The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 16

Monday 24 February 1992

Contents

o Computer causes Olympics scoring error
David Shepherd
o Strasbourg Airbus crash report leaked
James Paul
o More on Privacy in Australia
Bruce Howarth
o Italian crooks let others pay phone bill
Debora Weber-Wulff
o Risk of Voice Mail Command Choices
Randall C Gellens
o RISCs of AP news reports
John Sullivan
o Proposal for policy on calculator use during exams
Todd M. Bezenek
o The Worth of Computing
Tony Buckland
o Computer Hackers Get Into Credit Records
Joe Brownlee
o VT Caller ID Decision
Marc Rotenberg
o Carpal Syndrome reports rise sharply
Brinton Cooper
o Re: System certification again
Dave Parnas
o MBDF Macintosh virus
Tom Young
o FBI Eavesdropping Challenged
o Info on RISKS (comp.risks)

Computer causes Olympics scoring error

David Shepherd <des@inmos.com>
Fri, 21 Feb 92 16:52:27 GMT
During the first session of the women's ice skating competition, the UK's number
1 skater, Joanne Conway, complained of biased scoring after the Canadian judge
gave her only 4.2 marks while all the other judges gave around 5.0 to 5.5.
Subsequently the Canadian judge has revealed that she intended to give 5.2
marks.  Each possible score has a separate button to press to signal the score
to the computerized scoring system.  By mistake the judge pressed 4.2 instead
of 5.2 and, even though she realized her mistake, there was no provision to
correct the mark.  The only way of correcting it would have been for the UK
team to lodge an official appeal - which wasn't considered worthwhile as it was
only the difference between 17th and 15th place.

In another incident the UK 2 man bob team, in the lead at that stage, went out
of contention after being kept at the start for 7 minutes while one of the
intermediate timing controls was fixed - note that this timer was not needed
for the actual result, just to give an intermediate split time. Perhaps another
indication of where technology becomes the master rather than the servant of
sport.  (Some people have tried to read a more sinister implication of a Swiss
engineer holding the leading team up for 7 minutes which helped the Swiss No 1
bob go into the lead!)

david shepherd: des@inmos.co.uk or des@inmos.com    tel: 0454-616616 x 625
                inmos ltd, 1000 aztec west, almondsbury, bristol, bs12 4sq

    [The old Swisseroo?  Bobbing for Apples (if they were using a Mac)?
    The "Unified" team now has to settle for good marks and Lennon music.
    Next time someone will figure out how to hack into the scoring computers.

    I wondered on several very obviously partisan judges' scorings, with
    outrageous (+/- outlier/outliar) scores, whether the judge was overtly
    trying to cheat ...  I thought they used to discount the highest and
    the lowest scores on judged events, but apparently not.  PGN]
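As an added example (not from the digest or its contributors), the two mitigations this item points at are written out in Python: a correction window before a judge's mark is committed, with every key press logged, and a trimmed average that discards the highest and lowest marks. The nine-judge panel, the 0.0 to 6.0 mark scale, the judge identifiers and the sample marks are constructed assumptions chosen to reproduce a 4.2 keyed in place of an intended 5.2.

```python
from statistics import mean

# Constructed sample marks (an assumption, not figures from the report):
# nine judges, one of whom pressed 4.2 when 5.2 was intended.
INTENDED = [5.0, 5.2, 5.1, 5.5, 5.3, 5.0, 5.4, 5.2, 5.1]
KEYED    = [5.0, 4.2, 5.1, 5.5, 5.3, 5.0, 5.4, 5.2, 5.1]  # judge 2 mis-keyed

# Assumed scale: one button per mark, 0.0 to 6.0 in steps of 0.1.
VALID_MARKS = frozenset(round(i / 10, 1) for i in range(0, 61))


def plain_mean(marks):
    """Average of all marks: a single wrong mark moves the result by its full error / n."""
    return mean(marks)


def trimmed_mean(marks, drop=1):
    """Discard the `drop` highest and `drop` lowest marks, then average the rest.
    A single outlying mark (mistake or partisan score) is dropped, which bounds
    but does not entirely remove its effect: the mark it displaces at the edge
    of the kept range still changes."""
    if len(marks) <= 2 * drop:
        raise ValueError("not enough marks to trim")
    ordered = sorted(marks)
    return mean(ordered[drop:len(ordered) - drop])


def mark_impact(intended, keyed, aggregate):
    """How far the aggregate result moves because of the mis-keyed mark."""
    return abs(aggregate(intended) - aggregate(keyed))


class ScoreEntry:
    """Score intake with a correction window: a key press only stages a mark,
    which the judge can correct until it is confirmed. All steps are logged so
    the record shows what was pressed, what was corrected and what was committed."""

    def __init__(self):
        self.pending = {}    # judge_id -> mark awaiting confirmation
        self.committed = {}  # judge_id -> confirmed mark
        self.log = []        # audit trail of (event, judge_id, ...) tuples

    def press(self, judge_id, mark):
        if mark not in VALID_MARKS:
            raise ValueError(f"no such mark button: {mark}")
        self.pending[judge_id] = mark
        self.log.append(("staged", judge_id, mark))

    def correct(self, judge_id, mark):
        # Only a pending mark can be changed; the original value stays in the log.
        if judge_id not in self.pending:
            raise KeyError(f"no pending mark for {judge_id}")
        if mark not in VALID_MARKS:
            raise ValueError(f"no such mark button: {mark}")
        self.log.append(("corrected", judge_id, self.pending[judge_id], mark))
        self.pending[judge_id] = mark

    def confirm(self, judge_id):
        mark = self.pending.pop(judge_id)
        self.committed[judge_id] = mark
        self.log.append(("committed", judge_id, mark))
        return mark


if __name__ == "__main__":
    print("plain mean shift:  ", mark_impact(INTENDED, KEYED, plain_mean))
    print("trimmed mean shift:", mark_impact(INTENDED, KEYED, trimmed_mean))
    entry = ScoreEntry()
    entry.press("judge-2", 4.2)      # the mistaken key press
    entry.correct("judge-2", 5.2)    # allowed while the mark is still pending
    entry.confirm("judge-2")
    print(entry.log)
```

With these constructed marks the plain average moves by 1/9 (about 0.11) because of the single wrong key, while the trimmed average moves by 0.2/7 (about 0.03); trimming limits the damage from one outlying mark, whether mis-keyed or partisan, and the correction window removes it at the source.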


Strasbourg Airbus crash report leaked

James Paul, U.S. House Science Committee <"NOVA::PAUL"@yttrium.house.gov>
Fri, 21 Feb 1992 10:46:30 -0500 (EST)
AIRBUS CRASH PROBE CITES HUMAN, TECHNICAL ERROR

   PARIS, Feb 20, Reuters - French television said on Thursday a preliminary
report to be published next week on the causes of last month's Airbus A320
crash which killed 87 people did not blame the disaster on any single factor or
person.  The TF-1 channel said the independent commission's report concluded
that a mixture of human and technical error had caused the Air Inter flight
from Strasbourg to Lyon to plough into a snow-covered mountainside on January
20, just five minutes before it was scheduled to land.  Nine people survived.
TF-1 said the commission's findings showed the Strasbourg airport was not
equipped with landing approach systems matched to the sophistication of the
Airbus, and that there were serious failings in the crash plane's altimeter
system.  The commission concluded the pilot either did not know how or was
unable to stop the plane's abnormally rapid descent, according to TF-1.  The
station did not reveal how it gained access to the report.
   Publication of the report was delayed because Transport Minister Paul Quiles
is visiting Portugal on Friday and wants to study the findings before
commenting.
   The French civil aviation authority has already taken some preliminary
measures, urging all airlines flying the A320 to review their procedures for
using the VOR-DME beacon system for landing.  But the authorities decided
against grounding the planes, saying there was no initial evidence that
mechanical problems caused the disaster.
   National carriers Air France and Air Inter earlier this month banned their
pilots from using the automatic landing procedure until further notice.
   A spokeswoman for Toulouse-based Airbus Industrie said earlier the aircraft
maker did not yet have a copy of the report and would have no comment until it
did.  Meanwhile a judge investigating legal responsibility for the crash staged
a reconstruction flight on Thursday, circling the accident site three times.


More on Privacy in Australia

<bruce@socs.uts.edu.au>
Wed, 19 Feb 92 08:55:55 EST
   [RISKS-13.14 included "Australian Government Bungles Private Data".
   Bruce submitted the article "DSS blames printer restart for bungle", by
   John Hilvert, in Computerworld Australia, 14 Feb 1992, omitted here.  That
   article supports the printer-restart synchronization glitch theory.  PGN]

By one of *those* coincidences, it was reported on TV the same week that a
branch of the Australian Taxation Office (ATO) sent similarly misprinted forms
to some (as I recall, 80) taxpayers.  Two of the taxpayers had contacted each
other, then presumably the media, to share their disgust at the release of
income and savings data.  An ATO employee on the TV claimed that the misprints
had been caused by a folded page in a box of paper.

Bruce Howarth, Uni of Technology Sydney


Italian crooks let others pay phone bill

Debora Weber-Wulff <weberwu@inf.fu-berlin.de>
Sat, 22 Feb 1992 12:54:43 GMT
[Translated by DWW from the Berlin daily Newspaper "Tagespiegel", 22 Feb 1992]

lui, Rome, 21. February 1992. [...] Half a million Italians are the proud
owners of portable telephones. The cordless appliance has become the favorite
toy of the Southerners, but the game may soon be over: the "telefonini" are not
protected.

Under the motto "Buy one, pay for two", crooks sell manipulated phones that are
used so that the buyer has to pay for the toll calls of the seller.  The trick
works like this: the crooks take a computer with a computing program [whatever
that is ;-) dww] like the ones used to crack automatic teller machines, and
fuss with it until they find the secret code for the telephone.  The code is a
combination of the telephone number and the serial number that is supposed to
only be available to the telephone company SIP.  When the code has been
cracked, it is no problem to transfer it to a second telephone, so that both
telephones have the same license number.  One phone is sold "under the hand" by
the crooks.  As an added deal, the buyer not only gets to pay his own phone
bill, but the fees run up on the second phone as well.  The Italian underworld
is especially keen on using this method.[...]  The mafia uses the "portabili"
for conducting their unclean business.

[... The police] have not been able to find the instigators, but they suspect
that employees of the telephone manufacturing company are involved, as they
have the knowledge of how the phones are constructed. [...]  The portable
telephone is well-known for the ease of tapping the telephone conversations
[which cannot, however, be traced to the place of origin. A book called "Italy,
I hear you calling" with some of the more interesting tapped conversations has
just been published.]

[Why is such a telephone easy to crack and easy to reprogram?  dww]

Debora Weber-Wulff, Institut fuer Informatik, Nestorstr. 8-9, D-W-1000
Berlin 31         +49 30 89691 124             dww@inf.fu-berlin.de


Risk of Voice Mail Command Choices

Randall C Gellens <0005000102@mcimail.com>
Wed, 19 Feb 92 09:15 GMT
[I sent this as a reply to Telecom.  It's probably not a serious enough
risk to go into Risks, but I thought I'd let you decide.  --Randy]

In TELECOM Digest Volume 12 : Issue 108, the moderator (Patrick A.
Townson) discusses Ameritech Voice Mail Commands and Security Flaws:

>   After the message has played out, 5 to delete it; 7 to save it.

Considering that the Aspen voice mail product (from Octel, I think) uses 7 to
delete a message, and that Aspen is widely used by businesses, this seems an
unfortunate choice, as people with Aspen at work and IBT RVMS at home will be
likely to confuse 7 and end up deleting messages by accident.  Of course, this
is not as serious a risk of nonstandardization as airline flight controls which
differ from model to model :-).
                                                --Randy


RISCs of AP news reports

<sullivan@geom.umn.edu>
Mon, 24 Feb 1992 10:55:18 -0600
An Associated Press article on new processor chips announced at the
International Solid State Circuits Conference appeared in the (Minneapolis)
Star Tribune last Thursday.  It says, in the middle:
    Most of the chips use a technology called reduced instruction
    set computing (RISC), which speeds the processing of data
    by limiting the number of instructions the processor must execute.
    The microprocessors that power personal computers, by contrast,
    use a different technology.
Of course, limiting the number of instructions a processor knows how to execute
typically increases the number of instructions it must execute.

The Op-Ed page of The New York Times yesterday (Feb 23) has an essay by David
Gelernter from Yale's CS dept complaining that when newspapers (even The Times)
use the term "operating system", they feel obliged to define it.  But someone
who doesn't know what one is is "not going to learn on the basis of a single
phrase, no matter how artfully crafted".

He doesn't mention how misleading a single phrase can be, if crafted by
a reporter who doesn't know technology.

-John Sullivan, Sullivan@Geom.UMN.Edu


Proposal for policy on calculator use during exams

Todd M. Bezenek KO0N <plains!bezenek@uunet.uu.net>
21 Feb 92 07:01:23 GMT
     [This is an article which I recently posted to comp.sys.handhelds and
     comp.sys.hp48.  It is in response to a discussion regarding the use of
     calculators on university exams.  I am posting it to comp.risks because it
     demonstrates the risk of introducing computing power into the classroom
     where it may be misused.  TMB]

I have reviewed the responses concerning calculator policies at universities
from all over the world.  Thank you to everyone for sending them.  The
following is my proposed policy.  This policy is intended to eliminate problems
associated with using note-style information, without eliminating the use of
the calculating power of these devices.  If you have any comments, please post
them after thinking them through fully.

   Proposed Policy Regarding the Use of Portable Calculating
           Devices during Closed-Note Examinations

    If a student uses a portable calculating device during a closed-note
examination for the purpose of storing notes, that student shall be considered
guilty of an infraction equivalent to using said notes as they would appear on
paper.

    In the case that a proctor believes beyond a reasonable doubt that a
student is violating the above policy, that proctor shall immediately remove
the calculating device from the student's possession.  The proctor may then
choose whether or not the student should be allowed to complete the
examination.  The calculating device shall remain in the possession of the
proctor until the contents of its memory--both vendor supplied and user
programmed--can be examined.

    The decision of whether or not the above policy has been violated
should be based upon the judgement of a faculty member who shall examine the
memory of the calculating device before it is returned to the student.  In the
case that the memory is found to contain information which, when transferred to
paper, would be considered an unallowable aid, the student shall be considered
guilty of the infraction described above.

    In the case that the student is found to not be in violation of the
above infraction, the student should be allowed to rewrite the examination if
the student so chooses.  Alternately, if the student is found to be in
violation, the student is subject to the same university policies that govern
the use of unallowed notes equivalent to that which would result from
transferring the memory of the calculating device to paper.
     In no case will the student forfeit possession of the calculating device
indefinitely.

Respectfully submitted, Todd M. Bezenek

Todd Michael Bezenek, KO0N         Internet:  bezenek@plains.nodak.edu
  UUCP:  uunet!plains!bezenek        Bitnet:  bezenek@plains


The Worth of Computing

Tony Buckland <buckland@ucs.ubc.ca>
24 Feb 92 15:04 -0800
From @yonge.csri.toronto.edu:msb@sq.sq.com  Mon Feb 24 14:50:45 1992

You write in can.general:

>  Yesterday, thieves broke into a VanCity Savings branch and stole
>  two bags from a night deposit box.  But not to worry - unless
>  you're in the computing game and proud of it - " ... all they
>  got were worthless computer printouts and administration documents."

                     Mark Brader, Toronto, utzoo!sq!msb, msb@sq.com


Computer Hackers Get Into Credit Records

<joe@cbquest.att.com>
20 Feb 1992 7:15 EST
From the Columbus, Ohio, _Dispatch_.  Any typos are mine.

Computer Hackers Get Into Private Credit Records

DAYTON - Computer hackers obtained confidential credit reports of Midwest
consumers from a credit reporting firm in Atlanta.  Atlanta-based Equifax said
a ring of 30 hackers in Dayton [Ohio] stole credit card numbers and bill-paying
histories of the consumers by using an Equifax customer's password.

Ronald J. Horst, security consultant for the company said the break-in
apparently began in January.  Police don't know if the password was stolen
or if an employee of the client company cooperated with the hackers.  Horst
said the hackers were apparently doing it just for fun.  No charges have
been filed.  Equifax will notify customers whose credit reports were taken.

[End of quotation]

The usual caveats about media reporting of computer-related topics apply here.
One thing I don't like about this article is the implication that since the
hackers were doing this for "fun", they won't be prosecuted.  Of course, the
article doesn't say that exactly, but I'll be watching to see if this case
goes any farther.

I'll also be waiting to see if I'm one of those people whose credit reports
were stolen, and, if so, what Equifax intends to do about it other than to
notify me.

Joe Brownlee, Analysts International Corp. @ AT&T Network Systems, 471 E Broad
St, Suite 2001, Columbus, Ohio 43215 (614) 860-7461 joe@cbquest.att.com


VT Caller ID Decision

Marc Rotenberg <Marc_Rotenberg@washofc.cpsr.org>
Wed, 19 Feb 92 11:59:52 PST
  VT Caller ID Decision
The Vermont Public Service Board has just released its Caller ID decision.
It's a good result with an interesting new wrinkle.

Vermont will require that New England Telephone (NET) make free, per-call
blocking available to all subscribers.  NET will also be required to provide
free, per-line blocking to all subscribers with non-published telephone
numbers.  And NET will be required to provide free, per-line blocking to all
subscribers who have "a legitimate concern that it would be unsafe to transmit"
their telephone numbers, including clients, volunteers and staff associated
with domestic violence and sexual assault agencies.

The Hearing Officer initially recommended that such requests should be subject
to review by NET, but the Public Service Board rejected this approach.  The
Board ruled that all customers should be entitled to receive free per-line
blocking through a "simple declaration."

The Vermont Public Service Board thus found a clever solution to a difficult
problem that was first identified in the Pennsylvania Caller ID case.  In that
case, as in Vermont, concern was expressed that certain individuals may require
blocking to maintain personal safety.  But the Bell company's proposed
"certification procedure" left it unclear as to who would qualify for privacy
protection or how adverse decisions could be appealed.

For these reasons, the Pennsylvania court held that the certification procedure
violated basic due process rights.  (The Pennsylvania court also found that
Caller ID violated the state wiretap statute and the state constitutional right
of privacy and ruled that the service could not be offered in the state).

The due process problem -- deciding who is entitled to greater privacy
protection and who gets to make the decision -- remains one of the most
interesting and difficult issues in the Caller ID debate.

In ruling that phone subscribers should be entitled to decide for themselves
whether per-line blocking is appropriate, Vermont has avoided the due process
problem that arose in Pennsylvania.

In the Vermont proceeding, CPSR was asked to serve as the Board's expert
witness after the Board determined that "there existed a serious imbalance in
the respective parties' ability to present evidence on all relevant issues."

New England Telephone then retained Harvard Law School Professor and Legal
Affairs TV Commentator Arthur Miller as their expert.  Professor Miller had
earlier stated that Caller ID should be offered without blocking, but in this
case acknowledged that per-call blocking might be an appropriate solution.

CPSR provided extensive testimony for the Vermont Public Service Board on the
privacy implications of Caller ID after carefully reviewing concerns expressed
by those affiliated with domestic violence shelters in the state.

Marc Rotenberg, CPSR Washington Office


Carpal Syndrome reports rise sharply (Helgesen, RISKS-13.14)

Brinton Cooper <abc@BRL.MIL>
Wed, 19 Feb 92 16:26:07 EST
Jeff Helgesen relates a Chicago Tribune article on the sharp increase in Carpal
Tunnel Syndrome (repetitive-motion disorder) and the discussion about high-risk
workplace environments.  The article said, in part,

|When someone applies force over and over to the same group of muscles,
|the same joint or the tendon, the result may be tissue tears and trauma.
|Other factors causing damage are awkward joint posture and prolonged
|constrained posture.

I have no doubt that this is true as stated.  However, anecdotal
evidence causes me to wonder if we're missing something.  (I emphasize
that this is anecdotal.)  Every sufferer of carpal tunnel of whom I am
personally aware is a cashier at a supermarket.  Yet, I work in a
laboratory where some very intensive computing activity takes place.  We
have people who frequently spend more than 10 hours out of 24 at
keyboards.  I am unaware of any carpal tunnel cases here (although I
admit the possibility).  This causes me to wonder:

    What part does psychological or emotional stress play in the
    development of repetitive-motion disorders?

Supermarket cashiers do the work largely for the money.  Folks at this lab work
here for the same reason, but there is great job satisfaction, (dare I call it
"fun?") here that doesn't exist at the grocery store.  Does it matter?

(It's no less a risk either way, but it's better to understand the risk as much
as possible.)
                                           Brint

   [By the way, apologies for losing Elizabeth Willey's contribution in
   RISKS-13.15.  She pointed out that there are lots of parts of the body
   that can suffer from repetitive motion syndromes, not just the carpal
   tunnel areas.  Somehow her message got lost.  Sorry.  PGN]


Re: System certification again (RISKS-13.15)

Dave Parnas <parnas@triose.eng.McMaster.CA>
Wed, 19 Feb 92 08:45:28 EST
Marc Horowitz was correct and Perry E. Metzger and Rich Kulawiec, with the
support of Peter Neumann, proved him correct.
                                                      Dave


MBDF Macintosh virus

Tom Young <xmu@piccolo.cit.cornell.edu>
Fri, 21 Feb 92 23:20:10 GMT
(This is being posted on behalf of M. Stuart Lynn)

As I am sure you are aware, a new Macintosh virus, MBDF-A, has been detected in
the Info-Mac archives at SUMEX-AIM that has also been mirrored to other
archives. Furthermore, it appears that the virus may have originated from or
have been vectored through a machine at Cornell.

Other folks are addressing issues of detection, elimination, and prevention. I
just want you to know that we at Cornell take this situation most seriously,
and are doing everything we can to track down the origin and the originator of
this virus. The university absolutely deplores this kind of behavior, and
should it indeed prove that the originator was a member of this community we
will pursue all appropriate remedies under our computer abuse policy.

If anyone out there has any relevant technical information that would help us
track down the originator, I would appreciate it if you would send it to Tom
Young (XMU@cornellc.cit.cornell.edu).

M. Stuart Lynn, Vice President for Information Technologies, Cornell University
607-255-7445
              [Also posted to RISKS by
              laurie@piccolo.cit.cornell.edu (Laurie Collinsworth)]


FBI Eavesdropping Challenged

<[anonymous]>
Tue, 18 Feb 92 10:01:34 PST
     FBI Eavesdropping Challenged
   WASHINGTON (AP, 17 Feb 1992)
   Cellular telephones and other state-of-the art telecommunications technology
are seriously challenging the FBI's ability to listen to the telephone
conversations of criminal suspects, law enforcement officials say.  The FBI is
seeking $26.6 million next year to update its eavesdropping techniques.
Normally tight-lipped FBI officials become even more closed-mouthed when the
subject of investigative "sources and methods" comes up.  But a review of the
bureau's 1993 budget request provides an unusual glimpse into the FBI's
research on electronic surveillance and its concerns about new technologies.
   "Law enforcement is playing catchup with the telecommunications industry's
migration to this technology," said the FBI's budget proposal to Congress. "If
electronic surveillance is to remain available as a law enforcement tool,
hardware and software supporting it must be developed."
   The new technologies include digital signals and cellular telephones.  At
the same time, there has been an increase in over-the-phone transmission of
computer data, which can be encrypted through readily available software
programs, say industry experts and government officials.
   The FBI's five-year research effort to develop equipment compatible with
digital phone systems is expected to cost $82 million, according to
administration figures.
   The FBI effort is just a part of a wider research program also financed by
the Pentagon's secret intelligence budget, said officials who spoke on
condition of anonymity.
   Electronic surveillance, which includes both telephone wiretaps and
microphones hidden in places frequented by criminal suspects, is a key tool for
investigating drug traffickers as well as white-collar and organized crime.
   Conversations recorded by microphones the FBI placed in the New York City
hangouts of the Gambino crime family are the centerpiece of the government's
case against reputed mob boss John Gotti, now on trial for ordering the murder
of his predecessor, Paul Castellano.
   Taps on the phones of defense consultants provided key evidence in the
Justice Department's long running investigation of Pentagon procurement fraud,
dubbed "Operation Ill Wind."  But with the advent of digital phone signals, it
is difficult to unscramble a single conversation from the thousands that are
transmitted simultaneously with computer generated data and images, industry
officials said.
   "In the old days all you had to do was take a pair of clip leads and a head
set, put it on the right terminal and you could listen to the conversation,"
said James Sylvester, an official of Bell Atlantic Network Services Inc.  But
digital signal transmission makes this task much more difficult. Conversations
are broken into an incoherent stream of digits and put back together again at
the other end of the line.
   John D. Podesta, a former counsel to the Senate Judiciary's law and
technology subcommittee, said the FBI and other law enforcement agencies are
simply victims of a technological revolution.  For more than 50 years the basic
telephone technology remained the same.
