Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The Confederation of British Industry has submitted a proposal to the Law Commission proposing changes to the law on conspiracy to defraud. They propose (inter alia) that current offences involving "deception" (which require that a human mind is deceived) should be extended to include deception of machines, including (in particular) computers. This sounds risky - can anyone think of good examples of unintended consequences? Martyn Thomas !uunet!mcvax!ukc!praxis!mct
In the November 7, 1988 issue, 'Business Week' has a two-page story headlined
"IT'S LATE, COSTLY, INCOMPETENT — BUT TRY FIRING A COMPUTER SYSTEM: Companies
get stuck with 'runaways' that trample all over their budgets and reputations."
Nothing amazingly new, but a good summary of the problems, with several case
histories.
From the article: "A recent Peat Marwick Mitchell & Co. survey of 600 of
the accounting firm's largest clients highlighted the problem: Some 35%
currently have major runaways.... In 1986, [a management consultant] set up
a group at Peat Marwick to rein in runaways. Since then, he has had $30
million in revenues from nearly 20 clients...."
Two sidebars are of interest:
A SAMPLING OF `RUNAWAY' PROJECTS
* ALLSTATE INSURANCE. In 1982, with software from Electronic Data
Systems, the insurer began to build an $8 million computer
system that would automate it from top to bottom. Completion
date: 1987. An assortment of problems developed, delaying
completion until 1993. The new estimated price: $100 million.
* CITY OF RICHMOND. In 1984 it hired Arthur Young to develop a
$1.2 million billing and information sytem for its water and
gas utilities. Completion date: March, 1987. After paying
out close to $1 million, Richmond recently canceled the contract,
saying no system had been delivered. Arthur Young has filed
a $2 million breach of contract suit against the city.
* BUSINESS MEN'S ASSURANCE. In 1985 the reinsurer began a one-
year project to build a $500,000 system to help minimize the
risk of buying insurance policies held by major insurers. The
company has spent nearly $2 million to date on the project, which
is in disarray. The new completion date is early 1990.
* STATE OF OKLAHOMA. In 1983 it hired a Big Eight accounting firm
to design a $500,000 system to handle explosive growth in workers'
compensation claims. Two years and more than $2 million later,
the system still didn't exist. It finally was finished last year
at a price of nearly $4 million.
* BLUE CROSS AND BLUE SHIELD UNITED OF WISCONSIN. In late 1983 it
hired Electronic Data Systems to build a $200 million computer
sytem. It was ready 18 months later — on time. But it didn't
work. The system spewed out some $60 million in overpayments
and duplicate checks before it was harnessed last year. By
then, Blue Cross says, it had lost 35,000 policyholders.
[Several of these are discussed in more detail in the article.]
---
HOW TO KEEP A PROJECT UNDER CONTROL
* Before designing the system, get suggestions from the people
who will use it.
* Put senior, nontechnical management in charge of the project
to help ensure that it is finished on time and within budget
* Set up 12-month milestones — interim deadlines for various
parts of the project
* Insist on performance clauses that hold suppliers legally
responsible for meeting deadlines
* Don't try to update the system in midstream, before the original
plan is finished
Freudenburg, William R, "Perceived Risk, Real Risk: Social Science and the Art of Probabilistic Risk Assessment", Science, vol 242 #4875 (10/7/88) p.44. A very interesting article. The author's thesis is that risks computed from "hard scientific evidence" frequently inadequately predict both the probability and the consequences of a risk, because human factors are inadequately modelled. Risk estimation workers suffer from non-obvious human errors. The general public are not as irrational as they sometimes seem to technical people, when their concerns, values and experience history are taken into account. Readers of this newsgroup may already "know" all this, but it's useful to have our noses rubbed in it yet again. James F. Carter (213) 825-2897 UCLA-Mathnet; 6608B MSA; 405 Hilgard Ave.; Los Angeles, CA 90024-1555
[Entered without permission from Computerworld, 3 Oct 88, page 133]
By Kathy Chin Leong, CW Staff
SAN DIEGO --- As more and more confidential data winds its way across computer
networks, users are expressing alarm over how much of that information is safe
from subsidiaries of the Bell operating companies and long-distance firms
providing transmission services.
This fear has prompted the Tele-Communications Association (TCA) and large
network users to appeal to the Federal Communications Commission to clarify
exactly what network data is available to these vendors.
Users with large networks, such as banks and insurance companies, are
concerned that published details even of where a circuit is routed can be
misused. "We don't what someone like AT&T to use our information and then
turn around and compete against us," said Leland Fong, a network planner at
Visa International in San Francisco. Users are demanding that the FCC
establish a set of rules and regulations so that information is not abused.
At issue is the term "customer proprietary network information" (CPNI), which
encompasses packet data, address and circuit information and traffic
statistics on networks. Under the FCC's Computer Inquiry III rules,
long-distance carriers and Bell operating companies --- specifically,
marketing personnel --- can get access to their own customers' CPNI unless
users request confidentiality. What his group wants, TCA President Jerry
Appleby said, is the FCC to clarify exactly what falls under the category of
CPNI.
Fong added that users can be at the mercy of the Bell operating companies and
long-distance vendors if there are no safeguards established. Customer
information such as calling patterns can be used by the operating companies
for thier own competitive advantage. "At this time, there are no controls
over CPNI, and the users need to see some action on this," Fong said.
SPREAD THE CONCERN
At a meeting here during the TCA show, TCA officials and the association's
government liason committee met with AT&T to discuss the issue; the group will
also voice its concerns to other vendors.
Appleby said the issue should not be of concern just to network managers but
to the entire company. Earlier this month, several banks, including Chase
Manhattan Bank and Security Pacific National Bank, and credit card companies
met with the FCC to urge it to come up with a standard definition for CPNI,
Appleby said.
While the customer information is generally confidential, it is available to
the transmission carrier that is supplying the line. The data is also
available to marketing departments of that vendor unless a company asks for
confidentiality. Fong said that there is no regulation that prevents a
company from passing the data along to its subsidiaries.
[Comment: What I find particularly fascinating about this article is its
perfect illustration of the world-view of large businesses. Banks, insurance
companies and credit agencies collect tons of information about individuals,
which they then wish to treat as their private property, to do with as they
see fit. They fight "government interference" intended to protect the privacy
of that data as expensive, burdensome and unnecessary.
But when their precious data is moved over AT&T's lines, all of a sudden they
are very concerned that AT&T not abuse it. Not only that, but they want the
government to make SURE that AT&T remains on its best behavior!
— Jerry]
Recently I went to purchase an answering machine. Modern answering machines
have all sorts of remote features, features that can be exercised from another
phone, by generating touch tones. These features include the ability to listen
to already recorded messages, erase already recorded messages, change the
outgoing message that answers the phone, etc.
There is almost no security for these remote features. The machine I bought
has a two digit code, with one digit factory set, and the second digit set by a
switch on the machine. The user settable digit can only be set to 3 values!
Now, I don't have many secrets, so the idea of people listening to
my recorded messages doesn't bother me too much (except for the possibility
that a criminal watching my house and knowing my number could intercept
a message from me telling my wife that I won't be home for several hours).
But I do not like the possibility that someone could, maliciously
or accidentally, erase messages, or change my answering message.
And I most emphatically do not like the remote listen feature, whereby
anyone can call my answering machine, press a dial tone, and listen to
anything going on in my apartment.
I spent some time looking for a basic answering machine that had only the most
basic remote feature, the ability to listen to recorded messages remotely,
*without* having them erased. There doesn't seem to be such a system — if you
can remotely listen, you can remotely erase. Unfortunately, it does not seem
possible to selectively disable these remote features.
Most salespeople were surprised by my concern, but one gave me the service
numbers for Panasonic and GE. The Panasonic service was distinctly unhelpful,
unable to understand why one might want more than the 256 password
possibilities in their top of the line model (a model that uses 3 digits, only
one of which is user settable). The Panasonic service refused even to give me
an address to which I might write to describe what I think a secure answering
machine should be. The GE service was much more sympathetic - but,
unfortunately, GE's consumer electronics was sold to Thomson a while back, and
the GE service didn't know where to forward consumer suggestions.
All this leads me to several questions:
(1) Are there any answering machines that have redefinable passwords
that are long enough for an acceptable level of security?
(2) Are there any answering machines that have only non-destructive
remote commands, ie. that only allow messages to be listened to remotely,
not reset and overwritten?
(3) Have there been any incidents of remote sabotage of answering machines,
or, worse, criminal interception of messages, or bugging, as I describe
above?
Andy "Krazy" Glew, Motorola Microcomputer Division, Champaign-Urbana
Development Center [lengthy trailer and disclaimer deleted. PGN]
I've got my own story to tell about high frequency noises crawling out of computer related devices, and since I'm new to RISKS, my apologies if any or all of this has been discussed before. It all started back in college, when I went to a little office in the computing center. I walked into the room and immediately clapped my hands two my ears and shouted in aversion to the awful sound I was hearing. The two techs in the room, who worked in there most of the day, looked at me like I was crazy, because they didn't hear anything. It turned out to be the high-frequency whining from a Televideo terminal's flyback transformer. The two technicians never reported any ill effects from it. The few times I visited them again I had to stay outside of the office because of the direct pain I would experience walking in there when that terminal was turned on. After that I began noticing the sounds made by all the other CRT's in my life. They were high pitched and slightly irritating, but not painful. I had always, even before meeting computers, noticed the 15khz whine from a TV set, but it had never bothered me. My next experience was with a DEC VT-100. I visited a friend of mine who had an operating VT-100 in a little room in his house. Again, I heard a loud, high pitched whine that I felt as pressure in my ears and pain. He noticed nothing, but said that that particular VT-100 was stacked with option boards and might be overloading its power supply. I've worked with other VT-100 terminals and noticed noise, but not anywhere near as bad as that sample. And the best story of all is the AT&T Unix PC. All of the Unix PC's I ever worked with had a high-frequency noise problem to one extent or another, but the worst offenders were the ones with 40 meg disk drives installed. As soon as I turned on of them on, I would hear a high pitched noise that would slowly rise in pitch until it either went beyond my audible range or got lost in the fan noise. I thought nothing more of it until I realized that I was getting headaches, stomachaches, and feeling irritable without knowing why. I moved the machine to a closet and used it remotely. I polled everyone else at the office, as well as a few visitors from AT&T: almost noone could hear the noise from it, but anyone who had to work in the same room as the machine would eventually start complaining, even if the machine was parked in a noisy machine room. This wasn't limited to one sample, because we returned the machine and got it replaced two or three times, and none of them were acceptable to me. It wasn't just me, because we tried it out on a few other employees, who complained of irritation, stomachaches and toothaches after being in the same room as the Unix PC after a few days. This noise was definitely associated with the hard drive (as opposed to the flyback transformer who is the usual culprit), and was in the 20khz or above range, since I couldn't directly hear it, but felt it as a slight pressure in my ears. I have walked up to airline reservation counters, car rental counters, and other service desks where the ubiquitous VDT is part of the worker's routine, where the worker must sit in front of the terminal all day, and blanched from the whine coming out of the back of the CRT. As a white collar employeee in a technical office, with a moderately eloquent speaking ability, I was able to explain to my managers why I couldn't use certain equipment and they understood and assisted me. The information industry service worker has no such options: you can work on the machine or you can get another job. Managers over 40 probably can't even hear at 15khz, and will not understand what you're talking about. There have been numerous studies of "cluster miscarriages", where a high proportion of pregnant women using a particular brand of VDT all experience miscarriages, but most studies of VDT hazards seem to focus on low level radiation and ignore sound emissions completely. There are no OSHA or NIOSH standards on high-frequency sound or ultrasound emmissions from devices in the workplace: the engineers who build these things are used to listening to 15 or 20 khz whines all day long and no longer notice such things. Maybe my problem is that I never listened to loud rock music and my hearing above 15khz is mostly intact. But even when you can't hear it, that noise can still bother you, as witnessed by the Stevie Wonder experience (if not my own). And I wouldn't be surprised if it has a factor in miscarriages: one of the things ultrasound can do is heat up the tissue under your skin, which is related to the hospital uses of ultrasound devices. The scary thing is that so many people just dismiss this problem because they "can't hear it". Ed Ravin | cucard!dasys1!eravin (BigElectricCatPublicUNIX)| eravin@dasys1.UUCP Reader bears responsibility for all opinions expressed in this article.
Please report problems with the web pages to the maintainer