The RISKS Digest
Volume 11 Issue 09

Thursday, 14th February 1991

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Vote-by-fax plan before [CA] Legislature
clarinews via Eric Postpischil
o Douglas goes fly-by-wire
Martyn Thomas
o Vietnam Vet's Memorial article ambiguous
Sam Levitin
o Tax Preparation
Peter Jones
o Collection of Evaded Taxes
Cameron Laird
o Singacard anyone?
Bill J Biesty
o Re: the new CA driver license
Ian Clements
Curt Sampson
o Re: automatic flight and seasickness
Lars-Henrik Eriksson
o Follow-up to wireless network
Frank Letts
o 4th Annual Ides-of-March Virus & Security Conference
Judy S. Brand
o Info on RISKS (comp.risks)

Vote-by-fax plan before Legislature

6 Feb 91 02:49:14 GMT!hsdndev!wuarchive!!lll-winken!looking!clarinews

[Provided for USENET readers by ClariNet Communications Corp.  This copyrighted
material is for one-time USENET distribution only.]       [SEE END OF MESSAGE!]
    SACRAMENTO (UPI) — Troops fighting in the Persian Gulf could vote in
California elections by using fax machines to cast their ballots under
legislation announced Tuesday.
    The measure, SB293, would amend the state Elections Code to allow
members of the military and other California voters temporarily living outside
the United States to fax absentee ballot applications to county election
    County officials would then use fax machines to send absentee ballots
to overseas voters, who could return the completed ballots by fax.
    ``Even when applications for overseas absentee ballots are received
early in the process, ballots sent halfway around the world sometimes arrive
too late to be returned by mail before the close of polls on Election Day,''
Secretary of State March Fong Eu said.
    ``This legislation would allow overseas voters, such as those members
of the armed forces stationed in the Middle East as part of Operation Desert
Storm, to fax their voted ballots back in time to be counted,'' she said.
    The bill is coauthored by state Sen. Milton Marks, D-San Francisco, and
Assemblyman Peter Chacon, D-San Diego.
    Only a few people stationed at U.S. embassies, working at projects
overseas, and members of the military would be expected to take advantage of
the vote-by-fax program, Eu's spokeswoman Melissa Warren said.
    ``The numbers aren't huge. We aren't expecting large numbers of people
to participate,'' she said.
    Several states accepted vote-by-fax ballots during last November's
elections, Warren said. If the measure is quickly passed by the Legislature and
signed by Gov. Pete Wilson, the first California election with fax voting would
be the March 19 special elections for two state Senate seats and one Assembly
    Marks said he would rush the measure through the Legislature. ``It
seems only fitting that at a time when we are engaged in a military struggle
with a ruthless despot, we make this effort to provide our servicemen and women
with the most important franchise of our democratic system — the right to
vote,'' he said.

    [This item submitted to RISKS by Eric Postpischil <>.
    REUSE THE ABOVE IN RISKS IS From: Brad Templeton <>:
      "The one time statement indicates you have to ask for more.  You did, so
      I'll grant permission for RISKS in electronic form.  (We are unable to
      grant permission for print forms).  Brad"]

         [Nice phrase, "take advantage" of it!!! Nice opportunities for
         voter fraud?  I hope some sort of authentication is planned...  PGN]

Douglas goes fly-by-wire

Martyn Thomas <>
Thu, 14 Feb 91 13:19:09 GMT
McDonnell Douglas has switched to a full fly-by-wire flight control system
for its MD-12X, reports Flight International (13-19 Feb 1991, p4).

"With fly-by-wire we are able to retain the flying qualities of the aircraft
and more easily resemble MD-11 [handling]". "The benefit is predominately in
the area of cross-crew training". "A fly-by-wire aircraft should also be
cheaper to produce". [quotes from MD-12X management].

The control system will be modelled on that developed by GE aerospace for the
USAF C-17 airlifter.

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel:    +44-225-444700.   Email:

Vietnam Vet's Memorial article ambiguous (Johnson, RISKS-11.08)

Go Mossad! 14-Feb-1991 0938 <>
Thu, 14 Feb 91 06:39:12 PST
RE: Jeff Johnson's article in RISKS 11.08 about the Vietnam Vets' memorial and
a photo in the SF Chronicle, I didn't see the photo, but I do know that there
is a possibility that this situation is *not* due to a typo. On the Vietnam
Veterans' Memorial in DC, there is a set of symbols: one to denote "Killed" (a
cross?), one for "Missing in Action", and "Formerly MIA but now known to have
survived" (a circle?).  The symbol used for MIA can be further carved in one
way to become the symbol for Killed in Action, and can be further carved in a
different way to become the symbol for "Formerly MIA".

Because I don't know which symbol appeared next to Eugene J. Toni's name on the
monument, I won't comment on the possibility of a typographical error, as
reported by the Chronicle. However, the language in the caption (or perhaps the
title of Johnson's RISKS article) makes it too easy for the reader to believe
that Toni was formerly believed killed.

Sam Levitin Digital Equipment Corporation

Tax Preparation

Peter Jones <MAINT@UQAM.bitnet>
Thu, 14 Feb 91 12:12:12 EST
Today, I saw an advertisement in the mail about a new service on Bell's ALEX
service offering income tax preparation assistance. Customers can supply income
tax information and then order completed forms by mail. The RISKS I see are:

1) Transmitting confidential data in the clear over public phone lines.

2) Giving the service provider potential access to a lot of confidential
   information: SIN (SSN in the US), income, address, credit card number,...
   I found no mention of safeguards of confidential information when I
   browsed the literature.

3) Possible loss of all data entered if the phone connection is broken
   (unless the system provides a checkpoint facility. I don't want to
   spend $$$ to find out.

4) Underestimation of costs. The literature quotes about $12 for mailing,
   and this ALEX service costs $0.15/min. The literature estimates connect
   time to be 30 minutes for a couple. So we're talking about $35 or so here,
   and this may be optimistic (see 3, especially if the phone has Call

5) The system only covers certain basic forms (this is stated in the
   literature. So you have to be fairly knowledgeable about income tax to
   decide if the system is worth using.

Peter Jones  (514)-987-3542    UUCP: ...psuvax1!uqam.bitnet!maint
Internet:Peter Jones <>

Collection of Evaded Taxes

Cameron Laird <>
Mon, 11 Feb 91 09:47:17 CST
Comp.risks supports continuing discussions on advantages and disadvantages of
automation of financial transactions; most recent was a proposal for an
AmeriCard, which would facilitate or enforce movement of all purchases to
equipment which would record those purchases.  One of the advantages claimed
for such schemes, including Mr. Gorbachev's latest "monetary reform", is that
they'll flush not-fully-taxed activities into the spotlight of tax enforcement
agencies.  For example, if you rebuild your neighbor's carburetor in exchange
for him removing the dying tree in your backyard, the Internal Revenue Service
expects you both to declare those (imputed) incomes and pay corresponding taxes
on them.  Thus, as an article in the 21 January 1991 *Forbes* asks,
"Politicians of all stripes love to claim the federal deficit can be cut by
cracking down on tax cheats.  Why cut spending when the IRS has $78 billion in
total accounts receivable and is losing $100 billion a year to tax evasion?"

The article's conclusion: "The argument ... grossly exaggerates the IRS'
ability to raise more money through tougher enforcement."  Note that the Agency
has strong institutional pressures to overestimate its capabilities.  Most
interesting from the point of view of economic science is the (unsupported)
assertion that, "As for outright cheating, even the IRS' toughest audits find
less than half the evasion it claims goes on."  In the midst of tendentious
estimates and murkiness, there's a real value in looking at the actual
operating experience of, for example, the IRS.

I've marked the distribution of this note for "world" because it's at least as
great an issue outside the USA.  France, for example, sometimes prides itself
on the vigor with which its citizens fail to co-operate with tax agencies; from
my little experience there, though, I can report that people were generally
more law-abiding than they should have to be, given the confusion those
agencies generate.

The article does make one incomplete reference to a scholarly study.  The
reporter might be willing to help someone pursue the subject; I've known some
who do, and some who don't.

I summarize: for the reasons others have already stated in comp.risks, tax
enforcement does *not* yield the windfalls some expect of it; in particular,
the IRS' own records suggest much lower returns than they estimate in their
reports to Congress.

Cameron Laird       USA 713-579-4613    USA 713-996-8546

Singacard anyone?

Bill J Biesty <wjb@edsr.UUCP>
Thu, 14 Feb 91 09:33:35 CST
>From the Wall Street Journal Wednesday, February 13, 1991, p.A7 c.1

  "Singapore Equals Push Buttons"
    From cashless shopping to electronic paperwork and even a computerized
  pig auction, Singapore is plugging its 2.6 million people into electronic
  grids linking the entire island nation.  It plans to build grids for
  shopping, booking tickets, checking data and sending documents.
    Singapore's small size and centralized bureaucracy simplified
  establishing the electronic groundwork.  All citizens carry a numbered
  identification card, allowing cross-indexing of data.  "The purpose ... is to
  turn Singapore into an intelligent island in which IT [information
  technology] will be fully exploited to improve business competiveness and,
  more importantly, to enhance the quality of life," and education ministry
  official said.  A master plan, IT 2000, will be unveiled at year end.
    Already, TRadeNet lets companies submit data electronically to the
  state and accounts for 90% of all trade documents.  The Network for
  Electronic Transfers, a cashless shopping system, has been operating for five
  years and is used by more than one-third of the population.
    Other networks include StarNet for air cargo, MedNet for Medical
  claims, and LawNet for company registry.  Coming next: "Smart Town," linking

I think it was mentioned in Risks, but was mentioned in WSJ that Singapore
plans to install sensors in cars and roads and start taxing vehicle owners
based on usage rather than an average fee to cover maintenance costs of roads.

Considering Singapore's government, widely considered autocratic, though it is
democratically elected, this will probably be less than beneficial to the entire
populace.  (The Editorial and Letters pages of the WSJ recently had a debate on
this.  Nepotism seems to be one indicator. Sorry no dates.)

The risk envolved is for those people whose idea of "quality of life" has
nothing to do with feeding the commercial/consumer dynamo.  Then again they
probably don't live in Singapore.

Another is as long as you're a good little consumer and a good little
entrepreneur you're ok.  The ability to catch laggards and other non-productive
types cannot be underestimated.  You've heard of sin taxes, Lazy Tax anyone?

What the article doesn't mention is how much independence exists for the
businesses that use the Nets.  Are the Nets a government service or control of
all players using them?  Will the Nets provide a situation similar to the
national airline reservation system(s) or will they nationalize industries
under monarchical control.

Bill Biesty, Electronic Data Systems Corp., Research and Advanced Dev., 7223
Forest Lane, Dallas, TX 75230!wjb 214-661-6058

The new CA driver license (RISKS-11.07)

Ian Clements <>
Mon, 11 Feb 91 8:00:32 PST
 In RISKS 11.04 Mark Gabriel writes about privacy issues concerning the new CA
drivers license.  In issue 11.07 David Redell responds with two points
concerning recent privacy legislation and the clerks right to certain parts of
the information.

 Like many modern marvels, the magnetic strip is easily defeated.  If you're
concerned about what a clerk may or may not record or know about you, run a
magnet down the stripe.  This will render the stripe useless and the clerk (or
police officer) will once again have to rely on mechanical recording.

 I would be more concerned about the possibilities for abuse of this new
technology.  Insurance companies will surely ask potential customers for a
drivers license to check the driving record (given CA's new insurance rules,
there is much incentive to bit twiddle)--how long will it be before someone
figures out how to rearrange bits on the stripe?

--ian   Ian Clements 415/962-3410

Re: The new California licenses (Hibbert, RISKS-11.03)

Curt Sampson <>
Sat, 09 Feb 91 10:40:56 PST
> This track will only contain 40 bytes of information, and will only
> contain the name, driver' license number, and expiration date.

This would not likely leave more than 32 bytes for the person's name.
Yet another problem.  <Sigh>

Coercivity is a measure of how much magnetic energy it takes to imprint or
erase a magnetic medium, and it is measured in oersteds.  The typical
coercivity of a cassette tape would be in the 280-380 oersted range.  The
typical coercivity of a high-coercivity tape (such as DAT or 8 mm video) would
be 1000-1400 oersteds.

30 orsteds is quite low (surprisingly low, in fact).  That may explain why my
bank card has been "zapped" twice in the past year.  3600 is quite high, but a
standard videotape eraser might be able to affect it if you put the stripe
right up against the surface.  (An audiotape eraser would not affect it.)

I have little doubt that a dedicated hardware hacker would be able to
come up with a unit to read from and write to the cards with little
difficulty.  The hardest part would probably be machining a head to read
the stripe.  I wonder if the data is going to be encrypted in any way?

cjs curt@cynic.uucp {uunet|ubc-cs}!van-bc!cynic!curt

Re: automatic flight and seasickness (Bryant, RISKS-11.07)

Lars-Henrik Eriksson <>
Sun, 10 Feb 91 11:33:17 GMT
   [Re: Bryant on Olivier M.J. Crepin-Leblond" <>
   in RISKS-10.83]

I believe the original poster is right. I am a private pilot, and I have
noticed numerous times, that I do have a tendency to get sick when I go along a
a passenger. I have even noticed this tendency when flying the aircraft myself
with an instructor who tells me what to do.  When a fly as the
pilot-in-command, I have *no* problems with airsickness even on extended
flights in rough weather.

Lars-Henrik Eriksson, Swedish Institute of Computer Science, Box 1263, S-164 28
KISTA, SWEDEN      +46 8 752 15 09

follow-up to wireless network

frank letts <>
Sun Feb 10 13:16:10 1991
There seems to be some question regarding the legality of the radio telemetry
testing I described in an earlier post.  The story was presented with a bent
toward the (objectively) humorous and the obvious risks presented by the
wireless network.  Left out was some information that, by its absence, led some
to believe the the operation was an illegal one carried out by "sickos" and
technically incompetent bozos.

The oil company held a valid FCC license for data transmission over the
frequency in its normal operation mode, and a temporary permit for same at low
power in the Houston facility.  While looking for the source of the
interference we did find some bad dummy loads which we replaced, but, following
that, our installation was on spec and fully legal.  We did determine that the
delivery driver(s) were running linear amps and were bleeding over onto
adjacent frequencies when transmitting.  That would explain their interfering
with our operation, but not our interfering with them.  Odds were that the
driver(s) only heard the buzzing while driving directly past our building.
They should have had no problem receiving or transmitting.

As far as the personnel are concerned, the engineer and technicians all held
FCC tickets, were highly qualified for the work, and had been in the business
for many years.  I have been doing data acquisition and communications software
for about twenty years and consider myself somewhat competent in the area.
None of us are necessarily sickos.  One of the techs probably qualifies as a
bozo, but he's a nice enough fellow and a decent tech.

I hope that this quiets any unrest out there.

Frank Letts, Ferranti International Controls Corp., Sugar Land, Texas

4th Annual Ides-of-March Virus & Security Conference

Judy S. Brand <>
Fri, 8 Feb 91 08:54:37 -0500
         Who SHOULD attend this year's Ides-of-March
      Fourth Annual Computer VIRUS & SECURITY Conference
         at the New York World Trade Center?

MIS Directors, Security Analysts, Software Engineers, Operations
Managers, Academic Researchers, Technical Writers, Criminal
Investigators, Hardware Manufacturers, Lead Programmers
who are interested in:

     Dorothy Denning - DEC                  Bill Cook - US Justice Dept
     Harold Highland - Comp & Security      Donn Parker - SRI Intl
     Bill Murray - Deloitte & Touche        Steve Purdy - US Secret Service
     Dennis Steinauer - NIST                Gail Thackeray - AZ Attorney

     Klaus Brunnstein - Hamburg          Mike Godwin & Mitch Kapor - EFF
     Lance Hoffman - GWU                 Emmanuel Goldstein - 2600 Magazine
     Eugene Spafford - SERC/Purdue       Tom Guidoboni - (R.Morris' lawyer)
     Ken van Wyk - CERT/CMU              Marc Rotenberg - CPSR

PLUS Fred Cohen, Ross (FluShot) Greenberg, Andy (DrPanda) Hopkins, and
over 40 MORE!

Over 35 PRODUCT DEMOS including: include Candle's Deltamon, HJC's
 Virex, McAfeeSCAN, Symantec's SAM, ASP 3.0, DDI's Physician,
 Gilmore's FICHEK, Certus, FluShot Plus, Iris's Virus Free, 5D/Mace's
 Vaccine, Norton Utilities, PC Tools, Quarantine, Viruscan, Panda's
 Bear Trap, Disk Defender, Top Secret, Omni, ACF2, RACF and OTHERS AS

 Security on UNIX Platforms, Tips for Investigators, HURRICANE Recovery,
 Dissecting/Disassembling Viruses, 6 Bytes for Detection, LAN Recovery,
 ISDN/X.25/VOICE Security, Encryption, Apple's Security, EARTHQUAKE Recovery,
 IBM's High-Integrity Computing Lab, US/Export Issues, 22-ALARM Fire Recovery,
 Publicly Available Help, Adding 66% More Security, NETWARE VIRUS Recovery,
 Next Generation of Computer Creatures, THE WALL STREET BLACKOUT Recovery,
 Mini Course in Computer Crime, Great Hacker Debate, REDUCING Recovery Costs,
 S&L Crisis: Missing DP Controls, OSI and the Security Standard, Virus Myths,
 Viruses in Electronic Warfare, US Armed Forces Contracts for New Ideas....

INTERESTED? ONLY $275 one day (Thurs 3/14 - Fri 3/15) or $375 both days:
 *  Bound, 600-page Proceedings containing ALL materials - no loose paper!
 *  Eight meal breaks, including Meet-the-Experts cocktail party 107th Floor
 *  2-day track of product demo's     *  2-day course for ICCP Security exam
 *  Full-day Legal & Justice Track    *  Full-day disaster Recoveries Track
There is a $25 discount for ACM/IEEE/DPMA members.
Fourth member in each group gets in for no charge!

To register by mail, send check payable to DPMA, credit card number
 (VISA/MC/AMEX), or purchase order to:
      Virus Conference
      Financial Industries Chapter
      Box 894
      New York, NY 10268
 or FAX to (202) 728-0884.  Be sure to include your member number if
 requesting the discounted rate.  Registrations received after 2/28/91
 are $375/$395, so register now!

For registration information/assistance, call (202) 371-1013

Discounted rates available at the Penta Hotel.  $89 per night.  Call
 (212) 736-5000, code "VIRUS"
Discounted airfares on Continental Airlines, call (800) 468-7022, code EZ3P71

Sponsored by DPMA Financial Industries Chapter, in cooperation with

Please report problems with the web pages to the maintainer