The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 22

Wednesday 22 August 1990


o Re: NYC Parking Violations Computer ... "Rogue"
Christopher Jewell
o Debt collector proposes "total knowlege" credit database
o More on Computerized Monitoring of "House Arrest" Detainees
Li Gong
o Thailand computer system
Simson L. Garfinkel
o A backup that worked
Steve Bellovin
o NCSC to be shut down
Dave Curry
o How to Lie with Statistics
N H. Cole
o Something good about Automatic Bank Tellers
Pete Mellor
o 13th National Computer Security Conference, October 1-4, 1990, Washington DC
Jack Holleran
o Info on RISKS (comp.risks)

Re: NYC Parking Violations Computer ... "Rogue" (Davis, RISKS-10.20)

Christopher Jewell <chrisj@netcom.UUCP>
Wed, 15 Aug 90 16:09:21 PDT
1.  I'm glad that the New York Times headline put quotes around `Rogue
Computer': it's surely a matter of lousy software design or persistent
operational errors, rather than some real-life HAL from the movie _2001_, and
the Times seems to know that.  (I _hope_ that the readers caught the

2.  The Times quotes PVB spokescritter Stephanie Pinto, as saying that if you
divide 42,000 (errors) by 12 million (tickets) you get 0.003, (0.0035 actually)
and asking ``Is three-tenths of one percent reckless?''.  If my bank posted 3
out of every thousand transactions to the wrong account, I'd certainly take my
money elsewhere.  You'd better believe that the bank's CEO would transfer the
operations VP to the mailroom in short order, too.

3.  Stein's rhetoric (``... rogue computer ... terrorizing ...'') is overblown
headline-grabbing, but the problem is real, and both bringing in an outside
auditor and installing safeguards sound like good, albeit sadly overdue, ideas.

American Management Systems of Arlington, VA was hired in 1984 to design the
new system.  A document written by the bureau's computer managers in 1985
outlined ``critical structural deficiencies'' and warned of ``profound and
far-reaching implications.''

4.  The contractor was not competent to do the job.  They have delivered trash
in return for their $11 million so far.  (That is for developing the software
*and* running the system for the PVB.)  Would a grep of the RISKS archives find
other stories about lousy work by American Management Systems?  That name rings
a bell.                   [No bell prizes that I could find since Vol 7.  PGN]

5.  If PVB management permitted the contractor to implement the design after
their own computer folks pointed out serious deficiencies, it's hard to avoid a
choice between the hypotheses of stupidity and bribery.  If, on the other hand,
the contractor was required to correct the errors in the design, then the same
choice of hypotheses applies to those responsible for monitoring contract

6.  Once the system had been implemented, it is possible that management
decided to install the system, not due to either stupidity or corruption, but
rather on the basis that 42,000 errors/year is better than 85,000.

Note that #6 does not contradict #5: the ``lesser evil'' hypothesis may apply
to the decision to install the new piece of @#$%, but it cannot excuse a
decision to permit the contractor to implement a known bad design in the first

7.  Speaking now as a former New Yorker, the PVB has been one of the more
obvious centers of corruption in that corrupt city gov't for decades.  This is
not `whisper behind the hand' stuff: during the Koch administration, a county
leader of the Democratic Party committed suicide when his part in PVB
corruption came to light in an investigation that was making headlines even
without the suicide.  If #5 turns out to be a matter of corruption, rather than
mere stupidity, few New Yorkers will be surprised.

On the other hand, stupidity about computing is *also* a tradition in the NYC
gov't: the NYC Human Resources Administration used to pay tens of thousands of
employees with a payroll system written in OS/360 Fortran, using type REAL*8
for money, and wonder why the pennies never seemed to balance.  :-( (No, they
were not smart enough to avoid fractional parts by storing amounts in pennies
rather than dollars.)

Chris   (Christopher T. Jewell)   chrisj@netcom.uucp   apple!netcom!chrisj

Debt collector proposes "total knowlege" credit database

Ret.) Tue, 21 Aug 90 11:56:59 EST
>From the Sydney [Australia] Morning Herald, August 20th, 1990

"Sorry, you can't afford it"

CANBERRA: Debt collectors believe that in the not too distant future there will
be "total knowledge" about all individuals and envisage the Government allowing
financiers to build enormous data banks which would include confidential tax
file number information.  In fact, they believe banks and other lenders will
have so much information that debt collectors will be made redundant.

The Orwellian vision is contained in an article "Back to the Future for
Commercial Agents", published in the Institute of Mercantile Agents' journal,
The Mercantile Agent.  Its author, Mr Norman Owens, a former president of the
institute and owner of a debt-collecting agency, told the Herald that
governments would one day see it as "desirable" to link together and make
public all the enormous data bases containing highly sensitive personal

"Tomorrow's credit grantor will be extending credit in a perfect market with
total knowledge of the debtor," Mr Owens asserted.  "The credit grantor in the
future will have access to all the debtor information. This will be made
available through linked data bases in the manner of George Orwell's 1984. "

Credit cards will be of the "smart card" variety which will be
"genetically engineered implants" that capture all transactions from
cradle to grave. (In fact, Westpac [a major Australian bank] is
working on a smart card which has a small computer chip that records
all transactions and makes credit cards more secure.)

Credit files, like those held by the Credit Reference Association,
will be linked to the Government's tax file number data base.
"Some time in the future," he told the Herald, "mercantile agents
won't exist. This is because there would be total knowledge about
every individual including assets, income, credit history, and any
future liabilities. The debt collector exists to catch those debtors
that escape the creditor's receivable system. For most part the holes
in that system will disappear in a business society armed with
perfect knowledge about all transactions," he said.

Mr Owens conceded that this may sound like science fiction, but insisted that
it was "science possible".  He acknowledged that the community was horrified by
such Orwellian plans and said the Government was adamantly opposed to it, but
he was confident that one day people and governments would realise that such
measures were of benefit to society.

[The thing I personally found most frightening about Norman Owens' comments -
aside from the total lack of concern about possible risks - was his choice of
words. Words like "perfect market", "total knowlege", "genetically engineered
implants", and - of course - "benefit to society". I also must add that the
basis for his Orwellian vision is the inclusion of tax file number information
currently retained by the federal government. Under current laws, this
information is confidential, so his proposed scheme would be illegal. — PH]

More on Computerized Monitoring of "House Arrest" Detainees

Li Gong <li@diomedes.UUCP>
Thu, 16 Aug 90 17:22:38 EDT
Monitoring "house arrest" detainees is equivalent to a common issue in computer
security.  It is known as user authentication — determinating that a
particular person is at a particular location at a particular time.

Reading the research literature on the subject of user authentication shows
that the current solutions depend on co-operation of a typical user.  For
example, he won't reveal passwords to others, and won't comprise physical
security in case he uses auxiliary devices such as smart cards or credit cards.
And maybe more important, he stands to lose something if someone else can
successfully masquerade as him.

In the case of detainees, none of these assumptions holds.  Plus the easy and
wide availability of such devices as master remote control unit, which can
learn signals generated by other devices of a similar type, it seems that no
cheap (and thus practical) solution is in sight, unless one can assume that no
one would attempt to grasp the potential forgery market.

Li GONG,        Odyssey Research Associates, Inc.

Thailand computer system

Simson L. Garfinkel <>
Fri, 17 Aug 90 10:18:23 EDT
(From July 1990 Privacy Journal, Vol. XVI, No 9, Page 1)

                 TRUE COLORS

Thailand — a constitutional monarchy with a parliament largely dominated by
the military — has taken the Orwellian step that most Western democracies have
been afraid to take.  The Thai government this month inaugurated a centralized
database system to track and to cross-reference vital information on each of
its 55 million citizens.

The system includes a Population Identification Number (PIN) with a required
computer-readable ID card with photo, thumbprint, and imbedded personal data.
The system will store date of birth, ancestral history, and family make-up and
was designed to track voting patterns, domestic and foreign travel, and social
welfare.  Eventually 12,000 users, including law enforcement, will have access
by network terminals.  It is the largest governmental relational database
system in the world.  In the private sector, only the Church of Jesus Christ of
Later-Day Saints, the Mormon Church, has a larger one.  "The people feel that
the system will protect them," says the director of the Central Population
Database Center in Bangkok.

*What is more curious than the ambitious system itself is the fact that the
federally-sponsored Smithsonian Institute chose — on behalf of all Americans
-- to honor the Thais for their efforts*.  The second annual Computerworld
Smithsonian Award for innovative information technology in the governmental
sector went last month to the Thailand Ministry of Interior for its oppressive
system for keeping tabs on its citizens.  Something to ponder: Two of the three
judges making the award have major computer responsibility in the U.S.

[The Privacy Journal, an independent monthly on privacy in a computer
age, is a wonderful source for this stuff.  Individual subscriptions
are $35/year; Privacy Journal, P.O. Box 28577, Providence RI, 02908.]

A backup that worked

Fri, 17 Aug 90 09:34:50 EDT
Amidst all our stories of systems that have screwed up, it's worth noting one
that did work as planned.  The New York Federal Reserve bank's Fedwire EFT
system was in the area blacked out by the New York power outage.  Its backup
diesel generators kept things running for several days.  When one showed signs
of faltering, they moved operations to a backup site outside of the city.  That
backup site had been established 3 years ago for exactly such contingencies.

        --Steve Bellovin

NCSC to be shut down

Sun, 19 Aug 90 12:13:42 -0700
By John Markoff, New York Times
Reprinted in the San Jose Mercury News, 8/19/90
                                                 [Starkly excerpted by PGN.]

Reagan-era drive targeted espionage

  President Bush has ordered a quiet dismantling of an agressive effort to
restrict sources of computerized information, including data bases, collections
of commercial satellite photographs and information compiled by university
researchers.  [...]

Agency being disbanded

  This month the security agency began disbanding its National Computer
Security Center, moving most of its 300 employees into new jobs in the more
secret communications security section inside the agency.  [...]

     [Most of the functions of NCSC are intended to remain, however.  PGN]

How to Lie with Statistics [once again]

"N H. Cole" &>
Mon, 20 Aug 90 13:28:24 BST
With regard to the unreliability of statistics, the only solution is to make
Darrell Huff`s book "How to lie with statistics" a compulsory text at all
schools. It is, I believe, the source of the quote "97.43% of all statistics
are made up."

Nigel Cole

Something good about Automatic Bank Tellers

Pete Mellor <>
Tue, 21 Aug 90 11:03:20 PDT
Despite the danger of severe shock to RISKS readers who see this, I thought
that someone should give due credit to the designers of a particular ABT which
is run by the National Westminster Bank, and an example of which is installed
at City University.

Last week I drew some money on my way to lunch. As usual, I requested a
receipt.  When my service card popped out, I put it back in my wallet, but
(being a bit more preoccupied than usual) walked away without collecting the
money or the receipt. I realised my mistake one minute later when I reached
into my pocket to pay for a beer, and sprinted back to the machine, only to
find the receipt dangling out of the slot, but no cash. I had no option but to
draw some more money and make the best of it.

I was puzzled that there had been nobody around at the time who would have been
likely to have seen my mistake, and made off with the cash, so I rang the bank.
They explained that this type of till, in which the money comes out through
rollers, gobbles the money back if it is not pulled out of the rollers within
ten seconds. Sure enough, when they 'agreed' the till the next day, they found
it in credit by the amount I had forgotten, and a record of a 'customer
time-out'. So they promptly credited my account with that amount.

Now, *that's* what I call user-friendly! :-)

Peter Mellor, Centre for Software Reliability, City University,
Northampton Square, London EC1V 0HB

13th National Computer Security Conference, October 1-4, 1990

Jack Holleran &olleran@DOCKMASTER.NCSC.MIL>
Thu, 16 Aug 90 23:58 EDT
  [Jack sent me the entire registration packet for the conference on-line.
  It is much longer than just about any previous RISKS issue, so I
  have highlighted the program here.  This is generally the definitive
  get-together for security developers and practitioners.
  For those of you wishing the packet, please send him mail or FTP
  it from CRVAX.SRI.COM in the usual directory as RISKS-10.NCS90 .
  Registrations before 1 Sept 90 save $25; otherwise $250.  PGN]

Omni Shoreham Hotel, 2500 Calvert Street, NW, Washington, DC  20008
   (100 yards from Woodley Park Metro Station)

October 2, 1990

Opening Plenary Session
0900     Welcoming Remarks
   Keynote Address, Robert G. Torricelli, U.S. Representative (D - NJ)
1830     Conference Reception
          Smithsonian American History Museum

October 3, 1990
1800     Conference Banquet (Omni Shoreham Regency Ballroom)
          Speaker:  Ms. Michelle K. VanCleave
          Assistant Director for National Security Affairs
          Office of Science and Technology Policy
          Executive Office of the President

October 4, 1990

1100     Closing Plenary Session

Panel:  Towards Harmonized International Security Criteria

1225     Closing Remarks

TRACK A - Research & Development


1600     Panel:  Commercial Development & Evaluation of Trusted
             Systems:  An Open Discussion — Our Success to Date


1030     PAPERS
   Covert Storage Channel Analysis:  A Worked Example
   Verification of the C/30 Microcode Using the State Delta Verification System
   UNIX System V with B2 Security

1400     PANEL:     Access Control:  Time for A Retrospective

Electronic Authentication & Biometrics
1600     PAPERS
   Key Management Systems Combining X9.17 and Public Key Techniques
   Electronic Document Authorization
   The Place of Biometrics in a User Authentication Taxonomy
   Non-Forgeable Personal Identification System Using Cryptography and


Intelligent Tools I: Auditing
   An Audit Trail Reduction Paradigm Based on Trusted Processes
   The Computerwatch Data Reduction Tool
   Analysis of Audit and Protocol Data Using Methods from AI

Intelligent Tools II:  Intrusion Detection
   A UNIX Prototype for Intrusion and Anomaly Detection in Secure Networks
   A Neural Network Approach Towards Intrusion Detection
     PANEL:  Data Categorization and Labeling

1600     Panel:  R&D Activities


   A Generalized Framework for  Access Control:  An Informal Description
   Automated Extensibility in THETA
   Controlling Security Overrides
   Lattices, Policies, and Implementations

TRACK B - Systems


0900 PAPER NIST/NSA Services & Publications

1400 PANEL: Computer Security Standards

Embedded Systems
   The Role of "System Build" in Trusted Embedded Systems
   Combining Security, Embedded Systems and Ada Puts the Emphasis on the RTE


1030 PANEL:  Disclosure Protection of Sensitive Information

Network Security I
   Considerations for VSLAN(TM) Integrators and DAAs
   Introduction to the Gemini Trusted Network Processor
   An Overview of the USAFE Guard System

Network Security II
   Mutual Suspicion for Network Security
   A Security Policy for Trusted Client-Server Distributed Networks
   Network Security and the Graphical Representation Model


System Test & Integration
   Testing a Secure Operating System
   An Assertion-Mapping Approach to Software Test Design
   Security Testing:  The Albatross of Secure System Integration?

Network Standards
   Low Cost Outboard Cryptographic Support for SILS and SP4
   Layer 2  Security Services for Local Area Networks

Operating Systems
   Trusted MINIX:  A Worked Example
   Security for Real-Time Systems
   Trusted XENIX(TM) Interpretation: Phase  I
1600 PANEL:  Vendors' Activities


   PACL's:  An Access Control List Approach to Anti-Viral Security
   Static Analysis Virus Detection Tools for UNIX Systems
   The Virus Intervention and Control Experiment
   Classification of Computer Anomalies

TRACK C-I - Management & Administration


Contingency Planning & Disaster Recovery   (Part I)
0900 PAPER
   Disaster Recovery / Contingency Planning
1100 PANEL:  Professional Development

Contingency Planning & Disaster Recovery   (Part II)
1400 PAPER
   Disaster Recovery from $138 Million Fire
1600 PANEL:  Plans and Assistance


Criteria:  National & International
   Harmonised Criteria for the Security Evaluation of IT Systems and Products
   The VME High Security Option
   Rainbows and Arrows:  How the Security Criteria Address Computer Misuse
   Civil and Military Application of Trusted Systems Criteria

1400 PANEL:  Implementation of the Computer Security Act of 1987

Approaches to Trust
   The CSO's Role in Computer Security
   Implementation and Usage of Mandatory Access Controls in an Operational
   Building Trust into a Multilevel File System


Risk Management
0900 PANEL:  Risk Management
   LAVA/CIS Version 2.0: A Software System for Vulnerability and Risk
   WORKFLOW:  A Methodology for Performing a Qualitative Risk Assessment
   Critical Risk Certification Methodology

   Factors Effecting the Availability of Security Measures in Data Processing
   Integrating Computer Security and Software Safety in the Life Cycle of Air
     Force Systems
1500 PANEL:  Acquisition Discussion

   Integrity Mechanisms in Database Management Systems
   A Taxonomy of Integrity Models, Implementations and Mechanisms

0900 PANEL:  National Computer Security Policy

TRACK C-II - Management & Administration



0900 TUTORIAL: Database Management Systems and Secure Database Management
1100 PANEL:  A Year of Progress in Trusted Database Systems
1400 PANEL: Trusted Database Systems: The Tough Issues
1600 PANEL:  Multilevel Object Oriented Database Systems


C2 Microcomputer Security
   C2 Security and Microcomputers
   Functional Implementation of C2 by 92 for Microcomputers
1400 PANEL: Electronic Certification: Has Its Time Come?
1600 PANEL:  Defense Message System (DMS) Security


0900 PANEL: IEEE Computer Society
           Limited Access to Knowledge and Information
1100 PANEL: Computer Emergency Response Team: Lessons Learned

   Discerning an Ethos for the INFOSEC Community:  What Ought We Do?
   VIRUS ETHICS:  Concerns and Resonsibilities of Individuals and Institutions
   Concerning Hackers Who Break into Computer Systems
1600 PANEL: National Institute of Standards and Technology Activities


0900 PANEL: Hackers: "Who are They?"

Track D - The Computer Security Tutorial Track

MONDAY, October 1

   Automated Information Security:  Overview of the Tutorial
   Security Overview and Threat
   Information Security
   Life Cycle Management Requirements
   Risk Management

TUESDAY, October 2, 1990

   Data Security
   Physical, Personnel and Administrative Security
   Office Automation Security

WEDNESDAY, October 3, 1990

   Telecommunications Security
   Software Controls
   Trusted Systems Concepts
   Trusted Network Concepts

THURSDAY, October 4, 1990

0900     Tutorial Panel

Also a collection of Educator Sessions:

Tuesday, October 2, 1990
1400     Should Computer Security Awareness Replace Training?
         A Reassessment of Computer Security Training Needs
1600     Components of an Effective Training Program
         Information Security:  The Development of Training Modules
         Determining Your Training Needs
         Panel:  Lauresa Stillwell, Adele Suchinsky, Corey Schou, Roger Quane

Wednesday, October 3, 1990
0900    Training Vehicles:  Cost Versus Effectiveness
        Computer Based Training:  The Right Choice?
1100    Training on a Shoe-String Budget
        Awareness and Training in a World of Reduced Resources

Please report problems with the web pages to the maintainer