The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 68

Friday 14 December 1990


o Recent RISKS Mail to CSL.SRI.COM
o Many Bills Are Found Incorrect on Adjustable Rate Mortgages
Saul Tannenbaum
o Loughborough
Rob Thirlby via Brian Randell
o Gender and computer anxiety
Rob Gross
o Computerized USA Phone Directory
Allan Meers
o Getting out of Lotus' "Household Marketplace"
o Re: a fondness for turkeys
o Call for Papers - 14th National Computer Security Conference
Jack Holleran
o Info on RISKS (comp.risks)

Recent RISKS Mail to CSL.SRI.COM

"Peter G. Neumann"
Thu, 13 Dec 1990 15:52:40 PST
Well, we survived the move to another building (I'm now in EL-243), although
for a variety of reasons the servers could not be moved on schedule and getting
everything working again was decidedly nontrivial.  But the resulting outage of
five days meant that some mail to CSL.SRI.COM was rejected.  So, if you got
BARFmail indicating your mail to CSL was undeliverable, PLEASE TRY AGAIN NOW.
Sorry for the inconvenience.  Peter

Many Bills Are Found Incorrect on Adjustable Rate Mortgages

Saul Tannenbaum
Wed, 12 Dec 90 19:30 EDT
The New York Times reports (13 Dec 90) that, according to a General Accounting
Office study, as many as 25% of all adjustable rate mortgage bills may
be incorrect as a result of bank errors in calculating their interest
rates. These errors were found as part of routine audits done as failed
savings and loan institutions were taken over by Federal regulators.

A former Federal mortgage banking auditor says that that estimate is
too low, putting the problem at 30-35% of adjustable rate mortgages.
In some cases, this auditor says, the errors resulted from "human mistakes" at
small S&Ls, that often calculated adjustable mortgages by hand. In other
cases the problems were caused by "computer glitches." One failed S&L,
the Victor Federal Savings and Loan of Muskogee, Okla, was audited
by the Bennington Group for the Federal Savings and Loan Insurance Corp.
The audit, which sampled 96 adjustable mortgages, found that the
bank's computer system contained logic errors. The bank, among other
things, rounded rates upward instead of downward and "pulled" the
index on the wrong date, when it might be higher or lower than on
the correct date. Other errors resulted from "poor recordkeeping",
where the indices on which the adjustable rates were based couldn't be found,
or did not match the FSLIC computer programs [which begs an obvious
question]. Some adjustable mortgages have never been adjusted.

In one example given, a woman took out 3 identical adjustable rate mortgages
from the same bank at the same time. Now, all three have wandered off in
different directions. She has 3 different monthly payments, 3 different
balances, and 2 payment schedules.

According to the article, it is the opinion of Federal regulators that the
Truth In Lending Law "probably does not" require lenders to repay overcharges
in any form.

Saul Tannenbaum, USDA Human Nutrition Research Center on Aging at Tufts
University, 711 Washington St., Boston, MA 02111 STANNENB@TUFTS.BITNET

A White Xmas?

Brian Randell
Tue, 11 Dec 90 16:38:05 GMT
Date:     Tue, 11 Dec 90 11:03:24 GMT
From:     Rob Thirlby
Subject:  Loughborough
To:       uk-mail-managers @

We are back in the world, the little, forgotten, black hole in the East
Midlands is now up and running after over 60 hours of no electricity, often no
water, dodgy phones, and just to finish it off this morning a suspected gas
leak and a heating fault (or at least I presume it's a fault it's not very

Many of the surrounding villages are still without power and in some cases
water and phones.  And all this in the Soar valley with one of the lowest
average snowfalls in England!  The University cedar tree which features on much
of our publicity has lost its top half and I suspect there has been more
arboreal damage than in the hurricane year.

For the technically minded the main problem was due to the incredibly wet
sudden snowfall which stuck to anything it touched even in a gale.  The
Loughborough 132KV grid feed wires and gear fell onto a host of lower voltage
feeders causing massive damage to both.  It must have made firework night look
tame.  All our water is pumped by (non backed-up) electric pumps from
Derbyshire and hence the chaos.  There's nothing more irritating than being
told on the radio to boil all the water when you haven't any means of heating
it.  Mind you we can see the plumes of vapour from some of the country's
largest power stations on the Trent and that doesn't improve one's temper when
trying to bake potatoes on a log effect, real-flame, gas fire!

I hope you all had a nice week-end.

Rob Thirlby, Postmaster@lut

Gender and computer anxiety

Sat, 8 Dec 90 00:22 EST
The following is excerpted from the "Faculty File" column in the
Princeton Alumni Weekly of December 5, 1990:

    In general, [Joel] Cooper [chairman of the psychology department
    at Princeton] has found, females are more subject to computer
    anxiety than males are, and as a result, they perform
    computer-related tasks worse.  But there's an important contextual
    component to these findings:  the performance differential appears
    only when there's someone else in the room with the female who's
    using the computer.  Just the presence of another person -- male or
    female, no matter what he or she is doing -- seems to be enough to
    generate computer anxiety.  By contrast, when they're alone in a
    room with a computer, females generally show no appreciable
    difference in performance compared to males.

    In the course of this study, Cooper examined a group of
    middle-school children in Princeton...The children were asked to
    solve arithmetic problems on a computer.  In group settings, the
    girls in the class often did worse than the boys, whose
    performance actually improved when other people were around.  In a
    test of university students, Cooper had groups of men and women
    play an adventure game called Zork on a computer; some played with
    other people present, others were alone.  The middle school results
    were replicated.

    ``We tried to get a fix on what the other people in the room had
    to do to provoke the computer anxiety,'' Cooper recalls.  ``It
    turned out to be almost nothing.  They could be writing a letter
    in the corner, totally ignoring the woman at the keyboard, but
    still her performance would drop.  They just had to be there.''

Rob Gross
Department of Mathematics   BITNET: GROSS@BCVMS
Boston College              Internet: GROSS%BCVMS.BITNET@MITVMA.MIT.EDU
Chestnut Hill, MA 02167

Computerized USA Phone Directory

Allan Meers - Sun Education
Thu, 13 Dec 90 00:03:32 PST
Mercury News - 90-Dec-12

Compuserve has introduced the FIRST computerized national phone book, listing
the name, address, ZIP, and phone number of 80 million households in the US who
have a listed number.  As of December 1, the Phonefile service allows the
725,000 Compuserve subscribers to search the phone lists of the USA by:

    name & address  - for updating your Christmas card list or
                      for telemarketing reasons.  This is
                      just a computerized version of the
                      current phone book - but without needing
                      hundreds of phone books for the whole USA.

    name & state    - to find long-lost relatives or to find
                      someone who has relocated (out of state).
                      Examples include old classmates for class
                      reunions, and birth parents of adoptees.

    phone number    - like a "reverse" directory, where you can
                      get any listed name & address just by
                      looking up the phone number.

The cost of retrieving the information is 25 cents per minute in
addition to Compuserve's standard on-line charge of $12.80 per hour
(21 cents per minute).  The cost is considered not much more than
a call to directory assistance, and can be even cheaper considering
the acquiring and search costs of all the phone books for the USA.

The Phonefile database is compiled by a direct marketing company, Metro Mail
Corp. of Illinois, from phone directories, computerized real estate
transactions, and other sources.  It was not speculated on what the "other"
sources might be, but I would suspect other telemarketing databases, magazine
subscriptions, credit services, Usenet email alias lists :^}) , and other
public sources of name/address information.

A Bellcore New Jersey privacy issues expert, James E. Katz, indicated that a
likely consequence of the directory will be an even greater increase in the
number of unlisted phone numbers in the United States.  It was noted that Japan
and European countries have practically no unlisted numbers, while the United
States runs about 25% of its phone numbers unlisted, with 33% of California
numbers unlisted.

While Compuserve assures that the directory was designed to discourage the
compilation of marketing lists for junk mail and telemarketing, privacy experts
assume that such use is inevitable.  A magazine for instance, could compile
phone numbers for a telemarketing campaign targeted at readers whose
subscriptions have lapsed.

Getting out of Lotus' "Household Marketplace"

Wed, 12 Dec 90 09:44:29 -0800
If you don't want to be listed in the "Household Marketplace" database but you
don't have enough energy to write a letter, you can also do the following:

    Dial    1-800-343-5414
    press 3, then 2  (I don't know what to do if you don't have a
            touch-tone phone.)

This will get you a human who will want to send you information about
"Household Marketplace."  However, you can also say that you want to
be removed from the database.  You will then be given the choice of mailing
to Lotus or you can tell them your name and address and they say they will
remove you from the database and send you written confirmation.   I did this
yesterday, so I know they will take your name and address.  I can't vouch that
they send the confirmation; the U.S. Mail isn't that fast.

If you are energetically opposed to this product, here are some names
and addresses you might want to have for your own database:
    Lotus Development Corp.
    55 Cambridge Pkwy.
    Cambridge, MA 02142
    (Mary Ann Malloy Coffey, Marketing Programs Manager)
    (Jim P. Manzi, Chairman, President, and CEO)

    Equifax, Inc.
    1600 Peachtree St. N.W.
    Atlanta, GA 30309
    (Jeff V. White, Chairman of the Board)
    (C.B. Rogers, Jr., President and CEO)

Equifax is the original collector of the data which Lotus is selling.   /tdn

update on Lotus

Wed, 12 Dec 90 13:54:14 -0800
Someone told me that they phoned Lotus today about getting off the Marketplace
Household database and were told something different than I was told yesterday.
Apparently, today's story is that if you want written confirmation that you've
been removed from the database, you have to send mail to:
    Lotus Development Corp.
    Attn: Marketplace Name Removal
    55 Cambridge Pkwy.
    Cambridge, MA 02142

If you just phone them, they now say they won't send written confirmation.
I wonder what they'll say tomorrow.                                   /tdn

Re: a fondness for turkeys (Re: Mellor, RISKS-10.65)

99700000 <haynes@ucscc.UCSC.EDU>
Fri, 7 Dec 90 23:30:41 -0800
I'll suggest a third reason [for the problems Pete Mellor discussed in modern
weapons system development], that I like to call Model Railroading.  Designing
a complex electronic system to solve some warfare problem is interesting,
challenging, and fun; and somebody else is paying the bills.  As long as we're
not in a war, as long as the system doesn't have to solve some real problem, it
is a delightful toy; and as with a model railroad we get to keep arranging the
scenery so it appears to be doing the Real Thing.

Call for Papers - 14th National Computer Security Conference

Jack Holleran &olleran@DOCKMASTER.NCSC.MIL>
Sat, 8 Dec 90 23:32 EST
 National Computer Security Center and
 National Institute of Standards and Technology

 Theme:  Information Systems Security:  Requirements & Practices


 The focus of the 14th NCS Conference will be on the "Experiences in our
Applications".  These applications include, but are not limited to, efforts to
meet the policy requirements required by law or corporate policy.  We would
like you to share your learning curve with the Computer Security Community.  We
also encourage submission of papers on the following topics of high interest:

Systems Application
 * Access Control Strategies
 * Achieving Network Security
 * Application of Trusted Technology
 * Integrating INFOSEC into Systems
 * User Experience with Trusted Systems
 * Secure Architectures
 * Securing Heterogeneous Networks
 * Small Systems Security

Criteria, Evaluation and Certification
 * Assurance and Analytic Techniques
 * Conducting Security Evaluations
 * Federal Computer Security Criteria
 * Experiences in Applying Verification
 * Integrity and Availability
 * Formal Policy Models

Management and Administration
 * Accrediting Information Systems and Networks
 * Specifying Computer Security Requirements
 * Life Cycle Management
 * Managing Risk
 * Role of Standards
 * Preparing Security Plans

International Computer Security Activities
 * Conformance Test Development and Evaluation
 * Harmonized Criteria
 * International Evaluation Infrastructure
 * Prototype Development
 * Research Activities

Innovations and New Products
 * Approved/Endorsed Products
 * Audit Reduction Tools and Techniques
 * Biometric Authentication
 * Data Base Security
 * Personal Identification and Authentication
 * Smart Card Applications
 * Tools and Technology

Awareness, Training and Education
 * Building Security Awareness
 * COMPUSEC Training:  Curricula, Effectiveness, Media
 * Curriculum for Differing Levels of Users
 * Keeping Security In Step With Technology
 * Policies, Standards, and Guidelines
 * Understanding the Threat

Disaster Prevention and Recovery
 * Assurance of Service
 * Computer Viruses
 * Contingency Planning
 * Disaster Recovery
 * Malicious Code
 * Survivability

Privacy and Ethical Issues
 * Computer Abuse/Misuse
 * Ethics in the Workplace
 * Laws
 * Privacy and Individual Rights
 * Relationship of Ethics to Technology
 * Standards of Ethics in Information Technology

     We are pleased to invite academic Professors to recommend Student papers
in the application of Computer Security methodology.  Three student submissions
will be selected by the Technical Committee for publication in the 14th NCS
Conference Proceedings.  To be considered, the submission must be solely
authored by an individual student and be recommended by an Academic Professor.
Only one copy for student submission is required.

  BY FEBRUARY 15, 1991: Send eight copies of your draft paper* or panel
suggestions to one of the following addresses.  Include the topical category of
your submission, author name(s), address, and telephone number on the cover
sheet only.  (* Government employees or those under Government sponsorship must
so identify their papers.)

  BY MAY 11, 1991: Speakers selected to participate in the conference will be
notified when their camera-ready paper is due to the Conference Committee.
All referee comments will be forwarded to the primary author at this time.

For additional information on submissions, please call (301) 850-0272.

Mailing Information:
 1.  FOR PAPERS SENT VIA U.S. or Foreign Government MAIL ONLY:

 National Computer Security Conference
  ATTN:  NCS Conference Secretary
  National Computer Security Center
  9800 Savage Road
  Fort George G. Meade, MD 20755-6000


 National Computer Security Conference
  c/o NCS Conference Secretary
  National Computer Security Center
  911 Elkridge Landing Road
  Linthicum, MD  21090

  Please note that the US Government Postal System does not deliver to
Elkridge Landing Road.

    3.  FOR Electronic Mail:
            (1 copy only; no figures or diagrams)

Preparation Instructions for the Authors
          To assist the Technical Review Committee, the following is required
for all submissions:

Page 1:  Title of paper, submission, or panel suggestion
     Focus & keywords (e.g. - Innovations and New Products - Biometric
                               Authentication, Tools and Technology)
     Phone number(s)
     Net address(es), if available
     Point of Contact

  Additionally, submissions sponsored by the U.S.  Government must provide the
following information:
  U.S. Government Program Sponsor or Procuring Element
  Contract number (if applicable)
  U.S. Government Publication Release Authority
    Note: Responsibility for U.S.  Government pre-publication review lies with
the author(s).

  Page 2:
   Title of paper or submission - do not include author(s) or organization(s)
     Abstract (with keywords)
     The paper (Suggested Length: 8 pages, double columns, including figures
and diagrams; pitch: no smaller than 8 point.)

     A Technical Review Committee, composed of Government and Industry
Computer Security experts, will referee submissions only for technical merit
for publication and presentation at the National Computer Security (NCS)
Conference.  No classified submissions will be accepted for review.

     The Conference Committee provides for a double "blind" refereeing.
Please place your names and organizations on page 1 of your submission, as
defined above.  Failure to COMPLY with the instructions above may result in
non-selection BEFORE the referee process.

     Papers drafted as part of the author's official U.S.  Government duties
may not be subject to copyright.  Papers submitted that are subject to
copyright must be accompanied by a written assignment to the NCS Conference
Committee or written authorization to publish and release the paper at the
Committee's discretion.  Papers selected for presentation at the NCS
Conference requiring U.S.  Government pre-publication review must include,
with the submission of the final paper to the committee, a written release
from the U.S.  Government Department or Agency responsible for pre-publication
review.  Failure to comply may result in rescinding selection for publication
and for presentation at the 14th NCS Conference.

     Technical questions can be addressed to the NCS Conference Committee by
mail (see Mailing Information) or by phone, (301) 850-0CSC [0272].
