The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 04

Wednesday, 6 January 1988

Contents

o PCs die of New Year Cerebration
Scot E. Wilcoxon
o More on Missouri Voting Decision
Charles Youman
o Market for prankster programs?
Geoff Goodfellow
o Ham radio operators and cancer
Mark Fulk
Steve Philipson
o Getting into ATM rooms
Mark A. R.
o Re: Knowing Source Code is not Sufficient
Michael Wagner
o Trust and quoting and write-only hard disks
Michael Wagner
o Info on RISKS (comp.risks)

PCs die of New Year Cerebration

Scot E. Wilcoxon <sewilco@datapg.mn.org>
Tue, 5 Jan 88 23:35:36 CST
One of my clients has just reported to me that a certain brand of
PC-compatibles which they sold in 1984 suddenly stopped working when 1988
was reached.  They were flooded with calls on Monday and the manufacturer of
the equipment also got many reports then.

If your PC-compatible suddenly stopped working on New Years' Day and the first
letter of its name is "S", you may want your dealer to check for this unlikely
problem.

Scot E. Wilcoxon    sewilco@DataPg.MN.ORG   ihnp4!meccts!datapg!sewilco
Data Progress       C and UNIX consulting   +1 612-825-2607


More on Missouri Voting Decision

Charles Youman (youman@mitre.arpa) <m14817@mitre.arpa>
Wed, 06 Jan 88 09:52:53 EST
Thanks to my mother-in-law and the USPS, I now have the article I mentioned
in RISKS 5.84.  The article is from the December 24, 1987 edition of the
St. Louis Post-Dispatch.  The page 1 article is titled "Decision Threatens
Punch-Card Elections" and is quoted without permission.

"If a federal judge's order this week is upheld, it could eliminate the punch-
card voting system, throw elections here [i.e., in Missouri] into chaos and 
cost taxpayers missions of dollars, election officials said Wednesday.

But civil-rights groups hailed the decision as a landmark that they say will
increase the participation of blacks in elections.

U.S. District Judge William L. Hungate ordered Tuesday that the St. Louis
Election Board 'take appropriate steps' for a manual count of ballots that
are cast but uncounted by the city's automatic tabulating equipment due to
such problems as double voting in one category and not pushing the pin all
the way through the ballot.

Representatives of the Election Board criticized Hungate's ruling and said
they expected it to be overturned on appeal...

Garvin [an attorney for the board] said the board might ask the 8th U.S.
Circuit Court of Appeals to postpone the effect of Hungate's order until after 
the Missouri presidential primary March 8.

The punch-card voting system is used throughout Missouri.  But Garvin said
he thought no other jurisdiction would follow Hungate's ruling unless it
was affirmed on appeal...

In the judge's order, he said it was not the punch-card voting system but
the board's actions that violated federal voting laws.  But election officials
said the ruling could have the same effect...

Punch-card voting accounted for 70 percent of the votes in the last 
presidential election in Missouri.

Hungate gave his order in a suit filed by Michael V. Roberts, an unsuccessful
candidate in the primary March 3 for the president of the St. Louis Board
of Aldermen.  Roberts, who is black, lost by 171 votes to Thomas A. Villa,
who is white.

Roberts claimed the punch-card voting system discriminated against blacks
because most of the votes cast but not counted by the Election Board's 
computers came from wards where most of the voters are black.

In his order Tuesday, Hungate said the board's failure to review by hand
ballots left uncounted by the machines violated the federal Voting Rights
Act and resulted in the disenfranchisement of voters.

Garvin said that in most elections, a large number of voters do not vote
on every ballot issue.  He said that while the board's computers could be
programmed to identify ballots for which no votes register on some issues,
the number would be so great that it would make the punch-card system
unworkable. . .

Kenneth Warren, a political science professor at St. Louis University,
called Hungate's ruling 'devastating for the punch-card voting system;
in effect, it is doing away with the system. . .

Warren [who testified for the board at the trial] said about 60 percent
of voters in the United States used the punch-card system. . .

Miriam Raskin, the assistant executive director of the American Civil
Liberties Union of Eastern Missouri, said she was thrilled by the decision.
the ACLU had entered the case on behalf of Roberts."

Charles Youman (youman@mitre.arpa)


Market for prankster programs?

the terminal of Geoff Goodfellow <Geoff@csl.sri.com>
6 Jan 1988 09:45-PST
Snippet on a software developer who wants to prove there is a
market for computer prank hacks, from PC Week, 22/29 Dec 1987, Pg 28:

    "Weirdware, a division of Mainland Machine, a software
  developer in San Luis Obisbo Calif., markets for $19.95 a
  practical joke generator it calls PC Prankster.  The software
  includes 10 pranks that the owner can play on unsuspecting
  friends or prospective enemies.

    "The pranks weren't designed to be malicious or destructive,
  said John Ames, a software engineer at Mainland Machine.  First,
  the jokester has to store one of the prank files on the intended
  victim's hard disk or boot disk.  Once that's done, the
  perpetrator can set the joke to go into action after a certain
  number of keystrokes right in the middle of whatever program the
  victim is running at the time.

   "In one joke, the figure of a huge one-eyed monster appears on
  the screen, blinks and disappears, allowing the program to resume
  operation unaltered.  Other pranks briefly scrambles the PC
  character set, or makes the monitor screen appear to be cracking.


Ham radio operators and cancer

<fulk@cs.rochester.edu>
Wed, 6 Jan 88 10:33:34 EST
One must ask whether Milham controlled for the age of his subjects;
amateur radio is very popular among retired persons and advanced age
is one of the major risk factors for all kinds of cancer (rates go
up roughly as the 4th power of age, if I recall correctly).  Amateur
radio operators are also fairly likely to build some of their own
equipment; in the process they are exposed to the fumes of over-heated
solder flux (I remember a considerable burning sensation in my nose
when using rosin-core solder) and are exposed to considerable levels of
lead.  Finally, it seems to me that hams smoke a lot (a study would
be required to really know); and the effects would be worsened by a
tendency to spend a lot of time in a small room huddled over a Morse
code key.

With respect to power lines: I think that high-voltage long-distance
power lines were probably what was meant.  I went to high school and
college in North Carolina (location of one of the studies); it seems to
me that such power lines indeed seemed to cluster near other sorts of
cancer-causing facilities.  For example, they frequently ran near
highways (I-40 from Statesville to Morganton had power lines along its
whole length).  Furthermore, they (of course) ran mostly through rural
areas; people living near them were likely to be engaged in agriculture,
meaning the use of pesticides, meaning that they were exposed to a high
and well-documented risk of various sorts of cancer.  In North Carolina,
in particular, they would likely be growing tobacco!

This is not to say that non-ionizing radiation cannot contribute to
cancer rates, although, based on my current (lay) understanding of the
mechanisms of cancer induction, I am inclined to doubt that the effect
could be strong.  Nor do I wish to cast doubt on the meaningfulness
of all such studies: one can never control all the variables, and thus
can never prove anything beyond all doubt; however, one must certainly
control those variables which have been established to have significant
effects on one's independent variable (cancer risk in this case).

ex-WB4FLO  Mark Fulk


Shielding (Re: RISKS-6.3)

Steve Philipson <steve@ames-aurora.arpa>
Wed, 6 Jan 88 11:32:45 PST
From: flatline!erict@uunet.UU.NET (eric townsend)
Date: 4 Jan 88 03:37:47 GMT
> 3.  I realise that ham radio gear is not always shielded properly, etc,
>    but how safe are we hackers from the stuff our 'puters put out?  ...

   Ham radio gear is usually very well sheilded.  The equipment itself may
not be the problem.  Operators are frequently in close proximity to the
transmitting antennae, and thus can be on the receiving end of a large
amount of radiated energy.  I observed this phenomenom first hand in 1973
after I had installed a new beam antenna on the roof of my house.  With the
antenna pointed in my direction, full power output would cause both
florescent and incandescent bulbs in the room to light up.  (Some specifics:
appx. 800 watts output into a 9 db gain beam located about 20 feet higher and
30 feet away from my location.) I found the effect quite disconcerting and 
avoided high transmission power levels in my direction.

   This may seem an unusually high level of exposure, but it is far more
common than most people realize.  What is important is not total power
but power density.  Hand held portable radios are widely used now, in
public service and private operations alike. Typically, these radios use 
"rubber duck" antennae that are mounted to the top of the unit, only inches
from the eyes.  At this distance, power densities are quite high, even with
power output levels below 5 watts. Some reports have pointed to increased 
risk of glaucoma from use of these radios.

   As far as home computers go, the risk is probably very small.  About
two years ago both the SIGGRAPH and SIGCHI groups of ACM ran technical
sessions in their national conferences on the human factors / risks
involved in using computer displays.  For reasonably modern equipment,
the emmitted radiation levels were typically less than background levels.
As an example, broadcast radio stations several miles away showed up 
in spectrum analysis at power density levels much higher than CRTs at
the screen surface.  More significant risks from the use of computer
systems included back pain from poor ergonomic design of workstations,
and skin irritations.  The latter occur as CRTs tend to precipitate
out airborne particulates due to static charge on the screen.
People will touch the screen and spread such material on their skin.
The "high tech" solution for this problem was to clean the screens
daily.  

   The terminal screen I'm using right now looks somewhat dusty --
time to get out the anti-static screen cleaner!

Steve Philipson      steve@ames-aurora.arpa       WB2EUZ/6


getting into ATM rooms -- Play-Safe: it could save your life

<mar@ATHENA.MIT.EDU>
Tue, 5 Jan 88 16:16:44 EST
Many ATMs are in small rooms which you enter by putting your bank card into
a card reader.  I had been wondering how it knew to let you in, since cards
from out-of-town banks work, and there's no noticible pause for it to look
up your institution to see if you should have access.

Yesterday I tried an experiment, and discovered that my AT&T calling
card, and even a rapid transit pass would open the door.  I think
their algorithm is "if there are bits on the card, unlock the door".

What's the interest to RISKS (besides sharing more ATM trivia, which
flourishes here)?  The reverence people hold for technology.  The magnetic
stripe and card reader imply a computer, so people think that they have
controlled access.  Most people would never think to question it, and don't
know what shortcuts are taken.  The mistake will come when someone wants to
use one of those cardreaders to control access to a room where the security
really does matter.
                    -Mark


Re: Knowing Source Code is not Sufficient

Michael Wagner <WAGNER%DBNGMD21.BITNET@CUNYVM.CUNY.EDU>
06 Jan 88 12:30:46
In Risks 6.3, William Smith wrote:
> >             IF YOU CAN'T READ IT, DON'T RUN IT
>
> Unfortunately, this is not sufficient if the vendor of your
> software is not trustworthy.

We seem to be trying to solve several different problems here, and
that may be part of the confusion.  Having the source to a piece of
public domain software might help you find out what it's going to do
to you.  At least it's better than a kick in the pants.  You
generally have little other recourse in the case of a piece of
software the originator won't support.

On the other hand, untrustworthy vendors have entered into a
contract with you, and the fact that they (or one of their
employees) injected a virus into the program they sold you is quite
a different matter.

> When you buy a tool such as an automobile, you do not ask to see all
> of the engineering drawings and analyses to decide that the car is
> safe.  An amount of trust is necessary when using any technology.

But surely not blind trust.  There are whole organizations set up to judge
cars on their abilities to perform according to specification, and the
informed buyer is always able to read those reports and make the appropriate
judgement.  Since testing isn't always enough, there is also a legal
mechanism to sue in cases where the product fails to perform.  It seems no
one cares enough yet to test software thoroughly (not even mass-market
stuff).  Not sure why.
                                        Michael


Trust and quoting and write-only hard disks.

Michael Wagner <WAGNER%DBNGMD21.BITNET@CUNYVM.CUNY.EDU>
06 Jan 88 11:41:03
Since we are talking about trusting code (and implictly, other
people), how trusting are we about documents we get from elsewhere?
In Risks 6.2, "guthery%asc@sdr.slb.com" wrote:

> As a little bit of reflection ... will show, there is no
> protection in trying programs out with write-only harddisks or
> with privileges turned off.

When I first saw this, I wondered what good a write-only hard disk would be
in this application (or in any other, for that matter).  I had to read on a
bit, and then backtrack, to guess that this probably should have been a
read-only hard disk.  Seemingly, no one else wondered about this, because
the line was quoted two times in the next issue of Risks, without any signal
(the usual one is to write 'sic' in parenthesis after the word) that this
may be an error in the original.

If you think this is quibbling, then you must answer the question:
how well can you proof-read a piece of source code for subtleties?

Consider:  the original author missed it, the moderator missed it, and at
least those two who quoted it (and can therefore be assumed to have spent
some time considering the quote) in Risks 6.2 missed it.  Each read what
they wanted to read there, and not what really was there.  Exactly how I
would disguise a Trojan horse in a source (a horse in a source?  A horse, of
course.  Sounds like Dr. Seuss!) were I to so desire.
                                                            Michael

Please report problems with the web pages to the maintainer

Top