The RISKS Digest
Volume 13 Issue 10

Monday, 3rd February 1992

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Ballad of Silicon Slim
Cliff Stoll
IRS quick refund by computer pays off — like an errant slot machine
PGN
Dutch crackers arrested
Wietse Venema via Cliff Stoll
`Virus' in Lithuanian Atomic Power Plant
Debora Weber-Wulff
``All Bugs are Viruses''
Chuck Lins
Supreme Court's mistaken fax
Clifford Johnson
Lack of Integrity in the "real world"
Ted Lee
Historical perspective on fault-tolerant architecture
Paul Eggert
Re: Communication between ATC and pilot
Henry Spencer
Re: Confusing Telephone System Overload Message
Bill Mahoney
Jay Schmidgall
Peter Desnoyers
Re: Computer evidence is Hearsay
Ken Tindell
Robin Fairbairns
Re: Warranties
Irving Chidsey
Charlie Mingo
Info on RISKS (comp.risks)

Ballad of Silicon Slim

Cliff Stoll <stoll@ocf.Berkeley.EDU>
Mon, 3 Feb 92 00:53:37 -0800
Dr. Demento collects the weirder songs for his nationally syndicated show --
he's one of the best reasons to own a radio.  Last week's program featured The
Ballad of Silicon Slim, a country & western song by John Forster.

It's about a rootin-tootin, home computin' guy who breaks into Chase Manhattan
Bank and snags a penny from everyone's account.  This salami-slicing thief
makes millions, gets caught, tossed in jail, but is popped out by a computer.

It's a song praising the thief as being democratic (stealing equally from
everyone), and carries several dubious stereotypes (the best programmers break
into computers, outsiders are the biggest threat to banking systems,
skimming of bank accounts won't be noticed).

A ballad about a computing thief.  Had to happen sometime!

-Cliff Stoll     stoll@ocf.berkeley.edu


A few excerpts
(without permission of copyright holder; I'm trying to reach him)

In the dead of night he'd access each depositor's account
And from each of them he'd siphon off the teeniest amount.
And since no one ever noticed that there'd even been a crime
He stole forty million dollars — a penny at a time!

Little Janet was only eight but she had her own account
And the seven dollars in it was to her a huge amount.
So the day that penny vanished one unhappy little tot
Screamed, "Hey, what happened to my penny?"
And the teller tried to tell her but could not.

Is your whole year's withholding getting to the government?
Have you figured out your FICA to the hundredth of a cent?
Though the average Joe don't even know how much his FICA was
Out there, somewhere, there's a software packin' buckeroo who does!


IRS quick refund by computer pays off — like an errant slot machine

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 3 Feb 92 17:34:40 PST
If you were one of the 1.1 million people who filed a 1991 tax return
electronically between 10Jan1992 and 27Jan1992, you may have gotten a
notification that a refund was forthcoming even if one was not.  Apparently
during that period the IRS computer program ignored all back-tax debts, which
would otherwise have offset the refunds.  Relying on the refund notification,
lenders have been making loans that were (supposedly) secured by the expected
refunds.  No one knows yet how many such unsecure loans were actually granted.
[Source: San Francisco Chronicle, 3Feb1992, p.A3, from the Washington Post]


Dutch crackers arrested

Wietse Venema <wietse@wzv.win.tue.nl>
[missing, BUT BEFORE 3 Feb 92 01:03:32 -0800]
            reposted from alt.security and forwarded to Risks by Cliff Stoll
            <stoll@ocf.Berkeley.EDU>              [and lightly edited by PGN]

This is a revision of an earlier posting carrying the same title.  Any
inaccuracies are my own responsibility.

According to Dutch TV and newspaper reports, the Amsterdam police have arrested
two computer crackers and seized their equipment.  A press conference was held
on Friday 31st.  The two made a full confession.

The reports state that over the past four months, R.J.N., age 25, computing
science engineer, and H.W., age 21, c.s. student, installed so-called Trojan
horses on a computer system of the Amsterdam Free University, and used that
same system to break into computer systems in the US, Canada, and several
European countries.  According to a Dutch police spokesman, the two had no
intention to damage or to steal information, but were doing it `just for
kicks'.

Dutch law on computer crime is still in preparation. Apparently, the charges
are based on existing law: falsification (corrupting systems files in order to
get privileges), destruction of property (rendering a computer system
unusable), and fraud (using stolen passwords).

Both fidelio and wave were students at my faculty, so I know them personally.
The sad thing is, had the police been ready for this type of action a year
earlier, they would probably still be free.

Wietse Venema, dept. of Mathematics and Computing Science,
Eindhoven University of Technology, The Netherlands


`Virus' in Lithuanian Atomic Power Plant

Debora Weber-Wulff <weberwu@inf.fu-berlin.de>
Mon, 3 Feb 1992 07:40:17 GMT
"Berliner Zeitung", 3Feb1992 ([East] Berlin), translated by DWW.

"Sabotage fails - Virus in Power Plant Program for the Lithuanian Atomic Power
Plant in Ignalina vaccinated

Vilna/Moscow (dpa)

This past weekend an act of sabotage against the computer system for the atomic
power plant in Ignalina failed. A worker in the computer center of the plant
tried on Thursday to plant a virus in a program in the non-nuclear part of the
reactor, in order to cause disruption.

dpa learned on Saturday from Vilna that the man probably wanted to get money
from the reactor managers for repairing the damage he himself causes. The plant
engineers managed, however, to repair the damage themselves in a very short
time, according to information from the news agency ITAR-TASS, which is based
on information from the government press office in Lithuania. A warrant for the
arrest of the saboteur has been issued, and officials state that he will be
prosecuted.

The shutdown of one of the two reactors since Thursday has nothing whatsoever
to do with the attempted sabotage, said the deputy Lithuanian energy minister,
Saulus Kutas.  ["Wer das glaubt, wird seelig."   LOOSELY TRANSLATED AS "If you
believe that, you'll believe anything." dww]

[And goes on to explain about the tiny leak in the cooling system and how the
water is not radioactive, and there are no problems, and a team of Swedish
specialists looked at the reactor and found no big problems, but they do have a
list of 20 little things they want to look at, and the Swedish government is
going to pay for it all.]"

Debora Weber-Wulff, Institut fuer Informatik, Nestorstr. 8-9, D-W-1000 Berlin 31
       +49 30 89691 124                           dww@inf.fu-berlin.de


``All Bugs are Viruses''

"Chuck Lins" <chuck_lins2@gateway.qm.apple.com>
3 Feb 92 15:01:23 U
While having dinner I overheard two automobile mechanics discussing a problem
one had with one of the fancy automotive diagnostic systems. Apparently, any
attempt to 'take a measurement' caused a catastrophic failure in the system
(i.e., it 'crashed'). The cause was attributed to a `virus'. While to a
computing professional such rationale appears ludicrous, it is quite a logical
conclusion for the layperson.
                                        Chuck Lins, lins@apple.com


Supreme Court's mistaken fax

"Clifford Johnson" <Cliff@Forsythe.Stanford.EDU>
Mon, 3 Feb 92 12:03:51 PST
From a UPI press release:

The Supreme Court's decree topped a roller-coaster day for refugees waiting to
learn their fate. Earlier Friday, the clerk's office of the 11th Circuit issued
an order allowing the government to send the refugees back to Haiti. But 4 1/2
hours later, it said that order had been made by mistake.  ``It was a clerical
error,'' said Joyce Larkin, deputy clerk.  ``The order was erroneously issued.
The motion filed by the government to stay the injunctive order issued by Judge
Atkins remains pending before this court.'' Kembra Smith, motions attorney for
the 11th Circuit, said a facsimile message between judges apparently was sent
by mistake to the clerk's office, and the erroneous order was then issued.  ``I
think we got an erroneous fax today, directed between the judges.  It should
not have come here — it should not have been released,'' Smith said.  She said
there had been no final decision by the court, and that it should not be
assumed that the court necessarily will issue an order similar to the one
issued in error.  ``They (the clerk's office) received a number of documents
after the office received that (erroneous fax),'' she said. ``A decision is
probably in the near future.  But there's no way to know that. Any time period
is totally speculative on my part.'' Smith said the mistake was unusual — and
highly embarrassing to the court because of the magnitude of the case.  ``We're
aware that it's fairly outrageous,'' she said. ``Hopefully, this will never
happen again. Oh my God, especially in a case like this.''

  [I can only add that had this been a last-day death penalty case, the error
  could have caused an unjust killing — 4.5 hours is a long enough delay, and
  in a case involving fewer people, the delay may have been much greater.  CJ]


Lack of Integrity in the "real world"

<TMPLee@DOCKMASTER.NCSC.MIL>
Mon, 3 Feb 92 16:19 EST
There's been a fair amount of writing lately that the "real world" needs
protection against loss of integrity, not loss of confidentiality.  I'm not
sure it even cares about that.  Last week I learned something about how
Hennepin County (where Minneapolis is located) handles important documents that
sort of bothers me.

I needed to get a certified copy of a power of attorney that we had filed with
the county's title registry a couple of years ago.  I walked into a 30' x 30'
room that had a clerk, a copying machine, a half dozen microfilm
readers/printers and maybe half the room filled with racks of microfilm.  A
quite visible sign at the entrance said something like "please have the clerk
retrieve printed documents; microfilm is self-service." Several lawyer-looking
people appeared in fact to have done that — they were sitting in front of the
viewers just like one does at a public library.  Not wanting to wade through
the film I just gave the clerk the document number.  She went over to the
appropriate rack, got the film, and made a print of what I had asked for, which
she then duly certified with the date and embossed county seal as being a true
and accurate copy of the original that had been filed on such and such a date.

All true scam artists and system penetrators by now ought to be asking
themselves the question that came to my mind as I drove home.  After having
done a little reconnaissance to find out what kind of film was used, what would
have prevented me from going to view a film, pretend to re-file it, but
actually slip it in my pocket and remove it?  (I saw no signs of any alarms
like they have in stores.)  I could then take it to a lab and temporarily or
permanently replace any image of a document with the image of one I had forged
up on a laser printer.  I'd return, put it back in the files, and then ask for
a certified copy of the forged image.  (I'd pick either a very recent document
or a very old one so the chances of the film's being missed while it was being
doctored would be slight.)  I would think that if one could forge a
legally-certified power of attorney giving himself power over, say, the affairs
of the president of 3M, or perhaps, the deed to a downtown office building one
could make a lot of mischief and probably a lot of money.  (You'd have to be
careful, but the possibilities are, as they say, intriguing.)

(Two additional points to note: nowhere was I asked for identification,
although I did have to sign for the certified copy.  Also, the registrar does
NOT keep any originals — all they have are the microfilm copies; we didn't
have the original of what I needed because that had in fact to be deposited at
a different state office.)


Historical perspective on fault-tolerant architecture

Paul Eggert <eggert@bi.twinsun.com>
Mon, 3 Feb 92 11:39:30 PST
I'd like to draw RISKS readers' attention to Daniel P Siewiorek's recent survey
of fault tolerant computer design:

   Daniel P Siewiorek, Architecture of Fault-Tolerant Computers: An
   Historical Perspective, Proceedings of the IEEE 79, 12 (Dec 1991), 1710-1734

Siewiorek proposes a 3D design space and classifies two dozen well known
systems ranging from the Univac I to the Galileo mission.  There's a wealth of
juicy tidbits with a broad historical perspective.  For example, I didn't know
that the Univac I contained more error detection circuitry than most
contemporary microprocessors — the circuitry was essential because they
couldn't simulate the machine in advance!

Although I highly recommend the survey, I have two reservations.  First,
publication delays have dated it a bit — e.g. surely the new CM-5 deserves a
place in Siewiorek's pantheon.  Also, there's a frustrating lack of coverage of
software fault tolerance, despite hints scattered throughout that software is a
big problem area.  Perhaps we'll have to wait for the book.


Re: Communication between ATC and pilot

<henry@zoo.toronto.edu>
Mon, 3 Feb 92 14:55:12 EST
> [direct message transmission from ATC to aircraft]
>  How the message was displayed: Headup display, voice, or another console
>  display

There was a piece in a recent Aviation Week (Jan 6, I think) on NASA
experiments with a digital data-transmission system.  The pilots who tried it
generally liked it, with reservations.  They wanted to see voice used during
high-workload times like landing approaches, because they didn't want to have
their heads down inside the cockpit reading a screen at such times.  For
communication at less busy times, though, they liked it a lot.  Messages
generally did not need repeating, which was needed for a significant fraction
of voice messages.  There was less room for misunderstanding, and more time to
think about complex messages.  Being able to scroll back and look at earlier
messages was something they liked very much.  They particularly liked digital
transmission and scrolling back to earlier messages for weather data, since
this gave them some sense of how weather was changing.

Henry Spencer at U of Toronto Zoology   henry@zoo.toronto.edu   utzoo!henry


Re: Confusing Telephone System Overload Message (McCulley, RISKS-13.09)

Bill Mahoney <billzy@odin.unomaha.edu>
Sun, 2 Feb 92 10:40:50 -0600
The Omaha World Herald reported that one problem with this level of calls is
that quite a number of them went to an 800 number in Minnesota either by
accident or because of other circumstances. The company in Minnesota is asking
(unsuccessfully) for CBS to repay them for the several thousand phone calls
that they received by accident, and is claiming that at least in some areas the
phone number shown on the TV special was their 800 number and not the one for
Call Interactive. CBS has decided that it should not have to pay for anyone
dialing a wrong number (good point) and denies that the number shown on
television was ever the incorrect one.
                                                  Bill Mahoney


Re: Confusing Telephone System Overload Message

Jay Schmidgall <shmdgljd+@rchland.ibm.com>
Mon, 3 Feb 1992 07:22:37 -0600 (CST)
... The owner of the store had been watching the SotU address and recognized
his 1-800 number as the one CBS gave.  He raced to the store only to find that
his answering machine tape was filled to capacity (approx 50 msgs).  He said
some of the messages were pleasant, but others contained language unfit to
print, apparently from frustrated viewers?  He estimated the calls had cost him
several hundred dollars in lost business. (No mention of any plans to sue CBS
for compensation. :)

CBS also had some comments but I don't recall what those were; typical
apologies for the screw-up and disbelief that it could occur come to mind,
though.  I don't recall any explanation being given for the screw-up.

In light of this article, I wonder how accurate CBS's numbers are:

> Shortly afterward, with the display showing about 125,000 calls
> processed, Dan Rather reported on the air that AT&T was estimating there
> had been about 7,000,000 call attempts!  Obviously their throughput was
> a little below the capacity requirements...

I can't seem to come up with an especially pithy RISK but perhaps our
moderator can.  To me, it seems either to be one of not very thorough
testing of the system (I mean, c'mon, couldn't someone have _dialed_ the
number before showing it to the entire nation) or perhaps a typical
transcription error, though as I said I don't recall any mention in the
article.
            — jay


Survey bias by equipment failure (McCulley, RISKS-13.09)

Peter Desnoyers <peterd@merlin.dev.cdx.mot.com>
Mon, 3 Feb 92 11:54:04 -0500
A less obvious risk - although any phone-in survey is less than scientific, the
low call completion rate (1 in 70) could further bias the results. Consider
that the probability of success is probably strongly correlated with various
factors such as geographic location (e.g. due to blocking systems that allow
equal numbers of calls from areas with non-equal populations), population
density (rural/urban/suburban), or ownership of a repeat-dial phone.

With an extremely high call-blocking probability, it is easy to imagine that
these factors could result in a given population sub-group (e.g. residents of
New Hampshire and Maine*) being under- or over-represented in the sample by a
factor of two or more.
                Peter Desnoyers

* I especially find it hard to believe that no residents of New Hampshire - who
are supposed to live and breathe politics every 4 years, with a 70%
presidential primary turnout - would have gotten through in the first few
minutes if the blocking probability was uniform.


Re: Computer evidence is Hearsay (Stock, RISKS-13.09)

<ken@minster.york.ac.uk>
2 Feb 1992 13:55:39 GMT
>... However, the magistrates' courts which should deal with such cases are
>refusing to hear them, on the grounds that computer output is hearsay and
>therefore not acceptable as evidence.

It is a little more complex than this. The law regarding summoning non-payers
requires that the Council send a bill (of course) and a reminder before any
court action is possible. The computer evidence problem surrounds this. In the
UK proof of posting in the Royal Mail is _legally equivalent to proof of
delivery_ (a precedent was set in Victorian times - they had a better postal
service then*). Reams of computer printout are used to prove that bills and
reminders have been sent, but all RISKS readers know that just because a
computer prints out that a letter has been sent is no proof that it has. There
have been a lot of software errors with Poll Tax systems (See RISKS passim) and
I suspect that the Magistrates are so annoyed at having to deal with so many
computer errors that they threw the cases out, which has now set a legal
precedent.

Now, the Government has changed the law for the Poll Tax making computer
evidence legal. There are worrying aspects to making computer evidence legal:
does the Plaintiff have to prove that the computer system is accurate? Or is
it up to the Defendant to prove that it is full of errors? Will the accuracy
of computer evidence ever be questioned? This problem will open up a whole
can of worms in the English legal system, and I bet we will see
non-computerate ill-advised legislators making sweeping changes which will
create more problems than they solve. Sounds like a case for the EFF?

Ken Tindell               * I do not imply that the UK postal system is bad!

Computer Science Dept., York University, YO1 5DD UK  ..!mcsun!uknet!minster!ken
Internet: ken%minster.york.ac.uk@nsfnet-relay.ac.uk    Tel.: +44-904-433244


Re: Computer (poll tax) evidence is hearsay (Stock, RISKS-13.09)

Robin Fairbairns <robin.fairbairns@lsl.co.uk>
Mon, 03 Feb 1992 13:06:05 GMT
> [ Unfortunately I don't have a citable source for this as I no longer live
>   in the UK and so I rely on BBC Radio for this news. ]

I had been surprised that no-one else had posted about this matter, and had dug
out old newspapers: there were articles in `The Guardian' on Jan 16 and 17.

> [ Curiously, in the main criminal courts, computer evidence is acceptable as a
> result of specific legislation, but this legislation does not apply to the
> lower courts. The government has promised to end this anomaly. ]

Actually, the case is a _civil_ one (presumably because the government never
believed that the non-payment campaign would get off the ground).  The specific
legislation that Kevin talks about applies to Crown Courts and up for civil
cases (I don't know what the rules are about criminal cases).

If there were only small numbers of defaulters, the ruling would presumably not
be a problem: a council officer could attend the court for the (trivial) time
it takes a magistrate to make an order.  In fact, there were (until the ruling)
hundreds of defaulters being dealt with in every court.  All of this legal
activity (and interest charges on loans to cover uncollected tax) is adding
massively to the costs of administering local government.  The (Labour Party)
opposition has claimed that, on average, Poll Tax bills will go up by 50% in
the coming financial year.

The government's promise to end the anomaly has not taken the form of `rushing
legislation through'; the councils have complained that their collection
strategy is in a shambles until the new legislation is passed.


Re: Warranties (Hollombe, RISKS-13.08)

Irving Chidsey <chidsey@smoke.brl.mil>
30 Jan 92 13:47:18 GMT
    Jerry Hollombe questions the trend to selling things without
warranties.  Does not the commercial code require that all things offered for
sale be merchantable, unless the seller limit this merchantability in some
explicit way?  That a program called Taxamatic-91 can be expected to compute my
1991 taxes correctly as long as I answer its questions correctly?  That the
sole purpose of a warranty is to limit the seller's liability, and if there is
no warranty, there is no limit.  Therefore, if it is called Taxamatic, with no
91, and there is no mention of the year in the instructions, I have grounds for
suit if it doesn't work correctly for my 92 taxes, and my 93 taxes, etc..

    How can lack of a warranty be worse than one that says, more or less,
"The seller makes no claim that this product is error free, will operate
correctly, or is merchantable."?
                                             Irv Chidsey


Re: The Absence of a Warranty (Gilham, RISKS-13.09)

Charlie Mingo <Charlie.Mingo@p0.f70.n109.z1.fidonet.org>
02 Feb 92 23:04:07
   Under the Uniform Commercial Code, there are implied warranties, but they
are much more limited than you suggest.

   The basic implied warranty is that of "merchantability" [UCC 2-314];
that is, the product is good enough to:

  - pass without objection in the trade under the contract description; and

  - in the case of fungible goods, are of fair average quality; and

  - are fit for the ordinary purposes for which such goods are used; and

  - run, within any agreed variations, of even kind, quality and quantity
    within each unit and among all units involved; and

  - are adequately contained, packaged and labelled as the agreement may
    require; and

  - conform to the promises or affirmations of fact made on the container
    or label if any.

    There is also an "implied warranty of fitness for a particular purpose"
when the merchant selects the product for the buyer based on a description of
the intended purpose, and the buyer relies on the seller's skill and judgement.
[UCC 2-315]

    Neither of these warranties are perpetual; rather, they describe the
condition the product is expected to be in when delivered to the buyer.  The
buyer has four years from the date of delivery to file a claim against the
seller, regardless of when s/he becomes aware of the defect. [UCC 2-725]

Charlie Mingo        mingo@well.sf.ca.us    mingo@cup.portal.com
Charlie.Mingo@p4218.f70.n109.z1.fidonet.org
