The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 59

Friday 9 November 1990

Contents

o "Software fault hits payphones"
Martyn Thomas
o Plain paper faxes keep copy of received material
Jan Christiaan van Winkel
o Customers limiting programmer access to their systems
Jim Kimble
o Student hackers arrested
Dave King
o Sprint's new calling card
anonymous
o Employer's use of credit reports
Jerry Leichter
o Computers lead to greater monopolization?
Jim Griffith
o Risks when computers replace humans
Martyn Thomas
o Villanova University Computer Ethics course Group Project
J. Gacad et al.
o "The Devouring Fungus" at a bookstore near you
Gene Spafford
o 4th Annual Computer Virus & Security Conference
Gene Spafford
o Info on RISKS (comp.risks)

"Software fault hits payphones"

Martyn Thomas <mct@praxis.co.uk>
Fri, 9 Nov 90 11:04:27 BST
Electronics Weekly (November 7 1990, front page) reports that there is a
software fault in the payphones manufactured by Paytelco (a GPT subsidiary)
and used in the UK by Mercury. They are "exported to >40 countries".

The software fault allegedly allows a phonecard holder to avoid paying for
calls. No technical knowledge or special equipment is required. EW reports that
the faulty software has been rewritten, and that replacement ROMs are being
installed in all payphones.

In the same issue, EW reports a different fraud involving restoring the
holograms on used British telecom phone cards. EW claims to have seen the
restoration demonstrated. They have not published details of the method, but
hint that it involves "phase changes" in the polymers which store the
holograms, through reducing the temperature of the card.

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel:    +44-225-444700.   Email:   mct@praxis.co.uk


plain paper faxes keep a copy of all received material

Jan Christiaan van Winkel <jc@atcmpe.atcmp.nl>
Fri, 9 Nov 90 12:34:44 MET
I was asked to change the paper on out FAX machine today. I took a 'kit' we
have for this purpose, and saw that I also had to change the 'toner-roll'. This
is a roll of carbon paper (sort of) that actually prints the message on the
(plain) paper.

I saw that all messages printed on the FAX, are also 'burned' in the carbon
paper (well, that's how the thing works). This means that even if I stand next
to the machine to receive a private message, people can later just open the FAX
machine and read the message. Even worse, since people are not aware of this
'copy' on the toner roll, they just dispose of the roll in the garbage can.

I wonder how many people know about this 'feature' of plain paper FAX-es...

Jan Christiaan van Winkel      Tel: +31 80 566880  jc@atcmp.nl
AT Computing   P.O. Box 1428   6501 BK Nijmegen    The Netherlands


Customers limiting programmer access to their systems

The Programmer Guy <jkimble@bally.bally.com>
Mon, 5 Nov 90 11:49:42 PST
Jerry Leichter writes:
> If the courts uphold Logisticon, it's certain that in the future
> companies will not be willing to allow access to their systems by their
> software suppliers.  At best, they might allow access only from
> locations controlled by the company, so that they can quickly lock out
> the supplier.

Given all the press on these types of events, many of my clients have enacted
some new policies to protect themselves.  Here's the most restrictive...
(thanks, Logisticon):

Before I can dial-in to make a change to a casino's on-line computer, I nnhave to
draft a memo outlining my expected changes and file it with the casino's MIS
department 48 hours in advance.  After it's been reviewed and approved, the
modem is turned (using human call-back verification of identity) and I am
permitted to make my changes.  Within 72 hours of logging in, I have to file
another document with the Gaming Control Board outling everything that was
done, files that were changed, why they were changed, dates, times, etc.  On
the east coast, this paperwork is filed with a division of the State Police so
lies can cost you not only a civil suit, but criminal charges (perjury, etc.)
as well.

Other steps my clients have done to protect themselves include requiring me to
put the original source code tapes in a safety depositn box they can immediately
access so that any problems I create -- intentional or accidental -- can be
"fixed" by applying the virgin tapes.

As you can imagine, this extra bit of work greatly lowers programmer
productivity, especially for the simple, one-line changes; instead of working
to isolate and resolve problems, I spend a lot of time drafting memos and
reports.

At least in this part of the gaming industry, basic programming jobs involve
70% code/theories/debugging, and at least 30% communications skills.

--Jim Kimble,                       jkimble@bally.bally.com
Consulting for Bally Gaming               uunet!bally!jkimble

                                        [I doubt if that is a Bally High.  PGN]


Student hackers arrested

Dave King <71270.450@compuserve.com>
06 Nov 90 22:46:48 EST
   NEW YORK (UPI) -- Two Staten Island youths were arrested on charges of
invading and disrupting the computerized voice mailbox system of a
Massachusetts firm, costing the company $2.4 million, officials said Tuesday [6
Nov 90].  State Police Senior Investigator Donald Delaney said [...] as a
result of the hacker operation, the International Data Group of Framingham,
Mass., lost scores of these messages.  Delaney said an intensive two month
investigation led police and U.S. Secret Service agents to Daniel Rosenbaum,
17, of 42 Caswell Ave., and to a 14-year-old associate, whose identity was not
disclosed because of his age.  He said exhaustive experimentation by the two
suspects enabled their home computer to dial into the system and obtain the
password to use it.
   The youths then changed the passwords for various units in the system, which
resulted in the loss of many important messages.  "In addition, the company had
to shut down the system for 18 days to revamp it," Delaney said.  He added that
the teenagers "made bomb threats and other harassing messages to the company,
and when they were in contact with women employees, they made sexually explicit
remarks to them."  Delaney said Rosenbaum stated that he focused on the
Massaachusetts firm "in anger" when it failed to send him a poster which was
supposed to accompany a paid subscription for a computer game magazine
published by the company.
   Both teenagers, students at Wagner High School, were charged with computer
tampering, unauthorized use of a computer and aggravated harassment.  [...]  If
Rosenbaum is convicted of the charges, he could be sentenced to four years in
prison, Delaney stated.


Sprint's new calling card

<[anonymous]>
Wed, 7 Nov 90
Jim Morton raises a couple of serious risks with respect to Sprint's new
calling-card system.  I used to work for the company which builds the hardware
and software Sprint is using.  At a major presentation the manager in charge of
the project presented the voice-recognizing, Social-Security-number system.  He
presented his own card, prominently displaying his SSN, which I copied down.

During the presentation, he explained that Sprint wanted to use voice
technology so that people wouldn't have to write down as many things (card
number, password number).  Their customer surveys also indicated that people
found a 14-digit number "hard to memorize" and that a 9-digit number "which
was one they used all the time" would be "more convenient."

After the presentation, I arranged to speak to the manager.  I raised the same
objections Jim Morton noted in his article.  I also pointed out that he (the
manager) had put his SSN up in front of close to 120 people and if any of them
were of a mind to be nasty he could be in trouble.  He scoffed at my concerns
and assured me that Sprint's customer-survey managers were aware of the
problems.

He also stated that he disbelieved anyone could "do any damage" simply by
possessing another's SSN.  I tried to explain, but he brushed me off and left.
I spent the rest of the afternoon staring at the napkin on which I had written
the manager's SSN.  As I saw it, I had three options:

    1.Do nothing.

    2.Try to find someone else in the company hierarchy to listen to my
      complaints.

    3.Construct an object lesson which would convince the manager of how
      real my objections might become.

I chose option 1.  I had raised the objections as forcefully as I dared (the
manager was several levels higher than I in the hierarchy, and *much* more
senior).  Trying to circumvent channels is discouraged in the extreme in
this company.  I already had a reputation as a serious maverick.  I didn't
have any evidence to support my objection; all I had was a set of vague
assertions which, to me, seemed to be common sense.  Pitted against the
expressed desires of our customers (Sprint), you can guess how much weight
this would have been given.

With respect to option 3, I can think of at least six ways to make someone's
life seriously miserable if I have their SSN.  I thought about using the
manager's SSN for this example, but since most of the ways I know of involve
committing misdemeanors or felonies, I decided it wasn't worth the risk.  It
also might harm his family who I felt did not deserve to suffer.

In hindsight, I could have bucked the chain of command anyway.  But if put
in that position again, I'm still not sure I would.  In a way, I feel that
people have the choice to use Sprint's stupid, vulnerable system.  I know I
won't.  I also don't have a bank-by-phone system, nor do I have an answering
machine that can be manipulated from a remote touchtone phone, nor do I give
out my SSN to anyone who can't prove a need or legal requirement for it.

But then, maybe I'm a fossil in the information age.


Employer's use of credit reports

Jerry Leichter <leichter@lrw.com>
Thu, 8 Nov 90 09:03:00 EDT
        Use of Credit Reports In Hiring Draws a Caution

    Managers who use credit reports to screen job seekers, beware:
    Spurned applicants have a right to know.

    That message is going out from federal officials, who have grown
    concerned over that companies may be sidestepping the law governing
    the review of personal credit information.  The law permits companies
    to consult credit reports when evaluating job seekers, a practice
    that has boomed of late among employers who see the reports as a way
    to judge the character of prospective workers.  But the law also
    demands that applicants know when they've been rejected "wholly or
    partly" because of data in their credit file - a step that, critics
    have charged and officials fear, many employers ignore.

    The [FTC] ... underscores the requirement in articles that two large
    purveyers of credit reports, TRW and Equifax, agreed to circulate ...
    to ... their customers.  If they fail to comply with the disclosure
    requirement, the pieces note, employers may face suits from both the
    job applicant and the FTC.

    The credit data agencies were "very pleased" to disseminate the warn-
    ings [according to the FTC]....  One factor ... may be the prospect of
    new restrictions on their activities, now pending in Congress. ...
    TRW even changed its contracts to clarify the notification rule for
    employers.

There's actually more to this issue than the WSJ mentions.  Business Week had
an article on it a couple of weeks back.  At one time, references were a fun-
damental part of the hiring process.  Changes in the legal climate - particu-
larly many successful lawsuits by former employees who felt they had received
unfair recommendations that cost them jobs, plus increasing restrictions on
what an employer may legally ask of a job-seeker - have caused many of the
traditional sources of information to dry up.  Recommendations these days are
pretty uniformally bland and uninformative, and interviewers have gotten very,
very cautious.  So a recent trend is to use credit and other similar reports.

The problem is that the reports often contain data that is unverified or
inaccurate - especially since there is a growing market for "el cheapo" re-
ports for entry-level employees.  Even when the reports are accurate, they may
contain information that an employer is legally not permitted to have.  Two
specific examples that have cost people jobs (illegally, if they can prove
it):  Reports of arrests that did not lead to convictions, and reports about
workman's compensation claims.  (The view among some employers is that anyone
who filed for workman's compensation is just out to milk the system, and they
don't want the headache - Business Week has a quote from one employer saying
exactly that, even more harshly than I just did.  They also give an example of
someone who was genuinely injured on the job, took his workman's compensation,
recovered - and has been consistently turned down for jobs ever since.)

The reason that the big guys like TRW and Equifax are willing, even eager, to
help out on issues like this is that the last thing they want is a lot of small
low-ball competitors who not only steal market share from them, but also bring
public (particularly, Congressional) attention to the business.  While in this
case their cooperation may be useful, it's well to remember that ALL of the
credit companies have been involved in problems, even scandals, in the past;
and that it's a classic pattern for regulated industries to come to like the
umbrella of regulation they live under: It keeps competitors and critics out.
                            -- Jerry


Computers lead to greater monopolization?

Jim Griffith <griffith@dweeb.fx.com>
Wed, 7 Nov 90 09:40:00 PST
I heard a radio report saying that someone back east has filed a class action
lawsuit against a number of airlines, charging them with violating anti-trust
laws.  The suit claims that the predominance of live-feed computer systems
in the airlines industry lends itself towards a situation where airline
companies can instantly find out what their competitors are charging and change
their prices accordingly.  A number of airlines were named in the suit.

I'd appreciate someone coming up with a newspaper article or something more
definitive than what I'm reporting.
                                               Jim


risks when computers replace humans (was: Expert System ... Loop)

Martyn Thomas <mct@praxis.co.uk>
Mon, 5 Nov 90 16:51:47 BST
I wrote:

 > This report *explicitly* referred to an expert system. The point of my
 > original posting was that an expert system which provides advice, in
 > circumstances where a decision must be made and there is insufficient time
 > for the commander to analyse the situation him/herself, is effectively
 > making the decision. Many who followed up agreed with this viewpoint.

... and davis@ai.mit.edu (Randall Davis) replies:
: Fair enough.
:
: Note also that a small variation on your fundamental claim is equally true:
:
:  ... an EXPERT who provides advice, in
:  circumstances where a decision must be made and there is insufficient time
:  for the commander to analyse the situation him/herself, is effectively
:  making the decision.
:
: That is, as is frequently true in these situations, not only is this not a
: matter of expert systems, the computer itself is almost competely irrelevant.
:
: It's a matter of being in a complex, time-constrained situation and needing to
: make a decision.  If you don't have the time to consider carefully what to do,
: you're just about equally up the creek whether you get the advice from a
: machine or from another human being.

This is true, but there are characteristics of computer systems that make the
risks different (and less acceptable) than the risks from humans in the same
role.

This is the major reason for the RISKS Forum, so I don't need to list the
characteristics here. They include the complexity of the systems, the
difficulty of assuring that the system functions as intended, and the extra
risks if the system is replicated many times, so that the same fault may appear
in many places.

Randall Davis continues:

: The moral of the story: try not to put yourself into those positions in the
: first place.  Neither computers nor humans will get you out of it, and neither
: of them is to blame for your predicament.

I agree. There is a danger that the expert system will be trusted to a greater
extent than a human expert, and that this will lead to commanders being sent to
places where they would not be sent if only human experts were available to
help. It is important to remember that the expert system, like any computer
system, is complex and probably contains errors. Add to this that it is
effectively in the loop (in the circumstances of the original discussion) and
we can have a sensible discussion about whether it is a good idea to deploy the
system.

Finally, but very importantly, there is the question of who is accountable for
the consequences of errors. In the case of the human expert, accountability is
clear and liability may follow. If the accountability (and possible liability)
is not clear for the situation which uses a computer system, then I believe
that the system should not be used in a critical application.

In my view, the organisation which puts the system into use should be liable
for any injuries it causes, (and I would expect a prudent organisation to pass
this liability to the company which developed the system, through the
development contract).

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel:    +44-225-444700.   Email:   mct@praxis.co.uk


Villanova University Computer Ethics course Group Project

<21202764@VUVAXCOM.BITNET>
Wed, 7 Nov 90 20:35 EST
        I represent a group of Computer Science majors at Villanova University,
Villanova, PA who are currently doing a project in a Computer Ethics course. I
am writing in response to a story posted in the RISKS forum on OCT 18 -
`Flawed Computer Chip Sold For Years'(RISKS digest 10.54). Our group project
is to analyze this case in terms of present day ethical theories and give a
class presentation on it. Thus, we have a few questions about it:

1. I need more details/specifics on the chip.(i.e. what was its model number,
   what was its design flaw, etc).

2. Are there any other journals/newspapers where the story appeared?

3. What has National Semiconductor done since the article in the newspaper
   revealed the problem?

If anyone out there could send any other pertinent information about the
case, we'd appreciate it. Replies may be sent to my bitnet address:
21202764@VUVAXCOM. (I do not know if I have a UUCP or CsNet address).

Jonathan Gacad (21202764@VUVAXCOM), Bob Durbin, Lisa Cofey, Al Giordano


"The Devouring Fungus" at a bookstore near you

Gene Spafford <spaf@cs.purdue.edu>
8 Nov 90 00:07:01 GMT
I just recently got a copy of "The Devouring Fungus: Tales of the Computer Age"
by Karla Jennings (W. W. Norton & Co., ISBN 0-393-30732-8, $10.95).

As can be gathered from the unusual title, this is not exactly a computer
textbook.  What it is, is a collection of anecdotes and stories about computer
technology and the people who spend their time working with computers.  The
stories range from historical to modern-day, and most are amusing to read.  Not
all are firmly grounded in documented facts, but that doesn't detract from the
amusement factor; even the apocryphal tales convey a sense of the attitudes and
foibles of the "computer geeks" who have shaped our community.

The tales related in the book read like a cross between items in the Risks
digest and postings to the alt.folklore.computers newsgroup.  Many of the
stories will be familiar, but that is what makes them folklore -- we've all
heard variants of these stories, and probably repeated a few in turn.  This is
the first time I have seen anyone collect so many of them together, and in such
an amusing and readable way.

For $11, this is a must buy if you're into computers.  My copy is going in a
place of honor next to my Hacker's Dictionary, and just down the shelf from my
Sidney Harris cartoon book. Check it out yourself.

Gene Spafford NSF/Purdue/U of Florida SERC Dept. of Computer Sciences, Purdue
University, W. Lafayette IN 47907-2004 ...!{decwrl,gatech,ucbvax}!purdue!spaf


4th Annual Computer Virus & Security Conference

Gene Spafford <spaf@cs.purdue.edu>
6 Nov 90 19:36:34 GMT
               Call for Papers
       4th Annual Computer Virus & Security Conference
         March 14 & 15, 1991 in New York City

      Sponsored by the DPMA Financial Industries Chapter
          In Cooperation with ACM SIGSAC and
           The Computer Society of the IEEE


The 4th Annual Computer Virus and Security Conference will feature more
than thirty speakers on the topics of computer viruses and "vandalware,"
computer law, and computer security.  Approximately twenty are well-known
experts in the field, and fifteen or more will be selected on the basis of
submitted papers.

Held on Thursday and Friday (Ides of March) at the New York World
Trade Center, this major event features:

    * Identification of latest threats to SNA, DEC, PC, MAC, X.25
     and UNIX.

    * Tools and Techniques: What the major corporations are doing.

    * Specific Countermeasures: From labs, other companies, commercial
    vendors.

The Conference traditionally covers recent outbreaks and experiments;
virus/intruder prevention, detection and recovery; product
demonstrations and ratings; and special attention to LAN, PBX, SNA,
OSI, E-Mail, and legal issues.

This year's focus topics are as follows:

    * Prevention, detection and recovery from viruses and other harmful
    computer programs.

    * Original research on these and related topics.

    * Recovery from the Wall Street Blackout and the Novell Virus.

    * Case studies of computer and network security.

    * Surveys of products and techniques available.

    * Computer crime and related actions.

The bound Proceedings will include both the accepted papers and also
discursive articles by the invited speakers. There will be four
concurrent conference tracks each day:

    Thursday will feature the Main Track, Products Track, Research
    Papers, and a special Trap & Prosecute track geared to law
    enforcement and criminal justice personnel.

    Friday will feature Main, Products, and Research tracks, and a How
    to Recover track strongly requested by returning attendees from
    last year.

In the past, this conference has been featured in BYTE, CIO, Communications
(ACM), Computer (IEEE), Computerworld, Data Communications, Data Center
Manager, Datamation, Info World, Macintosh News, MIS Week, Network World,
and Unix Review. It is sponsored by the Data Processing Management
Association Financial Industries Chapter in cooperation with ACM SIGSAC and
the IEEE Computer Society.

Attendees may make use of discount airfares (43% off Continental) from
anywhere to New York, including both adjoining weekends.  The Penta
Hotel (formerly Statler Hilton) has reserved a block of Conference
rooms at $89 per night. Conference itself includes luncheon and
quarter-mile-high hospitality at Windows on the World Restaurant.

Target audience includes MIS Directors, Security Analysts, Software
Engineers, Operations Managers, Academic Researchers, Technical Writers,
Criminal Investigators, Hardware Manufacturers, and Lead Programmers.
Registration (202-371-1013) costs $275 for one day, $375 for both, with a
$25 discount for members of cooperating organizations (DPMA< ACM, IEEE-CS).

Submissions to the conference may be either as an extended abstract or a
draft final paper.  Four copies of each submission should be *received* by
the program chair no later than Tuesday, January 8, 1991.  Each submission
must contain a brief abstract (approx. 200 words), and a header identifying
the names, affiliation, address, and e-mail address (optional) of all
authors.  Successful submitters or co-authors are expected to present in
person.  Decisions will be announceed by Feb. 12, 1991.

Submissions are invited on all aspects of the conference, and particularly
on new research in the area of vandalware and countermeasures.

Program Committee:

    Richard Lefkon      David M. Chess      Stephen R. White
    NYU, DPMA           IBM         IBM

    Thomas Duff         Frederick B. Cohen  Gene Spafford
    AT&T Bell Labs      ASP Research        Purdue University

    Dennis D. Steinauer     Gail M. Thackery    Kenneth R. van Wyk
    NIST            AZ Attorney General's   DARPA/CERT
                   Office
--
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu   uucp:   ...!{decwrl,gatech,ucbvax}!purdue!spaf

Please report problems with the web pages to the maintainer

Top