The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 39

Monday 13 April 1992

Contents

o Federal Reserve Bank snafu delays bank deposits
PGN
o St. Petersburg issues credit cards to protect bank deposits
PGN
o The Tyranny of Truncation
Mark Jackson
o Re: U.S. Dept of Justice Rulings about Keystroke Capturing
Jim Griffith
o Re: Risks of on-line documents dated April 1
Robert Ebert
o Re: Tapping phones, encrypting communication, and trust
Jerry Leichter
o FBI Phone Taps
George Yanos
o Fuzzy logic in cars
PGN
o Compression and Encryption
Douglas W. Jones
o Re: Telephone system foibles
James Zuchelli
o Risks of Friends and Family
Fred Cohen
o Re: The makers of the PBS series respond
Brian Tompsett
o Re: Correcting Erroneous Database Listings
Steven S. Davis
o Query: academic transcripts
William Nico
o Microsoft Windows(tm) 3.1 write cache
Andrew Birner
o Info on RISKS (comp.risks)

Federal Reserve Bank snafu delays bank deposits

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 13 Apr 92 10:10:46 PDT
A computer failure at a Federal Reserve Bank data center in Los Angeles shut
down computers for 12 hours on Friday, 10 Apr 1992 (payday) during the
processing of debits and credits for about 90 banks, credit unions and S&Ls in
California and Arizona.  The unprocessed tapes were flown to San Francisco, but
the data for at least 15 institutions were still not going to be processed
until Monday.  Some bounced checks were expected as a result of the missing
payroll deposits.  [Source: an article by Kenneth Howe, San Francisco
Chronicle, 11 Apr 1992, p.B1]


St. Petersburg issues credit cards to protect bank deposits

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 13 Apr 92 11:15:49 PDT
St. Petersburg, 13 April, TASS

    By ITAR-TASS correspondent Lev Frolov: St. Petersburg has begun issuing
credit cards to business people and bankers in an attempt to protect bank
deposits from thefts.  Unlike their western analogues, new plastic cards use
holographic coding instead of traditional magnetic strips, which ensures 100
per cent guarantee from illegal withdrawals.  The SPACARD system of credit
cards developed by local specialists is part of the computer network "LEK
TELECOM," which will include banks, insurance companies, exchanges and
brokerage offices in Russia and other commonwealth states.

       [ENSURES 100 PER CENT GUARANTEE, eh?  And of
       course no one would ever misuse the computers...]


The Tyranny of Truncation

<Mark_Jackson.wbst147@xerox.com>
Mon, 13 Apr 1992 04:38:16 PDT
According to the Rochester, NY, /Democrat & Chronicle/ of April 11, the
Community College of the Finger Lakes is changing its name to Finger Lakes
Community College.  Although the changeover is expected to cost $50,000,
college officials say that greater expenses have arisen from confusion and
omission of the two-year school from state and federal college registries.

According to college president Charles Mader, CCFL often gets short-changed by
computerized listings that identify it as "Community College of the Finger."

Mark <MJackson.Wbst147@Xerox.COM>


Re: U.S. Dept of Justice Rulings about Keystroke Capturing

<griffith@dweeb.fx.com>
Thu, 09 Apr 92 11:08:06 -0700
Marc Horowitz (marc@MIT.EDU) questions the requirement of warning condo
tenants about security TV cameras and the observation of someone committing
an illegal act.  It would probably be best if someone with more than a
"Perry Mason" knowledge of law would answer this.  But as I understand it, a
person cannot have an audio- or videotape used against them unless the person
either knew that the tape was being made at the time the crime was committed
or the taping was done after a warrant was obtained based on probable
cause.  My guess is that prior knowledge followed by a deliberate illegal
act or confession against interest constitutes consent.  I don't fully
understand this, because this doesn't seem to uniformly apply - there was a
case recently where a man was a victim of gay-bashing on his front lawn, he
captured it on videotape without the attacker knowing it, and the tape was
used in court.  I think the law says that without a warrant, one of the
involved parties must have knowledge, with law enforcement agencies never
being considered an "involved party".

Anyways, applying this to the issue at hand, a person electronically
monitoring a login session in an automated manner would be treated the same
way - without prior knowledge of the monitoring or a warrant, the evidence
couldn't be used.  If a user was on at the same time, issuing commands and
determining from the result that something illegal was happening, then that
user could act as a witness.  But if a user sets up automated monitoring,
then there are grounds for contesting it as illegal search and seizure.

Jim Griffith   griffith@dweeb.fx.com


Re: Risks of on-line documents dated April 1 (Tarabar, RISKS-13.37)

<Robert_Ebert.OsBU_North@xerox.com>
Wed, 8 Apr 1992 17:51:30 PDT
dtarabar@hstbme.mit.edu (David Tarabar) writes:
>Not getting an April Fools joke might be more of a risk in on-line documents
>because often they are not read until some time after the first of April.

I actually did read the TidBITS article on the 1st...  call me slow, call me
gullible.

By way of clarification, the two "inclusions" I sent from the #114 TidBITS were
things purported to be the "truth"; the *rest* of the article was the joke.
Strangely, when I knew it was a joke and went back to look at it, I would have
rated the IBM distribution article as "most likely to be false."  What's next?
Blue suits in airports singing, dancing, and giving away OS/2 in exchange for a
"small donation"?

The joke articles consisted of:

    Microsoft & NeXT?:
        An article about MicroSoft products for NeXT machines, and
        the pros and cons of such an arrangement.  NeXT gets credibility
        as a business machine, MS gets stuff from the NeXT environment.
        Digs against Windows technology, NeXT popularity, and even ACE
        productivity.  (All of which are, IMHO, deserved.)

    Future Finder:
        A long article about a new Finder replacement by Bruce
        Tognazzini.  Lots of whizzy features, a DiskBox icon for
        unmounted floppies, groups of files called "collections", a
        super folder which launches everything inside when you
        double-click it, improved balloon help, and additionally fixing
        everything that's wrong with the Finder today.  I don't care if
        it's a joke, I want it.  I'll even take it in little pieces, via
        extensions.

    New Life for Old Macs:
        Okay, this is really the most obvious joke.  Take your toaster
        Macs, swap out the motherboard, and put in a IIfx-like
        machine and maybe even a color LCD display with some weird
        back-back BUS extensions.  Nifty and impossible stuff here, but I
        was skimming at this point.

                                --Bob (bebert.osbu_north@xerox.com)


Tapping phones, encrypting communication, and trust

Jerry Leichter <leichter@lrw.com>
Fri, 10 Apr 92 23:52:43 EDT
I'm disturbed by the tenor of the entire debate about phone tapping, privacy,
and such.  The general approach seems to be based on the idea that government
is not to be trusted, ever, with anything.  Nothing government says is to be
believed.

Let's take the FBI "phone tapping" proposal.  Everyone is absolutely sure
that no technical changes are needed to tap any phone.  The little the FBI
has said contains no detailed information, so it's hard to tell exactly what
they have in mind.  But I submit that there is a clear instance today in which
it would be difficult to insert an authorized tap.  Suppose a company has a
PBX, and the FBI has a court order to tap the line of the president of the
company.  Since the technicians running the PBX are employees of the company,
the FBI can't work through them.  Hence, they must go to the Telco side of the
PBX.  Unfortunately, calls coming out the PBX side need carry no identifying
information about the calling extension - many PBX's are set up to return some
fixed billing number for the whole company.  So:  It's easy to tap ALL calls
coming out of the company - but how do you fulfill a court order allowing you
to tap only those of the president?  Do you really want the outcome to be
that, in this case, the FBI is allowed to monitor ALL calls from the company?

Then there's the matter of "people shouldn't pay to have their own phones
tapped."  The lack of rationality in this argument is astonishing.  It's
like the argument:  "Don't bill the taxpayers for the S&L bailout - let the
government pay for it."  If the FBI were to pay for the taps, where do you
think its money would come from?  Would you rather have the funding hidden in
an anonymous budget paid for out of general revenues, or out there for all to
see?  Object to the amount of money involved; object to this as a way around
a "no new taxes" pledge; object to the very principle of the FBI EVER tapping
phone conversations - but stop believing that government can give you
something for nothing.

I submit that the right way to approach these issues is to first decide what
authority we consider it desirable and proper to grant the FBI and other
government agencies, then consider the effect of technological choices on their
ability to exercise that authority.  Here's an example: The much-argued
proposed requirement that carriers have the capability to provide the
government with the cleartext of encrypted messages.  Suppose we decide that
the current approach to tapping is correct: Upon presentation of appropriate
evidence, the FBI is authorized to tap a line from some point on.  Note that
they cannot require the telephone company to record calls on the theory that
they might later get a warrant to listen to them.

We can retain exactly this policy in a carrier-provided encryption system by
requiring that the carrier, upon receipt of an appropriate court order, record
and provide to the FBI all session keys created for the person being tapped.
Unless a person was being tapped, the carrier would be under no obligation to
record the keys; in fact, it should probably be obligated NOT to do so, just
to avoid a temptation to implicitly expand the tapping authority.

It is quite true that people can use encryption devices outside of the
carrier-provided system, thus rendering any aid the carrier can provide to
the FBI useless.  But there's nothing new here - that can be done today.

Any decisions about security and privacy must start with one fundamental
decision:  Whether we wish to provide privacy and security THROUGH LAW, or
whether we wish an absolute security and privacy INDEPENDENT OF LAW.  The
working bias I see in virtually all submissions on these subjects is toward
the latter approach.  I would urge those who take this approach to examine
their assumptions.  Do they, for example, take the same approach to other
kinds of protection provided by the government?  Do they believe, for example,
that we should banish police departments and arm ourselves for our own
protection against criminals, since some police have been shown to be corrupt?

                            -- Jerry


FBI Phone Taps

George Yanos <U08208@UICVM.UIC.EDU>
Sat, 11 Apr 92 08:50:55 CDT
"Disappointment" might be a better word, but in deference to the forum
I'll ask: Which is the bigger risk, that nobody with the FBI is reading
this, or that some of them are but that they refuse to join the discussion?


Fuzzy logic in cars

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 11 Apr 92 12:10:50 PDT
Fuzzy-Mitsubishi: Mitsubishi Motors to use fuzzy logic to make cars safer
(Tokyo, 9 April 1992, Kyodo)

    Mitsubishi Motors Corp. said Thursday it has developed a new automobile
safety feature that incorporates fuzzy logic chips to help reduce driver error
and fatigue.  Company officials said the system, called the Intelligent and
Innovative Vehicle Electronic Control System (INVECS), uses fuzzy logic to
control automatic transmissions, four-wheel drive and four-wheel steering
systems, traction control systems, and electronically controlled suspension
systems.
    Fuzzy logic is a mathematical technique which, like human logic, deals with
imprecise data that could lead to many solutions rather than one.
    The new transmission system automatically downshifts gears to improve
braking when the car is going downhill or when moving uphill shifts to a higher
gear to eliminate sluggishness, the officials said.  Currently, such shifting
decisions must be made by the driver.  Traction control systems will adjust
engine power to handle flat, uphill, and downhill roads, while four-wheel drive
controls vary the torque ratio between front and rear wheels to match driving
conditions.  The new four-wheel steering system moves the rear wheels in the
opposite direction of the front wheels to enhance low-speed steering maneuvers.
The new suspension system, which involves a sensor fitted to the front of the
car body, improves riding comfort by adjusting the car to height differences in
the road and lateral movement in the suspension system.
    The officials said Mitsubishi plans to introduce the new safety system in a
future car model.


Compression and Encryption

Douglas W. Jones <jones@pyrite.cs.uiowa.edu>
12 Apr 92 21:32:43 GMT
> Could use of "non-standard" or uncommon compression techniques to
> facilitate high-speed data transmission also be undesirable for the NSA/FBI?

In my CACM article "Application of Splay Trees to Data Compression," CACM 31, 8
(Aug. 1988) 996-1007, I pointed out that many compression algorithms have
cryptographic applications.  Adaptive model-based compression algorithms start
from an initial model state that converges as the data stream is presented.  The
initial state of the model can be used as a key, and I proposed a trivial way
to do this by throwing the key string at the model used in the compression and
expansion programs prior to using those models to compress or expand data.

Here's the cryptographic algorithm, spelled out in painful detail:

    Encrypt:                      Decrypt:
      Initialize-model              Initialize-model
      for each ch in key loop       for each ch in key loop
         update-model(ch)              update-model(ch)
      end loop                      end loop
      loop                          loop
         get(ch)                       uncompress-and-receive(ch)
         compress-and-send(ch)         update-model(ch)
         update-model(ch)              put(ch)
      end loop when ch=eof          end loop when ch=eof

The above cryptographic algorithm works with my splay-tree-based codes, it
works with Witten, Neal, and Cleary's arithmetic codes, and it can even be fixed
to work with such non-model-based adaptive compression schemes as LZW.  Of
course, some compression algorithms will make better encryption schemes than
others, but I am aware of only a small amount of research on this.

It is worth noting that although most compression algorithms can be trivially
modified to make them serve cryptographic purposes, I know of no attempt by the
US government to limit the export of such code.
                             Doug Jones  jones@cs.uiowa.edu
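The following is an added example, written for this digest and not taken from Jones's paper or his post: it implements the Encrypt/Decrypt loops above in Python with the simplest adaptive model I could think of, an order-0 model that keeps the 257 symbols (256 byte values plus an explicit eof) sorted by count and codes each symbol as its rank with an Elias gamma code. The splay tree and arithmetic coder of the paper are replaced by this rank-plus-gamma scheme; the model, the coder, and all function names are my own choices and are not from the article. Both sides build the same initial state by running the key bytes through update-model before any data is coded, exactly as in the pseudocode.

```python
# Added example: keying an adaptive compressor by priming its model with a key
# string.  The rank-based model and gamma code are illustrative choices, not
# the splay-tree or arithmetic coders of the paper.
from typing import List, Optional, Tuple

ALPHABET = 257          # 256 byte values plus an explicit end-of-data symbol
EOF = 256


class AdaptiveModel:
    """Order-0 adaptive model.  `order` holds the symbols sorted by descending
    count; a symbol is coded as its position (rank) in that list, so frequent
    symbols get short codes.  The state depends only on the sequence of
    update() calls, which is what lets a key string serve as initial state."""

    def __init__(self) -> None:           # Initialize-model
        self.counts = [1] * ALPHABET
        self.order = list(range(ALPHABET))

    def rank(self, sym: int) -> int:
        return self.order.index(sym)

    def symbol(self, rank: int) -> int:
        if rank >= ALPHABET:
            raise ValueError("rank out of range: wrong key or corrupt data")
        return self.order[rank]

    def update(self, sym: int) -> None:   # update-model(ch)
        # Bump the count and bubble the symbol forward past every neighbour
        # it now outranks; ties keep their existing order on both sides.
        self.counts[sym] += 1
        i = self.order.index(sym)
        while i > 0 and self.counts[self.order[i - 1]] < self.counts[sym]:
            self.order[i - 1], self.order[i] = self.order[i], self.order[i - 1]
            i -= 1


def primed_model(key: bytes) -> AdaptiveModel:
    """Initialize-model, then 'for each ch in key loop update-model(ch)'."""
    model = AdaptiveModel()
    for ch in key:
        model.update(ch)
    return model


def gamma_encode(n: int) -> List[int]:
    """Elias gamma code for n >= 1: (bitlength-1) zeros, then n in binary."""
    b = bin(n)[2:]
    return [0] * (len(b) - 1) + [int(c) for c in b]


def gamma_decode(bits: List[int], pos: int) -> Tuple[int, int]:
    zeros = 0
    while pos < len(bits) and bits[pos] == 0:
        zeros += 1
        pos += 1
    end = pos + zeros + 1
    if end > len(bits):
        raise ValueError("truncated code: wrong key or corrupt data")
    return int("".join(map(str, bits[pos:end])), 2), end


def pack_bits(bits: List[int]) -> bytes:
    bits = bits + [0] * (-len(bits) % 8)   # zero padding sits after the eof code
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def unpack_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    model = primed_model(key)
    bits: List[int] = []
    for ch in plaintext:
        bits.extend(gamma_encode(model.rank(ch) + 1))   # compress-and-send(ch)
        model.update(ch)                                 # update-model(ch)
    bits.extend(gamma_encode(model.rank(EOF) + 1))       # end loop when ch=eof
    return pack_bits(bits)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    model = primed_model(key)
    bits = unpack_bits(ciphertext)
    pos = 0
    out = bytearray()
    while True:
        n, pos = gamma_decode(bits, pos)               # uncompress-and-receive(ch)
        ch = model.symbol(n - 1)
        if ch == EOF:
            return bytes(out)
        model.update(ch)                               # update-model(ch)
        out.append(ch)                                 # put(ch)


def try_decrypt(key: bytes, ciphertext: bytes) -> Optional[bytes]:
    """decrypt(), but None instead of an exception when the stream does not
    parse, which is the usual result of a wrong key."""
    try:
        return decrypt(key, ciphertext)
    except ValueError:
        return None


if __name__ == "__main__":
    msg = b"the quick brown fox jumps over the lazy dog"   # constructed sample
    ct = encrypt(b"secret key", msg)
    print(len(msg), "bytes in,", len(ct), "bytes out")
    assert decrypt(b"secret key", ct) == msg
    print("wrong key ->", try_decrypt(b"other key", ct))
```

Two things are worth seeing when you run it. A wrong key either fails to parse (the gamma codes no longer line up with the model) or produces garbage from the first byte, because ranks under the two primed models differ. And the key only sets the starting counts: as data is coded the counts grow and the key's fixed contribution matters less and less, so two models primed with different keys drift toward the same ordering. That adaptation is the property that makes this a compressor, and it is also why, as the post says, some compression algorithms make much better encryption schemes than others.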


Telephone system foibles (RISKS-13.38)

Tri-Valley Macintosh Users Group,UG <TMUG@applelink.apple.com>
12 Apr 92 11:52 GMT
I recently had two experiences with the telephone systems that leave me
wondering if anyone knows what they are doing.  I tried to make a call from a
pay phone outside a restaurant in Sunnyvale, CA, using my calling card.  The
call wouldn't go through.  The operator (from an alternative phone service)
said that their computer showed I was trying to make a call from a correctional
institution.  I guess to avoid toll fraud, prisoners aren't allowed to make
calling card calls.

In my next phone bill (from an alternative phone service) there was a billing
on my calling card for two calls made from Ada, Mich.  I've never been there and
so had the charges deleted and changed my PIN.  However, after looking at
the numbers listed, I found one was to a friend in San Jose.  I now believe
that the alternative phone service's computers somehow read some local calls as
being made from Ada Mich.

What I'd like to know is how I can get all my calls misread so my phone bill
will be cut in half?

However, even though this seems amusing, it makes one wonder just how
inaccurate the alternative systems are.  If they make these screwups, how many
more do they make that are not detected?
                                                   James Zuchelli


Risks of Friends and Family

fc <FBCohen@DOCKMASTER.NCSC.MIL>
Sun, 12 Apr 92 18:42 EDT
AT&T finally caught on, but they really didn't make the point very well.
The "friends and family" database being built by that other phone
company will no doubt be sold so that when collecting a bill I will be
able to dial in and find your relatives and friends - in case you skip
town.  When I market something to you successfully, I will be able to
claim your name when marketing to your friends and family.  You can
think of a lot of other examples of how this database might be abused.

It is somehow deeply offensive to me to be solicited to give
the names of my friends and family in order to save money.  I almost
feel as if I am selling them out - literally!  Tell me what birth
control you use, and I will give you 10 bucks.  Tell me how you have sex
with your wife and I will give you 20!  But be careful - I may get you
arrested for having illegal sex!

I have an idea - how about royalties on all data stored in databases.
If you keep data on me, I want you to pay me a dime per 80 bytes of info.  If
you sell it to someone else, I want 20% of gross as royalties.  If it is
inaccurate, I want to sue for damages.  This would of course be the best way to
control databases.  After all, why shouldn't I be able to sell you the right to
keep info on me.  This would also clarify the relationship - I own all
information about me, and you have to pay me to use it.  If you don't keep
accurate info, you are responsible for it - financially!  To make certain it's
right, you have to get my approval for its use.  No waivers permitted, and no
including this stuff in other agreements.  Otherwise it will all be put into
the standard contracts and people will hardly know it exists - but even that
would be better than the current situation.


Re: The makers of the PBS series respond (Tompsett, RISKS-13.37)

Brian Tompsett <bct@cs.hull.ac.uk>
Mon, 13 Apr 92 14:18:09 GMT
In RISKS-13.38 Dave Marvit (WGBH Associate Producer) writes that there is
nothing Orwellian in the multi-versioning of TV programmes, and "The machine
that changed the world/The dream machine" in particular. Contrariwise, I feel
that there is some element of "Newspeak" involved in the programmes to (I
quote) "reflect the interests and knowledge of the different audiences".  When,
for example, I see documented in programmes such as this "locals" such as Clive
Sinclair and Joe Lyons Tea Shops I begin to wonder whether items about
Bletchley Park Colossus, Manchester MADM, Cambridge EDSAC and other UK
contributions to history are also there "to reflect the interests and knowledge
of the different audiences". I can extend this analogy to imagine that the WGBH
transmission reflects local Massachusetts "interest and knowledge" and is in
some minor way different from the West coast and Central US transmissions for
the same reasons. These programs can then be shown to local undergrads and
every graduate will believe that "their" alma mater made *the* contribution to
world development, because they saw it on TV. If this is not the Orwellian view
of history then it's pretty damn close.

We are drifting away from computer risks here, so let me attempt to bring the
discussion back on track. If I applied my paranoid imagination to the Risks
mailing list itself I can easily ask the same question. How do we know that the
items we receive in the UK on Risks are the same that arrive in the US?  We
don't, and in fact they are not the same. There are local UK postings to Risks
readers that do not go to the US list. I can imagine for you an implementation
where Risks articles from the US are put through a "jive" filter before going
to the UK readership and vice-versa all UK contributions to the US list go
through a "biffa" filter. This would have the effect of making each country
think the other one was filled with yokels with an expletive-filled vocabulary.
Luckily for us, Risks is also published in paper form which helps to
authenticate many of the contributions.

For those of you who are interested in these things, there is a US court case
over the changing of TV programmes to "reflect the interests and knowledge of
the different audiences". It involves the first US airing of "Monty Python's
Flying Circus" by a US network. The networks made "minor" changes to some
sketches (removing some expletives) for a US audience. The Python team sued and
won, on the grounds that the changes substantially damaged their reputation.
PBS, as the US readers now know, eventually broadcast Python in its
unexpurgated form (BBC logos and all). Thanks should go to PBS for rendering
this public service.

I hope readers don't think I'm trivialising the issue, or unnecessarily
attacking reputable programme makers. On the contrary I think these issues are
ones we should be aware of. We should "question" the media, and ensure that
makers of exemplary documentary programmes such as "Nova/Horizon" do not cross
that fine line between truth and ratings or history and Newspeak. When in the
US I showed my support of WGBH at pledge time.

  Brian Tompsett, Computer Science, University of Hull, UK.


Re: Correcting Erroneous Database Listings (Davis, RISKS-13.36)

Steven S. Davis <paa1338@dpsc.dla.mil>
Mon Apr 13 13:04:55 1992
In Risks 13.37, Fred Gilham responded to a proposal (in Risks 13.36)
that an authoritative central database would provide protection against
the spread of inaccurate data through different databases.

>... I think promulgation of inaccurate information should be legally
>treated as a form of libel, ...
>                                -Fred Gilham    gilham@csl.sri.com

That libel laws should be revised to take into account libel by false inputs
into databases is undeniably true.  The problem with sole reliance on such laws
to protect people against false information is threefold.  It requires the
wronged person to file suit each time the false data is promulgated, it does
not set in place anything to stop further promulgations (clearly, it's better
to prevent damages than to collect them), and it does not provide any
protection to the operators of databases.  Though my proposal emphasized the
protection of people from the information in databases, I do not think it is in
the public interest to impede the dissemination of correct data, which I fear
successful libel prosecutions would, if they resulted in punitive damages
sufficient to be a deterrent. The central database, once a correction were
placed in it, would reduce further spread of the false data while greatly
simplifying any actions for promulgating false data that still became
necessary. It would also clarify the responsibility of the owners of databases
to check for false information while providing a way of doing so. The database
operator who has diligently checked the data received (this would include
checking the central database, but would not exclude other reasonable means of
checking for errors) should not be subject to the punitive damages that a more
careless operator would richly deserve.
                                         Steven S. Davis (ssdavis@dpsc.dla.mil)


Query: academic transcripts

William Nico <nico@pyr.csuhayward.edu>
Mon, 13 Apr 92 00:01:45 -0700
I have just learned from (senior and middle level) administrators at our
campus, Cal. State U., Hayward, that serious consideration is being given
to electronic exchange of academic transcripts between universities (actually
between all levels of colleges, from community colleges on up).  Our campus
is apparently examining vendor information on such products, and I am told
that San Jose State is actually involved in a pilot project (? alpha test ?)
on this.
    I have been able to get virtually no technical information from the
administrators involved, except that discussion of such a process has been
going on for some time among university admissions officers nation-wide and
that there is even a recent (or proposed) ANSI standard (in X12?) on the
matter.  I am also told, naturally, that there are real products out there
under development to implement such interchange.
     The system seems fraught with risks to me, especially since universities
form a much more heterogeneous (even anarchistic) community than, say, the
banking community.  My fragmentary information also indicates that there
have been made (or are being made) some possibly strange design decisions.
For example, it is reported that the products -- or the standard -- only
allow 3 digits for a "course number" field; since our campus has traditionally
used 4-digit course numbers, this would require renumbering the whole campus
in order to participate in such a system.
    Perhaps my main question is what sort of authentication/integrity
mechanisms are to be used in such a system: the proposed new DSS? Something
DES-based? Something ad hoc?  Will it require universities to purchase
special hardware, or will it be software-based?
    I think this issue may be of interest to a number of RISKS readers
and that some of those readers may have good information to provide about
what is being developed for transcript interchange.  I, for one, would be
very interested in hearing more on this topic.

-- Bill Nico
W.R. Nico
Mathematics and Computer Science
California State University, Hayward
Hayward, CA 94542-3092

e-mail: nico@csuhayward.edu

PS. --Moderator:  This ran longer than I thought it would when I started.
Feel free to edit it appropriately if you decide to use it to raise the issue.
(Clearly, as moderator, you don't need my permission to edit, or delete, but
it seemed like a nice thing to say.)


Microsoft Windows(tm) 3.1 write cache

Andrew Birner <scsabir@tvgurus.hdtv.zenithe.com>
Mon, 13 Apr 92 14:27:29 CDT
Microsoft's new version of Windows includes an "enhanced" version of the
SmartDrv disk cache utility.  The primary enhancement is the addition of a
write-behind write cache.  The RISKy part of this is that the default for the
program is to enable the write cache on all hard drives; this is what the Setup
utility suggests as the "preferred" configuration!  Now, maybe I'm paranoid,
but it seems to me that this is going to cause LOTS of problems for naive users.
I'm especially worried because I don't believe that most casual users are going
to bother reading through the documentation to find the little notice that
says (on page 540):

   CAUTION  Check that SMARTDrive has completed all write-caching before you
   turn off your computer.  To make sure this has happened, type SMARTDRV /C
   at the MS-DOS prompt.  After all disk activity has stopped, you can safely
   turn off your computer.

Personally, I think Microsoft has an incredible amount of confidence in the
stability of 3.1, and in the diligence of the casual users; the decision to
make this the default mode of operation was, in my view, ill advised.

- Andrew E. Birner, Zenith Electronics Corporation -
