Subject: RISKS DIGEST 16.40
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 12 September 1994  Volume 16 : Issue 40

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

Contents:
Highest Quality Company Logos for Inclusion in Software (Dennis Lawrence)
German Parking Violators Accused of War Crimes (Scott Mincey)
Enola Gay: Another text substitution (from alt.folklore.urban) (Henry Troup)
More daring tales of address disasters! (Peter Ladkin)
Risks of duality in electronic media (Bob Mehlman)
Unique way to find bugs: be investigated for breaking the rules
  [McLaren Peugeot Formula One] (Bjorn Freeman-Benson)
Neural Redlining == Plausible Deniability ? (Fred Baube)
Reply to New indecency rules proposed for all online services (Julian Meadow)
CPSR Annual Meeting (Phil Agre)
Proceedings on Assurance and Trustworthiness (Marshall D. Abrams)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Wed, 7 Sep 1994 08:05 PST
From: Dennis Lawrence
Subject: Highest Quality Company Logos for Inclusion in Software

I received an ad from TigerDirect, Florida, offering a set of "650 High-Quality Logos" of major corporations. The ad suggests using "these logos in newspaper and yellow page ads, brochures and cross-promotions." It goes on to say "all images displayed are the registered trademarks or trademarks of their respective companies." Can be used by Macintoshes or Windows applications.

What a wonderful gift for con artists!

-- Dennis Lawrence

------------------------------

Date: Sat, 10 Sep 1994 22:47:31 -0400 (edt)
From: Scott_Mincey
Subject: German Parking Violators Accused of War Crimes

Bayreuth, Germany - Three violators of the municipal parking code became war criminals when an official entered the wrong code number.
According to the "Nordbayerischen Kurier" the three Bayreuth residents received summonses for "Conspiracy to prepare aggressive warfare," when they should have only received citations for parking violations. According to the paper, the official, who had just served ten hours on the night shift, filled out the forms relating to the minor offenses and incorrectly entered the code number of the violation.

(Deutsche Presse Agentur)

------------------------------

Date: Wed, 7 Sep 1994 11:55:00 -0400
From: "henry (h.w.) troup"
Subject: Enola Gay: Another text substitution (found in alt.folklore.urban)

(amusing, not very new)

The Dragon De Monsyne (dragondm@netcom.com) wrote:
...
:Well, I can vouch fer it REALLY happening. In today's (Sept. 5, 1994, Final
:Edition) Northwest Herald (a local paper in the far northwest Chicago Suburbs
:(McHenry County, fer those who know where that is), on pg 3, bottom, left hand
:corner, I found this gem.
:
: "Atomic bombers criticize Enola homosexual exhibit"

Nicely documented, for UL hunters.

Henry Troup - H.Troup@BNR.CA (Canada)

------------------------------

Date: Thu, 8 Sep 1994 18:32:55 +0200
From: Peter Ladkin
Subject: More daring tales of address disasters!

A colleague, Paul Gibson, arrived at INRIA Lorraine in France from Scotland at the beginning of July. He set up an account with a local branch of the Banque Populaire de Lorraine in Haussonville, a district of Villers in the Nancy conurbation. The address on his account is that of our host, who lives in a tiny village 75km from here. The bank put a false postal code on his address, consequently his mail from the bank arrives either very late or, in the case of important items such as his bankcard PIN code and checkbook, not at all (I wonder if the important mail has a `Do Not Forward' instruction on the envelope?). However, whenever he notifies the branch and they check, the correct postal code appears with his account information.
The bank employees claim not to understand how the two addresses can be different and seem to be at a loss to rectify the situation, even though he's been physically to see them about it three times in the last two months.

There's an easy fix. Close the account and open another one. But there should be an easier fix - ensure the right address. Either way, the bank lacks effective procedures for troubleshooting. He still has no checkbook and no functioning cash card.

Peter Ladkin

------------------------------

Date: Sat, 10 Sep 1994 14:29:50 PDT
From: rmehlman%grumpy.decnet@UCLASP.IGPP.UCLA.EDU
Subject: Risks of duality in electronic media

A new teleconferencing system installed at JPL still has some bugs. Participants are told to dial into the telecon themselves. Two numbers are provided: an area 818 local number, and an 800 number for distant callers. I dialed the local number for a NASA/Galileo project telecon which turned out to be seriously depleted; half the expected participants, including the convener, were missing. Attempts to reach the convener by phone failed; the line was always busy. We went ahead and had our discussion anyway, only to learn later that a dual telecon, among the people who had dialed the 800 number, had taken place simultaneously.

This reminds me of a curiously similar situation on Telemail about ten years ago. A user complained of often missing important mail. Months later, investigation showed him to have two accounts, differing only by the appended organization. His default login went to one of these, but the group mail distribution list went to the other. About a hundred messages were there waiting for him. "The Black Hole of Telemail", we always called it.
Bob Mehlman, UCLA/IGPP

------------------------------

Date: Fri, 9 Sep 94 13:04:45 EDT
From: bnfb@ursaminor.scs.carleton.ca (Bjorn Freeman-Benson)
Subject: Unique way to find bugs: be investigated for breaking the rules

Here's an interesting positive-risk (rather than negative-risk)...

The McLaren Peugeot Formula One racing team was investigated for breaking the rule against computerized driver aids. During the investigation, the governing body (FIA) contracted with LDRA Ltd to decode McLaren's software and determine if the rules were broken. According to the press release:

PRESS RELEASE FROM THE FEDERATION INTERNATIONALE DE L'AUTOMOBILE (FIA)

...lots of stuff...and then the interesting paragraph...

The World Council noted that during the course of the investigation, LDRA Ltd discovered a bug (fault) in the McLaren software which was producing a power loss in the engine (due to a faulty signal from the gearbox control unit to the engine control unit). McLaren will now be able to correct this problem.

Paris 7 September 1994

Bjorn N. Freeman-Benson

------------------------------

Date: Sun, 11 Sep 94 18:15:52 EET
From: flb@flb.optiplan.fi (F.Baube[tm])
Subject: Neural Redlining == Plausible Deniability ?

My understanding of neural nets is hazy, so someone please correct me if I'm way off-base.

Neural nets are being used more and more in commercial applications, for example in evaluating mortgage applications. It occurs to me that since the internal state of a neural net, and its decision-making "process", is essentially opaque, a lender could depend on a neural net to implement redlining in a manner such that, if the bank were in fact to be accused of redlining, the bank could reply, "We don't redline, we rely on objective computer programs to evaluate applications."

The training set for the net could itself contain redlining, and the net would learn it. Then the training set is discarded, and there is no proof of intent to evade the law.
Any application receives a final yes/no from a live human being, but how easy is it for the lending officer to let a neural net do his or her "dirty work" ?

* Fred Baube(tm) GU/MSFS/88 baube@optiplan.fi

------------------------------

Date: Wed, 07 Sep 1994 17:17:42 +0000 (GMT)
From: Julian Meadow
Subject: Reply to New indecency rules proposed for all online services

Don't you just love it when you read about something that might happen, and then it happens!

After reading Daniel J. Weitzner's comments about the proposed new indecency rules, I read the following article on the front page of this week's New Zealand COMPUTERWORLD (dated Sept 5, 1994):

INTERNET SEX GOES OFF-LINE, by Rob Hosking

The prospect of being the target of an indecency test case has caused Internet service provider ICONZ (Internet Company of New Zealand) to pull its pornographic news groups and bulletin boards off line.

"We've pumped hundreds of thousands of dollars into ICONZ and I'm not going to see that go in a test case," says systems administrator Jon Clarke.

The company pre-empted the impending litigation after hearing "through the grapevine" that an Auckland religious group was planning a lawsuit following an item on television news about the Internet.

Approximately 20 news groups were taken off the wire, out of about 440, and only two users had complained since their removal, says Clarke. "To put it into some sort of perspective, it's effectively stopped us transmitting 100Kb out of 150Mb a day," he says.

The action would have been under the Films, Videos and Publications Classifications Act, passed earlier this year. There is some doubt as to whether the Internet is covered by the act, and the issue has yet to be decided in court.

Clarke says the material being carried is tamer than that available over the counter in most dairies.

This article raises several interesting questions:

1. Do we really want local network providers to become our censors?

2.
How does the network provider filter 150Mb of data a day, especially when he doesn't know what the law states is and isn't allowed?

3. If a network provider, whilst censoring the day's 150Mb of information, reads that a "religious group" was planning a lawsuit against him because they didn't agree with one of his services, what should he do?

The internet provider doesn't lose either way, since as Jon Clarke points out himself, his users just have to go further afield, and I'm sure he'll be happy to charge for this.

------------------------------

Date: Tue, 6 Sep 1994 19:02:42 -0700
From: Phil Agre
Subject: CPSR Annual Meeting

The 1994 CPSR Annual Meeting will be held on the weekend of October 8th and 9th at UC San Diego. One focus of the meeting this year is teaching people how to actually do something about computer-related Risks to privacy and the like. We'll have a workshop on privacy activism by Christine Harbs from the Privacy Rights Clearinghouse and Dave Redell from CPSR's Civil Liberties Working Group. We'll also have a workshop on legal issues for BBS operators from Mike Godwin of EFF, and a panel discussion on the issues that arise when protecting privacy and intellectual freedom in various professions. Everyone is welcome to attend.

The Annual Meeting Web pages are now ready to go. Just aim your Web client at http://www.cpsr.org/dox/am/program.html and look around. Or, if you prefer, you can get the program and registration information from an autoresponder by sending a message to cpsr-annmtg@cpsr.org.

Phil Agre, UCSD

------------------------------

Date: Wed, 7 Sep 1994 10:47:43 -0500
From: abrams@mwunix.mitre.org (Marshall D. Abrams)
Subject: Proceedings on Assurance and Trustworthiness

Announcing the availability of the Proceedings of an Invitational Workshop on Information Technology (IT) Assurance and Trustworthiness held March 21-23, 1994 at George Washington Inn, Williamsburg, Virginia.
The proceedings are available by FTP as an ASCII document from csrc.nist.gov. The path is /pub/nistir/assure.txt

Hardcopy was published by the National Institute of Standards and Technology numbered NISTIR 5472.

ABSTRACT

The purpose of the 1994 Invitational Workshop on Information Technology (IT) Assurance and Trustworthiness was to identify crucial issues on assurance in IT systems and to provide input into the development of policy guidance on determining the type and level of assurance appropriate in a given environment. The readers of these proceedings include those who handle sensitive information involving national security, privacy, commercial value, integrity, and availability. Existing IT security policy guidance is based on computer and communications architectures of the early 1980s. Technological changes since that time mandate a review and revision of policy guidance on assurance and trustworthiness, especially since the changes encompass such technologies as distributed systems, local area networks, the worldwide Internet, policy-enforcing applications, and public key cryptography.

1995 WORKSHOP

A call for participation for the 1995 workshop will be available in October. You may request a copy by sending e-mail to witat-info@cs.umd.edu.

Marshall D. Abrams, Info Systems Security Division, The MITRE Corporation,
7525 Colshire Drive, McLean, VA 22102-3481   703.883.6938   abrams@mitre.org

------------------------------

Date: 31 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S.
users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. All other reuses of RISKS material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using RISKS material should obtain permission from the contributors.

ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR>cd risks:<CR>
Issue j of volume 16 is in that directory: "get risks-16.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories. See risks-15.75 for WAIS info. To search back issues with WAIS, use risks-digest.src. With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html.
FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 16.40
************************
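Editor's added example for Fred Baube's neural redlining item above; it is not part of the digest. His point is that once the training set is discarded the learned bias leaves no trace. The code trains a toy logistic-regression "net" (standing in for a neural net) on a constructed application set whose historical labels deny everyone in a flagged neighbourhood, drops the set, and then shows that a black-box counterfactual audit of the model's own decisions, presenting identical applicants with only the neighbourhood flag flipped, still exposes the dependency. All names, features and sample values are hypothetical.

```python
import math
import random

# Constructed feature layout: [income (0..1), debt ratio (0..1), redlined-area flag]
def make_training_set(n=400, seed=7):
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        income, debt = rng.random(), rng.random()
        flag = 1.0 if rng.random() < 0.5 else 0.0
        # Constructed "historical" decisions: approve creditworthy applicants,
        # but deny anyone in the flagged area regardless of merit (the redlining).
        label = 1 if (income - debt > 0.0 and flag == 0.0) else 0
        rows.append(([income, debt, flag], label))
    return rows

def predict_prob(w, b, x):
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    z = max(-30.0, min(30.0, z))  # keep exp() in range as weights grow on separable data
    return 1.0 / (1.0 + math.exp(-z))

def train_logistic(rows, epochs=300, lr=0.5):
    """Plain stochastic-gradient logistic regression; stands in for the 'net'."""
    w, b = [0.0, 0.0, 0.0], 0.0
    for _ in range(epochs):
        for x, y in rows:
            g = predict_prob(w, b, x) - y
            for i in range(len(w)):
                w[i] -= lr * g * x[i]
            b -= lr * g
    return w, b

def approve(w, b, x):
    return predict_prob(w, b, x) >= 0.5

def counterfactual_audit(w, b, probes):
    """Black-box check: submit identical applicants that differ only in the
    neighbourhood flag and count decision flips. No training data is needed."""
    flips = 0
    for income, debt in probes:
        if approve(w, b, [income, debt, 0.0]) != approve(w, b, [income, debt, 1.0]):
            flips += 1
    return flips

def run_demo():
    w, b = train_logistic(make_training_set())
    # The training set is now out of scope: only the model's behaviour remains.
    # Four creditworthy probes and one that should be denied on merit alone.
    probes = [(0.9, 0.1), (0.8, 0.3), (0.7, 0.2), (0.6, 0.1), (0.2, 0.8)]
    return counterfactual_audit(w, b, probes), w
```

The audit reports four of five decisions flipping on the neighbourhood flag alone, and the learned weight on that flag is strongly negative, which is the kind of evidence a regulator can obtain from the deployed model without ever seeing the discarded training data.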