Human-Nets-Request%rutgers@brl-bmd.UUCP (Human-Nets-Request@rutgers) (02/09/84)
HUMAN-NETS Digest      Thursday, 9 Feb 1984      Volume 7 : Issue 17

Today's Topics:
    Queries - Denying Access to Computers &
              The "World" of Computer Science &
              The Wolfe Computer Exam,
    Response to Query - Silicon Gulch Gazette,
    Computers and the Law - Notification of Database Entry (2 msgs),
    Computer Security - Access Criteria,
    Computers in the Media - Other uses of the name "WORLDNet",
    Computers and People - Telecollaborated Simulation
----------------------------------------------------------------------

Date: 30 Jan 1984 0032-EST
From: Greg Skinner <Uc.Gds at MIT-EECS at MIT-MC>
Subject: Denying access to computers

Does a legal precedent exist for denying someone access to a computer? For example, say a computer facility is in the habit of granting guest users accounts on their machine on a person-to-person basis, in other words, they can deny certain persons accounts if they so desire. Is the facility acting legally? May the person who is being denied the account sue the facility for a violation of civil rights?

You may respond to me in person or via this newsgroup.

--greg
Gds@XX (ARPA)
{decvax!genrad, ihnp4, eagle!mit-vax}!mit-eddie!gds (UUCP)

------------------------------

Date: 30 Jan 1984 0044-EST
From: Greg Skinner <Uc.Gds at MIT-EECS at MIT-MC>
Subject: the "world" of computer science

I had a discussion with a friend of mine about the world of computer science. I described it as a "world" in the sense that it has everything the outside world has (media, politics, religion of a sort, art, etc.) plus a degree of romanticism, fantasy, etc. I elaborated on that aspect of computer science by giving examples of the language of a computer hacker (grokking the monitor, moby code), descriptiveness (having a magic program that guns people), and its relationship to other works of sf and fantasy (many computer systems model themselves after Lord of the Rings, The Hitchhiker's Guide to the Galaxy, The Wizard of Oz, etc. in their host and/or device nomenclature).
If you're not sure what I'm getting at, what I'm trying to do is solicit your opinions on whether or not the world of computer science is in fact a world within a world, or if it is a fantasy world, or both, or neither. I'd appreciate serious responses to this (although humorous ones won't be unwelcome) as I may use your ideas (anonymously, of course) in my argument.

--greg
Gds@XX (ARPA)
{decvax!genrad, ihnp4, eagle!mit-vax}!mit-eddie!gds (UUCP)

------------------------------

Date: Wed, 1 Feb 84 01:46:12 CST
From: Stan Barber <sob@rice>
Subject: wolfe computer exam

I need to find out about the Wolfe Computer Competency Exam. It is produced by the Wolfe Computer Testing Co in New Jersey. If anyone has heard about it, I would appreciate your comments and help in locating any research or resources concerning this exam (or similar).

Thanks
Stan Barber
Department of Psychology
Rice University
Houston TX

sob@rice (arpanet,csnet)
sob.rice@rand-relay (broken arpa mailers)
...!{parsec,lbl-csam}!rice!sob (uucp)
BBS:(713) 660-9252 (Bulletin Board)

------------------------------

Date: 30-Jan-84 10:41 PST
From: Kirk Kelley <KIRK.TYM@OFFICE-2>
Subject: Silicon Gulch Gazette

The name of the advertising newspaper Jim Warren put out for the original West Coast Computer Faires, and sundry related projects down in Silicon Valley, was called the Silicon Gulch Gazette. That may be because it came from his rustic home up in the Santa Cruz mountains.

 -- kirk

------------------------------

Date: Wednesday, 1 Feb 1984 13:56-PST
Subject: Re: HUMAN-NETS Digest, various ones
From: willis@Rand-Unix (Willis_Ware)

In HUMNETS (vol. 7 # 12), the following (partial) message appeared from R. E. Maas.
    Date: 14 January 1984 01:15 EST
    From: Robert Elton Maas <REM @ MIT-MC>
    Subject: Review-Rise of the Computer State

    I propose the following law: Once a year, any maintainer of a database that contains information on people indexed by social security number must inform each person so indexed (except those whose records haven't been modified since the last notification) of the existence of such records and of the means for examining them, either directly by sending mail or telephoning them, or indirectly by passing the list of SSNs to another database maintainer who promises (by sworn affidavit) to inform the people, again either directly or indirectly. Most database maintainers would pool their notifications to reduce overhead, but private databases which don't want "big brother" to know, just the individual persons to know, may opt for direct notification, and of course the place where the buck stops will directly notify on behalf of the whole consortium that feeds into it.

I'd like to offer the following comments. The idea of notifying all entrants in a database has been around a long time. It was first talked about during the early 70s in the deliberations of the Secretary's (HEW) Special Advisory Committee on Automated Personal Data Systems; this was the group whose report formed the intellectual foundation for the Federal Privacy Act of 1974. Later the Privacy Protection Study Commission, chartered by the Privacy Act and working during 1975-77, also considered it.

While the idea is appealing on the surface, the big problems would be the practical ones, notably the cost of preparing and mailing the notices plus the difficulty of making a strong positive cost-benefit argument. Consider two of the largest databases at the Federal level: the Social Security Administration and the IRS; both of them are indexed by SSN. Most entries in each will change each year; SSA will make payments and receive deductions and the IRS will receive tax returns.
The population of the country is now about 225 million, so there is probably 125 million or more taxpayers and a correspondingly large number of individuals who contribute to or receive funds from the SSA. Even if these two agencies combined their notices, a mailing or any other process of notification would be a massive undertaking. Furthermore data processing installations in the government generally do not enjoy the most recent state-of-art; for the most part they will not have the level of technical sophistication that most readers of HUMNETS would automatically expect. Thus, for many Federal databases (also organized by SSN), the system would not be able to ascertain which records had been changed during the year.

To add another practical problem -- the address-of-record may very well be different from one database to the next; the amount of address-change activity is surprisingly large and in many cases, differing addresses are used for legitimate but legal purpose. So, combining notification across agencies would not necessarily work well. And one more difficulty: identification of individuals is not consistent across databases; this is one of the better unplanned but effective protections against computer matching of files. It would also inhibit the combining of notifications from several sources.

Whatever one thinks about the Postal Service, many mailings of large size would be a non-trivial additional burden. The only such large mailing that comes to mind is the annual IRS outpouring of tax forms to all taxpayers but these are mailed from the many regional processing centers that IRS has. Nonetheless, the example is the existence proof that it can be done -- at least once per year by the USPS.

The private sector pales when such suggestions are made to it. The position generally is that the cost of such notifications is not warranted by the threat to people nor the expected benefit to be received.
It is dreadfully easy in a forum like HUMNETS to assume that the views of its participants are a proper representation of the views of the country. No way!! We who read this Digest are a minority group, and even if one adds all the others who are likely to be well informed and to have sound opinions on privacy matters, it is still a minority group and by no means a cross-section of the country. For the most part, most recipients of such notifications would be disinterested and could care less about whatever they revealed. It is for reasons such as this that it is so hard to create an advocacy position for privacy issues of various kinds.

The basic point is sound though; one does not have a good mechanism for knowing where records about him exist or what they contain. It's a hit and miss proposition and even individuals who are well informed and adroit in tracking down things will occasionally be startled to uncover a new and unexpected collection of data.

Willis H. Ware
Rand Corporation

------------------------------

Date: Fri 3 Feb 84 10:38:40-PST
From: Richard Treitel <TREITEL@SUMEX-AIM.ARPA>
Subject: Re: HUMAN-NETS Digest V7 #16
To: dehn@MIT-MULTICS.ARPA

In response to Dehn's questions:

    How do you feel about the fact that at this very moment my computer has your name in it, together with several other facts about you? How am I supposed to go about showing my legal right to keep it? WHAT ARE YOU GOING TO DO ABOUT IT? If I can't keep information about other people in my computer, what can I keep?

That depends on what the other facts about me are! If they include, for example, my checking account balance, then I am quite annoyed. If they only include facts which I have made public myself, or which are an inevitable result of my use of this system, then fine. I don't think you should have any legal right to keep information about me other than that which I have chosen to make available.
Of course, I can't do anything about it at the moment; that is what I would like to see changed.

This may surprise you, but I don't keep files of information about other people in my computer; I keep programs, output data, drafts of papers, and so on. However, I've got no objection to your keeping information about other people, provided they consent to this, or indeed about me, within certain limits. I'm willing to be reasonable (??!?) about data which are not too personal.

Information stored in your head does not worry me nearly so much as information on a machine, because it is not (yet) the case that N million people can tap into your head and read the data at high speed -- and you probably can't sort and index it the way a machine could, mapping from (say) my driver's license number to my mailing address in a millisecond (unless I was the only person in your database ...).

- Richard

------------------------------

Date: Wednesday, 1 Feb 1984 13:56-PST
Subject: Re: HUMAN-NETS Digest, various ones
From: willis@Rand-Unix (Willis_Ware)

Two people have commented in recent issues of HUMNETS [e.g., v 7 #9] that suspending a login attempt after several failed tries can seriously intrude on the capability of a system by denying access to legitimate users. These observations were made in response to my testimony before Congress on October 14 [published in HUMNETS some issues ago]. The point is well taken, but clarification is in order as to what I really said.

First of all I did not propose that this approach be universally applied, nor did I take a position with regard to its effectiveness or desirability. My testimony is quite explicit that I was only describing one installation that has used such a scheme; it was an illustration (for Congress) of what can be done.
Moreover, one must understand that the Los Alamos National Laboratory undoubtedly did a careful examination of its circumstances, including the perceived threat from penetrators and the risk of service denial and the inconvenience to users, before implementing it. For one organization in one set of circumstances guarding against one perception of threat, it was judged an appropriate approach. For other organizations in different circumstances, it might well not be. Especially it might not be appropriate for facilities that primarily support dial-in users.

This discussion prompts me to stress a point that I don't recall appearing in HUMNETS. The HUMNETS discussions have focussed on small parts of the problem whereas the security protection issue is one of many dimensions. No security safeguard is a panacea nor is any one absolute. For every installation, its managers must decide what threat exists and what part (or all) of it is serious enough to warrant safeguards. Then they must decide on an economic/technical basis what array of safeguards -- technical (hardware, software), managerial, administrative, procedural.... -- provide the desired protection at an affordable or acceptable cost, and what policies are essential to enforce them.

In the end, the choice of security safeguards is basically an engineering-economic analysis at the system level. The point is not new; it is often called risk analysis or risk management. It partially explains the quite different views held by managers within government and those in the private sector; the perception of the threat and its details are quite different in the two places.

At the Federal level, a series of documents called Federal Information Processing Standards provide guidance and insight to government agencies faced with the issue of implementing safeguards in computer systems. In the private sector, a variety of specialized consultants and companies have materialized to assist with the matter.

Willis H. Ware
Rand Corporation

------------------------------

Date: 3 Feb 84 16:17:43 EST
From: Dave <Steiner@RUTGERS.ARPA>
Subject: Other uses of the name "WORLDNet"

Seems that someone has used the term WORLDNet in another manner before we could get a world-wide computer network up of the same name. Oh, well....

n100 2027 02 Feb 84
AM-NEWSSUMMARY
c.1984 N.Y. Times News Service

The New York Times news summary for Friday, Feb. 3, 1984:

WASHINGTON - An advanced USIA news service was announced by the Reagan administration. The USIA said it planned to use communications satellites to enable reporters around the world to question officials in Washington or wherever they might be. The system, to be called Worldnet, would provide three hours a day of two-way television news conferences.

nyt-02-02-84 2314est

------------------------------

Date: 30-Jan-84 22:08 PST
From: Kirk Kelley <KIRK.TYM@OFFICE-2>
Subject: telecollaborated simulation

This refers to the model of&for a world-wide telecollaborated simulation in HN #14. The equation directly measuring the existence of the project was represented for one time unit in the simulation as:

    change_messages = student_changes + modeler_changes.

Assuming

    student_changes = students * changes_per_student
    modeler_changes = modelers * changes_per_modeler

an important focus becomes how people become students, then become modelers, and finally cease to participate. It is unclear exactly what will be the most important factors, but a few of the most obvious can be identified.

    students = lasttime's students + new_students - lost_students.
    new_students = lasttime's non_players * new_interest.
    lost_students = lasttime's students * (graduation_rate + disinterest_rate + disable_rate).
    modelers = lasttime's modelers + graduates - lost_modelers.
    lost_modelers = lasttime's modelers * (disinterest_rate + disable_rate).
    disable_rate = human_death_rate + discommunication_rate.
The human death rate could be modeled initially by integrating one of the existing world models. These telecollaborated simulation equations could be placed into the service-capital sector of such a model. Thus the human death rate would affect this project's simulation of its own life time.

Is it possible for this project, in turn, to also significantly affect the human death rate? What if it encouraged the design and implementation of systems that teach skills for living well while focusing research on global survival issues?

 -- kirk

------------------------------

End of HUMAN-NETS Digest
************************