Date: Tue 24 Jun 86 01:41:53-PDT
From: RISKS FORUM (Peter G. Neumann, Coordinator)
Subject: RISKS-3.12
Sender: NEUMANN@SRI-CSL.ARPA
To: RISKS-LIST@SRI-CSL.ARPA

RISKS-LIST: RISKS-FORUM Digest, Tuesday, 24 June 1986  Volume 3 : Issue 12

**** This is indeed Issue 12. The previous issue should have been labelled ****
     Monday, 23 June 1986  Volume 3 : Issue 11                           <===

        FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  License Plate Risks (Chuck Price)
  SDI is for ICBMs, Not Terrorists (Mark Day)
  Still another kind of clock problem (Rodney Hoffman)
  Estimating Unreported Incidents (Ken Laws)
  Estimating Unreported Incidents -- and the risks of using statistics (PGN)
  Re: Privacy legislation (RISKS-3.8) and radio eavesdropping
    (Jerry Mungle, Jeff Mogul, Jim Aspnes)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.)
(Back issues Vol i Issue j available in SRI-CSL:RISKS-i.j.
 Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

Date: Mon, 23 Jun 86 09:56:05 pdt
From: price@src.DEC.COM (Chuck Price)
To: RISKS@SRI-CSL.ARPA
Subject: License Plate Risks

I heard the following tale on KCBS this morning. [I intersperse a few
details from the SF Chron, 23 Jun 86. PGN]

It seems that this fellow [Robert Barbour] desired personalized license
plates for his car. Since he loved sailing, he applied for ``SAILING'' and
``BOATING'' as his first two choices [seven years ago]. He couldn't think
of a third name of NAUTICAL intent, so he wrote ``NO PLATE'' in as his third
choice.

You guessed it. He got ``NO PLATE''.
A week or so later, he received his first parking ticket in the mail. This
was followed by more and more tickets, from all over the state [2500 in
all!]. It seems that when a police officer writes a parking ticket for a car
with no license plates, he writes ``NO PLATE'' on the ticket.

Our friend took his problem to the DMV, which informed him that he should
change his plates. The DMV also changed their procedures. They now instruct
officers to write the word ``NONE'' on the unplated parking tickets.

Wonder who's gonna get those tickets now?

-chuck price

    [Obviously some poor sap whose license plate says ``NONE''!]

------------------------------

Date: Mon 23 Jun 86 12:04:46-EDT
From: Mark S. Day
Subject: SDI is for ICBMs, Not Terrorists
To: RISKS@SRI-CSL.ARPA

Bob Estell states that "SDI does not equate to ICBM defense." This is
simply not true. Even in Reagan's first speech about rendering nuclear
weapons "impotent and obsolete" (Mar 23, 1983), he went on to say that he
was "directing a long-term research and development program to begin to
achieve our ultimate goal of eliminating the threat posed by STRATEGIC
NUCLEAR MISSILES." [Emphasis added] From its inception, SDI has been
intended to defend against and deter a massive attack by ICBMs.

As others have previously pointed out in RISKS, terrorists don't need to
deal with ICBMs and would be foolish to try. At the Stanford debate on SDI
feasibility, Maj. Pete Worden (special asst. to the Director of SDIO)
answered a question about terrorists and smuggling bombs into the country by
saying "We are trying to deter something that is reasonably military, not a
terrorist act."

SDI is intended as a defense against Soviet ICBMs and (on particularly
optimistic days at SDIO) Soviet cruise missiles. It is not intended to save
the United States population from every nuclear threat.
--Mark

------------------------------

Date: 23 Jun 86 10:00:39 PDT (Monday)
From: Hoffman.es@Xerox.COM
Subject: Still another kind of clock problem
To: RISKS-Request@SRI-CSL.ARPA

You might be amused by the anomalous dates [in an earlier message from
Rodney to me, not included]. Our power was off all weekend for some work.
When I came in this morning, no computer servers were working yet --
including the time servers. So I set the date and time on my machine myself,
including stuff like "Hours offset from Greenwich Mean Time" and "First day
of Daylight Savings Time"! (Luckily they have proper default values.)

I then interrupted (instead of booted) into another volume. Because of that,
this volume's clock tried unsuccessfully to locate a time server and, by
default, resumed ticking from when I left Friday evening! And once it begins
ticking, it apparently never checks again for a time server. When I typed in
my RISKS contribution and sent it, it had that Friday timestamp, though it
was Monday and I was (correctly) citing a Sunday news article.

--Rodney

------------------------------

Date: Fri 20 Jun 86 16:21:04-PDT
From: Ken Laws
Subject: Estimating Unreported Incidents
To: Risks-Request@SRI-CSL.ARPA

[In RISKS-3.8, I noted how rarely I get two reports of the same incident,
and wondered how many do not get reported at all. PGN]

There is actually a statistical technique (based on the Poisson
distribution, I'm sure) for estimating the number of unreported items from
the frequencies of multiply reported ones. It was developed for estimating
true numbers of Malaysian butterfly species from collected ones, and has
recently been used to validate a newly discovered Shakespeare poem from the
percentages of words that were used 0, 1, ... times in the accepted
Shakespearean literature.

-- Ken Laws

------------------------------

Date: Tue 24 Jun 86 01:09:31-PDT
From: Peter G. Neumann
Subject: Estimating Unreported Incidents -- and risks of using statistics
To: RISKS@SRI-CSL.ARPA

Ah, Ken's message brings us to the risks of computer authentication! The
poem in question really did not read like authentic "Shakespeare" to me; it
seemed vastly too pedestrian, childish, and uncharacteristically repetitive.
But then, don't get us started on who actually wrote the works attributed to
William Shakespeare. That might be a little risky for this Forum. (However,
for some fascinating background, see Charlton Ogburn's book "The Mysterious
William Shakespeare -- the Myth & the Reality", pursuing the case that the
man known as "William Shakspere" was functionally illiterate, with almost no
documents bearing his signature or handwriting and no known contemporary
literary activity, and that he could not possibly have written the works
attributed to "Shakespeare".) (By the way, I don't think it was Marlowe,
Bacon, or -- as Ogburn contends -- Edward de Vere who wrote the works of
Shakespeare. But, there are also some multi-ghost-author theories that would
make the use of computer analysis for style comparisons to authenticate the
alleged poem as belonging to the works of supposedly a single author quite
speculative!) [You thought I was drifting away from computer risks, didn't
you?]

At any rate, let us be very careful with such statistical arguments in that
case -- and in other computer-related cases as well. For example, with
respect to computers in banking and credit applications, the cases of
intentionally undocumented internal frauds are known to be very
considerable; using such statistical arguments to estimate unreported
incidents is very suspicious. People certainly aren't "normal". Why should
distributions of unknown or extraordinary cases be expected to be normal?

PGN

------------------------------

Date: 16 Jun 1986 06:09:22 PDT
Subject: Re: Privacy legislation (RISKS-3.8) and radio eavesdropping
From: Jerry Mungle
To: RISKS FORUM (Peter G. Neumann, Coordinator)

Re: Michael Wagner's query about privacy of radio telephone...

[Here are THREE more messages on this subject. Each adds a little more to
what Dan Franklin contributed in RISKS-3.10. This time I did not have the
patience to edit each one down to its nub, so please read them
accordingly... PGN]

For quite a while telephone traffic has been carried by satellite links. It
is quite easy to receive such transmissions using nothing more sophisticated
than a backyard dish antenna, and the demultiplexing needed to recover a
conversation is doable by undergraduate EEs. I believe it is quite illegal
to "intercept" phone conversations (or data transmissions via phone lines)
in this fashion. However, it is *very* difficult to detect such activities.

I do not believe it should be illegal to monitor ANY radio communication, as
the airways are public property. But there seems to me to be precedent for
laws regulating reception of radio transmissions (beware, I am not a
lawyer).

The risks to computer systems lie in the ease with which data transmitted
over phone lines may be intercepted. This relative ease is offset to some
degree by the difficulty of finding the particular phone link one wishes to
monitor. But, given a reasonable level of support, it should be possible to
eavesdrop on conversations/data transmission which one desires to hear.
Sales figures, marketing info, experimental data.... lots of valuable data
go unencrypted over the phones every day.

------------------------------

Date: 17 Jun 1986 1128-PDT (Tuesday)
From: Jeff Mogul
To: RISKS@sri-csl.arpa
Subject: Re: Privacy legislation (RISKS-3.8) and radio eavesdropping

In RISKS-3.8, ubc-vision!utcs!wagner@seismo.CSS.GOV (Michael Wagner) asks:

    Does anyone have any idea how the last part (radio telephones) could be
    legally supported in view of other legal freedoms? I thought that one
    was free to listen to any frequency one wished in the US (Canada too).
    You don't have to trespass to receive radio signals.

It's been a decade or so since I was familiar with current US
communications law (as a licensed Amateur Radio operator, I had to pass
several exams covering this sort of thing), but I recall that although there
is no prohibition against receiving radio signals, there is a prohibition
against divulging what you receive to any other party. Of course, this
doesn't apply to all radio services (it's not against the law to reveal
baseball scores you heard on an AM broadcast station) and I doubt it's often
enforced.

Compare this to what a computer system manager might face when unraveling a
mail snafu. I might not be able to avoid seeing the text of an unencrypted
message (as I watch packets moving between hosts) but it would certainly be
unethical for me to reveal what I saw, or indeed to make any use of it.
Ideally, the technology would be such that I could not accidentally see the
contents of a message while performing a management function, but in today's
world I think the only enforceable prohibition is against divulging or using
electronic mail, not against seeing it. (Of course, seeing by means of
unauthorized access is also prohibitable.)

-Jeff Mogul

------------------------------

Date: Mon, 23 Jun 86 11:39:45 EDT
From: Jim Aspnes
To: RISKS FORUM (Peter G. Neumann, Coordinator)
Subject: Re: Privacy Legislation (RISKS-3.10)

    Date: Tue, 17 Jun 1986 00:32 EDT
    From: LIN@XX.LCS.MIT.EDU
    To: ubc-vision!utcs!wagner@SEISMO.CSS.GOV (Michael Wagner)
    Cc: RISKS-LIST:@XX.LCS.MIT.EDU, risks@SRI-CSL.ARPA
    Subject: Privacy legislation (RISKS-3.6)

[On the same topic...]

    Not true. States routinely ban the use of radar detectors, and that is
    nothing more than "listening to a frequency."

Most states do not actually ban the use of radar detectors, but rather the
operation of a motor vehicle containing one; as I understand it, if you want
to sit at home and detect your burglar alarm, you are entirely within the
law. There is no constitutional or federal restriction on how states can
regulate your driving.

------------------------------

End of RISKS-FORUM Digest
************************
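Ken Laws's message above names a frequency-of-frequencies technique for estimating unreported items without spelling it out, and PGN's reply questions the assumptions behind it. As an added illustration that is not part of the digest, the following runs the Chao1 lower-bound estimator (my assumption as to which member of that family Ken had in mind; the butterfly and Shakespeare work used related Poisson-based estimators) over a constructed set of incident reports, with a Good-Turing coverage figure alongside; both rest on the independence assumption PGN warns about, and the last line shows how sensitive the answer is to it.

```python
from collections import Counter

# Constructed sample (not from the digest): each entry is the incident that
# one report describes. Eight distinct incidents; several were reported more
# than once, which is exactly the multiplicity the technique feeds on.
REPORTS = [
    "plate-no-plate", "plate-no-plate", "plate-no-plate",
    "clock-timeserver", "clock-timeserver",
    "sdi-terrorist", "sdi-terrorist",
    "atm-double-debit", "mail-timestamp", "radar-detector",
    "satellite-tap", "dmv-none",
]


def frequency_of_frequencies(reports):
    """Return {k: f_k}: the number of incidents reported exactly k times."""
    per_incident = Counter(reports)              # incident -> report count
    return dict(Counter(per_incident.values()))  # k -> incidents with count k


def chao1_unseen(freqs):
    """Chao1 lower bound on the number of incidents never reported.

    With f1 = incidents reported once and f2 = incidents reported twice, and
    assuming reports of each incident arrive independently (Poisson counts),
    the unseen count is estimated as f1^2 / (2 f2). When f2 == 0 the
    bias-corrected form f1 (f1 - 1) / 2 is used so we never divide by zero.
    """
    f1 = freqs.get(1, 0)
    f2 = freqs.get(2, 0)
    if f2 > 0:
        return f1 * f1 / (2 * f2)
    return f1 * (f1 - 1) / 2


def good_turing_unseen_share(reports):
    """Good-Turing estimate of the chance that the NEXT report concerns an
    incident nobody has reported yet: f1 / N (singletons over all reports)."""
    f1 = frequency_of_frequencies(reports).get(1, 0)
    return f1 / len(reports)


def estimate_total(reports):
    """Observed incidents plus the Chao1 estimate of unreported ones."""
    observed = len(set(reports))
    return observed + chao1_unseen(frequency_of_frequencies(reports))


if __name__ == "__main__":
    freqs = frequency_of_frequencies(REPORTS)
    print("f_k:", freqs)                                # {3: 1, 2: 2, 1: 5}
    print("unseen (Chao1):", chao1_unseen(freqs))       # 6.25
    print("estimated total:", estimate_total(REPORTS))  # 14.25
    print("P(next report is new):", round(good_turing_unseen_share(REPORTS), 3))
    # PGN's caveat in code form: the estimate hinges on f2. One incident
    # fewer in the "reported twice" bin doubles the answer.
    print("with f2 = 1 instead:", chao1_unseen({1: 5, 2: 1}))  # 12.5
```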