The RISKS Digest
Volume 8 Issue 45

Saturday, 25th March 1989

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Wells Fargo Deposits Slip
PGN
Hospital Viruses
Dennis Steinauer and Joe Morris
Optical Scanning of Handwritten Purchase Orders
Hiram Clawson
Credit card magstripe-encoded pictures
Mike Trout
Cellular phones and health
anonymous
Dale Worley
R. Scott Truesdell
New method (risk) of demagnetizing floppies
Douglas B. Robinson
Microwave ovens
Don Chiasson
Corrections to Internet Security Plans
David M. Balenson
Info on RISKS (comp.risks)

Wells Fargo Deposits Slip

Peter Neumann <neumann@csl.sri.com>
Sat, 25 Mar 1989 14:16:46 PST
A computer software glitch at Wells Fargo Bank has caused a delay in
depositing payroll funds for 12,000 to 15,000 workers at about 70 companies,
mostly in Northern California.  (The delay of a day or weekend apparently
affects only people whose paychecks are deposited automatically on a weekly
basis.  This was considered a drop in the bucket, because WFB processes
about 1.5 million payroll accounts each month.  SFB promised to cover any
overdraft charges.)  [Source: San Francisco Chronicle, 25 March 1989, p. B4]


Hospital Viruses — Now things are REALLY getting confusing.

"STEINAUER, DENNIS" <steinauer@ecf.icst.nbs.gov>
23 Mar 89 21:13:00 EDT
The following was in the 3/23/89 Washington Post (and probably other places,
since it came over the newswire).  Lots of confusing and seemingly
contradictory info.  Anyone know anything about it?   dds

            COMPUTER VIRUS STRIKES MICHIGAN HOSPITAL
            Records Altered or Scrambled but Patients
                       Were Not Endangered

     BOSTON, March 22 - Computer viruses, which have disrupted university,
newspaper and government systems, have spread to hospital computers.
     Officials at William Beaumont Hospital in Royal Oak, Mich., said two
viruses altered or scrambled patient information in a computer that creates
high-quality pictures for diagnosing diseases.
     The viruses, according to a report in the New England Journal of
Medicine Thursday, also created non-existent patients and spread to two
other medical facilities.
     Dr. Jack E. Juni and Richard Ponto of the Beaumont Hospital said
patients were not endangered by the virus because original copies of the
records were not stored in the infected computer.
     A computer virus is a malevolent computer program designed to spread
itself surreptitiously throughout a computer system and, before anyone
realizes it is present, destroy or alter stored information.
     The new case is being reported as doctors and hospitals are developing
growing reliance on all-purpose computers far more vulnerable to infection
by viruses.
     Ponto and Juni said the Beaumont virus was discovered when the
hospital's new image-display station, which creates pictures for heart
studies, stopped responding to commands.  Then nonexistent patients and
garbled names appeared on the patient directory.
     When officials investigated, they discovered that seven of 10 programs
had been altered and that the virus had created many new files.
     Juni said the virus was on a hard disk manufactured by CMS Enhancements
of Tustin, Calif.
     CMS spokesman Ted James said a virus, inadvertently put on 600 such
disks last October, had contaminated a program used to format the disks.
The virus apparently entered the company's plant on a hard disk returned for
servicing.
     James said the virus was "as harmless as it's possible to be."  It
inserted a small piece of extra computer code on hard disks but did not
reproduce or tamper with other material on the disk.

                                                     [Also noted by Joe Morris]


Optical Scanning of Handwritten Purchase Orders

<hiramc@sco.UUCP>
Fri Mar 24 17:00:51 1989
Seen on the order form for Microsoft QuickC Ver. 2.0 Update:

  "To quickly and accurately process the large volume of orders that we
  receive, we have installed an optical scanner that will read and code your
  coupon.  To ensure the fastest possible fulfillment of your order, when
  filling out the coupon, print your characters so that they look exactly like
  those in the sample below (take special notice of the "o")."

That last line was in italics, and there followed the alphabet and numbers as
we are supposed to print them.  The "o" looked like a Q rotated 180 degrees.

I thought the computers were supposed to adapt to us rather than the other way
around?

--Hiram Clawson - uunet!sco!hiramc  |  hiramc@sco.COM 408-458-1422 ext. 3289


Credit card magstripe-encoded pictures (RISKS-8.44)

Mike Trout <miket@brspyr1.brs.com>
23 Mar 89 20:01:55 GMT
> ... I see no disadvantage to the consumer.

I do.  Once this starts up, it will be only a matter of time before they start
taking digitized images of you ("cheap line-scanning monochrome cameras!") each
time you attempt to use the card.  The bits of this "current" image will then
be electronically compared to the bits of the "original" image.  If the
match-up is less than, say, 99%, or maybe 95%, or maybe even 90%, it's "sorry,
charge not approved..."  Who decides the percentage of match-up allowed?

Even assuming the digitized image is only "one-way," that is, only appears on a
screen for a clerk to compare to your face as you stand there with hat in hand,
there are serious potential problems.  In either case, consider the following
scenarios:  Two or three times a year, I drastically change my facial hair
(clean shaven, mustache only, mustache plus beard, etc.).  And what of folks
who have plastic surgery, either by choice or because of disfiguring accident?
And those who have accidents and can't afford surgery?  Men going bald?  Women
(and men!) who drastically change their hair styles?  Differences in makeup
application?  The basic aging process?  Are we all to be locked into one
appearance?

And what of the complexities of the individual human face?  By slightly flexing
a few facial muscles, anyone can transform their face into something new.
Meryl Streep is an extreme example.  What of the guy who has his original photo
taken the day after he is married, and then applies for some credit the day
after his wife informs him she is filing for divorce?  You know that any
digital representation of his face will have considerable bit differences.

Will this image exclude any clothing that appears below the neck (collars,
ties, etc)?  If not, you'd better be sure to wear exactly the same thing every
time you use your credit card ("uh, wait, lemme try tying my tie a little
differently...").  And what of differences in light and shadows?

Many will argue, "but those same problems COULD exist with any photo ID, but
there are no such problems in real life."  Absolutely true.  But once something
has been "computerized" it takes on God-granted status.  In the last issue of
RISKS, Kevin Driscoll treated us to the bizarre story of how the Georgia
Department of Public Safety is completely unwilling to correct errors entered
into their computers, even when they know about those errors.  Try explaining
to an 18-year-old clerk that she shouldn't worry about the fact that you "look
different" from your computerized image ("I'm sorry, sir, but that's what's in
the COMPUTER...").  People can adjust for changes in a photograph, such as
those on most driver's licenses.  But that image on the "computer screen" may
as well be carved in granite.

> ...  "What wart?" ...

I find such personal inquiries repugnant, and would have a hard time avoiding
slamming down the phone.  But on a more important topic, is there any empirical
evidence to suggest that credit card fraud could be significantly reduced by
facial images, either true photographs or digitized images?  I am reminded of
the controversy in New York State a few years back, when we became the last of
50 states to place a photo ID on driver's licenses.  Some enterprising
reporters actually went so far as to talk to law enforcement officials about
the value of photo IDs.  The consensus, even among the sometimes
over-enthusiastic State Troopers, was that there was no real law enforcement
use for photo IDs.  Alternative methods of investigation are far more useful.
NSA food:  Iran sells Nicaraguan drugs to White House through CIA, SOD & NRO.

Michael Trout, BRS Information Technologies, 1200 Rt. 7, Latham, N.Y. 12110  
(518) 783-1161


cellular phones and health

<[anonymous]>
Wed, 22 Mar 89 10:11:18 PST
It is fairly well established that exposure to high relative power densities
of UHF and higher RF frequencies can cause significant health problems.
Parts of the body that are the most sensitive to heat effects are the most
vulnerable to RF effects, with the eyes being the most sensitive of all.
There have been cases of police departments having problems with officers
who developed cataracts apparently relating to their use of hand-held UHF
(e.g. 450 MHz) transceivers.

Hand-held cellular phones are probably even worse.  Like police
transceivers, these units almost always have the antenna in very
close proximity to the user's head, putting the head (and eyes of
course) in a quite strong relative field (while the absolute power
may only be a few watts, the relative power density near the antenna
is quite high).  Also, cellular units operate at around twice the 
frequency of police transceivers (i.e., cellular operates around
800 MHz and higher) and the higher the frequency, the worse the risk.

Another factor is that while police transceivers are half duplex and
only transmitting when the officer has something to say, cellular
transceivers are transmitting continuously when a conversation is
occurring (since they are full duplex) so the overall exposure is far
higher in most situations.

It would appear that a real risk may exist.

Note that the farther you get away from the antenna, the better off you are,
since the inverse square law applies.


Risks from cellular phones

Dale Worley <worley@compass.com>
Fri, 24 Mar 89 10:53:08 EST
    From: miket@brspyr1.brs.com (Mike Trout)
    Subject: Possible Cancer Risks from Cellular Phones?

    I recently had a discussion with a major electronics guru for a local
    television station.  We were talking about microwave transmitters (radar
    speed guns, garage door openers, that sort of thing), when he made a
    dramatic statement that shocked me:  he claimed that cellular phones were
    extremely hazardous and probably highly carcinogenic.

Sorry, but this is extremely unlikely.  Human flesh is very poor at
absorbing (or affecting in any way) radio waves.  Because of this, possible
resonance effects between the skull and the transmissions are very unlikely.

There are three ways that electro-magnetic radiation can harm living tissue:
(1) electric-current burns.  This is what gets people who touch or come very
close to high-power antennas.  (To be precise, however, this effect is due
to inductive or capacitive coupling with the antenna, rather than absorption
of E-M radiation.)  (2) thermal heating due to resonance absorption (usually
by water molecules).  This is how microwave ovens heat things.  However,
this effect can happen only at certain specific frequencies of radiation,
all of which are much higher frequencies than are normally used for cellular
phones.  [These first two effects cause problems only at high power levels,
because the human body can take a significant amount of current flow and
heating without any damage at all — at low power levels, they are lost in
the noise of biological currents and heat generation.]  (3) direct
modification of molecules.  This happens only with high-energy E-M
radiation, X-rays and gamma rays.  [This is the only one of the three damage
mechanisms that can cause cancer.]

As you can see, it is unlikely that a cellular phone will harm you via
any of the three mechanisms, much less cause you cancer.

I'm not particularly astonished that this fellow is worried that pressing a
radio transmitter to your head might be harmful, although he should have
done a bit of research before spreading groundless warnings.  I am
astonished that he thinks they cause cancer.  I can see no reason for even
an uninformed person thinking this, other than the "Everything bad causes
cancer" scare-mentality that seems to be popular.

I once read an article noting that over the last 10 years there were several
dozen alleged risks to human health that had achieved enough newspaper
coverage to seriously scare people, and it noted that while a few of them
were indeed serious health risks, most of them were, in practice, harmless.
It also noted that the information presented in newspapers was almost
useless for distinguishing these two categories.  I wonder what will happen
when "cellular phones cause brain tumors" hits the papers?

The RISKS of needless and wasteful regulation of non-threats (not to mention
of hardening people to the point that they fail to be concerned about
genuine health risks) are, as people say here, obvious.  When will some
sanity be injected into the subject?

Dale Worley, Compass, Inc.                      worley@compass.com


Cancer from Cellular Phones

<truesdel@PARIS.ICS.UCI.EDU>
Wed, 22 Mar 89 10:01:52 -0800
Cellular phones operate in the 800 MegaHertz band. This is in the middle of the
UHF band, directly below the microwave band. Microwaves, as we all know, are
used for making popcorn and cooking turkeys.

800 MHz puts the full wave right at 14.8 inches or a half wave at 7.4 inches
which is a little long to resonate inside the skull cavity. This doesn't mean
that it can't cause real damage, though.  An example has been showing up since
civic police forces have started switching up from the VHF to the UHF bands for
local communications. The advantages of using higher frequencies are more
bandwidth, less interference, and better audio quality.  The RISKS, however,
are starting to show up.

The problems were first noticed in officers making extensive use of hand held
(walkie-talkie) units with built-in "Stubby-Duck" antennas. These antennae are
identified by having a length of around 2 - 4 inches, a diameter of about a
quarter inch, and made usually with a black rubber coating.  When held in the
talking position, the antenna is positioned in close proximity to one of the
eyeballs.  That's when the glaucoma started showing up.  Essentially, the UHF
waves were frying the aqueous humor... turning what should have been the
consistency of Jello brand gelatin dessert into the consistency of 3 day old
oatmeal.

So the local P.D.s decided to move the radios away from the face and strap them
onto the officer's belt. The interaction is through a hand-held speaker/mic.
Great solution! Now the officers get it in the spleen instead of the face!

So, back to cellular phones.  Hand-held units with built-in antennas are
obviously the greatest risk.  Antennas placed on the roof of the car, shielded
by the car's sheet metal, are best.  This assumes that the installation was
competently made by a knowledgeable RF technician (NOT a stereo installation
jockey), the connectors are "low loss", and the coax itself is "low loss".  The
most common cellular phone coax is cheap RG-58/U. This is "thin ethernet"
cable.  A much safer connection is made with the thicker coax (I think RG 59/U, but
I don't remember).  The thin stuff is used more because it is cheaper and MUCH
EASIER to install.

I am very interested to see what further studies are being conducted relative
to the long term effects of exposure to RF. I am worried about the unrestricted
saturation we receive 24 hours a day on all frequencies. How free of effect are
the "safe" frequencies (VHF, HF)?

R. Scott Truesdell

     [Please pardon a little redundancy.  I could not prune easily.  PGN]


New method (risk) of demagnetizing floppies

<robinson@apollo.com>
Fri, 24 Mar 89 13:11:46 EST
One fine *cold* day in February I transported a floppy from location
A to location B.  I thought nothing about placing the floppy in the
passenger chair.  It was positioned vertically against the chair back,
wedged gently behind an empty child seat.  The trip took about 30 minutes.
Then I tried to read the floppy and could not:  the machine couldn't even
find track 0.  I tried about a half-dozen or so machines before I gave up.

It was an old floppy so I guessed that it just couldn't hold the bits
anymore, so I got a few new ones and was going to try again when the real
cause of the problem dawned on me:  I own a 1985 SAAB with the *heated*
front seats.  I guessed that since the heating element was electrical it
might be putting out enough of a magnetic field to scramble the data.  So I
experimented:  I made about 5 copies of the floppy and placed some of them
on the floor and one of them on the seat as before, drove for about 30
minutes (again on a cold day) and then tried to read them.  The floppy
placed like the first one was unreadable.  Those on the floor were fine.

I'd sure like to get an instrument and measure the magnetic field near that
chair when the heater is working.  I'd like to know why the magnetic stripes
on the credit cards in my wallet still work...

Douglas B. Robinson



Microwave ovens

Don Chiasson <G.CHIASSON@XX.DREA.DND.CA>
Wed, 22 Mar 89 16:13:34 AST
     A few nights ago a minor incident occurred which typifies how computer
risks can be worse than those of other technologies and why people get
upset.  At about 2:00am, my toddler woke up demanding nourishment so I put
250ml of milk in the microwave to heat.  It was dark and I wasn't too well
coordinated with the result that I spilled the milk.  Most went on the
kitchen counter, some on the touch pad and a few drops went into the door
latch mechanism.  I cleaned the mess, heated more milk and all was fine. 
     The next morning was not quite so fine: the microwave worked normally
except that it turned on when the door was open! A small amount of milk had
seeped (I suspect through the door latch) into the electronics causing a
bizarre and highly unsafe failure.  I was especially disturbed because a
microwave hazard is invisible.
     My point is that a very important safety requirement - the magnetron
must not be on when the door is open - had been implemented in logic with
other routine functions.  An old design would have used a mechanical switch
to disable the magnetron when the door was open.  Computerized logic systems
allow inexpensive implementation of a broad range of features by treating
all functions and all signals uniformly.  Unfortunately, such uniformity
does not normally permit special safeguards for critical functions.  A
robust design would use separate systems for activation and safety.
                                                                        Don
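
The design point in the post above (a safety interlock kept separate from the control logic), shown as an added example that is not part of the original post: a stuck-at fault enumeration in Python over two constructed models of the oven. The node names `door_sensor`, `controller_out` and `interlock_switch`, and both circuit models, are assumptions made for illustration.

```python
from itertools import combinations, product

# Constructed models. Each returns True when the magnetron is energised.
# `fault` maps a node name to the value it is stuck at (True or False).

def uniform_logic(door_closed, start, fault):
    """Door state is just another input to the one controller."""
    sensor = fault.get("door_sensor", door_closed)
    return fault.get("controller_out", start and sensor)

def separate_interlock(door_closed, start, fault):
    """Same controller, plus an independent door switch in series with power."""
    sensor = fault.get("door_sensor", door_closed)
    ctrl = fault.get("controller_out", start and sensor)
    interlock = fault.get("interlock_switch", door_closed)
    return ctrl and interlock

UNIFORM_NODES = ("door_sensor", "controller_out")
SEPARATE_NODES = ("door_sensor", "controller_out", "interlock_switch")

def hazardous(design, fault):
    """True if, under these faults, the magnetron can run with the door open."""
    return any(design(False, start, fault) for start in (False, True))

def minimal_cut_sets(design, nodes, max_faults=2):
    """Smallest stuck-at fault combinations that reach the hazardous state."""
    found = []
    for k in range(1, max_faults + 1):
        for chosen in combinations(nodes, k):
            for values in product((False, True), repeat=k):
                fault = dict(zip(chosen, values))
                # Skip supersets of a fault set already known to be hazardous.
                if any(set(s.items()) <= set(fault.items()) for s in found):
                    continue
                if hazardous(design, fault):
                    found.append(fault)
    return found

if __name__ == "__main__":
    for name, design, nodes in (
        ("uniform logic", uniform_logic, UNIFORM_NODES),
        ("separate interlock", separate_interlock, SEPARATE_NODES),
    ):
        print(name)
        for cut in minimal_cut_sets(design, nodes):
            print("   hazard with:", cut)
```

In this model the uniform design has single-fault paths to the hazard, while the separate interlock needs two simultaneous faults. That result holds only while the faults are independent: one spill that reaches both the sensor and the interlock is a common-cause failure the enumeration does not capture.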


Corrections to Internet Security Plans (RISKS-8.43)

David M. Balenson <balenson@TIS.COM>
Thu, 23 Mar 89 15:00:06 EST
For the record ...

... the New York Times article by Vin McLellan on March 21st (Volume 8,
Issue 43) regarding the "Internet Security Plans" incorrectly included Texas
Instruments (TI) Inc. in the list of representatives responsible for the
Internet standard.  In fact, Trusted Information Systems (TIS) Inc., a small
privately-owned computer and communications security consulting firm based
in Glenwood, Maryland, is one of the representatives responsible for the
Internet standard.  Furthermore, Dartmouth College was inadvertently
omitted from the list of representatives.

I should also mention that the article fails to point out that the Internet
mail messages themselves are actually protected using the Data Encryption
Standard (DES) and that RSA is only used to protect and distribute the DES
keys.

-David M. Balenson,  Trusted Information Systems, Inc.    (301) 854-6889
