The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 30

Monday 28 August 1995

Contents

o Re: Australia's proposed crypto policy
Ross Anderson
o Risks of automatic newspaper publishing
Jeremy J Epstein
o Database for Deadbeat Dads
Simson L. Garfinkel
o Two-Way HOV Lane
Chuck Weinstock
o To Bus or Not to Bus
John Deas
o Phone-mail woes
Bob Frankston
o Re: The traffic light does NOT think
Rich Lethin
o Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

Re: Australia's proposed crypto policy (Denning/Orlowski, RISKS-17.29)

<Ross.Anderson@cl.cam.ac.uk>
Sat, 26 Aug 1995 12:02:07 +0100

> Ross Anderson posted a message on the net recently stating that Australia
> was proposing an encryption policy that would force residents to use weak
> cryptography while banks would get key escrow.

Dorothy Denning goes on to say that I misinterpreted Mr Orlowski; that he `is not proposing that individuals be forced to use weak encryption'. Well, Orlowski is now wriggling like a lawyer, but I was there at the conference, and on the panel with him afterwards. His paper states that

`the needs of the majority of users of the infrastructure for privacy and smaller financial transactions can be met by lower level encryption'
and
`Given that a large proportion of the population would not be using the higher level encryption products, application of key escrow for such products is less likely to create the type of adverse reaction seen to date. Government agencies and large financial institutions are more likely to accept the need for key escrow in the type of products which they use'
and
`As mentioned earlier, I see encryption being utilised on two levels, a general level being used by the majority of users and a more sophisticated level with much more limited use. Intercepted messages under the first level may be able to be decrypted by the various interception authorities.

`The second level would probably, however, require more sophisticated techniques in circumstances where the key cannot, for whatever reason, be recovered from escrow. This may be achieved by the establishment of a central decrypting unit which would receive, decrypt and transmit back messages'

He stated at this point, in a verbal aside, that the AG's department considered itself the proper repository for this `central decrypting unit'. As I summarised it in my original post to risks:

> 40 bit keys for the masses, 56-bit escrowed keys for the banks, and a
> Wiener machine sitting in Orlowski's office. Belt, braces and string.

Orlowski does phrase his comments as advocacy rather than prescription, and he does have a disclaimer saying that these are his personal views, not those of the Australian government.

But it emerged in the subsequent discussions that the paper did not really represent his personal views at all. Not only was he unable to defend them with any vigour during the panel, but he admitted that he had been told to float the policy by his boss, who didn't want to appear himself out of fear of the sort of fuss which greeted the Clipper chip in the USA, and the last attempt to introduce ID cards in Australia. With a general election due, the Keating government is vulnerable, and this clearly limits their spooks' freedom of action.

Risks readers might like to know that the usual suspects - John Rogers from the Australian Defence Signals Directorate and Mark King from GCHQ - were prominent in the audience. King arrived on the same plane as me; he flew business class and went off to a posh downtown hotel. I doubt that GCHQ paid for all that out of idle curiosity.

Orlowski's article also states

"Debate on these issues should be limited to the appropriate parties rather than widely promulgated on the network."

Curiously, I was not able to post to usenet while I was in Australia -- nobody at Queensland University of Technology was, and their sysprogs couldn't find the fault. (Is this a RISK of playing host to someone involved in the crypto policy debate?) Anyway, once I got back to the UK, I brought Orlowski's proposals to public attention - and this has led to precisely the fuss which Canberra was clearly trying to avoid.

Finally, Orlowski did not even get the URL of his paper right in the letter which Dorothy posted to this group. It is actually to be found at

http://commerce.anu.edu.au/comm/staff/RogerC/Info_Infrastructure/Orlowski.html

Ross

Risks of automatic newspaper publishing

JEREMY J EPSTEIN <JEPSTEIN@smtpgate.cordant.com>
Mon, 28 Aug 1995 09:44:28 -0500

I'm not sure I've got all the details right, but...

National Public Radio's "All Things Considered" reported on Friday August 25 that the "Aspen Daily News" (Aspen CO) had published an article reporting that a large number of men aged 13-78 had been hospitalized from "sexual exhaustion" after some woman took advantage of them. The story, which was supposed to be a joke, made it into the newspaper (or so it sounds) because a writer, who had made up the fake story for internal distribution, accidentally put the article in the directory where stories to be in the next edition belong. The automatic page-layout software picked it up from there. It sounds like the galleys were never examined by a human (or if so, they did a sloppy job). Reaction by the newspaper readers has been mixed...some have been amused, while others thought it was "pornography".

According to the editor-in-chief of the newspaper, who was interviewed on the program, there were four safeguards (not specifically named) that all failed to allow the piece into the paper. As a result of the incident, they've added a fifth safeguard: only editors can place articles in the to-be-printed directory. It's not clear whether that's a procedural or computer-enforced restriction.

The risk is that as newspaper production becomes more and more automated, there's less need for people to do reviews, and hence a greater risk of an error like this happening.

In the meantime, the author of the particular piece is still working at the newspaper. The editor-in-chief did not disclose what punishment, if any, there would be.

Jeremy Epstein, Cordant Inc., jepstein@cordant.com
[OK. So now we need laws governing safe editing and computer layouts. In the olden days, galley slaves rowed or cooked. Now they are going to have to READ COPY in sweatshop backrooms. Remember Henry Miller got his start as a proofreader, and look what it did for him! PGN]

Database for Deadbeat Dads

Simson L. Garfinkel <simsong@vineyard.net>
Mon, 28 Aug 1995 08:12:52 -0400

SOCIAL INSECURITY PLAN TO MAKE IT EASIER TO TRACK DOWN 'DEADBEAT DADS' WORRIES PRIVACY ADVOCATES
Simson Garfinkel, Special to the Mercury News
San Jose Mercury News, 17 July 1995, Business Monday, Page 1F
Copyright 1995, Simson Garfinkel

ELEVEN years late, the 1984 as envisioned by George Orwell finally may arrive. Welfare reform legislation moving through Congress could dramatically increase the use of Social Security numbers by state governments as a way to track people from cradle to grave. The proposal, which would create or expand a series of national data banks, is designed to track people who don't want to be found.
With support among both Democrats and Republicans, the proposal is striking fear among the guardians of privacy, who believe the legislation would increase the government's surveillance of the American public. ''What we are facing is the single greatest step toward big brother government since Watergate,'' said Donald L. Haines, a legislative counsel with the American Civil Liberties Union in Washington.
Nevertheless, the proposal has received relatively little attention because the expanded use of Social Security numbers is one of the few areas of agreement between the Republican-controlled Congress and the Clinton administration.
Welfare reform was one of President Clinton's campaign promises, and it also was one of the 10 tenets of the Republican Party's ''Contract with America.''
Called the ''Personal Responsibility Act,'' the U.S. House of Representatives passed its version of the bill March 24. The Senate version, retitled the ''Family Self-Sufficiency Act of 1995,'' passed a committee vote June 9. Although the committee, chaired by Sen. Bob Packwood, R-Ore., made substantial changes to the House bill, the sections dealing with the expanded use of Social Security numbers remained essentially intact. At the heart of the legislation is the desire to do something about so-called ''deadbeat dads'' - and moms - who refuse to pay court-ordered child support payments. Both Congress and the Clinton administration believe that a large amount of the money spent on the government's Aid to Families with Dependent Children program could be saved if more single parents obtained child support orders, and if those orders were better enforced.
''People normally say that there is a $34 billion gap'' between the $14 billion that is annually paid in child support and the $48 billion that theoretically could be collected, says Jane Checkan of the Health and Human Service's Administration on Children and Families in Washington. Checkan's figures are for the year 1993, the last year available. In an attempt to close this gap, the welfare reform legislation mandates increased surveillance of all American citizens. By tracking Americans when they change jobs or receive state driver's or professional licenses, the legislation's backers hope to give deadbeat dads nowhere to hide.
The legislation also calls for mandatory reporting of Social Security numbers by people getting marriage licenses or divorced, and in paternity proceedings. These reports are designed to make it easier for single parents to obtain support orders, and to make it easier for state welfare agencies to figure out the identity of a spouse when a single parent applies for benefits.
''Ten million women are potentially eligible to child support for their kids,'' Checkan said. But many people do not take advantage of their legal rights. ''Forty-two percent do not have an award in place.'' Welfare reform pushed
Checkan said that it is estimated that as much as 8 percent of the government's Aid to Families with Dependent Children payments could be eliminated if child support orders were obtained and enforced. ''That's why, in the Clinton proposal, that child support is such a major part of welfare reform,'' she said.
Currently, many government agencies maintain databases that are indexed by Social Security numbers. Nevertheless, the databases are of limited use for welfare enforcement. Some of the databases are restricted by statute so that their information may not be used for purposes other than that which they were collected. A move to unify standards
Others are not cross-indexed with databases of current address, employment and child support orders. Still other databases cannot easily be searched against, because the information is not in a uniform format. One of the intents of the legislation, sponsors say, is to bring order to this computational chaos by mandating standard data representation and indexing strategies. Basing the databanks on Social Security numbers is key to its success, said Bill Walsh, chief of California's Child Support Management Bureau, part of the Department of Social Services.
''I'll tell you, the Social Security number is probably the most important piece of data that there is in trying to locate parents that we can't find in order to establish child-support orders, or in cases where we have already established an order, to get payment on those orders,'' he said.
A national database also could make it easier to track down the 30 percent of dads who live outside the state, said Walsh. Although such a database currently exists, the proposed legislation would greatly expand its reach, by creating a virtual dragnet that could not be escaped. Civil libertarians worry
Walsh said his department is in favor of creation and expansion of the national databanks, because they ''allow us to have access to more and better data in order to locate parents who owe child support.'' Nevertheless, a growing number of civil libertarians are questioning the creation of large-scale national databanks, and the expanded use of Social Security numbers, for tracking down deadbeat dads.
''It's a databank that could be used to allow people to track people down for purposes having nothing to do with (child support),'' said Haines of the ACLU.
Haines is especially worried that the system could be used to find victims of domestic violence who are attempting to hide from their assailants.
''An unfortunate truth is that in our justice system today, for many victims of domestic violence, their only hope for relief is to escape into some level of anonymity,'' he said. ''Protective orders don't work or aren't enforced.''
Although the legislation would prohibit the unauthorized use of the system, Haines characterized such use as ''inevitable.'' As an example, he noted how some abusive men find runaway spouses using surreptitious means, such as privileged data reserved for law enforcement. Potential for fraud Other privacy advocates are concerned that the databanks could be used as the basis for financial fraud.
''I think that there is a real danger using (information) provided for one purpose for another purpose,'' said Claudia Terraza, an attorney with the Privacy Rights Clearinghouse at the University of San Diego. ''I see a real problem with people getting access to your Social Security number and from there, being able to find out your credit report, or for finding out other information that they could use for fraudulent purposes.''
Privacy advocates are most upset about the expansion of the Federal Parent Locator Service. As written, the legislation would create a national database of virtually all U.S. citizens - parents or not - with the stated purpose of tracking them so that any individual's most recent address and employer can be easily determined at any time. The legislation also would help enforce court- ordered parental visitation rights.
Staff members working on both the House and Senate versions of the legislation said that lawmakers were aware of the privacy issues, and had tried to put ''privacy protection'' measures into the legislation without compromising the central goal of creating a national location registry. ''We had a long discussion about (privacy issues) - and the (lawmakers) were the main people doing the talking,'' said a staffer. ''There were some members who were real sensitive, and they were absolutely adamant that (the Social Security number) could not be required to be on the license itself.''
Nevertheless, the legislation does require states to ask drivers for their Social Security numbers when they are issued driver's licenses or professional licenses, and for those numbers to be reported to the central registry.
''What all of that means is that we will have a de facto national ID system in this country, which is going to be this database, and with a de facto national ID card, which will be your Social Security card/driver's license, all without a debate on whether or not Americans deserve to be subjected to a Soviet- or Nazi-style national ID system,'' Haines said.


Effort failed in '60s
This is not the first time that the federal government has proposed creating a national databank. A proposal in the late 1960s called for the creation of a national data center that would ''pull together the scattered statistics in government files on citizens and to provide instant, total recall of significant education, health, citizenship, employment records and in some cases personal habits of individuals,'' reported an article in the Feb. 25, 1968 issue of The New York Times.
At the time, the proposal was opposed by privacy advocates like Columbia University Professor Alan F. Westin and University of Michigan Law School Professor Arthur R. Miller. Information centers ''may become the heart of the surveillance system that will turn society into a transparent world in which our home, our finances, our associates, our mental and physical conditions are bared to the most casual observer,'' Miller told the Times.
The national data center was never built, and today the controversy has been largely forgotten. Nevertheless, says Marc Rotenberg, director of the Electronic Privacy Information Center, one of the important issues raised at the time was the danger of entrusting a single federal agency with so many different files.
''These proposals invariably reach further than originally intended,'' said Rotenberg. ''If the Social Security number is used today to catch welfare cheats, it can be used tomorrow to identify political dissidents. ''It is of course ironic that such a proposal would go through the Congress at the very same time that the Republican majority is urging greater relaxation of government regulation.''

- - - - - - - - - - - - - - - - - - - - - - - -

INFOBOX: THEY'VE GOT YOUR NUMBER

Legislation currently before the Senate would mandate the creation or expansion of three national databanks. Each databank would be indexed by Social Security number. Together, they would track every American.

(box) Federal Parent Locator Service: Would contain a record of every driver's license and professional license issued in individual states.

(box) Federal Case Registry of Child Support Orders: Besides tracking every child support order issued by the states, this database also would contain records of every marriage, every divorce and every paternity determination case in the United States.

(box) State Directory of New Hires: This federal database would be updated every time an American started working for a new employer. It would contain the employee's name, address, job description, and the name of their employer.


Two-Way HOV Lane

Chuck Weinstock <weinstoc@SEI.CMU.EDU>
Mon, 28 Aug 95 15:17:04 EDT

The (relatively) new Parkway North in Pittsburgh (I279) has the only High Occupancy Vehicle lane in the state. It is a reversible two lane road that runs down the middle of the Interstate for about 5 miles. It is open into the city for the morning rush, and out from the city for the evening rush.

On Friday, early afternoon, while the lanes were still opened Southbound, an apparently lost carload of people entered heading North. The resulting head-on collision between the car and a pickup truck killed several people.

I would have thought that making such a lane reasonably failsafe not be too difficult. Manual barriers at each end. Close the whole thing at changeover. Verify visually by driving a highway truck down it that the lanes are empty. Then manually open up the barriers for the correct direction. Interlocks as appropriate.

It turns out that because of real estate (the lack thereof) several of the ramps on the downtown side are dual use. During the morning rush they are exit ramps. During the afternoon rush they are entry ramps. There wasn't enough physical space to put in separate entry and exit ramps. Hence, no barriers. Instead, they rely on flashing lights and Do Not Enter and Wrong Way signs which get pointed aside or turned off when they are not needed. Short of putting in tire shredders for wrong way travel, I cannot think of a way to make this kind of arrangement safe against your typical non-observant driver.

Chuck Weinstock

To Bus or Not to Bus

John Deas <agc7602@dcmds11.dcmds.dla.mil>
Mon, 28 Aug 95 12:37:35 -0400

Pinellas is Florida's most densely populated county. Approximately 42,000 students are transported daily by 510 buses. This school year, which started August 21, has been an example of what happens when poor planning is exacerbated by ineffectively used automated routing and scheduling software.

The *St. Petersburg Times* reported on August 24 that buses are showing up late - sometimes by two or more hours. Some come early and don't wait for students. Some bus rides are lasting more than an hour, which is against state law. Some buses are overcrowded, with children sitting on the floor. Wednesday, one bus came three hours late, and another required 45 minutes for a 14-block trip. Parents and school board officials are having difficulty contacting transportation department officials, who are blaming the problems on a computer program the district installed within the past year.

The Edulog system is set up with maps of the county and house addresses; data entered by the district includes names, addresses and schools, as well as speed limits on various streets. The computer is supposed to provide the most efficient routes, which resulted in many stops being moved or deleted.

Apparently, officials didn't use "speed made good" common sense and assumed that the speed limits were the actual average speed without regard for traffic or stops. Some parents did not register their children for school on time. Planning will start earlier next year, according to the transportation head, and new transportation coordinators will be hired. Similar (but less severe) problems were experienced last year.

Maybe they should let the students (and parents) use the program; they probably understand the risks a lot better.

John Deas DCMAO Clearwater jdeas@dcmds.dla.mil

Phone-mail woes

<Bob_Frankston@frankston.com>
Sat, 26 Aug 1995 17:14 -0400

In anticipating traveling internationally, I decided to get CO-based phone mail since I thought it would be more reliable to connect to than my analog answering machine. Because I've got two lines, I decided that I'd put the service on the second line and then forward the first to the second when I need to. I tried testing the forwarding and found that when I called the first number, instead of just giving me voice mail, it asked me to key in a number, presumably the number I was calling -- the first number. So I obliged, and got a message from someone saying he was in Central America and couldn't answer the calls.

In speaking to the service people about this, the basic response is that this is a problem with the DMS-100 (Northern Telecom) switch and not necessarily the ATT ESS switches. This is the same DMS that, on my ISDN line, requires two numbers for a 2B call whereas the ESS needs only one.

I don't know what profound lessons there are to learn except that I'm amazed out the presence of such a gross bug in an expensive production CO. It would never be tolerated in a $29.99 software package. This is a feature interaction but unlike the problems with ad-hoc interaction between separately produced features, this should be testable. Note, though, that voice mail is often provided by a third party, such as Octel, and the bug could be due to version interactions between to disparate systems.


Re: The traffic light does NOT think (Carr, RISKS-17.29)

Rich Lethin <lethin@ai.mit.edu>
Fri, 25 Aug 95 15:21:15 EDT

Isn't the main purpose of the intelligent highway traffic system from the perspective of the system as a whole: throttling and rerouting the incoming traffic to a section/region of road to preserve the linear queuing behavior and get good throughput. On urban grids, the stop lights serve this function: attempting to prevent gridlock and deadlock. On high speed roadways there are no stoplights, and the range of speeds available is greater, so the periodic signs have greater control latitude.

So the signs aren't saying "slow down because the cars ahead of you are going slower" but rather something like "slow down because this can prevent congestion and stop and go traffic ahead that will make the throughput of the entire system plummet".

Please report problems with the web pages to the maintainer

Top