The RISKS Digest
Volume 8 Issue 44

Tuesday, 21st March 1989

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Computer-Justified Citations
Kevin Driscoll
Vehicle ID tags, cont'd
Steve Smaha
Ethics question re fonts
Michael Harrison
Elliott S Frank
Risks of shirt-pocket size floppy disks
Roy Smith
Re: Pushbutton Banking
Robert English
Credit card magstripe-encoded pictures
Peter Scott
Re: Remote Smart-Cards, English and Welsh soccer
Craig Cockburn
Dick King
Re: Risks of Registering Software
Bill Murray
Collecting for Shareware
Bill Murray
Info on RISKS (comp.risks)

Computer-Justified Citations (Re: RISKS-8.40)

Kevin Driscoll <driscoll@draco.src.honeywell.com>
19 Mar 89 19:45:21 GMT
Recently, in Atlanta, Georgia (GA), I was stopped and given three (!)
traffic citations, when it was obvious that I was guilty of none:

  "Offense":                            Reality:
  ---------------------------------     -------------------------------
  Turning where posted No Left Turn     Not posted
  Driving without valid license         Gave officer valid license
  Driving without insurance             Gave officer proof of insurance
  ---------------------------------     -------------------------------

I gave the officer my plastic Minnesota (MN) license, which indicated that it
had just been renewed (MN clips the corner of the plastic card when a new one
is ordered) and the temporary paper license that MN issues to cover the 45 day
period it takes to make a new plastic card.  The officer refused to accept this
documentation! He said his computer did not show that I had a valid license.
When I suggested that he retry his computer query (he may have made a mistake
in typing, the GA or the MN computer or the connection between them could be
having problems), he refused to do so!

His rationale for giving me a citation for no insurance was that I had signed
the collision damage waiver for the National car I was renting.  Apparently, he
doesn't know that most major car rental companies are fully self-insuring for
liability and he also doesn't know the difference between collision and
liability insurance.  He also refused the proof I had in hand that I also was
covered by American Express, AND Honeywell, AND my personal MN liability
insurance.  I guess that none of this paper would stand up against his
computer, which would only show GA insurance registration.  Being quadruply
insured with documents to prove it didn't help me at all.

The next day I saw an Atlanta newspaper article by Bette Harrison entitled "The
Bureaucracy Zone" (in the style of the "Twilight Zone") about foul-ups in GA's
handling of auto insurance information.  The article tells how the GA Highway
Patrol visited a man's house and confiscated his driver's license because of a
clerical error.  After explaining that GA insurance companies must inform the
Department of Public Safety (DPS) of any policy changes, the article records
the following conversation between the man's insurance agent and the DPS:

   Agent:  Look, if I send my policyholder down there with a letter from us
   indicating his policy didn't cancel, a copy of his insurance company's
   reinstatement notice, and a completed copy of your form O.C.G.A. 33-34-11
   which we completed and returned to you on Nov. 10, 1988 and he is
   stopped, what will happen?

   DPS:  He'll be arrested and his car will be impounded.   

   Agent:  You've got to be kidding.

   DPS:  That is our procedure.

   Agent: This is a clerical error and he is coming with the proof.  Why
   should you penalize someone for a clerical error?

   DPS:  That is our procedure.

   Agent to reporter:  See, the machine that sits on their desk has become
   their God!  They believe because the computer says it's right, it is.
   . . . There are three issues here: the penalization of the American public
   due to our dependency on computers; the bureaucratic attitude that we
   experience at every level; and a system that doesn't have safeguards to
   prevent the innocent from being victimized along with the real violators.

I can confirm what the agent said.  GA gave me two options, plead guilty or go
to court.  Pleading guilty to three moving violations (yes, in GA license and
insurance are also moving violations) would mean loss of my license when GA
forwards the guilty info to MN.  MN suspends licenses for 3 moving violations in
6 months.  This happened on a Thursday.  The officer said he only appeared in
court on Mondays.  But next Monday was too soon.  It seems that GA's computer
system can instantly accuse me of crimes, but it takes more than four days to
get information from the police department to the courts!

Just before I left GA on the following Wednesday (almost a week later), I went
to the Traffic Court to see if I could straighten things out.  The citation
information hadn't gotten there yet! I told the clerk my story, and said that I
had, with me, the proof of license and insurance.  She said, "OK, give me your
copy of the citation and the fine and we can process it."  Fine?  She thought I
was pleading guilty.  Bringing in proof of license and insurance (if you have
them) is required to plead GUILTY! Not only must a driver have both, but also
must have them in the car when driving.  Bringing them in later is no proof of
not being guilty.

I spent all of that afternoon convincing the Court to let me see a judge and to
plead not guilty.  The majority of the cases I witnessed while waiting for the
judge were license and insurance citations.  In the first concession to
reasonableness I had seen in this affair, I got the license and insurance
citations dropped.  However, the judge said I would have to come back for the
No Left Turn citation.  I had to be in California the next Monday, so I asked
if I could do it by deposition through the mail.  No, I had to appear in
person.  So one can be accused by remote information but cannot use the same
process for defense.  Not being able to be in Atlanta, I have pleaded nolo
contendere under duress.  A nolo plea HAS to be handled through the mail and
can be accepted or rejected by a judge.  I am still waiting for the outcome.

The moral:  When in GA, watch out, that caricature of southern justice may now
have silicon help.

P.S.  You would think that Atlanta, which is trying to be a major convention
city, would have special provisions to make things easier for out of state
visitors.  Because just the opposite appears to be true, I will stay clear of
Atlanta.  Also the conventions and meetings that I have influence over will
also not be in Atlanta.

Kevin R. Driscoll, Principal Research Scientist  (612) 782-7263  FAX: -7438
Honeywell M/S MN65-2500; 3660 Technology Drive; Mpls, MN 55418-1006

   [In the old days — 40s, 50s, maybe even 60s — Georgia was famous for its
   speed traps, e.g., 15 mph (poorly marked) for a few yards in the middle of a
   stretch of 45 mph, with squad cars and a judge sitting there waiting for
   unsuspecting out-of-staters.  Apparently "Poli want a Cracker" is NOT the
   operative principle — except maybe for Floridians.  PGN]


vehicle ID tags, cont'd

Steve Smaha <Smaha@DOCKMASTER.ARPA>
Tue, 14 Mar 89 21:33 EST
From the 6 March 1989 _PC Week_:

  Like every other U.S. airport, San Francisco International always charged a
monthly fee to the rental-car and hotel courtesy vans that sweep through its
terminal areas to pick up customers.
  But the flat rate became problematic.  Courtesy vehicles, free to swarm
through ground-transportation areas as often as they liked, jammed up the
limited space in passenger pick-up areas.  Airport managers even began
suspecting courtesy vans were driving into passenger areas "more for
advertising than for carrying people," said Sheldon Fein, airport manager of
traffic control.
  Now, the airport is pioneering a PC-based system it hopes will relieve
traffic congestion and help it bill courtesy providers for every time they
cruise by.
  The airport is requiring vehicle [sic] to mount radio-frequency
identification tags on the roof of each vehicle.  Each electronic tag, made by
General Railway Signal Corp. of Rochester, N.Y., emits a unique ID code that's
logged automatically by overhead receiving boxes every time a vehicle drives
into a ground-transportation area.
  The receivers link by modem to a back-office PC AT, where custom-developed
software help bill vehicle operators accurately and report on driver activity.
  Now, instead of $50 to $100 a month, vehicle operators pay 35 cents a trip.
The fee will hit $1 next January.  Fein believes this will reduce traffic jams
and create an airport profit center.

[There are other vendors for such systems, as well.  I wonder what the reset
time is for a sensor?  If I drove my (slightly-modified) personal vehicle
slowly beneath a sensor, could I enrich the Airport with hundreds of my
competitors' dollars?  Could I trigger every sensor in the area?  Would they
receive an appropriately itemized bill?  Would anyone (except Cliff Stoll) even
notice?]


Ethics question re fonts

Michael Harrison <harrison@mahogany.Berkeley.EDU>
Tue, 21 Mar 89 09:07:47 PST
Several colleagues have been kind enough to tell me about the message sent to
the Risks Forum by Randall Neff of Stanford University concerning my recent
seminar talk on the VorTeX project.

In this note, I hope to set the record straight and to clear up Mr Neff's
misunderstandings.

1. As Mr. Neff indicated, the VorTeX group implemented an interpreter to
display PostScript on our workstations.  Adobe has given us a license to use
their PostScript commands in this software.

2. It is also the case that in order to preview output, we needed outline
fonts.  When we inquired about the use of Adobe fonts, we were told that they
were not available (at any price).  I attempted to obtain fonts from Bitstream,
but their price of $85,000 plus royalties was beyond our means for research
software.

Mr. Neff's quotations are erroneous.  I never objected to Adobe's refusal to
let us use their fonts.  That is their right.  I did express concern that
commercial interests were forming an impediment to research in document
processing.

3.  In the US, type faces may not be copyrighted (although their names may be
trademarked).  It has always been perfectly legal to measure or photograph
characters appearing in a book, for example, and to use those measurements or
images for the type face of some other manuscript.  In our case, we wrote
Postscript code that measured the characters of various fonts, and then used
curve fitting to reconstruct approximations to the shapes of the original
characters.  As I indicated in my talk and others have discussed in this forum
our methods were legal and proper.  It is unfortunate that Mr Neff thought we
were trying to put one over on Adobe.  He alleges that we acquired Adobe's
product.  This is certainly incorrect.  In particular, we did not try to
extract the "hints" that make low-resolution rendering possible, although
others have done so.

4. Once we had devised this approach, which seemed to solve our problem, I
phoned a senior staff member at Adobe to report what we had done and to find
out if Adobe had any problems with it.  After telling me that he knew a faster
way to do what we were doing (but not indicating what it is!), he said that he
would report it to management and that I should expect a call.  A day later, I
received a call from the Adobe general counsel requesting only that I obtain a
license for the use of the PostScript instruction set.  We honored that
request.

Thus not only do I see nothing unethical about our behavior, Adobe has
registered no objection.

5. Finally, let me mention that there was a formal question/answer session at
the end of my seminar.  I stayed around afterwards talking with people.  After
that, there was a dinner to which all interested parties were invited.  Mr Neff
had ample time to raise ethical or any other issues with me had he chosen to do
so.  
                 [Messages from Mike Haertel and Kenton A. Hoover reiterated 
                 one or two of Mike's points, and are omitted here.  PGN]


Re: reverse engineering of type fonts

Elliott S Frank <esf00@uts.amdahl.com>
Fri, 17 Mar 89 10:09 PST
This latest controversy [about UCB "reverse engineering" Adobe fonts] smells
suspiciously like the incident several years ago in which another UC campus
duplicated and distributed around the campus multiple copies of a CAD package.
When sued by the owners of the CAD package, the successful defense was that the
Regents of the University of California *are* the State of California, so
far as the law is concerned; and, under the Constitution, a State may only be
sued with its consent and the Regents did not consent to be sued.

This suggests that under current case law, there is a significant commercial
risk in selling (or, far worse, allowing to be sold) intellectual property, or
anything containing significant intellectual property, to, at least, anyone
involved with the UC system. Since it appears UC is not bound by the usual
"fair use" rules of copyright, we may now start to see strange restrictions in
the "shrink wrap" agreements as companies and their lawyers attempt to protect
their products.

Elliott Frank      ...!{hplabs,ames,sun}!amdahl!esf00     (408) 746-6384
               or ....!{bnrmtv,drivax,hoptoad}!amdahl!esf00

[the above opinions are strictly mine, if anyone's.]


Risks of shirt-pocket size floppy disks

Roy Smith <roy@phri.phri.nyu.edu>
Tue, 21 Mar 89 11:31:57 EST
    I suddenly remembered just now that 1) I don't remember taking the
3.5" floppy out of my shirt pocket last night and 2) My wife was doing
laundry this morning.  Yet another risk to data integrity.  Gives another
definition to "cleaning out your old files".  We didn't have these problems
back in the old days; when's the last time you forgot to take a reel of
tape (or a deck of cards!) out of your pocket before doing the laundry?


Re: Pushbutton Banking (Lynn Grant, RISKS-8.38)

Robert English <renglish%hpda@hp-sde.sde.hp.com>
Mon, 20 Mar 89 11:14:01 pst
I found this message highly disturbing.  Not only did this obvious weakness not
occur to the bank, but after it had been pointed out, their solution was
removing the individual that noticed from the system, rather than doing
anything to fix the problem.
                                               --bob--  


Credit card magstripe-encoded pictures

Peter Scott <PJS@grouch.JPL.NASA.GOV>
Sat, 18 Mar 89 11:17:19 PST
   [A comment on Henry Spencer's comment in RISKS-8.40 on Ruaridh Macdonald's 
   "A Touching Faith in Technology", RISKS-8.35]

An item that could be encoded on the magstripes in credit cards that would pose
little privacy risk while enhancing protection for the consumer would be a
digital image of the credit card holder.  When they apply for their card they
send in a picture, and their card's stripe is encoded with a compressed image,
say 100 * 100 * 8 bits.  A display terminal would be small and reasonably cheap
in mass production, and would end a great deal of credit-card fraud.  I see no
disadvantage to the consumer.  Of course, if they just laminated the photograph
on the credit card in the first place...  but perhaps using the stripe would be
easier since it requires no time-consuming human intervention in the card
fabrication process, and the company could store your digitized image along
with your account information.  (Which provides new possibilities for verifying
your identity over the telephone: "So, sir, do you still have that wart on the
left side of your nose?" "What wart?" "That's what I wanted to hear.  How may I
help you?") 

Peter Scott (pjs@grouch.jpl.nasa.gov)


Re: Remote Smart-Cards (for English and Welsh soccer) (RISKS-8.41)

Craig, PhaseV & FCNS <cockburn%marvin.DEC@src.dec.com>
21 Mar 89 11:08
The bill I believe only requires ENGLISH and WELSH football clubs to enforce
the card ID scheme. Scotland is EXEMPT from this scheme, probably for much
the same reasons as ENGLISH and WELSH teams were banned from playing on the
continent (and still are), whereas Scottish teams ARE NOT.

Please use the term `English and Welsh' instead of UK, when the bill does
not apply to Scotland (I don't know the exact situation in NI). Scotland has
its own laws, and is proud to remain separate from its southern companions.

    Craig.      cockburn@marvin.wessex.co.uk

                 [Hmm.  Amusing that this message follows contributions
                 from English and Scott?  But no one is Welshing.  PGN]


Remote Smart-Cards (RISKS-8.41)

Dick King <king@kestrel.arpa>
Tue, 21 Mar 89 09:01:28 PDT
Why is writability necessary for anti-passback?  Seems to me that remembering
what cards have been used is more than sufficient.

Putting writable cards in the hands of the public and trusting what they say
would be just "asking for trouble" in this country, and likely so in other
countries.  The one thing you probably want to be able to say to a card is
"please, card #1234, don't squawk for ten seconds", so the electronic turnstile
could make sense out of a crowd.  But even this is probably unnecessary with
careful design.
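
An added illustration of the point made in the message above, not part of the original post: anti-passback kept entirely in state at the turnstile back end, with cards that are only read, and repeated reads from a tag still in range dropped at the reader rather than by commanding the card. The gate names, card IDs, the 10-second window and the sample reads are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed quiet window, echoing the "ten seconds" mentioned in the post.
DEBOUNCE_SECONDS = 10.0

# Hypothetical one-way gates for a single ground; names are illustrative.
GATES = {"north-in": "in", "south-in": "in", "north-out": "out"}


@dataclass
class AntiPassback:
    """Back-end state shared by every turnstile; the card is only ever read."""
    inside: set = field(default_factory=set)       # card IDs currently admitted
    last_seen: dict = field(default_factory=dict)  # (gate, card) -> last read time

    def read(self, now: float, card_id: str, gate: str) -> str:
        direction = GATES[gate]  # an unknown gate raises KeyError
        key = (gate, card_id)
        previous = self.last_seen.get(key)
        self.last_seen[key] = now
        # A tag lingering in range repeats itself; drop repeats at the reader
        # instead of writing a "be quiet" command to the card.
        if previous is not None and now - previous < DEBOUNCE_SECONDS:
            return "ignored-duplicate"
        if direction == "in":
            if card_id in self.inside:
                return "denied-passback"   # same ID already admitted
            self.inside.add(card_id)
            return "admitted"
        if card_id not in self.inside:
            return "denied-not-inside"     # exit without a recorded entry
        self.inside.remove(card_id)
        return "exited"


# Constructed sample reads: (seconds since gates opened, card ID, gate).
SAMPLE_READS = [
    (0.0, "1234", "north-in"),
    (2.0, "1234", "north-in"),
    (30.0, "1234", "south-in"),
    (40.0, "5678", "north-out"),
    (3600.0, "1234", "north-out"),
    (3700.0, "1234", "south-in"),
]


def replay(reads):
    """Run a list of reads through fresh state and return each outcome."""
    state = AntiPassback()
    return [state.read(now, card, gate) for now, card, gate in reads]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_READS, replay(SAMPLE_READS)):
        print(event, "->", outcome)
```

The `inside` set has to be shared by all gates of a ground; a per-gate copy would admit the same card once at each entrance.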


Re: Risks of Registering Shareware

<WHMurray@DOCKMASTER.DCA.MIL>
Tue, 21 Mar 89 08:13 EST
There seems to be an implicit assumption here, and in other discussions on
RISKS, that simple possession of my credit card number is all of the
authorization that one needs to charge me.  It should be noted that all of the
ethical people with whom I do business by credit card do have my number.  They
do not re-use it for the simple reasons that they are ethical AND that I can
disown the transaction.  You see, not only must you have my number, you must
also have my consent.  While it is true that possession of the number transfers
the burden of action to me, the burden is still on you to prove that you have
my consent.  In the absence of some other evidence on your part (such as a
receipt for the delivery of goods), a simple assertion on my part that you do
not have my consent is sufficient.

Note that in the credit card system, my right to disown the        
transaction  persists even after you have received your money.     
This is a much better remedy than is available to me if you have   
gotten your money by currency or check.                            

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114                          
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840                


Collecting for Software

<WHMurray@DOCKMASTER.DCA.MIL>
Tue, 21 Mar 89 08:32 EST
Many of the control problems that are suggested here will be dealt with through
the application of digital envelopes (to prevent the disclosure of the credit
card number) and digital envelopes (to demonstrate your intent to pay for the
software and to enable you to disown any transactions not so signed.)

However, two other innovative methods for distributing and collecting for
software are being used by companies engaged in selling crypto products.  For
example, EnigmaLogic, who sells one-time password software, has a license fee
that is based upon the number of users that you employ it for.  If you want to
change the number, you call them.  They give you a one-time password that can
be used to adjust the software and they adjust your bill accordingly.

RSA Security Inc. market public/private key software.  They will freely
distribute the software, but charge you a license fee for it only when you wish
to register your key.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114                          
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840                
