RISKS-LIST: RISKS-FORUM Digest  Wednesday 23 November 1988  Volume 7 : Issue 82

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Troubles with automatic vote counting in Toronto (Mark Brader)
  Risks of remote registration (anonymous)
  The risks of using CACM inserts (Eric Hughes)
  Computer Breakin article [San Antonio] (Maj. Doug Hardie)
  Ethics and Software (Brian Kahin via Ezra Zubrow and Bruce O'Neel)
  Teaching Children Ethics (Homer W. Smith)
  Re: toll road speed checking (Brent Laminack)
  Privacy vs UK vehicle-identification systems (Andrew Klossner)
  RightTouch service (Scott C. Crumpton)
  Cordless Telephones (Walker)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Tue, 22 Nov 88 15:00:59 EST
From: Mark Brader
Subject: Troubles with automatic vote counting in Toronto

[Background: In Canada, voting in all levels of election has been done by the voter pencilling an X on a paper ballot, which is then counted by hand. Municipal elections are normally the only ones where multiple offices are voted on at once, with several X's on the ballot. In Ontario, all municipal elections are synchronized and they were held last week. For the first time, the elections in Toronto used an automatic technique. The voter had to blacken a circle to vote for a candidate; obviously optical mark recognition.]
Toronto Star, November 22, 1983:

Toronto is going to make doubly sure that a recount of last Monday's municipal election ballots is correct.

At an emergency meeting of the outgoing city council yesterday, politicians ordered staff to recount all 142,107 ballots by hand as well as by automatic voting machine -- an arduous task that could take several days.

Although provincial law only recognizes the machine count, councillors said the unofficial manual recount will [!] help to restore confidence in the city's new $1.6 million automated system.

The recount was recommended by City Clerk Roy Henderson last week after his staff discovered that a record 1,408 ballots were rejected by the city's new automated voting machines.

The machines are programmed to reject spoiled ballots, but Henderson says he finds "it hard to believe that there were 1,408 spoiled ballots".

Because the rejected ballots were not singled out when they were initially fed through the machines [sigh!] on Monday, a recount is needed to find the rejected ballots and examine them, he told council.

Henderson said he believes that the high number of rejected or "unread" ballots was not the fault of the machines, but due to a cutting error on the ballots.

Staff ran some ballots through the machine as a test last week and found that some ballots were not cut properly, but correctly filled out, were rejected, he told council.

"Any variance of 25 thousandths of an inch would cause the machine to reject a ballot", he said, quoting information from the Business Records Corporation, the American company that supplies the city's voting machines and ballots.

The only race in Toronto that could be affected and which wasn't already so close that recounts had already been called is the contest for public school board trustee in Wards 9 and 10. Sandra Bussin beat Anne Ferguson by 217 votes, but the number of "unread" ballots in those wards was 238. ...
Some aldermen questioned why the city should do a full recount of all the wards if the outcome of the election won't be changed and staff already know what caused the error.

"The electorate has to be confident that the vote tabulation machines do the job they are supposed to do", city solicitor Dennis Perlin replied.

[There were no such reports of problems from other municipalities in Metropolitan Toronto which also used the voting machines.]

Mark Brader, Toronto    utzoo!sq!msb, msb@sq.com

------------------------------

Date: Mon, 21 Nov 88 21:44:24 PST
From:
Subject: Risks of remote registration

"Touchtone registration" is what many universities are going to, including the one I work for. This allows students to register, drop, and add classes from the comfort of any available touchtone phone. (There are some on campus for students that don't have access to one normally.) Unlike the previous early registration system, it allows students to choose their own alternatives when classes are filled or are not allowed. (class full, conflicting times, not authorized, etc.)

What worries me is the choice of 9 digit student ID (one will be assigned in the 900 range for students not supplying their SSN) and 6 digit access code (the student's birthday). With this information about any student, it is possible to rearrange their schedule. (Confirmation of the change is sent in the mail, assuming that your address is up to date.)

Pranks (register someone for "human sexuality") and dropping someone from a full class so you can get in are possible abuses, as is changing your mind about a schedule rearrangement then complaining that you didn't do it.

[Supposedly, ethically minded students would not entertain such pranks? But, historically, pranks abound among college kids. On the other hand, designing a system to prevent such malicious misuse is not easy. Note that audit trails would not help much, because the record will say that the victim was the person who authorized the change!
A written notification might help, with some period allowed for appeals that it was not legitimate, but that too could be abused intentionally -- e.g., to give you a deferred option... PGN]

------------------------------

Date: Wed, 23 Nov 88 13:56 EST
From: "Maj. Doug Hardie"
Subject: Computer Breakin article

The following is taken from Intercom, Vol 28, No 24, Nov, 11, 1988, an Air Force Communications Command newsletter:

Computer break-in
By Special Agent Mike Forche, AFOSI computer crime investigator

A computer hacker penetrated an Air Force Sperry 1160 computer system in the San Antonio, Texas, area. The hacker was discovered by alert Air Force Communications Command computer operators who notified the data base administrator that an unauthorized user was in the system. The data base administrator was able to identify the terminal, password, and USERID (system level) used by the hacker.

The data base administrator quickly disabled the USERID/password (which belonged to a computer system monitor). The data base administrator then observed the hacker trying to get into the system using the old USERID/password. He watched as the hacker successfully gained entry into the system using another unauthorized USERID/password (which was also a system administrator level password).

The hacker was an authorized common user in the computer system; however, he obtained system administrator access level to the government computer on both occasions.

Review of the audit trail showed that the hacker had successfully gained unauthorized access to the computer every day during the two weeks the audit was run. In addition, the hacker got unauthorized access to a pay file and instructed the computer floor operator to load a specific magnetic tape (pay tape).
The hacker was investigated by Air Force Office of Special Investigation computer crime investigators for violation of federal crimes (Title 18 US Codes 1030 computer fraud, and 641 wrongful conversion of government property), Texas state crimes (Title 7, Section 33.02 Texas computer crime wrongful access) and military crimes (obtaining services under false pretense, Uniform Code of Military Justice, Article 134).

The computer crime investigators made the following observations:

- USERIDs used by the hacker were the same ones he used at his last base when he had authorized system access in his job. The use of acronyms and abbreviations of job titles will hardly fool anyone; plus the use of standard USERID base to base is dangerous.

- The passwords the hacker used were the first names of the monitors who owned the USERIDs. The use of names, phone numbers, and other common easily-guessed items have time and time again been beaten by even the unsophisticated hackers.

------------------------------

Date: Tue, 22 Nov 88 22:05:29 PST
From: hughes%math.Berkeley.EDU@cartan.berkeley.edu
Subject: The risks of using CACM inserts

In the November 1988 issue of CACM, at page A-17 there is a tear-out postcard for ordering ACM Press book. On the back of the postcard there is a blank for one's credit card number and expiration date. Yes, on a postcard.
Eric Hughes    hughes@math.berkeley.edu    ucbvax!math!hughes

------------------------------

Date: Mon, 21 Nov 88 16:46:00 EST
Sender: General Anthropology Bulletin Board
From: Ezra Zubrow
Subject: ETHICS AND SOFTWARE
Forwarded-By: BRUCE O'NEEL

From: IN%"KAHIN@hulaw1.HARVARD.EDU" "Brian Kahin 617-864-6606" 18-NOV-1988 17:53
Return-path: info-law-request@sem.brl.MIL
Date: Tue, 15 Nov 88 16:36 EST
From: Brian Kahin 617-864-6606
Subject: EDUCOM white paper

Readers of this list may be interested in the white paper, "Property and Propriety in the Digital Environment: Towards an Examination Copy License," just published by the EDUCOM Software Initiative. The paper, which I prepared for ESI, proposes two model licenses to encourage faculty evaluation of software programs while maintaining respect for the rights of copyright owners.

The first model license is for "circulating evaluation copies" -- i.e. copies which can be circulated by libraries or other campus facilities. It is targeted to commercial publishers of tools and courseware.

The second model license is for "distributable evaluation copies" -- copies which may be downloaded or duplicated subject to certain conditions. In effect, it proposes a standard for "academic shareware" that is more rigorous than conventional shareware licenses. It addresses the differences among shareware licenses by offering a kind of lowest common denominator. It is hoped that the model license -- and the kind of user environment that the EDUCOM Software Initiative is trying to foster -- will encourage academic authors to disseminate evaluation versions of their software over the academic networks.

The white paper will appear in the next issue of the EDUCOM Bulletin. A specially published version is available on request from the EDUCOM Software Initiative:

EDUCOM Software Initiative, PO Box 364, Princeton, NJ 08540
609-520-3340
BITNET: esi@educom

------------------------------

Date: Mon, 21 Nov 88 23:05:40 EST
From: "Homer W. Smith"
Subject: Teaching Children Ethics

There is much apathy about teaching ethics to our children. Some have suggested this is because the ethics that is being taught is really only in the self interest of the teacher at the expense of the child. 'It is your DUTY to die for your country whenever the government calls', etc.

Others have suggested it is because religions of various sort have given it a bad name by making ethics some sort of absolute code of behavior independent of any external circumstances. If you are married and there is an atomic war and you and someone else who is NOT your wife are the only two people left alive, is it immoral to have sex with them to restart the human race even if there is no preacher to marry you?

Maybe there is something to be said for these ideas that years of misuse of teaching ethics for ulterior motives has given it a bad taste in everyone's mouth, but it seems to me that there is still a way to revitalize the subject as long as we leave the religious fanatics and the parents telling their kids it's unethical to talk back out of the picture.

One of the most effective ways of teaching new drivers to slow down and drive carefully is to show them movies of mangled corpses from accidents. Sometimes movies are not enough. After having seen a few real cars that had been wrapped around a telephone pole, I got a message through to my brain about something or other that I will never forget. Cars are fragile and should be driven with care.

Maybe by indoctrinating kids with the RESULTS of unethical behavior in its goriest details and letting THEM decide and vote on how it came about and what was unethical and how to avoid it, we will form young adults who are capable of determining ethics for themselves from the data of the consequences. Show them the consequences and let them figure it out, rather than tell them the answer (what is and is not ethical) and hope they never have to see the consequences.
How many kids develop sexual tragedies (pregnancy, disease etc.) because their well meaning (?!) parents never talked to them about sex for fear they would HAVE sex if they knew about it. Are we not ALL suffering from this kind of mentality in America today?

Christ, kids don't WANT to hurt. Don't you think we can solve the teaching problem just as we have solved so many others?

Some would tell you that people are basically bad, certainly seems this way sometimes. Maybe people look into their own hearts and they see THEY are basically bad so they teach that others are also. But maybe this is all wrong. Maybe people are basically GOOD. Even bad people. Maybe something went wrong. Maybe it is up to us to figure it out and do it right.

The solution to apathy is to realize that there IS a problem, and there IS an answer, and WE WILL find it. You just keep going until you do. The only other answer is to lock everyone up at birth.

Homer W. Smith
Senior Programmer
Hubbard Fractal Research Facility
Cornell National Supercomputer Facility

------------------------------

Date: 22 Nov 88 14:05:48 GMT
From: brent@itm.UUCP (Brent)
Subject: Re: toll road speed checking

Pennsylvania has been using entry-exit tolls on the Penn Turnpike for a good many years now. One of the main problems they ran into when they first cut over about a decade ago hasn't been mentioned here yet: Unsynchronized clocks. That's right. There was no "master clock" for all the toll booths. The problems are obvious. On short trips you found yourself exiting *before* you got on (does this mean they pay YOU a toll?) or on medium-length trips, it was common to average somewhere over 400 miles per hour between two certain booths. This was during the era of mechanical clocks, but such problems could easily carry over to the electronic age.
brent laminack (gatech!itm!brent), In Touch Ministries, Atlanta, GA

------------------------------

Date: 22 Nov 88 16:46:36 GMT
From: Andrew Klossner
Subject: Privacy vs UK vehicle-identification systems

"Why not make use of such a system voluntary? ... The principle seems to me to be that if you are potentially diminishing someone's privacy, they should have a choice about it, and the costs and benefits should be made clear."

In the proposed scheme, people who desire privacy must single themselves out by entering the queue of those who want privacy. This alone diminishes their privacy.

It's similar to a (fanciful) scheme in which voters can choose the "express, no privacy" line, where others can see their choices, or can select a standard voting booth. Those who choose to vote in privacy may be stigmatized as those who have "something to hide."

Andrew Klossner, Tektronix, Wilsonville, Oregon (uunet!tektronix!hammer!frip!andrew) [UUCP]

------------------------------

Date: Wed, 23 Nov 1988 09:12:05 LCL
From: NESCC@NERVM.NERDC.UFL.EDU (Scott C. Crumpton)
Subject: RightTouch service

The following blurb along with a flyer appeared in my phone bill yesterday (Upper/lower case added by me):

Suspend, restore and disconnect with RightTouch(SM) service

You can suspend, restore or disconnect your Florida home telephone service at your convenience with Southern Bell's RightTouch service. You can use RightTouch service 24 hours a day, seven days a week by dialing 1 800 826-6290 from a touch-tone telephone. There is no additional charge for using the service, although the normal charge for restoring your phone service still applies.

To access RightTouch service, you will need the personal access code (PAC) shown below. This code has been assigned to your telephone number and should be protected as you would a credit card.
***Personal access code xxxx***

Once you dial the RightTouch service number, easy-to-follow verbal instructions will guide you through the ordering processing to suspend, restore or disconnect your phone service.

Yet another 'service' I can do without, but there's a positive side to this one. It's currently possible to initiate some types of phone company service orders via a simple verbal phone call. No significant attempt is made to identify that the caller is who they claim to be. If RightTouch eventually *replaces* that process then it may actually be an improvement. It depends on how well it handles repeated invalid password attempts.

---Scott.

------------------------------

Date: Mon Nov 21 14:28:06 1988
From: walker@ficc.UUCP
Subject: Cordless Telephones

Last week I purchased and installed a cordless telephone. It is marketed as the "Freedom Phone" by Southwestern Bell (the local AT&T spinoff).

After one phone conversation, I noticed that, for a very brief interval, I could hear what sounded like another conversation. I've experienced cross-talk on long-distance calls, but this was a local call. Anyway, I suspected that I was hearing another cordless telephone. To verify this, I unplugged the base unit (to kill its carrier signal), and, by golly, I could hear *both ends* of one of my neighbor's phone conversations (I recognized my neighbor's voice!)

I checked the manual to see what to do about this - after all, if I can hear my neighbor, couldn't he hear me? The "Freedom Phone" transceiver uses any one of 10 channels in the 46-49 MHz range, selectable by an internal rotary switch. Well, I switched the handset to each of the 10 possible channels, and could hear conversations on EVERY CHANNEL!

The unit has a 9-bit "security" DIP-switch, but this seems to only prevent another handset on the same frequency from accessing my base unit. The unit advertises a range of 1000 ft., and I'm sure that range is for usable access of the base unit.
Actual audible signal range appears to be MUCH farther. When actually using the phone properly, with the handset in close proximity to the base unit, the relative signal strength of the units is much stronger than a neighbor's more distant unit, so you are normally unaware of a neighbor on the same channel.

However, when using the cordless phone, I now always consider that others may be listening!

------------------------------

End of RISKS-FORUM Digest 7.82
************************