The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 40

Monday 12 September 1994

Contents

o Highest Quality Company Logos for Inclusion in Software
Dennis Lawrence
o German Parking Violators Accused of War Crimes
Scott Mincey
o Enola Gay: Another text substitution (from alt.folklore.urban)
Henry Troup
o More daring tales of address disasters!
Peter Ladkin
o Risks of duality in electronic media
Bob Mehlman
o Unique way to find bugs: be investigated for breaking the rules [McLaren Peugeot Formula One]
Bjorn Freeman-Benson
o Neural Redlining == Plausible Deniability ?
Fred Baube
o Reply to New indecency rules proposed for all online services
Julian Meadow
o CPSR Annual Meeting
Phil Agre
o Proceedings on Assurance and Trustworthiness
Marshall D. Abrams
o Info on RISKS (comp.risks)

Highest Quality Company Logos for Inclusion in Software

Dennis Lawrence <LAWRENCE@addvax.llnl.gov>
Wed, 7 Sep 1994 08:05 PST
I received an ad from TigerDirect, Florida, offering a set of "650
High-Quality Logos" of major corporations. The ad suggests using "these logos
in newspaper and yellow page ads, brochures and cross-promotions." It goes on
to say "all images displayed are the registered trademarks or trademarks of
their respective companies." Can be used by Macintoshes or Windows
applications.

What a wonderful gift for con artists!

-- Dennis Lawrence


German Parking Violators Accused of War Crimes

Scott_Mincey <scottm@dorsai.dorsai.org>
Sat, 10 Sep 1994 22:47:31 -0400 (edt)
Bayreuth, Germany - Three violators of the municipal parking code became war
criminals when an official entered the wrong code number. According to the
"Nordbayerischen Kurier" the three Bayreuth residents received summonses for
"Conspiracy to prepare aggressive warfare," when they should have only received
citations for parking violations. According to the paper, the official, who
had just served ten hours on the night shift, filled out the forms relating to
the minor offenses and incorrectly entered the code number of the violation.
(Deutsche Presse Agentur)


Enola Gay: Another text substitution (found in alt.folklore.urban)

"henry (h.w.) troup" <hwt@bnr.ca>
Wed, 7 Sep 1994 11:55:00 -0400
(amusing, not very new)

The Dragon De Monsyne (dragondm@netcom.com) wrote:
...
:Well, I can vouch fer it REALLY happening. In today's (Sept. 5, 1994, Final
:Edition) Northwest Herald (a local paper in the far northwest Chicago Suburbs
:(McHenry County, fer those who know where that is), on pg 3, bottom, left hand
:corner, I found this gem.

:         "Atomic bombers criticize Enola homosexual exhibit"

Nicely documented, for UL hunters.

Henry Troup - H.Troup@BNR.CA (Canada)


More daring tales of address disasters!

Peter Ladkin <Peter.Ladkin@loria.fr>
Thu, 8 Sep 1994 18:32:55 +0200
A colleague, Paul Gibson, arrived at INRIA Lorraine in France from Scotland at
the beginning of July. He set up an account with a local branch of the Banque
Populaire de Lorraine in Haussonville, a district of Villers in the Nancy
conurbation. The address on his account is that of our host, who lives in a
tiny village 75km from here. The bank put a false postal code on his address,
consequently his mail from the bank arrives either very late or, in the case
of important items such as his bankcard PIN code and checkbook, not at all (I
wonder if the important mail has a `Do Not Forward' instruction on the
envelope?).  However, whenever he notifies the branch and they check, the
correct postal code appears with his account information.  The bank employees
claim not to understand how the two addresses can be different and seem to be
at a loss to rectify the situation, even though he's been physically to see
them about it three times in the last two months.

There's an easy fix. Close the account and open another one. But there should
be an easier fix - ensure the right address. Either way, the bank lacks
effective procedures for troubleshooting. He still has no checkbook and no
functioning cash card.

Peter Ladkin


Risks of duality in electronic media

<rmehlman%grumpy.decnet@UCLASP.IGPP.UCLA.EDU>
Sat, 10 Sep 1994 14:29:50 PDT
A new teleconferencing system installed at JPL still has some bugs.
Participants are told to dial into the telecon themselves.  Two numbers are
provided: an area 818 local number, and an 800 number for distant callers.  I
dialed the local number for a NASA/Galileo project telecon which turned out to
be seriously depleted; half the expected participants, including the convener,
were missing.  Attempts to reach the convener by phone failed; the line was
always busy.  We went ahead and had our discussion anyway, only to learn later
that a dual telecon, among the people who had dialed the 800 number, had taken
place simultaneously.

This reminds me of a curiously similar situation on Telemail about ten years
ago.  A user complained of often missing important mail.  Months later,
investigation showed him to have two accounts, differing only by the appended
organization.  His default login went to one of these, but the group mail
distribution list went to the other.  About a hundred messages were there
waiting for him.  "The Black Hole of Telemail", we always called it.

Bob Mehlman, UCLA/IGPP


Unique way to find bugs: be investigated for breaking the rules

Bjorn Freeman-Benson <bnfb@ursaminor.scs.carleton.ca>
Fri, 9 Sep 94 13:04:45 EDT
Here's an interesting positive-risk (rather than negative-risk)...

The McLaren Peugeot Formula One racing team was investigated for breaking
the rule against computerized driver aids.  During the investigation, the
governing body (FIA) contracted with LDRA Ltd to decode McLaren's software
and determine if the rules were broken.  According to the press release:

   PRESS RELEASE FROM THE FEDERATION INTERNATIONALE DE L'AUTOMOBILE (FIA)

   ...lots of stuff...and then the interesting paragraph...

       The World Council noted that during the course of the
       investigation, LDRA Ltd discovered a bug (fault) in the McLaren
       software which was producing a power loss in the engine (due to a
       faulty signal from the gearbox control unit to the engine control
       unit).  McLaren will now be able to correct this problem.

   Paris 7 September 1994

Bjorn N. Freeman-Benson


Neural Redlining == Plausible Deniability ?

F.Baube[tm] <flb@flb.optiplan.fi>
Sun, 11 Sep 94 18:15:52 EET
My understanding of neural nets is hazy, so someone please correct me if I'm
way off-base.

Neural nets are being used more and more in commercial applications, for
example in evaluating mortgage applications.

It occurs to me that since the internal state of a neural net, and its
decision-making "process", is essentially opaque, a lender could depend on a
neural net to implement redlining in a manner such that, if the bank were in
fact to be accused of redlining, the bank could reply, "We don't redline, we
rely on objective computer programs to evaluate applications."

The training set for the net could itself contain redlining, and the net would
learn it.  Then the training set is discarded, and there is no proof of intent
to evade the law.

Any application receives a final yes/no from a live human being, but how easy
is it for the lending officer to let a neural net do his or her "dirty work" ?

* Fred Baube(tm)   GU/MSFS/88    baube@optiplan.fi
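
The scenario in the post above, worked as an added example (not part of the original posting): a single-neuron net trained only on past decisions reproduces the area rule baked into them, and a paired test of the trained model exposes that rule without access to the training set. The applicant data, the income threshold and all function names are constructed for illustration.

```python
# Constructed data: (income in $1000s, lives_in_redlined_area) -> past decision.
# Historical rule being imitated: approve iff income >= 50 AND area not redlined.
INCOMES = range(20, 101, 10)
HISTORY = [((inc, area), int(inc >= 50 and area == 0))
           for inc in INCOMES for area in (0, 1)]

def features(income, area):
    return (income / 100.0, float(area), 1.0)  # scaled income, area flag, bias

def train_perceptron(history, max_epochs=5000):
    """Single-neuron net trained only on past decisions; returns its weights."""
    w = [0.0, 0.0, 0.0]
    for _ in range(max_epochs):
        errors = 0
        for (income, area), approved in history:
            x = features(income, area)
            y = 1 if approved else -1
            if y * sum(wi * xi for wi, xi in zip(w, x)) <= 0:
                w = [wi + y * xi for wi, xi in zip(w, x)]
                errors += 1
        if errors == 0:  # every past decision is now reproduced
            break
    return w

def decide(w, income, area):
    return sum(wi * xi for wi, xi in zip(w, features(income, area))) > 0

def paired_audit(w, probe_incomes):
    """Black-box test: same applicant twice, only the area flag differs."""
    return [inc for inc in probe_incomes
            if decide(w, inc, 0) != decide(w, inc, 1)]

WEIGHTS = train_perceptron(HISTORY)
del HISTORY  # the training set is discarded; only the trained model remains
FLIPPED = paired_audit(WEIGHTS, [25, 35, 55, 75, 95])

if __name__ == "__main__":
    print("weights (income, area, bias):", WEIGHTS)
    print("incomes where area alone changes the decision:", FLIPPED)
```

The probe incomes are deliberately not in the training data, so the audit measures what the model generalised rather than what it memorised.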


Reply to New indecency rules proposed for all online services

Julian Meadow <jmeadow@craycom.co.nz>
Wed, 07 Sep 1994 17:17:42 +0000 (GMT)
Don't you just love it when you read about something that might happen,
happens! After reading Daniel J. Weitzner's comments about the proposed new
indecency rules, I read the following article on the front page of this
week's New Zealand COMPUTERWORLD (dated Sept 5, 1994):

INTERNET SEX GOES OFF-LINE, by Rob Hosking

    The prospect of being the target of an indecency test case has caused
Internet service provider ICONZ (Internet Company of New Zealand) to pull
its pornographic news groups and bulletin boards off line.

   "We've pumped hundreds of thousands of dollars into ICONZ and I'm not going
to see that go in a test case," says systems administrator Jon Clarke.  The
company pre-empted the impending litigation after hearing "through the
grapevine" that an Auckland religious group was planning a lawsuit following
an item on television news about the Internet.  Approximately 20 news groups
were taken off the wire, out of about 440, and only two users had complained
since their removal, says Clarke.  "To put it into some sort of perspective,
it's effectively stopped us transmitting 100Kb out of 150Mb a day," he says.

   The action would have been under the Films, Videos and Publications
Classifications Act, passed earlier this year. There is some doubt as to
whether the Internet is covered by the act, and the issue has yet to be
decided in court.

   Clarke says the material being carried is tamer than that available over
the counter in most dairies <JM comment - read cornerstore, newsagent, etc.>,
and he queries what he sees as a double standard involved.  Network users in
the US have formed a group to lobby against restrictive legislation and, with
the Howick MP Trevor Rogers' Technology and Crimes private members bill
currently before Parliament, Clarke says it could be time for the information
of such a group here.

   The material is still coming into New Zealand but is now "being put in the
great big bit bin", as far as ICONZ is concerned.  Clarke believes the
material will be available - "there are millions of sites worldwide you can go
to for this kind of stuff, the only thing is you'll have to pay for it".

<<< JM's comments follow >>>

This article raises several interesting questions:

1.  Do we really want local network providers to become our censors?

2.  How does the network provider filter 150Mb of data a day, especially
when he doesn't know what the law states is and isn't allowed?

3.  If a network provider, whilst censoring the day's 150Mb of information,
reads that a "religious group" was planning a lawsuit against him because
they didn't agree with one of his services, what should he do?

The internet provider doesn't lose either way, since as Jon Clarke points out
himself, his users just have to go further afield, and I'm sure he'll be happy
to charge for this.


CPSR Annual Meeting

Phil Agre <pagre@weber.ucsd.edu>
Tue, 6 Sep 1994 19:02:42 -0700
The 1994 CPSR Annual Meeting will be held on the weekend of October 8th and
9th at UC San Diego.  One focus of the meeting this year is teaching people
how to actually do something about computer-related Risks to privacy and
the like.  We'll have a workshop on privacy activism by Christine Harbs from
the Privacy Rights Clearinghouse and Dave Redell from CPSR's Civil Liberties
Working Group.  We'll also have a workshop on legal issues for BBS operators
from Mike Godwin of EFF, and a panel discussion on the issues that arise when
protecting privacy and intellectual freedom in various professions.  Everyone
is welcome to attend.

The Annual Meeting Web pages are now ready to go.  Just aim your Web client at
http://www.cpsr.org/dox/am/program.html and look around.  Or, if you prefer,
you can get the program and registration information from an autoresponder by
sending a message to cpsr-annmtg@cpsr.org.

Phil Agre, UCSD


Proceedings on Assurance and Trustworthiness

Marshall D. Abrams <abrams@mwunix.mitre.org>
Wed, 7 Sep 1994 10:47:43 -0500
Announcing the availability of the Proceedings of an Invitational Workshop on
Information Technology (IT) Assurance and Trustworthiness held March 21-23,
1994 at George Washington Inn, Williamsburg, Virginia.

The proceedings are available by FTP as an ASCII document from csrc.nist.gov.
The path is /pub/nistir/assure.txt. Hardcopy was published by the National
Institute of Standards and Technology numbered NISTIR 5472.

ABSTRACT

The purpose of the 1994 Invitational Workshop on Information Technology (IT)
Assurance and Trustworthiness was to identify crucial issues on assurance in
IT systems and to provide input into the development of policy guidance on
determining the type and level of assurance appropriate in a given
environment. The readers of these proceedings include those who handle
sensitive information involving national security, privacy, commercial value,
integrity, and availability.

Existing IT security policy guidance is based on computer and communications
architectures of the early 1980s.  Technological changes since that time
mandate a review and revision of policy guidance on assurance and
trustworthiness, especially since the changes encompass such technologies as
distributed systems, local area networks, the worldwide Internet,
policy-enforcing applications, and public key cryptography.

1995 WORKSHOP

A call for participation for the 1995 workshop will be available in October.
You may request a copy by sending e-mail to   witat-info@cs.umd.edu.

Marshall D. Abrams, Info Systems Security Division, The MITRE Corporation,
7525 Colshire Drive, McLean, VA 22102-3481 703.883.6938 abrams@mitre.org
