Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The latest Scientific American has a short piece in the Science and the
Citizen department titled 'Fast Moves: Instant earthquake analysis may beat
the waves' (August 1993, pp. 22-24). The primary topic is a system being
developed at the California Institute of Technology which attempts to analyze
seismological data immediately upon receipt, locating the quake and providing
information to interested parties within minutes or even seconds. To achieve
this, they are building a network of seismological labs in southern
California. They appear to be thinking about the risks:
Fast-analysis systems like the one at Harvard need not worry about small
errors, because "they're not intended to support emergency operations...
CUBE [the network] cannot afford to make mistakes"
But the real danger becomes apparent from the first paragraph of the article:
...researchers may soon be able to anticipate the effects of an initial
tremor, enabling railroads to stop or slow their trains and permit [sic]
elevator systems to halt at the nearest floor.
While that sort of automatic response would have the potential to be very
helpful, it's obviously worrisome. Unfortunately, the system appears to
require automation to achieve sufficiently fast response time. It would seem
to be a difficult problem to not only analyze tremors without false alarms,
but to predict damage well enough to activate only those safety measures
necessary...
owens@cc.rochester.edu
Bill Owens, 727 Elmwood Avenue, Rochester, NY 14620 716/275-9120
Many people raised in the U.S. are unfamiliar with general stamp taxes. We know about excise taxes (e.g., liquor) with payment evidenced by stamps, and tax stamps to validate specific documents (e.g., hunting licenses). But (to my perhaps inadequate knowledge) the U.S. hasn't had a general stamp tax since the War of Independence. England had one years ago... most signatures on receipts for money or bills of sale were invalid unless scrawled across postage stamps. England still imposes stamp taxes on some business transactions, e.g., transfer of real property. NIST's proposal to "license" the DSS to PKP, forcing "the rest of us" including all who wish to transact business with the U.S. government to pay PKP every time we sign something digitally amounts to the imposition of a general stamp tax. Worse, it is a tax imposed by the government for the benefit of private persons (those who are paid by PKP). Attempts by George III's government to impose various stamp taxes on American colonists 200-odd years ago fueled revolutionary sentiment among them...
A report in the Globe and Mail newspaper in Canada (Wed, 14 July 1994; #44801, page 1) by Geoffrey York of the Parliamentary Bureau is entitled "Privacy report warns of `Big Brother' computer; Linked government databases called ominous." Here is a summary. The Canadian federal government's privacy commissioner, Bruce Phillips, submitted a report warning that electronic data interchange among government computers could bring Orwellian Big Brother consequences to society. The government is proposing to establish booths where residents could transact government business; however, users would have to provide personal identification numbers, photographs, and fingerprints to be permitted to use these booths. The commissioner is concerned about the routine exchange of private information among people "whose right to the information is, at best, debatable." He also criticized the growing use of electronic surveillance and monitoring in the workplace. He urged Canadians to push for broader privacy rights and guidelines to control government use of electronic networks. Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn.
There was an article on the news the other night featuring a rather homemade looking device that a man had purchased for A$150 in Malaysia. This gizmo records and then transmits the codes that unlock car doors (or garages etc). A thief loiters around with the device set to receive as somebody is leaving their expensive looking car. When a remote control is used to lock the car, the signal is picked up and recorded by the device. The car owner wanders off, thinking that the car is secure. The thief sets the device to transmit, and hey presto the car unlocks itself for the thief. Such an elegant and simple idea; I'm surprised that it took this long for someone to think of it (I certainly didn't). [*] The Australian police want the device made illegal (possession of it, I guess). What's the bet that the police will have legal use of it, though. Looks like pretty soon, remote controls will need time-stamped encryption techniques... [* Remember the movie *WarGames*, and the door-control touch-tones beaten by a record-and-playback attack? It's an old form of vulnerability for fixed authenticators. However, remember that even one-time tokens may be compromised if they are not properly incorporated into the system. PGN]
An article "Bottom Line Key In Video Systems" (Aviation Week, July 19,
1993, page 53) describes upcoming per-seat interactive video systems which
will be eventually be installed in many aircraft. The last paragraph touches
on privacy concerns:
"On-board passenger entertainment systems also offer airlines a powerful
marketing research tool. Master control unit software can be modified to
log passenger viewing habits and game use. Inventory records can be
adjusted automatically as meals and beverages are served. Passengers
also can be asked to provide selected demographic data."
This is similar to the credit-card supermarket checkout systems, with the
added bonus (for the airline) that they know just who is sitting in every seat
- even the fact that someone *doesn't* watch TV will be noted.
Not that this seems like a significant privacy concern. But it's bad
enough that we have to put up with advertisements for the airline blasting
out of the speakers and garrulous twits who rattle away on Airphones in the
next seat, without new annoyances such as this.
Jon (leech@cs.unc.edu)
> The conclusion on the cause of the accident is "pilot error". More of a user-interface design error, if you ask me. If you overload a person with things to do and input to consider to the point where they can no longer keep up, it is hardly reasonable to simply brush it off as "human error" when they fail to keep up. This particular risk is one in which I think more computerization ought to be possible, and even good. A computer in the cockpit ought to be able to monitor the fact that "we're dropping 1100 m/s and we're only at 1500 m altitude" (along with quite a number of other things as well), prioritize potential problems, and then issue a verbal warning to the pilots if any problem gets life threatening like this. (Hopefully before it is too late to do anything.) The frequency of warnings are critical of course: if it cries "wolf" too often, it will get ignored. Flint Pellett, Global Information Systems Technology, Inc., 100 Trade Centre Drive, Suite 301, Champaign, IL 61820 (217) 352-1165 flint@gistdev.gist.com
SYSTEM DYNAMICS OF MEDICAL REIMBURSEMENT PROBLEMS Sanford Sherizen (3965782@mcimail.com) writes in Risks Digest 14.75 regarding the risks of incomplete management processes as well as faulty computer systems regarding medical reimbursement systems. The emphasis is more on the dynamics of the system than any particular computer risk. 1st: many physician practices "offload" their entire billing operation to service bureaus. 2nd: these service bureaus earn a fee for timely payment regardless of source, e.g., the patient or his/her insurance carrier. 3rd: some group practices, and large practices like HMOs, offer their service bureaus incentives for timely turnaround on receivables as well as penalties for failure to produce. This creates an incentive for the service bureau to aggressively bill both the patient and the insurance carrier and worry about sorting out double payments, if at all, later on. The reinforcing loop for the service bureau is to churn payments as fast as possible regardless of source. The more quickly their doctor customers get paid, the more robust their incentive fee. From a systems perspective there is no balancing loop to insure integrity in the service bureau's records with regard to the source of the payment, only that an amount has been tallied and the client physician office has covered its receivables. The service bureau cheerfully "offloads" the issue of reconciling mistakes in the source of payment to the patient. Their view is that patients will "know" and have "proof" that the bill for service has been covered. Here is tiny (pop. 45,000) Idaho Falls, ID, we have one such service bureau which exactly follows this model of aggressive practice in double billing the patient and the insurer. Further, there is an long lag (60+ days) in reconciling payments from insurers with copayments from patients. Complaints to the provider have little effect. Once billing is offloaded to the service bureau, there is no one left in the doctor's office who is able, besides the doctor, to deal with the problem. As long as he/she is getting paid, the doctor has no special interest in patient billing problems with the service bureau. Typically, the doctor's office computer system is tied in directly to the service bureau. When the doctor looks at the system, the accounts are ok, and problems of double billing to the patient are invisible. Patients have an opportunity to create a balancing loop if it is external to the doctor/service bureau system. Patients could form a consumer action organization which would intervene on their behalf, privately and publically, with service bureaus and their customers. The annual cost to a patient, e.g, on the order of $25/year, would be cost effective when compared to the average annual health bill of a family of four, e.g, $2,000-3000/year at a minimum. Insurance companies, which are probably also fed up with aggressive double billing from service bureaus, might have an incentive to support such organizations. This would be especially true for those employers who self-insure and hire companies like Mutual of Omaha or Prudential to simply process the paperwork. The reference to these firms is for example purposes only, and is not intended to imply any connection to service bureau practices. Dan Yurman, PO Box 1569, Idaho Falls, ID 83403 dyurman@igc.apc.org 3641277@mcimail.com
This indeed may be quite common - an almost exactly identical incident happened to me — about 10 years ago. It seems the lab bill is handled separately, and the lab computer (or their collection agency's computer) is not informed that the bill has been paid. Amos Shapir, The Hebrew Univ. of Jerusalem, Dept. of Comp. Science. Givat-Ram, Jerusalem 91904, Israel amos@cs.huji.ac.il Tel: +972 2 585706
I've long tried to track medical insurance payments. It isn't easy. In this example the user relied on the lab to assure that there records were correct and become aware of a specific case where they were probably wrong and followed through. In general, however, each component system is designed in isolation with no thought being given to auditability on the part of the user. There are lots of uncorrelated pieces of paper mailed around with payments in varying amounts according to arcane rules going to various parties including the patient. The insurance companies seem to have some concept of medical events in an attempt to avoid double payments. But there is never a summary so the user can understand what is happening without collecting every slip of paper into one central set of records that correspond to the insurance company's representation. One particular offender locally is Newton-Wellesley Hospital where each entity seems to be a separate corporation that does its own billing for each aspect of each procedure for combination of locations. This is compounded by having multiple members of a family with slightly differing names. And then there are lab tests... Simple ideas like replacing bills that contain a single amount past do with summaries of payments and events and some common identification of events would go a long way. Such a system would be in the interest of the insurance agents as a way to discover errors and fraud. In the meantime, I'll continue to use standard system methodology. Whenever things are confused let things quiesce. Don't pay bills until the insurance company and the doctors have had their chance to go around a few times and then take a guess at whether what remains to be paid is appropriate.
To extend the much-trod ATM-fraud path... My MasterCard number was recently used to fraudulently make $8000 worth of ATM cash advances over a 4 day period. Seems that the number itself was obtained via some standard illegal route which by now has undoubtedly been discussed (just the number was obtained, not the card itself) thus will not be addressed further in this note. Much more interesting, however, was how my PIN was obtained, allowing the perpetrators of the fraud to use a fake MasterCard in an ATM 4 times a day, 4 days in a row, $500 each time... Seems a written request for change-of-address was received by my Credit Union (backers of the MasterCard); this change was processed sometime on Wednesday, July 7th. The request included all sorts of identity-confirming information such as date of birth, social security number, and my mother's maiden name. The address was changed to a Brooklyn NY apartment (I live in a single-family house in Virginia). IN THE SAME LETTER a request was made for a copy of the PIN for the MasterCard (not unusual for people to forget a PIN and request it again). The PIN, the most important secret piece of information for the card, was dutifully mailed off to the fraudulent address in Brooklyn. Starting Monday, the 12th, the fraudulent cash advances were made from two different Brooklyn banks' ATMs. Upon finding out about the fraud (tried to use the card myself and was declined for the first time in my life), I immediately called every financial institution I do business with — fortunately, they all require some crucial bit of information for phone account manipulations (like a mother's maiden name...), send a change-of-address notice to BOTH the new AND old addresses, and won't send money/crucial info to the NEW address for 30 days. Hope YOUR financial institutions protect your PINs as well... Oh yeah, one more thing...on calling my MasterCard Service Center I was told that requests for PINs are handled by regenerating the same PIN and mailing it off to the address — the SAME PIN is -always- regenerated (not just retrieved) from the same MasterCard #; if you want a DIFFERENT PIN, you have to get an entirely new MasterCard number...hmmm... Russ <Smith@ur-guh.com>
After many calls and faxes I've found out a little more about the mechanisms behind ATM transactions and the fraudulent use of a MasterCard number of mine. It turned out that the previously-related fraud was done using an EXPIRED MasterCard number to withdraw cash from an ATM machine, not my current MasterCard number. When the request for both the change-of-address and the PIN number came via a letter, an old EXPIRED MasterCard number was used (had expired more than a month earlier). The change-of-address and PIN number for the expired card were processed and sent off to the fake address The perpetrators then used the expired card number and its PIN number to make the cash advances. How is it possible to use an EXPIRED card to make $8000 in cash advances? It's possible because the ATM's verification center ONLY checks if the card number is on a list of STOLEN/LOST cards. If the card is not stolen/lost, the verification center then performs a verification check of the information FROM THE CARD ITSELF, not from some other database. So the perpetrators just wrote a new expiration date on the magnetic stripe of their fake card; the ATM verification center verified that the date hadn't yet passed and that was that. Russ "Cancelled Credit" <Smith@ur-guh.com>
Conference Announcement and Call for Papers
Computers, Freedom, and Privacy 1994
23-26 March 1994
The fourth annual conference, "Computers, Freedom, and Privacy," will be
held in Chicago, Il., March 23-26, 1994. This conference will be jointly
sponsored by the Association for Computing Machinery (ACM) and The John
Marshall Law School. George B. Trubow, professor of law and director of the
Center for Informatics Law at The John Marshall Law School, is general
chairman of the conference.
The series began in 1991 with a conference in San Francisco\Burlingame,
and subsequent meetings took place in Washington, D.C. and again in San
Francisco\Burlingame, in successive years. Each conference has addressed a
broad range of issues confronting the "information society" in this era of the
computer revolution.
The advance of computer and communications technologies holds great
promise for individuals and society. From conveniences for consumers and
efficiencies in commerce to improved public health and safety and increased
knowledge of and participation in government and community, these technologies
are fundamentally transforming our environment and our lives.
At the same time, these technologies present challenges to the idea of a
free and open society. Personal privacy is increasingly at risk from
invasions by high-tech surveillance and monitoring; a myriad of personal
information data bases expose private life to constant scrutiny; new forms of
illegal activity may threaten the traditional barriers between citizen and
state and present new tests of Constitutional protection; geographic
boundaries of state and nation may be recast by information exchange that
knows no boundaries as governments and economies are caught up in global data
networks.
Computers, Freedom, and Privacy '94 will present an assemblage of
experts, advocates and interested parties from diverse perspectives and
disciplines to consider the effects on freedom and privacy resulting from the
rapid technological advances in computer and telecommunication science.
Participants come from fields of computer science, communications, law,
business and commerce, research, government, education, the media, health,
public advocacy and consumer affairs, and a variety of other backgrounds. A
series of pre-conference tutorials will be offered on March 23, 1994, with the
conference program beginning on Thursday, March 24, and running through
Saturday, March 26, 1994.
The Palmer House, a Hilton hotel located at the corner of State Street
and Washington Ave. in Chicago's "loop," and only about a block from The John
Marshall Law School buildings, will be the conference headquarters. Room
reservations should be made directly with the hotel, mentioning The John
Marshall Law School or "CFP'94" to get the special conference rate of $99.00,
plus tax.
The Palmer House Hilton
17 E. Monroe., Chicago, Il., 60603
Tel: 312-726-7500; 1-800-HILTONS; Fax 312-263-2556
Call for Papers and Program Suggestions
The emphasis at CFP'94 will be on examining the many potential uses of
new technology and considering recommendations for dealing with them.
Specific suggestions to harness the new technologies so society can enjoy the
benefits while avoiding negative implications are solicited.
Proposals are requested from anyone working on a relevant paper, or who
has an idea for a program presentation that will demonstrate new computer or
communications technology and suggest what can be done with it. Any proposal
must: state the title of the paper or program; describe the theme and content
in a short paragraph; set out the credentials and experience of the author or
suggested speakers; and should not exceed two pages. If an already completed
paper is being proposed for presentation, then a copy should be included with
the proposal.
Student Papers and Scholarships
It is anticipated that announcement of a student writing competition for
CFP'94 will be made soon, together with information regarding the availability
of a limited number of student scholarships for the conference.
Timetables
Proposals for papers and programs are being accepted at this time. It is
intended that program committees will be finalized by August 1, 1993.
Proposals must be received by October 1, 1993.
Communications
Conference communications should be sent to:
CFP'94
The John Marshall Law School
315 S. Plymouth Ct.
Chicago, IL 60604
(Voice: 312-987-1419; Fax: 312-427-8307; E-mail: CFP94@jmls.edu)
CALL FOR PAPERS
SCIENCE AND TECHNOLOGY THROUGH SCIENCE FICTION
workshop next summer in Barcelona, Spain (22nd and 23rd, June 1994)
This will be the first edition of such a Workshop. If you know more
people that could be interested, please help in making this information
available by forwarding this message.
If you need more information, please feel free to contact
blo@lsi.upc.es, Dr. Miquel Barcels, Software Department - UPC
Pau Gargallo, 5, E 08028 BARCELONA (Spain)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
First Announcement and CALL FOR PAPERS
STSF '94
An International Workshop on
SCIENCE and TECHNOLOGY through SCIENCE FICTION
22nd-23rd June 1994 - BARCELONA (Spain)
Organized by CONSELL SOCIAL (Board of Trustees)
of Universitat Polithcnica de Catalunya (UPC)
in cooperation with:
Software Department (UPC)
Physics and Nuclear Engineering Department (UPC)
WORLD SF (Hispanic Chapter)
THE WORKSHOP
A good working definition of science fiction is "speculative
extrapolation about the effect of science and technology on society".
The aim of this International Workshop is to provide a forum for identifying,
encouraging and discussing research about science and technology, or their
consequences, as portrayed in science fiction. The Workshop will bring
together researchers, scientists, and other academics with science fiction
professionals to share information and explore new ideas about the
relationship between science fiction, science and technology.
TOPICS OF INTEREST
The topics of interest include but are not limited to:
- Biotechnology, genetic engineering
- Computer science, robotics, artificial intelligence
- Macroengineering
- Nanotechnology
- Physics, astronomy, cosmology
- Professional activity of scientists and engineers
- Social impact of science and technology
- Teaching science and technology with science fiction
PROGRAM COMMITTEE
* Miquel Barcels (Software Dept., UPC, SPAIN)
* Joe Haldeman (SFWA president, M.I.T. Associate Professor, USA)
* Elizabeth A. Hull (SFRA past-president, USA)
* Frederik Pohl (SFWA and WSF past-president, USA)
* Vernor Vinge (Dept. of Math Sciences, SDSU, USA)
ORGANIZING COMMITTEE
* Miquel Barcels (Software Dept., UPC)
* Laura Cabarrocas (Board of Trustees (secr.), UPC)
* Gay Haldeman (Writing Program, M.I.T.,USA)
* Pedro Jorge (Hispanic Chapter of WORLD SF)
* Jordi Josi (Physics and Nuclear Engineering Dept., UPC)
* Louis Lemkow (Sociology Dept., UAB)
* Manel Moreno (Physics and Nuclear Engineering Dept., UPC)
INSTRUCTIONS TO AUTHORS
Paper submissions must be in English and no more than 6000 words long. The
Proceedings of the Workshop will be published by the organizing institution.
Authors are requested to submit a "Letter of Intention" with the title of the
paper and a short abstract (less than one page) before November 30, 1993.
Authors must submit five copies of each paper, before January 31, 1994, to
the Program Chairperson: Miquel Barcels
Facultat d'Inform`tica
Universitat Polithcnica de Catalunya
Pau Gargallo, 5
E 08028 BARCELONA (Spain)
Tel: 34.3.401.6958
Fax: 34.3.401.7113
E-mail: blo@lsi.upc.es
IMPORTANT DATES
* Deadline for Letter of Intention: November 30, 1993
* Deadline for Paper Submission: January 31, 1994
* Notification of Acceptance: March 15, 1994
* Camera Ready Papers Due: April 30, 1994
* Workshop: June, 22-23, 1994
Please report problems with the web pages to the maintainer