The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 20

Weds 6 July 1994

Contents

o EM RF RISK turns into life-saver
Ralph Moonen
o Mosaic risks
Faisal Nameer Jawdat
o Airbus
Robert Morrell Jr.
o ACM crypto policy panel chairman's statement
Steve Kent
o Re: Physical Location via Cell Phone
A. Harry Williams
o Phone records
Lauren Weinstein
o Video cameras in City Centres
Scott A. McIntyre
o Re: AI to screen bad from good cops in Chicago
Piers Thompson
o Re: Scary
Jim Horning
o Environmentally Aware Computing
JAN Lee
o "Repetitive Strain Injury" by Pascarelli
Reviewed by Rob Slade
o "Computer Ethics" by Forester/Morrison
Reviewed by Rob Slade
o "A Short Course on Computer Viruses" by Fred Cohen
Reviewed by Rob Slade
o Re: Rob Slade's review of "The Hacker Crackdown"
Richard Schroeppel
o Info on RISKS (comp.risks)

EM RF RISK turns into life-saver

Ralph Moonen <ralph@inter.nl.net>
Wed, 6 Jul 1994 09:52:04 +0200
The oft discussed risk of EM RF radiation to devices like pacemakers can now
sport a case of anti-risk. A 42-year old man of The Hague (Netherlands)
collapsed in front of a swimming pool when his pacemaker failed. A police
officer in the vicinity radioed for help, and as soon as he did, the pacemaker
started working again. The officer was able to keep the man alive until an
ambulance arrived by using his transceiver.....

--Ralph

      [The remote jumpstart has all sorts of interesting possibilities.
      Next we will find a way to remotely beam an electrical charge into
      a car ignition when the battery is low, without jumper cables.  PGN]


Mosaic risks

Faisal Nameer Jawdat <faisal+@CMU.EDU>
Wed, 6 Jul 1994 09:29:14 -0400 (EDT)
    Clarinet reports that Spyglass, Inc. has signed a licensing agreement with
the NCSA for the right to work with, enhance, and redistribute versions of
Mosaic as a commercial product.

    The obvious risk comes in the confusion that could ensue with some people
thinking that their commercial version is also freeware, and distributing it,
or some people getting in trouble for distributing the free version because
someone else thinks it's the commercial version.  Also, there are risks due to
the differing feature sets provided by each.

    The more menacing risks (to my thinking, at least) come from the fact that
Spyglass will be working on some security and authentication systems to allow
credit card transactions over the net.  I am highly dubious of the www's
ability to safely protect credit card transactions (although I could think of
ways this could be handled, I do not trust a browser system that was not
originally designed with highly secure transmission in mind).

    Also, sources to various NCSA projects are not particularly difficult to
find (I found Telnet on wuarchive, and I've seen Mosaic at CMU) - with access
to Mosaic sources people could build fakes of the commercialized Mosaic to
trap credit card numbers.

    --faisal


Airbus

"Robert Morrell Jr." <bmorrell@isnet.is.wfu.edu>
Tue, 5 Jul 1994 23:13:19 -0400 (EDT)
I recently had the opportunity to discuss at length the various RISKS Digest
pieces on air safety and computer controls with a relative who is an
experienced military and civilian industry pilot.

He agreed with the thrust of the threads here, but added a specific and
general comment about the A-320.

Specifically he noted that the greatest problem with the aircraft is that it
is unique in lacking a unified "off switch" for the autopilots. All other
aircraft have one control that can be flipped or pressed that will turn off
the computer pilot(s) and return control to the aircraft.  Apparently doing
this in the A-320 is no small matter.

Generally, though he and other pilots like the A-320, it is known for having a
"mind of its own" literally. Most pilots, according to my relative, have
stories of the plane suddenly "up and deciding to begin an approach, go around
or enter a traffic pattern" It seems amusing usually, but then my relative had
never had it happen low to the ground....


ACM crypto policy panel chairman's statement [See RISKS-16.19]

Steve Kent <kent@BBN.COM>
Wed, 29 Jun 94 10:15:09 -0400
   [The following statement could have been included along with the crypto
   policy panel message and the USACM message in RISKS-16.19, providing an
   explanation of the distinction between the two messages and their
   origins.  Steve's statement was read as part of the press conference
   noted in RISKS-16.19, which Steve could not attend.  I have chosen to
   reproduce it here.  PGN]

        Barbara Simons, chair of the USACM committee recruited me to organize
this panel a little over a year ago, after the announcement of the escrowed
encryption initiative.  Barbara provided suggestions for candidate panel
members, but allowed me complete freedom in inviting panel members.  Barbara
also pointed me towards Susan Landau as a candidate staff member to support
the panel, and I am especially grateful for that recommendation as Susan has
done a tremendous job in writing this report, from inputs provided by the
panel members, from her own research, and through extensive editing sessions
including all of the panel members.

        The panel I assembled is intentionally a mix of individuals who
represent differing perspectives on the complex issues surrounding crypto
policy.  These individuals work for a variety of organizations, including
government agencies, academia, commercial and non-profit organizations. These
organizations graciously donated the participants' time so that they could
participate in this activity.  The panel members did not represent these
organizations in the production of this report, but rather contributed as
individuals.

        The panel members worked together in a cooperative effort to produce a
consensus report.  Not all panel members agree with all of the statements
contained in this report and the report contains no policy recommendations,
because of the diverse panel membership.  The report distinguishes between
facts, opinions and speculation.  It provides a very balanced discussion of
many of the issues that surround the debate on crypto policy, and we hope that
it will serve as a foundation for further public debate on this topic.  I
personally became better informed about some of these issues as a result of
working on this report and I suspect many of the panel members also gained
personally from their participation.

        The statement of the USACM committee, which Barbara will read, and
which is available in hardcopy form, should be viewed as independent of this
report.  The USACM committee reviewed this report, and suggested a variety of
changes, some of which were acted upon while others were not.  Both the panel
and the USACM committee agree on the need for continued public debate on this
topic.  However, the specific recommendations of the USACM committee do not
reflect the consensus views of the panel nor are they necessarily supported by
the contents of this report.  The press, policy makers, and the public should
read the report and use it as a starting point in reaching their own
conclusions about these issues.


Re: Physical Location via Cell Phone (Atkins, RISKS-16.18)

"A. Harry Williams" <HARRY@VM.MARIST.EDU>
Sun, 03 Jul 94 20:46:10 EDT
>And as the cells get smaller, the location detail gets better.  ...

While recently cruising the WWW, one of the people here discovered a location
in England using active pagers to track their staff in the building.  While
some of it was best guess on our part, there was definitely some kind of
meeting going on, since many of the staff were identified as being in a
conference room (even which phone was closest to their location).  From our
observations, it looks like there is no "cell" for either the hallways, or the
rest rooms.  There was however, identification of those last spotted at the
car park exit, and how long they had been out of the building.

/ahw


Phone records

Lauren Weinstein <lauren@vortex.com>
Wed, 6 Jul 94 00:24 PDT
The question of phone records is an interesting one.  On one hand, there's the
release of records to law enforcement under court action.  There are many
cases where this is important to the solving of a crime and the merits need to
be determined in each individual case.

What I found disturbing in the recent Simpson situation was the *television
station* getting the records and airing them (complete with numbers exposed)
so rapidly.  I've been unable to determine if the release of these records to
the station was somehow legal, or was completely under the table.  The station
had what appeared to be complete, detailed computer printouts in hand.

If you read your phone bill inserts carefully, you may have already received a
notice allowing you to choose whether or not you want your called number
information released to VENDORS of telecommunication services!  Apparently a
new FCC ruling requires this choice be made by subscribers--I believe it
defaults to "no call info" if the subscriber doesn't respond and has no prior
instructions on file.  Of course, this begs the issue of how widespread the
practice was of telcos and long distance companies handing out this info for
commercial purposes in the past.

This is an appropriate area for discussion over in the PRIVACY Forum Digest.
Send the line:

   information privacy

as the only text in the body of a message to:

   privacy-request@vortex.com

for details.

--Lauren--


Video cameras in City Centres

"Scott A. McIntyre" <scott@shrug.org>
Wed, 6 Jul 1994 11:50:25 +0100 (BST)
In a report on the BBC last night (Tue July 5, 1994) the merits and RISKS of
the recent installation of a city centre wide television monitoring system in
Liverpool was discussed.

After the abduction and murder of James Bulger a year or so ago, most of the
residents of Liverpool were all in favour of having their movements monitored
by the bank of high resolution cameras, covering all streets in the main
centre of town.

A private company is in charge of the system, but the police (both local, and
as the report suggested, national) have instant access to any of the camera
views.  There was some discussion as to the dangers of companies,
organisations, and even the government obtaining access to these tapes to
discover who shops where, buys what, etc; yet by and large people seemed
willing to allow Big Brother to move in to combat crime and make the streets
safer.

The RISKS are obvious.  With enough crime, poverty, social decay, people may
be willing to assign away all personal freedom in the perhaps futile attempt
to recover the lost days of leaving your front door open and unlocked, and
your car window rolled down whilst you shop.

Scott


Re: AI to screen bad from good cops in Chicago

Piers Thompson <pjt1@scigen.co.uk>
Wed, 6 Jul 94 11:21:49 BST
What is the legal position on this?  The article lists the factors used by the
program to make decisions: it does not consider the weighting given to these
factors.  The software could quite possibly be ignoring one or more of the
factors.  In the worst case, the software might just be considering the race
or sex of a police officer.  This would be blatant racism/sexism.  When race
and sex are combined with other factors to produce a criminality estimate does
not their inclusion still amount to sexism/racism?

If the program's output were to have any influence on the promotion prospects
of an individual and that individual could demonstrate that changing only
their race or sex (as inputs to the program rather than genetically!) moved
them into the non-potential-criminal group then would that not provide grounds
for them to claim discrimination and take whatever legal action was
appropriate?

Piers Thompson  pjt1@scigen.co.uk

  [Also a good topic for PRIVACY...  PGN]
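The test Thompson proposes (change only race or sex as an input, keep everything else fixed, and see whether the verdict moves) can be run mechanically against any scorer whose inputs can be set directly. The following is an added example and is not the Chicago program or anything from the posting: the scorer, its factors, weights, threshold and category codes are all constructed here for illustration, and the non-zero weight on "race" is deliberately planted so that the check has something to find. Only the procedure itself is the point.

```python
"""Counterfactual check: does flipping only a protected input change the verdict?

Added example, not the Chicago program or code from the RISKS posting.  The
scorer, its factors, weights, threshold and category codes are constructed
for illustration.  The check is generic: hold every other input fixed,
change race or sex alone, and compare the classification.
"""
from dataclasses import dataclass, replace
from itertools import product

# Constructed factor weights.  The non-zero weight on "race" is the defect
# the check is meant to surface; the real program's weights are not
# published, which is exactly Thompson's complaint.
WEIGHTS = {
    "complaints": 1.5,
    "sick_days": 0.2,
    "commendations": -1.0,
    "race": 2.0,
    "sex": 0.0,
}
THRESHOLD = 5.0          # score at or above this => "potential problem" group

RACE_CODES = ("A", "B")  # constructed categorical codes, not real categories
SEX_CODES = ("F", "M")
PROTECTED = {"race": RACE_CODES, "sex": SEX_CODES}


@dataclass(frozen=True)
class Officer:
    complaints: int
    sick_days: int
    commendations: int
    race: str
    sex: str


def score(o: Officer) -> float:
    """Hypothetical linear scorer: a weighted sum of the factors."""
    return (WEIGHTS["complaints"] * o.complaints
            + WEIGHTS["sick_days"] * o.sick_days
            + WEIGHTS["commendations"] * o.commendations
            + WEIGHTS["race"] * RACE_CODES.index(o.race)
            + WEIGHTS["sex"] * SEX_CODES.index(o.sex))


def flagged(o: Officer) -> bool:
    return score(o) >= THRESHOLD


def counterfactual_flips(o: Officer) -> list:
    """(attribute, value) pairs where changing ONLY that protected attribute
    moves the record across the threshold.  An empty list means this record's
    verdict is insensitive to race and sex, given its other inputs."""
    base = flagged(o)
    flips = []
    for attr, codes in PROTECTED.items():
        for code in codes:
            if code == getattr(o, attr):
                continue
            twin = replace(o, **{attr: code})   # everything else held fixed
            if flagged(twin) != base:
                flips.append((attr, code))
    return flips


def audit(population) -> dict:
    """Count how many records in a population are decided by a protected
    attribute alone.  Any non-zero count is the evidence Thompson describes."""
    sensitive = [o for o in population if counterfactual_flips(o)]
    return {"total": len(population), "sensitive": len(sensitive)}


def sweep_sensitive_region() -> list:
    """Enumerate a grid of non-protected inputs and return the points where a
    race or sex flip alone changes the decision.  A model that is truly
    indifferent to the protected inputs returns an empty list."""
    hits = []
    for complaints, sick, comm in product(range(0, 6), range(0, 21, 5), range(0, 4)):
        o = Officer(complaints, sick, comm, RACE_CODES[0], SEX_CODES[0])
        if counterfactual_flips(o):
            hits.append(o)
    return hits


if __name__ == "__main__":
    # Constructed sample records.
    sample = [
        Officer(2, 5, 0, "A", "F"),   # score 4.0; becomes 6.0 if race -> "B"
        Officer(4, 0, 0, "A", "F"),   # score 6.0; flagged whichever way
        Officer(0, 0, 2, "B", "M"),   # score 0.0; never flagged
    ]
    for o in sample:
        print(o, flagged(o), counterfactual_flips(o))
    print(audit(sample))
    print(len(sweep_sensitive_region()), "grid points decided by race/sex alone")
```

Two caveats for anyone running this against a real system. First, the check is a necessary condition, not a sufficient one: a scorer that ignores the race field but leans on a factor closely correlated with race (a proxy) passes it cleanly, so a clean sweep does not establish that the weighting is fair. Second, it only works when the auditor can set the inputs directly; where the program is a black box fed from personnel records, the same test has to be run by submitting paired records that differ in the protected field alone.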


Re: Scary (Denning on Agre, RISKS-16.18)

Jim Horning <horning@src.dec.com>
Tue, 21 Jun 94 10:12:59 -0700
I suspect that what Phil finds scary is that an unknown candidate (a la
Perot) can appear to each voter to be promising exactly what that voter
wants, and diametrically opposed voters could wind up voting for a
candidate who actually didn't intend to satisfy either of them.  With
broadcast media, there is some chance that everybody will see what the
candidate is promising other people.

It's not quite so scary when applied to a brand of perfume or motor oil,
maybe because they don't have fixed terms of office.

Jim H.


Environmentally Aware Computing

J. A. N. Lee <janlee@vtopus.cs.vt.edu>
Wed, 6 Jul 1994 14:06:53 -0400 (EDT)
   [This would be a useful item for RISKS, so I am including
   JAN's request here.  Please respond to him and CC: RISKS.  PGN]

I am interested in having our students in our Computer Professionalism course
do a homework writing assignment related to the development of environmentally
favorable machines, systems, etc.  While there have been some newspaper
articles about the "clean-up" of Silicon Valley and the hazards of working in
computer manufacturing environments, there seems to be little in the
"technical" press.  I am therefore looking to collect a bibliography of
articles which address these topics -- including not only hazards and clean
up, but also references to "Green Machines".  Along the same line there have
been some references to VDT radiation and RSI but I do not know of a
bibliography in this area.

Your assistance is sought.

John A. N.(JAN) Lee, Dept. of Computer Science, Virginia Tech, Blacksburg VA
24061-0106, Ph: (703) 231-5780  FAX: (703) 231-6075  E-mail: janlee@cs.vt.edu


"Repetitive Strain Injury" by Pascarelli

Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067
Sat, 02 Jul 1994 12:43:58 -0600 (MDT)

BKRSI.RVW  940401

Wiley
5353 Dundas Street West, 4th Floor
Etobicoke, ON
M9B 6H8
416-236-4433
fax: 416-236-4448
or
22 Worchester Road
Rexdale, Ontario
M9W 9Z9
800-263-1590
800-567-4797
fax: 800-565-6802
or
605 Third Avenue
New York, NY   10158-0012
USA
800-263-1590
800-CALL-WILEY
212-850-6630
Fax: 212-850-6799
jdemarra@wiley.com
aponnamm@jwiley.com
"Repetitive Strain Injury", Pascarelli, 1994, 0-471-59533-0, U$18.50

My first actual case of repetitive strain injury (or RSI), as a first aid
attendant, was not in the logging camps, railway gangs or spacing crews, but
with a young student athlete at an outdoor school.  He had, literally, outdone
himself the day before on a steep downhill hike.  He was one of the best jocks
in the school and had no problems with stairs and hill climbs--none of which
had prepared him for the repeated extension of his foot which downhill walking
required.

Work-related repetitive strain injury has been known for a long time now.
Writer's cramp shows up in an Italian treatise almost three hundred years old.
Research and treatment, however, has lagged.  For one thing, RSI generally
involves soft tissue damage which does not show up on x-rays (or, indeed, on
anything much besides microscopic examination of the tissue).  For another, few
jobs up until this century have required the kind of environment where actions
had to be repeated so often without variation.  Until very recently, the most
common repetitive strain situations involved gross motor activities, where
strains showed up early and responded well to exercise.  With the advent of the
computer keyboard and data entry as major factors in job situations, RSI has
become a serious issue in the workforce.

This is a comprehensive, factual and practical guide to RSI.  It is directed
primarily to the computer user or repetitive strain injury sufferer, covering
facts about RSI, symptoms and warning signs, diagnosis, choosing a physician,
recovery, legal aspects, maintenance and prevention.  A major emphasis is to
put users/sufferers in charge of, and responsible for, their own health.

The book continually counsels patience.  My student athlete, when asked if he
could walk out with the rest of the group, visibly tried to calculate how much
better he could be in the three days before they had to leave.  I had to ask
him if he could do it right then, since I knew it wasn't going to heal very
fast, and he had to admit he couldn't.  His case was actually extremely mild,
after only a few hours, and would have faded within a week or so of reduced
activity.  Most RSI cases, however, traumatize the area for months or even
years, and the healing process is correspondingly lengthy.

Although the book is written for users, I would strongly recommend that every
manager get a copy.  Averaged over all employees, RSI accounts for about $200
expense per year and per person.  If you have four people working for you,
using computers, it is almost certain that at least one will develop RSI at
some point.  RSI is almost entirely preventable, and is almost entirely caused
by ignorance.  Most of you reading this are probably nodding your heads and
muttering something about carpal tunnel syndrome--unaware that this over-
diagnosed syndrome actually accounts for only one percent of RSI, according to
one study cited in the book.

Highly recommended.   A very minor investment in keeping free of an ailment
which could severely affect your job--not to mention everything else you do
with your hands and body.

copyright Robert M. Slade, 1994   BKRSI.RVW  940401
Vancouver Institute for Research into User Security Canada V7K 2G6
Robert_Slade@sfu.ca rslade@cue.bc.ca p1@CyberStore.ca p1@arkham.wimsey.bc.ca


"Computer Ethics" by Forester/Morrison

Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067
Wed, 22 Jun 1994 13:15:55 -0600 (MDT)

BKCPTETH.RVW  940406

The MIT Press
55 Hayward Street
Cambridge, MA   02142
USA
Robert V. Prior, Editor - Computer Science prior@mitvma.mit.edu
Maureen Curtin, Int'l Promo. - curtin@mit.edu
"Computer Ethics", Forester/Morrison, 1994, 0-262-56073-9, U$14.95

As a collection of stories on computer crime and problems, this is fascinating
and wide ranging.  As a text on the social, ethical and professional issues
facing the information technology community, it is interesting and possibly
provoking.  As a textbook for a course on computer ethics it lacks analysis,
ethical background and structure.  The sub-title, "Cautionary Tales and Ethical
Dilemmas in Computing," is much more descriptive of the book.  It is full of
"tales"; a cross between "Spectacular Computer Crimes" and "Digital Woes".  The
ethical dilemmas are an add-on, but generally well written.  As an adjunct in a
course on computer ethics, or the social implications of technology, it would
certainly hold students' attention.  The authors seem to be slightly too aware
of this.  The preface states that the authors found computing students to lack
"awareness of social trends, global problems, or organizational issues," and
that the book had been correspondingly directed to the closer details of what
students would face on a daily basis.  One can sympathize with the frustrations
the authors must have felt, but this very example would seem to indicate that
students must be given a broader view of society rather than a narrower one.

Chapter one gives a good introduction and overview, as well as a brief
explanation of the major current ethical philosophies.  It is, unfortunately,
the last statement on ethics that is made.  Until chapter nine, a set of
scenarios for classroom discussion, the remainder of the book is the various
tales, padded with a thin structure of observations from other writings.
Chapter two covers computer crime.  It has a slight tendency to edge towards
the border of the hacking/cracking/phone phreak topic, but the discriminating
reader will note what law enforcement agencies generally find:  most computer
crime is an inside job.  Chapter three deals with software theft and notes,
perhaps a bit smugly, the litigious mess of the American software industry.
(The authors hail from Australia and Singapore, respectively.)  Chapter four
explores "Hacking and Viruses" and, given the confusion of hacking with
computer abuse, is more than slightly confused.  Chapter five looks at issues
of computer reliability or the lack thereof.  Chapter six purports to deal with
invasion of privacy, but spends much of its time with computer errors and,
then, a significant space talking about workplace surveillance (which
anticipates chapter eight).  The examination of artificial intelligence, in
chapter seven, seems mostly to have been a recap of the reliability issues from
chapter five.

Instructors, even when simply using the book as a discussion starter, should be
on top of the subject.  The MacMag/Brandow virus appears, not in chapter four,
but in chapter three as an illustration of software piracy.  This indicates
that the authors have no understanding of viral spread.  Indeed, the authors
define a virus as a self-replicating program that causes damage--even though
three out of the five specific examples do no "damage".  A "trojan horse" is
also defined as a program that allows access to an already penetrated system--
with no mention of pretense, deceit or damage at all.  (The authors also report
the "Twelve Nasty (sic) Tricks" trojan as a virus, the "AIDS" extortion attempt
as a virus and the "Desert Storm" virus as fact.)

This book is definitely a good adjunct text for a social, ethical or
professional computing course.  It will definitely provide interesting
material.  It does not, however, provide the necessary background for such a
course without other materials.

copyright Robert M. Slade, 1994   BKCPTETH.RVW  940406
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733


"A Short Course on Computer Viruses" by Cohen

Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067
Tue, 05 Jul 1994 13:22:51 -0600 (MDT)

BKSHRTVR.RVW  940329

Wiley
5353 Dundas Street West, 4th Floor
Etobicoke, ON
M9B 6H8
416-236-4433
fax: 416-236-4448
or
22 Worchester Road
Rexdale, Ontario
M9W 9Z9
800-263-1590
800-567-4797
fax: 800-565-6802
or
605 Third Avenue
New York, NY   10158-0012
USA
800-263-1590
800-CALL-WILEY
212-850-6630
Fax: 212-850-6799
jdemarra@wiley.com
aponnamm@jwiley.com
"A Short Course on Computer Viruses", Cohen, 1994, 0-471-00768-4, $34.95
fc@jupiter.saic.com

This book is fun.  I mean, it starts out with the statement, "I would like to
start with a formal definition," followed by about a paragraph's worth of
symbolic logic, followed by, "So, much for that!"  I assume that the surface
joke is accessible to all: for those who know of the troubles Dr. Cohen has
had over the years with those who insist on an informal translation of his
work, it is doubly funny.  From that beginning right through to Appendix A (a
joke) the light tone is maintained throughout, and it makes for a thoroughly
enjoyable read.

Besides being fun, though, the book is solid material.  Possibly one could
raise quibbles over certain terms or minor details, but almost nothing of
substance.  The only halfway controversial point in the book is Dr. Cohen's
continued crusade on behalf of "benevolent" viral programs.  While I agree
that the concept is worth further study, Dr. Cohen has not yet applied the
rigour of his earlier work to proofs that such programming can be guaranteed
safe or that benevolent viral programs are the best way to accomplish the
examples used.

The material in the book will be accessible to any intelligent reader,
regardless of the level of computer knowledge.  The most benefit, however,
will be to those planning data security or antiviral policies and procedures.
They will find here a thoughtful, provoking and insightful analysis.

copyright Robert M. Slade, 1994   BKSHRTVR.RVW  940329
Vancouver Institute for Research into User Security Canada V7K 2G6
Robert_Slade@sfu.ca rslade@cue.bc.ca p1@CyberStore.ca p1@arkham.wimsey.bc.ca


Rob Slade's review of "The Hacker Crackdown"

"Richard Schroeppel" <rcs@cs.arizona.edu>
Wed, 29 Jun 1994 15:03:11 MST
THC is available for downloading from Project Gutenberg for free.  Courtesy of
Bruce Sterling, who deliberately retained the electronic distribution rights.

Rich Schroeppel   rcs@cs.arizona.edu
