Subject: RISKS DIGEST 10.81
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 28 January 1991  Volume 10 : Issue 81

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Risks in forensic use of dental and medical records (Sanford Sherizen)
  Kinking Foreign-sold Military Equipment (Karl Lehenbauer)
  Patriot missiles (Phil Agre)
  Electronic cash completely replacing cash (David 'Witt')
  Re: San Francisco taxes its computer people ... (Bill Davidsen)
  Re: Random Voting IDs and Bogus Votes (Vote by Phone) (Li Gong, Kathy Vincent)
  Re: Lotus Marketplace (Samuel Bates)
  Re: Superloo (Lars-Henrik Eriksson)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
FTP VOL i ISSUE j: ftp CRVAX.sri.com, login anonymous, AnyNonNullPW, CD RISKS:,
GET RISKS-i.j (where i=1 to 10, j is always TWO digits).  Vol i summaries in
j=00; "dir risks-*.*" gives directory; "bye" logs out.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM
SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Fri, 25 Jan 91 21:06 GMT
From: Sanford Sherizen <0003965782@mcimail.com>
Subject: Risks in forensic use of dental and medical records

A recent review of a book on developments in forensics mentioned that the use
of dental records to reconstruct the identities of bodies was not as successful
as once thought.  The technological developments for the reconstructing of
identities have advanced, but the limits are from the original dental records.
Some dentists have not been recording the true dental history of patients but
have structured their records to reflect the categories that insurance and
other third-party coverage plans use for repayment.  This is also a problem
with physicians, who have been treating patients for one problem but reporting
patient treatments with an eye toward what payment structures allow.

This does not have to mean that proper assistance is withheld.  It just points
to the social limits to relying upon technology.

Sandy

Sanford Sherizen, Data Security Systems, Inc., 5 Keane Terrace, Natick, MA 01760
(508) 655-9888

------------------------------

Date: 26 Jan 91 03:16:47 CST (Sat)
From: karl@sugar.hackercorp.com (Karl Lehenbauer)
Subject: Kinking Foreign-sold Military Equipment

As the complexity of software in military equipment increases, it will be ever
easier for a contractor to slip a kink in.  For example, a special message,
cleverly sent, turns off a jet's engines, changes a missile's course, etc.  As
today's allies can quickly become tomorrow's enemies, and hardware a country
exports can end up being used against it, there is some incentive to code in an
"insurance policy."  This would be a two-edged sword because an enemy of your
client-customer could discover a kink in something you sold them, and use it
against them.

I have often wondered whether the Star Wars people plan to include a way to turn
off the several thousand "Brilliant Pebble" space-based anti-ballistic missiles,
if they were ever to be deployed.  Being able to update the software remotely
would be desirable too, to put it mildly.  It would seem an essential
requirement, yet it is easy to imagine our guys building and launching thousands
of these things without an off switch for fear that the Soviets would figure out
how to turn them off or reprogram them, and some terrible possible consequences
(of not having a way to switch them off), like bugs causing the pebbles to
attack satellites and spacecraft.
uunet!sugar!karl

------------------------------

Date: Sat, 26 Jan 91 18:22:50 GMT
From: Phil Agre
Subject: Patriot missiles

The Patriot missiles genuinely seem to be working well, at least in the desert
environment.  Yet a few years ago the Patriot was the very prototype of the
incompetent high-tech military development program.  Its testing in particular
came in for congressional ridicule.  What happened?  According to its
manufacturer and to various other experts quoted in the press, its software was
greatly improved through the application of software technology developed for
SDI.  These experts regard the success of the Patriot as evidence that the SDI's
software nay-sayers were wrong.  I am willing to calm down for a minute and give
this proposition a serious hearing.  Has anybody got any details?

Phil Agre, University of Sussex

------------------------------

Date: Fri, 25 Jan 91 12:16:14 PST
From: "David 'Witt' DTN 226-6044"
Subject: Electronic cash completely replacing cash

I'm sure I don't have to go into all the RISKS of this, but it is very scary.
The comments at the end that are meant to be reassuring are the scariest part.
He seems to be completely oblivious to people's desire to keep some information
private, even from the government.  The problems of reliability are also
obvious.

--David Wittenberg

[I didn't see the original article, so I only trust that this is transcribed
accurately.  --dkw]

The New York Times, Saturday, December 29, 1990
Three Radical Proposals that could transform New York City, the nation and
maybe, the world.
by Harvey F. Wachsman

Abolish Cash

(Great Neck, N.Y.)  With the nation's economic tailspin causing the loss of tax
revenues, the President and the Congress are going to be considering a variety
of options that no one will like: raising taxes, cutting services or both.  But
before they increase the burden on the American people, they should consider a
system that would collect all the taxes that are already owed.
If all the people who do business in cash were forced to report their incomes
accurately - if the underground economy were forced to the surface - the
Government could collect an additional $100 billion a year for the national
treasury - without raising taxes.  States and cities, many in serious financial
trouble, would also benefit from collecting previously unpaid income and sales
taxes.

How do we create a system to keep cash businesses honest?  Eliminate cash.

That may sound revolutionary, but the exchange of cash for electronic currency
is already used in nearly all legitimate international business transactions.
The expansion and application of this concept to domestic transactions would
have tremendous benefits, and not just budgetary ones.  In addition to forcing
cash businesses to report their actual income, it would allow law enforcement
agencies to crack down on illicit enterprises.

Think about it.  Drug deals, muggings, corruption, businesses concealing their
income - they all require cash and secrecy.  A monetary system based solely on
electronic currency would leave a trail that would cripple such enterprises.

Here's how it would work.  The Government would change the color of the currency
and require all old money to be exchanged at the Treasury.  Then, all the new
currency would be returned by its owners to the bank of their choice.  All banks
would be required to open accounts, free of charge, to all depositors.  (Banks
would surely be delighted to provide this service as it would result in
increased deposits.)  We would offer a period of tax amnesty to encourage
compliance, but as a practical matter compliance would be assured because after
a certain date all currency would be worthless.

In place of paper money, we would receive new cards - let's call them Americards
- each bio-mechanically impregnated with the owner's hand and retina prints to
insure virtually foolproof identification.
The Government would supply all homes and businesses, free of charge, with
machines to read the card, certify the holder's identity, and make instantaneous
electronic debits and credits.  Regardless of what such machines would cost, the
Government, with $100 billion in new revenues and no more printing and minting
costs, would come out ahead.

And think of the benefits to the average American.  No one would have to write a
check again.  Bills could be paid electronically from home.  Such a system is
already available through banks and businesses on a limited, optional basis.
Credit cards would function as they do now.  Americard would simply be a way of
transferring funds from one account to another, without cash.

For example, on payday, instead of receiving a paycheck, your salary would be
electronically transferred into your account.  At lunchtime, you would go to
your favorite restaurant - or the local hot dog stand - and instead of paying
cash, you'd use your Americard.  You'd get a receipt instantly and could get a
cumulative record from your bank (or your personal computer) as often as you
like.

The benefits would be tremendous.  Individuals and businesses would no longer be
able to conceal income.  All transactions would be recorded in a computerized
bank file and would be easy for the I.R.S. to check.  Muggers and burglars would
be out of business: no one would be carrying cash and stolen property would be
difficult to sell because there would be records of all transactions.  Fugitives
would be easier to track down, legal judgements easier to enforce, illegal
aliens simpler to spot, debtors unable to avoid their responsibilities by
skipping town.  The census wouldn't overlook households.  The Federal Reserve
would be better able to follow the economy, helping to stabilize the financial
markets.  The current series of economic indicators would be replaced by instant
access to solid information.
And with all income being reported for tax purposes, we could not only balance
the budget but actually cut taxes.

Some people might be concerned about possible abuses of civil liberties.  But
there would be a record of anyone who entered another's account - officials
would be granted access only after electronic verification of their hand and
retina prints.  Civil and criminal penalties for theft of information would be
devastatingly severe.  Government agencies and prosecutors would be subject to
the same Constitutional constraints that currently exist for access to bank
information or for the granting of wiretaps.  And there would be no information
on the Americard computer that doesn't already exist in other forms today.  If
anything, our rights to privacy would be more secured with the protections that
the Americard would offer.

And besides, I'd like to ask every parent whose child walks to school through a
gauntlet of drug dealers, everyone whose home has been robbed, whether they
think that their rights have been jeopardized by a system that could solve all
these problems?

Since computer systems occasionally fail, Americard would be contained on
several connected secure computers: at the local bank branch, the main bank, the
regional office of the Federal Reserve and the Federal Reserve in Washington,
D.C.

Americard may seem like a drastic approach but its advent is inevitable.  In the
days of the telegraph and the pony express, who could have imagined that one day
there would be a phone on every street corner in Manhattan?

[Harvey F. Wachsman, a neurosurgeon and lawyer, is president of the American
Board of Professional Liability Attorneys.]

[Also noted by Martin Minow, minow@bolt.enet.dec.com]

------------------------------

Date: Fri, 25 Jan 91 15:17:57 EST
From: davidsen@crdos1.crd.ge.com
Subject: San Francisco taxes its computer people ... (PGN, RISKS-10.80)

Nope, the tax collector is right.
People either pay their taxes on time without fail, or they let them go as long
as possible, particularly when they are thinking of selling the structure and
put the money into either fixup or their pocket.  The people who are behind are
probably not going to pay right away, if at all.  Rebilling them a little later
won't lose anything; the city charges (I assume) more interest than the banks
pay, so better late, actually.

bill davidsen  (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen)

------------------------------

Date: 26 Jan 91 03:03:30 GMT
From: hollombe@ttidca.tti.com (The Polymath)
Subject: California's DMV licenses (Re: RISKS-10.79)

The state of California Dept. of Motor Vehicles (DMV) announced its new format
driver's license last week.  The license appears to be a standard magnetic
stripe (MS) card with the usual driver's license information on the front
including the licensee's photograph as a hologram.  The DMV claims these
licenses will be much harder to fake and forge.  They did not say what specific
information was on the MS.

The risks of MS cards have been discussed here before.  The fact that I'll
probably know what's on my license's MS the day I get it should give some idea
of how insecure that information is.  It takes little more to alter it.  The
specifications for MS cards and data are part of a published ANSI/ISO standard.
The hardware to build an MS reader/writer can be purchased at Radio Shack.

Further, I can imagine retailers demanding to run my license through their MS
readers along with my credit card or to verify a check.  I'm not happy about
that prospect at all.

The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)
Head Robot Wrangler at Citicorp(+)TTI
3100 Ocean Park Blvd., Santa Monica, CA 90405   (213) 450-9111, x2483
Illegitimis non Carborundum
{rutgers|pyramid|philabs|psivax}!ttidca!hollombe

------------------------------

Date: Fri, 25 Jan 91 14:16:48 EST
From: li@helen.oracorp.com
Subject: Random Voting IDs and Bogus Votes (Vote by Phone)

The latest RISKS discussed a proposal of "vote by phone" -- registered voters
are assigned random numbers as ids, and the ids with the corresponding votes are
published afterwards so that voters can verify that their votes are included
correctly.

(1) Talking about the use of randomization techniques, one might also want to
randomize the ballot papers so that on each individual paper, candidates are
listed in random order.  The gains are obvious -- many people just vote for the
first name (or the last?).

(2) PGN rightly pointed out the risk that bogus votes can be inserted because
there are no voters who check them.  On this front, bogus votes are sometimes
useful.  David Wheeler and I once thought up the idea of "inserting controlled
bogus votes" in the following manner.  Each voter is given an id number to vote,
but is told that the number is either positive or negative.  Suppose there are
two candidates, Alice and Bob.  If the number is negative, a vote for Alice is
actually counted as a vote for Bob.  This has the advantage that a third
(malicious) party who forces a voter to vote cannot verify (from the published
list) if the vote is indeed the desired one.  It is easy to generalize to
multiple candidates.

An additional advantage is that people can write their numbers on papers.  One
can steal a number, but won't be sure how to use it (even if I write down
+1234567, I could have mentally remembered it to be a negative number.  Now I
remember 1 bit of information, not a long random number).

Of course, there must be some measures to control (and verify?) the process of
counting the ballots.  Maybe we are talking about conflicting requirements :-)

Li Gong, ORA Corp., Ithaca, New York.
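The positive-or-negative id scheme in the note above, simulated as an added example (this is not code from the note, from RISKS, or from ORA Corp.).  It assumes the "negative" id is represented as a secret offset of 1 held by the registrar and the voter, and it generalizes to more than two candidates with a modular offset, which is my own extension of the idea, not the note's; all ids and votes are constructed sample data.

```python
"""Simulation of the 'positive or negative voting id' idea: the public list shows
only what each voter keyed in, so a coercer cannot tell how the vote was counted.
Candidate indices: 0 = Alice, 1 = Bob (two-candidate case from the note)."""
import secrets
from collections import Counter


def issue_credentials(voters, n_candidates):
    """Registrar: give every voter a unique random public id plus a secret offset.
    Returns {voter_name: (vote_id, offset)}; the offset is told only to the voter.
    For two candidates offset 1 is the note's 'negative' id; for more candidates
    the offset is my modular generalization (assumption)."""
    creds, used = {}, set()
    for voter in voters:
        vote_id = secrets.randbelow(10_000_000)
        while vote_id in used:                 # ids must never collide
            vote_id = secrets.randbelow(10_000_000)
        used.add(vote_id)
        creds[voter] = (vote_id, secrets.randbelow(n_candidates))
    return creds


def encode_choice(choice, offset, n_candidates):
    """What the voter actually keys in: the real choice shifted by the secret offset.
    With a 'negative' id (offset 1) a voter who wants Alice (0) keys in Bob (1)."""
    return (choice + offset) % n_candidates


def tally(ballots, registry, n_candidates):
    """Tallier: undo each id's offset and count.  `registry` maps vote_id -> offset
    (the registrar's secret table).  Returns (counts, published_list); the published
    list carries only the keyed-in values, so it reveals nothing about real votes."""
    counts, published = Counter(), []
    for vote_id, keyed in ballots:
        if vote_id not in registry:            # bogus id that was never issued
            continue
        counts[(keyed - registry[vote_id]) % n_candidates] += 1
        published.append((vote_id, keyed))
    return counts, sorted(published)


def voter_verifies(published, vote_id, offset, choice, n_candidates):
    """Voter: check the public list shows my id next to my (shifted) entry."""
    return (vote_id, encode_choice(choice, offset, n_candidates)) in published


def real_votes_consistent_with(keyed, n_candidates):
    """Coercer's view of one published entry: every real choice is still possible,
    because the offset that would explain the entry is unknown to the coercer."""
    return {(keyed - off) % n_candidates for off in range(n_candidates)}
```

The check a coercer would try (looking up the voter's id on the published list) returns an entry that is consistent with every candidate, while the voter's own check, which uses the secret offset, still confirms the vote was recorded.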
li@oracorp.com

------------------------------

Date: Thu, 24 Jan 91 13:47:04 GMT
From: kathy@rbdc.UUCP (Kathy Vincent)
Subject: Re: Voting by Phone (RISKS-10.80)

That's like saying no one can hack your bank account because you have a personal
security code.  And no numbers are so anonymous that someone so inclined couldn't
find out exactly who placed what vote for whom.  You may not be so inclined, but
some people are -- esp people who want to control outcomes, which is what our
secret ballot system is specifically supposed to guard against.  If information
connecting a person with a vote is stored in such a manner as to prevent
fraudulent voting, no matter how fragile the linkage, someone or someones with
enough determination can easily find the linkage and exploit it to their own
advantage.

Not to mention ... people with the right kind of electronic equipment can sit
outside your house and monitor your computer keyboard clicks and know exactly
what you're typing.  They can monitor your touch-tone phone tones and know
exactly what numbers you're dialing.  Or what numbers you're using to place your
vote -- including your password and anonymous ID number.  People with cordless
or cellular phones are esp vulnerable.  And with the kind of technology that
makes caller ID possible, well ...

------------------------------

Date: Fri, 25 Jan 91 14:03:49 CDT
From: samuel@cs.wisc.edu (Samuel Bates)
Subject: Re: Lotus Marketplace (Schumacher, RISKS-10.80)

I would venture to say that the uproar is due to the fact that people heard
about the Lotus product, whereas they didn't hear about the others.  I would be
interested to hear about other ways of getting the same information; if we
object to Lotus putting together the product, then we should object to other
companies doing the same.  If you can get names of companies that produce the
information, I would like to know them.  Barring that, will you tell me the
names of the academics with whom you spoke?
Samuel Bates   samuel@cs.wisc.edu   University of Wisconsin-Madison

------------------------------

Date: Sat, 26 Jan 91 19:37:57 GMT
From: lhe@sics.se (Lars-Henrik Eriksson)
Subject: Re: Superloo (Campin, RISKS-10.80)

There is an obvious risk here.  In fact, I have read a newspaper report
(although it was several years ago so I can't give any sources) that this
"disinfecting cycle" once started while a girl was still inside.  She later died
because of lung damage after having inhaled the disinfectant fluid.

Lars-Henrik Eriksson, Swedish Institute of Computer Science, Box 1263
S-164 28 KISTA, SWEDEN   +46 8 752 15 09

------------------------------

End of RISKS-FORUM Digest 10.81
************************