Subject: RISKS DIGEST 16.21
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 7 July 1994  Volume 16 : Issue 21

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

  Contents:
Risks of REDIAL (via Lance Hoffman and others)
Online services taking big hits (Alan Wexelblat)
Tax Software to Avoid: CA Simply Tax (Smith Craig)
IRS SSN risks may abate (Michael Gerlek)
Re: Fraud on the Internet (Jeff Barber)
Signatures in electronic commerce (Benjamin Wright via Mich Kabay)
Re: Scary (Peter J. Denning)
Just the Facts, Ma'am (AI to screen bad from good cops) (David Honig)
Re: Video cameras in City Centres (Robert Allen)
Digitized CC Signatures (Eric Richards)
Re: Shopping Risks... (Jane Anna LANGLEY)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Thu, 7 Jul 1994 09:53:59 -0400 (EDT)
From: "Lance J. Hoffman"
Subject: Risks of REDIAL

   [via various intermediaries...  PGN]

WIRES CROSS AS LOVERS DIAL M FOR MOTHER

LONDON, July 2 (Reuter) - A terrified British mother put police on red alert after mistaking the sound of lovemaking for a cry for help from her daughter.

*The Independent* newspaper said on [July 2] that two accidental phone calls woke the woman in Devizes, southern England, in the small hours of the morning.

Hearing moaning, groaning and shouting, she dismissed the first as an obscene call, but in the second she recognised her daughter crying: "Oh my God," and heard a man's voice.

Convinced her daughter was being attacked in her bedroom 100 miles (160 km) away, she dialed the emergency number 999 and a police squad sped to the daughter's home to investigate.

"Officers rushed round and found she wasn't being attacked -- in fact she was quite willing," a police spokesman said.
"They explained that during the moments of passion one of the couple accidentally pushed the last-number redial button on the bedside telephone with a toe. Unfortunately on both occasions it was the girl's mother's phone number," he said.

"This is a warning for other people -- if you're going to indulge in this sort of thing, move the phone."

The mother and daughter have apologized to police for the confusion.

   [Reach out and toe someone?  This gives new meaning to "having your buttons pushed".  And the mother was left to her own Devizes.  PGN]

------------------------------

Date: Wed, 29 Jun 94 12:15:22 -0400
From: "Alan (Miburi-san) Wexelblat"
Subject: Online services taking big hits

On Saturday night, during Game 6 of the Stanley Cup Finals on ESPN, a commercial for the Prodigy on-line computer service came on. They were talking about how great the hockey game was, but it didn't compare to the excitement available on Prodigy. They cut to the computer screen showing Prodigy, and all of the sudden a big window came up on the screen, saying "COMMUNICATION ERROR". Users of Prodigy say that when that happened, the system locked up for almost a minute, then their screen went completely blank. ESPN quickly cut away to another commercial.

The curse of the live demo!

On another ranch, AOL managed to get its main server building flooded, knocking out the whole network for hours and denying email service for hours more after that. No word yet on lost data...

[You'd think after the mess in Chicago a few years back they'd've learned something.]

--Alan Wexelblat, Reality Hacker, Author, and Cyberspace Bard, Media Lab Advanced Human Interface Group  wex@media.mit.edu  617-258-9168

------------------------------

Date: 1 Jul 1994 16:42:38 U
From: "Smith Craig"
Subject: Tax Software to Avoid: CA Simply Tax

This time of year, taxes are far from mind.
That is until I received a letter from the IRS stating that I had incorrectly figured the credit for child care expenses on my 1993 return. This is the first year my tax preparer, an enrolled agent (EA), used the 1040PC format: only the necessary lines are printed without descriptive text.

My EA checked and reports that the software, Simply Tax by Computer Associates (CA) of MD, carried the incorrect figure to line 4 of form 2441. To my surprise, he said there were a number of such bugs resulting in incorrect line transfers on other forms, but he corrected them manually. What's the point of software that's automatically wrong?

Interestingly, the software can print either the 1040PC version or a graphic facsimile of the IRS forms. When the graphic facsimile was printed, Simply Tax calculated a second _different_ set of incorrect numbers. I would have assumed the program implemented a single algorithm, with different output options. It now appears that the software implements independent (and different) calculations, depending on which output format is selected! This complicates the debugging task.

The RISK? Aside from reliance on software that is revised every year (never debugged?), the 1040PC version threatens to further obfuscate our tax system and create a new elite of tax preparers. Since I have my taxes prepared professionally, the IRS no longer sends the forms and instructions. How comfortable will I be signing next year's 1040PC, which I can not decipher, in the face of suspected bugs? The IRS is moving away from graphic facsimiles, so that may no longer be an option. In future, expect to file taxes by hand, 1040PC, or electronically. Graphic facsimiles will be allowed only if identical to the IRS form including the color of the ink (you'll need a full color printer).

My EA believes that the programmer was not a tax expert.
Unlike straight line programming, tax forms have backwards references (to wit, my incorrect transfer from line 25 to line 4 on the same form). He suggests tax software be tested by former IRS agents with experience preparing taxes for the public (there are many such qualified individuals).

The IRS, with uncharacteristic understanding, is requiring only the tax and interest, waiving the penalty for an "honest" error. Have they recognized a software bug? My EA insisted on paying the interest (a paltry 0.5% per month). Apparently there is a preparer's code covering this.

CA, on the other hand, is under no such obligation. In most industries, a defective product is exchanged, refunded or repaired by the seller. With the short use life of tax software, CA assumes no such liability. According to one theory, profits are maximized when the cost of quality assurance equals the cost of defective returns. When there is no cost to the seller for defects, quality will be minimized :-(

Craig A. Smith, Solid State Electronics Center, Honeywell Inc., 12001 State Hwy 55 Plymouth, MN 55441-4799  (612)954-2895  smithc@ccsvax.ssec.honeywell.com

   [By the way, the IRS endorses none of the tax preparation programs, and is not responsible for any errors they may cause.  PGN]

------------------------------

Date: Wed, 6 Jul 94 13:13 PDT
From: gerlek@cse.ogi.edu (Michael Gerlek)
Subject: IRS SSN risks may abate

From the Wall Street Journal, 6 Jul 94 (pg A1, col 5):

IRS officials are considering removing Social Security numbers from the mailing labels taxpayers stick on their returns. The reason: "Some concerns about privacy," an IRS spokesman says.

-[mpg]  gerlek@cse.ogi.edu

   [Good news!  I raised that topic along with some related problems raised by RISKS readers (such as the amount of the check peeking through the envelope window) at my IRS Commissioner's Advisory Group meeting in DC three weeks ago.  I'm delighted to see a speedy reaction!
   PGN]

------------------------------

Date: Wed, 6 Jul 1994 09:03:50 -0400 (EDT)
From: Jeff Barber
Subject: Re: Fraud on the Internet (Kabay, RISKS-16.19)

>[Comment from Michel E. Kabay:]
>[...] perhaps these frauds will eventually lead to requirements for
>effective identification and authentication of users.  Ultimately, it would be
>helpful to see non-repudiation as a feature of all electronic communications.
>For the time being, caveat lector.]

I find it distressing though not necessarily surprising that Dr. Kabay would "solve" this "problem" by requiring more stringent I&A. My own reaction was that the "unscrupulous" investors got exactly what they deserved. Do we really need to require users to show their identification papers before they can participate on the Internet?

Jeff Barber  jeffb@sware.com

------------------------------

Date: 05 Jul 94 23:26:34 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: Signatures in electronic commerce

[Ben Wright, an attorney teaching the online seminar on The Law of Electronic Commerce in the NCSAFORUM of CompuServe, has granted permission to post the following article on signatures. I recommend that it be posted in RISKS because it addresses assumptions about the need for non-repudiation of contracts--an area which has been fuzzy for many of us. I hope it will be as useful for others as it has been for me. --MK]

THE VERDICT ON PLAINTEXT SIGNATURES: THEY'RE LEGAL

Summary: Contrary to conventional wisdom, commercial law generally does not require that a signature be "secure" to be legally effective. That is good news for e-mail, and electronic commerce in general.

By Benjamin Wright

According to the digital cognoscenti, the only legally effective way to sign an e-mail message is to run it through a cryptographic algorithm (such as that for DES or RSA), compute a mathematically unique authentication code,<1> and append it to the message.
But if that's true, it will be many years before real (legal) electronic commerce comes to e-mail users because very few people authenticate their e-mail with cryptography.

But fortunately, that reading of the law is not true. Many business e-mail users already practice electronic commerce. What's more, the law should generally recognize and enforce it.

Forming Contracts

In commerce the central transaction is the contract. Classically speaking, a contract is born any time an offer (e-mail from Joe Nightclub owner: "Will you make me three custom discs for $1000 and deliver next week?") meets acceptance (e-mail from Artist: "Yes!"). Once a contract is formed, the law gives one party a remedy if the other backs out.

The orthodox view is that a simple, wholly plaintext e-mail contract cannot be enforced because it is not signed in a secure way and it will be impossible to prove in court. This excerpt from a popular magazine exemplifies the orthodoxy:

   [C]onsider an attempt to create an enforceable contract by exchanging an E-mail offer and acceptance. In the real world, exchanging letters of offer and acceptance does create an enforceable contract (assuming something of value is also eventually exchanged). Unfortunately, without authentication techniques (e.g., digital signatures), E-mail agreements are probably unenforceable in court. Under legal rules governing evidence and contracts, it's hard to prove the existence of a contract based on E-mail; fabricating an E-mail message is just too easy.<2>

With all professional respect to the author of this passage, I disagree. The orthodoxy is wrong.

Many types of contracts do have to be signed, says a law called the Statute of Frauds (which dates back to Seventeenth Century England),<3> but that law is admirably liberal in its use of the term _signed_. One signs a document when he adopts a symbol (any symbol) on the document as his signature.
A signature need not be in ink; it need not be an autograph; and it need not be the least bit secure against forgery. Remember the illiterate geezer in the western movies who couldn't write his name? He just marked an X on the document. The law recognizes that X as his signature.

A signature can be the ASCII characters "Joe Nightclub" appearing in plaintext in the From line of an e-mail message. "Joe Nightclub" need not even be the sender's real name. What is important is not the nature of the symbol Joe uses to identify himself, but rather the intent behind the symbol. If Joe intends the characters to be a token of his responsibility, then they are his signature. When Joe sends e-mail offering to buy discs, he intends the characters in the From line to show he is responsible for the message and the consequences that flow from it. If that's not his intent, what is it?

Along with Canada, Australia and many other countries, the United States inherits the common law tradition of ancient England -- a set of living, breathing principles that are more limber than you might think. The common law, being the law of the leading industrial civilization over the past several centuries, has ample experience negotiating waves of new technology -- handwriting, printing press, typewriter, telegraph, telephone, telex, fax -- and it is today suffering no particular problems digesting e-mail as a medium for transacting commerce.

Given how many thousands of courts and judges there are, it is possible that the odd one will disagree with my reading of the law. If this worries you (and those conducting more valuable transactions might be worried), you can minimize the risk by insisting that the e-mail sender include a statement that his name in the e-mail is his signature. This makes it very difficult for him later to claim in court that his name, written in plaintext, is not his signature.

Proving It

"But wait!" cry the advocates of cryptographic authentication.
You can't prove that e-mail came from Joe Nightclub. Anyone could have sent it. The Artist herself could have fabricated it.

True. You can write e-mail and make it appear to come from someone else. You can easily send e-mail from an address opened under a false name. But just as you can send fake e-mail, so you can send fake letters, telegrams, telexes, and faxes.

Nonetheless, regardless of the medium through which a business message is carried, the origin and genuineness of the message can usually be proven in court. Rarely are they proven from the signature that happens to be attached to the message (or document), despite what you may think from watching _Perry Mason_. Much more often, origin and genuineness are determined in court from all the facts and circumstances that surround the message -- the full relationship of the people involved.

We don't do business in vacuums. We do business based on relationships. When the Artist receives e-mail from Joe Nightclub, she wants to learn more before she parts with her precious discs. If she's never dealt with this customer before, she's going to check the guy out: call him on the phone, go meet him, ask for references, or ask for advance payment. Lest she be a fool, the Artist wants to collect evidence that this is a bona fide customer who is very likely to pay as promised. All the mundane facts and circumstances she collects can be, through testimony and otherwise, used in court to lend credence to Joe's e-mail.

Sure, there will be disputed evidence. And under no circumstances are the judge and jury guaranteed to believe that any given message is genuine. But that is just the way commercial law works. Proving things in law is much more sloppy than proving things in science.

Forgeries

A supposed virtue of paper over e-mail as a legal medium is that it is hard to make inconspicuous changes to paper, whereas plaintext ASCII can easily be changed.
Upon receipt of Joe's e-mail offering $1000, the Artist could change it to say the offer is for $2000. If she took this e-mail to court, there would be no way to tell from the face of the message whether it originally said $1000 or $2000.

Yet paper suffers the same infirmity. If the Artist receives a letter from Joe offering $1000, she could rip it up and write a replacement, offering $2000, on a sheet of cheap, fake letterhead. She could then scribble something that purports to be Joe's handwritten signature. Later, a court could not tell from the face of the document whether Joe did or did not send it. Although Joe would repudiate it, sternly declaring that neither the letterhead nor the signature is his, the Artist would swear that this is indeed the letter she received. If this is not Joe's normal letterhead and signature, she'd contend, then Joe must have sought to deceive her, and the court, by sending an offer using unusual letterhead and signature. Although the Artist would be lying, the court would not know it just from inspecting the letter.

Indeed, we can play the same authentication games with paper that we can with plaintext e-mail. When you receive a paper letter in the mail, bearing what looks to be an original autograph, you have no technical proof of its origin. Neither do you have technical proof of origin when you get a telegram or telex (unless you require it be authenticated with a cipher code, which is rarely done). So the reality is that routine business communications are, and have always been, risky. Still, business traders seem to have compensated for this risk.

Cryptography's Role

Don't misunderstand. I'm not denigrating cryptography as a means for ensuring the authenticity of messages or denying its rightful role in electronic commerce. Just as the engraved and magnetized paper used for currency is necessary for financial transactions in the world of paper, so cryptographic authentication is needed for electronic funds transfers.
But just as we don't securely engrave and magnetize the pulp on which we write business letters and contracts, so we don't need to cryptographically authenticate most of our business e-mail.

Sure, if you use e-mail for business you should keep complete records, and the more secure the records, the better. Consult your own lawyer. If you work for a large organization, records can be secured by placing them under the control of an independent department (e.g., internal audit).<4> But if you work solo, you can just establish a routine for making a log of business messages on your PC. Yes, someone could claim you falsified your log. But if you faithfully keep the log as a regular business practice, you can, if ever called to court, confidently vouch for the integrity of your records, and your story will more likely jibe with the ambient facts and circumstances.

It is ironic that some of the most ardent champions of e-mail are so quick to assume that plaintext e-mail is somehow deficient. If, as they suggest, it is necessary to use fancy cryptographic methods to make e-mail legal, then they ask much more of digital media than we do of its predecessors.

=========
NOTES:

<1> The proponents of cryptography often refer to unique authentication codes as "message authentication codes" or "digital signatures." These are streams of scrambled numbers that, when unscrambled using the necessary cryptographic keys, give mathematically supportable evidence as to who created a message and whether the message has changed. See Larry Oyama, "Using Encryption and Authentication for Securing Data," EDI Forum, Special Edition on EDI Legal and Audit Issues (1992) p. 111.

<2> Victor J. Cosentino, Virtual Legality, BYTE (March 1994) p. 278.

<3> For example, the statute of frauds, as rendered in Section 2-201 of the Uniform Commercial Code, says that a contract for the sale of goods worth $500 or more is generally not enforceable unless it is supported by a "writing" that is "signed."
<4> See, Benjamin Wright, The Law of Electronic Commerce (Boston: Little, Brown and Company) Section 6.4.

============

Benjamin Wright (bwrigh01@reach.com) is a Dallas-based attorney and author of _The Law of Electronic Commerce: EDI, Fax and E-mail_. He is the instructor for a series of "virtual" seminars on the law of electronic commerce, sponsored by the National Computer Security Association (75300.2557@compuserve.com or (800) 488-4595). These seminars will be delivered via online computer conference.

This article provides general information and is not legal advice for any specific situation. The formation of contracts is inherently risky, and this article does not advise which level of risk is appropriate for you. If you plan to conduct legal transactions, you should consult your own attorney.

Copyright (c) 1994 by Benjamin Wright. All Rights Reserved. This article may be reprinted or redistributed as a whole, but only with the above information.

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn

------------------------------

Date: Wed, 6 Jul 94 15:34:19 EDT
From: pjd@cne.gmu.edu (Peter J. Denning)
Subject: Re: Scary (Horning, RISKS-16.19)

Political prevarication is part of the scene, unfortunately, and part of the reason that politicians are finding themselves faced with term-limit referenda around the country. (I support those movements.)

At the same time, I am not "scared" by the prospect that Perot (or any other) might tell me "promises" that are tailored for me and antithetical to the "promises" that he makes to you. Why? The same technology that enables him to do that enables him to be revealed. Many of the people who get such tailored notes are going to compare notes on public bulletin boards. Prevarications, if they exist, will be instantly revealed and the candidate discredited. This will help prevent them from getting elected. Let them reveal their stripes early, I say.
Let the prevaricators be detected before election, not after.

Peter

------------------------------

Date: Wed, 06 Jul 1994 13:08:00 -0700
From: David Honig
Subject: Just the Facts, Ma'am (was Re: AI to screen bad from good cops)

In Volume 16 : Issue 20, pjt1@scigen.co.uk (Piers Thompson) worries about the legal implications of screening cops for attributes shared with bad cops, when attributes include race and gender.

In machine learning work I once came across, techniques that automatically build decision processes were applied to known data to estimate students' expected performance in college. These techniques find the most information-theoretically useful attributes and use these to sort new instances. It turned out that race was found to be a very useful attribute in making predictions in this domain, but for political reasons the decision process had to be doctored to exclude this.

I think similar things have been found in financial areas, e.g., predicting loan defaults.

(NB: Since present politics allows age and geographical discrimination, auto insurance companies can and do use these properties in their assessments.)

------------------------------

Date: 6 Jul 1994 20:24:40 GMT
From: Robert.Allen@eng.sun.com (Robert Allen)
Subject: Re: Video cameras in City Centres (RISKS-16.20)

An interesting report. Even more interesting to me because I first read about the efforts to instrument society w/ video cameras in a comic book about 5 years ago, and the comic had been written at least 10 years ago.

For those interested in seeking it out, the comic was a limited series (perhaps 10 issues) called V for Vendetta. It was written by an English author (I believe it was Alan Moore) who had a 1 page editorial in one of the issues wherein he decried the slide of English society into what he saw as fascism. In his preface he wrote that he hoped to get himself and his family out of England as soon as possible because of what he saw happening to society.
I believe he specifically mentioned TV cameras on street corners, and these were definitely central to the story. They also had audio pickup capability, and vandalizing them was a capital crime. The story dealt with how the English gov't became fascist after a 3rd world war. "V" is a lone hero (?) who bucks the system, assassinating various gov't figures, with an ending I won't spoil for you.

Life imitates art.

The complete series is available at any decent comic book store (check your yellow pages) or even a large book store, in bound, graphic novel format.

Robert Allen, rja@sun.com

------------------------------

Date: Wed, 6 Jul 94 13:29:03 PDT
From: Eric Richards
Subject: Digitized CC Signatures

While buying a bag of cat food at a local PetCo, I was asked to sign my credit card receipt upon the machine that printed the receipt out. After the receipt was torn from the machine, I noticed that I had written my signature on a rubber pad of some sort. I asked the young lady what exactly this was.

She then went into a cheerful explanation of this machine, showing me how it keeps a low resolution digitized "picture" of the customer's signature. She put it into test mode and had it print her signature back out. Her final comment raised my eyebrows: the full system will simply digitize the customer's signature and keep it as proof of purchase. No second copy at all -- the customer keeps what the customer signs. There are, however, a few bugs to fix first, she admitted.

I haven't seen discussion of this machine before and casual examination of the machine didn't reveal the name of the company that makes it. I'm not especially thrilled by the notion that someone can have a digitized version of my signature. Does anyone else have information about the machine and/or comments on risks of this CC machine's use?

------------------------------

Date: Fri, 1 Jul 1994 11:47:13 +1000
From: squirrel@mundil.cs.mu.OZ.AU (Jane Anna LANGLEY)
Subject: Re: Shopping Risks...
  (Banks, RISKS-16.18)

In Australia there is a code of practice for supermarkets that use scanners. Here if the item scans at a price higher than the price shown on the shelf you are entitled to receive that item free. If you are purchasing several of the same item and this happens, you get one free and the rest at the lower price. Of course supermarkets do not go out of their way to draw your attention to this, although some state it on a tiny sticker at each checkout.

A few months ago an elderly couple who had some difficulty with English were ahead of me in the checkout queue; when one of their items scanned at a higher price they complained, and the checkout operator did not know about the code of practice. I pointed out the store's stated policy to both the customers and the operator, who then referred it to the supervisor.

If you want to avoid being ripped off at the checkout, find out if there is such a code of practice in your area, and make sure your supermarket sticks to it. If they don't, make a complaint or go someplace else.

Jane

------------------------------

Date: 31 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR>cd risks:<CR>
Issue j of volume 16 is in that directory: "get risks-16.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories. See risks-15.75 for WAIS info. To search back issues with WAIS, use risks-digest.src. With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 16.21
************************