[comp.risks] RISKS DIGEST 11.54

risks@CSL.SRI.COM (RISKS Forum) (04/25/91)

RISKS-LIST: RISKS-FORUM Digest  Thursday 25 April 1991  Volume 11 : Issue 54

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

  Contents:
"Alleged Cable Pirates Caught in Electronic Trap" (PGN)
Dutch nation portrayed as a bunch of network bashers (Ralph Moonen)
Re: "University Exec Backs Hacking" (Piet van Oostrum)
Re: response to rude behavior (Mike Nemeth)
Trespassing and common law (Phil Agre)
Free Speech and Government Control of Information (Larry Hunter)
Re: Responsibilities of Internet sites (Mike Godwin)
Re: Dutch hackers and KSC (Brinton Cooper, Ron Tencati)
Re: Letter to Senators on SB 266 (Theodore Ts'o)
Re: Trains collide in east London (Ian G Batten)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in 
 good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive 
 "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.  For
 vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 11, j always TWO digits).  Vol i
 summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
 <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
 If you cannot access "CRVAX.SRI.COM", try Internet address "128.18.10.1".
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues
 of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 25 Apr 91 9:09:06 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: "Alleged Cable Pirates Caught in Electronic Trap"

An article by George James probably from today's New York Times (I saw it
replayed in today's San Francisco Chronicle, p. A6) describes a successful
effort by American Cablevision of Queens (NY) to trap customers who had
illegally installed chips that let them pick up a variety of premium cable
channels for free.  After analysis of ONE of the bogus chips, American
Cablevision was able to construct a signal (an "electronic bullet") whose
transmission disabled just the bogus chips, leaving the legitimate access
control boxes unaffected.  They then simply waited to catch the 317 customers
who called in to complain that their screens had gone dark -- and who were
asked to bring in their boxes, which American Cablevision then kept.  "If
convicted, the subscribers could face fines of up to $100,000."

                      [Able Cable-Caper Sting-Thing Zaps Chips, Nabs Fabs.  
                      Potential Variety headline?  PGN]

------------------------------

Date: Thu, 25 Apr 91 09:59 MDT
From: rmoonen@hvlpa.att.com (Ralph 'Hairy' Moonen)
Subject: Dutch nation portrayed as a bunch of network bashers

As a citizen of the Netherlands, I must take offense at the remarks made
by several people that the Netherlands is a lawless and asocial country.

Bill Murray portrays Holland in this way in RISKS 11.53. While I agree with
him that the behaviour of the Dutch crackers isn't correct, you have to
understand that, unlike what America has shown in its Operation Sundevil, Holland
has a legislative system wherein someone is innocent until proven guilty. This
means that it is not the laws that fail in Holland (the crackers could easily
be busted for telephone-wire fraud) but that the burden of proof lies with the
Dutch State. As you can imagine, this is a delicate matter. How does one prove,
short of catching someone in the act, that Mr. A. was behind the keyboard at
that time, doing such-and-such?

Furthermore, I might add, that the media information has been incomplete, in
that the Dutch crackers used Utrecht to crack several universities in the
States, and _proceeded to crack other systems from there_. Following the line
of argument that Bill Murray used, these universities should also be barred
from the net, and yes, perhaps the whole of America should be.

The problem is not that one single country lacks powerful law enforcement
and acts as a rogue nation and hacker-haven. The problem is that as long as
people can get onto the net (students, 'authorised' personnel, outsiders, and
whatever), security will have to be a major issue. Not just the issue of one
single university like Utrecht, but of ALL sites on the Internet.  Because you
do realise that a smart cracker could get away with this just as easily in the
States as in Holland? So don't lay any guilt-trip on the Dutch, will you?

* Ralph Moonen, (+31) 35-871380		

------------------------------

Date: Thu, 25 Apr 91 17:03:58 met
From: Piet van Oostrum <piet@cs.ruu.nl>
Subject: Re: "University Exec Backs Hacking" (Dutch crackers, RISKS-11.50,51)

I don't think Mr. Rook knows much about computer networks. From what I know
about the incident (I haven't seen the TV program) this could have been done
from every site on the Internet that has a DECnet node. And I agree that it is
the responsibility of each site to prevent break-ins into their own computers.

Well, apparently he doesn't know that his own university does not condone any
attempt to break into other systems. Our (computer science) students know this
very well, and risk being excluded from computer access if they try.  Delft
University (not: the prestigious ..) had (or has) a course in computer security
(not in hacking), where one of the assignments of the students was to find
security weaknesses in computer systems.  Yes, we try to encourage exploration
but also responsibility and ethical behaviour.

Piet* van Oostrum, Dept of Computer Science, Utrecht University, Padualaan 14,
3508 TB Utrecht, The Netherlands.  +31 30 531806  uunet!mcsun!ruuinf!piet

------------------------------

Date: Thu, 25 Apr 91 01:26:27 MDT
From: mike@vort.cpsc.ucalgary.ca
Subject: Re: response to rude behavior

I too am part of this community, and I dismiss WHMurray's recent article
(comp.risks 11.53) as a blatantly obvious piece of fear-mongering.

Murray's attempt to isolate an entire nation from the free flow of information
would be scary if it weren't so wretchedly silly and patently self-serving.

>William Hugh Murray, Executive Consultant, Information System Security
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
And guess who'd love to take on the job of setting himself up as the Leader
of the DataPolice? Kids, be the first one on your block to have an Empire!
Follow in the steps of Hitler, Stalin, and Hoover. You too can have a full
and exciting career as a demagogue.

P.S.  Who said: "Those who give up a little freedom for a little security
           will soon have neither freedom nor security."  ?
 
Mike Nemeth     VORT Computing     (403) 261-5015     ...calgary!vort!mike

------------------------------

Date: Thu, 25 Apr 91 11:56:09 +0100
From: Phil Agre <phila@cogs.sussex.ac.uk>
Subject: trespassing and common law

Steve Bellovin (RISKS-11.52) points out that the US only requires a landowner
to put up a "no trespassing" sign to make trespassing illegal.  A complementary
point to make is that both English and American common law give me the
permanent right to walk across your property if I have been doing so regularly
with your knowledge for some substantial amount of time.  If the trespassing
analogy is to apply to computer cracking, then this flip-side would seem to
apply as well.
                              Phil Agre, University of Sussex

------------------------------

Date: Tue, 23 Apr 91 14:23:36 EDT
From: hunter@nlm.nih.gov (Larry Hunter)
Subject: Free Speech and Government Control of Information

In RISKS 11.51 Jerry Leichter claims that "in an information age we will find
it necessary to control access to and dissemination of certain classes of
information.  In fact, we already do this."  He proceeds to argue that
defending encryption on free speech grounds is misguided.  He is wrong both
about the current state of government control of information and about what is
desirable policy.  The first amendment quite explicitly prohibits government
controls of expression (i.e.  communication of information) with very few
exceptions, and I suggest that the current governmental attacks on this most
basic right are pernicious and must be fought.

Leichter's examples from crime and commerce are deceptive.  One's first
amendment rights of free speech do not exempt all expressive acts from
prosecution.  There is a large body of law that addresses the issue of when
expression becomes action.  Some examples include conspiracies, slander,
copyright violations, and reckless endangerment (e.g. yelling "fire" in a
crowded theater).  What is prohibited is prosecution for _mere_ expression,
even if individuals, organizations or the government would rather keep the
information secret.  As long as I am not conspiring to commit fraud or some
other crime, I can publish your credit card number, or your Swiss bank account
number, or your income, etc. in a magazine article without fear of government
prosecution.  And I believe that ability to express things that make some
people uncomfortable is a vital part of basic American liberty.

Leichter's second example involves restrictions on a company selling credit or
other private records.  Commercial speech is regulated very differently than
individual speech.  For example, commercial advertising must not be false or
deceptive (well, at least in law), and there are specific legal limits on the
disclosures that credit bureaus, common carriers, doctors, lawyers, etc. can
make under most circumstances.  Commercial entities do not have the same free
speech rights that individuals do.

Finally, Leichter points out the National Security exception to freedom of
expression, which, as he notes, is both pervasive, and, in the case of "born
classified" information, constitutionally suspect.

Leichter concludes by recommending a couple of science fiction stories about
social control of information.  Interesting as those stories are, let me
suggest that you also read Thomas Emerson's "The System of Freedom of
Expression."

Any abridgement of a constitutional right must either balance a competing right
or serve some compelling state interest.  What compelling state interest could
be sufficient to infringe on our rights to free expression and privacy by
effectively prohibiting effective encryption?  Surely the routine prosecutorial
needs of the state can be met without recourse to such invasive,
undiscriminating measures.  Terrorism may be a threat, but not such a
compelling one that we as a society ought to sacrifice one of our most basic
constitutional rights in order to _possibly_ reduce the chance of a _potential_
attack.

Technology can be used either to enhance or degrade the status of rights such
as freedom of expression and privacy.  Inexpensive, effective encryption is a
basic enabling technology that empowers individuals in an increasingly
technologically invasive society.  I believe it should be defended against
government attack in the strongest possible terms.

Lawrence Hunter, National Library of Medicine

[Please note that I am neither a lawyer nor am I speaking as a representative
of the government.]

------------------------------

Date: Wed, 24 Apr 91 10:29:47 EDT
From: mnemonic@eff.org (Mike Godwin)
Subject: Re: Responsibilities of Internet sites (Pereira, RISKS-11.52)

>1) I know of no area of human activity in which wilfull intrusion or condoning
>intrusion are seen as no more condemnable as failure to protect one's domain
>from intrusion to the best of one's ability.

In tort law, the law of trespass is balanced by the law concerning the
negligence of those who maintain attractive nuisances.

The issue is not whether computer trespass is wrong, but whether it is just to
punish the trespassers without imposing any liability upon those who failed to
meet minimum standards of computer security.

It is a fact that every generation faces the challenge of overcoming a wave of
barbarians--its own children. Is it wise social policy to send young men to
prison for doing the kinds of things that not-yet-fully-socialized young men
invariably do while imposing no social responsibility upon those charged with
maintaining system security? That is a question that has not been fully
debated.

It will never be fully discussed so long as too many people suppose that the
wrongness of trespass decides all the legal and ethical questions raised by
computer intrusion. It does not.
                                               --Mike

Mike Godwin, EFF, Cambridge, MA,  mnemonic@eff.org, (617) 864-0665   

------------------------------

Date:     Wed, 24 Apr 91 20:31:24 EDT
From: Brinton Cooper <abc@BRL.MIL>
Subject:  [oneel: re: Dutch hackers and KSC [Kennedy Space Center]]

Brice O'Neel writes

> I don't believe that KSC is on the internet. 

Try 128.217.11.25 (nasa2.ksc.nasa.gov).  More are vulnerable than you
dreamed of.  I never dreamed, for example, that OSHA is on the Internet
(not that it matters, mind you).
                                            _Brint

          [KSC's presence on the Internet was also noted by Ari Ollikainen
          (ari@OldAhwahnee.Stanford.Edu), as reported somewhat red-facedly
          by oneel@heawk1 ( Bruce Oneel ).  PGN]

------------------------------

Date:    Tue, 23 Apr 1991 19:32:46 EDT
From: TENCATI@NSSDCB.GSFC.NASA.GOV (NSI Security Manager (301)286-5223)
Subject: Re: Dutch hackers and KSC

I have received NO incident reports indicating that any KSC systems were
hacked, or involved in any hacking incidents relating to the Dutch hacker case.

Ron Tencati, Security Manager, NASA Science Internet (NSI)
Coordinator, NSI-CERT, STX/Code 930.4/Goddard Space Flight Center/Greenbelt,MD

------------------------------

Date: Tue, 23 Apr 91 02:09:55 EDT
From: Theodore Ts'o <tytso@ATHENA.MIT.EDU>
Subject: Re: Letter to Senators on SB 266 (Engler, RISKS-11.51)

As previous posters have noted when the Lotus Marketplace controversy was
taking place, sending form letters to your representatives is not terribly
productive; the Senators' or Representatives' staff are fairly good about
detecting (and disregarding) form letters.  If, however, you write your own
letter and send it off, it will be given much more weight, since presumably it
mattered enough to you to write your own letter.  I do urge everyone to write
his/her own letter and send it off to Biden as well as your own Senators and
Representatives.  If we raise enough fuss, hopefully the bill will be allowed
to die while it's still in committee.
						- Ted

------------------------------

Date: Thu, 25 Apr 91 08:37:36 BST
From: Ian G Batten <I.G.Batten@fulcrum.bt.co.uk>
Subject: Re: Trains collide in east London (RISKS-11.52)

With respect to the London Docklands Light Railway incident, the report in
RISKS-11.52 ("Computer-controlled commuter trains collide...")  misses one
vital point.  The train that was hit was under manual control, following an
earlier failure.
                                                     ian

------------------------------

End of RISKS-FORUM Digest 11.54
************************