echo: 10th_amd
to: all
from: Roy J. Tellason
date: 2003-04-20 20:02:48
subject: From Risks Digest 22.70

* Forwarded (from: netmail) by Roy J. Tellason using timEd 1.10.y2k.



Date: Sun, 20 Apr 2003 01:25:21 -0400
From: Monty Solomon 
Subject: Rules let marketers see patient data

In an emergency, the hospital can't tell anyone except family that you're a
patient.  But it's free to use intimate medical details to forward
marketing pitches to you from drug companies, insurers, and other
"business associates".  U.S. Representative Edward J. Markey, Massachusetts
Democrat, has filed a bill that would require patient consent.  ...  [Source: Diane
E. Lewis, subtitled Campaign afoot to give patients right to block release
of files, *The Boston Globe*, 19 Apr 2003; PGN-ed]
  http://www.boston.com/dailyglobe2/109/business/
  Rules_let_marketers_see_patient_data+.shtml

--

Date: Mon, 7 Apr 2003 19:51:11 -0400
From: "Kantrowitz, Mark" 
Subject: Airline boarding pass algorithm flaw

On a recent USAir flight, two people were both assigned to the seat in
front of me.  It turns out that they both had the exact same name.  One was
female and the other male, but their full names were spelled identically.

Both were issued boarding passes for the same seat.

This suggests that the algorithm the airline uses to issue boarding passes
is based on the flight number and passenger name, and not based on a unique
identifier such as ticket number or passenger id number.

Besides being a potential security risk, I would not be surprised if it
costs the airline some lost revenue.

  [Perhaps.  But it also might be thought of as saving a little in
  programming complexity and maintenance?  On the other hand, you would
  think there was a flag for "boarding pass already issued".  PGN]

Mark Kantrowitz PO Box 81620, Pittsburgh, PA 15217  1-412-422-6190
www.fastweb.com www.finaid.org www.edupass.org www.monster.com
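The collision Mark describes, written out as an added example (it is not code
from USAir, from RISKS or from the poster; the flight, names, seats and ticket
numbers are constructed). The first issuer keys the pass by (flight, name), the
design the post infers; the second keys it by ticket number and carries the
"boarding pass already issued" flag PGN asks about, plus a per-flight seat check
so a double booking surfaces at the counter rather than in the aisle.

```python
"""Boarding-pass lookup keyed by passenger name versus by ticket number.

Added illustration of the collision in the post above; not code from the
airline, from RISKS or from the poster. All records below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ticket:
    ticket_number: str  # unique per sale: the right primary key
    flight: str
    name: str           # human attribute, NOT unique
    seat: str


@dataclass
class NameKeyedIssuer:
    """Flawed design inferred in the post: passes stored and found by
    (flight, name). The second passenger with that name gets the first
    passenger's pass, and anyone who knows a name can be handed it."""
    passes: dict = field(default_factory=dict)  # (flight, name) -> seat

    def issue(self, t: Ticket) -> str:
        key = (t.flight, t.name)
        # setdefault keeps whatever was stored first, so the collision is silent
        return self.passes.setdefault(key, t.seat)

    def reprint(self, flight: str, name: str) -> str:
        return self.passes[(flight, name)]


@dataclass
class TicketKeyedIssuer:
    """Fix: key by ticket number, keep an 'already issued' flag, and
    refuse to hand out a seat that is already assigned on that flight."""
    issued: dict = field(default_factory=dict)   # ticket_number -> seat
    occupied: set = field(default_factory=set)   # (flight, seat)

    def issue(self, t: Ticket) -> str:
        if t.ticket_number in self.issued:
            raise ValueError(f"pass already issued for ticket {t.ticket_number}")
        if (t.flight, t.seat) in self.occupied:
            raise ValueError(f"seat {t.seat} on {t.flight} already assigned")
        self.issued[t.ticket_number] = t.seat
        self.occupied.add((t.flight, t.seat))
        return t.seat

    def reprint(self, ticket_number: str) -> str:
        # a reprint needs the ticket number, not a name, so a same-name
        # stranger cannot obtain someone else's pass
        return self.issued[ticket_number]


def run_demo() -> dict:
    """Two passengers with identical names on one flight. Returns the seat
    printed on each pass under both designs."""
    a = Ticket("0372123456789", "US1234", "JORDAN A SMITH", "14C")
    b = Ticket("0372123456790", "US1234", "JORDAN A SMITH", "22A")
    flawed, fixed = NameKeyedIssuer(), TicketKeyedIssuer()
    return {
        "flawed": (flawed.issue(a), flawed.issue(b)),  # ('14C', '14C')
        "fixed": (fixed.issue(a), fixed.issue(b)),     # ('14C', '22A')
    }


if __name__ == "__main__":
    print(run_demo())
```

The same defect class shows up whenever a record is located by a human-readable
attribute (name, e-mail display name) instead of the identifier the system
actually guarantees unique.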



So how many is ok? --RJT

Date: Thu, 17 Apr 2003 14:21:51 -0400
From: Monty Solomon 
Subject: NASCAR fan faces prison time for flooding Fox with angry e-mails

A NASCAR fan faces up to a year in prison for flooding Fox Entertainment
Group in Los Angeles with more than a half-million e-mails because he was
angry the network aired a Boston Red Sox game instead of an auto race in
early April and May 2001.  Michael Melo of Billerica agreed to plead guilty
to a federal misdemeanor charge of damage to a protected computer system.
(Fearing a cyberattack, Fox shut down part of its Web site, and claims it
cost them $36,000.)  [Source: Mark Pratt, Associated Press, 16 Apr 2003.
PGN-ed]
  http://www.boston.com/dailynews/106/region/
  NASCAR_fan_faces_prison_time_f:.shtml



Date: Fri, 18 Apr 2003 09:53:43 -0700
From: "NewsScan" 
Subject: Cyberstalking on the rise

Cyberstalking -- stalking people over the Net -- is increasing across the
U.S., according to a new study by Wired Safety. And while women remain the
most likely targets, they're getting into the act as perpetrators, too. In
addition, growing numbers of children are cyberstalking children. "We didn't
find much good news," said Wired Safety executive director Parry
Aftab. "Identity theft is increasing. And because more people are cyber
dating they become victims of cyberstalking when things don't work out."
Aftab expressed concern over a recent court ruling that compelled Verizon to
turn over the name of an ISP subscriber under the subpoena power of the
Digital Millennium Copyright Act. "This is an outrageous and dangerous
ruling. It was supposedly about music piracy, but the result of the case is
that anyone can obtain personal information about any Internet user by
simply filling out a one-page form and submitting it to a court clerk.
There is absolutely nothing you can do to protect yourself, even if you are
a police officer doing undercover work against s*xual predators. The future
safety and privacy of all Americans engaged in online communications now
rests with Verizon winning this case on appeal." [Asterisk inserted so that
NewsScan Daily doesn't get caught in the software filters meant to ward off
pornography.]  [Internet News 18 Apr 2003; NewsScan Daily, 18 Apr 2003]
http://dc.internet.com/news/article.php/2193131



Date: Wed, 16 Apr 2003 18:08:55 +0100
From: Markus Kuhn 
Subject: Re: POW Social Security numbers revealed (Cowan, RISK-22.69)

> SSN's are hopelessly easy to obtain

Well, there is a good opportunity to turn a bug into a feature:

The U.S. social security administration could simply make their entire
database of social security numbers and associated names and dates of
birth openly available to the general public for download, and of course
publicise this step prominently. As a result, the SSN would instantly
lose any usefulness whatsoever as an authenticator and become even more
harmless and fear-free than telephone numbers or ZIP+4 codes. Problem
solved. [I can literally hear a few thousand US RISKS readers breathing
in sharply at this idea as they feel cold shivers running down their
back, so deeply is the cultural fear of anyone else knowing a few digits
associated with you engraved in a nation's collective psyche ... ;-]

Such a step would of course require [listed in order of increasing difficulty]

(a) some warning time for organizations who currently use the SSN as part of
    an authentication procedure to give them time to adjust their practices,

(b) the introduction of a proper authentication mechanism as an alternative,

(c) a population that can mentally make that step and overcome deeply
    embedded phobias about the entire idea of other people being able to
    look up *YOUR* number, no matter how little (ab)usefulness knowledge of
    that number has in practice

> It is tempting to propose something prescriptive, specifying how 
> organizations should authenticate people. ...

Many countries have done that long ago. They run reasonably carefully
administered population registers and residents are entitled to get a
tamper-resistant copy of their entry of that register, to show it to other
people whenever establishing identity is desired in a transaction. These
tamper-resistant copies are usually called "ID cards", or, where
the form factor is a somewhat larger booklet with sufficient space for
travel visas, they are called "passports". In those few
(typically anglophone) countries where the term "ID card" causes
shivers running down the back of too many scared people for cultural
reasons, the same thing is now called "entitlement card" or
"driver's licence".

Passports and ID cards are widely considered the only accepted serious form
of authentication in continental Europe. At first sight, they seem to be
only useful for card-holder present transactions, e.g., where you physically
walk into a bank, school, administration, etc. However, that does not mean
that they are useless for using online services from home.  It is not too
difficult to build remotely usable proper authentication mechanisms on top
of ID cards. For example, on top of a well-run ID card infrastructure, it
becomes immediately feasible for the national postal service to offer
authenticated personal delivery. For a small additional fee, a package or
letter sent to you will only be handed over to you if you show up
personally in the nearest post office and authenticate yourself with your
ID card, which contains all the information that allows the postal office
clerk to verify that your biometrics belong to the person named as the
recipient of the letter. Once you have authenticated postal delivery,
companies can easily send all sorts of authentication tools to you, such as
lists of transaction numbers, floppy disks or chips with certified crypto
keys, etc.

Banks and delivery services might find it an attractive business
opportunity to offer similar authenticated delivery services. By using two
independent routes to deliver electronic authenticators to you (two shares
of a secret key arrive via postal authenticated delivery and via pickup
from your local bank branch), abuse of the system by malicious employees in
the delivery chain can be made unattractive enough for potential fraudsters
to look elsewhere for work.

Governments setting up the underlying ID infrastructure remains a
prerequisite for all these more convenient and safer forms of
authentication to become available.

(Why?  --RJT)

Markus Kuhn, University of Cambridge, GB  http://www.cl.cam.ac.uk/~mgk25/
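The two-route delivery Markus sketches, as an added example (not code from the
post or from any postal or banking system). The post does not say how the two
shares are formed; the XOR split here is an assumption, the standard 2-of-2
secret split, and the SHA-256 fingerprint the recipient checks after combining
is likewise an assumed detail, standing in for the check value a clerk could
print on the ID-card-verified delivery slip.

```python
"""Delivering a crypto key to a person over two independent routes.

Added example for the two-share delivery in the post above; not code from
the post or from any real delivery service. The XOR split and the
fingerprint check are assumptions; the sample key is constructed.
"""
import hashlib
import secrets


def split_key(key: bytes, rng=secrets.token_bytes) -> tuple[bytes, bytes]:
    """Return (s1, s2) with s1 XOR s2 == key.

    s1 is fresh uniform randomness, so each share on its own is independent
    of the key: the postal clerk sees s1, the bank clerk sees s2, and neither
    learns anything unless the two collude across organisations."""
    s1 = rng(len(key))
    s2 = bytes(k ^ r for k, r in zip(key, s1))
    return s1, s2


def combine(s1: bytes, s2: bytes) -> bytes:
    if len(s1) != len(s2):
        raise ValueError("shares differ in length")
    return bytes(a ^ b for a, b in zip(s1, s2))


def fingerprint(key: bytes) -> str:
    """Short check value assumed to travel on the ID-card-verified slip, so
    the recipient can tell a corrupted or swapped share from a genuine one."""
    return hashlib.sha256(key).hexdigest()[:16]


def combine_and_verify(s1: bytes, s2: bytes, expected_fp: str) -> bytes:
    key = combine(s1, s2)
    if fingerprint(key) != expected_fp:
        raise ValueError("share mismatch: combined key does not match fingerprint")
    return key


def counterpart_share(seen_share: bytes, guessed_key: bytes) -> bytes:
    """What an insider holding one share would need the *other* share to be
    for a guessed key. Every guess has a valid-looking counterpart, which is
    exactly why a single share tells the insider nothing."""
    return combine(seen_share, guessed_key)


def demo() -> bool:
    key = secrets.token_bytes(16)          # e.g. a fresh per-customer key
    postal_share, bank_share = split_key(key)
    fp = fingerprint(key)
    recovered = combine_and_verify(postal_share, bank_share, fp)
    return recovered == key


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The security argument rests on the two routes being genuinely independent: if
one organisation handles both shares, the split buys nothing, and the
fingerprint only detects tampering, it does not prevent an insider with both
shares from reading the key.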



Date: Wed, 16 Apr 2003 00:11:17 -0400 (EDT)
From: msb{at}vex.net (Mark Brader)
Subject: Re: Friendly Fire (Goodall, RISKS-22.69)

I'm reminded of the way that many people writing about the Titanic disaster
tend to assert that about 1,520 *passengers* were killed.  Actually it was
820 passengers and 700 crew, out of 1320 and 900 respectively, all this
in round numbers.  Note that the crew death rate was significantly higher.

--

Date: Mon, 14 Apr 2003 13:49:02 +0200
From: "Peter B. Ladkin" 
Subject: Correction on fratricide item (Ladkin, RISKS-22.68)

In my fratricide note in RISKS-22.68, I gave figures from FM 100-14 via
Chris Johnson that the fratricide figure for Desert Storm/Shield was 1%
according to FM 100-14. Well, FM 100-14 in fact says 5% for Desert
Storm/Shield fratricide (I found an on-line copy). All the other figures in
the table in my note are correctly transcribed from FM 100-14.

  [Annotated correction is being made in the official archives.  PGN]

In my new note, I give an on-line source for FM 100-14, and also quote a UK
National Audit Office report that says that US research has shown that
historically the figure lies around 10-15%, not the 1-5% that FM 100-14
says.

Peter B. Ladkin, Professor of Computer Networks and Distributed Systems,
Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany

--

Date: Tue, 1 Apr 2003 00:25:45 -0500 (EST)
From: Ed Ravin 

> You have no choice but to attempt to join a potentially busy road by going
> through a red light or ride on the pavement to a safe spot to rejoin
> traffic.

To clarify for our American readers, I believe what Ryan calls "riding on
the pavement" would be "driving on the sidewalk" in Americanese, or
"operating a motor vehicle on the pedestrian right-of-way" in
bureaucratese.



--- 
* Origin: TANSTAAFL BBS 717-838-8539 (1:270/615)
SEEN-BY: 633/267 270
@PATH: 270/615 150/220 379/1 106/1 2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
