RISKS@CSL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (10/01/87)
RISKS-LIST: RISKS-FORUM Digest Wenesday, 30 Sept 1987 Volume 5 : Issue 41
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
CHANGE IN RISKS SITE Effective Immediately (PGN)
Life-critical use of a spelling corrector (Dave Horsfall)
AT&T Computers Penetrated (Richard S D'Ippolito)
Satellites and Hackers (Paul Garnet)
Re: Risks in the Misuse of Databases?
(P. T. Withington, Scott E. Preece, J M Hicks)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
** NEW 1 Oct ** For back issues Vol i Issue j,
FTP SRI.COM, CD STRIPE:<RISKS>, then GET RISKS-i.j.
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).
----------------------------------------------------------------------
Date: 30 Sep 87 08:00:00
From: Neumann
To: risks
Subject: CHANGE IN RISKS SITE Effective Immediately
=========================================================================
| This is the VERY LAST RISKS FROM F4.CSL.SRI.COM. Our Foonly F4 will |
| no longer be maintained after 1 October 1987. Incoming mail can be |
| addressed as before, or to RISKS@SRI.COM and RISKS-Request@SRI.COM, |
| as appropriate. The FTP site has changed to SRI.COM. For the |
| immediate future RISKS operations will be moved to SRI.COM. Thanks to|
| David Poole for keeping our Foonly in excellent shape all these years.|
=========================================================================
------------------------------
Date: 30 Sep 87 16:52:59 +1000 (Wed)
From: munnari!astra.necisa.oz.au!dave@uunet.UU.NET (Dave Horsfall)
To: risks@uunet.UU.NET
Subject: Life-critical use of a spelling corrector
The following appeared on the back page of one of Australia's more outrageous
computer publications, "Computing Australia", 21st Sept 1987:
... Blame it on the computer.
An unfriendly computer has been held responsible for a "potentially lethal
error" involving a Mafia loan collector.
A New York paper inadvertently put the `heavy' in the running for a pair of
custom-fitted concrete shoes when it identified him as a "ruthless informer".
According to a published retraction (and apology!), a writer on the paper had
actually typed "ruthless enforcer" - but the computer system's spelling
checker liked it the other way.
And I thought the worst you could expect from a "computer error" was a bill
for a million dollars!
Now, this particular publication (Computing Australia) is not known as the
"computer gutter press" for nothing, so I would appreciate any comments from
indigenous Americans...
Dave Horsfall (VK2KFU) ACS: dave@astra.necisa.OZ
NEC Information Systems Aust. ARPA: dave%astra.necisa.OZ@uunet.UU.NET
3rd Floor, 99 Nicholson St UUCP: {enea,hplabs,mcvax,uunet,ukc}!\
St. Leonards NSW 2064 AUSTRALIA munnari!astra.necisa.OZ!dave
------------------------------
Date: Monday, 28 September 1987 15:21:02 EDT
From: Richard.S.D'Ippolito@sei.cmu.edu
To: risks@csl.sri.com
Subject: AT&T Computers Penetrated
AT&T's attitude that the break in was just 'Yuppie vandalism' and the
defense attorney's comments on motives make me wonder when, if ever, the
view of computer crimes will merge with society's view of other property
crimes: we have laws against breaking and entering. You, as property owner,
don't have to provide 'perfect' security, nor does anything have to be taken
to secure a conviction of unauthorized entry. That conviction should be
easy. Also, using CPU resources (a demonstrably saleable product) amounts to
theft. There still seems to be the presumption that computer property,
unlike other property, is fair game.
I do not imply that we should relax our security efforts -- merely that we
deserve the same legal presumption that our imperfectly protected systems
and work are private property subject to trespass and conversion protection.
------------------------------
Date: Tue, 29 Sep 87 13:54:36 edt
From: pgarnet@nswc-wo.ARPA
To: risks@csl.sri.com
Subject: Satellites and Hackers
>The article also claims "American teenagers using home computers
>have developed the capability to alter orbits of commercial
>satellites, as demonstrated by a recent incident in New Jersey."
>Surely this must be an exaggeration?
Yes, it is a case of misinformation. The 17 July 1985 issue of the
New Jersey newspaper "The Star-Ledger" reported
>The unidentified juveniles, arrested following an intensive
>computer theft probe by South Plainfield, county and federal
>authorities, also participated in elaborate schemes to steal
>merchandise using stolen credit card numbers and reprogrammed
>an American Telephone and Telegraph (AT&T) communications
>satellite to disrupt phone conversations on two continents,
>according to Prosecutor Alan A. Rockoff.
An article in the same paper two days later, on 19 July 1985 reported
>The seven, who are strangers to each other but communicated
>regularly on part of a nationwide computer "billboard" network
>for hobbyists, are accused of stealing computer informational
>services, stealing telephone services, disrupting satellite
>communications and exchanging information on how to make
>explosives and tap into Pentagon and defense contractors over
>coded phone lines.
Time magazine reported on July 29, 1985 (p 65)
>The New Jersey episode assumed heroic proportions when
>Middlesex County Prosecutor Alan Rockoff reported that the
>youths, in addition to carrying on other mischief, had been
>"changing the positions of satellites up in the blue heavens."
>That achievement, if true, could have disrupted telephone and
>telex communications on two continents. Officials from AT&T
>and Comsat hastily denied that anything of the sort had taken
>place. In fact, the computers that control the movement of
>their satellites cannot be reached by public phone lines. By
>week's end the prosecutor's office was quietly backing away
>from its most startling assertion, but to most Americans, the
>satellite caper remained real . . .
This New Jersey case is not very "recent", but seems to be the one
being referred to. If anyone knows of another more recent New Jersey
"satellite caper", please fill me in.
Paul Garnett
------------------------------
Date: Tue, 29 Sep 87 10:48 EDT
From: P. T. Withington <PTW@YUKON.SCRC.Symbolics.COM>
Subject: Re: Risks in the Misuse of Databases? [RISKS-5.40]
To: RISKS FORUM <RISKS@csl.sri.com>
From: Ross Patterson <A024012%RUTVM1.BITNET@wiscvm.wisc.edu>
>From: Brint Cooper <abc@BRL.ARPA>
>Correct me if I'm wrong but isn't this info used merely for the
>enforcement authorities to decide where to search for unlicensed TV
>receivers? They won't arrest you solely because you're not in the
>database, will they?
I can't speak about the UK, but here in New Jersey, any evidence
obtained through such a database cross-match would probably be ruled
inadmissable in court.
How does this jive with a vaguely remembered NPR article of last week
that described how people who had failed to register for the draft
were found by matching social security numbers? The gist of the
article was similar in spirit to the UK television article: the
social security database is searched for draft-age candidates and
those registered with the selective service are subtracted out. All
this despite existing laws that state SSN's are to be used only for
social security and not as a identification number. Unfortunately,
few people know the law only states you have the right to refuse to
give your SSN and must instead be assigned some other ID number (which
presumably would be different for each service and prevent this type
of abuse). If you "voluntarily" give your SSN, you essentially waive
your privacy rights. The only service I have dealt with that treated
my refusal to give my SSN as a normal operation was the Massachusetts
Registry (I won't bore the list with a diatribe on its faults which
far outweigh this one feature). Most services simply will refuse to
deal with you when you decline to give your SSN, whether they
understand the law or not.
------------------------------
Date: Tue, 29 Sep 87 09:40:28 CDT
From: preece@mycroft (Scott E. Preece)
To: RISKS@csl.sri.com
Subject: Re: Risks in the Misuse of Databases
Ross Patterson:
> The preferred form is to limit the request to those suspected of
> committing a crime, as in "No persons without a TV License may own a TV
> set, therefore all persons whose homes openly sport a TV antenna and who
> do not own a TV License should be searched." This, of course, means
> that the database cross-match provides the police with no additional
> homes to be searched, since they still must identify the homes in
> question by some criminal criteria.
It's a little more complicated than that, though: My understanding is
that it is possible to detect the use of a TV set from outside the
house. Is it then permissible for the authorities to use the database
cross-match to identify houses to check (since the check does not
involve a search)? Or is that the fruit of the poisoned tree?
scott preece, gould/csd - urbana
uucp: ihnp4!uiucdcs!ccvaxa!preece
------------------------------
Return-Path: <@WISCVM.WISC.EDU:cudat@DAISY.WARWICK.AC.UK>
From: J M Hicks <cudat@DAISY.WARWICK.AC.UK>
Date: Wed, 30 Sep 87 15:35:00 bst
To: risks@csl.sri.com
Subject: Re: Risks in the Misuse of Databases? [RISKS-5.38]
Disclaimer: this information came to me third-hand. Bear this in mind.
This happened several years ago.
A friend once told me that his parents had been threatened with court action
for not having a television licence, when they did not have a television.
They protested to the licensing authorities, which backed down
apologetically. It looked as though everyone in town who didn't have a
licence was being threatened.
This could have been a mere clerical mistake, of course.
J. M. Hicks, Warwick University. (a.k.a. Hilary)
------------------------------
End of RISKS-FORUM Digest
************************
-------