Subject: RISKS DIGEST 13.39
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 13 April 1992  Volume 13 : Issue 39

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Federal Reserve Bank snafu delays bank deposits (PGN)
  St. Petersburg issues credit cards to protect bank deposits (PGN)
  The Tyranny of Truncation (Mark Jackson)
  Re: U.S. Dept of Justice Rulings about Keystroke Capturing (Jim Griffith)
  Re: Risks of on-line documents dated April 1 (Robert Ebert)
  Re: Tapping phones, encrypting communication, and trust (Jerry Leichter)
  FBI Phone Taps (George Yanos)
  Fuzzy logic in cars (PGN)
  Compression and Encryption (Douglas W. Jones)
  Re: Telephone system foibles (James Zuchelli)
  Risks of Friends and Family (Fred Cohen)
  Re: The makers of the PBS series respond (Brian Tompsett)
  Re: Correcting Erroneous Database Listings (Steven S. Davis)
  Query: academic transcripts (William Nico)
  Microsoft Windows(tm) 3.1 write cache (Andrew Birner)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great.
**PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks.
REQUESTS please to RISKS-Request@CSL.SRI.COM.
Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 13 Apr 92 10:10:46 PDT
From: "Peter G. Neumann"
Subject: Federal Reserve Bank snafu delays bank deposits

A computer failure at a Federal Reserve Bank data center in Los Angeles shut down computers for 12 hours on Friday, 10 Apr 1992 (payday) during the processing of debits and credits for about 90 banks, credit unions and S&Ls in California and Arizona. The unprocessed tapes were flown to San Francisco, but the data for at least 15 institutions were still not going to be processed until Monday. Some bounced checks were expected as a result of the missing payroll deposits. [Source: an article by Kenneth Howe, San Francisco Chronicle, 11 Apr 1992, p.B1]

------------------------------

Date: Mon, 13 Apr 92 11:15:49 PDT
From: "Peter G. Neumann"
Subject: St. Petersburg issues credit cards to protect bank deposits

St. Petersburg, 13 April, TASS
By ITAR-TASS correspondent Lev Frolov:

St. Petersburg has begun issuing credit cards to business people and bankers in an attempt to protect bank deposits from thefts. Unlike their western analogues, new plastic cards use holographic coding instead of traditional magnetic strips, which ensures 100 per cent guarantee from illegal withdrawals. The SPACARD system of credit cards developed by local specialists is part of the computer network "LEK TELECOM," which will include banks, insurance companies, exchanges and brokerage offices in Russia and other commonwealth states.

  [ENSURES 100 PER CENT GUARANTEE, eh? And of course no one would ever misuse the computers... PGN]
------------------------------

Date: Mon, 13 Apr 1992 04:38:16 PDT
From: Mark_Jackson.wbst147@xerox.com
Subject: The Tyranny of Truncation

According to the Rochester, NY, /Democrat & Chronicle/ of April 11, the Community College of the Finger Lakes is changing its name to Finger Lakes Community College. Although the changeover is expected to cost $50,000, college officials say that greater expenses have arisen from confusion and omission of the two-year school from state and federal college registries. According to college president Charles Mader, CCFL often gets short-changed by computerized listings that identify it as "Community College of the Finger."

Mark

------------------------------

Date: Thu, 09 Apr 92 11:08:06 -0700
From: griffith@dweeb.fx.com
Subject: Re: U.S. Dept of Justice Rulings about Keystroke Capturing

Marc Horowitz (marc@MIT.EDU) questions the requirement of warning condo tenants about security TV cameras and the observation of someone committing an illegal act. It would probably be best if someone with more than a "Perry Mason" knowledge of law would answer this. But as I understand it, a person cannot have an audio- or videotape used against them unless the person either knew that the tape was being made at the time the crime was committed or the taping was done after a warrant was obtained based on probable cause. My guess is that prior knowledge followed by a deliberate illegal act or confession against interest constitutes consent. I don't fully understand this, because this doesn't seem to uniformly apply - there was a case recently where a man was a victim of gay-bashing on his front lawn, he captured it on videotape without the attacker knowing it, and the tape was used in court. I think the law says that without a warrant, one of the involved parties must have knowledge, with law enforcement agencies never being considered an "involved party".
Anyways, applying this to the issue at hand, a person electronically monitoring a login session in an automated manner would be treated the same way - without prior knowledge of the monitoring or a warrant, the evidence couldn't be used. If a user was on at the same time, issuing commands and determining from the result that something illegal was happening, then that user could act as a witness. But if a user sets up automated monitoring, then there are grounds for contesting it as illegal search and seizure.

Jim Griffith   griffith@dweeb.fx.com

------------------------------

Date: Wed, 8 Apr 1992 17:51:30 PDT
From: Robert_Ebert.OsBU_North@xerox.com
Subject: Re: Risks of on-line documents dated April 1 (Tarabar, RISKS-13.37)

dtarabar@hstbme.mit.edu (David Tarabar) writes:
>Not getting an April Fools joke might be more of a risk in on-line documents
>because often they are not read until some time after the first of April.

I actually did read the TidBITS article on the 1st... call me slow, call me gullible. By way of clarification, the two "inclusions" I sent from the #114 TidBITS were things purported to be the "truth"; the *rest* of the article was the joke. Strangely, when I knew it was a joke and went back to look at it, I would have rated the IBM distribution article as "most likely to be false." What's next? Blue suits in airports singing, dancing, and giving away OS/2 in exchange for a "small donation"?

The joke articles consisted of:

Microsoft & NeXT?: An article about MicroSoft products for NeXT machines, and the pros and cons of such an arrangement. NeXT gets credibility as a business machine, MS gets stuff from the NeXT environment. Digs against Windows technology, NeXT popularity, and even ACE productivity. (All of which are, IMHO, deserved.)

Future Finder: A long article about a new Finder replacement by Bruce Tognazzini.
Lots of whizzy features, a DiskBox icon for unmounted floppies, groups of files called "collections", a super folder which launches everything inside when you double-click it, improved balloon help, and additionally fixing everything that's wrong with the Finder today. I don't care if it's a joke, I want it. I'll even take it in little pieces, via extensions.

New Life for Old Macs: Okay, this is really the most obvious joke. Take your toaster Macs, swap out the motherboard, and put in an IIfx-like machine and maybe even a color LCD display with some weird back-back BUS extensions. Nifty and impossible stuff here, but I was skimming at this point.

--Bob (bebert.osbu_north@xerox.com)

------------------------------

Date: Fri, 10 Apr 92 23:52:43 EDT
From: Jerry Leichter
Subject: Tapping phones, encrypting communication, and trust

I'm disturbed by the tenor of the entire debate about phone tapping, privacy, and such. The general approach seems to be based on the idea that government is not to be trusted, ever, with anything. Nothing government says is to be believed.

Let's take the FBI "phone tapping" proposal. Everyone is absolutely sure that no technical changes are needed to tap any phone. The little the FBI has said contains no detailed information, so it's hard to tell exactly what they have in mind. But I submit that there is a clear instance today in which it would be difficult to insert an authorized tap. Suppose a company has a PBX, and the FBI has a court order to tap the line of the president of the company. Since the technicians running the PBX are employees of the company, the FBI can't work through them. Hence, they must go to the Telco side of the PBX. Unfortunately, calls coming out the PBX side need carry no identifying information about the calling extension - many PBX's are set up to return some fixed billing number for the whole company.
So: It's easy to tap ALL calls coming out of the company - but how do you fulfill a court order allowing you to tap only those of the president? Do you really want the outcome to be that, in this case, the FBI is allowed to monitor ALL calls from the company?

Then there's the matter of "people shouldn't pay to have their own phones tapped." The lack of rationality in this argument is astonishing. It's like the argument: "Don't bill the taxpayers for the S&L bailout - let the government pay for it." If the FBI were to pay for the taps, where do you think its money would come from? Would you rather have the funding hidden in an anonymous budget paid for out of general revenues, or out there for all to see? Object to the amount of money involved; object to this as a way around a "no new taxes" pledge; object to the very principle of the FBI EVER tapping phone conversations - but stop believing that government can give you something for nothing.

I submit that the right way to approach these issues is to first decide what authority we consider it desirable and proper to grant the FBI and other government agencies, then consider the effect of technological choices on their ability to exercise that authority.

Here's an example: The much-argued proposed requirement that carriers have the capability to provide the government with the cleartext of encrypted messages. Suppose we decide that the current approach to tapping is correct: Upon presentation of appropriate evidence, the FBI is authorized to tap a line from some point on. Note that they cannot require the telephone company to record calls on the theory that they might later get a warrant to listen to them. We can retain exactly this policy in a carrier-provided encryption system by requiring that the carrier, upon receipt of an appropriate court order, record and provide to the FBI all session keys created for the person being tapped.
Unless a person was being tapped, the carrier would be under no obligation to record the keys; in fact, it should probably be obligated NOT to do so, just to avoid a temptation to implicitly expand the tapping authority. It is quite true that people can use encryption devices outside of the carrier-provided system, thus rendering any aid the carrier can provide to the FBI useless. But there's nothing new here - that can be done today.

Any decisions about security and privacy must start with one fundamental decision: Whether we wish to provide privacy and security THROUGH LAW, or whether we wish an absolute security and privacy INDEPENDENT OF LAW. The working bias I see in virtually all submissions on these subjects is toward the latter approach. I would urge those who take this approach to examine their assumptions. Do they, for example, take the same approach to other kinds of protection provided by the government? Do they believe, for example, that we should banish police departments and arm ourselves for our own protection against criminals, since some police have been shown to be corrupt?

-- Jerry

------------------------------

Date: Sat, 11 Apr 92 08:50:55 CDT
From: George Yanos
Subject: FBI Phone Taps

"Disappointment" might be a better word, but in deference to the forum I'll ask: Which is the bigger risk, that nobody with the FBI is reading this, or that some of them are but that they refuse to join the discussion?

------------------------------

Date: Sat, 11 Apr 92 12:10:50 PDT
From: "Peter G. Neumann"
Subject: fuzzy logic

Fuzzy-Mitsubishi: Mitsubishi Motors to use fuzzy logic to make cars safer
(Tokyo, 9 April 1992, Kyodo)

Mitsubishi Motors Corp. said Thursday it has developed a new automobile safety feature that incorporates fuzzy logic chips to help reduce driver error and fatigue.
Company officials said the system, called the Intelligent and Innovative Vehicle Electronic Control System (INVECS), uses fuzzy logic to control automatic transmissions, four-wheel drive and four-wheel steering systems, traction control systems, and electronically controlled suspension systems. Fuzzy logic is a mathematical technique which, like human logic, deals with imprecise data that could lead to many solutions rather than one.

The new transmission system automatically downshifts gears to improve braking when the car is going downhill or when moving uphill shifts to a higher gear to eliminate sluggishness, the officials said. Currently, such shifting decisions must be made by the driver. Traction control systems will adjust engine power to handle flat, uphill, and downhill roads, while four-wheel drive controls vary the torque ratio between front and rear wheels to match driving conditions. The new four-wheel steering system moves the rear wheels in the opposite direction of the front wheels to enhance low-speed steering maneuvers. The new suspension system, which involves a sensor fitted to the front of the car body, improves riding comfort by adjusting the car to height differences in the road and lateral movement in the suspension system.

The officials said Mitsubishi plans to introduce the new safety system in a future car model.

------------------------------

Date: 12 Apr 92 21:32:43 GMT
From: jones@pyrite.cs.uiowa.edu (Douglas W. Jones)
Subject: Compression and Encryption

> Could use of "non-standard" or uncommon compression techniques to
> facilitate high-speed data transmission also be undesirable for the NSA/FBI?

In my CACM article "Application of Splay Trees to Data Compression," CACM 31, 8 (Aug. 1988) 996-1007, I pointed out that many compression algorithms have cryptographic applications. Adaptive model based compression algorithms start from an initial model state that converges as the data stream is presented.
The initial state of the model can be used as a key, and I proposed a trivial way to do this by throwing the key string at the model used in the compression and expansion programs prior to using those models to compress or expand data. Here's the cryptographic algorithm, spelled out in painful detail:

   Encrypt:                          Decrypt:
      Initialize-model                  Initialize-model
      for each ch in key loop           for each ch in key loop
         update-model(ch)                  update-model(ch)
      end loop                          end loop
      loop                              loop
         get(ch)                           uncompress-and-receive(ch)
         compress-and-send(ch)             update-model(ch)
         update-model(ch)                  put(ch)
      end loop when ch=eof              end loop when ch=eof

The above cryptographic algorithm works with my splay-tree-based codes, it works with Witten, Neal and Cleary's arithmetic codes, and it can even be fixed to work with such non-model-based adaptive compression schemes as LZW. Of course, some compression algorithms will make better encryption schemes than others, but I am aware of only a small amount of research on this.

It is worth noting that although most compression algorithms can be trivially modified to make them serve cryptographic purposes, I know of no attempt by the US government to limit the export of such code.

Doug Jones   jones@cs.uiowa.edu

------------------------------

Date: 12 Apr 92 11:52 GMT
From: TMUG@applelink.apple.com (Tri-Valley Macintosh Users Group,UG)
Subject: Telephone system foibles (RISKS-13.38)

I recently had two experiences with the telephone systems that leave me wondering if anyone knows what they are doing.

I tried to make a call from a pay phone outside a restaurant in Sunnyvale, CA, using my calling card. The call wouldn't go through. The operator (from an alternative phone service) said that their computer showed I was trying to make a call from a correctional institution. I guess to avoid toll fraud, prisoners aren't allowed to make calling card calls.

In my next phone bill (from an alternative phone service) there was a billing on my calling card for two calls made from Ada, Mich.
I've never been there and so had the charges deleted and changed my PIN number. However, after looking at the numbers listed, I found one was to a friend in San Jose. I now believe that the alternative phone service's computers somehow read some local calls as being made from Ada, Mich. What I'd like to know is how I can get all my calls misread so my phone bill will be cut in half?

However, even though this seems amusing, it makes one wonder just how inaccurate the alternative systems are. If they make these screwups, how many more do they make that are not detected?

James Zuchelli

------------------------------

Date: Sun, 12 Apr 92 18:42 EDT
From: fc
Subject: Risks of Friends and Family

AT+T finally caught on, but they really didn't make the point very well. The "friends and family" database being built by that other phone company will no doubt be sold so that when collecting a bill I will be able to dial in and find your relatives and friends - in case you skip town. When I market something to you successfully, I will be able to claim your name when marketing to your friends and family. You can think of a lot of other examples of how this database might be abused.

It is somehow deeply offensive to me to be solicited to give the names of my friends and family in order to save money. I almost feel as if I am selling them out - literally! Tell me what birth control you use, and I will give you 10 bucks. Tell me how you have sex with your wife and I will give you 20! But be careful - I may get you arrested for having illegal sex!

I have an idea - How about royalties on all data stored in databases. If you keep data on me, I want you to pay me a dime per 80 bytes of info. If you sell it to someone else, I want 20% of gross as royalties. If it is inaccurate, I want to sue for damages. This would of course be the best way to control databases. After all, why shouldn't I be able to sell you the right to keep info on me.
This would also clarify the relationship - I own all information about me, and you have to pay me to use it. If you don't keep accurate info, you are responsible for it - financially! To make certain it's right, you have to get my approval for its use. No waivers permitted, and no including this stuff in other agreements. Otherwise it will all be put into the standard contracts and people will hardly know it exists - but even that would be better than the current situation.

------------------------------

Date: Mon, 13 Apr 92 14:18:09 GMT
From: Brian Tompsett
Subject: Re: The makers of the PBS series respond (Tompsett, RISKS-13.37)

In RISKS-13.38 Dave Marvit (WGBH Associate Producer) writes that there is nothing Orwellian in the multi-versioning of TV programmes, and "The machine that changed the world/The dream machine" in particular. Contrariwise, I feel that there is some element of "Newspeak" involved in the programmes to (I quote) "reflect the interests and knowledge of the different audiences". When, for example, I see documented in programmes such as this "locals" such as Clive Sinclair and Joe Lyons Tea Shops I begin to wonder whether items about Bletchley Park Colossus, Manchester MADM, Cambridge EDSAC and other UK contributions to history are also there "to reflect the interests and knowledge of the different audiences". I can extend this analogy to imagine that the WGBH transmission reflects local Massachusetts "interest and knowledge" and is in some minor way different from the West coast and Central US transmissions for the same reasons. These programs can then be shown to local undergrads and every graduate will believe that "their" alma mater made *the* contribution to world development, because they saw it on TV. If this is not the Orwellian view of history then it's pretty damn close.

We are drifting away from computer risks here, so let me attempt to bring the discussion back on track.
If I applied my paranoid imagination to the Risks mailing list itself I can easily ask the same question. How do we know that the items we receive in the UK on Risks are the same that arrive in the US? We don't, and in fact they are not the same. There are local UK postings to Risks readers that do not go to the US list. I can imagine for you an implementation where Risks articles from the US are put through a "jive" filter before going to the UK readership and, vice-versa, all UK contributions to the US list go through a "biffa" filter. This would have the effect of making each country think the other one was filled with yokels with an expletive-filled vocabulary. Luckily for us, Risks is also published in paper form which helps to authenticate many of the contributions.

For those of you who are interested in these things, there is a US court case over the changing of TV programmes to "reflect the interests and knowledge of the different audiences". It involves the first US airing of "Monty Python's Flying Circus" by a US network. The networks made "minor" changes to some sketches (removing some expletives) for a US audience. The Python team sued and won, on the grounds that the changes substantially damaged their reputation. PBS, as the US readers now know, eventually broadcast Python in its unexpurgated form (BBC logos and all). Thanks should go to PBS for rendering this public service.

I hope readers don't think I'm trivialising the issue, or unnecessarily attacking reputable programme makers. On the contrary I think these issues are ones we should be aware of. We should "question" the media, and ensure that makers of exemplary documentary programmes such as "Nova/Horizon" do not cross that fine line between truth and ratings or history and Newspeak. When in the US I showed my support of WGBH at pledge time.

Brian Tompsett, Computer Science, University of Hull, UK.

------------------------------

Date: Mon Apr 13 13:04:55 1992
From: paa1338@dpsc.dla.mil (Steven S. Davis)
Subject: Re: Correcting Erroneous Database Listings (Davis, RISKS-13.36)

In Risks 13.37, Fred Gilham responded to a proposal (in Risks 13.36) that an authoritative central database would provide protection against the spread of inaccurate data through different databases.

>... I think promulgation of inaccurate information should be legally
>treated as a form of libel, ...
> -Fred Gilham   gilham@csl.sri.com

That libel laws should be revised to take into account libel by false inputs into databases is undeniably true. The problem with sole reliance on such laws to protect people against false information is threefold. It requires the wronged person to file suit each time the false data is promulgated, it does not set in place anything to stop further promulgations (clearly, it's better to prevent damages than to collect them), and it does not provide any protection to the operators of databases.

Though my proposal emphasized the protection of people from the information in databases, I do not think it is in the public interest to impede the dissemination of correct data, which I fear successful libel prosecutions would, if they resulted in punitive damages sufficient to be a deterrent. The central database, once a correction were placed in it, would reduce further spread of the false data while greatly simplifying any actions for promulgating false data that still became necessary. It would also clarify the responsibility of the owners of databases to check for false information while providing a way of doing so. The database operator who has diligently checked the data received (this would include checking the central database, but would not exclude other reasonable means of checking for errors) should not be subject to the punitive damages that a more careless operator would richly deserve.

Steven S. Davis (ssdavis@dpsc.dla.mil)

------------------------------

Date: Mon, 13 Apr 92 00:01:45 -0700
From: William Nico
Subject: Query: academic transcripts

I have just learned from (senior and middle level) administrators at our campus, Cal. State U., Hayward, that serious consideration is being given to electronic exchange of academic transcripts between universities (actually between all levels of colleges, from community colleges on up). Our campus is apparently examining vendor information on such products, and I am told that San Jose State is actually involved in a pilot project (? alpha test ?) on this.

I have been able to get virtually no technical information from the administrators involved, except that discussion of such a process has been going on for some time among university admissions officers nation-wide and that there is even a recent (or proposed) ANSI standard (in X12?) on the matter. I am also told, naturally, that there are real products out there under development to implement such interchange.

The system seems fraught with risks to me, especially since universities form a much more heterogeneous (even anarchistic) community than, say, the banking community. My fragmentary information also indicates that there have been made (or are being made) some possibly strange design decisions. For example, it is reported that the products -- or the standard -- only allow 3 digits for a "course number" field; since our campus has traditionally used 4-digit course numbers, this would require renumbering the whole campus in order to participate in such a system.

Perhaps my main question is what sort of authentication/integrity mechanisms are to be used in such a system. The proposed new DSS? Something DES-based? Something ad hoc? Will it require universities to purchase special hardware, or will it be software-based?
I think this issue may be of interest to a number of RISKS readers and that some of those readers may have good information to provide about what is being developed for transcript interchange. I, for one, would be very interested in hearing more on this topic.

-- Bill Nico
W.R. Nico, Mathematics and Computer Science, California State University, Hayward, Hayward, CA 94542-3092
e-mail: nico@csuhayward.edu

PS. --Moderator: This ran longer than I thought it would when I started. Feel free to edit it appropriately if you decide to use it to raise the issue. (Clearly, as moderator, you don't need my permission to edit, or delete, but it seemed like a nice thing to say.)

------------------------------

Date: Mon, 13 Apr 92 14:27:29 CDT
From: scsabir@tvgurus.hdtv.zenithe.com (Andrew Birner)
Subject: Microsoft Windows(tm) 3.1 write cache

Microsoft's new version of Windows includes an "enhanced" version of the SmartDrv disk cache utility. The primary enhancement is the addition of a write-behind write cache. The RISKy part of this is that the default for the program is to enable the write cache on all hard drives; this is what the Setup utility suggests as the "preferred" configuration!

Now, maybe I'm paranoid, but it seems to me that this is going to cause LOTS of problems for naive users. I'm especially worried because I don't believe that most casual users are going to bother reading through the documentation to find the little notice that says (on page 540):

    CAUTION  Check that SMARTDrive has completed all write-caching before you
    turn off your computer. To make sure this has happened, type SMARTDRV /C
    at the MS-DOS prompt. After all disk activity has stopped, you can safely
    turn off your computer.

Personally, I think Microsoft has an incredible amount of confidence in the stability of 3.1, and in the diligence of the casual users; the decision to make this the default mode of operation was, in my view, ill advised.

- Andrew E. Birner, Zenith Electronics Corporation -

------------------------------

End of RISKS-FORUM Digest 13.39
************************
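Editor's worked example for Doug Jones's "Compression and Encryption" item in this issue. Jones keys an adaptive compressor by priming its model with the key, and notes the trick "can even be fixed to work with" LZW. The following Python is an added illustration for this digest, not code from Jones's CACM article or from any contributor: for LZW the "model" is the string table, "update-model(ch) for each ch in key" becomes running the encoder over the key and discarding its output, and both sides then start the message from the same primed table. The function names (`_prime`, `encrypt`, `decrypt`, `rejects`) and the sample keys and plaintexts are constructed for the example.

```python
"""Keyed LZW: an adaptive compressor turned into a cipher by priming its
string table with a key, in the manner Doug Jones describes.  Added example
for this digest, not code from Jones's article; function names and sample
inputs are constructed for the illustration."""

from typing import Dict, List, Tuple


def _prime(key: bytes) -> Tuple[Dict[bytes, int], int]:
    """Initialize-model, then update-model(ch) for each ch in key.

    Runs the LZW encoder over the key and throws its output away.  The
    table that results is the shared 'initial model'; the pending prefix w
    is dropped so encoder and decoder begin the message in the same state."""
    table = {bytes([i]): i for i in range(256)}   # fixed single-byte entries
    next_code = 256
    w = b""
    for c in key:
        wc = w + bytes([c])
        if wc in table:
            w = wc
        else:
            table[wc] = next_code
            next_code += 1
            w = bytes([c])
    return table, next_code


def encrypt(key: bytes, plaintext: bytes) -> List[int]:
    """compress-and-send: ordinary LZW, except the table starts primed."""
    table, next_code = _prime(key)
    out: List[int] = []
    w = b""
    for c in plaintext:
        wc = w + bytes([c])
        if wc in table:
            w = wc
        else:
            out.append(table[w])
            table[wc] = next_code          # update-model
            next_code += 1
            w = bytes([c])
    if w:
        out.append(table[w])
    return out


def decrypt(key: bytes, codes: List[int]) -> bytes:
    """uncompress-and-receive: same primed table, inverted (code -> string)."""
    enc_table, next_code = _prime(key)
    table = {code: s for s, code in enc_table.items()}
    out: List[bytes] = []
    w = b""
    for k in codes:
        if k in table:
            entry = table[k]
        elif k == next_code and w:         # KwKwK case: entry not yet added
            entry = w + w[:1]
        else:
            # Corrupted stream, or a wrong key that happens to desynchronise.
            # A wrong key usually does NOT trip this; it yields junk instead.
            raise ValueError("code %d is not in the table" % k)
        out.append(entry)
        if w:                              # update-model, one step behind
            table[next_code] = w + entry[:1]
            next_code += 1
        w = entry
    return b"".join(out)


def rejects(key: bytes, codes: List[int]) -> bool:
    """True if decrypt refuses the stream outright."""
    try:
        decrypt(key, codes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = b"abcabcabc"                     # constructed sample plaintext
    for key in (b"abc", b"def"):           # constructed sample keys
        codes = encrypt(key, msg)
        print(key, codes, decrypt(key, codes))
    print("wrong key:", decrypt(b"def", encrypt(b"abc", msg)))
    # A plaintext sharing no substring with the key codes identically
    # under both keys: the keying only bites where key and text overlap.
    print(encrypt(b"abc", b"zzzz") == encrypt(b"def", b"zzzz"))
```

Running it shows both sides of the idea. `abcabcabc` codes as `[256, 99, 258, 258]` under key `abc` and as `[97, 98, 99, 258, 260, 259]` under key `def`, and decoding the first stream with the wrong key returns `decdecdec`, plausible-looking junk rather than an error. But `zzzz`, which shares no substring with either key, codes as `[122, 258, 122]` under both: the 256 single-byte entries are fixed and new entries are numbered sequentially, so the key only influences the output where the plaintext repeats material from the key. That is the check to run before treating any primed compressor as a cipher, and it is the sort of difference Jones alludes to when he says some compression algorithms make better encryption schemes than others.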