Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Several months ago we started noticing that (now and again) the
network connection to the mainland would become very very slow; this would
continue for 10-15 minutes or so, then all would suddenly be well again. A
while after this started happening a coworker of mine complained to me that
the connection to the mainland _never_ worked anymore. It seems that he had
some FORTRAN source that he needed to copy to a machine on the mainland, but
he never could because "the network wouldn't stay up long enough for the ftp
to complete".
Yes, it turned out that the network outages happened whenever he
attempted to ftp that _particular_ FORTRAN source file to the mainland. We
next tried compressing the file; it copied just fine then (but unfortunately
the machine on the mainland had no uncompress program, so it was still no go).
Finally we "split" his FORTRAN program up into very small pieces and sent them
one at a time. Most of the pieces would copy without trouble, but a few would
either not go at all or only go after many _many_ retries.
Examining the troublesome pieces, we found they all had one thing in
common: they contained comment blocks that began and ended with lines
consisting of nothing but capital C's (his preferred FORTRAN commenting
style). At this point we started sending e-mail to the network gurus on the
mainland asking for help. Of course, they wanted to see an example of our
un-ftp-able files, so we mailed some to them... but our mail never got there.
Finally we got the bright idea of simply _describing_ what the unsendable
files were like. That worked. :-) [Dare I include in this message an example
of one of the offending FORTRAN comment blocks? Probably better not!]
Eventually we were able to piece together the story. A new gateway had
recently been installed between our part of campus and the connection to the
mainland. This gateway had GREAT difficulty transmitting packets that
contained repeated blocks of capital C's!!!! Just a few such packets would
occupy all its energies and prevent most everything else from getting through.
At this point we complained to the gateway manufacturer... and were told "Oh,
yes, you've hit the repeated C's bug! We know about that already.".
Eventually we solved the problem... by buying new gateways from another
manufacturer. (In the manufacturer's defense I suppose an inability to
propagate FORTRAN programs might be considered a feature by some!)
I Found the squib below on the Prodigy service -- QUIRKS Offbeat Computer News Mary Bandar recently turned down an invitation to attend kindergarten with others born in '88. "Boy, wouldn't those kids ever be surprised when they see me coming to school," Bander, 104, told the Associated Press. "Why would they want me? I know the ABCs yet. And I can count to 10," said the Winona, Minn, resident, who was born in 1888. Sister Mary Donald Miller, superintendent of Winona Area Catholic Schools, told the AP that the mix-up occurred when school officials instructed a computer to search for the names of people born in '88. The RISKS aware person might ask a few more questions-- which computer was the school using? Where is this central database of all the people in Winona, Minnesota? Who puts the data into it, and who decides who else can pull the data out? I expect that as we approach the millenium, we'll see a lot more of these "off by a century" errors. Ed Ravin eravin@panix.com philabs!trintex!elr +1 914 993 4737
Date: Tue, 23 Mar 1993 14:33:00 BST
Subject: if they mention flying saucers, they're out to get you
From: Derek Cooper <RCAA000@maple.cc.kcl.ac.uk>
From the London Times today (I did check that it's not April 1st!)-
Officers in Warrington Cheshire fed up with people listening in to their
messages, broadcast that a flying saucer had crash-landed in a field & gave
details of where to find it.
Radio messages about a huge glowing spacecraft were broadcast with the
warning "Do not approach. It may be radioactive." The warning was followed
by directions to the field in Appleton. The eavesdroppers arrived within
minutes, expecting to see little green men. They were arrested instead.
Police said that 5 people had been reported to the Crown Prosecution Service
for telecommunications offences. Scanning devices that can pick up police
radio messages are widely available but using them to listen to police
transmissions is an offence.
[I have seen this on several groups. There is a question whether it
is actually illegal if you are merely listening, as opposed to doing
something about it. PGN]
From a NY Times article (3/29/93, p. A1,B2) on financial and management
problems at NY state health insurer Empire Blue Cross/Blue Shield:
Empire was forced to write off $50 million that had gone uncollected or
unbilled because of computer problems dating to the mid-1970's, according to
an internal report obtained by The New York Times.
One glitch involved a computer system that could not understand bills of
$100,000 or more. A $103,000 charge, for example, would be interpreted as
only $3000, and the smaller amount would be billed to the client. That
failure occurred 29 times and cost Empire $3 million, the report said.
[Management comments about such problems being ancient history and Empire's
real problems lying elsewhere.]
Still, the computer problems persist. An expensive new electric system
for handling claims --- being developed by a former board member --- was
expected to be finished about 18 months ago, but is not likely to be
completed until later this year. Empire has invested $17 million in that
venture.
As baseball season is upon us, those who belong to fantasy leagues begin to devour all available material about players, statistics, injuries, and so on. One such supplier of these needed facts and opinions, The Fantasy Baseball Journal, recently apologized for a particularly buggy issue. They attribute the printing errors to a "so-called virus that has seeped onto our computer network." This is not so startling, as we all know this kind of thing can happen. What is startling is the claim in the FBJ that "if [the virus] is the problem, then that's solvable." Perhaps these baseball statisticians are smarter that we thought... -- Ed Amoroso, AT&T Bell Labs
From: ak336@cleveland.Freenet.Edu (John Dill) Newsgroups: sci.aeronautics Subject: TCAS Glitchs Date: 25 Mar 1993 14:48:47 GMT Organization: Case Western Reserve University, Cleveland, OH (USA) NNTP-Posting-Host: slc10.ins.cwru.edu I've been a controller at the Cleveland ARTCC for 22 yrs. I've always welcomed the arrival of any new procedure or technology that can enhance our ability to safely separate air traffic. TCAS has proven to be one such aid. However, a problem has been discovered which has the potential to be disastrous. Here is the problem: Aircraft "A" is climbing to an assigned altitude of 23,000' (as an example), while aircraft "B" is descending to an assigned altitude of 24,000'. The two a/c are on converging courses and their combined verticle closure rate is high, in this case we'll say about 6000' fpm. TCAS (on each aircraft) does what is called a coordinated interrogation, meaning the equipment talks back and forth and decides on the best resolution. Of course, the TCAS has no way of knowing the aircraft are intending to both level off 1,000' apart, so it issues a resolution advisory (RA) to both flight crews telling them to INCREASE their respective rates of climb and descent. This is in direct conflict to the controllers clearances. Only after the controller notices the mode c readouts deviating from the assigned altitudes is he aware of a problem. (actually, the frightcrews (pun intended) are required to inform the controller that they are responding to a TCAS RA, but due to frequency blockage, other duties, etc. this may not happen. Upon seeing the deviation, the controller attempts to have the aircraft return to their assigned altitudes. There have been several incidents similar to this fictional one. The loss of separation has been severe (as little as 200') and resulted from the crews confusion on who's instructions to follow. In the past few weeks, the FAA has issued directives to all controllers to NOT attempt to countermand a TCAS RA. By following only the TCAS RA, it is felt that the separation, even though less than standard, will be sufficient. John
The so-called hacker, the twenty-year-old Ronald O., whom we caught on one of
our PC's doing things as yet unknown at Delft University, will be in temporary
custody (or whatever the correct English term for that is) for 30 more days.
This is to give the police more time to gather evidence.
According to the papers, forged credit cards were found while searching his
home, and that also will not help his case. He is supposedly unwilling to
answer any questions at this point, but is charged with crimes that could send
him to jail for a maximum of four years.
Although I am definitely not suggesting he is a nice guy, somehow I have some
difficulty connecting this nervous kid in our room with a sentence of four
years. I hope that being the first to be caught under the new law, and in the
act to boot, is not going to give him too much extra attention from law
officers.
Never forget the RISK of someone dying to try out his new toy. This goes for
hackers and law enforcement personnel alike.
Hans van Staveren, Vrije Universiteit, Amsterdam, Holland
Over the past couple of weeks it has been pleasant to see the dangers of faulty information held on computer being acknowledged in Britain. Under the Data Protection Act (1986) in this country a Data Protection Registrar was set up to monitor uses of computers to store personal information and to be an independent source of help to get faulty data corrected. Recently a television advert has been running showing clips of actors mentioning problems that can happen with computer systems (My building society thinks I died three years ago, According to my bank I have a criminal record etc.) finishing with the address of the Data Protection Registrar and a voice-over saying that if you have problems with faulty information held on you to contact him. People in other countries might like to know that it is possible to for officialdom to acknowledge risks of faulty information. Peter Debenham, Physics Dept., University of Nottingham, UK. NG7 2RD + 602 515151 x8323 (wk) +602 730487 (hm) P_Debenham@ppn1.nott.ac.uk
Drawing on a variety of newspaper and magazine articles I hope I can sketch a slightly wider picture of the case. The best overall article I have seen is in this week's New Scientist, (27 March 1993), which I recommend for further reading. A little terse I'm afraid, but here is my precis: On 26 June 1991 British police arrested 3 men who had been cooperating in hacking a number of university, government and commercial computer systems across the world. Individually they used the handles "Gandalf", "Wandaii" and "Lizard", collectively they called themselves the "Eight Legged Groove Machine". They left messages to system managers on some hacked systems signed "8LGM" or "Eight Little Green Men". They did not meet, or even know each others real names and addresses, until they were introduced by the arresting officers, but discussed hacking, passwords and vulnerable systems on bulletin boards and hacked systems. Karl Strickland, 22, of Liverpool and Neil Woods, 26, of Oldham in Lancashire were charged with conspiracy to dishonestly obtain telecommunications services, having pleaded guilty they are waiting to be sentenced. Paul Bedworth, then 18, of Ilkley in West Yorkshire was charged with two counts of conspiracy under the Computer Misuse Act, and one of conspiring to dishonestly obtain telecommunications services. It is interesting that the Crown Prosecution Service chose to charge Bedworth with conspiracy, rather than a simpler charge of unauthorised access to/modification of a computer system. This decision was the foundation of the acquittal, requiring the prosecution to demonstrate that he had a "guilty mind" at the time of the hacking. In court Bedworth's solicitor, (lawyer to you US folks), claimed that the case was a show trial, and brought in a psychiatric expert who described Bedworth as having a "nonchemical dependence" on using a computer. It is hard to see how a compulsion to use computers, or even to hack, can be adequate grounds for acquittal, indeed the judge quite clearly directed the jury to disregard this. Nevertheless the jury returned not guilty verdicts on all charges. It is impossible to know their reasoning, as it is a criminal offence to publish any details of the jurors deliberations. Much of the press, including the New Scientist article, represent this as setting a legal precedent. Firstly, this doesn't make sense, because nobody can say what the supposed precedent is. Secondly, only the ruling of a judge can do this, (subject to appeal to a higher courts, ..). In this case we can do little but accept that our jury system has again demonstrated it's unpredictability. Though this is of little consolation to those institutions who suffered expensive tampering with their systems, and had to foot tens of thousands of pounds of phone bills, due to the actions of these men. Anthony Naggs, Software/Electronics Engineer, (and virus researcher) Phone: +44 273 589701 Email: amn@vms.brighton.ac.uk
> ...places that make computer programs are refusing to guarantee {anything}.
>This is as it should be. The risk is not that software might not work; the
>risk is that people blindly assume that it worked, is working, or will work.
A mildly related thought is that the following sort of problem will frequently
rear its ugly head in the near future: An engineer (or architect, etc.)
screws up and is sued, but the problem is traced back to a faulty piece of
third-party software that he or she used. Now the court must try to untangle
the liabilities, a process that will require detailed technical knowledge that
no judge or jury is likely to have.
Geoff Pike (pike@cs.berkeley.edu)
The following is an editorial published in the Akron Beacon Journal on Wednesday, March 24, 1993. This editorial is copyrighted by the Akron Beacon Journal, and commercial use or resale of this article is forbidden. Permission to post this editorial in its entirety has been generously granted by Mr. David B. Cooper, Associate Editor. MUNROE FALLS CARRYOUT Akron Beacon Journal (AK) - WEDNESDAY March 24, 1993, A14 The Fourth Amendment to the Constitution was written to safeguard ordinary citizens against unreasonable search and seizure. Recently, however, law-enforcement officials have taken to seizing possessions of convicted and suspected criminals, particularly drug dealers. In the case of 23-year-old Munroe Falls resident Mark Lehrer, police confiscated a sophisticated, $3,000 computer setup, programs and disks on the suspicion that he might be letting kids look at dirty pictures. That charge was never proved. In fact, it appears that police received only one or two complaints about his computer bulletin board, none from area parents. Lehrer contends a clerical error put the pornography into files accessible to all the bulletin board's users, not just adults. Police enlisted a 15-year-old, falsified his identity for a membership and then helped the teen call up a possibly offending program. But, when the Summit County grand jury refused to indict the University of Akron computer whiz on the original charges, Munroe Falls police filed other charges based on the possibility that some of the programs in Lehrer's private collection contained pictures of minors. Lehrer did plead guilty to a misdemeanor charge of 'attempted possession of criminal tools' — his computer — based on those subsequent charges. No one downplays the seriousness of crime in our society, whether it's in the suburbs or inner cities. None argue that children should be able to view pornography. But in the absence of compelling evidence that Lehrer was trying to peddle child porn to kids, either at the outset of this case nine months ago or now, it could appear that the police acted hastily in confiscating the computer. Such actions invite questions as to whether the police were protecting against a child pornographer or using the intimidating powers of the police and judicial system to help themselves to a nice hunk of expensive machinery. dl
In a copyrighted story, the March 24 Washington Post includes an article
describing a ruling by the 4th Circuit Court of Appeals that Virginia's
law requiring a SSN to register to vote is unconstitutional.
The decision is being hailed by civil rights groups as a victory for the 4
million Virginians who are registered to vote. Because voter roles are public
information, registering to vote is equivalent to publishing your SSN. The
judges wrote "The harm that can be inflicted from the disclosure of a Social
Security Number to an unscrupulous individual is alarming and potentially
ruinous.... The statute at issue compels a would-be voter in Virginia to
consent to the possibility of a profound invasion of privacy."
A spokesperson for the Virginia Attorney General's office said they have not
decided whether to appeal the ruling.
The case was brought by Marc Alan Greidinger, a 29-year-old Fredricksburg
lawyer (who represented himself) after he was denied the right to register to
vote because he refused to reveal his SSN. Greidinger said that during the
lawsuit he gave his SSN who was able to get his current balance on two loans,
last payment dates, and university transcripts.
It is not believed that the ruling will affect other state agencies
(such as motor vehicles) which require SSNs, because those are not
considered public records.
The article mentions help from the Public Citizen Litigation Group
(one of the Ralph Nader organizations), and quotes the legal director
for the ACLU, which was not involved in the case.
[I guess the "good guys" won one!]
Our local "News Radio 74" has a feature called "the Osgood File" in which Charles Osgood talks for several minutes. This morning his topic was Social Security numbers. He said a little, but missed some very important points. He talked about the invasions of privacy that were possible with someone else's SSN, but said only one or two sentences about possible loss of money. He mentioned that cards used to say "Not to be used for ID purposes" and don't say that anymore, but did not talk at all about which uses are actually illegal. He talked about a lawyer in Virginia (?) who sued the election officials because they required his SSN to register to vote and then sold the lists to special interest groups. But he did not say anything about all the other abuses that happen, and especially did not give any advice on how to reduce your risk. I was disappointed with the report. He could have given some very useful information about our rights and the danger of SSNs, but aside from a closing comment about "Remember, if they've got your Social Security number they've got your number!" there was almost nothing in the report that was actually useful to a listener. Chris Phoenix chrisp@efi.com 415-286-8581
PRESS RELEASE, March 26, 1993
"FEDERAL APPEALS COURT UPHOLDS PRIVACY: USE OF SOCIAL SECURITY NUMBER LIMITED
CPSR Expresses Support for Decision"
A federal court of appeals has ruled that Virginia's divulgence of the Social
Security numbers of registered voters violates the Constitution. The Court
said that Virginia's registration scheme places an "intolerable burden" on the
right to vote.
The result comes nearly two years after Marc Greidinger, a resident of
Falmouth, Virginia, first tried to register to vote. Mr. Greidinger said that
he found it nearly impossible to obtain a driver's license, open accounts with
local utilities or even rent a video without encountering demands for his
Social Security number.
Mr. Greidinger told the New York Times this week that when the State
of Virginia refused to register him as a voter unless he provided his Social
Security number he decided to take action. He brought suit against the state,
and argued that Virginia should stop publishing the Social Security numbers of
voters.
This week a federal appeals court in Richmond, Virginia ruled that the
state's practice constituted "a profound invasion of privacy" and emphasized
the "egregiousness of the harm" that could result from dissemination of an
individual's SSN.
Computer Professionals for Social Responsibility (CPSR), a national
membership organization of professionals in the computing field, joined with
Mr. Greidinger in the effort to change the Virginia system. CPSR, which had
testified before the U.S. Congress and the state legislature in Virginia about
growing problems with the misuse of the SSN, provided both technical and legal
support to Mr. Greidinger. CPSR also worked with Paul Wolfson of the Public
Citizen Litigation Group, who argued the case for Mr. Greidinger.
In an amicus brief filed with the court, CPSR noted the long-standing
interest of the computing profession in the design of safe information systems
and the particular concerns about the misuse of the SSN. The CPSR brief
traced the history of the SSN provisions in the 1974 Privacy Act. The brief
also described how the widespread use of SSNs had led to a proliferation of
banking and credit crime and how SSNs were used to fraudulently obtain credit
records and federal benefits.
CPSR argued that the privacy risk created by Virginia's collection and
disclosure of Social Security numbers was unnecessary and that other
procedures could address the State's concerns about records management.
This week the court of appeals ruled that the state of Virginia must
discontinue the publication of the Social Security numbers of registered
voters. The court noted that when Congress passed the Privacy Act of 1974 to
restrict the use of the Social Security number, the misuse of the SSN was "one
of the most serious manifestations of privacy concerns in the Nation."
The Court then said that since 1974, concerns about SSN confidentiality
have "become significantly more compelling. For example, armed with one's SSN,
an unscrupulous individual could obtain a person's welfare benefits, or Social
Security benefits, order new checks at a new address, obtain credit cards, or
even obtain the person's paycheck."
The Court said that Virginia's voter registration scheme would "compel
a would-be voter in Virginia to consent to the possibility of a profound
invasion of privacy when exercising the fundamental right to vote."
The Court held that Virginia must either stop collecting the SSN or
stop publicly disclosing it.
Marc Rotenberg, director of the CPSR Washington office said, "We are
extremely pleased with the Court's decision. It is a remarkable case, and a
real tribute to Marc Greidinger's efforts. Still, there are many concerns
remaining about the misuse of the Social Security number. We would like to
see public and private organizations find other forms of identification for
their computing systems. As the federal court made clear, there are real
risks in the misuse of the Social Security number."
Mr. Rotenberg also said that he hoped the White House task force
currently studying plans for a national health care claims payment system
would develop an identification scheme that did not rely on the Social
Security Number. "The privacy concerns with medical records are particularly
acute. It would be a serious design error to use the SSN," said Mr.
Rotenberg.
Cable News Network (CNN) will run a special segment on the Social
Security number and the significance of the Greidinger case on Sunday evening,
March 28, 1993. The Court's opinion is available from the CPSR Internet
Library via Gopher/ftp/WAIS. The file name is
"cpsr/ssn/greidinger_opinion.txt". The CPSR amicus brief is available as
"cpsr/ssn/greidinger_brief.txt".
CPSR is a national membership organization, based in Palo Alto,
California. CPSR conducts many activities to protect privacy and civil
liberties. Membership is open to the public and support is welcome. For more
information about CPSR, please contact, CPSR, P.O. Box 717, Palo Alto, CA
94302, call 415/322-3778 or email cpsr@csli.stanford.edu.
Please report problems with the web pages to the maintainer