Subject: RISKS DIGEST 14.15 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Monday 7 December 1992 Volume 14 : Issue 15 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Similar But Different User Interfaces and Traces of Memory (Tom Swiss) Name Confusion and Democratic Concept of Limited Government (Roy G. Saltman) Re: Police and Database [name confusion with twist] (Alan (A.G.) Carter) Toronto Stock Exchange Virus Scare (Shyamal Jajodia) Re: Akron BBS trial update! (Phil Karn) Risks of children using BBSes (Re: Akron BBS ..) (Michael P. Deignan) Lost Technology (A. Padgett Peterson) Re: Computer theft from GP's; encryption is not a cure-all (Julian Thomas) Turn Signals (John Sullivan) Estimating risks (Jerry Leichter) Revenge via computer (Thomas Dzubin) Re: Risk reduction: Human Factors (Chris Norloff) Flood Stories (Lindsay F. Marshall) Re: holiday reading on Risks (Gary McClelland) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Thu, 3 Dec 92 16:37:13 -0500 From: tms@cs.UMD.EDU (Tom Swiss (not Swift, not Suiss, Swiss!)) Subject: Similar But Different User Interfaces and Traces of Memory I recently learned a hard lesson about the risks of superficially similar user interfaces. Most of the time I use GNU Emacs for editing, but my home PC is too low-powered top run the DOS version with acceptable alacrity, so I usually use Multi-Edit for files on my PC. Now, when you exit GNU Emacs with C-x C-c, it prompts you to save the file you've been working on, like so: Save file /path/filename? (y or n) And when you exit Multi-Edit with Alt-X, it prompts you to save the file you've been working on, something like: FILE NOT SAVED! Exit? Yes No Save file and exit There's a superficial similarity in that both programs ask for confirmation before exiting with unsaved files, but the Emacs confirmation confirms saving, while the Multi-Edit confirmation confirms exiting. So to exit and save changes under Emacs, it's C-x C-c y; to exit and save changes under Multi-Edit, it's Alt-X s. It should come as no surprise that my fingers got ahead of my brain and I ended up exiting my Multi-Edit session with Alt-X y, and lost about an hour's worth of work. Ah! But all was not lost. For I knew, that somewhere in my PC's RAM, large portions of my file might still be waiting. I immediately ran a small utility program called Corelook, and searched the memory for character strings that might be from my file. I wrote them down on a handy pad of paper, and between what I recovered from my PC's memory and what I dug out of my memory, I re-assembled the file. But what if this hadn't been _my_ file to start with? Open PC labs are becoming more and more common on university campuses. Assume I was an unscrupulous computer science student. Pretend I saw a classmate working on a project in one of these open labs. When he was finished, I might just grab the PC he was using and search its RAM for anything that might be of interest. If the PC is running Windows, or any other program that uses virtual memory, looking at disk used for swap space could also prove very interesting. Or, for those who are in the habit of leaving their PCs on at work 24 hours a day, after-hours snooping in your machine's RAM by a corporate spy disguised as a mild-mannered custodian could give your competition a few clues about what you're up to. RISKS has seen some recent discussion of the use of supposedly deleted files on a disk; it's worth remembering that what's left in your RAM might be interesting to others as well. - Tom Swiss / tms@cs.umd.edu ------------------------------ Date: Fri, 4 Dec 1992 11:50:02 -0500 (EST) From: SALTMAN@ECF.NCSL.NIST.GOV (Roy G. Saltman) Subject: Name Confusion and Democratic Concept of Limited Government Two correspondents, Don Norman and Jerry Leichter, have indicated their sympathy with the police in the situation of a Canadian citizen who was confused by the police with another person of the same name. Specifically, they indicated sympathy for the statement of the police representative who said the onus was upon the victim to change his name so as to avoid confusion. While it would be prudent for the victim to modify his name for governmental as well as for commercial and other non-governmental purposes, he has done nothing wrong. In the U.S. specifically, and possibly in other democratic countries such as Canada, the individual is innocent until proven guilty, and government is the servant of the people, not the reverse. While there may be extenuating circumstances that could absolve the police, we have statutes providing compensation for false arrest and for violations of civil rights. Certainly, the two individuals with the same name lived at different locations, had different appearances, had different families and friends, engaged in different occupations or worked at different locations, and had different (Canadian equivalents of our) social security numbers. In this country, it is up to government agencies to get it right; it is not required of an innocent victim to do anything except obey current law. An activity for which personal identification is essential is voter registration. If the bill on this subject passed by Congress in its previous session had become law (it was successfully vetoed by President Bush), the driver's license would have become the fundamental voter identification and registration document. Persons would have been required to register to vote when they obtained or renewed their driver's license unless they *declined in writing,* a fundamental shift in attitude about the concept of citizen participation in voting. As this bill is very likely to be introduced in the new Congress, I may revisit this subject in the near future. [Don Norman will also. He has prepared a lengthy response to many of the contributions that have come in recently, but which have not appeared in RISKS. It will follow in a special double issue of RISKS. PGN] ------------------------------ Date: Thu, 3 Dec 1992 11:36:00 +0000 From: "Alan (A.G.) Carter" Subject: Police and Database [name confusion with twist] There was an interesting case in the UK in the mid-80s. The Data Protection Act (DPA) had recently come into force, providing persons whose details were stored in databases (known as Data Subjects) with certain rights. A woman applied for a job with a local Council. She thought she was ideally suited and was surprised to be turned down. Her friend who already worked for the Council investigated for her and found that for the job concerned, the Council made a routine check with the Police National Computer (PNC). We don't want criminals in certain positions of trust. The PNC had claimed that she had been convicted for shoplifting. The woman had no criminal record, so she sent her nominal fee to the PNC people and asked for her record. It was the record of another person with the same name, who had been convicted in the 1960s. As she had been denied employment on the basis of the false statement made about her, she decided to take the PNC people to court and obtain compensation, as allowed for in the DPA. Then the Police lawyers came out with a wondrous bit of sophistry. Data Subjects are indeed entitled to compensation for losses caused by mis-representation of their records, but in this case, the woman was not a Data Subject. The other woman, with a criminal record, was a Data Subject, but our heroine had no criminal record. As she was not a Data Subject she could not have been mis-represented, and was entitled to no compensation. The Police won the case. ------------------------------ Date: Fri, 04 Dec 92 15:21:20 EST From: Shyamal Jajodia Subject: Toronto Stock Exchange Virus Scare The following report has been paraphrased from the EDPACS Newsletter for January 1993: InformationWeek reported that someone described as a disgruntled former employee of the Toronto Stock Exchange telephoned a local TV station newsroom and claimed that he had placed a computer virus in the exchange computer system due to activate at 9-30 the following morning. An all night search of the system did not reveal any infection, and trading proceeded on the following trading day without interruption. This risk is similar to the risk of bomb scares on flights. Seems that all systems vulnerable to threats that cannot be detected without considerable work are vulnerable to the risk of false alarms. Shyamal Jajodia ------------------------------ Date: Thu, 3 Dec 92 01:29:24 -0800 From: karn@qualcomm.com (Phil Karn) Subject: Re: Akron BBS trial update! I couldn't have invented a better reason to encrypt EVERYTHING on one's computer system than this. It's sad that it would ever be necessary, but until civilization matures a little more I don't see much of an alternative. The law is at present an awfully unreliable safeguard of one's right to personal privacy. Even when one wins (is acquitted) one almost always loses - in lost time, personal anguish, diminished reputation and, of course, legal fees. I agree with John Gilmore -- I have far more confidence in the ability of physics and mathematics to protect my privacy than in laws passed by a government that can violate or ignore them at will. Phil ------------------------------ Date: Fri, 4 Dec 1992 21:09:40 -0500 (EST) From: kd1hz@anomaly.sbs.com (Michael P. Deignan) Subject: Risks of children using BBSes (Was: Re: Akron BBS trial update!) In a previous posting, we read how a BBS sysop was being "unjustly" accused of various crimes. Just to balance things out, I would like to refer to the following articles: This first article appeared in the Providence Journal Bulletin in April 1991. (Sorry, I don't have the exact date.) "Computer Guru faces Sex Counts Networks Abuzz Over Charges Against Bulletin Board Czar By Christopher Rowland Journal Bulletin Staff Reporter Warwick - Michael P. Labbe reigned as a kind of supreme talk-show host for Rhode Island's home-computer buffs, allowing thousands of hobbyists to communicate electronically through an array of equipment in his basement. But Labbe's network crashed last week, when police arrested him and an associate and charged them with sexually assaulting two teenage brothers whom he befriended using his computer. The arrest has left the state's largest computer "bulletin board" in tatters, crippling a popular source for computer enthusiasts of technical information, business news, computer-game updates and gossip. It also has stunned Labbe's subscribers, who have engaged in a steady electronic discussion of the allegations on various alternative bulletin boards. Labbe, 25, and Jeffrey L. Whitman, 23, were released on bail after a bail hearing yesterday in Superior Court. They had been held at the Adult Correctional Institute since their April 15 arrest. Labbe's system, established in 1984, was shut doen after his arrest. It was revived yesterday after his release, but without its crucial link to a national and international information network. Labbe and Whitman are charged with first- and third-degree child molestation. Authorities allege that Labbe molested the youths during 1989, 1990, and 1991. Whitman is charged with molesting them in 1990. Authorities said Labbe first contacted the two boys, ages 16 and 14, through his computer bulletin board, the "Eagle's Nest" - so dubbed because Labbe was active in Boy Scouts as a North Providence High School student and achieved the rank of Eagle Scout. Warwick police said the victims were frequent visitors to Labbe's house, which visitors described as being an electronic showcase." [...The article then goes on with testimonials about "what a good boy" he was and how "shocked" the interviewees are at the charges...] Well, time passed. Until a few months ago, nobody knew what happened. That is, until this story was published: "Warwick Man Sentenced On Felony Morals Charge (no byline) Warwick - A founding member of one of the state's largest computer bulletin board networks received a seven-year suspended sentence after pleading no- contest this week to a felony morals charge involving two teenagers whom he befriended using his computer. Michael P. Labbe, 26, of Warwick was sentenced Thursday after reaching a plea agreement with the attorney general's office. The victims, who were 15 and 16 at the time of the offense, were present in the courtroom and had agreed with the sentence. Labbe and Jeffrey L. Whitman of Cranston were each arraigned in District Court in April 1991 on charges of first-degree child molestation and third- degree sexual assault. First-degree child molestation, which carries up to life in prison, involves children 14 years or younger. When the case was sent to the Superior Court, the attorney general's office amended the charges to a felony morals offense, which carries a maximum 10-year sentence. Whitman pleaded no-contest to the same charges last fall and also received a seven-year suspended sentence. Labbe founded his computer bulletin board "Eagle's Nest" and contacted the victims through the network. The network, which Labbe operated with Whitman, was the oldest and largest bulletin board in Rhode Island and was geared to general hobbyists and teenagers. As part of the plea agreement, both men were ordered to undergo counseling and to have to contact with either of the boys." This case was depicted by many people on the local BBS scene as an attempt to "taint" Labbe's image, as part of an attempt by other BBS sysops who were "jealous" of him to 'take over BBSing in Rhode Island'. However, in the long run we see that in fact this wasn't the case, that Labbe did indeed engage in questionable activity with these underage boys, and eventually pleaded guilty to reduced charges to avoid a prison term. The Risks in the case are numerous. First, as a parent, you should know what your children are doing, especially on computer bulletin board systems. Second, Mike Labbe and the Eagle's Nest BBS is still a participating member of the RIME network. As Eagle's Nest BBS caters primarily to the under-age teen user, and the controlling members of the RIME network are aware that Labbe pleaded guilty to the charges, clearly they continue to support him and his 'actions'. In a nutshell, it is important to read beyond the hype and disinformation which is presented by both sides of the issue and get down to the truth of the matter. Michael P. Deignan mpd@anomaly.sbs.com ...!uunet!rayssd!anomaly!mpd Telebit +1 401 455 0347 [Excuse me for noting it here, but mole-station is one of the classic mishy-phenations, along with works-tation and times-tamp, and reminds me to request that you all try to avoid sending me stuff with rampant autohy-phenations. It makes routine reformatting really ugly. PGN] ------------------------------ Date: Fri, 4 Dec 92 11:30:39 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Lost Technology Some time ago I was made aware of a company that was developing a software-based session encryption package that would allow remote dial-up users to authenticate both ends of the connection and prevent eavesdropping by a simple wiretap. At the time my opinion was that it was something that a great many companies and agencies needed. With the current proliferation of "wireless LANs" the danger becomes even acute since a physical connection is unnecessary for capture of traffic. One of the real advantages of the system was that it was purely software based making it much more portable and potentially far less expensive than hardware devices. Recently, I found that the development of the product had ceased from a lack of funds. It seemed that the FBI wiretap proposals had given their sponsor cold feet. It is particularly bothersome since the proliferation of error correcting modems has removed the only real barrier to full session encryption (line noise causing loss of synch). With all of the RISKS of bringing to market a fully featured software product (actually developing the driver is not that difficult, it is the user interface, compatibility testing, and quality control that really adds up in time and effort), we must now add intimidation of the backers to the list. Padgett ps for anyone who might be interested, the company is CRYPTECH in Jamestown, New York (716)484-0244. I have no other knowledge of the company besides having seen the demo. ------------------------------ Date: Thu, 3 Dec 92 11:13:42 EST From: jt@giverny.aix.kingston.ibm.com (Julian Thomas) Subject: Re: Computer theft from GP's; encryption is not a cure-all I share your concern about the risk, but it is far too easy to get complacent about the protection afforded by encryption since the medical community isn't apt to be as sophisticated as members of the computing community when it comes to password security (selection of good passwords, not writing them down,...). The human element is normally the weak link in cases like these; it might be easier to subvert an office worker for a key than for a medical record itself. To be effective, a records encryption scheme would need to be both powerful (ideally using different keys for different records), easy to use (so it doesn't make the job of the legitimate users significantly more difficult), and robust (resistant to subversion by either malice or ignorance). I have often used a diskette file (that can be separately physically secured) to load a password (or set of keys) into memory on system startup; other schemes will undoubtedly come to mind. If the thefts are for the equipment, not the data, today, it may not be too long before the thieves find it profitable to pass the equipment on to the professional blackmailers rather than the usual fencers of hot equipment. Snailmail: 83DA/988 IBM DSD Kingston Compuserve: 72355,20 MCIMAIL: 173-6393 ------------------------------ Date: Thu, 3 Dec 92 22:17:06 CST From: sullivan@geom.umn.edu Subject: Turn Signals Seeing a couple of postings from Don Norman in a recent RISKS reminds me that I haven't seen mention of his book(s) here. I got a copy of "Turn Signals are the Facial Expressions of Automobiles", a collection of essays on the interaction of technology and society, a few months ago, and found it so engaging that I lost sleep reading it in one night. I haven't read his earlier book "The Design of Everyday Things". Norman's essays touch on topics like misleading user interfaces (on things as simple as doors), the trend towards experiencing life through recordings, low-tech fixes for confusing airplane cockpits, the estimation of low- probability risks, and the ramifications of international computer networks. Of course, this is not an exhaustive list. Addison Wesley: ISBN 0-201-58124-8 (I got my copy through Library of Science) -John Sullivan, sullivan@geom.umn.edu ------------------------------ Date: Sat, 5 Dec 92 07:54:46 EDT From: Jerry Leichter Subject: Estimating risks This Wednesday through Friday mornings (2-Dec through 4-Dec), NPR's Morning Edition ran an extended story on environmental problems and the present and future of the EPA and environmental laws. Unfortunately, I only caught the tail ends of two of the segments. Of particular interest to this group - and I wish I'd heard the whole thing! - was Thursday's segment. At least the part I did hear discussed the problem of tradeoffs: With limited resources, how do we decide which risks are the ones most important to deal with? Much of the discussion centered on a question that has been recently discussed in RISKS: Is "the common man" competent to answer such questions in a rational way? The answer of the people they spoke to was basically, "yes". As has been discussed here, people do not look only at probabilities in deciding the importance of various risks; but they do follow an understandable, not at all arbitrary, procedure. One interesting study they cited: If asked to rank the "danger of death" from a variety of causes, such as (say) smoking or driving, people come up with an ordering that does not match the probabilities of death from those causes. However, if the same people are asked to rank the "CHANCES of death", they produce the "correct" ranking. The "incorrect" ranking is not based on ignorance! I seem to recall seeing messages from someone on NPR in RISKS. Anyone out there who could get a transcript of this segment for RISKS readers? Jerry ------------------------------ Date: Sun, 6 Dec 92 11:28:07 PST From: tdzubin@cue.bc.ca (Thomas Dzubin) Subject: Revenge via computer San Francisco. A man sent his ex-wife (who had apparently asked him to retrieve some inaccessible files) a computer diskette that destroyed her entire hard disk, including software and manuscripts, and then displayed a vengeful limerick. James Welsh, a 32-year-old accountant has pleaded not guilty to three counts of "introducing a virus" into the computer. He could face three years in prison if convicted. Welsh's ex-wife, writer Kathleen Shelton, said she had a problem with a computer they formerly owned together. Welsh apparently sent her a computer disk with instructions for correcting the trouble. Police said, "She followed Welsh's instructions, which resulted in the destruction of approximately $8,000 worth of software and manuscripts, leaving only a limerick explaining Welsh's actions against her." "A lying bitch named Kathleen, Made in the courts quite a scene. To have her ex, the hacker, Enjoined not to smack her, So I wiped her whole hard disk clean." Detectives searched Welsh's home, seized $4,000 worth of computer hardware and allegedly found evidence of the "virus". Welsh's lawyer, Annette Lombardi, said: "There's not as much damage as charged. It's basically the cost of getting a guy to fix the computer and install new software." [Presumably a DIFFERENT GUY this time..., maybe someone who can write poetry that scans.] [Source _The Province_ Vancouver, B.C. Canada, plus the San Francisco Chronicle, 4 Dec 1992, edited by PGN] ------------------------------ Date: Mon, 7 Dec 92 11:27:41 EST From: cnorloff@tecnet1.jcte.jcs.mil Subject: Risk reduction: Human Factors (Moonen, RISKS-14.03) Ralph Moonen (rmoonen@ihlpl.att.com) writes in RISKS-14.03 that he's concerned about making concessions during design. He includes human factors as a concession, when it is, in fact, a prime design requirement in most systems. After all, humans operate most of the systems we design! I'm a human factors engineer, and have seen incredibly bad designs built to meet schedule or performance requirements, with no regard to the human operators. People are part of the system, not merely users. And just because a designer can operate a system doesn't mean a typical user can operate a system. This has been proven time and time again. And the lesson has not been learned yet. Just reading through RISKS provides many examples of poor user design: bad interfaces, mental models foreign to current users, and systems not meeting users' needs. Systems, including computer systems, must be designed with the human as the main enabling part of the system. The system should take advantage of humans strength and not overload human weaknesses. Mr. Moonen's comment that they will see better products by following his points, but that he hasn't "touched the subject of user interaction" illustrates the problem: designers are designing for themselves rather than for the users. Chris Norloff cnorloff@tecnet1.jcte.jcs.mil ------------------------------ Date: Thu, 3 Dec 92 16:49:31 GMT From: Lindsay F. Marshall Subject: Flood Stories A while ago I asked for people's stories relating to computers and floods (not just of water - molten metal featured in one). Since then, I am sure new readers have joined and new floods have happened, so if you haven't sent me your flood story before can you please send it to me now. Lindsay.Marshall@newcastle.ac.uk +44-91-222-8267 FAX +44-91-222-8572 Computing Laboratory, The University, Newcastle upon Tyne, UK NE1 7RU ------------------------------ Date: Thu, 3 Dec 1992 08:50:58 -0700 From: mcclella@yertle.Colorado.EDU (Gary McClelland) Subject: Re: holiday reading on Risks (Agre, RISKS-14.14) >Lorraine Daston, Classical Probability in the Enlightenment, Princeton: >Princeton University Press, 1988. This is a detailed and scholarly history >of early modern mathematical ideas of probability. I second the recommendation for reading Daston's histories. For those with limited time, I recommend as a shorter course this wchapter: Daston, L. J. The domestication of risk: Mathematical probability and insurance 1650-1830. In L. Kruger, L. J. Daston, & M. Heidelberger (Eds.), The probabilistic revolution: Volume 1. Ideas in history (pp. 237-260). Cambridge , MA: MIT Press, 1987. It is interesting to look back and see the probabilists scratching their heads trying to understand the boneheadedness of both users and designers of insurance systems (e.g., the Bank of England almost went broke by selling lifetime annuities at a fixed price _not_ conditional on age). I think readers of RISKS often scratch their heads in the same way trying to understand the boneheadedness of both users and designers of computer systems. The good news is that the insurance companies finally got it right with respect to probability. The bad news is that it took a long time and required some fundamental shifts in thinking about probability and uncertainty. RISKS readers may therefore find some lessons in Daston's work on what must occur before designers and users of computing systems (ironically, of course, the insurance companies are now big users) more appropriately deal with the risks of computing. Alas, the Bank of England was near bankruptcy before they wised up so the message may not be comforting. gary mcclelland, univ of colorado mcclella@yertle.colorado.edu ------------------------------ End of RISKS-FORUM Digest 14.15 ************************