The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 12 Issue 15

Thursday 22 August 1991

Contents

o Electronic mail beams shuttle's message home
Joe Abernathy
PGN
o The RISKS of a national computerized entertainment ticketing network
KJPhelan
o Personal data in California
Phil Agre
o Electronic Library Systems in Airliners
Robert Dorsett
o Microsoft, IBM demonstrating faults in each other's products
Jon Jacky
o "Citicorp Creates Controversy With Plan To Sell Data ..."
Jerry Leichter
o NY Times Letter on Fake Documents
Sanford Sherizen
o ATM videotapes
Jyrki Kuoppala
o Re: Bell V22 Osprey crash -- assembly error
Henry Spencer
o Info on RISKS (comp.risks)

Electronic mail beams shuttle's message home

Joe Abernathy <edtjda@magic322.chron.com>
Wed, 7 Aug 91 20:11:05 CDT
[I have abridged the following article for RISKS relevance, although I presume
its submission by an author could be considered tantamount to our being able to
use the entirety with permission.  I unfortunately did not get to see it until
22 Aug, or this posting would have been more timely.  But, please see the
message following this one.  Joe, MANY THANKS for sending it in.  PGN]

Electronic mail beams shuttle's message home
By JOE ABERNATHY and MARK CARREAU
05AUG91, Houston Chronicle, Page 1A, Copyright 1991, Houston Chronicle

   Electronic mail networks, the message medium of the information age, made
their debut in the space age Sunday aboard the shuttle Atlantis as part of an
effort to develop a communications system for a future space station.
   Details of the test were being closely guarded because of concerns over a
possible hacker incident or "public free-for-all'' on the nation's computer
networks, according to one engineer involved with the project. Privacy and
medical ethics also loom large as issues.  [...]
   Electronic mail offers a new way for astronauts to stay in touch with their
families, Mission Control, and potentially, the millions of people who use the
nation's interlinked computer networks. It could produce far-reaching change in
the way scientists and others interact with the space program.  Currently, only
the shuttle communicator is allowed to talk with the astronauts during a
flight, except for a private medical conference each day. E-mail could change
that by letting any number of people exchange information, while scientists and
engineers on the ground could assume direct control over their experiments in
space.
   [Bryon] Han and fellow Apple employees Michael Silver and James Beninghaus
have donated their time to the project.  They are using low-cost, commercially
available products, rather than the costly custom products often used in
science. [!!!]  The e-mail will play a role in controlling experiments,
electronic flight information, and transfer of experiment results to the
ground, Han said, as well as sending data up to the shuttle.
   In the future, the system might be used to transmit and manipulate
information from the many medical experiments NASA conducts. But this raises a
number of problems regarding privacy and medical ethics.  For example, one
experiment in this flight seeks to correct a blood-flow problem associated with
weightless ness that causes some astronauts to faint upon their return to
Earth.  But this experiment is being monitored with the same Apple computer
that is playing host to the e-mail system.  Even though the results aren't
being transmitted over computer networks this time, they might be next time --
and computer networks are notoriously insecure.
   Inquisitive computer enthusiasts -- hackers -- are in fact one of NASA's
chief concerns in regard to the use of electronic mail.  The space agency
initially sought to conduct the tests without publicity, but word quickly
percolated around the nation's computer networks -- perhaps indicating that the
concerns were justified.  A chorus of calls was heard requesting the e-mail
address of the astronauts -- but that raised another problem more pressing than
any threat from malicious hacking, that of capacity.
  "We have things we need to accomplish with the limited amount of time we
have, and we do have a very limited amount of data we can move between Mission
Control and the orbiter,'' said Deborah Muratore, an engineer in the space
station support office at Johnson Space Center and the experiment manager.
   In addition to voice communication, the shuttles are equipped with Teletype
and fax machines for the transmis sion and reception of printed material and
even photo graphs.
    "Conceivably, everything they move that way could be moved from computer to
computer,'' Muratore said. "From a space station standpoint it would be much
preferable to transfer the information electronically without paper in the loop
the way we do today on the shuttle.''  "Paper is going to be a limited
resource, something that has to be thrown away or reused on the space
station,'' she said. "It becomes trash. So the more we can eliminate on the
space station the better off we are.''
   The current experiment does not represent the first time that civilians have
had a direct communications link with those in space. Since January, the Soviet
space station Mir has maintained a "mail drop'' for ham radio operators to use
in leaving messages for the cosmonauts.  "It's very similar'' in function, said
Gary Morris, a former member of the Johnson Space Center Amateur Radio Club who
now lives in San Diego. "The packet bulletin board system on Mir allows an
amateur (ham radio operator) on the ground to leave mail messages.  "What
they're doing with the Mac is different in that they're going through the whole
(electronic mail) network.  It's much more complex.''

-- Joe Abernathy

   [By the way, a sidebar (see next message) is omitted here.  PGN]


Re: Electronic mail beams shuttle's message home

"Peter G. Neumann" <neumann@csl.sri.com>
22 Aug 91 09:00:20 PDT
It is worth noting that Joe Abernathy's Houston Chronicle article (the previous
message in this issue) included a sidebar (omitted above).  This sidebar
actually included the EMail address for the shuttle (which I have consciously
not included here -- we wouldn't want RISKS to be accused of subverting the
Shuttle, even though the address had been widely circulated!).

In RISKS-12.13, Peter J. Scott cited an article by Joshua Quittner (*Junk Mail
in Outer Space*) and noted that the test of EMail was threatened by
"unauthorized" EMail.  "The leak behind the E-mail address remains a mystery."

Some mystery!  Things like that don't stay "secret" for very long.  This is
another example of an ostrich-oriented protection policy (OOPP) -- stick your
head in the sand and pretend no one will find out what you know.

Furthermore, the old "authorization" paradox has reared its ugly head again.
...  ``threatened by "unauthorized" EMail'', eh???  Sending EMail to someone
REQUIRES NO AUTHORIZATION.  (You all recall that in the Internet Worm, the use
and misuse of the sendmail debug option, finger and gets, .rhosts, and copying
an encrypted password file REQUIRED NO AUTHORIZATION, irrespective of whether
they were appropriate acts.)  If authorization is to be required, then some
form of hard-to-forge identification and authentication must be imposed.  It's
high time that was better understood.  On the other hand, if no authorization
is required, no one should be surprised if a mechanism requiring no
authorization is misused!!!


The RISKS of a national computerized entertainment ticketing network

<KJPHELAN@SUNRISE.ACS.SYR.EDU>
Wed, 21 Aug 1991 3:08:50 EDT
     The RISK I wish to address is perhaps much lighter than those we usually
consider, but it is one I contend is actually a very serious risk posed by a
national computerized netword.

     This summer the federal government cleared the way for the privately held
Ticketmaster Corporation to aquire Ticketron, its rival.  This has led to the
existance of one company's computer network having control over the seating of
every major entertainment or sporting event in the country.  While many would
consider this a very inconsequential risk, I contend that the risks are in fact
severe.

     There are more than 8,000 Ticketmaster locations across the country, each
with access to every seat in almost every arena in the country.  They are
everywhere from convience shops to record stores, each with several people with
access to its functions.  Unlike other national networks, there are few
restictions on employees use of the network.  With most employees at terminal
locations making not much over minimum wage, organized crime, among others have
realized that for a few hundred dollars they can buy choice seats that can be
brokered for ten times their face value and up. (For more information refer to
recent articles in Forbes, The Wall Street Journal, and Rolling Stone
Magazine.)

     I see a risk here to the principle of fair play, that being first come
first served. I would like to know more about the systems that make up these
networks.

     The RISK is obvious: the next time you end up in the upper tier in Yankee
Stadium, or find that seats to a broadway show are only available from brokers
for $200, it may be because of unauthorized access to a computer network.


Personal data in California

Phil Agre <pagre@weber.ucsd.edu>
Tue, 20 Aug 91 18:46:07 pdt
Three brief notes on the privacy of personal data in California.

1. Having just moved to San Diego, I called the phone and gas&electric
companies to get service turned on at my new house.  When the clerks on the
phone asked me my social security number, I very politely asked them why the
wanted that information.  Whereupon they both became incredibly hostile,
haranguing me and accusing me of disrupting their jobs and giving me pointedly
useless answers to the effect of ``because it's on the form''.  After two or
three times round this, it finally transpired that there are other established
ways to proceed without my SSN, by paying a deposit (to avoid a gas-company
credit check) or by showing a picture ID at a company storefront (the phone
company wanted my SSN to *verify my name*).  But to find this out, I had to
calmly repeat questions, cite laws (says the phone company person, without
skipping a beat: ``but those laws are antiquated''), and suffer snide tones of
voice for some time.  And I'm sure these companies happily tell reporters and
members of congress about their established procedures for people who do not
want to supply their SSN's.

2. Rodney Hoffman's useful summary of the LA Times article on the failure of
measures intended to prevent abuse of personal information in DMV databases did
not mention what I found the most amazing part of the article, the complete
indifference of the DMV to the problem.  Those who've been following this issue
are aware that the DMV has been fighting tooth and nail to avoid having to keep
any personal data confidential.  (Whether this is because they don't want the
attendant legal liability or because they are in cahoots with the people who
profit from that data is not clear, at least to me.)  I would provide some of
the quotes from interviews with DMV officials, but they are so extreme that
they ought to be read in full context.

3. It is useful to keep this DMV business in mind when considering the new
edition of the state Department of Transportation (Caltrans) proposal
(previously described on RISKS) to affix transponders to cars that broadcast
VIN's when pinged by roadside transmitters.  I'll let others evaluate the
technical details and just mention two points.  (1) The section specifying the
cryptographic scheme to be used is empty.  (2) The text, as usual with
technical specs, does not address the civil-liberties issues it raises, but it
does make a big point of explaining that it's up to *other* parts of the
government to decide what to do with the data.  ``Hey, we just send them up.
The legislature decides where they come down.''  In my own opinion, this device
and all other personal tracking devices are wrong and cannot possibly be more
beneficial than dangerous, especially given the frightening tendencies of the
current Supreme Court majority.  Please write a letter to someone in the
California state government right away.
                                                Phil Agre, UCSD


Electronic Library Systems in Airliners

Robert Dorsett <rdd@cactus.org>
Tue, 6 Aug 91 20:18:43 CDT
Airbus Industrie and Boeing have petitioned the FAA for permission to develop
an automated "reference system" for use in airliner cockpits.  Thus far,
automation in airlinrs has been of a purely functional basis: controlling or
displaying systems information.  In some cases, a crew alerting system has been
integrated to display what corrective measures to take by displaying an
emergency checklist.

What the Electronic Library System will do is replace most of the normal
cockpit paperwork with a computer-based reference system.  This would include
aircraft operations manuals, maintenance information, checklists, cabin
management tools, all systems logs, etc.  This would all be integrated into a
hypertext database, with a graphics interface.

It could potentially be driven by existing Flight Management System components
to provide a dynamic, "nice-to-know" information system.  In the case of an
engine emergency, for instance, the system could produce relevant checklists
*and* the secondary ability to step down into relevant Operations Manual pages,
to review the relevant systems.

The 24 July 1991 FLIGHT INTERNATIONAL has a two-page article detailing aspects
of this system.  Relevant portions:

- An ELS will be integrated into United Airlines 777's after first delivery in
1995.  United intends to retrofit its entire fleet with the system soon
thereafter.  [ We may soon be able to spot United pilots by the heavy
briefcases they *aren't* hauling everywhere. :-) ]

- Being developed by Honeywell, Bendix, Rockwell-Collins, Sextant Avionique,
and Smiths Industries (front-runner Rockwell).

- A "total storage capacity" of "60,000 pages." of information.  [ This has to
be assumed to include graphics information as well.  An airliner usually comes
with about 50,000 paper pages of integrated text and graphics in the form of
operations, training, and maintenance manuals.]

- No existing standard for the format, display, or control of the
data.

- Will use Line-Replaceable Modules (hard avionics, including power module,
processor, "magnetic mass-memory" and "magneto-optic" modules), connected to
terminals via fiber-optic links.

- Will be developed using a modular approach, adding memory [processors?] as
necessary.

- Will use "dispatch disks," created by the airline dispatch department, and
carried by pilots and inserted into the system to update meteorological
information, flight plans, etc.

- Collins is investigating a hardware interface that would plug into the
aircraft at the gate, and download information that way.

- Data enumerated by the magazine is subdivided into operations, maintenance,
and cabin applications.  Operations: Taxi diagrams, Ops manual, Minimum
Equipment List, Preflight info, Company policies and procedures, flight manual,
performance data, flight log, check-lists, systems diagrams, appraoch plates,
and navigation charts.  Maintenance information includes a maintenance log,
illustrated parts list, maintenance manuals, fault isolation and reporting
data, trouble-shooting procedures, and equipment location.  Cabin data includes
check-lists, special passenger needs, announcement scripts, cabin maintenance
log, flight schedules, reservations, reaccomodation, and supply inventory.


Personal comments:

The concept is quite exciting.  It can potentially give pilots access to an
overwhelming quantity of information, only a fraction of which they currently
have access to at the moment.

The main problems are that it will undoubtedly promote even more of a
heads-down attitude, and that a great deal of tangible "paper" data will be
locked up in a computer.  Combine this with the obvious complexities of data
collection, formatting, and the software reliability issues of the user
interface, and we have a potential situation of ELS failures or omissions
leaving the flight crew high and dry.

I'd like to see--at the very minimum--an independent, "portable" backup for the
operations component of the information.  I'm sure some vendor would be more
than happy to sell a $50,000 laptop to the airlines. :-)

The FLIGHT illustration of the top-level user interface is of an overpoweringly
primitive touch-screen format.  Touch-screens are totally unsuitable for this,
IMHO.  They need to use trackballs.  No comment is made, but I'd bet they plan
on using ABCDE keyboards, instead of QWERTY keyboards, too.  Avionics
manufacturers appear to still be wallowing in the 1970's when it comes to
designing user interfaces.

Robert Dorsett  Internet: rdd@cactus.org  UUCP: ...cs.utexas.edu!cactus.org!rdd


Microsoft, IBM demonstrating faults in each other's products

Jon Jacky <JON@GAFFER.RAD.WASHINGTON.EDU>
Mon, 5 Aug 1991 22:14:53 PDT
This excerpt appeared in a long article about the rift between Microsoft and
IBM in the business section of the NEW YORK TIMES, Sunday August 4, 1991, pages
1 and 6 (section 3).  The article is "One Day, Junior Got Too Big" by Andrew
Pollack:

"... Mr. (William) Gates said he is angry about a demonstration by I.B.M. a few
months ago in which it showed how easy it was to make (Microsoft's software
product) Windows "crash" or stall.  Microsoft responded last month by showing
securities analysts how easy it was to crash (I.B.M.'s software product) OS/2
as well. ..."

- Jon Jacky, University of Washington, Seattle

        [People who fliv in crass grouses shouldn't foe knowns.
        The crashability of both are well known to most enlightened people.

             Into the crash can you go.
             Do YOU do Windows?
             You might WIN DEC'S disapproval.
             Or else, let the SUN shine in.
             But don't put all your X in one window.
             PGN]


"Citicorp Creates Controversy With Plan To Sell Data on ... Purchases"

Jerry Leichter <leichter@lrw.com>
Thu, 22 Aug 91 10:08:42 EDT
The Wall Street Journal (21 Aug 91, page B1) reports that Citicorp has proposed
to give marketers access to files on its 21 million customers.  The marketers
could use the records of purchases in creating targeted mailing lists.

Privacy advocates "are aghast that outsiders could have access to data as
revealing as credit-card records."  Georgetown University professor Mary
Culnan cited Citicorp's plans in testimony to Congress earlier this year,
saying that "These transaction records reflect the most intimate details of
our personal lives, yet they do not receive any legal protection."

Citicorp says it intends to disclose data only in broad categories - for
example, it might release a list of cardholders who buy goods for children.  It
does not intend to disclose store-by-store details.

American Express has offered a similar program for ten years, apparently
without controversy.  Banks and industry officials say they know of no other
such programs; however, the Direct Marketing Association says it suspects that
similar programs exist.  In a curious turn, members of the DMA, and other
sellers, are concerned about the privacy aspects of such programs - and about
their impact on property rights.  Citicorp is, in effect, selling a marketer's
customer lists to its competitors.  "`The most valuable asset you have is that
list,' says John Roberts, president of After the Stork, a mail-order
company....  He thinks it's unfair for a credit card company to exploit `data
not generated by them but just recorded and captured by them.'  After the Stork
rents lists of its 500,000 customers for about 10 cents a name."  (Apparently
Roberts isn't willing to apply the same kind of standard to the information his
customers provide to him.)  Citicorp's point of view is that someone who
charges an order from After the Stork is as much Citicorp's customer as After
the Stork's.

Privacy advocates are very concerned that customers at least understand how
their information will be used and have the ability to opt out.  American
Express explicitly tells its cardholders that it prepares mailing lists "for
solicitations from American Express and/or other selected companies" -
selected, presumably, but ability to pay.  It says surveys show that 85% of
AMEX card holders know how to get off its mailing lists.

Citibank claims it also tells its customers how to get off mailing lists.
However, its sample notice doesn't mention that outsiders may have access to
its lists, offering customers "the option of removing your name from the list
we use to inform cardmembers of special Citibank offers...."
                                    -- Jerry


NY Times Letter on Fake Documents

Sanford Sherizen <0003965782@mcimail.com>
Tue, 20 Aug 91 15:38 GMT
I have posted several comments on desktop publishing fraud on RISKS.  The
following is my letter to the editor that was published in the New York Times
on Friday, Aug. 16, 1991.


BEWARE OF A BLIZZARD OF FAKE DOCUMENTS

To the Editor:

Your article on the use of computers in photo fakery (July 24) discusses only a
relatively small aspect of a much larger computer-fraud problem.  Desktop
forgery is joining computer crime and computer viruses as negative byproducts of
the Information Age.

I have been giving my clients an early-warning alert to be prepared for an
onslaught of computerized forgery of important documents that can easily pass as
originals.  The problem is serious.

Documents previously difficult to forge are now being reproduced at professional
printing levels by people using inexpensive computers, printers, scanning
devices, and desktop publishing technology.  There are two major aspects to the
problem.

The first is using computers to make duplicate copies of important documents.
Examples of documents that can be copied exactly include checks, identification
papers, certificates of deposit, immigration papers, Social Security cards and
other valuable documents that are at the heart of business and government.  To
foil reproduction of U.S. currency on color copiers, the Bureau of Engraving and
Printing has announced that it will begin to alter paper money starting this
summer.

A related issue is the modification of documents, so that unauthorized changes
can be made and distributed on what appears to be authentic official
information.  Employees and others can obtain documents or create their own
documents using computer-generated corporate letterhead and copies of
signatures.  Official-looking documents can be produced containing false
statements, illegal offers and libelous comments that can cause problems for
companies or government.

The traditional legal and technical restrictions against this counterfeiting and
forgery provide limited protections.  Some new techniques are being developed to
protect documents from being copied, as well as to detect counterfeit documents.
 However, there continue to be serious limitations on determining and legally
proving which were the originals and which the illegally made copies.

Seeing is believing may soon become an anachronism from the pre-computer days.

        Sanford Sherizen, President, Data Security Systems, Natick, Mass


ATM videotapes

Jyrki Kuoppala <jkp@cs.hut.fi>
Tue, 20 Aug 1991 03:05:53 +0300
In RISKS 12.13, there's an article about a wrong picture from an ATM tape being
published in New York Daily News, trying to catch a person who had committed a
crime.

Rather than the mixup with the tape, what seems very shocking and RISKy to me
is the reported fact that the police requested and got "all relevant records
and materials with respect to ATM transactions on the night in question".

Anybody still remember what was the meaning of the year `1984' ?


Re: Bell V22 Osprey crash -- assembly error

<henry@zoo.toronto.edu>
Thu, 22 Aug 91 01:26:20 EDT
>From the Aug 5 issue of Aviation Week:

    The Navy has found an assembly error caused the fifth
    Bell-Boeing V-22 full-scale development aircraft to crash
    June 11 on its first flight...  Reversed polarity on a
    gyro-type device that provided inputs to the flight control
    system was blamed.  The assembly problem was difficult to
    detect, but it was verified as the cause in a flight
    simulator and isolated to the one aircraft...  V-22 aircraft
    should resume flying soon.

Tsk.  While this doesn't seem to have been a computer problem per se,
it does make one wonder about a design that could be mis-assembled
like that.  The military usually tries to avoid this; somebody goofed.

(To digress slightly... one of the most impressive cases of design-for-
correct-assembly I've ever seen was the inside of the Canon CX print engine
used in the HP LaserJet and other first-generation small laser printers.
We service our own LaserJets, and we've had to dig fairly deep at times.
It's complicated and messy and has a lot of connectors... no two of which
are alike.  I don't mean just little keying pins that are easily forced
or overlooked; no two of those connectors are the same *size* even.  And
this is in a unit manufactured by the millions at rock-bottom prices.)

                                         Henry Spencer at U of Toronto Zoology
                                          henry@zoo.toronto.edu   utzoo!henry

   [Also commented on by Bob Rahe <CES00661@udelvm.bitnet> and
   Tim_Diebert.PARC@xerox.com.  PGN]

Please report problems with the web pages to the maintainer

Top