From:	CSBVAX::MRGATE!NEUMANN@KL.SRI.COM@SMTP 13-SEP-1988 16:36
To:	ARISIA::EVERHART
Subj:	RISKS DIGEST 7.50 


Date: Mon, 12 Sep 88 10:17:15 PDT
From: RISKS FORUM    (Peter G. Neumann -- Coordinator) <RISKS@KL.SRI.COM>
Subject: RISKS DIGEST 7.50 
Sender: NEUMANN@KL.SRI.COM
To: RISKS-LIST@KL.SRI.COM
Message-ID: <12430008731.25.NEUMANN@KL.SRI.COM>

RISKS-LIST: RISKS-FORUM Digest  Monday 12 September 1988   Volume 7 : Issue 50

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Computer glitch costs AA $50M ..." (Ken Calvert)
  Risks of Motel Computers (Brint Cooper)
  IFF and the Vincennes (Geoff. Lane.)
  "Single keystroke" (Philip E. Agre)
  `Credit doctors' (Donn Seeley)
  Scientific Safety (WHMurray)
  Bev Littlewood's message in RISKS-7.48 (PGN)
  Calculations with Wrapped Numbers 
    (Mark Brader, Bennet Yee, Jan Wolitzky, Roger Goun)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
  get stripe:<risks>risks-i.j ... (OR TRY cd stripe:<risks> / get risks-i.j ...
  Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Mon, 12 Sep 88 10:36:29 CDT
From: calvert@cs.utexas.edu
Subject: "Computer glitch costs AA $50M ..."

  >From the Austin American-Statesman, Sun., 11 Sept. without permission:

  Computer glitch costs American $50 million in lost ticket sales
  by Martin Zimmerman, Dallas Morning News

  FORT WORTH- American Airlines, Inc. lost as much as $50 million in potential
  revenue this year when its computerized reservations system mistakenly
  restricted the sale of discount tickets, driving price-conscious travelers to
  American's competitors, the airline's chairman told industry analysts this
  week.  
    According to analysts who attended the metting in New York with Robert
  Crandell, American's chairman, president and CEO, the revenue loss was due
  to a foul-up in the airline's yield-management system.  "(Crandell) said
  that early in the second quarter they had implemented a new software program,
  which appears to have backfired," said one investment company analyst, who
  asked not to be named. "It did not do what it was intended to do."
    Yield management involves the use of sophisticated computer programs to
  determine how many seats on an airplane should be sold at various prices,
  squeezing the greatest possible revenue out of each ticket sold.
  On flights where there is heavy demand for seats, for instance, the program
  will instruct that fewer tickts should be sold at discount prices. On
  less-popular flights, more tickets will be sold at discount fares to fill
  what otherwise would be empty seats.
    American is considered an industry leader in yield management. But when the
  airline modified its system this year, the new program contained a serious
  flaw.
    According to the analysts, Crandall said the modified program prematurely
  stopped the sale of discount tickets for American flights, even though more
  seats would normally have been offered at lower fares.  Travelers searching
  for a cheap fare -- told that none were available on American -- presumably
  then went to another airline to buy a ticket.
    Lowell Duncan, American's vice president-corporate communications, said the
  problem went on for 30 to 60 days before it was discovered and corrected.  It
  came to light when wide discrepancies cropped up in the number of discount
  tickets sold during the second quarter of 1988 compared to previous
  quarters....
    News of the foul-up apparently didn't cause much of a stir among the
  analysts, who study airlines' financial performance and then make
  recommendations on whether investors should buy their stock....  "Had
  American had a poor quarter, this glitch might have been more of a problem,"
  said Timothy Pettee, an airline analyst...  As it was, American's yields --
  the amount of money collected per passenger -- increased 13 percent in the
  second quarter, Pettee said.  "They might've been up 15 to 17 percent without
  this glitch, which would've been phenomenal," he said.

This seems relevant to the recent discussions on quantitative risk assessment.

The $50 million figure must be regarded with suspicion in the absence of
further information.  (Does anybody besides me have a problem with phrases like
"losses" in "potential" revenue?)  Such numbers are meaningful only in context,yet it seems to be unavoidable in our society that, once crea
ted, they take on
a life of their own and appear in isolation.  In my experience the problem is
not limited to the media.  (Hence I am generally skeptical about quantitative
methods in system design and certification.)

Ken Calvert

------------------------------

Date:     Mon, 12 Sep 88 9:46:21 EDT
From:     Brint Cooper <abc@BRL.MIL>
Subject:  Risks of Motel Computers

	The following illustrates just how ignorant the "general public"
remains of issues that the Risks community almost take for granted.

	Last month, with a friend my wife and I were touring Southern Maryland.
We stopped unannounced at a new Holiday Inn and booked two rooms in my name.
With both rooms' keys in hand, we proceeded to our friend's room; I opened the
door to check out her room and found that the room was not vacant.  While no
one was actually in the room, briefcases, books, and clothes made it evident
that someone else was already booked therein.

	Angrily, I returned to the desk, explaining to the very young night
staff there the real risk of such an error:  that the room might be occupied by
a handgun-toting paranoid who would shoot first and ask questions later.  The
young woman offered that "the computer must have made a mistake."  I slightly
mis-represented myself as a "computer scientist" and told her that this was no
excuse and repeated all the arguments that are more than familiar to readers of
"Risks Digest."  We were assigned another room.

	At checkout the next morning, I reported the mistake to the morning
staff, so that "management" would become aware.  After the expected profuse
apologies, the desk manager said, "The computer shouldn't have allowed that.
The night clerk must have made a mistake."

	What could I say?
                                                  Brint Cooper

------------------------------

Date:       Mon, 12 Sep 88 09:32:13 BST
From: "Geoff. Lane. Tel UK-061 275 6051" <ZZASSGL@CMS.UMRCC.AC.UK>
Subject:    IFF and the Vincennes

  Once upon a  time I worked on  the IFF software of  the Nimrod project.
  (Nimrod was a British Airborne Early Warning system which got cancelled
  - to be replaced by AWACS). As part of the design process we were given
  a few lectures on the purposes and uses of IFF in general. During these
  we found out that

     a) NO  combat fighter plane  will ever go  into combat with  its IFF
     system operating - for obvious reasons!

     b) If you are  in a combat zone and a planes' IFF  claims it to be a
     civilian assume that it is a counterfeit signal.

  These policies were not, to my  knowledge built into the software. They
  were left for the pilot to act upon. This was about 10 years ago now. I
  doubt if the  general policy of the UK air  defence people has changed.
  It would appear  that the Captain of the Vincennes  worked to a similar
  set of assumptions.

  BTW,  The Nimrod  project was  done  by GEC-Marconi  Space and  Defence
  Systems. This is a part of the  same company that is currently being so
  unlucky with suicides and strange accidental deaths.

  Geoff. Lane.,  University of Manchester Regional Computer Centre

------------------------------

Date: Mon, 12 Sep 88 03:50:09 EDT
From: "Philip E. Agre" <AGRE@AI.AI.MIT.EDU>
Subject: "Single keystroke"

PGN attaches the following comment onto a message about the Soviet's loss of
a Phobos spacecraft.

  [Several people reported on radio items that attributed the problem to a
  console operator's single keystroke in error, which it was speculated
  might have triggered the Mars probe's self-destruct signal.  After the
  command was sent, contact with the probe was lost completely.  PGN]

I have no reliable information about this particular case, but I am struck
by the high proportion of operator mistakes which get reported as `single
keystroke' errors.  I strongly suspect that single-keystroke errors are
largely an urban myth (you know, poodles in microwaves and the like).  I'm
sure that in this world of crummy user interfaces you can often do plenty of
damage with a single keystroke, but the image of a single mistaken keystroke
leading to disaster has got to be a very tempting trope for journalists and
cartoonists and rumor-passers whether it's accurate or not.  Besides, it'll
always have a certain tenuous relation to the truth: the single keystroke
that does the damage is the final Return you hit after your two hundred
keystrokes of wrongheadedness.

------------------------------

Date: Mon, 12 Sep 88 00:46:26 MDT
From: donn@cs.utah.edu (Donn Seeley)
Subject: `Credit doctors'

Clean Credit for Sale: A growing illegal racket
by Larry Reibstein with Lisa Drew, Newsweek 9/12/88 p. 49

Houston schoolteacher Darlene Alexander thought she had a clean credit record.
Then in June she applied for a $75,000 mortgage, and the lender told her she
had too much debt to qualify.  Her records showed accounts for American
Express, MasterCard and Visa.  The biggest balance was a $22,800 loan for a
1988 Chevrolet Camaro.  All this baffled Alexander.  None of the accounts were
hers; she drives a paid-up 1983 Datsun.  Alexander was a victim of 'credit
doctors,' people who use computers to steal good credit histories and then sell
that information to people with bad credit.  Using Darlene Alexander's name and
history, an impostor opened charge accounts and got loans with almost no risk.
The real Alexander, who was also turned down for a vacation loan, is angry.
'You try for years to get good credit,' she says, 'and then someone else just
takes it away from you.'

Credit doctors -- thieves, really -- are starting to surface in a big way.  In
Houston, where the depressed economy has created plenty of willing customers,
about 30 people have been arrested, and 20 convicted, for credit-doctoring
schemes in the last year.  Among them were 'patients' -- consumers -- who paid
up to $2,000 for stolen or fake credit identities.  Houston police have
identified $7 million to $10 million in merchandise and homes bought with the
help of fraudulent accounts.  Similar cases have cropped up in Chicago and Los
Angeles.  In an era when everyone seems intent on building up their credit one
way or another, Secret Service agent Neal Findley says, 'An industry has risen
up based on getting into other people's credit files.'

The thieves work by tapping credit-bureau computers that contain histories on
millions of consumers.  It's surprisingly easy.  Credit doctors usually buy the
computer-access code from a contact who works in a legitimate business, such as
a mortgage company.  Using a personal computer, the credit doctor searches for
someone who has his client's name -- and good credit.  He then copies that
person's credit history -- including the all-important social security number
[[argh! -- Donn]] -- and furnishes the information to the client, who uses it
when applying for credit.  Houston police say some consumers have been offered
a choice of credit histories at a range of prices, depending on the 'quality'
of the stolen credit.  ...

Authorities believe many credit-doctoring scams remain undetected.  People
whose histories have been stolen may never know it -- until a lot of debt is
entered in their names.  Merchants often look the other way as long as the
impostor is keeping up with payments, says Houston police lieutenant J. F.
Rabago.  Many credit bureaus say that no safeguards can completely block
unauthorized access to their computers.  For now, a consumer can only hope that
someone with the same name isn't in the market for a new credit history.

[[Are credit bureaus' security measures really this lax?  It's not hard
to believe, just appalling.  -- Donn]]

------------------------------

Date:  Sun, 11 Sep 88 13:22 EDT
From: WHMurray@DOCKMASTER.ARPA
Subject:  Scientific Safety

Since I only speak American, I often have a difficult time understanding
things originating across the pond.  For esmaple, Bev Littlewood writes:

>The system is certificated in Europe, the thing is carrying passengers,
>yet, I believe, it cannot be asserted in any scientifcally meaningful
>way that it has an "acceptable level of safety". 

It is not clear to me whether "scientifically meaningful" modifies
"can be asserted" or "acceptable level of safety."  It seems to me that
a great part of this discussion has turned on whether "acceptable level
of safety" can ever be a scientific term.

It sounds to me as though it is being asserted that in the UK it is a
scientific and, even legal, term.  I would assert that in the US it is neither.
It is at best political, and at worst journalistic.  The toleration of a risk
in the US is inversely proportional to its novelty or its mystery.

We do not tolerate the risk of the medicinal use of marijuana or heroin in
terminally ill patients.  On the other hand we tolerate 300,000 premature,
painful and slow deaths a year from the use of tobacco.  We tolerate 1500 to
10,000 measureable deaths a year from the burning of fossil fuels.  Much lower
risks of alternatives cannot be tolerated because of the absence of political
courage.  We kill 40,000 people a year on our highways, and maim for life
another 2-400,000, while programs in other countries suggest to us that least
half of those are avoidable.

Novel technology, such as fly-by-wire, would not be tolerated here unless it
could be "proved" to be safer than the technology in use.  (The opposition to
the A320 in the US revolves around the fact that it contributes to an
unfavorable balance of trade and has a two man cocpit.  The opposition has
missed a good bet.  The risk of new foods and drugs here are measured
absolutely, in terms of their risk in small animals; not against the risk of
the alternatives.  Better the devil we know.

One can say little "scientific" about safety and risk in such a society.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114                          
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840                

------------------------------

Date: Sun, 11 Sep 88 20:28:20 PDT
From: Peter G. Neumann <Neumann@KL.SRI.COM>
Subject: Bev Littlewood's message in RISKS-7.48

Somewhere between Bev's transmission to Brian Randell and Brian's
retransmission to me, Bev's lines longer than 80 characters got truncated.
Sorry.  [Probably at the border?  Customs?  Round up the usual characters?]
  [By the way, I sometimes get messages from within the U.S.A. whose text has 
  NO line breaks -- just rampant character strings.  The UK/USA 80-character
  filter would truncate the entire message except for the first 80 characters!]

------------------------------

Date: 	Fri, 9 Sep 88 17:41:38 EDT
From: Mark Brader <msb@sq.sq.com>
Subject: Calculations with Wrapped Numbers

> > The problem occurs when the previous value is -175 or so and the new
> > value is +175.  What is the average?

> A good way to estimate an average angle, A, from a set of angle measurements
> a[i] 0<=i<N, is ....

The reason that this problem is a problem is that in modular arithmetic --
which is what we're talking about here -- there *is* no such thing as an
"average", at least not in the usual sense of "arithmetic mean".

It would probably help, then, if people would be careful to define their
terminology.

The "average" algorithm that the second-cited poster gave arises as follows.
Represent the modular arithmetic as a circle (the original physical
representation in this case); take each angle value as a vector, all of equal
length; sum (or average, doesn't matter) all the vectors; and translate the
direction (if any) of the resultant back into a numeric angle value.  I guess
this is indeed correct for problems where it makes sense to speak of an average
angle, but it may be useless for other problems involving "averaged" modular
numbers.

Mark Brader, SoftQuad Inc., Toronto	

------------------------------

Date: Tue, 06 Sep 88 10:03:56 EDT
From: Bennet.Yee@PLAY.MACH.CS.CMU.EDU
Subject: Calculations with wrapped numbers (Re: RISKS-7.44)

karsh@sgi.com suggests using trig

                       sum_i_from_1_to_N sin(a[i])
	a = arctangent ---------------------------
                       sum_i_from_1_to_N cos(a[i])

to average angles.  This forces us to perform consistency checks to figure
out which quadrant the angle is really in.  Otherwise, we may get incorrect
results (risk of using posted algorithms?).   Perhaps a simpler algorithm
would be to view the angle measurements as [unit] vectors and average the
vectors together.  Not only is this conceptually simple, it also allows
incorporation of measurement reliability by scaling the vectors.

    [Similar comment from Mark Mandel...]

------------------------------

Date: Tue, 6 Sep 88 16:28 EDT
From: wolit@research.att.com
Subject: Re: Calculations with wrapped numbers

You take the average of the sines of the angles and the average of the
cosines of the angles, divide, and take the arctangent of the result.

Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998; mhuxd!wolit

------------------------------

Date: 6 Sep 88 15:24
From: goun%evetpu.DEC@decwrl.dec.com (Magister ludorum)
Subject: RE: Calculations with wrapped numbers and risks of roundoff

>> Imagine trying to compute the average position of the second hand on a
>> clock.  You sample the position once a second for sixty seconds.  Ok, now
>> what is the average?

I made a deliberately naive attempt to determine the average position of a 
second hand, using the above formula and a spreadsheet program that shall 
remain nameless.  I assumed N = 60, 0 <= a[i] <= 354.  The spreadsheet 
dutifully reported that sum_i_from_1_to_N sin(a[i]) = -7.173E-10, 
sum_i_from_1_to_N cos(a[i]) = .000000014, and a = -3.0000006.

This example is obviously contrived to "make the computer look bad."  But it's
not hard to imagine a scenario in which such a completely bogus answer might
seem plausible to an unsophisticated consumer of information, especially if he
or she was not shown the intermediate results of the calculation.
                             					    Roger Goun

------------------------------

End of RISKS-FORUM Digest 7.50
************************
-------