Subject: RISKS DIGEST 16.20
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Weds 6 July 1994  Volume 16 : Issue 20

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

  Contents:
EM RF RISK turns into life-saver (Ralph Moonen)
Mosaic risks (Faisal Nameer Jawdat)
Airbus (Robert Morrell Jr.)
ACM crypto policy panel chairman's statement (Steve Kent)
Re: Physical Location via Cell Phone (A. Harry Williams)
Phone records (Lauren Weinstein)
Video cameras in City Centres (Scott A. McIntyre)
Re: AI to screen bad from good cops in Chicago (Piers Thompson)
Re: Scary (Jim Horning)
Environmentally Aware Computing (JAN Lee)
"Repetitive Strain Injury" by Pascarelli (Reviewed by Rob Slade)
"Computer Ethics" by Forester/Morrison (Reviewed by Rob Slade)
"A Short Course on Computer Viruses" by Fred Cohen (Reviewed by Rob Slade)
Re: Rob Slade's review of "The Hacker Crackdown" (Richard Schroeppel)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Wed, 6 Jul 1994 09:52:04 +0200
From: ralph@inter.nl.net (Ralph Moonen)
Subject: EM RF RISK turns into life-saver

The oft discussed risk of EM RF radiation to devices like pacemakers can now sport a case of anti-risk.

A 42-year old man of The Hague (Netherlands) collapsed in front of a swimming pool when his pacemaker failed. A police officer in the vicinity radioed for help, and as soon as he did, the pacemaker started working again. The officer was able to keep the man alive until an ambulance arrived by using his transceiver.....

--Ralph

  [The remote jumpstart has all sorts of interesting possibilities. Next we will find a way to remotely beam an electrical charge into a car ignition when the battery is low, without jumper cables.
  PGN]

------------------------------

Date: Wed, 6 Jul 1994 09:29:14 -0400 (EDT)
From: Faisal Nameer Jawdat
Subject: Mosaic risks

Clarinet reports that Spyglass, Inc. has signed a licensing agreement with the NCSA for the right to work with, enhance, and redistribute versions of Mosaic as a commercial product.

The obvious risk comes in the confusion that could ensue with some people thinking that their commercial version is also freeware, and distributing it, or some people getting in trouble for distributing the free version because someone else thinks it's the commercial version. Also, there are risks due to the differing feature sets provided by each.

The more menacing risks (to my thinking, at least) come from the fact that Spyglass will be working on some security and authentication systems to allow credit card transactions over the net. I am highly dubious of the www's ability to safely protect credit card transactions (although I could think of ways this could be handled, I do not trust a browser system that was not originally designed with highly secure transmission in mind). Also, sources to various NCSA projects are not particularly difficult to find (I found Telnet on wuarchive, and I've seen Mosaic at CMU) - with access to Mosaic sources people could build fakes of the commercialized Mosaic to trap credit card numbers.

--faisal

------------------------------

Date: Tue, 5 Jul 1994 23:13:19 -0400 (EDT)
From: "Robert Morrell Jr."
Subject: Airbus

I recently had the opportunity to discuss at length the various RISKS Digest pieces on air safety and computer controls with a relative who is an experienced military and civilian industry pilot. He agreed with the thrust of the threads here, but added a specific and general comment about the A-320.

Specifically he noted that the greatest problem with the aircraft is that it is unique in lacking a unified "off switch" for the autopilots.
All other aircraft have one control that can be flipped or pressed that will turn off the computer pilot(s) and return control to the aircraft. Apparently doing this in the A-320 is no small matter.

Generally, though he and other pilots like the A-320, it is known for having a "mind of its own" literally. Most pilots, according to my relative, have stories of the plane suddenly "up and deciding to begin an approach, go around or enter a traffic pattern". It seems amusing usually, but then my relative had never had it happen low to the ground....

------------------------------

Date: Wed, 29 Jun 94 10:15:09 -0400
From: Steve Kent
Subject: ACM crypto policy panel chairman's statement [See RISKS-16.19]

  [The following statement could have been included along with the crypto policy panel message and the USACM message in RISKS-16.19, providing an explanation of the distinction between the two messages and their origins. Steve's statement was read as part of the press conference noted in RISKS-16.19, which Steve could not attend. I have chosen to reproduce it here. PGN]

Barbara Simons, chair of the USACM committee recruited me to organize this panel a little over a year ago, after the announcement of the escrowed encryption initiative. Barbara provided suggestions for candidate panel members, but allowed me complete freedom in inviting panel members. Barbara also pointed me towards Susan Landau as a candidate staff member to support the panel, and I am especially grateful for that recommendation as Susan has done a tremendous job in writing this report, from inputs provided by the panel members, from her own research, and through extensive editing sessions including all of the panel members.

The panel I assembled is intentionally a mix of individuals who represent differing perspectives on the complex issues surrounding crypto policy. These individuals work for a variety of organizations, including government agencies, academia, commercial and non-profit organizations.
These organizations graciously donated the participants' time so that they could participate in this activity. The panel members did not represent these organizations in the production of this report, but rather contributed as individuals.

The panel members worked together in a cooperative effort to produce a consensus report. Not all panel members agree with all of the statements contained in this report and the report contains no policy recommendations, because of the diverse panel membership. The report distinguishes between facts, opinions and speculation. It provides a very balanced discussion of many of the issues that surround the debate on crypto policy, and we hope that it will serve as a foundation for further public debate on this topic. I personally became better informed about some of these issues as a result of working on this report and I suspect many of the panel members also gained personally from their participation.

The statement of the USACM committee, which Barbara will read, and which is available in hardcopy form, should be viewed as independent of this report. The USACM committee reviewed this report, and suggested a variety of changes, some of which were acted upon while others were not. Both the panel and the USACM committee agree on the need for continued public debate on this topic. However, the specific recommendations of the USACM committee do not reflect the consensus views of the panel nor are they necessarily supported by the contents of this report. The press, policy makers, and the public should read the report and use it as a starting point in reaching their own conclusions about these issues.

------------------------------

Date: Sun, 03 Jul 94 20:46:10 EDT
From: "A. Harry Williams"
Subject: Re: Physical Location via Cell Phone (Atkins, RISKS-16.18)

>And as the cells get smaller, the location detail gets better. ...
While recently cruising the WWW, one of the people here discovered a location in England using active pagers to track their staff in the building. While some of it was best guess on our part, there was definitely some kind of meeting going on, since many of the staff were identified as being in a conference room (even which phone was closest to their location). From our observations, it looks like there is no "cell" for either the hallways, or the rest rooms. There was however, identification of those last spotted at the car park exit, and how long they had been out of the building.

/ahw

------------------------------

Date: Wed, 6 Jul 94 00:24 PDT
From: lauren@vortex.com (Lauren Weinstein)
Subject: Phone records

The question of phone records is an interesting one. On one hand, there's the release of records to law enforcement under court action. There are many cases where this is important to the solving of a crime and the merits need to be determined in each individual case.

What I found disturbing in the recent Simpson situation was the *television station* getting the records and airing them (complete with numbers exposed) so rapidly. I've been unable to determine if the release of these records to the station was somehow legal, or was completely under the table. The station had what appeared to be complete, detailed computer printouts in hand.

If you read your phone bill inserts carefully, you may have already received a notice allowing you to choose whether or not you want your called number information released to VENDORS of telecommunication services! Apparently a new FCC ruling requires this choice be made by subscribers--I believe it defaults to "no call info" if the subscriber doesn't respond and has no prior instructions on file. Of course, this begs the issue of how widespread the practice was of telcos and long distance companies handing out this info for commercial purposes in the past.
This is an appropriate area for discussion over in the PRIVACY Forum Digest. Send the line:

   information privacy

as the only text in the body of a message to:

   privacy-request@vortex.com

for details.

--Lauren--

------------------------------

Date: Wed, 6 Jul 1994 11:50:25 +0100 (BST)
From: "Scott A. McIntyre"
Subject: Video cameras in City Centres

In a report on the BBC last night (Tue July 5, 1994) the merits and RISKS of the recent installation of a city centre wide television monitoring system in Liverpool were discussed. After the abduction and murder of James Bulger a year or so ago, most of the residents of Liverpool were all in favour of having their movements monitored by the bank of high resolution cameras, covering all streets in the main centre of town.

A private company is in charge of the system, but the police (both local, and as the report suggested, national) have instant access to any of the camera views. There was some discussion as to the dangers of companies, organisations, and even the government obtaining access to these tapes to discover who shops where, buys what, etc; yet by and large people seemed willing to allow Big Brother to move in to combat crime and make the streets safer.

The RISKS are obvious. With enough crime, poverty, social decay, people may be willing to assign away all personal freedom in the perhaps futile attempt to recover the lost days of leaving your front door open and unlocked, and your car window rolled down whilst you shop.

Scott

------------------------------

Date: Wed, 6 Jul 94 11:21:49 BST
From: pjt1@scigen.co.uk (Piers Thompson)
Subject: Re: AI to screen bad from good cops in Chicago

What is the legal position on this? The article lists the factors used by the program to make decisions: it does not consider the weighting given to these factors. The software could quite possibly be ignoring one or more of the factors. In the worst case, the software might just be considering the race or sex of a police officer.
This would be blatant racism/sexism. When race and sex are combined with other factors to produce a criminality estimate does not their inclusion still amount to sexism/racism?

If the program's output were to have any influence on the promotion prospects of an individual and that individual could demonstrate that changing only their race or sex (as inputs to the program rather than genetically!) moved them into the non-potential-criminal group then would that not provide grounds for them to claim discrimination and take whatever legal action was appropriate?

Piers Thompson  pjt1@scigen.co.uk

  [Also a good topic for PRIVACY... PGN]

------------------------------

Date: Tue, 21 Jun 94 10:12:59 -0700
From: horning@src.dec.com
Subject: Re: Scary (Denning on Agre, RISKS-16.18)

I suspect that what Phil finds scary is that an unknown candidate (a la Perot) can appear to each voter to be promising exactly what that voter wants, and diametrically opposed voters could wind up voting for a candidate who actually didn't intend to satisfy either of them. With broadcast media, there is some chance that everybody will see what the candidate is promising other people.

It's not quite so scary when applied to a brand of perfume or motor oil, maybe because they don't have fixed terms of office.

Jim H.

------------------------------

Date: Wed, 6 Jul 1994 14:06:53 -0400 (EDT)
Subject: Environmentally Aware Computing
From: J. A. N. Lee

  [This would be a useful item for RISKS, so I am including JAN's request here. Please respond to him and CC: RISKS. PGN]

I am interested in having our students in our Computer Professionalism course do a homework writing assignment related to the development of environmentally favorable machines, systems, etc. While there have been some newspaper articles about the "clean-up" of Silicon Valley and the hazards of working in computer manufacturing environments, there seems to be little in the "technical" press.
I am therefore looking to collect a bibliography of articles which address these topics -- including not only hazards and clean up, but also references to "Green Machines". Along the same line there have been some references to VDT radiation and RSI but I do not know of a bibliography in this area. Your assistance is sought.

John A. N. (JAN) Lee, Dept. of Computer Science, Virginia Tech, Blacksburg VA 24061-0106
Ph: (703) 231-5780  FAX: (703) 231-6075  E-mail: janlee@cs.vt.edu

------------------------------

Date: Sat, 02 Jul 1994 12:43:58 -0600 (MDT)
From: "Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067"
Subject: "Repetitive Strain Injury" by Pascarelli

BKRSI.RVW   940401

Wiley
5353 Dundas Street West, 4th Floor
Etobicoke, ON   M9B 6H8
416-236-4433  fax: 416-236-4448
or
22 Worchester Road
Rexdale, Ontario   M9W 9Z9
800-263-1590  800-567-4797  fax: 800-565-6802
or
605 Third Avenue
New York, NY   10158-0012
USA
800-263-1590  800-CALL-WILEY  212-850-6630  Fax: 212-850-6799
jdemarra@wiley.com  aponnamm@jwiley.com

"Repetitive Strain Injury", Pascarelli, 1994, 0-471-59533-0, U$18.50

My first actual case of repetitive strain injury (or RSI), as a first aid attendant, was not in the logging camps, railway gangs or spacing crews, but with a young student athlete at an outdoor school. He had, literally, outdone himself the day before on a steep downhill hike. He was one of the best jocks in the school and had no problems with stairs and hill climbs--none of which had prepared him for the repeated extension of his foot which downhill walking required.

Work-related repetitive strain injury has been known for a long time now. Writer's cramp shows up in an Italian treatise almost three hundred years old. Research and treatment, however, have lagged. For one thing, RSI generally involves soft tissue damage which does not show up on x-rays (or, indeed, on anything much besides microscopic examination of the tissue).
For another, few jobs up until this century have required the kind of environment where actions had to be repeated so often without variation. Until very recently, the most common repetitive strain situations involved gross motor activities, where strains showed up early and responded well to exercise. With the advent of the computer keyboard and data entry as major factors in job situations, RSI has become a serious issue in the workforce.

This is a comprehensive, factual and practical guide to RSI. It is directed primarily to the computer user or repetitive strain injury sufferer, covering facts about RSI, symptoms and warning signs, diagnosis, choosing a physician, recovery, legal aspects, maintenance and prevention. A major emphasis is to put users/sufferers in charge of, and responsible for, their own health.

The book continually counsels patience. My student athlete, when asked if he could walk out with the rest of the group, visibly tried to calculate how much better he could be in the three days before they had to leave. I had to ask him if he could do it right then, since I knew it wasn't going to heal very fast, and he had to admit he couldn't. His case was actually extremely mild, after only a few hours, and would have faded within a week or so of reduced activity. Most RSI cases, however, traumatize the area for months or even years, and the healing process is correspondingly lengthy.

Although the book is written for users, I would strongly recommend that every manager get a copy. Averaged over all employees, RSI accounts for about $200 expense per year and per person. If you have four people working for you, using computers, it is almost certain that at least one will develop RSI at some point. RSI is almost entirely preventable, and is almost entirely caused by ignorance.
Most of you reading this are probably nodding your heads and muttering something about carpal tunnel syndrome--unaware that this over-diagnosed syndrome actually accounts for only one percent of RSI, according to one study cited in the book.

Highly recommended. A very minor investment in keeping free of an ailment which could severely affect your job--not to mention everything else you do with your hands and body.

copyright Robert M. Slade, 1994   BKRSI.RVW   940401

Vancouver Institute for Research into User Security  Canada V7K 2G6
Robert_Slade@sfu.ca  rslade@cue.bc.ca  p1@CyberStore.ca  p1@arkham.wimsey.bc.ca

------------------------------

Date: Wed, 22 Jun 1994 13:15:55 -0600 (MDT)
From: "Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067"
Subject: "Computer Ethics" by Forester/Morrison

BKCPTETH.RVW   940406

The MIT Press
55 Hayward Street
Cambridge, MA   02142
USA
Robert V. Prior, Editor - Computer Science  prior@mitvma.mit.edu
Maureen Curtin, Int'l Promo. - curtin@mit.edu

"Computer Ethics", Forester/Morrison, 1994, 0-262-56073-9, U$14.95

As a collection of stories on computer crime and problems, this is fascinating and wide ranging. As a text on the social, ethical and professional issues facing the information technology community, it is interesting and possibly provoking. As a textbook for a course on computer ethics it lacks analysis, ethical background and structure.

The sub-title, "Cautionary Tales and Ethical Dilemmas in Computing," is much more descriptive of the book. It is full of "tales"; a cross between "Spectacular Computer Crimes" and "Digital Woes". The ethical dilemmas are an add-on, but generally well written. As an adjunct in a course on computer ethics, or the social implications of technology, it would certainly hold students' attention. The authors seem to be slightly too aware of this.
The preface states that the authors found computing students to lack "awareness of social trends, global problems, or organizational issues," and that the book had been correspondingly directed to the closer details of what students would face on a daily basis. One can sympathize with the frustrations the authors must have felt, but this very example would seem to indicate that students must be given a broader view of society rather than a narrower one.

Chapter one gives a good introduction and overview, as well as a brief explanation of the major current ethical philosophies. It is, unfortunately, the last statement on ethics that is made. Until chapter nine, a set of scenarios for classroom discussion, the remainder of the book is the various tales, padded with a thin structure of observations from other writings.

Chapter two covers computer crime. It has a slight tendency to edge towards the border of the hacking/cracking/phone phreak topic, but the discriminating reader will note what law enforcement agencies generally find: most computer crime is an inside job. Chapter three deals with software theft and notes, perhaps a bit smugly, the litigious mess of the American software industry. (The authors hail from Australia and Singapore, respectively.) Chapter four explores "Hacking and Viruses" and, given the confusion of hacking with computer abuse, is more than slightly confused. Chapter five looks at issues of computer reliability or the lack thereof. Chapter six purports to deal with invasion of privacy, but spends much of its time with computer errors and, then, a significant space talking about workplace surveillance (which anticipates chapter eight). The examination of artificial intelligence, in chapter seven, seems mostly to have been a recap of the reliability issues from chapter five.

Instructors, even when simply using the book as a discussion starter, should be on top of the subject.
The MacMag/Brandow virus appears, not in chapter four, but in chapter three as an illustration of software piracy. This indicates that the authors have no understanding of viral spread. Indeed, the authors define a virus as a self-replicating program that causes damage--even though three out of the five specific examples do no "damage". A "trojan horse" is also defined as a program that allows access to an already penetrated system--with no mention of pretense, deceit or damage at all. (The authors also report the "Twelve Nasty (sic) Tricks" trojan as a virus, the "AIDS" extortion attempt as a virus and the "Desert Storm" virus as fact.)

This book is definitely a good adjunct text for a social, ethical or professional computing course. It will definitely provide interesting material. It does not, however, provide the necessary background for such a course without other materials.

copyright Robert M. Slade, 1994   BKCPTETH.RVW   940406

DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733

------------------------------

Date: Tue, 05 Jul 1994 13:22:51 -0600 (MDT)
From: "Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067"
Subject: "A Short Course on Computer Viruses" by Cohen

BKSHRTVR.RVW   940329

Wiley
5353 Dundas Street West, 4th Floor
Etobicoke, ON   M9B 6H8
416-236-4433  fax: 416-236-4448
or
22 Worchester Road
Rexdale, Ontario   M9W 9Z9
800-263-1590  800-567-4797  fax: 800-565-6802
or
605 Third Avenue
New York, NY   10158-0012
USA
800-263-1590  800-CALL-WILEY  212-850-6630  Fax: 212-850-6799
jdemarra@wiley.com  aponnamm@jwiley.com

"A Short Course on Computer Viruses", Cohen, 1994, 0-471-00768-4, $34.95
fc@jupiter.saic.com

This book is fun. I mean, it starts out with the statement, "I would like to start with a formal definition," followed by about a paragraph's worth of symbolic logic, followed by, "So, much for that!"
I assume that the surface joke is accessible to all: for those who know of the troubles Dr. Cohen has had over the years with those who insist on an informal translation of his work, it is doubly funny. From that beginning right through to Appendix A (a joke) the light tone is maintained throughout, and it makes for a thoroughly enjoyable read.

Besides being fun, though, the book is solid material. Possibly one could raise quibbles over certain terms or minor details, but almost nothing of substance. The only halfway controversial point in the book is Dr. Cohen's continued crusade on behalf of "benevolent" viral programs. While I agree that the concept is worth further study, Dr. Cohen has not yet applied the rigour of his earlier work to proofs that such programming can be guaranteed safe or that benevolent viral programs are the best way to accomplish the examples used.

The material in the book will be accessible to any intelligent reader, regardless of the level of computer knowledge. The most benefit, however, will be to those planning data security or antiviral policies and procedures. They will find here a thoughtful, provoking and insightful analysis.

copyright Robert M. Slade, 1994   BKSHRTVR.RVW   940329

Vancouver Institute for Research into User Security  Canada V7K 2G6
Robert_Slade@sfu.ca  rslade@cue.bc.ca  p1@CyberStore.ca  p1@arkham.wimsey.bc.ca

------------------------------

Date: Wed, 29 Jun 1994 15:03:11 MST
From: "Richard Schroeppel"
Subject: Rob Slade's review of "The Hacker Crackdown"

THC is available for downloading from Project Gutenberg for free. Courtesy of Bruce Sterling, who deliberately retained the electronic distribution rights.

Rich Schroeppel  rcs@cs.arizona.edu

------------------------------

Date: 31 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR>cd risks:<CR>
Issue j of volume 16 is in that directory: "get risks-16.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories. See risks-15.75 for WAIS info. To search back issues with WAIS, use risks-digest.src.
With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 16.20
************************