The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 12 Issue 23

Tuesday 3 September 1991

Contents

o Herb Caen on Computerized Radar
via Mike Seibel
Brad Templeton
Allan Meers
o "Miser held in record Social Security fraud"
Barry Jaspan
o Re: "Thieves Hit Social Security Numbers"
Lars-Henrik Eriksson
o Computer Abuse Amendments Act of 1991
Thomas Zmudzinski
o Re: A Danger ... with Intelligent Terminals
Paul Stachour
o Complain to Journalists
John E. Mollwitz
o The RISKS of Superiority
Arthur Clarke [!] via Ellen Spertus
o NASA severs connection on electronic mail linkup
wrapup by Joe Abernathy
o Info on RISKS (comp.risks)

Herb Caen on Computerized Radar

Allan Meers - Sun Education/Professional Services <Allan.Meers@ebay.sun.com>
Mon, 2 Sep 91 09:05:43 PDT
From Herb Caen's column in the San Francisco Chronicle,
via Mike Seibel and Brad Templeton:

A motorist was unknowingly caught in an automated speed trap that measured his
speed using radar and photographed his car. He later received in the mail a
ticket for $40, and a photo of his car. Instead of payment, he sent the police
department a photograph of $40. Several days later, he received a letter from
the police department that contained another picture -- of handcuffs.


"Miser held in record Social Security fraud" -- UPI, 31 Aug 91

"Barry Jaspan" <bjaspan@MIT.EDU>
Sun, 1 Sep 91 14:28:27 -0400
(Extracted from the article in clari.news.law.crime from the ClariNet news
service.  I've left out a great deal of non-RISKS-related information.)

Robert L. Chesney is facing trial in the biggest individual Social Security
fraud case in U.S. history.  He is accused of receiving retirement and
disability checks under at least 29 names.  Federal agents found 15 boxes and
three steamer trunks full of birth certificates, bank statements, Social
Security cards and over 200 CA DMV id cards, each with Chesney's picture and a
different name.

The final paragraph in the article:

  Chesney allegedly gleaned biographical date about public personalities from
  the library. Pretending to be those people, Chesney would write to their home
  counties, give their birth dates and other information and ask for copies of
  their birth certificates.  He then took the documents to the DMV and obtained
  the ID cars with which he applied for the Social Security benefits.

Barry Jaspan, bjaspan@mit.edu


Re: "Thieves Hit Social Security Numbers" (RISKS-12.20)

Lars-Henrik Eriksson <lhe@sics.se>
Mon, 2 Sep 91 10:36:08 +0200
One thing that strikes me as strange is when I compare this with the situation
in Sweden. We have had "civic registration numbers" since 1947. These numbers
are unique identification of every resident in Sweden. Children are assigned
their numbers shortly after birth and immigrants as they are given a residence
permit.

These numbers are public information and their use permeate the entire society.
Even to become a member of a soccer club, you often have to provide your id
number. Often a membership number or customer number is simply identical to
your id number. While there is a growing resistance to the use of these
numbers, they are still such an accepted part of society that they are often
requested even when there is no real need for them.

Now the events described in the article, where people are stealing SSN's and
using them to get credit etc, virtually never happen in Sweden. This is even
more strange as the Swedish id numbers are public information. Of course it
*does* happen, but it is not seen as an important risk. The important risk is
considered to be the possibility of easily compiling lots of information about
a single individual.  (There is legislation specifically directed against
this.)

I wonder what difference between the Swedish and U.S. societies can account for
this.

                  Lars-Henrik Eriksson, Swedish Institute of Computer Science,
                  Box 1263, S-164 28, KISTA, SWEDEN            +46 8 752 15 09


Computer Abuse Amendments Act of 1991 [xpost risks, security, virus-l]

"zmudzinski, thomas" <zmudzinskit@IMO-UVAX.DCA.MIL>
2 Sep 91 14:42:00 EST
      D E F E N S E   I N F O R M A T I O N   S Y S T E M S   A G E N C Y

Zmurgy's First Law of Evolving Systems Dynamics --
 "Once you open a can of worms, the only way to recan
  them is to place them in a even larger can."

Zmurgy's Second Law [etc.] -- "Tarantulas are even worse!"

  -- The following is presented as tarantula bait --

Tom Zmudzinski                       ZmudzinskiT @ IMO-UVAX.DCA.MIL
Defense Information Systems Agency                   (703) 285-5459
[We used to be DCA, but DoD decided to make us a four letter word.]

                              1991 S. 1322
 SYNOPSIS: A BILL
To amend title 18 of the United States Code to clarify and expand legal
                  prohibitions against computer abuse.

DATE OF INTRODUCTION: JUNE 18, 1991

DATE OF VERSION: JUNE 20, 1991 - - VERSION: 1

 SPONSOR(S):
Mr. LEAHY (for himself, Mr. BROWN, and Mr. KOHL) introduced the following
bill; which was read twice and referred to the Committee on the Judiciary

 TEXT:
                                  A BILL
To amend title 18 of the United States Code to clarify and expand legal
                  prohibitions against computer abuse

*  Be it enacted by the Senate and House of Representatives of the United*
*States of America in Congress assembled,                                *
SECTION 1. SHORT TITLE
  This Act may be cited as the "Computer Abuse Amendments Act of 1991".
SEC. 2. AMENDMENTS TO THE COMPUTER FRAUD AND ABUSE ACT.
  (a) PROHIBITION.-Section 1030(a)(5) of title 18, United States Code is
amended to read as follows:
      "(5)(A) through means of or in a manner affecting a computer used
    in interstate commerce or communications, knowingly causes the
    transmission of a program, information, code, or command to a
    computer or computer system if-
          "(i) the person causing the transmission intends that such
        transmission will-
              "(I) damage, or cause damage to, a computer, computer
            system, network, information, data, or program; or
              "(II) withhold or deny, or cause the withholding or denial,
            of the use of a computer, computer services, system or
            network, information, data, or program; and
          "(ii) the transmission of the harmful component of the program,
        information, code, or command-
              "(I) occurred without the knowledge and authorization of
            the persons or entities who own or are responsible for the
            computer system receiving the program, information, code, or
            command; and
              "(II)(aa) causes loss or damage to one or more other
            persons of value aggregating $ 1,000 or more during any 1-year
            period; or
              "(bb) modifies or impairs, or potentially modifies or
            impairs, the medical examination, medical diagnosis, medical
            treatment, or medical care of one or more individuals; or
      "(B) through means of or in a manner affecting a computer used in
    interstate commerce or communication, knowingly causes the
    transmission of a program, information, code, or command to a
    computer or computer system-
          "(i) with reckless disregard of a substantial and unjustifiable
        risk that the transmission will-
              "(I) damage, or cause damage to, a computer, computer
            system, network, information, data, or program; or
              "(II) withhold or deny, or cause the withholding or denial,
            of the use of a computer, computer services, system or
            network, information, data, or program; and
          "(ii) the transmission of the harmful component of the program,
        information, code, or command-
              "(I) occurred without the knowledge and authorization of
            the persons or entities who own or are responsible for the
            computer system receiving the program, information, code, or
            command; and
              "(II)(aa) causes loss or damage to one or more other
            persons of value aggregating $ 1,000 or more during any 1-year
            period; or
              "(bb) modifies or impairs, or potentially modifies or
            impairs, the medical examination, medical diagnosis, medical
            treatment, or medical care of one or more individuals; or
  (b) PENALTY.-Section 1030(c) of title 18, United States Code is
amended-
      (1) in paragraph (2)(B) by striking "and" after the semicolon;
      (2) in paragraph (3)(B) by inserting "(A)" after "(a)(5); and
      (3) in paragraph (3)(B) by striking the period at the end thereof
    and inserting ", and"; and
      (4) by adding at the end thereof the following:
      "(4) a fine under this title or imprisonment for not more than 1
    year, or both, in the case of an offense under subsection
    (a)(5)(B).".
  (c) CIVIL ACTION.-Section 1030 of title 18, United States Code is
amended by adding at the end thereof the following new subsection:
  "(g) Any person who suffers damage or loss by reason of a violation of
the section, other than a violation of subsection (a)(5)(B), may maintain
a civil action against the violator to obtain compensatory damages and
injunctive relief or other equitable relief.  Damages for violations of
any subsection other than subsection (a)(5)(A)(ii)(II)(bb) or
(a)(5)(B)(ii)(II)(bb) are limited to economic damages.  No action may be
brought under this subsection unless such action is begun within 2 years
of the date of the act complained of or the date of the discovery of the
damage.".
  (d) REPORTING REQUIREMENTS.-Section 1030 of title 18 United States
Code, is amended by adding at the end thereof the following new
subsection:
  "(h) The Attorney General shall report to the Congress annually, during
the first 3 years following the date of the enactment of this subsection,
concerning prosecutions under section 1030(a)(5) of title 18, United
States Code.".
  (e) DEFINITION.-Section 1030(e)(1) of title 18 United States Code, is
amended by striking ", but such term does not include an automated
typewriter or typesetter, a portable hand held calculator, or other
similar device".
  (f) PROHIBITION.-Section 1030(a)(3) of title 18 United States Code, is
amended by inserting "adversely" before "affects the use of the
Government's operation of such computer".


Re: A Danger ... with Intelligent Terminals (Thomson, RISKS-12.21)

Paul Stachour <stachour@SCTC.COM>
Tue, 3 Sep 91 08:41:49 CDT
   In original Multics (Unix is supposedly an "improved" derivative of
Multics), in the module which has the responsibility for writing messages to
the user's terminal (messages which were sent by the Multic-similar function to
"write), there is a comment dated 1974 (I enter from memory, the phrasing may
not be exact):

   This module censors control and escape sequences to prevent users from
sending messages that masquerade as coming from the Multics System Operator and
other potentially dire consequences.

   Notice that:
      #1:  The date of this message, showing that the problem was
           understood even back in 1974.
      #2:  The wording of the warning, which gives meaning to the
           understanding, and not too many hints to the unknowledgeable
           (Multics source has always, to my knownledge, been publically
           available).
      #3:  As so often is true, the "new improved version" is poorer
           than the original version.

     The mechanism by which Multics sends its mail and messages (which I will
not describe here for lack of my time and space, but is quite clearly
documented in the Multics manuals) was well-designed to avoid:

      1)  Forgery
      2)  Spoofing
      3)  Default system style doing bad-things

and designed to allow:

      1)  Good access control over mailboxes
      2)  Ability to retract send-but-not-yet-read-mesasges
      3)  You to give someone power to send-in-your-name, but with
          clear indications it was not your userid.

The question (on risks) is:

    Why do we (as consumers) continue to buy cut-down products containing
signficantly less functionality and much higher risks when good products are
available?  My opinion is that there is inherent difficulty for most of us to
evaluate the risks inside of products, and we just take what appears to us to
be the path of least resistance.

Paul Stachour, SCTC, 1210 W. County Rd E, Suite 100, Arden Hills, MN
55112-3739         stachour@sctc.com              [1]-(612) 482-7467


Complain to Journalists

"John E. Mollwitz" <moll@mixcom.com>
Sun, 1 Sep 91 16:48:00 CDT
The national convention of The Society of Professional Journalists, an
organization of roughly 18,000 members in the United States, Canada and Japan,
is meeting Oct. 17-19 in Cleveland.  As part of that convention, a seminar will
be conducted on writing about computers and computer networks.

Since over the years, cyberspace travelers have bemoaned the accuracy of
articles relating to computers, computer networks and even telephones,
we ask that you email or snail mail examples of articles that you have
found solid and others that you have found less so.  Please include a note
of explanation.

The panel then will try to compile the examples, and the comments and produce a
handout for discussion.  Sometime in the week after the convention, we will
post the results of the session.  The names of the panelists will be disclosed
at that time since it is possible that some of the articles that may be
submitted may have been written by a panelist.

Mail paper examples to me at the address below.  Where possible, the examples
should include a copy of the article, the name of the publication and
_specific_ comments.  If the article is dismissed simply as "nonsense," state
that it is because paragraph 5 has failed to adequately explain a concept, and
that it would have been better to have said it this way or that.

So, if you go into fits when you see the word "hacker" in print, please mail by
Sept. 30.

Thank you for your cooperation.

John E. Mollwitz, Chair, Committee on New Information Technologies
The Society of Professional Journalists, c/o The Milwaukee Journal
P.O. Box 661, Milwaukee, WI 53201-0661

Usenet: moll@mixcom.com  CompuServe: 72240,131 GEnie: J.Mollwitz Prodigy: CKFB43A

           [OK, folks, take him seriously.  Here's your chance to have an effect
           on the SPJ similar to what the net did for Lotus Marketplace?  PGN]


The RISKS of Superiority

<erspert@ATHENA.MIT.EDU>
Sun, 1 Sep 91 14:18:45 -0400
I recently rediscovered a science fiction short story, "Superiority" (1951), by
Arthur C. Clarke, that would be of interest to RISKS readers.  Here are
excerpts from the story, which is written in the form of a report by a former
military leader:

    The ultimate cause of our failure was a simple one: despite all
    statements to the contrary, if was not due to lack of bravery on the
    part of our men, or to any fault of the fleet's.  We were defeated by
    one thing only --- by the inferior science of our enemies.  I repeat
    --- by the *inferior* science of our enemeies.

    When the war opened we had no doubt of our ultimate victory.  The
    combined fleets of our allies greatly exceeded in number and armament
    those which the enemy could muster against us, and in almost all
    branches of military science we were their superiors.  We were sure
    that we could maintain this superiority.  Our belief proved, alas, to
    be only too well founded....

    [After an expensive battle victory, the new Chief of the Research
    Staff, Norden, said:] ``Our existing weapons have practically reached
    finality.  I don't wish to criticize my predecessor, or the excellent
    work done by the Research Staff in the last few generations, but do
    you realize that there has been no basic change in armaments for over
    a century?  It is, I am afraid, the result of a tradition that has
    become conversative.  For too long, the Research Staff has devoted
    itself to perfecting old weapons instead of developing new ones.  It
    is fortunate for us that our opponents have been no wiser: we cannot
    assume that this will always be so....

    ``What we want are *new* weapons --- weapons totally different from
    any that have been employed before.  Such weapons can be made: it will
    take time, of course, but since assuming charge I have replaced some
    of the older scientists by young men and have directed research into
    several unexplored fields which show great promise.  I believe, in
    fact, that a revolution in warfare may soon be upon us.''

    We were skeptical.  There was a bombastic tone in Norden's voice that
    made us suspicious of his claims.  We did not know, then, that he
    never promised anything that he had not already almost perfected in
    the laboratory.  *In the laboratory* --- that was the operative
    phrase.

    Norden proved his case less than a month later, when he demonstrated
    the Sphere of Annihilation, which produced complete disintegration of
    matter over a radius of several hundred meters.  We were intoxicated
    by the power of the new weapon, and were quite prepared to overlook
    one fundamental defect --- the fact that it *was* a sphere and hence
    destroyed its rather complicated generating equipment at the instant
    of formation.  This meant, of course, that it could not be used on
    warships but only on guided missiles, and a great program was started
    to convert all homing torpedoes to carry the new weapon.  For the time
    being all further offensives were suspended.

    We realize now that this was our first mistake.  I still think that it
    was a natural one, for it seemed to us then that all our existing
    weapons had become obsolete overnight, and we already regarded them as
    almost primitive survivals.  What we did not appreciate was the
    magnitude of the task we were attempting, and the length of time it
    would take to get the revolutionary super-weapon into battle.  Nothing
    like this had happened for a hundred years and we had no previous
    experience to guide us.

    The conversion problem proved far more difficult than anticipated.
    [Description of problems omitted.]  Then two things happened.  One of
    our battleships disappeared completely on a training flight, and an
    investigation showed that under certain conditions the ship's
    long-range radar could trigger the Sphere immediately [after] it had
    been launched.  The modification needed to overcome this defect was
    trivial, but it caused a delay of another month and was the source of
    much bad feeling between the naval staff and the scientists.  We were
    ready for action again --- when Norden announced that the radius of
    effectiveness of the Sphere had now been increased by ten, thus
    multiplying by a thousand the chances of destroying an enmey ship.

    So the modifications started all over again, but everyone agreed that
    the delay would be worth it.  Meanwhile, however, the enemy had been
    emboldened by the absence of further attacks and had made an
    unexpected onslaught...

And so forth.  What are the lessons for RISKS readers?

1. A technological advance doesn't make your equipment obsolete if it still
does what you need.  For example, if the x86 on your desk meets your needs, you
don't need to get rid of it and buy a (x+1)86.  I know somebody who is still
happily using his TI 99/4 even though any number of people would tell him it's
obsolete.

2. I'm sure that all RISKS readers can think of a computer project, either
software or hardware, that looked dazzling on paper, far more ambitious and
computer scientific than competing projects, that became a disaster.  It
slipped years because of problems due to its complexity, perhaps never reaching
market, while competitors produced products much quicker and met the customers'
needs.

3. One shouldn't replace existing tools before learning how to use them.  For
example, if a novice spent a month studying Pascal, then switched to C++ when
somebody said it was better, then switched to Lisp, etc., they would never get
any useful work done.

Of course, there are risks in carrying any of these lessons too far (such as
carrying the x86 into the next millenium).  I am told, at one time, this story
was "required reading" at MIT.  I never came across it as a student at MIT,
which is a shame, because it contains such valuable lessons.  I urge
engineering/CS professors to consider putting it into a systems-building
course.  The full story can be found in _Expedition to Earth_, by Arthur C.
Clarke (New York: Ballantine Books).
                           Ellen Spertus


NASA severs connection on electronic mail linkup (Houston Chronicle)

Joe Abernathy <edtjda@magic322.chron.com>
Tue, 3 Sep 91 17:05:01 CDT
{ This story appeared on Page 1A of the Houston Chronicle on Monday, Sept. 2,
 1991. Permission is granted for redistribution in the ACM Risks Digest,
 Patrick Townson's Telecom Digest, the newsgroup sci.space.shuttle, Computer
 Underground Digest, and the interesting_people mailing list. Our thanks to
 these groups for their ongoing contributions to the online community and our
 coverage of it. Please send comments and suggestions to edtjda@chron.com. }

NASA severs connection on electronic mail linkup.
By Joe Abernathy, Copyright 1991, Houston Chronicle

Although declaring the experiment a success, NASA has called a halt to a
project by which space shuttle astronauts briefly were linked with the nation's
computer networks through electronic mail.  The e-mail experiment, conducted
during the recent flight of Atlantis, was part of a larger effort to develop
computer and communications systems for the space station Freedom, which is to
be assembled during the late 1990s.  The National Aeronautics and Space
Administration cited unauthorized access as the reason for severing the network
connection, but NASA officials did not provide details.  The space agency
initially attempted to carry out the project in secrecy, but word leaked out on
the nation's computer networks. Details were closely guarded because of
concerns over malicious computer hacking and astronauts' privacy.

"Hello, Earth! Greetings from the STS-43 Crew! This is the first Applelink
from space. Having a GREAT time, wish you were here!" read the first message
home. It went from Atlantis astronauts Shannon Lucid and James Adamson to
Marcia Ivins, a shuttle communicator at Johnson Space Center.

It was the use of AppleLink -- a commercial electronic mail network connected
to the global computer matrix -- that apparently contained the seeds of
trouble.  When an AppleLink electronic mail address for the shuttle was
distributed online and then published in the Houston Chronicle, it generated
about 80 responses from well-wishers.

Although the address was created just for this purpose, the flight director
nearly pulled the plug on the project, according to Debra Muratore, the NASA
experiment manager. The project was concluded as scheduled and declared a
success.  But ultimately, it was decided, at least for now, to cease all
interaction with public computer networks. The decision eventually could mean
that NASA's premier research facility, the space station, may not have access
to its premier research communications tool, the NASA Science Internet -- the
space agency's portion of the vast Internet global computer network.

Electronic mail, which is becoming commonplace in offices, is simply the
transmission of messages via computers to one or more people, using electronic
addresses. Users linked to the right networks can send electronic messages or
other data to specific recipients nearly anywhere in the world -- and for a
short time, could send them to space.  "The problem was that the information
had gotten leaked prematurely. There was no problem with security," Muratore
said. Even previous to the leak of the addresss, however, the experiment was
structured in such a way that it was vulnerable to hackers, she acknowledged.
"As a result of this whole experience, at least my project plans never to use a
public (electronic) mail system again," she said.  Muratore indicated that the
space agency may explore other ways of providing "connectivity" --
communication between orbiting astronauts and NASA's broader collection of
computerized resources -- which will become increasingly important as the use
of computerized information grows.

The decision to sever the short-lived e-mail connection has drawn strong
criticism among computer security experts and other scientists, who charge that
NASA was attempting to design "security through obscurity."  "This is another
example of an ostrich-oriented protection policy -- stick your head in the sand
and pretend no one will find out what you know," wrote Peter G. Neumann,
moderator of the Association for Computing Machinery's RISKS Digest, a
respected online publication that assesses the risks posed by technology.
"Things like that don't stay 'secret' for very long."

NASA told Newsday, but would not confirm for the Chronicle, that more than 80
"unauthorized" messages from around the world were sent to the Atlantis address
-- which a source told the Chronicle was set up explicitly to handle public
requests for a shuttle e-mail address. Private addresses were used for the
actual experiments.  "The old 'authorization' paradox has reared its ugly head
again," wrote Neumann, who prepared a study for NASA on the security
requirements of the space station. " `Threatened by unauthorized e-mail,' eh?
Sending e-mail to someone REQUIRES NO AUTHORIZATION."

Muratore defended the use of secrecy as a security tool.  "I feel that that was
a viable option," she said. She said operators of AppleLink told NASA that it
was impossible to keep public e-mail from being sent to the on-orbit address,
so the only option was to try to keep it secret.

But network users questioned this viewpoint.  "Why is an e-mail system 'in
jeapordy' when it receives 80 messages? And what is an 'unauthorized user?' "
asked Daniel Fischer of the Max-Planck-Institut feur Radioastronomie, in Bonn,
Germany. "Once the system is linked up to the real world, it should expect to
receive real mail from everyone.  If NASA can't handle that, it really
shouldn't get into e-mail at all," added Fischer, writing in an online
discussion group composed of scientists involved with the space program.
"Consider that (heavy response) a success, NASA!"

The disposition of the electronic mail sent to Atlantis is still up in the air.
A Chronicle message was not acknowledged, and no one has reported receiving a
response.

[Chronicle reporter Mark Carreau contributed to this report.]

Please report problems with the web pages to the maintainer

Top