Subject: RISKS DIGEST 11.23 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Sunday 10 March 1991 Volume 11 : Issue 23 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: [Still working on the backlog. This is mostly new stuff.] IRS agent and information privacy (Ed Ravin) Secret Service Foils Cellular Phone Fraud (Ed Ravin) Telephone risks revisited (Jim Griffith) Computer does everything (Robert Mokry) High Tea at the Helmsley in New York City (Gligor Tashkovic) Citibank Machines (David C. Frier) Re: Medical image compression (Tom Lane) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. FTP VOL i ISSUE j: ftp CRVAX.sri.comlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j (where i=1 to 11, j is always TWO digits. Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Fri, 8 Mar 91 23:40:14 EST From: elr%trintex@uunet.UU.NET (Unix Guru-in-Training) Subject: IRS agent and information privacy New York Newsday, Friday March 1, 1991 "IRS Agent Says She's Penalty-Free", by Leonard Levitt An Internal Revenue Service agent under investigation by her agency over her contacts with [infamous Bronx defendant in cop-shooting and other drug-related cases] Larry Davis yesterday denied giving confidential tax information to the Bronx murder suspect and said she has resigned her federal job. [ to summarize, the IRS agent was accused of looking up the tax records and home addresses of judges, jurors and detectives involved in Larry Davis's arrests and trials. Why post this on RISKS? Read on: ] [The IRS agent] insisted that she did not get the addresses of court officials for [Davis]. "I would never go into the master [computer] system. Not that he even asked me," she said. [So the information the agent is accused of giving out is kept on a computer. Not at all surprising. RISKS readers have known for years that computer database systems often lend themselves to this kind of abuse where authorized people make unauthorized forays into other people's data.] [The agent] was asked [by the IRS] why she accessed the tax files of [Davis's] sister and brother-in-law, who live in Huntington, L.I., and who a law enforcement source said owed the federal government about $10,000. [The agent's] jurisdiction was limited to [several counties not in Long Island]. [...] It is a criminal offense for a revenue officer to access a tax file outside an officer's jurisdiction. What I find interesting is that if I've not "read too much" into this article, it would appear the IRS has the ability to tell when its officers peek into computer files they're not supposed to, or at least the ability to find out afterwards if they suspect misdeeds. This kind of audit tracking and control is the kind of stuff CPSR has been asking be put into the NCIC to prevent similiar abuses by police and criminal justice personel. Anyone out there know more about what the IRS uses for their information systems and how they track accesses to it? glossary: CPSR: Computer Professionals for Social Responsibility, who track Star Wars and privacy related issues. NCIC: National Crime Information Center, a nationwide database of stolen cars and outstanding arrest warrants, accessible by state cops and others. Ed Ravin elr@trintex.UUCP ------------------------------ Date: Fri, 8 Mar 91 23:57:30 EST From: elr%trintex@uunet.UU.NET (Unix Guru-in-Training) Subject: Secret Service Foils Cellular Phone Fraud New York Newsday, March 7, 1991, By Joshua Quittner The US Secret Service said one of its agents cracked the code of counterfeit computer chips to block a kind of cellular telephone fraud responsible for an estimated $100 million a year in unbillable long-distance calls. During the past two months, the service has quietly distributed a free software "patch" that blocks unauthorized long-distance calls at cellular telephone switches. The patch is being heralded in New York City, where more phone service is stolen than anywhere else in the country. The first day the patch was put into use in Los Angeles, more than 5,000 illegal cellular calls were blocked, a Secret Service spokesman said yesterday. [...] The counterfeit chip used by phone cheats exploits a weakness in the cellular telephone system that allows a caller's first call to be completed before the billing status is verified... A legitimate mobile phone has a silicon chip that generates an identification number. When a call is made, that number is relayed to the carrier, along with the caller's phone number, and the two numbers are compared to establish billing. However "depending on where you're roaming and how busy the cellular network across the country is, you can make a phone call before that procedure is completed." [Norman Black, Cellular Telephone Industry Association] To exploit that weakness, underground engineers designed a counterfeit chip that generates a different, phoney identification number on each call, tricking [the cellular telephone exchange] into thinking each call is the first. One illegally rigged phone, confiscated by police in New York City last year, was turned over to the Secret Service, which investigates, among other things, telecommunications fraud. Like a hacker -- a phone computer cheat -- the agent broke into the chip, read the microcode, decoded the algorithm at its core, then wrote a program that would help carriers detect its peculiar pattern. Dave Boll, who heads the Secret Service's Fraud Division in Washington, said that cellular telephones equipped with the counterfeit chips "sell for as much as $5,000 each". And he estimated that such phones are used to make $100 million in unbillable calls each year. [The article goes on, to talk about the call-stealing problem being the worst in NYC and how the unbillable calls tied up the network for the paying customers]. It is nice to see a technical issue covered reasonably well in a major newspaper. Even moderately awake RISKS readers will notice that the Secret Service's efforts only help a cellular telephone company reprogram their exchange to recognize one particular random number generator. When the next "counterfeit" chip comes out, probably selling at a higher price, it will no doubt use a different algorithm and the Secret Service will have to do the whole thing over again. It would be nice if someone would expend a little effort to fix the "roamer" system so that it would know a real mobile identification number from a spoofed one; when I use a calling card to make a regular phone call, someone's computer seems to always know if my number is real or not -- what's the problem over in cellular land? Ed Ravin elr@trintex.UUCP ------------------------------ Date: Sat, 9 Mar 91 22:06:17 PST From: griffith@dweeb.fx.com (Jim Griffith) Subject: Telephone risks revisited We received a telephone bill with a notice of scheduled public hearings on proposed features to be provided by Pacific Bell. The services include: - Caller ID - a special display device displays the number of the caller. - Call Return - lets callers dial the last person to call, whether or not the caller actually answered the call. - Repeat Dialing - when a number you call is busy, it polls the number until it is no longer busy, places the call, and rings you back. - Priority Ringing - allows customers to specify a list of "priority" numbers. When someone calls you from one of those numbers, your telephone rings in a distinctive manner. - Select Call Forwarding - allows customers to specify a list of numbers which are automatically forwarded to another number. - Call Trace - allows customers to order a trace of the last number called. Information is not provided to customers, but it is held for future use by law enforcement agencies. - Call Block - allows customers to reject calls from specific numbers. These features strike me as being both scary and attractive. Certainly, they're intended towards the convenience and protection of the customer. But the potential for abuse is also there. The notice says that the California Public Utilities Commission will be holding hearings around the state to gauge public opinion on the Caller ID and Call Trace features. I can also see where the Call Return feature could be effectively used in place of Caller ID. I suspect this is going to be a hot topic for debate. Welcome to the age of Big Brother. Jim ------------------------------ Date: Fri, 1 Mar 91 13:26:08 -0500 From: mokry@sirius.ctr.columbia.edu (Robert Mokry) Subject: Computer does everything The Feb 26th issue of the New York Times contained an article about Marist College, a small liberal arts college in New Jersey, that got a large mainframe computer donated from IBM. Here's an excerpt from the article: The computer, which might be found at a Fortune 500 company with a spare $10 million, handles tuition bills, class enrollment records, freshman applications, administration records and correspondence, college payrolls and investments, student essays, classroom exams, polling data, student and faculty bulletin boards and messages between professors and students. It handles campus crime records and patterns, investment and marketing plans for hypothetical student companies, all the articles for the student newspaper, faculty lecture notes, campus parking permits, files on every Marist alumnus, all personnel records, every college bill and invoice, every grade for every student in every course, the records for every telephone on the 120-acre campus and communications between Marist and campuses worldwide. Oh, and it holds the library's entire card catalogue and circulation files including when every book is due. The article praised all these great technological advantages for a small college. The article was headlined "Biggest Brain at this College is Not Enrolled." Somehow, I would interpret the headline in a different way, perhaps that anyone with any knowledge of computers would not go to this college. I guess that might be stretching the quote a bit, and it's just my opinion. Some risks that I can think of are: (1) IBM can view and control everything on campus -- this need not even be done in an obviously-illegal way like a wire-tap, since computers need superusers (possibly generously supplied by IBM), and a liberal-arts college is unlikely to have any students who can handle such a complicated computer. (2) Since everything is done on one large computer that everyone has access to, potentially anyone might be able to change anything (students changing grades, for example); sure everything can be checked against written records, but then there's no need for the computer. (3) If the computer crashes, everything crashes and possibly the whole college grinds to a hault. In my opinion, many small computers are much better than one large computer, because then computers handling unrelated functions (like payroll, grades, and student communication) can be physically isolated from each other, and the computers that are connected together can restrict communications to what is necessary. Perhaps the difference between technological advancement and bigbrotherism is how the computing power is distributed. Some of these ideas may only be speculation, and I think that most people can think of more problems than I can, so I just sent it in without much comment, leaving potential risks as an exercise for the reader :-). --Robert ------------------------------ Date: Sun, 10 Mar 91 12:41 EST From: Subject: High Tea at the Helmsley in New York City My friend and I wanted to pay the $50 bill after enjoying a once-in-a-lifetime (for that price!) High Tea at the Gold Room in the Helmsley New York. She only had enough to cover about 2/3rds of the cost, so I handed that to the waiter and gave him my credit card with the instructions to put the remaining charge on the card. The resulting confusion was astonishing. The waiter didn't know what to do (and it wasn't a language problem either). He asked his boss, who asked his boss and they finally decided that it couldn't be done. Why? Because the computer system only accepted one method of payment (i.e. cash or credit card) and not a mix of them. Not a very customer-friendly system! (The reason I had not taken her cash in the first place was because some of it was in quarters! Oh well. ) [You should have asked for separate checks. But, if there is a "next time", you may need separate tables, if you still want her to pay 2/3. PGN] ------------------------------ Date: 10 Mar 91 08:52:08 EST From: "David C. Frier {DBADVISOR}" <76702.1417@compuserve.com> Subject: Citibank Machines My encounter with a Citibank ATM, to which I recently gained access by means of an new link between several ATM nets, left me wondering just who checks the algorithms for these machines: are there any standards? After dispensing my cash, the large bright screen oriented in the vertical plane announced my account balance in what seemed to my astonished eyes to be characters more than 1/2" high. It did not request my permission to do so, nor did it warn me it was about to do so, nor did it check to see who might be standing with or behind me. It then waited patiently for me to press a key... ...which I did with all dispatch. Now the ATM programmers are obviously readers of Risks and know very well the horrors of receipt printers running out of paper. In an ingenious move to conserve this precious commodity, their next question was whether I wanted a "record." I had to recover sufficiently from my rattled state (after seeing my account balance displayed in a public place for any passers-by to chuckle at) to realize that "record" referred to my printed receipt. Then I had to respond by pressing the correct one of two adjacent keys labelled by the screen "Yes" and "No." Not to mention that determining which key is labelled for which repsonse depends highly on the angle from which the screen and buttons are being viewed: could a user in a wheelchair have seen the "No" key as being "Yes?" I think so. I may try this out next time by crouching low in front of the machine and trying to read the screen from that angle. Passers-by will already be in sufficient hysterics at my balance that they will take no note of my odd contortions. I leave an enumeration of the Risks as an exercise for the reader. --David C. Frier, Logical Software, Inc., (301) 358-3100 ------------------------------ Date: Thu, 07 Mar 91 15:33:24 EST From: Tom.Lane@G.GP.CS.CMU.EDU Subject: Re: Medical image compression In RISKS 11.21, David A. Honig points out risks of using lossy compression schemes for medical images (or, presumably, any other critical application). I believe the compression scheme involved is JPEG. As leader of a group producing a free JPEG implementation, I've run into the lossy-compression- is-unacceptable mindset quite a bit. I think that in most cases this is a knee-jerk reaction. Why? Because *any digital rasterization of an image loses data* compared to the real world. You lose spatial resolution by reducing the continuous scene to pixels; you lose color resolution by having a finite number of color values (to say nothing of the fact that computer displays have limited color ranges); and in many cases you lose more color resolution by having to map an image into 256 or fewer distinct colors for display on colormapped hardware. (Or you can trade spatial resolution for color resolution by dithering.) Need I say anything about monochrome (B/W or grayscale) images? In short, whatever image representation you're using now already loses data compared to the real world. A lossy compression scheme may actually permit more data to be carried. For example, the GIF image format currently popular on Usenet carries only 8 bits per pixel, so quite a bit of color resolution is sacrificed. JPEG compression permits close to 24-bit-per-pixel color resolution to be carried in a file about one-quarter the size of a GIF file, with approximately equal spatial resolution. The JPEG spec includes a large number of adjustable compression parameters. The extent of compression can be traded off against recovered image quality over a very large range, from thumbnail-sketch quality to below-threshold- of-perception errors. Thus the user has the ability (and responsibility) to decide what is an acceptable error level; a decision which is pre-empted by most older image formats. I think the true RISK here is rejecting a new technology on the basis of perceived characteristics, without considering the actual characteristics of current technology. If people allow themselves to be dissuaded by the adjective "lossy", they may blind themselves to significant improvements. Unfortunately, David is probably correct that the lawyers will have a field day the first time a bad medical decision is made on the basis of a compressed image. Never mind about lives that are saved because images are transmitted more quickly, or because more images can be kept on file. (None of this is intended to claim that JPEG is an ideal solution for all applications; only that thorough appraisal of benefits and disadvantages is necessary.) tom lane tgl@cs.cmu.edu BITNET: tgl%cs.cmu.edu@cmuccvma ------------------------------ End of RISKS-FORUM Digest 11.23 ************************