Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
I just had an interesting visit from the FBI. It seems that a posting I made to sci.space several months ago had filtered through channels, caused the FBI to open (or re-open) a file on me, and an agent wanted to interview me, which I did voluntarily. My posting concerned destruct systems for missiles. I had had a chance to look at the manual on the destruct system used on the Poseidon and Polaris A3 missiles, and was shocked at the vulnerability of the system which triggers the system. In my posting, I commented that the system seemed less secure than many garage-door openers. It uses a set of three tones, in which two tones are presented, then one tone is taken away and the third tone is applied. The only classified parts of the system are the frequencies of the second and third tones. On the net, I asked whether tone control systems like this are still used for missile destruct systems. By e-mail, I received an answer from a person who was currently designing a destruct system, and he indeed confirmed that not only are tone-control destruct systems still used, they are a requirement of some test ranges. (However, he thought it would be difficult to send a bogus destruct command because of the need to blot out one of the tones which is transmitted continuously from ground control; it would be far easier to insert a bogus flight control command and send the missile toward a city.) A few months later, I received a message from my sysop asking me to call a person at Patrick Air Force Base who wanted to get in touch with me. This guy was real concerned that I had revealed "sensitive" information. He said he kept his copy of my posting in his safe! I guess he didn't know that it had already been distributed throughout the industrialized world. He didn't want to say anything about the subject over the phone. He asked whether I would be willing to be interviewed by an investigator. I agreed, and he said I would be contacted within 24 hours by someone locally. That was the last I heard of him. I suppose he talked to someone who knew more about destruct systems, and was reassured that it isn't possible because it hasn't happened yet. Two days ago, more than half a year after my original posting, I got a message that someone from the Palo Alto office of the FBI wanted to talk to me. I called him, and we agreed to meet this morning. He didn't seem too concerned with the technical aspects of my posting — I guess he also had his own experts to consult. He mostly seemed to be checking me out to see if I was plotting to blow up a missile. He was also very interested in how the net works. I told him all about the net. He wanted to know if there was any sort of censorship or control over what goes on the net, and I explained it was mostly after-the-fact control, for example if you post a commercial advertisement the management of your site will get a ton of e-mail asking that your account be cancelled. He asked whether someone could post an offer for $10,000 for blueprints of a missile or something, and I said there isn't any sort of censorship that would prevent that sort of thing. But the closest thing to a request for information on performing a crime that I knew of was a couple years ago when someone asked in the chemistry newsgroup about methods for electrically igniting a chemical. I told him about the controversy that caused, though I omitted my role in answering the original poster's question :-) I also told him about newsgroups like alt.drugs, rec.pyrotech, etc. He took copious notes. He asked about the equipment needed to access the net. I told him about computers and modems and Portal. I should contact Portal management to see if I get a bonus if he signs up as a customer :-) The only surprise came at the end of the interview. He asked if I had any questions. I said I was curious how my posting ended up in his hands. Before he could answer, I said I suppose you were contacted by that guy at Patrick Air Force Base. This surprised him, and he said he knew of no involvement by anyone at Patrick Air Force Base. I asked how he _did_ know about my posting, and he said he couldn't answer that. I then went on to tell him about the controversy over Uunet, and their role in supplying archives of Usenet traffic on tape to the FBI, and he seemed surprised by that also. So what's the RISK here? None to me, because I was a perfectly innocent party. I suppose some people would be really concerned to learn that their postings to the net are being monitored for possible illegal activity. But I would be far more concerned if they weren't. The fact that two independent investigations were started is reassuring to me, because it shows that the government is not totally brain-dead with regard to possible threats to their big projects. Certainly if _I_ were FBI director, I would consider Usenet to be a great resource. I'd learn all about computer crime, recreational drugs that aren't illegal yet, low-tech ways of building bombs, how to contact Earth First!, etc., etc.
There has been plenty of discussion about SB266 requiring all communication
equipment to provide the plaintext to the government on demand. Well, I've
decided if they want plaintext, give them plaintext. I've written a program
that will convert any file into strings from a context-free grammar. The bits
are recovered by parsing. To test it's viability, I created two grammars and a
program to do the work.
The first converts any file into the radio commentary of a baseball game
between two teams, The Blogs and the Whappers. Could something as American as
baseball be hiding something?
The second converts a file into something approximating a speech by Neil
Kinnock . I chose Neil Kinnock because SB266's sponsor, Joe Biden, is fond of
borrowing liberally from Mr. Kinnock's impressive oratory. Unfortunately, the
only really substantive chunks of Mr. Kinnock's speeches I could find were from
a NYT article by Maureen Dowd in 1987 about the striking similarities between
the speeches of Joe Biden and Neil Kinnock. The limited sample leads to a
"broken record" effect. (The libraries in America don't seem to contain
collected speeches by Mr. Kinnock. If anyone has a video tape of his impressive
10 minute commercial of Brahms and anti-Bromides, I'd love to see it.)
I managed to encode information using this text by slightly permuting the word
choices. I've been wondering if Senator Biden wasn't doing the same thing when
he didn't quote verbatim. Perhaps he was sending messages to someone?
My apologies to Mr. Kinnock for mutilating his careful diction and rhythm.
If anyone in the United States would like to experiment with the programs,
please drop me a line. I'll send you the source code. It is written Think
Pascal 3.0 for the Mac, but it should be a breeze to convert to other Pascal's
or even C. The offer only extends to electronic addresses in the United States
because the Commerace department restricts the distribution of cryptographic
protocols beyond the borders. The security of the system is a bit hard to
assess (breaking it is, in some senses, a PSPACE-complete problem), so I'd
rather abide by an annoying rule than spend time in the can. If you would
rather receive it by disk, send me one with a properly franked envelope, and
I'll mail it out.
If you want a copy of a Tech Report describing the topic, send me a paper
address and I'll send it out. This document can cross borders. Thank god for
the first amendment.
Finally, here are two examples of the program at work:
-------------------------------------------------------------
Baseball
-------------------------------------------------------------
It's time for another game between the Whappers and the Blogs in scenic
downtown Blovonia . I've just got to say that the Blog fans have come to
support their team and rant and rave . Let's get going ! Another new inning .
Ain't life great, Ted ? Yup. How about those players . The pitcher spits.
Prince Albert von Carmicheal comes to the plate . He's trying the curveball .
He pops it up to Harrison "Harry" Hanihan . One out against the Whappers. Now,
Parry Posteriority swings the baseball bat to stretch and enters the batter's
box . Here we go . OOOh, that's almost in the dirt . Definitely a ball . The
next pitch is a bouncing knuckleball . Short and away . The umpire calls a ball
. It's a change-up . and it's ... La Bomba ! HomeRun ! Yup, got to love this
stadium. Now, Mark Cloud swings the baseball bat to stretch and enters the
batter's box . Yeah. He's uncorking a toaster . No contact in Mudsville ! It's
a fastball with wings . No wood on that one . He's uncorking what looks like a
spitball . Whooooosh! Strike ! He's out of there . These are the times that
make baseball special . Now, Parry Posteriority swings the baseball bat to
stretch and enters the batter's box . Another fastball . No contact on that one
. A full windup and it's a split-fingered fastball . He pops it up to Orville
Baskethands . Well, that's the end of their chances in this inning, Rich .
-------------------------------------------------------------
Neil Kinnock
-------------------------------------------------------------
Why were the Coal Mines all my ancestors had ? These people who could write
poetry ? My people who could make wonderful things with their hands ? Why
didn't they get the chance ? Were they too weak? The people who would work
underground for 8 hours and come out to play football for the evening ? Do you
think that they didn't get what we had because they didn't have the drive ?
Never . It was because they never had a platform on which to stand . Why am I
the first man in my family to go to University ? Was it because our ancestors
were too thick ? Why were my ancestors shut out of life ? My people who could
dream dreams and recite poetry and dance and make wonderful things with their
hands and dream dreams ? My parents who could make wonderful things with their
hands and sing and write epic poems and make beautiful things and see visions ?
Why didn't they get the chance ? Were they too weak? Those people who worked
underground for 8 hours and come up to play football ? Does anybody really
think that they didn't get what we had because they didn't have the stamina ?
No . There was no platform on which they could stand .
-------------------------------------------------------------
Both of these examples are just small portions of the result of encoding the
message:
Paul is dead! I am the walrus!
Buy something right now. Don't shoplift. Buy! Buy!
Here are the plans to the Overthruster, Sergei.
Yoyodyne forever.
This afternoon, during the Senate's debate on the Campaign Finance Reform Act, Senator Robert Dole (R-Kansas) offered an amendment (which was agreed to by the Senate) directing the Federal Election Commission to conduct a study regarding the feasibility of allowing disabled voters to vote by telephone in federal elections. The main motivation behind the amendment was to provide easier ways to vote for disabled Americans who may find it difficult to reach a polling place. The amendment does not require the FEC to immediately implement voting by phone, but only to study it. Previous issues of RISKS have discussed the risks of voting by phone at length, but one risk stands out in this particular case. If the danger of coerced votes in "normal" phone votes is substantial, I believe it is even higher in this situation, where the threat of physical violence against the physically disabled voter would be greater than normal. Jim Huggins, Univ. of Michigan (huggins@zip.eecs.umich.edu)
Buried in an article in the 23-May-91 Wall Street Journal was a reference to an
interesting computer-related risk. The article, entitled "Travelers From
Abroad Face Summer of Extra-Long Delays at U.S. Airports," reported that
incoming travelers may face delays of up to 5 hours in clearing immigration at
some airports.
Previously, "selective screening" and "citizen bypass" plans have been used by
customs and immigration officials to expedite inspections of arriving
passengers. The Immigration and Naturalization Service (INS) now is taking the
position that all persons entering the U.S. must be checked. After
interviewing Michael Cronin, assistant INS commissioner for inspection, the WSJ
reported, "He notes that the U.S., unlike many other countries where
immigration inspections are looser, doesn't require national identification
cards or have a national police force to stop people on the street and enforce
immigration laws. Thus, he argues, port of entry must keep tight control."
One of these controls is the new Advanced Passenger Information Program. Under
this program, airlines transmit data about arriving passengers to the INS
before passengers arrive. The government adds this information to its
databases and uses these databases to help determine who gets inspected. This
program is currently in place for U.S.-Japan flights and will be implemented
soon for U.S.-European flights.
I am unhappy with the idea of the government augmenting its surveillance of me
by tapping commercial databases. What other uses will they make of this
information? What's next? Should the government get copies of my phone bills
to see if I'm talking to the wrong people?
An aside: I find the treatment of foreign travelers by the INS embarrassing
when compared to the way I am treated by officials in other countries. The
evil hacker-condoning Dutch, for example, seem to process everyone coming in to
their country with courtesy, efficiency, and fairness. I've never noticed
Dutch police randomly stopping people on the street and examing their identity
papers, either.
Brad Dolan pine_ridge%oak.span@sds.sdsc.edu B.DOLAN (GEnie)
For those of you who don't sign for UPS packages, UPS is now switching over to an electronic clipboard for their drivers. This device is called the Delivery Information Acquisition Device (DIAD) [_Network World_, May 6, p. 15]. I had my first experience with one the other day when a package was delivered. The most unique part of this device is a pad which is signed by the customer with a stylus and stores the signature electronically. You can see your signature appear on the DIAD's LCD display. I visited UPS R&D about a year ago when they were still testing this device. They explained the logic behind this. Not only does it get rid of paper for signatures, but when the information is downloaded into a mainframe, it can be used by a central customer service organization. When a customer calls in claiming a package was not delivered, they can look it up on the computer and check if it was delivered, and who signed for it (not noting, however, that many people's signatures are unreadable!). So, how many of you like the idea of your signature being stored electronically somewhere in the bowels of someone else's computer? Alex L. Bangs, Oak Ridge National Laboratory/CESAR, Autonomous Robotic Systems Group bangsal@ornl.gov
This thread reminds me of a suggestion a co-worker made for our new laboratory (Lots of high energy capacitors, switches, etc). We would install a large red pushbutton, with a lighted label above it reading "Push to Test". When the button was pushed, the label would change to "Release to Detonate". Well, I liked it... tom coradeschi
Note that the 1403 printer itself also had a "STOP" button on its control
panel (I don't remember if it was red, or some other color). Amazingly
enough, if the printer went into the "high speed paper slew" mode due to
an — er, — unfortunate choice of carriage control character, the
printer's "STOP" button would have NO EFFECT WHATSOEVER! (I discovered
this when the printer was loaded with continuous-form payroll checks!)
Unfortunately, the function of the "STOP" button was to tell the printer
to stop accepting commands from the channel *after* the completion of the
current command (e.g., "skip to channel 5"). Sigh...
(There *was* a second button on the panel labelled "Carriage Stop", or
something like that, which *would* stop the fountain of paper. Not
immediately obvious to a panicked junior programmer...)
John Pershing, IBM Research, Yorktown Heights
Mary Culnan ("Of Two Minds About Privacy" RISKS 11.69) and Jerry
Leichter ("The Death of Privacy?" RISKS 11.69) detail some of the
problems associated with automated systems that detail specific
information about our personal and financial lives. To summarize:
1) Undesired access to data
2) Undesired manipulation of data
3) Undesired offerings of data (Mary) and
4) Undesired large-scale changes of public opinion (Jerry)
{nota bene: That is my reading - you might have meant something
else. Also, by "undesired" I mean "undesired by the subject"
(me, specifically).}
It seems this is just the tip of the iceberg, though. Recently released
footage from the Persian Gulf conflict show a sophisticated airborne
battle-management system capable of spotting movement, location, and
identification of literally everything within several hundred miles.
Several states are experimenting with bar codes for vehicle location, speed
detection, and identification. While officially not for criminal investigation
purposes, I doubt most anyone would object to a search of the records to locate
the perpetrator of say, a felony hit-and-run.
Birth, death, marriage, licenses, education, service, and major property
occasions are all publicly recorded, and often _required_.
Our employers often know where to find us, even when we are not at work. Our
neighbors often know the roads we use to drive to work. Our grocers often know
the days we get paid, and the times we like to shop.
The problem is not just technology. The problem is how much an individual is
willing to waive control of information about her (him) self. If we don't
actively guard our privacy, we shall surely fall prey to those who would profit
from that information — perhaps at our expense.
Richard Johnson
To my mind there is a more serious problem responsible for our loss of privacy (not to mention other rights). It's the attitudes towards convenience. Every time you use one of the Electronic Fund Transfer (EFT) devices at a Lucky's store, gas station, etc., you are giving up significant portions of your privacy. By buying gas this way someone can closely figure your driving habits: did you go somewhere this weekend? Where did you go (where did you use EFT to buy gas?)? What kind of mileage did you get? Is it possible you took a side trip where you used gas, but didn't buy any until later? What kind of food do you buy (I'm not sure if this is tracked)? How much do you normally spend on food, versus getting cash back? Why do you get so much cash back from a grocery store instead of a bank (trying to hide something?)? We are well on our way to a cashless society. I predict that it will eventually be illegal to own cash. Certainly whenever a drug dealer is busted today, you hear all about the (gasp!) several thousand dollars in cash found. Heck, *I* know people who keep that much at home, and they are definately not drug dealers. Once we become cashless, operating on "credits", the only people with any true freedom will be the hackers who are able to crack the systems and pilfer. You-all and I will be at the mercy of both the hackers, and the gov't. By that time it will be impossible to break the sequence, since literally EVERY purchase you make, from birth-control, to books, to how much you give to your church, will be tracked, and you will be at the mercy of any future laws passed, such as, say, anti-birth control, anti-gun, anti-drug, anti-"pornography", etc. It's already happening today, and it will only get worse.
Please report problems with the web pages to the maintainer