[comp.risks] RISKS DIGEST 5.44

RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (10/16/87)

RISKS-LIST: RISKS-FORUM Digest  Thursday, 15 October 1987  Volume 5 : Issue 44

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Costly computer risks (Gary A. Kremen)
  Re: News Media about hackers and other comments (Amos Shapir)
  Mailing Lists (Lindsay F. Marshall)
  Discrimination considered pejorative (Geraint Jones) 
  Re: Anonymity and high-tech (Brint Cooper) 
  Pacemakers (Hal Schloss)
  News Media about hackers and other comments (Bob English)
  Password bug - It's everywhere. (Mike Russell)
  Re: YAPB (yet another password bug) (Brint Cooper)
  Civil Disobedience (Scott Dorsey, Bill Fisher, Eugene Miya)
  Phalanx Revisited (Risks to Carrier Aircraft) (Marco Barbarisi)
  SSNs (Bill Gunshannon)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome. 
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

Date: Tue 13 Oct 87 17:28:10-PDT
From: Gary A. Kremen <89.KREMEN@GSB-HOW.Stanford.EDU>
Subject: Costly computer risks
To: risks@csl.sri.com

From The Wall Street Journal of October 13, 1987 page 47:

"But the DOT [Direct Order Transfer - a computer system that makes
large-scale stock trading faster and more efficient] system isn't
foolproof, either.  Mr. Nelson [whom the article is about] said he
heard a story about a man who pushed his DOT button intending to buy
one $25 million package of securities. When he didn't get a
confirmation of his order, he hit the button again, and then again and
again. A few minutes later, he received four confirmations showing
that he had just bought $100 million of stock."

The article itself is very interesting for those who are looking for
another view on a topic that has been discussed in RISKS for some time
- computer assisted stock trading and "program trading."
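Added example, not from the Wall Street Journal article or from the post above: a small Python model of the "press the button again" failure and of the usual remedy, a client-chosen idempotency key that the order system honours on retries. The server classes, the order format and the lossy confirmation link are hypothetical stand-ins for the DOT system, not its actual interface; the drop pattern is constructed to reproduce the four-confirmation story.

```python
"""Duplicate orders from blind retries, and an idempotency-key fix.

Added example; the broker-side API, the order format and the failure
model are hypothetical and only reproduce the behaviour described in
the post (one intended $25M buy, four fills).
"""
import uuid


class LossyLink:
    """Delivers the server's confirmation only some of the time.

    Constructed failure model: the order always reaches the server, but
    the confirmation may be delayed or lost on the way back, so from the
    trader's seat nothing happens and the button gets pressed again.
    """

    def __init__(self, drop_pattern):
        # drop_pattern: list of booleans, True means "confirmation lost"
        self._drops = list(drop_pattern)

    def confirmation_lost(self):
        return self._drops.pop(0) if self._drops else False


class NaiveOrderServer:
    """Executes every request it receives; each retry is a fresh order."""

    def __init__(self):
        self.executed = []  # amounts actually bought

    def submit(self, order):
        self.executed.append(order["amount"])
        return {"status": "filled", "amount": order["amount"]}


class IdempotentOrderServer:
    """Executes each idempotency key at most once; a replayed request
    gets the original confirmation back instead of a second fill."""

    def __init__(self):
        self.executed = []
        self._seen = {}  # idempotency key -> confirmation already issued

    def submit(self, order):
        key = order["idempotency_key"]
        if key in self._seen:
            return self._seen[key]
        self.executed.append(order["amount"])
        conf = {"status": "filled", "amount": order["amount"], "key": key}
        self._seen[key] = conf
        return conf


def place_with_retries(server, link, amount, max_attempts=4):
    """Client loop: keep pressing the button until a confirmation arrives.

    One key is generated for the whole intent and reused on every retry,
    so a server that honours the key cannot fill the same intent twice.
    """
    order = {"amount": amount, "idempotency_key": str(uuid.uuid4())}
    for _ in range(max_attempts):
        conf = server.submit(order)   # the order itself always gets through
        if link.confirmation_lost():
            continue                   # trader sees nothing, presses again
        return conf
    return None


def total_bought(server):
    return sum(server.executed)


def demo():
    """Return (naive_total, idempotent_total) for the constructed scenario:
    three confirmations lost, the fourth delivered, one $25M intent."""
    drops = [True, True, True, False]
    naive = NaiveOrderServer()
    place_with_retries(naive, LossyLink(drops), 25_000_000)
    safe = IdempotentOrderServer()
    place_with_retries(safe, LossyLink(drops), 25_000_000)
    return total_bought(naive), total_bought(safe)


if __name__ == "__main__":
    naive_total, safe_total = demo()
    print(f"naive server bought      ${naive_total:,}")
    print(f"idempotent server bought ${safe_total:,}")
```

The key has to be chosen by the client before the first attempt and kept across retries; a key minted fresh on each press would be no better than no key at all. The server must also remember keys long enough to cover the slowest plausible confirmation.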

------------------------------

To: nsc!comp-risks@Sun.COM
From: nsc!taux01!taux01.UUCP!amos@Sun.COM (Amos Shapir)
Subject: Re: News Media about hackers and other comments
Date: 14 Oct 87 14:22:44 GMT

Jack Holleran <Holleran@DOCKMASTER.ARPA> writes:
> An Annapolis [MD] man pleaded guilty yesterday to stealing long-distance
>telephone service using his home computer, which a judge ordered destroyed.
                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^
Talk about computer phobia! This must be the silliest court decision
since a boat was put to the gallows in the 17th century!

Amos Shapir, National Semiconductor (Israel)
6 Maskit st. P.O.B. 3007, Herzlia 46104, Israel  Tel. +972 52 522261
amos%taux01@nsc.com (used to be amos%nsta@nsc.com) 34 48 E / 32 10 N

------------------------------

From: "Lindsay F. Marshall" <lindsay%kelpie.newcastle.ac.uk@NSS.Cs.Ucl.AC.UK>
Subject: Mailing Lists
To: risks@kl.sri.com
Date: Thu, 15 Oct 87 10:28:59 BST

Only 17 categories of people!! That's not very sophisticated - Britain is
broken down into 45 distinct groups by one of the companies who sell mailing
lists. They have a very neat acronym for this system which eludes me at the
moment. They have also introduced a new system called "Monica" which
classifies people by their first names (Monica is a slang pun - I don't know
if it is meaningful in the US). The idea is actually very obvious - certain
first names are popular at certain times and don't get recycled at regular
intervals so having a first name like "Florence" tends to indicate that you
are older, whereas "Darren" is a younger person's name. I don't know how this
would apply in the US, but the short extracts I have seen are strikingly
accurate when compared with people I know. It does fall down on names like
"John" and "David" which are perennial favourites, and also on very unusual
names or he/she names like Lindsay of course.

Also on the subject of mailing lists, there was an interesting letter in the
Guardian from someone who received a batch of junk mail about investments,
expensive holidays and subscribing to the Tory party. The man has no money
and has been unemployed for 2 years. The letters started arriving six weeks
after he had a letter printed in the Times newspaper...
                                                             Lindsay

                [I wouldn't want to Harm Monica, but a moniker is a
                nickname, as is Nick, and Phil (Harmonica?).  PGN]

------------------------------

Date:     Tue, 13 Oct 87 21:11:53 EDT
From:     Brint Cooper <abc@BRL.ARPA>
To:       mcphee@ratliff.cs.utexas.EDU
cc:       RISKS@sri.COM
Subject:  Re: Anonymity and high-tech

Nic McPhee's essay on anonymity reminded me of an innocent-looking way
that names and demographic information are entered into
frequently-merged databases:  the so-called "warranty registration"
cards that come with nearly everything that we buy.   What our sex, job,
age, and gross annual income have to do with validating the warranty on
a TV or a computer escapes me.  While government doesn't necessarily get
ahold of these databases, shady characters in the private sector should
have no trouble posing as legitimate businesses and buying these
databases.

On a related note, and one not directly related to risks in computers
(sorry Peter), the British Government's use of "questionable" means of
searching for unlicensed TV receivers may not in fact be a violation
of THEIR law or traditions.  In many ways, the British system is far
less protective of an individual's rights than is ours in the U.S.

------------------------------

Date: Thu, 15 Oct 87 10:04:04 BST
From: Geraint Jones <geraint%prg.oxford.ac.uk@NSS.Cs.Ucl.AC.UK>
To: risks <RISKS@kl.sri.com>
Subject: Discrimination considered pejorative

Yes,  yes,  I too get the annoying annual letter asking me why I haven't got a
licence for my non-existent  television.  I thought  everyone  did.  You can't
mean to say that some people have televisions?
    Surely  the greatest risk of all this information  refining is the risk to
the ego  of the  individual  who  thought  he was  unique,  or at least  in an
`elite'-sized  minority.  I mean,  I thought  I was  the only  bald,  bearded,
Methodist,  owner of a tandem  south  of the Trent;  what am I going  to think
when  I get  the  direct-mail  advertisement  for a hair  restorer  and a beard
trimmer  in with  my invitation  to a tandem  rally  from  the  church's  home
mission division?
    Perhaps there is some comfort here for Cliff Jones' original paranoia.  He
was originally bothered --  RISKS 5.38 --  by the suggestion that he was being
marked down as a potential lawbreaker and that someone might carelessly  treat
that as being the same as having a criminal  record.  I cannot yet conceive of
being in a mechanically-detectable  minority small enough for it to be safe to
make  wild  generalisations  about  us.  To be lumped  in with a large  enough
proportion of the population is not to be discriminated  against in any new or
unusual way.
    There are,  for example,  one in twenty of us (not 1%, as Ian Batten RISKS
5.42)  in the  UK without  haunted  goldfish-bowls  in  our  houses.  I forget
whether  that  is  5%  of  the  population,  or  5%  of households  --  we are
uncommonly likely to be one- or two-  person households,  so it is a different
proportion.  What is depressing is the number of us who seem to be in computer
science.                                                                    gj

------------------------------

From: psivax!woof%psivax@csl.sri.com
Date: Wed, 14 Oct 87 17:04:29 PDT
To: Risks@rdlvax.rdl.com
Subject: Pacemakers (Re: RISKS-5.43)
Organization: Pacesetter Systems Inc., Sylmar, CA

In this issue of comp.risks you wrote . . .
>(Peter: Pacemakers DO have serial numbers.  I called Medtronic and theirs
>do.  I assume other manufacturers also have them in case of recall.)

	Why don't you drop us a line if you have questions about pacemakers.
I believe we are the only pacemaker company on the net right now. Currently
we are about #3 worldwide and growing. We currently have pacemakers with and
without serial numbers; they may be read electronically without explanting
the pacemaker. In general the trend in the future will be towards such
numbers. They are actually most useful for identifying whether we have a
problem with our manufacturing process. If we know the serial number of the
problem pacer, then we can identify which components went into it, and who
worked on it here. (All our pacemakers have serial numbers, but the older
ones can be read only on the outside of the pacemaker. Our more complicated
pacemakers store their number electronically, which can be read by a
pacemaker programmer.  I work on pacemaker programmers.)  --

	Hal Schloss	 Pacesetter Systems Inc., A Siemens Company
 {sdcrdcf|ttidca|scgvaxd|nrcvax|jplpro|hoptoad|csun|quad1|harvard|csufres|
  bellcore|logico|rdlvax|ihnp4|ashtate}! psivax!woof
  ARPA: woof@rdlvax.rdl.com

------------------------------

Date:           Tue, 13 Oct 87 18:56:11 PDT
From:           Bob English <lcc.bob@CS.UCLA.EDU>
To:             RISKS@KL.SRI.Com
Subject:        News Media about hackers and other comments (Re: RISKS-5.43)

> From:  Jack Holleran <Holleran@DOCKMASTER.ARPA>
> Subject:  News Media about hackers and other comments 

> MCI spokeswoman Pamela Small said yesterday[,] thefts that cost the long-
> distance carriers an estimated $500 million in 1986 alone have decreased.

> If "equal access" reduces losses, maybe it's time to invest in those
> companies.

This is a very curious kind of loss.  If they stole $500 million dollars
in services, the company didn't lose $500 million, unless somehow they
were unable to provide $500 million dollars in service to someone else
as a result of the misappropriation of resources.  While there would be
some of that, I find it very difficult to believe that the real number
is even a significant fraction of that.  There are other real costs
associated with this sort of theft--loss of goodwill by the mischarged
party, accounting costs associated with rebalancing the books, etc--but
those are probably small as well.

In short, the companies have a vested interest in making their losses
appear as large as possible.  While they show a paper loss of $500
million to theft, all that was stolen was paper money that will not be
replaced if the theft ceases, and their revenues will not increase by an
appreciable amount.

Phone theft is not so much an economic problem as a social one.  The
phone companies pursue the legal aspects of it quite aggressively
because they want to prevent it from becoming widespread enough to do
actual damage, but they don't take obvious preventative measures to
prevent it or detect it earlier.  They don't, for example, look for
sudden large changes in service levels and flag them as suspicious.

--bob--

P.S. I heard the other day that the average driver commits about 10
traffic violations every mile here in California.  I'm looking forward
to the day when the CHP can track my car through its computers.
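Added example, not from the post above or from any carrier: the kind of check the writer says the phone companies were not doing, run over constructed per-account daily usage records. The account names, minutes and thresholds are made up for the example; the point is that each account is compared with its own trailing history rather than a global average, so a small residential line that suddenly carries a stolen code stands out even though busy business lines use far more minutes.

```python
"""Flag accounts whose daily usage jumps far above their own baseline.

Added example; the records, account names and thresholds are constructed
for illustration and are not real carrier data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily long-distance usage: (account, day, minutes)
RECORDS = [
    ("A100", 1, 40), ("A100", 2, 35), ("A100", 3, 50), ("A100", 4, 45),
    ("A100", 5, 38), ("A100", 6, 42), ("A100", 7, 980),   # stolen code in use
    ("B200", 1, 300), ("B200", 2, 320), ("B200", 3, 290), ("B200", 4, 310),
    ("B200", 5, 305), ("B200", 6, 295), ("B200", 7, 330),  # busy but steady
    ("C300", 1, 0), ("C300", 2, 0), ("C300", 3, 5), ("C300", 4, 0),
    ("C300", 5, 0), ("C300", 6, 2), ("C300", 7, 260),      # dormant line wakes up
]


def usage_by_account(records):
    """Group records into {account: {day: total_minutes}}."""
    per = defaultdict(dict)
    for acct, day, minutes in records:
        per[acct][day] = per[acct].get(day, 0) + minutes
    return per


def flag_spikes(records, min_history=5, z_threshold=4.0,
                ratio_threshold=5.0, floor=30):
    """Return {account: (day, minutes, baseline_mean)} for suspicious days.

    A day is flagged when its usage exceeds the account's own trailing
    history by both a z-score and an absolute ratio.  The floor keeps a
    dormant line going from 0 to a handful of minutes from being flagged,
    and min_history avoids judging an account with almost no past.
    Only the first spike per account is reported.
    """
    flagged = {}
    for acct, days in usage_by_account(records).items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < min_history:
                continue
            today = days[day]
            if today < floor:
                continue
            base_mean = mean(history)
            base_sd = pstdev(history)
            z = (today - base_mean) / base_sd if base_sd > 0 else float("inf")
            ratio = today / base_mean if base_mean > 0 else float("inf")
            if z >= z_threshold and ratio >= ratio_threshold:
                flagged[acct] = (day, today, round(base_mean, 1))
                break
    return flagged


if __name__ == "__main__":
    for acct, (day, minutes, base) in sorted(flag_spikes(RECORDS).items()):
        print(f"{acct}: day {day} used {minutes} min, baseline {base} min/day")
```

On this constructed data A100 and C300 are flagged on day 7 and B200 is not. In practice the baseline window, the floor and the two thresholds are tuned against the false-positive rate the fraud desk can absorb, and a flag would trigger a review or a temporary limit rather than an automatic cut-off.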

------------------------------

Date: Thu, 15 Oct 87 15:00 EDT
From: Mike Russell <MRUSSELL@jvncc.csc.org>
To: risks@csl.sri.com
Subject: Password bug - It's everywhere.

After reading Geof Cooper's posting on the password truncation problem,
I tried it on every Unix machine I could find.  Only the first 8
characters counted on any of them.  Here's the list:

       Machine            Operating System
     ----------         --------------------
      VAX 750              Ultrix 1.2
      VAX 8600             Ultrix 2.0-1
      VAX 750              Berkeley 4.3
      Celerity 1260D       Accel Unix 3.4.78
      IBM RT-PC            AIX 1.2
      Sun 3/160            3.0

Looks like this bug has been there for quite some time - maybe since
the beginning.  Can you spell propagation?  Maybe this bug
can be used for some copyright infringement suits?  I suppose
all of the Unix-computer producing companies assumed this part
of the code worked and didn't need looking at.  My guess is that
there are actually few of us who use more than 8 characters anyway,
so the implications are not as severe as it might seem, but it
sure decreases the search time.  Where might the most serious
implications of this be?  Unicos machines with classified data?
Other defense machines?
                                        -Mike Russell

------------------------------

Date:     Tue, 13 Oct 87 20:57:11 EDT
From: Brint Cooper <abc@BRL.ARPA>
To: imagen!geof@decwrl.dec.COM
Cc: risks@csl.sri.com
Subject:  Re: YAPB (yet another password bug)

Geof (no relation) expresses surprise that 4.3 Unix "silently" truncates
passwords to 8 characters.  Was this a secret?  Did not 4.2 and 4.1 do
the same?  I don't believe that there has been a 14-character password
since the days of the PDP-11.
                                              Brint

      [More importantly, any algorithmically generated password is easier
      to crack...  In this case, once you know more than one password, you 
      could easily infer the algorithm...  With my 7-character name, I get
      only one free character.  The password generating scheme Geof refers 
      to is much dumber than the 8-character truncation.  But it is nice to
      know about the truncation!  PGN]
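Added example, not from either of the two posts above or from the moderator's note: a black-box probe that tells you how many leading characters a password-hashing routine actually uses, plus the arithmetic on how much search space the truncation throws away. `legacy_hash` is a stand-in that only models the reported behaviour (characters past the 8th ignored); it is not a reimplementation of the DES-based crypt(3) of 1987. `modern_hash` uses the standard library's PBKDF2 as a contrast. The same probe can be pointed at a real `hash_fn` wrapper around any system's routine.

```python
"""Probe a password hash for silent truncation and size the loss.

Added example; `legacy_hash` is an assumed stand-in that models only the
8-character truncation reported in the posts, not the real DES crypt.
"""
import hashlib
import math
import secrets


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Assumed stand-in: characters beyond the 8th are dropped before hashing.
    return hashlib.sha256(salt + password[:8].encode()).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the probe below runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def effective_length(hash_fn, probe_len=32, salt=b"\x00" * 8) -> int:
    """Return how many leading characters actually influence the hash.

    Needs no source code: hash a base password, then flip one character
    at position i and see whether the hash changes.  The first position
    whose change is NOT reflected in the hash is where truncation starts.
    """
    base = "a" * probe_len
    ref = hash_fn(base, salt)
    for i in range(probe_len):
        variant = base[:i] + "b" + base[i + 1:]
        if hash_fn(variant, salt) == ref:
            return i
    return probe_len  # no truncation found within probe_len


def search_space_bits(alphabet_size: int, chars_used: int) -> float:
    """log2 of the number of candidates an attacker has to try."""
    return chars_used * math.log2(alphabet_size)


def demo():
    """Return (legacy_n, modern_n, full_bits, truncated_bits) for a
    12-character password over the 95 printable ASCII characters."""
    salt = secrets.token_bytes(8)
    legacy_n = effective_length(legacy_hash, salt=salt)
    modern_n = effective_length(modern_hash, salt=salt)
    full_bits = search_space_bits(95, 12)
    trunc_bits = search_space_bits(95, min(12, legacy_n))
    return legacy_n, modern_n, full_bits, trunc_bits


if __name__ == "__main__":
    legacy_n, modern_n, full_bits, trunc_bits = demo()
    print(f"legacy routine uses {legacy_n} chars, modern uses {modern_n}")
    print(f"12-char password: {full_bits:.1f} bits, "
          f"after truncation {trunc_bits:.1f} bits")
```

With the stand-in, the probe reports 8 for the legacy routine and the full 32 for PBKDF2, and a 12-character password loses about 26 bits of search space (four characters' worth over a 95-symbol alphabet). The moderator's point about generated passwords follows from the same arithmetic: a scheme that fills the first seven of those eight positions with a known name leaves 95 candidates, not 95^8.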

------------------------------

Date: Wed, 14 Oct 87 17:52:39 EDT
From: kludge@pyr.gatech.edu (Scott Dorsey)
To: RISKS@kl.sri.com
Subject: Civil Disobedience (Re: RISKS-5.43)

In Risks Digest 5.43, I find:
>It seems to me that as the computerization of society continues, the idea of
>engaging in civil disobedience via computer is bound to come up more often. 
>Some computer CD might resemble ordinary computer crime and sabotage except
>for the motivation of the individuals carrying it out.  I've heard folklore
>about politically motivated crackers for years now; do RISKS readers know of
>any actual examples?

   I seem to recall a mention that the Berkeley computer center was
occupied by protesters sometime in the sixties, who claimed that the
computers were being used for war work.  A sit-in was staged, as well 
as the damage of some equipment and a large number of tapes.  I don't
know precisely if any significant damage was done.

   On a slightly more current note, a couple of years back, a student
who was upset with the student government policies here at Georgia
Tech formed an organization called the Barbecue Liberation Front
(the gripe, as I recall, had something to do with a cancelled cookout),
which among other things froze the student government accounts, and
sent messages to all users each second on one of the undergraduate 
class machines, making it unusable.

   This is as close to political motivation as I have ever seen on
the Tech campus.  Although it may be a rather pitiful example, it is
as political as anything ever gets in a place where Poly Sci profs
refer to the Washington Post as an "anarchist rag."

Scott Dorsey   Kaptain_Kludge
SnailMail: ICS Programming Lab, Georgia Tech, Box 36681, Atlanta, Georgia 30332
Internet:  kludge@pyr.gatech.edu
uucp:	...!{decvax,hplabs,ihnp4,linus,rutgers,seismo}!gatech!gitpyr!kludge

------------------------------

Date: 14 Oct 87 13:19:13 PDT (Wednesday)
From: bfisher.ES@Xerox.COM
Subject: Civil Disobedience (Re: RISKS-5.43)
To: RISKS FORUM (Peter G. Neumann -- Coordinator) <RISKS@KL.SRI.Com>

Anent Prentiss Riddle's comments on Civil Disobedience - (CD)-- I
suggest that 'Civil Recalcitrance' (CR) is already here. This is defined
as nonviolent copping out by using the 'computer' as a shield. Two
recent examples --(1). Eight weeks for one of the country's largest
insurance companies to issue a check for a health insurance claim --
("I'm sorry - it's in the computer and there's nothing we can (read
'want') do about it"); (2). Repeated billing for an item no longer in use
and returned to the lessor. (I'm sorry, the rental data base is in a
different computer than the return for credit base and they don't talk
to each other). The only (simple) way to clear this was to pay the
rental data base people for the item, even though the sales data base
people had already been paid by return of the item. 
                                                         Bill Fisher

------------------------------

To: risks@kl.sri.com
Subject: Computer civil disobedience
Date: 14 Oct 87 10:31:20 PDT (Wed)
From: eugene@ames-nas.arpa

Prentiss Riddle brought up the topic of computer civil disobedience.  The
example of Falwell is an excellent one, and I believe that some
organizations have thought about this type of blocking both for offense and
defense.  First, the organizations that are really worth blocking typically
don't have dial-in access.  Second, some "good organizations" might be
`blocked' by those with differing opinions (creationists blocking science
BBSs?).  But the real reason I wanted to send you this is to point out that
some bureaucratic organizations like the FBI and Secret Service take dim
views of civil disobedience, partly this is because of their mission.

Recently, a Vietnam vet lost his legs to a train in an act of civil
disobedience at the Concord Naval Weapons Station.  All parties agree
this is a tragic act.  If anyone is going to embark on computer
civil disobedience, they had better think about all possible consequences
INCLUDING getting shot.  The people who work for the SS and FBI may
not know computers very well, but computers are increasingly used in
criminal capacities.  At the time of suspicion, they (their perspective)
might not have the time to evaluate, but might run into a building with
guns drawn when there are only teenagers there.  The situation for them
is something similar to the issue of Toy Guns; it's that WE see the
situation from a different perspective.  Softwar is a real possibility
for these people (even though they may not be aware of it, now).

One of the risks of computers we have not discussed is the "evil" unintended
(and non-military) uses of computers.  One BBS in the Bay Area (noted as a
headline story) was a neo-Nazi BBS.  Dan Pasquale of the Fremont PD is most
concerned with the BBSs of pedophiles.  More likely than not there are
neo-Nazis and pedophiles reading RISKs, so "evil" is a minority perspective.
The problem becomes discriminating between crime and liberties, disobedience
versus threat [sorry, I lost the "real" word].

I don't wish to defend the actions of what I regard as an increasingly
police-state mentality of the country (it's largely, "WE" the people
who are pushing this BTW), but I do wish to avoid severed legs and
teenagers shot by carrying laser tag pistols.

--eugene miya

------------------------------

Date: Wed, 7 Oct 87 13:34:20 CDT
From: marco@ncsc.ARPA (Barbarisi)
To: risks@csl.sri.com
Subject: Phalanx Revisited (Risks to Carrier Aircraft)

Are US Navy aviators at risk from Phalanx systems on their own ships?  I
mention this because I noticed that aircraft carriers have Phalanx guns
mounted at the stern of the ships - in a perfect position to shoot at
aircraft approaching a carrier for a landing.  I noticed this while
glancing at a Varian advertisement on page 2 of the Oct. 87 issue of
Defense Electronics.
      				          Marco

------------------------------

From: bill@uunet.uu.net (Bill Gunshannon)
Date: 5 Oct 87 13:17:57 GMT
To: comp-risks@uunet.uu.net
Subject: SSNs

From: bill@trotter.usma.edu (Bill Gunshannon)
Organization: US Military Academy, West Point, NY

In response to an article in:
RISKS-LIST: RISKS-FORUM Digest  Wednesday, 30 Sept 1987  Volume 5 : Issue 41
>From: P. T. Withington <PTW@YUKON.SCRC.Symbolics.COM>
>Subject: Re: Risks in the Misuse of Databases? [RISKS-5.40]
>                                                                 All
>this despite existing laws that state SSN's are to be used only for
>social security and not as a identification number.                

I think it is time we put this notion to rest once and for all.
How can you say that is the only legal use for the SSN when I was just
required by law to get my daughter (8 yrs old) a SSN and I will have to
include that number on MY income tax return from now on.  Now, unless
they have revoked the child labor laws, she is unlikely to need that 
number, for Social Security purposes, for at least 9 more years. :-)

bill gunshannon
Martin Marietta Data Systems USMA, Bldg 600, Room 26 West Point, NY  10996
UUCP: {philabs}\		 	WORK    (914)446-7747
      {phri   } >!trotter.usma.edu!bill           
      {sunybcs}/			          

------------------------------

End of RISKS-FORUM Digest
************************