The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 9

Friday 15 June 1990

Contents

o Slovenly Russian Air Defense (again)
Robert Nagler
o UK Hacker Goes To Jail
Anthony Appleyard ... via Robert E. Van Cleef
o Programmable parking meters
Kee Hinckley
o Re: New computerized scoring system fails during Indy 500
Dave Horsfall
o Re: Caller ID for dealing with anonymous callers
Marc Shannon
o Re: Liz Taylor and ``secret codes''
Randal Schwartz
o EEC ITSEC adresses
Klaus Brunnstein
o I APOLOGIZE
Danny Cohen
o Info on RISKS (comp.risks)

Slovenly Russian Air Defense (again)

Robert Nagler <nagler@olsen.UUCP>
Fri, 15 Jun 90 10:47:46 +0200
        Rust Imitator Flew Flowers to the Black Sea

By Elfie Siegl, Moscow - Reported in Tages Anzeiger, Zurich - 13Jun90

  For the second time after Mathias Rust's landing on Red Square, a
West German amateur pilot flew illegally into the Soviet Union with
his private plane.  As reported by the union newspaper "Trud", an
unknown FRG citizen landed last Saturday [9Jun90] between 4 and 5pm
at an airport in the Black Sea health resort, Batumi.  He got out
and distributed flowers, business cards, and leaflets which called
for support of Gorbachov and of "perestroika".

  The Air Force Staff merely told Trud that many questions needed
to be clarified.  The press release of the Air Force Staff stated
that such a small airplane "simply couldn't be noticed".

  The pilot flew over Turkey towards the Soviet border south of
Batumi, then under the radar control of the air force, and landed
at the civilian airport in Batumi.

[I have three questions.  Was this reported elsewhere?  The Tages
Anzeiger is not a rag.  Secondly, the author states that this is the
second time since Rust's famous flight.  Who was the first
imitator?  Lastly, why was this not front page news?  Is it to be
assumed that any yokel can fly into Russia?  Forgive my naivete.]


UK Hacker Goes To Jail

Robert E. Van Cleef <vancleef@fs01.nas.nasa.gov>
Wed, 13 Jun 90 07:28:23 -0700
Posted: Sun, Jun 10, 1990   1:52 PM PDT              Msg: SJJA-2888-9119
From:   RDAVIS
To:     MTynan
CC:     CWoodworth, RCarr
Subj:   UK Hacker Goes To Jail

Date:    Fri, 08 Jun 90 09:10:12 +0100
From:    Anthony Appleyard <PUM04@prime-a.central-services.umist.ac.uk>
Subject: First jailed UK computer hacker

>From a UK newspaper called 'The Daily Telegraph', Friday 8 June 1990:-

['Mad Hacker' jailed for computer war]

A computer operator who called himself "The Mad Hacker" became the first in
Britain to be jailed for the offence yesterday. Nicholas Whiteley,  21,  of
Enfield,  north  London,  was sentenced to 4 months with a further 8 months
suspended for criminally damaging computer  disks  and  wreaking  havoc  on
university  systems. Whiteley, who, it was said, was driven by a desire top
become Britain's top hacker, wept in the dock and held  his  hands  to  his
face as he walked to the cells to begin his sentence.

Judge Geoffrey Rivlin, QC, described him as "very malicious and  arrogant",
and  told  him:  "Anyone minded to behave in this way must be deterred from
doing so.".

Whiteley declared war on computer experts, using a computer in his  bedroom
to  swamp  university  computers  with masses of useless material including
threats and boasts about his brilliance. One  said:  "Don't  mess  with  me
because I am extremely nutty.".

He was found guilty last month of 4 charges of causing damage  to  magnetic
disks in mainframe computers at the universities of London, Bath, and Hull.
The judge said some of the computers stored important and confidential data
relating to medical and scientific research.
#......................................................................
{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Fri, 08 Jun 90 08:58:20 BST


Programmable parking meters

Kee Hinckley <nazgul@alphalpha.com>
Fri, 15 Jun 90 01:53:27 EDT
According to the NYT Westwood Village and Reseda, CA are installing
digital parking meters which can be reprogrammed (using an infrared
beam) when the rates go up.  Need I say more?


Re: New computerized scoring system fails during Indy 500

Dave Horsfall <dave@stcns3.stc.oz.au>
Tue, 12 Jun 90 12:29:21 est
This reminds me of the time a couple of weeks ago when I was taking part
in a car rally, providing communications support.  I was amused to hear
some of the traffic being passed just after the race started, to do with
two sets of fancy digital clocks that provided the elapsed times.  It would
appear that one of the clocks advanced itself by three minutes, as a result
of nearby UHF CB activity from the race marshalls.  It did not seem possible
(or perhaps legal) to alter the errant clock, so from there on the time had
to be adjusted manually before being reported.  Since the average lap time
was about one minute such a failure was obvious, but had the course been
much longer then errors could easily have crept in.

Dave Horsfall (VK2KFU)  Alcatel STC Australia  dave@stcns3.stc.oz.AU
dave%stcns3.stc.oz.AU@uunet.UU.NET  ...munnari!stcns3.stc.oz.AU!dave


Re: Caller ID for dealing with anonymous callers (RISKS-10.08)

Marc Shannon <YNFUL@DRYCAS.CLUB.CC.CMU.EDU>
Tue, 12 Jun 90 21:39 EST
From what I understand, Caller ID *cannot* be used to report crank phone calls.
It is simply provided (in some areas - Pennsylvania's legislature has ruled
that Caller ID is an invasion of privacy) as a convenience.

In order to legally report the phone number of a crank call without prior
tracing arrangements with Bell's Nuisance Call Group, one needs to use the Call
Trace function which reports the caller's phone number to Bell while keeping
the number secure from the call's recipient.

The only thing I couldn't understand is that it seems that the ability to "Call
Trace" is an optional service (costing ~$1.50/month).  I would imagine that it
would be in the public's better interest to make it available to anyone since
one usually cannot anticipate when such a call might be made.

(I'd love to report the numbers of these calls that I get telling me that I
need to call 976-xxxx RIGHT NOW.  I definitely consider these to be a
nuisance!)

--Marc


Re: Liz Taylor and ``secret codes'' (RISKS-10.08)

Randal Schwartz <merlyn@iwarp.intel.com>
Tue, 12 Jun 90 12:17:37 PDT
My answering service told its customers in a recent "fact sheet" that the
software they run is used at many (over 200?) locations around the US.

I pick up my messages by calling a "message-number" and dialing a five digit
code.  The first four digits are nothing more than my account number (assigned
sequentially beginning at 0000), and the last digit is whatever it takes to
make the number a multiple of nine (casting out nines)!

How simple.  It'd be trivial for me to read anyone's messages.  In fact, since
the mapping from DID number to the account number is fairly easily determined
from a few tries (293-[78]XYZ maps into "account" [12]XYZ, for example), I
could scan the phone book for rented numbers from this answering service, and
scam on just about anyone I felt like.

Security.  Ha.  If this is the same software that's running on hundreds of
sites around the country, lots of answering services are very vulnerable.

Just another person that doesn't always answer the phone,

Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095


EEC ITSEC adresses

Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.dbp.de>
14 Jun 90 12:44 GMT+0100
As the EEC IT SEcurity Criteria have been constructed from groups in 4 EEC
member countries, the paper can be ordered from any of the following adresses:

for France:  Service Central de la Security des Systemes d'Information
             Division Information et Systemes
             18 Rue du Docteur Zamenhof
             F-92131  Issy les Moulineaux
             (apology for missing accents)

for Germany: Zentralstelle fuer die Sicherheit der Informationstechnik (ZSI)
             Am Nippenkreuz 19
             D 5300  Bonn 2

for The Netherlands:
             Netherlands National Comsec Agency
             Bezuidenhoutseweg 67
             P.O. Box 20061
             NL 2500  EB  The Hague

for United Kingdom:
             Head of UK CLEF Scheme Certification Body
             CESG Room 2/0805
             Fiddlers Green Lane
             Cheltenham
             GLOS GL52 5AJ

For those interested in the Green book: you may receive a copy (English or
German) from ZSI (=German Information Security Agency, GISA), adress above;
essential parts of Green Book (esp. the functional classes F1-F5,F6-F10) are
also in EEC ITSEC' annex A, while the 'quality classes' Q0-Q7 have been adapted
and partly enhanced with ideas from the other countries' criteria catalogs.

Klaus Brunnstein        University of Hamburg


I APOLOGIZE

Danny Cohen <OHEN@venera.isi.edu>
Fri 15 Jun 90 13:32:51-PDT
In RISKS-10.05 I expressed some "minority opinion" about the article on A320 in
Aeronautique, April 1990 (RISKS-10.02).  The article that was written by Mr.
Bertrand Bonneau and translated to English by Pete Mellor.

While taking issue with the original article, I tried to compliment the
translation.  In trying to do that I made a terrible mistake by refering to
Bertrand Bonneau as the "the translator to English".  This mistake offended the
Pete Mellor to no end, as he expressed in RISK-10.06: "If this is a joke about
the translation, it's a bit too subtle for me!"

             I APOLOGIZE FOR THIS MISTAKE !

    [An explanation (not an excuse): After composing my message
    about the article I looked for the translator's name and misread
    the line: "Translation of article by Bertrand Bonneau" as if the
    translation, not article, was by Bertrand Bonneau.

    I read it as: "Translation (of article) by Bertrand Bonneau"
    in stead of : "Translation of (article by Bertrand Bonneau)".

    RISKS readers are kindly asked not to submit contributions
    about "Risks in Using Languages with Ambiguous Syntax" and
    not to recommend using LISP as the ultimate solution.

In later issues of RISKS several contribution expressed strong
disagreements with what I submitted.

One of the key points made by them that in this case (unlike many
others) as expressed in:
<> "The pilot and copilot survived the Mulhouse crash, and immediately
<> made statements implicating delays in engine acceleration (Times 27th
<> June 1988)".

Another point is the rush to judgment motivated by the desire of the
French airlines/Industry/Government/etc., not to ground the aircraft.
This was expressed in:

<> "...the day after the accident, the DGAC announced a preliminary
<> conclusion that the pilots, and not the aircraft, were to blame for
<> the disaster. According to the French press, details of the flight
<> records were given to Aerospatiale, which announced that it had
<> confirmation that the aircraft was not at fault in the crash. Several
<> days later, the DGAC exonerated the mechanical performance of the
<> Airbus. The head of the DGAC, Daniel Tenenbaum, said that if this had
<> not been the case, it would have been necessary to ground the A320
<> for tests."

<> (And we couldn't have that, now, could we? :-)

<> [In fairness, I should add that I have spoken to a number of people
<> in the CAA and elsewhere who know a lot about flight certification
<> and about the Mulhouse accident in particular, who have assured me
<> that it *was* pilot error, but, as always, confidentiality prevented
<> them from saying *how* they knew that.]

Facts (that took very little time to find after the accident) included
that the pilots flew too slow and too low (e.g., as I remember it the
pilots submitted plans for 100' and flew at 35'), that due to the high
pitch angle the pilots didn't see early enough the terrain into which
they flew, and that the pilot disconnected some of the safety systems
(some of RISKS readers complained later that it is not safe for an
aircraft system to allow manual override and disconnection -- [this was
probably submitted by non-pilots]).  All of that was confirmed by the
FDR.  [By the way, it shouldn't take more than just a few hours to read
the FDR.]

The surviving pilots (from the hospital) complained that it took too
long for the engines to regain their power.  Many consider the pilots'
statement to be too self-serving (what a surprise!).  It was the opinion
of many (including not only the FAA/NTSB-like organizations but many
people even in competing aircraft engine companies) that this delay was
well within the normal response of such an engine.

Based on the above the aircraft was cleared ("un-grounded").

History didn't prove this decision to be wrong.
                                Danny

P.S., About the timeliness of Aircraft Accident investigation reports:
      The NTSB report about the UAL DC-10 crash at Des Moines, Iowa,
      on July-19-89, is not out yet (as of June-15-90).

Please report problems with the web pages to the maintainer

Top