RISKS@CSL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (07/31/87)
RISKS-LIST: RISKS-FORUM Digest Thursday, 30 July 1987 Volume 5 : Issue 20
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Lack of sanity at the IRS (Victor S. Miller)
Hot Stuff (Burch Seymour)
Re: Nuclear power plant monitoring and engineering (Brian Douglass)
Re: Credit card risks (Ross Patterson)
Re: Passwords and telephone numbers (Brian Randell, Keith F. Lynch)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
FTP back issues Vol i Issue j from F4.CSL.SRI.COM:<RISKS>RISKS-i.j.
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).
----------------------------------------------------------------------
Date: 30 Jul 1987 16:41:11-EDT (Thursday)
From: "Victor S. Miller" <VICTOR%YKTVMZ.BITNET@wiscvm.wisc.edu>
To: risks@csl.sri.com
Subject: Lack of sanity at the IRS
The following incident may seem familiar, but given the extreme dread and
terror that many people find in the IRS, it could be quite serious:
My father-in-law is retired (and has been for a few years), but ocasionally
works. My mother-in-law is still working. When she filled out their
tax returns this year, she filled in the amount of social security payments
received in the calendar year (as required), which was the maximum of
$10,400 (I think). However, in transcribing the rough copy of the tax
return to the final copy, she made a mistake and copied the vertical
line between dollars and cents as a 1. Thus she filled in 104001.
About a month later they received a letter from the IRS stating that
recomputation of their taxes showed that they owed another $4,500! Needless
to say, they were quite upset until they realized what had happened. After
it was pointed out, the IRS eventually cleared things up. It would seem
that the simplest sort of sanity check in the figures would have eliminated
such behavior. The amount of social security benefits for a tax return with
two dependents can't be anywhere in the neighborhood of $104,001. I wonder
if there any sanity checks at all in the code?
Victor S. Miller -- IBM Research victor@ibm.com
[I thought you knew:
When it comes to the IRS, there is no Sanity Clause. PGN]
------------------------------
Date: Thu, 30 Jul 87 15:33:53 EDT
From: gould!augusta!bs@seismo.CSS.GOV (Burch Seymour)
To: risks@csl.sri.com
Subject: Hot Stuff [and Air-Cooled Gould?]
I spent a year working at Large Manufacturer of Space Craft. One of my
duties was system manager of a large Gould Supermini-computer system.
This was a dual processor ECL based system with 16 Megabytes of memory
and about 2 Gigabytes of disk, plus lots of I/O controllers. One of the
last things I did before leaving was start the paper work to get the
system certified for classified operation.
Two years later.. I am talking to my former boss there and he says that
the computer had been very unreliable lately. I am surprised as it was
*extremely* reliable during the time I was there and ask what happened.
It seems when the system went classified, they put locks on the doors --
which precluded normal security patrol checks. They also put the only
audible temperature alarm in the room with the computer. One Friday
night, the A/C went out. Monday morning (according to the report I got)
the machine's cabinet was too hot to touch. This is not hard to believe
as an 18 board ECL CPU puts out LOTS of heat, and this is a dual CPU
system. Anyway ever since that incident, the machine has been flaky.
Gee, I wonder why? I'm amazed that it works at all. -Burch Seymour-
------------------------------
To: risks@csl.sri.com
Subject: Re: Nuclear power plant monitoring and engineering
Organization: Applied Systems Consultants, Inc. Las Vegas
Date: 29 Jul 87 10:04:07 PDT (Wed)
From: Brian Douglass <brian%asci.uucp@RELAY.CS.NET>
This article is in regards to Leff's article in RISKS-5.17.
>If nuclear power plants were removed and replaced with coal burning plants,
>more people would die from the radiation released into the atmosphere by the
>burning coal. This ignores the death toll from coal mine accidents and air
>pollution. In short nuclear power plants are about as risk free as one can
>get in this society and our energies are much better off being devoted to
>automobile accidents, cigarrette smoking and alcohol addiction.
I've often heard these statistics and believe in their validity, as a
statistic. However, what is not talked about is the potential death per
accident. If a car crashes there is a reasonable chance somebody can survive
(seat belts, luck), but that probably someone will die. In an airliner crash,
your chances of surviving are nearly nonexistent, with the body count surely
in the hundreds. Although the chances of an accident in a nuclear plant are
small, the potential body count is astronomical.
After Chernobyl, I heard an engineer say the odds of a nuclear accident was
once in 10,000 years, but that the accumulated operating time of all reactors
world wide was over 10,000 years! Does this mean we should expect a major
accident about once every 30 or 40 years? Yes, nuclear plants are the safest
overall, and offer better long term energy resources (look at France), but
the chances of surviving the accident and potential body count of an
accident must also be factored into the safety equation. I don't think you
can say nuclear power is safer than say coal power when you compare the
number of coal related deaths (mining, processing, burning) versus the
potential death from a nuclear power station accident. It does mean we must
be much more careful with this fire than we have with other fires we've
harnessed before, but we should not walk away from it. That would be a
greater burden for future generations then we have the right to inflict.
Brian Douglass, Applied Systems Consultants, Inc. (ASCI), P.O. Box 13301
Las Vegas, NV 89103, Office: (702) 733-6761, Home: (702) 871-8182
brian@asci.uucp
UUCP: {akgua,ihnp4,mirror,psivax,sdcrdcf}!otto!jimi!asci!brian
[Don't forget nuclear wastes in your calculations! PGN]
------------------------------
Date: Thu, 30 Jul 87 14:25:02 EDT
From: Ross Patterson <A024012%RUTVM1.BITNET@wiscvm.wisc.edu>
Subject: Re: Credit card risks (Michael Wagner, RISKS 5.15)
To: RISKS@csl.sri.com
Amos Shapir is quite correct. AT&T credit card numbers consist of your
10 digit telephone number, followed by 4 random digits. Indeed, this is the
basis for one of their "features" - the ability to "phone home". One can
dial one's own phone number, and when prompted to key in the credit card
number (by an otherwise unidentified "bong"), simply type the last four
digits. The call will be accepted and your wife/husband says "Hi!".
This risk Amos mentions, involved in someone knowing your name, is
obviously that, given the AT&T card numbers, all but the last four digits
can be derived by "letting your fingers do the walking".
As to the Internation Number, at least in the AT&T case it's just a two
character prefix to your phone number and a one digit suffix. Hi tech, right?
_
Incidentally, US Sprint does it much better. I just received my FONCARD
(pronounced with a long O, e.g. PhoneCard) from them. The card number is
14 digits, none of which relate to my phone number, account number, or even
area code. In addition, the card is bright silver, highly reflective, and
the imprint is *not* in a contrasting color - it's the same silver. I have
trouble reading it from 12 inches away, and I doubt it's possible to read
over someone's shoulder.
Ross Patterson, Rutgers University
------------------------------
From: Brian Randell <br%kelpie.newcastle.ac.uk@Cs.Ucl.AC.UK>
Date: Thu, 30 Jul 87 16:20:54 BST
To: RISKS@csl.sri.com
Subject: Re Passwords and telephone numbers (RISKS 5.19)
Jonathan Thornburg's comment ignores the point that people do not normally
expect to change their telephone frequently, and that when the number does
change, it takes quite a while to memorise it again.
------------------------------
Date: Thu, 30 Jul 87 00:56:46 EDT
From: "Keith F. Lynch" <KFL@AI.AI.MIT.EDU>
Subject: Passwords
To: Jonathan_Thornburg%UBC.MAILNET@MULTICS.MIT.EDU
Cc: KFL@AI.AI.MIT.EDU, RISKS@csl.sri.com
> From: Jonathan_Thornburg%UBC.MAILNET@MIT-Multics.ARPA
> (A) What's your office phone number?
> (B) What's your home phone number?
> I suspect almost everyone can answer both questions correctly. The
> two together give 14 fairly patternless digits, ...
But I have only one phone and one office, and neither number has
changed for years. I have accounts on about ten computers, with a
different password on each. Passwords sometimes change as often as
monthly. However, the only ones I write down are those that I cannot
set myself.
It isn't difficult to think of passwords that is easy to remember but
hard to guess. Run two words together, or use the initials of some
phrase, or misspell some word or name. Of course you should never
have the same password on two machines.
Another password risk is terminal programs which offer to remember your
password for you. These should come with strong warning messages.
...Keith
------------------------------
End of RISKS-FORUM Digest
************************
-------