The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 81

Monday 28 January 1991


o Risks in forensic use of dental and medical records
Sanford Sherizen
o Kinking Foreign-sold Military Equipment
Karl Lehenbauer
o Patriot missiles
Phil Agre
o Electronic cash completely replacing cash
David 'Witt'
o Re: San Francisco taxes its computer people ...
Bill Davidsen
o Re: Random Voting IDs and Bogus Votes (Vote by Phone)
Li Gong
Kathy Vincent
o Re: Lotus Marketplace
Samuel Bates
o Re: Superloo
Lars-Henrik Eriksson
o Info on RISKS (comp.risks)

Risks in forensic use of dental and medical records

Sanford Sherizen <>
Fri, 25 Jan 91 21:06 GMT
A recent review of a book on developments in forensics mentioned that the use of
dental records to reconstruct the identities of bodies was not as successful as
once thought.  The technological developments for the reconstructing of
identities has advanced but the limits are from the original dental records.
Some dentists have not been recording the true dental history of patients but
have structured their records to reflect the categories that insurance and other
third party coverage plans use for repayment.  This is also a problem with
physicians, who have been treating patients for one problem but reporting
patient treatments with an eye toward what payment structures allow.

This does not have to mean that proper assistance is withheld.  It just points
to the social limits to relying upon technology.

Sandy        Sanford Sherizen, Data Security Systems, Inc., 5 Keane Terrace,
             Natick, MA 01760                                 (508) 655-9888

Kinking Foreign-sold Military Equipment

Karl Lehenbauer <>
26 Jan 91 03:16:47 CST (Sat)
As the complexity of software in military equipment increases, it will be ever
easier for a contractor to slip a kink in.  For example, a special message,
cleverly sent, turns off a jet's engines, changes a missile's course, etc.

As today's allies can quickly become tomorrow's enemies, and hardware a country
exports can end up being used against it, there is some incentive to code in an
"insurance policy."

This would be a two-edged sword because an enemy of your client-customer could
discover a kink in something you sold them, and use it against them.

I have often wondered whether the Star Wars people plan to include a way to
turn off the several thousand "Brilliant Pebble" space-based anti- ballistic
missiles, if they were ever to be deployed.  Being able to update the software
remotely would be desirable too, to put it mildly.  It would seem an essential
requirement, yet it is easy to imagine our guys building and launching
thousands of these things without an off switch for fear that the Soviets would
figure out how to turn them off or reprogram them, and some terrible possible
consequences (of not having a way to switch them off), like bugs causing the
pebbles to attack satellites and spacecraft.                   uunet!sugar!karl

Patriot missiles

Phil Agre <>
Sat, 26 Jan 91 18:22:50 GMT
The Patriot missiles genuinely seem to be working well, at least in the desert
environment.  Yet a few years ago the Patriot was the very prototype of the
incompetent high-tech military development program.  Its testing in particular
came in for congressional ridicule.  What happened?  According to its
manufacturer and to various other experts quoted in the press, its software was
greatly improved through the application of software technology developed for
SDI.  These experts regard the success of the Patriot as evidence that the
SDI's software nay-sayers were wrong.  I am willing to calm down for a minute
and give this proposition a serious hearing.  Has anybody got any details?

Phil Agre, University of Sussex

Electronic cash completely replacing cash

"David 'Witt' DTN 226-6044" <>
Fri, 25 Jan 91 12:16:14 PST
I'm sure I don't have to go into all the RISKS of this, but it is very scary.
The comments at the end that are meant to be reassuring are the scariest part.
He seems to be completely oblivious to people's desire to keep some information
private, even from the govenment.

The problems of reliability are also obvious.

--David Wittenberg

[I didn't see the original article, so I only trust that this is transcribed
accurately.  --dkw]

        The New York Times, Saturday, December 29, 1990

Three Radical Proposals that could transform New York City, the nation
and maybe, the world.                by Harvey F. Wachsman

Abolish Cash (Great Neck, N.Y.)

    With the nation's economic tailspin causing the loss of tax revenues,
the President and the Congress are going to be considering a variety of options
that no one will like: raising taxes, cutting services or both.  But before
they increase the burden on the American people, they should consider a system
that would collect all the taxes that are already owed.
    If all the people who do business in cash were forced to report their
incomes accurately - if the under-ground economy were forced to the surface -
the Government could collect an additional $100 billion a year for the nationl
treasury - without raising taxes.  States and cities, many in serious financial
trouble, would also benefit from collecting previously unpaid income and sales
    How do we create a system to keep cash businesses honest ??  Eliminate
cash.  That may sound revolutionary, but the exchange of cash for electronic
currency is already used in nearly all legitimate international business
    The expansion and application of this concept to domestic transactions
would have tremendous benefits, and not just budgetary ones.  In addition to
forcing cash businesses to report their actual income, it would allow law
enforcement agencies to crack down on illicit enterprises.
    Think about it.  Drug deals, muggings, corruption, businesses
concealing their income - they all require cash and secrecy.  A monetary system
bases solely on electronic currency would leave a trail that would cripple such
    Here's how it would work.  The Government would change the color of the
currency and require all old money to be exchanged at the Treasury.
    Then, all the new currency would be returned by its owners to the bank
of their choice.  All banks would be required to open accounts, free of charge,
to all depositers. (Banks would surely be delighted to provide this service at
it would result in increased deposits.)
    We would offer a period of tax amnesty to encourage compliance, but as
a practical matter compliance would be assured because after a certain date all
currency would be worthless.
    In place of paper money, we would receive new cards - let's call them
Americards - each bio-mechanically impregnated with the owner's hand and retina
prints to insure virtually foolproof identification.
    The Government would supply all homes and businesses, free of charge,
with machines, to read the card, certify the holder's identity, and make
instantaneous electronic debits and credits.  Regardless of what such machines
would cost, the Government, with $100 billion in new revenues and no more
printing and mining costs, would come out ahead.
    And think of the benefits to the average American.  No one would have
to write a check again.  Bills could be paid electronically from home.  Such a
system is already available through banks and businesses on a limited, optional
    Credit cards would function as they do now.  Americard would simply be
a way of transferring funds from one account to another, without cash.
    For example, on payday, instead of receiving a paycheck, your salary
would be electronically transferred into your account.  At lunch- time, you
would go to your favorite resteraunt - or the local hot dog stand -and instead
of paying cash, you'd use your Americard.  You'd get a receipt instantly and
could get a cumulative record from you bank (or your personal computer) as
often as you like.
    The benefits would be tremendous.  Individuals and businesses would no
longer be able to conceal income.  All transactions would be recorded in a
computerized bank file and would be easy for the I.R.S.  to check.  Muggers and
buglars would be out of business: no one would be carrying cash and stolen
property would be difficult to sell because there would be records of all
    Fugitives would be easier to track down, legal judgements easier to
enforce, illegal aliens simpler to spot, debtors unable to avoid their
responsibilities by skipping town.  The census wouln't overlook households.
    The Federal Reserve would be better able to follow the economy, helping
to stabilize the financial markets.  The current series of economic indicators
would be replaced by instant access to solid information.  And with all income
being reported for tax purposes, we could not only balance the budget but
actually cut taxes.
    Some people might be concerned about possible abuses of civil
liberties.  But there would be a record of anyone who entered another's account
- officials would be granted access only after electronic verification of their
hand and retina prints.  Civil and criminal penalties for theft of information
would be devistatingly severe.  Government agencies and prosecutors would be
subject to the same Constitutional contraints that currently exist for access
to bank information or for the granting of wiretaps.
    And there would be no information on the Americard computer that
doesn't already exist in other forms today.  If anything, our rights to privacy
would be more secured with the protections that the Americard would offer.
    And besides, I'd like to ask every parent whose child walks to school
through a gauntlet of drug dealers, everyone whose home has been robbed,
whether they think that their rights have been jeopardized by a system that
could solve all these problems ??
    Since computer systems occasionally fail, Americard would be contained
on several connected secure computers: at the local bank branch, the main bank,
the regional office of the Federal Reserve and the Federal Reserve in
Washington, D.C.
    Americard may seem like a drastic approach but its advent is
inevitable.  In the days of the telegraph and the pony express, who could have
imagined that one day there would be a phone on every street corner in
Manhattan ??

    [Harvey F. Wachsman, a neurosurgeon and lawyer, is president
    of the American Board of Professional Liability Attorneys.]

                [Also noted by Martin Minow,]

San Francisco taxes its computer people ... (PGN, RISKS-10.80)

Fri, 25 Jan 91 15:17:57 EST
  Nope, the tax collector is right. People either pay their taxes on
time without fail, or they let them go as long as possible, particularly
when they are thinking of selling the structure and put the money into
either fixup or their pocket.

  The people who are behind are probably not going to pay right away, if at
all. Rebilling them a little later won't lose anthing, the city charges (I
assume) more interest than the banks pay, so better late, actually.

bill davidsen   (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen)

California's DMV licenses (Re: RISKS-10.79)

The Polymath <>
26 Jan 91 03:03:30 GMT
The state of California Dept. of Motor Vehicles (DMV) announced its new format
driver's license last week.  The license appears to be a standard magnetic
stripe (MS) card with the usual driver's license information on the front
including the licensee's photograph as a hologram.  The DMV claims these
licenses will be much harder to fake and forge.  They did not say what specific
information was on the MS.

The risks of MS cards have been discussed here before.  The fact that I'll
probably know what's on my license's MS the day I get it should give some idea
of how insecure that information is.  It takes little more to alter it.

The specifications for MS cards and data are part of a published ANSI/ISO
standard.  The hardware to build an MS reader/writer can be purchased at Radio

Further, I can imagine retailers demanding to run my license through their MS
readers along with my credit card or to verify a check.  I'm not happy about
that prospect at all.

The Polymath (aka: Jerry Hollombe, M.A., CDP, aka:
Head Robot Wrangler at Citicorp(+)TTI             Illegitimis non
3100 Ocean Park Blvd.   (213) 450-9111, x2483       Carborundum
Santa Monica, CA  90405 {rutgers|pyramid|philabs|psivax}!ttidca!hollombe

Random Voting IDs and Bogus Votes (Vote by Phone)

Fri, 25 Jan 91 14:16:48 EST
The lastest RISKS discussed a proposal of "vote by phone" -- registered voters
are assigned random numbers as ids, and the ids with the corresponding votes
are published afterwards so that voters can verify that their votes are
included correctly.

(1) Talking about the use of randomization techniques, one might also want to
randomize the ballot papers so that on each individual paper, candidiates are
listed in random order.  The gains are obvious -- many people just vote for the
first name (or the last ?).

(2) PGN rightly pointed out the risk that bogus votes can be inserted because
there are no voters who check them.  On this front, bogus votes are sometimes
useful.  David Wheeler and I once thought up the idea of "inserting controled
bogus votes" in the following manner.

Each voter is given an id number to vote, but is told that the number is either
positive or negative.  Suppose there are two candidates, Alice and Bob.  If the
number is negative, a vote for Alice is actually counted as a vote for Bob.
This has the advantage that a third (malicious) party who forces a voter to
vote cannot verify (from the published list) if the vote is indeed the desired
one.  It is easy to generalize to multiple-candidates.  An additional advantage
is that people can write their numbers on papers.  One can steal a number, but
won't be sure how to use it (even if I write down +1234567, I could have
mentally remembered it to be a negative number.  Now I remember 1 bit
information, not a long random number).

Of course, there must be some measures to control (and verify ?) the process of
counting the ballots.  Maybe we are talking about conflicting requirements :-)

Li Gong, ORA Corp., Ithaca, New York.

Re: Voting by Phone (RISKS-10.80)

Kathy Vincent <kathy@rbdc.UUCP>
Thu, 24 Jan 91 13:47:04 GMT
That's like saying no one can hack your bank account because you have a
personal security code.  And no numbers are so anonymous that someone so
inclined couldn't find out exactly who placed what vote for whom.  You may not
be so inclined, but some people are -- esp people who want to control outcomes,
which is what our secret ballot system is specifically supposed to guard
against.  If information connecting a person with a vote is stored in such a
manner as to prevent fradulent voting, no matter how fragile the linkage,
someone or someones with enough determination can easily find the linkage and
exploit it to their own advantage.

Not to mention ... people with the right kind of electronic equipment can sit
outside your house and monitor your computer keyboard clicks and know exactly
what you're typing.  They can monitor your touch-tone phone tones and know
exactly what numbers you're dialing.  Or what numbers you're using to place
your vote -- including your password and anonymous ID number.  People with
cordless or cellular phones are esp vulnerable.  And with the kind of
technology that makes caller ID possible, well ...

Re: Lotus Marketplace (Schumacher, RISKS-10.80)

Samuel Bates <>
Fri, 25 Jan 91 14:03:49 CDT
I would venture to say that the uproar is due to the fact that people heard
about the Lotus product, whereas they didn't hear about the others.  I would be
interested to hear about other ways of getting the same information; if we
object to Lotus putting together the product, then we should object to other
companies doing the same.  If you can get names of companies that produce the
information, I would like to know them.  Barring that, will you tell me the
names of the academics with whom you spoke?

Samuel Bates  University of Wisconsin-Madison

Re: Superloo (Campin, RISKS-10.80)

Lars-Henrik Eriksson <>
Sat, 26 Jan 91 19:37:57 GMT
There is an obvious risk here. In fact, I have read a newspaper report
(although it was several years ago so I can't give any sources), that
this "disinfecting cycle" once started while a girl was still inside.
She later died because of lung damages after having inhaled the
disinfectant fluid.

Lars-Henrik Eriksson, Swedish Institute of Computer Science, Box 1263
S-164 28  KISTA, SWEDEN    +46 8 752 15 09

Please report problems with the web pages to the maintainer