The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 87

Tuesday 11 June 1991

Contents

o Re: The impact of formalism on Computer Science education
Hal Pomeranz
o Fighting phone hackers in SoCal
Mark Seecof
o Re: There is a Ford in your future (and in your past)
Ed Wright
Michael J Zehr
Bruce Oneel
Brinton Cooper
o Active Badges: Article in 16 May "Economist"
Bob Ayers
o Re: The Activated Active Badge Project
Peter Robinson
o Re: Caller-ID
Arthur Rubin
Andrew Tannenbaum
o Knock, Knock! (Heritage Cable)
Ed Greenberg
o Info on RISKS (comp.risks)

Re: The impact of formalism on Computer Science education

Hal Pomeranz <pomeranz@isis.dccs.upenn.edu>
Tue, 11 Jun 91 13:17:21 EDT
I was dismayed by Ed Nilges' (egnilges@pucc.princeton.edu) article in
RISKS-11.86.  Ed discussed a recent CACM article by Karen Frankel, citing
Daniele Bernstein's criticisms of Edsger Dijkstra's proposed reforms for
Computer Science education.  Ed's analysis of the situation appears to have
some huge holes in its logic.

Essentially Dijkstra recommends that Computer Science education be based on
formal mathematics and logic rather than early exposure to and experimentation
with computers.  Bernstein notes that women tend to prefer experimentation and
teamwork to solitary abstract thought, and accuses Dijkstra of sexism on the
basis that the proposed educational reforms would present a barrier to women in
Computer Science.

Ed concludes "Dijkstra is right and Nye and Bernstein are wrong" because he
believes that the sort of solitary thinking about formal mathematics and logic
encouraged by Dijkstra's reforms will lead to better (less error prone)
software.  It has not been sufficiently demonstrated to me that this sort of
thinking leads to better software, but that is not the basis on which I would
like to argue with Ed.

Bernstein's criticism of Dijkstra relates not so much to the practice of
programming and other areas of Computer Science, but rather to the education of
future programmers.  Several studies have noted that, from an early age, girls
in Western societies are not encouraged to take up activities which lead to
careers in scientific fields, particularly Mathematics, Computer Science, and
Engineering.  Bertstein's criticisms are, I believe, pointing out that the
changes proposed by Dijkstra would be yet another barrier to women wishing to
enter the field of Computer Science.  It would be akin to requiring a student
who only knows conversational German to learn something from a German technical
article-- there is a "language" barrier which is very difficult but not
impossible to overcome.  However, if I were that student I wouldn't even
bother.

Ed goes on to support his argument with a description of his own experience
teaching C programming to American and Russian emigre students.  He notes that,
due to scarce resources, the Russian students are learning in an environment
that is similar to the one that Dijkstra proposes.  He states that he finds "NO
sex differences".  This may be true, but is the ratio of women to men in his
courses the same as the ratio of women to men in the population (choose your
own demographics) as a whole? If, as I expect, this ratio is much lower than
the ratio for the general population, then it would suggest that the Russian
curriculum is discouraging to women.  The Russian women in Ed's classes are
those few women who are able to "hack it" in the rigorously mathematical and
abstract Russian system.

It may well be that more formal training turns some people into better
programmers.  It is certainly the case that formal training turns a lot of
people off or presents an impossible obstacle to many groups (not only women).
I believe that many of these people could become excellent programmers, or
professors of Computer Science, or researchers, etc.  However, if Dijkstra's
proposals are widely implemented, chances are that none of this latter group
will get the opportunity.  This, then, is Bernstein's criticism of Dijkstra's
proposal.

It is unfortunate that Bernstein slings the word "sexist", and that Ed feels
threatened enough to counter with the (now) negatively connotated term
"politically correct" which raises all sorts of spectres of thought police.
All education would benefit from massive dose of new and different thinking, so
as to encourage marginalized groups to participate more fully, rather than a
retreat to older, more formal approaches which would only push groups on the
outside farther out.
                                Hal Pomeranz        pomeranz@dccs.upenn.edu


Fighting phone hackers in SoCal

Mark Seecof <marks@capnet.latimes.com>
Tue, 11 Jun 91 10:29:55 -0700
Excerpts from an article published in the
Los Angeles Times May 17, 1991; page E1.

Edited and submitted to RISKS Digest by
Mark Seecof <marks@latimes.com> of the
L.A. Times Publishing Systems Department.

[elisions and bracketed comments mine --Mark S.]

``Little Phone Company on a Hacker Attack''
By Susan Christian, Times Staff Writer.

[Introductory blather...]

[...] in the last seven months [small long-distance company] Thrifty Tel's
[security chief] has put seven hackers in jail.  And she has made 48 others
atone for their sins with hard cash and hardware.  The case that [security
chief] Bigley calls her biggest coup--involving a 16-year-old Buena Park boy
whose alleged theft of computer data cost Thrifty Tel millions of dollars--is
pending in Orange County Superior Court.

Thrifty Tel has become one of the most agressive hacker fighters in California,
according to Jim Smith, president of the California Assn. of Long Distance
Telephone Cos. (Caltel).  ``[Bigley] is tough,'' he says.  ``I would not want
to be a hacker on her network.''  So far, the company has collected more than
$200,000 in penalties and reimbursements from hackers.

``We do not have a hacking problem any more because we stood up and punched
them in the face,'' Bigley proclaims.  ``These kids think that what they're
doing is no big deal--they're not murdering anyone,'' Bigley says.  ``They
think we're terrible for calling them on it.  Their attitude is extremely
arrogant.  But these are not just kids having some fun.  They are using their
intellect to devise ways to steal.  And these are not kids who need to steal.
They come from white-collar families.''

For Thrifty Tel Inc., the battle of wits started a year ago.  [...Thrifty Tel
is ten years old, went public in '86, and serves 7,000 customers in SoCal.]
[...Last year the hackers discovered them.  Hackers use computer programs to
try many possible code numbers until they find the ones which unlock the
system.]

``The first quarter of 1990 we came in with a half-million-dollar net profit,
and everything was going great,'' Bigley says.  ``Then the next quarter, all of
a sudden we were lopsided.  We were getting bigger bills from our carriers than
we were billing out to our customers.''  With a little investigation, the
company pinpointed the culprits: hackers who were eating up telephone time at
as much as ten hours a ``conversation.''  Because hackers exchange information
and solve secret codes via long-distance modem connections, circumventing
expensive telephone charges has become their mainstay.  ``It was so frustrating
to sit here and watch these hackers burn through our lines,'' says Bigley, a
33-year-old San Fernando Valley resident.  She has been vice-president of
operations at Thrifty Tel for four years.  ``I had technicians out changing
customers' codes that they'd just changed a few weeks before.''

But Bigley is not the sort to throw in the towel.  [...She is hard-working and
persistent.]  First, she devoted a couple of months to educating herself about
hacking.  She monitored Thrifty Tel's computers for unusual activity--telephone
calls coming into the switching facility from non-customers.  ``They believe
that because they're sitting in a room with a computer they're safe,'' Bigley
says.  ``The problem is, they're using their telephone; we can watch them in
the act.  It's a lot easier to catch a hacker than a bank robber.''  Bigley
started making a few calls of her own.  If the infiltrator seemed major league,
like the Buena Park boy, she contacted the Garden Grove Police Department,
whose fraud investigators went into homes with search warrants.  If the hacker
seemed relatively small, however, Bigley took matters into her own hands,
telephoned the suspect and presented an ultimatum: Either pay up or face
criminal charges.

A non-negotiable condition of Bigley's out-of-court settlement provided that
the guilty party relinquish his (or, infrequently, her) computer and modem.
Thrifty Tel donates the confiscated weapons [computers] to law enforcement
agencies.

Teen-age hackers tend to be ``very intelligent and somewhat introverted,'' says
Garden Grove Police Detective Richard Harrison, a fraud investigator who has
arrested many of Thrifty Tel's suspects.  Most of the parents he has dealt with
were oblivious to their children's secret lives, Harrison says.  He suggests
that parents educate themselves about their children's computers.  ``If a kid
is spending a whole bunch of time on his computer and it's hooked up to a
modem, he's not just running his software.  What is he doing on that computer?
Does he really need a modem?''

[ed. note-- this officer may be an expert on fraud but is clearly unqualified
to make such sweeping assertions about what (young) people do with computers.
Playing rogue can eat up as much time as hacking while the modem remains idle.]

Not all hackers are young computer fanatics testing their limits.  ``The
hacking problem is two-fold,'' says Caltel president Smith, also president of
the Sacramento-based long-distance telephone company Execuline.  ``First, we
have Information Age fraud, which is an outgrowth of the proliferation of
computers in households.  We have all these kids who want to talk to each other
on bulletin boards, and if mom and dad had to pay for all those phone calls,
the cost would be prohibitive.  Then we have professional fraud--adults as well
as kids who attempt to gain access to our codes for the purpose of selling the
codes.  They have made a big business out of hacking.''  Smith's company has
waged a more low-key defens[e] against hackers than Thrifty Tel.  ``I wish I
had the time to devote to hacker fraud that she [Bigley] has been able to
devote,'' he says.

Therein lies the reason that many telephone companies decline to file charges
against hackers, says Roy Costello, a fraud investigator for GTE.  ``Smaller
carriers don't have the time to allow their people to do the investigation and
then carry it through the court system,'' he says.

[... Stuff about the sticktoitiveness of Thrifty Tel's Bigley and how she
thinks that hackers are immoral and wants to defeat them.]


Re: There is a Ford in your future (and in your past) (RISKS-11.86)

Ed Wright <edw@sequent.com>
Tue, 11 Jun 91 9:42:16 PDT
I would suggest that equipment of this type would negate some risks, rather
than create new ones.  Currently if there is an accident sorting out who was at
fault (in non no-fault states) winds up being a long involved process which
primarily benefits members of the legal community, and costs the taxpayer lots
of money in the form increased insurance premiums down the line, and increased
taxes to cover court expenses.  With a recorder on board that showed one party
was clearly speeding, or failed to apply brakes, resolution could be more
straight forward.  At worst resolution would be no more involved than it is
now.

I am often intrigued by people apparently worrying about the risk of "getting
caught". I would presume that if a driver is not speeding or otherwise
inappropriately operating the vehicle, then a recorder could be a benefit in
resolving a suit, or more mundanely detecting malfunction before it becomes
expensive, or in detecting driving habits that are expensive. At worst it would
be a nonentity like the controller that runs the cruise control.


Re: There's a Ford in your future (and your past!) (RISKS-11.86)

<tada@ATHENA.MIT.EDU>
Tue, 11 Jun 91 14:39:48 -0400
In other words the risk is that the police might be able to actually determine
the cause of an accident based on evidence, rather than on the possibly true
account of the participants based on their possibly correct memory?!?

Perhaps the real risk is that the device might be used to determine where your
car had been, and when.  Like, if the police used it to find out if you had
been at a crime scene.

(Perhaps an even greater risk is that of preventing some helpful technology
from coming to the market based on the fear that maybe it will stop someone's
illegal or unethical behavior as well as helping those who have nothing to lose
and something to gain from the new technology.  While we should be concerned
over privacy concerns, we should also be concerned about the overall benefit to
society, etc...)
                                       -michael j zehr


Re: There's a Ford in your future (and your past!)

Bruce Oneel <oneel%heawk1@heawk1.gsfc.nasa.gov>
Tue, 11 Jun 91 12:39:00 EDT
It's been a while since I've read car magazines, but, in the late 70's to early
80's GM started putting engine control computers in some of the more expensive
cars.  These were to aid in diagnosis.  If certain engine parameters were
exceded then the computer would remember them and then could dump them out to
the mechanic when poked the right direction.  I do remember that over rev,
temp, and oil pressure were mentioned as being monitored.  It would allow a
mechanic to say "Well, this really wasn't meant to spin all the way to 8000
rpm..."
                                      bruce


Re: There's a Ford in your future (and your past!) (RISKS-11.86)

Brinton Cooper <abc@BRL.MIL>
Tue, 11 Jun 91 14:09:44 EDT
John Moore writes, regarding a Ford Motor Co. "customer flight recorder..."
that is installed in a car when a customer has an intermittent problem (and
which) mechanics can later read and attempt to diagnose the problem.  He
asserts a "risk" in that data so recorded might be used in legal activities
following an accident while such a device is in use.

On the other hand, one might ask "risk to whom?"  The principal risks in the
use of such a device seems to be to the careless driver and to negligent auto
manufacturers.  Flight data recorders on aircraft seem to be a risky only to
the extent to which they fail to provide sufficient information on the cause
and responsibility for a crash.

Do we really want to hide behind arguments about "risk" in an effort to avoid
responsibility for our actions?  One of the great (potential) contributions of
computers is their ability to provide information which can improve the safety
of our transportation systems.  (Yes, I'm aware of the risks of doing this
improperly, carelessly, etc.)  The risk in John Moore's world seems to be NOT
to collect the "flight" data.
                                                 -Brint


Active Badges: Article in 16 May "Economist" (RISKS-11.85)

Bob Ayers <ayers@Pa.dec.com>
Sat, 8 Jun 91 17:08:25 -0700
The use of "active badges" at Xerox EuroPARC was the subject of a one-page
article in the 16 May "Economist."  The article discussed the basic
technology, and also discussed the risks of

  "as long as users actually wear their bleepers, the system records
  where each person has been during the day, for how many minutes, and
  with whom. Soon, it will be able to record telephone conversations and
  identify types of meeting, too ... this will be an 'aide memoire,' but
  it will also be a way in which managers can keep tabs on their
  employees."


Re: The Activated Active Badge Project [RISKS 11.85]

<Peter.Robinson@cl.cam.ac.uk>
Tue, 11 Jun 1991 18:00:13 +0100
The article has prompted me to report an interesting risk of using active
badges.  The main concern here when the system was installed was that the
system would assist a thief in identifying empty offices for nefarious
purposes.  We now have evidence of such a use, albeit for a very minor theft of
intellectual property.

I was somewhat surprised the other week to walk past a printer in the
Laboratory and see it printing out a draft copy of a book on which I am
working.  I hadn't printed it.  A quick check by our systems manager determined
that it had been printed by one of the students in the Department.  A further
check determined that the student had used the active badge system to verify
that I was not in the vicinity when he printed the draft.  Unfortunately for
him, the print queue jammed for six hours and the job was released at precisely
the wrong moment...

The moral seems to be that the risk of systems revealing locations (automatic
vehicle identification for road tolls, on-line credit card processing, active
badge systems and so on) is not that they allow other people to know where you
are (after all, anyone could hire a private detective to tell them that), but
that they tell people where you are not.

- Peter Robinson.


Caller-ID

arthur rubin <a_rubin@dsg4.dse.beckman.com>
Tue, 11 Jun 91 14:38:37 PDT
The proposal for Caller ID in California (probably the PUC gave the minimal
conditions they would accept) was to have free per-call blocking, no per-line
blocking, with no mention of ovverides, except: a blocked call would still be
recognized by Call Trace or Call Return.  I don't know the current status of
the proposal.


re: Caller-ID and Risks/Benefits of reusing commands

Andrew Tannenbaum <trb@ima.isc.com>
Tue, 11 Jun 91 18:49:11 -0400
I see that the telco's are fighting to prohibit normal users from specifying
per-line blocking of Caller-ID.  Is anyone selling phones that will
automatically prepend the call-block code (*67 or whatever) whenever you dial,
effectively circumventing the lame telco restriction?  You can already program
it into your speed-dials buffers, but this would allow you to forget about it
when you dial normally.

    Andrew Tannenbaum   Interactive   Cambridge, MA   +1 617 661 7474


Knock, Knock! (Heritage Cable)

Ed Greenberg <edg@netcom.com>
Sat, 8 Jun 91 14:58:15 PDT
This is quoted from Action Line, a write-in column of the San Jose Mercury
News. The paper was dated 8-Jun-1991.

"Q: The other day, I was visited by a representative of Heritage Cable, stating
he was here to investigate the purchase of an illegal de-scrambler that he said
I bought in 1987.  He also stated that he had every right to inspect the line
that went into our household.  I felt outraged to be woken up -- I work nights
-- for such a rediculous and demeaning experience.  I've had cable at this
address since 1986.  Does the Heritage Cable representative have the right to
inspect inside our house?

"A: They do, says Mark Solins, Heritage's director of field service.  Solin
says the cable company receives lists from the Federal Bureau of Investigation
every so often with names of people who bought de-scramblers for the purpose of
obtaining a cable station without paying the cable company for the right to the
air waves.  The FBI doesn't monitor all de-scrambler sales, but does get
involved if it learns of illegal activity.  Solins says the contract you signed
when you signed up for cable allows a company rep the right to inspect the
cable service and line.  Solins says your name popped up on a recent list the
FBI sent to Heritage.  Solins says no illegal de-scrambler was found in your
home.  Evidently, someone who used to live in the rear of your property ordered
the de-scrambler, under your name and address and used it to pick up cable
waves without subscribing to the service."

Ed Greenberg, P. O. Box 28618, San Jose, CA  95159    Work: +1 408 764 5305

   [Also contibuted by Mark Thorson, who prefaced the item with this:
       "Although not directly related to computer RISKS, it's easy to see how
       electronic means for detecting illegal cable hookups could be adapted to
       exploit this mechanism for running roughshod over individual privacy.
       Mark Thorson (a.k.a. mmm@cup.portal.com)."  Mark also added EMPHASIS to
       the line beginning "SOLINS SAYS THE CONTRACT YOU SIGNED ..."   PGN]

Please report problems with the web pages to the maintainer

Top