Subject: RISKS DIGEST 14.72
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 9 June 1993  Volume 14 : Issue 72

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Phone lottery in Phoenix (Kriss A. Hougland)
Grassroots vs. Astroturf Movements (Shyamal Jajodia)
RISK of undefined abbr., Re: Health effects of VDTs (Mark A. Hull-Richter)
Citibank ATM risk (Steve Kass)
Re: Fake ATM Machine Steals PINs (Debora Weber-Wulff)
What's in it for the grocer? (Dave Kristol)
Re: French Fry Robots! (Dean Kling, Jerry Hollombe)
Error in DSRNS workshop announcement (Paul Robinson, Bruce Limber)
Re: White House Electronic Mail (Nick Rothwell)
Cryptography, Free Speech, and so on (Jerry Leichter)
Re: Denning on NIST/NSA Revelations (Kevin S. McCurley)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@vortex.com).
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Wed, 9 Jun 93 11:08:33 MST
From: "Kriss A. Hougland"
Subject: Phone lottery in Phoenix

Since the Suns here in Phoenix are in the NBA playoffs, one of the ticket offices discovered that something was amiss. Since the only way to get any of the remaining tickets is by calling up either of the two ticket offices, this happened for one of the games...

On one of our local channels, they reported that employees from the company that installed the phone for the ticket office (I believe it was Dillard's) had been discovered to have "fixed" (I don't know the proper term they used) the phone lines so the callers (employees of the installing phone equipment) would be the first to get through to place orders for the tickets.

The news show went on to add that disciplinary action(s) had been taken by the company and the company would not comment on the situation. The "modification" to the phone system was detected by the ticket office.

(I thought rigging/modifying the odds of a dial-in only event was cardinal. (sorry for the pun) No No.)

------------------------------

Date: Wed, 09 Jun 93 17:31:27 EDT
From: Shyamal Jajodia
Subject: Grassroots vs. Astroturf Movements

This morning there was a report on National Public Radio on what it called Astroturf letter writing campaigns. Apparently some lobbying firms have started offering this service to clients likely to be affected by legislation about to come up for vote. For a fee they will generate a large number of letters which will put forward the client's case to several selected mailing lists. These letters also contain an exhortation to sign and mail the included PROTEST letters which are pre-addressed to the area congressional rep.
Such campaigns were found by several congressmen who are in favor of the Clinton Administration's proposed BTU tax. On the face of it it seems like the good old American democratic system. The risk identified by one of the Congressmen was that the high levels of noise generated by these computer aided campaigns are making it difficult for them to identify the genuine missive from Mrs Bramley in Peoria.

SHYAM

------------------------------

Date: Wed, 9 Jun 93 14:31:30 PDT
From: Mark A. Hull-Richter
Subject: RISK of undefined abbreviations, RE Health effects of VDTs - an update

Mr. Rogers' article is most certainly both welcome and informative on an otherwise overreported and underanalyzed area of potential health risk. Unfortunately, he uses an abbreviation in the article whose meaning is undefined, at best, and ambiguous at worst.

In reference to the strength of the magnetic fields measured at 30cm distance from a VDT, he lists the strength of the magnetic fields as "4-7 Mg," and elsewhere repeats the use of this abbreviation. By the normal standard abbreviation scheme that I am familiar with (and I believe most people are as well), the abbreviation "Mg" should be interpreted as "Megagauss", which is absurd in the context. The average strength of the Earth's magnetic radiation field at ground level ranges between 2-2.5 mg (that's milligauss), and even the dangers supposedly related to magnetic fields have been generally associated with fields in excess of 10mg, coupled with continuous exposure over long periods of time. (A good discussion of this subject can be found in the book "Cross-Currents," the name of whose author escapes me at the moment, and also his sequel on a similar subject, the title of which also escapes me at the moment.)

As a side note, I had our electric company send a representative out to my house a couple of years ago, specifically to measure the EMF radiation from various instruments and equipment in my house.
This was largely in response to a scare about power line proximity and the fact that my house overlooks a freeway, on the other side of which are power transmission lines totalling 506 kilovolts of electricity. It turned out that the EMF level outside the house at chest height was 1.5-2.5 mg, whereas the average EMF level _inside_ the house, mid-room at chest height, was around 5mg. Our waterbed heater generated over 10mg at bed surface level, and the most dangerous room in the house was the kitchen, with a reading of 6-9mg mid-room. Surprisingly, the highest radiation levels were from electric alarm clocks, ranging 140-300+mg at the face, down to somewhere between 40-50mg at a distance of 3 feet. The VDTs? My wife's EGA read 15mg at the screen, down to 1.5mg at 3 feet, and my monochrome was slightly higher (I forgot the exact reading).

Now, Mr. Rogers, what did _you_ mean by "Mg?"

Mark A. Hull-Richter, NCR Teradata, 100 N. Sepulveda Blvd., # 11-257
El Segundo, CA 90245 (310) 524-5782 mhr@ElSegundoCA.NCR.com

------------------------------

Date: Tue, 08 Jun 1993 23:44:13 -0400 (EDT)
From: No gas will be sold to anyone in a glass container
Subject: Citibank ATM risk

Yesterday, I walked up to a Citibank ATM (a relatively new one at 2nd Ave. and 4th St. in Manhattan) and the screen displayed the question "What language would you like to use for your transaction," a question I usually get only after inserting my card and entering my PIN. I was a bit puzzled, but think I have an answer. Two "features" of this particular ATM in combination may present quite a risk.

Feature 1: Citibank ATMs don't swallow cards. You insert, then immediately withdraw them to start a transaction. I appreciate this feature, having left my card in an ATM before.

Feature 2: After selecting your transaction, but before receiving cash or a balance or making a deposit, you must answer the question "After this transaction, can we help you with anything else?" This question is very oddly placed.
I don't want to think about my next transaction until this one is finished.

What may have happened: The previous customer (call her Maria), inserted and withdrew her card, entered her PIN, chose a language, selected a transaction, and was then perhaps confused by the question about an additional transaction (Feature 2), or just slipped on the touch screen. Between having to answer questions like "Is this correct?" and "Would you like a receipt?" it would be easy to keep hitting the Yes button.

When Maria finished her first transaction, she took her receipt, and having already retrieved her card, turned and walked out, not realizing she had pre-ordered another transaction. Presumably I could have effected a second transaction on her account, withdrawing some large sum of money.

I've never made two transactions in a row on a Citibank ATM, so I can't be sure that the language question is routinely presented again, but nothing else seems to make sense, especially since when I pressed the Cancel button right off, I got the message "Your transaction has been cancelled," then the usual "Insert your card, then withdraw it quickly" opening message.

Any Citibank programmers out there who care to comment? Even if I've misread the situation, this scenario is all too plausible. Feature 1 and Dubious Feature 2 (a programming hack, I'd almost have to guess) just don't work together.

Steve Kass (skass@drew.drew.edu), Department of Mathematics and Computer Science
Drew University, Madison, NJ 07940

------------------------------

Date: Sun, 6 Jun 1993 12:42:13 GMT
From: dww@math.fu-berlin.de (Debora Weber-Wulff)
Subject: Re: Fake ATM Machine Steals PINs

>Another method that might allow you to "authenticate" an ATM machine:
> Enter an incorrect PIN as your first attempt.
> Try a balance query if the ATM seems to accept the bad PIN.

Won't work in Germany. You don't get 3 tries per card insert, you get 3 tries on the *lifetime of the card*!
If you goof up 3 times, the card is marked invalid and has to be sent in to a special office for resetting. Takes about 2-3 weeks.

And balance queries are usually not done with ATM machines, but with extra boxes that give a list of transactions since the last query - this has shifted the costs and work of preparing statements to the user. You have to stand there and wait while the silly thing grinds out 3-4 pages, usually with a page of advertising (Grrrrrrrr....). This also saves postage for the banks.

Debora Weber-Wulff, Professorin fuer Softwaretechnik, Technische Fachhochschule Berlin, FB Informatik, Luxemburgerstr. 10, 1000 Berlin 65

[Thanks, Debora. One of the joys of RISKS is that our international contributors keep the U.S. folks on their toes. For example, John Oliver in Wollongong, Australia, chided me for my item in RISKS-14.71 about RISKS "Summer Slowdown Time". He said "Shame on you. This is WINTER! John Oliver" PGN]

------------------------------

Date: Tue, 8 Jun 93 22:02:23 EDT
From: dmk@allegra.att.com (Dave Kristol)
Subject: What's in it for the grocer?

Margins on sales in supermarkets are reputed to be very low. Credit card companies usually charge a couple of percent on transactions with their cards. So, credit card sales in supermarkets would wipe out the retailers' profits. Yet, payment by credit cards in supermarkets is expanding.

Obviously the credit card companies are offering the grocers lower than usual rates. What do they get in return? Are they accumulating buying profiles on people who use credit? If so, how do they use the information they gather? Can I expect a letter from Procter and Gamble: "We see you bought Crest in March and May of 1992, but you haven't bought it since. How come? (And here's a 50 cent coupon to encourage you to buy it again.)"

In a similar vein, supermarkets around here offer various forms of "price clubs", whereby you get an extra discount on selected items if you present your card at check-out.
Are THEY accumulating buying profiles? How are THEY using the information?

[Have I become excessively paranoid about invasions of privacy?]

Dave Kristol

------------------------------

Date: 8 Jun 1993 16:28:40 -0700
From: dkling@ornews.intel.com (Dean Kling)
Subject: Re: French Fry Robots! (McKay, RISKS-14.71)

>The risks? When the drink robot fails to work some soft drink gets spilt, but
>what happens if there's a problem with a machine that is working around hot
>oil?

Such technology is being used successfully in the semiconductor industry. Similar robots handle automated wet stations, wherein silicon wafers are dunked into a variety of etchants, including hydrofluoric and sulfuric acids. It takes a competent design and reasonable control limits, but is capable of being done successfully.

Dean F. Kling dkling@ptd.intel.com (503) 642-6829
No, I don't speak for Intel

------------------------------

Date: Tue, 8 Jun 93 17:39:43 PDT
From: hollombe@polymath.tti.com (The Polymath)
Subject: Re: French Fry Robots! (McKay, RISKS-14.71)

Most likely the robot's work cell is protected by light beam barriers, floor mat switches or both. Tripping either system should cause the robot to immediately stop moving until the system is reset. This sort of setup is required by ANSI/OSHA regulations for robot work cells.

}The risks? ...

Some hot oil gets splashed (the robot isn't pouring oil, just dipping things in it). Not a good thing, to be sure, but not likely a tragedy, either. I note the (required) manual cutoff button is located away from the hot oil tanks.

The Polymath (aka: Jerry Hollombe, M.A., CDP, Head Robot Wrangler at Citicorp
3100 Ocean Park Blvd., Santa Monica, CA 90405 (310) 450-9111, x2483

------------------------------

Date: Tue, 8 Jun 1993 22:44:57 -0400 (EDT)
From: Paul Robinson
Subject: And yet, a Risks report contains more errors! (Camp, RISKS-14.71)
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

John Camp writes in Risks 14.71:
Subject: Workshop on Digital Systems Reliability and Nuclear Safety
>
> >From Washington National Airport
> The Washington Metro has subway service to Rockville from National
> Airport. Take a Yellow Line train marked ~Gallery Place~ to Metro
> Center and transfer to a Red Line train marked ~Shady Grove~ to
> ~Twinbrook~.

This worries me when even minor details can't be gotten right.

In Washington DC, the Yellow Line train at National Airport goes in two directions. The one going toward Washington is labeled "U Street/Cardozo" and goes THROUGH Gallery Place! This isn't a new event; the extension to the Yellow line has been running for more than a year.

Also, one transfers from the Yellow to the Red Line AT GALLERY PLACE. The Yellow Line does not and never has run to Metro Center!

There is, however, a Blue Line that DOES go to Metro Center from National Airport, at which point one can also transfer to the Red Line. But THAT train - the Blue Line - would be labelled "New Carrollton" and doesn't go anywhere near Gallery Place!

This worries me that if small details like this are wrong, what other things could also be wrong? Maybe they'll run an ad for this symposium in the {Washington Star}! :)

(The :) is because The Star Folded many years ago.)

Paul Robinson - TDARCOS@MCIMAIL.COM

------------------------------

Date: Wed, 9 Jun 1993 12:35:01 -0400 (EDT)
From: Bruce Limber
Subject: Re: RISKS-14.71 error

The conference announcement in RISKS-14.71 contains incorrect directions for taking the Metro from National Airport to the Holiday Inn Crowne Plaza. I'm sending a correction to lammerin@cs.utwente.nl and, should you wish to publish it separately, the correct directions are these:

There is a free shuttle bus between the terminal and the National Airport Metro station. At the station, purchase a farecard to Twinbrook.
(Fare varies according to the day of week and the time you enter, and will be either $2.00 or $3.15 one way.) Take the yellow train marked "Mt. Vernon Sq." to the Gallery Place station; there, transfer to a train marked "Shady Grove" and ride to the Twinbrook station; the hotel is beside the station. (Be sure to take a "Shady Grove" train; trains at the same platform marked "Grosvenor" do not go all the way to Twinbrook.)

------------------------------

Date: Wed, 9 Jun 1993 07:33:18 +0000
From: Nick Rothwell
Subject: Re: White House Electronic Mail

>> ... The White House will be connected to the Internet as well as
>> several on-line commercial vendors, thus making us more
>> accessible and more in touch with people across this country.

Only a minor item of risk-interest, perhaps, but: which people and which country? I have an email address ending in ".uk", but the more generic ".com" is available to people outside the US for a small sum (I'll have access to one soon). I don't see anything to stop (for example) groups from outside the US lobbying this email service by pretending to be "the people" from "this country." The Internet is international.

Nothing to lose sleep over, I don't think, but I did sense a wee bit of parochialism in this announcement and thought I'd point out something that's probably obvious.

Nick Rothwell | cassiel@cassiel.demon.co.uk
CASSIEL Contemporary Music/Dance | cassiel@cix.compulink.co.uk

[By the way, jim@mpl.UCSD.EDU (Jim Easton) reported that mail to vice.president@whitehouse.gov was rejected. Let him know if you have a good address. And thanks to all of you who reported on Gedanken Experiments with the White House Internet connections. They are vastly too numerous (and some too off-color) to be included here. PGN]

------------------------------

Date: Fri, 4 Jun 93 17:32:38 EDT
From: Jerry Leichter
Subject: Cryptography, Free Speech, and so on

In RISKS-14.69, Peter Junger responds to comments I'd made earlier.
I'd like to look a bit at the broader issues.

The Constitution may protect speech, but espionage, a crime which may involve "nothing more" than speech, has been illegal since before the Constitution was written, and you wouldn't have much success challenging it on First Amendment grounds. There are two interesting things about cryptography:

- It's one of only two examples of cases where things can be treated as secret even if you invent them yourself. (The other is information about nuclear technology.)

If you were to become aware of classified information about existing cryptosystems, the espionage statutes would apply to you just as they would were you to come into possession of plans for a fighter plane. If you can be forbidden from discussing one, you can be forbidden from discussing the other. (Actually, "discussing" for espionage purposes doesn't even have to be with foreign nationals, but it does have to be with the intent of making the information available to foreign nationals, or something like that.)

So what we come down to is the claim that the fact that you invented something yourself automatically gives it First Amendment protection, even though had you gotten it by other means it might not be so protected. Well, maybe. It's an argument worth making, but personally I think more on social policy grounds than Constitutional ones - I see nothing in the Constitution that makes a distinction based on authorship, and in fact such distinctions can be very hazardous: If I have a right to say something, but my publisher does not have the right to publish it for me, my rights are being honored more in the breach than in reality.

- Cryptographic systems can easily be embodied as software.

As Mr. Junger points out, software is inherently both speech and object. One gets the feeling on the net that people wish to see it purely as speech because that gets them to final results they like, right now.
Along the way, they make various questionable assumptions, such as identifying the description of an algorithm with efficient (or just WORKABLE!) code for it. That was the point of my 500-man-year example. The code for such a monstrosity would clearly be a manufactured object, difficult to duplicate from scratch. A broad description of that object might help someone duplicate it to a very limited extent. A detailed design specification would help a lot more. But the code itself remains much more usable than any description.

Building a fighter jet is difficult for many reasons. Even with the proper equipment and materials, detailed drawings and specifications remain necessary. Code is like those detailed drawings and specifications. It just happens that for programs, once you have the code, you don't need to do much more (while for a fighter you've still got a great deal of work). Plans for fighters have always been considered very sensitive. I see no reason why code, or specifications for code, should not be.

Our ideas about free speech were developed at a time when "information" and "objects" were separate universes. Speech might affect PEOPLE, but it could not directly affect the physical world. It's exactly because of its effect on people that dictatorships wish to control it; and it's exactly because our system of government is based on the idea that people, in effect, have the right to be affected, that we so strongly protect speech rights.

These days, the borderline between "information" and "object" is getting fuzzy. A computer virus is "information", but it can pretty directly affect the real, physical world. Should it be given the same protection as speech that is aimed at people? People are moral actors, and are assumed to be responsible for the outcomes of their acting on speech they hear. A computer that "hears" a virus is NOT a moral actor; the responsibility for any damage it does lies entirely on the creator of the virus.
Actions certainly have consequences. We like to say that ideas have consequences, too, but those consequences are always filtered through other people, other moral actors. This is very different from the growing potential for certain ideas, expressed in software rather than words, to have DIRECT consequences. I believe it's foolish to claim that just because we use the word "information" to describe both traditional speech and this new class of thing that we should automatically apply the same standards to each.

I have no love for the existing cryptographic export regulations. However, I refuse to close my eyes to the problems they are trying to solve. Rather than tossing our hands up and saying "there's no perfect solution, so let's not try to find ANY solution," we should try to come up with better approaches. Perhaps in the long run we are destined to fail; even so, we have to survive in the short run.

-- Jerry

------------------------------

Date: Wed, 19 May 93 22:46:52 MDT
From: mccurley@cs.sandia.gov (Kevin S. McCurley)
Subject: Re: Denning on NIST/NSA Revelations

Let's review a RISKS discussion that's gotten out of hand:

David Sobel originally wrote in RISKS DIGEST 14.59:
>> The proposed DSS was widely criticized within the computer
>> industry for its perceived weak security and inferiority to an
>> existing authentication technology known as the RSA algorithm.
>> Many observers have speculated that the RSA technique was
>> disfavored by NSA because it was, in fact, more secure than the
>> NSA-proposed algorithm and because the RSA technique could also
>> be used to encrypt data very securely.

Dorothy Denning responded in RISKS 14.60:
> This is terribly misleading. NIST issued the DSS proposal along with a
> public call for comments as part of their normal practice with proposed
> standards. The community responded, and NIST promptly addressed the
> security concerns. Among other things, the DSS now accommodates longer
> keys (up to 1024 bits). As a result of the revisions, the DSS is now
> considered to be just as strong as RSA.

Marc Rotenberg commented in RISKS 14.62:
> Denning has to be kidding. The comments on the proposed DSS were uniformly
> critical. Both Marty Hellman and Ron Rivest questioned the desirability of
> the proposed standard.

Most recently, Eric Raymond wrote in RISKS 14.64:
> As a long-time RISKS reader and contributor, I observe that this is not
> the first time that Ms. Denning has apparently operated as a mouthpiece for
> the NSA's anti-privacy party line on DES and related issues.
>
>I believe Ms. Denning's remarks must be understood as part of a continuing
>propaganda campaign to marginalize and demonize advocates of electronic
>privacy rights.

I have no link to the FBI, NSA, or NIST, and I agree with this particular statement of Dorothy's, that DSS is regarded to be as strong as RSA. Mobs often believe the words that are shouted the loudest, and this may have warped the public perception of DSS. Some people will refuse to accept DSS because of where it came from, but let's be clear on this specific issue:

NOBODY HAS PRESENTED A CREDIBLE SCIENTIFIC ARGUMENT THAT DSS CAN BE BROKEN!

I spent a couple of years using some of the most powerful machines in the world to compute discrete logarithms, and I published a survey paper in 1990 on the discrete logarithm problem. I am quite sure that there is no publicly known technique that will compromise DSS with 1024 bit keys, and I think both Rivest and Hellman will agree on this point. There are technical issues of some dispute, but this issue is not among them. If anything, factoring is regarded as easier than computing discrete logarithms because of the linear algebra involved.

People are apparently getting so steamed over Clipper and the notion of key escrowing that their glasses are getting fogged. It's gotten so no matter what Dorothy says, she is demonized as a stooge of the Feds.
It appears that there are legitimate issues to be debated here, but let's try to clean up the discussion surrounding Clipper, Skipjack, Capstone, DSS, SHA, NSA, NIST, and RSA, to distinguish between the different scientific, business, and governmental policy issues. If you disagree with Dorothy's statements regarding key escrow policy, then say so explicitly. If you believe that DSS is cryptographically weak, then let's see somebody break it. I maintain that unless somebody pulls a new algorithmic trick out of their sleeve, we won't see a 1024-bit DSS signature forged until long after we are all pushing up daisies.

Kevin S. McCurley
Massively Parallel Computing Research Laboratory
Sandia National Laboratories

------------------------------

End of RISKS-FORUM Digest 14.72
************************