The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 30

Friday 24 February 1989

Contents

o "Do you know who's reading your medical records?"
PGN
o Wells Fargo ATM outage
PGN
o New York 540 Phone Number Scam
John Murray
o 900 "confession" number
Randal L. Schwartz
o Re: Chicago Phone Freak Gets Prison Term
Rich Salz
o Reach Out and Spy on Someone
Peter Scott
o Power failure problems
Jonathan I. Kamens
o Photographs as evidence (re: digital editing, etc.)
Ernest H. Robl
o Stanford and rec.humor.funny
Martin Minow
o Info on RISKS (comp.risks)

"Do you know who's reading your medical records?"

Peter Neumann <neumann@csl.sri.com>
Fri, 24 Feb 1989 11:18:27 PST
Of considerable interest to RISKSers is an article entitled "Absolutely NOT
Confidential" by Clark Norton, in the March/April 1989 issue of Hippocrates
(The Magazine of Health and Medicine).  The article documents many of the
problems of large networked databases, including privacy, data quality, legal
and social implications, etc.  It also includes a state-by-state table on your
access to your own medical records, with separate entries for doctors',
hospitals', and mental health records.  Arkansas, New Hampshire, Rhode Island,
South Carolina, Vermont, and Wyoming are the only states left with no laws
guaranteeing your access for all three types of records.  Thus far, Montana is
the only state to adopt a model bill drafted by the National Conference of
Commissioners on Uniform State Laws.

``Like most Americans, you've probably assumed your medical records were
confidential -- protected by ethics and the law.  At one time you would have
been right.  "We used to have a medical system that was confidential," says
retired Harvard School of Medicine neurosurgeon Vernon Mark...''  Now it is
relatively wide open.


Wells Fargo ATM outage

Peter Neumann <neumann@csl.sri.com>
Fri, 24 Feb 1989 11:02:52 PST
445 of Wells Fargo's 1200 ATMs in California were out of commission for many
hours on 22 February 1989, due to computer malfunctions.  (Bank of America has
twice had about 700 ATMs out of commission in recent months.)

  `John Love, publisher of Bank Network News, a newsletter that covers
  electronic banking, said that, on the average, ATMs are down 5 percent of the
  time because of ``machine-specific problems.''  However, such widespread
  failures are rare, he said, because of extensive backup computer networks.'
  [Quote from the San Francisco Chronicle, 23 Feb 89, pp. C1 and C18, in an
  article by David Tuller.]


New York 540 Phone Number Scam

John Murray <johnm@uts.amdahl.com>
24 Feb 89 02:31:46 GMT
 Just picked this up from comp.dcom.telecom
  - John Murray, Amdahl Corp., Sunnyvale, CA.

  From wrf@ecse.rpi.edu Tue Feb 21 07:50:32 1989
  Subject: 540 ripoff

  NYS just fined a ripoff outfit that advertised a "GOLD" card if you called
  540-GOLD.  Several hundred people who did, and stayed on the line for a
  minute, were billed $50 (FIFTY DOLLARS).  Needless to say their gold card had
  no relation to Mastercard or Amex.  They were also contacting people with an
  illegal autodial operation that would not let the victim hang up to free the
  line.  I think now they're required to say at the start of the call that there
  is this charge.  But what about people whose hearing is bad or English poor?

  People in every state should have the right to disable this use of their
  phone as a no limit credit card.  In fact, the default status should be
  disabled, and phone customers should have to enable it, and perhaps specify a
  $limit, if they want to use it.

[Moderator's Note: Illinois Bell was one of the first telephone companies
to offer 900/976 blocking at no charge, no questions asked. We do not have
'540' service here -- yet -- but I assume any variation on it here would
get free blocking. Here you can block 976 or 900 or both. The operator is
unable to complete the connection for you. Out-of-LATA 976 calls cannot be
blocked, but then they are only billed at regular long distance rates
anyway.   PT]


900 "confession" number

Randal L. Schwartz <merlyn@intelob.intel.com>
Wed, 22 Feb 89 10:19:15 PST
(Quotes are from an article in the Feb 27 "Insight on the News" magazine)

The latest craze is a 900 number in which callers can "confess" their actions.

   Another of those adult phone lines, you think, and prepare to hang
   up.  But then there is another voice, female, young, and
   remorseful.  "I'm having an affair with Bob.  He's my boss, and I
   just gave up our baby," she says.  "I want to tell Ginne and Les to
   please take care of her and I hope that she grows up to be better
   than I was and [pause] I'm sorry."

   [...] Confessors leave a 60-second message on what amounts to an
   elaborate answering machine, then the tape is edited for playback
   on the other phone line.  Sometimes listeners call in to respond to
   someone's confession, and some of these calls are played back.

Now, here's the scary part...

   Denton [producer of the Phone Confessions program] listens to every
   call, then selects a mix of confessions for playback.  Most calls
   are about relationships, but United Communications [the producer's
   company] makes no secret that it gets calls from people confessing
   to crimes [!!].

Most people probably still believe that the phone number from which
they make a phone call is available *only* to a select few.  But with
the 800 and 900 phone services (discussed either in RISKS or TELECOM,
I lost track :-), a service-provider can obtain *instantly* the caller's
phone number, and correlate it with the confessions.

The risk to the public (out of ignorance) is obvious.  Law enforcement
agencies, or even private opportunists, could set up such services,
or tap into existing services, and obtain an unending supply of useful
information.  Says the article:

   Denton believes that 98 percent of her calls are true confessions.

I suppose if I really wanted to confess a crime to one of these
services, I'd go to a pay phone.  I doubt that the public is aware of
the consequences of calling from their home, though.

Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095
on contract to BiiN (for now :-), Hillsboro, Oregon, USA.


Re: Chicago Phone Freak Gets Prison Term (RISKS 8.29)

Rich Salz <rsalz@BBN.COM>
23 Feb 89 00:19:10 GMT
>... and the Zinn residence was raided by FBI agents, AT&T/IBT security
>representatives and Chicago Police detectives used for backup.

ATT security people as backup?  "Stop right there, this is the phone
company; hands against the wall!"  Is it common practice in such "raids"
to use outside companies?


Reach Out and Spy on Someone

Peter Scott <PJS@naif.JPL.NASA.GOV>
Thu, 23 Feb 89 10:41:46 PST
An article in _Digital Review_, February 20, under the title "Reach Out And
Help Someone" reviews a package for VAX/VMS called Video, from Performance
Software.  The subtitle says, "...system managers and training coordinators can
keep an eye on user activity".  Among other things, this package allows anyone
with appropriate privileges to see what anyone else is typing and receiving on
their terminal (passwords excepted, I suspect), or to "take over" another
terminal and broadcast their own commands to it.  You can also record terminal
sessions and play them back at leisure.

"With the Video Seer utility, system managers can monitor terminal sessions to
detect system abuse or simply to identify performance drains on their systems."

Oh joy.

[Funny aside: I just received a computer-printed letter for _Time_ Sweepstakes.
The first paragraph reads: "... Isn't it time you get that dream house for you
and your family in Burbank?  Isn't it time you started driving home to Box 6867
in that Mercedes-Benz you've had your eye on for years?..."  Don't they know
it's hard enough to fit myself into Box 6867, let alone park a Mercedes there?]

Peter Scott (pjs@grouch.jpl.nasa.gov)


Power failure problems (RISKS 8.28)

Jonathan I. Kamens <jik@Athena.MIT.EDU>
Mon, 20 Feb 89 04:57:16 EST
In RISKS DIGEST 8.28, John Sinteur writes of his previous employers' problems
when the power went out and their magnetic card readers failed to work.

About nine days ago, a large part of Cambridge, including the entire MIT
campus, lost power for several hours as a result of a gas explosion in a
manhole.  One result of this was that all of Project Athena (The MIT
undergraduate computer system/research project) lost power, including all of
the workstation clusters.

The workstation clusters are all accessed by typing a combination into a
keypad outside the door of the cluster.  However, when the power went out, the
keypads all went dead and hence all of the doors could not be opened.

Nevertheless, the people who were sent around to power down all of the
workstations (so that when the power came back on things could be brought back
up gracefully) were able to get into most (if not all) of the clusters without
any trouble.  Students leaving the clusters after the power went out realized
that the keypads would not open the door, and therefore the last person out of
each cluster propped open the door with a garbage can.

I guess it didn't occur to them that this would allow anyone to walk onto
campus, walk into a computer cluster and steal every keyboard, mouse and chair
in the cluster (The computers themselves are locked down in all but one
cluster.).

(Then again, who would want all of those DEC and IBM keyboards and mice? :-)

Jonathan Kamens, MIT Project Athena, jik@Athena.MIT.EDU  Office: 617-253-4261


Photographs as evidence (re: digital editing, etc.)

Ernest H. Robl <ehr@uncecs.edu>
Mon, 20 Feb 89 14:27:59 EST
Several of the photography trade publications carry regular columns on
"forensic photography" -- the making and use of photographs for evidence in
civil and criminal cases.  The authors of these columns usually stress that
photographs themselves are not sufficient for evidence, since such factors as
lighting, angle of view (particularly with the use of telephoto or wide angle
lenses), etc. can provide a quite different impression from what exists in
reality.

When photographs are introduced as evidence, the photographer is called as a
witness to testify that the pictures are a true representation of a particular
scene, object, etc.  The authors of these articles therefore stress the
importance of keeping related documentation about when, where, and how the
photographs were made, since this can come up during the trial.

Also related to the digital processing of images:  There's currently a fair
amount of coverage in the photographic trade press about another legal aspect
of electronically combined images -- namely who owns the rights to the final
product.  Since most commercial photographers sell *rights* to the use of their
images, rather than the physical transparency itself, this can get into a
sticky area, since some clients (particularly in advertising) will want
exclusive use of a particular image (and related images) for either a specific
time period or for a specific geographic area.  The current issue of
_Photomethods_, a journal for the audio-visual industry, has a questionnaire
asking photographers whether they feel digital manipulation of images is a help
or poses a threat.

     -- Ernest

My opinions are my own and probably not IBM-compatible.--ehr
Ernest H. Robl  (ehr@ecsvax)  (919) 684-6269 w; (919) 286-3845 h
Systems Specialist (Tandem System Manager), Library Systems,
027 Perkins Library, Duke University, Durham, NC  27706  U.S.A.


Stanford and rec.humor.funny -- risks in BBoards

<minow%thundr.DEC@decwrl.dec.com>
21 Feb 89 09:36
                     [Found this on a local bulletin board.    Martin Minow]

This is from the February 20, 1989, San Jose Mercury News:

Computer users worry that Stanford set precedent

They say decision to block bulletin board
impedes free access to public information.

By Tom Philp

Computer scientists at Stanford fear the university has entered a never-ending
role as a moral regulator of computer bulletin boards by recently blocking
access to a list of jokes deemed to serve no "university educational purpose."
Many computer users on campus consider bulletin boards to be the libraries of
the future - and thus subject to the same free access as Stanford's library
system.  Instead, Stanford apparently has become the nation's first university
to block access to part of the international bulletin network called Usenet,
which reaches 250,000 users of computers running the Unix operating system,
according to a computer scientist who helped create the network.

To some computer users, Stanford's precedent is troubling.  "We get into some
very, very touchy issues when system administrators are given the authority to
simply get rid of files that they deem inappropriate on publicly available
systems," said Gary Chapman, executive director of Computer Professionals for
Social Responsibility, a Palo Alto-based organization with 2,500 members.  "My
personal view is that freedom of speech should apply to computer information."

Ralph Gorin, director of Academic Information Resources at Stanford, disagrees.
"I think that it's very clear that one should be either in favor of free speech
and all of the ramifications of that or be willing to take the consequences of
saying free speech sometimes, and then having to decide when," Gorin said.

Since the jokes ban, more than 100 Stanford computer users, including a leading
researcher in artificial intelligence, have signed a protest petition.  And
there is some evidence to indicate Stanford officials are looking for a way out
of the dilemma they have created.

The joke bulletin board, called "rec.humor.funny," is one of several bulletin
boards that discuss controversial topics.  Stanford, for example, continues to
permit access to bulletin boards that allow students to discuss their use of
illegal drugs, sexual techniques and tips on nude beaches.  Gorin said he is
unaware of those bulletin boards.

The jokes bulletin board came to Stanford officials' attention in December,
after a report about it in a Canadian newspaper.  The jokes hit a raw nerve
with campus officials, who have been plagued by a variety of racist incidents
on campus.  And so they decided on Jan. 25 to block the jokes from passing
through the university's main computer.  "At a time when the university is
devoting considerable energy to suppress racism, bigotry and other forms of
prejudice, why devote computer resources to let some outside person exploit
these?"  Gorin explained.

The joke that sparked the complaints is this:  "A Jew and a Scotsman
had dinner in a restaurant.  At the end, the Scotsman was heard to say,
'I'll pay.'  The next day there was a newspaper headline, 'Jewish
Ventriloquist Murdered.'"  Most of the jokes are not racist or sexist, Gorin
said; they are just plain silly or political.  An example:  "What did Mickey
Mouse get for Christmas?  A Dan Quayle watch."

But Stanford officials were troubled because the jokes bulletin board is
"moderated," meaning that one person controls everything that it publishes.
The jokes bulletin board "does not in itself provide for discussion of the
issues that it raises," Gorin said.  The moderator, Brad Templeton of Waterloo,
in the Canadian province of Ontario, publishes only jokes.  Comments he
receives go on a separate bulletin board, called "rec.humor.d."  For Stanford,
the existence of a comment bulletin board is not enough because people who call
up the jokes will not necessarily see the comments.

The problem with "unmoderated" bulletin boards is clutter, according to Eugene
Spafford, a computer scientist at Purdue University who is one of the pioneers
of Usenet.  The network accumulates the equivalent of 4,000 double-spaced,
typewritten pages every day, far too many comments for any person to read.
"People who use a network as an information resource like a more focused
approach," Spafford said.  That is why another, unmoderated, bulletin board
that has many comments and fewer - but equally offensive - jokes, is far less
popular.  Stanford does not block transmission of that bulletin board.
Templeton's bulletin board is the most popular of the 500 on Usenet.  An
estimated 20,000 computer users pull up the jokes on their screens every day,
Spafford said.

Usenet has its own form of democracy, calling elections to determine whether a
new bulletin board should be created, and who - if anyone - should moderate it.
Templeton's jokes bulletin board was created by such a vote.  Stanford's
decision to block access to it "strikes me as hypocritical," Spafford said.
"At best, it's someone who doesn't understand the situation who is trying to do
something politically correct."

John McCarthy, a Stanford computer science professor and one of the founders of
the field of artificial intelligence, has met with university President Donald
Kennedy to discuss his opposition to blocking the jokes.  "No one of these
(bulletin boards) is especially important," McCarthy said.  The point is that
regulating access to them "is not a business that a university should go into."

Since deciding to block access to the bulletin board, the administration has
referred the issue to the steering committee of Stanford's Faculty Senate.  The
future of the bulletin board may end up in the hands of the professors.  "I
think that is an entirely appropriate internal process for reaching that
decision," Gorin said.

Added McCarthy:  "I should say that I am optimistic now that this ban will be
corrected.  There are some people who think they made a mistake."   ...
