Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
With the recent change back from daylight savings time, we can always expect the usual havoc caused by lousy operating systems that aren't smart enough to know how to switch time automatically. Of course, this issue has been discussed here before, so what happens at this location here may or may not be of particularly exciting news. Anyway, there is a card-key system that locks up a certain development facility between 5pm amd 8am. The system is run by one of the aforementioned lousy operating systems that is not smart enough to change the time automatically. So, for a few days each fall the facility is unlocked and locked early, and for a few days each spring the opposite occurs; until somebody bothers to report it to the right person who has control over the system. I'm not sure which is worse — the security risk of having an unlocked facility, or the annoyance factor in being unable to get into the building without the right key-card. Fortunately, most of the systems I have to deal with are Unix boxes, which do set the time correctly. I wonder why other operating systems are so far behind? L. Scott Emmons, U.S. Computer Services/CableData R&D Center (916) 939-6088 scotte@center.uscs.com
About two months ago I reserved a book at my local library. The library has gone electronic in its reservation system. You reserve a book, and when your turn to receive it comes due a computer dials your home phone number. If an answer occurs, it assumes you heard the message; if you do not pick up the book in three days, you are fined $2.00. Basically, this is what happened to me. Their computer called my number and the phone went off hook, starting the meter running. For some reason my answering machine did not pick up the message (I have an answering machine and a fax modem hanging off the same line, but the fax modem is outgoing only). The RISK here is obvious, and I consider it nontrivial. The librarian insisted that the "system" is "reliable" and "almost always" works. Well, my knowledge of datacomm says that if it does not always work it is not reliable, and that they are fining people based on an assumption that the message was received. What's scary was the attitude of the librarian. Because she was told by someone that the system works, she insisted that I had received the call. I asked her for proof of that and she said that "the system said you got the call, it must be true". My attempt to describe the essence of data communications and reliable communication fell on deaf ears, and she refused to give me the name of her superior because "the system works and nobody should complain about it." Well, I am. I know that it is only two bucks, but the implications that arise from misuse or overly trusting such a system are worrysome. What if the government started issuing parking tickets or summonses in this manner, or banks warning you of surcharges on financial transactions? What if my wife answered the phone and the book was "how to handle infidelity in you marriage" :) (it wasn't). So how do you handle two things: [One] An unreliable delivery system being assumed to be reliable. [Two] People placing trust in such a system. Michael Slavitch, Software Design & Analysis Consultant, assigned to: Bell SYGMA, Suite 250, 150 Elgin St., Ottawa, Ontario K2P 2C4, (613) 781-9824
Troubles with Tele-Phoney Systems
Getting a wrong-number call in the middle of the night from another
human can be irritating. We may hope that future telephone numbers
incorporate a check digit to reduce these errors, but I doubt they will.
But let us first look at our "Telephone Neighborhood". Do you have
any idea who or what exists in the 62 or so valid telephone numbers only
a slip of the digit away from yours? (Area codes brings it up to about
80, but they are less often dialed. Another problem.) Apparently I
have several interesting entities in my telephone neighborhood. And with
most calls being dialed by embedded microprocessors and computers these
days...
What prompts this observation? Funny you should ask that...
On Friday, after the close of business for the weekend, (as in, when
else?!) I began receiving a strange series of persistent wrong number calls
from one gentleman in my area code. As I answered, I would hear the
"musique de telephon" of another ten-digit number being dialed. Although
apologetic, the caller insisted he was trying to reach several very
different numbers in two adjacent area codes. Soon others joined him in
reaching out and touching me with a number of different touchy toney loony
tunes, complaining that I was not the party of their choice; then retrying
the process with more diligence, and sometimes more stridence. But no
matter the area code or number they dialed, they all rang my phone.
Some investigation on my part revealed they all originated from the
same place, an apartment complex in a nearby city with a new PBX (Private
Branch Exchange,) telephone system. To save the dwellers money, (or to
line their coffers some more,) management had contracted with a private
(discount) telephone and cable company called "Western Telephone and
Television" (WTT) for a PBX with a feature called "least cost call
routing." The physical PBX is a 6 x 4 x 2.5-foot box containing twin
680x0 processors for redundancy, each with its own hard drive, and each
running a proprietary operating system called CORTELCO. The box can
handle up to 500 telephone lines, although only approximately 300 lines
were hooked up at that particular site.
Under normal circumstances, this PBX is programmed to quietly intercept
the dialed number, dial a five-digit access code (a 10-xxx number) on one of
several outgoing lines, and when the access number goes off hook (answers),
echo the number that the customer dialed; whereupon the long distance
service provider takes over. However at this particular location, a
five-digit access code was not available, and so a full seven-digit access
code had to be used. In other words, the system simply forwarded all calls
to another ordinary-looking phone number. Unfortunately, the technician
inadvertently entered _my_ phone number while correcting a previously(!)
erroneous number.
Hence, all long distance calls placed from that apartment complex
rang through to my number starting at 6pm Friday evening.
This prompts some interesting observations:
1. No caller ID is transmitted with the call,
2. There is no handshaking between PBX and the service provider.
3. Audio is immediately enabled upon completion of number dialed.
Speculations:
1. All accounting probably resides in the PBX
2. Most billing info and programming is done via modem.
3. Anyone with the seven digit access code...
...has unlimited free telephone service.
Kind of makes you wonder what the fraud rate is in this industry, and how
much is added to the average telephone bill to offset it. (No, I did not ask
what number the computers were trying to call or I'd be their prime suspect!)
Of course, once awakened, Murphy did not stop there. WTT's emergency
pager number had been _Disconnected_. Nor could Pacific Bell Information
find any local phone number for WTT. When I finally got the correct number
from the apartment manager and called WTT, their automated attendant / voice
mail system kept telling me to dial 0 for their operator (receptionist),
then complained this and other automatically suggested extension numbers,
were not valid. Whereupon the default error message, of course, again
instructed me to dial 0 for the operator. (This kind of looping appears
rather common in corporate automated attendant systems.) Eventually some
error count was exceeded and at least _this_ computer had the sense to hang up.
The RISK of not checking your telephony systems for message loops, old
numbers, etc. is looking like a corporation of idiots. Not to mention a
telephone company not having a publicly listed telephone number! [I think
we now might understand WHY! PGN]
(My favorite ploy in the case of such loops and lockouts, is to look
for a Smith or Jones in their audio telephone directory, and inform him that
his company is losing thousands of dollars in sales because the telephone
system will not let callers speak to a human being; then ask he pass my
number on to an appropriate party. Few ever bother. They must think it's
not their job to help their company be profitable.)
Finally, The local Bell Systems affiliate repair service (good old
611) told me that the RISK of harassing innocent telephone subscribers, as
they agreed WTT's automated equipment was clearly doing, was having
telephone service to their equipment, and thus the entire apartment
complex, disconnected. (Probably by Monday...)
But of course, Murphy being who he is, Repair could do nothing right
now. And in retrospect, they really could not do much. Repair directed me
to several different Pacific Bell departments, each with its own 800 number,
but all of which had an identical automated voice issuing identical
instructions. The RISK of using identical messages (computer voice
screens?) is having customers think they are reaching the SAME number. For
all I know, I may have been! Eventually, the chain of "if you have... then
call 1-800-..." messages, which are heard after one finds one's situation is
not on the menu, reached a recorded message informing me to call the local
police to handle the situation.
Is the RISK of having electronic equipment becoming deranged, with no
obvious "OFF" switch, having it SHOT by law enforcement officials?
Something equipment designers really ought to think about!
After numerous complaint calls to the apartment manager, WTT, and
Pacific Bell by apartment residents, Pacific Bell, the apartment manager,
and myself, a WTT technician entered another set of access codes into the
system. The calls ceased shortly before noon, Saturday. I received a long
and very apologetic call from the technician. We ended up discussing the
operational details of the PBX. The technician also checked the voice-mail
looping problem and reports they will have to completely reconfigure their
company office's automated attendant system to avoid the "dial operator"
loop problem.
The RISKS of Busy Telephone Neighborhoods
The people at the Misdialing Gardens Apartments were more polite than
those involved when Coca Cola published my number as their in-warranty
emergency repair number three years back. Now I say that I can fix almost
anything (and often do), but those people insisted I fix their Coca Cola
machines _Right_NOW_For_FREE since soda was usually spewing forth onto the
carpet, etc. Complaints to Coca Cola Corp.'s headquarters met with
Persistent Insistence that my number was Indeed _The_Correct_Number_ for
their in-warranty repair service. They kept looking it up in their
corporate directory and their computers, and telling me it "The computer
says that _IS_ The Correct Number, so stop bothering us!" (I couldn't seem
to get a VP's secretary to understand the true nature of the problem. And
of course, she would NOT pass me on up the line because _I_ was
_Obviously_Wrong_.) After a few go-arounds like that with Coca Cola's
Headquarters, I just gave up and chanced my number to an unlisted number
without a forwarding reference. It only cost me several hundred dollars to
change stationary and notify all my clients...
... Some of whom had recently changed their fax numbers... And
since I usually set up a computer to send these overnight... Well, I
guess I just had all those "favors" returned this past week end!
The ADVANTAGE of Call Return
I still get calls at all hours, but not as often; the present phoney
phone callers all hang up when they hear a human answer, making one think of
burglars trying to see who is home, or the odd former acquaintance,
ex-spouse, or ex-employee who might have traded a few marbles for some lead
pellets. When I ordered call return to investigate this problem, the
Pacific Bell representative told me to call these phoney callers back and
say "I am working with" (not for) "the telephone company to determine why
people call this number." The responses revealed that my current number in
the slipped digit neighborhood of a touch-tone-based Automatic Bank
Information system. If I politely return those phoney phone calls, I can
keep the number of calls down to two or three a month as opposed to the
original three or four a week. (Not to mention retain my peace of mind!) I
guess people do learn.
Don't call me, I won't call you! Please!
Several individuals have commented that someone less ethical might have
set up one of those $95.99 voice mail cards to ask for the caller's account
and PIN numbers, then apologize for the rest of the computers being
unavailable. In effect, a telephonic analog of a terminal with a phony
login screen. Which reminds me of...
The RISK of Borrowing Time Sharing Programs
Back in college, some twenty two years back (seems like yesterday!), I
had been assigned the task of catching a student who was using a phony log
in-screen to steal account numbers on CPS, the time-sharing system which ran
on UConn Research Computer Center's IBM 360. CPS (Conversational
Programming System) was an interactive PL/1-like variant of BASIC. In one
evening, I was able to cobble together parts of a utility program I was
writing to create a 1,400-line PL/1 program which performed a brute force
search over the CPS saved program hierarchy for the word "login". (Not so
easy since CPS used its own file format, saving programs and data in
tokenized form; but my utility already scanned comments for expiration
dates.)
It turned out that the offending programs were saving themselves with
the captured login data stored in arrays. As in interactive BASIC, the
miscreant could query these arrays without executing the programs
themselves. I "de-initialized" the arrays and subtly damaged the programs.
An "On Error" statement was used to activate a few new lines near the end of
the program to message the main operations console whenever the programs
were either run OR the now invalid array elements were queried.
Several nights later, I arrived just in time to join two other staff
members as they ran across campus to catch an unexpected second miscreant.
She later managed to convince the powers that be that she was not The Real
Miscreant; but had "merely borrowed a program to see how it worked." I
always wondered about that. Did you really do it, Ellen? Or was it really
the other fellow?
The RISK of stealing time-sharing programs is stealing Booby Traps.
-JVV-
First, I'd like to disagree with Mr. Carasso's belief that user
confusion due to a lack of standards in control layout is "stupidity". It's
very easy for users to develop an automatic patterns for some frequently
performed operation, and then repeat that pattern in a circumstance where it
is not appropriate. For instance, I've developed a habit of hitting
Control-X Control-C y to exit emacs and confirm it's "Save file foo? (y or
n)" prompt. Then I went to use an editor that, upon exit, prompted something
like "File foo not saved - really quit? (y/n)" My fingers were running the
emacs pattern and hit "y", thinking that that meant to perform the save,
when in fact it meant to exit without saving. I can very easily imagine a
long time PC user whose fingers get ahead of his brain, confuse the floppy
eject with the power switch, and shut the machine off.
I'd also like to question his assumption that if you made such a
mistake, you "obviously just got your Mac, there's little of value on it,
and it's unlikely that anything damaging will *really* happen." It seems to
me that to properly assess the risks of such a situation, one should always
assume a worst-case scenario.
So what kind of "what-ifs" can we add to this situation?
In the worst case, safety critical equipment might be controlled by
that Mac. (Yes, we know that there should be a protective cover over that
switch in such a case, but I'll bet you a nickel there's a system out there
right now that could hurt someone if such down at the wrong time and is
without such a cover.) That's a obvious risk.
Less obvious is the possibility of losing very important data. To take
an example from my own experience, I was forced to do my first extensive
Macintosh work (aside from some light word processing at an old job) for a
robotics class Programs were compiled on the Mac and downloaded to the
controller board. We saved our work on floppies so we could move the work
between any one of several Macs.
Much of the work (at least for my team) turned out to be trial-and-
error setting of various constants. It might take a dozen compile-download-
test cycles to find a good value for one such constant. I can just imagine
the horror, the wailing, and the gnashing of teeth had one of us gone to
swap floppies to save some bit of work and, operating on auto-pilot (as is
known to happen when you're working at some ungodly hour to meet a
deadline) hit the power switch and sent that work to the bit bucket.
-Tom Swiss / tms@tis.com
A few months ago I responded to a similar issue on another mailing list. As a parent, I can appreciate the problems with adding to the burden of parental responsibility in presenting one more threat we must shield our children against. The real question is how to prepare children for a world in which censorship is not viable — how to make them better participants in a world rich in information and sleaze. Which is which is often a matter of personal opinion. Ultimately they will have to make the judgment of how to handle it. I realize that there are lots of issues here and that the mere presence of objectionable materials does open organizations up to harassment suits. But, ultimately, this country has made a bet that open access to information is the better option. Other countries have more or less censorship on various issues and are no longer across a wide ocean. This does mean that one (as a parent, educator, whatever) needs to try to teach that not all information available is valid or representative of the real world. But some information can be real and disturbing. At one point while I was in elementary school, I had a great fear of news — especially international news. Considering that it was in the 50s and duck and cover was a part of the curriculum and one standard topic was how big an H-bomb it would take to reach our school if it landed (precisely?) at Columbus Circle in New York, this was not totally irrational. But is it better to grow up in a world unprepared, without an immune system?
"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> wrote of attempts to resolve the problem of access by children to possibly unsuitable sexual material in certain USENET newsgroups. I would like to respond, as a seemingly responsible parent, with some examples of real parental controls, and real parental concerns about this issue. In our case the family MODEM is hardwired to a separate local-only phone line, somewhat reducing the scope of possible teenage computer activities, but Internet is another matter. I have applied suitable access limitations to my son's AOL sub-account, and my kids are never allowed any visual access to my passwords. My kids have also freely discussed these issues with me, and can be expected to understand them to the degree that they are willing to understand them. To that extent I don't worry about my kids and their activities. I am concerned however, with the very real problem of adult human "predators" who seek out congregating kids, whether it be outside the neighborhood convenience store or on the Net. It is a mistake to think that "good", intelligent kids can necessarily resist or even be aware of the attempts of an experienced adult "predator" to do them harm. This is why I remain concerned about the issue of suitable Net access for kids. The article by Mich Kabay appears to trivialize the real concerns of parents who are trying to be responsible about giving their kids access to contemporary tools, but also wish to avoid unreasonable risks to the well-being of their children. Art Hicks
Mitch Kabay comments at length about CMU's decision to block access to
alt.sex.* et. al. on its computer systems. Mitch's comments focus
mostly upon access, calling for finer grains of access to the Internet
rather than total vs. no access.
While Mitch raises good points, they really don't address CMU's
dilemma. The following is an excerpt from the official on-campus
announcement of the change:
Pennsylvania laws prohibits us from carrying bulletin boards
that are known to be used for the distribution of sexually
explicit or obscene material. It is against the law for
anybody to knowingly distribute sexually explicit materials to
people under the age of 18, or obscene materials to people of
any age. [...]
[T]he only criterion that will be used when considering the
withdrawal of a bulletin board is that either the intended
purpose for which it was established or its primary use
(majority of the posts) makes it illegal for Computing
Services to provide access to the bulletin board.
(N.B. Usenet groups at CMU are usually called bulletin boards.)
This isn't really an issue of whether minors can get access — the
vast majority of students at CMU are over 18, anyways. The problem is
that obscene material cannot be distributed in PA, regardless of the
age of the recipient. And so CMU needs to find a way to obey the law.
In some ways, this is already the finer-grain access that Kabay
suggests. CMU isn't going to monitor every newsgroup for obscene
materials; it simply will eliminate those newsgroups where such
material is the most prominent.
Of course, whether or not local definitions of obscenity make sense
anymore in a global infobahn is another question entirely, and one
in which I'm still undecided.
Jim Huggins (huggins@umich.edu)
Mich seems to discuss only one of three problems here. He notes that there is material suitable for adults but not for children. He correctly notes that it is the parent's responsibility to build a suitable barrier. The other two issues of "censorship" he did not discuss are: 1) Highly offensive material not suitable for anyone, and 2) Any material offensive to a payer. In category 1) may be child pornography, or bestiality pornography. The material (at a state or more local level IMO) may be simply ruled illegal. In category 2) Realizing that CMU receives tax funds we should ask if any of these tax funds pay for Internet? If yes, then a case may be made to eliminate several newsgroups because they are offensive to some segment of the taxpaying public. Harry Rockefeller FlightSafety International, Simulation Systems Division Broken Arrow, OK 74012 harryr@ssd.fsi.com (918) 251-0500
Please report problems with the web pages to the maintainer