The RISKS Digest
Volume 11 Issue 36

Monday, 1st April 1991

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Another type of password attack
from several different sources [!]
o PBS presents 3 hours of RISKS — Wednesday
R. Kevin Oberman
William Ricker
o NOVA (TV) broadcast: "We know where you live" Tuesday
David A. Honig
o Correction Re: Terminus, Len Rose (Rodney Hoffman,
Mike Godwin
o More "Sun Devil" indictments
Rodney Hoffman
o TRW report shows who else is interested
David A. Honig
o Info on RISKS (comp.risks)

Another type of password attack

Gene Spafford <>
Mon, 01 Apr 91 17:20:00 EST
[Forwarded with permission of, this represents one of the most
amusing attempts at a breakin in recent memory.  This reminds me of the
confidence scam where people call elderly marks and ask them to cooperate in a
bank investigation by withdrawing a large sum of money.  Spaf]

- ------- Forwarded Message

Date:    Mon, 01 Apr 91 17:05:55 -0500
From:    ssw (Samuel S Wagstaff)
To:      spaf
Subject: scam [ssw (Samuel S Wagstaff): scam]

>From Mon Apr  1 15:22:14 1991
Date: Mon, 1 Apr 91 15:20:25 EST
From: "Diane J. Donaldson" <>

There has been a recent attempt to break in to our system.
Sudip Bose received the following letter:

  - ---

>From Mon Mar 25 19:13:34 1991
Date: Mon, 25 Mar 91 19:12:58 EST
From: "Operator" <>

This is the system administration:

     Because of security faults, we request that you change your password
     to "systest001". This change is MANDATORY and should be done IMMEDIATLY.
     You can make this change by typing "passwd" at the shell prompt. Then,
     follow the directions from there on.

     Again, this change should be done IMMEDIATLY. We will inform you when
     to change your password back to normal, which should not be longer than
     ten minutes.

                Thank you for your cooperation,

                 The system administration (root)

 - --

Fortunately, he realized it was a fake and told me about it.  If anyone else
received one of these messages, PLEASE LET ME KNOW IMMEDIATELY!!!!  In case you
don't know already, I NEVER need to have anyone change their password so that I
can fix "security faults".  I can change your password myself if I have to.
Again, if you have ever received or ever do receive a message of this sort, let
me know so I can try to track down the person doing this.  Thanks!

 - — End of Forwarded Message

Re: Another type of password attack

Peter G. Neumann <>
Mon, 01 Apr 91, 15:15:15 PST
I first saw this message on 25 Mar 91, but did not get around to running it in
RISKS.  (I am still backlogged.)  In light of the date today, I include it now.
However, it could have been a real hoax, not a prank, and I imagine there were
people who were taken in.  I heard of several reports of original appearances,
spoofed out of different root addresses.  So, what will the day bring us this

For those of you who have been requesting information on back pranks, see my
Inside Risks column in the April CACM, which should be out forthwith.
(Fourthmonth.)  I honor the best spoofs of the past, particularly Piet
Beertema's 1984 NOT-BY-Chernenko Spoof (ACM SIGSOFT SEN July 1984) and Chuq von
Rospach's 1988 NOT-BY-Spafford Spoof (SEN July 1988 and RISKS-6.52, 1 Apr 88).
Apparently the NOT-BY-Spafford Spoof is making an annual reappearance again
today.  PGN

   [By the way, as of a few hours ago, I am now running on a SPARCstation.
   There are a few differences, so I won't be surprised if this RISKS mailing
   exhibits some of them...]

PBS presents 3 hours of RISKS

31 Mar 91 17:38:45 GMT
This week PBS is running a 3 hour program on the subject of risks. It's title
is: "Living Against the Odds" and is hosted by Richard Lewis. My TV suplement
gives the following blurb:
  "Specialists seek a perspective on life's many risks, from voluntary dangers
  like gambling and rock-scaling to natural disasters, accidents and hazardous

It is on Wednesday, April 3 in San Francisco, but, being PBS, the date may
differ in other areas.

R. Kevin Oberman  Lawrence Livermore National Lab. [or]

           [I hope PBS uses some of the stuff they got from The Risks Forum,
           but I think the slant of the program is rather different.  PGN]

PBS special: Living with Risks

William Ricker <>
Mon, 1 Apr 91 17:39:59 EST
[...] It won't dwell specifically on automated or even technologic risk, but on
risk acceptance and the risks of everyday life.

It *might* increase public understanding of risk assessment and risk

Bill Ricker      

NOVA (TV) broadcast: "We know where you live" Tues @ 8 KCET

"David A. Honig" <honig@ICS.UCI.EDU>
Fri, 29 Mar 91 17:51:07 -0800
on tech & privacy

Correction Re: Terminus

Rodney Hoffman <>
Sun, 31 Mar 1991 14:49:11 PST
In RISKS 11.35, I summarized a short article from the 23 March 'Los Angeles
Times' about Leonard Rose's guilty plea.  Two corrections:

1.  The article said, "The Baltimore indictment asserted that he was associated
with a group of computer hackers known as the 'Legion of Doom.'"  I used that
as part of my "Subject:" line for the RISKS posting.

I've now heard from several people that Leonard Rose was NOT a member of the
Legion of Doom, and never claimed to be.  (It may still be true that the
indictment says he is.)  The 'Washington Post' also ran the story of Rose's
sentencing on 23 March, but published a correction on 26 March saying he was
not a member of the Legion of Doom.  I have not spotted any correction
published in the 'Los Angeles Times.'

2.  The LATimes article said, "Under the plea agreements, ... Rose ... will
serve a year in prison."  My RISKS posting omitted the reference to the plea
agreements.  The one-year sentence (actually, two concurrent one-year terms) is
apparently the prosecutors' recommendation.  Rose's formal sentencing is
scheduled for May.

[Corrections via Craig Neidorf, and, indirectly, Brendan Kehoe and Bob
Izenberg.  Anyone interested in more details may write me.  — RH]

   [See also two other items, noted for completeness to ensure that
   the message gets through...  PGN]

Re: Len Rose (Hoffman, RISKS-11.35)

Mike Godwin <>
Sun, 31 Mar 91 16:03:20 EST
[...] This is actually incorrect. Rose pled guilty to two counts of
unauthorized possession of UNIX source code. Rose did not plead guilty to
"distributing Trojan horse programs designed to gain unauthorized access to
computer systems."

"Rose, known as "Terminus", was alledgedly associated with the Legion of Doom
"hacker group"."

Federal prosecutors are unwilling to abandon the allegation that Rose was a
member of the Legion of Doom. He was not, however, and the counts to which he
pled guilty have nothing to do with any known Legion of Doom activities, real
or alleged.

Mike Godwin, (617) 864-0665  Electronic Frontier Foundation

Re: Len Rose (RISKS-11.35)

<TK0JUT1@MVS.CSO.NIU.EDU [still trying to be anonymous!]>
Fri, 29 Mar 91 23:33 CST
In RISKS DIGEST 11.35, Rodney Hoffman <> writes:

Why, oh why, does this trash persist? Despite media distortion, prosecutorial
hyperbole, and inane headers such as Hoffman's ("LoD's Terminus"??--c'mon!!),
the following are demonstrable facts:

1) Len Rose was never associated with Legion of Doom, period.  The Washington
Post's story of March 23, which was based on an alleged link between Len and
the LoD, contained numerous blatantly false statements, and the Post retracted
the LoD connection. The retraction destroyed the basis of the Post's story,
but the damage was done. Rose became involved in Secret Service investigations
because of the infamous E911 files published in Phrack. Rose was raided, and
although he was not associated with the E911 files, the SS agents found him in
possesion of unlicensed copies of of AT&T's Unix source code and login.c

2) The continued attempt to link Len to LoD, despite overwhelming evidence
that there was no link, frames this case as one of computer security. Face it!
The government (Messrs Cook, Foley, Willcox, et. al.) wanted this case to be
about something it wasn't. This case was about unlicensed software, *not*
about computer security. Possession of AT&T source code, in this context,
simply meant that Len had a copy of Unix that he was not licensed to have and
that he allegedly received it from and shared it with others who allegedly
were not authorized to have it.  Len pleaded guilty to two federal counts (one
from Maryland, one from Illinois) under Title 18 s. 1343:

      Sec. 1343. Fraud by wire, radio, or television

      Whoever, having devised or intending to devise any scheme or
      artifice to defraud, or for obtaining money or property by
      means of false or fraudulent pretenses, representations, or
      promises, transmits or causes to be transmitted by means of
      wire, radio, or television communication in interstate or
      foreign commerce, any writings, signs, signals, pictures,
      or sounds for the purpose of executing such scheme or
      artifice, shall be fined not more than $1000 or imprisoned
      not more than five years, or both.

3) A not-so-trivial point: login.c required root access. If one had root
access, there was no need to hack into a system because one was already there.
Yet, despite the nature of the plea, the allegations of the indictment, and
the facts of the case, some irresponsible prosecutors and media types (not to
mention hysterical headers such as Hoffman's) insist on sending the message
that Len was a "hacker" who posed a potential threat to the nation's computer
security. At least one computer security consultant indicated that he used
login.c to log passwords as a way of protecting security, not subverting it.
I have yet to hear even a marginally literate Unix type claim that, despite
prosecutors' claims in press releases (where they try to create meanings and
images that they couldn't do at court), login.c is a realistic "hacking
device." But, this is moot, because--I'll put it in caps--THE CASE WAS ABOUT

Len Rose accepted a guilty plea in an attempt to make the best of a situation
in which there could be no winners on either side.  He was under pressure to
fight the case from those who had access to all the evidence and felt he could
"win," and to accept a plea from those who felt he had committed a
transgression and should be punished. Len's wife and two small children were
in the middle.  He made the decision that he felt would balance the needs of
justice with those of his family and help him move on to a future in which he
could rebuild his life.  Let's not, despite all evidence to the contrary,
continue this "hacker image" that was not at issue in Len's plea nor in the
spirit or letter of the statutes defining his transgressions.

More "Sun Devil" indictments

Rodney Hoffman <>
Sun, 31 Mar 1991 18:21:00 PST
According to a story by Henry Weinstein in the 30-Mar-91 'Los Angeles Times,'
Arizona authorities have arrested Baron Monroe Majette, 19, also known as "Doc
Savage," and charged him with three counts of fraudulent schemes and three
counts of conspiracy.

The charges outlined in the article are (a) falsely posing as an employee of
Toys R Us to illegally gain access to a telephone conference call line for
calls worth $8,100, and (b) using a computer to illegally gain access to TRW
Credit's database and extracting names, addresses, SSNs, credit histories, and
other data, then using the information to create false billing addresses,
obtain credit cards, and make purchases exceeding $60,000.

This arrest is a result of the federal - state Operation Sun Devil raids in
May, 1990.  From the end of the newspaper article:  "Dale Boll, deputy director
of the Secret Service's fraud division, defended the operation but said the
agency would have done some things differently.  He added that several new
cases will be filed in coming months."

TRW report shows who else is interested

"David A. Honig" <honig@ICS.UCI.EDU>
Fri, 29 Mar 91 17:54:44 -0800
A friend of mine just bought a car.  As he was talking to the person reviewing
his finances, that person mentioned that Arrowhead (the bottled water supplier)
was doing a check on my friend.  (He was starting up bottled water delivery
service (and they ran a credit check!!) )

It surprised both him and I that the names of recently-interested
report-receivers would be printed with your credit report.  This seems
like an invasion of privacy.  Does anyone know more?

Please report problems with the web pages to the maintainer