Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!decvax!brl-bmd!Human-Nets-Request@rutgers
From: Human-Nets-Request%rutgers@brl-bmd.UUCP (Human-Nets-Request@rutgers)
Newsgroups: fa.human-nets
Subject: HUMAN-NETS Digest V7 #21
Message-ID: <806@brl-bmd.UUCP>
Date: Wed, 22-Feb-84 20:58:45 EST
Article-I.D.: brl-bmd.806
Posted: Wed Feb 22 20:58:45 1984
Date-Received: Thu, 23-Feb-84 06:47:06 EST
Lines: 264

HUMAN-NETS Digest        Wednesday, 22 Feb 1984      Volume 7 : Issue 21

Today's Topics:
    Query - Whiz Kids??,
    Computers and the Law - Person Numbers (2 msgs) &
        Database Information Reporting (2 msgs),
    Computers and People - Security Backdoors (3 msgs),
    Information - Satellite Insurance
----------------------------------------------------------------------

Date: Thursday, 16 Feb 1984 03:45:17-PST
From: dave porter
Subject: Whiz Kids ??

Human-Nets occasionally refers to a TV programme called "Whiz Kids" which seems to have a plotline dealing with computer hackers and the like. Anyone care to send in a brief outline of the programme, for the benefits of any readers in parts of the world that don't get it?

(Since my net address is probably meaningless to most of you, let me point out that I'm in Reading, England.)

dave

------------------------------

Date: Thursday, 16 Feb 1984 08:10-PST
Reply-to: imagen!geof@shasta
Subject: National Databases and National Socialism - lest we forget

In European countries under occupation during World War II, government offices were ``burglarized'' with such information as social security files and tax information stolen shortly before the rounding up of Jews and other ``undesirables.''

Sometimes even the most well-meaning government assurances don't help. If the data is there, the potential for abuse exists.

- Geof

------------------------------

Date: Thursday, 16 Feb 1984 08:50:47-PST
From: decwrl!rhea!krikit!porter@Shasta
Subject: Person numbers

Interested to see comments on `person numbers' in a recent hnt.
In the UK there has been a recent move to introduce plastic cards with magnetic stripes as a replacement "National Health Service card". An individual has an NHS number, which is sort of like a social security number. However, this number doesn't seem to get used all over the place. The only place I can remember seeing mine written down is on my "National Health Card", and THAT's only a piece of thin card that I present to the doctor when I register with a new doctor, and I think that's only useful to him so that he can claim me as a registered patient and ask the Government for some money for looking after me.

My pay slip does have a slot labelled "NI Number". However, the contents are blank. This might be because I didn't tell them my NI number (well, how would I know what it is anyway?) or because they didn't ask me; I can't remember.

Excuse the rambling aside... anyway, the protagonists of the plastic cards say that there's no big deal about it, the cards merely contain the same information that the old cards did, just encoded differently. I see it another way; I see it as the first move towards establishing a unique, easy-to-digest handle on an individual. Just like an American social security number now is. No, thank you. I prefer my bent piece of cardboard which I lose all the time anyway (each time I move and register with a new doctor, I am indeed unable to find my NHS card).

A final historical note: apparently, we used to have some numbering scheme for people, probably introduced to control rationing during WW II. However, the system was dismantled in 1951 (I believe) owing to abuse of it.

dave

------------------------------

Date: Thu, 16 Feb 1984 09:55:01 EST
Subject: Database Access and Reporting
To: wmartin@office3

In regard to the discussion about the contents of databases, I'd just like to relate a true story that is, in fact, still in progress.

About a year ago, one of the people I live with was the victim of a purse-snatching.
Like any sensible person, she immediately reported the loss of the contents -- credit cards, checkbook, driver's license, library card, and so on. Within a few weeks, everything except the $40 or so in cash had been replaced. The criminal was never caught, and she assumed after some months that the case was closed.

Unfortunately, this was not the case. About nine months after the crime, she began to receive dunning letters from various chain stores located 30-60 miles from our home, claiming that she had written bad checks in payment of bills. None of these were places she'd ever stopped.

After some investigation, it was determined that what had happened was this: several months after the original robbery, someone took several of the pieces of id found in her handbag, split them open, and replaced the photos with different pictures. They then went to several local banks and opened checking accounts using my friend's name, but a different address (claiming that she was awaiting new id after a recent move, according to one of the banks involved). These accounts, which had my friend's social security number as the tax id on them, were used to write the bad checks.

The various stores found my friend by hiring dunning agencies, which, in turn, used private detectives to locate her. She had to take several days off from her job to go and personally visit the banks to prove that the accounts were not really opened by her, and also had to do a fair amount of letter writing to explain all this to the credit departments of the stores.

In one case, the store used one of the national check-verification-by-phone services to approve the bad check. This service has its "local" branch located about 45 minutes drive from our home, and has repeatedly told my friend that unless she makes a personal visit to them, they will not clear the record they hold on her, since her various notarized statements are, apparently, not sufficient.
She is, needless to say, having her lawyer look into the legality of this behavior.

In the meantime, her credit rating is, in part, impaired through a set of actions that were in no way her responsibility or fault. The incorrect info remains in a nationally-accessible database used by a fair number of check-verification firms, and she has no access to it, even to correct clearly untrue statements. (In my opinion, she may have grounds for a suit under the Fair Credit Protection Act, but I'm waiting to see what her lawyer says...)

Clearly, there is a problem with the way this database is being maintained, a problem which the existing law seems not to be correcting (unless, that is, the check-verification firm is merely flagrantly violating the law, believing that nobody will bother to prosecute them...). Any suggestions for improving the way databases are handled should, clearly, deal with such situations.

--Dave Axler

------------------------------

Date: 19 February 1984 08:59 EST
From: Robert Elton Maas
Subject: Notification of individuals re database entries
To: WMartin @ OFFICE-3

Credit-extending organizations (like department stores or bank card offices) should be required to include a summary of the info they have on file with the statement once a year -- thus this would be NO added mailing cost.

Unfortunately unless you receive your mail at a locked box and nobody else, even in your family, has access to that box, it's too easy for such mailing to go astray, especially since somebody wanting that info knows (could easily find out) when it'll be mass-mailed, and stage a sweep of all mailboxes in a geographic area. This is worse than sending 4-digit ATM passwords in the mail, which might get stolen, but which are sent at random times when a privacy-invader wouldn't know when to look for it and certainly couldn't conduct a sweep.
On the other hand, if the info is sent out only on request, it would complicate the system too much to send it in the same envelope as some monthly billing, so it would have to be sent under separate cover the way 4-digit ATM passwords are now, voiding your claim of no additional mailing cost.

------------------------------

Date: Thu, 16 Feb 84 10:53 EST
From: TMPLee@MIT-MULTICS.ARPA
Subject: WarGames & Backdoors
Cc: mrc@SU-SCORE.ARPA

Perhaps the allegation about backdoors was slanderous if it implied it to be a common phenomenon (I don't remember exactly what it said), but in fact they do exist and for the sort of purposes hypothesized in the movie. It turns out that all the computer security vulnerabilities used as plot devices in the movie WERE IN FACT BASED ON REAL-WORLD EVENTS. Admittedly there was a lot of artistic license, the human factors were unbelievable, and the AI stuff at the end horrible science fiction, but the security stuff wasn't all that bad for a popular portrayal.

I know of at least two incidents really involving backdoors or "time bombs"; one moderately serious, the other not. Don't ask me for details, however -- it is common courtesy NOT to discuss them in public.

Ted

------------------------------

Date: Thu 16 Feb 84 22:14:46-PST
From: Mark Crispin
Subject: Re: WarGames & Backdoors
To: TMPLee@MIT-MULTICS.ARPA

While "backdoors" or "time bombs" may exist, the implication of their being commonplace is grossly exaggerated. Some of these "real world events" may be totally blown out of proportion.

For example, how many of these "backdoors" turn out to be merely that a former employee's account was not deleted when that employee left? Just because that account wasn't deleted doesn't mean the ex-employee left a "backdoor".

An explanation both for a "backdoor" or a "time bomb" could be a legitimate design flaw which, after later reflection, the designer recognizes but is unable to repair.
The most absurd thing about "Wargames" was the suggestion that a "red" system would be accessible on the public telephone network. The US military isn't *that* foolish.

Reports on how "red" systems are secured are unclassified. If you want to know about "red" systems on Milnet, read BBN Report 1822, with special attention to the section on Private Line Interfaces. To be brief, "red" systems can only talk to other "red" systems; they cannot talk to "black" systems nor can "black" systems talk to "red" systems. Any Milnet site you can Telnet, FTP, or Mail to is "black", not "red".

------------------------------

Date: 18 February 1984 06:07 EST
From: Jerry E. Pournelle
Subject: "Wargames"
To: MRC @ SU-SCORE

uh -- truth is an absolute defense at libel and slander suits -- are you sure "back doors" aren't fairly traditional?

------------------------------

Date: 14-Feb-84 02:51 PST
From: William Daul Tymshare OAD Cupertino CA
Subject: Satellite Insurance
To: space@mit-mc
Cc: DIA.TYM@OFFICE-2, SGK.TYM@OFFICE-2, PAMV.TYM@OFFICE-2

From COMPUTERWORLD (Feb 13, 1984 p. 11)

Will mishap hike insurance rate?

NEW YORK -- The insurance industry is feeling repercussions from the failures to properly launch two $75 million communications satellites from the space shuttle Challenger this month.

The Westar VI communications satellite owned by Western Union Co. was insured for $105 million; Western Union had paid a premium of about $5.5 million for the policy. Alexander & Alexander Services, Inc., a New York brokerage company, was the underwriter for the policy, according to a Western Union spokesman.

...

------------------------------

End of HUMAN-NETS Digest
************************