The RISKS Digest
Volume 16 Issue 44

Thursday, 29th September 1994

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Re: Neural Redlining == Plausible Deniability ?
Jim Horning on Brian Randell
Response to various comments on Internet Security
Winn Schwartau
Present Internet Security
George Thornton
Re: Mexico election
Alex Lopez-Ortiz
Re: Uninterruptables
Phil Agre
Martyn Thomas
Safety issues with Screen Savers
Rich Baker
Re: Phil Agre on high-tech university
Robert Ashcroft
Re: Neural networks and testing
Fred Cohen
Re: Yet More daring tales of address disasters!
Dan Fass
Andrew Marc Greene
Steve Summit
Jan Mandel
Jonathan I. Kamens
Mike Crawford
Chris Smith
Paul Robinson
Michael Jampel
Privacy & American Business conference in DC next week
Lance J. Hoffman
Info on RISKS (comp.risks)

Re: Neural Redlining == Plausible Deniability ? (RISKS-16.40)

Mon, 26 Sep 94 17:40:08 -0700
Brian Randell's posts to early volumes of RISKS about the St. George's medical
school scandal are quite pertinent here.  They are well worth re-reading in
their entirety from the RISKS archives (RISKS-4.27 and 6.34).  I give only
the highlights here:

"Leading medical schools face an investigation into allegations that they
are discriminating against women and black students.  This follows the
discovery by two consultants that their own school, St. George's in south
London, has been using a computer selection programme which deliberately
down grades applicants if they are female and non-white...

"The St. George's claim is particularly worrying because the school has a
better record on discrimination than most other colleges.  The computer
selection programme was designed to mimic the decisions of the school's
panel which screened applicants to see who merited an interview.  It
matched the panel's results so closely that the panel was scrapped and for
several years all St. george's applicants have been screened by computer...

"St George's was caught, officials admit, only because the attitudes of its
selectors in years gone by were enshrined in a computer program: that program
deliberately downgraded non-Caucasians and women...

"Being non-Caucasian, and or a women, resulted in a lower grade on the
interview scale: simply having a non-European name could take 15 points off
an applicant's score. Sex had less effect: on average, being female took no
more than three points off the score.  That was enough, the Commission
found in its investigation, to deprive 60 candidates a year of the
interviews for which they should have qualified...

"In fact, since the program mimicked the previous human assessors, it is
probable that discrimination occurred before the program was introduced, the
report says...

"In November 1986, Dr Collier discovered, by accident, that the program was
weighted. He wrote to the dean.  Dr West asked Mr Evans to run a few cases
through the program.  When he saw the effect, he immediately stopped its

Jim H.

Response to various comments on Internet Security (RISKS-16.42)

"Winn Schwartau" <>
Thu, 29 Sep 94 11:53:25 -0500
   [MODERATOR'S NOTE: I have omitted several of the flames that attacked
   Winn for the perceived high hype of his press-conference note in
   RISKS-16.42.  I ran his message because I know enough about the underlying
   technology to have some significant hope that the system will do something
   useful.  But excessive hype always tends to be offputting.  PGN]

We understand a handful of RISKS readers wanted to know the sources of some
fascinating data we recently published in a Press Conference announcement.
Here goes.

The 85-97% figure came from Jim Settle, former Head of the Computer Crime
Squad, FBI.  These are the figures he cited on "Under Scrutiny," an FX channel
(Fox network) TV show where he appeared with Robert Steele of Open Source
Solutions and Chris Goggans, 'national resource hacker.' One government study
he mentioned cites the higher figure of 97% of all computer intrusions go
undetected.  Settle also said that the experience of the FBI Computer Crime
Squad is in excess of 85% computer intrusions go undetected.

The million plus computer breakins figure came from USA Research as reported
by Information Week.  The industrial espionage figure is from Parvus and
Assoc. - an international Private Investigation company who specialize in high
tech commercial espionage - and ASIS, American Society for Industrial Security
representing the findings of a study into this area: (The figures are for 1985
through 1991.)

     * Foreign sponsored information theft is up 400%
     * US sponsored industrial espionage is up 260%

According to the Washington Post, as of April 1993, the industrial espionage
case load of the FBI was up a whopping 500%!

The billions of dollars that espionage costs the US econotechnical
infrastructure is well documented in Schwartau's book, "Information Warfare:
Chaos on the Electronic Superhighway," available anywhere. Take a read.

We hope this settles any misunderstandings on the part of RISKS readers.

Kevin Sorensen, Secure Computing, Inc.
Winn Schwartau, Interpact, Inc. P00506@Psilink.Com

   [Winn's message actually said "Information Warefare", which is sort
   of a nice pun, but he meant to write "Information Warfare".  PGN]

Present Internet Security

George Thornton <>
Wed, 28 Sep 1994 12:15:25 GMT
I noticed RISKS-16.42 contained the announcement for Internet security, and
thus wish to append my own such annoucement.  Not to upstage such a fine
organization but such solutions to internet security already exist, have been
announced, are shipping, and will be discussed in full at the Federal
Smartcard Users Group at The Smartcard Forum.

                The "Present" of Internet is Secure!
        The Role of SmartCARDS in the Era of Network Security And NII
                  A Shrink-Wrapped Solution Strategy
               Ray Hanner, V-ONE Corporation, Rockville Md

                           Also Presenting
               Platform Issues of Smartcard Implementation
                    Institutional Solution Strategy
            Avi Zahavi, ATT Smart Card Division, Highland Park, NJ

On Sept. 27-28, Tyson Ritz Carlton Hotel, 1700 Tysons Blvd., Mclean, Virginia

Voice 301-881-2297 Fax 301-881-5377

Re: Mexico election (Sullivan, RISKS-16.36)

Alex Lopez-Ortiz <>
Tue, 27 Sep 1994 19:16:36 -0400
>... according to professor Garrido, the manipulation was done at the
>electorate registry level. 7-8 mill. voters from districts that were known
>to have a clear majority in opposition to the ruling PRI party, were removed
>from the electorate. ...

This technique is known as "shaving" the voter's list. It is one of many
techniques allegedly used by the ruling party to rig the elections.  How many
voters were shaved is anybody's guess. Estimates have ranged from 2-4% to 25%.

On the eight million figure, the minister of the interior declared:

  Luckily they [the PRD] came up with a ridiculous large figure for
  shaved voters. This places their claims in the realm of the absurd.

It should be said that the minister of the Interior, which is in charge
of the election procedure, is a noted academic known for his political
independence and does not belong to the ruling party.

>I have seen reports of complaints on the Mexican election in various media,
>but very little mention of this accusation. Has it been reported elsewhere?

The Wall Street Journal and/or the Washington Post explained several
known schemes for rigging the election, including shaving, the "taco"
(a roll or premarked electoral ballots inserted by a voter), and
the "carousel" (voters go around and around voting time and time again).

>Does it have any substance?

The eight million figure certainly not.

Were there some shaved voters?  Yes.

How many?  According to audits commissioned by the government and performed by
independent national and internacional firms, about 2-4% of the voters had
taken the steps to register but did not appear in the lists.

It is _not_ known how many of those are due to administrative errors (such as
entering and incorrect address and having the voter appear in an incorrect
voting station) and how many are intentional.

>Does anybody know what kind of computerized system was used in Mexico this
>time, before, during and after the election?

There are no systems used during the election. All the voting is a manual
process done in see-through ballot boxes (to avoid pre-stuffing them with

After the election, a series of Tandem systems were used. The government has
refused to make details specific, according to "security considerations".
From declarations by election officials, it seems that the central system is
connected to computers in each state and that elections results were
transferred electronically, and later verified manually.

Alex Lopez-Ortiz, Computer Science Dept, University of Waterloo, Waterloo,
Ontario Canada

Re: Uninterruptables (RISKS-16.41)

Phil Agre <>
Tue, 27 Sep 1994 15:35:40 -0700
My note about uninterruptable power supplies in RISKS-16.41 brought quite a
bit of interesting correspondence.  Most of it asserted (with no more evidence
than I presented in my own note) that phrases like "uninterruptable power
systems" come from sales and marketing people.  This might be, but it doesn't
explain why technical people go along with them.  They must accept that it's
reasonable to call something "uninterruptable" if it prevents one particular
failure mode, regardless of any others.  This would be like calling a child's
toy "unbreakable" if it cannot be broken by being chewed on, even though it
shatters into long, sharp needles when used to pry something open.  The point
is not to discredit electrical engineering, which brings many benefits to
society, but simply to encourage broader systems thinking and more rigorous
truth in labeling.

The same thing goes for "inherently safe nuclear reactors".  I'm sure that
such reactors can pass coolant-loss tests, but that's only one of the many
dangers from nuclear power.  This probably isn't the place to argue the merits
of nuclear power in general, but I do think that the analogy between these two
cases of misleading terminology is strong.  In each case, absolute statements
are made based on the defeat of single failure modes that can be represented
within a narrowly technical definition of the system's operation.

Phil Agre, UCSD

uninterruptable thought patterns

Martyn Thomas <>
Wed, 28 Sep 1994 10:27:44 +0100 (BST)
My least favourite tendentious phrase is "incredible accident" for the low
probability incidents in the analysis of system hazards. I first met it in
the nuclear industry, but it's more widespread than that.

      Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel:    +44-225-444700.   Email:     Fax: +44-225-465205

Safety issues with Screen Savers

Rich Baker <>
Sat, 24 Sep 94 22:36:31 EDT
I am doing some research on Safety issues concerned with Screen Savers.  Do
you know of any incidents that have been caused by Screen Savers masking out
critical information on a screen or on the reactivation of a screen saver
causing inadvertent actions in an application?

Richard Baker, Modicon, Inc., North Andover, MA   508-975-9789

Phil Agre on high-tech university

Robert Ashcroft <rna@sphinx.Stanford.EDU>
Tue, 27 Sep 1994 22:22:46 -0700
> ...  Substantial institutions have arisen for
>harassing journalists whose articles diverge from the political views of those
>who care to fund them.  ...

Anyone with even a passing acquaintance with universities realizes that
this already happens internally at universities.  Even at the Graduate
School of Business at Stanford, there is a problem with at least the
perception of a "party line" over which it is not safe to step (regularly
bemoaned in the school newspaper, in case anyone cares to check).

At the most, video of university lecture just enlarges the group that
decides, through whatever mechanism, what is the "party line".  It's
not clear that one group's decision is any better than another's.

In fact I have serious doubts about two parts of Agre's scenario:

1) That many lectures will in fact be found interesting (or lucrative)
enough to bother broadcasting, outside of technical subjects like EE,
which are not subject to these kinds of controversy.  Face it, a heck
of a lot of stuff that goes on at a university is just plain boring to
the vast majority of folks.

2) In the event that any "radical" is caught in such a thing as the above,
s/he is more likely to be delighted by the attention.  Supposing the
professor has tenure (and few professors stick out their necks before
achieving this status) s/he is is perfectly safe from retribution, and
is more likely to leverage their new-found notoriety, a la Rush Limbaugh.
Imagine, everyone tuning into your lecture every week to hear your latest
pronouncements.  It's every professor's dream.

A new media star is born, the University makes a bundle selling off the
lecture broadcasts to HBO, and everyone goes home happy.


Re: Neural networks and testing (Re: RISKS-16.42)

Mon, 26 Sep 1994 06:30:05 -0400
Peter Denning suggested that we could test away the uncertainty with
neural networks, however, doing a complete test is infeasible for all
but the simplest systems, and not doing a complete test leaves the
possibility that an unlikely (i.e., low enough probability that it was
not worth testing) chain of events will cause catastrophic results.
Recent research has shown that even the best tested systems fail under
the combination of only two unlikely events a lot of the time.  In a
random world, this is perhaps good enough, but in a world with malicious
attackers, testing neural networks will simply not do.

Re: Yet More daring tales of address disasters! (Risks 16.42)

Dan Fass <>
Mon, 26 Sep 1994 15:21:26 -0700
I doubt I'm the only person to point this out, but Charles Reichley's proposal
does not deal with the problem you posed.  If the acknowledgement is sent to
both the old and new addresses, and if a bogus Change of Address form had been
previously sent to the local Post Office, then the acknowledgement sent to the
old address is forwarded to the imposter.

- Dan Fass

     [Also noted in one form or another by
         Barry Jaspan <>,
         Ping Huang <pshuang@MIT.EDU>, who notes that
           Fidelity Investments notifies both OLD and NEW addresses,
           and suggests phone verification as well (although call
           forwarding can also be spoofed),
         Jim Hiller <>, who adds
           "As with any trusted distribution system, I submit that,
           once the reference monitor (the PO in this case) is hosed,
           it's all over."
     I am probably overly permissive in letting the following bunch
     through, because the topic is marginal to begin with, but I am
     feeling tolerant today.  STOP NOW if you have already had enough.  PGN]

Re: Yet More daring tales of address disasters!

Sun, 25 Sep 1994 10:57 -0400
  [Regarding sending notification to OLD and NEW addresses:]

But this won't solve the problem unless the one sent to the old address says
"DO NOT FORWARD" — and even then the post office will probably simply return
it to sender regardless of whether the change-of-address form was legit or not.

- Andrew

  [Yes, human fallibility is also a problem.  Evidently, my postperson does
  not read English very well, but has less trouble with numbers.  I get some
  mail for several other blocks in my area for houses with the same street
  number, and they get mine.  PGN]

Re: Yet More daring tales of address disasters! (RISKS 16.42)

Steve Summit <>
Sat, 24 Sep 1994 14:10:11 -0700
I'm not sure how safe it is to assume that an acknowledgement mailed to the
old address will be forwarded; I for one am seriously considering *not*
notifying the Post Office the next time I move, since filling out one of their
change-of-address forms automatically gets you lots of new junk mail.
(Evidently the U.S. Postal Service refuses not to sell the recently-moved
address lists, as they're a money-maker and the USPS is chronically strapped
for cash.)  [...]

Steve Summit

Re: Address disasters

Jan Mandel <>
24 Sep 1994 19:06:06 -0600
Assume for privacy sake one will want to move _without_ leaving a forwarding
address, and notify all that one does business with about the new address.
In that case the practice to send the acknowledgement to the old address will
backfire. And of course, try to tell that to the companies you do business
with, when their computers are programmed that way.

Forwarding by US Mail does create serious privacy issues.  I hear that the
Post Office stopped/will stop giving the new address to anyone. That's good.
But the PO will give your address to anyone who sends you a letter after one
year but before the record expires; the letter is sent back to sender with a
big yellow sticker with your new address on it...

Jan Mandel, Center for Computational Math, University of Colorado at Denver

Authentication of changes of address (Re: Postal address disasters)

"Jonathan I. Kamens" <>
Sun, 25 Sep 1994 10:55:50 -0400
Six months or so ago, my father went to the post office to put a temporary
hold on his mail because he was going on vacation, and the clerk he spoke to
said something to the effect of, "Now, when you say on this form that you want
your mail to start being delivered on date <x>, you really mean that you want
it to start being forwarded to your new address, right?"

Puzzled, my father responded, "What new address?"

The clerk responded, "The address you sent us on your change-of-address card."

My father hadn't sent in a change-of-address card.  Subsequent investigation
(and a number of interviews with the postmaster at that post office) revealed
that someone had sent a fraudulent change-of-address card in my parents' name
to the post office, forwarding their mail to a non-existent address in
California.  The card was sent from another state.  it seems unlikely that
whoever sent it will ever be caught.

Fortunately, the deception was detected before they started forwarding the
mail, because of the coincidence of the timing of my father's visit to the
post office.  If he hadn't gone in to put a hold on his mail, the post office
would have happily started forwarding it with no questions asked.

Obviously, the problem here is that there was no authentication whatsoever of
the change of address.  Admittedly, the post office does send a
change-of-address kit to anyone who files a card, but if the card asks for the
forwarding to begin immediately, it will start happening quite a while before
the kit arrives.  And the kit will be forwarded to the new address, which
doesn't do much good if it's a fake!

Even something simple like delivering a confirmation card to any address that
requests a change of address, and requiring that it be filled out and returned
before processing the change, would be a huge improvement over the current
system.  Who knows why the post office doesn't do this.

Jonathan Kamens  |  OpenVision Technologies, Inc.  |

Re: Yet More daring tales of address disasters!

Mike Crawford <>
Fri, 23 Sep 1994 19:52:22 -0700
The California Legislature recently passed a bill forbidding prison inmates
from changing their names without the permission of the prison warden.  It
seems that a "resident" of Pelican Bay state pen, reputedly the state's
toughest prison, changed his name to that of the ex-husband of a woman who
had accused him of molesting her daughter.  The fellow succeeding in changing
this woman's postal address to his prison address so he could read all her
mail, and I believe he even obtained her credit record!

This went on despite her complaints until the San Francisco Chronicle ran
a full page article detailing this fellow's activities.

Apparently the prison had tried to punish him further, but they could not stop
him from sending mail.  Now mail from California prisons is stamped with the
name of the prison so that the recipient can get a clue to be suspicious.

Mike Crawford

Mail Forwarding must have been purchased by addressee

Chris Smith <>
Sun, 25 Sep 1994 18:23:46 -0400 (EDT)
Depending on such a feature can be a RISK, since Canada Post treats
such a service as an additional-cost item. It is purchased ahead of time,
and for a certain period of service. If the addressee is not aware that
a change of address notification will be mailed to the old address, they
may not bother purchasing the service.

Of course, during a recent move, the "guy in charge of putting the
stickers on the P.O. boxes didn't trust his stand-in, so he didn't leave
instructions to do it" — and we had no mail forwarded for 10 days.

An additional RISK? Beware of internal processes that extract an address and
*use* it two months later! A recent, automatic credit-card replacement didn't
get to us because (1) it depended on an address taken from the database 2
weeks before we moved, but not used until 6 weeks *after* we moved, and (2)
for security, it was sent via a courier — who does not have access to the
mail-forward info, even if you *have* purchased the service.

Chris Smith  <>

Re: Yet More daring tales of address disasters!

Paul Robinson <>
Mon, 26 Sep 1994 04:34:34 -0500 (EST)
[...]  By sending the confirmation to the *old* address, it warns the person
who owns the stock that their address is being changed, *in the event the
change is fraudulent*.  If that confirmation is sent with a signature required
and a do not forward order on it, it provides excellent protection to the
original owner that the change of address is not fraudulent.

Realize that for most stock, ownership includes certain benefits including
right to vote at the stockholders meeting, and something important to a lot of
people, dividend checks.

Because of laws on the right of stockholders to submit candidates for the
board of directors, just about anyone, and certainly anyone who owns even one
share of stock in the company, has the right to obtain a list of every
stockholder in the company including their name and address (in order to
solicit them to support a new board of directors and to solicit them for
proxies for their vote).  This was common practice for doing a hostile or
friendly takeover before Michael Milken got the idea of selling bonds and
buying a company instead of simply getting the owners of a company to fire the
board of directors via proxy fights.

Now imagine what happens if someone decides to get the list of stockholders
and sends in fake change of address requests during the week just before the
dividend checks are issued, for the top five largest individual stockholders.
If the acknowledgement of change of address is sent to the new address, the
stockholder would never know that someone had changed their address.  Who pays
for it if someone then forges the signature of the recipients and cashes
thousands or tens of thousands of dollars in dividend checks?

Re: address disasters

Michael Jampel <>
Mon, 26 Sep 94 11:34 BST
Douglas Adams, author of Hitch-Hiker's Guide to the Galaxy, created a computer
game called Bureaucracy, the aim of which was to get a company to acknowledge
a change of address card. (They insisted you inform them of changes of address
on an official form, which they were happy to send to the old address.) At one
stage you had to get a green form in order to get a red form, but in order to
get a red form you needed a yellow form. guess why you needed a green form in
the first place?

Anyway, the game is good, in an infuriating way.

Michael Jampel <>

Privacy & American Business conference in DC next week

"Lance J. Hoffman" <>
Wed, 28 Sep 1994 12:00:39 -0400 (EDT)
"Managing the Privacy Revolution" Oct. 4-5, 1994 Features
Top Privacy Experts in Landmark Washington Conference

 Fifty leading privacy experts from the administration, federal and state
government, the business community, public interest and advocacy groups,
corporate legal representatives, telecommunications, the academic and policy
community, national industry associations, the media, and survey research
will participate in "Managing the Privacy Revolution," the first annual
business/privacy conference sponsored by Privacy & American Business, October
4-5, 1994 at Loews L'Enfant Plaza Hotel, Washington, D.C. (Program, speakers,
and P&AB information attached)
 The conference will also offer the first look at a new P&AB/Louis Harris
survey on the Consumer, Interactive Services, and Privacy.
 Geared to assist those who handle personal information about consumers,
clients and employees, the conference is expected to attract those who manage
information privacy issues  and policy in consumer credit,
telecommunications, banking credit cards, employment, life/health/ property
insurance, health care, telemessaging, direct marketing and medical records.
 The conference will lay out the sweeping political, legal, and technological
changes affecting the way every U.S. business will handle personal customer
and employee  information in the future and will  provide a forum for
addressing the changes.
 The $595 registration fee for the two day conference includes all sessions,
private time with speakers, interaction with fellow conferees, cocktail party
and buffet reception, two banquet luncheons, two continental breakfasts,
three refreshment breaks.  Also a Washington Legislative Briefing Book, a
Handbook of Company Privacy Codes, a specially prepared 35-page book of
Highlights from 1994 Louis Harris Privacy Surveys and a six-month trial
subscription to Privacy & American Business (or a six month renewal of an
existing subscription). Special rates for nonprofit organizations, multiple
registrations, and a $100 Early Bird registration discount are available.
  For further conference information, call P&AB,  201-996-1154 or fax

Please report problems with the web pages to the maintainer