The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 43

Tues 27 September 1994

Contents

o Pretty Bad Privacy in Top-Level Negotiations
Charles Dunlop
o Re: Mexico election
Håvard Hegna
o Coyote sues Acme Co.
Luis Fernandes
o Reasoning 101, the FBI Telecom Bill, and EPIC
Jerry Leichter
Marc Rotenberg
o Please!, let's call it the "Government Wiretap Bill" !!!
Jim Warren
o The high-tech university: 500 channels, all alike
Phil Agre
o Pagers and power supplies
Laszlo Nemeth
o Marketing of science
Michael Jampel
o Power Disasters
Matthew D. Healy
o Re: Power Outage in Russia?
Arthur D. Flatau
o Questions re: security of computerized medical records
Richard Goldstein
o Network Security Observations
NSO
o Info on RISKS (comp.risks)

Pretty Bad Privacy in Top-Level Negotiations

"Charles Dunlop" <cdunlop@spruce.flint.umich.edu>
Sun, 25 Sep 1994 18:43:58 -0400
   _Business Week_ (October 3, 1994) has obtained a tape of two telephone
calls made by an aide to Jimmy Carter on September 18 during negotiations over
Haiti.  The calls were made over an unsecured radio link from Port-au-Prince
to Carter's plane -- one to a National Security Council staff person, and the
other to Carter himself.  Shown transcripts of the calls during a CNN
interview, Carter responded that he was "taken aback", and commented "Now I
see what happened to Prince Charles".

  [I guess that some public figures still haven't seen the air of their waves.]

C.E.M. Dunlop, Philosophy Department, University of Michigan, Flint
Flint, Michigan 48502-2186     (810) 762-3380     cdunlop@umich.edu


Re: Mexico election (Sullivan, RISKS-16.36)

Håvard Hegna <Havard.Hegna@nr.no>
Mon, 26 Sep 1994 09:57:15 +0100
John Sullivan quotes IFE (Federal Electoral Institute) officials who deny that
there were problems with the computer system but continue an investigation into
an apparent effort to infiltrate a computer virus into the main computer
system.

In the Norwegian newspaper Aftenposten on 26 August, the election
is reported as "a great step forward for Mexican democracy" with
a turnout of 75% of the 45 million electorate, as compared to the normal 50%.

In a report from Mexico on The Norwegian Broadcasting System (NRK) Radio
Program 2 (P2) on Saturday 27 August, Joar Hoel Larsen quotes a professor of
political science at UNAM (?), Louis Javier Garrido, who claims that the means
for rigging an election are much more sophisticated now than ever before.
With today's computers and networks one person in the right spot can easily
manipulate a whole election, something which would require an army of election
officials in the earlier primitive systems employed.

Larsen's view was that the Mexicans really wanted to make the election open
and fair this time, and had control rules on election day that bordered on the
paranoid and went a lot further than procedures that are considered quite
acceptable in for instance Norway. So there were few irregularities reported
at the voting stations. Instead, according to professor Garrido, the
manipulation was done at the electorate registry level. 7-8 mill. voters from
districts that were known to have a clear majority in opposition to the ruling
PRI party, were removed from the electorate. Not everybody, but the necessary
percentage from each such district.

The result was a normal turn-out (percentage-wise) and the normal majority in
these districts, but their influence on the totals was reduced. Resulting in
the PRI staying in power. Again according to Garrido, a serious political
independent who is not a member of the losing PRD, says Larsen.

I have seen reports of complaints on the Mexican election in various media,
but very little mention of this accusation. Has it been reported elsewhere?
Does it have any substance?

Does anybody know what kind of computerized system was used in Mexico this
time, before, during and after the election?  Any Direct Recording Equipment?

Håvard Hegna, Norwegian Computing Center, P.O. Box 114, Blindern, 0314 Oslo,
Norway (+47) 22 85 25 00/ (+47) 22 85 26 21        Fax  : (+47) 22 69 76 60
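The mechanism Garrido describes (a partial purge of the roll in opposition districts that leaves per-district turnout and vote shares looking normal while shifting the national total) can be checked arithmetically. What follows is an added example with constructed districts; it is not Mexican data and is not part of Hegna's message. The purge fraction, the district figures and the independent estimate of eligible residents used by the detection check at the end are all assumptions.

```python
"""Simulation of a registry-level purge and a check that would expose it.

Constructed data: five equal districts, 1,000,000 registered voters each,
75% turnout everywhere. Districts A and B favour the governing party,
C, D and E favour the opposition. None of this is real election data."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class District:
    name: str
    registered: int      # names on the electoral roll
    eligible: int        # independent (e.g. census) estimate of voting-age residents
    turnout: float       # fraction of registered voters who actually vote
    opp_share: float     # fraction of votes cast for the opposition


BASE = [
    District("A", 1_000_000, 1_100_000, 0.75, 0.40),
    District("B", 1_000_000, 1_100_000, 0.75, 0.40),
    District("C", 1_000_000, 1_100_000, 0.75, 0.60),
    District("D", 1_000_000, 1_100_000, 0.75, 0.60),
    District("E", 1_000_000, 1_100_000, 0.75, 0.60),
]


def tally(districts):
    """Return (per-district statistics, government total, opposition total)."""
    stats, gov_total, opp_total = {}, 0, 0
    for d in districts:
        votes = round(d.registered * d.turnout)
        opp = round(votes * d.opp_share)
        gov = votes - opp
        stats[d.name] = {
            "turnout_pct": round(100 * votes / d.registered, 1),
            "opp_pct": round(100 * opp / votes, 1),
        }
        gov_total += gov
        opp_total += opp
    return stats, gov_total, opp_total


def purge_registry(districts, fraction, threshold=0.5):
    """Remove `fraction` of the roll in districts whose opposition share exceeds
    `threshold`. Turnout and vote shares of those who remain are unchanged, so
    the per-district percentages look exactly as they did before."""
    return [
        replace(d, registered=round(d.registered * (1 - fraction)))
        if d.opp_share > threshold else d
        for d in districts
    ]


def registry_gap_flags(districts, tolerance=0.05):
    """Detection check: compare each district's roll with its independently
    estimated eligible population. A district whose registered/eligible ratio
    falls more than `tolerance` below the national ratio is flagged. Turnout
    and margin statistics alone cannot see the purge; the roll size can."""
    national = sum(d.registered for d in districts) / sum(d.eligible for d in districts)
    return {
        d.name: round(d.registered / d.eligible, 3)
        for d in districts
        if d.registered / d.eligible < national * (1 - tolerance)
    }


if __name__ == "__main__":
    purged = purge_registry(BASE, 0.35)   # assumed purge fraction
    before, after = tally(BASE), tally(purged)
    print("before: gov %d  opp %d" % before[1:])
    print("after : gov %d  opp %d" % after[1:])
    print("district C before/after:", before[0]["C"], after[0]["C"])
    print("flagged by registry gap:", registry_gap_flags(purged))
```

Running it shows the opposition winning 1,950,000 to 1,800,000 on the original roll and losing 1,477,500 to 1,485,000 after a 35% purge of C, D and E, while district C still reports 75.0% turnout and a 60.0% opposition share both times; only the registry-to-population comparison flags the three purged districts.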


Coyote sues Acme Co.

Luis Fernandes <elf@eccles.ee.ryerson.ca>
Sat, 24 Sep 1994 13:18:34 +0500
What follows is an excerpt of an article that appeared in the 26 Feb 1990
issue of "The New Yorker" magazine.

Specifically, the article is about a suit brought against Acme Company,
incorporated in Delaware, by Wile E. Coyote who lives in the Arizona Desert
and is seeking, "compensation for personal injuries, loss of business income,
and mental suffering caused as a direct result of the actions and/or gross
negligence of said company's...  mail-order department..."

The article illustrates the RISKS of operating badly documented and labeled
equipment; the RISKS of using improperly designed equipment, and the RISKS of
using equipment for unintended purposes.

This is a quote from the opening statement of Mr. Coyote's attorney:

   Mr. Coyote states that on December 13th he received of Defendant
   via parcel post one Acme Rocket Sled. The intention of Mr. Coyote
   was to use the Rocket Sled to aid him in pursuit of his prey. Upon
   receipt of the Rocket Sled Mr. Coyote removed it from its wooden
   shipping crate and, sighting his prey in the distance, activated
   the ignition. As Mr. Coyote gripped the handlebars, the Rocket Sled
   accelerated with such sudden and precipitate force as to stretch
   Mr. Coyote's fore-limbs to a length of fifty feet.  Subsequently,
   the rest of Mr. Coyote's body shot forward with a violent jolt,
   causing severe strain to his back and neck and placing him unexpectedly
   astride the Rocket Sled. Disappearing over the horizon at
   such speed as to leave a diminishing jet trail along his path, the
   Rocket Sled soon brought Mr. Coyote abreast of his prey. At that
   moment the animal he was pursuing veered sharply to the right.
   Mr. Coyote vigorously attempted to follow this maneuver but was
   unable to do so, due to poorly designed steering and a faulty or
   nonexistent braking system. Shortly thereafter, the unchecked
   progress of the Rocket Sled brought it and Mr. Coyote into
   collision with the side of a mesa.

In another incident, Coyote purchased a pair of rocket skates which, his
attorney claims, Acme sold without sufficient caveat and with "little or no
provision for passenger safety", because the design attached very powerful
jet-engines to "inadequate vehicles"; i.e. the roller-skates.

Other products, manufactured by Acme, that have caused Mr. Coyote great
anguish include: itching-powder, giant kites, Burmese tiger traps, anvils, and
two-hundred-foot-long rubber bands.

RISKS readers are advised to be cautious with products purchased from the Acme
Mail-Order Catalog and especially with explosives purchased from the Acme
Mail-Order Explosives Catalog; the explosives tend to detonate prematurely
very possibly due to the use of faulty primer-cord.

(If ever there was a candidate suitable for the role of RISKS mascot, Wile E.
Coyote is that animal.)


Reasoning 101, the FBI Telecom Bill, and EPIC

Jerry Leichter <leichter@lrw.com>
Fri, 23 Sep 94 17:59:42 EDT
Marc Rotenberg quotes a 1992 GSA report that the FBI's proposals for access
requirements to the telephone system would have an adverse impact on national
security.  He says this speaking for the "100 Reasons ... project of the
Electronic Privacy Information Center [EPIC]".

I haven't read the GSA report in question, but from context and the parts
quoted by Rotenberg, it seems clear that the particular issue concerning GSA
was one feature of the 1992 (1991?) version of the FBI proposal, which called
for the telephone companies to link to a central, government-controlled office
somewhere which would then have the ability to initiate taps anywhere without
any further assistance from the telephone companies.  The GSA was correct in
pointing out that any breach of the security of this centrally controlled
system could have serious implications.  The GSA was also not alone in
pointing out this particular risk.

This year's version of the proposal explicitly states that tapping is to be
done *by telephone company personnel*, on telephone company premises (as is
the case today).  The central tapping facility is gone.

How shall we then classify Reason 55?  A straw man attack?  An appeal to
emotion?  (For many years, "national security" was the standard justification
for almost anything the government wanted to do.  Now EPIC has appropriated
that battle cry.)  Disingenuous?  Dishonest?

At the least, if EPIC is going to quote the GSA's report, honesty requires
that they quote enough context to show what the statement is based on.  If
they're going to use an analysis of the 1992 bill, it's incumbent on *them* to
argue that analysis is applicable to the 1994 incarnation, which has undergone
substantial changes - some of them presumably a direct result of the GSA's
analysis.

In any case, proponents can as easily quote an FBI report to the effect that
*not* passing this bill would have an adverse effect on national security.
Why should one prefer the statement of one three-letter government agency over
another?  Duelling appeals to authority do not rational debate make.

    -- Jerry


Re: Jerry Leichter's response

Marc Rotenberg <rotenberg@washofc.epic.org>
Mon, 26 Sep 1994 12:51:45 EST
There is nothing in the GSA memo that supports Jerry Leichter's
interpretation.  The memo did not even mention the problems associated with
centralized monitoring. Although, it's good of Jerry to bring that up. <grin>

The memo is reprinted in full, along with accompanying materials, in Banisar
and Rotenberg, The Third CPSR Cryptography and Privacy Conference (1993).  The
memo is also available at the CPSR ftp site.  CPSR.ORG
/cpsr/privacy/communications/wiretap/gsa_wiretap_memo.txt

The GSA memo contains at least *ten* Reasons to oppose the wiretap plan
(incompatibility, impact on federal communication networks, scope of proposed
change, powers of Attorney General, national security, network security,
standards, current capability, cost effectiveness, delay in development of new
systems, international trade, associated costs, impact on new services).

We cited only one Reason  -- national security.

A story appeared in *The New York Times* when the memo was obtained (15 Jan
1993, "FBI's Proposal on Wiretaps Draws Criticism from GSA").

Quoting from the NYT article, "the GSA said the proposed legislation was
unnecessary, could hurt the nation's competitiveness in the international
trade arena, and posed a possible danger to national security."

Marc Rotenberg, EPIC


Please!, let's call it the "Government Wiretap Bill" !!!

Jim Warren <jwarren@autodesk.com>
Sun, 25 Sep 94 12:45:38 PDT
It is *much* more accurate and much more provocative to call the "digital
telephony" bill the "Government Wiretap Bill."

1.  It helps their propaganda and harms our propaganda to call it the "*FBI*
Wiretap Bill."

2.  The FBI Wiretap Bill implies that only the FBI would use its access,
whereas all the phrasing of the versions seems to include a catch-all like,
"... and as otherwise authorized by law."

3.  We need to emphasize that it's the *government* that wants the
snoop-n-peep power.

4.  We need to point out that *all* levels of government can use it, "when
authorized by law," of course.


The high-tech university: 500 channels, all alike

Phil Agre <pagre@weber.ucsd.edu>
Sun, 25 Sep 1994 20:04:33 -0700
In a recent issue of Forbes, Thomas Sowell reports that he's looking forward
to the day when market pressures require universities to distribute a large
proportion of their lectures over video.  The reference is:

  Thomas Sowell, Letting in the light, Forbes, 12 September 1994, page 98.

He anticipates many advantages of this system.  Among them, he says, is that
professors who engage in "propaganda", "pretentious mush", "strident
ideology", and "recruitment of disciples" will be caught on tape and exposed
to public censure.  Sowell is a conservative economist and these are all
obviously code-words for the expression of political views with which
conservatives disagree.  This is to be expected.

But the danger that such proposals represent is independent of your political
views.  Imagine what this new world will be like.  It will become unwise to
engage in unscripted give-and-take with students, lest an ambiguous remark be
placed in a foreign context by someone with video editing equipment and a
political axe to grind.  It will become unwise to express unpopular opinions
in lectures, and even fundamentally conformist lectures will have to be
structured as a series of soundbites, each of which will survive being edited
into arbitrarily unfriendly contexts.  University education, in other words,
will be converted into television -- 500 channels, all alike, and all subject
to the leveling force of external pressure.

These scenarios might seem paranoid, but one perfectly robust model for them
can already be found in journalism.  Substantial institutions have arisen for
harassing journalists whose articles diverge from the political views of those
who care to fund them.  Mistakes are magnified, passages are taken out of
context, and political evaluations are assembled and made available to people
whose cooperation the journalist may require to gather stories.  Of course,
these activities are all perfectly legal and covered by the First Amendment.
But they are regrettable nonetheless.

(Such practices could already be organized in universities simply through
having monitors sit in on classes and forward notes to a central organization.
This is indeed done on a small scale, but video recording would make it much
easier.)

It will be argued (and indeed, Sowell does argue) that the warnings of college
professors like me are just the self-serving obfuscations of interest groups
with something to hide.  But the consequences of such phenomena go far beyond
the university.  When work activities that were formerly conducted
face-to-face start to be mediated on a large scale by digital video and other
computerized telecommunications technologies, unless those communications are
given vastly more statutory protection than seems at all likely, the door will
be opened to greatly intensified monitoring and regulation of those activities
by anyone who has legal access to recordings of the signals.  If this happens,
we will realize how much slack we got from face-to-face interaction, and we
will be forced to look to one another to find ways of getting it back.

Phil Agre, UCSD


Pagers and power supplies

Laszlo Nemeth <laszlo@eclipse.cs.colorado.edu>
Fri, 23 Sep 1994 21:01:59 -0600
A rather humorous thing happened the other day. I was connecting up a SCSI
disk to a SPARC 10 (nice small power supply) and had powered everything off.
While leaning over the system to connect the various cables to the disk, my
pager went off in vibrate mode.

I wear my pager clipped backwards in my front jeans pocket (so the nice clear
face doesn't get scratched, it mutes the sound of the pager, and gives really
good contact when vibrating) a very tender spot on most people.

When that pager went off I had a flashback to a time when I forgot how much
power is in a Sun 4/260 power supply and decided to test it with me as the
path.

Both times I made it across the room before I knew what happened.  From
now on when a system is open, the pager is elsewhere.

laz


Marketing of science

Michael Jampel <jampel@cs.city.ac.uk>
Mon, 26 Sep 94 11:29 BST
Phil Agre <pagre@weber.ucsd.edu> asked [RISKS-16.41] (re:
uninterruptable power supplies causing power failures):

> Where do hubristic terms like "uninterruptable" come from?

They come from marketing people and sales people. Scientists and engineers
often have contempt for these people, but unfortunately their mistakes and
their hubris may lead to an anti-science back-lash.  Therefore we can't just
let them get on with it: it's not the sales people who will get the sack when
a UPS proves to be interruptible; but the whole discipline of electrical
engineering loses a little credibility. So next time an engineer says
something like ``We must not do X because it is very unsafe'', it is possible
that those who have been misled by advertisements will say ``Yeah, yeah, what
do you know.''  This is a risk (not of computers, but applying to any
technical discipline).

Phil then added:
> I've got an "inherently safe nuclear reactor" to sell you

There _is_ a difference between inherent safety and engineered safety.  And
one of the first nuclear reactors _was_ inherently safe. It was in Sweden,
called the Triga, and the opening ceremony (by Niels Bohr) consisted of
removing all the cooling rods from the core. Within a minute, the reactor had
stabilised, rather than starting to melt-down, due to the physical properties
of the materials it was made from. (The damping effect went up exponentially
with increasing temperature.)  My guess is that the reason no reactors are
like this is commercial, i.e. it didn't make as much power per dollar's worth
of uranium, not technical. Another risk when scientists allow people they hold
in contempt to do a job that doesn't interest them; the anti-nuclear power
lobby has good reasons for its views, all due to mistakes made for commercial
reasons. Possible end result: the whole world is condemned to lack of power
when the oil runs out, because nuclear power will still be considered taboo.

Michael Jampel <jampel@cs.city.ac.uk>


Power Disasters

Matthew D. Healy <healy@seviche.med.yale.edu>
24 Sep 1994 01:42:23 GMT
All the postings about various incidents in which main power and backup were
both lost serve as examples of a point often missed by risk planners: the
multiplicative probability rule only applies if the events are truly
independent.  A common mode failure can take out several "redundant" systems
at once.

It's extremely difficult to design truly redundant systems.

The O'Hare incident also seems to illustrate another point.  All I know about
this incident is what was posted to RISKS; I gather they were doing some kind
of test on the UPS.

_Chernobyl_ was a disastrous failure triggered by a test of emergency
generation capabilities!  The problem was exacerbated by numerous problems in
design and maintenance, but the trigger event was a misguided test of
generating emergency power from the main turbines as they spun down and the
diesel generators were started up.

A test is an inherently hazardous situation; various common-mode failures can
be triggered by tests.  Therefore one must be especially careful about
scheduling and running tests!

Matthew D. Healy  healy@seviche.med.yale.edu
Postdoc, Yale School of Medicine
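Healy's point about the multiplicative rule can be put in numbers. The following is an added example, not part of his message and not drawn from any of the incidents discussed: it compares the independent estimate of a double failure with a beta-factor style decomposition in which a shared cause (a UPS test procedure, common switchgear, a single fuel supply) takes both units out at once. The probabilities p_main, p_backup and q are assumed figures chosen for illustration.

```python
"""Joint failure probability with and without a common-cause term.

Assumed figures (not from any incident): main power fails with probability
p_main in a given period, the backup with p_backup, and a shared cause with
probability q removes both at once."""
import random


def both_fail_independent(p_main, p_backup):
    """Textbook multiplicative rule: valid only if the failures are independent."""
    return p_main * p_backup


def both_fail_common_cause(p_main, p_backup, q):
    """Each unit's total failure probability p_i is split into the shared cause q
    and a residual independent part r_i, with p_i = q + (1 - q) * r_i.
    Both units are down if the shared cause strikes, or if both residual
    failures happen on their own while it does not."""
    if not (0 <= q <= min(p_main, p_backup)):
        raise ValueError("q must lie in [0, min(p_main, p_backup)]")
    r_main = (p_main - q) / (1 - q)
    r_backup = (p_backup - q) / (1 - q)
    return q + (1 - q) * r_main * r_backup


def underestimate_factor(p_main, p_backup, q):
    """How far the independence assumption is off, as a ratio."""
    return both_fail_common_cause(p_main, p_backup, q) / both_fail_independent(p_main, p_backup)


def simulate(p_main, p_backup, q, trials, seed=1):
    """Monte Carlo check of the closed form, using the same decomposition."""
    rng = random.Random(seed)
    r_main = (p_main - q) / (1 - q)
    r_backup = (p_backup - q) / (1 - q)
    outages = 0
    for _ in range(trials):
        if rng.random() < q:                                   # shared cause
            outages += 1
        elif rng.random() < r_main and rng.random() < r_backup:  # two separate failures
            outages += 1
    return outages / trials


if __name__ == "__main__":
    p_main, p_backup, q = 1e-3, 1e-2, 1e-4   # assumed
    print("independent estimate :", both_fail_independent(p_main, p_backup))
    print("with common cause    :", both_fail_common_cause(p_main, p_backup, q))
    print("underestimated by    : %.1fx" % underestimate_factor(p_main, p_backup, q))
    print("simulated (400k runs):", simulate(p_main, p_backup, q, 400_000))
```

With these figures a shared cause that accounts for only a tenth of the main supply's failure probability makes the true double-failure probability roughly eleven times the independent estimate; the common-cause term dominates as soon as q exceeds p_main * p_backup, which is why "redundant" feeds sharing one test procedure or one switchgear room are so much weaker than the arithmetic suggests.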


Re: Power Outage in Russia? (RISKS-16.42)

Arthur D. Flatau <flatau@cli.com>
Mon, 26 Sep 94 11:20:28 CDT
Dave Barry (syndicated humorist) wrote an article a while back about another
similar situation in Russia.  The power to some military complex was shut off
because the bill was not paid, the officer in charge ordered a tank be driven
and parked next to the electric company building.  The business end of the
tank was pointed at the building and miraculously power was quickly restored.

The rest of the article was about the advantages of having a tank in resolving
disputes with creditors and how one acquires the tank.  The latter is done by
sending in all the credit card applications one gets in the mail, acquiring
enough credit and then charging the tank.  When the credit card companies
start demanding payments, it is easy to satisfy them because now you have a
tank.

Art  flatau@cli.com  Computational Logic, Inc.  Austin, Texas


Questions re: security of computerized medical records

Richard Goldstein <richgold@netcom.com>
Mon, 26 Sep 1994 07:56:04 -0700 (PDT)
I am a statistician and I sit on the Human Studies Committee (IRB) of a local
HMO.  I have been assigned as primary reviewer for our committee for a
recently submitted protocol dealing with security issues on the HMO's
computerized patient data base.  (Note: this may not need committee approval
under Federal rules, but it does under local rules.)  I am requesting some
help regarding issues I should be asking about and guidance on literature.

Brief explanation of project: the current computerized medical record has two
sections (I am oversimplifying some issues here, without, I hope, being
misleading): a coded section that can be searched via computer and a text
section that currently cannot be automatically searched.  The HMO has entered
into an agreement with a 'local' university (about 90 miles away) to attempt
to develop tools for exploiting clinical text data (e.g., access, search,
extract, manipulate the text portion of the record).

The process includes providing the university with example records (size of
sample not known), where the records have been 'sanitized'.  "The sanitization
process has three stages:

1. automated masking of identifiers such as addresses and
   telephone numbers in ... extract headers as created [at the HMO]
2. automated masking of medical record numbers
3. automated masking of each segment of each member's name
   everywhere these segments occur in the ... extract"

There are some known problems with this masking (e.g., regarding the
occurrence of names in the record other than that of the particular patient).
My problem is that I have no idea how much faith, trust, etc. to put into the
"automated masking" process.  Of particular help would be guidance on what
questions to ask about this process to help make decisions about whether it is
sufficient (guidance on literature would also be appreciated).

I note also that the people on the project appear to be unaware of the
possibility of identifying patients via combinations of coded information.  As
a statistician, I am aware of some of the large literature on this question,
especially with respect to Census information.  However, I am not familiar
with recent literature on this question or with computer algorithms; further,
I am not aware of any literature dealing specifically with this question for
medical records (except that I do have a copy of the 9/93 publication from the
Office of Technology Assessment entitled _Protecting Privacy in Computerized
Medical Information_; however, this is not a technical publication).

Another question relates to what we should be asking about the security of the
university computer; we have been told that the center "has implemented data
access security by granting electronic access to [HMO] data only to
researchers designated as members of the [HMO] project."  However, we have
been provided with NO details; again, what questions should we be asking and
how do we interpret the responses.

I should mention that our committee very strongly opposes any movement of HMO
data outside the HMO, but in rare circumstances we have agreed when we were
satisfied with the security situation (usually a stand-alone computer in a
room that could easily be locked).

Any help or advice would be greatly appreciated and should, preferably, be
sent directly to me at "richgold@netcom.com".  If desired, I could post a
summary of the resulting responses to this group.

Rich Goldstein
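As an added illustration (not part of Goldstein's message, and not the HMO's or the university's code), the following applies the three masking stages he quotes to a constructed clinical note, shows the known gap he mentions (names other than the patient's survive), and then measures how identifying the remaining coded fields are using the group-size ("k-anonymity") check from the statistical disclosure literature. The medical record number and telephone formats, the clinical-vocabulary stoplist and the records themselves are all assumptions.

```python
"""Three-stage masking of a constructed note, a leak check for what survives,
and a quasi-identifier uniqueness check on constructed coded fields."""
import re
from collections import Counter

# Assumed header formats; a real extract would need its own patterns.
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")
MRN_RE = re.compile(r"\bMRN[:# ]*\d{6,8}\b", re.IGNORECASE)


def mask_identifiers(text):
    """Stages 1 and 2: telephone numbers and medical record numbers."""
    return MRN_RE.sub("[MRN]", PHONE_RE.sub("[PHONE]", text))


def mask_patient_name(text, patient_name):
    """Stage 3: every segment of the member's own name, wherever it occurs."""
    for segment in patient_name.split():
        text = re.sub(r"\b%s\b" % re.escape(segment), "[NAME]", text, flags=re.IGNORECASE)
    return text


def sanitize(text, patient_name):
    return mask_patient_name(mask_identifiers(text), patient_name)


# Assumed clinical vocabulary; anything capitalised and not listed here is suspect.
CLINICAL_WORDS = {"Patient", "Phone", "Referred", "Plan", "Call", "Dr", "Seen", "Results"}


def residual_proper_nouns(text, stoplist=CLINICAL_WORDS):
    """Crude leak check on the masked output: capitalised tokens that are not
    clinical vocabulary. Relatives' and clinicians' names show up here because
    stage 3 only knows the patient's own name."""
    return sorted({t for t in re.findall(r"\b[A-Z][a-z]+\b", text) if t not in stoplist})


NOTE = (  # constructed, not a real record
    "Patient: Maria Lopez   MRN: 0042117   Phone: (510) 555-0134\n"
    "Maria Lopez, 67F, seen with daughter Ana Garcia. Referred by Dr. Patel.\n"
    "Lopez reports chest pain. Plan: stress test. Call 510-555-0199 with results."
)

CODED = [  # constructed coded fields that the masking stages leave untouched
    {"id": 1, "zip": "94110", "birth_year": 1927, "sex": "F", "dx": "angina"},
    {"id": 2, "zip": "94110", "birth_year": 1927, "sex": "F", "dx": "asthma"},
    {"id": 3, "zip": "94110", "birth_year": 1931, "sex": "M", "dx": "HIV"},
    {"id": 4, "zip": "94114", "birth_year": 1955, "sex": "M", "dx": "asthma"},
    {"id": 5, "zip": "94114", "birth_year": 1958, "sex": "F", "dx": "depression"},
    {"id": 6, "zip": "94114", "birth_year": 1955, "sex": "M", "dx": "angina"},
]


def equivalence_classes(records, quasi_identifiers):
    """Count records per combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Smallest group sharing the same quasi-identifier values. k == 1 means at
    least one patient is unique on those fields alone and can be matched to an
    outside list (voter roll, employer file) that carries the same fields."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def singletons(records, quasi_identifiers):
    classes = equivalence_classes(records, quasi_identifiers)
    return [r["id"] for r in records if classes[tuple(r[q] for q in quasi_identifiers)] == 1]


def generalize(record, zip_digits=3, year_band=20):
    """Coarsen quasi-identifiers (3-digit ZIP, 20-year birth band) so that more
    records share each combination; the price is analytic precision."""
    g = dict(record)
    g["zip"] = record["zip"][:zip_digits]
    g["birth_year"] = record["birth_year"] // year_band * year_band
    return g


if __name__ == "__main__":
    clean = sanitize(NOTE, "Maria Lopez")
    print(clean)
    print("survived masking:", residual_proper_nouns(clean))
    qi = ("zip", "birth_year", "sex")
    print("k on raw coded fields:", k_anonymity(CODED, qi), "unique ids:", singletons(CODED, qi))
    print("k after generalizing :", k_anonymity([generalize(r) for r in CODED], ("zip", "birth_year")))
```

On the constructed note every occurrence of "Maria" and "Lopez", the MRN and both telephone numbers are masked, yet "Ana Garcia" and "Dr. Patel" pass through unchanged, which is exactly the known gap in a name-list approach. On the coded fields, ZIP plus birth year plus sex leaves two of the six records unique (k = 1) even though no name is present; only after coarsening to three-digit ZIP and a twenty-year birth band does every record share its combination with two others. These are the two questions to put to the project: what does the masking do with names it was not given, and what is the smallest group size on the coded fields that leave the building.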


Network Security Observations

Network Security Observations <NSO@delphi.com>
Tue, 27 Sep 1994 05:21:00 -0400 (EDT)
The inaugural issue of NETWORK SECURITY OBSERVATIONS will be out in November
1994. NETWORK SECURITY OBSERVATIONS is expected to be the leading
international journal on computer network security for the science, research
and professional community.  Every annual volume contains five issues, each
offering ample space for vigorously reviewed academic and research papers of
significant and lasting importance, and a wealth of other network security
information, including security patches and other technical information
supplied by manufacturers, related governmental documents (international),
discussions about ethics and privacy aspects, the Clipper chip and other
cryptologic issues, viruses, privacy enhanced mail, protocols, harmonization
of computer security evaluation criteria, information security management,
access management, transborder data flow, EDI security, risk analysis, trusted
systems, mission critical applications, integrity issues, computer abuse and
computer crime, etc. etc.

If and when appropriate, reports of major international conferences, congresses
and seminars will be included, as well as information made available by
governments, agencies, and international and supranational organizations.
Network Security Observations is published in the English language, and
distributed Worldwide. The publication does NOT feature commercial
announcements. National and international organizers of dedicated conferences,
etc. can offer calls for papers and invitations to participate. Relevant
posting from other publishers announcing new relevant books, etc are welcomed
as well.

NETWORK SECURITY OBSERVATIONS provides the in depth and detailed look that is
essential for the network system operator, network system administrator, edp
auditor, legal counsel, computer science researcher, network security manager,
product developer, forensic data expert, legislator, public prosecutor, etc.,
including the wide range of specialists in the intelligence community, the
investigative branches and the military, the financial services industry and
the banking community, the public services, the telecom industry and the
computer industry itself.

Subscription applications by email or fax before November 1, 1994 are entitled
to a special rebated subscription rate.  Special academic/educational
discounts, and rebates for governmental personnel, and other special groups,
are available upon request.  Network Security Observations is a not-for-profit
journal, and therefore we are sorry to reject requests for trial orders.

For further information please contact:
by email>     NSO@delphi.com
Or by fax>    +1 202 429 9574
Or alternatively you can write to:
Network Security Observations, Suite 400, 1825 I Street, NW
Washington DC, 20006, United States
