[fa.human-nets] HUMAN-NETS Digest V7 #21

Human-Nets-Request%rutgers@brl-bmd.UUCP (Human-Nets-Request@rutgers) (02/23/84)

HUMAN-NETS Digest       Wednesday, 22 Feb 1984     Volume 7 : Issue 21

Today's Topics:
                         Query - Whiz Kids??,
          Computers and the Law - Person Numbers (2 msgs) &
               Database Information Reporting (2 msgs),
         Computers and People - Security Backdoors (3 msgs),
                  Information - Satellite Insurance
----------------------------------------------------------------------

Date: Thursday, 16 Feb 1984 03:45:17-PST
From: dave porter  <decwrl!rhea!krikit!porter@Shasta>
Subject: Whiz Kids ??



Human-Nets occasionally refers to a TV programme called "Whiz Kids"
which seems to have a plotline dealing with computer hackers and the
like.

Anyone care to send in a brief outline of the programme, for the
benefits of any readers in parts of the world that don't get it?
(Since my net address is probably meaningless to most of you, let me
point out that I'm in Reading, England.)

dave

------------------------------

Date: Thursday, 16 Feb 1984 08:10-PST
Reply-to: imagen!geof@shasta
Subject: National Databases and National Socialism - lest we forget




In European countries under occupation during World War II, government
offices were ``burglarized'' with such information as social security
files and tax information stolen shortly before the rounding up of
Jews and other ``undesirables.''  Sometimes even the most well-meaning
government assurances don't help.  If the data is there, the potential
for abuse exists.

- Geof

------------------------------

Date: Thursday, 16 Feb 1984 08:50:47-PST
From: decwrl!rhea!krikit!porter@Shasta
Subject: Person numbers

Interested to see comments on `person numbers' in a recent hnt. In the
UK there has been a recent move to introduce plastic cards with
magnetic stripes as a replacement "National Health Service card".

An individual has an NHS number, which is sort of like a social
security number. However, this number doesn't seem to get used all
over the place.  The only place I can remember seeing mine written
down is on my "National Health Card", and THAT's only a piece of thin
card that I present to the doctor when I register with a new doctor,
and I think that's only useful to him so that he can claim me as a
registered patient and ask the Government for some money for looking
after me.

My pay slip does have a slot labelled "NI Number". However, the
contents are blank.  This might be because I didn't tell them my NI
number (well, how would I know what it is anyway?) or because they
didn't ask me; I can't remember.

Excuse the rambling aside... anyway, the protagonists of the plastic
cards say that there's no big deal about it, the cards merely contain
the same information that the old cards did, just encoded differently.

I see it another way; I see it as the first move towards establishing
a unique, easy-to-digest handle on an individual. Just like an
American social security number now is. No, thank you. I prefer my
bent piece of cardboard which I lose all the time anyway (each time I
move and register with a new doctor, I am indeed unable to find my NHS
card).

A final historical note: apparently, we used to have some numbering
scheme for people, probably introduced to control rationing during
WW II.  However, the system was dismantled in 1951 (I believe) owing
to abuse of it.

dave

------------------------------

Date: Thu, 16 Feb 1984 09:55:01 EST
Subject: Database Access and Reporting
To: wmartin@office3

     In regard to the discussion about the contents of databases, I'd
just like to relate a true story that is, in fact, still in progress.

     About a year ago, one of the people I live with was the victim of
a purse-snatching.  Like any sensible person, she immediately reported
the loss of the contents -- credit cards, checkbook, driver's license,
library card, and so on.  Within a few weeks, everything except the
$40 or so in cash had been replaced.  The criminal was never caught,
and she assumed after some months that the case was closed.
     Unfortunately, this was not the case.  About nine months after
the crime, she began to receive dunning letters from various chain
stores located 30-60 miles from our home, claiming that she had
written bad checks in payment of bills.  None of these were places
she'd ever stopped.


     After some investigation, it was determined that what had
happened was this: several months after the original robbery, someone
took several of the pieces of id found in her handbag, split them
open, and replaced the photos with different pictures.  They then went
to several local banks and opened checking accounts using my friend's
name, but a different address (claiming that she was awaiting new id
after a recent move, according to one of the banks involved).  These
accounts, which had my friend's social security number as the tax id
on them, were used to write the bad checks.
     The various stores found my friend by hiring dunning agencies,
which, in turn, used private detectives to locate her.  She had to
take several days off from her job to go and personally visit the
banks to prove that the accounts were not really opened by her, and
also had to do a fair amount of letter writing to explain all this to
the credit departments of the stores.
     In one case, the store used one of the national
check-verification-by-phone services to approve the bad check.  This
service has its "local" branch located about 45 minutes drive from our
home, and has repeatedly told my friend that unless she makes a
personal visit to them, they will not clear the record they hold on
her, since her various notarized statements are, apparently, not
sufficient.  She is, needless to say, having her lawyer look into the
legality of this behavior.  In the meantime, her credit rating is, in
part, impaired through a set of actions that were in no way her
responsibility or fault.  The incorrect info remains in a
nationally-accessible database used by a fair number of
check-verification firms, and she has no access to it, even to correct
clearly untrue statements.  (In my opinion, she may have grounds for a
suit under the Fair Credit Protection Act, but I'm waiting to see what
her lawyer says...)
     Clearly, there is a problem with the way this database is being
maintained, a problem which the existing law seems not to be
correcting (unless, that is, the check-verification firm is merely
flagrantly violating the law, believing that nobody will bother to
prosecute them...).  Any suggestions for improving the way databases
are handled should, clearly, deal with such situations.

--Dave Axler

------------------------------

Date: 19 February 1984 08:59 EST
From: Robert Elton Maas <REM @ MIT-MC>
Subject: Notification of individuals re database entries
To: WMartin @ OFFICE-3

    Credit-extending organizations (like department stores or bank
    card offices) should be required to include a summary of the info
    they have on file with the statement once a year -- thus this
    would be NO added mailing cost.

Unfortunately unless you receive your mail at a locked box and nobody
else, even in your family, has access to that box, it's too easy for
such mailing to go astray, especially since somebody wanting that info
knows (could easily find out) when it'll be mass-mailed, and stage a
sweep of all mailboxes in a geographic area. This is worse than
sending 4-digit ATM passwords in the mail, which might get stolen, but
which are sent at random times when a privacy-invader wouldn't know
when to look for it and certainly couldn't conduct a sweep.

On the other hand, if the info is sent out only on request, it would
complicate the system too much to send it in the same envelope as some
monthly billing, so it would have to be sent under separate cover the
way 4-digit ATM passwords are now, voiding your claim of no additional
mailing cost.

------------------------------

Date: Thu, 16 Feb 84 10:53 EST
From: TMPLee@MIT-MULTICS.ARPA
Subject: WarGames & Backdoors
Cc: mrc@SU-SCORE.ARPA

Perhaps the allegation about backdoors was slanderous if it implied it
to be a common phenomenon (I don't remember exactly what it said), but
in fact they do exist and for the sort of purposes hypothesized in the
movie.  It turns out that all the computer security vulnerabilities
used as plot devices in the movie WERE IN FACT BASED ON REAL-WORLD
EVENTS.  Admittedly there was a lot of artistic license, the human
factors were unbelievable, and the AI stuff at the end horrible
science fiction, but the security stuff wasn't all that bad for a
popular portrayal.  I know of at least two incidents really involving
backdoors or "time bombs"; one moderately serious, the other not.
Don't ask me for details, however -- it is common courtesy NOT to
discuss them in public.

Ted

------------------------------

Date: Thu 16 Feb 84 22:14:46-PST
From: Mark Crispin <MRC@SU-SCORE.ARPA>
Subject: Re: WarGames & Backdoors
To: TMPLee@MIT-MULTICS.ARPA

     While "backdoors" or "time bombs" may exist, the implication
of their being commonplace is grossly exaggerated.  Some of these
"real world events" may be totally blown out of proportion.  For
example, how many of these "backdoors" turn out to be merely that
a former employee's account was not deleted when that employee
left?  Just because that account wasn't deleted doesn't mean the
ex-employee left a "backdoor".  An explanation for either a
"backdoor" or a "time bomb" could be a legitimate design flaw
which, after later reflection, the designer recognizes but is
unable to repair.

     The most absurd thing about "Wargames" was the suggestion
that a "red" system would be accessible on the public telephone
network.  The US military isn't *that* foolish.  Reports on how
"red" systems are secured are unclassified.  If you want to know
about "red" systems on Milnet, read BBN Report 1822, with special
attention to the section on Private Line Interfaces.  To be
brief, "red" systems can only talk to other "red" systems; they
cannot talk to "black" systems nor can "black" systems talk to
"red" systems.  Any Milnet site you can Telnet, FTP, or Mail to
is "black", not "red".

------------------------------

Date: 18 February 1984 06:07 EST
From: Jerry E. Pournelle <POURNE @ MIT-MC>
Subject: "Wargames"
To: MRC @ SU-SCORE

uh -- truth is an absolute defense at libel and slander suits --
are you sure "back doors" aren't fairly traditional?

------------------------------

Date: 14-Feb-84 02:51 PST
From: William Daul  Tymshare OAD  Cupertino CA  <WBD.TYM@OFFICE-2>
Subject: Satellite Insurance
To: space@mit-mc
Cc: DIA.TYM@OFFICE-2, SGK.TYM@OFFICE-2, PAMV.TYM@OFFICE-2

From COMPUTERWORLD (Feb 13, 1984 p. 11)

   Will mishap hike insurance rate?

      NEW YORK -- The insurance industry is feeling repercussions from
      the failures to properly launch two $75 million communications
      satellites from the space shuttle Challenger this month.

      The Westar VI communications satellite owned by Western Union
      Co. was insured for $105 million; Western Union had paid a
      premium of about $5.5 million for the policy.  Alexander &
      Alexander Services, Inc., a New York brokerage company, was the
      underwriter for the policy, according to a Western Union
      spokesman. ...

------------------------------

End of HUMAN-NETS Digest
************************