RISKS-LIST: RISKS-FORUM Digest  Sunday 11 June 1989  Volume 8 : Issue 78

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  NY Telephone Freebies (PGN)
  Nielsen Raidings -- A risk? (John Rushby)
  C-17 Overrun (Gary Chapman)
  COMPASS '89 reminder (Al Friend)
  Re: Big Brother is watching your posting in RISKS (Amos Shapir)
  How Rumors Mutate, Lesson 2 (Rich Fritzson)
  The computer didn't commit the crime (Michael Doob)
  An ATM gets it right (Steve Anthony)
  Justice Department wary in Computer Case (Dave Bozak)

----------------------------------------------------------------------

Date: Sat, 10 Jun 1989 15:53:55 PDT
From: Peter Neumann
Subject: NY Telephone Freebies

24 pay phones along the Long Island Expressway were in fact free phones because of a programming/database screw-up. They were being heavily used for long distance calls by those who had discovered the oversight, including many to Pakistan. (Police found 15 Pakistani men using the phones when they went to investigate after a shooting.) There were no estimates on the unrecovered cost of the phone calls. [10 June 1989, San Francisco Chronicle, p. 2.]

------------------------------

Date: Tue 2 May 89 22:11:44-PDT
From: John Rushby
Subject: Nielsen Raidings -- A risk?

NEW NIELSEN SYSTEM WILL WATCH THE WATCHERS WATCHING
By BILL CARTER
c.1989 N.Y. Times News Service, 2 May 1989

NEW YORK -- Soon, some people may be watching television sets that will be watching them back.

Nielsen Media Research disclosed plans Wednesday to develop a ``passive people meter'' in conjunction with the David Sarnoff Research Center at Princeton.

The device would measure television viewing without relying on the participation of viewers -- a marked departure from Nielsen's current ``people meter'' system, which requires viewers to identify themselves by pushing buttons whenever they watch television.
Since it began measuring television audiences in 1950, Nielsen has been able to tell when sets in a sample household are on and what channels they are tuned to. The problem has been determining who in the family is watching at any given time. Two years ago Nielsen introduced the people meter to provide that information.

The crucial component of the new system is an image-recognition device that would identify members of a household and record, second by second, when they are watching television, when they leave the room and even when they avert their eyes to read a newspaper.

Nielsen and Sarnoff demonstrated a working model of the device at a news conference Wednesday, at which the issue of invasion of privacy was raised. Nielsen executives faced questions about the system's similarities to the surveillance of Big Brother in George Orwell's novel ``1984.''

But Nielsen executives argued that the system will not be intrusive. ``I don't think we're talking about Big Brother here at all,'' said John A. Dimling, executive vice president of Nielsen Media Research. ``We're not scanning the room to find out what people are doing. We're sensitive to the issue of privacy.''

Dimling said it will be at least three years before the system goes into service.

The system will consist of a camera-like device and a computer attached to the top of each set in the households in Nielsen's sample group of television viewers. The computer will be programmed to store the facial images of each family member. The camera will be activated each time the set is turned on and will scan the room for faces it recognizes.

The same image-recognition technique has other possible applications, say in medicine and policework. Using a more sophisticated image-recognition system, police could, in theory, scan an airport for known terrorists or drug dealers.

If tested successfully, the passive system would replace the current people meter, which is only two years old.
It was meant to provide more precise information about which members of the household were watching particular programs. The people meters replaced a system, used for 37 years, that relied on viewers filling out diaries.

The three major television networks have complained that people meters underestimate actual viewership. Research executives at the television networks have said that the button-pushing task becomes boring quickly, leading to inaccuracies; that many households refuse to cooperate, and that children cannot reasonably be expected to push the buttons to indicate when they are watching.

Nielsen now has 4,000 homes in its people-meter survey. But the networks have complained that the current two-year period each household participates in the survey is too long and leads to fatigue.

The network reaction to the people meter is at least partly derived from the effect the system has had on their business. Nielsen measurements of the networks' share of the audience declined 9 percent immediately after people meters were installed; a decline in ratings means a decline in advertising revenues.

A passive system would address most of these complaints, Dimling said. He called the proposed system the ultimate audience measurement, ``primarily because the respondents don't have to do anything.''

The response to the Nielsen announcement at the networks and in the advertising community Wednesday was favorable. Bart McHugh, senior vice president of DDB Needham, said, ``A passive system is what we've all been screaming about.''

Alan Wurtzel, senior vice president of research at ABC, said: ``I really believe a passive system would be much better. I would hope they would get this out and in place as quickly as possible.''

Nielsen reports to clients will include both the number of viewers and demographic data on the makeup of a show's audience.
Eventually, Dimling said, networks could know almost instantly which sections of a show the audience was most responsive to, and which bored them enough to make them leave the room, pick up a magazine or fall asleep.

Dimling said that only families that agree to participate will be included in the survey. Under the current people-meter system families are paid a small fee to begin the metering process and are rewarded occasionally with small gifts. Dimling would not say what the monetary incentive for the passive meter system would be.

Curtis Carlson, the director of information systems at Sarnoff, said, ``The only information sent back to the Nielsen computers will be whether people are watching television.''

He said the device will not actually record any other activity. It focuses only on facial features, he said, and decides first if it is a face it recognizes and then if that face is directed toward the set. Unfamiliar faces or even possibly the family dog will be recorded as ``visitors.''

The system, based on a technique the Sarnoff researchers have labeled ``smart sensing,'' relies on visual tracking similar to the operation of the human eye, Carlson said. Images on the periphery are screened out, and the camera centers on only the most compelling features.

The current prototype is about as big as a breadbox, Carlson said, and the next step in the development process will be to miniaturize the entire system. The goal is to have a machine about the size and shape of a videocassette recorder.

Nielsen and Sarnoff will also do an extended study and national testing to ensure that the system can meet Nielsen needs before putting it into use.

Nielsen has plans to use the technology in other ways. For example, Nielsen now conducts a market research project in which consumers are asked to use a scanning device to read the product code on articles they buy.
But because the people meter requires so much work, Nielsen never asks the same household to participate in both the scanning and people-meter surveys.

Robert R. Brown, president of information services and technology for Nielsen, said the passive people meter could be combined with the scanning survey so Nielsen could track ``market stimuli with buying patterns.'' Nielsen clients could in theory learn whether television advertising had a direct influence on viewers' buying decisions.

Nielsen has contracted with Sarnoff Research for exclusive use of the technology in the media and marketing area. Carlson said a different version of the same technology has been applied in at least one other business. He said it was against company policy to disclose which business, but he did say the federal government has expressed interest in the technology.

He conceded that as the technology becomes more sophisticated it could open up more questions of privacy. ``Every technology can be abused,'' he said.

But he stressed that his laboratory is more interested in possible medical applications. He said, for instance, that the system could eventually be used to increase the reliability of pap smears by using image recognition to identify abnormal cells and could provide a sophisticated object-recognition aid to the blind. Development of both is far down the road, he said.

------------------------------

Date: Tue, 6 Jun 89 12:47:39 PDT
From: chapman@csli.Stanford.EDU (Gary Chapman)
Subject: C-17 [Overrun with No Remorse]

The June issue of Defense Electronics reports that the manufacturer of the C-17 transport plane, Douglas Aircraft, estimates that software problems in the avionics system of the plane will require a cost overrun of about *$500 million.* The figure was actually an estimate of a Congressional investigation, then confirmed by Douglas. The software is a package with an estimated 750,000 lines of code, as compared to the 25,000 lines of code in a C-5A.
The C-17 is supposed to replace the Air Force's transport aircraft, the C-5A, the C-131, and the C-141. The program was started in 1982, and there are supposed to be 210 C-17s purchased by 1998 at a cost of $35.7 billion.

There is no detailed information in the short article on what the avionics software problems entail.

-- Gary

------------------------------

Date: Fri, 9 Jun 89 22:29:04 edt
From: friend@csr.itd.nrl.navy.mil (Al Friend)
Subject: COMPASS '89 reminder (COMPUTER ASSURANCE) [See RISKS-8.66]

COMPASS '89 IS COMING

One week to go!

  => Learn about software safety, risks, and computer assurance.
  => Meet others who are working in these areas.
  => See RISKS-8.66 for advance program.

PLACE:   National Institute of Standards and Technology *
         Gaithersburg, MD (suburban Washington, DC)
         * formerly National Bureau of Standards
TIME:    June 20 - 22 (tutorials on 23rd, other meetings 19th)
CONTACT: Nettie Quartana or Holly Mays at (703) 486-3500
OR:      Come directly to COMPASS '89 at NIST. Register at the door.
FEE:     MEMBER/SPONSOR = $ 225
         NONMEMBER      = $ 275

[Let me know if you would like a copy of RISKS-8.66 and cannot FTP it. PGN]

------------------------------

Date: 11 Jun 89 10:46:25 GMT
From: amos@taux01.UUCP (Amos Shapir)
Subject: Re: Big Brother is watching your posting in RISKS

I have just received an anonymous threat to notify my company of my posting in comp.risks (``Big Brother is watching your magnetic card'', RISKS-8.77). Let me clarify two points:

- My article was just a summary of what has been published in the local press, and does not necessarily reflect my opinions of the matter.

- My opinions are my own, and in no way represent a policy and/or stand of National Semiconductor Corporation or National Semiconductor (IC) Ltd.

Amos Shapir    amos@nsc.com
National Semiconductor (Israel) P.O.B. 3007, Herzlia 46104, Israel

[Another Risks of RISKS item!
PGN]

------------------------------

Date: Fri, 2 Jun 89 08:50:17 -0400
From: fritzson@PRC.Unisys.COM
Subject: How Rumors Mutate, Lesson 2

>RISKS-FORUM Digest Wednesday 31 May 1989 Volume 8 : Issue 76
>Subject: State computer system scrapped (RISKS-8.73)
>Rumor: AI Causes $20M Loss to Pennsylvania
>How Rumors Get Started, Lesson 1 (Excerpts from Seattle Times article quoted b
>Bruce Forstall in Risks 8.73):

The article in question was in the Seattle Times because the state that lost the money was Washington, not Pennsylvania.

-Rich Fritzson

----------------------------------------

Date: 2 Jun 89 10:40 -0500
From: Michael Doob
Subject: The computer didn't commit the crime

The Bank of Montreal has two types of billing for checking accounts: (1) a per check charge, or (2) flat rate for an unlimited number of checks. This month, in a burst of creative billing, both charges were applied to the account. What a chance to call it a computer error. Here is what the bank said in a form letter:

   We are using the most immediate method to advise that we are
   correcting an error in the service fees charged to your last
   True Chequing Account Statement.
   We take great care to ensure all account entries are correct and
   we sincerely regret the human error which caused both monthly
                           ^^^^^ ^^^^^
   plan fees and per item fees to be charged to some of our
   customer's accounts. Your next statement will include the
   appropriate corrections.

Does this mean that blaming the computer will reflect poorly (in the customers' view) on ATM?

------------------------------

Date: Fri, 2 Jun 89 11:49:26 EDT
From: Steve Anthony
Subject: An ATM gets it right

Had an interesting experience with ATM's in the Boston Area last year. I was going on vacation and the mortgage needed to be paid during the vacation. So I made a transfer, at a human teller, from savings to checking to cover it, wrote the check and left for vacation.
Upon returning, I got some cash from the ATM and noticed that the balances were not what I expected; savings was too high and checking was too high also. I went thru my receipts and found that I had erred; I made the transfer from checking to savings rather than the other way around. This meant that my mortgage check was going to or had already bounced.

I called the mortgage bank (different from the checking/savings bank) and inquired about the mortgage payment. I was told that everything was fine; the payment was made. Mystified, I went to my savings/checking bank and asked what happened. I had made the transfer at a BayBank Merrimack Valley branch office and my account is thru BayBank Harvard Trust.

As background, in eastern Mass, there is a banking company, BayBanks, that is really a holding company for a variety of individual BayBank companies, two of which are BB Merrimack Valley and BB Harvard Trust.

What I was told was that the erroneous transfer had never been made (from checking to savings). I inquired as to why this was so. The person told me that when a transfer is done thru a human teller for an account that is for a different BB company, the transaction may, or may not get processed; i.e. it drops into the bit bucket. In order to make sure that a transfer takes place, she suggested that I use the ATM, since there were no known problems with transactions of this type.

So score one for the ATMs.

------------------------------

Date: Fri, 2 Jun 89 09:48:41 EDT
From: dab@oswego.oswego.edu (Dave Bozak)
Subject: Justice Department wary in Computer Case

Reprinted from the Syracuse Herald-American, 5/28/89:

Justice Department Wary in Computer Case:
Is Washington fearful of losing a landmark trial?
by Matthew Spina, Staff Writer

Some computer experts theorize that the Justice Department, afraid of bungling what could become a landmark computer case, still doesn't know how to treat the Cornell student whose computer worm slithered nationwide in November.
A further concern in Washington: A trial in the case might embarrass the Department of Defense if its scientists are asked to detail how their computers were among the thousands crippled by the worm.

For several months, the decision on how to charge 23-year-old Robert T. Morris, Jr. had been before Mark Richard, a deputy assistant attorney general. Within the last few weeks, Richard made a decision that now is being reviewed by an assistant attorney general, according to a computer professional who has been talking with the Justice Department.

"I thought we would have heard something from Washington by now," said Andrew Baxtoer, the assistant U.S. attorney who in November and December presented the case to a grand jury in Syracuse.

The grand jury's report was sent on to the Justice Department, which refuses to comment publicly on the matter because Morris has not been indicted.

"Within the next two weeks I assume that a decision will be made," said one official.

"If they decide to begin an expensive trial, they have to make sure they win so as not to damage future attempts to prosecute under that law," said Eugene H. Spafford, an assistant professor at Purdue University whose analysis of the worm has helped federal investigators. "If they decide not to prosecute, and the total thing that happens is he gets suspended (from Cornell), I will be outraged."

So far, Cornell has taken the only disciplinary measure against Morris, suspending him for the 1989-90 academic year. But the graduate student left the computer science department early in November, the day after the worm spread out of a computer in Upson Hall.

Morris, a computer science graduate student, has been called the author of a rogue computer program, called a worm, that was spread from a Cornell University computer. The program was designed to reproduce and infect any computer linked to the Internet, a network shared by colleges, research centers and military institutions.
However, experts say an error caused the program to replicate out of control, sending thousands of copies into thousands of computers.

If Morris is to be charged with a felony, prosecutors would then have to show he intended to destroy or extract information.

Proving that would be difficult since the program neither destroyed nor removed information from any computer.

To convict Morris on most lesser charges, prosecutors would have to show he intended to harm computers.

Prosecutors also could use a misdemeanor charge requiring them to prove only that Morris gained access to a federal government computer. The worm did reach computers at the Army Ballistics Research Laboratory and NASA's Langley Research Center, among others.

Some computer experts wonder, though, if Defense Department officials will be reluctant to testify publicly about how their computers were penetrated - even those computers holding non-classified information. In February, at a computer convention in San Diego, Defense Department computer experts detailed some security improvements made to the network since November, but then refused to release copies of their presentation to people at the seminar.

The FBI - which enforces the Computer Fraud and Abuse Act of 1986 - and some people in the computer industry are pushing for a vigorous prosecution to display a strong case against computer hacking. Others in the industry, including some of Morris' friends from Harvard University and Cornell, urge leniency because he was trying to demonstrate security flaws with computers.

------------------------------

End of RISKS-FORUM Digest 8.78
************************