University of Bielefeld -  Faculty of technology
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.
This page was copied from:

The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18, Issue 51

Weds 9 October 1996


o $850 Million Social Security Problem
Scott Lucero
o "ATMs chew up 400 bank cards"
Daniel P. B. Smith
o Crisps (chips), football (soccer) & the web
Geert Jan van Oldenborgh
o A Premature Comment on the Aeroperu Flight 603 B757 accident
Peter Ladkin
o You think this database anonymizes entries?
Identity withheld by request
o Re: RISKS of temporary change-of-addresses
Leonard Erickson
o Another mail-forwarding problem
Adrian Howard
o Risks of deferred ISDN charges
Bob Frankston
o Re: Queensland Police put Wanted Poster on the Web
Mark Eckenwiler
o Mailing list/vacation/autoresponder
Daniel P. B. Smith
o Re: USPS Mail Forwarding
Frank Caggiano
Jonathan I. Kamens
o Re: politics and safety
Steven Philipson
o Communications Unleashed - CPSR conference program
Susan Evoy
o Info on RISKS (comp.risks)

$850 Million Social Security Problem

lucero <>
Fri, 04 Oct 1996 11:11:15 EST
     In the Daily Brief, the *Los Angeles Times* reported that, according to
     Social Security Administration officials, some 695,000 Social Security
     recipients have been underpaid since 1972, due to a computer program error.
       - total unpaid benefits are estimated at $850 million, with
         an average amount per affected recipient of $1,500.
       - the SSA says about 400,000 of those affected have been
         identified and will be getting the back payments.
     One RISK of latent bugs in financial systems is that dollars and interest
     really pile up after a while.
     Scott Lucero, U.S. Army OPTEC
       [Note: RISKS-16.67, 23 Dec 1994, had an item contributed by Mike Manos
       from *Federal Computer Week*, 21 Nov 1994, on the discovery of this
       problem, which at the time was estimated at $478.5 million.  That item
       says that the problem occurred in 1978, when employers began reporting
       earnings annually rather than quarterly.  The item I saw on 04 Oct 1996
       said the software flaw was introduced in 1972.  In any event, the problem
       was evidently first detected in 1994, as reported in RISKS-16.67.  PGN].

"ATMs chew up 400 bank cards"

"Daniel P. B. Smith" <>
Sat, 5 Oct 1996 13:39:06 -0400 (EDT)
     *The Boston Globe*, 5 Oct 1996, p. B5:
     > About 400 US Trust customers had their automated teller machine cards
     > eaten Thursday night when the bank's linkup with the regional ATM network
     > broke down for two hours.  Bank officials said they still are trying to
     > find out what went wrong....  Customers trying to use their ATM cards
     > between 6:30 p.m. and 8:30 p.m. were told that their personal
     > identification numbers had been keyed in incorrectly.  When they tried it
     > again, the machine ate their card.  [A US Trust spokesperson] said only
     > US Trust customers using another bank's ATM machine were affected.
     You'd think "you have entered the wrong password" and "the network is down"
     would be distinguishable conditions with different error handling, wouldn't
     Daniel P. B. Smith

Crisps (chips), football (soccer) & the web

Geert Jan van Oldenborgh <>
Thu, 3 Oct 1996 23:20:13 +0200
     Two weeks ago, one of the largest potato-cutters in the Netherlands started
     a competition.  Building on the typical couch-potato's perceived expertise
     in football (soccer) they announced they would put a 'scorecard' into an
     unspecified proportion of their bags of crisps (chips).  It has two
     scratchable pictures of a football game, without ball, and a superimposed
     grid.  The idea was that the expert would guess where the ball was, verify
     that guess by scratching off the protective layer of that gridsquare only,
     and claim fl 10 (~US$ 6) when both were right.
     However, the inevitable happened: two students set up a web site with the
     information gathered so far, and a request for anybody who had guessed right
     or wrong to share the information.  Within two weeks the database had the
     correct ball position for all 1445 pictures, and the crisp-fryer called off
     the competition, muttering things about unsportsmanlike behaviour.
     The RISK?  Assuming knowledge does not spread is clearly not appropriate
     with the web around...
     Geert Jan van Oldenborgh

A Premature Comment on the Aeroperu Flight 603 B757 accident

Peter Ladkin <ladkin@TechFak.Uni-Bielefeld.DE>
Mon, 7 Oct 1996 21:05:59 +0200
     On 2 Oct 1996, Aeroperu Flight 603, a Boeing B757, took off from Lima at
     12.45am en route to Santiago, Chile, and disappeared from radar at 1.10am.
     According to CNN, the pilot had reported mechanical problems, that he was
     turning back, and had declared an emergency before radio and radar contact
     was lost. I do not normally report details of accidents so early, for
     reasons discussed recently in RISKS (Mills, 18.42; Dorsett, 18.43; Ladkin,
     18.44; Mills, 18.45, Dorsett, 18.46) and am somewhat uncomfortable about
     feeling a need to comment so soon on this case.
     The Peruvian Transport Minister, Elsa Carrera de Escalante, declared
     to The Times that "it seems there was a blockage in the computer
     system".  According to CNN, she told a news conference that "it is not
     the first time that one of these planes has had this kind of fault. We
     have to find out why the computers went crazy". The Times reported the
     story as `Computers Blamed...' and CNN as `Computer Failure
     Puzzling...'  The Electronic Telegraph reported that Gen Juan Piperes,
     fire chief of the Peruvian port of Callao, said: "The plane's whole
     system completely failed."
     I am thus concerned about a rumor starting that attributes the cause
     of the crash to be a computer failure. It has not been so determined.
     The information available so far to anyone is gleaned from the
     transcript of pilot/controller conversation, and radar plots. These,
     by themselves, are insufficient to determine the nature of the
     problems. Until the digital flight data recorder (DFDR) and cockpit
     voice recorder (CVR) are recovered and analysed, very little can be
     determined about the sequence of events leading to the accident.
     The B757 was introduced into service in January 1983 [*] and flew until
     December 1995 with an unblemished safety record. There have been accidents
     on 20 December 1995 (near Cali, Colombia) and 6 February 1996 (near Puerto
     Plata, Dominican Republic), and now this one. In both of the previous
     accidents, pilot procedural errors, including errors in interacting with the
     flight management systems, played the decisive role. There were no technical
     failures, whether of structure or of flight management systems, involved in
     the Cali accident; the sole technical system failure in the Birgenair
     accident is (so far) presumed to have been caused by a blocked pitot tube.
     The B757 has three physically independent pitot-static systems, of which two
     seem to have been operating normally. It seems that normal procedures to
     cope with the single pitot-static failure were not followed by the Birgenair
     crew. The final report on the Puerto Plata accident is not yet published. If
     a computer failure `caused' the Aeroperu crash, it would be the first time.
     There is no precedent for computer failure in a B757 accident, contrary to
     what Senora Carrera's statement would seem to suggest.
     When the data from the CVR and DFDR are in, they might show that it
     would be worth questioning if the pilot's interaction with automated
     flight management may have contributed to the accident, as it did with
     both the previous accidents. Although this would be an HCI question,
     it's not a computer system failure per se. All sorts of hypothetical
     questions such as this may arise.
     In any case, if computers were involved, it's exceptionally unlikely
     that they could be the sole cause, as I shall demonstrate.  The B757
     aircraft uses computer systems for displaying air data, for
     navigation, and for autopilot control and flight management. It does
     not use computers for flight control, which is achieved by
     conventional hydromechanical systems. Furthermore, the air data
     computer systems are backed up by conventional electromechanical
     `standby' instruments of highly reliable design used for over half a
     century.  The integrity of these physically-operated standby systems
     along with that of the physically-operated flight controls, as well as
     structural integrity, suffices to conduct safe flight in this
     airplane. From this fact, we may already draw some broad conclusions.
     Let me thus divide the possible sequences of events into three.
     First, suppose normal control of the aircraft was lost. The B757 is
     conventionally controlled (not computer-controlled), and the air data
     systems have electromechanical backups. Therefore, in the event
     control was lost, either these backup systems would have had to fail
     also (in which case there would be a physical contributing factor), or
     the pilot would have to have made ineffective use of these backup
     systems (in which case either inappropriate pilot action or some other
     cognitive confusion would also be a contributing factor), or the
     autopilot flew the aircraft into an out-of-control situation (as in
     the Birgenair accident), in which case the pilot's behavior in
     engaging and not disengaging the autopilot would be a factor, or the
     pilot would somehow otherwise have allowed control to be lost. No one has
     yet determined whether any of these situations occurred.
     Second, if normal control was not lost, then either the aircraft must have
     suffered some form of structural failure in normal flight, which
     computers alone could not have been responsible for (structures can fail
     under normal control inputs if the aircraft is in an overspeed condition,
     but normally not otherwise); or the aircraft flew under control into the
     water (i.e., a CFIT, Controlled Flight Into Terrain, accident), in which
     case pilot behavior or engine failure must also have played a role.
     These alternatives cover, grossly, all the possible scenarios.  Since
     computers alone could not cause any of them, we may conclude that
     singling out computer failure of any kind cannot be the whole story.
     Since no one is able yet even to determine which of the above alternatives
     occurred (or one that I missed:-), it is certainly premature to attribute
     a cause of the accident.
     More information on the accident, press reports, and the aircraft, as well as
     links to original sources and reports on the Cali and Puerto Plata
     accidents, may be found in my Compendium `Computer-Related Incidents
     and Accidents With Commercial Aircraft', available through
     Peter Ladkin
        [* 1983 is correct.  This is a correction in the archive copy.  PGN]

You think this database anonymizes entries?

<[Identity withheld by request]>
Wed, 9 Oct 1996 11:38:58 PDT
     Here's an interesting example of Info-War.
     Many of us have seen and heard the television and radio commercials for a
     new in-home HIV test that is accurate, fast, and anonymous.
     The test works as follows:
     You buy the kit.  Go home and follow the directions and obtain a sample.
     Mail the sample to the lab.  In 3 days, call the lab and enter in the
     `secret' code and the results of the test performed on the sample matching
     your `secret' code will be revealed to you.  The secret code is used to
     ensure anonymity so the user doesn't have to reveal their name.
     Accurate? I believe so..
     Fast? Three days is pretty fast..
     Anonymous? Not at all!!! And here's why.
     Whenever you call a 1-800 number, your phone number is captured and
     forwarded to the company for billing purposes.  It is also available to the
     PBX in the form of ANI which can then be sent to the automated phone system
     that processes the request.  In the HIV test scenario, the company that is
     called has a record of the calling phone number (ANI), and the requested
     `secret' code.  Since they already have the test results, the company is now
     able to match the phone number, which can be looked up, and the HIV status.
     In effect, the company is capable of covertly developing a database
     containing the names, addresses, phone number, and HIV status of the people
     who purchase and take the test.
     Who would want this database?
     Government, insurance companies, employers, you name it.  Most health
     related information is considered confidential and will not be released by
     either the government or the physicians.  If someone had a `secret'
     database that contained the HIV status of millions of people, then the
     interested organisations would have a discreet way of `checking-out'
     potential clients, or employees.

Re: RISKS of temporary change-of-addresses (McFadden, RISKS-18.50)

Leonard Erickson <>
Fri, 4 Oct 1996 23:33:29 PST
     Try this one on for size.
     I have the bad luck to have moved into an apartment where the previous
     tenant had the same last name. Other than that we have nothing in common as
     far as I can tell. I'm male, she was female. First names aren't at all
     But I still get her mail and have to be *very* careful about how I turn it
     over to the post office. The first time I just marked it "Not at this
     address", and it wasn't until a check didn't appear that I found out the post
     office had just blithely started bouncing my mail!
     It's currently "handled" by my having had a talk with the carrier, and being
     careful to circle the first name *only* when writing not at this address...
     From comments made in this forum in the past, I'm not certain that the
     system the post office uses for tracking forwarding orders can deal with
     this properly. Anyone know for sure?
     Oh yeah, to add insult to injury, I got a card from the previous previous
     tenant's dentist reminding him to come in for a checkup. I wrote "not at
     this address" on it and dropped it in the outgoing box.  Several days later,
     it was back again. That's *really* stupid!
     Leonard Erickson (aka Shadow)

Another mail-forwarding problem

Adrian Howard <>
Fri, 4 Oct 1996 11:50:48 +0100
     Another mail-forwarding problem with a slightly different (and older) cause.
     I've recently moved to flat numbered 03. Note that leading zero because, for
     various historical reasons I've yet to fathom, there is also a separate flat
     3 at the same address.
     I arranged mail forwarding from my previous address --- no prizes for
     guessing where the mail actually arrived.
     After several phone calls, the operator at the post office finally realised
     that the software was stripping the leading zero as he typed it in...  I now
     live at "flat zero three" as this seemed the only solution to the problem.
     Since then I have encountered similar problems with various utility and
     delivery companies.
     Risks: a variation of the old theme of making assumptions about the format
     of input data: "nobody has a street name with more than 20 characters",
     "everybody has a middle initial", etc.  Although in this case I think the
     person who came up with the foolish numbering system for the flats has to
     share some of the blame.
     Adrian Howard. Head Techie. Victoria Real Ltd.
     e. - v. +44 (0) 1273 774469 - f. +44 (0) 1273 779960

Risks of deferred ISDN charges

Sat, 5 Oct 1996 15:13 -0400
     This is in response to a query about why I received a year's worth of Long
     Distance charges all at once. The name of the carrier has been omitted to
     protect the very large long-distance carrier (or the remaining third). The
     original was sent all upper case; this is an OCRed version.
     DEAR ***
     AT .1-800-***-****

Re: Queensland Police put Wanted Poster on the Web (Roberts, R-18.50)

Mark Eckenwiler <>
Fri, 4 Oct 1996 12:57:12 -0400 (EDT)
     Of course, the FBI has had the Ten Most Wanted up in a web page here
     in the US for some time; see
     I wrote Director Freeh a letter many months ago pointing out that the
     FBI ought to a) digitally sign these mug shots and b) embed expiry
     dates, given the problems of forgery, ease-of-duplication/
     dissemination, and persistence.  Risks include not only the
     inconvenience to wrongly apprehended persons, but also the cost to law
     enforcement of responding to citizen reports based on forged/stale
     Wanted notices.
     I did not receive a reply.
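
Added example, not part of Mark Eckenwiler's post or of any FBI system: one way the two suggestions above (a signature over the notice and an expiry date inside the signed data) fit together, sketched in Go with Ed25519. The `Notice` fields, the sample values and the 30-day lifetime are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Notice is a constructed record; every field name here is an assumption.
type Notice struct {
	Subject     string    `json:"subject"`
	ImageSHA256 string    `json:"image_sha256"` // binds the photo to the text
	Expires     time.Time `json:"expires"`
}

// SignedNotice carries the exact bytes that were signed plus the signature.
type SignedNotice struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrExpired      = errors.New("notice has expired")
)

// Sign serialises the notice and signs those bytes with the issuer's key.
func Sign(priv ed25519.PrivateKey, n Notice) (SignedNotice, error) {
	payload, err := json.Marshal(n)
	if err != nil {
		return SignedNotice{}, err
	}
	return SignedNotice{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature first and only then trusts the expiry date
// found inside the signed payload.
func Verify(pub ed25519.PublicKey, sn SignedNotice, now time.Time) (Notice, error) {
	if !ed25519.Verify(pub, sn.Payload, sn.Signature) {
		return Notice{}, ErrBadSignature
	}
	var n Notice
	if err := json.Unmarshal(sn.Payload, &n); err != nil {
		return Notice{}, err
	}
	if !now.Before(n.Expires) {
		return n, ErrExpired
	}
	return n, nil
}

// DemoNotices returns the verification result for a fresh copy, a stale copy,
// and a copy whose expiry was extended after signing.
func DemoNotices() (fresh, stale, forged error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return err, err, err
	}
	issued := time.Date(1996, 10, 4, 0, 0, 0, 0, time.UTC)
	n := Notice{Subject: "J. Doe (constructed)", ImageSHA256: "constructed-digest",
		Expires: issued.AddDate(0, 0, 30)}
	sn, err := Sign(priv, n)
	if err != nil {
		return err, err, err
	}
	_, fresh = Verify(pub, sn, issued.AddDate(0, 0, 1))
	_, stale = Verify(pub, sn, issued.AddDate(0, 6, 0))
	n.Expires = issued.AddDate(10, 0, 0) // tamper: push expiry out ten years
	altered, _ := json.Marshal(n)
	_, forged = Verify(pub, SignedNotice{Payload: altered, Signature: sn.Signature},
		issued.AddDate(0, 0, 1))
	return fresh, stale, forged
}

func main() {
	fmt.Println(DemoNotices())
}
```

Because the expiry date sits inside the signed bytes, a copy that has been circulating past its date fails on expiry, and a copy with the date edited fails on the signature.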

Mailing list/vacation/autoresponder

"Daniel P. B. Smith" <>
Sun, 6 Oct 1996 11:13:47 -0400 (EDT)
     So this guy goes on vacation, see, and he's on this mailing list that sends
     out a 32K digest approximately daily, see, so when his autoreplier gets the
     mailing it sends back a chatty little personal note to the whole list,
     quoting the entire digest in full each time which, of course, creates a
     loop... and about the time someone gets THAT shut off, a very highly-placed
     honcho who is a _user-interface guru_ and _internet expert_ decides to send
     a chide-o-gram to this guy.  Who's on vacation.  Actually, it's his
     honeymoon, as he's mentioned.  Repeatedly.  So we _hope_ he isn't going to
     be hopping up every five minutes to check e-mail, right?
     But accidentally, the highly-placed honcho sends this note to the whole
     list.  Helpfully quoting the entire digest.  In full.
     Fortunately, this is a great mailing list and the back issues are well
     worth repeated rereading.
     Yeah, it happens all the time, to all of us.  And exactly how long have we
     been building e-mail software and mailing lists and using the network and
     reading and writing books about user interface design?  Don't you sometimes
     think we're all too stupid to be trusted with anything important?
     Daniel P. B. Smith
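
Added example, not part of the post above or of any particular mail program: the checks a vacation responder can make before answering, so that list digests and other robots' replies never trigger a reply and each correspondent hears from it at most once per interval. `Responder`, the seven-day interval and the sample messages are constructed for the illustration; the reply goes to the author in From only, never to the list.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
	"time"
)

// Responder is a hypothetical vacation autoresponder's loop guard.
type Responder struct {
	Interval time.Duration        // minimum gap between replies to one sender
	lastSent map[string]time.Time // sender address -> last auto-reply
}

// Decide reports whether to auto-reply, the one address to reply to, and why.
func (r *Responder) Decide(raw string, now time.Time) (bool, string, string) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return false, "", "unparseable message"
	}
	h := msg.Header
	// Never answer another robot (Auto-Submitted is defined in RFC 3834).
	auto := strings.ToLower(strings.TrimSpace(h.Get("Auto-Submitted")))
	if auto != "" && auto != "no" {
		return false, "", "automatic message"
	}
	// Never answer list traffic, however it is marked.
	for _, name := range []string{"List-Id", "List-Post", "List-Unsubscribe"} {
		if h.Get(name) != "" {
			return false, "", "mailing-list traffic"
		}
	}
	switch strings.ToLower(strings.TrimSpace(h.Get("Precedence"))) {
	case "bulk", "list", "junk":
		return false, "", "bulk precedence"
	}
	from, err := mail.ParseAddress(h.Get("From"))
	if err != nil {
		return false, "", "no usable sender"
	}
	// Reply to the author alone, and at most once per interval.
	addr := strings.ToLower(from.Address)
	if last, ok := r.lastSent[addr]; ok && now.Sub(last) < r.Interval {
		return false, "", "already replied recently"
	}
	r.lastSent[addr] = now
	return true, addr, "personal message"
}

// DemoResponder runs four constructed messages through one responder.
func DemoResponder() []string {
	r := &Responder{Interval: 7 * 24 * time.Hour, lastSent: map[string]time.Time{}}
	digest := "From: list-owner@lists.example\nList-Id: <digest.lists.example>\n" +
		"Precedence: list\nSubject: Digest 51\n\n(32K of digest)\n"
	personal := "From: Pat <pat@example.org>\nSubject: lunch?\n\nAre you around?\n"
	robot := "From: away@example.net\nAuto-Submitted: auto-replied\n" +
		"Subject: Re: Digest 51\n\nI am on my honeymoon.\n"
	t0 := time.Date(1996, 10, 6, 9, 0, 0, 0, time.UTC)
	var out []string
	for i, raw := range []string{digest, personal, personal, robot} {
		_, _, why := r.Decide(raw, t0.Add(time.Duration(i)*time.Hour))
		out = append(out, why)
	}
	return out
}

func main() {
	for _, why := range DemoResponder() {
		fmt.Println(why)
	}
}
```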

Re: USPS Mail Forwarding (Smith, RISKS 18.50)

Frank Caggiano <>
Fri, 04 Oct 1996 15:24:01 -0400
     The web page
     mentioned in RISKS-18.50 for postal change of address does not send the
     change of address form electronically. (At least not as of 4 Oct).  After
     reading the message in Risks, I thought I would try it out.  Figuring that
     there would be a confirmation after filling out the form, I put in a change
     of address for myself.  After entering information on a number of pages you
     are finally directed to print out the form and give it to your letter
     carrier or to mail it to your postmaster.  There is some mention of their
     work on coming up with a secure system to allow the form to be filed via
     As for the suggestion that all change of addresses be done in person, I
     don't see how this would solve anything.  A photo id would be required to
     confirm your identity (as a minimum) and we all know how easy it is to
     obtain a false one.  Also any system is only as good as the people running
     it.  On numerous occasions I have gone to the post office to pick up mail
     that they were holding for me and not once was I asked for ID (different
     offices, different clerks).
     Frank Caggiano

Re: USPS Mail Forwarding (Smith, RISKS 18.50)

"Jonathan I. Kamens" <>
Fri, 4 Oct 1996 08:44:00 -0400
     I see no risks from the WWW USPS Change of Address form that are not already
     present in the printed form available in any Post Office.  In both cases,
     you never have to deal with a person or show any ID, and in both cases,
     submission of the form constitutes the claim that it is valid.  Quite
     frankly, I don't see much of a "Risk to the Public in Computers and Related
     Systems" here -- if anything, it's simply a "Risk to the Public".
     I will concede that since it's a lot easier to visit a WWW site and type in
     some information than it is to visit a Post Office, pick up a form, fill it
     out and mail it, the WWW form makes it easier for obnoxious people to submit
     false forwarding requests for other people.  But I don't see that as a very
     big deal, especially because of the verification step outlined in the
     following paragraph.
     Those of you who think that there isn't sufficient verification in the
     USPS mail-forwarding system should perhaps have read the "Q&A About Mail
     Forwarding" page available on the USPS WWW site.  Quoting from it:
     >How will the Postal Service verify that it received a Change of
     >Address Order from me?
     >The Postal Service will promptly mail you a confirmation letter to the
     >address you are leaving, regardless of the date of your move. (For
     >your privacy, it will not mention what your new mail forwarding
     >address will be.) Another confirmation letter will be sent to you at
     >your new address after the date of your move.
     Yes, this does really happen -- I recently filed a Change of Address
     order and did receive the two confirmation letters.
     I assume that the USPS has sufficiently good "exception handling" that if
     you get a letter about a Change of Address Order you never filed and go to
     your Post Office and protest it, they can put a stop on the Change of
     Address.  There is still some room for mischief, e.g., it's possible that
     some mail will be lost before you stop the forwarding, especially if someone
     is clever enough to file it while you are out of town or something, but the
     addition of this step still makes things a heck of a lot more secure than
     they were before.
     I confess that I'm baffled about one thing.... When I put my mail on hold
     when I go out of town, and then go to the Post Office when I get back to
     pick it up, they require me to show ID before they'll give me the mail.  I
     simply do not understand why they don't require people to show ID when
     submitting a Change of Address Order.  The only explanation I can come up
     with is that right now, the minimal number of forged requests is outweighed
     by the increased convenience (and the less USPS-employee time consumed) of
     the current system; this presumably means that if forging Change of Address
     requests for other people ever becomes an "in" thing to do, the USPS is
     going to have to ditch the convenience and start requiring that forms be
     filed in person with ID and notarized by a USPS employee.
     Jonathan Kamens  |  OpenVision Technologies, Inc.  |

Re: politics and safety (Mills, RISKS-18.45)

Steven Philipson <>
Fri, 4 Oct 1996 16:26:40 -0700 (PDT)
     In RISKS-18.45, Dick Mills continued his argument on
     public speculation about the causes of airline disasters.  He states:
     >Mr. Dorsett expands on that theme when he says "It's a political world, not
     >a technical one."  I say no, never.  Mixing demagoguery and science is
     >irresponsible.  It must never be tolerated.
        That's a nice philosophy, but it has no connection to reality.
     Public safety is *never* a technical matter.  It is always and primarily
     political.  If you are a technologist (as are most of us who read RISKS)
     then it is critical that you understand this *if* you want to have an effect
     on public policy.  If there is no political force driving a public issue
     then nothing is done no matter how compelling the technical case.  Technical
     changes are virtually never implemented unless someone has a political (or
     financial) motivation to do so.
     Here's a case in point.  In 1985 two friends of mine were killed while
     flying a light aircraft.  When the details of the accident were released it
     became obvious to me and several others that a major technical error was
     committed by the pilots.  This was an error attributable to lack of
     knowledge/training.  Unfortunately, the NTSB investigators on the case were
     also not familiar with the critical technical issue of the accident
     (dynamics of low-performance aircraft in mountain wave conditions) and
     omitted any mention of this error in the accident report.  No
     recommendations have been issued which could help prevent additional
     accidents of this type, and they continue to occur with painful regularity
     I have expended a significant amount of effort over the last 11 years in
     trying to get the NTSB and FAA to recognize the problem and to modify pilot
     and controller training such that accidents from this cause could be reduced
     or eliminated.  There have been some encouraging results, but in the large
     the government has not moved.
     The problem is *not* technical; the solution to the problem is well known.
     Rather, the problem is that there is not enough political force involved to
     motivate key government players.  It likely will take either a major
     accident or the death of a prominent person before changes will be mandated.
     In the meantime, public discussion of the issues is the *only* means
     available to disseminate this information and influence public safety.  To
     that end, I have several web pages
     that are intended to inform people interested in the subject and keep the
     matter in the public eye.  I also regularly speak on the subject at local
     venues and deliberately note the problem of political apathy on this matter.
     I am working on various political moves in an attempt to force the issue,
     but in the meantime all I can do is discuss the problem in public to the
     maximum extent possible.
     Mr. Mills states: "Mixing demagoguery and science is irresponsible.  It must
     never be tolerated."  On the contrary.  In this case and in others, mixing
     politics and technology is likely the *only* way in which public safety will
     be served.  It is the only responsible course of action at my disposal.
     Steve Philipson

Communications Unleashed - CPSR conference program [RISKS-abridged]

Susan Evoy <sevoy@Sunnyside.COM>
Wed, 2 Oct 1996 11:39:02 -0700
                         presents a conference on
                         COMMUNICATIONS UNLEASHED
            What's At Stake? Who Benefits? How To Get Involved!
                            OCTOBER 19-20, 1996
                     Georgetown University, Washington, DC
       Co-sponsored by the Communication, Culture, and Technology program
       of the Graduate School of Arts and Sciences at Georgetown University
     Saturday sessions:
     10:45 - 12:00  TOOLKITS FOR ACTIVISTS
      3:00 -  4:15  INFORMATION RIGHTS
      6:30 -  8:00  Dinner and presentation of the Norbert Wiener Award to
             Phil Zimmermann, inventor of PGP (Pretty Good Privacy)
     Sunday sessions:
      9:15 - 10:30   Concurrent workshops
                    A. Using the Internet for progressive political action
                    B. Internet legal issues
                    C. Broadcasting and mass media
     10:45 - 12:00  Concurrent workshops
                    A. Communications access and the consumer
                    B. Media tactics and outreach
                    C. Civic networking
     PM: CPSR ANNUAL MEETING (Attendance is free and open to the public)
          at 415-322-3778, 703-739-9320 or or
     Computer Professionals for Social Responsibility, P.O. Box 717, Palo Alto CA
     94302  Phone: (415) 322-3778  Fax: (415) 322-4748

Last modification on 1999-06-15
by Michael Blume