Subject: RISKS DIGEST 11.80
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 4 June 1991  Volume 11 : Issue 80

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Another Procrustes bed (Anastasios Vergis)
  Privacy and Network Monitoring [anonymous]
  Can printing public information be actionable? (Jerry Leichter)
  Re: the FBI and computer networks (Steven Philipson, Rob Nagler, John Gilmore)
  Re: vote by phone (Geoffrey H. Cooper, Paul Nulsen)
  Lottery bar codes no risk, spokesman says (D. King, Alayne McGregor)
  Re: Lossy compression (Jerry Leichter, Geoffrey H. Cooper, Phil Ngai)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM.

For vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 4 Jun 91 17:53:49 GMT
From: plains!umn-cs!LOCAL!vergis@uunet.UU.NET (Anastasios Vergis)
Subject: Another Procrustes bed

I had my first encounter with the Procrustes bed, when trying to give my forwarding address to Paragon Cable in Minneapolis, MN. No matter how much it was squeezed or stretched, their computer would not accept it. You see, it was not a U.S.
address. Being physically present there (I was returning the decoder box) I could observe exactly what was happening. The address was in Athens, Greece, zip code: 15235. When he pressed , it would automatically erase "Athens, Greece" and put there "Pittsburgh, PA". Most certainly, the zip code was "soft-wired" with the city & state info. It was disturbing that the program would not simply issue a warning.

I offered to pay the outstanding balance (about two weeks' service) on the spot, but they could not accept it as "a bill had to be mailed by the computer", and this would take 10 days or so. As I was moving in a week, most definitely the operator had a problem in his hands.

It is interesting how the operator resolved the problem: he simply backdated the disconnection date, to coincide with the last day of the last bill, so there was no need any more for a forwarding address. Can't complain, as I got two weeks' free service ... Surely a good deal for Paragon Cable as well (think of the cost to upgrade the software). I can't help wondering how often they encounter this problem.

The phone company, however, had no trouble accepting this overseas address.

-- Anastasios Vergis, University of Minnesota, CSci Dept.

------------------------------

Date: Mon, 3 Jun 1991 12:07:33 xxx
From: [anonymous]
Subject: Privacy and Network Monitoring

By some odd coincidence, the recent privacy thread in Risks comes along right on the heels of an ugly incident at the company I work for. We have a very large internal network along with a system of newsgroups on a wide variety of topics. One of these is called "grumps" which is designed essentially for the venting of curmudgeonly humor. It is generally considered to be the electronic equivalent of the occasional water-cooler gripe session. Although humorous in intent, sometimes issues important to the running of the company surface there.
I posted a satirical message last month, taking the company to task for some bit of silly official pomposity, and thought nothing more of it. Imagine my surprise when two weeks later, my manager's boss called me into his office, with a copy of that message on his desk. He informed me that I should think carefully about sending out this sort of thing and that it reflected poorly on me and could jeopardize my professional advancement.

Upon investigation, I discovered that our personnel department has very quietly taken on the job of surreptitiously monitoring traffic on certain internal "recreational" distribution lists. When something "offensive" is detected, it gets back, via the personnel system, to the offender's management. I had a long talk with our VP of personnel who explained that they weren't "spying", they were just trying to keep "offensive" mail off the net. Of course, *they* decide what is offensive or not.

There is a risk here, one which I don't recall having seen mentioned here before, and it is that personnel/management people operate under a very different set of values than the people in the technical community with whom I normally share such postings. For example, this VP pointed with pride to the fact that she doesn't have a computer in her office. The manager I talked to insisted that posting to a dl is a public act, whereas I view it as private in the same way as a conversation around the lunch table in a group of friends. These people have now set themselves up as social arbiters of a system which they themselves never use.

After thinking about this incident, I implemented an anonymous mail forwarding system, which would allow people to express their opinions openly without fear of retribution on unspecified charges. Not surprisingly, word of this got around too. This system proved to be intolerable to Personnel.
They could not stand the idea that anyone could say what they liked and couldn't be traced, despite the fact that the company itself operates a "Comment" system, which is designed to allow people to send anonymous comments to management. I was politely asked to stop my forwarding service. After thinking it over, I agreed, and I now regret that decision.

The net result has been greatly decreased traffic on the grumps dl, and a major loss of faith on my part in the goodwill of the management of our company toward the people who work here.

------------------------------

Date: Sun, 2 Jun 91 13:14:43 EDT
From: Jerry Leichter
Subject: Can printing public information be actionable?

In classic "life imitates art" tradition, a case has been filed that resembles my "Mr. M" hypothetical (of the person who, for "numerological" reasons, publishes things like PIN's, private phone numbers, and so on). The following is summarized from the Wall Street Journal (29 May 91, Page B6):

American Airlines (AMR) has sued Travel Confidential newsletter and its publisher, Paul Edwards, to stop it from publishing lists of discount codes. The codes, which travelers are supposed to mention when making reservations, entitle them to discounts of 5% to 40% on airfare, car rentals, and hotel rooms. They are intended for people attending conventions.

AMR charges Travel Confidential and Edwards with fraud and racketeering for publicizing its codes, and asks for a court order banning such publication, $750,000 in punitive damages, and unspecified losses. "Travel Confidential is published with the sole purpose of facilitating, aiding and inducing the commission of fraud on American and other airlines, hotels, and car rental agencies," AMR claims.

Mr. Edwards says he is doing nothing illegal by pulling together information that is publicly announced by convention sponsors. "Every word comes from publicly available sources. There is not one iota of confidential or private information in this newsletter."
He also denies that he is encouraging his readers to commit fraud. Edwards claims that airlines rarely even ask whether a traveler is attending the event that matches the code. "If they don't want people to abuse it, they should police it." (Where have we heard *that* before?)

AMR says they are considering doing just that, and also claims that they could go after individual travelers for committing fraud by using the discount fares.

-- Jerry

PS: The same issue of the Journal, on page B8, discusses new voice-activated computer systems for bond trading. The risks that arise from traders perhaps being able to activate each other's computers are discussed (but of course dismissed by those who want the system as not a problem).

------------------------------

Date: Fri, 31 May 91 12:48:21 -0700
From: stevenp@kodak.pa.dec.com (Steven Philipson)
Subject: Re: the FBI and computer networks (D'Uva, RISKS-11.76)

>For example, a policeman does not need
>"probable cause" to stop your car when you are driving in an unsafe manner.
>The law has been broken, and that is enough to warrant the law enforcement

The policeman's observance of you driving in an unsafe or illegal manner constitutes probable cause. You cannot be stopped without probable cause (with the constitutionally questionable exception of sobriety checkpoints). Search after a stop for a traffic offense requires additional justification.

It may not be a good idea for people to post about illegal activities, but it does happen regularly. At least one newsgroup contains frequent postings in which persons report violating Federal regulations (usually inadvertently). Such postings are of questionable legal value as authentication is difficult (did Jones make the posting, or did someone who used his account make it?).

Systematic monitoring issues aside, does a posting on the net constitute probable cause for real-world surveillance of the author? I don't have an answer for this. Is there case law that establishes precedent?
Arnie Urken writes [Re: Voting by phone]:

> voting by phone enables a citizen to verify that his/her vote is
> actually counted, [...]

Does it? How is the voter to know that his vote is not routed to the bit bucket, or that a later disk crash doesn't obliterate it? California's antiquated Hollerith-card method produces a physical record of a vote. Which is more reliable? Which gives the voter a higher level of confidence?

Steve Philipson

------------------------------

Date: Tue, 4 Jun 91 11:40:42 +0200
From: nagler@olsen.UUCP (Rob Nagler)
Subject: Re: the FBI and computer networks (D'Uva, RISKS-11.76)

The FBI are not just "law enforcement officials", they are public servants. The "public" are their employers. Suppose your house servant decides to look through your belongings, because they believe you might be doing something illegal. Do you have the right to tell them not to do it (even if you are doing something illegal)?

My analogy is certainly trivial. The point is that many people seem to forget that the FBI, DoD, &c are working for us and not the other way around. 200 years have passed since "unreasonable search" was added to the US Constitution. The government of our "global village" must take into account the intent of the Founding Fathers, not just their words. In 1792 a "grep of /usr/spool/news" was the house-to-house search of a city.

Rob nagler@olsen.ch

------------------------------

Date: Tue, 4 Jun 91 04:51:54 PDT
From: gnu@toad.com (John Gilmore)
Subject: Government should have less access than everyone else

In RISKS 11.74, Andrew D'Uva asks, "Why should the U.S. Government have less access than a student at an American university (or a foreign one)?"

I've been rethinking privacy of electronic communications, particularly radio communications, since Congress is thinking about amending ECPA sometime this session. (No bills yet, but...)
My conclusion is that the government should be prohibited from intercepting *ALL* civilian radio communications, except in certain bands like AM and FM, while third parties should have full freedom to listen in on any band, as they did before 1986 and ECPA.

Jerry Berman of ACLU tells me that the real concern in ECPA was to prevent the government from spying on people. My proposal addresses that concern even more fully than his ECPA -- which only protects a minority of the transmissions. More importantly, a ban on the government monitoring communications is enforceable -- e.g. by the exclusionary rule, as well as by existing laws giving citizens the right to sue the government for collecting dossiers on their exercise of First Amendment rights like free speech. Speech over a cellphone is still speech and is still free.

A ban on interception by third parties is clearly not enforceable without direct confiscation of radio receivers. Then what's next? Typewriters and copiers, as in USSR? Shortwave radios that receive Radio Baghdad, when they only want you to hear their side of a war?

Before ECPA, if you transmitted information over the air and wanted to prevent its being overheard, it was *your* responsibility. You could encrypt it, use low power, hide it in noise, whatever. ECPA created classes of users who are absolved of this responsibility, such as cellular phone providers; the government picks up the tab for "enforcing" your privacy. Only trouble is that they are incapable of providing real privacy by passing laws, so the user ends up with no privacy at all. Had the onus rested on the transmitting party, it would be clear that it was up to cellular manufacturers to provide the privacy that people assume about "phones", or to stop marketing cellular walkie-talkies as "phones". But lobbyists were cheaper than privacy technology, so we started putting our personal lives on the air.
Think about it --

------------------------------

Date: Fri, 31 May 91 13:26:55 PDT
From: geof@aurora.com (Geoffrey H. Cooper)
Subject: Re: vote by phone

In the vein of recent discussions about the "dumbing" of the work force, I note that the vote-by-phone proposal is good, but a little verbose and pedantic for my taste. I fear that the proposal is trying to out-stoopid the voters. (On the other hand, you have to be pretty good to listen to a list of ten choices and come up with the right number (ever try getting a pizza parlor to list how you can have it?). Maybe candidates will now try to be listed LAST on the ballot.)

My belief is that vote-by-phone can be as complicated as filling out a regular ballot (as mentioned, in CA this can be a challenge). Also, it doesn't have to be an enjoyable experience (any more than is standing in line at the polling booth).

My twist on what was mentioned:

1. Voter requests vote-by-phone by mail.
2. Confirmation letter contains ballot with PIN on it.
3. Voter calls to vote and uses the PIN given.

The voter is warned that the PIN is the voter's right to vote: you lose it, you lost it; you show it to someone, you may have lost it. Suitable warnings are given about possible scams to get PINs. Reasonable mechanisms exist to deal with ballots that are lost or stolen a reasonable time before the election.

The ballot contains all the contests, numbered, and all the choices in each contest, numbered. Any choice is selectable by dialing a 3 (4?) digit number (2 digits => contest, 1 digit => choice). The voter is advised to fill in the ballot to obtain the numbers of the people he/she is interested in voting for. Note that many voters do not vote in all the contests available (abstaining, or in some obscure local contests (or obtuse CA voter initiatives), a voter might not feel that he/she can make a non-random decision).

The computer you call up is generally re-active, not pro-active.
Thus:

- The user enters the code of the contest and his vote, selecting contests in his own order. This is faster, and makes it easy to not have a vote on something. It is also analogous to the way you vote by paper. As pointed out, the user can more effectively get the choices from the ballot than over the phone. If he doesn't have the ballot, what is he doing phoning the system?

- The entire ballot is constructed by making selections, but is not committed until the user specifically indicates that he is finished. Up until this time, the user may disconnect (accidentally or on purpose) and try again later.

Here is my vision of a phone call, which probably needs to be simplified:

beep-beep... beep-beep... beep-beep... beep-beep... ... beep-beep...(0000)

Maybe a special code runs through them all in order, so that you can check what you've done. Or maybe dialing 569 tells what was selected for contest 56.

[By the way, the supposedly anonymous messages might still be traceable based on the audit log that itemizes all e-mail to and from with a time stamp. So if your automatic reforwarder left the original time stamp, that was enough to nail the original sender!!! PGN]

------------------------------

Date: Tue, 4 Jun 91 00:23:11 GMT
From: pejn@cc.uow.edu.au (Paul Nulsen)
Subject: Re: Voting-by-phone (Campbell, RISKS-11.78)

Larry Campbell asks: Electronic voting? Who needs it?

Although electing people to represent us in parliament is the generally accepted model for democracy at present, it is not full democracy. In a full democracy every voter should be able to vote on every issue, and this would be possible with electronic voting. Such a system would clearly require checks and balances well beyond those needed for electronic voting alone. In practice parliaments and politicians would probably need to be retained to keep the political system operating day-to-day.
There would also need to be stringent systems of review, to prevent hot-headed decisions and to prevent interest groups from hijacking the vote on particular issues. This may not be Utopia, but anyone who complains about the voting of their representative should take heart that such a system may be achievable.

Paul Nulsen pejn@wampyr.cc.uow.edu.au

------------------------------

Date: Mon, 03 Jun 91 16:12:35 BST
From: king@ukulele.reasoning.com
Subject: Lottery bar codes no risk, spokesman says (Minow, RISKS-11.78)

>> A. Lottery spokesman David Ellis tells us that, once an instant
>> ticket is "read" by a bar-code reader, it is invalidated...

That doesn't prevent people with access to unsold tickets from stealing winners and selling only losers. Presumably losing tickets seldom if ever get read by the barcode reader even once, so an agent who sells one will not be trapped by the invalidation performed when he culls his supply of tickets.

However, since indeed reading a losing ticket should be rare, I would hope that the security system will be suspicious of the operator of any barcode reader that gets too big a dose of losing tickets.

-dk

------------------------------

Date: Tue, 4 Jun 91 13:52:42 EDT
From: alayne@geas.gandalf.ca (Alayne McGregor)
Subject: Bar-codes on lottery tickets

In RISKS-11.78, Martin Minow quoted a representative of the Massachusetts state lottery as saying that as soon as an instant ticket is read by a bar-code reader, it will be flagged so that it cannot be cashed again. What was not clear was a) whether the physical ticket itself was flagged, b) the number of the ticket was stored in the card reader, or c) the number was stored in a central computer?

In case a), what is to prevent an unscrupulous person from xeroxing the ticket (perhaps onto the correct weight of card stock, if necessary) and bar-code-reading the xerox? In case b), what is to prevent the person from going to another bar-code-reader for the next reading?
In case c), could not a bar-code-reader unconnected to the central computer read the stored information, which could then be decrypted? The system's security would then depend on the security of that encryption algorithm.

Alayne McGregor alayne@gandalf.ca

------------------------------

Date: Sat, 1 Jun 91 08:38:48 EDT
From: Jerry Leichter
Subject: Lossy compression: Knowing versus guessing

In Risks 11.77, David Reisner comments on the effects of using "lossy" compression techniques. His comments are quite interesting, but I think he, and many others commenting on this issue early, miss an important point: What is new here is not the FACT of losses, but what we KNOW about them.

Reisner's example of the new Phillips Digital Compact Cassette (DCC) compression scheme provides an excellent example of this. It is quite true that such a system throws away information. On the other hand, *so does every recording scheme ever invented*. All recording schemes are bandwidth limited. All will saturate at high amplitudes. All analogue systems add noise. It's easy to contrast DCC with CD's and say "aha, they've thrown away some information" - but in fact CD's ALSO throw away information: The Nyquist limit means that they absolutely cannot record any information above 22Khz, the 14-bit encoding places a limit on their amplitude resolution. In addition, CD's used for audio purposes use error correction schemes - what you hear may not be what was recorded, and will even vary from playback system to playback system.

Of course, all these "losses" - sounds above 22Khz, the error correction "patches", and so on - have been chosen to be "unnoticeable" to the human ear. This is no different from the DCC scheme; the DCC scheme is just more clever about it. It's also no different from many older schemes, from FM (limited to 15Khz) to Dolby encoding.

A traditional photograph or X-ray isn't "exact" in any sense either.
There is a finite grain size, a limited amplitude resolution (and a generally quite non-linear amplitude response), and so on. Grain size is chosen to be small enough to (mainly) be ignored by the human visual system. The details of response to different light levels and colors in film is chosen for its appropriateness in a particular use. Color snapshot film is built to "look pleasing", not to be "highly accurate" in any objective sense. X-ray film is built to produce high contrast of "medically interesting" things.

NTSC color television encoding uses less transmitted energy and bandwidth for chrominance than for luminance information because the human eye has much less sensitivity to loss of high spatial frequencies for chrominance. The color encoding used is inherently unable to represent some colors that the eye can perceive (certain dark browns). All of these choices were made based on studies of the human eye's abilities. In fact, JPEG just uses more sophisticated versions of the same tricks - and interestingly JPEG is NOT necessarily lossy: JPEG is a class of parameterized compression algorithms, with the parameters chosen by whoever does the compression, and it is possible to set the parameters to avoid any (deliberate) losses.

What's the point of all this? Just that there is actually nothing new in losses in representation: They've been with us from the first time we sketched on cave walls. Early losses came about as inherent, uncontrolled side-effects of poorly understood processes. As we've become more technologically sophisticated, we've been able to understand the origins of these losses and ultimately either eliminate them (hiss, rumble, wow and such are non-issues for CD's) or deliberately choose where they will occur. Today's recording technologies, losses and all, are orders of magnitude better than what was available in the past.
However, from a political/legal/social point of view, there is one significant difference: What no one could understand or control, no one could be blamed or penalized for. If an important distinction is lost in an X-ray because the film's grain size can't represent it, well, that's the way it is. But when the loss can be attributed to someone's particular, definite decision, all of a sudden blame can be attached: "If they hadn't chosen to save a few bucks on storage by compressing the image, my client would be healthy today." Once you can name the chemical added to the food, you can sue someone for adding it - and never mind all the thousands of chemicals already there that have never been analyzed.

Systems have to be built appropriately for their intended use. The more we understand and can control about a system, the more choices we can make - and the more choices we HAVE to make. When we were not in a position to make the choice, "nature" made it for us - but it WAS made.

-- Jerry

------------------------------

Date: Mon, 3 Jun 91 13:06:27 PDT
From: geof@aurora.com (Geoffrey H. Cooper)
Subject: More on Lossy Compression => Rendering errors

>From: synthesis!dar@UCSD.EDU (David Reisner)
>There are, in fact, lots of compression algorithms that ARE lossy. ...

This is a part of a much more pervasive problem: rendering errors. For example, a digitally encoded image is ALWAYS an approximation of the continuous input. There are mathematical constraints for getting the right results out of a digital display system without encountering aliasing effects, but these require filtering -- and this filtering is generally assumed to be done by the viewer's eyes. I'll talk about rendering of images, but the same applies to any area of digital signal processing.

The challenge of image processing is to play around as much as you can without exceeding a JND (just noticeable difference).
Sometimes we go a bit further (e.g., 300 dpi laser printers, most computer displays) and accept what I'll call a JID (just ignorable difference), and some people end up pulling their hair out because they can't ignore what we want them to.

Many RISKs enter, in that the JND is a physiological concept, not a physical concept. Hence:

- JND is an averaged measurement; some people notice more (like people who can hear TV sets -- ouch!).

- Sometimes the JND is not a constant parameter, so a subtle change in the application can wreak havoc. For example, visual flicker sensitivity depends on frequency, brightness, and the part of the retina that is receiving the signal. When Cinemascope was tried out some years ago (a very wide curved screen), it was found necessary to decrease the intensity of the bulbs used in projectors or viewers would complain of flicker in the corners of the screen when they looked at its center.

- Multiple JND's typically apply to a situation; you have to take them all into account. For example, the set of pictures of Mars from the Viking I lander included an impressive sunrise with rings around the sun. The New York Times printed this picture in a two page spread. Actually, the lines were spurious contours (optical illusion), deriving from a linear quantization of gray levels in the digital camera. How many million people thought that there really WERE lines around the sun on Mars? (Moral: rendering errors can ADD to, as well as subtract from, detail in a picture.)

- Sometimes the result is not processed by the unaided human eye. For example, if a doctor uses a magnifying glass (or a microscope!) to better see some fine detail on a rendered picture (especially with lossy compression, but even a photo will do), he may violate the limitations of resolution imposed by the imaging process. In this case, who knows what he might or might not see?
The solutions that I come up with:

- Over-engineer rendering so that the user is unlikely to exceed the limitations unknowingly imposed on him. This is what we do in photography. Obviously, this is what computer compression schemes are specifically trying to avoid...

- Educate the users to understand what they have. For example, a medical imaging system might have a warning notice on the screen that an enlargement of the image is not guaranteed to be accurate, or (better) may provide "safe" enlargement primitives that are guaranteed not to exceed the limitations of the compression scheme.

Any other ideas?

geof@aurora.com / aurora!geof@decwrl.dec.com / geof%aurora.com@decwrl.dec.com

------------------------------

Date: Tue, 4 Jun 1991 17:53:38 GMT
From: phil@brahms.amd.com (Phil Ngai)
Subject: Re: More on Lossy Compression

I consider image compression schemes which take advantage of the eye's limited color resolution to be about as dangerous as audio systems which cut off at 20 KHz. As long as the data is to be used by humans, there are physiological limitations that are universal and exploitable. Of course, there are people who still think vinyl records are better than CDs.

------------------------------

End of RISKS-FORUM Digest 11.80
************************
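Appended after the digest rather than inside any contributor's message: a worked model of the vote-by-phone call flow Geoffrey H. Cooper sketches above (PIN mailed with the paper ballot, contests entered in the caller's own order, nothing committed until the caller says so, a dropped call discarded). This is example code written for this page, not code from the RISKS digest or from any election system. Everything not stated in Cooper's post is an assumption here: contest codes are two digits and choice codes one digit; the choice digit 9 reads back the current selection for a contest (his "569 tells what was selected for contest 56"), so real choices use 1 through 8; "000" is the finish code; the PINs, contests and candidate names are constructed.

```python
"""Vote-by-phone session in the shape of Cooper's sketch (added example).

Assumed, not from the post: 3-digit entries (2-digit contest, 1-digit
choice); choice digit 9 queries a contest; "000" commits the ballot.
PINs, contests and candidates are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed ballot: contest code -> {choice digit: candidate or option}.
BALLOT = {
    "01": {"1": "Alice", "2": "Bob", "3": "Carol"},
    "02": {"1": "Yes", "2": "No"},
    "56": {"1": "Dave", "2": "Erin"},
}
# Constructed PINs mailed with the paper ballots. Each PIN votes once.
ISSUED_PINS = {"48213": "voter-A", "90771": "voter-B"}
FINISH_CODE = "000"   # assumed finish code (the post only shows "(0000)")
QUERY_DIGIT = "9"     # assumed read-back digit, per contest


class VoteError(Exception):
    pass


@dataclass
class TallyStore:
    """Holds committed ballots only; an uncommitted session never touches it."""
    used_pins: set = field(default_factory=set)
    tallies: dict = field(default_factory=dict)

    def commit(self, pin, selections):
        if pin in self.used_pins:
            raise VoteError("PIN already used")
        self.used_pins.add(pin)
        for contest, choice in selections.items():
            name = BALLOT[contest][choice]
            per_contest = self.tallies.setdefault(contest, {})
            per_contest[name] = per_contest.get(name, 0) + 1


class Session:
    """One phone call. The PIN is checked at dial-in but only marked used
    on commit, so a caller who is cut off can call back and start over."""

    def __init__(self, store, pin):
        if pin not in ISSUED_PINS:
            raise VoteError("unknown PIN")
        if pin in store.used_pins:
            raise VoteError("PIN already used")
        self.store = store
        self.pin = pin
        self.selections = {}   # contest -> choice digit, in the caller's order
        self.committed = False

    def key(self, digits):
        """Process one keypad entry and return the prompt the caller hears."""
        if self.committed:
            raise VoteError("ballot already committed")
        if digits == FINISH_CODE:
            self.store.commit(self.pin, self.selections)
            self.committed = True
            return "ballot committed"
        if len(digits) != 3 or not digits.isdigit():
            return "invalid entry"
        contest, choice = digits[:2], digits[2]
        if contest not in BALLOT:
            return "no such contest"
        if choice == QUERY_DIGIT:            # read back the current selection
            current = self.selections.get(contest)
            return "no selection" if current is None else BALLOT[contest][current]
        if choice not in BALLOT[contest]:
            return "no such choice"
        self.selections[contest] = choice    # re-entering a contest overwrites
        return "selected " + BALLOT[contest][choice]

    def hang_up(self):
        """Disconnect before finishing: nothing recorded, PIN still valid."""
        self.selections = {}


def pin_accepted(store, pin):
    """True if a new call with this PIN would be allowed to start."""
    try:
        Session(store, pin)
        return True
    except VoteError:
        return False


def demo():
    store = TallyStore()
    # Caller A votes in own order, changes a choice, skips contest 02.
    a = Session(store, "48213")
    a.key("561"); a.key("013"); a.key("011")
    assert a.key("569") == "Dave"
    a.key("000")
    # Caller B is cut off mid-ballot, then calls back and finishes.
    b = Session(store, "90771")
    b.key("012"); b.hang_up()
    b2 = Session(store, "90771")
    b2.key("022"); b2.key("000")
    return store
```

The separation between `Session` (uncommitted, per call) and `TallyStore` (committed) is what makes Cooper's "disconnect and try again later" safe: the PIN is consumed only when the finish code is entered, and a contest that is never keyed simply does not appear in the ballot, which is the abstention he describes.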
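Also appended after the digest, for the lottery bar-code thread above: a small validation and monitoring routine that implements Alayne McGregor's case c) (the ticket number is recorded in a central computer, so a photocopied ticket or a second reader cannot redeem it again) together with the control D. King suggests (be suspicious of any reader that validates too many losing tickets). This is example code written for this page, not the Massachusetts lottery's system or anything from the digest; the scan-log format, terminal ids, ticket ids and the two thresholds are constructed for the example.

```python
"""Central ticket validation plus per-terminal anomaly check (added example).

Models McGregor's case c) and King's suggested control from the digest.
Log format, ids and thresholds are constructed; nothing here is the real
lottery's data or code.
"""
from collections import defaultdict

# Constructed central scan log: terminal id, ticket id, outcome on record.
SCAN_LOG = """\
T001 TK100001 WIN
T001 TK100002 WIN
T001 TK100003 LOSE
T002 TK200001 WIN
T002 TK200002 WIN
T002 TK200003 WIN
T003 TK300001 LOSE
T003 TK300002 LOSE
T003 TK300003 LOSE
T003 TK300004 LOSE
T003 TK300005 WIN
T002 TK300001 LOSE
"""


def parse_scans(text):
    """Parse 'terminal ticket outcome' lines; malformed or blank lines are skipped."""
    scans = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            scans.append(tuple(parts))
    return scans


def validate(scans):
    """Case c): the first read of a ticket number redeems it centrally; every
    later read is rejected no matter which reader sends it (so moving to
    another reader, case b), or presenting a copy, case a), gains nothing)."""
    redeemed = set()
    accepted, rejected = [], []
    for terminal, ticket, outcome in scans:
        if ticket in redeemed:
            rejected.append((terminal, ticket, "already redeemed"))
            continue
        redeemed.add(ticket)
        accepted.append((terminal, ticket, outcome))
    return accepted, rejected


def losing_ratios(accepted):
    """terminal -> (share of validated scans that were losers, scan count)."""
    counts = defaultdict(lambda: [0, 0])   # [losing, total]
    for terminal, _ticket, outcome in accepted:
        counts[terminal][1] += 1
        if outcome == "LOSE":
            counts[terminal][0] += 1
    return {t: (lose / total, total) for t, (lose, total) in counts.items()}


def suspicious_terminals(accepted, max_lose_ratio=0.5, min_scans=4):
    """King's control: honest retail scanning sees mostly winners, so a reader
    feeding in mostly losers deserves a look. min_scans keeps one or two stray
    reads from flagging a terminal. Both thresholds are constructed values."""
    return sorted(t for t, (ratio, total) in losing_ratios(accepted).items()
                  if total >= min_scans and ratio > max_lose_ratio)


def run(log_text=SCAN_LOG):
    """Validate a scan log and report rejected duplicates and flagged terminals."""
    accepted, rejected = validate(parse_scans(log_text))
    return {"rejected": rejected, "suspicious": suspicious_terminals(accepted)}
```

In the constructed log, terminal T003 validates four losers out of five scans and is flagged, while T001's single losing ticket stays below the minimum sample size; the second read of TK300001 from a different terminal is rejected because the central record already shows it redeemed. The ratio check is a heuristic, not proof of wrongdoing: it points an auditor at a terminal, as King's post asks, and the thresholds would have to be tuned against real scan volumes.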