Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Buried near the bottom of the daily report of Credit Markets on page
29 of the Friday, October 1, Wall Street Journal is the following
intriguing paragraph:
"The rate on federal funds, or reserves that banks lend each other
overnight, averaged 7.6%, down from 8.38%, according to Fulton
Prebond (U.S.A.) Inc. At one point Wednesday, the rate was as high
as 30% because of a computer problem, the Fed said."
That one somehow sounds a little scarier than usual. Does anyone have
any facts?
Jerry
A short blurb in today's paper reports that the Pac Bell computers logged
over 300,000 phone calls in the six minutes after the earthquake. The
system appears to have degraded gracefully under the excessive load - the
only problems reported were delays in getting a dial tone.
Alan Wexelblat UUCP: {harvard, gatech, pyramid, &c.}!sally!im4u!milano!wex
[As always, it is nice to see success stories. On the other hand,
the call volume that resulted was enormous all day — and various LA
exchanges were down completely for quite some time. By late evening it
was still almost impossible to get some calls through to LA. PGN]
A recent message in the RISKS Forum raises an issue that I think needs
more careful discussion. The opinion expressed was similar to many I've
heard in the last few years, in its complaint that people regard the theft
and disruption of computer services more tolerantly than theft and vandalism
of "other forms of property."
I think such opinions are based on the mistaken belief that society and
the law regard the property holder's rights as absolute and final. I'm not
a lawyer or a serious student of social mores, but it's obvious to me that
both law and society recognize that a property holder has an obligation to
take reasonable measures to prevent tresspass, vandalism, and theft.
Society in general has little sympathy for people who are careless with
their property, as many system administrators have sometimes been. An
administrator who accidentally publishes all his user passwords (something
that I've actually seen happen!) is certainly like a person who absent
mindedly leaves his front door unlocked.
Providers of computer services are right to be frustrated with the
slugish way judges and legislators apply existing moral and legal concepts
to the new technology. But they should be aware that existing legal concepts
are not entirely on their side. Consider the laws of easment, for example.
They should also not pay excessive attention to the arguments of
defense attorneys, whose jobs obligate them to take a very narrow view of
these problems.
None of this excuses the Matt and Ally fans who think that fouling up a
Big Corporation's operations is just a fun prank. And it certainly doesn't
justify more serious forms of hooliganism and brigandage. But system
administrators should not feel that society is giving them a special bum deal.
In RISKS DIGEST 5.41, Richard.S.D'Ippolito@sei.cmu.edu writes:
" . . . the defense attorney's comments on motives make me wonder when, if
ever, the view of computer crimes will merge with society's view of other
property crimes: we have laws against breaking and entering...
I think we all agree with the fundamental premise, i.e. that information
is a form of property and is entitled to the same protection as any
other form of property. However, there is a difference between
information property and tangible property that complicates the issue
and may be responsible for much of the confusion in society's view and
the ambiguity in current law.
To extend the analogy, in real property ("real" as in "real estate") the
law makes a clear distinction between "fully private" property and
"places of public accommodation." (I may not have the legal terms
right, but you get the idea.) I'm allowed to walk at will through a
shopping mall, for example, even if I have no intention of buying
anything. I can come in out of the rain, use the rest rooms, sit on a
bench and warm up, and not be subject to prosecution for breaking and
entering. The "resources" that I use, bench space, warm air, rest
rooms, etc. are "saleable items" in the sense that the mall owner has to
pay for them, and recovers that cost in rent from merchants.
On the other hand I can't simply walk into your house at will. Not even
if you leave the door wide open. Furthermore, your house doesn't have
to have a sign saying "private property" on it. If I did that, I would
be subject to charges of trespassing, illegal entry, and burglary, or at
least attempted burglary. You wouldn't be required to show that you had
taken any special measures of protection, let alone had "perfect
security." It is assumed that everyone knows that a house is private
property and furthermore it is assumed that everyone is capable of
recognizing a house.
That's the point. Through long custom and usage, we have all come to be
aware of the distinction between private places and places of public
accommodation. The key phrase here is "long custom and usage." The
problem that we face with computer security is that society has not yet
had a chance to form a conceptual model of the distinction of what is or
is not a private information resource. The era of the widely accessible
computer is hardly ten years old.
Education is one part of the process. One of the functions of the
security measures that we computer operations people take must be in a
sense educational. People who literally don't know any better, because
they've never been taught, must be told, in one way or another, "Look
here, this is private. Keep out." Schools, government, etc., have a
responsibility, too, of course, but ultimately, computer professionals
have the greatest stake and must accept the fact that we must take the
lead. Some day, the view of computer crimes will indeed merge with
society's view of other property crimes, but we better face the fact
that it may not be soon.
Art Axelrod, Xerox Webster Research Center
The recent talk in this group about cross-correlating public
databases for questionable purposes reminds me of the method used to
catch insider trading on the NYSE.
Above "the floor" is a computer room that constantly monitors the
movements of stocks. If a stock moves up or down more that a certain
percentage of its selling price in a given day, or if more shares
trade hands than normal, an alarm sounds. The analysts then
cross-correlate that stock with all available press releases, wire
service reports, and stock offerings to try to determine if there is a
valid reason for this movement. If no reason can be determined, the
incident gets investigated further. The buying and selling
stockholders get cross-correlated with the members of the board and
all employees of the company in question. They also cross-correlate
all known data about the parties in question: club memberships,
professional societies, civic organizations, to try to determine if
any contact was likely. If these joins come up positive, the case
gets investigated by old-fashioned "legwork." The above information
was related in an NPR story as the insider trading scandal was
breaking a while back.
I have long suspected that if "big brother" were to come into
being, it wouldn't be created by the government. The government is
far to big, slow, and open to public inspection. If "big brother" is
to be created, it will probably be done by private enterprise, as
above. But it's not just the "big-wigs" of the NYSE. It's you and me
being cross-correlated as below:
There are companies known as "list brokers." These companies buy
and sell names and addresses. Everyone notices that once you get on
one "junk mail" list, you soon get mail from a plethora of other
organizations. Your name has been brokered. All types of
organizations from credit-card companies to non-profit fund raisers
buy and sell lists. The price depends on the quality of the name,
from a cent or so for inactive names to upwards of a dollar a name for
high quality lists. The average is about 10 to 15 cents. How do the
most profitable companies make money? By cross-correlating. One of
the largest list brokers has taken the census information and run
cluster analysis on a wide range of socio-economic scales. The result
is a clustering of the nation into 17 groups. These have colorful
names like the "pickups and shotguns" cluster, and the "money and
brains" cluster. Now suppose a shotgun shell maker wants to drop a
direct-mail piece to new prospects. What kind of list should he buy?
The list broker pulls up the "pickups and shotguns" profile and
determines that a greater than average number of people in that
segment also own electric freezers, so they sell the shell maker a
list of names of people who returned warranty cards for freezers.
Viola! Everyone makes money: the freezer manufacturer who sold the
freezers, then sold the names to the broker, the broker who re-sold
the names at a mark-up (the value added being the cross- correlation
he ran) and the shell maker who stands to sell more shells than to an
unqualified list.
Add another wrinkle: the intelligent set-top cable converter.
This is an individually addressed converter used for "pay per view"
cable. You see a good movie will be on HBO tonight. You call your
cable company. They turn on HBO for you house tonight so you can
see RAMBO or whatever. Thus they collect information on you as to
who wants to see what movie. Another new feature is the "people-meter."
At 8:07 p.m. tonight, the central cable computer sends out a "poll"
message. The set-top captures what channel it's currently tuned to
and over the next 24 hours, all the little set-tops report back to
the home office. This can go into the database as well. It's only
a matter of time until this information is merged with the list-brokers
profile. Now we have a complete demographic profile of your household:
Area of town, cost of house, number of incomes, favorite TV shows,
most recent major purchases, etc., etc.
I claim if "big brother" is to be, it will come from the private
sector for marketing reasons, motivated by profit. There is legislation
in the works to prevent the cable companies from selling information.
But will the set-tops encrypt the data they send? If not, a simple
passive tap could generate reams of data. The potential for invasion
of privacy is large here, simply because of the scale of the mailing
list and cable systems. Also by the nature of the beast, the
correlations are done on a huge scale, hence only approximate in many
cases, so the potential for mismatches is large.
Brent Laminack
Detecting a TV inside a house is easy, and is a process that has been refined over the years to cope with such things as multiple occupancy and high-rise flats etc. I have also heard of people being sent letters about TV licences when they had no TV, but I don't think they were any more threatening than your average government letter. I would doubt very much that the search for licence evasion is as simplistic as has been suggested - the impression I get is that the letters sent by mistake tend to be caused by people with no TV moving into a new house where the previous occupant did have one. I would suspect that the address is a more important part of the check than the occupant, rather like some credit validation schemes, where information concerning previous occupants can blight you for up to 6 years - I got caught by this recently, and to add insult to injury, the information was not even correct! The previous occupant had been summonsed AFTER he had vacated out house, but for some reason was still listed as being at our address...however the companies involved sorted this out very fast and very politely. Lindsay
My parents (who do not have a TV) get a letter every year stating that
they do not hold a license and then giving a list of reasons as to why
this may be so (just bought the TV, forgotten it expired, etc). Nowhere
on this note does it suggest the possibility that they don't have a TV!
This letter can only be being generated by cross-matching some "list of
everyone" with a "TV license-holders list", as they have had the house
from new in 1961 and have never had a TV in that time. [I can't
remember when radio licenses were subsumed into TV licenses and waived
for the non-TV 1% of the population; I'm too young :-)]
ian
I don't know how easy it is to detect TV's from a distance (though I suspect anything using heterodyning is detectable from the emissions from the IF oscillator), but I recall a story about detecting satellite-TV thieves: The satellite TV company drove down a street with a RF signal analyzer and detected the emissions from rooftop dishes. Each house with a dish tuned to the (im)proper frequencies was sent a harsh letter describing the (fairly accurate, in this case) evidence against them. Apparently this was effective (partially it was a publicity-motivated crackdown, the satellite company wanting to show that they could catch "signal-stealers").
Last election in 1986 several cities in Holland used voting machines in
order to keep a count of the votes for the candidates of the various
parties.
It appeared that several voters were confused by the lay-out of the buttons
and inadvertently choose the wrong candidate by pushing the button at the
wrong side of the candidate's name. This was discovered in the little
village of Katwijk because suddenly a conspicuous great amount of people
voted for a very left-wing party (whereas in other years the vast majority
votes for the very right-wing "Gereformeerde Partij").
Eke van Batenburg, Instituut v.Theoretische Biologie, Groenhovenstraat 5
2321BT Leiden (tel.071-132298) Holland
[They could tell left from right among the
parties, but not among the buttons. PGN]
Call for Papers
DIRECTIONS AND IMPLICATIONS OF ADVANCED COMPUTING
DIAC-88 St. Paul, Minnesota August 21, 1988
The adoption of current computing technology, and of technologies that seem
likely to emerge in the near future, will have a significant impact on the
military, on financial affairs, on privacy and civil liberty, on the medical
and educational professions, and on commerce and business.
The aim of the symposium is to consider these influences in a social,
economic, and political context as well as a technical one. The directions
and implications of current computing technology, including artificial
intelligence and other areas, make attempts to separate science and policy
unrealistic. We therefore solicit papers that directly address the wide range
of ethical and moral questions that lie at the intersection of science and
policy.
Within this broad context, we request papers that address the following
suggested topics. The scope of the topics includes, but is not limited to,
the sub-topics listed.
RESEARCH DIRECTIONS DEFENSE APPLICATIONS
Ethical Issues in Computing Research AI and the Conduct of War
Sources and Effects of Research Funding Limits to the Automation of War
Responsible Software Development Automated Defense Systems
COMPUTING IN A DEMOCRATIC SOCIETY COMPUTERS IN THE PUBLIC INTEREST
Community Access Computing for the Handicapped
Computerized Voting Resource Modeling
Civil Liberties Arbitration and Conflict Resolution
Risks of the New Technology Software and the Professions
Computing and the Future of Work Software Safety
Submissions will be read by members of the program committee, with the
assistance of outside referees. The program committee includes Steve Berlin
(MIT), Jonathan Jacky (U. WA), Richard Ladner (U. WA), Bev Littlewood (City
U., London) Nancy Leveson (UCI), Peter Neumann (SRI), Luca Simoncini (U.Reggio
Calabria, Italy), Lucy Suchman (Xerox PARC), Terry Winograd (Stanford), and
Elaine Weyuker (NYU).
Complete papers, not exceeding 6000 words, should include an abstract, and a
heading indicating to which topic it relates. Reports on in-progress or
suggested directions for future work will be given equal consideration with
completed work. Submissions will be judged on clarity, insight, significance,
and originality. Papers (4 copies) are due by April 1, 1988. Notices of
acceptance or rejection will be mailed by June 1, 1988. Camera ready copy is
due by July 1, 1988. Send papers to Professor Nancy Leveson, ICS Department,
University of California, Irvine, Irvine, CA 92717.
Proceedings will be distributed at the symposium, and will be available during
the 1988 AAAI conference. The DIAC-87 proceedings are being published by
Ablex. Publishing the DIAC-88 proceedings is planned. The program committee
will select a set of submitted papers to be considered for publication in the
Communications of the ACM.
For further information contact Nancy Leveson (714-856-5517) or Doug Schuler
(206-865-3226).
Sponsored by Computer Professionals for Social Responsibility, P.O. Box 717,
Palo Alto, CA 94301.
[For those of you on BITNET, you should be aware of the instructions for
the automatic self-maintaining mailing list indirection (which apparently
is going to change in the near future). PLEASE DO NOT send any mail to
the designated RISKS address except the properly formatted SUBSCRIBE and
UNSUBSCRIBE messages. All other messages get rebroadcast to the BITNET
RISKS community, and then I get complaints... Instructions upon request,
if you have lost them. BUT, I am suddenly getting notices from LISTSERV
that I (not YOU?) can add YOU using ADD (not SUBSCRIBE?)... Grumble...
Update on the new forwarding when available. PGN]
It seems that computers indeed aren't flawless - especially as regards
automated redistribution of the RISKS Digest on BitNet. For several weeks
(ever since I subscribed, in fact) I have been getting various messages,
none of which has to do with RISKS (mostly subscription requests &c).
Wondering if something was amiss, I sent a message to the address used for
BITNET subscription. Much to my surprise, when I logged in several days
later, I found 12 messages waiting for me. They were typically from people
experiencing the same difficulties, but two held the key to the problem.
It seems that the address for BITNET subscription/distibution has a very
limited intellect. If it receives mail of the proper for (ADD ... or
DELETE ...), it is processed. Any other mail is assumed to be a RISKS
issue, and is distributed to the subscribers. Needless to say, my query was
treated as a RISKS Issue, and was subsequently distributed.
-jfp
Please report problems with the web pages to the maintainer