Subject: RISKS DIGEST 11.28
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 14 March 1991  Volume 11 : Issue 28

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  BeeperScam (Jake Livni)
  The Mailing List Business (Mary Culnan)
  Census Bureau Seeks Changes [anonymous]
  Roadway information base risk (John McMahon)
  How to deal with "DROIDS" (Greeny)
  Re: EM solution for new buildings - risk solved? (Christopher Owens)
  Computer Obtuseness File (Medical Division) (Anthony E. Siegman)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COM login anonymous AnyNonNullPW CD RISKS: GET RISKS-i.j" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 12 Mar 91 18:58:27 EST
From: jake@mars.bony.com (Jake Livni)
Subject: BeeperScam

I just saw a news item describing the arrest, today, of someone in New York City on possible wire-fraud and mail-fraud charges. Apparently, he used a computer to dial common beeper exchanges and left a return phone number on as many beepers as he could. Those people who called the number heard a message stating that they were being billed $55.00 for this call. There weren't many more details in the report - except that the Secret Service didn't have much difficulty finding this guy.
Maybe that explains a strange return number my boss got a few weeks ago, I think a 900-number. I knew that some FAX-supply companies were sending out junk-FAXes to FAX-numbers but what could a beeper-supply company try and sell?!

On a slightly divergent note, should there perhaps be some kind of restriction on phone numbers that cost umpteen-dollars after the first second of connect time? It's not so difficult for a misdialled call to cost plenty.

Jake    jake@bony1.bony.com

   [An anonymous RISKS reader noted that their company phone switches are protected from making outgoing calls on 900 and 540 numbers. However, their employees may use phones at customer sites in response to a page. Their New York office has alerted employees to this scam. They expect similar activities in other areas in the future. PGN]

------------------------------

Date: 14 Mar 91 13:38:00 EST
From: "Mary Culnan"
Subject: The Mailing List Business

In today's Wall Street Journal (3/14/91, p. A1;A8), there is an extended article describing the extent to which the mailing list business extends its tentacles into the details of our private lives. The article by Mike Miller not only provides extensive examples of individual lists which many people are likely to find offensive, but also provides information on some of the largest mailing list firms in the country and the ways they gather data about all of us. Evan Hendricks of the Privacy Times is quoted as saying, "You go through life dropping little bits of data about yourself everywhere. Most people don't know there are big vacuum cleaners sucking it up."

Specific lists cited in the article include:

* Metromail's "Young Family Index Plus" which lists about 67,000 new births each week compiled from clipped birth announcements, referrals from Lamaze coaches and names acquired from companies that deal in baby supplies
* America List Corp sells lists based on high school yearbook listings about virtually every high school class in the U.S.
* Benadryl bought names and addresses (based on phone numbers sold to them) of people calling an 800 number for pollen count information
* The Big 3 credit bureaus sell mailing lists based on aggregated credit data, e.g. "Credit Seekers Hotline" of people who recently applied for credit and are "prospects who want to make new purchases"

Finally, an Atlanta-based company which prepares marketing questionnaires asks if there has been a recent death in the family. The company's President is quoted, "Death has always been a negative life style change nobody thought could be sold, but I differ. I think it's a very good market."

The RISKS are clear. If you aren't aware that personal information is being collected, i.e. you thought you had an expectation of privacy, ignorance makes it impossible to exercise the options that exist for getting one's name taken off of lists. However, even these mechanisms are not foolproof if companies are not committed to privacy on principle. One example was cited of a company who mailed to people who had signed up for a "delete me" list because these people would have uncluttered mailboxes.

   [A lot of the info came from the same public sources I mentioned in my earlier RISKS posting and also in the handout I sent to the 10 or so people who wrote me. MC]

   [Roger.Pick@UC.Edu (Roger Pick) also noted this article, headlined "Data Mills Delve Deep To Find Information About U.S. Consumers: Folks Inadvertently Supply It By Buying Cars, Mailing Coupons, Moving, Dying: Treasure for Direct Marketers." He highly recommends it. PGN]

------------------------------

Date: Tue, 12 Mar 91 12:37:37 XST
From: [anonymous]
Subject: Census Bureau Seeks Changes

Today's AP reports that the Census Bureau is already asking for $10.1M next year for needed modernization of the census process for the year 2000.
Census Director Barbara Bryant told the census and population subcommittee of the House Post Office and Civil Service Committee that "The increasing diversity in ethnic and language groups will certainly make data collection in the 2000 census more difficult."

Bryant said the bureau is considering changes such as the following:

* A "user-friendly short questionnaire" that would include only the questions needed to redraw voting districts. The agency hopes more people will fill out the census form if it is shorter.
* Distributing forms at public locations, much as tax returns are, and using computers to weed out duplicate mailings.
* Using new technologies to produce forms in languages other than English and Spanish.
* Allowing people to file their census forms by home computer directly into the agency's data banks.
* Obtaining information about people from other government agencies rather than from the people themselves.

------------------------------

Date: Thu, 14 Mar 91 16:03:00 PST
From: mcmahon@TGV.COM (John 'Fast-Eddie' McMahon)
Subject: Let your fingers do the walking through the roadway information base

In the 3/13/91 issue of the San Francisco Examiner, a columnist (I have forgotten the name) describes the new transportation department service where you can use your phone to dial up and request information on the status of a particular roadway. From a touch tone phone, you answer the prompt with the highway number.

It appears the default for any given road is a message which states that "no construction/detour information is available". This was the information that the columnist received when he punched in "480", the code for Interstate Highway 480 in downtown San Francisco.

The problem is that I-480 (a.k.a. The Embarcadero Freeway) was closed after the 1989 Loma Prieta Earthquake and is in the process of being torn down. Anyone who reads a San Francisco newspaper knows this.

Obviously no one bothered to tell the computer...
John 'Fast-Eddie' McMahon, TGV, Inc., 603 Mission Street, Santa Cruz CA 95060
408-427-4366 or 800-TGV-3440 : MCMAHON@TGV.COM

------------------------------

Date: Thu, 14 Mar 91 19:05:53 -0600
From: MISS026@BOGECNVE.BITNET
Subject: How to deal with "DROIDS"

The recent discussions on "droid" workers have prompted me to pass along a bit of "wisdom" that I've acquired from dealing with many "droid-related" problems.

Feel free to quote the following:

"Excuse me, you have been quite helpful, however, I would like to take this matter up with the President of your company. Please provide me with the name/address/phone number of the President."

Just forget about dealing with STEWPID [sic] people altogether, and send a CERTIFIED letter to the President, RESTRICTED DELIVERY REQUESTED. It costs about $2.80 to send it this way, but the President must physically sign for the letter, and you are just about guaranteed at getting a favorable response from the President (or at least a vice-president). These people know why you are writing to them, and how to solve your problem to retain your business (along with all of your word-of-mouth business as well), and will help you.

It's worked for me for years, and years.....start at the top and work down rather than working upward thru stupidity.....(gravity works wonders in bureaucracies...)

And remember to wear your "I HATE STEWPID PEOPLE" T-shirt with pride! :-> (yes I have one....)

Greeny
Internet: MISS026@VE.BOGECN.EDU
BITNET: MISS026@BOGECNVE

   [Although not really computer related, this message is brought to you as a service to the public (instead of a risk?). PGN]

------------------------------

Date: 14 Mar 91 16:08:53 GMT
From: owens@lust.uchicago.edu (Christopher Owens)
Subject: Re: EM solution for new buildings - risk solved?

> ... which stops any electromagnetic radiation from leaving the building.
                  ^^^
> It is therefore impossible to hack inside information from outside ...
                  ^^^^^^^^^^

It appears that the author of the magazine article uses the term "any" to mean "some", and "impossible" to mean "more difficult". Clearly (bad pun) the stuff can't stop *all* electromagnetic radiation, else you couldn't see through it.

Christopher Owens, Department of Computer Science, The University of Chicago
owens@gargoyle.uchicago.edu (312) 702-2505

------------------------------

Date: Sun, 10 Mar 91 16:27:10 PST
From: Anthony E. Siegman
Subject: Computer Obtuseness File (Medical Division)

My wife's father, elderly and ill, has had many medical bills lately. These bills are sent by the medical providers (doctors, hospitals, etc.) directly to Medicare, which pays part of the charges, leaving a balance to be paid by supplementary insurance or his personal funds.

Because so many patients in this situation have supplementary Blue Cross/Blue Shield coverage, Medicare has set up an automatic forwarding procedure to transmit the unpaid portions of these bills directly to Blue Cross.

My wife's father has supplementary coverage with another carrier, however, and no Blue Cross coverage; yet it turns out this automatic forwarding feature can be neither redirected to his carrier nor turned off.

For every single bill, therefore -- and there are dozens -- the unpaid portion gets forwarded to Blue Cross, which tries to process it and discovers he has no coverage. So after a suitable delay they mail him (really, us) a form letter (a separate one for each bill) saying they are unable to identify his coverage.

There seems to be no way to turn this process off or short-circuit it. --AES

------------------------------

End of RISKS-FORUM Digest 11.28
************************