The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 80

Tuesday 4 June 1991

Contents

o Another Procrustes bed
Anastasios Vergis
o Privacy and Network Monitoring
anonymous
o Can printing public information be actionable?
Jerry Leichter
o Re: the FBI and computer networks
Steven Philipson
Rob Nagler
John Gilmore
o Re: vote by phone
Geoffrey H. Cooper
Paul Nulsen
o Lottery bar codes no risk, spokesman says
D. King
Alayne McGregor
o Re: Lossy compression
Jerry Leichter
Geoffrey H. Cooper
Phil Ngai
o Info on RISKS (comp.risks)

Another Procrustes bed

Anastasios Vergis <plains!umn-cs!LOCAL!vergis@uunet.UU.NET>
Tue, 4 Jun 91 17:53:49 GMT
I had my first encounter with the Procrustes bed, when trying to give my
forwarding address to Paragon Cable in Minneapolis, MN.  No matter how much it
was squeezed or stretched, their computer would accept it. You see, it was not
a U.S. address.  Being physically present there (I was returning the decoder
box) I could observe exactly what was happening. The address was in Athens,
Greece, zip code: 15235. When he pressed <return>, it would automatically erase
"Athens, Greece" and put there "Pittsburgh, PA". Most certainly, the zip code
was "soft-wired" with the city & state info.  It was disturbing that the
program would not simply issue a warning.  I offered to pay the outstanding
balance (about two weeks service) on the spot, but they could not accept it as
"a bill had to be mailed by the computer", and this would take 10 days or so.
As I was moving in a week, most definitely the operator had a problem in his
hands.  It is interesting how the operator resolved the problem: he simply
backdated the disconnection date, to coincide with the last day of the last
bill, so there was no need any more for a forwarding address. Can't complain,
as I got two weeks' free service ...  Surely a good deal for Paragon Cable as
well (think of the cost to upgrade the software). I can't help wondering how
often they encounter this problem.  The phone company, however, had no trouble
accepting this overseas address.

-- Anastasios Vergis, University of Minnesota, CSci Dept.


Privacy and Network Monitoring

<[anonymous]>
Mon, 3 Jun 1991 12:07:33 xxx
By some odd coincidence, the recent privacy thread in Risks comes along right
on the heels of an ugly incident at the company I work for.  We have a very
large internal network along with a system of newsgroups on a wide variety of
topics.  One of these is called "grumps" which is designed essentially for the
venting of curmudgeonly humor.  It is generally considered to be the electronic
equivalent of the occasional water-cooler gripe session.  Although humorous in
intent, sometimes issues important to the running of the company surface there.
I posted a satirical message last month, taking the company to task for some
bit of silly official pomposity, and thought nothing more of it.

Imagine my surprise when two weeks later, my manager's boss called me into his
office, with a copy of that message on his desk.  He informed me that I should
think carefully about sending out this sort of thing and that it reflected
poorly on me and could jeopardize my professional advancement.  Upon
investigation, I discovered that our personnel department has very quietly
taken on the job of surreptitiously monitoring traffic on certain internal
"recreational" distribution lists.  When something "offensive" is detected, it
gets back, via the personnel system, to the offender's management.

I had a long talk with our VP of personnel who explained that they weren't
"spying", they were just trying to keep "offensive" mail off the net.  Of
course, *they* decide what is offensive or not.  There is a risk here, one
which I don't recall having seen mentioned here before, and it is that
personnel/management people operate under a very different set of values than
the people in the technical community with whom I normally share such postings.
For example, this VP pointed with pride to the fact that she doesn't have a
computer in her office.  The manager I talked to insisted that posting to a dl
is a public act, whereas I view it as private in the same way as a conversation
around the lunch table in a group of friends.  These people have now set
themselves up as social arbiters of a system which they themselves never use.

After thinking about this incident, I implemented an anonymous mail forwarding
system, which would allow people to express their opinions openly without fear
of retribution on unspecified charges.  Not surprisingly, word of this got
around too.  This system proved to be intolerable to Personnel.  They could not
stand the idea that anyone could say what they liked and couldn't be traced,
despite the fact that the company itself operates a "Comment" system, which is
designed to allow people to send anonymous comments to management.  I was
politely asked to stop my forwarding service.  After thinking it over, I
agreed, and I now regret that decision.  The net result has been greatly
decreased traffic on the grumps dl, and a major loss of faith on my part in the
goodwill of the management of our company toward the people who work here.


Can printing public information be actionable?

Jerry Leichter <leichter@lrw.com>
Sun, 2 Jun 91 13:14:43 EDT
In classic "life imitates art" tradition, a case has been filed that resembles
my "Mr. M" hypothetical (of the person who, for "numerological" reasons,
publishes things like PIN's, private phone numbers, and so on).

The following is summarized from the Wall Street Journal (29 May 91, Page B6):
American Airlines (AMR) has sued Travel Confidential newsletter and its
publisher, Paul Edwards, to stop it from publishing lists of discount codes.
The codes, which travelers are supposed to mention when making reservations,
entitle them to discounts of 5% to 40% on airfare, car rentals, and hotel
rooms.  They are intended for people attending conventions.

AMR charges Travel Confidential and Edwards with fraud and racketeering for
publicizing its codes, and asks for a court order banning such publication,
$750,000 in punitive damages, and unspecified losses.  "Travel Confidential
is published with the sole purpose of facilitating, aiding and inducing the
commission of fraud on American and other airlines, hotels, and car rental
agencies," AMR claims.

Mr. Edwards says he is doing nothing illegal by pulling together information
that is publicly announced by convention sponsors.  "Every word comes from
publicly available sources.  There is not one iota of confidential or private
information in this newsletter."  He also denies that he is encouraging his
readers to commit fraud.  Edwards claims that airlines rarely even ask whether
a traveler is attending the event that matches the code.  "If they don't want
people to abuse it, they should police it."  (Where have we heard *that*
before?)  AMR says they are considering doing just that, and also claims that
they could go after individual travelers for committing fraud by using the
discount fairs.
                            -- Jerry

PS  The same issue of the Journal, on page B8, discusses new voice-activated
computer systems for bond trading.  The risks that arise from traders perhaps
being able to activate each other's computers are discussed (but of course
dismissed by those who want the system as not a problem).


Re: the FBI and computer networks

Steven Philipson <stevenp@kodak.pa.dec.com>
Fri, 31 May 91 12:48:21 -0700
 (D'Uva, RISKS-11.76)
>For example, a policeman does not need
>"probable cause" to stop your car when you are driving in an unsafe manner.
>The law has been broken, and that is enough to warrant the law enforcement

   The policeman's observance of you driving in an unsafe or illegal manner
constitutes probable cause.  You cannot be stopped without probable cause (with
the constitutionally questionable exception of sobriety checkpoints).  Search
after a stop for a traffic offense requires additional justification.

   It may not be a good idea for people to post about illegal activities, but
it does happen regularly.  At least one newsgroup contains frequent postings in
which persons report violating Federal regulations (usually inadvertently).
Such postings are of questionable legal value as authentication is difficult
(did Jones make the posting, or did someone who used his account make it?).
Systematic monitoring issues aside, does a posting on the net constitute
probable cause for real-world surveillance of the author?  I don't have an
answer for this.  Is there case law that establishes precedent?

 Arnie Urken writes [ Re: Voting by phone]

> voting by phone enables a citizen to verify that his/her vote is
> actually counted, [...]

   Does it?  How is the voter to know that his vote is not routed to the bit
bucket, or that a later disk crash doesn't obliterate it.  California's
antiquated Hollerith-card method produces a physical record of a vote.  Which
is more reliable?  Which gives the voter a higher level of confidence?

                Steve Philipson


Re: the FBI and computer networks (D'Uva, RISKS-11.76)

Rob Nagler <nagler@olsen.UUCP>
Tue, 4 Jun 91 11:40:42 +0200
The FBI are not just "law enforcement officials", they are public servants.
The "public" are their employers.  Suppose your house servant decides to look
through your belongings, because they believe you might be doing something
illegal.  Do you have the right to tell them not to do it (even if you are
doing something illegal)?  My analogy is certainly trivial.  The point is that
many people seem to forget that the FBI, DoD, &c are working for us and not the
other way around.

200 years have passed since "unreasonable search" was added to the US
Constitution.  The government of our "global village" must take into account
the intent of the Founding Fathers, not just their words.  In 1792 a "grep of
/usr/spool/news" was the house-to-house search of a city.

Rob nagler@olsen.ch


Government should have less access than everyone else

John Gilmore <gnu@toad.com>
Tue, 4 Jun 91 04:51:54 PDT
In RISKS 11.74, Andrew D'Uva asks, "Why should the U.S. Government have less
access than a student at an American university (or a foreign one)?"

I've been rethinking privacy of electronic communications, particularly radio
communications, since Congress is thinking about amending ECPA sometime this
session.  (No bills yet, but...)

My conclusion is that the government should be prohibited from intercepting
*ALL* civilian radio communications, except in certain bands like AM and FM,
while third parties should have full freedom to listen in on any band, as they
did before 1986 and ECPA.

Jerry Berman of ACLU tells me that the real concern in ECPA was to prevent the
government from spying on people.  My proposal addresses that concern even more
fully than his ECPA -- which only protects a minority of the transmissions.
More importantly, a ban on the government monitoring communications is
enforceable -- e.g. by the exclusionary rule, as well as by existing laws
giving citizens the right to sue the government for collecting dossiers on
their exercise of First Amendment rights like free speech.  Speech over a
cellphone is still speech and is still free.

A ban on interception by third parties is clearly not enforceable without
direct confiscation of radio receivers.  Then what's next?  Typewriters and
copiers, as in USSR?  Shortwave radios that receive Radio Baghdad, when they
only want you to hear their side of a war?

Before ECPA, if you transmitted information over the air and wanted to prevent
its being overheard, it was *your* responsibility.  You could encrypt it, use
low power, hide it in noise, whatever.  ECPA created classes of users who are
absolved of this responsibility, such as cellular phone providers; the
government picks up the tab for "enforcing" your privacy.  Only trouble is that
they are incapable of providing real privacy by passing laws, so the user ends
up with no privacy at all.  Had the onus rested on the transmitting party, it
would be clear that it was up to cellular manufacturers to provide the privacy
that people assume about "phones", or to stop marketing cellular walkie-talkies
as "phones".  But lobbyists were cheaper than privacy technology, so we started
putting our personal lives on the air.

Think about it --


Re: vote by phone

Geoffrey H. Cooper <geof@aurora.com>
Fri, 31 May 91 13:26:55 PDT
In the vein of recent discussions about the "dumbing" of the work force, I note
that the vote-by-phone proposal is good, but a little verbose and pedantic for
my taste.  I fear that the proposal is trying to out-stoopid the voters. (on
the other hand, you have to be pretty good to listen to a list of ten choices
and come up with the right number (ever try getting a pizza parlor to list how
you can have it?).  Maybe candidates will now try to be listed LAST on the
ballot).

My belief is that vote-by-phone can be as complicated as filling out
a regular ballot (as mentioned, in CA this can be a challenge).
Also, it doesn't have to be an enjoyable experience (any more
than is standing in line at the polling booth).

My twist on what was mentioned:

    1. Voter requests vote-by-phone by mail.
    2. Confirmation letter contains ballot with PIN on it.
    3. Voter calls to vote and uses the PIN given.

The voter is warned that the PIN is the voter's right to vote: you
lose it, you lost it; you show it to someone, you may have lost it.
Suitable warnings are given about possible scam's to get PIN's.
Reasonable mechanisms exist to deal with ballots that are lost or
stolen a reasonable time before the election.

The ballot contains all the contests, numbered, and all the choices in
each contest, numbered.  Any choice is selectable by dialing a 3 (4?)
digit number (2 digits => contest, 1 digit => choice).

The voter is advised to fill in the ballot to obtain the numbers of
the people he/she is interested in voting for.  Note that many voters
do not vote in all the contests available (abstaining, or in some
obscure local contests (or obtuse CA voter initiatives), a voter might
not feel that he/she can make non-random decision).

The computer you call up is generally re-active, not pro-active.  Thus:

    - The user enters the code of the contest and his vote,
      selecting contest in his own order.  This is faster, and
      makes it easy to not have a vote on something.  It is also
      analogous to the way you vote by paper.

      As pointed out, the user can more effectively get the choices
      from the ballot than over the phone.  If he doesn't have the
      ballot, what is he doing phoning the system?

    - The entire ballot is constructed by making selections, but
      is not committed until the user specifically indicates that
      he is finished.  Up until this time, the user may disconnect
      (accidentally or on purpose) and try again later.

Here is my vision of a phone call, which probably needs to be
simplified:

    <Welcome to phone-a-vote, over XX million served.
         Please enter your PIN now>
    beep-beep...
    <Please vote>
    beep-beep...
    <Contest 23, District vice-scoundrel, you selected Bud Bundy>
    beep-beep...
    <Contest 56, Clean Sewers Initiative, you selected YES>
    beep-beep...
    <Contest 56, Clean Sewers Initiative, you selected twice.  The
        selection has been erased.  Please vote again.>
    ...
    beep-beep...(0000)
    <Your ballot has been accepted.  Thank-you for voting.>
    <click>

Maybe a special code runs through them all in order, so that you can check what
you've done.  Or maybe dialing 569 tells what was selected for contest 56.

   [By the way, the supposedly anonymous messages might still be traceable
   based on the audit log that itemizes all e-mail to and from with a time
   stamp.  So if your automatic reforwarder left the original time stamp, that
   was enough to nail the original sender!!!  PGN]


Re: Voting-by-phone (Campbell, RISKS-11.78)

Paul Nulsen <pejn@cc.uow.edu.au>
Tue, 4 Jun 91 00:23:11 GMT
Larry Campbell asks: Electronic voting? Who needs it?

Although electing people to represent us in parliament is the generally
accepted model for democracy at present, it is not full democracy.  In a
full democracy every voter should be able to vote on every issue, and this
would be possible with electronic voting.

Such a system would clearly require checks and balances well beyond those
needed for electronic voting alone.  In practice parliaments and politicians
would probably need to be retained to keep the political system operating
day-to-day.  There would also need to be stringent systems of review, to
prevent hot-headed decisions and to prevent interest groups from hijacking the
vote on particular issues.

This may not be Utopia, but anyone who complains about the voting of their
representative should take heart that such a system may be achievable.

Paul Nulsen     pejn@wampyr.cc.uow.edu.au


Lottery bar codes no risk, spokesman says (Minow, RISKS-11.78)

<king@ukulele.reasoning.com>
Mon, 03 Jun 91 16:12:35 BST
<>   A. Lottery spokesman David Ellis tells us that, once an instant
<>   ticket is "read" by a bar-code reader, it is invalidated...

That doesn't prevent people with access to unsold tickets from stealing winners
and selling only losers.

Presumably losing tickets seldom if ever get read by the barcode reader even
once, so an agent who sells one will not be trapped by the invalidation
performed when he culls his supply of tickets.  However, since indeed reading a
losing ticket should be rare, I would hope that the security system will be
suspicious of the operator of any barcode reader that gets too big a dose of
losing tickets.
                                        -dk


Bar-codes on lottery tickets

Alayne McGregor <alayne@geas.gandalf.ca>
Tue, 4 Jun 91 13:52:42 EDT
In RISKS-11.78, Martin Minow quoted a representative of the Massachusetts state
lottery as saying that as soon as an instant ticket is read by a bar-code
reader, it will be flagged so that it cannot not be cashed again. What was not
clear was a) whether the physical ticket itself was flagged, b) the number of
the ticket was stored in the card reader, or c) the number was stored in a
central computer?

In case a), what is to prevent an unscrupulous person from xeroxing the ticket
(perhaps onto the correct weight of card stock, if necessary) and
bar-code-reading the xerox?

In case b), what is to prevent the person from going to another bar-code-reader
for the next reading?

In case c), could not a bar-code-reader unconnected to the central computer
read the stored information, which could then be decrypted? The system's
security would then depend on the security of that encryption algorithm.

Alayne McGregor   alayne@gandalf.ca


Lossy compression: Knowing versus guessing

Jerry Leichter <leichter@lrw.com>
Sat, 1 Jun 91 08:38:48 EDT
In Risks 11.77, David Reisner comments on the effects of using "lossy"
compression techniques.  His comments are quite interesting, but I think he,
and many others commenting on this issue early, miss an important point: What
is new here is not the FACT of losses, but what we KNOW about them.

Reisner's example of the new Phillips Digital Compact Cassette (DCC)
compression scheme provides an excellent example of this.  It is quite true
that such a system throws away information.  On the other hand, *so does every
recording scheme ever invented*.  All recording schemes are bandwidth limited.
All will saturate at high amplitudes.  All analogue systems add noise.  It's
easy to contrast DCC with CD's and say "aha, they've thrown away some
information" - but in fact CD's ALSO throw away information: The Nyquist limit
means that they absolutely cannot record any information about about 22Khz, the
14-bit encoding places a limit on their amplitude resolution.  In addition,
CD's used for audio purposes use error correction schemes - what you hear may
not be what was recorded, and will even vary from playback system to playback
system.  Of course, all these "losses" - sounds above 22Khz, the error
correction "patches", and so on - have been chosen to be "unnoticeable" to the
human ear.  This is no different from the DCC scheme; the DCC scheme is just
more clever about it.  It's also no different from many older schemes, from FM
(limited to 15Khz) to Dolby encoding.

A traditional photograph or X-ray isn't "exact" in any sense either.  There is
a finite grain size, a limited amplitude resolution (and a generally quite
non-linear amplitude response), and so on.  Grain size is chosen to be small
enough to (mainly) be ignored by the human visual system.  The details of
response to different light levels and colors in film is chosen for its
appropriateness in a particular use.  Color snapshot film is built to "look
pleasing", not to be "highly accurate" in any objective sense.  X-ray film is
built to produce high contrast of "medically interesting" things.

NTSC color television encoding uses less transmitted energy and bandwidth for
chrominance than for luminance information because the human eye has much less
sensitivity to loss of high spatial frequencies for chrominance.  The color
encoding used is inherently unable to represent some colors that the eye can
perceive (certain dark browns).  All of these choices were made based on
studies of the human eye's abilities.  In fact, JPEG is just uses more
sophisticated versions of the same tricks - and interestingly JPEG is NOT
necessarily lossy: JPEG is a class of parameterized compression algorithms,
with the parameters chosen by whoever does the compression, and it is possible
to set the parameters to avoid any (deliberate) losses.

What's the point of all this?  Just that there is actually nothing new in
losses in representation: They've been with us from the first time we sketched
on cave walls.  Early losses came about as inherent, uncontrolled side-effects
of poorly understood processes.  As we've become more technologically
sophisticated, we've been able to understand the origins of these losses and
ultimately either eliminate them (hiss, rumble, wow and such are non-issues for
CD's) or deliberately choose where they will occur.  Today's recording
technologies, losses and all, are orders of magnitude better than what was
available in the past.

However, from a political/legal/social point of view, there is one significant
difference: What no one could understand or control, no one could be blamed or
penalized for.  If an important distinction is lost in a X-ray because the
film's grain size can't represent it, well, that's the way it is.  But when the
loss can be attributed to someone's particular, definite decision, all of a
sudden blame can be attached: "If they hadn't chosen to save a few bucks on
storage by compressing the image, my client would be healthy today."  Once you
can name the chemical added to the food, you can sue someone for adding it -
and never mind all the thousands of chemicals already there that have never
been analyzed.

Systems have to be built appropriately for their intended use.  The more we
understand and can control about a system, the more choices we can make - and
the more choices we HAVE to make.  When we were not in a position to make the
choice, "nature" made it for us - but it WAS made.
                            -- Jerry


More on Lossy Compression => Rendering errors

Geoffrey H. Cooper <geof@aurora.com>
Mon, 3 Jun 91 13:06:27 PDT
>From: synthesis!dar@UCSD.EDU (David Reisner)
>There are, in fact, lots of compression algorithms that ARE lossy. ...

This is a part of a much more pervasive problem: rendering errors.
For example, a digitally encoded image is ALWAYS an approximation of
the continuous input.  There are mathematical constraints for getting
the right results out of a digital display system without encountering
aliasing effects, but these require filtering -- and this filtering is
generally assumed to be done by the viewer's eyes.

I'll talk about rendering of images, but the same applies to any area
of digital signal processing.

The challenge of image processing is to play around as much as you can
without exceeding a JND (just noticeable difference).  Sometimes we go
a bit further (e.g., 300 dpi laser printers, most computer displays)
and accept what I'll call a JID (just ignorable difference), and some
people end up pulling their hair out because they can't ignore
what we want them to.

Many RISKs enter, in that the JND is a physiological concept, not a
physical concept.  Hence:

- JND is an averaged measurement, some people notice more (like people
  who can hear TV sets -- ouch!).

- Sometimes the JND is not a constant parameter, so a subtle change
  in the application can wreak havoc.  For example, visual flicker
  sensitivity depends on frequency, brightness, and the part of the retina
  that is receiving the signal.  When Cinemascope was tried out some years
  ago (a very wide curved screen), it was found necessary to decrease
  the intensity of the bulbs used in projectors or viewers would complain
  of flicker in the corners of the screen when they looked at its center.

- Multiple JND's typically apply to a situation; you have to take them
  all into account.  For example, the set of pictures of Mars from the
  Viking I lander included an impressive sunrise with rings around the sun.
  The New York Times printed this picture in a two page spread.  Actually,
  the lines were spurious contours (optical illusion), deriving from a
  linear quantization of gray levels in the digital camera.  How many
  million people thought that there really WERE lines around the sun on Mars?

  (Moral: rendering errors can ADD to, as well as subtract from, detail in
  a picture)

- Sometimes the result is not processed by the unaided human eye.  For
  example, if a doctor uses a magnifying glass (or a microscope!) to
  better see some fine detail on a rendered picture (especially with
  lossy compression, but even a photo will do), he may violate the
  limitations of resolution imposed by the imaging process.  In this
  case, who knows what he might or might not see?

The solutions that I come up with:

- Over-engineer rendering so that the user is unlikely to exceed the
  limitations unknowingly imposed on him.  This is what we do in
  photography.  Obviously, this is what computer compression schemes
  are specifically trying to avoid...

- Educate the users to understand what they have.  For example, a
  medical imaging system might have a warning notice on the screen
  that an enlargement of the image is not guaranteed to be accurate,
  or (better) may provide "safe" enlargement primitives that are
  guaranteed not to exceed the limitations of the compression scheme.

Any other ideas?

geof@aurora.com / aurora!geof@decwrl.dec.com / geof%aurora.com@decwrl.dec.com


Re: More on Lossy Compression

Phil Ngai <phil@brahms.amd.com>
Tue, 4 Jun 1991 17:53:38 GMT
I consider image compression schemes which take advantage of the eye's
limited color resolution to be about as dangerous as audio systems
which cut off at 20 KHz. As long as the data is to be used by humans,
there are physiological limitations that are universal and exploitable.
Of course, there are people who still think vinyl records are better than CDs.

Please report problems with the web pages to the maintainer

Top