risks@CSL.SRI.COM (RISKS Forum) (01/26/91)
RISKS-LIST: RISKS-FORUM Digest  Friday 25 January 1991  Volume 10 : Issue 80
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
7th Chaos Computer Congress, Hamburg, 27-29 Dec 1990 (Klaus Brunnstein)
San Francisco taxes its computer people rather than its property owners (PGN)
Not risk versus convenience, but risks of conveniences (Jack Campin) [Loo-Hoo!]
Re: Computer program gives police a bum rap (Mark Hull-Richter)
Re: Lotus Marketplace (Richard A. Schumacher)
MasterCard policy opens door to crooks (Steve Pozgaj, anonymous)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM.
FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j<CR> (where i=1 to 10, j is always TWO digits. Vol i summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye" logs out.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: 24 Jan 91 14:19 GMT+0100
From: Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.dbp.de>
Subject: 7th Chaos Computer Congress, Hamburg, 27-29 Dec 1990

In its 7th year, the annual conference of the Chaos Computer Club was held in Hamburg (Germany) in the last week of December. A broad spectrum of themes was offered, dominated by networking, but also covering legal aspects, ecological computing, freedom of information, female computer handling, psychology of hackers and others.

Among the more than 300 participants, only a few people from European countries (Netherlands, Italy) and the USA participated. The Congress newspaper (covering reports about most sessions, available as *.DOC or *.TXT files, see below) is only in German. Though the printed (DTP-ed) version of it looks more professional, some essential discussions (e.g. female computer handling, computer viruses, the new German Information Security Agency, GISA) are missing; quality and readability of articles are rather mixed. As there were only few spectacular themes (phreaking, copying bank cards), public interest and coverage in the news media, as compared to CCC'89 (the year when the KGB hack was published), was moderate.

Among the spectacular themes, a group, HACK-TIC from the Netherlands, demonstrated a machine (about 1,500$) to copy credit and Eurocheque cards (EC); according to Wau Holland (co-founder of CCC), this was arranged "to demonstrate the insecurity of these plastique cards". While the speaker of Hamburg's savings bank (HASPA, which was the victim of CCC's famous "Btx/HASPA-attack") said that this is impossible, a journalist of BILD (a German boulevard newspaper) received a printout of his account with a copy of his card, but when trying to order money from a teller machine, his card was collected.

The most spectacular event was a workshop on (phone) "Phreaking". Experiences and methods how "to call as far as possible with as many phreaks as possible at lowest possible price" were described in some detail (few of which were written). Tricks with German PTT's 130-number (and connection to US 700/800 numbers) as well as with the (PTT-internal) test number 1177 to establish low-cost (at least for the phreaks) teleconferences and voice mailboxes were discussed. It is surprising to hear from a US phreak that the old tricks (2,600 MHz, red boxes to simulate the coins' click) even work today; some new experiences, esp. tricks with Calling Cards (due to missing expiration date on some cards or delayed update of MCI databank), were added to "help fight the excessive telephone costs". Dutch phreaks informed about "use" of 008-numbers; a hotel reservation service at a large airport does not check the validity of credit cards (file: PHREAK.DOC). The workshop was not concerned with legal aspects of Phreaking.

Several sessions were devoted to networking. Chaos Computer Club runs a network ("Zerberus") with gateways to international networks and a growing number of regional mailbox systems. Despite mixed (or even bad) experiences with new mailbox systems and gateways (the gateway group emailed invitations to this workshop; 50% of the invitations came back, essentially with "error-mail"; file NETWCHAoS.DOC), several sessions were devoted to introductions to networking (file WSI-NET.DOC covering a detailed INTERNET survey; several files on GATOR, a GATEway ORientation guide to regional and international communication and gateways). A special report was devoted to communication of graphic and sound data, where special standards, command languages and software are under development (file SCF.DOC). Special discussions were devoted to applications of mailboxes for ecological purposes (file UMWE-DFU.DOC) and as infrastructure for publications (file Med-DFU.DOC), as well as to aspects of (German) publication laws (file PRESRECH.DOC).

One session was devoted to CCC's idea to aid the former GDR (now "5 new federal countries") in establishing a citizen computer network "DDRNET". Despite significant aid by computer dealers (who spontaneously donated PCs, software and modems in significant numbers) and despite the interest of local groups and parties (New Forum, essential force in the East-German revolution), tax and organisation problems finally stopped the project when German reunification happened. The document (file: DDRNET.DOC) gives a lively example of good ideas and plans being killed by hostile bureaucracy.

Following earlier CCC discussions on sociological aspects of hacking, a student (Tommy) described his examination thesis (diplom work) relating Psychology and Computing (file PSYCHO.DOC, thesis in compacted form: PSYCH.LZH in 109kBytes). According to Tommy, hackers exhibit their self-consciousness as an elite by their techno-speak. "Ordinary" people of the same age with no understanding of computing are rather suspicious about hackers, even more as computers appear as threats to their civil rights and working places. In such controversies, hackers seem to flee reality, mostly unconsciously, and they live in simulated worlds such as Cyberspace ("not as dangerous as other drugs"). Anonymous or technically depersonalized communication (e.g. mailboxes) lowers the threshold of moral scruples, resulting in communication garbage and flames. Btw: as in previous years, a special workshop on Cyberspace demonstrated EEG-coupled graphical devices and software (file: CYBER.DOC); the sub-culture (as initiated by Gibson's book "Neuromancer") developing around this techno-drug has its first European magazines (Decoder, Cyberpunk).

A special discussion developed on computer "viruses". Two speakers working with Ralph Burger (author of the "Big Book of Computer Viruses", also publishing virus code in German, English and Russian) described his work to classify new viruses and to establish a databank of virus code. In their classification, the group starts with a specific model of virus mechanisms including self-encryption; this model is in some contradiction with other classifications (e.g. as a virus in their model must always have an effect, parent viruses like DONOTHING having no effect would not be a virus while their descendants are), and stealth mechanisms other than encryption are not foreseen. The speakers argued that information on virus details should be easily accessible to all relevant parties.

A controversial discussion arose when the author of this report informed about the establishment of CARO (=Computer Antivirus Research Organisation, cofounded by V.Bontchev/Sofia, Ch.Fischer/Karlsruhe, F.Skulason/Reykjavik, A.Solomon/UK, M.Swimmer/Hamburg, M.Weiner/Vienna and the author) to establish a database with virus specimens and procedures to quickly analyse new viruses and distribute the disassemblies for verification and antivirus development. As the number of viruses grows significantly (more than 400 MsDos viruses known, plus new developments visible in the Soviet Union, Hungary etc.) with advanced stealth methods and more sophisticated damage, restrictions in the access to such virus specimens based on concepts of "trusted persons" and "need to know" are presently discussed (also controversially). In contrast to such concepts, CCC'90 participants and the speakers expressed their view that such virus specimens should be accessible to any interested party.

Summary: apart from the session on phone phreaking, Chaos Computer Club visibly demonstrated its distance to criminal activities which dominated the last conferences (e.g. KGB hack). In discussing themes of technical and related interests, they return to the list of items which were described in their foundation document (file THESEN.TXT, October 1981). Themes related to civil rights (e.g. "Freedom of Information") are visibly of more interest than classical hacking techniques. As CCC did not discuss any consequences of the KGB case (after the trial in March 1990) for its members or related persons, CCC omitted the opportunity to prepare for its role in future hacks in its environment. While their annual conference was less chaotically organised than last year, its structure and future developments remain as the name indicates: chaotic and computer-minded, yet with a sense for new ideas and applications.
------------------------------

Date: Thu, 24 Jan 1991 12:02:03 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: San Francisco taxes its computer people rather than its property owners

Last year, as many as 8700 San Francisco property owners did not receive their annual tax bill (normally arriving by 1 November). A "computer glitch" in the tax collector's office was blamed for not sending bills to owners in the "default" category (as a result of having missed or been late on a previous payment). [Source: San Francisco Chronicle, 14 Dec 1990. I finally got around to entering this item, even though it is now old-hat. However, I haven't seen anything further about the problem being fixed, although it presumably has by now. Surprisingly, the Tax Collector was quoted as saying he did not think they would lose money because of the delay! Not much interest in getting it fixed? I would think there would be interest LOST from NOT getting it fixed.]

------------------------------

Date: Wed, 23 Jan 91 20:28:58 GMT
From: Jack Campin <jack@cs.glasgow.ac.uk>
Subject: Not risk versus convenience, but risks of conveniences

From the Glasgow Herald, 18 January 1991:

Superloo reveal all
by Graeme Smith
********************
***************

Vandals who tangle with a new (pounds) 50,000 superloo in Aberdeen face the prospect of having their misdemeanours revealed to all. Apparently the most advanced convenience in the world allows undesirables just 1.7 seconds of misbehaviour before it throws open its door to reveal their misdemeanours and sprays them with violet coloured dye which will remain on their skin for at least five weeks.

If, however, you are there for legitimate purposes it will allow you 15 minutes of luxury for just 10p. The air is perfumed, as well as heated, there is background music to help you relax and there are special facilities for the disabled and for baby changing.

When you have completed your business and safely departed the superloo spruces itself up for the next customer. The walls, floor and WC automatically wash themselves down and when the disinfecting cycle is completed the WC is dried with warm air.

It is careful to ensure that thrifty Aberdonians do not try to sneak in two at a time to halve the cost, or for any other purpose. It will happily allow a mother with children and a pram to enter but if two adults step inside, the computerised equipment, which the importers claim is sensitive enough to tell the size of your shoes, will prevent the door closing.

Three have been commissioned in Aberdeen this week, one in Byron Square in Northfield, one in a layby on the Stonehaven road on the outskirts of the city, and the third at North Deeside Road.

(Any Aberdeen readers brave enough to try changing their shoes in one? - jack)

Jack Campin, Computing Science Department, Glasgow University

------------------------------

Date: Wed, 23 Jan 91 11:22:09 PST
From: mhr@ccicpg.UUCP (Mark Hull-Richter)
Subject: Re: Computer program gives police a bum rap (RISKS-10.77)

It is with great interest that I read the referenced article. Of all the police departments in the state of California, I would have thought that the Long Beach Police were the least capable of being given a "bum rap", least of all by a computer program.

Unless things have changed drastically in the last few years, the Long Beach Police Department is the most likely to deserve a "bum rap". They had a policy (unofficial, of course) many years ago of not investigating crimes which they considered to be unimportant, even when they knew who the perpetrator(s) were and that there was evidence of same. Perhaps this was limited to the low-rent areas with high Hispanic concentrations in the population or other poor areas of the city, but this happened over and over again during the late 70s and early 80s (last I checked).

Furthermore, the Long Beach Police Department is the one wherein seven police officers were sued for the wrongful death of a man who was murdered by LBPD officers in a case of mistaken identity. This was fairly well-documented in the press at the time. Summary: four police cars with seven police officers were called to a house late in the evening to apprehend a suspect in a series of crimes. The suspect was taken out to the police cars where he was beaten to death by the police despite the fact that, according to witnesses, he did not resist the arrest in any way nor was he armed. It turns out the man was the _wrong_ person, selected (I think) incorrectly from a partial license plate and his slight resemblance to the real suspect.

Brutality and refusals to enforce of the above nature used to be common in Long Beach. I don't know if they still are, but I would be greatly surprised if not. Thus, I find it difficult to believe that the computer programs actually gave them a bum rap. In fact, it wouldn't surprise me if the LBPD actually abandoned cases they couldn't solve within one month, hence the reporting.

Mark A. Hull-Richter, ICL North America, 9801 Muirlands Blvd Irvine, CA 92713
(714)458-7282x4539  UUCP: ccicpg!mhr

------------------------------

Date: Thu, 24 Jan 91 19:56:58 -0600
From: schumach@magnum.convex.com (Richard A. Schumacher)
Subject: Re: Lotus Marketplace

So Lotus will withdraw its product, and everyone will go home happy and satisfied that they have preserved their privacy. Well, as faculty at the University of Wisconsin - Madison and elsewhere have told me informally, these people are wrong. Everything that Lotus was offering on CD-ROM is already available at "substantially" the same price and conditions; these academics say they are puzzled about the uproar, since in their opinion Lotus offered nothing new.

If we want to truly change things it will take new laws and new attitudes in the business community concerning what information it is acceptable to gather and use. Halting this one form of marketing won't change anything by itself, but it can be the opening skirmish in the necessary public relations war.

------------------------------

Date: Thu, 24 Jan 1991 09:54:46 -0500
From: steve@dmntor.uucp (Steve Pozgaj)
Subject: MasterCard policy opens door to crooks (Re: Westrom, RISKS-10.79)

> A man identifying himself as Warren informed me that they could not provide me
> with a copy of the sales receipt, and the only way to address this matter was
> for me to write a letter (to Julia) explaining that the charge was incorrect.

This sounds bizarre. In the 20 years I've been a MasterCard holder, I've had this problem twice. Each time I was told that they would indeed send me a copy of the slip [which they are legally bound to keep for some number of years]. However, if it turned out to be mine legitimately, then I would be charged a ~$6 processing fee. If it was indeed not mine, no charge would be incurred. (In both cases, it was not my charge!) So, I believe your "Warren" is simply misinformed, or the laws protecting consumers in the US are seriously worse than those here in Canada.

However, there still remains an irk: I got no reimbursement for the money that they had forced me to pay while the credit was being processed. This I find rather despicable. I was told by my "Warren" that if I didn't pay the amount as due, I would be charged interest on it, and, EVEN IF it were not mine, hell would freeze over before I got the interest credit. So, even though the charge was erased, I was out of pocket, without compensation, for the approximately 8 weeks this all took. On ~$200 at the then-current rate of 10% savings account interest, that represents about $3!

Steve Pozgaj @ Digital Media (steve@dmntor)

------------------------------

Date: Wed, 23 Jan 1991 18:47:31 PST
From: [anonymous]
Subject: "Mastercard" Policy

It is worth noting that almost all issues relating to charges, errors, credits, etc. on VISA and MASTERCARD statements are under the control of the particular bank/financial institution issuing the particular card and/or merchant account in question. VISA and MASTERCARD themselves are primarily umbrella organizations for properly allocating purchase charges and credits among the member financial institutions. While VISA and MASTERCARD do have umbrella security regulations, the sorts of problems mentioned by a recent writer to RISKS should be addressed to the financial institution directly. Since policies on such matters vary widely between institutions, blaming VISA or MASTERCARD themselves is probably a misdirected effort.

------------------------------

End of RISKS-FORUM Digest 10.80
************************