Subject: RISKS DIGEST 11.09
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 14 February 1991  Volume 11 : Issue 09

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents: [A CALL-BY-VALentine saves "nein"?]
  Vote-by-fax plan before [CA] Legislature (clarinews via Eric Postpischil)
  Douglas goes fly-by-wire (Martyn Thomas)
  Vietnam Vet's Memorial article ambiguous (Sam Levitin)
  Tax Preparation (Peter Jones)
  Collection of Evaded Taxes (Cameron Laird)
  Singacard anyone? (Bill J Biesty)
  Re: the new CA driver license (Ian Clements, Curt Sampson)
  Re: automatic flight and seasickness (Lars-Henrik Eriksson)
  Follow-up to wireless network (Frank Letts)
  4th Annual Ides-of-March Virus & Security Conference (Judy S. Brand)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
FTP VOL i ISSUE j: ftp CRVAX.sri.com
                   login anonymous
                   AnyNonNullPW
                   CD RISKS:
                   GET RISKS-i.j
(where i=1 to 11, j is always TWO digits.  Vol i summaries in j=00;
"dir risks-*.*" gives directory; "bye" logs out.)
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: 6 Feb 91 02:49:14 GMT
From: clarinews@clarinet.com
Subject: Vote-by-fax plan before Legislature
Newsgroups: clari.tw.telecom,clari.news.hot.iraq,alt.desert-storm
Keywords: state government, government, election, politics, fighting,
Reply-To: info@clarinet.com (For More Information)

Article 6531 of alt.desert-storm:
Path: shlump.nac.dec.com!news.crl.dec.com!deccrl!bloom-beacon!snorkelwacker.mit.edu!hsdndev!wuarchive!uwm.edu!lll-winken!looking!clarinews

[Provided for USENET readers by ClariNet Communications Corp.  This copyrighted material is for one-time USENET distribution only.]  [SEE END OF MESSAGE!]

SACRAMENTO (UPI) -- Troops fighting in the Persian Gulf could vote in California elections by using fax machines to cast their ballots under legislation announced Tuesday.

The measure, SB293, would amend the state Elections Code to allow members of the military and other California voters temporarily living outside the United States to fax absentee ballot applications to county election officials.  County officials would then use fax machines to send absentee ballots to overseas voters, who could return the completed ballots by fax.

``Even when applications for overseas absentee ballots are received early in the process, ballots sent halfway around the world sometimes arrive too late to be returned by mail before the close of polls on Election Day,'' Secretary of State March Fong Eu said.

``This legislation would allow overseas voters, such as those members of the armed forces stationed in the Middle East as part of Operation Desert Storm, to fax their voted ballots back in time to be counted,'' she said.

The bill is coauthored by state Sen. Milton Marks, D-San Francisco, and Assemblyman Peter Chacon, D-San Diego.

Only a few people stationed at U.S. embassies, working at projects overseas, and members of the military would be expected to take advantage of the vote-by-fax program, Eu's spokeswoman Melissa Warren said.

``The numbers aren't huge.  We aren't expecting large numbers of people to participate,'' she said.

Several states accepted vote-by-fax ballots during last November's elections, Warren said.

If the measure is quickly passed by the Legislature and signed by Gov. Pete Wilson, the first California election with fax voting would be the March 19 special elections for two state Senate seats and one Assembly seat.  Marks said he would rush the measure through the Legislature.

``It seems only fitting that at a time when we are engaged in a military struggle with a ruthless despot, we make this effort to provide our servicemen and women with the most important franchise of our democratic system -- the right to vote,'' he said.

   [This item submitted to RISKS by Eric Postpischil.  THE RESPONSE FROM
   clarinews@clarinet.com TO PGN's REQUEST FOR PERMISSION TO REUSE THE ABOVE
   IN RISKS IS
   From: Brad Templeton: "The one time statement indicates you have to ask
   for more.  You did, so I'll grant permission for RISKS in electronic form.
   (We are unable to grant permission for print forms).  Brad"]

   [Nice phrase, "take advantage" of it!!!  Nice opportunities for voter
   fraud?  I hope some sort of authentication is planned...  PGN]

------------------------------

Date: Thu, 14 Feb 91 13:19:09 GMT
From: Martyn Thomas
Subject: Douglas goes fly-by-wire

McDonnell Douglas has switched to a full fly-by-wire flight control system for its MD-12X, reports Flight International (13-19 Feb 1991, p4).

"With fly-by-wire we are able to retain the flying qualities of the aircraft and more easily resemble MD-11 [handling]".  "The benefit is predominately in the area of cross-crew training".  "A fly-by-wire aircraft should also be cheaper to produce".  [quotes from MD-12X management].
The control system will be modelled on that developed by GE aerospace for the USAF C-17 airlifter.

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel: +44-225-444700.  Email: mct@praxis.co.uk

------------------------------

Date: Thu, 14 Feb 91 06:39:12 PST
From: Go Mossad!  14-Feb-1991 0938
Subject: Vietnam Vet's Memorial article ambiguous (Johnson, RISKS-11.08)

RE: Jeff Johnson's article in RISKS 11.08 about the Vietnam Vets' memorial and a photo in the SF Chronicle, I didn't see the photo, but I do know that there is a possibility that this situation is *not* due to a typo.

On the Vietnam Veterans' Memorial in DC, there is a set of symbols: one to denote "Killed" (a cross?), one for "Missing in Action", and "Formerly MIA but now known to have survived" (a circle?).  The symbol used for MIA can be further carved in one way to become the symbol for Killed in Action, and can be further carved in a different way to become the symbol for "Formerly MIA".

Because I don't know which symbol appeared next to Eugene J. Toni's name on the monument, I won't comment on the possibility of a typographical error, as reported by the Chronicle.  However, the language in the caption (or perhaps the title of Johnson's RISKS article) makes it too easy for the reader to believe that Toni was formerly believed killed.

Sam Levitin, Digital Equipment Corporation

------------------------------

Date: Thu, 14 Feb 91 12:12:12 EST
From: Peter Jones
Subject: Tax Preparation

Today, I saw an advertisement in the mail about a new service on Bell's ALEX service offering income tax preparation assistance.  Customers can supply income tax information and then order completed forms by mail.

The RISKS I see are:

1) Transmitting confidential data in the clear over public phone lines.

2) Giving the service provider potential access to a lot of confidential information: SIN (SSN in the US), income, address, credit card number,...
   I found no mention of safeguards of confidential information when I browsed the literature.

3) Possible loss of all data entered if the phone connection is broken (unless the system provides a checkpoint facility).  I don't want to spend $$$ to find out.

4) Underestimation of costs.  The literature quotes about $12 for mailing, and this ALEX service costs $0.15/min.  The literature estimates connect time to be 30 minutes for a couple.  So we're talking about $35 or so here, and this may be optimistic (see 3, especially if the phone has Call Waiting).

5) The system only covers certain basic forms (this is stated in the literature).  So you have to be fairly knowledgeable about income tax to decide if the system is worth using.

Peter Jones (514)-987-3542
UUCP: ...psuvax1!uqam.bitnet!maint   Internet: Peter Jones

------------------------------

Date: Mon, 11 Feb 91 09:47:17 CST
From: news@lgc.com (Cameron Laird)
Subject: Collection of Evaded Taxes

Comp.risks supports continuing discussions on advantages and disadvantages of automation of financial transactions; most recent was a proposal for an AmeriCard, which would facilitate or enforce movement of all purchases to equipment which would record those purchases.  One of the advantages claimed for such schemes, including Mr. Gorbachev's latest "monetary reform", is that they'll flush not-fully-taxed activities into the spotlight of tax enforcement agencies.  For example, if you rebuild your neighbor's carburetor in exchange for him removing the dying tree in your backyard, the Internal Revenue Service expects you both to declare those (imputed) incomes and pay corresponding taxes on them.

Thus, as an article in the 21 January 1991 *Forbes* asks, "Politicians of all stripes love to claim the federal deficit can be cut by cracking down on tax cheats.  Why cut spending when the IRS has $78 billion in total accounts receivable and is losing $100 billion a year to tax evasion?"  The article's conclusion: "The argument ... grossly exaggerates the IRS' ability to raise more money through tougher enforcement."  Note that the Agency has strong institutional pressures to overestimate its capabilities.  Most interesting from the point of view of economic science is the (unsupported) assertion that, "As for outright cheating, even the IRS' toughest audits find less than half the evasion it claims goes on."  In the midst of tendentious estimates and murkiness, there's a real value in looking at the actual operating experience of, for example, the IRS.

I've marked the distribution of this note for "world" because it's at least as great an issue outside the USA.  France, for example, sometimes prides itself on the vigor with which its citizens fail to co-operate with tax agencies; from my little experience there, though, I can report that people were generally more law-abiding than they should have to be, given the confusion those agencies generate.

The article does make one incomplete reference to a scholarly study.  The reporter might be willing to help someone pursue the subject; I've known some who do, and some who don't.

I summarize: for the reasons others have already stated in comp.risks, tax enforcement does *not* yield the windfalls some expect of it; in particular, the IRS' own records suggest much lower returns than they estimate in their reports to Congress.

Cameron Laird   USA 713-579-4613   USA 713-996-8546

------------------------------

Date: Thu, 14 Feb 91 09:33:35 CST
From: wjb@edsr.UUCP (Bill J Biesty)
Subject: Singacard anyone?

From the Wall Street Journal, Wednesday, February 13, 1991, p.A7 c.1
"Singapore Equals Push Buttons"

From cashless shopping to electronic paperwork and even a computerized pig auction, Singapore is plugging its 2.6 million people into electronic grids linking the entire island nation.  It plans to build grids for shopping, booking tickets, checking data and sending documents.
Singapore's small size and centralized bureaucracy simplified establishing the electronic groundwork.  All citizens carry a numbered identification card, allowing cross-indexing of data.

"The purpose ... is to turn Singapore into an intelligent island in which IT [information technology] will be fully exploited to improve business competitiveness and, more importantly, to enhance the quality of life," an education ministry official said.  A master plan, IT 2000, will be unveiled at year end.

Already, TradeNet lets companies submit data electronically to the state and accounts for 90% of all trade documents.  The Network for Electronic Transfers, a cashless shopping system, has been operating for five years and is used by more than one-third of the population.  Other networks include StarNet for air cargo, MedNet for Medical claims, and LawNet for company registry.  Coming next: "Smart Town," linking households.

I think it was mentioned in Risks, but was mentioned in WSJ that Singapore plans to install sensors in cars and roads and start taxing vehicle owners based on usage rather than an average fee to cover maintenance costs of roads.  Considering Singapore's government, widely considered autocratic, though it is democratically elected, this will probably be less than beneficial to the entire populace.  (The Editorial and Letters pages of the WSJ recently had a debate on this.  Nepotism seems to be one indicator.  Sorry no dates.)

The risk involved is for those people whose idea of "quality of life" has nothing to do with feeding the commercial/consumer dynamo.  Then again they probably don't live in Singapore.  Another is as long as you're a good little consumer and a good little entrepreneur you're ok.  The ability to catch laggards and other non-productive types cannot be underestimated.  You've heard of sin taxes, Lazy Tax anyone?

What the article doesn't mention is how much independence exists for the businesses that use the Nets.
Are the Nets a government service or control of all players using them?  Will the Nets provide a situation similar to the national airline reservation system(s) or will they nationalize industries under monarchical control?

Bill Biesty, Electronic Data Systems Corp., Research and Advanced Dev.,
7223 Forest Lane, Dallas, TX 75230   edsr.eds.com!wjb   wjb@edsr.eds.com   214-661-6058

------------------------------

Date: Mon, 11 Feb 91 8:00:32 PST
From: ian@lassen.wpd.sgi.com (Ian Clements)
Subject: The new CA driver license (RISKS-11.07)

In RISKS 11.04 Mark Gabriel writes about privacy issues concerning the new CA drivers license.  In issue 11.07 David Redell responds with two points concerning recent privacy legislation and the clerk's right to certain parts of the information.

Like many modern marvels, the magnetic strip is easily defeated.  If you're concerned about what a clerk may or may not record or know about you, run a magnet down the stripe.  This will render the stripe useless and the clerk (or police officer) will once again have to rely on mechanical recording.

I would be more concerned about the possibilities for abuse of this new technology.  Insurance companies will surely ask potential customers for a drivers license to check the driving record (given CA's new insurance rules, there is much incentive to bit twiddle)--how long will it be before someone figures out how to rearrange bits on the stripe?

--ian   Ian Clements   ian@sgi.com   415/962-3410

------------------------------

Date: Sat, 09 Feb 91 10:40:56 PST
From: curt@cynic.wimsey.bc.ca (Curt Sampson)
Subject: Re: The new California licenses (Hibbert, RISKS-11.03)

> This track will only contain 40 bytes of information, and will only
> contain the name, driver' license number, and expiration date.

This would not likely leave more than 32 bytes for the person's name.  Yet another problem.
Coercivity is a measure of how much magnetic energy it takes to imprint or erase a magnetic medium, and it is measured in oersteds.  The typical coercivity of a cassette tape would be in the 280-380 oersted range.  The typical coercivity of a high-coercivity tape (such as DAT or 8 mm video) would be 1000-1400 oersteds.

30 oersteds is quite low (surprisingly low, in fact).  That may explain why my bank card has been "zapped" twice in the past year.  3600 is quite high, but a standard videotape eraser might be able to affect it if you put the stripe right up against the surface.  (An audiotape eraser would not affect it.)

I have little doubt that a dedicated hardware hacker would be able to come up with a unit to read from and write to the cards with little difficulty.  The hardest part would probably be machining a head to read the stripe.  I wonder if the data is going to be encrypted in any way?

cjs   curt@cynic.wimsey.bc.ca   curt@cynic.uucp   {uunet|ubc-cs}!van-bc!cynic!curt

------------------------------

Date: Sun, 10 Feb 91 11:33:17 GMT
From: lhe@sics.se (Lars-Henrik Eriksson)
Subject: Re: automatic flight and seasickness (Bryant, RISKS-11.07)

   [Re: Bryant on Olivier M.J. Crepin-Leblond in RISKS-10.83]

I believe the original poster is right.  I am a private pilot, and I have noticed numerous times that I do have a tendency to get sick when I go along as a passenger.  I have even noticed this tendency when flying the aircraft myself with an instructor who tells me what to do.  When I fly as the pilot-in-command, I have *no* problems with airsickness even on extended flights in rough weather.

Lars-Henrik Eriksson, Swedish Institute of Computer Science, Box 1263, S-164 28 KISTA, SWEDEN   +46 8 752 15 09

------------------------------

Date: Sun Feb 10 13:16:10 1991
From: frank letts
Subject: follow-up to wireless network

There seems to be some question regarding the legality of the radio telemetry testing I described in an earlier post.
The story was presented with a bent toward the (objectively) humorous and the obvious risks presented by the wireless network.  Left out was some information that, by its absence, led some to believe the operation was an illegal one carried out by "sickos" and technically incompetent bozos.

The oil company held a valid FCC license for data transmission over the frequency in its normal operation mode, and a temporary permit for same at low power in the Houston facility.  While looking for the source of the interference we did find some bad dummy loads which we replaced, but, following that, our installation was on spec and fully legal.

We did determine that the delivery driver(s) were running linear amps and were bleeding over onto adjacent frequencies when transmitting.  That would explain their interfering with our operation, but not our interfering with them.  Odds were that the driver(s) only heard the buzzing while driving directly past our building.  They should have had no problem receiving or transmitting.

As far as the personnel are concerned, the engineer and technicians all held FCC tickets, were highly qualified for the work, and had been in the business for many years.  I have been doing data acquisition and communications software for about twenty years and consider myself somewhat competent in the area.  None of us are necessarily sickos.  One of the techs probably qualifies as a bozo, but he's a nice enough fellow and a decent tech.

I hope that this quiets any unrest out there.

Frank Letts, Ferranti International Controls Corp., Sugar Land, Texas   (713)274-5509

------------------------------

Date: Fri, 8 Feb 91 08:54:37 -0500
From: news@cs.purdue.edu (News Knower)
From: jsb@well.sf.ca.us (Judy S. Brand)
Subject: 4th Annual Ides-of-March Virus & Security Conference

Who SHOULD attend this year's Ides-of-March Fourth Annual Computer VIRUS & SECURITY Conference at the New York World Trade Center?
MIS Directors, Security Analysts, Software Engineers, Operations Managers, Academic Researchers, Technical Writers, Criminal Investigators, Hardware Manufacturers, Lead Programmers who are interested in:

WORLD-RENOWNED SECURITY EXPERTS:        CRIMINAL JUSTICE LEADERS:
  Dorothy Denning - DEC                   Bill Cook - US Justice Dept
  Harold Highland - Comp & Security       Donn Parker - SRI Intl
  Bill Murray - Deloitte & Touche         Steve Purdy - US Secret Service
  Dennis Steinauer - NIST                 Gail Thackeray - AZ Attorney

UNIVERSITY RESEARCH LEADERS:            LEGAL/SOCIAL ISSUES EXPERTS:
  Klaus Brunnstein - Hamburg              Mike Godwin & Mitch Kapor - EFF
  Lance Hoffman - GWU                     Emmanuel Goldstein - 2600 Magazine
  Eugene Spafford - SERC/Purdue           Tom Guidoboni - (R.Morris' lawyer)
  Ken van Wyk - CERT/CMU                  Marc Rotenberg - CPSR

PLUS Fred Cohen, Ross (FluShot) Greenberg, Andy (DrPanda) Hopkins, and over 40 MORE!

Over 35 PRODUCT DEMOS including: Candle's Deltamon, HJC's Virex, McAfeeSCAN, Symantec's SAM, ASP 3.0, DDI's Physician, Gilmore's FICHEK, Certus, FluShot Plus, Iris's Virus Free, 5D/Mace's Vaccine, Norton Utilities, PC Tools, Quarantine, Viruscan, Panda's Bear Trap, Disk Defender, Top Secret, Omni, ACF2, RACF and OTHERS AS REGISTRANTS REQUEST.

FIFTY PRESENTATIONS INCLUDE: Security on UNIX Platforms, Tips for Investigators, HURRICANE Recovery, Dissecting/Disassembling Viruses, 6 Bytes for Detection, LAN Recovery, ISDN/X.25/VOICE Security, Encryption, Apple's Security, EARTHQUAKE Recovery, IBM's High-Integrity Computing Lab, US/Export Issues, 22-ALARM Fire Recovery, Publicly Available Help, Adding 66% More Security, NETWARE VIRUS Recovery, Next Generation of Computer Creatures, THE WALL STREET BLACKOUT Recovery, Mini Course in Computer Crime, Great Hacker Debate, REDUCING Recovery Costs, S&L Crisis: Missing DP Controls, OSI and the Security Standard, Virus Myths, Viruses in Electronic Warfare, US Armed Forces Contracts for New Ideas....

INTERESTED?
ONLY $275 one day (Thurs 3/14 - Fri 3/15) or $375 both days:

  * Bound, 600-page Proceedings containing ALL materials - no loose paper!
  * Eight meal breaks, including Meet-the-Experts cocktail party 107th Floor
  * 2-day track of product demo's
  * 2-day course for ICCP Security exam
  * Full-day Legal & Justice Track
  * Full-day disaster Recoveries Track

There is a $25 discount for ACM/IEEE/DPMA members.  Fourth member in each group gets in for no charge!

To register by mail, send check payable to DPMA, credit card number (VISA/MC/AMEX), or purchase order to:

  Virus Conference
  DPMA Financial Industries Chapter
  Box 894
  New York, NY 10268

or FAX to (202) 728-0884.  Be sure to include your member number if requesting the discounted rate.  Registrations received after 2/28/91 are $375/$395, so register now!  For registration information/assistance, call (202) 371-1013.

Discounted rates available at the Penta Hotel.  $89 per night.  Call (212) 736-5000, code "VIRUS".
Discounted airfares on Continental Airlines, call (800) 468-7022, code EZ3P71.

Sponsored by DPMA Financial Industries Chapter, in cooperation with ACM SIGSAC and IEEE-CS.

------------------------------

End of RISKS-FORUM Digest 11.09
************************