Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
I received a flyer in the mail today that seems to pose a major risk... Orbit Enterprises, Inc. of Glen Ellyn, IL offers to scan your signature into an HP Laserjet format so that you'll "never again sign a letter, memo, note, or any other laser printed document." This seems to pose a number of threats: 1) If I had my neighbor's signature scanned and then produced a promissory note for $1000 to myself, I could make lots of trouble for him/her. 2) How do I know that Orbit Enterprises does not have nefarious designs on my signature? Is it possible to detect a laser printed signature easily? What is the legality of a laser printed signature? This has been a potential problem for a long time, but the low cost involved ($60) opens up a new criminal method to the masses. Your comments? Al Berg 117-7220@mci.com
On Tuesday March 5, the City of Montreal approved a motion to install equipment to record incoming calls to its municipal information service, which is called Access Montreal. A couple of opposition councillors are planning to go to court in order to challenge the decision to record callers' voices. I hope they succeed. Coincidentally, I also learned from an equipment designer that Bell Canada is planning to introduce Automatic Caller Identification (the caller's phone number is flashed to the called phone between rings using a special modulation scheme). I don't know if callers will be able to block this service. By combining these technologies, it would be possible to construct a file of which phones called the city, and what was said. Peter Jones <MAINT%UQAM.bitnet@ugw.utcs.utoronto.ca> UUCP: ...psuvax1!uqam.bitnet!maint (514)-987-3542
The insidious risks of telco centralized voice mail services aren't really when they don't work--it's when they DO work! True, nice long PINs being available for the users are nice, but how many people will ever bother using them? Given the choice, most people pick short, simple sequences. One must wonder how many choose 1234 or 4321 as their PINs. It might be argued that given the increasingly short PINs available on newer answering machines (3 digits is typical, 2 is not rare, and sometimes not even all of those digits can be changed by the user) the telco PINs are more secure. Potentially true, if used properly. But the real danger is all those nice messages spinning around on the disks down at telco. Of course, we all trust the phone company completely, and when they tell us that nobody will have access to those messages but "authorized persons", we believe them don't we? Sure, encryption systems with the user entering a key could be implemented that would be moderately more secure (though of course, you'd have no way to know that the system isn't recording your keys) but even that level of security is not implemented (nor planned, apparently) in any of the telco offerings. In any case, telco personnel would never just snoop on people's messages, right? The fact that for years it was common for speakers to be hooked up in central offices so that night-shift workers could listen in on "interesting" lines (just for laughs, right?) shouldn't impact our thinking about today's totally honest and upright telcos! And of course, nobody who isn't doing something wrong should be concerned about the potential for law enforcement or other agencies to go to telco and demand access to the messages (probably using the same sort of court orders used to do wiretaps in the case of legal taps, and we all know the government never does "illegal" taps--don't worry about the stories in "The Puzzle Palace"...) But just think--all those nice messages all in one place. And even better, assuming telco keeps (or is ordered to keep) backups and archivals of their data (and what diligent telco wouldn't keep backups?) it could be possible for an agency to go in and not only pick up a person's current messages, but their *past* messages as well, perhaps going back for months or even years! Now that's service! But these sorts of things would never happen, right? And after all, you *were* able to get rid of your answering machine, and you don't *really* care who listens to your boring old personal messages anyway, do you? And if you can't trust the phone company, who *can* you trust?
[*prune? Look MAddi, the Tandem Mailer Shrunk Your Address! Nonstop, too. PGN] The Discussion of droid thinking by Nick Andrew (RISKS 11.21) reminds me of what I went through at Charles Schwab, with the same Telebroker service that was mentioned in RISKS last month. I too had some problems with Telebroker. In particular, I could not add a stock option to a Stock List (a collection of eight stock tickers). The manual did not explain that options cannot be added. In addition, I wanted to add the ticker for Wang Labs to my stock list. Wang's tickers is WAN.B since the stock is Class B. According to the manual, I should enter it as "WANB", e.g. stock name with the B designation appended. However, this did not work. I pressed *7 to speak to a representative. While he was able to get the Wang problem resolved (use a space between the ticker and the designator; of course nowhere in the manual is a code for space given), it took quite a few iterations of people to find out that stock options cannot be added to a stock list. Most annoying was the series of questions he asked me. It was clear he was following a standard flow-chart on problem-solving, rather than listening to what I was saying. Now, having gone through all this nonsense with the Schwab representatives, I went to my local Schwab office and asked for a new manual. They don't have one. So, I asked for a contact who was an expert on Telebroker so I could call that person directly and not deal with the "droids". I thought if I could talk techno-gack-speak directly with a non-droid I'd get some answers. Well, they don't give out contact names. You got questions, go through channels. The office still hasn't gotten back to me on getting a new manual. I didn't let this drop, though. I dropped a note to the President of Schwab, who I met in my job-seeking days. I included the RISKS posting with my letter. He referred me to the head of Telebroker, who happens to be yet ANOTHER Princeton alum (yes, the old-boy/girl network really DOES work). Maybe I'll have a happy ending to this for everyone, or, at least some fixes to the manual.
I received the following letter a few days ago from North Shore
Agency ("A National Collection and Debt Recovery Service" as they bill
themselves) on behalf of US Sprint Long Distance. The original is in
all uppercase, but I'll spare the gentle reader the annoyance. Bad
grammar and punctuation is verbatim:
> We know a lot about you, David Blank
> We know where you live. We know your telephone number. In many cases,
> we even know where you work.
>
> After all, that information was requested when US Sprint extended
> credit to you. And you know a lot about US Sprint long distance
> telephone service. Otherwise you wouldn't have placed an order for
> that service.
>
> Since we know so much about each other, how about paying what you owe
> US Sprint. [3 more collection blather sentences deleted]
This was all in reference to a $14.95 sum which had been paid two weeks before
the letter was sent. After I spent my anger in a phone call to US Sprint, I
realized the humor in the situation. This was an effective public campaign to
educate the public in the abuse of a commercial personal information database
(an anti-risk, if you will). I hope the US Sprint customers (who aren't
card-carrying CPSR members already) learn that they can be threatened with the
very information they gave away to a vendor innocently.
dNb
The personal computer revolution have brought huge amounts of computer power into "ordinary homes." I'm acutely aware of this as I started my career on Illiac-I (1024 words of memory, and a 10K word drum). Now I have a 4 Mips machine (whatever that means) with 8 Mbyte main memory and 300 Mbytes of disk sitting on my dining room table (and it probably costs less than Illiac's daily electric bill). This has led to an incredible price-crunch in the marketplace, and I'm afraid that quality has often been left behind. Consider SCSI: the drive mechanisms are wonderously reliable, but the interconnection has only single-bit parity error detection. There is no end-to-end data block error detection (on the data bus itself). To make matters worse, some manufacturers are abandoning the standard 50 pin SCSI cable in favor of using a DB-25 "modem" cable. This means that the individual signal wires are not independently shielded, yielding increased cross-talk. They do this in the name of "cost savings." (Note that I am not complaining about the disk mechanisms, but about the boxes they are sold in.) This problem may be made worse by the proliferation of compression software (mostly built on the public-domain implementation of the Lempel-Ziv algorithm that was distributed on Usenet some years back). One of the negative side-effects of Lempel-Ziv is that a single bit error in the data stream may turn *all* subsequent data to garbage. In a poor implementation, it will also crash the decompression program. I don't know the right solution to the hardware problem: perhaps Consumer Reports should hire an electrical engineer with an analog oscilloscope (remember analog?) and test end-market SCSI disks. I don't know if there is a decent solution to the software problem — I don't think "education is the answer" recognizes the reality that the users don't know about computers, and don't care: they're only interested in their invoices and medical records and illustrations and books and love letters. Martin Minow minow@ranger.enet.dec.com (New address)
From _The Times_ (London) 5th March 1990
Auditors press for wider computer data security
An audit report published today is expected to say that there have been
improvements in how the government administers the security of its networks.
Nevertheless, some experts believe there is little room for complacency and
that, given the breakneck pace of computerisation of everything from social
security offices to the health service, more money needs to be urgently spent.
More than three years ago, the independent National Audit Office issued a
warning of the dangers to government computer systems from floods, fires and
frauds.
Security and so-called disaster recovery was too low across government
departments, with gaps identified everywhere from the Driver and Vehicle
Licensing Centre to the National Savings department — gaps which, it was
claimed, put at risk huge stores of confidential and commercially sensitive
data and defence information.
Emma Nicholson, Conservative MP for Devon West and Torridge and a former
computer consultant, said that the government, its agencies and quangos[1]
needed to mirror the spending of industry and commerce on disaster recovery.
The private sector spent up to a fifth of budgets on securing computer systems
against fire, floods and fraud, and the public sector should be doing the same,
Miss Nicholson said.
The publication of the audit report brings into focus an area of government
policy which some experts claim is in turmoil amid concern that a serious
review of the way government specifies and buys information technology should
be reviewed[2]. It follows difficulties in implementing the computerisation of
the social security and health service systems.
Up to eight social security offices are on strike because, it is claimed, the
computerisation of the benefits service was made hastily without any notion of
the technical difficulties involved. Michael Meacher, the shadow social
security spokesman, said.
Some experts believe that the government, which spends \pounds 2 billion a year
on information technology, should now consider an information technology
minister to oversee the technical ramifications of legislation. The
computerised community charge[3], which in some cases has needed more staff to
administer than the old rates[3] might never have been passed so swiftly if an
assessment of the computing complexities had been made. Others believe that
there is a need for a panel of industry experts to advise the government and
its own advisers, the Central Computer and Telecommunications Agency.
What concerns some firms is that, in spite of a greater emphasis on competition,
it can take up to three years for the government and the agency to approve a
system, whereas, in the private sector, the time frame is often a few months.
------
Footnotes (by pcl, not in the original).
[1] Quango — acronym for quasi-autonomous national governmental organisations.
[2] This turgid and repetitious phrasing is how it appears in the original.
[3] Two methods of financing local government. Roughly speaking, the
"community charge" (popularly termed the poll tax) is a universal charge on
adults (with 80% discounts for low income groups such as students, unemployed,
etc), whereas the "rates" is a property tax levied on property owners. In both
cases, the level of the charge is set by the local government, subject to
central government imposed maxima. The old rates system was widely regarded as
corrupt; the newer community charge is even more widely held to be unfair.
It's not yet clear what an acceptable method of local government finance will
be.
This book might be of interest. I'll just make a few descriptive comments,
but the book deserves a more detailed analysis by someone who knows about the
social psychology of addictions.
Margaret A. Shotton, {\em Computer Addiction?: A Study of Computer
Dependency}, London: Taylor and Francis: 1989.
A survey-based sociological study of computer addiction. She defines three
classes of computer-dependent people (Networker, Worker, Explorer), according
to the degree to which computer activity connects with, or displaces, social
relationships, with particular attention to marriage problems. The final
chapter's analysis presents a more or less conventional account of computer
addiction as a safe substitute for social relationships that are experienced
as dangerous, by analogy to a variety of other hobbies, such as auto repair.
Phil Agre, University of Sussex
Computerization & Controversy, an anthology of articles about social issues of
computing (including risks), by Charles Dunlop and Rob Kling is now available.
Computerization and Controversy: Value Conflicts and Social Choices
Charles Dunlop and Rob Kling (Editors)
Univ. of Michigan - Flint Univ. of California - Irvine
Many students, professionals, managers, and laymen are hungry for honest,
probing discussions of the opportunities and problems of computerization. This
book introduces some of the major social controversies about the
computerization of society. It highlights some of the key value conflicts and
social choices about computerization. It helps readers recognize the social
processes that drive and shape computerization, and to understand the paradoxes
and ironies of computerization.
Some of the controversies about computerization covered in this collection
include:
* the appropriateness of utopian and anti-utopian scenarios for understanding
the future
* whether computerization demonstrably improves the productivity of
organizations
* how computerization transforms work
* how computerized systems can be designed with social principles in view
* whether electronic mail facilitates the formation of new
communities or undermines intimate interaction
* whether computerization is likely to reduce privacy and personal freedom
* the risks raised by computerized systems in health care
* the ethical issues when computer science researchers accept military
funding
* the extent to which organizations, rather than "hackers,"
are significant perpetrators of computer abuse
The authors include Paul Attewell, Carl Barus, Wendell Berry, James Beninger,
John Bennett*, Alan Borning, Niels Bjorn-Anderson*, Chris Bullen*, Roger
Clarke, Peter Denning, Pelle Ehn, Edward Feigenbaum, Linda Garcia, Suzanne
Iacono, Jon Jacky*, Rob Kling, Kenneth Kraemer*, John Ladd, Kenneth Laudon,
Pamela McCorduck, David Parnas, Judith Perrolle*, James Rule, John Sculley,
John Shattuck, Brian Smith, Clifford Stoll, Lindsy Van Gelder, Fred Weingarten,
Joseph Weizenbaum, and Terry Winograd. (*'d authors have contributed new
essays for the book.)
Each of the seven sections opens with a 20 page analytical essay which
identifies major controversies and places the articles in the context of key
questions and debates. These essays also point the reader to recent additional
research and debate about the controversies.
Published by Academic Press (Boston). 758 pp. Available: March 5 1991. $34.95
ISBN: 0-12-224356-0 Phone: 1-800-321-5068
Individuals may purchase copies directly from Academic Press by calling
1-800-321-5068 or by writing to: Academic Press Ordering Academic Press
Wharehouse, Order Dept., 465 S. Lincoln, Troy, Missouri 63379.
[as in SoftWhare?]
Faculty who offer courses about social issues in computing may order
examination copies from Academic Press. Write on university letterhead or
enclose a business card, and include the following information about your
course: class name and number, department, # of students, books used --in the
past, adoption deadline.
Send your requests for examination copies to: Amy Yodannis, College and
Commercial Sales Supervisor, Academic Press, 1250 Sixth Avenue, San Diego, CA
92101, tel: 619-699-6547, fax: 619-699-6715
Please report problems with the web pages to the maintainer