RISKS-LIST: RISKS-FORUM Digest  Wednesday, 6 January 1988  Volume 6 : Issue 4

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  PCs die of New Year Cerebration (Scot E. Wilcoxon)
  More on Missouri Voting Decision (Charles Youman)
  Market for prankster programs? (Geoff Goodfellow)
  Ham radio operators and cancer (Mark Fulk, Steve Philipson)
  Getting into ATM rooms (Mark A. R.)
  Re: Knowing Source Code is not Sufficient (Michael Wagner)
  Trust and quoting and write-only hard disks (Michael Wagner)

  [** A mess of marginally moderatable messages on mothers' maiden names
  makes my mal-de-mere miserable.  Sorry to those nonincluded contributors.  PGN **]

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
> > > > > > > > > PLEASE GIVE SUBJECT IN subject: LINE. < < < < < < < < <
For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j.
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Tue, 5 Jan 88 23:35:36 CST
Subject: PCs die of New Year Cerebration
From: sewilco@datapg.mn.org (Scot E. Wilcoxon)

One of my clients has just reported to me that a certain brand of
PC-compatibles which they sold in 1984 suddenly stopped working when 1988 was
reached.  They were flooded with calls on Monday and the manufacturer of the
equipment also got many reports then.

If your PC-compatible suddenly stopped working on New Year's Day and the first
letter of its name is "S", you may want your dealer to check for this unlikely
problem.

Scot E. Wilcoxon   sewilco@DataPg.MN.ORG   ihnp4!meccts!datapg!sewilco
Data Progress      C and UNIX consulting   +1 612-825-2607

------------------------------

Subject: More on Missouri Voting Decision
Date: Wed, 06 Jan 88 09:52:53 EST
From: Charles Youman (youman@mitre.arpa)
Organization: The MITRE Corp., Washington, D.C.

Thanks to my mother-in-law and the USPS, I now have the article I mentioned in
RISKS 5.84.  The article is from the December 24, 1987 edition of the St. Louis
Post-Dispatch.  The page 1 article is titled "Decision Threatens Punch-Card
Elections" and is quoted without permission.

"If a federal judge's order this week is upheld, it could eliminate the
punch-card voting system, throw elections here [i.e., in Missouri] into chaos
and cost taxpayers millions of dollars, election officials said Wednesday.

But civil-rights groups hailed the decision as a landmark that they say will
increase the participation of blacks in elections.

U.S. District Judge William L. Hungate ordered Tuesday that the St. Louis
Election Board 'take appropriate steps' for a manual count of ballots that are
cast but uncounted by the city's automatic tabulating equipment due to such
problems as double voting in one category and not pushing the pin all the way
through the ballot.

Representatives of the Election Board criticized Hungate's ruling and said they
expected it to be overturned on appeal...

Garvin [an attorney for the board] said the board might ask the 8th U.S.
Circuit Court of Appeals to postpone the effect of Hungate's order until after
the Missouri presidential primary March 8.

The punch-card voting system is used throughout Missouri.  But Garvin said he
thought no other jurisdiction would follow Hungate's ruling unless it was
affirmed on appeal...

In the judge's order, he said it was not the punch-card voting system but the
board's actions that violated federal voting laws.  But election officials said
the ruling could have the same effect...

Punch-card voting accounted for 70 percent of the votes in the last presidential
election in Missouri.

Hungate gave his order in a suit filed by Michael V. Roberts, an unsuccessful
candidate in the primary March 3 for the president of the St. Louis Board of
Aldermen.  Roberts, who is black, lost by 171 votes to Thomas A. Villa, who is
white.

Roberts claimed the punch-card voting system discriminated against blacks
because most of the votes cast but not counted by the Election Board's
computers came from wards where most of the voters are black.

In his order Tuesday, Hungate said the board's failure to review by hand
ballots left uncounted by the machines violated the federal Voting Rights Act
and resulted in the disenfranchisement of voters.

Garvin said that in most elections, a large number of voters do not vote on
every ballot issue.  He said that while the board's computers could be
programmed to identify ballots for which no votes register on some issues, the
number would be so great that it would make the punch-card system unworkable.
. . .

Kenneth Warren, a political science professor at St. Louis University, called
Hungate's ruling 'devastating for the punch-card voting system; in effect, it
is doing away with the system.' . . . Warren [who testified for the board at
the trial] said about 60 percent of voters in the United States used the
punch-card system. . . .

Miriam Raskin, the assistant executive director of the American Civil
Liberties Union of Eastern Missouri, said she was thrilled by the decision.
The ACLU had entered the case on behalf of Roberts."

Charles Youman (youman@mitre.arpa)

------------------------------

Date: 6 Jan 1988 09:45-PST
Subject: Market for prankster programs?
From: the terminal of Geoff Goodfellow

Snippet on a software developer who wants to prove there is a market for
computer prank hacks, from PC Week, 22/29 Dec 1987, Pg 28:

"Weirdware, a division of Mainland Machine, a software developer in San Luis
Obispo, Calif., markets for $19.95 a practical joke generator it calls PC
Prankster.  The software includes 10 pranks that the owner can play on
unsuspecting friends or prospective enemies.

"The pranks weren't designed to be malicious or destructive, said John Ames, a
software engineer at Mainland Machine.  First, the jokester has to store one of
the prank files on the intended victim's hard disk or boot disk.  Once that's
done, the perpetrator can set the joke to go into action after a certain number
of keystrokes right in the middle of whatever program the victim is running at
the time.

"In one joke, the figure of a huge one-eyed monster appears on the screen,
blinks and disappears, allowing the program to resume operation unaltered.
Other pranks briefly scramble the PC character set, or make the monitor screen
appear to be cracking."

------------------------------

Date: Wed, 6 Jan 88 10:33:34 EST
From: fulk@cs.rochester.edu
Subject: Ham radio operators and cancer

One must ask whether Milham controlled for the age of his subjects; amateur
radio is very popular among retired persons and advanced age is one of the
major risk factors for all kinds of cancer (rates go up roughly as the 4th
power of age, if I recall correctly).  Amateur radio operators are also fairly
likely to build some of their own equipment; in the process they are exposed to
the fumes of over-heated solder flux (I remember a considerable burning
sensation in my nose when using rosin-core solder) and are exposed to
considerable levels of lead.  Finally, it seems to me that hams smoke a lot (a
study would be required to really know); and the effects would be worsened by a
tendency to spend a lot of time in a small room huddled over a Morse code key.

With respect to power lines: I think that high-voltage long-distance power
lines were probably what was meant.  I went to high school and college in North
Carolina (location of one of the studies); it seems to me that such power lines
indeed seemed to cluster near other sorts of cancer-causing facilities.  For
example, they frequently ran near highways (I-40 from Statesville to Morganton
had power lines along its whole length).  Furthermore, they (of course) ran
mostly through rural areas; people living near them were likely to be engaged
in agriculture, meaning the use of pesticides, meaning that they were exposed
to a high and well-documented risk of various sorts of cancer.  In North
Carolina, in particular, they would likely be growing tobacco!

This is not to say that non-ionizing radiation cannot contribute to cancer
rates, although, based on my current (lay) understanding of the mechanisms of
cancer induction, I am inclined to doubt that the effect could be strong.  Nor
do I wish to cast doubt on the meaningfulness of all such studies: one can
never control all the variables, and thus can never prove anything beyond all
doubt; however, one must certainly control those variables which have been
established to have significant effects on one's independent variable (cancer
risk in this case).

ex-WB4FLO
Mark Fulk

------------------------------

Date: Wed, 6 Jan 88 11:32:45 PST
From: Steve Philipson
Subject: Shielding (Re: RISKS-6.3)

  From: flatline!erict@uunet.UU.NET (eric townsend)
  Date: 4 Jan 88 03:37:47 GMT

  > 3. I realise that ham radio gear is not always shielded properly, etc,
  > but how safe are we hackers from the stuff our 'puters put out? ...

Ham radio gear is usually very well shielded.  The equipment itself may not be
the problem.  Operators are frequently in close proximity to the transmitting
antennae, and thus can be on the receiving end of a large amount of radiated
energy.

I observed this phenomenon first hand in 1973 after I had installed a new beam
antenna on the roof of my house.  With the antenna pointed in my direction,
full power output would cause both fluorescent and incandescent bulbs in the
room to light up.  (Some specifics: appx. 800 watts output into a 9 dB gain
beam located about 20 feet higher and 30 feet away from my location.)  I found
the effect quite disconcerting and avoided high transmission power levels in my
direction.

This may seem an unusually high level of exposure, but it is far more common
than most people realize.  What is important is not total power but power
density.  Hand held portable radios are widely used now, in public service and
private operations alike.  Typically, these radios use "rubber duck" antennae
that are mounted to the top of the unit, only inches from the eyes.  At this
distance, power densities are quite high, even with power output levels below 5
watts.  Some reports have pointed to increased risk of glaucoma from use of
these radios.

As far as home computers go, the risk is probably very small.  About two years
ago both the SIGGRAPH and SIGCHI groups of ACM ran technical sessions in their
national conferences on the human factors / risks involved in using computer
displays.  For reasonably modern equipment, the emitted radiation levels were
typically less than background levels.  As an example, broadcast radio stations
several miles away showed up in spectrum analysis at power density levels much
higher than CRTs at the screen surface.  More significant risks from the use of
computer systems included back pain from poor ergonomic design of workstations,
and skin irritations.  The latter occur as CRTs tend to precipitate out airborne
particulates due to static charge on the screen.  People will touch the screen
and spread such material on their skin.  The "high tech" solution for this
problem was to clean the screens daily.

The terminal screen I'm using right now looks somewhat dusty -- time to get out
the anti-static screen cleaner!

Steve Philipson   steve@ames-aurora.arpa   WB2EUZ/6

------------------------------

From: mar@ATHENA.MIT.EDU
Date: Tue, 5 Jan 88 16:16:44 EST
Subject: getting into ATM rooms -- Play-Safe: it could save your life

Many ATMs are in small rooms which you enter by putting your bank card into a
card reader.  I had been wondering how it knew to let you in, since cards from
out-of-town banks work, and there's no noticeable pause for it to look up your
institution to see if you should have access.  Yesterday I tried an experiment,
and discovered that my AT&T calling card, and even a rapid transit pass would
open the door.  I think their algorithm is "if there are bits on the card,
unlock the door".

What's the interest to RISKS (besides sharing more ATM trivia, which flourishes
here)?  The reverence people hold for technology.  The magnetic stripe and card
reader imply a computer, so people think that they have controlled access.
Most people would never think to question it, and don't know what shortcuts are
taken.  The mistake will come when someone wants to use one of those
cardreaders to control access to a room where the security really does matter.

-Mark

------------------------------

Date: 06 Jan 88 12:30:46
From: Michael Wagner
Subject: Re: Knowing Source Code is not Sufficient

In Risks 6.3, William Smith wrote:

> > IF YOU CAN'T READ IT, DON'T RUN IT
>
> Unfortunately, this is not sufficient if the vendor of your
> software is not trustworthy.

We seem to be trying to solve several different problems here, and that may be
part of the confusion.  Having the source to a piece of public domain software
might help you find out what it's going to do to you.  At least it's better
than a kick in the pants.  You generally have little other recourse in the case
of a piece of software the originator won't support.

On the other hand, untrustworthy vendors have entered into a contract with you,
and the fact that they (or one of their employees) injected a virus into the
program they sold you is quite a different matter.

> When you buy a tool such as an automobile, you do not ask to see all
> of the engineering drawings and analyses to decide that the car is
> safe.  An amount of trust is necessary when using any technology.

But surely not blind trust.  There are whole organizations set up to judge cars
on their abilities to perform according to specification, and the informed
buyer is always able to read those reports and make the appropriate judgement.
Since testing isn't always enough, there is also a legal mechanism to sue in
cases where the product fails to perform.

It seems no one cares enough yet to test software thoroughly (not even
mass-market stuff).  Not sure why.

Michael

------------------------------

Date: 06 Jan 88 11:41:03
Subject: Trust and quoting and write-only hard disks.
From: Michael Wagner

Since we are talking about trusting code (and implicitly, other people), how
trusting are we about documents we get from elsewhere?

In Risks 6.2, "guthery%asc@sdr.slb.com" wrote:

> As a little bit of reflection ... will show, there is no
> protection in trying programs out with write-only harddisks or
> with privileges turned off.

When I first saw this, I wondered what good a write-only hard disk would be in
this application (or in any other, for that matter).  I had to read on a bit,
and then backtrack, to guess that this probably should have been a read-only
hard disk.

Seemingly, no one else wondered about this, because the line was quoted two
times in the next issue of Risks, without any signal (the usual one is to write
'sic' in parentheses after the word) that this may be an error in the original.

If you think this is quibbling, then you must answer the question: how well can
you proof-read a piece of source code for subtleties?  Consider: the original
author missed it, the moderator missed it, and at least those two who quoted it
(and can therefore be assumed to have spent some time considering the quote) in
Risks 6.2 missed it.  Each read what they wanted to read there, and not what
really was there.  Exactly how I would disguise a Trojan horse in a source (a
horse in a source?  A horse, of course.  Sounds like Dr. Seuss!) were I to so
desire.

Michael

------------------------------

End of RISKS-FORUM Digest
************************
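Mark's ATM-room post above infers the door's rule as "if there are bits on the card, unlock the door". The following is an added example, not code from his post or from any bank or reader vendor: it puts that weak rule beside the kind of check a reader would need before being reused, as he warns, on a room where security really matters. The one real assumption is the ISO/IEC 7813 track-2 layout (`;PAN=YYMM<service code><discretionary>?`); the accepted-issuer prefixes, the sample stripes (the usual 4111... and 6011... test PANs, not real accounts) and the cut-off date are constructed, and the names `weak_policy`, `strict_policy` and `audit` are mine.

```python
"""Card-operated door: the 'any bits on the stripe' rule beside a stricter one.
Added example; not from the RISKS post or from any bank or reader vendor.
ISO/IEC 7813 track-2 layout is the one real assumption; the issuer list,
sample stripes and cut-off date below are constructed."""

import re
from datetime import date

# Constructed (hypothetical) issuer prefixes the door is meant to admit.
ACCEPTED_IIN_PREFIXES = ("411111", "522222")

# Constructed "today" so the expiry check is reproducible.
CUTOFF = date(2024, 1, 6)

# ISO/IEC 7813 track 2:  ;PAN=YYMM<3-digit service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit carried by payment-card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def weak_policy(stripe: str) -> bool:
    """The rule Mark inferred: the reader got some bits, so open the door."""
    return len(stripe) > 0


def strict_policy(stripe: str, today: date) -> tuple:
    """Admit only a well-formed, in-date track 2 from an accepted issuer.
    Returns (decision, reason) so the reason can be logged at the door."""
    m = TRACK2_RE.match(stripe)
    if m is None:
        return False, "not track-2 format"
    pan = m["pan"]
    if not luhn_ok(pan):
        return False, "bad check digit"
    if not pan.startswith(ACCEPTED_IIN_PREFIXES):
        return False, "issuer not accepted"
    yy, mm = int(m["yy"]), int(m["mm"])
    if not 1 <= mm <= 12:
        return False, "bad expiry"
    # Assumes a 20xx century; a card is valid through the end of its month.
    if (2000 + yy, mm) < (today.year, today.month):
        return False, "expired"
    return True, "ok"


# Constructed stripes.  The last two stand in for the non-bank cards Mark tried;
# their layouts are made up, not copied from any real calling card or pass.
SAMPLE_STRIPES = {
    "bank card":       ";4111111111111111=2512101123456?",
    "other issuer":    ";6011000000000004=2512101?",
    "expired card":    ";4111111111111111=2001101?",
    "bad check digit": ";4111111111111112=2512101?",
    "calling card":    ";8901234567890=1234?",     # wrong field widths
    "transit pass":    "TRANSIT-0042-ZONE-3",
}


def audit(stripes: dict, today: date) -> dict:
    """Run both policies over each stripe: {label: (weak_opens, strict_reason)}."""
    return {label: (weak_policy(s), strict_policy(s, today)[1])
            for label, s in stripes.items()}


if __name__ == "__main__":
    for label, (weak, reason) in audit(SAMPLE_STRIPES, CUTOFF).items():
        print(f"{label:16} weak={'open' if weak else 'shut':4}  strict={reason}")
```

Running the audit opens the door for every sample under the weak rule and for exactly one under the strict one. Note what the stricter reader still does not do: it verifies that a card is well formed, in date and from an issuer on the list, not that the person holding it is entitled to be in the room; and logging the rejection reason is what would let an operator notice the transit passes being tried at the door.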