The RISKS Digest
Volume 11 Issue 57

Tuesday, 30th April 1991

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Reverse engineering and testing of students
    Andrew Koenig
Re: Another commuter train wreck in London
    Dave Roberts
Re: Cable TV "bullet"
    David A Ladd
Re: Free Speech & Govt. Control of Information
    Peter Marshall
Re: Freedom of Information vs Computers
    Daniel C. Swinehart
Email, Privacy, and `small print'
    Herman J. Woltring
Prodigy commentary
    Jeremy Epstein
    Tom Neff
    Robert Hartman
Re: Four-digit address causes NYC death
    W.A.Simon
    Brinton Cooper
    Steve Strassmann
    Martin Minow
D.C. Seminar, "Social Importance of Privacy," May 3, 1991
    Robert Jacobson
Info on RISKS (comp.risks)

Reverse engineering and testing of students

<ark@research.att.com>
Tue, 30 Apr 91 09:45:12 EDT
I was talking recently to someone who told me about his experience taking a
multiple-choice test. There were a lot of questions, most of which he knew, but
some of which were so poorly designed that he could not tell which of several
alternatives was the right answer.  Of course, he left those blank on his first
pass.

After he had answered the ones he knew for sure, he noticed a pattern beginning
to emerge on the answer sheet.  The spaces for answers were arranged in two
columns, and he saw that the left column had exactly the same pattern of
answers as the right column, not counting the gaps, except that it was inverted
and reversed.  The pattern was too consistent to be a coincidence, so he used
that information to fill in the rest of the answers.  Sure enough, each answer
indicated by the pattern matched one of the answers he had considered possible
for that question.

When it came time to grade the test, the grading procedure explained
everything.  The grader took a sheet of opaque plastic with a bunch of holes in
it, placed it over the answer sheet, and marked as wrong all the questions
where an answer didn't show through a hole.  He then flipped the template over,
turned it upside down, and repeated the process for the second column.

                --Andrew Koenig, ark@europa.att.com


Re: Another commuter train wreck in London

Dave Roberts <dwr@ssl-macc.co.uk>
Tue, 30 Apr 91 16:44:05 GMT
Following the report in RISKS-11.52 from ClariNet I thought that the Forum
readers might like to know that the trains were not both under computer control
at the time.  The train which was on the receiving end of the bang was under
manual control at the time because of "previous failures" according to the UK
Daily Telegraph.

The question which occurs to us is "Why did the computer driving the second
train not know where the first one was?"  No answers available in the UK at
the moment because the inquiry is still in progress.  The speed of impact was
about 5mph and no one was hurt but the whole line was down for 7 hours.


Re: Cable TV "bullet"

David A Ladd <ladd@iwsgw.att.com>
Tue, 30 Apr 91 12:28:41 EDT
>But most of these folks in question are otherwise legitimate cable subscribers
>who have been "sold" a modification to their cable boxes, MOST OFTEN BY A
>CROOKED CABLE COMPANY INSTALLER

Note that the installer need not be crooked, but may be merely incompetent or
generous.  When I was in high school, before everyone had cable-ready
equipment, it was common to have a cable box fail, call for service, and end up
with unaccounted-for and unrequested cable services. In fact, of the three
households I was aware of with cable, all three eventually had the full set of
movie channels without paying for them or in some cases even wanting them. To
have this sort of case turn into a ``theft of cable services'' prosecution
seems ridiculous.


Re: Free Speech & Govt. Control of Information

Peter Marshall <peterm@halcyon.UUCP>
Tue, 30 Apr 91 08:42:15 PDT
Larry's response to Jerry Leichter's earlier post on this topic is
well-reasoned and compelling. Yet, while it may generally be the case, as Larry
states, that "commercial entities do not have the same free speech rights that
individuals do," this observation must, perhaps unfortunately, be qualified in
part by the little matter of "corporate First Amendment rights." Amazing what
you can do after defining "corporation" as "person" in legal terms. See, for
example, THE INCORPORATION OF AMERICA.
                                                  Peter Marshall
halcyon!peterm@seattleu.edu
The 23:00 News and Mail Service - +1 206 292 9048 - Seattle, WA USA


Re: Another article: Freedom of Information vs Computers (RISKS-11.55)

<Daniel_C._Swinehart.PARC@xerox.com>
Tue, 30 Apr 1991 08:40:11 PDT
Bob Frankston commented on the relative utility of data when provided in "the
original machine readable tape format or on 'more than 1 million sheets of
paper.'"  Paper is becoming ever more machine-readable these days.  It won't be
long before these decisions can again be made solely on the basis of the
message, not the medium.


Email, Privacy, and `small print'

Herman J. Woltring <UGDIST@HNYKUN53>
Tue, 30 Apr 91 10:24:00 N
Considering yesterday's issue of the RISKS-Forum Digest (volume 11, No. 56)
on breach of privacy, email censoring, and improper `small print' in contract
clauses, I am reposting part of my note of last February on public access to
email facilities.  [...]

> Date:      Sat, 23 Feb 91 11:10:00 N
> Sender:    Biomechanics and Movement Science listserver <BIOMCH-L@HEARN>
> From:      Herman J. Woltring <ELERCAMA@HEITUE5.BITNET>
> Subject:   Public access to Internet etc.
>
> Dear Biomch-L readers,
>
> While email communication is usually available for free to account holders
> on EARN/BITNET, Internet, etc., (log-on time, disk usage, paper output
> typically being charged), it may be useful to mention that email access is
> also becoming increasingly available through PC and modem facilities by
> telephone [...; typically, number of transmitted bytes and/or logon time
> being charged — HJW].
>
> Interestingly, one such service (PRODIGY) has been accused of censoring
> email to and from its subscribers.  Whether this allegation is true or
> not, such issues do raise concern about freedom of opinion, free access
> to information, and similar fundamental rights in a networking context,
> especially if (with some justification, perhaps) `network harassment' is
> used as an argument to counter network `flaming'.  As said at a previous
> occasion: "verba volant, scripta manent" ...

The allegations in RISKS-11.56 against Prodigy and GEnie, two commercial
email service providers in North America, warrant considering the question
whether it is about time that Postal legislation (i.e., postal services are
not entitled to refuse, (unnecessarily) delay, read, or censor your mail,
or to divert it from its destination without a proper court order) shall
also apply to electronic mail, whether through private or public channels.

I do not propose to have this topic as a debate on this list; however, I think
that a pointer to the relevant debate is not out of place even on a discussion
list like ours, and I shall be happy to consider any comments sent to me
privately.  I might mention in this respect that the Dutch legislature is
currently considering a Computer Crime Bill in which unauthorized access to
computers, e.g., by networking, is considered a felony, and that some of the
proposals remind more of the U.K.'s Official Secrets Act than of the U.S.A.'s
Freedom of Information Act.  One heavily debated topic is to what extent
computer trespassing will be declared a criminal offence if no appropriate
security is provided by system management.  If not, private (and public)
interests can afford to neglect system security and yet call upon public
authorities for free to protect their interests once they observe that their
sloppiness has been `used'.  This is unusual in Civil Law as any insurance
company will be happy to point out, and not very compatible with the classical
view that Criminal Law is the Ultimate Resort, `when all else fails'.

Herman J. Woltring, Biomch-L co-moderator & (former) member, Study-committees
on s/w & chips protection / Computer crime, Neth. Society for Computers and Law


Prodigy commentary

Jeremy Epstein <epstein%trwacs@uunet.UU.NET>
Tue, 30 Apr 91 09:43:47 EDT
I found the comments on Prodigy very enlightening.  I'm glad I'm
not a subscriber.  However, I was very concerned by one comment:

>     I invited you to look at your own STAGE.DAT file, if you're a Prodigy
>user, and see if you found anything suspect. Since then I have had numerous
>calls with reports of similar finds, everything from private patient medical
>information to classified government information.

If you have classified government information on your PC, you should
not be using it to call *anywhere* using *any* comm package.  That's
just good sense (and it may even be the law, I'm not sure).

I'm certainly not defending Prodigy...if what was described is accurate,
it certainly sounds like a mass invasion of privacy, theft, and some
nice big lawsuits.  Has any of this made it into the non-technical press
(e.g., Wall Street Journal, NY Times, LA Times)?

Jeremy Epstein, Trusted X Research Group, TRW Systems Division, Fairfax
VA   +1 703/876-8776   epstein@trwacs.fp.trw.com


Prodigy and STAGE.DAT strangeness

Tom Neff <tneff@bfmny0.bfm.com>
30 Apr 91 15:18:47 EDT (Tue)
The simplest explanation for private customer data appearing quasirandomly in
the Prodigy STAGE.DAT file is that the access program may allocate buffers
without clearing them, then write a comparatively little bit of binary data
into them and flush to disk.  The unused buffer areas still contain whatever
was lying around in memory before Prodigy was started, and this "garbage" will
end up on disk.

This proves neither malfeasance nor innocence on Prodigy's part; but, at worst,
carelessness.  Clearly their program *could*, if it wished, transmit your
computer's entire memory and/or disk contents back home to the Prodigy host.
And it could do so *without* storing anything in a file like STAGE.DAT!  That's
simply a RISK of accepting some black box piece of software in the mail and
running it.  "Run me," Alice?
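
The mechanism described in the post above, as an added example that is not part of the original post and is not Prodigy's code: a buffer is taken from reused memory, a short payload is written into it, and the whole block is flushed. The pool allocator, function names and sample strings are constructed for illustration so the effect is deterministic; `clear_first` shows the fix of zeroing the buffer before use.

```c
#include <stdio.h>
#include <string.h>
#define POOL_SIZE  256
#define BLOCK_SIZE 64

/* Constructed stand-in for memory that is reused between allocations. */
static unsigned char pool[POOL_SIZE];
static size_t pool_next;

/* Hypothetical bump allocator: hands out blocks without clearing them. */
static unsigned char *pool_alloc(size_t n) {
    if (n > POOL_SIZE - pool_next) return NULL;
    pool_next += n;
    return pool + pool_next - n;
}
static void pool_reset(void) { pool_next = 0; }  /* releases all; old bytes stay */

/* An earlier program leaves data behind in memory, then exits. */
static void earlier_program(const char *data) {
    unsigned char *p = pool_alloc(BLOCK_SIZE);
    if (p != NULL) strncpy((char *)p, data, BLOCK_SIZE);
    pool_reset();
}

/* Puts a short payload in a fresh buffer and flushes the WHOLE block. */
static void write_stage_block(unsigned char *disk, const char *payload, int clear_first) {
    unsigned char *buf = pool_alloc(BLOCK_SIZE);
    size_t len = strlen(payload);
    if (buf == NULL) return;
    if (clear_first) memset(buf, 0, BLOCK_SIZE);   /* the hardened variant */
    memcpy(buf, payload, len < BLOCK_SIZE ? len : BLOCK_SIZE);
    memcpy(disk, buf, BLOCK_SIZE);                 /* block-sized write, not len bytes */
    pool_reset();
}

static int block_contains(const unsigned char *blk, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i <= n - m; i++)
        if (memcmp(blk + i, needle, m) == 0) return 1;
    return 0;
}

/* Returns 1 if the earlier program's data appears in the block on "disk". */
int residue_leaks(int clear_first) {
    unsigned char disk[BLOCK_SIZE] = {0};
    pool_reset();
    earlier_program("PATIENT: J. DOE (constructed sample)");
    write_stage_block(disk, "HDR1", clear_first);
    return block_contains(disk, BLOCK_SIZE, "J. DOE");
}
int main(void) {
    printf("leak without clearing: %d, with clearing: %d\n", residue_leaks(0), residue_leaks(1));
    return 0;
}
```

Writing only the bytes actually filled, rather than the full block, closes the same leak from the output side.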


Re: Prodigy, etc. (RISKS-11.56)

Robert Hartman <rhartman@thestepchild.esd.sgi.com>
Tue, 30 Apr 91 11:32:55 PDT
WRT the controversies over censoring e-mail and selectively denying service to
customers who complain, there already are some laws that should be applicable.
It seems to me that there's nothing all that different between an e-mail
service and a phone company--except the format of the data being carried. The
various phone and long-distance companies are common carriers, and governed by
FCC rules.  Am I wrong in thinking that a common carrier is not allowed to
interfere with the communications they carry, and that they cannot eavesdrop
without a court order?  Now, broadcast mail may be open for public scrutiny and
rebuttal, but if a carrier offers a "conference call" service, I don't believe
that they can restrict anyone from using it, or from saying what they like in
the course of such a call.  Bulletin board postings seem to me to be analogous
to conference calls in the same way that private e-mail messages are akin to
private calls.

A sharp lawyer ought to be able to convince a judge or jury in a civil suit
(where a preponderance of evidence is all that is necessary to win) that
Prodigy and the others, in offering their e-mail and BBS services, are
operating as de-facto carriers for electronic communications.  As such, they
should be held accountable under the same rules as any other carrier, and
liable for any breaches.  Esp.  when they are run by large corporations with
legal staffs.  They can't plead ignorance.  I can't understand why they'd risk
legal exposure in this way, not to mention the negative publicity of a trial!

A risk in obtaining such a ruling would be that all BBS operators--at least
those using the phone lines, might have to be licensed.  But then, if there are
enough of them who write enough letters to legislators, a new class of licenses
for "amateur e-mail and BBS carriers" could be mandated.  We could even make it
an automatically-granted license, so long as there is no charge for the
service.

As far as the issue of Prodigy uploading private data goes, this sounds like a
clear case of wire fraud to me.  Wish I were the lawyer to get that case!  Can
you spell "class action?"  I knew you could.  Mr. and Mrs. Middle Class America
will be mightily annoyed if this is true.


Four-digit address causes NYC death (Nilges, RISKS-11.55)

W.A.Simon <alain@elevia.UUCP>
Tue, 30 Apr 91 14:56:06 EDT
I have a hard time accepting this.  I have designed and programmed applications
for the military, for banks, for large corporations, for government
administrations, and even for a hospital.  I have never encountered a situation
where this limitation could have been a problem.  If a 9 position field was
required, it showed on the screen as a 9 position field, or the analyst (and
later the users) would catch it.  Testing would also take care of internal
field truncations (due to programming errors rather than design weaknesses).
Blaming the language for poor discipline is like blaming Henry Ford for road
casualties.

From a different perspective, there is no way to guarantee that a program will
be error free (in respect to field truncation) simply by mandating dynamic
field length.  There can be other sources for this kind of error.  And we
should remember that it is not possible to outlaw human failures or plain
stupidity.

>           How about legislation concerning responsible display and capture of
> COMPLETE information?

And legislation concerning the proper use of toilet seats...

>                        Or, at the level of civil lawsuits, the fact that a
> defendant's system truncates data should always weigh against the defendant.

It is very probable that, should such error be documented, a civil
court judge would find sufficient ground against the defendant.

Alain                                                UUCP: alain@elevia.UUCP


Re: Four-digit address causes NYC death

Brinton Cooper <abc@BRL.MIL>
Mon, 29 Apr 91 23:22:58 EDT
Ed Nilges reports on the death of a man in NYC because the computer system
which dispatches emergency personnel was not programmed to handle 5 digit
addresses.  Ed goes on to make a well-reasoned argument on what might and might
not be done about this.

I have another suggestion: I believe that cases such as this argue my thesis
that there should be less "programming," in the traditional sense of the word.
It seems to me that spreadsheet and database tools which permit a limited
number of "well-defined" and "obvious" operations by the user may well inhibit
many of the errors permitted, even encouraged, by so-called "powerful"
languages.

This is just a hunch; I wonder if Risks folks know of data to refute or
support this bias?
                                        _Brint


static memory allocation causes NYC death

Steve Strassmann <straz@media-lab.media.mit.edu>
Mon, 29 Apr 91 22:52:12 EDT
One RISK of using C and unix extensively, so it would seem, is that it
makes it hard for some people to distinguish between "C does this
incredibly stupid thing" and "most languages do this incredibly stupid thing."

For example, since C is a de-facto standard, these people make so-called
"general-purpose" CPU's, saying "of course it's general-purpose, it's optimized
to run C, isn't it?"


re: truncation of fields (Risks 11.55)

Martin Minow 29-Apr-1991 2226 <minow@ranger.enet.dec.com>
Mon, 29 Apr 91 19:32:22 PDT
In Risks 11.55, Ed Nilges comments that only a few programming languages
allow completely variable-length strings.

The problem isn't quite as bad as Ed suggests.  In addition to "REXX and
certain Basic interpreters," one might add Ansi Mumps (which is quite
suitable for database applications), Pascal (which supports variable
length strings up to 255 bytes), PL/I, the VMS command language,
and many, if not all, personal computer database packages.

In many cases, however, the problem is not due to the programming language,
but to the original database design.  Many of these systems grew, one
small step at a time, from punch-card based address lists, without the
benefit of — or opportunity for — a redesign.
                                                  Martin Minow


CPSR Washington Seminar, "Social Importance of Privacy," May 3, 1991

Robert Jacobson <cyberoid@milton.u.washington.edu>
Tue, 30 Apr 1991 05:38:07 GMT
       * CPSR Seminar Series *
  "The Social Importance of Privacy"

  Priscilla M. Regan, Department of Public Affairs, George Mason University

CPSR Washington Office, Friday, May 3, 1991, noon - 2 pm

Most legal and philosophical writing views privacy as important to the
individual, as a safeguard that allows for personal self-development, and a
political freedom that protects private or intimate relationships.  But this
emphasis on the importance of the individual has concealed another aspect of
privacy -- its social importance.  Professor Regan will explore the
philosophical and legal basis for the social or public importance of privacy,
and will examine the policy implications of viewing privacy from a social
perspective.

CPSR Washington Office, 666 Pennsylvania Ave., SE, Suite 303, Washington, DC,
202/544-9240 (one block from the Eastern Market metro)

In cooperation with The United States Privacy Council

[if you would like to be notified of future CPSR Seminars, please send a note
with e-mail address to mrotenberg@csli.stanford.edu]
