Subject: RISKS DIGEST 10.67 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Friday 7 December 1990 Volume 10 : Issue 67 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Airline safety (Donald A Norman) Voter identity and Dial-A-Vote (Lauren Weinstein, Glen Overby, Paul Peters, Andrew Klossner, Dan Sandin, Frank Kuiper, Adams Douglas) "Little pitchers have big ears": yet another ATM RISK (zowie) Billing software wastes money (Phil R.M.) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. FTP VOL i ISSUE j: ftp CRVAX.sri.comlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j; j is TWO digits. Vol summaries in risks-i.00 (j=0); "dir risks-*.*" gives directory; bye logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Fri, 7 Dec 90 08:00:20 PST From: danorman@UCSD.EDU (Donald A Norman-UCSD Cog Sci Dept) Subject: Airline safety I apologize in advance: this is a sermon. The note in RISKS on the Economist's suggestions for aviation safety prompts this note. The problem is that the suggestions were all aimed at the pilots. The myth of crashes caused by single individuals, usually the pilot, persists. Accidents in aviation is a system problem. Accidents occur because the system is faulty. Note that an accident almost never involves a single error: there must be a chain of events, each of them usually unlikely by themselves, before an accident happens. The Economist's suggestions seem to me to be without merit, save for their last -- that we should get more information from the cockpit. I was pleased and surprised to see the NTSB (the U.S. National Transportation Safety Board) just recommend increasing the voice cockpit recorder tape to longer than 30 minutes (now it is a repeating loop of tape of duration 30 minutes), increasing the number of parameters measured by the black box that records airplane and engine state, and hurrah! adding video cameras and recorders so you could see if critical controls were actually used. Accidents will continue as long as people treat this as something that can be cured by concentration on the pilots. In my opinion, the flight-deck instrumentation -- especially the automation, such as the "flight management computer" and "mode control panels" are classic examples of poor design from the human side of things, the maps and approach charts are unbelievably cluttered and complex (a recent accident in which a landing aircraft clipped the power lines, thus turning off the airport's landing lights (among other things) was partially attributed to incorrect reading of the charts), and the interactions with air traffic control (ATC) and the equipment and limitations that ATC face add to the problem. The new addition of "datalink" to the cockpit will only create new problems. Datalink is digital transmission of ATC information to be received somewhere in the cockpit on a CRT display. This replaces some of the voice communication on the now overcrowded channels. In principle it has merits, but it is yet another complex piece of equipment, yet another change in procedures, yet another bandaid and ill-considered addition to cockpit clutter. I used the word "somewhere" because nobody yet knows quite where to fit the thing into the already crowded cockpit, and all the current suggestions seem to lead to foreseeable future problems. The lack of positive confirmation form pilots will also lead to other (foreseeable) problems. Basically, one cannot fix a system problem by adding local patches. In fact, that tends to make things worse. These difficulties have been known for a long time. The only surprise about the recent runway collision in Detroit (where a plane taxiing on the runway collided with a plane taking off on the same runway) is that it hasn't happened frequently before. The NTSB had warned about these problems. Pilots know they get lost on runways and taxiways, and the Tenerife crash that destroyed two fully-loaded 747's some years ago was almost identical. It is a system problem. As long as we try to solve the problem by arguing that pilots need better decision rules or better warning systems, then we are going to continue to have the problem. Human error is almost always a result of system or design error, and unless you attack that, you don't attack the causes. The Economist urged the introduction of a new decision speed. Sigh. Loss of an engine on takeoff is what every pilot practices and what almost never happens, and the current decision speed of V1 should probably be degraded, but it is NOT the main culprit. The Economist said that the current ground proximity warning systems (GPWS) are faulty. The last thing a pilot needs is yet another warning system in the cockpit. And I don't recall any recent incidents where a faulty GPWS was a contributors. By the way, substitute "computer" or "ship or "oil refinery" or "chemical plant" for "airplane" and substitute "operator" for "pilot" and you get the same message. Society tends to try to find single individuals to blame for accidents. Students of human error blame the system. And unless we fix the system, we will continue to have these accidents as a mater of course. "Normal accidents" is what Charles Perrow called them in his brilliant book by that title. Credentials: I study aviation safety under a grant from NASA. No, I am not a pilot. Don Norman, Department of Cognitive Science 0515, University of California, San Diego La Jolla, California 92093 USA BITNET: dnorman@ucsd ------------------------------ Date: Wed, 21 Nov 90 22:55:20 PST From: lauren@vortex.com (Lauren Weinstein) Subject: Voter identity and Dial-A-Vote One risk that I don't think I saw mentioned in the discussion of "Dial-A-Vote" systems relates to the identity of voters. Such a system, by definition, would need to know the identity of each caller to check registration and avoid duplications. Caller-ID would require people's presence at particular phones and is a can of worms for many other reasons. Personal ID codes could also be used, but, uh, I *wonder* what number would be most likely used for this purpose? Can you say "SS"? I knew you could! In any case, you'd have to identify yourself to the system, and then it would be trivial for a file to be kept on how you voted. Of course, we'd be told that this wouldn't be done, that there would be adequate safeguards, and that it was *impossible* to subvert the system. This is a significant new risk. With current voting techniques, picking out an individual's vote is essentially impossible without a great deal of illicit goings on at the polling place. Paper ballots and punch card ballots have no identifications, and are thrown into common bins. Voting machines increment internal counters that keep running totals only, not individual votes. But with Dial-A-Vote, all this low-tech privacy goes out the proverbial window. --Lauren-- ------------------------------ Date: Sun, 25 Nov 90 02:01:47 -0600 From: Glen Overby Subject: Voting electronically from home I have a few items to contribute to the vote-by-phone discussion. First, how do you identify legitimate voters? While most states require voters to register before an election, North Dakota does not, and I don't believe we're alone in that aspect. In fact, I have never been asked to show any type of identification; I am merely asked my name and address (the first time I voted I was asked to sign a form stating that I was using my real name, of voting age, had not voted in another precinct, etc.). Telephone voting could be possible if you have voted in a previous election, and are thus in your precinct's records. This does not permit a complete transition over to automated voting, but could allow it's addition as a convenience. You will, nonetheless, have to identify yourself on the telephone with some sort of number. There will have to be laws passed insuring your privacy as well as illegitimate use of someone else's voter-id number; imagine how some phreak with an autodialer could wreak havoc with an election by voting "for" people. The other thing missing from the vote-by-phone system is the provision for write-in candidates. I'm not certain if all states require a provision for write-in candidates, but many years ago the mechanical voting machines here were replaced with fill-in-the-dot forms that are optically scanned by a couple of IBM scanners down at the courthouse. I recall the issue of the switchover was not one of mechanical reliability (those machines were OLD), but that there was no way for you to write-in a candidate. Glen Overby uunet!plains!overby (UUCP) overby@plains (Bitnet) ------------------------------ Date: Mon, 26 Nov 90 08:43 EST From: Paul Peters Subject: Voting from home electronically The emphasis of RISKS 10.64 on telephonic voting taking rights away from the population without telephones is misplaced. Of all the problems with telephonic voting, this is the least. One could say that the current locations of polling places takes rights away from those without automobiles, but we have found ways to provide alternate transportation for those folks. With some creativity, we could find ways to provide voting capability to those without telephones also. Paul Peters ------------------------------ Date: Thu, 29 Nov 90 10:59:07 PST From: Andrew Klossner Subject: remote voting: the Oregon experience Experience in Oregon with remote voting may shed some light on proposals for vote-by-telephone. Oregon has used vote-by-mail for special elections for a few years. A few weeks before the election, each registered voter receives, by mail, a perforated punch card and explanatory material. To vote, we punch the card appropriately (using a pencil to poke out perforated holes), seal the card in a special envelope, sign the envelope, and mail it. We have to pay for the stamp. Only one ballot per envelope. During such elections, the usual polling places are not established. Anybody who objects to vote-by-mail must go to the county seat on election day to vote in person. Not only is this a potential hardship, but so few people do this that they lose the anonymity of large numbers. This system is subject to many of the potential pitfalls mentioned by other contributors. Perhaps the greatest of these is that the dominant member of the household can punch all the cards, coerce signatures from other members, and thus influence several votes. Another is that we, the electorate, have no guarantee of ballot secrecy other than the solemn promise of the bureacracy. Reported public opinion is unanimously in favor of vote-by-mail because it reduces the cost of an election (no polling place expenses) and because we get much greater voter participation. -=- Andrew Klossner (uunet!tektronix!frip.WV.TEK!andrew) [UUCP] (andrew%frip.wv.tek.com@relay.cs.net) [ARPA] ------------------------------ Date: Thu, 29 Nov 90 22:45:46 GMT From: sandin@uicbert.eecs.uic.edu (Dan Sandin) Subject: Re: Voting (Re: RISKS-10.61) OK, my response to what has gone down so far: making election day a national holiday, or whatever, still would not make it better for every person to get to the polls. I mean, think about all the people who still have to work on national holidays, or even have to work MORE (liquor store employees spring immediately to mind) or cases when unforeseen circumstances prevent one from voting. A sick sister in another state, a boiler explodes, whatever. The point is simply to make legitimate voting EASIER. As we know from working with computers, plenty of people would prefer to vote the old-fashioned way, physically showing up at the polls, who don't trust, don't understand, or just don't like the phone-in system, that's just fine. Someone suggested it would make blackmail voting, etc, easier. Remember, though, that usually "stealing" one vote, or even a thousand votes will make very little difference (depending on the size of the election) Ordering hundreds of little old ladies to vote by gunpoint would be very difficult to hide, and would only make a difference in a very small election. It is much safer and cost-effective to use the tried and true method of getting votes - getting the voters drunk. Indeed, with this system, I would think that the regular polling places would just be custom terminals with leased lines direct to the same polling computer that one dials in with from home. I would hope that one of the effects would be to encourage more voting, and perhaps for our government to have regular referenda on issues, rather than waiting for regularly scheduled elections. Just dial 1-800-PRO-CHOI or 1-800-PRO_ABRT Some posters have suggested that a segment of the population would be favoured by this, that poor people would find it harder to vote than rich. True. However, I think you will find that the percentage of people who have telephones is greater than the percentage of registered voters who vote, let alone the percentage of the population as a whole who vote. I would guess that telephone market penetration is over 90%, and I would further guess that, considering payphones, work phones, a friend's phone, etc, >99.999 % of the population has phone access. In fact, since voter registration requires an address, I bet more people have access to phones than have legal residence addresses. I think it is safe to say that if voting could be accomplished by phone as well as in a polling place, voting attendance would go up. And by definition with the tenets of Democracy, this is a Good Thing. stephan meyers c/o dan sandin sandin@uicbert.eecs.uic.edu p.s. someone mentioned the problem of tying up the phone lines, as in "I'm sorry, all voting lines are busy now, please try again later" This is a real problem, and probably no cheap way out of it. ------------------------------ Date: 30 Nov 90 11:15:16 GMT From: frankk@cwi.nl (Frank Kuiper) Subject: Re: Voting (Re: RISKS-10.61) In the Netherlands we have the following system, wich works quite well. Everyone has a residents registration, no matter where in the Netherelands you live. This registeres, amongst other things, your name, address, date and place of birth. With this information the councel (gemeente) knows who are eligible to vote. Every voter, some weeks before an election, is send a voting-card, with details on when and where (which polling station) to vote. The polling stations are open from 7am until 7pm (always on a Wednesday; no disturbance of the "Sunday peace" ;-), thereby giving everyone the opportunity to vote before, during or after work. It is possible to vote in another polling station, if you declare to want that. You will have to do that well in advance. Also, it is possible to have someone else vote for you, in which case you can easily transfer the received voting-card to the other voter, by mentiong his/her name on the card, and signing it yourself. One can only vote for two others (thereby making it very difficult to just buy all the voting cards). Unless you're out of the country, have no friends or relatives and are dying somewhere, you always have the opportunity to have your vote cast. Residents outside the Netherlands can vote (by mail) via the local Dutch embassy. All I have to do is pass the polling station on my way to work, and vote. Frank Kuiper AppleLink: HOL0042 ------------------------------ Date: Wed Nov 21 22:57:14 1990 From: adamsd@crash.cts.com (Adams Douglas) Subject: Re: Becoming over-sensitive to risks (vote by phone) I was thinking about phone voting systems myself this last election. Specifically, I thought about the idea of having a centralized polling system which would allow you to enter your vote preferences during the campaign. This information could be used as official pre-election polls are used now. On election day, you would either call again and re-vote, or you could have specified earlier that if you did not call on election day, the system should use your last poll as your vote. This would solve a lot of absentee delays (and I know people will say there are problems with it, but it's just an idea). ------------------------------ Date: Sun, 25 Nov 90 00:32:54 PST From: zowie@banneker.Stanford.EDU Subject: "Little pitchers have big ears": yet another ATM RISK Today, I went with a friend into a local bank [Wells Fargo], to activate his (newly-arrived) ATM card. This ritual involves the selection of a password [PIN] for for the account. He gave his card to the clerk, who swiped it through a magnetic reader and typed something on a keyboard. Then my friend typed his new PIN on a special, hooded keyboard out of view of the clerk (and, hopefully, from other bank clients). A speaker clicked on, and, to my surprise, we (me; my friend; the clerk; and, in fact, nearly everyone in the building) were treated to the sounds of a dial tone, some touch-tone dial sounds, a (surprise!) normal-sounding 300-baud modem query and connection, and, in fact, the entire [300-baud] exchange, complete with hangup sounds. The RISKS of this audible broadcast should be clear: anyone with a good pocket microcassette recorder should be able to record the entire modem transaction, simply by being near someone who is activating his ATM card. With a little ingenuity (or, eg, a DSP such as that onboard a NeXT machine), it would be trivial to decode the entire 'dialogue', which presumably includes not only the person's account number and PIN, but also a password to make changes to an arbitrary ATM card! The information would be particularly easy to extract because of the robust nature of the 300-baud Bell standard. I spoke with several colleagues (including joe@hanauma.stanford.edu) about the broadcast of the computer dialogue: it appears that many Wells Fargo branches follow this practice, and have been for at least three years. The moral of the story is perhaps that one should not shout out sensitive information, even in supposedly unintelligible languages. --zowie ------------------------------ Date: Wed, 28 Nov 90 10:13:41 EST From: prm@ecn.purdue.edu Subject: Billing software wastes money Last year my wife and I bought a chair at Michael's Furniture, a store here in West Lafayette. We financed the chair, and Michael's promptly sold the contract to Security Pacific Financial Corporation. Everything went fine; no problems. A month ago, we made our regular monthy payment, after which, our balance was some small amount (like 20 or 30 dollars). A week after we mailed our original payment my wife suggested that we just pay off the acocunt. I agreed. She wrote out a check for the balance due and mailed it off. Fine, no problem. A week ago, we got a bill from Security Pacific. For four cents. Apparently, some interest and accrued on the account in the week or so between checks. Clearly, it never occured to the people writing Security Pacific's billing software that if the balance due was less than the cost of mailing a bill then they should just write off the balance due. Sigh. We mailed them their four cents. Phil ------------------------------ End of RISKS-FORUM Digest 10.67 ************************