The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 03

Sunday 3 June 1990

Contents

o Software development costs delay changes to UK doctors' funding
Ian W Moor
o Hacking, Viruses, and UK Law
Pete Mellor
o Re: ATM range-checking
Jim Horning
o Re: Debate on SJG raid in comp.risks
Chuck Von Rospach
Kee Hinckley
Andy
o Risks of moderated newsgroups and COWABUNGA
Nathan K. Meyers
o Computer to track down drivers without insurance
Alan Wexelblat
o Local solution to caller ID .vs. Privacy problem
Bob Estell
o Re: Denial of service due to switch misconfiguration
John R. Levine
o What the SJG Cyberpunk Manual Tells You to Do
J. Eric Townsend
o Re: Word Perfect Software Upgrade Crashes Utah Phone System
Kyle Jones
o Info on RISKS (comp.risks)

Software development costs delay changes to UK doctors' funding

<iwm@doc.imperial.ac.uk>
Fri, 1 Jun 90 17:55:40 BST
This is a summary of an article in the Guardian for 1st June:
`Computer hitch stalls GP budgets', any inaccuracies are mine.

At the moment UK family doctors are funded according to the size of their
practice and various overheads. As part of changes to the National Health
Service, doctors may be required to maintain their own budgets and buy
treatment from local hospitals. To do this doctors will require specialist
software to interface with hospital databases as well as doing their own
accounting. The first stage of the scheme involving several hundred doctors was
to start next April. The changes are unpopular and doctors are dropping out;
software firms working in the area claim that developing the software is not
worthwhile given the number of sales to those doctors participating. It was
stated that even if the government funded the development there is not enough
time to produce and test the software in time.

Although it is not stated in the article, I believe that one problem may be
that different hospitals run different (and incompatible) accounting software.

Ian W Moor   JANET: iwm@uk.ac.ic.doc
Department of Computing, Imperial College.  180 Queensgate London SW7 UK.


Re: Airline Booking Cancellation (Risks 9.91)

Pete Mellor <pm@cs.city.ac.uk>
Sat, 2 Jun 90 18:53:19 PDT
I have been asked for the full reference to the paper I referred to in the
above article. It is:

Adam R: "A licence to steal? The growth and development of airline information
         systems"
         Journal of Information Science 16 (1990), pp. 77-91,
         0165-5515/90/$3.50, Elsevier Science Publishers B.V.

Apologies to anyone who had difficulty tracking it down. I will snail
photocopies if requested.

Peter Mellor


Hacking, Viruses, and UK Law

Pete Mellor <pm@cs.city.ac.uk>
Sat, 2 Jun 90 21:41:40 PDT
Recent raids on suspected hackers and the likelihood of anti-virus legislation
in the US (RISKS 9.95) should not make us forget what is happening in the UK.

The story so far:

In September 1988, the English Law Commission (ELC) issued a consultative
document, "Computer Misuse".

In April '89, Emma Nicholson, MP, proposed a private member's bill to make
various hacking activities illegal. This was generally thought to be poorly
researched, and too hastily drafted. It was roundly attacked in the Guardian
by, among others, Peter Sommer (aka Hugo Cornwall, author of "The Hacker's
Handbook"). The bill failed for lack of time. (A frequent fate of private
members' bills.) [1]

In October 1989, the ELC published its final report on "Computer Misuse" [2].
This suggested three new offences. I quote from a summary by Peter Casey
of the DTI [3]:

- a basic offence which will apply to anyone who seeks to enter a computer
  system knowing that the entry is unauthorised. This would be punishable by
  up to three months imprisonment.

- a more serious offence of unauthorised entry into a computer system with
  intent to commit or assist the commission of a serious crime. This would
  be punishable by up to five years imprisonment.

- a further offence of intentionally and without authority altering computer
  held data or programs, punishable with up to five years imprisonment.

Because of the international nature of computer misuse the Commission also
proposes reform of the jurisdiction rules to remedy a gap in the current law
whereby an offender initiating or furthering a crime completed abroad may
escape prosecution in any country. [End of quote.]

Another private member's bill implementing these proposals was introduced by
Michael Colvin, MP, and received its 2nd reading in the Commons on May 4th 1990.
Called the "Computer Misuse Bill", it has been amended to allow powers of search
and entry of suspected hackers' premises by police armed with a magistrate's
warrant. It passed its second reading with the amendment, but without stronger
amendments proposed by Emma Nicholson "to give magistrates powers to sign
warrants that extended the police powers of search and seizure,
and for judges to sign warrants that allowed the police to intercept computer
communications....She pressed for an amendment that would oblige British
Telecom and Mercury, on the instructions of a magistrate, to begin surveillance
of designated communications traffic."[4]

The bill was attacked by Harry Cohen, MP. "The first major problem raised by
Cohen was that the bill doesn't define the term 'computer'. He also questioned
how the offence of 'unauthorised access' would be applied in practice. Cohen
pointed out that the lack of a definition raises the spectre of unauthorised
access to the microchip computers found in 'domestic appliances such as a
sewing machine with a programmable pattern, or a washing machine, video
recorder or compact disc player that can be programmed'. Even fax machines or
photocopiers would lead to some 'farcical prosecutions', he asserted.
However, other anomalies would arise if a definition of 'computer' were
included. For example, if a computer were described in precise and exacting
terms, would the next technological development produce a computer that
was not a computer as defined by the Computer Misuse Bill?...In the end, it
was decided not to include a definition of computer in the bill, as this
would let the courts decide in each case." [4]

Cohen's second attack was more interesting. "...Cohen drafted three amendments
to ensure that the security procedures adopted by a computer owner could be
examined by the courts....if computer owners did not have security procedures
that sufficiently protected their computers from unauthorised access, the
hacker could get off. [From the basic charge of unauthorised access.]
Cohen's other two attempts were variants aimed at extending the Data Protection
Act to all computer operations. The MP argued that any individual who suffered
damage because computers, software or data were insecure or unreliable, should
be able to seek compensation from the owner via the courts or the data
protection registrar. The owners would have one main defence: to show that they
'had taken such care in all circumstances as was reasonably required' to
maintain the reliability and security of the computer, data or program in
question."[4]

(His amendments failed.)

The main arguments can be summarised as:

Cohen (quoting Francis Aldhouse, deputy data protection registrar) [4] :
"You've only yourself to blame if your neighbour's cattle get into your
unfenced field.", and:
"Logic dictates that computer owners should be legally responsible for the
security of their computers just as gun owners are responsible for their guns."

Nicholson [4]: "If a madman with a knife attacks another person in the street,
would the victim be responsible for not taking reasonable care to prevent the
attack?"

Sommer (arguing against Nicholson) [1]: "In fact, most of the computer-related
activities most people would think ought to be criminally sanctioned already
are."

It will come as no surprise to UK readers to learn that Colvin and Nicholson
are Conservative, and Cohen is Labour, and that the government are being
supportive in such little matters as parliamentary time.

Interestingly, Colvin seems to favour some of Cohen's arguments. Speaking at
a contingency planning and disaster recovery seminar, he said: "If companies
do not invest in their own computer security strategy, then they cannot expect
the sympathy of the courts when people are charged under the provisions
proposed in my Bill." [5]

Also, Nicholson "plans to introduce a Computer Usage Bill in the autumn, which
will lay down rules for the use of computers covering maintenance, support and
upgrades." [5]

The truth of Sommer's argument is illustrated by the case of one Nicholas
Whiteley, appearing before Southwark Crown Court last week on seven charges
of criminal damage arising from hacks carried out during six months in 1988.
He admits the hacks, but claims he did no damage. (My private information is
that he overwrote files with joke messages, and the amount of damage was
estimated as £25 000. I also believe he was convicted, but haven't seen a
report of his sentence.) He hacked ICL series 39 machines at Queen Mary College,
Hull University, and Glasgow University. He told the court: "My messages weren't
a threat, they were just a wind-up." [6]

The Computer Misuse Bill, in the meantime, goes on to committee and then to the
Lords, then back to the Commons. If it succeeds, we should start worrying
about just how 'authorised' we are around September.

References:

[1] Hugo Cornwall: "Wrong ways on hacking", Guardian, 13th April 1989.

[2] The Law Commission report, Command 819, Criminal Law, Computer Misuse,
    (Law Com. 186), HMSO, £5.60

[3] Peter Casey: "Proposals to curb computer misuse", JFIT News, Issue 8,
                  Nov. 1989, Pub. DTI/SERC

[4] Chris Robbins: "Hacking through both the Houses", Computing, 24th May 1990

[5] Lindsay Nicolle: "No sympathy for security slackers",
                     Computer Weekly, 24th May 1990

[6] Tony Collins: "Hacker exposes security of university systems",
                     Computer Weekly, 24th May 1990

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB          Tel.: +44 (0)71-253-4399 Ext. 4162/3/1


Re: ATM range-checking (RISKS-10.01)

Jim Horning <horning@src.dec.com>
1 Jun 1990 1336-PDT (Friday)
It's pretty clear that different banks have different practices, as well as
diverse equipment.  My bank (Wells Fargo) advertises that they will credit you
with an extra $10 if the ATM makes any mistake on a deposit (and, indeed, I've
never detected one).  They also do some range-checking.  I haven't conducted
extensive experiments, but I recently deposited a check for an order of
magnitude more than my usual deposit, and was asked to confirm an extra time
before the transaction was completed.  I thought that this was a very sensible
precaution.

In a related vein: When I first got my ATM card it was limited to $200/day of
cash withdrawal, which is not unreasonable.  However, after a decade of modest
inflation, there were times (like just before trips) when a larger sum would
have been convenient.  One day it occurred to me to try to withdraw more, and
what do you know?  It disbursed $300 without complaint.  So my trips to the ATM
became less frequent.  Some time later, I noticed that years of carrying the
card in my wallet had cracked it, right across the magnetic stripe.  So I asked
for a new one.  Now I'm limited to $200/day again.  I infer that it was a fault
on the stripe that let me withdraw more.  I would have hoped that the limit was
enforced by something less subject to decay and/or tampering.

Jim H.


Re: Debate on SJG raid in comp.risks

That's MR. Idiot to you <chuq@Apple.COM>
1 Jun 90 18:37:35 GMT
Just to clarify one thing:

<>If you're running a BBS that's supporting a group of system crackers, you are,
<>at least, contributory to felony crimes...

>The problem was that SJG *was* clean, as far as I know -- the Secret
>Service just went overboard in their search for "contamination".  I
>believe guilt-by-association is not a tenable legal theory in the US.

A couple of people have taken my comment above  as implying I think
that SJG was running a cracker board. Not true. From everything I've
heard they are definitely in the "innocent bystander" category. Why
haven't they got their stuff back? Very good question. All I'm hearing
on my side is variations of "it ain't over until it's over" -- which to
me sounds silly based on what I know.

I am definitely NOT trying to justify the impounding of SJG stuff, nor
attempting to imply guilt or anything else at them. I was simply pointing
out that the situation was more complex than some were making it out to be.
The Secret Service seems to have good cause to talk to SJG about this stuff?
Yes? Did they need to go in and grab all the gear? From what I know, no --
but I don't know all the details of the case. The details I do know indicate
they over-reacted, however.

Chuq Von Rospach   <+>   chuq@apple.com   <+>   [This is myself speaking]


Re: 2600 article

Kee Hinckley <nazgul@alphalpha.com>
Fri, 1 Jun 90 10:51:55 EDT
Please someone correct me if I'm wrong, but I think there's a Catch 22 here.

The evidence suggests that I can be arrested based on the contents/usage of my
BBS, even when I'm unaware of that usage.  (It remains to be seen whether I can
be convicted, but frankly, if my equipment gets confiscated for a couple years,
I hardly care.)

However, it seems to me that the Electronic Privacy Act prevents me from taking
any actions which would let me prevent the misuse of my board.  Namely, I can't
read people's mail/files to see if they are doing something illegal.

Is this really the case?
                    -kee

Alphalpha Software, Inc., 148 Scituate St., Arlington, MA 02174



Re: Steve Jackson Games and A.B. 3280 (Von Rospach, 9.97)

ZENITH <ENITH@l66a.ladc.bull.com>
Fri, 01 Jun 90 11:17 PDT
 Chuq Von Rospach (chuq@apples.com) writes:

  If you're running a BBS that's supporting a group of system crackers, you
  are, at least, contributory to felony crimes.

 By law?  Why?  We don't hold a package delivery service like UPS liable
if they happen to deliver burglary tools; why is the owner/operator of a
BBS treated differently for what seems to me an equivalent offense?

 Von Rospach goes on to say:

  A BBS that's on the up-and-up should have no worries, though.

 That seems to be the central issue; it shouldn't be tossed off so casually.
The Bill of Rights is predicated on the assumption that the innocent have a
legitimate reason to worry about the effects of actions taken by their
government; governments to that point (and since) had not been terribly
worried about who got chewed up by the wheels of justice, so long as some
"guilty" party was convicted.  Human nature has not changed much in the
intervening years--there are still those who hold to the creed of "Kill 'em
all; let God sort them out".  We the innocent still need protection from
those who would elevate expedience over justice; if ease of implementation
and administration becomes the primary criterion by which we judge our laws,
we are in deep trouble.
 I have noticed a disturbing trend in society, towards a belief that it is
better that 100 innocents should suffer than one guilty critter should go
free; it is difficult to reconcile this notion with that of "innocent until
proven guilty".

- Andy -


Risks of moderated newsgroups and COWABUNGA

Nathan K. Meyers <nathanm@hpcvxnkm.cv.hp.com>
Fri, 1 Jun 90 12:01:46 pdt
By now, most readers of moderated newsgroups on the internet have had
the pleasure of reading the semi-literate ramblings of "THE BIFFSTER".
As best I can tell, the following has been shown by this exercise:

1) Moderated newsgroups are not particularly secure (did anyone think
   otherwise?).

2) You can make something foolproof, but you can't make it damn
   foolproof.

3) The perpetrator may have reached a new world record in the irr/eff
   ratio (irr = number of people irritated, eff = effort expended).

4) Gone forever are the days when breakins were conducted by individuals
   with above-average intelligence and sense of humor (remember
   moskvax!kremvax!chernenko many Aprils ago?).

Nathan Meyers
                [RISKS has spared you all the gory details of this case, which
                have been so widespread that it did not seem necessary.  PGN]


Computer to track down drivers without insurance

<wex@pws.bull.com>
Fri, 1 Jun 90 16:22:10 edt
The following is excerpted from a UPI newswire story:

       BOSTON (UPI) -- Tens of thousands of illegally uninsured drivers in
   Massachusetts will be tracked down and hunted when the Registry of Motor
   Vehicles implements a new computer-based system beginning Friday [6/1/90].
       The new system, which allows insurance companies to electronically
   send the Registry's computer a list of uninsured motorists whose
   policies have been revoked for nonpayment, aims at cracking down on the
   estimated 300,000 Massachusetts drivers who take to the roads without
   insurance.
       ``Hopefully with automation, deadbeats who don't have the money or
   those who try to beat the system won't be on the road,'' said Robert
   Hutchinson, Massachusetts registrar of motor vehicles.
       Police will pursue those individuals who fail to obtain insurance
   after being discovered.
    [Generic filler about the costs of uninsured motorists - sky-high -
   and the hope that the computer will do what the people are unable to do:
   keep up with the workload.]

The significance of this is that there is a new law in MA: get caught
driving without insurance and the cops can take away your license plates on
the spot.  You then get to call a tow truck, since you can't drive without
plates.  Get caught driving without plates and you get to call a cab, since
the cops can have your car towed on the spot.

The problem is that insurance companies in this state are notoriously slow
in processing paperwork.  That's a major reason why so many uninsured
motorists get away with it; the paperwork just hasn't caught up with them.

The companies take this long with *all* their paperwork.  My company took four
months to send me a reinstatement notice after they (erroneously) suspended my
insurance for not having the car inspected (though they continued to bill me
every month).  I shudder to think what would have happened had I been stopped
during those four months...

--Alan Wexelblat, Bull Worldwide Information Systems
phone: (508) 671-7485           Usenet: spdcc.com!know!wex


Local solution to caller ID .vs. Privacy problem

"FIDLER::ESTELL" <estell%fidler.decnet@scfd.nwc.navy.mil>
1 Jun 90 13:34:00 PDT
The following is by definition going into the Public Domain. (If RISKS
posts it.)  If that costs me any chance to make a fortune from AT&T,
maybe it also raises the possibility that the solution will come sooner.

Problem: Some of us want to know "who is calling."
         BUT some of us don't want others to know when WE call.

Solution: Put the smarts for "who are you?" and "none of your business"
          [or, "I'm 555-1234"] in the handsets, at each end,
          NOT in the switch [or switches, for long distance calls].

Old handsets would automatically neither request caller ID, nor give it.
Folks who want to know would buy new handsets; when they get calls from
old handsets, the reply to the "who are you?" query would be, "service
not available" [as opposed to "none of your business"].  Yes, a smart
switch would have to provide that, probably after a time-out of sorts;
and yes, that could be spoofed.  Nothing is perfect.
(But wait.  Could even an old handset, touchtone or rotary, reply manually
to a ring, while the line was open?  That is, I call you, and you want to
know who I am; your query is forwarded to my old handset as a ring; to send
you my number, I dial it; the intermediate switch aborts the call, with an
appropriate message to you, if it detects my attempt to falsify my ID.)

It is then up to the callee to accept or decline the incoming call; and,
it is up to the caller to risk losing the connection.  That effectively
takes the decisions out of the hands of big brother, and puts them back
with us, where they belong.

Bob


Re: Denial of service due to switch misconfiguration

John R. Levine <johnl@esegue.segue.boston.ma.us>
1 Jun 90 18:33:46 EDT (Fri)
In every PBX I have ever dealt with, there have been foulups of some sort when
dealing with new telephone prefixes and area codes.  In one memorable case, I
was trying to straighten out a problem with my mortgage, and the person at the
bank never, ever, returned my calls.  I was about ready to call in the bank
regulators.  After leaving quite a few tartly worded messages, I finally
managed to get her on the phone, and discovered that every time she called me,
she'd gotten an error recording of some sort and had assumed that the number
she had was wrong or my phone was out of order.  In fact, I had just started
to work at a job with a new PBX with a new set of DID numbers in a new prefix,
and the PBX at the bank hadn't heard about my prefix yet.  I told her to dial
9-0 and ask the telco operator to place the call in the future.

Even PBXes with class of service restrictions frequently get it wrong.  At one
place where I consult they forbid international dialing for most lines except
for some speed dial codes programmed into the PBX.  At least, they think they
do.  If I dial 011-code-number, I get a fast busy from the PBX.  If I dial
01-code-number and make it person to person, it works.  If I dial
10288-011-code-number or 10222-011-code number or 10333-code-number, it works.
(If only I had some friends in foreign countries to call.)

The local telco has a newsletter that they send out to advise PBX customers of
new prefixes, upgrades to CO equipment (which always cause some problems since
if nothing else, call progress sounds and the timing of calls change.)  There
are a lot of changes.  As far as I can tell, every PBX that does least cost
routing needs to know all of the prefixes in its local area code, and in most
cases the updates are typed in by hand using some decidedly user hostile
interfaces.  If anything, I'm surprised that they get them right as often as
they do.  In many cases, I suspect that the PBX manager only updates the
prefix table when somebody complains.

Telephone calls are routed by what is in effect a tremendous distributed data
base that maps numbers to trunks and routes.  At least near the fringes, the
data base is usually updated by methods that to me at least seem laughably
obsolete.

Regards,
John Levine, johnl@esegue.segue.boston.ma.us, {spdcc|ima|lotus}!esegue!johnl
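
The class-of-service gap described in the post above, as an added example that is not part of the original message and not any PBX vendor's code: a restriction that rejects only the literal prefix 011 is compared with one that normalizes the dialed string and denies by default. The function names, the simplified 1990-era North American dial plan, and the sample number 44-715550100 are assumptions constructed for illustration.

```python
import re

# Assumed, simplified dial plan: the trunk-access digit (9) is already removed,
# carrier access codes have the form 10XXX (10288, 10222, 10333 in the post),
# and 01 / 011 introduce operator-assisted / direct-dialed international calls.
CARRIER_ACCESS = re.compile(r"^10\d{3}")


def digits_only(dialed):
    """Drop dashes, spaces and any other non-digit characters."""
    return re.sub(r"\D", "", dialed)


def naive_allows(dialed):
    """Weak rule matching the behaviour in the post: block a leading 011 only."""
    return not digits_only(dialed).startswith("011")


def classify(dialed):
    """Reduce the dialed string to a canonical form, then name its call class."""
    d = digits_only(dialed)
    # A carrier access code selects the long-distance carrier; it must not
    # change which class of call the rest of the digits represent.
    d = CARRIER_ACCESS.sub("", d, count=1)
    if d == "0":
        return "operator"
    if d.startswith("01"):
        # Covers both 011 (direct) and 01 (person-to-person) international.
        return "international"
    if re.fullmatch(r"1?[2-9]\d{9}", d):
        return "long_distance"
    if re.fullmatch(r"[2-9]\d{6}", d):
        return "local"
    return "unknown"


# Classes this (hypothetical) restricted line may place; all else is refused.
ALLOWED_CLASSES = frozenset({"local", "long_distance"})


def hardened_allows(dialed, allowed=ALLOWED_CLASSES):
    """Default-deny: permit a call only if its class is explicitly allowed."""
    return classify(dialed) in allowed


# Constructed dial strings following the patterns listed in the post.
SAMPLES = [
    "011-44-715550100",        # blocked by both rules
    "01-44-715550100",         # passes the naive rule
    "10288-011-44-715550100",  # passes the naive rule
    "10222-011-44-715550100",  # passes the naive rule
    "10333-44-715550100",      # unrecognized after normalization
    "555-0100",                # ordinary local call
    "10288-1-617-555-0100",    # domestic long distance via a chosen carrier
]


def audit(samples=SAMPLES):
    """Return (dialed, class, naive_verdict, hardened_verdict) per sample."""
    return [(s, classify(s), naive_allows(s), hardened_allows(s)) for s in samples]


if __name__ == "__main__":
    for dialed, cls, naive, hardened in audit():
        print(f"{dialed:26} {cls:14} naive={naive!s:5} hardened={hardened}")
```
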


What the SJG Cyberpunk Manual Tells You to Do

J. Eric Townsend <jet@karazm.math.uh.edu>
Sat, 2 Jun 90 1:25:34 CDT
Well, I rushed out and bought GURPS Cyberpunk, in the hopes that my
money will help SJG with legal fees.  (Plus, I collect game stuff.)

On the front cover, in the SJG Illuminatus logo, it says:
"The book that was seized by the U.S. Secret Service! (see p. 4)"

Anyway...
(Assuming I know *nothing* about cracking/phreaking.  I won't comment
on my real knowledge.)  The following is a summary of text from the
GURPS Cyberpunk supplement, with a few direct quotes.

How Much Hacking Can I Do Based on the C-word manual:
(From the section entitled "Netrunning".)

0.  People use handles to hide their real identity (p62).

1.  You can use sensitive devices to listen in on the signals being
sent to a computer monitor, and redisplay the image on your own screen
(p62).

2.  General info on ISDN.  (p64-64)

3.  Computer accounts can come in various levels, from specialty logins
(uucp) to "superuser" who has access to everything.  Some programs can
give you a higher level of access, equivalent to a "better" account (p68).

4.  General info on back doors (p69).

5.  General info on chat systems (p69).

6.  A list of network names from around the world.  No clues as to which
are real.  For the US, the following are listed:
WUT, UDTS 2, Datel I & II, Telenet, Tymnet, ARPAnet, Infomaster, GraphNet,
TRT, FTCC, UniNet, Autonet, CompuServer, GENIE, AlaskaNet, JANET, Internet
(p 71).

7.  Passwords can be really obvious, or hard to remember random text strings
(p 72.)

8.  A program could possibly cause physical damage (p 72.)

9.  General Phreaking Info:
-  Diverters:  go through a bunch of systems so that tracing takes
a long time;
-  Junction Boxing:  Just go down to the local junction box and tie in
(p 76).

10.  Lots of networks use different protocols that are sometimes
incompatible (p 77).

11.  Ma Bell stuff:
-  Existence of CN/A, and that Ma Bell can look you up in any way;
-  Line Routing: "With access to the main phone switch computer,
a hacker can control everything about a specific phone line.";
-  Monitoring: a person could monitor calls with the right access;
-  After Billing:  A person could change bills;
(p 82).

12.  Trashing:  Go through somebody's trash to find out all sorts
of interesting info about their computing equipment (p 86,87).

(13 and 14 are from the section "Attack and Defense Programs".  The
programs are obviously s-f software, but...):

13.  Promote:  "This program is executed from a normal user account on a
system.  If successful, the account is 'upgraded' to a superuser account."

14.  Webster: "This is the standard icebreaker for use against Password
programs (see p 93.).  It acts as an extremely fast 'brute-force' hacker."
(p 92).

15. Credcard Crime:  A false balance could be entered in an account.
A device could be used to access somebody else's card without having
the correct password to get into the credcard (p 105).  [note:  a credcard
is a self-contained debit card that can have anything from a pasword to
retina scan protection.]

And, um, that's about it.  Now that you've read that, you know how to break
into computer systems and do phone phreaking... 1/2 :-)


--
J. Eric Townsend -- University of Houston Dept. of Mathematics (713) 749-2120
Internet: jet@uh.edu
Bitnet: jet@UHOU
Skate UNIX(r)


Re: Word Perfect Software Upgrade Crashes Utah Phone System

Kyle Jones <kjones@talos.pm.com>
Sat, 2 Jun 90 17:59:33 EDT
m1wmk00@fed.UUCP writes:
 > From an Infoworld article on Word Perfect ("Leader of the Pack,"
 > pp. 45-6, May 23, 1990):
 >
 > "When [Word Perfect] 5.0 shipped in May 1988, the company underestimated
 > the demand for telephone support.  Although it bought additional phone
 > lines, traffic was so heavy that calls to the support department brought
 > down the toll-free systems for the state of Utah, including phone systems
 > for American Express, Delta Airlines, and the Latter Day Saints Church."

This reminds me of something that happened in my own neck of the woods.

One night I was watching a program on channel 35 when a message flashed on the
screen.  The message said that the Xth caller would win concert tickets or some
such.  Since the phone was right beside me, I decided what the hey, and picked
up the phone to call.  I didn't get a dial tone for a long time.  Odd.
Finally I heard the tone and dialed the number.  I waited.  And waited.  And
waited.  No connection, no ringing, no click, nothing.

Thinking I'd misdialed somehow, I depressed the switchhook to try again.  I
waited for the dial tone.  And waited.  And waited.  And waited!  Suddenly it
occurred to me, the number began with 358-...  my exchange, augh.  Apparently
the massive influx of calls to the TV station completely hosed whatever gateway
there was for my exchange, so I couldn't get a call in edgewise.  (Does this
sound right to you folks who know something about the phone system?)

Whatever the reason, I'm glad the house wasn't on fire. :-/
