RISKS-LIST: RISKS-FORUM Digest  Monday, 14 December 1987  Volume 5 : Issue 74

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Rounding error costs DHSS 100 million pounds (Robert Stroud)
  Computers' Role in Stock Market Crash (Rodney Hoffman)
  The Infarmation Age (Ivan M. Milman)
  Virus programs and Chain letters (David G. Grubbs)
  Baby monitors can also be very efficient "jammers", too. (Rob Warnock)
  The Saga of the Lost ATM Card (Alan Wexelblat)
  Interchange of ATM Cards (Ted Lee)
  PacBell Calling Card Security (or lack thereof) (Brent Chapman)
  IBM invaded by a Christmas virus (Franklin Davis)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
Volume summaries for each i in max j:  (i,j) = (1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

From: Robert Stroud <robert%cheviot.newcastle.ac.uk@NSS.Cs.Ucl.AC.UK>
Date: Mon, 14 Dec 87 09:45:00 GMT
To: risks@csl.sri.com
Subject: Rounding error costs DHSS 100 million pounds

This is an extract from a front-page report in the Independent (12 Dec 1987).  It would appear that for over a year, due to a programming error, the government have been underestimating inflation by 0.1%.  The cumulative effect of this error on index-linked payments such as pensions amounts to 100 million pounds which they have a statutory obligation to pay back.

The interesting question this poses is what level of error would be considered reasonable in calculating inflation.  Even a 0.001% error would cost 1 million pounds by this reckoning, and yet averaging the price of commodities introduces spurious accuracy when in practice prices will be to the nearest 0.5p.
Robert Stroud, Computing Laboratory, University of Newcastle upon Tyne.
UUCP ...!ukc!cheviot!robert

"DHSS in 100m pounds inflation blunder - pensioners to get payment after computer error"
by Steve Levinson and Colin Hughes
Reproduced without permission from The Independent (Sat 12th Dec 1987)
Copyright (c) Newspaper Publishing PLC 1987

More than nine million pensioners are shortly to receive a tax-free lump sum bonus of between 7.50 and 12.00 pounds after the Government yesterday admitted that a computer error had led to publication of incorrect inflation figures for the past 21 months.

The pay out to pensioners will cost an estimated 100 million pounds, but other social security recipients, who include some of the poorest, will not be reimbursed for the error which has meant that benefit increases have not kept pace with inflation.

[... Lots of stuff about how the government will only reimburse those benefits for which it has a legal obligation or has made a pledge to keep pace with inflation, despite the fact that most other forms of benefit are usually raised in line with inflation, and how this is likely to cause a political row(!) ...]

Although the computer error at the Department of Employment has meant an understatement of only 0.1% in inflation, it is difficult to conceive of a more embarrassing mistake or one that affects more people.  Pay negotiators, taxpayers, savers, and pensioners are all caught up in its implications.

The department does not intend recalculating past inflation figures, but says that yesterday's 4.1% rate for the year to November is correct.

The error itself is put down to a mistake made early last year when a programmer, seeking to speed up the process of analysing each month's prices, entered details for household goods which omitted everything after the decimal point.  [I assume this means pence rather than pounds!]
Nobody noticed and from January this year the new program was given wider application to other goods, including clothing.  The effect was that all Retail Price Index numbers [the official measure of inflation] between February 1986 and January 1987 were 0.06 points too low, and after January 1987, a further 0.09 understatement was added.

The error was spotted purely by chance only last month when a new attempt was made to speed up the process of analysing price information.

------------------------------

Date: 13 Dec 87 22:05:59 PST (Sunday)
Subject: Computers' Role in Stock Market Crash
To: RISKS@csl.sri.com
From: Rodney Hoffman <Hoffman.es@Xerox.COM>

The Friday, Dec. 11 'Wall Street Journal' ran a story headlined "Were Computers a Help or a Hindrance?  Securities Industry Asks After the Crash" by Michael W. Miller.  It was one of several articles trying to put the recent crash in perspective.  What's particularly interesting is that the piece is not narrowly focused on the role of computers in the crash.  Instead, it's a thoughtful questioning of "the ways computers changed Wall Street".  The whole article is well worth reading.  A few edited excerpts:

  Portfolio insurance, index arbitrage and other modern Wall Street trading innovations that depend on ever speedier and more complex trades ... wouldn't have been possible without the more than 200 Tandem TNX and TXP computers of Securities Industry Automation Corp. (SIAC), run by the New York and American stock exchanges....  SIAC's system is one of the biggest collections of computer power gathered under a single roof.  Its workings have grown so vast that today SIAC uses computers to keep track of all its computers.

  Did electronic analysis and trading produce a whole new breed of high-tech investors whose criteria have nothing to do with the traditional corporate and economic forces behind stock movements?  "I think there is a tendency today to substitute trading for investment," says former U.S. Attorney General Nicholas deB. Katzenbach, who was commissioned last spring to study program trading for the Big Board.  "Computers are an element of that, sure, but I don't think it's just because of computers."  Which came first?...

  One way or another, the computer has transformed the stock market in ways unimaginable even a few years ago.  ...  The volatile growth is "a real monster, and it's obviously one that we cannot control," a top SIAC official says.

  In many ways, Wall Street was an unusually ripe target for computerization.  Nowhere does faster, better information command such a high premium....  In hindsight, it seems that computers on Wall Street created an appetite they ultimately couldn't satisfy.  Following the classic addicts' pattern, each time investors got more powerful computers, they developed investment techniques that needed even more powerful computers....

  A rethinking of computer-aided trading is inevitable...  But curtailing powerful technology already in wide use isn't easy -- as any arms negotiator can attest....  Moreover, Wall Street is worried about what the Japanese may come up with.  A state-of-the-art futures market is scheduled to open in Tokyo in March.  Observes Ramon Villareal of Tandem: "Once you've got the tools, if you don't use them, someone else will."

------------------------------

Date: Mon, 14 Dec 87 23:00:50 CST
From: ivan@sally.utexas.edu (Ivan M. Milman)
To: risks@csl.sri.com
Subject: The Infarmation Age

The business section of the December 14th (Monday) edition of the Austin American-Statesman had a 4-column feature article entitled "Modern farmers plow profit with computers."  The article discussed at great length all the benefits farmers are receiving by using computers.  Directly below the article is a section called "In Brief", and the first headline is "Computer Trouble."
The paragraph described how the report of humidity and soil temperatures provided every week by Blackland Research Center was interrupted due to computer troubles.

Ivan Milman

    [Perhaps the computer was affected by humidity?  PGN]

------------------------------

Date: Sun, 13 Dec 87 20:50:57 est
From: dandelion.CI!dgg@husc6.harvard.edu (David G. Grubbs)
To: risks@csl.sri.com
Subject: Virus programs and Chain letters

When do we start treating these foolish, destructive, puerile acts as they deserve?  Virus programs and Chain letters are not harmless pranks, as most of the comments I've read lately seem to imply.  They waste immense amounts of our two most precious resources: time and effort.  And they are, to my mind, evidence of an anti-social behavior which deserves to be actively suppressed, even attacked.

Persons caught sending a chain letter should have their mail privileges suspended for some period, as a first offense, then removed entirely if the idiocy continues.  Persons writing or distributing Virus programs should be warned, then kicked out of whatever organization is affected, from a place of employment to whatever social group is involved.

A prank without an appreciative and approving audience is an anomaly.  Remove the audience and the act becomes meaningless.  It is not possible to legislate maturity, temperance or responsibility, but it IS possible to influence one's peers through social pressure.  These acts are intolerable and it is up to YOU to do something about it.  Stop chuckling at juvenile acts of destruction.  Let the perpetrators know they are out of line, take steps to stop them and share the ideas that work with the rest of us.

"If you aren't part of the solution, you will become part of the precipitate."

David G. Grubbs, Cognition Inc., 900 Tech Park Drive, Billerica, MA 01821
UUCP: ...!{mit-eddie,talcott,necntc}!dandelion!dgg   (617) 667-4800

------------------------------

From: amdcad!amdcad.AMD!rpw3@ames.arpa (rpw3) (Rob Warnock)
Subject: More risks of "baby monitors" [when you wear your "jammers"?]
Date: 7 Dec 87 20:25:16 GMT
Subject: Baby monitors can also be very efficient "jammers", too.

I was recently involved in helping with the logistics and security for a large (several K people) outdoor event in Vermont, and we decided to use a bunch of those Radio Shack "bug ears" short-range FM transceivers for communications among monitors who would be spaced throughout the crowd to handle medical emergencies, lost children, etc.

Well, everything worked just fine, until some VIPs started showing up a day or two ahead of the main event.  Suddenly, the 49 MHz band that the transceivers use began to be jammed with a strong carrier, with a lot of 60 Hz "hum" and no (apparent) modulation.  The "jamming" came and went at various times, for several hours at a time.  We began to be worried that our careful public safety plan was going to be destroyed by this "jamming"!

Finally, during a period of "jamming", we heard a loud baby cry, followed by a door opening and the soothing tones of a mother.  Problem solved!  (...after some diplomacy, that is.)  We were able to recover our public safety plan by convincing the parents (who were fortunately part of the sponsoring group) to leave the baby monitor "off" during our practice drills, and during the entire day of the main event.

What's the "Risk"?  Both the short-range transceivers and the baby monitor use the 49 MHz "public domain" band, which is the same band used by many cordless telephones.  (We had in fact thought that the "jamming" was a cordless phone.)  Who is to adjudicate conflicts when they arise?
The FCC regulations specifically state that any such device "(1) May not cause any harmful interference to any other service; and (2) Must accept whatever interference [that arises] from any other [licensed] service."  As more and more "deregulation" occurs and more and more "consumer" R.F. (and infrared) devices show up on the market, conflicts of this type will increase.  I only know that not all of them will be settled so amicably as the one described above.

Rob Warnock, Systems Architecture Consultant
UUCP: {amdcad,fortune,sun,attmail}!redwood!rpw3
ATTmail: !rpw3
DDD: (415)572-2607
USPS: 627 26th Ave, San Mateo, CA 94403

------------------------------

Date: Mon, 14 Dec 87 10:06:09 CST
From: Alan Wexelblat <wex%SW.MCC.COM@MCC.COM>
To: risks@csl.sri.com
Subject: The Saga of the Lost ATM Card

Last week, I went to my bank to order a new ATM card.  Here's why:

First, some background.  Austin is served by two major ATM networks, Pulse and MBank.  Each accepts the others' cards for purposes of withdrawals and transfers, but not deposits.  Very convenient - Pulse is a national network and friends from Philly have been able to get cash while in town.

Saturday night I was in a supermarket buying food to bring to a friend's dinner.  I realized I didn't have enough cash, so I used the ATM.  It was MBank, but it had a big sticker indicating it would accept my Pulse card, so I tried.  I got the cash and the receipt, but the machine didn't return my card.

I went to the supermarket service desk.  They helpfully informed me that they had no way of retrieving my card, but if I was willing to hang around for a while "...the machine will probably spit it out."  Does this happen often, I asked.  "All the time.  Usually the card comes back in less than 10 minutes.  Sometimes it comes back when the next person tries to do a transaction."

Well, I'm late for dinner, so I can't wait around.  Fortunately, I'm with a friend and he has bank cards.  First, he tries one for an account he knows is defunct.
The machine rejects it.  Then he tries his MBank card (brave fellow - how does he know his card won't get swallowed, too?).  Both are returned by the machine, but my card stays gone.  After a useless call to the MBank service number (answered by a security guard who knows nothing) we leave.  I'm told that they empty the machines first thing Monday morning, and I should get a phone call then.

When Wednesday rolls around and I haven't heard, I put in a call to MBank's service number.  I explain my situation to a service rep who, upon finding that I'm not an MBank customer, clams up.  I have to call *my* bank, she says, and get the card back from them.  Can she check and see if my bank has the card?  No.  Does she care that her bank's machine is regularly eating cards and spitting them back at random intervals?  No.

So I call my bank's central customer service number and I'm told that they still don't have the card.  But even if they did, I'd have to get a new one.  MBank returns them cut up, you see.  Why?  Because they consider it too risky to mail the cards intact to my bank.  My bank has no trouble mailing the cards to me.  But I'm a reasonable person, perhaps I can go to MBank and identify myself and get my card back directly from them?  No...  "Customer identification is the problem of the owning bank."  Not that I can explain to this imbecile that it doesn't matter whether my bank can identify me, since all they could give me would be useless plastic scraps...

So now I have to wait 4-6 weeks for the central office to produce another card.  Fortunately, the PIN is not on the card, so my wife's card is still usable.

Anyone want to guess at the number of MBank machines I'll be using in the future?
--Alan Wexelblat
UUCP: {harvard, gatech, pyramid, &c.}!sally!im4u!milano!wex

------------------------------

Date: Mon, 14 Dec 87 00:32 EST
From: TMPLee@DOCKMASTER.ARPA
Subject: Interchange of ATM Cards
To: risks@csl.sri.com

Although the details, especially the time period, are now fuzzy (perhaps someone else from Minnesota can fill them in), it seems appropriate to note that sometime after ATM's and competing ATM networks started to become popular the Minnesota legislature passed a law REQUIRING that ALL ATM's accept each other's cards.  The law was virtually unheralded.  I seem to recall being quite surprised when, either by accident or out of idle curiosity, I first discovered that the card for one network would work on another.  Most of the machines now carry notices listing all of the other cards they will take; originally there was no such notice.

------------------------------

To: risks@kl.sri.com
Subject: PacBell Calling Card Security (or lack thereof)
Date: Sun, 13 Dec 87 21:36:14 PST
From: Brent Chapman <chapman%mica.Berkeley.EDU@violet.berkeley.edu>

I just recently got my new Pacific Bell Calling Card.  On the sheet describing where, how, and why to use your card, there is a section (quoted):

  It's Secure.

  Your Calling Card Number is made up of your billing number and a four-digit Security Code.  Your Calling Card cannot be used without this Security Code, so you are protected from unauthorized calling as long as you keep your code safe.

Sounds good, right?  Standard stuff.  _BUT_, elsewhere ON THE VERY SAME PAGE, in the descriptions of where you can use your card, you find (emphasis mine):

  At Pacific Bell Credit Card Phones:

  You'll find new Pacific Bell Credit Card Phones at airports and hotels near other Pacific Bell coin and coinless phones.  These, which will be appearing at many other locations as well, allow you to simply insert your Calling Card and press the number you want.
  YOU DON'T EVEN NEED TO GIVE YOUR SECURITY CODE, BECAUSE THE MACHINE READS IT FROM THE CARD.

Gee, ain't technology wonderful?  Any bets that only PacBell can read the code from the card?

Brent Chapman
Senior Programmer/Analyst
{lll-tis,ucbvax!cogsci}!capmkt!brent
capmkt!brent@{lll-tis.arpa,cogsci.berkeley.edu}
Capital Market Technology, Inc.
1995 University Ave., Suite 390
Berkeley, CA 94704
Phone: 415/540-6400

    [If your card is lost or stolen, who needs to read the security code?  By the way, there were several other messages along these lines, including one from David Robinson.  PGN]

------------------------------

Date: Mon, 14 Dec 87 09:38:55 est
From: Franklin Davis <fad@Think.COM>
To: risks@kl.sri.com
Subject: IBM invaded by a Christmas virus

This article seems to have a lot of things in it that the reporter didn't understand.  I assume that the "terminals" in question are really PC's connected to the mainframes; for one thing.  Probably the users were connected by 3270 type terminals (or emulations on a PC) which use a half-duplex block mode protocol.  If you turn off such a terminal your session is aborted, and you lose current edits.  It is also very difficult to interrupt an executing program, since it "owns" the line.  There is a "system-attention" key, but a busy system may take literally minutes to respond.  (I'm glad I don't have to use an IBM mainframe any more!!  :-)

--Franklin Davis
Thinking Machines Corp.
fad@think.com

------------------------------

End of RISKS-FORUM Digest
************************
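The following is an added worked example, not part of the digest or of any contributor's message. It reconstructs the kind of defect Robert Stroud's DHSS item describes: a "speeded up" price-index program that discards everything after the decimal point (the pence) before aggregating, beside a reference computation that keeps full precision, and the comparison check that would have exposed the divergence on the first monthly run rather than 21 months later. The basket prices, item count and function names are constructed for illustration; no figure below is taken from the Retail Price Index.

```python
"""
Truncation-before-aggregation bias in a price index (added example).

Two implementations of the same monthly index calculation are compared:
the reference path sums full prices in pounds and pence, the "fast" path
truncates each price to whole pounds first (the defect reported in the
DHSS story).  Truncation is not a small, self-cancelling rounding error:
price movements that stay within a pound vanish entirely, so an index built
on truncated prices can report no inflation at all while prices are rising.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
from typing import Sequence

# Constructed basket: the same six household items priced in two months.
# Every price rises by a few pence; none crosses a whole-pound boundary.
BASKET_JAN = [Decimal(s) for s in ("1.10", "2.45", "5.60", "0.89", "3.30", "7.75")]
BASKET_FEB = [Decimal(s) for s in ("1.14", "2.53", "5.78", "0.92", "3.41", "7.99")]


def truncate_to_pounds(price: Decimal) -> Decimal:
    """The defect: discard everything after the decimal point."""
    return price.quantize(Decimal("1"), rounding=ROUND_DOWN)


def basket_cost(prices: Sequence[Decimal], fast_path: bool) -> Decimal:
    """Total basket cost; the fast path truncates each price before summing."""
    if fast_path:
        return sum((truncate_to_pounds(p) for p in prices), Decimal("0"))
    return sum(prices, Decimal("0"))


def monthly_change_percent(base: Sequence[Decimal], current: Sequence[Decimal],
                           fast_path: bool) -> Decimal:
    """Percentage change in basket cost, rounded to 0.01 only at the very end."""
    b = basket_cost(base, fast_path)
    c = basket_cost(current, fast_path)
    return ((c - b) / b * 100).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def fast_path_agrees(base: Sequence[Decimal], current: Sequence[Decimal],
                     tolerance: Decimal = Decimal("0.01")) -> bool:
    """Regression check: an optimised computation must reproduce the reference
    result on the same input to within a declared tolerance.  Running this on
    every monthly batch is the control that was missing in the DHSS case."""
    reference = monthly_change_percent(base, current, fast_path=False)
    fast = monthly_change_percent(base, current, fast_path=True)
    return abs(reference - fast) <= tolerance


if __name__ == "__main__":
    print("reference change:", monthly_change_percent(BASKET_JAN, BASKET_FEB, False), "%")
    print("fast-path change:", monthly_change_percent(BASKET_JAN, BASKET_FEB, True), "%")
    print("fast path agrees with reference:", fast_path_agrees(BASKET_JAN, BASKET_FEB))
```

On this basket the reference path reports a 3.22% rise and the fast path reports 0.00%, so the check fails immediately. The sign of the truncation error depends on the data: a basket in which several items cross a whole-pound boundary can just as easily overstate the change, which is why the defect cannot be corrected by a fixed adjustment and has to be caught by comparing against a full-precision computation.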