Subject: RISKS DIGEST 12.15
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 22 August 1991  Volume 12 : Issue 15

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Electronic mail beams shuttle's message home (Joe Abernathy, PGN)
The RISKS of a national computerized entertainment ticketing network (KJPhelan)
Personal data in California (Phil Agre)
Electronic Library Systems in Airliners (Robert Dorsett)
Microsoft, IBM demonstrating faults in each other's products (Jon Jacky)
"Citicorp Creates Controversy With Plan To Sell Data ..." (Jerry Leichter)
NY Times Letter on Fake Documents (Sanford Sherizen)
ATM videotapes (Jyrki Kuoppala)
Re: Bell V22 Osprey crash -- assembly error (Henry Spencer)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits).  Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.  The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".  <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.  Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Wed, 7 Aug 91 20:11:05 CDT
From: edtjda@magic322.chron.com (Joe Abernathy)
Subject: Electronic mail beams shuttle's message home

   [I have abridged the following article for RISKS relevance, although I presume its submission by an author could be considered tantamount to our being able to use the entirety with permission.  I unfortunately did not get to see it until 22 Aug, or this posting would have been more timely.  But, please see the message following this one.  Joe, MANY THANKS for sending it in.  PGN]

Electronic mail beams shuttle's message home
By JOE ABERNATHY and MARK CARREAU
05AUG91, Houston Chronicle, Page 1A, Copyright 1991, Houston Chronicle

Electronic mail networks, the message medium of the information age, made their debut in the space age Sunday aboard the shuttle Atlantis as part of an effort to develop a communications system for a future space station.

Details of the test were being closely guarded because of concerns over a possible hacker incident or "public free-for-all'' on the nation's computer networks, according to one engineer involved with the project.  Privacy and medical ethics also loom large as issues.

[...]

Electronic mail offers a new way for astronauts to stay in touch with their families, Mission Control, and potentially, the millions of people who use the nation's interlinked computer networks.  It could produce far-reaching change in the way scientists and others interact with the space program.

Currently, only the shuttle communicator is allowed to talk with the astronauts during a flight, except for a private medical conference each day.  E-mail could change that by letting any number of people exchange information, while scientists and engineers on the ground could assume direct control over their experiments in space.

[Bryon] Han and fellow Apple employees Michael Silver and James Beninghaus have donated their time to the project.
They are using low-cost, commercially available products, rather than the costly custom products often used in science.  [!!!]

The e-mail will play a role in controlling experiments, electronic flight information, and transfer of experiment results to the ground, Han said, as well as sending data up to the shuttle.

In the future, the system might be used to transmit and manipulate information from the many medical experiments NASA conducts.  But this raises a number of problems regarding privacy and medical ethics.

For example, one experiment in this flight seeks to correct a blood-flow problem associated with weightlessness that causes some astronauts to faint upon their return to Earth.  But this experiment is being monitored with the same Apple computer that is playing host to the e-mail system.  Even though the results aren't being transmitted over computer networks this time, they might be next time -- and computer networks are notoriously insecure.

Inquisitive computer enthusiasts -- hackers -- are in fact one of NASA's chief concerns in regard to the use of electronic mail.  The space agency initially sought to conduct the tests without publicity, but word quickly percolated around the nation's computer networks -- perhaps indicating that the concerns were justified.

A chorus of calls was heard requesting the e-mail address of the astronauts -- but that raised another problem more pressing than any threat from malicious hacking, that of capacity.

"We have things we need to accomplish with the limited amount of time we have, and we do have a very limited amount of data we can move between Mission Control and the orbiter,'' said Deborah Muratore, an engineer in the space station support office at Johnson Space Center and the experiment manager.

In addition to voice communication, the shuttles are equipped with Teletype and fax machines for the transmission and reception of printed material and even photographs.
"Conceivably, everything they move that way could be moved from computer to computer,'' Muratore said.  "From a space station standpoint it would be much preferable to transfer the information electronically without paper in the loop the way we do today on the shuttle.''

"Paper is going to be a limited resource, something that has to be thrown away or reused on the space station,'' she said.  "It becomes trash.  So the more we can eliminate on the space station the better off we are.''

The current experiment does not represent the first time that civilians have had a direct communications link with those in space.  Since January, the Soviet space station Mir has maintained a "mail drop'' for ham radio operators to use in leaving messages for the cosmonauts.

"It's very similar'' in function, said Gary Morris, a former member of the Johnson Space Center Amateur Radio Club who now lives in San Diego.  "The packet bulletin board system on Mir allows an amateur (ham radio operator) on the ground to leave mail messages.

"What they're doing with the Mac is different in that they're going through the whole (electronic mail) network.  It's much more complex.''

-- Joe Abernathy

   [By the way, a sidebar (see next message) is omitted here.  PGN]

------------------------------

Date: 22 Aug 91 09:00:20 PDT
From: "Peter G. Neumann"
Subject: Re: Electronic mail beams shuttle's message home

It is worth noting that Joe Abernathy's Houston Chronicle article (the previous message in this issue) included a sidebar (omitted above).  This sidebar actually included the EMail address for the shuttle (which I have consciously not included here -- we wouldn't want RISKS to be accused of subverting the Shuttle, even though the address had been widely circulated!).  In RISKS-12.13, Peter J. Scott cited an article by Joshua Quittner (*Junk Mail in Outer Space*) and noted that the test of EMail was threatened by "unauthorized" EMail.  "The leak behind the E-mail address remains a mystery."  Some mystery!
Things like that don't stay "secret" for very long.  This is another example of an ostrich-oriented protection policy (OOPP) -- stick your head in the sand and pretend no one will find out what you know.

Furthermore, the old "authorization" paradox has reared its ugly head again.  ... ``threatened by "unauthorized" EMail'', eh???  Sending EMail to someone REQUIRES NO AUTHORIZATION.  (You all recall that in the Internet Worm, the use and misuse of the sendmail debug option, finger and gets, .rhosts, and copying an encrypted password file REQUIRED NO AUTHORIZATION, irrespective of whether they were appropriate acts.)  If authorization is to be required, then some form of hard-to-forge identification and authentication must be imposed.  It's high time that was better understood.  On the other hand, if no authorization is required, no one should be surprised if a mechanism requiring no authorization is misused!!!

------------------------------

Date: Wed, 21 Aug 1991 3:08:50 EDT
From: KJPHELAN@SUNRISE.ACS.SYR.EDU
Subject: The RISKS of a national computerized entertainment ticketing network

The RISK I wish to address is perhaps much lighter than those we usually consider, but it is one I contend is actually a very serious risk posed by a national computerized network.  This summer the federal government cleared the way for the privately held Ticketmaster Corporation to acquire Ticketron, its rival.  This has led to the existence of one company's computer network having control over the seating of every major entertainment or sporting event in the country.

While many would consider this a very inconsequential risk, I contend that the risks are in fact severe.  There are more than 8,000 Ticketmaster locations across the country, each with access to every seat in almost every arena in the country.  They are everywhere from convenience shops to record stores, each with several people with access to its functions.
Unlike other national networks, there are few restrictions on employees' use of the network.  With most employees at terminal locations making not much over minimum wage, organized crime, among others, has realized that for a few hundred dollars they can buy choice seats that can be brokered for ten times their face value and up.  (For more information refer to recent articles in Forbes, The Wall Street Journal, and Rolling Stone Magazine.)

I see a risk here to the principle of fair play, that being first come first served.  I would like to know more about the systems that make up these networks.  The RISK is obvious: the next time you end up in the upper tier in Yankee Stadium, or find that seats to a Broadway show are only available from brokers for $200, it may be because of unauthorized access to a computer network.

------------------------------

Date: Tue, 20 Aug 91 18:46:07 pdt
From: pagre@weber.ucsd.edu (Phil Agre)
Subject: Personal data in California

Three brief notes on the privacy of personal data in California.

1.  Having just moved to San Diego, I called the phone and gas&electric companies to get service turned on at my new house.  When the clerks on the phone asked me my social security number, I very politely asked them why they wanted that information.  Whereupon they both became incredibly hostile, haranguing me and accusing me of disrupting their jobs and giving me pointedly useless answers to the effect of ``because it's on the form''.  After two or three times round this, it finally transpired that there are other established ways to proceed without my SSN, by paying a deposit (to avoid a gas-company credit check) or by showing a picture ID at a company storefront (the phone company wanted my SSN to *verify my name*).  But to find this out, I had to calmly repeat questions, cite laws (says the phone company person, without skipping a beat: ``but those laws are antiquated''), and suffer snide tones of voice for some time.
And I'm sure these companies happily tell reporters and members of Congress about their established procedures for people who do not want to supply their SSN's.

2.  Rodney Hoffman's useful summary of the LA Times article on the failure of measures intended to prevent abuse of personal information in DMV databases did not mention what I found the most amazing part of the article, the complete indifference of the DMV to the problem.  Those who've been following this issue are aware that the DMV has been fighting tooth and nail to avoid having to keep any personal data confidential.  (Whether this is because they don't want the attendant legal liability or because they are in cahoots with the people who profit from that data is not clear, at least to me.)  I would provide some of the quotes from interviews with DMV officials, but they are so extreme that they ought to be read in full context.

3.  It is useful to keep this DMV business in mind when considering the new edition of the state Department of Transportation (Caltrans) proposal (previously described on RISKS) to affix transponders to cars that broadcast VIN's when pinged by roadside transmitters.  I'll let others evaluate the technical details and just mention two points.  (1) The section specifying the cryptographic scheme to be used is empty.  (2) The text, as usual with technical specs, does not address the civil-liberties issues it raises, but it does make a big point of explaining that it's up to *other* parts of the government to decide what to do with the data.  ``Hey, we just send them up.  The legislature decides where they come down.''  In my own opinion, this device and all other personal tracking devices are wrong and cannot possibly be more beneficial than dangerous, especially given the frightening tendencies of the current Supreme Court majority.  Please write a letter to someone in the California state government right away.
Phil Agre, UCSD

------------------------------

Date: Tue, 6 Aug 91 20:18:43 CDT
From: rdd@cactus.org (Robert Dorsett)
Subject: Electronic Library Systems in Airliners

Airbus Industrie and Boeing have petitioned the FAA for permission to develop an automated "reference system" for use in airliner cockpits.  Thus far, automation in airliners has been of a purely functional basis: controlling or displaying systems information.  In some cases, a crew alerting system has been integrated to display what corrective measures to take by displaying an emergency checklist.

What the Electronic Library System will do is replace most of the normal cockpit paperwork with a computer-based reference system.  This would include aircraft operations manuals, maintenance information, checklists, cabin management tools, all systems logs, etc.  This would all be integrated into a hypertext database, with a graphics interface.  It could potentially be driven by existing Flight Management System components to provide a dynamic, "nice-to-know" information system.  In the case of an engine emergency, for instance, the system could produce relevant checklists *and* the secondary ability to step down into relevant Operations Manual pages, to review the relevant systems.

The 24 July 1991 FLIGHT INTERNATIONAL has a two-page article detailing aspects of this system.  Relevant portions:

- An ELS will be integrated into United Airlines 777's after first delivery in 1995.  United intends to retrofit its entire fleet with the system soon thereafter.  [ We may soon be able to spot United pilots by the heavy briefcases they *aren't* hauling everywhere. :-) ]

- Being developed by Honeywell, Bendix, Rockwell-Collins, Sextant Avionique, and Smiths Industries (front-runner Rockwell).

- A "total storage capacity" of "60,000 pages" of information.  [ This has to be assumed to include graphics information as well.
An airliner usually comes with about 50,000 paper pages of integrated text and graphics in the form of operations, training, and maintenance manuals.]

- No existing standard for the format, display, or control of the data.

- Will use Line-Replaceable Modules (hard avionics, including power module, processor, "magnetic mass-memory" and "magneto-optic" modules), connected to terminals via fiber-optic links.

- Will be developed using a modular approach, adding memory [processors?] as necessary.

- Will use "dispatch disks," created by the airline dispatch department, and carried by pilots and inserted into the system to update meteorological information, flight plans, etc.

- Collins is investigating a hardware interface that would plug into the aircraft at the gate, and download information that way.

- Data enumerated by the magazine is subdivided into operations, maintenance, and cabin applications.  Operations: Taxi diagrams, Ops manual, Minimum Equipment List, Preflight info, Company policies and procedures, flight manual, performance data, flight log, check-lists, systems diagrams, approach plates, and navigation charts.  Maintenance information includes a maintenance log, illustrated parts list, maintenance manuals, fault isolation and reporting data, trouble-shooting procedures, and equipment location.  Cabin data includes check-lists, special passenger needs, announcement scripts, cabin maintenance log, flight schedules, reservations, reaccommodation, and supply inventory.

Personal comments: The concept is quite exciting.  It can potentially give pilots access to an overwhelming quantity of information, only a fraction of which they currently have access to at the moment.  The main problems are that it will undoubtedly promote even more of a heads-down attitude, and that a great deal of tangible "paper" data will be locked up in a computer.
Combine this with the obvious complexities of data collection, formatting, and the software reliability issues of the user interface, and we have a potential situation of ELS failures or omissions leaving the flight crew high and dry.  I'd like to see--at the very minimum--an independent, "portable" backup for the operations component of the information.  I'm sure some vendor would be more than happy to sell a $50,000 laptop to the airlines. :-)

The FLIGHT illustration of the top-level user interface is of an overpoweringly primitive touch-screen format.  Touch-screens are totally unsuitable for this, IMHO.  They need to use trackballs.  No comment is made, but I'd bet they plan on using ABCDE keyboards, instead of QWERTY keyboards, too.  Avionics manufacturers appear to still be wallowing in the 1970's when it comes to designing user interfaces.

Robert Dorsett
Internet: rdd@cactus.org
UUCP: ...cs.utexas.edu!cactus.org!rdd

------------------------------

Date: Mon, 5 Aug 1991 22:14:53 PDT
From: JON@GAFFER.RAD.WASHINGTON.EDU (Jon Jacky)
Subject: Microsoft, IBM demonstrating faults in each other's products

This excerpt appeared in a long article about the rift between Microsoft and IBM in the business section of the NEW YORK TIMES, Sunday August 4, 1991, pages 1 and 6 (section 3).  The article is "One Day, Junior Got Too Big" by Andrew Pollack:

"... Mr. (William) Gates said he is angry about a demonstration by I.B.M. a few months ago in which it showed how easy it was to make (Microsoft's software product) Windows "crash" or stall.  Microsoft responded last month by showing securities analysts how easy it was to crash (I.B.M.'s software product) OS/2 as well. ..."

- Jon Jacky, University of Washington, Seattle

   [People who fliv in crass grouses shouldn't foe knowns.  The crashability of both is well known to most enlightened people.  Into the crash can you go.  Do YOU do Windows?  You might WIN DEC'S disapproval.  Or else, let the SUN shine in.
But don't put all your X in one window.  PGN]

------------------------------

Date: Thu, 22 Aug 91 10:08:42 EDT
From: Jerry Leichter
Subject: "Citicorp Creates Controversy With Plan To Sell Data on ... Purchases"

The Wall Street Journal (21 Aug 91, page B1) reports that Citicorp has proposed to give marketers access to files on its 21 million customers.  The marketers could use the records of purchases in creating targeted mailing lists.

Privacy advocates "are aghast that outsiders could have access to data as revealing as credit-card records."  Georgetown University professor Mary Culnan cited Citicorp's plans in testimony to Congress earlier this year, saying that "These transaction records reflect the most intimate details of our personal lives, yet they do not receive any legal protection."

Citicorp says it intends to disclose data only in broad categories - for example, it might release a list of cardholders who buy goods for children.  It does not intend to disclose store-by-store details.  American Express has offered a similar program for ten years, apparently without controversy.  Banks and industry officials say they know of no other such programs; however, the Direct Marketing Association says it suspects that similar programs exist.

In a curious turn, members of the DMA, and other sellers, are concerned about the privacy aspects of such programs - and about their impact on property rights.  Citicorp is, in effect, selling a marketer's customer lists to its competitors.  "`The most valuable asset you have is that list,' says John Roberts, president of After the Stork, a mail-order company....  He thinks it's unfair for a credit card company to exploit `data not generated by them but just recorded and captured by them.'  After the Stork rents lists of its 500,000 customers for about 10 cents a name."  (Apparently Roberts isn't willing to apply the same kind of standard to the information his customers provide to him.)
Citicorp's point of view is that someone who charges an order from After the Stork is as much Citicorp's customer as After the Stork's.

Privacy advocates are very concerned that customers at least understand how their information will be used and have the ability to opt out.  American Express explicitly tells its cardholders that it prepares mailing lists "for solicitations from American Express and/or other selected companies" - selected, presumably, by ability to pay.  It says surveys show that 85% of AMEX card holders know how to get off its mailing lists.  Citibank claims it also tells its customers how to get off mailing lists.  However, its sample notice doesn't mention that outsiders may have access to its lists, offering customers "the option of removing your name from the list we use to inform cardmembers of special Citibank offers...."

-- Jerry

------------------------------

Date: Tue, 20 Aug 91 15:38 GMT
From: Sanford Sherizen <0003965782@mcimail.com>
Subject: NY Times Letter on Fake Documents

I have posted several comments on desktop publishing fraud on RISKS.  The following is my letter to the editor that was published in the New York Times on Friday, Aug. 16, 1991.

BEWARE OF A BLIZZARD OF FAKE DOCUMENTS

To the Editor:

Your article on the use of computers in photo fakery (July 24) discusses only a relatively small aspect of a much larger computer-fraud problem.  Desktop forgery is joining computer crime and computer viruses as negative byproducts of the Information Age.  I have been giving my clients an early-warning alert to be prepared for an onslaught of computerized forgery of important documents that can easily pass as originals.

The problem is serious.  Documents previously difficult to forge are now being reproduced at professional printing levels by people using inexpensive computers, printers, scanning devices, and desktop publishing technology.  There are two major aspects to the problem.
The first is using computers to make duplicate copies of important documents.  Examples of documents that can be copied exactly include checks, identification papers, certificates of deposit, immigration papers, Social Security cards and other valuable documents that are at the heart of business and government.  To foil reproduction of U.S. currency on color copiers, the Bureau of Engraving and Printing has announced that it will begin to alter paper money starting this summer.

A related issue is the modification of documents, so that unauthorized changes can be made and distributed on what appears to be authentic official information.  Employees and others can obtain documents or create their own documents using computer-generated corporate letterhead and copies of signatures.  Official-looking documents can be produced containing false statements, illegal offers and libelous comments that can cause problems for companies or government.

The traditional legal and technical restrictions against this counterfeiting and forgery provide limited protections.  Some new techniques are being developed to protect documents from being copied, as well as to detect counterfeit documents.  However, there continue to be serious limitations on determining and legally proving which were the originals and which the illegally made copies.  Seeing is believing may soon become an anachronism from the pre-computer days.

Sanford Sherizen, President, Data Security Systems, Natick, Mass

------------------------------

Date: Tue, 20 Aug 1991 03:05:53 +0300
From: Jyrki Kuoppala
Subject: ATM videotapes

In RISKS 12.13, there's an article about a wrong picture from an ATM tape being published in New York Daily News, trying to catch a person who had committed a crime.  Rather than the mixup with the tape, what seems very shocking and RISKy to me is the reported fact that the police requested and got "all relevant records and materials with respect to ATM transactions on the night in question".
Anybody still remember what was the meaning of the year `1984' ?

------------------------------

Date: Thu, 22 Aug 91 01:26:20 EDT
From: henry@zoo.toronto.edu
Subject: Re: Bell V22 Osprey crash -- assembly error

From the Aug 5 issue of Aviation Week:

    The Navy has found an assembly error caused the fifth Bell-Boeing V-22 full-scale development aircraft to crash June 11 on its first flight...  Reversed polarity on a gyro-type device that provided inputs to the flight control system was blamed.  The assembly problem was difficult to detect, but it was verified as the cause in a flight simulator and isolated to the one aircraft...  V-22 aircraft should resume flying soon.

Tsk.  While this doesn't seem to have been a computer problem per se, it does make one wonder about a design that could be mis-assembled like that.  The military usually tries to avoid this; somebody goofed.

(To digress slightly... one of the most impressive cases of design-for-correct-assembly I've ever seen was the inside of the Canon CX print engine used in the HP LaserJet and other first-generation small laser printers.  We service our own LaserJets, and we've had to dig fairly deep at times.  It's complicated and messy and has a lot of connectors... no two of which are alike.  I don't mean just little keying pins that are easily forced or overlooked; no two of those connectors are the same *size* even.  And this is in a unit manufactured by the millions at rock-bottom prices.)

Henry Spencer at U of Toronto Zoology
henry@zoo.toronto.edu   utzoo!henry

   [Also commented on by Bob Rahe and Tim_Diebert.PARC@xerox.com.  PGN]

------------------------------

End of RISKS-FORUM Digest 12.15
************************