The RISKS Digest
Volume 11 Issue 54

Thursday, 25th April 1991

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


"Alleged Cable Pirates Caught in Electronic Trap"
Dutch nation portrayed as a bunch of network bashers
Ralph Moonen
Re: "University Exec Backs Hacking"
Piet van Oostrum
Re: response to rude behavior
Mike Nemeth
Trespassing and common law
Phil Agre
Free Speech and Government Control of Information
Larry Hunter
Re: Responsibilities of Internet sites
Mike Godwin
Re: Dutch hackers and KSC
Brinton Cooper
Ron Tencati
Re: Letter to Senators on SB 266
Theodore Ts'o
Re: Trains collide in east London
Ian G Batten
Info on RISKS (comp.risks)

"Alleged Cable Pirates Caught in Electronic Trap"

"Peter G. Neumann" <>
Thu, 25 Apr 91 9:09:06 PDT
An article by George James probably from today's New York Times (I saw it
replayed in today's San Francisco Chronicle, p. A6) describes a successful
effort by American Cablevision of Queens (NY) to trap customers who had
illegally installed chips that let them pick up a variety of premium cable
channels for free.  After analysis of ONE of the bogus chips, American
Cablevision was able to construct a signal (an "electronic bullet") whose
transmission disabled just the bogus chips, leaving the legitimate access
control boxes unaffected.  They then simply waited to catch the 317 customers
who called in to complain that their screens had gone dark — and who were
asked to bring in their boxes, which American Cablevision then kept.  "If
convicted, the subscribers could face fines of up to $100,000."

                      [Able Cable-Caper Sting-Thing Zaps Chips, Nabs Fabs.
                      Potential Variety headline?  PGN]

Dutch nation portrayed as a bunch of network bashers

Ralph 'Hairy' Moonen <>
Thu, 25 Apr 91 09:59 MDT
As a citizen of the Netherlands, I must take offense at the remarks made
by several people that the Netherlands are a law-less and a-social country.

Bill Murray portrayes Holland in this way in RISKS 11.53. While I agree with
him that the behaviour of the Dutch crackers isn't correct, you have to
understand that unlike America has shown in it's operation Sundevil, Holland
has a legislative system wherein someone is innocent untill proven guilty. This
means that not the laws fail in Holland (the crackers could easily be busted
for telephone-wire fraud) but that the burden of proof lies with the Dutch
State. As you can imagine, this is a delicate matter. How does one prove, short
of catching someone in the act, that Mr. A. was behind the keyboard at that
time, doing such-and-such?

Furthermore, I might add, that the media information has been incomplete, in
that the Dutch crackers used Utrecht to crack several universities in the
States, and _proceeded to crack other systems from there_. Following the line
of argument that Bill Murray used, these universities should also be barred
from the net, and yes, perhaps the whole of America should be.

The problem is not that one single country lacks a powerfull law enforcement
and acts as a rogue nation and hacker-haven. The problem is that as long as
people can get onto the net, (students, 'authorised' personnel, outsiders, and
whatever) security will have to be a major issue. Not just the issue of one
single university like Utrecht, but of ALL sites on the internet.  Because you
do realise that a smart cracker could get away with this just as easily in the
States as in Holland? So don't lay any guilt-trip on the Dutch will you?

* Ralph Moonen, (+31) 35-871380

Re: "University Exec Backs Hacking" (Dutch crackers, RISKS-11.50,51)

Piet van Oostrum <>
Thu, 25 Apr 91 17:03:58 met
I don't think Mr. Rook knows much about computer networks. From what I know
about the incident (I haven't seen the TV program) this could have been done
from Every site on the Internet that has a Decnet node. And I agree that it is
the responsability of each site to prevent break-ins into their own computers.

Well, apparently he doesn't know that his own university does not condone any
attempt to break into other systems. Our (computer science) students know this
very well, and risk being excluded from computer access if they try.  Delft
University (not: the prestigious ..) had (or has) a course in computer security
(not in hacking), where one of the assignments of the students was to find
security weaknesses in computer systems.  Yes, we try to encourage exploration
but also responsability and ethical behaviour.

Piet* van Oostrum, Dept of Computer Science, Utrecht University, Padualaan 14,
3508 TB Utrecht, The Netherlands.  +31 30 531806  uunet!mcsun!ruuinf!piet

Re: response to rude behavior

Thu, 25 Apr 91 01:26:27 MDT
I too am part of this community, and I dismiss WHMurray's recent article
(comp.risks 11.53) as a blatantly obvious piece of fear-mongering.

Murray's attempt to isolate an entire nation from the free flow of information
would be scary if it weren't so wretchedly silly and patently self-serving.

>William Hugh Murray, Executive Consultant, Information System Security
And guess who'd love to take on the job of setting himself up as the Leader
of the DataPolice? Kids, be the first one on your block to have an Empire!
Follow in the steps of Hitler, Stalin, and Hoover. You too can have a full
and exciting career as a demogogue.

P.S.  Who said: "Those who give up a little freedom for a little security
           will soon have neither freedom nor security."  ?

Mike Nemeth     VORT Computing     (403) 261-5015     ...calgary!vort!mike

trespassing and common law

Phil Agre <>
Thu, 25 Apr 91 11:56:09 +0100
Steve Bellovin (RISKS-11.52) points out that the US only requires a landowner
to put up a "no trespassing" sign to make trespassing illegal.  A complementary
point to make is that both English and American common law gives me the
permanent right to walk across your property if I have been doing so regularly
with your knowledge for some substantial amount of time.  If the trespassing
analogy is to apply to computer cracking, then this flip-side would seem to
apply as well.
                              Phil Agre, University of Sussex

Free Speech and Government Control of Information

Larry Hunter <>
Tue, 23 Apr 91 14:23:36 EDT
In RISKS 11.51 Jerry Leichter claims that "in an information age we will find
it necessary to control access to and dissemination of certain classes of
information.  In fact, we already do this."  He proceeds to argue that
defending encryption on free speech grounds is misguided.  He is wrong both
about the current state of government control of information and about what is
desirable policy.  The first amendment quite explicitly prohibits government
controls of expression (i.e.  communication of information) with very few
exceptions, and I suggest that the current governmental attacks on this most
basic right are pernicious and must be fought.

Leichter's examples from crime and commerce are deceptive.  One's first
amendment rights of free speech do not exempt all expressive acts from
prosecution.  There is a large body of law that addresses the issue of when
expression becomes action.  Some examples include conspiracies, slander,
copyright violations, and reckless endangerment (e.g. yelling "fire" in a
crowded theater).  What is prohibited is prosecution for _mere_ expression,
even if individuals, organizations or the government would rather keep the
information secret.  As long as I am not conspiring to commit fraud or some
other crime, I can publish your credit card number, or your swiss bank account
number, or your income, etc. in a magazine article without fear of government
prosecution.  And I believe that ability to express things that make some
people uncomfortable is a vital part of basic American liberty.

Leichter's second example involves restrictions on a company selling credit or
other private records.  Commercial speech is regulated very differently than
individual speech.  For example, commercial advertising must not be false or
deceptive (well, at least in law), and there are specific legal limits on the
disclosures that credit bureaus, common carriers, doctors, lawyers, etc. can
make under most circumstances.  Commercial entities do not have the same free
speech rights that individuals do.

Finally, Leichter points out the National Security exception to freedom of
expression, which, as he notes, is both pervasive, and, in the case of "born
classified" information, constitutionally suspect.

Leichter concludes by recommending a couple of science fiction stories about
social control of information.  Interesting as those stories are, let me
suggest that you also read Thomas Emerson's "The System of Freedom of

Any abridgement of a constitutional right must either balance a competing right
or serve some compelling state interest.  What compelling state interest could
be sufficient to infringe on our rights to free expression and privacy by
effectively prohibiting effective encryption?  Surely the routine prosecutorial
needs of the state can be met without recourse to such invasive,
undiscriminating measures.  Terrorism may be a threat, but not such a
compelling one that we as a society ought to sacrifice one of our most basic
constitutional rights in order to _possibly_ reduce the chance of a _potential_

Technology can be used either to enhance or degrade the status of rights such
as freedom of expression and privacy.  Inexpensive, effective encryption is a
basic enabling technology that empowers individuals in an increasingly
technologically invasive society.  I believe it should be defended against
government attack in the strongest possible terms.

Lawrence Hunter, National Library of Medicine

[Please note that I am neither a lawyer nor am I speaking as a representative
of the government.]

Re: Responsibilities of Internet sites (Pereira, RISKS-11.52)

Mike Godwin <>
Wed, 24 Apr 91 10:29:47 EDT
>1) I know of no area of human activity in which wilfull intrusion or condoning
>intrusion are seen as no more condemnable as failure to protect one's domain
>from intrusion to the best of one's ability.

In tort law, the law of trespass is balanced by the law concerning the
negligence of those who maintain attractive nuisances.

The issue is not whether computer trespass is wrong, but whether it is just to
punish the trespassers without imposing any liability upon those who failed to
meet minimum standards of computer security.

It is a fact that every generation faces the challenge of overcoming a wave of
barbarians--its own children. Is it wise social policy to send young men to
prison for doing the kinds of things that not-yet-fully-socialized young men
invariably do while imposing no social responsibility upon those charged with
maintaining system security? That is a question that has not been fully

It will never be fully discussed so long as too many people suppose that the
wrongness of trespass decides all the legal and ethical questions raised by
computer intrusion. It does not.

Mike Godwin, EFF, Cambridge, MA,, (617) 864-0665

[oneel: re: Dutch hackers and KSC [Kennedy Space Center]]

Brinton Cooper <abc@BRL.MIL>
Wed, 24 Apr 91 20:31:24 EDT
Brice O'Neel writes

> I don't believe that KSC is on the internet.

Try (  More are vulnerable than you
dreamed of.  I never dreamed, for example, that OSHA is on the Internet
(not that it matters, mind you).

          [KSC's presence on the Internet was also noted by Ari Ollikainen
          (ari@OldAhwahnee.Stanford.Edu), as reported somewhat red-facedly
          by oneel@heawk1 ( Bruce Oneel ).

Re: Dutch hackers and KSC

301)286-5223 <TENCATI@NSSDCB.GSFC.NASA.GOV (NSI Security Manager>
Tue, 23 Apr 1991 19:32:46 EDT
I have received NO incident reports indicating that any KSC systems were
hacked, or involved in any hacking incidents relating to the Dutch hacker case.

Ron Tencati, Security Manager, NASA Science Internet (NSI)
Coordinator, NSI-CERT, STX/Code 930.4/Goddard Space Flight Center/Greenbelt,MD

Re: Letter to Senators on SB 266 (Engler, RISKS-11.51)

Theodore Ts'o <tytso@ATHENA.MIT.EDU>
Tue, 23 Apr 91 02:09:55 EDT
As previous posters have noted when the Lotus Marketplace controversy was
taking place, sending form letters to your representatives is not terribly
productive; the Senators' or Represatitive's staff are fairly good about
detecting (and disregarding) form letters.  If, however, you write your own
letter and send it off, it will be given much more weight, since presumably it
mattered enough to you to write your own letter.  I do urge everyone to write
his/her own letter and send it off to Biden as well as your own Senators and
Representatives.  If we raise enough fuss, hopefully the bill will be allowed
to die while it's still in committee.
                        - Ted

Re: Trains collide in east London (RISKS-11.52)

Ian G Batten <>
Thu, 25 Apr 91 08:37:36 BST
With respect to the London Docklands Light Railway incident, the report in
RISKS-11.52 ("Computer-controlled commuter trains collide...")  misses one
vital point.  The train that was hit was under manual control, following an
earlier failure.

Please report problems with the web pages to the maintainer