Mail-From: NEUMANN created at 14-Nov-86 16:42:46
Date: Fri 14 Nov 86 16:42:46-PST
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS DIGEST 4.11
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Friday, 14 November 1986  Volume 4 : Issue 11

        FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Computers don't kill people, people kill people (Howard Israel)
  Open microphone in the sky (Bob Parnass)
  Computerized Voting in Texas (Jerry Leichter)
  Problems with HNN (Alan Wexelblat)
  Post-hacker-era computer crime (Talk by Sandy Sherizen)
  Re: They almost got me! [A motor-vehicle database saga] (Doug Hardie)
  Re: information replacing knowledge (G.L. Sicherman)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.  MAXj:
Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date: Tue, 11 Nov 86 11:45 EST
From: Howard Israel
Subject: Computers don't kill people, people kill people
To: risks@CSL.SRI.COM

"Child Dies of Grill's Fumes In House Without Utilities"
Employee Error Kept Power Turned Off
(Washington Post, Sunday, November 9, 1986, pg A46)

(AP) NEW BRITAIN, Conn., Nov. 8--A mistake by a utility employe deprived a
house of power and a 7-year-old girl suffocated from the fumes of a charcoal
grill being used to heat the residence, state investigators said.

The Department of Public Utility Control said the family of Lucita Morales
had requested and been granted "hardship status", which is intended to
guarantee service to needy customers.
Gas and electric service should have been turned on Nov. 1, the report said,
but a Northeast Utilities computer operator recorded the order incorrectly,
punching a "no print" button instead of a "print".  As a result, service was
not restored until Nov. 3, the day after the girl was found asphyxiated in
an upstairs bedroom.

Police said a hibachi that the girl's mother, Paula Craig, was using to cook
and heat the room generated carbon monoxide.

Electric service to the home in Bristol had been shut off Sept. 30, and gas
was discontinued Oct. 7.

Utility Spokeswoman Jane Strachan said no action would be taken against the
employe, whom she declined to identify.

A department spokeswoman, Toni Blood, said the incident would be reviewed to
determine whether the system for tracking the hardship cases needs
improving, but no action was pending against the utility.

Avila Craig, Lucita's grandmother and the owner of the two-story house, said
she did not blame Northeast for the girl's death.

"It's sad so many people get caught up in the bureaucracy," she said.  "It's
about time people in Bristol wake up and realize people are hungry."

"I don't feel victimized," she added.  "My daughter was just caught up in
what is happening in America ....  She represents all the girls that have
babies and no income."

------------------------------

Date: Thu, 13 Nov 86 09:29:38 PST
From: ihnp4!ihuxz!parnass@ucbvax.Berkeley.EDU
To: ucbvax!CSL.SRI.COM!RISKS
Subject: Open microphone in the sky

NBC News reported last night [Nov. 12], and CBS News reported today, that a
Braniff passenger jet nearly collided with a United passenger jet over
Tennessee.

An air traffic controller in Atlanta witnessed the situation on his radar
screen, attempted to warn the pilots, but was thwarted because the frequency
was blocked by an "open microphone".
Bob Parnass, Bell Telephone Laboratories - ihnp4!ihuxz!parnass - (312)979-5414

------------------------------

Date: 14 NOV 1986 12:44:15 EST
From:
To: risks@csl.sri.com
Subject: Computerized voting in Texas - from 4-Nov-86 New York Times

             [Remailed after delay due to Yale network-table problems.]

                Computer Fraud Fought in Texas
        Official Orders More Security for All Counties
              That Tally Ballots Electronically
                     By Robert Reinhold

Houston, Nov. 3 -- The Secretary of State of Texas has ordered "additional
security" procedures in Tuesday's election to prevent fraud in the 40 or so
counties that use computerized vote counting and reporting.

Under the directive issued by the Secretary, Myra A. McDaniel, the
computer-generated printed log of the vote tabulation must record all
operator commands and the "inputs," and the log may not be turned off at any
time.

The Attorney General of Texas, Jim Mattox, is investigating charges of vote
fraud arising from last year's mayoral election in Dallas.  No findings have
yet been issued in the inquiry, for which the state has hired Arthur
Andersen & Company, the accounting and consulting concern.

According to Karen Gladney, Director of Elections in the Secretary of
State's office, no significant changes in local vote-counting procedures are
expected because of the directive.

"Basically what we've done is ask counties if they do not already have them
in place, to make sure these procedures are in place," she said, adding that
state inspectors will be dispatched, as usual, to a number of counties
throughout the state.

She said that while the Secretary was aware of the Dallas inquiry, the order
was not issued as a direct result of it.

In Dallas, Bruce Sherbet, elections coordinator for Dallas County, said the
county already practiced "99 percent" of the precautions.
But he said there would be a few changes at local precincts, where
additional signatures from election judges and clerks would be required to
validate computer tapes holding vote counts.

In Houston, where, unlike Dallas, ballots are tallied at a central station,
officials said there would be no difference.  "There is nothing in the
directive that we don't do all the time," said Anita Rodeheaver, a voting
official in Harris County.

In Texas counties using electronic tally systems, people vote either by
punching holes in a card that is read by a machine or by marking boxes that
are read by optical scanning.

Among the other security procedures ordered, computer terminals outside the
central counting station are to be permitted only to make inquiries, and the
county clerk or election administrator must produce at least three
cumulative reports in the course of tabulation and prepare a report on the
number of ballots cast in each precinct.

As a final measure, the Secretary of State said she had the authority to
order a manual count of the original paper ballots to verify the accuracy of
electronic counts.

------------------------------

Date: Thu, 13 Nov 86 09:34:23 CST
From: Alan Wexelblat
To: risks@csl.sri.com
Subject: Problems with HNN

Last night, at around 6:40PM CST, the Headline News Network (HNN) signal was
disrupted for about 10 minutes.  The picture that replaced it was too
distorted to see but the audio was fairly clear.  It was an advertisement
for satellite-signal de-scramblers.

Does anyone have any info on why/how this happened?  Did someone
deliberately spoof the HNN signal?  Or was it just an accidental foulup?

Alan Wexelblat
UUCP: {seismo, harvard, gatech, pyramid, &c.}!ut-sally!im4u!milano!wex

------------------------------

Date: Thu, 13 Nov 86 09:09 EST
From: Mandel@BCO-MULTICS.ARPA
Subject: Post-hacker-era computer crime
To: RISKS@BCO-MULTICS.ARPA

   Predicting Future Trends in Computer Crime: The Post-Hacker Era
   Dr.
   Sandy Sherizen
   President, Data Security Systems, Inc.
   Wednesday, November 19, 1986, 7:30 PM at MIT (see below)

Abstract:

This talk is based on a paper that examines computer crime patterns and
suggests the factors which will lead to increasingly sophisticated computer
crimes and criminals in the future.  There are several recent aspects of
computer crime which indicate that computer crime has turned a corner,
dramatically changing from earlier and possibly less serious versions.  As
we enter what can be called the post-hacker era of computer crime, we need a
social road map which will guide us in preparing information security
measures and computer crime laws.  The information in the paper/talk is from
a series that Sherizen is preparing on criminological models of computer
crime.

Dr. Sherizen, a criminologist, consults with corporations, banks, and
governments on computer crime prevention.  He specializes in information
security, providing executives with a translation of complex technical
requirements into managerially relevant policies and controls.  Author of
"How to Protect Your Computer" and numerous articles, he has written reports
for the U.S. Congress' Office of Technology Assessment and conducted
seminars around the U.S. and Asia.

(Sponsored by Computer Professionals for Social Responsibility)

CPSR/Boston meets on the third Wednesday of each month, at 545 Technology
Square, in the lounge on the 8th floor.  545 Tech Square is located at the
corner of Main and Vassar Streets in Cambridge, near the Kendall Square stop
on the red line.  Meetings are free and open to the public, and free parking
is available.  For more information, contact CPSR/Boston at P.O. Box 962,
Cambridge, MA, 02142, or call (617) 666-2777.

------------------------------

Date: Wed, 12 Nov 86 09:50 EST
From: "Maj. Doug Hardie"
To: risks@CSL.SRI.COM
Subject: They almost got me! [A motor-vehicle database saga] (Mark Hittinger)

I had a similar situation in college many years ago.
However, the associated risks were much different.  The school had a honors
program in humanities that replaced all the undergraduate general
requirements with one two-year course.  Competition to get in the program
was stiff.  As I remember the requirements, you had to have all A's in
English etc., plus outstanding scores on the entrance exams.  Only 1 percent
or so of each new class was selected for this program.  It was a real honor
and a big deal was made at our high school graduation for those who were
accepted.

I graduated from high school with 2 D's in English and never expected to be
considered for this program.  However, the day after graduation, I received
an invitation which I accepted immediately.  It was a great program.

However, 4 or so years later, I was running the school's computer center.
The admissions people asked me to rewrite their program which selected new
students for the humanities program.  Since they paid real money, I took the
job.  The original program was written in machine language, not assembler
language.  It had one instruction per card in numeric form.  That was a
common approach in the school.  Since the program was unintelligible, they
provided the old algorithm and the new.  It took a few hours to get the new
program working.  Basically, each student had a card which contained the
necessary information.  All that had to be done was to compare the various
values on the card with the criteria and select only those that met the
criteria.

The admissions people provided a deck that had been run earlier so it was
simple to test the new program by running it and comparing the outputs.
After doing that, we found the new program selected one less person than the
old.  After extensive analysis, we discovered that the extra should never
have been selected in the first place.  That caused some consternation in
the school as it meant that someone who was not qualified had taken a
valuable slot in the program.
So the immediate question was how many times could this have occurred?  The
analysis indicated that there was only one possible way to be selected
improperly and it required a specific set of values for some 20 different
items (including 2 D's in English).  That set off a bell, and I went back to
my hysterical records and found my copy of my card from years earlier.
There were at least two who made it through that filter.

-- Doug

------------------------------

Date: Wed, 12 Nov 86 14:16:08 EST
From: "Col. G. L. Sicherman"
Subject: Re: information replacing knowledge
To: risks@csl.sri.com

I sympathize with Daniel G. Rabe's argument about communication:

> As I see it, one
> of the greatest risks of widespread computing is that we'll all stop
> learning.  We've got spelling checkers, so why bother learning to
> spell?  We've got calculators and home computers, so why bother learning
> any math?  We've got electronic mail and conferencing, so why bother
> to learn or practice the art of public speaking?

But I doubt that the millions of otherwise intelligent people who cannot
spell right will agree with this characterization of learning!  Indeed, all
his examples belong to specific media of communication.

"Standard" spelling did not exist in Shakespeare's day; words were spelled
out ad hoc.  The pressure to spell each word in just one way came from
printing, when people discovered that they could read faster than they could
listen.  Standard spelling is invaluable for the efficiency of reading
print.

The flip side is that standard spelling is _not_ invaluable for electronic
communication, because efficiency no longer matters--it's a measure left
over from the machine age.  Efficient absorption is important only in
one-way, bulk media like print.  Electronic communication is interactive.
Similar arguments about the nature of mathematics turn up now and then in
journals like _Mathematics Magazine._  Modern mathematics is designed for
the page; its methods don't allow for a Ramanujan.

As for public speaking, print killed it long ago!  Listen to any political
debate and you'll know what I mean.  Oratory is just a toy these days.

All technological progress alters us.  "Why learn to walk great distances
when we have trains?  Why learn beautiful handwriting when we have
typewriters?  Why learn to use tinder and flint when we have matches?"  And
of course the ancient "Why learn to remember everything we hear when we have
paper, ink, and alphabet?"  Just remember:

  1. You don't have to go along with it.  Dijkstra is said to write
     his books with pen and ink.  [Knuth too!]

  2. If you don't like how progress alters people, you can associate
     with resisters like yourself--if you can find them.  For example,
     people who believe that the prevalence of clothing weakens the
     body's natural defenses tend to congregate.

  3. Let others choose for themselves; don't moralize about it.

I for one intend to go on using spelling checkers, e-mail, and clothes.

     [I rejected a bunch of other messages on this topic, as we begin to get
      into second-order points and some repetition.  Thanks, anyway.  PGN]

------------------------------

End of RISKS-FORUM Digest
************************
-------