The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 68

Tuesday 27 December 1994

Contents

o Washington Post flubs stock prices
William C. Fenner
o Sorcerer's Apprentice Hits Medicare
Mich Kabay
o $25m power bungle: Automation at Australian electricity plant
Tom Worthington
o Buy a country for $1200
Amos Shapir
o Re: Mary Payne and "Good to the Last Bit"
Jim Haynes
o Rate Hike For Universal TouchTone?
Leonard Erickson
o Re: Year 2000 date problems already happening now
Scot E. Wilcoxon
o Re: American Scientist article on the year 2000
Brian Hayes
o RISKS of guessing at Fair Use
Mich Kabay
o Info on RISKS (comp.risks)

Washington Post flubs stock prices

"William C. Fenner" <fenner@cmf.nrl.navy.mil>
Tue, 27 Dec 1994 09:01:22 -0500
The Washington Post printed a full page of old stock prices one day last
week in their business section.  According to their explanation, the data is
normally stored in a file named "ap stox 2".  In preparing the erroneous
page, a user saw "ap stox2" (i.e. no space) "elsewhere in the machine" and
used it instead.

The article also says that "Steps have been taken to prevent a recurrence".
I wonder what kind of steps?  Educating users?  Probably the most useful
thing to do would be to have the date in the filename, so an old file could
not be mistaken for current data.

Bill Fenner                  fenner@cmf.nrl.navy.mil


Sorcerer's Apprentice Hits Medicare

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
26 Dec 94 16:37:59 EST
The Associated Press newswire for 94.12.26 @ 02:43 EST (via CompuServe's
Executive News Service) reports a case of failed identification and
authentication:

    Sting Backfires.

    MIAMI (AP) -- FBI agents thought they were setting a trap
    by buying copies of 35 Medicare cards and selling them to
    a suspected fraud operation.

    But now the cards are being used to buy expensive leg braces
    and other medical equipment -- and the FBI can't track them.

    "The FBI lost control of the cards. Now they have a monster
    on their hands," a government investigator familiar with the
    case told The Miami Herald for a story in Sunday's issues.

According to the story, Medicare spokesperson "Faye Baggiano, associate
administrator of the Health Care Financing Administration in
Washington," admits that they have used the social insurance number as the
Medicare identifier; therefore "Medicare says it can't cancel the copied cards,
which have been circulating for 16 months, because that would wipe out
legitimate federal benefits to the people whose names are on those cards."

Normally, Medicare "provides phony numbers that can be canceled; it is unclear
why the FBI used real numbers.

An analysis of just 10 of the 35 stolen cards shows "a total of $163,745 for
services that the real card holders say they never got or tried to get."

<<Comments by MK:  yet another case where inadequate identification and
authentication leads to problems--not to speak of the design error of using
production data for test purposes!<>

M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn.


$25m power bungle: Automation at Australian electricity plant

Tom Worthington <tomw@ccadfa.cc.adfa.oz.au>
Tue, 27 Dec 1994 12:13:02 GMT
The attached is from the headline story Tuesday 27 December of the
Courier-Mail newspaper (ph: +61 7 2526011, fax: +61 7 2526696) in the state
of Queensland, Australia. I thought it may be of interest to readers of
"Risks" as it covers a number of themes discussed before:

              $25m power bungle - Report slams hi-tech move
                          Exclusive by Ed Southorn

A $25 million project to turn one of the state's power stations into an
automated plant created an unsafe workplace requiring twice the number of
engineers to run, a confidential report reveals.  The new automatic control
systems also caused more than $1.5 million damage to machinery at the
Swanbank station near Ipswich.

...The audit found the Swanbank automatic control system had failed to
protect the plant from damage.  The system had been unable to prevent a
"trip" (temporary shutdown) cutting oil flow to a turbine. This had resulted
in a bent shaft leaving the turbine with reduced generating capacity.
...The automatic alarm system which tells operators how the plant is
functioning was not properly operating almost two years after it was
installed.  ...The report found lack of adequate testing before
commissioning and "waving of proper commissioning and acceptance testing
procedures" and "a single-minded drive to meet target dates."

  [Posted by Tom Worthington, Director of the Community Affairs Board,
  Australian Computer Soc. Inc.  tomw@adfa.oz.au http://www.peg.apc.org/~tomw


Buy a country for $1200

Amos Shapir <amos@cs.huji.ac.il>
25 Dec 1994 17:21:07 +0200
Police in Israel have started an investigation last week to determine how
the entire population registry of the country has ended up being offered for
sale by a private company, on a CD ROM disk for $1200.

Political parties are entitled to get the voters registry (which includes
people's names, addresses, birth dates and ID number) from the Ministry of
the Interior.  The latest elections in 1992 were the first time this
information was disseminated on a CD ROM and not just printouts; these disks
should have been returned to the Ministry after the elections, and were
coded and numbered, but it's not clear from newspaper reports here how this
coding was done, and how this was supposed to prevent the parties or their
employees from keeping their own copies.

In addition to the registry (which is actually public information, though
not freely available) the government-owned phone company sells a disk
containing all phone books, and the government's companies registry is also
available (I'm not sure if it is sold legally).

All this information enabled a TV reporter to demonstrate getting the list
of all companies privately directed by the minister of Finance (including
the names of all other directors), or the private address and phone number
of the chief of the Mossad and all of his neighbors (which were shown on
screen, though with illegible resolution).

Israel is a small country, but it's only a matter of time and computing
power before this kind of personal information processing is available
everywhere.

Amos Shapir, The Hebrew Univ. of Jerusalem, Dept. of Comp. Science,
Givat-Ram, Jerusalem 91904, Israel  +972 2 585706,586950  amos@cs.huji.ac.il


Re: Mary Payne and "Good to the Last Bit"

Jim Haynes <haynes@cats.ucsc.edu>
Fri, 23 Dec 1994 17:31:13 -0800
Perhaps it didn't happen on Mary Payne's watch; but I do recall there was a
problem with floating point in early VAX-11/780 machines.  Believe it
required a microcode change, and a board swap for machines equipped with a
floating point accelerator.  Then there was the early production G.E. 635
floating point problem which resulted from truncating, rather than rounding,
a 2's complement number, giving a negative bias to the results.  Supposedly
(urban legend alert!) this was recognized as important when a tape calculated
on one of the machines was used to operate a numerically-controlled cutting
torch.  The torch was supposed to cut a circular plate out of a thick piece
of steel.  The actual cut had a jog in it, resembling (coincidentally, I'm
sure) the "Intel Inside" logo.  Then there was the floating point problem
early in the life of the IBM 360 series.  As I recall this was not so much
an error as a surprisingly sudden loss of significance resulting from the
base-16 fractions, such that a shift for exponent alignment shifted four
bits at a time.  And I recall some allegation about an early CDC machine
(1604? 3600?) in which fixed point -1 x -1 = -1.


Rate Hike For Universal TouchTone? (nonincluded message, Pelletier)

Leonard Erickson <Leonard.Erickson@f51.n105.z1.fidonet.org>
Sun, 25 Dec 1994 07:34:20 -0800
 > Is this just a ploy to line their pockets from their captive market?

No. Take another look at the figures you quoted. It costs *more* to support
pulse dialing. They can't go 100% touchtone until all their subscribers quit
using old gear. So they have to keep the "pulse counters" around (and
maintained) until then. Therefore, if you want pulse dialing, they are going
to charge you $2 extra each month.

This is the most *sensible* thing I've seen a phone co. do in a long time.
It encourages folks to quit using pulse/rotary phones. And it gives them
hard figures on how many folks still can't use touchtone.


Re: Year 2000 date problems already happening now (Elana, RISKS-16.67)

Scot E. Wilcoxon <sewilco@fieldday.mn.org>
Sat, 24 Dec 94 16:26 CST
A local newspaper in Minneapolis recently ran a short article about the year
2000 problems, and pointed out that in 1995 any five-year planning programs
are at risk.

Scot E. Wilcoxon    sewilco@fieldday.mn.org     +1 612 936 0118


American Scientist article (PGN, RISKS-16.67)

Brian Hayes <bhayes@mercury.interpath.net>
Sat, 24 Dec 1994 13:12:38 -0400
   [With regard to Brian's "Computing Science" column in the Jan-Feb 1994
   issue of _American Scientist_ (Vol. 83, No. 1, pp. 12-15),
   <P.O. Box 13975, Research Triangle Park, NC, 27709, 800-282-0444>,
   which PGN noted in RISKS-16.67, Brian has made the following offer:]

For net denizens who don't read ink on paper, I can supply a plain-ASCII
version of the article's text by E-mail. Send me a request at
bhayes@mercury.interpath.net.

  [The column is based largely on material that has appeared in the RISKS
  Forum over the years. (Thanks, folks!)  BH]


RISKS of guessing at Fair Use

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
26 Dec 94 22:15:12 EST
In an article by Andrew Lawler in _Science_ magazine (94.11.25; 266:1315)
entitled "Court says no to copying articles," we read of a recent case which
may affect anyone who collects news, newspaper, magazine and journal
articles:

    Thinking of photocopying an article from your favorite journal?
    Think again.  Last month [in October 94] a three-member federal
    appeals court in New York ruled that a Texaco Corp. scientist
    violated copyright laws by making one copy each of eight articles
    in a scientific journal and placing them in his files.  The
    2-1 ruling dramatizes the uncertainty over what constitutes fair
    use of copyrighted material, say lawyers familiar with the case,
    adding that the ruling should prompt companies and universities
    to review their policies toward copying.

According to the author, the suit was launched by the American Geophysical
Union (AGU) and more than 80 other plaintiffs.  They accused Texaco of
"copying and distributing hundreds of scientific articles to hundreds of
researchers" and picked a sample case for the civil suit.

The court ruled that because the scientist in the sample case (David
Chickering, who copied the eight articles from the journal _Catalysis_)
filed the papers away in his library rather than use them immediately, he
was in violation of the fair use laws governing copyrighted materials.

The dissenting judge wrote that because the defendant used the copied
materials for research only, that use fell under existing fair use doctrine.

"Jon Baumgarten of Proskauer. Rpse. Gpetz & Mendelsohn in Washington," one
of the lawyers for the plaintiffs, said that it's not true that "all
educational use is fair use."  He advised academic researchers to "Consult
with your university counsel before making copies."

<<Comments by M.K.: This ruling has serious implications for anyone who uses
online databases of bibliographic material; e.g., the Computer Database Plus
owned by Information Access Company (IAC) and available on CD-ROM and online
via CompuServe. The terms of use for the online service include the
following text:

    TERMS AND CONDITIONS

    Computer Database Plus and its contents are
    copyright (c) 1988-1994 by Information Access
    Company (IAC) and/or its data suppliers. Copying,
    retransmitting, redistributing or publishing any
    part of this database, either in hardcopy or
    electronically, is prohibited.

    The material contained in this database is
    provided only to individual users.  Users may
    electronically store downloaded material only to
    facilitate changing the format or presentation of
    the material. If the user is retrieving
    information on behalf of another, the user may
    supply only one (1) printed copy.  Copyright
    notices must not be removed from any material
    retrieved from this database.

Judging from the ruling described above, the IAC may very well be able to
argue that its rules are _not_ superseded by fair use doctrine.  Thus
storing specific articles in files on one's own hard disk for later search
and use may be prohibited regardless of intention or actual use.

Similarly, the Executive News (ENS) Service on CompuServe, which provides
news wire feeds in real time, allows users to store captured stories
("clippings") for a maximum of 14 days, after which they are discarded
automatically.  The introductory text for this service makes no specific
restrictions on storage.

In ENS, individual newswires have different copyright wording:

* AP includes, "All rights reserved.  The information
  contained in this news report may not be republished
  or redistributed without the prior written authority
  of The Associated Press."

* Reuter's entries state, "Copyright Reuters America Inc.
  1994.  All rights reserved."

* UPI articles include only, "Copyright 1994 United Press International"

* Washington Post has, "Copyright 1994 The Washington Post."

It may be that storing copies of these articles in one's own online archives
is actionable.

For those unfamiliar with fair use doctrine, I include the following
commentary to stimulate further thought and discussion:

 -------------------- %<>== --------------------------

        US COPYRIGHT OFFICE CIRCULAR ON FAIR USE (1993)

One of the rights accorded to the owner of copyright is the right to
reproduce or to authorize others to reproduce the work in copies or
phonorecords. This right is subject to certain limitations found in sections
107 through 120 of the copyright act (title 17, U.S. Code). One of the more
important limitations is the doctrine of "fair use." Although fair use was
not mentioned in the previous copyright law, the doctrine has developed
through a substantial number of court decisions over the years. This
doctrine has been codified in section 107 of the copyright law.

Section 107 contains a list of the various purposes for which the
reproduction of a particular work may be considered "fair," such as
criticism, comment, news reporting, teaching, scholarship, and research.
Section 107 also sets out four factors to be considered in determining
whether or not a particular use is fair:
    (1) the purpose and character of the use, including whether

        such use is of commercial nature or is for nonprofit
        educational purposes;
    (2) the nature of the copyrighted work;
    (3) the amount and substantiality of the portion used in
        relation to the copyrighted work as a whole; and
    (4) the effect of the use upon the potential market for or
        value of the copyrighted work.

The distinction between "fair use" and infringement may be unclear and not
easily defined. There is no specific number of words, lines, or notes that
may safely be taken without permission.  Acknowledging the source of the
copyrighted material does not substitute for obtaining permission.

The 1961 _Report of the Register of Copyrights on the General Revision of
the U.S. Copyright Law_ cites examples of activities that courts have
regarded as fair use: "quotation of excerpts in a review or criticism for
purposes of illustration or comment; quotation of short passages in a
scholarly or technical work, for illustration or clarification of the
author's observations; use in a parody of some of the content of the work
parodied; summary of an address or article, with brief quotations, in a news
report; reproduction by a library of a portion of a work to replace part of
a damaged copy; reproduction by a teacher or student of a small part of a
work to illustrate a lesson; reproduction of a work in legislative or
judicial proceedings or reports; incidental and fortuitous reproduction, in
a newsreel or broadcast, of a work located in the scene of an event being
reported."

Copyright protects the particular way an author has expressed himself; it
does not extend to any ideas, systems, or factual information conveyed in
the work.

The safest course is always to get permission from the copyright owner
before using copyrighted material. The Copyright Office cannot give this
permission.

When it is impracticable to obtain permission, use of copyrighted material
should be avoided unless the doctrine of "fair use" would clearly apply to
the situation. The Copyright Office can neither determine if a certain use
may be considered "fair" nor advise on possible copyright violations. If
there is any doubt, it is advisable to consult an attorney.

***Last update 6/10/93 (raa)***

       -------------------- %<>== --------------------------

Another useful document is the following:

(DRAFT VERSION) COPYRIGHT LAW AND MULTIMEDIA DEVELOPMENT IN EDUCATION

Section 106 of the Copyrights Act (P.L. 94-553) describes the exclusive
rights of copyright owners.

"[T]he owner of copyright...has the exclusive rights to do and to authorize
any of the following:

1.   To reproduce the copyrighted work in copies or phonorecords;

2.   To prepare derivative works based upon the copyrighted work;

3.  To distribute copies or phonorecords of the copyrighted work to the
public by sale or other transfer of ownership, or by rental, lease, or
lending;

4.   In the case of literary, musical, dramatic, and choreographic works,
pantomimes, and motion pictures and other audiovisual works, to perform the
copyrighted work publicly; and

5.  In the case of literary, musical, dramatic, and choreographic works,
pantomimes, and pictorial, graphic, or sculptural works, including the
individual images of a motion picture or other audiovisual work, to display
the copyrighted work publicly."

The fair use provision of the Copyrights Act is found in Section 107 which is
reproduced below.

"Notwithstanding the provisions of section 106, the fair use of a
copyrighted work, including such use by reproduction in copies or
phonorecords or by any other means specified by that section, for purposes
such as criticism, comment, news reporting, teaching (including multiple
copies for classroom use), scholarship, or research, is not an infringement
of copyright. In determining whether the use made of a work in any
particular case is a fair use the factors to be considered shall include--

1.   the purpose and character of the use, including whether such use is of a
commercial nature or is for nonprofit educational purposes;

2.   the nature of the copyrighted work;

3.   the amount and substantiality of the portion used in relation to the
copyrighted work as a whole; and

4.   the effect of the use upon the potential market for or value of the
copyrighted work."

The legislative history which speaks to the fair use provision acknowledges:

"The judicial doctrine of fair use, one of the most important and well
established limitations on the exclusive right of copyright owners, would be
given express statutory recognition for the first time in section 107. The
claim that a defendant's acts constituted a fair use rather than an
infringement has been raised as a defense in innumerable copyright actions
over the years, and there is ample case law recognizing the existence of the
doctrine and applying it."

It should be noted that at this point, the legislative history reiterates the
four points listed above from section 107. Fair use must meet all four criteria
to be a protected activity.

"Although the courts have considered and ruled upon the fair use doctrine over
and over again, no real definition of the concept has ever emerged. Indeed,
since the doctrine is an equitable rule of reason, no generally applicable
definition is possible, and each case raising the question must be decided on
its own facts. On the other hand, the courts have evolved a set of criteria
which, though in no case definitive or determinative, provide some gauge for
balancing the equities.  These criteria have been stated in various ways, but
essentially they can all be reduced to the four standards which have been
adopted in section 107...."

There are no definitive standards or guidelines governing the use of
copyrighted materials in the preparation of multimedia courseware for
instruction, or classroom presentations utilizing multimedia. However, while
developing these products, faculty should be governed by the same criteria
which are prescribed for the use of copyrighted print materials. In essence,
the use of copyrighted print materials is governed by three criteria:

Spontaneity: The "fair use" of copyrighted materials in an educational
setting should be at the "instance and inspiration of the individual
teacher...."  Further, the "inspiration and decision to use the work and the
moment of its use for maximum teaching effectiveness" must be so close
together in time "that it would be unreasonable to expect a timely reply to
a request for permission." In other words, the decision to use the material
must be the instructor's and not dictated by management or administration
and it must be a spontaneous decision.

Brevity: With regard to print media, the guidelines are specific even to the
point of specifying the maximum length of an excerpt from poetry or prose.
Though these limits do not apply to non-print media, they clearly indicate
that the intent is for a small portion of the original to be copied under
fair use, and not a substantial portion of the work.

Cumulative Effect: "...copying of...material is for only one course in the
school in which the copies are made." The guidelines for copying of print
media, states "[n]ot more than one short poem, article, story, essay or two
excepts from the same author, nor more than three from the same collective
work or periodical volume during one class term" is permitted.  Even though
the media may be different, faculty can best avoid copyright infringement by
following the spirit of these guidelines when dealing with other forms of
media in a multimedia presentation. For instance, using 8 minutes from a 10
minute video tape (in a multimedia presentation) would appear to violate the
fair use guidelines by diminishing the "potential market" and value of the
copyrighted work.

Instructors should be aware that when relying on the fair use provision, the
use of copyrighted materials must meet all three tests (spontaneity,
brevity, and cumulative effect). Instructors are encouraged to procure
copyright releases for materials which they anticipate using for longer than
one term.

Finally, the guidelines (developed by the Ad Hoc Committee on Copyright
Revision, the Author-Publisher Group, and the Association of American
Publishers) also indicate that

1.   "Copying shall not be used to create or to replace or substitute for
anthologies, compilations, or collective works..."

2.   Copying is not allowed from consumable works  such as "workbooks,
exercises, standardized tests and test booklets and answer sheets...."

3.  "Copying shall not substitute for the purchase of books, publisher's
reprints or periodicals...(and shall not) be repeated with respect to the
same item by the same teacher from term to term."

It should be noted that clip art, clip video, and clip audio are marketed
and available for use in developing multimedia materials. These forms of
"clip media" are licensed to the purchaser (individual, school, or faculty
member) for use in multimedia presentations. In many cases, clip media can
be used to substitute in a presentation for copyrighted materials that might
violate the fair use provision.

Assembled by the Academic Computing Technologies Group, Johnson County
Community College, Overland Park, KS 66210.

      -------------------- %<>== --------------------------

Given the nature of the RISKS FORUM and NCSA FORUM membership, I think these
issues warrant further clarification.  I invite legal counsel with expertise
in the field to comment.<>

Mich    M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn

Please report problems with the web pages to the maintainer

Top