Flaws were reported in the PC and Mac versions of TurboTax and MacInTax 1040. These flaws are triggered when transferring tax data to the tax package from other software, such as Quicken. Intuit estimates that the flaws would affect only about 1% of the users. Intuit Chairman Scott Cook apologized that the flaws had been known for a few weeks and had not been publicly acknowledged until 1 Mar 1995. He also indicated that new versions can be obtained for free by calling 800-224-0948 (in the US). [Sources: various news reports 2-3 Mar 1995, including the San Francisco Chronicle]
Eight weeks into the first such lawsuit to go to trial, Apple Computer has settled with the plaintiff who claimed her repetitive stress injuries were incurred as a result of Apple's failure to warn about the potential for RSI. One of the requirements in the settlement is that the terms be kept secret. IBM, also named in the suit, has asked the judge to declare a mistrial, saying that news of Apple's settlement was prejudicial. The judge has rejected that motion. IBM says it does not intend to settle. (Tampa Tribune, 28 Feb 1995, B&F1)
Apple Computer's recent move to settle the repetitive stress injury lawsuit brought by a former high school secretary in Minnesota was prompted by "errors" its law firm, Saperston & Day, made in not turning over some documents before the trial. The judge had threatened to declare a mistrial or impose sanctions because of the oversight. Saperston & Day will pay the settlement. (Wall Street Journal, 28 Feb 1995, B7)
The Computer Emergency Response Team has issued a public warning on a vulnerability in some 20 commonly used e-mail programs that run on Unix operating systems. The advisory said the latest discovery could allow a hacker to "read any file on the system, overwrite or destroy files." The ultimate solution to these recurrent security problems, says Purdue University professor Eugene Spafford, is for consumers to demand better security features from software manufacturers. In the absence of improved software, "are we going to continue seeing problems? You bet." (Wall Street Journal, 23 Feb 1995, B8)
A graduate student at the University of California at Berkeley has filed a lawsuit against the federal government, charging it with unfairly limiting his ability to discuss his research on encryption software. The plaintiff developed an equation for encrypting information, and wishes to publish a paper on his work, as well as software based on his equation. He would also like to discuss his findings at professional meetings. The federal government's export-control laws restrict the publication of cryptographic software and documentation. The Electronic Frontier Foundation is handling the plaintiff's case. (Chronicle of Higher Education 3/3/95 A19)
Sen. James Exon (D-Neb.) has introduced legislation calling for two-year prison terms for anyone convicted of sending obscene or harassing e-mail. Commercial providers have protested, noting their service is more like a telephone company, which is not held responsible for the conversations carried over its conduits, but Exon remains unmoved: "If I were against this, if I didn't want to be bothered with it, if I felt it might complicate my ability to make money on the superhighway, that's the argument I would make." Meanwhile the Center for Democracy and Technology is pushing for more sophisticated filters that users could customize to block specific types of messages. "You could have the Pat Robertson rating system, the Motion Picture rating system, the Playboy rating system," says the Center's founder. (*Wall Street Journal*, 8 Feb 1995, p. B6)
The Washington Post (95.02.24, p. C1) has an interesting story on virtual gambling:

The Home Gambling Network: It's Illegal, Maybe Immoral, but Is the Cyberspace Casino a Good Bet? by Richard Leiby, Washington Post Staff Writer

NEW YORK--Surrounded by a sea of techno-suits discussing the future of media convergence in a bidirectional world of system-neutral platforms, the guy with the shaved head and black leather jacket had to smirk. "What's funny to me," John Bates said, "is how tremendously clueless most of these people are."

The author makes the following key points:

* Gambling in the U.S. is a $400 billion industry.
* A hundred people paid U$595 to attend a one-day conference in NYC entitled, "Interactive Gaming: What's the Payoff?"
* Thirty-one year old Bates is "on-line service director" for the Virtual Vegas company, which is proposing "cyberspace casinos where real and computer-generated players interact in 3-D."
* US federal law currently makes betting across interstate borders using telecommunications illegal.
* In practice, gamblers have been making off-shore bets on U.S. sports events over the phone using their bank credit cards.
* The prospect of unlimited access to credit cards for gambling alarms some observers of addicted gamblers: "Give some people a credit-card-reading device with a keypad hooked into their phones or home computers--models of which were exhibited at the conference--and you're bound to have suckers blowing their life savings. And minors will find a way to log on to parental accounts."
* In Quebec, an interactive TV show lets people order up to C$15 (~U$11) of tickets a week (the limit is spelled out in legislation).
* The UBI (Universal Bidirectional Interactive) Consortium based in Montreal is working on a consumer-oriented electronic network which will include gambling services.
* Some observers predict "a family-values backlash" against such computer-mediated gambling.
M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn (Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)
The story of the young trader who brought down Barings Bank captivates me as much as it captivates the headline writers at the NY Post. James Glassman wrote in the Washington Post (March 1, 95), "I don't mean to paint him as a romantic hero, but he has reminded us-- in this age of huge financial institutions guided by high-speed computers-- that one little guy can still move the world." RISKS readers, though, should be intrigued because I suspect that deep below all of this may be an intriguing datapoint on the value of anonymity in the modern, electronic marketplace. The Osaka Exchange publishes a weekly digest of the position. The Financial Times quoted someone saying, "everyone knew of the trades" and "no one could quite understand what Barings was doing with that sort of position." This fact leads me to have some fun speculating on what happened. The futures and options markets are quite different from the stock market. Whenever someone loses a dollar, then someone else makes it. Value just doesn't evaporate into smoke like it does on the stock market when everyone decides a stock isn't worth it anymore. So every dollar that Barings lost was gained by someone else. What does this have to do with anonymity? Everything. There aren't many people playing at these levels in the market so people can gang up on one another. It's much like games of bridge or hearts where everyone can work together to stiff one player who might be in the lead. If everyone knew that Barings was so deeply in the hole, they knew that it might not take much to push Barings into bankruptcy. Just a bit more selling in Tokyo and whammo, the firm is theirs at a huge selling price. No need to negotiate payment terms or other factors. If the firm doesn't have enough assets, the futures exchange might make up the difference from an insurance fund. The strategy that might have been in play was similar to the one that led to the table stakes rule in poker.
The rule limits bets to the smallest pot still in the hand. This prevents the richest player from winning every hand by merely outbidding everyone. Don't play poker against Bill Gates without it. (If you want to see what it could do to a marriage, check out the film "Honeymoon in Vegas.") There is no such rule in these markets and Barings should have known better than to expose themselves to this risk. I suspect, though, that they might have been much safer if their action was kept anonymous. Of course this theory is just a theory. As Glassman would like to believe that a little guy can still move the world, I want to believe that large cabals can gang up on the little guy.
[Source: COMPUTER HACKING AND THEFT RIFE IN WHITEHALL, by CHRIS BLACKHURST, Westminster Correspondent, The Independent, 1 Mar 1995.]

Hacking into Whitehall computers soared last year, with a 140 percent rise in the number of reported incidents. An investigation by the National Audit Office, the public finance watchdog, found that Government departments reported 655 hacking incidents last year, of which 111 were successful. Most hackers were internal staff exceeding their authority to obtain unauthorised information to leak to outsiders, and got oral or written warnings. Twelve percent of cases ended in legal action. The report includes these items:

- Civil servants and outsiders conspired to defraud a Government department of (pounds sterling) 1.5m. Police are investigating and eight arrests have been made.
- A civil servant obtained personal details of colleagues to blackmail them.
- A Government official obtained the private address of a married couple, possibly to assist in the kidnapping of the wife.
- Two staff members were prosecuted and fined (pounds sterling) 3,750 after leaking computer data.

Government computers are also increasingly prone to viruses and programmes designed to harm data and other software. Last year, Government departments and agencies reported a 350 percent rise in virus incidents, to 562. Over half of these cases, NAO points out, were detected by anti-virus scanning software. Two outbreaks were labelled "significant" by the NAO:

- Thirty-eight viral infections were traced to one PC hard disk, loaded with pirated computer games. Civil servants had been exchanging games by floppy disks or through e-mail. The viruses were the games manufacturer's own anti-bootlegging devices.
- Four PCs in a Government typing pool had been infected with a virus which took two days to eradicate.
If hacking and viruses were not bad enough, theft, reports the NAO, "continues to be a major problem, with portable computers, printers and laptop computers being the main targets." There were 433 reported incidents of theft of Government computer equipment last year, a rise of 60 percent. In all, equipment costing (pounds sterling) 1.2m was taken. This included two break-ins to the same office within three months and the loss of equipment worth (pounds sterling) 102,000. The thieves, who have not been caught, were thought to have been "stealing to order." Likewise, the culprits behind the theft of 11 PCs and other hardware, worth (pounds sterling) 55,000, have not been found. In one of the more bizarre incidents, somebody went to the trouble of taking a computer desk from a room and replacing it with an old one. The locked drawers of the desk were broken into, and information, mostly concerning the personal details of 300 staff, was scattered about. The report also noted that The National Computing Centre's 1994 IT Security Breaches Survey, covering a cross-section of industry and commerce, found that 25 percent of businesses had suffered theft of computer equipment in the previous two years. [The National Audit Office has considerable political influence here in the UK, so it will be interesting to see what follows from this report. BR Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK EMAIL = Brian.Randell@newcastle.ac.uk PHONE = +44 191 222 7923] [A corresponding article in The Times was reported by Timothy J. Hunt, Institute of Cancer Research, Royal Marsden NHS Trust, Downs Road, Sutton, Surrey UK SM2 5PT +44 (0)181 642 6011 x3312 Timothy@icr.ac.uk . PGN]
> In other words, tell them not to hit the power switch until they see C:\. Surely this relates to the previous RISKS discussion on power switches, and Apple's deliberations on how best to implement them. As Apple has realised, a few dollars spent on a software controllable power switch largely solves the problem. Surely this is better than blaming users for their entirely natural impatience with a machine which demands that they wait while it closes itself down, before they are "allowed" to switch it off. One of the major risks of the use of computers is that we end up with computers controlling people rather than vice versa. Matthew Cockerill Tel:[44] 171 269 3877 Imperial Cancer Research Fund (Cell Cycle Group) Fax:[44] 171 269 3801
In this case, it was stated here that there was supposed to be a limit on the amount of money that the ATM card could withdraw, but an error in the bank's computer allowed the thieves to steal $346,770. The victim had left her ATM card, with the PIN number on it, in or near the ATM machine. It makes sense to me that the victim should be responsible for her own losses, to the limit of the card, since she gave away the number. (I wonder, would I feel differently if she had been robbed and the PIN number found hidden in her belongings?) She should not be responsible for more than the limit. The bank gave her the card and told her it was good for up to $50 or $300 or whatever; the bank should be responsible if an error on their part allowed more than this to be taken. I wonder if any personal theft insurance policies cover losses from ATM cards?
San Jose Mercury News' Action Line section, 15 Feb 1995: SORRY, WRONG NUMBER

Q. In October 1993, I received a statement from Medicare that my wife had medical attention in Healdsburg from a Dr. John Fries. I notified Medicare that this was incorrect. Neither of us had ever been in Healdsburg. Medicare answered, thanking us. The other day we received another letter from Medicare showing that Fries had submitted another claim for treating my wife. It appears someone is using my wife's name and Medicare number to obtain care. Or maybe the doctor is making up these visits. Could you check into it? C.E.F., San Jose

A. No one is using your wife's Medicare number; nor is the claim submitted in a fraudulent manner, says Claudette Ballard, office manager for Fries. The last time this happened and this time, too, Medicare's scanners misread one of Fries' patients' Medicare number and picked up your wife's number. Ballard says the scanner is somehow reading the fifth digit in the number incorrectly and billing the service as if your wife received it. Ballard has contacted Medicare again and was assured steps would be taken so it doesn't happen again. She is writing you a letter to explain the problem in more detail.
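The Medicare misread above is the generic failure of a bare numeric identifier: one misread digit lands on another enrollee's equally valid number, and the billing system has no way to notice. As an added example, not part of the Action Line column or of any Medicare system, the Python below shows why a check digit is the cheap defence. A Luhn check digit (the scheme used on payment card numbers) turns every single-digit substitution, and every adjacent transposition other than 09/90, into a number that fails validation before any lookup is attempted. The registry, the enrollee IDs, the misread position and the assumption that the Medicare number carried no check digit at all are constructed for the example; the column says only that a single digit was misread and the result matched another patient.

```python
"""Check-digit demonstration (added example, not from the RISKS item).

Constructed data: the enrollee IDs and registry below are invented, and the
premise that the scanned identifier carries no check digit is an assumption.
"""


def _luhn_sum(digits, double_from_right):
    """Luhn weighted sum over a digit string.

    double_from_right is the index, counted from the right, of the first
    digit to double: 0 when computing a check digit for a bare body, 1 when
    validating a full number whose rightmost digit is the check digit.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if (i - double_from_right) % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of 10..18
        total += d
    return total


def luhn_check_digit(body):
    """Digit that makes body + digit pass luhn_valid()."""
    return str((10 - _luhn_sum(body, 0) % 10) % 10)


def luhn_valid(number):
    """True when the full number (body + check digit) has Luhn sum 0 mod 10."""
    return number.isdigit() and len(number) >= 2 and _luhn_sum(number, 1) % 10 == 0


def misread(number, index, wrong_digit):
    """Simulate an OCR error: the digit at index is replaced by wrong_digit."""
    return number[:index] + wrong_digit + number[index + 1:]


def undetected_substitutions(number):
    """Count single-digit substitutions of a valid number that still pass."""
    count = 0
    for i, ch in enumerate(number):
        for d in "0123456789":
            if d != ch and luhn_valid(misread(number, i, d)):
                count += 1
    return count


def undetected_transpositions(number):
    """Count adjacent swaps of two unequal digits that still pass."""
    count = 0
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a != b and luhn_valid(number[:i] + b + a + number[i + 2:]):
            count += 1
    return count


# Constructed registry: two enrollees whose plain IDs differ only in the
# fifth digit (index 4), mirroring the misread the column describes.
PLAIN_IDS = {"A": "123456789", "B": "123406789"}
PLAIN_REGISTRY = {PLAIN_IDS["A"]: "patient A", PLAIN_IDS["B"]: "patient B"}

# Same enrollees with a Luhn check digit appended to each ID.
CHECKED_IDS = {k: v + luhn_check_digit(v) for k, v in PLAIN_IDS.items()}
CHECKED_REGISTRY = {CHECKED_IDS["A"]: "patient A", CHECKED_IDS["B"]: "patient B"}


def resolve(registry, scanned, require_check_digit):
    """Map a scanned identifier to an enrollee name, or None.

    With require_check_digit=True a number that fails Luhn is rejected
    before any registry lookup, so a misread cannot bill the wrong person.
    """
    if require_check_digit and not luhn_valid(scanned):
        return None
    return registry.get(scanned)


if __name__ == "__main__":
    bad = misread(PLAIN_IDS["A"], 4, "0")
    print("plain ID, fifth digit misread 5->0, bills:", resolve(PLAIN_REGISTRY, bad, False))
    bad_checked = misread(CHECKED_IDS["A"], 4, "0")
    print("checked ID, same misread, bills:", resolve(CHECKED_REGISTRY, bad_checked, True))
    print("undetected substitutions:", undetected_substitutions(CHECKED_IDS["A"]))
    print("undetected transpositions:", undetected_transpositions(CHECKED_IDS["A"]))
```

Run as a script, the plain registry bills patient B for patient A's visit, while the check-digit registry rejects the misread outright. A check digit is not an authentication mechanism (anyone can compute one), and it does nothing for the fraud the questioner feared; its job is exactly the one in this column, keeping an honest transcription or scanning error from resolving to somebody else's record.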
The press is starting to notice some of the serious privacy problems with the rapidly advancing proposals for "Intelligent Transportation Systems" in the United States. Here are a couple of relevant articles: Richard Simon, Camera gains more exposure as a device for traffic control, Los Angeles Times, 20 February 1995, pages B1 and B3. This one is about the accelerating use of video cameras on roads in Southern California. In the near term they're mostly to identify the causes of traffic jams. But the Blue Line between Los Angeles and Long Beach will soon have cameras to detect drivers who attempt to circumvent lowered gates to cross the train tracks. And although the state Office of Traffic Safety is concerned about "a growing problem with commuters eating, reading, changing clothes, brushing their teeth and generally paying less than full attention to the road", it says it has no current plans to check up on these things with its cameras. The cameras, in case you're wondering, are in bulletproof containers. Although some of the problems that state traffic officials have identified are genuine, the real difficulty is in their basic philosophy for solving them. Rather than collect information and circulate it in a decentralized fashion that is useful to individual drivers and engineering crews without permitting unlimited accumulation of information that identifies individual drivers, they have set up a general-purpose centralized observation center in downtown Los Angeles. The slippery slope here is steep: as technologies of surveillance are put in place, new applications will always be available that are only one short step beyond what they've been used for so far. I am generally skeptical about visual metaphors for privacy problems, but this is one case where the Panopticon offers a perfectly simple and straightforward model. 
That's not so clear in another, much bigger and more consequential case: Don Phillips, Big Brother in the back seat?: The advent of the "intelligent highway" spurs a debate over privacy, Washington Post, 23 February 1995, page D10. This article concerns the "privacy principles" being circulated by the Intelligent Transportation Society of America, which is the industry group coordinating the development of a national architecture for transportation automation systems, including systems that track the locations of vehicles for a range of purposes. Although nobody in the United States is currently proposing that the use of these technologies be made mandatory for drivers, it is very likely that they will become unavoidable as a practical matter, since they will probably be used to implement much more widespread roadway toll-collection. The most recent version of these principles that I have seen is dated December 13th 1994, and they are in fact seriously problematic. For example, they only place very loose restrictions on secondary uses of the information by marketers, and they envision no restrictions on the powers of access to ITS travel information that individual states can confer upon local police. You can retrieve a copy by sending a message that looks like this:

To: rre-request@weber.ucsd.edu
Subject: archive send its-privacy

Or you can look at them on WWW at: http://weber.ucsd.edu/~pagre/its-privacy.html

I will probably circulate another message about these principles soon. The Phillips article notes that many people are concerned about law enforcement uses of ITS information; ITS America feels that such use is inevitable and simply wishes the public to be informed of this fact — they wish to focus on knowing "what the rules are" rather than on actual privacy. The tragedy is that it is completely unnecessary for these systems to collect information that identifies individuals. Profound violations of individual privacy are not the price of progress.
Rather, they are the price of using old-fashioned technology, neglecting innovations such as public-key cryptography and digital cash that protect privacy without sacrificing functionality. Phil Agre, UCSD
Memoirs of a (coastal) virus researcher

Some people may not be aware that, by disconnecting the modem and attaching a device known as a "telephone", communications circuits may be used for voice communications. Unfortunately, unlike email, "telephone" calls must be synchronous (or, more correctly, bisynchronous) in that both parties must be active on the circuit at the same time. With the rise in modern communications technologies, scenes like the following are becoming more common:

RRING RRING
RMS: Hello?
DFP: Hi! I'm looking for, ummm, Robert Slade?
RMS: Speaking.
DFP: Oh, good. My name's _____ ____ and I'm with the Detroit Free Press. I've got a copy of your book, and I thought we could do a story on this computer virus situation.
RMS: Uh huh.
DFP: I read most of it, and I liked it, but I've got a few ... sa-a-a-y. Isn't Vancouver on the *West* Coast?
RMS: Usually.
DFP: Oh, gee, I'm really sorry. See, we're three hours ahead, and ... gee, should I call back later?
RMS: No, that's OK, I had to get up and answer the phone anyway.
DFP (puzzled): Oh, really? Why's that?
RMS: It was ringing.

I love reporters. They always get the straight lines right.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0