RISKS-LIST: RISKS-FORUM Digest  Saturday 25 March 1989  Volume 8 : Issue 45

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Wells Fargo Deposits Slip (PGN)
  Hospital Viruses (Dennis Steinauer and Joe Morris)
  Optical Scanning of Handwritten Purchase Orders (Hiram Clawson)
  Credit card magstripe-encoded pictures (Mike Trout)
  Cellular phones and health (anonymous, Dale Worley, R. Scott Truesdell)
  New method (risk) of demagnetizing floppies (Douglas B. Robinson)
  Microwave ovens (Don Chiasson)
  Corrections to Internet Security Plans (David M. Balenson)

----------------------------------------------------------------------

Date: Sat, 25 Mar 1989 14:16:46 PST
From: Peter Neumann
Subject: Wells Fargo Deposits Slip

A computer software glitch at Wells Fargo Bank has caused a delay in depositing payroll funds for 12,000 to 15,000 workers at about 70 companies, mostly in Northern California. (The delay of a day or weekend apparently affects only people whose paychecks are deposited automatically on a weekly basis. This was considered a drop in the bucket, because WFB processes about 1.5 million payroll accounts each month. SFB promised to cover any overdraft charges.) [Source: San Francisco Chronicle, 25 March 1989, p. B4]

------------------------------

Date: 23 Mar 89 21:13:00 EDT
From: "STEINAUER, DENNIS"
Subject: Hospital Viruses -- Now things are REALLY getting confusing.

The following was in the 3/23/89 Washington Post (and probably other places, since it came over the newswire). Lots of confusing and seemingly contradictory info. Anyone know anything about it?

dds

COMPUTER VIRUS STRIKES MICHIGAN HOSPITAL
Records Altered or Scrambled but Patients Were Not Endangered

BOSTON, March 22 - Computer viruses, which have disrupted university, newspaper and government systems, have spread to hospital computers.
Officials at William Beaumont Hospital in Royal Oak, Mich., said two viruses altered or scrambled patient information in a computer that creates high-quality pictures for diagnosing diseases. The viruses, according to a report in the New England Journal of Medicine Thursday, also created non-existent patients and spread to two other medical facilities.

Dr. Jack E. Juni and Richard Ponto of the Beaumont Hospital said patients were not endangered by the virus because original copies of the records were not stored in the infected computer.

A computer virus is a malevolent computer program designed to spread itself surreptitiously throughout a computer system and, before anyone realizes it is present, destroy or alter stored information.

The new case is being reported as doctors and hospitals are developing growing reliance on all-purpose computers far more vulnerable to infection by viruses.

Ponto and Juni said the Beaumont virus was discovered when the hospital's new image-display station, which creates pictures for heart studies, stopped responding to commands. Then nonexistent patients and garbled names appeared on the patient directory.

When officials investigated, they discovered that seven of 10 programs had been altered and that the virus had created many new files.

Juni said the virus was on a hard disk manufactured by CMS Enhancements of Tustin, Calif.

CMS spokesman Ted James said a virus, inadvertently put on 600 such disks last October, had contaminated a program used to format the disks. The virus apparently entered the company's plant on a hard disk returned for servicing.

James said the virus was "as harmless as it's possible to be." It inserted a small piece of extra computer code on hard disks but did not reproduce or tamper with other material on the disk.

[Also noted by Joe Morris]

------------------------------

Date: Fri Mar 24 17:00:51 1989
From: hiramc@sco.UUCP
Subject: Optical Scanning of Handwritten Purchase Orders

Seen on the order form for Microsoft QuickC Ver. 2.0 Update:

"To quickly and accurately process the large volume of orders that we receive, we have installed an optical scanner that will read and code your coupon. To ensure the fastest possible fulfillment of your order, when filling out the coupon, print your characters so that they look exactly like those in the sample below (take special notice of the "o")."

That last line was in italics, and there followed the alphabet and numbers as we are supposed to print them. The "o" looked like a Q rotated 180 degrees.

I thought the computers were supposed to adapt to us rather than the other way around?

--Hiram Clawson - uunet!sco!hiramc | hiramc@sco.COM 408-458-1422 ext. 3289

------------------------------

Date: 23 Mar 89 20:01:55 GMT
From: miket@brspyr1.brs.com (Mike Trout)
Subject: Credit card magstripe-encoded pictures (RISKS-8.44)

> ... I see no disadvantage to the consumer.

I do. Once this starts up, it will be only a matter of time before they start taking digitized images of you ("cheap line-scanning monochrome cameras!") each time you attempt to use the card. The bits of this "current" image will then be electronically compared to the bits of the "original" image. If the match-up is less than, say, 99%, or maybe 95%, or maybe even 90%, it's "sorry, charge not approved..." Who decides the percentage of match-up allowed?

Even assuming the digitized image is only "one-way," that is, only appears on a screen for a clerk to compare to your face as you stand there with hat in hand, there are serious potential problems. In either case, consider the following scenarios:

Two or three times a year, I drastically change my facial hair (clean shaven, mustache only, mustache plus beard, etc.).
And what of folks who have plastic surgery, either by choice or because of disfiguring accident? And those who have accidents and can't afford surgery? Men going bald? Women (and men!) who drastically change their hair styles? Differences in makeup application? The basic aging process? Are we all to be locked into one appearance?

And what of the complexities of the individual human face? By slightly flexing a few facial muscles, anyone can transform their face into something new. Meryl Streep is an extreme example. What of the guy who has his original photo taken the day after he is married, and then applies for some credit the day after his wife informs him she is filing for divorce? You know that any digital representation of his face will have considerable bit differences.

Will this image exclude any clothing that appears below the neck (collars, ties, etc)? If not, you'd better be sure to wear exactly the same thing every time you use your credit card ("uh, wait, lemme try tying my tie a little differently..."). And what of differences in light and shadows?

Many will argue, "but those same problems COULD exist with any photo ID, but there are no such problems in real life." Absolutely true. But once something has been "computerized" it takes on God-granted status. In the last issue of RISKS, Kevin Driscoll treated us to the bizarre story of how the Georgia Department of Public Safety is completely unwilling to correct errors entered into their computers, even when they know about those errors. Try explaining to an 18-year-old clerk that she shouldn't worry about the fact that you "look different" from your computerized image ("I'm sorry, sir, but that's what's in the COMPUTER..."). People can adjust for changes in a photograph, such as those on most driver's licenses. But that image on the "computer screen" may as well be carved in granite.

> ... "What wart?" ...

I find such personal inquiries repugnant, and would have a hard time avoiding slamming down the phone.

But on a more important topic, is there any empirical evidence to suggest that credit card fraud could be significantly reduced by facial images, either true photographs or digitized images? I am reminded of the controversy in New York State a few years back, when we became the last of 50 states to place a photo ID on driver's licenses. Some enterprising reporters actually went so far as to talk to law enforcement officials about the value of photo IDs. The consensus, even among the sometimes over-enthusiastic State Troopers, was that there was no real law enforcement use for photo IDs. Alternative methods of investigation are far more useful.

NSA food: Iran sells Nicaraguan drugs to White House through CIA, SOD & NRO.
Michael Trout, BRS Information Technologies, 1200 Rt. 7, Latham, N.Y. 12110 (518) 783-1161

------------------------------

Date: Wed, 22 Mar 89 10:11:18 PST
From: [anonymous]
Subject: cellular phones and health

It is fairly well established that exposure to high relative power densities of UHF and higher RF frequencies can cause significant health problems. Parts of the body that are the most sensitive to heat effects are the most vulnerable to RF effects, with the eyes being the most sensitive of all. There have been cases of police departments having problems with officers who developed cataracts apparently relating to their use of hand-held UHF (e.g. 450 Mhz) transceivers.

Hand-held cellular phones are probably even worse. Like police transceivers, these units almost always have the antenna in very close proximity to the user's head, putting the head (and eyes of course) in a quite strong relative field (while the absolute power may only be a few watts, the relative power density near the antenna is quite high).
Also, cellular units operate at around twice the frequency of police transceivers (i.e., cellular operates around 800 Mhz and higher) and the higher the frequency, the worse the risk.

Another factor is that while police transceivers are half duplex and only transmitting when the officer has something to say, cellular transceivers are transmitting continuously when a conversation is occurring (since they are full duplex) so the overall exposure is far higher in most situations.

It would appear that a real risk may exist. Note that the farther you get away from the antenna, the better off you are, since the inverse square law applies.

------------------------------

Date: Fri, 24 Mar 89 10:53:08 EST
From: worley@compass.com (Dale Worley)
Subject: Risks from cellular phones

   From: miket@brspyr1.brs.com (Mike Trout)
   Subject: Possible Cancer Risks from Cellular Phones?

   I recently had a discussion with a major electronics guru for a local television station. We were talking about microwave transmitters (radar speed guns, garage door openers, that sort of thing), when he made a dramatic statement that shocked me: he claimed that cellular phones were extremely hazardous and probably highly carcinogenic.

Sorry, but this is extremely unlikely. Human flesh is very poor at absorbing (or affecting in any way) radio waves. Because of this, possible resonance effects between the skull and the transmissions are very unlikely.

There are three ways that electro-magnetic radiation can harm living tissue:

(1) electric-current burns. This is what gets people who touch or come very close to high-power antennas. (To be precise, however, this effect is due to inductive or capacitive coupling with the antenna, rather than absorption of E-M radiation.)

(2) thermal heating due to resonance absorption (usually by water molecules). This is how microwave ovens heat things.
However, this effect can happen only at certain specific frequencies of radiation, all of which are much higher frequencies than are normally used for cellular phones.

[These first two effects cause problems only at high power levels, because the human body can take a significant amount of current flow and heating without any damage at all -- at low power levels, they are lost in the noise of biological currents and heat generation.]

(3) direct modification of molecules. This happens only with high-energy E-M radiation, X-rays and gamma rays. [This is the only one of the three damage mechanisms that can cause cancer.]

As you can see, it is unlikely that a cellular phone will harm you via any of the three mechanisms, much less cause you cancer.

I'm not particularly astonished that this fellow is worried that pressing a radio transmitter to your head might be harmful, although he should have done a bit of research before spreading groundless warnings. I am astonished that he thinks they cause cancer. I can see no reason for even an uninformed person thinking this, other than the "Everything bad causes cancer" scare-mentality that seems to be popular.

I once read an article noting that over the last 10 years there were several dozen alleged risks to human health that had achieved enough newspaper coverage to seriously scare people, and it noted that while a few of them were indeed serious health risks, most of them were, in practice, harmless. It also noted that the information presented in newspapers was almost useless for distinguishing these two categories.

I wonder what will happen when "cellular phones cause brain tumors" hits the papers? The RISKS of needless and wasteful regulation of non-threats (not to mention of hardening people to the point that they fail to be concerned about genuine health risks) are, as people say here, obvious. When will some sanity be injected into the subject?

Dale Worley, Compass, Inc.
worley@compass.com

------------------------------

Date: Wed, 22 Mar 89 10:01:52 -0800
From: truesdel@PARIS.ICS.UCI.EDU
Subject: Cancer from Cellular Phones

Cellular phones operate in the 800 MegaHertz band. This is in the middle of the UHF band, directly below the microwave band. Microwaves, as we all know, are used for making popcorn and cooking turkeys. 800 MHz puts the full wave right at 14.8 inches or a half wave at 7.4 inches which is a little long to resonate inside the skull cavity. This doesn't mean that it can't cause real damage, though.

An example has been showing up since civic police forces have started switching up from the VHF to the UHF bands for local communications. The advantages of using higher frequencies are more bandwidth, less interference, and better audio quality. The RISKS, however, are starting to show up.

The problems were first noticed in officers making extensive use of hand held (walkie-talkie) units with built-in "Stubby-Duck" antennas. These antennae are identified by having a length of around 2 - 4 inches, a diameter of about a quarter inch, and made usually with a black rubber coating. When held in the talking position, the antenna is positioned in close proximity to one of the eyeballs. That's when the glaucoma started showing up. Essentially, the UHF waves were frying the aqueous humor... turning what should have been the consistency of Jello brand gelatin dessert into the consistency of 3 day old oatmeal.

So the local P.D.s decided to move the radios away from the face and strap them onto the officer's belt. The interaction is through a hand-held speaker/mic. Great solution! Now the officers get it in the spleen instead of the face!

So, back to cellular phones. Hand-held units with built-in antennas are obviously the greatest risk. Antennas placed on the roof of the car, shielded by the car's sheet metal, are best.
This assumes that the installation was competently made by a knowledgeable RF technician (NOT a stereo installation jockey), the connectors are "low loss", and the coax itself is "low loss". The most common cellular phone coax is cheap RG-58/U. This is "thin ethernet" cable. A much safer connection is made with the thicker coax (I think RG 59/U, but I don't remember). The thin stuff is used more because it is cheaper and MUCH EASIER to install.

I am very interested to see what further studies are being conducted relative to the long term effects of exposure to RF. I am worried about the unrestricted saturation we receive 24 hours a day on all frequencies. How free of effect are the "safe" frequencies (VHF, HF)?

R. Scott Truesdell

[Please pardon a little redundancy. I could not prune easily. PGN]

------------------------------

Date: Fri, 24 Mar 89 13:11:46 EST
From: robinson@apollo.com
Subject: New method (risk) of demagnetizing floppies

One fine *cold* day in February I transported a floppy from location A to location B. I thought nothing about placing the floppy in the passenger chair. It was positioned vertically against the chair back, wedged gently behind an empty child seat. The trip took about 30 minutes. Then I tried to read the floppy and could not: the machine couldn't even find track 0. I tried about a half-dozen or so machines before I gave up.

It was an old floppy so I guessed that it just couldn't hold the bits anymore, so I got a few new ones and was going to try again when the real cause of the problem dawned on me: I own a 1985 SAAB with the *heated* front seats. I guessed that since the heating element was electrical it might be putting out enough of a magnetic field to scramble the data.

So I experimented: I made about 5 copies of the floppy and placed some of them on the floor and one of them on the seat as before, drove for about 30 minutes (again on a cold day) and then tried to read them. The floppy placed like the first one was unreadable.
Those on the floor were fine.

I'd sure like to get an instrument and measure the magnetic field near that chair when the heater is working. I'd like to know why the magnetic stripe on the credit cards in my wallet still work...

Douglas B. Robinson
Apollo Computer, Inc., MS CHA-01-LT, 15 Elizabeth Drive, Chelmsford, MA 01824
508/256-6600 x6225

------------------------------

Date: Wed, 22 Mar 89 16:13:34 AST
From: Don Chiasson
Subject: Microwave ovens

A few nights ago a minor incident occurred which typifies how computer risks can be worse than those of other technologies and why people get upset. At about 2:00am, my toddler woke up demanding nourishment so I put 250ml of milk in the microwave to heat. It was dark and I wasn't too well coordinated with the result that I spilled the milk. Most went on the kitchen counter, some on the touch pad and a few drops went into the door latch mechanism. I cleaned the mess, heated more milk and all was fine.

The next morning was not quite so fine: the microwave worked normally except that it turned on when the door was open! A small amount of milk had seeped (I suspect through the door latch) into the electronics causing a bizarre and highly unsafe failure. I was especially disturbed because a microwave hazard is invisible.

My point is that a very important safety requirement - the magnetron must not be on when the door is open - had been implemented in logic with other routine functions. An old design would have used a mechanical switch to disable the magnetron when the door was open. Computerized logic systems allow inexpensive implementation of a broad range of features by treating all functions and all signals uniformly. Unfortunately, such uniformity does not normally permit special safeguards for critical functions. A robust design would use separate systems for activation and safety.

Don

------------------------------

Date: Thu, 23 Mar 89 15:00:06 EST
From: David M. Balenson
Subject: Corrections to Internet Security Plans (RISKS-8.43)

For the record ...

... the New York Times article by Vin McLellan on March 21st (Volume 8, Issue 43) regarding the "Internet Security Plans" incorrectly included Texas Instruments (TI) Inc. in the list of representatives responsible for the Internet standard. In fact, Trusted Information Systems (TIS) Inc., a small privately-owned computer and communications security consulting firm based in Glenwood, Maryland, is one of the representatives responsible for the Internet standard. Furthermore, Dartmouth College was inadvertently omitted from the list of representatives.

I should also mention that the article fails to point out that the Internet mail messages themselves are actually protected using the Data Encryption Standard (DES) and that RSA is only used to protect and distribute the DES keys.

-David M. Balenson, Trusted Information Systems, Inc. (301) 854-6889

------------------------------

End of RISKS-FORUM Digest 8.45
************************
-------