Subject: RISKS DIGEST 17.30
REPLY-TO: [email protected]

RISKS-LIST: Risks-Forum Digest  Monday 28 August 1995  Volume 17 : Issue 30

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc.       *****

 Contents:
Re: Australia's proposed crypto policy (Ross Anderson)
Risks of automatic newspaper publishing (Jeremy J Epstein)
Database for Deadbeat Dads (Simson L. Garfinkel)
Two-Way HOV Lane (Chuck Weinstock)
To Bus or Not to Bus (John Deas)
Phone-mail woes (Bob Frankston)
Re: The traffic light does NOT think (Rich Lethin)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Sat, 26 Aug 1995 12:02:07 +0100
From: [email protected]
Subject: Re: Australia's proposed crypto policy (Denning/Orlowski, RISKS-17.29)

> Ross Anderson posted a message on the net recently stating that Australia
> was proposing an encryption policy that would force residents to use weak
> cryptography while banks would get key escrow.

Dorothy Denning goes on to say that I misinterpreted Mr Orlowski; that he
`is not proposing that individuals be forced to use weak encryption'.
Well, Orlowski is now wriggling like a lawyer, but I was there at the
conference, and on the panel with him afterwards. His paper states that

   `the needs of the majority of users of the infrastructure for privacy
    and smaller financial transactions can be met by lower level
    encryption'
and
   `Given that a large proportion of the population would not be using
    the higher level encryption products, application of key escrow for
    such products is less likely to create the type of adverse reaction
    seen to date. Government agencies and large financial institutions are
    more likely to accept the need for key escrow in the type of products
    which they use'
and
   `As mentioned earlier, I see encryption being utilised on two levels, a
    general level being used by the majority of users and a more
    sophisticated level with much more limited use. Intercepted messages
    under the first level may be able to be decrypted by the various
    interception authorities.

   `The second level would probably, however, require more sophisticated
    techniques in circumstances where the key cannot, for whatever reason,
    be recovered from escrow. This may be achieved by the establishment of
    a central decrypting unit which would receive, decrypt and transmit back
    messages'

He stated at this point, in a verbal aside, that the AG's department
considered itself the proper repository for this `central decrypting unit'.
As I summarised it in my original post to risks:

> 40 bit keys for the masses, 56-bit escrowed keys for the banks, and a
> Wiener machine sitting in Orlowski's office. Belt, braces and string.

Orlowski does phrase his comments as advocacy rather than prescription, and
he does have a disclaimer saying that these are his personal views, not
those of the Australian government.

But it emerged in the subsequent discussions that the paper did not really
represent his personal views at all. Not only was he unable to defend them
with any vigour during the panel, but he admitted that he had been told to
float the policy by his boss, who didn't want to appear himself out of fear
of the sort of fuss which greeted the Clipper chip in the USA, and the last
attempt to introduce ID cards in Australia. With a general election due, the
Keating government is vulnerable, and this clearly limits their spooks'
freedom of action.

Risks readers might like to know that the usual suspects - John Rogers from
the Australian Defence Signals Directorate and Mark King from GCHQ - were
prominent in the audience. King arrived on the same plane as me; he flew
business class and went off to a posh downtown hotel. I doubt that GCHQ paid
for all that out of idle curiosity.

Orlowski's article also states

   "Debate on these issues should be limited to the appropriate
    parties rather than widely promulgated on the network."

Curiously, I was not able to post to usenet while I was in Australia --
nobody at Queensland University of Technology was, and their sysprogs
couldn't find the fault. (Is this a RISK of playing host to someone involved
in the crypto policy debate?) Anyway, once I got back to the UK, I brought
Orlowski's proposals to public attention - and this has led to precisely the
fuss which Canberra was clearly trying to avoid.

Finally, Orlowski did not even get the URL of his paper right in the letter
which Dorothy posted to this group. It is actually to be found at

http://commerce.anu.edu.au/comm/staff/RogerC/Info_Infrastructure/Orlowski.html

Ross

------------------------------

Date: Mon, 28 Aug 1995 09:44:28 -0500
From: JEREMY J EPSTEIN <[email protected]>
Subject:  Risks of automatic newspaper publishing

I'm not sure I've got all the details right, but...

National Public Radio's "All Things Considered" reported on Friday August 25
that the "Aspen Daily News" (Aspen CO) had published an article reporting
that a large number of men aged 13-78 had been hospitalized from "sexual
exhaustion" after some woman took advantage of them.  The story, which was
supposed to be a joke, made it into the newspaper (or so it sounds) because
a writer, who had made up the fake story for internal distribution,
accidentally put the article in the directory where stories to be in the
next edition belong.  The automatic page-layout software picked it up from
there.  It sounds like the galleys were never examined by a human (or if so,
they did a sloppy job).  Reaction by the newspaper readers has been
mixed...some have been amused, while others thought it was "pornography".

According to the editor-in-chief of the newspaper, who was interviewed on
the program, there were four safeguards (not specifically named) that all
failed to allow the piece into the paper.  As a result of the incident,
they've added a fifth safeguard: only editors can place articles in the
to-be-printed directory.  It's not clear whether that's a procedural or
computer-enforced restriction.

The risk is that as newspaper production becomes more and more automated,
there's less need for people to do reviews, and hence a greater risk of an
error like this happening.

In the meantime, the author of the particular piece is still working at the
newspaper.  The editor-in-chief did not disclose what punishment, if any,
there would be.

Jeremy Epstein, Cordant Inc., [email protected]

  [OK.  So now we need laws governing safe editing and computer layouts.
  In the olden days, galley slaves rowed or cooked.  Now they are going
  to have to READ COPY in sweatshop backrooms.  Remember Henry Miller
  got his start as a proofreader, and look what it did for him!   PGN]

------------------------------

Date: Mon, 28 Aug 1995 08:12:52 -0400
From: [email protected] (Simson L. Garfinkel)
Subject: Database for Deadbeat Dads

SOCIAL INSECURITY PLAN TO MAKE IT EASIER TO
TRACK DOWN 'DEADBEAT DADS' WORRIES PRIVACY ADVOCATES
Simson Garfinkel, Special to the Mercury News
San Jose Mercury News, 17 July 1995, Business Monday, Page 1F
Copyright 1995, Simson Garfinkel

   ELEVEN years late, the 1984 as envisioned by George Orwell finally may
arrive.
   Welfare reform legislation moving through Congress could dramatically
increase the use of Social Security numbers by state governments as a way
to track people from cradle to grave. The proposal, which would create or
expand a series of national data banks, is designed to track people who
don't want to be found.
    With support among both Democrats and Republicans, the proposal is
striking fear among the guardians of  privacy, who believe the legislation
would increase the government's surveillance of the American public.
   ''What we are facing is the single greatest step toward big brother
government since Watergate,'' said Donald L. Haines, a legislative counsel
with the American Civil Liberties Union in Washington.
   Nevertheless, the proposal has received relatively little attention
because the expanded use of Social Security numbers is one of the few areas
of agreement between the Republican-controlled Congress and the Clinton
administration.
   Welfare reform was one of President Clinton's campaign promises, and it
also was one of the 10 tenets of the Republican Party's ''Contract with
America.''
   Called the ''Personal Responsibility Act,'' the U.S. House of
Representatives passed its version of the bill March 24. The Senate
version, retitled the ''Family Self-Sufficiency Act of 1995,'' passed a
committee vote June 9. Although the committee, chaired by Sen. Bob
Packwood, R-Ore., made substantial changes to  the House bill, the sections
dealing with the expanded use of Social Security numbers remained
essentially intact. At the heart of the legislation is the desire to do
something about so-called ''deadbeat dads'' - and moms -   who refuse to
pay court-ordered child support payments. Both Congress and the Clinton
administration believe that a large amount of the money spent on the
government's Aid to Families with Dependent Children program could be saved
if more single parents obtained child support orders, and if those orders
were better enforced.
  ''People normally say that there is a $34 billion gap'' between the $14
billion that is annually paid in child support and the $48 billion that
theoretically could be collected, says Jane Checkan of the Health and Human
Service's Administration on Children and Families in Washington. Checkan's
figures are for the year 1993, the last year available.
    In an attempt to close this gap, the welfare reform legislation
mandates increased surveillance of all American citizens. By tracking
Americans when they change jobs or receive state driver's or professional
licenses, the legislation's backers hope to give deadbeat dads nowhere to
hide.
   The legislation also calls for mandatory reporting of Social Security
numbers by people getting marriage licenses or divorced, and in paternity
proceedings. These reports are designed to make it easier for single
parents to obtain support orders, and to make it easier for state welfare
agencies to figure out the identity of a spouse when a single parent
applies for benefits.
   ''Ten million women are potentially eligible to child support for their
kids,'' Checkan said. But many people do not take advantage of their legal
rights. ''Forty-two percent do not have an award in place.''

Welfare reform pushed
   Checkan said that it is estimated that as much as 8 percent of the
government's Aid to Families with Dependent Children payments could be
eliminated if child support orders were obtained and enforced. ''That's
why, in the Clinton proposal, that child support is such a major part of
welfare reform,'' she said.
   Currently, many government agencies maintain databases that are indexed
by Social Security numbers. Nevertheless, the databases are of limited use
for welfare enforcement. Some of the databases are restricted by statute so
that their information may not be used for purposes other than that which
they were collected.

A move to unify standards
   Others are not cross-indexed with databases of current address,
employment and child support orders.  Still other databases cannot easily
be searched against, because the information is not in a uniform format.
One of the intents of the legislation, sponsors say, is to bring order to
this computational chaos by mandating standard data representation and
indexing strategies. Basing the databanks on Social Security numbers is key
to its success, said Bill Walsh, chief of California's Child Support
Management Bureau, part of the Department of Social Services.
   ''I'll tell you, the Social Security number is probably the most
important piece of data that there is in trying to locate parents that we
can't find in order to establish child-support orders, or in cases where we
have already established an order, to get payment on those orders,'' he
said.
   A national database also could make it easier to track down the 30
percent of dads who live outside the state, said Walsh. Although such a
database currently exists, the proposed legislation would greatly expand
its reach, by creating a virtual dragnet that could not be escaped.

Civil libertarians worry
   Walsh said his department is in favor of creation and expansion of
the national databanks, because they ''allow us to have access to more and
better data in order to locate parents who owe child support.''
   Nevertheless, a growing number of civil libertarians are questioning
the creation of large-scale national databanks, and the expanded use of
Social Security numbers, for tracking down deadbeat dads.
   ''It's a databank that could be used to allow people to track people
down for purposes having nothing to do with (child support),'' said Haines
of the ACLU.
   Haines is especially worried that the system could be used to find
victims of domestic violence who are attempting to hide from their
assailants.
   ''An unfortunate truth is that in our justice system today, for many
victims of domestic violence, their only hope for relief is to escape into
some level of anonymity,'' he said. ''Protective orders don't work or
aren't enforced.''
   Although the legislation would prohibit the unauthorized use of the
system, Haines characterized such use as ''inevitable.'' As an example, he
noted how some abusive men find runaway spouses using surreptitious means,
such as privileged data reserved for law enforcement.

Potential for fraud
   Other privacy advocates are concerned that the databanks could be
used as the basis for financial fraud.
   ''I think that there is a real danger using (information) provided for
one purpose for another purpose,'' said Claudia Terraza, an attorney with
the Privacy Rights Clearinghouse at the University of San Diego. ''I see a
real problem with people getting access to your Social Security number and
from there, being able to find out your credit report, or for finding out
other information that they could use for fraudulent purposes.''
   Privacy advocates are most upset about the expansion of the Federal
Parent Locator Service. As written, the legislation would create a national
database of virtually all U.S. citizens - parents or not - with the stated
purpose of tracking them so that any individual's most recent address and
employer can be easily determined at any time. The legislation also would
help enforce court-ordered parental visitation rights.
   Staff members working on both the House and Senate versions of the
legislation said that lawmakers were aware of the privacy issues, and had
tried to put ''privacy protection'' measures into the legislation without
compromising the central goal of creating a national location registry.
   ''We had a long discussion about (privacy issues) - and the (lawmakers)
were the main people doing the talking,'' said a staffer. ''There were some
members who were real sensitive, and they were absolutely adamant that (the
Social Security number)  could not be required to be on the license
itself.''
   Nevertheless, the legislation does require states to ask drivers for
their Social Security numbers when they are issued driver's licenses or
professional licenses, and for those numbers to be reported to the central
registry.
   ''What all of that means is that we will have a de facto national ID
system in this country, which is going to be this database, and with a de
facto national ID card,  which will be your Social Security card/driver's
license, all without a debate on whether or not Americans deserve to be
subjected to a Soviet- or Nazi-style national ID system,'' Haines said.

Effort failed in '60s
    This is not the first time that the federal government has proposed
creating a national databank. A proposal in the late 1960s called for the
creation of a national data center that would ''pull together the scattered
statistics in government files on citizens and to provide instant, total
recall of significant education, health, citizenship, employment records
and in some cases personal habits of individuals,'' reported an article in
the Feb. 25, 1968 issue of The New York Times.
   At the time, the proposal was opposed by privacy advocates like
Columbia University Professor Alan F. Westin and University of Michigan Law
School Professor Arthur R. Miller. Information centers ''may become the
heart of the surveillance system that will turn society into a transparent
world in which our home, our finances, our associates, our mental and
physical conditions are bared to the most casual observer,'' Miller told
the Times.
  The national data center was never built, and today the controversy has
been largely forgotten. Nevertheless, says Marc Rotenberg, director of the
Electronic Privacy Information Center, one of the important issues raised
at the time was the danger of entrusting a single federal agency with so
many different files.
   ''These proposals invariably reach further than originally intended,''
said Rotenberg. ''If the Social Security number is used today to catch
welfare cheats, it can be used tomorrow to identify political dissidents.
   ''It is of course ironic that such a proposal would go through the
Congress at the very same time that the Republican majority is urging
greater relaxation of government regulation.''

- - - - - - - - - - - - - - - - - - - - - - - -

INFOBOX: THEY'VE GOT YOUR NUMBER

 Legislation currently before the Senate would mandate the creation or
 expansion of three national databanks. Each databank would be indexed
 by Social Security number. Together, they would track every American.

 (box) Federal Parent Locator Service: Would contain a record of every
 driver's license and professional license issued in individual states.

 (box) Federal Case Registry of Child Support Orders: Besides tracking
 every child support order issued by the states, this database also
 would contain records of every marriage, every divorce and every
 paternity determination case in the United States.

 (box) State Directory of New Hires: This federal database would be
 updated every time an American started working for a new employer. It
 would contain the employee's name, address, job description, and the
 name of their employer.

------------------------------

Date: Mon, 28 Aug 95 15:17:04 EDT
From: Chuck Weinstock <[email protected]>
Subject: Two-Way HOV Lane

The (relatively) new Parkway North in Pittsburgh (I279) has the only High
Occupancy Vehicle lane in the state.  It is a reversible two lane road that
runs down the middle of the Interstate for about 5 miles.  It is open into the
city for the morning rush, and out from the city for the evening rush.

On Friday, early afternoon, while the lanes were still opened Southbound, an
apparently lost carload of people entered heading North.  The resulting
head-on collision between the car and a pickup truck killed several people.

I would have thought that making such a lane reasonably failsafe would not be
too difficult.  Manual barriers at each end.  Close the whole thing at
changeover.  Verify visually by driving a highway truck down it that the
lanes are empty.  Then manually open up the barriers for the correct
direction.  Interlocks as appropriate.

It turns out that because of real estate (the lack thereof) several of the
ramps on the downtown side are dual use.  During the morning rush they are
exit ramps.  During the afternoon rush they are entry ramps.  There wasn't
enough physical space to put in separate entry and exit ramps.  Hence, no
barriers. Instead, they rely on flashing lights and Do Not Enter and Wrong
Way signs which get pointed aside or turned off when they are not needed.
Short of putting in tire shredders for wrong way travel, I cannot think of a
way to make this kind of arrangement safe against your typical non-observant
driver.

Chuck Weinstock
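The changeover procedure Chuck sketches (close everything, verify the lanes are empty, then open barriers for one direction, with interlocks) as a small state model. This is an added example written for this digest, not Chuck's code or any real lane-control system; the class, its method names and the single in-lane vehicle counter are assumptions.

```python
from enum import Enum


class Direction(Enum):
    SOUTH = "southbound"  # into the city (morning rush)
    NORTH = "northbound"  # out of the city (evening rush)


class InterlockError(RuntimeError):
    """Raised when an operator action would violate the interlock."""


class ReversibleLane:
    """Barrier and sweep state for one reversible lane (hypothetical model)."""

    def __init__(self):
        self.barrier_open = {Direction.SOUTH: False, Direction.NORTH: False}
        self.verified_empty = False  # true only after a sweep with all barriers closed
        self.vehicles = 0            # vehicles currently inside the lane (assumed counter)
        self.events = []

    def close_all(self):
        for d in Direction:
            self.barrier_open[d] = False
        self.verified_empty = False  # a closure invalidates any earlier sweep
        self.events.append("all barriers closed")

    def sweep(self):
        """Drive the highway truck down the lane; valid only while all is closed."""
        if any(self.barrier_open.values()):
            raise InterlockError("sweep attempted with a barrier open")
        if self.vehicles:
            raise InterlockError("sweep found %d vehicle(s) in the lane" % self.vehicles)
        self.verified_empty = True
        self.events.append("sweep confirmed lane empty")

    def open_for(self, direction):
        """Open one end; refused if the other end is open or no sweep has run."""
        opposite = Direction.NORTH if direction is Direction.SOUTH else Direction.SOUTH
        if self.barrier_open[opposite]:
            raise InterlockError("cannot open %s while %s is open"
                                 % (direction.value, opposite.value))
        if not self.verified_empty:
            raise InterlockError("lane not verified empty since last closure")
        self.barrier_open[direction] = True
        self.events.append("opened " + direction.value)

    def vehicle_enters(self, direction):
        """Return True if a vehicle is admitted at the given end."""
        if not self.barrier_open[direction]:
            self.events.append("refused " + direction.value + " entry")
            return False
        self.vehicles += 1
        self.verified_empty = False  # lane is no longer known to be empty
        return True

    def vehicle_exits(self):
        self.vehicles = max(0, self.vehicles - 1)


def changeover(lane, new_direction):
    """The full procedure: close, sweep, then open exactly one direction."""
    lane.close_all()
    lane.sweep()
    lane.open_for(new_direction)


def run_day():
    """Morning southbound, a wrong-way attempt, a shortcut attempt, a changeover
    with a car still inside, then a proper changeover.  Returns the observations."""
    lane = ReversibleLane()
    changeover(lane, Direction.SOUTH)
    lane.vehicle_enters(Direction.SOUTH)              # legitimate morning traffic
    out = {"wrong_way_admitted": lane.vehicle_enters(Direction.NORTH)}
    try:                                              # open north while south is open
        lane.open_for(Direction.NORTH)
        out["shortcut_blocked"] = False
    except InterlockError:
        out["shortcut_blocked"] = True
    try:                                              # changeover with a car inside
        changeover(lane, Direction.NORTH)
        out["changeover_with_car_blocked"] = False
    except InterlockError:
        out["changeover_with_car_blocked"] = True     # fails closed: all barriers down
    lane.vehicle_exits()
    changeover(lane, Direction.NORTH)                 # now it succeeds
    out["south_open_after"] = lane.barrier_open[Direction.SOUTH]
    out["north_open_after"] = lane.barrier_open[Direction.NORTH]
    return out
```

Note that a refused changeover leaves every barrier closed, which is the safe state; the dual-use ramps Chuck describes are exactly the case where no barrier exists for the interlock to hold.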

------------------------------

Date: Mon, 28 Aug 95 12:37:35 -0400
From: [email protected] (John Deas)
Subject: To Bus or Not to Bus

Pinellas is Florida's most densely populated county. Approximately 42,000
students are transported daily by 510 buses. This school year, which started
August 21, has been an example of what happens when poor planning is
exacerbated by ineffectively used automated routing and scheduling software.

The *St. Petersburg Times* reported on August 24 that buses are showing up
late - sometimes by two or more hours. Some come early and don't wait for
students. Some bus rides are lasting more than an hour, which is against
state law. Some buses are overcrowded, with children sitting on the floor.
Wednesday, one bus came three hours late, and another required 45 minutes
for a 14-block trip. Parents and school board officials are having
difficulty contacting transportation department officials, who are blaming
the problems on a computer program the district installed within the past
year.

The Edulog system is set up with maps of the county and house addresses;
data entered by the district includes names, addresses and schools, as well
as speed limits on various streets. The computer is supposed to provide the
most efficient routes, which resulted in many stops being moved or deleted.

Apparently, officials didn't use "speed made good" common sense and assumed
that the speed limits were the actual average speed without regard for
traffic or stops. Some parents did not register their children for school on
time. Planning will start earlier next year, according to the transportation
head, and new transportation coordinators will be hired. Similar (but less
severe) problems were experienced last year.

Maybe they should let the students (and parents) use the program; they
probably understand the risks a lot better.

John Deas  DCMAO Clearwater  [email protected]

------------------------------

Date: Sat, 26 Aug 1995 17:14 -0400
From: [email protected]
Subject: Phone-mail woes

In anticipating traveling internationally, I decided to get CO-based phone
mail since I thought it would be more reliable to connect to than my analog
answering machine.  Because I've got two lines, I decided that I'd put the
service on the second line and then forward the first to the second when I
need to. I tried testing the forwarding and found that when I called the
first number, instead of just giving me voice mail, it asked me to key in a
number, presumably the number I was calling -- the first number. So I
obliged, and got a message from someone saying he was in Central America and
couldn't answer the calls.

* The request to key in the number is clearly a bug since the caller doesn't
know that I've forwarded the call nor the number to which I forwarded the
call.

* Since my ownership of both numbers predates the installation of the switch,
it seemed that the caller gets directed into hyperspace.

* When asking for the service, I was told that they were planning to drop the
stutter dialtone since it didn't work reliably!

* I did not test the interactions with distinctive ringing numbers. I feared
the worst but didn't have the time.

In speaking to the service people about this, the basic response is that
this is a problem with the DMS-100 (Northern Telecom) switch and not
necessarily the ATT ESS switches. This is the same DMS that, on my ISDN
line, requires two numbers for a 2B call whereas the ESS needs only one.

I don't know what profound lessons there are to learn except that I'm amazed
at the presence of such a gross bug in an expensive production CO. It would
never be tolerated in a $29.99 software package. This is a feature
interaction but unlike the problems with ad-hoc interaction between
separately produced features, this should be testable. Note, though, that
voice mail is often provided by a third party, such as Octel, and the bug
could be due to version interactions between two disparate systems.

------------------------------

Date: Fri, 25 Aug 95 15:21:15 EDT
From: [email protected] (Rich Lethin)
Subject: Re: The traffic light does NOT think (Carr, RISKS-17.29)

Isn't the main purpose of the intelligent highway traffic system, from
the perspective of the system as a whole, throttling and rerouting the
incoming traffic to a section/region of road to preserve the linear
queuing behavior and get good throughput?  On urban grids, the stop
lights serve this function: attempting to prevent gridlock and
deadlock. On high speed roadways there are no stoplights, and the
range of speeds available is greater, so the periodic signs have
greater control latitude.

So the signs aren't saying "slow down because the cars ahead of you
are going slower" but rather something like "slow down because this
can prevent congestion and stop and go traffic ahead that will make
the throughput of the entire system plummet".

------------------------------

Date: 9 August 1995 (LAST-MODIFIED)
From: [email protected]
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  U.S.
users on .mil or .gov domains should contact <[email protected]>
(Dennis Rears <[email protected]>).  UK subscribers please contact
<[email protected]>.  Local redistribution services are
provided at many other sites as well.  Check FIRST with your local system or
netnews wizards.  If that does not work, THEN please send requests to
the newly automated <[email protected]>, with first text line
  SUBSCRIBE or UNSUBSCRIBE
[with option of E-mail address if not the same as FROM: on the same line].
  HELP
gives instructions on using the Majordomo listserver in other ways,
although not all are implemented for RISKS.

CONTRIBUTIONS: to [email protected], with appropriate, substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
welcome, but not personal attacks.  PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them.  Contributions will not be ACKed; the load is
too great.  **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks.  Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
All other reuses of RISKS material should respect stated copyright notices,
and should cite the sources explicitly; as a courtesy, publications using
RISKS material should obtain permission from the contributors.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
  Individual issues can be accessed using a URL of the form
  http://catless.ncl.ac.uk/Risks/VL.IS.html
  (Please report any format errors to [email protected])

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP.
Issue J of volume 17 is in that directory: "get risks-17.J<CR>".  For issues
of earlier volumes, "get I/risks-I.J<CR>" (where I=1 to 16, J always TWO
digits) for Vol I Issue j.  Vol I summaries in J=00, in both main directory
and I subdirectory; "bye<CR>"  I and J are dummy variables here.  REMEMBER,
Unix is case sensitive; file names are lower-case only.  <CR>=CarriageReturn;
UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and
password.  Also ftp [email protected].  WAIS repository exists at
server.wais.com [192.216.46.98], with DB=RISK (E-mail [email protected] for info)
  or visit the web wais URL http://www.wais.com/ .
Management Analytics Searcher Services (1st item) under http://all.net:8080/
also contains RISKS search services, courtesy of Fred Cohen.  Use wisely.

------------------------------

End of RISKS-FORUM Digest 17.30
************************