The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 4 Issue 8

Sunday, 9 November 1986


o Brazilian laws require proof of voting. People NEED those cards.
Scot E. Wilcoxon
o Grassroots sneak attack on NSA
Herb Lin
Matthew P Wiener
o Ethernet Security Risks
Phil Ngai
o Perfection
Herb Lin
o Information replacing knowledge
Daniel G. Rabe
o Word Processors / The Future of English
Stephen Page
o Copyrights; passwords; medical information
Matthew P Wiener
o Info on RISKS (comp.risks)

Re: Computer causes chaos in Brazilian Election

Sun, 9 Nov 86 01:14:36 EST
This situation involving computers is severe due to Brazil's laws, with
which most of the RISKS readers are undoubtedly not familiar.

The "frayed tempers" due to not getting the "essential voting card" in
Brazil are not simply because everyone likes to vote.  Everyone MUST vote in
Brazil.  Proof of recent voting is one of the required legal documents for
several situations, including simply getting a job.  Those missing voting
registration cards are the prerequisite to being able to vote and be a
law-abiding citizen qualified to live a normal life.  (My wife is from
Brazil and had to carry those documents.)

>  Programmers overlooked that twins are born on the same day to the same
>  parents. Consequently, the voting rights of an estimated 70,000 twins
>  were cancelled. The Federal Electoral Tribunal in Brasilia is currently
>  wading through 140,000 appeals, including the case of a certain Jose
>  Francisco, who says all his 14 brothers were baptised with identical
>  names.

All this is familiar to analysts and programmers.  The voting documents
were formerly handled by humans who modified the processing procedure
as required by common sense and local situations ("Yeah, I know Jose
Francisco.  All 14 were here last year, I still have to see 6 of them this
year.")  The written procedures are undoubtedly what guided the programmers.
If the implementation schedule was the same for the whole country, it is
little wonder that many exceptions were found at the same time.

Scot E. Wilcoxon    Minn Ed Comp Corp  {quest,dayton,meccts}!mecc!sewilco

Grassroots sneak attack on NSA

Sat, 8 Nov 1986 09:42 EST
    From: weemba at (Matthew P Wiener)

    Several people have started inserting cute words like
    "crypt" or "terror" or "CIA" in their signatures in an attempt to over-
    load NSA's automatic grep for cute words in overseas traffic.  Consider-
    ing the minuteness of the added load, and the likelihood that NSA already
    filters out obvious traffic like the net...

That would be inconsistent with the oft-repeated claims that NSA
monitors ALL overseas telephone calls.  I have been told (someone pls
confirm or deny?) that voice recognition technology is good enough
that given Crays on an NSA budget, such a feat is possible when you
are looking for certain key words, and that recognition can be done on
a very limited vocabulary independent of speaker.


Re: Grassroots sneak attack on NSA

Matthew P Wiener <>
Sat, 8 Nov 86 14:33:51 PST
   >    Considering ... the likelihood that NSA already
   >    filters out obvious traffic like the net...     [MPW]
   >That would be inconsistent with the oft-repeated claims that NSA
   >monitors ALL overseas telephone calls.              [HL]

Of course they intercept the net, but if you were snooping around through
all overseas telephone calls, you too would set some priorities.

   >[voice recognition rumor]

Well if that's how they do it, I *hope* they know enough to filter the net!

ucbvax!brahms!weemba    Matthew P Wiener/UCB Math Dept/Berkeley CA 94720

Ethernet Security Risks

Phil Ngai <lll-crg!amdcad!phil@seismo.CSS.GOV>
Sat, 8 Nov 86 12:49:41 pst
Security on an Ethernet is a very tricky business. If you use the Berkeley
rhosts scheme, it is easy to spoof someone else's ip address, although there
is some code in Berkeley Unix that detects when someone is impersonating
you, the message only comes out on the system console. And if the bad guy
makes your machine crash while you are away, no one will be the wiser.

If you ban rhosts and only allow ftp and telnet, you are vulnerable
to people grabbing packets off the Ethernet and getting your password.

Which is worse? Would you rather freeze to death or burn to death?
I don't know if it matters. I think that if security matters, it
would be best not to let machines you don't trust on your Ethernet.

Sun proposed an interesting scheme at the last Usenix. Two machines that
wanted to communicate would use an encrypted timestamp on each packet as
authentication. This assumes, of course, that the two machines have
synchronized their clocks and that they have a common key no one else knows.
(their scheme included a key distribution method which I will not discuss
here) There is also a performance penalty. They did some back of the
envelope calculations showing it would be acceptable in many cases.

Is it unreasonable to put machines you don't trust on another Ethernet, 
with a router between your group and them?
                                            Phil Ngai


Tue, 28 Oct 1986 10:48 EST
   From: Douglas Humphrey 

Information replacing knowledge

Sat, 8 Nov 86 14:20 CST
In RISKS 4.4, Martin Minow makes the point that computerization makes
it easier to substitute quantity for quality in our writing.  I would
go one step farther and say that the easy access to information made
possible by computer systems has also degraded our ability (or at least
our desire) to gain and retain knowledge.

The following is excerpted from an essay entitled "Look it up!
Check it out!" by Jacques Barzun in the Autumn 1986 *American Scholar.*

  ``... the age of ready reference is one in which knowledge inevitably
  declines into information.  The master of so much packaged stuff needs to
  grasp context or meaning much less than his forebears:  he can always look
  it up.  His live memory is otherwise engaged anyway, full of the arbitrary
  names, initials, and code numbers essential to carrying on daily life.  He
  can be vague about the rest: he can always check it out.

  ``... But what we are experiencing is not the knowledge explosion so often 
  boasted of; it is a torrent of information, made possible by first reducing
  the known to compact form and then bulking it up again -- adding water.
  That is why the product so often tastes like dried soup.''

As computer scientists, I think we find it all too easy to divide
and compartmentalize information as we see fit.  As I see it, one
of the greatest risks of widespread computing is that we'll all stop
learning.  We've got spelling checkers, so why bother learning to
spell?  We've got calculators and home computers, so why bother learning
any math?  We've got electronic mail and conferencing, so why bother
to learn or practice the art of public speaking?  Are we reaching the
point where being an expert simply means having a large computer
database, as opposed to years of learning and knowledge?  I don't
think we're there yet, but I fear that our society's heavy emphasis on
"information" and computing might be leading us there.

Daniel G. Rabe
Northwestern University

Word Processors / The Future of English

Stephen Page <munnari!uqcspe.oz!sdpage@seismo.CSS.GOV>
Sunday, 9 Nov 1986 14:07-EST
The interesting article by Anthony Burgess reproduced in RISKS-4.4 reminded
me that when the first lap-top computers were introduced a few years ago,
some professional writers noticed that their sentences were becoming shorter
and their paragraphs chunkier, as they relied on a 40-column, 8-line display
(e.g.)  when composing texts.  Has this really been cured by newer
technology?  Or is our familiar 80x25 model just as likely to have an
adverse impact on writing style?

Copyrights; passwords; medical information

Matthew P Wiener <>
Sat, 8 Nov 86 01:16:22 PST
>  "How Fred lets the fraudsters in" (c) Newspaper Publishing PLC
Considering the frequency with which we see this half-circled c used as an
ASCII replacement for the genuine circled c, it is obvious that a lot of
people have let their primitive keyboards delude them into a non-copyright.
("Copyright", spelled out, takes longer than "(c)", but it has legal standing.)

>  Passwords are particularly vulnerable when they remain unchanged for a long
>  time.  The chairman of one major company the auditors investigated had kept
>  the same password for five years. It was "chairman".

This reminds me of the WWII story in Feynman's book about the hot-shot
military big boss with his fancy-dancy super-safe: the combination was never
changed from the factory original.  "The more things change, the more they
stay the same."

>Now, I am being accused of taking confidential information out of the
>hospital in the form of patient records and doctors names! All I had on the
>computer were my notes. The paranoid medical staff is afraid that having
>this information in my "COMPUTER" is dangerous, [...]
>Pretty amazing paranoia, huh? Do people really still fear computers this way?

In this situation, it strikes me as typical computer ignorance.  But in
general, the use of a computer as opposed to a legal pad leads to more
security problems.  Handwritten notes are both unmistakeable as such and are
naturally limited in content.  (I assume this is old hat to RISKers.)

ucbvax!brahms!weemba    Matthew P Wiener/UCB Math Dept/Berkeley CA 94720

Please report problems with the web pages to the maintainer