1-Aug-87 20:11:47-PDT,15165;000000000000
Return-Path: <NEUMANN@f4.csl.sri.com>
Received: from csl.csl.sri.com (CSL.SRI.COM) by F4.CSL.SRI.COM with TCP; Sat 1 Aug 87 20:09:00-PDT
Received: from F4.CSL.SRI.COM by csl.csl.sri.com (3.2/4.16)
	id AA00784 for RISKS-LIST@f4.csl.sri.com; Sat, 1 Aug 87 20:11:21 PDT
Message-Id: <8708020311.AA00784@csl.csl.sri.com>
Date: Sat 1 Aug 87 20:08:23-PDT
From: RISKS FORUM    (Peter G. Neumann -- Coordinator) <RISKS@csl.sri.com>
Subject: RISKS DIGEST 5.21 
Sender: NEUMANN@csl.sri.com
To: RISKS-LIST@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Saturday, 1 August 1987  Volume 5 : Issue 21

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

  ============================================================================
  = TODAY IS THE SECOND ANNIVERSARY OF RISKS (and the beginning of our third =
  = year, if you prefer to count from ONE instead of ZERO).  Thanks to all.  =
  = (I am astonished that there were 181 issues in our second year!  Maybe   =
  = it is time to take pity on you all [and me] and slow down a little!) PGN =
  ============================================================================

Contents:                                          
  Macaquepit Monkey Business on 747 (PGN)
  Re: IRS Sanity Checks (Willis Ware, Joseph Beckman)
  Re: Telephone access cards (Willis Ware, Robert Hartman)
  Re: Origin of term "artificial intelligence" (Dave Benson)
  FDA opportunity for system safety person (Frank Houston)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome. 
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
FTP back issues Vol i Issue j from F4.CSL.SRI.COM:<RISKS>RISKS-i.j.  
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

Date: Fri 31 Jul 87 13:01:04-PDT
From: Peter G. Neumann <Neumann@csl.sri.com>
Subject: Macaquepit Monkey Business on 747
To: RISKS@csl.sri.com

A monkey slipped out of its cage aboard a China Airlines cargo plane [before
landing] at Kennedy Airport, forced the crew from the cockpit, and played
with the controls before it was nabbed.  ``He wasn't making any demands --
he wasn't trying to take the plane back home,'' said John Schneider, an
animal control officer from the Port Authority who netted the 15-pound
macaque monkey after a 90-minute game of hide-and-seek through the 747 jet.
(The monkey had crawled out of the cargo area and into the flight deck.)
[UPI, in SF Chronicle, 31 July 1987]

------------------------------

To: RISKS FORUM (Peter G. Neumann -- Coordinator) <RISKS@csl.sri.com>
Subject: Re: IRS Sanity Checks (RISKS-5.20)
Date: Fri, 31 Jul 87 10:30:34 PDT
From: willis@rand-unix.ARPA

Re the IRS ADP procedures.  Several years ago I participated with a
committee that reviewed the IRS long range planning for ADP upgrades.  So
the group got to know something about general procedures, although not
intimate software details.

In these comments, I'm only offering perspective.  I am neither defending
nor criticizing what the IRS or other record-keeping organizations do.

The IRS obviously runs an enormous financial operation.  The accounts
receivable is huge so that there is a high motivation to get tax payments
processed and into the bank.  Similarly the IRS is obligated under law to
pay interest on delayed rebates, so there is a corresponding motivation to
process tax returns rapidly.  Both motivations are really in the citizen's
best interest.

The first thing that happens to any personal tax return (at the regional
processing center -- Fresno for California and the western states) is data
entry directly from the submitted form and as written.  The data entry
clerks have no authority to change anything.  The system then runs out the
numbers according to the rules that go along with the tax forms and tax
law.  All the system does is check arithmetic, and probably verify the
presence of required parameters (e.g., SSNs).

If it finds any variance, the computer generates an appropriate letter
which is then mailed, sofar as I know without human review.  A lot of
people have been the subject of a completely automated action -- including
a computer generated letter -- from detection of a problem to mailing of a
letter.

At some point (I don't recall exactly when), all tax records are mag-taped
to West Virginia to the IRS national processing center where they get
additional checking, verification, examination, extraction of statistical
data, etc.  It's from this 2nd stage process that returns are selected for
audit, and that produces the statistical parameters which go into the
famous "computer evaluation" for audit selection.

The IRS motivation is to collect taxes accurately, according to law, and
in timely fashion.  While I don't know this from first hand evidence, I
can imagine that there is little management motivation to include
reasonableness checks on the taxpayer-submitted numbers and forms.  Among
other things, it could be a legal misstep to guess what the taxpayer
intended to write, as opposed to what was actually written; and one can
readily conceive circumstances under which the IRS -- or many other
recordkeeping organizations -- could get into hot water by second guessing
what a person intended to do on some form or in some transaction.

So, we're not likely to see many computer-based reasonableness checks in
record-keeping systems, especially finanical ones.  The error-correction
feedback loop will continue to be external and through the individual
concerned, as it has been for a long time with paper-based systems.  Such
a decision is partly legally based, partly because there is generally
little basis for guessing what was intended, and partly because the
operational costs will always act to minimize the amount of software that
must execute to process each transaction.

While any computer-wise person can imagine all sorts of checks to improve
the lot of individuals who have to deal with a records system, I'm afraid
that managers of record-keeping activities are just not going to be
motivated to implement subscriber-courteous safeguards.

PGN - your parenthetical comment about "There is no Sanity Clause" goes
for many record-keeping organizations, not just Federal institutions.

					 Willis H. Ware, Santa Monica, CA

----------------------------

Date:  Fri, 31 Jul 87 08:58 EDT
From: Beckman@DOCKMASTER.ARPA
Subject:  IRS Income
To: Risks@csl.sri.com

I am under the impression that the IRS is not supposed to release
information they receive to other agencies.  Hence, if someone says that
there are receiving $104001 from SS, the IRS is apt to accept that,
believing, perhaps, that these people are fraudently obtaining multiple
checks to which they are not legally entitled, but report such income so as
not to be in violation of the law under income-tax evasion sections.  I am
reminded of the story of the pest exterminator who put "Hired killer" under
the occupation block.
                                        Joseph

     [The point of the message was that a reasonableness check on the SS
     field would certainly indicate that this return might deserve special 
     attention -- without having to consult the SSA.  PGN]

------------------------------

To: RISKS FORUM (Peter G. Neumann -- Coordinator) <RISKS@csl.sri.com>
Subject: Re: Telephone access cards (RISKS-5.20)
Date: Fri, 31 Jul 87 10:30:34 PDT
From: willis@rand-unix.ARPA

Re telephone cards, SPRINT, et al.  Originally the GTE/SPRINT access code
for making calls was just 7-digits for local calls, plus 2 additional
ones when out of area.  After getting the SPRINT switch via the local
access number, the procedure was to dial the access code and then the
desired number.  The same thing was continued when it became US/SPRINT.

Penetrators of the SPRINT system have long been a problem, and all sorts of
ways have been suggested for acquiring the access code.  Among them was just
plain automated PC-based exhaustive trials searching for a good one.  At one
time, my SPRINT business account got over 300 unauthorized calls in one month,
ALL from Joliet, Illinois -- the location of a well-known prison.  Given
that I had always been extremely cautious about using the memorized number
at a public phone, I never did find out how it got so popular in Illinois.

Recently, as noted in RISKS, the access code has become 14-digits but
there has also been a procedural change.  After getting the SPRINT switch
through the local access number, now the desired number is dialed first;
after a couple of beeps from the switch, the access code is then dialed.
It's a slight nuisance sometimes if one is using a phone that has the
buttons in the handset; he better get the receiver back to his ear fast or
the acknowledging beep-beep from the switch can be unheard.

One wonders why the inversion of parameters; here is a possible explanation
based solely on my conjecture, not on any first hand knowledge.

Given that penetrators will continue to be a problem, one would like to have
some data to help track them down or to have system characteristics that
will deter them.  Clearly the 14-digit number makes guessing much more
tedious and possibly slow enough to turn away trouble makers.  In addition,
if someone is trying to guess numbers, perhaps already knowing part of a
legitimate one, the system now knows what number is being sought when the bad
access code is given.  As telephone companies have done for years, the called 
party can then be contacted and asked who might be trying to make a call.

But the technique is at the same time so easily spoofed by calling any
number, or some public number (like an office building), or always calling
a different number each time while guessing at access codes.  It's a minor
software extension to make the penetrator's PC generate a number to be
called in addition to generating a trial access code.  Of course the
generated called number might not be a valid one which could mean that a
guessed access code would erroneously be discarded, but one can imagine
ways around such a small problem.

Perhaps there is no security connotation to the new SPRINT procedure;
perhaps it really stems from some software convenience, or some billing
requirement.  Perhaps, also, the system designers bet on a security
safeguard that has little to offer.  Perhaps the state-of-art for (what is
really) computer security in the telephone business is not as well advanced
as it is in mainframe world.
  				   Willis H. Ware, Santa Monica, CA

------------------------------

To: seismo!comp-risks@seismo.CSS.GOV
From: sun!rdh@seismo.CSS.GOV (Robert Hartman)
Subject: Another comment on passwords (Re: RISKS DIGEST 5.19)
Date: 31 Jul 87 07:14:30 GMT
Organization: Sun Microsystems, Mountain View

In response to Jonathan Thornburg's peeve/idea/complaint, it should be obvious
that any string of digits that can be attributed to an individual by a few
simple database lookups isn't a good candidate for a secure password.  Your
random hacker might miss, but your diligent government could get right in.

Perhaps not the most reassuring thought.  -bob.

   [Like the "Yes, Virginia, there is a Santa Claus" letter that reappears
   once a year in the European edition of the Herald Tribune, this
   discussion keeps recurring in RISKS.  I try to staunch it, but it seems
   to take on a life of its own.  PASSWORDS ARE INTRINSICALLY WEAK.  THERE ARE
   TOO MANY WAYS TO FIND COMPROMISES.  Passwords might be considered better
   than nothing, but only if people don't believe in them blindly -- in which
   case NOTHING might be even better, relying primarily on establishing
   communities of equal trustworthiness.  At any rate, I have closed the
   spigot on several other messages on this subject that get into second-
   and third-order ramifications without confronting the deeper issues.  

   [While on the subject of spigots, we also received a flood of messages on
   nuclear power.  They have been getting farther and farther from RISKS
   relevance, and thus are not included here.  Jef Poskanzer 
   [unisoft!jef@ucbvax.Berkeley.Edu ...ucbvax!unisoft!jef] suggests that the
   sci.misc USENET newsgroup is a more appropriate place for the not 
   immediately RISKS related contributions.  PGN]

------------------------------

Date: Thu, 30 Jul 87 14:36:22 PDT
From: Dave Benson <benson%cs1.wsu.edu@RELAY.CS.NET>
To: risks%csl.sri.com@RELAY.CS.NET
Subject: Re: Origin of term "artificial intelligence"

Jon Jacky (>>):
>>... the term
>>"artificial intelligence" was originated in the 1950's by John McCarthy,
>>generally regarded as one of the most important computer scientists (he
>>invented LISP, among other things).  The story goes that he created the term
>>in a grant application in order to kindle funders' interest in topics like
>>symbolic logic with otherwise seemed rather esoteric and impractical.

That's not the way John McCarthy tells the story.  He indeed wanted to
create <intelligent machines>.

The term "machine intelligence" was in use for a while at the University
of Edinburgh, which at one time had both a department of Machine Intelligence
and a department of Artificial Inlligence.

The earliest popularization I can recall was entitled "Giant Brains, or
Machines That Think", written by One Of Us. (Edmund C. Berkeley, if I recall
correctly).

Unthoughtful scientists and engineers have often in the last 70 years been
carried away in explaining the delights of their subject to others.  This
is a risk in any enterprise and we needn't be surprised at its occurrence
in fields of computing.  Like any other risk, we indeed ought to avoid
overly extravagant claims.
         				David B. Benson

                     [Always look a gift expert system in the mouth.  PGN]

------------------------------

Date: Fri, 31 Jul 87 11:18:05 edt
From: houston@nrl-csr.arpa (Frank Houston)
To: RISKS@csl.sri.com
Subject: FDA opportunity for system safety person

FDA is seeking a person versed in system safety, especially computer system
safety, to help advance the state of the art in medical systems.  The job
will involve both research and routine and requires a fair amount of
experience in software.  FDA would be willing to help train in the medical
part.

Anyone interested should contact me at (301)443-5020 or mail a resume soon to
my attention at Food and Drug Administration, Center for Devices and
Radiological Health HFZ-142, 12720 Twinbrook Parkway, Rockville, MD 20857.

Frank Houston, Biomedical Engineer, Food and Drug Administration

------------------------------

End of RISKS-FORUM Digest
************************
-------