The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 40

Friday 5 April 1991


o Re: Computers, Freedom, Privacy Trip Report
Lance J. Hoffman
Dorothy Denning
o European Nervous System (ENS)
Pete Jinks
o Draconian Accountability (re: Korean typographers)
Mike Laur
o Small risk with Telephone cards
Hank Cohen
o Re: Tricky application of Caller ID
Randal L. Schwartz
William Clare Stewart
o Re: E-mail role in LA cop probe
Jerry Hollombe
o Re: Len Rose
Mike Godwin
o Info on RISKS (comp.risks)

Re: Computers, Freedom, Privacy Trip Report (RISKS-11.39)

Lance J. Hoffman <>
Fri, 5 Apr 91 2:03:09 EST
     RISKS readers of R. T. Mercuri's long trip report (RISKS, Volume 11, Issue
39, 4 April 1991) on the Computers, Freedom, and Privacy Conference who were
not there now have a pretty good sense of what they missed.  As our moderator
said a few days ago in this forum, and as many have told me, it was one of the
most thought-provoking and enjoyable conferences in a very long time.

     One important point was omitted.  Towards the end of the conference, a
general consensus emerged that there should be a follow-on conference, and the
general feeling was that it should take place on the East Coast.  To make a
long story short, Jim Warren and others twisted my arm with the result that I
have become the general chairman of CFP-2, which will take place in Spring 1992
in Washington.  This was announced during the last session.  Many holdovers
from the Bay Area based program committee and advisors have already agreed to
serve, and we have some important East Coast people already lined up as well.
We are already moving to obtain an appropriate site; the planning process has
begun.  We hope to keep the diversity of attendees (it indeed ranged from the
sandals of Silicon Valley to the dark suits of Washington [Terry Winograd's
phrase]) -- it's pretty rare to see most if not all of the computer crime
prosecutors at the same conference with a large number of the prosecutees.  We
also hope to provide at least the same large amount of information transfer.
Stay tuned!

     And -- for those who were there and those who weren't -- suggestions are
welcome and this is the best time to send them in; just mail them to me
(address below).

     Also, if you for some reason were not on the mailing list for this
conference but wish to be kept informed about the next one, mail me your
snailmail (and, optionally, email) address.

     A few things I saw differently enough from Ms. Mercuri to comment on:

      "Jim Warren ... took a severe loss on the conference."

Final figures are not in yet, but the most recent appear to suggest this is not
the case.  (This is not posturing; I think it is just later information.)

      "What was resolved was to form an organization called the
     US Privacy Council which `will attempt to build a consensus
     on privacy needs, means, and ends, and will push to educate
     the industry, legislatures, and citizens about privacy issues.'"

This was not resolved by the attendees there, but in fact had been done before
the conference; its first public meeting was held during an evening break, and
had no official conference involvement (except that a breakout room was made
available).  It's important to note this because the conference, under Jim
Warren's stellar direction, was hospitable to a number of points of view.  CFP
2 will also serve this brokering function and will not itself take advocacy
positions, but rather provide a platform for the contending ideas.

     "Robert Veeder of the D.C. Office of Information Regulatory
     Affairs discussed the impact of the 30,000+ messages to Lotus
     which effectively stopped the production of their CD-ROM database."

Rob Veeder will be surprised to hear that he works for the D.C.  Government.
In fact, that Office is part of the federal Office of Management and Budget.

      "Lance Hoffman, of the EE & CS department at George
     Washington University ... noted that no one has ever
     received the ACM Turing Award for [constructing a] socially
     responsible system, and encouraged positive recognition of
     achievements along these lines.  He also recommended that a
     "dirty dozen" list of worst systems be compiled and

I said this *could be done*, but (ever cautious!) stopped short
of *recommending* it (see the paper in the Proceedings).

      "Simon Davies, a member of the law faculty at Australia's
     University of New South Wales, provided a sobering criticism
     of this conference and the United States' policy making
     processes, stating that the conference was too `nice' and
     `conciliatory'  ..."

I guess this ended when, on the last day, during the "Prodigy discussion", "a
loud altercation broke out in the front of the room" [from the third paragraph
of Ms. Mercuri's report].  Jim Warren was quoted (I think in the San Jose
Mercury-News) as saying that the conference would be a success if (two speakers
whose identities I forget) could speak without killing each other, or words to
that effect.  (They did.)  Don Delaney from the New York State Police stated
that he had never been to a conference with such a diverse group of attendees.
I have *never* been to a meeting of such a diverse group where so much
information (as opposed to rhetoric) was orally transmitted per unit time.

      "Mark Rasch who defended the internet worm case stated that
     the expectation of privacy is changed because of the
     technology employed --- technology affects behavior."

Mark actually *prosecuted* that case.

     The Conference may indeed have started something.  In addition to the L.
A. Times 3/28/91 report of Laurence Tribe's speech already excerpted in RISKS,
John Markoff wrote "Remember Big Brother?  Now He's a Company Man" in The New
York Times of Sunday, March 31.  I've heard that Time magazine has a whole page
on the conference this week, but I haven't seen it yet.

Professor Lance J. Hoffman, Department of Electrical Engineering and Computer
Science, The George Washington University, Washington, D. C. 20052
(202) 994-4955  fax: (202) 994-0458

Re: Computers, Freedom, Privacy Trip Report

Dorothy Denning <>
Fri, 5 Apr 91 10:46:31 PST
Kudos to Rebecca Mercuri for providing such a thorough and candid
report of the first CFP conference.  I'd like to elaborate on
what she said about my talk in the Ethics and Education session:

  Dorothy Denning spoke briefly regarding the network uses by children
  (Kids Net).  She speculated that we should teach them something about
  hacking in order to take the mystery out of it.  She compared
  telephone fraud by children as a more sophisticated version of the
  "is your refrigerator running" prank.

My comment about Kids Net was made in the context of proposals I've heard to
regulate modems and perhaps require an age limitation on their use (analogous
to getting a drivers license).  I pointed out that many children have or will
have access to networks at school, so I did not think it made a lot of sense to
deny them that access at home.  Regarding teaching "hacking," I was passing
along a suggestion that a student made to me based on a positive report he had
received from someone attending a school where it was practiced.  In this
context, hacking was referring to breaking into systems.  Overall I'm wary of
training young people to hack, but I can see some merit to telling students
about it & why it's a crime.  Regarding telephone fraud, it is not only more
sophisticated, but also more costly, sometimes costing in the tens or hundreds
of thousands of dollars.  The reason I spoke about telephone fraud was to point
out that it was not simply a question of a new technology, namely computers,
that parents had no experience with, or of teaching computer ethics.  The
crimes under investigation by operation Sundevil, for example, are mainly toll
fraud and credit card fraud.

The main point I tried to make in my talk was that we are letting our young
people down by not taking responsibility for bringing them into the computing
and network community as responsible users.  Instead, the young people learn
their ethics on their own or on BBS's run by teenagers.  The consequences are
that some basically good teenagers end up getting into serious trouble, which
is very disruptive to their lives.  One good way to teach responsible computing
is to let students be responsible for computing in their schools.  This
recommendation is from Brian Harvey, who did it in the high school where he
taught.  Above all, we need to practice responsible computing ourselves, for
example, by not using information gathered about individuals for one purpose
for some other purpose.
                                           Dorothy Denning

European Nervous System (ENS)

Pete Jinks <>
5 Apr 91 14:41:19 GMT
The 6th April issue of New Scientist carries a story on p.9:

"The ENS will create links between administrative computer networks [in the
EC] including tax, social security and environmental monitoring. ...  intense
activity on police networks which ...  will be essential when frontier control
are relaxed in 1992". The EC "is seeking powers to make it compulsory for
member states to to link their computer systems"

This is represented as being a vital part of a program to pump money into the
european IT industry. I don't remember reading or hearing about this before.
I hope that this is an April fool, but it has a ghastly ring of plausibility.

Draconian Accountability (re: Korean typographers)

Fri, 5 Apr 91 09:39:05 EST
this reaction forwarded for Prof. Michael Mahoney (,
regarding Martin Minow's article on strict Korean typographic rules:

Check the Code of Hammurabi and, if I remember correctly, you will find
that the builder of a structure that collapsed and killed the head of
the household paid with his own life; if the collapse killed the owner's
son, the builder's son paid the price of his life, etc.  Similar
Draconian rules governed the construction of buildings in other ancient
cultures, leading to overbuilt, rock-steady structures.  Now, suppose the
programmers of, say, Airbus avionics software were subject to the same
penalties.  One adult life per adult life, etc. Suppose the programmer of
an automated incubator had to place her own child's life as warranty.
Would we see better software?

There is middle ground.  We as a society could simply refuse to honor
the disclaimers of liability that accompany software.  We could start
suing for damages, requiring into the bargain that the names of all
participating programmers be attached to the product, if not for the
purposes of suing them, then so that other companies could know who
had contributed to the demise of ruined enterprise.

The trouble is, that despite all the complaints (correct and, if anything,
understated) about defense software, DARPA is now riding high after the
allegedly spectacular performance of weapons systems in Iraq.  SEI at CMU has
more money than it can spend.  The products and the processes used to produce
them are no better than on 16 January.

Small risk with Telephone cards

Fri, 05 Apr 91 01:05:05 EST
I just noticed this yesterday and although it is hardly a life threatening risk
it still seems to be a bug.  In Japan prepaid telephone cards have become very
popular.  Yesterday I made a call with a phone card that had only 1 unit of
credit remaining.  After dialing my call but before the othe party answered the
phone debited my card to zero and returned it to me.  If the other party hadn't
answered I would have lost my dime.  One can imagine: Late night in a storm
only a phone card to make a life and death emergency call and ... :^)

Hank Cohen

Re: Tricky application of Caller ID (Re: Kiddie Call-in, RISKS-11.38)

Randal L. Schwartz <>
Fri, 5 Apr 91 09:00:47 PST
This sounds suspiciously like the 976-SANTA(?) in Seattle two years ago.
Apparently, they ran a 1/2 hour "entertainment" show around christmas time,
urging kiddies to stand by with their phones at the end of the show.  The tones
for the 976 phone number (along with the phone number on screen in case they
didn't have a touch-tone phone) came out over the speaker.

Caused quite a flack, if I recall.

Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095 ...!any-MX-mailer-like-uunet!!merlyn

Re: Tricky application of Caller ID

William Clare Stewart <>
Fri, 5 Apr 91 11:35:44 EST
Aside from the use of caller-id mentioned here, it seems like an obvious
potential rip-off: Touch-Tone 1-900-EXPENSIVE

    "Hey, kiddies - hold your phone up to the TV for a Big Surprise!"

Bill Stewart 908-949-0705!wcs AT&T Bell Labs 4M-312 Holmdel NJ

Re: E-mail role in LA cop probe (Fagan, RISKS-11.37)

The Polymath <>
4 Apr 91 20:57:43 GMT
}... Giving electronic messages the same validity as recorded voice is a bad
     move, it seems to me.

Actually, it's a Good Thing.  Recorded voice has no validity in a court of law
and hasn't for decades.  It can only be used when backed up and confirmed by
eye (ear?) witness testimony.  That's why someone has to actually _listen_ to a
wire tap, rather than automatically record and review at a more convenient

Jerry Hollombe, Citicorp, 3100 Ocean Park Blvd., Santa Monica, CA 90405
{rutgers|pyramid|philabs|psivax}!ttidca!hollombe   (213) 450-9111, x2483

Re: Len Rose (RISKS-11.37)

Mike Godwin <>
Fri, 5 Apr 91 08:19:45 EST
Steve Bellovin writes about the Len Rose case:

"The prosecutor must demonstrate intent to misuse in such cases.  If possesion
of ``hacking tools'' were against the law (as far as I know, it's not, and
given how loosely many such statutes are drawn, that's probably just as well),
there would be a considerable burden of proof.  Maybe such evidence could be
produced in this case, maybe not.  But it's far from unreasonable to claim that
hacking is at issue."

What makes it unreasonable to claim that Rose is a hacker is the fact that
he had authorized access to every system he wanted to use. There was
no question of unauthorized intrusion in Len's case.

It bears a lot of repeating that Len pled guilty to unauthorized possession
of Unix source code, not to computer fraud or unauthorized access.

Len's case identifies a RISK, by the way: if law enforcement is
investigating you for another reason, and they don't find evidence of
that crime, they'll look all over your system in the hope of finding
unauthorized code (or anything else) in order to indict you.

"In that case, the charge should be extreme negligence.  I don't care
what your motives are; no responsible system administrator should ever store
cleartext user passwords online."

Let me gently suggest that the criminal law is not the proper tool for making
sure that system administrators are responsible or nonnegligent.  While
nonlawyers have doubtless heard the term "criminal negligence," the fact is
that negligence is normally dealt with in civil law, where the proper remedy is
money, not jail time.

Mike Godwin, Electronic Frontier Foundation (617) 864-0665

Please report problems with the web pages to the maintainer