which the issue of invasion of privacy was raised.
   Nielsen executives faced questions about the system's similarities to the
surveillance of Big Brother in George Orwell's novel ``1984.''  But Nielsen
executives argued that the system will not be intrusive.  ``I don't think
we're talking about Big Brother here at all,'' said John A. Dimling,
executive vice president of Nielsen Media Research. ``We're not scanning the
room to find out what people are doing. We're sensitive to the issue of
privacy.''  Dimling said it will be at least three years before the system
goes into service.
   The system will consist of a camera-like device and a computer attached
to the top of each set in the households in Nielsen's sample group of
television viewers.  The computer will be programmed to store the facial
images of each family member. The camera will be activated each time the set
is turned on and will scan the room for faces it recognizes.
   The same image-recognition technique has other possible applications, say
in medicine and policework.  Using a more sophisticated image-recognition
system, police could, in theory, scan an airport for known terrorists or
drug dealers.
   If tested successfully, the passive system would replace the current
people meter, which is only two years old. It was meant to provide more
precise information about which members of the household were watching
particular programs.
   The people meters replaced a system, used for 37 years, that relied on
viewers filling out diaries.  The three major television networks have
complained that people meters underestimate actual viewership.
   Research executives at the television networks have said that the
button-pushing task becomes boring quickly, leading to inaccuracies; that
many households refuse to cooperate, and that children cannot reasonably be
expected to push the buttons to indicate when they are watching.
   Nielsen now has 4,000 homes in its people-meter survey. But the networks
have complained that the current two-year period each household participates
in the survey is too long and leads to fatigue.
   The network reaction to the people meter is at least partly derived from
the effect the system has had on their business.
   Nielsen measurements of the networks' share of the audience declined 9
percent immediately after people meters were installed; a decline in ratings
means a decline in advertising revenues.  A passive system would address most
of these complaints, Dimling said.  He called the proposed system the ultimate
audience measurement, ``primarily because the respondents don't have to do
   The response to the Nielsen announcement at the networks and in the
advertising community Wednesday was favorable.  Bart McHugh, senior vice
president of DDB Needham, said, ``A passive system is what we've all been
screaming about.''
   Alan Wurtzel, senior vice president of research at ABC, said:  ``I really
believe a passive system would be much better. I would hope they would get
this out and in place as quickly as possible.''
   Nielsen reports to clients will include both the number of viewers and
demographic data on the makeup of a show's audience.  Eventually, Dimling
said, networks could know almost instantly which sections of a show the
audience was most responsive to, and which bored them enough to make them
leave the room, pick up a magazine or fall asleep.  Dimling said that only
families that agree to participate will be included in the survey.
   Under the current people-meter system families are paid a small fee to begin
the metering process and are rewarded occasionally with small gifts.  Dimling
would not say what the monetary incentive for the passive meter system would be.
   Curtis Carlson, the director of information systems at Sarnoff, said, ``The
only information sent back to the Nielsen computers will be whether people are
watching television.''  He said the device will not actually record any other
activity.  It focuses only on facial features, he said, and decides first if it
is a face it recognizes and then if that face is directed toward the set.
Unfamiliar faces or even possibly the family dog will be recorded as
``visitors.''  The system, based on a technique the Sarnoff researchers have
labeled ``smart sensing,'' relies on visual tracking similar to the operation
of the human eye, Carlson said. Images on the periphery are screened out, and
the camera centers on only the most compelling features.
   The current prototype is about as big as a breadbox, Carlson said, and
the next step in the development process will be to miniaturize the entire
system. The goal is to have a machine about the size and shape of a
videocassette recorder.
   Nielsen and Sarnoff will also do an extended study and national testing
to ensure that the system can meet Nielsen needs before putting it into use.
   Nielsen has plans to use the technology in other ways.  For example,
Nielsen now conducts a market research project in which consumers are asked
to use a scanning device to read the product code on articles they buy. But
because the people meter requires so much work, Nielsen never asks the same
household to participate in both the scanning and people-meter surveys.
   Robert R. Brown, president of information services and technology for
Nielsen, said the passive people meter could be combined with the scanning
survey so Nielsen could track ``market stimuli with buying patterns.''
   Nielsen clients could in theory learn whether television advertising had
a direct influence on viewers' buying decisions.
   Nielsen has contracted with Sarnoff Research for exclusive use of the
technology in the media and marketing area.
   Carlson said a different version of the same technology has been applied
in at least one other business.  He said it was against company policy to
disclose which business, but he did say the federal government has expressed
interest in the technology.  He conceded that as the technology becomes more
sophisticated it could open up more questions of privacy.  ``Every
technology can be abused,'' he said.  But he stressed that his laboratory is
more interested in possible medical applications. He said, for instance,
that the system could eventually be used to increase the reliability of pap
smears by using image recognition to identify abnormal cells and could
provide a sophisticated object-recognition aid to the blind.  Development of
both is far down the road, he said.

C-17 [Overrun with No Remorse]

Gary Chapman <chapman@csli.Stanford.EDU>
Tue, 6 Jun 89 12:47:39 PDT
The June issue of Defense Electronics reports that the manufacturer of the C-17
transport plane, Douglas Aircraft, estimates that software problems in the
avionics system of the plane will require a cost overrun of about *$500
million.* The figure was actually an estimate of a Congressional investigation,
then confirmed by Douglas.  The software is a package with an estimated 750,000
lines of code, as compared to the 25,000 lines of code in a C-5A.

The C-17 is supposed to replace the Air Force's transport aircraft, the C-5A,
the C-131, and the C-141.  The program was started in 1982, and there are
supposed to be 210 C-17s purchased by 1998 at a cost of $35.7 billion.

There is no detailed information in the short article on what the avionics
software problems entail.
                                           — Gary


Al Friend <>
Fri, 9 Jun 89 22:29:04 edt
                             COMPASS '89 IS COMING
                                One week to go!

   =>        Learn about software safety, risks, and computer assurance.
   =>        Meet others who are working in these areas.
   =>        See RISKS-8.66 for advance program.

   PLACE:    National Institute of Standards and Technology *
             Gaithersburg, MD  (suburban Washington, DC)
             * formerly National Bureau of Standards

   TIME:     June 20 - 22  (tutorials on 23rd, other meetings 19th)

   CONTACT:  Nettie Quartana or Holly Mays at (703) 486-3500

   OR:       Come directly to COMPASS '89 at NIST.
             Register at the door.

   FEE:      MEMBER/SPONSOR = $ 225     NONMEMBER = $ 275

                                [Let me know if you would like a copy 
                                of RISKS-8.66 and cannot FTP it.  PGN]

Re: Big Brother is watching your posting in RISKS

Amos Shapir <amos@taux01.UUCP>
11 Jun 89 10:46:25 GMT
I have just received an anonymous threat to notify my company of my posting in
comp.risks (``Big Brother is watching your magnetic card'', RISKS-8.77).  Let
me clarify two points:

-  My article was just a summary of what has been published in the local
 press, and does not necessarily reflect my opinions of the matter.

- My opinions are my own, and in no way represent a policy and/or stand
 of National Semiconductor Corporation or National Semiconductor (IC) Ltd.

    Amos Shapir   
National Semiconductor (Israel) P.O.B. 3007, Herzlia 46104, Israel

                                     [Another Risks of RISKS item!  PGN]

How Rumors Mutate, Lesson 2

Fri, 2 Jun 89 08:50:17 -0400
>RISKS-FORUM Digest  Wednesday 31 May 1989   Volume 8 : Issue 76
>Subject: State computer system scrapped (RISKS-8.73)
>Rumor:  AI Causes $20M Loss to Pennsylvania
>How Rumors Get Started, Lesson 1 (Excerpts from Seattle Times article quoted b
>Bruce Forstall in Risks 8.73):

The article in question was in the Seattle Times because the state that lost
the money was Washington, not Pennsylvania.
                                                    -Rich Fritzson

The computer didn't commit the crime

Michael Doob <>
2 Jun 89 10:40 -0500
The Bank of Montreal has two types of billing for checking accounts:
(1) a per check charge, or (2) flat rate for an unlimited number of
checks.  This month, in a burst of creative billing, both charges were
applied to the account.  What a chance to call it a computer error.
Here is what the bank said in a form letter:

          We are using the most immediate method to advise that we are
     correcting an error in the service fees charged to your last True
     Chequing Account Statement.

          We take great care to ensure all account entries are correct
     and we sincerely regret the human error which caused both monthly
                                 ^^^^^ ^^^^^
     plan fees and per item fees to be charged to some of our customer's
     accounts.  Your next statement will include the appropriate corrections.

Does this mean that blaming the computer will reflect poorly (in the
customers' view) on ATM?

An ATM gets it right

Steve Anthony <steveo@Think.COM>
Fri, 2 Jun 89 11:49:26 EDT
Had an interesting experience with ATM's in the Boston Area last year.  I was
going on vacation and the mortgage needed to be paid during the vacation. So I
made a transfer, at a human teller, from savings to checking to cover it, wrote
the check and left for vacation.  Upon returning, I got some cash from the ATM
and noticed that the balances were not what I expected; savings was too high
and checking was too high also.  I went thru my receipts and found that I had
erred; I made the transfer from checking to savings rather that the other way
around.  This meant that my mortgage check was going to or had already bounced.
I called the mortage bank (different from the checking/savings bank) and
inquired about the mortgage payment.  I was told that everything was fine; the
payment was made.  Mystified, I went to my savings/checking bank and asked what
happened.  I had made the transfer at a BayBank Merrimack Valley branch office
and my account is thru BayBank Harvard Trust.  As background, in eastern Mass,
there is a banking company, BayBanks, that is really a holding company for a
variety of individual BayBank companies, two of which are BB Merrimack Valley
and BB Harvard Trust.  What I was told was that the erroneous transfer had
never been made (from checking to savings).  I inquired as to why this was so.
The person told me that when a transfer is done thru a human teller for an
account that is for a different BB company, the transaction may, or maynot get
processed; ie it drops into the bit bucket.  In order to make sure that a
transfer takes place, she suggested that I use the ATM, since there were no
known problems with transactions of this type.

So score one for the ATMs.

Justice Department wary in Computer Case

Dave Bozak <>
Fri, 2 Jun 89 09:48:41 EDT
Justice Department Wary in Computer Case:
Is Washington fearful of losing a landmark trial?
by Matthew Spina, Staff Writer

    Some computer experts theorize that the Justice Department, afraid of
bungling what could become a landmark computer case, still doesn't know
how to treat the Cornell student whose computer worm slithered nationwide
in November.
    A further concern in Washington: A trial in the case might embarrass
the Department of Defense if its scientists are asked to detail how their
computers were among the thousands crippled by the worm.
    For several months, the decision on how to charge 23-year-old Robert T.
Morris, Jr. had been before Mark Richard, a deputy assistant attorney 
general.  Within the last few weeks, Richard made a decision that now is
being reviewed by an assistant attorney general, according to a computer
professional who has been talking with the Justice Department.
    "I thought we would have heard something from Washington by now," said
Andrew Baxtoer, the assistant U.S. attorney who in November and
December presented the case to a grand jury in Syracuse.
    The grand jury's report was sent on the the Justice Department, which
refuses to comment publicly on the matter because Morris has not been
    "Within the next two weeks I assume that a decision will be made,"
said one official.
    "If they decide to begin an expensive trial, they have to make sure
they win so as not to damage future attempts to prosecute under that law," said
Eugene H. Spafford, an assistant professor at Purdue University whose analysis
of the worm has helped federal investigators.  "If they decide not to
prosecute, and the total thing that happens is he gets suspended (from
Cornell), I will be outraged."
    So far, Cornell has taken the only disciplinary measure against
Morris, suspending him for the 1989-90 academic year.  But the graduate
student left the computer science department early in November, the day 
after the worm spread out of a computer in Upson Hall.
    Morris, a computer science graduate student, has been called the 
author of a rogue computer program, called a worm, that was spread from
a Cornell University computer.  The program was designed to reproduce
and infect any computer linked to the Internet, a network shared by
colleges, research centers and military institutions.
    However, experts say an error caused the program to replicate out of
control, sending thousands of copies into thousands of computers.
    If Morris is to be charged with a felony, prosecutors would then
have to show he intended to destroy or extract information.
    Proving that would be difficult since the program neither destroyed nor
removed information from any computer.
    To convict Morris on most lesser charges, prosecutors would have 
to show he intended to harm computers.
    Prosecutors also could use a misdemeanor charge requiring them to 
prove only that Morris gained access to a federal government computer.
The worm did reach computers at the Army Ballistics Research Laboratory 
and NASA's Langley Research Center, among others.
    Some computer experts wonder, though, if Defense Department officials
will be reluctant to testify publicly about how their computers were 
penetrated - even those computers holding non-classified information.
In February, at a computer convention in San Diego, Defense Department
computer experts detailed some security improvements made to the 
network since November, but then refused to release copies of their 
presentation to people at the seminar.
    The FBI - which enforces the Computer Fraud and Abuse Act of 1986 -
and some people in the computer industry are pushing for a vigorous 
prosecution to display a strong case against computer hacking.  Others in 
the industry, including some of Morris' friends from Harvard University
and Cornell, urge leniency because he was trying to demonstrate security
flaws with computers.

Please report problems with the web pages to the maintainer