Telex service does give you a more-or-less positive feedback as to whom you've been connected to. It's called the "answerback code", which is sent at the initiation of a connection and whenever you (the sender) transmit a WRU (who are you) control character. Each machine is given a supposedly unique (and usually mnemonic) code when it is installed; it has a length of 8 characters or so. You might think a campaign manager would be alert to the Washington newspaper's answerback, but it's all too easy to overlook the code until after the message is sent. Telex is an odd medium, slow and fundamentally two-way, but it is almost always used in a one-way unattended receiver mode.
Martin Ewing, Caltech
[It used to be a relatively easy matter to break off a few tines on your answer-back drum, or indeed install a different one, thus being able to masquerade as someone else. Perhaps it is harder now? Somehow I doubt it. PGN]
Joe Morris asks, concerning misdelivery of E-mail due to human error, "What feedback mechanisms are (should) there be to prevent this kind of misdelivery for electronic mail?" I suggest that the answer to this question is, "None!" There comes a point where human beings must be made to accept the consequences of their actions and something akin to not noticing that 202 (D.C. area code) is not equal to 319 (Iowa area code) is decidedly one of those times. While machines make our work faster, easier, and more comfortable, there is probably a limit to the extent that they should protect us from our own stupidity. Certainly, the misaddressing of E-mail described by Joe has passed that limit. However, it would be interesting for us to attempt to pin-point precisely (or at least approximately) where that limit is. Any ideas out there?
Len Bliss, Appalachian State University, College of Education, Boone, NC 28608
[One widely used notion is that of REDUNDANCY, including check sums. The notion that anyone can call your home (10 digits) and with another single digit can (1) read your answering machine messages, (2) turn on your oven, (3) turn your burglar alarm on or off, (4) feed the dog, ... is somewhat hair-raising. One way of making unlisted numbers much harder to find by sequential dialing experiments would be to use the European technique of variable-length phone numbers. You want a difficult number? Get one with 20 digits. It would also cut down on random wrong numbers. PGN]
Washington State University, like several other universities in the area, is currently planning on implementing a registration system based on touch tone phones. The student dials the computer, and when connected "dials" his/her ID number, followed by a five-digit number associated with specific classes. The computer will either sign a person up, or inform the caller that the class is full. The ID numbers are eight digits long, which would give some protection against someone using someone else's number. The only problem is that on the local IBM mainframe (under VM/CMS), student userids are the ID numbers, and there are some pretty huge NAMES files floating around. The potential for abuse is there, especially considering that one could use dial-out modems on the system.....
Andy
After my submission the other week about American Express losing my PIN, I just thought you might like to know that things don't appear to have ended there. I used the card to withdraw some cash shortly afterwards while on holiday in Scotland, and have received two (so far) notifications of intent to debit the requisite amount from my bank account. I called Customer Service and spoke to a Representative who assured me that I would only be debited once; we'll see. A few questions revealed that: this duplication had been happening to many Cardmembers using the Express Cash service; that he didn't think there was a link to those who had recently lost their PINs (although it hadn't occurred to him); and that he seemed unsure about whether this would be the last problem I would encounter. I'm sure all this malarkey is doing Amex's reputation no end of bad; I'll let you know of any future developments.
Frank Wales, Development Engineer, [frank@zen.uucp<->mcvax!zen.co.uk!frank] Zengrange Ltd., Greenfield Rd., Leeds, ENGLAND, LS9 8DB. (+44) 532 489048 x220
A guy I used to work with here who previously worked at Sperry-Univac (now UniSys) claimed to have inserted a good joke into one of their intelligent terminals buried deep in the microcode where no one is likely to accidentally find it. I don't know all of the details about the intelligent terminal, but it could have had PC-compatibility as one of its intelligent features. Anyway, when the terminal is first powered on, it checks to see if the current year according to the battery-powered clock is different from the one saved the last time it was turned off. If so, it displays a New Year's message and plays "Auld Lang Syne" for about a minute using the tone generator normally reserved for the bell. It is then supposed to work normally for the rest of the year. He said he gets a good laugh every new year just thinking about it. That company does start with "S" as the first article mentioned (at least it did when it sold the terminal). I suppose there is a chance that this "harmless prank" could become not so harmless after a few years. Oh, and by the way, this guy now works for the other "S" company mentioned above. Just a thought...
Scott R. Nelson, Evans & Sutherland Computer Corporation
UUCP Address: {decvax,ucbvax,ihnp4,allegra}!decwrl!esunix!nelson
Alternates: ihnp4!utah-cs!esunix!nelson usna!esunix!nelson
The following appeared in Datalink, dated Monday, January 11, 1988.
James McMahon, the contract systems programmer accused of planting "logic bombs" in his client's computer systems, has been cleared of all charges. McMahon walked free from Isleworth Crown Court, London, late last month after the presiding judge Derek Holden accepted a mid-trial motion that the evidence against McMahon was inconsistent, incomplete and lacking in reliability. The ruling, which focused on print-out and disk exhibits, promises to be a watershed in the history of computer law, influencing the validity of such admissions in future cases.
The trial was billed as the UK's first "logic bomb" case, with McMahon accused of planting unauthorised code in the DEC PDP 11 system software of air freight forwarder Pandair Freight. The prosecution claimed that one such "logic bomb" locked terminals at Pandair's Heston office, near Heathrow, and a second was set to wipe the memory of the company's Birmingham computer. McMahon's motive was either financial gain or revenge after losing a 50,000 pound contract with Pandair, the prosecution said. The judge ruled that the evidence wasn't solid enough and instructed the jury to pronounce McMahon not guilty.
A relieved McMahon told Datalink: "I have lost much more than Pandair ever did." McMahon, who was referred to during the case as a Porsche or Lamborghini driving philanderer, says he bears no resentment. His only gripe is that he lost a major contract worth 40,000 pounds with the Stock Exchange after police informed directors there that there was a case pending. McMahon has now returned full-time to DEC system consultancy in the City.
In a second article in the same paper the following appeared...
Eighteen months of being labelled a "logic bomber" finally ended for system programmer James McMahon late last month. McMahon was found not guilty of planting three so-called logic bombs in the screen handling module of his client's DEC PDP 11 system software. The client, air freight forwarder Pandair, employed him on a freelance basis to patch its system software and install or tune its operating system, in this case the RSX 11 M+ operating system.
As well as maintaining his innocence throughout, McMahon is adamant that the code that constituted the alleged bombs could never have produced the effect the prosecution claimed. In short he claims he was framed, that the code was written to discredit him. As his barrister, Colin Nicholls, QC, put it in court: "The prosecution evidence is partial, deceptive and manufactured. It smells of dishonesty and contrivance."
The judge thought this submission well-founded, agreeing that there were areas of unsatisfactory and missing evidence. First, the original disks containing the supposed bomb were not taken into police custody immediately after the suspected sabotage, but left in the Pandair computer room. The Pandair programmer who produced the printout of file directories and source listings from the disks had sufficient skills in Macro Assembler to insert the bombs, the judge said. Further, the Pandair development disk went missing shortly after the alleged crime. "There is doubt over who produced the printout and which disks it came from," he said. And the motive for framing McMahon was there, claimed Nicholls: jealousy over a shared lover and envy over McMahon's expensive lifestyle.
However, after five weeks the judge was unwilling for the case to continue with such gaps and doubts over the evidence. "We need to take a particularly robust view of evidence in such a complex technical case," he said. The relief on the faces of the 12 men and women of the jury as they were dismissed testified to that.
Geoff Lane, UMRCC
The abuse of the SSN was foreseen long ago by none other than then-FBI director J. Edgar Hoover. His warning was against two things that would reduce U.S.A. to a Police State: a national identification card, and a national police force. His warning was heard loudly enough that for many years the SSN card that you received from the government had a notice on the back "this card is not legal for identification purposes." I recently tried an experiment: I tried to go for one month without giving my SSN to anyone. I found it impossible to maintain a reasonably civilized life-style under that circumstance. For example: I could not write a check, because it has my driver's license number on it which is, guess what? I could not get a post-office box: positive ID (driver's license or state ID issued by Department of Motor Vehicles, using SSN) AND current AND former street address required. I could not use a credit card (BTW- this is alleged to be tracked by NCIC and IRS. Cannot verify how much access is required for the NCIC version of this). Could not enroll in college. Financial Aid?- HAH!!!! Could not get utilities connected at my new apartment. etc. It is getting scary, Folks. Big Brother is here!
P.S. My Sysop commented on how much time I've been spending in net.mail lately...
Richard Brown, Oklahoma State University, richard@a.cs.okstate.edu
I work in a public library, and I can assure comp.risks readers that most libraries and librarians are very conscious of the privacy issue when it comes to records about library users. The best example is how our automated circulation systems are designed to work. We will be using CLSI, Inc., the largest vendor to libraries, and I think they are a good example of the care taken to protect the rights of a book borrower's privacy. When you check out a book, a link is established between the barcode number on your library card and the barcode in the borrowed item. As soon as you bring the book back, that link is broken and no record of the transaction is archived. You can opt not to even be able to see the current unbroken links unless items are overdue. This means that no one in the library or legal or mental health system can get a profile of your reading habits from checking old records. There are just not any--except overdue items, and they are kept until you pay up and clear your record. That is reassuring, but I am troubled that some libraries ask for SSN as a unique id before they issue a library card. Our committee on registering library users quickly decided against this, again because of privacy matters. I would urge any of you who use a library to inquire about this and post some responses here. Our unique id will be first letter of first name, first four letters of last name, month (1-9,O,N,D) and two digits of the year. Mine would be SCISL042. There is some way they handle all the John Smiths in one big area, but this works quite well for most cities and counties.
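The retention rule described in the library posting above, as an added sketch (not CLSI's code and not part of the original message): only live patron-to-item links are stored, a return deletes the link, and an overdue return leaves a record until the fine is paid. The class name, barcodes, dates and fine rate are all assumptions made for illustration.

```python
from datetime import date

class CirculationLedger:
    """Holds only live patron-to-item links; nothing is archived."""

    def __init__(self, daily_fine_cents=10):       # fine rate is an assumption
        self.daily_fine_cents = daily_fine_cents
        self.links = {}     # item barcode -> (patron barcode, due date)
        self.unpaid = {}    # patron barcode -> [(item barcode, cents owed)]

    def check_out(self, patron, item, due):
        if item in self.links:
            raise ValueError("item is already on loan")
        self.links[item] = (patron, due)

    def check_in(self, item, today):
        patron, due = self.links.pop(item)         # the link is broken here
        days_late = (today - due).days
        if days_late > 0:                          # overdue: keep until paid
            owed = days_late * self.daily_fine_cents
            self.unpaid.setdefault(patron, []).append((item, owed))

    def pay_fines(self, patron):
        """Clear the patron's overdue records and return the total paid."""
        return sum(cents for _, cents in self.unpaid.pop(patron, []))

    def records_for(self, patron):
        """Everything a records request about this patron could return."""
        on_loan = [i for i, (p, _) in self.links.items() if p == patron]
        overdue = [i for i, _ in self.unpaid.get(patron, [])]
        return sorted(on_loan + overdue)

def demo():
    # Constructed barcodes and dates, for illustration only.
    ledger = CirculationLedger()
    ledger.check_out("P-1001", "B-0001", due=date(1988, 1, 15))
    ledger.check_out("P-1001", "B-0002", due=date(1988, 1, 15))
    during = ledger.records_for("P-1001")
    ledger.check_in("B-0001", today=date(1988, 1, 14))   # on time: no trace
    ledger.check_in("B-0002", today=date(1988, 1, 18))   # 3 days late: kept
    after_return = ledger.records_for("P-1001")
    paid = ledger.pay_fines("P-1001")
    after_payment = ledger.records_for("P-1001")
    return during, after_return, paid, after_payment

if __name__ == "__main__":
    print(demo())
```

Because there is no history table at all, a later request for a patron's reading record can only ever return what `records_for` shows at that moment.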