Subject: RISKS DIGEST 16.68 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Tuesday 27 December 1994 Volume 16 : Issue 68 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** HAPPY NEW YEAR! ***** SLIGHT TYPO FIXED IN THIS VERSION. ***** ***** NOTE, THE SRI RISKS ARCHIVE SOURCE has moved to unix.sri.com. ***** ***** See last item for further information, disclaimers, etc. ***** Contents: Washington Post flubs stock prices (William C. Fenner) Sorcerer's Apprentice Hits Medicare (Mich Kabay) $25m power bungle: Automation at Australian electricity plant (Tom Worthington) Buy a country for $1200 (Amos Shapir) Re: Mary Payne and "Good to the Last Bit" (Jim Haynes) Rate Hike For Universal TouchTone? (Leonard Erickson) Re: Year 2000 date problems already happening now (Scot E. Wilcoxon) Re: American Scientist article on the year 2000 (Brian Hayes) RISKS of guessing at Fair Use (Mich Kabay) [long] Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. ---------------------------------------------------------------------- Date: Tue, 27 Dec 1994 09:01:22 -0500 From: "William C. Fenner" Subject: Washington Post flubs stock prices The Washington Post printed a full page of old stock prices one day last week in their business section. According to their explanation, the data is normally stored in a file named "ap stox 2". In preparing the erroneous page, a user saw "ap stox2" (i.e. no space) "elsewhere in the machine" and used it instead. The article also says that "Steps have been taken to prevent a recurrence". I wonder what kind of steps? Educating users? Probably the most useful thing to do would be to have the date in the filename, so an old file could not be mistaken for current data. Bill Fenner fenner@cmf.nrl.navy.mil ------------------------------ Date: 26 Dec 94 16:37:59 EST From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Subject: Sorcerer's Apprentice Hits Medicare The Associated Press newswire for 94.12.26 @ 02:43 EST (via CompuServe's Executive News Service) reports a case of failed identification and authentication: Sting Backfires. MIAMI (AP) -- FBI agents thought they were setting a trap by buying copies of 35 Medicare cards and selling them to a suspected fraud operation. But now the cards are being used to buy expensive leg braces and other medical equipment -- and the FBI can't track them. "The FBI lost control of the cards. Now they have a monster on their hands," a government investigator familiar with the case told The Miami Herald for a story in Sunday's issues. According to the story, Medicare spokesperson "Faye Baggiano, associate administrator of the Health Care Financing Administration in Washington," admits that they have used the social insurance number as the Medicare identifier; therefore "Medicare says it can't cancel the copied cards, which have been circulating for 16 months, because that would wipe out legitimate federal benefits to the people whose names are on those cards." Normally, Medicare "provides phony numbers that can be canceled; it is unclear why the FBI used real numbers. An analysis of just 10 of the 35 stolen cards shows "a total of $163,745 for services that the real card holders say they never got or tried to get." <> M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn. ------------------------------ Date: Tue, 27 Dec 1994 12:13:02 GMT From: tomw@ccadfa.cc.adfa.oz.au (Tom Worthington) Subject: $25m power bungle: Automation at Australian electricity plant The attached is from the headline story Tuesday 27 December of the Courier-Mail newspaper (ph: +61 7 2526011, fax: +61 7 2526696) in the state of Queensland, Australia. I thought it may be of interest to readers of "Risks" as it covers a number of themes discussed before: $25m power bungle - Report slams hi-tech move Exclusive by Ed Southorn A $25 million project to turn one of the state's power stations into an automated plant created an unsafe workplace requiring twice the number of engineers to run, a confidential report reveals. The new automatic control systems also caused more than $1.5 million damage to machinery at the Swanbank station near Ipswich. ...The audit found the Swanbank automatic control system had failed to protect the plant from damage. The system had been unable to prevent a "trip" (temporary shutdown) cutting oil flow to a turbine. This had resulted in a bent shaft leaving the turbine with reduced generating capacity. ...The automatic alarm system which tells operators how the plant is functioning was not properly operating almost two years after it was installed. ...The report found lack of adequate testing before commissioning and "waving of proper commissioning and acceptance testing procedures" and "a single-minded drive to meet target dates." [Posted by Tom Worthington, Director of the Community Affairs Board, Australian Computer Soc. Inc. tomw@adfa.oz.au http://www.peg.apc.org/~tomw ------------------------------ Date: 25 Dec 1994 17:21:07 +0200 From: amos@cs.huji.ac.il (Amos Shapir) Subject: Buy a country for $1200 Police in Israel have started an investigation last week to determine how the entire population registry of the country has ended up being offered for sale by a private company, on a CD ROM disk for $1200. Political parties are entitled to get the voters registry (which includes people's names, addresses, birth dates and ID number) from the Ministry of the Interior. The latest elections in 1992 were the first time this information was disseminated on a CD ROM and not just printouts; these disks should have been returned to the Ministry after the elections, and were coded and numbered, but it's not clear from newspaper reports here how this coding was done, and how this was supposed to prevent the parties or their employees from keeping their own copies. In addition to the registry (which is actually public information, though not freely available) the government-owned phone company sells a disk containing all phone books, and the government's companies registry is also available (I'm not sure if it is sold legally). All this information enabled a TV reporter to demonstrate getting the list of all companies privately directed by the minister of Finance (including the names of all other directors), or the private address and phone number of the chief of the Mossad and all of his neighbors (which were shown on screen, though with illegible resolution). Israel is a small country, but it's only a matter of time and computing power before this kind of personal information processing is available everywhere. Amos Shapir, The Hebrew Univ. of Jerusalem, Dept. of Comp. Science, Givat-Ram, Jerusalem 91904, Israel +972 2 585706,586950 amos@cs.huji.ac.il ------------------------------ Date: Fri, 23 Dec 1994 17:31:13 -0800 From: haynes@cats.ucsc.edu (Jim Haynes) Subject: Re: Mary Payne and "Good to the Last Bit" Perhaps it didn't happen on Mary Payne's watch; but I do recall there was a problem with floating point in early VAX-11/780 machines. Believe it required a microcode change, and a board swap for machines equipped with a floating point accelerator. Then there was the early production G.E. 635 floating point problem which resulted from truncating, rather than rounding, a 2's complement number, giving a negative bias to the results. Supposedly (urban legend alert!) this was recognized as important when a tape calculated on one of the machines was used to operate a numerically-controlled cutting torch. The torch was supposed to cut a circular plate out of a thick piece of steel. The actual cut had a jog in it, resembling (coincidentally, I'm sure) the "Intel Inside" logo. Then there was the floating point problem early in the life of the IBM 360 series. As I recall this was not so much an error as a surprisingly sudden loss of significance resulting from the base-16 fractions, such that a shift for exponent alignment shifted four bits at a time. And I recall some allegation about an early CDC machine (1604? 3600?) in which fixed point -1 x -1 = -1. ------------------------------ Date: Sun, 25 Dec 1994 07:34:20 -0800 From: Leonard.Erickson@f51.n105.z1.fidonet.org (Leonard Erickson) Subject: Rate Hike For Universal TouchTone? (nonincluded message, Pelletier) > Is this just a ploy to line their pockets from their captive market? No. Take another look at the figures you quoted. It costs *more* to support pulse dialing. They can't go 100% touchtone until all their subscribers quit using old gear. So they have to keep the "pulse counters" around (and maintained) until then. Therefore, if you want pulse dialing, they are going to charge you $2 extra each month. This is the most *sensible* thing I've seen a phone co. do in a long time. It encourages folks to quit using pulse/rotary phones. And it gives them hard figures on how many folks still can't use touchtone. ------------------------------ Date: Sat, 24 Dec 94 16:26 CST From: sewilco@fieldday.mn.org (Scot E. Wilcoxon) Subject: Re: Year 2000 date problems already happening now (Elana, RISKS-16.67) A local newspaper in Minneapolis recently ran a short article about the year 2000 problems, and pointed out that in 1995 any five-year planning programs are at risk. Scot E. Wilcoxon sewilco@fieldday.mn.org +1 612 936 0118 ------------------------------ Date: Sat, 24 Dec 1994 13:12:38 -0400 From: bhayes@mercury.interpath.net (Brian Hayes) Subject: American Scientist article (PGN, RISKS-16.67) [With regard to Brian's "Computing Science" column in the Jan-Feb 1994 issue of _American Scientist_ (Vol. 83, No. 1, pp. 12-15), , which PGN noted in RISKS-16.67, Brian has made the following offer:] For net denizens who don't read ink on paper, I can supply a plain-ASCII version of the article's text by E-mail. Send me a request at bhayes@mercury.interpath.net. [The column is based largely on material that has appeared in the RISKS Forum over the years. (Thanks, folks!) BH] ------------------------------ Date: 26 Dec 94 22:15:12 EST From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Subject: RISKS of guessing at Fair Use In an article by Andrew Lawler in _Science_ magazine (94.11.25; 266:1315) entitled "Court says no to copying articles," we read of a recent case which may affect anyone who collects news, newspaper, magazine and journal articles: Thinking of photocopying an article from your favorite journal? Think again. Last month [in October 94] a three-member federal appeals court in New York ruled that a Texaco Corp. scientist violated copyright laws by making one copy each of eight articles in a scientific journal and placing them in his files. The 2-1 ruling dramatizes the uncertainty over what constitutes fair use of copyrighted material, say lawyers familiar with the case, adding that the ruling should prompt companies and universities to review their policies toward copying. According to the author, the suit was launched by the American Geophysical Union (AGU) and more than 80 other plaintiffs. They accused Texaco of "copying and distributing hundreds of scientific articles to hundreds of researchers" and picked a sample case for the civil suit. The court ruled that because the scientist in the sample case (David Chickering, who copied the eight articles from the journal _Catalysis_) filed the papers away in his library rather than use them immediately, he was in violation of the fair use laws governing copyrighted materials. The dissenting judge wrote that because the defendant used the copied materials for research only, that use fell under existing fair use doctrine. "Jon Baumgarten of Proskauer. Rpse. Gpetz & Mendelsohn in Washington," one of the lawyers for the plaintiffs, said that it's not true that "all educational use is fair use." He advised academic researchers to "Consult with your university counsel before making copies." <== -------------------------- US COPYRIGHT OFFICE CIRCULAR ON FAIR USE (1993) One of the rights accorded to the owner of copyright is the right to reproduce or to authorize others to reproduce the work in copies or phonorecords. This right is subject to certain limitations found in sections 107 through 120 of the copyright act (title 17, U.S. Code). One of the more important limitations is the doctrine of "fair use." Although fair use was not mentioned in the previous copyright law, the doctrine has developed through a substantial number of court decisions over the years. This doctrine has been codified in section 107 of the copyright law. Section 107 contains a list of the various purposes for which the reproduction of a particular work may be considered "fair," such as criticism, comment, news reporting, teaching, scholarship, and research. Section 107 also sets out four factors to be considered in determining whether or not a particular use is fair: (1) the purpose and character of the use, including whether such use is of commercial nature or is for nonprofit educational purposes; (2) the nature of the copyrighted work; (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and (4) the effect of the use upon the potential market for or value of the copyrighted work. The distinction between "fair use" and infringement may be unclear and not easily defined. There is no specific number of words, lines, or notes that may safely be taken without permission. Acknowledging the source of the copyrighted material does not substitute for obtaining permission. The 1961 _Report of the Register of Copyrights on the General Revision of the U.S. Copyright Law_ cites examples of activities that courts have regarded as fair use: "quotation of excerpts in a review or criticism for purposes of illustration or comment; quotation of short passages in a scholarly or technical work, for illustration or clarification of the author's observations; use in a parody of some of the content of the work parodied; summary of an address or article, with brief quotations, in a news report; reproduction by a library of a portion of a work to replace part of a damaged copy; reproduction by a teacher or student of a small part of a work to illustrate a lesson; reproduction of a work in legislative or judicial proceedings or reports; incidental and fortuitous reproduction, in a newsreel or broadcast, of a work located in the scene of an event being reported." Copyright protects the particular way an author has expressed himself; it does not extend to any ideas, systems, or factual information conveyed in the work. The safest course is always to get permission from the copyright owner before using copyrighted material. The Copyright Office cannot give this permission. When it is impracticable to obtain permission, use of copyrighted material should be avoided unless the doctrine of "fair use" would clearly apply to the situation. The Copyright Office can neither determine if a certain use may be considered "fair" nor advise on possible copyright violations. If there is any doubt, it is advisable to consult an attorney. ***Last update 6/10/93 (raa)*** -------------------- %<>== -------------------------- Another useful document is the following: (DRAFT VERSION) COPYRIGHT LAW AND MULTIMEDIA DEVELOPMENT IN EDUCATION Section 106 of the Copyrights Act (P.L. 94-553) describes the exclusive rights of copyright owners. "[T]he owner of copyright...has the exclusive rights to do and to authorize any of the following: 1. To reproduce the copyrighted work in copies or phonorecords; 2. To prepare derivative works based upon the copyrighted work; 3. To distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer of ownership, or by rental, lease, or lending; 4. In the case of literary, musical, dramatic, and choreographic works, pantomimes, and motion pictures and other audiovisual works, to perform the copyrighted work publicly; and 5. In the case of literary, musical, dramatic, and choreographic works, pantomimes, and pictorial, graphic, or sculptural works, including the individual images of a motion picture or other audiovisual work, to display the copyrighted work publicly." The fair use provision of the Copyrights Act is found in Section 107 which is reproduced below. "Notwithstanding the provisions of section 106, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use the factors to be considered shall include-- 1. the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes; 2. the nature of the copyrighted work; 3. the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and 4. the effect of the use upon the potential market for or value of the copyrighted work." The legislative history which speaks to the fair use provision acknowledges: "The judicial doctrine of fair use, one of the most important and well established limitations on the exclusive right of copyright owners, would be given express statutory recognition for the first time in section 107. The claim that a defendant's acts constituted a fair use rather than an infringement has been raised as a defense in innumerable copyright actions over the years, and there is ample case law recognizing the existence of the doctrine and applying it." It should be noted that at this point, the legislative history reiterates the four points listed above from section 107. Fair use must meet all four criteria to be a protected activity. "Although the courts have considered and ruled upon the fair use doctrine over and over again, no real definition of the concept has ever emerged. Indeed, since the doctrine is an equitable rule of reason, no generally applicable definition is possible, and each case raising the question must be decided on its own facts. On the other hand, the courts have evolved a set of criteria which, though in no case definitive or determinative, provide some gauge for balancing the equities. These criteria have been stated in various ways, but essentially they can all be reduced to the four standards which have been adopted in section 107...." There are no definitive standards or guidelines governing the use of copyrighted materials in the preparation of multimedia courseware for instruction, or classroom presentations utilizing multimedia. However, while developing these products, faculty should be governed by the same criteria which are prescribed for the use of copyrighted print materials. In essence, the use of copyrighted print materials is governed by three criteria: Spontaneity: The "fair use" of copyrighted materials in an educational setting should be at the "instance and inspiration of the individual teacher...." Further, the "inspiration and decision to use the work and the moment of its use for maximum teaching effectiveness" must be so close together in time "that it would be unreasonable to expect a timely reply to a request for permission." In other words, the decision to use the material must be the instructor's and not dictated by management or administration and it must be a spontaneous decision. Brevity: With regard to print media, the guidelines are specific even to the point of specifying the maximum length of an excerpt from poetry or prose. Though these limits do not apply to non-print media, they clearly indicate that the intent is for a small portion of the original to be copied under fair use, and not a substantial portion of the work. Cumulative Effect: "...copying of...material is for only one course in the school in which the copies are made." The guidelines for copying of print media, states "[n]ot more than one short poem, article, story, essay or two excepts from the same author, nor more than three from the same collective work or periodical volume during one class term" is permitted. Even though the media may be different, faculty can best avoid copyright infringement by following the spirit of these guidelines when dealing with other forms of media in a multimedia presentation. For instance, using 8 minutes from a 10 minute video tape (in a multimedia presentation) would appear to violate the fair use guidelines by diminishing the "potential market" and value of the copyrighted work. Instructors should be aware that when relying on the fair use provision, the use of copyrighted materials must meet all three tests (spontaneity, brevity, and cumulative effect). Instructors are encouraged to procure copyright releases for materials which they anticipate using for longer than one term. Finally, the guidelines (developed by the Ad Hoc Committee on Copyright Revision, the Author-Publisher Group, and the Association of American Publishers) also indicate that 1. "Copying shall not be used to create or to replace or substitute for anthologies, compilations, or collective works..." 2. Copying is not allowed from consumable works such as "workbooks, exercises, standardized tests and test booklets and answer sheets...." 3. "Copying shall not substitute for the purchase of books, publisher's reprints or periodicals...(and shall not) be repeated with respect to the same item by the same teacher from term to term." It should be noted that clip art, clip video, and clip audio are marketed and available for use in developing multimedia materials. These forms of "clip media" are licensed to the purchaser (individual, school, or faculty member) for use in multimedia presentations. In many cases, clip media can be used to substitute in a presentation for copyrighted materials that might violate the fair use provision. Assembled by the Academic Computing Technologies Group, Johnson County Community College, Overland Park, KS 66210. -------------------- %<>== -------------------------- Given the nature of the RISKS FORUM and NCSA FORUM membership, I think these issues warrant further clarification. I invite legal counsel with expertise in the field to comment.>> Mich M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn ------------------------------ Date: 22 December 1994 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not yet automated). SUBJECT: SUBSCRIBE or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to which RISKS is sent] CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. All other reuses of RISKS material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using RISKS material should obtain permission from the contributors. CURRENT ARCHIVES: "ftp unix.sri.comlogin anonymousYourName cd risks or cwd risks, depending on your particular FTP. Issue J of volume 16 is in that directory: "get risks-16.J". For issues of earlier volumes, "get I/risks-I.J" (where I=1 to 15, J always TWO digits) for Vol I Issue j. Vol I summaries in J=00, in both main directory and I subdirectory; "bye" I and J are dummy variables here. REMEMBER, Unix is case sensitive; file names are lower-case only. =CarriageReturn; UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories. Risks can also be read on the web at URL http://catless.ncl.ac.uk/Risks Individual issues can be accessed using a URL of the form http://catless.ncl.ac.uk/Risks/VL.IS.html (Please report any format errors to Lindsay.Marshall@newcastle.ac.uk) FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM . ------------------------------ End of RISKS-FORUM Digest 16.68 ************************