Subject: RISKS DIGEST 18.43

RISKS-LIST: Risks-Forum Digest  Weds 11 September 1996  Volume 18 : Issue 43

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
IRS drops Internet tax filing plan (PGN)
RISKS of newspaper publishing (Rachelle Heller via Lance Hoffman, John Schwartz)
Safety of real-time systems (PC versus SPS) (Andreas Huennebeck)
Re: Accidental shootdown of F15 plane revisited (Robert Dorsett)
Lexis-Nexis personal information database (Larry Hunter from Privacy Forum)
Nebraska Automobile Title/Registration Records (Paul W Schleck)
Re: RISK: Dangerous core dumps (James Bonfield)
Re: Locating the position of cellular phones (Peter Campbell Smith)
Re: AOL curbs incoming spams (Fred K Herr)
AOL spamming case and direct e-mail in general (Lance J. Hoffman)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 11 Sep 1996 11:42:11 PDT
From: "Peter G. Neumann"
Subject: IRS drops Internet tax filing plan

The IRS has apparently pulled the plug on its plans for Cyberfile, an electronic system that would have enabled taxpayers to file their returns directly without going through third-party service providers. An earlier launch of Cyberfile for April 1996 was put on hold when the Government Accounting Office identified some security weaknesses. The decision to abandon the project was evidently made in July. A GAO report just released blamed mismanagement and shoddy contracting practices. It also noted that the central computer was located in a dusty subbasement of the Agriculture Department subject to flooding, the computer-room doors had locks installed backwards (to keep the bad guys in?), and sprinkler pipes were too low.
The report also observed that use of the World Wide Web (rather than toll-free direct dialups) represented security problems for taxpayers and for the IRS alike. At a 10 Sep 1996 hearing of the Senate Governmental Affairs Committee considering the Tax Systems Modernization effort more broadly, Senator Ted Stevens said, "It's an absolute fiasco." [Source: a *Los Angeles Times* article in the *San Francisco Chronicle*, 11 Sep 1996, p.A3]

------------------------------

Date: Tue, 10 Sep 1996 19:20:36 -0400 (EDT)
From: "Lance J. Hoffman"
Subject: RISKS of newspaper publishing

> Date: Tue, 10 Sep 1996 17:14:19 -0400 (EDT)
> From: Rachelle Heller
> Subject: What do you know about the WP Sunday break-in?
> To: hoffman@seas.gwu.edu (Lance J. Hoffman)
>
> Matt tells me that the Style section for Sunday's WP had a break-in and
> someone changed the masthead prior to publication and it was published
> without anyone's knowing it. [...]

Yep, I have it in front of me, freshly rescued from the recycle bag. The Sunday Style Section of *The Washington Post* for 8 Sep 1996 has in its masthead at the upper right corner of page F1: "Published for You by a Large, Uncaring, Conglomerate".

Lance Hoffman

------------------------------

Date: Tue, 10 Sep 1996 19:33:23 -0400 (EDT)
From: schwartj
Subject: RISKS of newspaper publishing

The Sunday Style editor, Gene Weingarten, does this every week. It is a deeply subversive act, but it comes from within. Weingarten is a deeply twisted man, and a treasure. Sorry if this disappoints you. A few favorite previous "ears," as they are called:

* Mitnick was here
* 25 Years of Error-Free Journalism
* It's Not Very Good This Week
* As Unbiased As the Next Pinko Rag
* The Only Thing In This Newspaper That is On The Far Right
* One was printed upside down and it said, "Hey, Why Am I on the Bottom?"
* Another one printed upside down said, "Number One in Quality Control."
* Another personal favorite: "Nice Bathrobe."
In fact, 90-95 percent of them are submitted by readers as part of the ongoing Style Invitational, the *Post*'s weekly, off-color humor competition. The Ear author is thanked in the fine print. It's a great thing -- a big corporation that (at least in one corner of one page one day a week) laughs at itself.

John Schwartz, speaking only for myself here at *The Washington Post*.

------------------------------

Date: Fri, 6 Sep 1996 14:12:48 +0200 (MESZ)
From: ah@bruker.de (Andreas Huennebeck)
Subject: Safety of real-time systems (PC versus SPS)

In the German newspaper "Elektronik" no. 18/1996 from 3 Sep 1996, intended for professional electronics hardware and software developers, appeared an article containing the views of several companies regarding the usage of PCs (personal computers) running Windows NT versus SPS (Speicher-Programmierbare Steuerung = programmable control unit) for real-time applications. One of the views from the CEO of a company selling PC-based systems said (I translate and make shortcuts):

"Regarding the poor safety of a system running under Windows, my point of view is that every system has limited safety. Even the praised SPS will eventually cease to work - maybe not as soon as a PC, but sometime or other there is an end. But in most application cases the safety of a PC-based system is high enough."

I think this is a strange kind of safety judgement.

Andreas Huennebeck, Bruker Analytische Messtechnik GmbH  ah@bruker.de

------------------------------

Date: Wed, 11 Sep 1996 14:04:06 GMT
From: rdd@netcom.com (Robert Dorsett)
Subject: Re: Accidental shootdown of F15 plane revisited (Mills, RISKS-18.42)

> There are several reasons why just airplane disasters are exceptional.

All good reasons. However, one also has to deal with the political dynamics of a crash, both good and bad. The fact is, public safety can be affected by the results of a crash investigation. Therefore, to coin an old phrase, "the public has a right to know."
Even premature information can be accurate, and even, if misleading or wrong, can have unintended beneficial effects by putting pressure on both manufacturers and investigators to address specific public concerns. Examples:

- The early grounding and microscopic probing after the American Airlines DC-10 crash at ORD in 1979 resulted in everyone in the industry becoming very familiar with the technical issues at hand. I doubt if anyone will ever use a forklift to mount an engine ever again.

- The author of _Unheeded Warning_ notes his concerns (as a pilot) of the safety of the ATR-72 in icing conditions long prior to the eventual October 1994 crash. His book notes explicit steps taken to keep the issue alive in the media and thereby bringing political pressure to bear on the NTSB and FAA to maintain appropriate perspective in both the investigation and regulation of the aircraft. This pressure arguably resulted in FAA mandates to adjust the design of the anti-ice system on the airplane. Similar pressure was absent after a similar crash in 1988 in the Italian Alps.

- Each A320 crash ignites intense discussions on software reliability. No A320 has crashed as a result of a flight control system failure, but even incorrect speculation helps educate budding and practicing software engineers, and discussion of the pros and cons of this implementation, which reflected the state of the art at the time, will hopefully help encourage a sense of pragmatism when it comes to installing and developing safety-critical systems.

  In addition, since everyone has a personal computer these days, and therefore considers themselves experts, USENET discussions also have the effect of educating the lay public. An educated public is the enemy of political and corporate opportunists everywhere.
- I think we can all agree that the microscopic examination of ValuJet will have the eventual effect of making it the safest airline in the air, even though the scrutiny is politically motivated and arguably very unfair when compared to the operational reality of other airlines. That is, ValuJet will be safe if the airline isn't driven out of business.

- The NTSB frequently holds open hearings on major crashes. In at least one situation recently (in regards to the UAL 737 crash at Colorado Springs) they invited public comment. It's difficult for even the technical public (in this industry, several million people in and affiliated with the field) to comment if they aren't provided with "premature" factual information.

Lastly, let's keep in mind that the TWA crash, which I suspect may have helped shape your comments, is kind of exceptional. It crashed over the media capital of the United States, and likely of the world. Individuals coordinating the "victims' families" press conferences involved members associated with "victims' rights" movements in other contexts, thus imparting some of their special skills and thus helping influence the political dynamics of this crash (compare family coverage of this crash with any other in recent memory). This extraordinary combination actually resulted in officials stating that the crash/crime investigation would be put on hold until bodies were all recovered. In the meantime, public safety was potentially compromised as physical evidence was lost: nobody *knows* whether a bomber might be running around. In addition, since terrorism seems very likely, the crash provides a longer-term interest than is typical for our usual mass-media reporting, which is designed for a 45-second attention span.

It's a political world, not a technical one. Unfortunately, the real risk comes from a cultural propensity to encourage the ignorant to speak loudly and assertively.
That does not mean basic data should be restricted, only that those who glibly assert expertise from fluff seen on the nightly news should be shushed.

Robert Dorsett  rdd@netcom.com
Moderator, sci.aeronautics.simulation  aero-simulation@wilbur.pr.erau.edu
ftp://wilbur.pr.erau.edu/pub/av

------------------------------

Date: Tue, 3 Sep 96 12:01 PDT
From: privacy@vortex.com (PRIVACY Forum)
Subject: Lexis-Nexis personal information database (PRIVACY Forum Digest 05 17)

  [PRIVACY Forum Digest  Tuesday, 3 September 1996  Volume 05 : Issue 17]

Date: Tue, 3 Sep 1996 11:22:15 -0400 (EDT)
From: Larry Hunter
Subject: Lexis-Nexis personal information database

Lexis-Nexis sells a commercial database called "Ptrax" which holds detailed personal information on nearly all Americans (L-N claims it contains 300 million names). This database includes name, current address, up to two previous addresses, phone number, birth-date, social security number, mother's maiden name and possibly other personal information. This database is kept quite current. Through the Nexis Express service, this information could be available to any individual with a credit card. As most readers are aware, such information could easily be used for theft of identity and other frauds.

It is possible to have one's name removed from this database by making a telephone request. Call (800)543-6862, select option 4 ("all other questions") and tell the representative answering that you wish to remove your name from the Ptrax database. You may also send a fax to (513)865-7360, or physical mail to LEXIS-NEXIS / P.O. Box 933 / Dayton, Ohio 45401-0933. Sending physical mail to confirm your name has been removed is always a good idea.

As word of the existence of this database has spread on the net, Lexis-Nexis has been inundated with calls, and has set up a special set of operators to handle the volume.
In addition, Andrew Bleh (rhymes with "Play") is a manager responsible for this product, and is the person to whom complaints about the service could be directed. He can be reached at the above 800 number; select option 4 and then ask for extension 3385.

The information in this note has been confirmed by me, and was originally provided in forwarded messages from Russell Whitaker, Jason Werner, Vern Winters, Katherine Florman and Reuben Snipper.

Larry Hunter  hunter@intr.net

  [For info on Lauren Weinstein's PRIVACY Forum Digest, see risks.info or risksinfo.html, or http://www.vortex.com . PGN]

------------------------------

Date: Fri, 6 Sep 1996 15:09:57 -0500 (CDT)
From: "Paul W Schleck KD3FU"
Subject: Nebraska Automobile Title/Registration Records

Here in Nebraska, automobile titles and registrations are handled at the county courthouse level by the county clerk's and treasurer's offices. Residing in the city of Bellevue, I received a renewal notice for a car of mine that I've owned for a number of years (I bought it for cash, so I've always had clear title). Strange thing was, the postcard had already been returned by the post office as undeliverable, finally reaching me after being resent. The name and address on it was:

    Sarpy County
    (my address)

This was curious, but I didn't think much of it at the time. Near the end of the month, I went down to the Sarpy County courthouse in Papillion, paperwork in hand, expecting this to be a routine renewal. The clerk at the renewal counter noted amusingly that my name had been changed to "Sarpy County." She apologized for this, saying that they had recently gone to a statewide system and a lot of records were in error. She then noticed that the title number of my last year's registration card did not match the title number on my renewal notice. Attempting to look up my records on-line found that I was not listed as the owner of this car, Sarpy County was. The date of the new title was February of 1993.
She called someone at the state and after a brief phone conversation, turned to me and asked: "Was this an abandoned vehicle?"

Uh-oh. Everything suddenly clicked in my mind. My car was never abandoned, but I did leave it parked on a city street during snow removal in January of 1993. Though the street was not a snow emergency route, there is apparently a rarely-enforced ordinance that cars parked on public streets must be moved every 24 hours. Mine hadn't been moved in at least a week (it's an operational vehicle, I just don't drive it every day), and the small collection of snow around it made this obvious. I realized it had been towed after noticing it missing the same evening after I got home. After promptly retrieving the vehicle from the impound lot the next day, I received a letter in the mail from the Sarpy County Sheriff's office indicating that the car had been towed and that I had 5 days to claim the vehicle before forfeiting it to the county. Concerned, I called the Sheriff's office and was assured that as long as I had reclaimed the vehicle such that the county was not in possession of it anymore, I had nothing to worry about. (Physical possession of the vehicle struck me as an obvious sanity check against incorrectly initiating title claim proceedings against non-abandoned vehicles. For some unexplained reason, this sanity check was not performed.)

Operating under this assurance, and easily able to re-register (and re-insure) my car in 1993, 1994, and 1995, I was happily oblivious to the fact that the county claimed my title in error almost 4 years ago. I only became aware of this now, in August of 1996, at the registration renewal counter after the state finally synchronized its records. Armed with this information, I was referred to the title counter, and then the Sheriff's office, the upshot being that I had to ask the Sheriff's office to title the vehicle back to me.
Fortunately, they were willing to do so without any hassles or significant delays. I signed their "Duplicate" title as "purchaser" and the Sheriff's office wrote out a $10 check to the county treasurer (avoiding the insult that would have been added to injury if I had actually had to pay the title fee as a result of their mistake). I now hold an "Original" Nebraska title on my vehicle, once again. With this new title safe in my hands, and following good legal advice regarding the risks of having duplicate, and contradictory, "original" legal documents lying around, I turned my original "Original" title over to be destroyed.

Identifiable Risky Behaviors:

- There seems to be at least a partial lack of obvious human sanity checks in the procedures for taking possession of abandoned vehicles. One would be whether or not the county is actually *in possession* of the vehicle. A corollary to this is, having decided they did own the vehicle, that the county did not seem to do a reasonable amount of tracking (and auditing after the fact) regarding the disposition of (alleged) county property, leaving the status of this vehicle indeterminate for years. One has to wonder if the same oversight would have happened if the title said "1996 Mercedes."

- Keeping records in at least two different places, and subjecting them to inconsistent, and rare, updates is just begging for trouble. I'm not sure how long the county and state records were out of whack, but I do know that I was able to get registration renewals in 1993, 1994, and 1995, even though the state records indicated that I was not the owner of the vehicle during that time. This suggests that at least part of the records have gone unsynchronized for years.

- The implicit data flow in the old system was correct in principle (propagate updates from the county level to a central clearinghouse, i.e.
  the state, then propagating those changes back downward to the county), and the move to a new, single, integrated statewide system was an appropriate one. However, the apparent inconsistency of, and long delays between, record updates in the old system created the absurd situation where the government agencies in buildings less than a few hundred feet apart (the Sarpy County Sheriff's office, which took possession of the vehicle, and the Sarpy County Courthouse, which tracked title and registration records) had dramatically different versions of reality.

Risk Mitigations:

- Any sensible information system should save historical (i.e., "deleted") records for auditing purposes. Having historical title records on-line made it very easy for the employees at the title counter to quickly track down my old title and determine its disposition (issuance of a new title to Sarpy County). The date of the new title (early 1993) connected it in my mind to the towing incident.

- The new system had an interesting (and perhaps unanticipated) soft failure mode in that, even though the records showed that the car was not mine, I still got a renewal notice which reminded me to go down to the courthouse. I probably would have remembered anyway, but having a mismatch in title number between my registration card and the renewal notice brought the error to the attention of courthouse employees more quickly.

and, most importantly:

- Situations like these are often aggravated by customer service representatives who do not understand that computer-generated data can ever be in error, leaving the hapless customer to prove that it is incorrect. Fortunately, the human employees at the Sarpy County Courthouse and Sheriff's Office understood the limitations of their computer systems, particularly in light of a move to a statewide system that introduced (or at least brought to light) a lot of errors.
  Sarpy County Clerk Debra Houghtling, Captain Dan Jackson of the Sarpy County Sheriff's Office, and many others got personally involved in working out this problem and reaching a solution within an hour. (The car was retitled back to me at no expense, and minimal effort, within a few days.)

Epilogue:

Later discussions with Sarpy County Treasurer Rich James (both by me and by a friend of mine with courthouse contacts) indicated that this is a known problem with the new statewide system. Sometimes the error is with the government (as in my case), sometimes the error is with the owner (as the old system tracked driver's license, registration, and title information in multiple places, and sometimes the motorist forgot to update all of them). The new statewide system will at least catch these errors, and prevent new ones from happening in the future. Though he noted that mine was a rare case, he did acknowledge that it is possible that similar ones are lying around in the records and won't be discovered until the motorist tries to re-register the vehicle.

Warning to Nebraska Residents:

The recent transition to a single, integrated statewide system for tracking automobile title and registration information has either introduced errors, or brought to light incorrect title actions and inconsistent updates that have been lying undiscovered at the state level for as much as several years. If the ownership of your vehicle is in *any* doubt (such as if it was towed like in my example), or you have changed your name or address and failed to notify all appropriate government agencies, check with your county courthouse. Any errors won't be brought to your attention until you try to renew your registration.
My experiences in Sarpy County seem to indicate that they will acknowledge the error and promptly correct it with the issuance of a new title, if necessary. (If it was the county's or state's fault, and you are politely assertive about it, it appears likely that the agency responsible will pay any fees involved in correcting the records.) Your registration can't be renewed until this new title is received, so go down early in your renewal month to avoid possible interruption in your vehicle registration.

Paul W. Schleck  pschleck@novia.net  http://www.novia.net/~pschleck/

------------------------------

Date: Wed, 11 Sep 1996 09:53:08 +0100 (BST)
From: James Bonfield
Subject: Re: RISK: Dangerous core dumps (Abigail, RISKS-18.42)

If the core file is in a user's own directory then it's almost certain that telnet crashed, not the server (ftpd). As such a telnet core is likely to contain buffers of recently typed actions including your password.

It is perhaps preferable for core files to be dumped with mode 600. I don't know of any systems that will do this without also changing umask for all your other files.

On a related topic, really crashing the ftpd can also be dangerous. On our Solaris 2.5 box connecting via telnet and simply typing 'pasv' causes a core dump to be dumped to the remote system's root directory. This has two effects - it overwrites any existing core even on systems where you have no login (or root) access. Secondly it uses more disk space which may have implications for system logs if they're not on a separate file system.

James Bonfield, Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.
01223 402499  jkb@mrc-lmb.cam.ac.uk

------------------------------

Date: Mon, 09 Sep 96 17:41:31 GMT
From: campbellp@logica.com (Peter Campbell Smith)
Subject: Re: Locating the position of cellular phones (Stover, RISKS-18.41)

There is an interesting article in Traffic Technology International, Aug/Sept 96 issue about a system called CAPITAL that uses cellular phone calls as a probe to monitor road traffic around Washington DC. It describes an experiment which has been running for two years and which has demonstrated that this is an extremely cost-effective alternative to conventional means of traffic monitoring.

The system is independent of the cellular phone system per se, but has antennae on the cellular phone masts which listen to the cellular frequencies. Every time a call is initiated, CAPITAL locates the caller by a combination of directional multi-element antennae and time-of-arrival analysis between different masts. The geographical accuracy is reported to be about 115 m, and subsequent tracking allows the speed of the vehicle to be established within 30 to 50 sec to an accuracy of 5 mi/h.

At any time less than 5% of vehicles are making calls, but this is a sufficient sample for analysing the traffic speed (though not presumably the traffic density). Moreover, when the traffic slows down even more people make calls, so there is a better density of data from the areas most interesting to those monitoring traffic flows.

It is claimed that the boxes ignore the voice content of the call and that the data they deliver has randomly assigned identifiers for each call, so that nothing leaves the system which would allow calls to be associated with specific phones.

Peter Campbell Smith, Logica, London, UK  campbellp@logica.com

------------------------------

Date: Wed, 11 Sep 96 10:39:00 EDT
From: "Herr, Fred K TR"
Subject: Re: AOL curbs incoming spams (RISKS-18.41 et al.)
The judge's injunction to prevent AOL from interfering with the subject spams seemed to rest on a comparison of free speech expressed via the USPS as against free speech expressed via on-line message services, with the assumption, pending at least until the trial in November, that there is no essential difference. There is, of course, a significant economic difference - which may have no relevance in discussing the constitutional issues - but which highlights a risk of computer and network technology to itself and its users. The risk is that the rapid reduction in costs and rapid growth in capability changes the economic balance so quickly that the system's stability, even survival, is dependent on the good manners (or common sense) of its user community until the entire system evolves to a new state of economic equilibrium.

Free speech via the USPS is anything but free, in the financial sense. The junk mail that I so readily send to the trash-to-steam plant without opening has at least four real financial costs associated with it. A payment to the postal service to deliver it. Payment to a printer to produce it and deliver it to the postal service. Payment to a mailing list provider so it can be sent to a real address. And payment of the costs related to creating the content (text and graphics). Thus the sender spends a few dozen cents to a few dollars to irritate me for a second and generate an ounce of steam.

The spam advertiser, on the other hand, may have to bear some creative expense, but the other three costs are practically zero (divide a modest network access fee by a few million messages). The paper mailer has to carefully balance the costs of "free speech" against the profit expected to result, and he is using a resource that is in equilibrium, more or less balancing the postal rates against the people and tools needed to handle a predictable volume of paper.
The spammer has no concern for balancing cost against profit - the potential profit of each additional message delivered is always greater than the minuscule incremental cost of the additional message. But the risk to the delivery system becomes quite large as the load rapidly exceeds the service capacity that assumed good manners would be the norm.

To restore equilibrium perhaps the delivery system could learn to recognize spams. When it does, it could credit the account of each receiving mailbox with a few cents, and debit the sender's account a similar amount. If spammers can still figure out how to make a profit in this new environment, well at least the rest of us will pay less for access, and we may even make a profit if we receive enough junk mail. Oops! That will tip the equilibrium the other way as individuals start getting multiple mailboxes in hopes of attracting lots of junk e-mail.

Fred Herr  fkh1@trpo6.tr.unisys.com

------------------------------

Date: Wed, 11 Sep 1996 07:19:13 -0400 (EDT)
From: "Lance J. Hoffman"
Subject: AOL spamming case and direct e-mail in general

For those who wish to see some of the key players in action, a videotape of the following event is available for $50 from GWTV (The George Washington University TV station) (attn Paul Caffrey, GWTV, 801 22nd St NW, Washington DC 20052, 202 994-8233). While the discussion is now a year old, the passion of the players is captured on tape (or the non-passion in the case of the computer-impaired lawyer from the DMA). It might be of interest to some RISKS readers. Those in the Washington area might consider coming to the seminar series this year (third Tuesdays of each month, info at http://www.cpi.seas.gwu.edu/Activities/)

Lance Hoffman

CONSUMER RIGHTS WITH DIRECT MARKETING ON AND OFF THE INTERNET:
DOES JUNK (E-)MAIL REALLY BYTE?
Panel Discussion, 21 Nov 1995
  Marc Rotenberg, Electronic Privacy Information Center
  Ram Avrahami, Concerned Consumer
  Sanford Wallace, Promo Enterprises
  Robert Sherman, Direct Marketing Association

------------------------------

Date: 15 Aug 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Or use Bitnet LISTSERV.  Alternatively,
 (via majordomo) DIRECT REQUESTS to RISKS-request@csl.sri.com with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO     [for unabridged version of RISKS information]
=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk
 subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com / login anonymous / [YourNetAddress] / cd risks  or
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 The ftp.sri.com site risks directory also contains the most recent PostScript
 copy of PGN's comprehensive historical summary of one liners: get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 18.43
************************