|University of Bielefeld - Faculty of technology|
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.
|Back to Abstracts of References and Incidents||Back to Root|
|This page was copied from: http://catless.ncl.ac.uk/Risks/18.51.html|
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
In the Daily Brief, the *Los Angeles Times* reported that, according to Social Security Administration officials, some 695,000 Social Security recipients have been underpaid since 1972, due to a computer program error. - total unpaid benefits are estimated at $850 million, with and average amount per affected recipient of $1,500. - the SSA says about 400,000 of those affected have been identified and will be getting the back payments. One RISK of latent bugs in financial systems is that dollars and interest really pile up after awhile. Scott Lucero, U.S. Army OPTEC [Note: RISKS-16.67, 23 Dec 1994, had an item contributed by Mike Manos from *Federal Computer Week, 21 Nov 1994, on the discovery of this problem, which at the time was estimated at $478.5 million. That item says that the problem occurred in 1978, when employers began reporting earnings annually rather than quarterly. The item I saw on 04 Oct 1996 said the software flaw was introduced in 1972. In any event, the problem was evidently first detected in 1994, as reported in RISKS-16.67. PGN].
*The Boston Globe*, 5 Oct 1996, p. B5: > About 400 US Trust customers had their automated teller machine cards > eaten Thursday night when the bank's linkup with the regional ATM network > broke down for two hours. Bank officials said they still are trying to > find out what went wrong.... Customers trying to use their ATM cards > between 6:30 p.m. and 8:30 p.m. were told that their personal > identification numbers had been keyed in incorrectly. When they tried it > again, the machine ate their card. [A US trust spokesperson] said only > US Trust customer's using another bank's ATM machine were affected. You'd think "you have entered the wrong password" and "the network is down" would be distinguishable conditions with different error handling, wouldn't you? Daniel P. B. Smith firstname.lastname@example.org
Two weeks ago, one of the largest potato-cutters in the Netherlands started a competition. Building on the typical couch-potato's perceived expertise in football (soccer) they announced they would put a 'scorecard' into an unspecified proportion of their bags of crisps (chips). It has two scratchable pictures of a football game, without ball, and a superimposed grid. The idea was that the expert would guess where the ball was, verify that guess by scratching off the protective layer of that gridsquare only, and claim fl 10 (~US$ 6) when both were right. However, the inevitable happened: two students set up a web site with the information gathered so far, and a request for anybody who had guessed right or wrong to share the information. Within two weeks the database had the correct ball position all 1445 pictures, and the crisp-fryer called off the competition, muttering things about unsportmanlike behaviour. The RISK? Assuming knowledge does not spread is clearly not appropriate with the web around... Geert Jan van Oldenborgh email@example.com
On 2 Oct 1996, Aeroperu Flight 603, a Boeing B757, took off from Lima at 12.45am en route to Santiago, Chile, and disappeared from radar at 1.10am. According to CNN, the pilot had reported mechanical problems, that he was turning back, and had declared an emergency before radio and radar contact was lost. I do not normally report details of accidents so early, for reasons discussed recently in RISKS (Mills, 18.42; Dorsett, 18.43; Ladkin, 18.44; Mills, 18.45, Dorsett, 18.46) and am somewhat uncomfortable about feeling a need to comment so soon on this case. The Peruvian Transport Minister, Elsa Carrera de Escalante, declared to The Times that "it seems there was a blockage in the computer system". According to CNN, she told a news conference that "it is not the first time that one of these planes has had this kind of fault. We have to find out why the computers went crazy". The Times reported the story as `Computers Blamed...' and CNN as `Computer Failure Puzzling...' The Electronic Telegaph reported that Gen Juan Piperes, fire chief of the Peruvian port of Callao, said: "The plane's whole system completely failed." I am thus concerned about a rumor starting that attributes the cause of the crash to be a computer failure. It has not been so determined. The information available so far to anyone is gleaned from the transcript of pilot/controller conversation, and radar plots. These, by themselves, are insufficient to determine the nature of the problems. Until the digital flight data recorder (DFDR) and cockpit voice recorder (CVR) are recovered and analysed, very little can be determined about the sequence of events leading to the accident. The B757 was introduced into service in January 1983 [*] and flew until December 1995 with an unblemished safety record. There have been accidents on 20 December 1995 (near Cali, Colombia) and 6 February 1996 (near Puerto Plata, Dominican Republic), and now this one. In both of the previous accidents, pilot procedural errors, including errors in interacting with the flight management systems, played the decisive role. There were no technical failures, whether of structure or of flight management systems, involved in the Cali accident; the sole technical system failure in the Birgenair accident is (so far) presumed to have been caused by a blocked pitot tube. The B757 has three physically independent pitot-static systems, of which two seem to have been operating normally. It seems that normal procedures to cope with the single pitot-static failure were not followed by the Birgenair crew. The final report on the Puerto Plata accident is not yet published. If a computer failure `caused' the Aeroperu crash, it would be the first time. There is no precedent for computer failure in a B757 accident, contrary to what Senora Carrera's statement would seem to suggest. When the data from the CVR and DFDR are in, they might show that it would be worth questioning if the pilot's interaction with automated flight management may have contributed to the accident, as it did with both the previous accidents. Although this would be an HCI question, it's not a computer system failure per se. All sorts of hypothetical questions such as this may arise. In any case, if computers were involved, it's exceptionally unlikely that they could be the sole cause, as I shall demonstrate. The B757 aircraft uses computer systems for displaying air data, for navigation, and for autopilot control and flight management. It does not use computers for flight control, which is achieved by conventional hydromechanical systems. Furthermore, the air data computer systems are backed up by conventional electromechanical `standby' instruments of highly reliable design used for over half a century. The integrity of these physically-operated standby systems along with that of the physically-operated flight controls, as well as structural integrity, suffices to conduct safe flight in this airplane. From this fact, we may already draw some broad conclusions. Let me thus divide the possible sequences of events into three. First, suppose normal control of the aircraft was lost. The B757 is conventionally controlled (not computer-controlled), and the air data systems have electromechanical backups. Therefore, in the event control was lost, either these backup systems would have had to fail also (in which case there would be a physical contributing factor), or the pilot would have to have made ineffective use of these backup systems (in which case either inappropriate pilot action or some other cognitive confusion would also be a contributing factor), or the autopilot flew the aircraft into an out-of-control situation (as in the Birgenair accident), in which case the pilot's behavior in engaging and not disengaging the autopilot would be a factor, or the pilot would somehow otherwise have allowed control to be lost. No one has yet determined whether any of these situations occurred. Second, if normal control was not lost, then either the aircraft must have suffered some form of structural failure in normal flight, which computers alone could not have been responsible for (structures can fail under normal control inputs if the aircraft is in an overspeed condition, but normally not otherwise); or the aircraft flew under control into the water (i.e., a CFIT, Controlled Flight Into Terrain, accident), in which case pilot behavior or engine failure must also have played a role. These alternatives cover, grossly, all the possible scenarios. Since computers alone could not cause any of them, we may conclude that singling out computer failure of any kind cannot be the whole story. Since no one is able yet even to determine which of the above alternatives occurred (or one that I missed:-), it is certainly premature to attribute a cause of the accident. More information on the accident, press reports, and the aircraft, as well as links to original sources and reports on the Cali and Puerto Plata accidents, may be found in my Compendium `Computer-Related Incidents and Accidents With Commercial Aircraft', available through http://www.techfak.uni-bielefeld.de/~ladkin/ Peter Ladkin [* 1983 is correct. This is a correction in the archive copy. PGN]
Here's an interesting example of Info-War. Many of us have seen and heard the television and radio commercials for a new in-home HIV test that is accurate, fast, and anonymous. The test works as follows: You buy the kit. Go home and follow the directions and obtain a sample. Mail the sample to the lab. In 3 days, call the lab and enter in the `secret' code and the results of the test performed on the sample matching your `secret' code will be revealed to you. The secret code is used to ensure anonymity so the user doesn't have to reveal their name. Accurate? I believe so.. Fast? Three days is pretty fast.. Anonymous? Not at all!!! And here's why. Whenever you call a 1-800 number, your phone number is captured and forwarded to the company for billing purposes. It is also available to the PBX in the form of ANI which can the be sent to the automated phone system that processes the request. In the HIV test scenario, the company that is called has a record of the calling phone number (ANI), and the requested `secret' code. Since they already have the test results, the company is now able to match the phone number, which can be looked up, and the HIV status. In effect, the company is capable of covertly developing a database containing the names, addresses, phone number, and HIV status of the people who purchase and take the test. Who would want this database? Government, insurance companies, employers, you name it. Most health related information is considered confidential and will not be released by either the government nor the physicians. If someone had a `secret' database that contained the HIV status of millions of people, then the interested organisations would have a discreet way of `checking-out' potential clients, or employees.
Try this one on for size. I have the bad luck to have moved into an apartment where the previous tenant had the same last name. Other than that we have nothing in common as far as I can tell. I'm male, she was female. First names aren't at all alike. But I still get her mail and have to be *very* careful about how I turn it over to the post office. The first time I just marked it "Not at this address, and it wasn't until a check didn't appear that I found out the post office had just blithely started bouncing my mail! It's currently "handled" by my having had a talk with the carrier, and being careful to circle the first name *only* when writing not at this address... >From comments nade in this forum in the past, I'm not certain that the system the post office uses for tracking forwarding orders can deal with this properly. Anyone know for sure? Oh yeah, to add insult to injury, I got a card from the previous previous tenant's dentist reminding him to come in for a checkup. I wrote "not at this address" on it and dropped it in the outgoing box. Several days later, it was back again. That's *really* stupid! Leonard Erickson (aka Shadow) firstname.lastname@example.org
Another mail-forwarding problem with a slightly different (and older) cause. I've recently moved to flat numbered 03. Note that leading zero because, for various historical reasons I've yet to fathom, there is also a separate flat 3 at the same address. I arranged mail forwarding from my previous address --- no prizes for guessing where the mail actually arrived. After several phone calls, the operator at the post office finally realised that the software was stripping the leading zero as he typed it in... I now live at "flat zero three" as this seemed the only solution to the problem. Since then I have encountered similar problems with various utility and delivery companies. Risks: a variation of the old theme of making assumptions about the format of input data "nobody has an street name with more than 20 characters", "everybody has a middle initial", etc. Although in this case I think the person who came up with the foolish numbering system for the flats has to share some of the blame. Adrian Howard. Head Techie. Victoria Real Ltd. e. email@example.com - v. +44 (0) 1273 774469 - f. +44 (0) 1273 779960
This is in response to a query about why I received a year's worth of Long Distance charges all at once. The name of the carrier has been omitted to protect the very large long-distance carrier (or the remaining third). The original was sent all upper case, this is an OCRed version. DEAR *** WHEN ISDN LINES APE ESTABLISHED, A CARRIER FOR THE LONG DISTANCE PORTION OF THIS SERVICE IS CHOSEN EITHER BY CHOICE OR BY CHANCE. AT THIS TIME, THE LONG DISTANCE CARRIER IS SUPPOSE TO BE NOTIFIED THAT THEY HAVE BEEN CHOSEN TO PROVIDE THIS SERVICE BY THE CUSTOMER. OFTEN, NEITHER THE CUSTOMER NOR THE LOCAL TELEPHONE COMPANY INFORM THE LONG DISTANCE CARRIER THAT THEY HAVE BEEN PICKED. THIS RESULTS IN UNIDENTIFIED AND UNBILLED USAGE TO ACCUMULATE UNTIL THE USER CAN BE LOCATED AND DETERMINED BY THE LONG DISTANCE CARRIER. THIS IS WHY YOU HAVE A RECEIVED A BILL FROM *** FOR USAGE THAT IS ALMOST A YEAR OLD. SINCE THIS PARTICULAR SERVICE IS UNDER TARRIF (TARRIF F.C.C. NO.4), WE ARE REQUIRED BY LAW TO BACK BILL WHEN IT HAS BEEN DETERMINED WHO USED OUR SERVICE, I HOPE THAT THIS EXPLANATION ANSWERS YOUR QUESTIONS REGUARDING THE BILL THAT YOU HAVE RECEIVED. IF YOU HAVE ANY FURTHER QUESTIONS, PLEASE GIVE US A CALL AT .1-800-***-****
Of course, the FBI has had the Ten Most Wanted up in a web page here in the US for some time; see http://www.fbi.gov/mostwant/tenlist.htm I wrote Director Freeh a letter many months ago pointing out that the FBI ought to a) digitally sign these mug shots and b) embed expiry dates, given the problems of forgery, ease-of-duplication/ dissemination, and persistence. Risks include not only the inconvenience to wrongly apprehended persons, but also the cost to law enforcement of responding to citizen reports based on forged/stale Wanted notices. I did not receive a reply.
So this guy goes on vacation, see, and he's on this mailing list that sends out a 32K digest approximately daily, see, so when his autoreplier gets the mailing it sends back a chatty little personal note to the whole list, quoting the entire digest in full each time which, of course, creates a loop... and about the time someone gets THAT shut off, a very highly-placed honcho who is a _user-interface guru_ and _internet expert_ decides to send a chide-o-gram to this guy. Who's on vacation. Actually, it's his honeymoon, as he's mentioned. Repeatedly. So we _hope_ he isn't going to be hopping up every five minutes to check e-mail, right? But accidentally, the highly-placed honcho sends this note to the whole list. Helpfully quoting the entire digest. In full. Fortunately, this is a great mailing list and the back issues are well worth repeated rereading. Yeah, it happens all the time, to all of us. And exactly how long have we been building e-mail software and mailing lists and using the network and reading and writing books about user interface design? Don't you sometimes think we're all too stupid to be trusted with anything important? Daniel P. B. Smith firstname.lastname@example.org
The web page http://www.usps.gov/moversnet/coa.html mentioned in RISKS-18.50 for postal change of address does not send the change of address form electronically. (At least not as of 4 Oct). After reading the message in Risks, I thought I would try it out. Figuring that there would be a confirmation after filling out the form, I put in a change of address for myself. After entering information on a number of pages you are finally directed to print out the form and give it to your letter carrier or to mail it to your postmaster. There is some mention of their work on coming up with a secure system to allow the form to be filed via e-mail. As for the suggestion that all change of addresses be done in person, I don't see how this would solve anything. A photo id would be required to confirm your identity (as a minimum) and we all know how easy it is to obtain a false one. Also any system is only as good as the people running it. On numerous occasions I have gone to the post office to pick up mail that they were holding for me and not once was I asked for ID (different offices, different clerks). Frank Caggiano email@example.com http://innet.com/~caggiano
I see no risks from the WWW USPS Change of Address form that are not already present in the printed form available in any Post Office. In both cases, you never have to deal with a person or show any ID, and in both cases, submission of the form constitutes the claim that it is valid. Quite frankly, I don't see much of a "Risk to the Public in Computers and Related Systems" here -- if anything, it's simply a "Risk to the Public". I will concede that since it's a lot easier to visit a WWW site and type in some information than it is to visit a Post Office, pick up a form, fill it out and mail it, the WWW form makes it easier for obnoxious people to submit false forwarding requests for other people. But I don't see that as a very big deal, especially because of the verification step outlined in the following paragraph. Those of you who think that there isn't sufficient verification in the USPS mail-forwarding system should perhaps have read the <A HREF="http://www.usps.gov/moversnet/q_and_a.html">Q&A About Mail Forwarding</A> page available on the USPS WWW site. Quoting from it: >How will the Postal Service verify that it received a Change of >Address Order from me? > >The Postal Service will promptly mail you a confirmation letter to the >address you are leaving, regardless of the date of your move. (For >your privacy, it will not mention what your new mail forwarding >address will be.) Another confirmation letter will be sent to you at >your new address after the date of your move. Yes, this does really happen -- I recently field a Change of Address order and did receive the two confirmation letters. I assume that the USPS has sufficiently good "exception handling" that if you get a letter about a Change of Address Order you never filed and go to your Post Office and protest it, they can put a stop on the Change of Address. There is still some room for mischief, e.g., it's possible that some mail will be lost before you stop the forwarding, especially if someone is clever enough to file it while you are out of town or something, but the addition of this step still makes things a heck of a lot more secure than they were before. I confess that I'm baffled about one thing.... When I put my mail on hold when I go out of town, and then go to the Post Office when I get back to pick it up, they require me to show ID before they'll give me the mail. I simply do not understand why they don't require people to show ID when submitting a Change of Address Order. The only explanation I can come up with is that right now, the minimal number of forged requests is outweighed by the increased convenience (and the less USPS-employee time consumed) of the current system; this presumably means that if forging Change of Address requests for other people ever becomes an "in" thing to do, the USPS is going to have to ditch the convenience and start requiring that forms be filed in person with ID and notarized by a USPS employee. Jonathan Kamens | OpenVision Technologies, Inc. | firstname.lastname@example.org
In RISKS-18.45, Dick Mills <email@example.com> continued his argument on public speculation about the causes of airline disasters. He states: >Mr. Dorsett expands on that theme when he says "It's a political world, not >a technical one." I say no, never. Mixing demagoguery and science is >irresponsible. It must never be tolerated. That's a nice philosophy, but it has no connection to reality. Public safety is *never* a technical matter. It is always and primarily political. If you are a technologist (as are most of us who read RISKS) then it is critical that you understand this *if* you want to have an effect on public policy. If there is no political force driving a public issue then nothing is done no matter how compelling the technical case. Technical changes are virtually never implemented unless someone has a political (or financial) motivation to do so. Here's a case in point. In 1985 two friends of mine were killed while flying a light aircraft. When the details of the accident were released it became obvious to me and several others that a major technical error was committed by the pilots. This was an error attributable to lack of knowledge/training. Unfortunately, the NTSB investigators on the case were also not familiar with the critical technical issue of the accident (dynamics of low-performance aircraft in mountain wave conditions) and omitted any mention of this error in the accident report. No recommendations have been issued which could help prevent additional accidents of this type, and they continue to occur with painful regularity I have expended a significant amount of effort over the last 11 years in trying to get the NTSB and FAA to recognize the problem and to modify pilot and controller training such that accidents from this cause could be reduced or eliminated. There have been some encouraging results, but in the large the government has not moved. The problem is *not* technical; the solution to the problem is well known. Rather, the problem is that there is not enough political force involved to motivate key government players. It likely will take either a major accident or the death of a prominent person before changes will be mandated. In the meantime, public discussion of the issues is the *only* means available to disseminate this information and influence public safety. To that end, I have several web pages http://www.wco.com/~shp/waveforatc.html and http://www.wco.com/~shp/speedtofly.html that are intended to inform people interested in the subject and keep the matter in the public eye. I also regularly speak on the subject at local venues and deliberately note the problem of political apathy on this matter. I am working on various political moves in an attempt to force the issue, but in the meantime all I can do is discuss the problem in public to the maximum extent possible. Mr. Mills states: "Mixing demagoguery and science is irresponsible. It must never be tolerated." On the contrary. In this case and in others, mixing politics and technology is likely the *only* way in which public safety will be served. It is the only responsible course of action at my disposal. Steve Philipson firstname.lastname@example.org
COMPUTER PROFESSIONALS FOR SOCIAL RESPONSIBILITY presents a conference on COMMUNICATIONS UNLEASHED What's At Stake? Who Benefits? How To Get Involved! OCTOBER 19-20, 1996 Georgetown University, Washington, DC Co-sponsored by the Communication, Culture, and Technology program of the Graduate School of Arts and Sciences at Georgetown University Saturday sessions: 9:15 - 10:30 THE COMMUNICATIONS TSUNAMI 10:45 - 12:00 TOOLKITS FOR ACTIVISTS 1:30 - 2:45 THE INTERNET: COMMERCIALIZATION, GLOBALIZATION AND GOVERNANCE 3:00 - 4:15 INFORMATION RIGHTS 4:30 - 5:45 COMPUTERS AND ELECTIONS: RISKS, RELIABILITY AND REFORM 6:30 - 8:00 Dinner and presentation of the Norbert Wiener Award to Phil Zimmermann, inventor of PGP (Pretty Good Privacy) Sunday sessions: 9:15 - 10:30 Concurrent workshops A. Using the Internet for progressive political action B. Internet legal issues C. Broadcasting and mass media 10:45 - 12:00 Concurrent workshops A. Communications access and the consumer B. Media tactics and outreach C. Civic networking PM: CPSR ANNUAL MEETING (Attendance is free and open to the public) FOR MORE INFORMATION ON THE CONFERENCE, CONTACT CPSR at 415-322-3778, 703-739-9320 or email@example.com or http://www.cpsr.org/home.html http://www.georgetown.edu/grad/CCT Computer Professionals for Social Responsibility, P.O. Box 717, Palo Alto CA 94302 Phone: (415) 322-3778 Fax: (415) 322-4748 firstname.lastname@example.org
|This page was copied from:||http://catless.ncl.ac.uk/Risks/18.51.html|
by Michael Blume