The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 74

Wednesday 29 May 1991

Contents

o Writer steals stories via computer
Rodney Hoffman
o Consumer Reports report on Privacy
Robert Grumbine
o Re: The RISKS of Posting to the Net and the FBI
Andrew R. D'Uva
Ralph Moonen
Arthur Rubin
William Ricker
Randy Saunders
anonymous
o Re: The Death of Privacy?
Michael Rasmussen
o Giving Away Privacy
Sanford Sherizen
o Smart Highways Need Privacy Tutorial
Warner Losh
o Re: Replicated Errors
Neil Rickert
o Info on RISKS (comp.risks)

Writer steals stories via computer

Rodney Hoffman <Hoffman.El_Segundo@Xerox.com>
Wed, 29 May 1991 13:58:18 PDT
In RISKS-09.75, I summarized a March 1990 `Los Angeles Times' story about a
journalist charged with breaking into Fox Television computers.  The 29 May 91
`Los Angeles Times' carries the conclusion, a story by John Kendall headlined
WRITER GETS PROBATION IN STING AT FOX.  Excerpts:

"Free-lance writer Stuart Goldman pleaded no contest Tuesday to three felony
charges of illegally entering Fox Television's computer system and stealing
story ideas planted by Los Angeles police in a sting operation.... [Goldman]
was placed on five years' probation and ordered to pay $90,000 in restitution,
reduced to $12,000 with Fox's approval.  The judge ordered Goldman to serve 120
days in County Jail but stayed the sentence....

"Goldman was arrested ... last year by Secret Service agents and Los Angeles
police who confiscated a personal computer, floppy disks, Rolodexes and a
loaded .38-caliber handgun.

"Prosecutors accused Goldman of using a password apparently gained when the
journalist worked briefly for `A Current Affair' to enter the Fox production's
computer system.  They charged that Goldman stole bogus tips ... and attempted
to sell the items to a national tabloid magazine....

"After Tuesday's court session, Goldman vowed to publish his completed book,
`Snitch' [about being a gossip-media insider], as soon as possible.

"[The judge] ordered authorities to return Goldman's computer.  `I'm sure you
know now that computers will get you in trouble,' the judge said.  `If you
don't, I'll see you back in here again.'"


Consumer Reports report on Privacy

<RMG3@PSUVM.PSU.EDU>
Wed, 29 May 91 16:04 EDT
  I've finally read my May issue of Consumer Reports.  Of interest to
Risks readers is their article `What price privacy?', pp. 356-360.

  They mostly cover ground familiar to Risks readers:
*Databases like the files on people who have ever filed malpractice claims
 or on-the job injury claims.
*The workings of credit bureaus
*The error rate in credit bureau file information

  Of greater news are their suggestions on what should be done.
  "CU thinks the reforms should go even further.  The law should allow
information in credit reports to be disclosed only if the consumer authorizes
the disclosure.  Most people realize that if they apply for a credit card or a
mortgage the prospective lender will examine their credit report.  What they
don't realize is that an application for employment, housing, insurance, even a
dating service, may trigger a check.  Nor do they realize that their files are
routinely prescreened on behalf of direct marketers.
  Any new law should also allow the credit bureaus a maximum of 30 days to
investigate when a consumer asks that something on his or her credit report be
checked for accuracy.  Bureaus should be required to disclose to comsumers
exactly how they go about investigating possible errors reported to them.
  A handful of other laws are supposed to protect consumers against invasions
of privacy, but they're riddled with imprecise language, exceptions, and
loopholes.  For example, a 1978 law supposedly protects against unreasonable
searches of bank accounts by government agencies -- but state and local
agencies are exempt, as are the FBI and U.S. attorneys.
  Ironically, video rental records may enjoy the strongest safeguards against
abuse.  Because of a 1988 lay commonly known as the Bork bill (after the
Supreme Court nominee whose video-rental tastes were made public in newspaper
accounts), a list of the videos you have rented can't be obtained without a
court order.  No such law protects your medical or insurance records (see box
on page 357)."

  They also make some suggestions: [List shortened by RG]
  "Read the disclosure statements before you sign a credit form.  At least
you'll know how much privacy you're about to give up.
   Check your Social Security records periodically to make certain that no one
else is using your number.  (Call 800-234-5772 to request a form.)
   Likewise, write to any one of the major credic bureaus to opt out of
pre-approved credit-card offerings.  [The addresses and phone numbers of the
big three are included in the article, as is the suggestion to check your
record with them periodically. RG]
   If a merchant insists on a phone number or address on a credit slip, you can
refuse.  There is no law that requires this information, and the major
credit-card companies actually discourage or even prohibit merchants from
asking.  In California, Maryland, New York, and Virginia, the practice is
illegal."

  They also recommend "Privacy in America" by David F. Linowes, published by
the University of Illinois Press and available through Consumer Reports Books
as a detailed discussion of privacy issues.

  I recommend the article to Risks readers (and perhaps the more knowledgeable
can make suggestions to CU about policies to pursue).
                                                          Robert Grumbine


Re: the FBI and computer networks (Agre, RISKS-11.72)

Andrew R. D'Uva <ard@ctcg.com>
Tue, 28 May 91 22:50:42 EDT
DO YOU THINK THAT YOU ARE DOING ANYTHING WRONG? IS THERE ANYTHING WRONG WITH
THE NET?!  What the FBI files or does not file is the FBI's business.  Why
should the U.S. Government have less access than a student at an American
university (or a foreign one)?  What the FBI investigator "thinks" about
censorship is really of no concern.  Free speech (well.. free political speech)
is a protected right, and the FBI is not capable of truly infringing on it.
Just think of the outcry on the net if it tried to do so! :) However, the U.S.
Government has a legitimate right to prevent illegal activity from taking
place, especially when it occurs over taxpayer-funded networks like some
portions of the Internet.  In this case, waste is added to the illegal act
itself.  As for the .SU domain, if the boys at the FBI don't know that there
are electronic links to machines in the Soviet Union, you can be certain that
the fellows up at the NSA do.. and might even be doing something about it.
Wouldn't it be pretty foolish of the Government not to.  Would you prefer that
a US--> {any other country here} link be kept unmonitored and clandestine in
the spirit of free speech.  At that point, why not let anyone transmit
sensitive, perhaps classified, data to another nation?  Sounds pretty silly to
me.

The users of the net have nothing to fear
= = = = = = = =  = = = = = = = =  = = = = = = = =  = = = = = = = =  = = = = = =
A momentary pause.  You could object that my argument stinks.. taken to
one conclusion... "Let the police search your home any time.. if you are not
breaking the law, you have nothing to worry about" This sort of argument makes
sense to me, but I want to point out that you referenced newsgroups in your
original message, PUBLIC newsgroups.  You could argue that the status of
private electronic mail is different, and I might agree with you.  As far as
transmitting that mail outside the US...well, we would have to argue about that
some more.  End of pause.
= = = = = = = =  = = = = = = = =  = = = = = = = =  = = = = = = = =  = = = = = =
from FBI scrutiny of the newsgroups.  And taxpayers do have a right to know
that some of their money is being spent relaying alt.sex.pictures to other
sites in the US, and abroad.  Chalk that one up to goodwill :)  The situation
with email is, granted, a different one.  The way I read your response is that
the Internet would be better off without public scrutiny.  Why?


Re: Risks of posting on the NET (jmcleod, RISKS-11.73)

<rmoonen@hvlpa.att.com>
Wed, 29 May 91 09:29 MDT
->..., then did he ever stop to THINK that the time spent
->assessing phony "keywords"can prevent the investigation of an actual
->terrorist plan to commit an atrocity?

Oh, this really makes me laugh. If and when a friend or relative becomes a
victim of a terrorist act, it is solely the terrorists who are responsible.
Furthermore, please explain to me how my actions could "prevent the
investigation of an actual terrorist plan", no, even "help the terrorists" ?
Gee, next time you get a parking ticket, you'd start feeling guilty about the
wasted police time/money that could also have been used to track down real
criminals. You'd even have helped them and might be an accessory :-O

I am talking about machines monitoring phone lines, and certainly it would take
any tape of my conversations 5 minutes to end up in the garbage can.  If this
is what they choose to spend tax-payers money on, then I am free to say
*anything* I want on my phone calls.

Ralph Moonen, Free citizen of The Netherlands


Re: The RISKS of posting to the net (RISKS-11.73)

arthur rubin <a_rubin@dsg4.dse.beckman.com>
Wed, 29 May 91 08:11:42 PDT
Mark Thorson <mmm@cup.portal.com> refers to the FBI making a mistake in the
case of Steve Jackson Games.  I believe it was actually the Secret Service,
although I still don't understand why they thought they would be interested.

   [Also noted by Bill Ricker.]


Re: The RISKS of Posting to the Net

William Ricker <wdr@wang.com>
Wed, 29 May 91 11:58:19 EDT
   It does sounds like the FBI Special Agent that Mark spoke with would have
seen the difference between the SJG Cyberpunk game and a criminal communication
-- if any such exist under our constitution, which I doubt -- which was not
understood by the SS agents hunting for allegedly stolen AT&T documents.
   Ignorance is definitely a contributor to the abuses; evidentiary seizures of
hardware that shut down a legitimate business or FIDO node are not warranted
(pun intended) when what is ordered is seizure of evidence stored on disk -- a
backup taken by the constables is all that is required, which can be analyzed
at their leisure.  But typically they wouldn't know (a) how to do a backup, (b)
how to analyze it, (c) how to configure a system onto which to restore it.
(They also may not have a budget code for renting a PC onto which to restore
it, or be forbidden to do so by work-rules and waste-guidelines!)  And who in
the raiders is going to trust the Obviously Guilty Party to do a backup for
them?  (S)He might try something tricky to destroy evidence, like in those spy
movies...

/s/ Bill Ricker                wdr@wang.wang.com


FBI Inquiries

<RSAUNDERS@hssi.dnet.hac.com>
Tue, 28 May 91 16:55:33 -0700
We had a similar inquiry by the FBI a couple of years ago.  We were demoing
a synthetic TV system using a satellite link between our big computer and
the trade show.  The demo pictures looked like a very low pass over a
nuclear power plant.  We had relocated a nearby plant into distant terrain.
Some guy say it on his home TV and called the FBI.

People should not expect the FBI to be up to speed on everything.  They are
just investigating things, they never accused us of anything.  They asked
where the nuclear plant was (they clearly "saw" one on TV that didn't exist).

We explained everything, and they asked a few questions about synthetic TV.  In
general they were using their position in the Government to get us to teach
them something they didn't know.  I am convinced their only interest was to
determine if this was a problem they needed to investigate in detail.  I
presume their approach with real criminals is different.  In the previously
discussed case, they got a pretty good explanation of Internet mailing lists
without having to do a lot of legwork themselves.  As long as they don't pester
the same people every time, this seems like a pretty cost effective way to get
Government business done.  I would prefer it to using lots of my tax money to
find out something they could have found out just by asking.  I think we need
more Government that takes simple, direct approaches like this.  Give the FBI a
hand for finding an easy solution.
                                                Randy Saunders


Re: Risks of RISKS Networking

<[anonymous]>
Wed, 29 May 91 12:05 xxx
     mmm's story about the risks of Risks postings has prompted me to write
about my experience concerning the risks of Risks postings. I'm staying
anonymous simply because I'd prefer not to have this happen again. Before
I start with the story, may I emphasize that this is not happening in U.S.A.

     About a year ago, I posted a couple of articles to Risks, concerning the
crash of an  aircraft in Eastern France. About a week later, my
apartment was "kindly visited" in my absence.

Note the following facts:
1. nothing was taken from the apartment
2. old issues of RISKS, printed on line paper and stacked in a corner had
   been thoroughly examined. The proof was that my quasi-order had been clearly
   transformed to a full disorder.
3. all my bank papers (account statements, letters from bank manager etc.)
   had also been inspected - again my quasi-order was transformed to disorder.
   I mean that it was in some sort of order, but not mine.
4. my passport was obviously examined, since it was put back in a wrong drawer.

     The job was very well done. I only noticed that my apartment had been
visited because handles on a chest of drawers were sticking up, while I always
made sure that they didn't.

     Since nothing had been stolen, I decided not to inform the police.
However, through some extraordinary coincidence, a man was murdered round the
corner, a block away, and the police paid a visit to everybody in the
neighborhood to investigate. While I had no information about that crime, I
decided to inform them about the break-in in my apartment. Their questions were
as follows:
"- do you keep any confidential information in your apartment, whether defence-
   related or commercial ? "
"- do you work in any governmental institution and have access to classified
   information ?"
"- do you do any scientifical research which could lead to you keeping
   important information in your apartment ? "
"- could any friend, girlfriend, or relative have used a spare set of
   keys to come into your apartment and look through your papers ? "
"- do you deal with drugs ?" (yes, they really asked that !)

Since my answer was NO to all above questions, they decided to send the
forensic unit the next day. Deductions of the forensic unit were as follows:

1. the intruder came in via the kitchen window (which was closed but didn't
   have a lock at the time), stepped into the sink, and left one footmark
   on the kitchen floor, due to the moisture collected by the shoe in the sink.
2. the intruder wore gloves since no fingerprints were found, neither on
  the window nor on anything else (door handles, printouts, drawers, etc.)

     The general feeling was that the job had been done by a professional.  The
forensic unit took a record of the footmark (sneakers) and promised to contact
me a few days later.

     I got a call from the police two days later. All they said was that it was
a professional job but they'd soon identify the intruder(s). Someone was trying
to find-out about my sources of income, and it was probably related to "the
fact that you deal with computers and store this computer information in your
apartment". Well, I had figured that out myself, thanks !  They then told me
they would keep me informed on the developments of the investigation.

     I have not heard from them since.


Re: The Death of Privacy? (Robert Allen, RISKS-11.71)

Michael Rasmussen <mikeraz@techbook.com>
Mon, 27 May 91 16:24:46 GMT
A point that has always bothered me about this type of `privacy' argument is
that `privacy' as we know it is a very recent phenomena.  Before we had a high
density, easily mobile population the conditions you describe were part of
everyday life in the closely knit small communities.  There was not privacy as
we know it today.

The easy collection of data about a person is applying modern technology to
modern population levels to recreate the community knowledge that used to
exist.

The significant difference is that then **everybody** who wanted to know
your business did, now only the authorities collecting the data can know.
The real problem as I see it is to get the information back out of the
collecting agencies and into the public gossip trough.


Giving Away Privacy

Sanford Sherizen <0003965782@mcimail.com>
Wed, 29 May 91 13:43 GMT
Many of the recent postings about privacy suggest that privacy is being taken
by government and businesses in a one-way transaction.  While that certainly
occurs, the nature of collecting information is more complex than that.

Consumers and employees often inform on themselves.  Some are forced to reveal
private information as a "voluntary" tradeoff for obtaining a job or purchasing
insurance.  The employers often treat this information as available for
distribution or whatever use they consider as appropriate.  Many corporations
routinely report sensitive information about their employees to insurance and
credit organizations, often without letting the employees know that this is
their practice.  One major hospital's medical records department receives 1500
requests for this type of information each month, to a large part from
insurance and third party carriers, which distribute this information to other
organizations.

Other people give away their privacy for a variety of inducements.  Valuable
information is given freely by people in exchange for consumer benefits.
Credit card account holders or those tracked through electronic scanning of
their store purchases may be willing to make this trade in order to receive
discounts or notices of advance sales.  One survey company sends a letter to
potential interviewees that offers $10 plus the following comment.
"...(L)egitimate research is an important part of our world and the accuracy of
survey research depends heavily on how many of the people selected into the
sample actually end up participating!  Often survey results are slanted because
too many people are hesitant to cooperate."  Who could resist that appeal?

Privacy invasions in the U.S. have become almost a perfected process.  The poor
were the test population for information scavengers.  The poor were checked for
their eligibility for welfare, immigration, jobs, and law abiding-ness.  They
lived with few privacy rights.

The poor tested well and now the technology is being improved to collect
information on even more people.  Investigating the poor is now the model for
intensively examining the lives of the rich and the middle class.  These
previously protected populations are now checked for their marketability,
payment of college loans, correctness of resumes, professional conduct,
insurability, and driving records.  The list goes on.

Truly, you can run but you can't hide.  One day soon, we may start our work by
electronically connecting ourselves to a computer that has polygraph and urine
analysis options.  Our productivity, workhabits, error rates, and deviations
can be automatically collected.  On a "voluntary" basis, of course.

One recent study found that some companies wre even attempting to restrict
intra-company dating by monitoring employees.  Pinhole videocameras hidden in
smoke alarms, tv sets, and clocks are being sold to companies to monitor
employees and customers.  Even the privacy of our refuse has been trashed.
Some municipalities require that garbage be put in clear bags so that garbage
collectors can inspect residents' trash to ensure that they are recycling
correctly.

In a strange retribution (justice redux?), businesses have themselves begun to
lose some of their own privacy.  Industrial espionage is on the increase.
Major corporations have formed business intelligence units, many run by
ex-intelligence officers.  Competitive business intelligence is considered as a
corporate necessity today, where anything available about competitors is
gathered.  Information can be obtained legally through searching government
records, speeches by corporate spokespersons, and reviews of want ads seeking
specialists (which may indicate new product developments).  Other information
collection may not be legal.

Consumers have also become interested in piercing the often one-way privacy
interests of corporations and government. The Freedom of Information Act and
the various whistleblower laws that provide cash rewards for those who report
illegal activities have begun to make corporate secrets more public.  Even the
electronic tools that businesses use to collect information have become more
readily available to those who wish to gather sensitive corporate information,
such as corporate contributions to PAC's and stock holdings in South Africa, to
cite readily available databases.

Recent information on the East German secret police (Stasi) indicates that they
had an estimated 85,000 full time agents and 500,000 part time informants in a
population of 17 million citizens.  In the U.S., we collect confidential
information differently.  We don't just gather information on dissidents.  In
the American way, we believe in equal opportunity collection of information.
Our diseases, disorders, deviations, and other details are growing into a
national Information Age dossier.

Certainly there are many differences between the East German Communist
government and the U.S. government.  What is important to recognize, however,
is that there are also some startling similarities.  We have become a nation of
informers and informants.  Americans live surrounded by technological vacuum
cleaners that such up information.  Big Brother has turned out to be the Big
Browser.

Sanford Sherizen, Data Security Systems, Inc., 5 Keane Terrace
Natick, MA 01760 USA, MCI MAIL: SSHERIZEN  (396-5782), PHONE: (508) 655-9888


Smart Highways Need Privacy Tutorial

Warner Losh <imp@Solbourne.COM>
Mon, 27 May 91 14:29:39 MDT
cdp!mrotenberg@labrea.Stanford.EDU writes:
: It's worth finding out whether the Senate committee has considered the privacy
: implications of gathering this data on drivers and whether there are any
: proposals to restrict the secondary use of the information.  Likely buyers?
: Marketing firms and insurance companies.

Thieves?  It seems to me if I were able to tap into this system and find out
that Fred Smith's car was in grid lock and so was his wife's, then I'd stand a
better chance of robbing their house than I would if I was just staking it out.
After all, I'd have a nice warning system if I could get periodic updates (or
just program my home computer to "beep" me whenever they got withing 3 miles or
something like that).  Keep in mind that the proposed system doesn't use
encryption at all....  (And even if it did, there would be a back door in it,
right?  After all, isn't that what SB618 (nee SB266) is all about)

Take a look at the book "Mindkiller" by Spider Robinson for an example of a
thief that uses the central monitoring computer to rip off people that aren't
home.

I wonder if such systems would be mandatory or optional.  If they were
mandatory, does that mean that I have to pay for LA's terrible traffic problems
even though I live in Colorado and face little or no traffic on my way to work?
That doesn't sound fair to me.
                                                  Warner


Re: Replicated Errors (McClenon, RISKS-11.73)

Neil Rickert <rickert@cs.niu.edu>
Wed, 29 May 91 11:25:50 -0500
>I respectfully submit that Neil Rickert is completely and very seriously wrong
>as to whether sendmail is primarily responsible for the replicated error
>messages...

On May 24 I observed a period of perhaps 30 minutes in which it was impossible
to make an SMTP connection to THINK.COM.  This is presumably because it was
being besieged with replies to the (apparently forged) sendsys news control
message, which asked all news sites to automatically reply to COMPASS.COM
(which is gatewayed through THINK.COM).

Approx one year ago a message arrived at our site with a `Return-Receipt-To:'
header.  It was part of the distribution of a large mailing list, perhaps
`unix-wizards-digest', although my memory is uncertain on which list.  It took
more that 24 hours before an SMTP connection could be made to deliver the
return receipt, apparently because the receiving host was saturated with
replies.

In neither of these cases was there a "replicated error".  Indeed, there was no
"error" at all.

I repeat my earlier assertion.  The "replicated error" discussion is a bogey
man, which has little to do with the problem.  The problem was caused by
sending into a large mailing list a message which would generate automatic
replies.  The fact that those automatic replies were error messages is largely
incidental.  The behavior of sendmail perhaps multiplied the severity of the
problem by a factor of three, compared with messages generated only at final
destinations.  But just generating messages at final destinations can already
cause a severe problem.

Clearly the responsibility must be on the distribution system (mailing list
software for example) to minimize the likelihood that distributed messages will
generate large numbers of automatic replies.

I should note that the original incident was made particularly obvious by the
fact that the automatic responses happened to go through an address which was
gatewayed by the same host as the mailing list management software.  It is
likely that many such incidents (particularly with Return-Receipt-To:) have
occurred in the past, but since the return address bypassed the list
distributor, the problem was only noticed at the site to which the automatic
responses were addressed, and they probably decided they had no choice but to
live with it.

  Neil W. Rickert, Computer Science               <rickert@cs.niu.edu>
  Northern Illinois Univ.
  DeKalb, IL 60115                                   +1-815-753-6940

Please report problems with the web pages to the maintainer

Top