[comp.risks] RISKS DIGEST 8.40

RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (03/18/89)

RISKS-LIST: RISKS-FORUM Digest  Friday 17 March 1989   Volume 8 : Issue 40

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:  [Clean-up of loose ends]
  Re: Sunspots & Communications (Jordan Brown, Gasbarro)
  Ethics of Copying Fonts (Jerry Schwarz)
  Policy Statement Request (Dave Grisham)
  Re: Incoming-call identification (Brint Cooper)
  Risks of telephone access to your bank account (Brint Cooper)
  Limitless ATMs (Emily H. Lonsford)
  Re: A Touching Faith in Technology (Henry Spencer)
  Risks of helpfulness (Henry Spencer)
  Work monitoring survey (Goun)
  Faking Internet mail (Robert C. Lehman)
  Spying on or intercepting UUCP mail (David Sherman)
  Hackers, cartoons, and computers (Doug Claar)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com.  FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) /
  get stripe:<risks>risks-i.j ... (OR TRY cd stripe:<risks> / get risks-i.j ...
  Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99).

----------------------------------------------------------------------

Date: Fri, 17 Mar 89 10:09:13 PDT
From: Jordan Brown <herron!jbrown@jato.Jpl.Nasa.Gov>
Subject: Re: Sunspots & Communications

PGN writes:
> In the Mount Diablo area of California, there have been many reports of
> garage door openers failing to operate.

KFWB reported that this was caused by some form of radio transmitter that the
Navy was using in the area (paraphrased) "to provide communications to a ship
at Alameda while its communications gear was being repaired".  It's been turned
off.  The report was technically quite vague, so I can't provide more detail.

Jordan Brown                     [Also noted by Barry Klawans and Steve Wilson]

  [The old joke used to be "When is a door not a door?"  "When it is ajar."
  Now we have a new joke,  "When is a door not a door?"  "When it is ajam(b)."
  PGN]

------------------------------

Date: 16 Mar 89 17:26:07 PST
From: Gasbarro.pa@Xerox.COM
Subject: Re: Sunspots & Communications

> I thought that [garage door] openers operated in the microwave range;
> isn't this power level of transmission unhealthy?

Most garage door openers that I've encountered operate in the 380MHz range.
Water resonates at 2.4GHz.  Besides, the power level is only a few tens of
milliwatts.

------------------------------

Date: Fri, 17 Mar 89 11:02:24 EST
From: jss@ulysses.UUCP  <Jerry Schwarz>
Subject:  Ethics of Copying Fonts

Marc Mengel ... exactly illustrates why this is a gray area.  Suppose that they
didn't pick out the letters but were distributing the whole page?  Clearly a
violation of copyright.  Individual columns?  Still a clear violation.
Individual pixels?  Clearly permitted, but only because they used no NYT
information content.  Why bother digitizing the NYT to get bits in simple
patterns when you can generate them yourself?  Somewhere in between (around the
word or letter level) lies a gray area.

My (moral) conclusion is that if it's worth copying something then there is
value in what's being copied.  If the value derives from effort that is not
required to make the copy then there ought to be a way to protect that effort.

Jerry Schwarz

------------------------------

Date: Fri, 17 Mar 89 10:52:44 MST
From: Dave `White Water' Grisham <dave@charon.unm.edu>
Subject: Policy Statement Request

I am currently (re)writing our Univ. policy on "computer misuse".  Rather
than reinvent the wheel, I ask anyone who has access to an enforceable, yet
comprehensive policy statement to please share it with me.  My research
to date has shown many universities to be behind in their written-published
policies.  I believe courts will find that policies written before
networking and viruses are of little value.  I will be glad to post the
results of my efforts individually or to the group.  Thanks in advance.  dave

   Dave  Grisham                                                            
   Senior Staff Consultant/Virus Security          Phone (505) 277-8148     
   Information Resource Center                     USENET DAVE@UNMA.UNM.EDU
   Computer & Information Resources & Technology   BITNET DAVE@UNMB         
   University of New Mexico    Albuquerque, New Mexico  87131              

------------------------------

Date:     Thu, 16 Mar 89 9:24:50 EST
From:     Brint Cooper <abc@BRL.MIL>
Subject:  Re: Incoming-call identification

Incoming-call ID is a difficult problem.  Still, doesn't a person, in the
privacy of Home, have the right to an "electronic peep-hole" to control his/her
privacy?

This is a larger issue than screening out the vendors who call at dinnertime.
The police and telecos simply are ineffective at dealing with persistent,
harassing and/or obscene callers.  Their methods are cumbersome and
non-responsive to the harassment.

Any caller can protect his/her privacy by calling from a work phone (which is a
very common practice, prohibitions notwithstanding) or from a pay phone.

Incidentally, what is the "scope" of Incoming Call-ID?  Does it identify only
calls from the same central office?  local calling area? area code?  or
country?  A function similar to Incoming Call-ID is how our teleco gathers
"evidence" on harassing phone calls.  The harassed plaintiff keeps a
date/time log of objectionable calls; the teleco may be able to tell the
originating phone number.  However, in our case, it could resolve only phone
numbers in the same central office as the harassee and, perhaps, a small
number of other, specified, central offices.

I'm a firm believer in privacy, too.  But that includes my right to privacy in
my own home.
                                        _Brint

------------------------------

Date:     Thu, 16 Mar 89 9:29:31 EST
From:     Brint Cooper <abc@BRL.MIL>
Subject:  Risks of telephone access to your bank account

In discussing "Risks of telephone access to your bank account," Michael
McClary relates the identifying information required to transfer funds
by telephone, then observes:

> Now combine that with cellular phones that:
>  - are not scrambled,
>  - don't switch channels enough to break up a conversation,
>  - can be rec[ei]ved on the high end of an old TV set's UHF dial
>  - are generally owned by busy people with money
> and you've got the makings of some nasty surprises.

Get the word out, folks:  CELLULAR PHONE IS NOT "TELEPHONE."  IT'S
BROADCAST RADIO!  DON'T SAY ANYTHING ON CELLULAR PHONE THAT YOU WOULDN'T
SAY ON YOUR LOCAL RADIO STATION!
                                                  _Brint

------------------------------

Date: Friday, 17 Mar 1989 17:02:51 EST
From: m19940@mwvm.mitre.org (Emily H. Lonsford)
Subject: Limitless ATMs (Re: RISKS DIGEST 8.37)

Some years back, when ATMs were first coming out, I signed up for a card at my
bank.  The first time I used it was a memorable experience.  The machine was
very primitive.  Instead of a CRT, it had colored buttons with messages like
"Insert card" or "Enter your PIN" which were illuminated to instruct the user.
I dutifully inserted my card and followed the instructions.  "Clickety click!"
responded the machine, and then told me to enter my PIN.  After each action on
my part, there was a noticeable pause and more "clickety clicks" from the
machine.  I soon decided that the clicks were there to keep me, the poor dumb
user, occupied while the machine communicated with the host.  This struck me as
terribly funny, and I began to chuckle.  Each set of clicks made me laugh
harder, and people were beginning to stare.  The best part was yet to come:
when the machine finally spit out the money, it was crisp and new - and WARM,
as if it had just been printed! It was all I could do not to roll around on the
floor laughing; I grabbed the money and my card and left.

A couple of years later, one of the bank's systems programmers explained the
machines to me.  "Oh," he said very seriously, "the clicks really had a
purpose.  The machine had no link to the bank; instead it had a ticker tape
inside, and it recorded every transaction (hence the clicks.)  A technician
came around every day, collected the tape (which was keyed into the bank's main
computer) and refreshed the money supply."  And as for the crisp new bills?
"Well, those machines were so cantankerous that they would jam if anything but
new money was used."

As usual, there was a logical reason for everything the computer did.  I think
I liked my interpretation better.

The moral is, these machines were vulnerable to the kind of attack mentioned in
RISKS 8.37.  They depended on the cooperation of the user not to go around and
collect $300 from each machine.  Security via ignorance....

Emily H. Lonsford, MITRE Houston W123  (713) 333-0922

------------------------------

Date: Fri, 10 Mar 89 16:08:28 -0500
From: henry@utzoo.UUCP
Subject: Re: A Touching Faith in Technology

>"The adoption of an identity card, at least on a voluntary basis, which would
>carry such numbers - name, date of birth, nationality, signature and perhaps
>blood group - would surely be an advantage for everybody...

Of course, "voluntary" is likely to mean "compulsory" very quickly, unless
this is specifically illegal.  I have neither an age-of-majority card (the
only legal proof of drinking age here) nor a driver's licence, and you'd
be surprised at the looks this sometimes gets me.

Blood group, eh?  How soon before AIDS-test status gets included?

>... GIVEN THAT TECHNOLOGY SHOULD MAKE IT IMPOSSIBLE TO FORGE THEM,
>such cards could quickly establish one's bona fide. . . ."

This runs into the same problem that (I understand) Germany ran into after
WW2.  There were many people with little or no identification in the chaos
that followed Germany's defeat.  Some of them were wanted men.  There was
felt to be a need for one solid form of ID, something sufficiently well-
researched to be definitive.  The obvious choice was the passport.  What
this meant, in practice, was that if one could get a forged passport (not
easy, but not impossible), nobody would ever question one's new identity.

                                     Henry Spencer at U of Toronto Zoology

------------------------------

Date: Fri, 10 Mar 89 15:49:27 -0500
From: henry@utzoo.UUCP
Subject: Risks of helpfulness

I haven't seen this one mentioned here yet...  At the San Diego Usenix
conference at the beginning of last month, in his keynote speech, William T.
O'Shea (VP of AT&T) said that twice recently, intruders got into AT&T systems
by being talked through the sign-on procedures by AT&T help desks!

                                     Henry Spencer at U of Toronto Zoology

------------------------------

Date: 10 Mar 89 09:47
From: goun%evetpu.DEC@decwrl.dec.com
Subject: Work monitoring survey

From The Boston Globe, Thursday, March 9, 1989:

  Most workers in survey think employers use electronic means to spy on them

By Ronald Rosenberg, Globe Staff

     A survey said that 75 percent of mostly unionized workers in Greater
Boston feel ``spied on at their jobs'' by electronic monitoring.

     The survey, conducted by the Massachusetts Coalition on new Office
Technology, which represents over 40 unions and women's organizations, has
filed state legislation that would require notifying employees in advance of
any monitoring or surveillance.  A legislative hearing on the measure is
scheduled Monday at the State House.

     Several insurance firms, banks, airlines and industry groups oppose the
legislation, saying it is unnecessary and violates an employer's right to
monitor how employees work.

     At issue is the use of computerized or electronic monitoring systems to
keep track of an employee's work performance and activities.  This kind of
surveillance includes computer monitoring where the computer counts keystrokes,
error rate, time to complete each task and break time.

     Another way checking [sic] on employee productivity is service observation
where supervisors listen into conversations between employees and customers.

     A third form, known as telephone call accounting, monitors the time,
length and destination of all calls dialed from each extension but does not
record the conversation.  It is used by telemarketing firms and large sales
organizations.

     ``There have been clear abuses of electronic monitoring and it violates a
person's right of privacy and right of due process,'' said Lisa Gallatin, the
coalition's executive director.

------------------------------

Date: Tue, 14 Mar 89 14:54:23 EST
From: Robert C. Lehman <rcl@jolt.cc.columbia.edu>
Subject: Faking Internet mail

While "faking" electronic mail may be easy, it's not as easy as faking
"physical" mail.  More specifically, getting some company or university
letterhead (or having some printed, for that matter) and typing up a letter
requires less specific knowledge than hacking some system's SMTP mailer,
for example.

However, people perceive computers as being reasonably secure entities, and
therefore they assume that electronic mail generated by a computer system
is genuine.

While an organization such as NSF, which is accepting reviews of proposals
via electronic mail, should be concerned about the authenticity of reviews
it receives, reviews sent by electronic mail are, in the long run, no more
or less likely to be bogus than those sent by surface mail.

Robert Lehman, Columbia University

------------------------------

Date: Wed, 8 Mar 89 23:51:24 EST
From: dave@lsuc.uucp (David Sherman)
Subject: Spying on or intercepting UUCP mail

Peter Scott (pjs@grouch.jpl.nasa.gov) writes in RISKS 8.28:
> > Walter Roberson in RISKS-8.27
> > How about the
> > other way around: how much danger is there that someone can spoof mail in
> > order to receive messages destined for someone else?
> 
> The only way I know of doing this is if your machine is on the path for
> the mail in the first place, in which case you can look at everything
> that passes through anyway.

All it takes is a published "mysite  uunet(LOCAL), att(LOCAL)".
Now that most sites on the net use automated routing with pathalias,
a sysadmin with long-term general spying goals need only show very fast
connections to major sites in the system's official UUCP map entries.
Within a few months a lot of mail from nearby sites will be coming
through.  Keeping a copy of everything that passes through is as
trivial as setting a #define in smail.

David Sherman, The Law Society of Upper Canada  (att!lsuc!dave :-))
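As an added illustration (not part of the digest or of David Sherman's post): a toy pathalias-style router over a constructed UUCP map, showing how a site that republishes LOCAL-cost links to the hubs pulls a neighbour's mail through itself, together with a check a map maintainer could run to flag sites that newly become transit points. The cost classes, site names and symmetric-link simplification are assumptions.

```python
import heapq

# Link-cost classes modelled on pathalias conventions; numbers are assumptions (lower = preferred).
COST = {"LOCAL": 25, "DEDICATED": 95, "DIRECT": 200, "HOURLY": 500, "DAILY": 5000}

def parse_map(entries):
    """entries: {site: "nbr(CLASS), nbr(CLASS)"} -> weighted graph; links assumed usable both ways."""
    graph = {}
    for site, spec in entries.items():
        for item in spec.split(","):
            nbr, cls = item.strip().rstrip(")").split("(")
            w = COST[cls]
            for a, b in ((site, nbr), (nbr, site)):
                links = graph.setdefault(a, {})
                links[b] = min(w, links.get(b, w))
    return graph

def route(graph, src, dst):
    """Dijkstra over link costs: the bang path a pathalias-style router would pick."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, w in graph.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]

def transit_sites(graph, pairs):
    """Sites that sit strictly between src and dst on the chosen routes."""
    return {s for src, dst in pairs for s in route(graph, src, dst)[1:-1]}

def new_transit_sites(old_entries, new_entries, pairs):
    """Review check: sites that become intermediaries only after a map update."""
    old, new = parse_map(old_entries), parse_map(new_entries)
    return transit_sites(new, pairs) - transit_sites(old, pairs)

# Constructed maps: 'mysite' first lists an honest daily link to uunet, then republishes
# claiming LOCAL links to both hubs, as in the map entry quoted in the digest.
BEFORE = {"nearby": "att(HOURLY), mysite(DIRECT)", "mysite": "uunet(DAILY)",
          "uunet": "att(DEDICATED)"}
AFTER = dict(BEFORE, mysite="uunet(LOCAL), att(LOCAL)")
```

With the BEFORE map, nearby's mail to att goes direct; with AFTER it is routed through mysite, which new_transit_sites reports as the site to review.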

------------------------------

Date: Mon, 13 Mar 89 17:32:44 pst
From: Doug Claar <dclaar%hpda@hp-sde.sde.hp.com>
Subject: Hackers, cartoons, and computers

Recently, while watching my kids watch Saturday cartoons, I noticed a "Computer
Minute" public service type ad from the network. In it, the father, who was
portrayed as clueless, was trying to organize his towering stack of papers. His
son, Hacker, tried to tell dad all about Data Base Management Systems. Why,
even sister had her (girl stuff) on the computer, and gee, mom had her
recipes. Hacker had his (boy stuff) on it as well. Having only seen one, I
don't know for certain, but given the girl's name (which I don't remember, but
wasn't computer-oriented), and the son's name, it seemed to perpetuate the
young male as the hacker stereotype.

Relationship to risks? Well, I've seen discussions on the term "hacker," and on
comics and computing.

Doug Claar, HP Computer Systems Division
UUCP: mcvax!decvax!hplabs!hpda!dclaar -or- ucbvax!hpda!dclaar

------------------------------

End of RISKS-FORUM Digest 8.40
************************