[comp.risks] RISKS DIGEST 11.09

risks@CSL.SRI.COM (RISKS Forum) (02/15/91)

RISKS-LIST: RISKS-FORUM Digest  Thursday 14 February 1991  Volume 11 : Issue 09

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

  Contents: [A CALL-BY-VALentine saves "nein"?]
Vote-by-fax plan before [CA] Legislature (clarinews via Eric Postpischil)
Douglas goes fly-by-wire (Martyn Thomas)
Vietnam Vet's Memorial article ambiguous (Sam Levitin)
Tax Preparation (Peter Jones)
Collection of Evaded Taxes (Cameron Laird)
Singacard anyone? (Bill J Biesty)
Re: the new CA driver license (Ian Clements, Curt Sampson)
Re: automatic flight and seasickness (Lars-Henrik Eriksson)
Follow-up to wireless network (Frank Letts)
4th Annual Ides-of-March Virus & Security Conference (Judy S. Brand)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in 
 good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive 
 "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
 FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR> (where i=1 to 11, j is always TWO digits. Vol i
 summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye" logs out.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues
 of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: 6 Feb 91 02:49:14 GMT
From: clarinews@clarinet.com
Subject: Vote-by-fax plan before Legislature
Newsgroups: clari.tw.telecom,clari.news.hot.iraq,alt.desert-storm
Keywords: state government, government, election, politics, fighting,
Reply-To: info@clarinet.com (For More Information)
Article 6531 of alt.desert-storm:
Path:  shlump.nac.dec.com!news.crl.dec.com!deccrl!bloom-beacon!snorkelwacker.
  mit.edu!hsdndev!wuarchive!uwm.edu!lll-winken!looking!clarinews

[Provided for USENET readers by ClariNet Communications Corp.  This copyrighted
material is for one-time USENET distribution only.]       [SEE END OF MESSAGE!]
	SACRAMENTO (UPI) -- Troops fighting in the Persian Gulf could vote in
California elections by using fax machines to cast their ballots under
legislation announced Tuesday.
	The measure, SB293, would amend the state Elections Code to allow
members of the military and other California voters temporarily living outside
the United States to fax absentee ballot applications to county election
officials.
	County officials would then use fax machines to send absentee ballots
to overseas voters, who could return the completed ballots by fax.
	``Even when applications for overseas absentee ballots are received
early in the process, ballots sent halfway around the world sometimes arrive
too late to be returned by mail before the close of polls on Election Day,''
Secretary of State March Fong Eu said.
	``This legislation would allow overseas voters, such as those members
of the armed forces stationed in the Middle East as part of Operation Desert
Storm, to fax their voted ballots back in time to be counted,'' she said.
	The bill is coauthored by state Sen. Milton Marks, D-San Francisco, and
Assemblyman Peter Chacon, D-San Diego.
	Only a few people stationed at U.S. embassies, working at projects
overseas, and members of the military would be expected to take advantage of
the vote-by-fax program, Eu's spokeswoman Melissa Warren said.
	``The numbers aren't huge. We aren't expecting large numbers of people
to participate,'' she said.
	Several states accepted vote-by-fax ballots during last November's
elections, Warren said. If the measure is quickly passed by the Legislature and
signed by Gov. Pete Wilson, the first California election with fax voting would
be the March 19 special elections for two state Senate seats and one Assembly
seat.
	Marks said he would rush the measure through the Legislature. ``It
seems only fitting that at a time when we are engaged in a military struggle
with a ruthless despot, we make this effort to provide our servicemen and women
with the most important franchise of our democratic system -- the right to
vote,'' he said.

    [This item submitted to RISKS by Eric Postpischil <edp@jareth.enet.dec.com>.
    THE RESPONSE FROM clarinews@clarinet.com TO PGN's REQUEST FOR PERMISSION TO
    REUSE THE ABOVE IN RISKS IS From: Brad Templeton <brad@looking.on.ca>:
      "The one time statement indicates you have to ask for more.  You did, so
      I'll grant permission for RISKS in electronic form.  (We are unable to 
      grant permission for print forms).  Brad"]

         [Nice phrase, "take advantage" of it!!! Nice opportunities for 
         voter fraud?  I hope some sort of authentication is planned...  PGN]

------------------------------

Date: Thu, 14 Feb 91 13:19:09 GMT
From: Martyn Thomas <mct@praxis.co.uk>
Subject: Douglas goes fly-by-wire

McDonnell Douglas has switched to a full fly-by-wire flight control system
for its MD-12X, reports Flight International (13-19 Feb 1991, p4).

"With fly-by-wire we are able to retain the flying qualities of the aircraft
and more easily resemble MD-11 [handling]". "The benefit is predominately in
the area of cross-crew training". "A fly-by-wire aircraft should also be
cheaper to produce". [quotes from MD-12X management].

The control system will be modelled on that developed by GE aerospace for the
USAF C-17 airlifter.

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel:	+44-225-444700.   Email:   mct@praxis.co.uk

------------------------------

Date: Thu, 14 Feb 91 06:39:12 PST
From: Go Mossad!  14-Feb-1991 0938 <levitin@cadsys.enet.dec.com>
Subject: Vietnam Vet's Memorial article ambiguous (Johnson, RISKS-11.08)

RE: Jeff Johnson's article in RISKS 11.08 about the Vietnam Vets' memorial and
a photo in the SF Chronicle, I didn't see the photo, but I do know that there
is a possibility that this situation is *not* due to a typo. On the Vietnam
Veterans' Memorial in DC, there is a set of symbols: one to denote "Killed" (a
cross?), one for "Missing in Action", and "Formerly MIA but now known to have
survived" (a circle?).  The symbol used for MIA can be further carved in one
way to become the symbol for Killed in Action, and can be further carved in a
different way to become the symbol for "Formerly MIA".

Because I don't know which symbol appeared next to Eugene J. Toni's name on the
monument, I won't comment on the possibility of a typographical error, as
reported by the Chronicle. However, the language in the caption (or perhaps the
title of Johnson's RISKS article) makes it too easy for the reader to believe
that Toni was formerly believed killed.

Sam Levitin	Digital Equipment Corporation	

------------------------------

Date: 	Thu, 14 Feb 91 12:12:12 EST
From: Peter Jones <MAINT@UQAM.bitnet>
Subject: Tax Preparation

Today, I saw an advertisement in the mail about a new service on Bell's ALEX
service offering income tax preparation assistance. Customers can supply income
tax information and then order completed forms by mail. The RISKS I see are:

1) Transmitting confidential data in the clear over public phone lines.

2) Giving the service provider potential access to a lot of confidential
   information: SIN (SSN in the US), income, address, credit card number,...
   I found no mention of safeguards of confidential information when I
   browsed the literature.

3) Possible loss of all data entered if the phone connection is broken
   (unless the system provides a checkpoint facility). I don't want to
   spend $$$ to find out.

4) Underestimation of costs. The literature quotes about $12 for mailing,
   and this ALEX service costs $0.15/min. The literature estimates connect
   time to be 30 minutes for a couple. So we're talking about $35 or so here,
   and this may be optimistic (see 3, especially if the phone has Call
   Waiting.)

5) The system only covers certain basic forms (this is stated in the
   literature). So you have to be fairly knowledgeable about income tax to
   decide if the system is worth using.

Peter Jones  (514)-987-3542    UUCP: ...psuvax1!uqam.bitnet!maint
Internet:Peter Jones <MAINT%UQAM.bitnet@ugw.utcs.utoronto.ca>

------------------------------

Date: Mon, 11 Feb 91 09:47:17 CST
From: news@lgc.com (Cameron Laird)
Subject: Collection of Evaded Taxes

Comp.risks supports continuing discussions on advantages and disadvantages of
automation of financial transactions; most recent was a proposal for an
AmeriCard, which would facilitate or enforce movement of all purchases to
equipment which would record those purchases.  One of the advantages claimed
for such schemes, including Mr. Gorbachev's latest "monetary reform", is that
they'll flush not-fully-taxed activities into the spotlight of tax enforcement
agencies.  For example, if you rebuild your neighbor's carburetor in exchange
for him removing the dying tree in your backyard, the Internal Revenue Service
expects you both to declare those (imputed) incomes and pay corresponding taxes
on them.  Thus, as an article in the 21 January 1991 *Forbes* asks,
"Politicians of all stripes love to claim the federal deficit can be cut by
cracking down on tax cheats.  Why cut spending when the IRS has $78 billion in
total accounts receivable and is losing $100 billion a year to tax evasion?"

The article's conclusion: "The argument ... grossly exaggerates the IRS'
ability to raise more money through tougher enforcement."  Note that the Agency
has strong institutional pressures to overestimate its capabilities.  Most
interesting from the point of view of economic science is the (unsupported)
assertion that, "As for outright cheating, even the IRS' toughest audits find
less than half the evasion it claims goes on."  In the midst of tendentious
estimates and murkiness, there's a real value in looking at the actual
operating experience of, for example, the IRS.

I've marked the distribution of this note for "world" because it's at least as
great an issue outside the USA.  France, for example, sometimes prides itself
on the vigor with which its citizens fail to co-operate with tax agencies; from
my little experience there, though, I can report that people were generally
more law-abiding than they should have to be, given the confusion those
agencies generate.

The article does make one incomplete reference to a scholarly study.  The
reporter might be willing to help someone pursue the subject; I've known some
who do, and some who don't.

I summarize: for the reasons others have already stated in comp.risks, tax
enforcement does *not* yield the windfalls some expect of it; in particular,
the IRS' own records suggest much lower returns than they estimate in their
reports to Congress.

Cameron Laird		USA 713-579-4613	USA 713-996-8546 

------------------------------

Date: Thu, 14 Feb 91 09:33:35 CST
From: wjb@edsr.UUCP (Bill J Biesty)
Subject: Singacard anyone?

From the Wall Street Journal Wednesday, February 13, 1991, p.A7 c.1

  "Singapore Equals Push Buttons"
	From cashless shopping to electronic paperwork and even a computerized
  pig auction, Singapore is plugging its 2.6 million people into electronic
  grids linking the entire island nation.  It plans to build grids for
  shopping, booking tickets, checking data and sending documents.
	Singapore's small size and centralized bureaucracy simplified
  establishing the electronic groundwork.  All citizens carry a numbered
  identification card, allowing cross-indexing of data.  "The purpose ... is to
  turn Singapore into an intelligent island in which IT [information
  technology] will be fully exploited to improve business competitiveness and,
  more importantly, to enhance the quality of life," an education ministry
  official said.  A master plan, IT 2000, will be unveiled at year end.
	Already, TradeNet lets companies submit data electronically to the
  state and accounts for 90% of all trade documents.  The Network for
  Electronic Transfers, a cashless shopping system, has been operating for five
  years and is used by more than one-third of the population.
	Other networks include StarNet for air cargo, MedNet for Medical
  claims, and LawNet for company registry.  Coming next: "Smart Town," linking
  households.

I think it was mentioned in Risks, but it was mentioned in WSJ that Singapore
plans to install sensors in cars and roads and start taxing vehicle owners
based on usage rather than an average fee to cover maintenance costs of roads.

Considering Singapore's government, widely considered autocratic, though it is
democratically elected, this will probably be less than beneficial to the entire
populace.  (The Editorial and Letters pages of the WSJ recently had a debate on
this.  Nepotism seems to be one indicator. Sorry no dates.)

The risk involved is for those people whose idea of "quality of life" has
nothing to do with feeding the commercial/consumer dynamo.  Then again they
probably don't live in Singapore.

Another is as long as you're a good little consumer and a good little
entrepreneur you're ok.  The ability to catch laggards and other non-productive
types cannot be underestimated.  You've heard of sin taxes, Lazy Tax anyone?

What the article doesn't mention is how much independence exists for the
businesses that use the Nets.  Are the Nets a government service or control of
all players using them?  Will the Nets provide a situation similar to the
national airline reservation system(s) or will they nationalize industries
under monarchical control?

Bill Biesty, Electronic Data Systems Corp., Research and Advanced Dev., 7223
Forest Lane, Dallas, TX 75230 edsr.eds.com!wjb wjb@edsr.eds.com 214-661-6058

------------------------------

Date: Mon, 11 Feb 91 8:00:32 PST
From: ian@lassen.wpd.sgi.com (Ian Clements)
Subject: The new CA driver license (RISKS-11.07)

 In RISKS 11.04 Mark Gabriel writes about privacy issues concerning the new CA
driver's license.  In issue 11.07 David Redell responds with two points
concerning recent privacy legislation and the clerk's right to certain parts of
the information.

 Like many modern marvels, the magnetic strip is easily defeated.  If you're
concerned about what a clerk may or may not record or know about you, run a
magnet down the stripe.  This will render the stripe useless and the clerk (or
police officer) will once again have to rely on mechanical recording.

 I would be more concerned about the possibilities for abuse of this new
technology.  Insurance companies will surely ask potential customers for a
driver's license to check the driving record (given CA's new insurance rules,
there is much incentive to bit twiddle)--how long will it be before someone
figures out how to rearrange bits on the stripe?

--ian   Ian Clements   ian@sgi.com 415/962-3410 

------------------------------

Date: Sat, 09 Feb 91 10:40:56 PST
From: curt@cynic.wimsey.bc.ca (Curt Sampson)
Subject: Re: The new California licenses (Hibbert, RISKS-11.03)

> This track will only contain 40 bytes of information, and will only 
> contain the name, driver's license number, and expiration date.

This would not likely leave more than 32 bytes for the person's name.
Yet another problem.  <Sigh>

Coercivity is a measure of how much magnetic energy it takes to imprint or
erase a magnetic medium, and it is measured in oersteds.  The typical
coercivity of a cassette tape would be in the 280-380 oersted range.  The
typical coercivity of a high-coercivity tape (such as DAT or 8 mm video) would
be 1000-1400 oersteds.

30 oersteds is quite low (surprisingly low, in fact).  That may explain why my
bank card has been "zapped" twice in the past year.  3600 is quite high, but a
standard videotape eraser might be able to affect it if you put the stripe
right up against the surface.  (An audiotape eraser would not affect it.)

I have little doubt that a dedicated hardware hacker would be able to
come up with a unit to read from and write to the cards with little
difficulty.  The hardest part would probably be machining a head to read
the stripe.  I wonder if the data is going to be encrypted in any way?

cjs curt@cynic.wimsey.bc.ca curt@cynic.uucp {uunet|ubc-cs}!van-bc!cynic!curt

------------------------------

Date: Sun, 10 Feb 91 11:33:17 GMT
From: lhe@sics.se (Lars-Henrik Eriksson)
Subject: Re: automatic flight and seasickness (Bryant, RISKS-11.07)

   [Re: Bryant on "Olivier M.J. Crepin-Leblond" <UMEEB37@vaxa.cc.imperial.ac.uk>
   in RISKS-10.83]

I believe the original poster is right. I am a private pilot, and I have
noticed numerous times, that I do have a tendency to get sick when I go along as
a passenger. I have even noticed this tendency when flying the aircraft myself
with an instructor who tells me what to do.  When I fly as the
pilot-in-command, I have *no* problems with airsickness even on extended
flights in rough weather.

Lars-Henrik Eriksson, Swedish Institute of Computer Science, Box 1263, S-164 28
KISTA, SWEDEN      +46 8 752 15 09       

------------------------------

Date: Sun Feb 10 13:16:10 1991
From: frank letts <letts@ficc.ferranti.com>
Subject: follow-up to wireless network

There seems to be some question regarding the legality of the radio telemetry
testing I described in an earlier post.  The story was presented with a bent
toward the (objectively) humorous and the obvious risks presented by the
wireless network.  Left out was some information that, by its absence, led some
to believe that the operation was an illegal one carried out by "sickos" and
technically incompetent bozos.

The oil company held a valid FCC license for data transmission over the
frequency in its normal operation mode, and a temporary permit for same at low
power in the Houston facility.  While looking for the source of the
interference we did find some bad dummy loads which we replaced, but, following
that, our installation was on spec and fully legal.  We did determine that the
delivery driver(s) were running linear amps and were bleeding over onto
adjacent frequencies when transmitting.  That would explain their interfering
with our operation, but not our interfering with them.  Odds were that the
driver(s) only heard the buzzing while driving directly past our building.
They should have had no problem receiving or transmitting.

As far as the personnel are concerned, the engineer and technicians all held
FCC tickets, were highly qualified for the work, and had been in the business
for many years.  I have been doing data acquisition and communications software
for about twenty years and consider myself somewhat competent in the area.
None of us are necessarily sickos.  One of the techs probably qualifies as a
bozo, but he's a nice enough fellow and a decent tech.

I hope that this quiets any unrest out there.

Frank Letts, Ferranti International Controls Corp., Sugar Land, Texas
       (713)274-5509 

------------------------------

Date: Fri, 8 Feb 91 08:54:37 -0500
From: news@cs.purdue.edu (News Knower)
From: jsb@well.sf.ca.us (Judy S. Brand)
Subject: 4th Annual Ides-of-March Virus & Security Conference

	     Who SHOULD attend this year's Ides-of-March
	  Fourth Annual Computer VIRUS & SECURITY Conference
		 at the New York World Trade Center?
 
MIS Directors, Security Analysts, Software Engineers, Operations
Managers, Academic Researchers, Technical Writers, Criminal
Investigators, Hardware Manufacturers, Lead Programmers 
who are interested in:
 
WORLD-RENOWNED SECURITY EXPERTS:      CRIMINAL JUSTICE LEADERS:
     Dorothy Denning - DEC                  Bill Cook - US Justice Dept
     Harold Highland - Comp & Security      Donn Parker - SRI Intl
     Bill Murray - Deloitte & Touche        Steve Purdy - US Secret Service
     Dennis Steinauer - NIST                Gail Thackeray - AZ Attorney
 
UNIVERSITY RESEARCH LEADERS:        LEGAL/SOCIAL ISSUES EXPERTS:
     Klaus Brunnstein - Hamburg          Mike Godwin & Mitch Kapor - EFF
     Lance Hoffman - GWU                 Emmanuel Goldstein - 2600 Magazine
     Eugene Spafford - SERC/Purdue       Tom Guidoboni - (R.Morris' lawyer)
     Ken van Wyk - CERT/CMU              Marc Rotenberg - CPSR
 
PLUS Fred Cohen, Ross (FluShot) Greenberg, Andy (DrPanda) Hopkins, and
over 40 MORE!
 
Over 35 PRODUCT DEMOS including: Candle's Deltamon, HJC's
 Virex, McAfeeSCAN, Symantec's SAM, ASP 3.0, DDI's Physician,
 Gilmore's FICHEK, Certus, FluShot Plus, Iris's Virus Free, 5D/Mace's
 Vaccine, Norton Utilities, PC Tools, Quarantine, Viruscan, Panda's
 Bear Trap, Disk Defender, Top Secret, Omni, ACF2, RACF and OTHERS AS
 REGISTRANTS REQUEST.
 
FIFTY PRESENTATIONS INCLUDE:
 Security on UNIX Platforms, Tips for Investigators, HURRICANE Recovery,
 Dissecting/Disassembling Viruses, 6 Bytes for Detection, LAN Recovery,
 ISDN/X.25/VOICE Security, Encryption, Apple's Security, EARTHQUAKE Recovery,
 IBM's High-Integrity Computing Lab, US/Export Issues, 22-ALARM Fire Recovery,
 Publicly Available Help, Adding 66% More Security, NETWARE VIRUS Recovery,
 Next Generation of Computer Creatures, THE WALL STREET BLACKOUT Recovery,
 Mini Course in Computer Crime, Great Hacker Debate, REDUCING Recovery Costs,
 S&L Crisis: Missing DP Controls, OSI and the Security Standard, Virus Myths,
 Viruses in Electronic Warfare, US Armed Forces Contracts for New Ideas....
 
INTERESTED? ONLY $275 one day (Thurs 3/14 - Fri 3/15) or $375 both days:
 *  Bound, 600-page Proceedings containing ALL materials - no loose paper!
 *  Eight meal breaks, including Meet-the-Experts cocktail party 107th Floor
 *  2-day track of product demos      *  2-day course for ICCP Security exam
 *  Full-day Legal & Justice Track    *  Full-day disaster Recoveries Track
There is a $25 discount for ACM/IEEE/DPMA members.
Fourth member in each group gets in for no charge!

To register by mail, send check payable to DPMA, credit card number
 (VISA/MC/AMEX), or purchase order to:
      Virus Conference
      DPMA
      Financial Industries Chapter
      Box 894
      New York, NY 10268
 or FAX to (202) 728-0884.  Be sure to include your member number if
 requesting the discounted rate.  Registrations received after 2/28/91
 are $375/$395, so register now!

For registration information/assistance, call (202) 371-1013

Discounted rates available at the Penta Hotel.  $89 per night.  Call
 (212) 736-5000, code "VIRUS"
Discounted airfares on Continental Airlines, call (800) 468-7022, code EZ3P71 

Sponsored by DPMA Financial Industries Chapter, in cooperation with
 ACM SIGSAC and IEEE-CS.

------------------------------

End of RISKS-FORUM Digest 11.09
************************