RISKS-LIST: RISKS-FORUM Digest  Friday 24 February 1989  Volume 8 : Issue 30

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  "Do you know who's reading your medical records?" (PGN)
  Wells Fargo ATM outage (PGN)
  New York 540 Phone Number Scam (John Murray)
  900 "confession" number (Randal L. Schwartz)
  Re: Chicago Phone Freak Gets Prison Term (Rich Salz)
  Reach Out and Spy on Someone (Peter Scott)
  Power failure problems (Jonathan I. Kamens)
  Photographs as evidence (re: digital editing, etc.) (Ernest H. Robl)
  Stanford and rec.humor.funny (Martin Minow)

----------------------------------------------------------------------

Date: Fri, 24 Feb 1989 11:18:27 PST
From: Peter Neumann
Subject: "Do you know who's reading your medical records?"

Of considerable interest to RISKSers is an article entitled "Absolutely NOT Confidential" by Clark Norton, in the March/April 1989 issue of Hippocrates (The Magazine of Health and Medicine). The article documents many of the problems of large networked databases, including privacy, data quality, legal and social implications, etc. It also includes a state-by-state table on your access to your own medical records, with separate entries for doctors', hospitals', and mental health records. Arkansas, New Hampshire, Rhode Island, South Carolina, Vermont, and Wyoming are the only states left with no laws guaranteeing your access for all three types of records. Thus far, Montana is the only state to adopt a model bill drafted by the National Conference of Commissioners on Uniform State Laws.

   ``Like most Americans, you've probably assumed your medical records were confidential -- protected by ethics and the law. At one time you would have been right. "We used to have a medical system that was confidential," says retired Harvard School of Medicine neurosurgeon Vernon Mark...''

Now it is relatively wide open.

------------------------------

Date: Fri, 24 Feb 1989 11:02:52 PST
From: Peter Neumann
Subject: Wells Fargo ATM outage

445 of Wells Fargo's 1200 ATMs in California were out of commission for many hours on 22 February 1989, due to computer malfunctions. (Bank of America has twice had about 700 ATMs out of commission in recent months.)

   `John Love, publisher of Bank Network News, a newsletter that covers electronic banking, said that, on the average, ATMs are down 5 percent of the time because of ``machine-specific problems.'' However, such widespread failures are rare, he said, because of extensive backup computer networks.'

[Quote from the San Francisco Chronicle, 23 Feb 89, pp. C1 and C18, in an article by David Tuller.]

------------------------------

Date: 24 Feb 89 02:31:46 GMT
From: johnm@uts.amdahl.com (John Murray)
Subject: New York 540 Phone Number Scam

Just picked this up from comp.dcom.telecom - John Murray, Amdahl Corp., Sunnyvale, CA.

From wrf@ecse.rpi.edu Tue Feb 21 07:50:32 1989
Subject: 540 ripoff

NYS just fined a ripoff outfit that advertised a "GOLD" card if you called 540-GOLD. Several hundred people who did, and stayed on the line for a minute, were billed $50 (FIFTY DOLLARS). Needless to say their gold card had no relation to Mastercard or Amex. They were also contacting people with an illegal autodial operation that would not let the victim hang up to free the line.

I think now they're required to say at the start of the call that there is this charge. But what about people whose hearing is bad or English poor?

People in every state should have the right to disable this use of their phone as a no limit credit card. In fact, the default status should be disabled, and phone customers should have to enable it, and perhaps specify a $limit, if they want to use it.

[Moderator's Note: Illinois Bell was one of the first telephone companies to offer 900/976 blocking at no charge, no questions asked.
We do not have '540' service here -- yet -- but I assume any variation on it here would get free blocking. Here you can block 976 or 900 or both. The operator is unable to complete the connection for you. Out-of-LATA 976 calls cannot be blocked, but then they are only billed at regular long distance rates anyway. PT]

------------------------------

Date: Wed, 22 Feb 89 10:19:15 PST
From: Randal L. Schwartz
Subject: 900 "confession" number

(Quotes are from an article in the Feb 27 "Insight on the News" magazine)

The latest craze is a 900 number in which callers can "confess" their actions.

   Another of those adult phone lines, you think, and prepare to hang up. But then there is another voice, female, young, and remorseful. "I'm having an affair with Bob. He's my boss, and I just gave up our baby," she says. "I want to tell Ginne and Les to please take care of her and I hope that she grows up to be better than I was and [pause] I'm sorry." [...] Confessors leave a 60-second message on what amounts to an elaborate answering machine, then the tape is edited for playback on the other phone line. Sometimes listeners call in to respond to someone's confession, and some of these calls are played back.

Now, here's the scary part...

   Denton [producer of the Phone Confessions program] listens to every call, then selects a mix of confessions for playback. Most calls are about relationships, but United Communications [the producer's company] makes no secret that it gets calls from people confessing to crimes [!!].

Most people probably still believe that the phone number from which they make a phone call is available *only* to a select few. But with the 800 and 900 phone services (discussed either in RISKS or TELECOM, I lost track :-), a service-provider can obtain *instantly* the caller's phone number, and correlate it with the confessions. The risks to the public (out of ignorance) are obvious.
Law enforcement agencies, or even private opportunists, could set up such services, or tap into existing services, and obtain an unending supply of useful information.

Says the article:

   Denton believes that 98 percent of her calls are true confessions.

I suppose if I really wanted to confess a crime to one of these services, I'd go to a pay phone. I doubt that the public is aware of the consequences of calling from their home, though.

Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095
on contract to BiiN (for now :-), Hillsboro, Oregon, USA.

------------------------------

Date: 23 Feb 89 00:19:10 GMT
From: Rich Salz
Subject: Re: Chicago Phone Freak Gets Prison Term (RISKS 8.29)

>... and the Zinn residence was raided by FBI agents, AT&T/IBT security
>representatives and Chicago Police detectives used for backup.

ATT security people as backup? "Stop right there, this is the phone company; hands against the wall!"

Is it common practice in such "raids" to use outside companies?

------------------------------

Date: Thu, 23 Feb 89 10:41:46 PST
From: Peter Scott
Subject: Reach Out and Spy on Someone

An article in _Digital Review_, February 20, under the title "Reach Out And Help Someone" reviews a package for VAX/VMS called Video, from Performance Software. The subtitle says, "...system managers and training coordinators can keep an eye on user activity". Among other things, this package allows anyone with appropriate privileges to see what anyone else is typing and receiving on their terminal (passwords excepted, I suspect), or to "take over" another terminal and broadcast their own commands to it. You can also record terminal sessions and play them back at leisure.

"With the Video Seer utility, system managers can monitor terminal sessions to detect system abuse or simply to identify performance drains on their systems."

Oh joy.

[Funny aside: I just received a computer-printed letter for _Time_ Sweepstakes. The first paragraph reads: "...
Isn't it time you get that dream house for you and your family in Burbank? Isn't it time you started driving home to Box 6867 in that Mercedes-Benz you've had your eye on for years?..." Don't they know it's hard enough to fit myself into Box 6867, let alone park a Mercedes there?]

Peter Scott (pjs@grouch.jpl.nasa.gov)

------------------------------

Date: Mon, 20 Feb 89 04:57:16 EST
From: Jonathan I. Kamens
Subject: Power failure problems (RISKS 8.28)

In RISKS DIGEST 8.28, John Sinteur writes of his previous employers' problems when the power went out and their magnetic card readers failed to work.

About nine days ago, a large part of Cambridge, including the entire MIT campus, lost power for several hours as a result of a gas explosion in a manhole. One result of this was that all of Project Athena (The MIT undergraduate computer system/research project) lost power, including all of the workstation clusters.

The workstation clusters are all accessed by typing a combination into a keypad outside the door of the cluster. However, when the power went out, the keypads all went dead and hence all of the doors could not be opened.

Nevertheless, the people who were sent around to power down all of the workstations (so that when the power came back on things could be brought back up gracefully) were able to get into most (if not all) of the clusters without any trouble. Students leaving the clusters after the power went out realized that the keypads would not open the door, and therefore the last person out of each cluster propped open the door with a garbage can.

I guess it didn't occur to them that this would allow anyone to walk onto campus, walk into a computer cluster and steal every keyboard, mouse and chair in the cluster (The computers themselves are locked down in all but one cluster.).

(Then again, who would want all of those DEC and IBM keyboards and mice?
:-)

Jonathan Kamens, MIT Project Athena, jik@Athena.MIT.EDU  Office: 617-253-4261

------------------------------

Date: Mon, 20 Feb 89 14:27:59 EST
From: Ernest H. Robl
Subject: photographs as evidence (re: digital editing, etc.)

Several of the photography trade publications carry regular columns on "forensic photography" -- the making and use of photographs for evidence in civil and criminal cases.

The authors of these columns usually stress that photographs themselves are not sufficient for evidence, since such factors as lighting, angle of view (particularly with the use of telephoto or wide angle lenses), etc. can provide a quite different impression from what exists in reality. When photographs are introduced as evidence, the photographer is called as a witness to testify that the pictures are a true representation of a particular scene, object, etc.

The authors of these articles therefore stress the importance of keeping related documentation about when, where, and how the photographs were made, since this can come up during the trial.

Also related to the digital processing of images: There's currently a fair amount of coverage in the photographic trade press about another legal aspect of electronically combined images -- namely who owns the rights to the final product. Since most commercial photographers sell *rights* to the use of their images, rather than the physical transparency itself, this can get into a sticky area, since some clients (particularly in advertising) will want exclusive use of a particular image (and related images) for either a specific time period or for a specific geographic area.

The current issue of _Photomethods_, a journal for the audio-visual industry, has a questionnaire asking photographers whether they feel digital manipulation of images is a help or poses a threat.

     -- Ernest

My opinions are my own and probably not IBM-compatible.--ehr
Ernest H.
Robl (ehr@ecsvax) (919) 684-6269 w; (919) 286-3845 h
Systems Specialist (Tandem System Manager), Library Systems,
027 Perkins Library, Duke University, Durham, NC 27706 U.S.A.

------------------------------

Date: 21 Feb 89 09:36
From: minow%thundr.DEC@decwrl.dec.com
Subject: Stanford and rec.humor.funny -- risks in BBoards

[Found this on a local bulletin board. Martin Minow]

This is from the February 20, 1989, San Jose Mercury News:

Computer users worry that Stanford set precedent

They say decision to block bulletin board impedes free access to public information.

By Tom Philp

Computer scientists at Stanford fear the university has entered a never-ending role as a moral regulator of computer bulletin boards by recently blocking access to a list of jokes deemed to serve no "university educational purpose."

Many computer users on campus consider bulletin boards to be the libraries of the future - and thus subject to the same free access as Stanford's library system. Instead, Stanford apparently has become the nation's first university to block access to part of the international bulletin network called Usenet, which reaches 250,000 users of computers running the Unix operating system, according to a computer scientist who helped create the network.

To some computer users, Stanford's precedent is troubling. "We get into some very, very touchy issues when system administrators are given the authority to simply get rid of files that they deem inappropriate on publicly available systems," said Gary Chapman, executive director of Computer Professionals for Social Responsibility, a Palo Alto-based organization with 2,500 members. "My personal view is that freedom of speech should apply to computer information."

Ralph Gorin, director of Academic Information Resources at Stanford, disagrees.
"I think that it's very clear that one should be either in favor of free speech and all of the ramifications of that or be willing to take the consequences of saying free speech sometimes, and then having to decide when," Gorin said.

Since the jokes ban, more than 100 Stanford computer users, including a leading researcher in artificial intelligence, have signed a protest petition. And there is some evidence to indicate Stanford officials are looking for a way out of the dilemma they have created.

The joke bulletin board, called "rec.humor.funny," is one of several bulletin boards that discuss controversial topics. Stanford, for example, continues to permit access to bulletin boards that allow students to discuss their use of illegal drugs, sexual techniques and tips on nude beaches. Gorin said he is unaware of those bulletin boards.

The jokes bulletin board came to Stanford officials' attention in December, after a report about it in a Canadian newspaper. The jokes hit a raw nerve with campus officials, who have been plagued by a variety of racist incidents on campus. And so they decided on Jan. 25 to block the jokes from passing through the university's main computer.

"At a time when the university is devoting considerable energy to suppress racism, bigotry and other forms of prejudice, why devote computer resources to let some outside person exploit these?" Gorin explained.

The joke that sparked the complaints is this: "A Jew and a Scotsman had dinner in a restaurant. At the end, the Scotsman was heard to say, 'I'll pay.' The next day there was a newspaper headline, 'Jewish Ventriloquist Murdered.'"

Most of the jokes are not racist or sexist, Gorin said; they are just plain silly or political. An example: "What did Mickey Mouse get for Christmas? A Dan Quayle watch."

But Stanford officials were troubled because the jokes bulletin board is "moderated," meaning that one person controls everything that it publishes.
The jokes bulletin board "does not in itself provide for discussion of the issues that it raises," Gorin said.

The moderator, Brad Templeton of Waterloo, in the Canadian province of Ontario, publishes only jokes. Comments he receives go on a separate bulletin board, called "rec.humor.d." For Stanford, the existence of a comment bulletin board is not enough because people who call up the jokes will not necessarily see the comments.

The problem with "unmoderated" bulletin boards is clutter, according to Eugene Spafford, a computer scientist at Purdue University who is one of the pioneers of Usenet. The network accumulates the equivalent of 4,000 double-spaced, typewritten pages every day, far too many comments for any person to read.

"People who use a network as an information resource like a more focused approach," Spafford said. That is why another, unmoderated, bulletin board that has many comments and fewer - but equally offensive - jokes, is far less popular. Stanford does not block transmission of that bulletin board.

Templeton's bulletin board is the most popular of the 500 on Usenet. An estimated 20,000 computer users pull up the jokes on their screens every day, Spafford said.

Usenet has its own form of democracy, calling elections to determine whether a new bulletin board should be created, and who - if anyone - should moderate it. Templeton's jokes bulletin board was created by such a vote.

Stanford's decision to block access to it "strikes me as hypocritical," Spafford said. "At best, it's someone who doesn't understand the situation who is trying to do something politically correct."

John McCarthy, a Stanford computer science professor and one of the founders of the field of artificial intelligence, has met with university President Donald Kennedy to discuss his opposition to blocking the jokes.

"No one of these (bulletin boards) is especially important," McCarthy said.
The point is that regulating access to them "is not a business that a university should go into."

Since deciding to block access to the bulletin board, the administration has referred the issue to the steering committee of Stanford's Faculty Senate. The future of the bulletin board may end up in the hands of the professors.

"I think that is an entirely appropriate internal process for reaching that decision," Gorin said.

Added McCarthy: "I should say that I am optimistic now that this ban will be corrected. There are some people who think they made a mistake."

...

------------------------------

End of RISKS-FORUM Digest 8.30
************************