The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 3 Issue 12

Tuesday, 24 June 1986


o License Plate Risks
Chuck Price
o SDI is for ICBMs, Not Terrorists
Mark Day
o Still another kind of clock problem
Rodney Hoffman
o Estimating Unreported Incidents
Ken Laws
o Estimating Unreported Incidents — and the risks of using statistics
o Re: Privacy legislation (RISKS-3.8) and radio eavesdropping
Jerry Mungle
Jeff Mogul
Jim Aspnes
o Info on RISKS (comp.risks)

License Plate Risks

Chuck Price <price@src.DEC.COM>
Mon, 23 Jun 86 09:56:05 pdt
I heard the following tale on KCBS this morning.  [I intersperse a few
details from the SF Chron, 23 Jun 86.  PGN]

It seems that this fellow [Robert Barbour] desired personalized license
plates for his car.  Since he loved sailing, he applied for ``SAILING'' and
``BOATING'' as his first two choices [seven years ago]. He couldn't think of
a third name of NAUTICAL intent, so he wrote ``NO PLATE'' in as his third

You guessed it. He got ``NO PLATE''.

A week or so later, he received his first parking ticket in the mail.  This
was followed by more and more tickets, from all over the state [2500 in
all!].  It seems that when a police officer writes a parking ticket for a
car with no license plates, he writes ``NO PLATE'' on the ticket.

Our friend took his problem to the DMV, which informed him that he should
change his plates.

The DMV also changed their procedures. They now instruct officers to write
the word ``NONE'' on the unplated parking tickets.

Wonder who's gonna get those tickets now?

-chuck price

     [Obviously some poor sap whose license plate says ``NONE''!]

SDI is for ICBMs, Not Terrorists

Mark Day
Mon 23 Jun 86 12:04:46-EDT
Bob Estell states that   "SDI does not equate to ICBM defense."

This is simply not true.  Even in Reagan's first speech about rendering
nuclear weapons "impotent and obsolete" (Mar 23, 1983), he went on to
say that he was
    "directing a long-term research and development program to begin to
     achieve our ultimate goal of eliminating the threat posed by 
     STRATEGIC NUCLEAR MISSILES."  [Emphasis added]

From its inception, SDI has been intended to defend against and deter a
massive attack by ICBMs.  As others have previously pointed out in RISKS,
terrorists don't need to deal with ICBMs and would be foolish to try.  
At the Stanford debate on SDI feasibility, Maj. Pete Worden (special asst.
to the Director of SDIO) answered a question about terrorists and smuggling
bombs into the country by saying "We are trying to deter something that
is reasonably military, not a terrorist act."

SDI is intended as a defense against Soviet ICBMs and (on particularly 
optimistic days at SDIO) Soviet cruise missiles.  It is not intended to 
save the United States population from every nuclear threat.


Still another kind of clock problem

Rodney Hoffman
23 Jun 86 10:00:39 PDT (Monday)
You might be amused by the anomalous dates [in an earlier message from
Rodney to me, not included].  Our power was off all weekend for some work.
When I came in this morning, no computer servers were working yet --
including the time servers.  So I set the date and time on my machine
myself, including stuff like "Hours offset from Greenwich Mean Time" and
"First day of Daylight Savings Time"! (Luckily they have proper default
values.)  I then interrupted (instead of booted) into another volume.
Because of that, this volume's clock tried unsuccessfully to locate a time
server and, by default, resumed ticking from when I left Friday evening! And
once it begins ticking, it apparently never checks again for a time server.

When I typed in my RISKS contribution and sent it, it had that Friday
timestamp, though it was Monday and I was (correctly) citing a Sunday
news article.


Estimating Unreported Incidents

Ken Laws <Laws@SRI-AI.ARPA>
Fri 20 Jun 86 16:21:04-PDT
  [In RISKS-3.8, I noted how rarely I get two reports of the same incident,
   and wondered how many do not get reported at all.  PGN]

There is actually a statistical technique (based on the Poisson distribution, 
I'm sure) for estimating the number of unreported items from the frequencies
of multiply reported ones.  It was developed for estimating true numbers of
Malaysian butterfly species from collected ones, and has recently been used
to validate a newly discovered Shakespeare poem from the percentages of
words that were used 0, 1, ... times in the accepted Shakespearean literature.
                    — Ken Laws

Estimating Unreported Incidents — and risks of using statistics

Peter G. Neumann <Neumann@SRI-CSL.ARPA>
Tue 24 Jun 86 01:09:31-PDT
Ah, Ken's message brings us to the risks of computer authentication! The
poem in question really did not read like authentic "Shakespeare" to me; it
seemed vastly too pedestrian, childish, and uncharacteristically repetitive.
But then, don't get us started on who actually wrote the works attributed to
William Shakespeare.  That might be a little risky for this Forum.
(However, for some fascinating background, see Charlton Ogburn's book "The
Mysterious William Shakespeare — the Myth & the Reality", pursuing the case
that the man known as "William Shakspere" was functionally illiterate, with
almost no documents bearing his signature or handwriting and no known
contemporary literary activity, and that he could not possibly have written
the works attributed to "Shakespeare".)  (By the way, I don't think it was
Marlowe, Bacon, or — as Ogburn contends — Edward de Vere 

Re: Privacy legislation (RISKS-3.8) and radio eavesdropping

Jerry Mungle
16 Jun 1986 06:09:22 PDT
Re: Michael Wagner's query about privacy of radio telephone...

    [Here are THREE more messages on this subject.  Each adds a little more 
     to what Dan Franklin contributed in RISKS-3.10.  This time I did not
     have the patience to edit each one down to its nub, so please read them
     accordingly...  PGN]

    For quite a while telephone traffic has been carried by satellite
links.  It is quite easy to receive such transmissions using nothing
more sophisticated than a backyard dish antenna, and the demultiplexing
needed to recover a conversation is doable by undergraduate EEs.  I believe
it is quite illegal to "intercept" phone conversations (or data transmissions
via phone lines) in this fashion.  However, it is *very* difficult to detect
such activities.

    I do not believe it should be illegal to monitor ANY radio communication,
as the airways are public property.  But there seems to me to be precedent
for laws regulating reception of radio transmissions (beware, I am not a 

    The risk to computer systems lies in the ease with which data transmitted
over phone lines may be intercepted.  This relative ease is offset to some
degree by the difficulty of finding the particular phone link one wishes
to monitor.  But, given a reasonable level of support, it should be possible
to eavesdrop on conversations/data transmission which one desires to hear.
Sales figures, marketing info, experimental data.... lots of valuable data
go unencrypted over the phones every day.

Re: Privacy legislation (RISKS-3.8) and radio eavesdropping

Jeff Mogul
17 Jun 1986 1128-PDT (Tuesday)
In RISKS-3.8, ubc-vision!utcs!wagner@seismo.CSS.GOV (Michael Wagner) asks:
    Does anyone have any idea how the last part (radio telephones) could be
    legally supported in view of other legal freedoms?  I thought that one
    was free to listen to any frequency one wished in the US (Canada too).
    You don't have to trespass to receive radio signals.

It's been a decade or so since I was familiar with current US communications
law (as a licensed Amateur Radio operator, I had to pass several exams
covering this sort of thing), but I recall that although there is no
prohibition against receiving radio signals, there is a prohibition against
divulging what you receive to any other party.  Of course, this doesn't
apply to all radio services (it's not against the law to reveal baseball
scores you heard on an AM broadcast station) and I doubt it's often enforced.

Compare this to what a computer system manager might face when unraveling a
mail snafu.  I might not be able to avoid seeing the text of an unencrypted
message (as I watch packets moving between hosts) but it would certainly be
unethical for me to reveal what I saw, or indeed to make any use of it.
Ideally, the technology would be such that I could not accidentally see the
contents of a message while performing a management function, but in today's
world I think the only enforceable prohibition is against divulging or using
electronic mail, not against seeing it.  (Of course, seeing by means of
unauthorized access is also prohibitable.)

-Jeff Mogul

Re: Privacy Legislation (RISKS-3.10)

Jim Aspnes <asp@ATHENA.MIT.EDU>
Mon, 23 Jun 86 11:39:45 EDT
    Date: Tue, 17 Jun 1986  00:32 EDT
    To:   ubc-vision!utcs!wagner@SEISMO.CSS.GOV (Michael Wagner)
    Subject: Privacy legislation (RISKS-3.6)

       [On the same topic...]

    Not true.  States routinely ban the use of radar detectors, and that
    is nothing more than "listening to a frequency."  

Most states do not actually ban the use of radar detectors, but rather
the operation of a motor vehicle containing one; as I understand it,
if you want to sit at home and detect your burglar alarm, you are
entirely within the law.  There is no constitutional or federal
restriction on how states can regulate your driving.
