The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 65

Friday 17 July 1992

Contents

o NY "Hacker" Indictments
John F. McMullen
o Questionmark over nuclear reactor control software
Anthony Naggs
o Call for papers FTCS-23
Mohamed Kaaniche
o Info on RISKS (comp.risks)

NY "Hacker" Indictments

"John F. McMullen (at Marist)" <KNXD%MARISTB@VM.MARIST.EDU>
Fri, 17 Jul 92 13:53:41 EDT
  [The following editorial piece is reproduced in full with thanks from
  Newsbytes, under whose auspices it appeared, and is reprinted with
  permission of the author(s), including at least John F. McMullen, but
  possibly also Barbara E. McMullen -- I could not be sure from the context
  of the double message, one half of which is included here, the other half
  was an explicitly doubly authored news article.  PGN]

Second Thoughts On New York Computer Crime Indictments 7/13/92 NEW YORK, N.Y.,
U.S.A., 1992 JULY 13 (NB) -- On Wednesday, July 9th, I sat at a press briefing
in New York City's Federal Court Building during which law enforcement
officials presented details relating to the indictment of 5 young computer
"hackers". In describing the alleged transgressions of the indicted, United
States Assistant Attorney Stephen Fishbein wove a tale of a conspiracy in which
members of an evil sounding group called the "Masters of Destruction" (MOD)
attempted to wreck havoc with the telecommunications system of the country.

The accused were charged with infiltrating computer systems belonging to
telephone companies, credit bureaus, colleges and defense contractors --
Southwestern Bell, BT North America, New York Telephone, ITT, Information
America, TRW, Trans Union, Pacific Bell, the University of Washington, New York
University, U.S. West, Learning Link, Tymnet and Martin Marietta Electronics
Information, and Missile Group. They were charged with causing injury to the
telephone systems, charging long distance calls to the universities, copying
private credit information and selling it to third parties -- a long list of
heinous activities.

The immediate reaction to the indictments were predictably knee-jerk.  Those
who support any so-called "hacker"-activities mocked the government and the
charges that were presented, forgetting, it seems to me, that these charges are
serious -- one of the accused could face up to 40 years in prison and $2
million in fines; another - 35 years in prison and $1.5 million in fines. In
view of that possibility, it further seems to me that it is a wasteful
diversion of effort to get all excited that the government insists on misusing
the word "hacker"  (The indictment defines computer hacker as "someone who
uses a computer or a telephone to obtain unauthorized access to other
computers.")  or that the government used wiretapping evidence to obtain the
indictment (I think that, for at least the time being that the wiretapping was
carried out under a valid court order; if it were not, the defendants'
attorneys will have a course of action.).

On the other hand, those who traditionally take the government and corporate
line were publicly grateful that this threat to our communications life had
been removed -- they do not in my judgement properly consider that some of
these charges may have been ill-conceived and a result of political
considerations.

Both groups, I think, oversimplify and do not give proper consideration to the
wide spectrum of issues raised by the indictment document. The issues range
from a simple black-and-white case of fraudulently obtaining free telephone
time to the much broader question of the appropriate interaction of technology
and law enforcement.

The most clear cut cases are the charges such as the ones which allege that two
of the indicted, Julio Fernandez a/k/a "Outlaw" and John Lee a/k/a "Corrupt"
fraudulently used the computers of New York University to avoid paying long
distance charges for calls to computer systems in El Paso Texas and Seattle,
Washington. The individuals named either did or did not commit the acts alleged
and, if it is proven that they did, they should receive the appropriate penalty
(it may be argued that the 5 year, $250,000 fine maximum for each of the counts
in this area is excessive but that is a sentencing issue not an indictment
issue.).

Other charges of this black-and-white are those that allege that Fernandez
and/or Lee intercepted electronic communications over networks belonging to
Tymnet and the Bank of America. Similarly, the charge that Fernandez, on
December 4, 1991 possessed hundreds of user id's and passwords of Soutwestern
Bell, BT North America and TRW fits in the category of "either he did it or he
didn't."

A more troubling count is the charge that the indicted 5 were all part of a
conspiracy to "gain access to and control of computer systems in order to
enhance their image and prestige among other computer hackers; to harass and
intimidate rival hackers and people they did not like; to obtain telephone,
credit, information, and other services without paying for them; and to obtain.
passwords, account numbers and other things of value which they could sell to
others."

To support this allegation, the indictment lists 26, lettered A through Z,
"Overt Acts" to support the conspiracy. While this section of the indictment
lists numerous telephone calls between some of the individuals, it mentions the
ame Paul Stira a/k/a "Scorpion" only twice with both allegations dated "on or
about" January 24, 1990, a full 16 months before the next chronological
incident. Additionally, Stira is never mentioned as joining in any of the
wiretapped conversation -- in fact, he is never mentioned again!  I find it
hard to believe that he could be considered, from these charges, to have
engaged in a criminal conspiracy with any of the other defendants.

Additionally, some of the allegations made under the conspiracy count seem
disproportionate to some of the others. Mark Abene a/k/a "Phiber Optik" is of
possessing proprietary technical manuals belonging to BT North America while it
is charged that Lee and Fernandez, in exchange for several hundred dollars,
provided both information on how to illegally access credit reporting bureaus
and an actual TRW account and password to a person, Morton Rosenfeld, who later
illegally accessed TRW, obtained credit reports on 176 individuals and sold the
reports to private detective (Rosenfeld, indicted separately, pled guilty to
obtaining and selling the credit reports and named "Julio" and "John" as those
who provided him with the information). I did not see anywhere in the charges
any indication that Abene, Stira or Elias Lapodoulos conspired with or likewise
encouraged Lee or Fernandez to sell information involving the credit bureaus to
a third party

Another troubling point is the allegation that Fernandez, Lee, Abene and
"others whom they aided and abetted" performed various computer activities
"that caused losses to Southwestern Bell of approximately $370,000." The
$370,000 figure, according to Assistant United States Attorney Stephen
Fishbein, was developed by Southwestern Bell and is based on "expenses to
locate and replace computer programs and other information that had been
modified or otherwise corrupted, expenses to determine the source of the
unauthorized intrusions, and expenses for new computers and security devices
that were necessary to prevent continued unauthorized access by the defendants
and others whom they aided and abetted."

While there is precedent in assigning damages for such things as "expenses for
new computers and security devices that were necessary to prevent continued
unauthorized access by the defendants and others whom they aided and abetted."
(the Riggs, Darden & Grant case in Atlanta found that the defendants were
liable for such expenses), many feel that such action is totally wrong. If a
person is found uninvited in someone's house, they are appropriately charge
with unlawful entry, trespassing, burglary -- whatever the statute is for the
transgression; he or she is, however, not charged with the cost of the
installation of an alarm system or enhanced locks to insure that no other
person unlawfully enters the house.

When I discussed this point with a New York MIS manager, prone to take a strong
anti-intruder position, he said that an outbreak of new crimes often results in
the use of new technological devices such as the nationwide installation of
metal detectors in airports in the 1970's. While he meant this as a
justification for liability, the analogy seems rather to support the contrary
position. Air line hijackers were prosecuted for all sorts of major crimes;
they were, however, never made to pay for the installation of the metal
detectors or absorb the salary of the additional air marshalls hired to combat
hijacking.

I think the airline analogy also brings out the point that one may both support
justifiable penalties for proven crimes and oppose unreasonable ones -- too
often, when discussing these issues, observers choose one valid position to the
unnecessary exclusion of another valid one. There is nothing contradictory, in
my view, to holding both that credit agencies must be required to provide the
highest possible level of security for data they have collected AND that
persons invading the credit data bases, no matter how secure they are, be held
liable for their intrusions. We are long past accepting the rationale that the
intruders "are showing how insecure these repositories of our information are."
We all know that the lack of security is scandalous; this fact, however, does
not excuse criminal behavior (and it should seem evident that the selling of
electronic burglar tools so that someone may copy and sell credit reports is
not a public service).

The final point that requires serious scrutiny is the use of the indictment as
a tool in the on-going political debate over the FBI Digital Telephony
proposal. Announcing the indictments, Otto G. Obermaier, United States Attorney
for the Southern District of New York, said that this investigation was "the
first investigative use of court-authorized wiretaps to obtain conversations
and data transmissions of computer hackers." He said that this procedure was
essential to the investigation and that "It demonstrates, I think, the federal
government's ability to deal with criminal conduct as it moves into new
technological areas." He added that the interception of data was possible only
because the material was in analog form and added "Most of the new technology
is in digital form and there is a pending statute in Congress which seeks the
support of telecommunications companies to allow the federal government, under
court authorization, to intercept digital transmission. Many of you may have
read the newspaper about the laser transmission which go through fiber optics
as a method of the coming telecommunications method. The federal government
needs the help of Congress and, indeed, the telecommunications companies to
able to intercept digital communications."

The FBI proposal has been strongly attacked by the American Civil Liberties
Union (ACLU), the Electronic Frontier Foundation (EFF) and Computer
Professionals for Social Responsibility (CPSR) as an attempt to
institutionalize, for the first time, criminal investigations as a
responsibility of the communications companies; a responsibility that they feel
belongs solely to law-enforcement. Critics further claim that the proposal will
impede the development of technology and cause developers to have to
"dumb-down" their technologies to include the requested interception
facilities. The FBI, on the other hand, maintains that the request is simply an
attempt to maintain its present capabilities in the face of advancing
technology.

Whatever the merits of the FBI position, it seems that the indictments either
would not have been made at this time or, at a minimum, would not have been
done with such fanfare if it were not for the desire to attempt to drum up
support for the pending legislation. The press conference was the biggest thing
of this type since the May 1990 "Operation Sun Devil" press conference in
Phoenix, Arizona and, while that conference, wowed us with charges of "hackers"
endangering lives by disrupting hospital procedures and being engaged in a
nationwide, 13 state conspiracy, this one told us about a bunch of New York
kids supposedly engaged in petty theft, using university computers without
authorization and performing a number of other acts referred to by Obermaier as
"anti-social behavior" -- not quite as heady stuff!

It is not to belittle these charges -- they are quite serious -- to question
the fanfare. The conference was attended by a variety of high level Justice
Department, FBI and Secret Service personnel and veteran New York City crime
reporters tell me that the amount of alleged damages in this case would
normally not call for such a production -- New York Daily News reporter Alex
Michelini publicly told Obermaier "What you've outlined, basically, except for
the sales of credit information, this sounds like a big prank, most of it"
(Obermaier's response -- "Well, I suppose, if you can characterize that as a
prank but it's really a federal crime allowing people without authorization to
rummage through the data of other people to which they do not have access and,
as I point out to you again, the burglar cannot be your safety expert. He may
be inside and laugh at you when you come home and say that your lock is not
particularly good but I think you, if you were affected by that contact, would
be somewhat miffed"). One hopes that it is only the fanfare surrounding the
indictments that is tied in with the FBI initiative and not the indictments
themselves.

As an aside, two law enforcement people that I have spoken to have said that
while the statement that the case is "the first investigative use of
court-authorized wiretaps to obtain conversations and data transmissions of
computer hackers.", while probably true, seems to give the impression that the
case is the first one in which data transmission was intercepted.  According to
these sources, that is far from the case -- there have been many instances of
inception of data and fax information by law enforcement officials in recent
years.

I know each of the accused in varying degrees. The one that I know the best,
Phiber Optik, has participated in panels with myself and law enforcement
officials discussing issues relating to so-called "hacker" crime.  He has also
appeared on various radio and television shows discussing the same issues.
These high profile activities have made him an annoyance to some in law
enforcement. One hopes that this annoyance played no part in the indictment.

I have found Phiber's presence extremely valuable in these discussions both for
the content and for the fact that his very presence attracts an audience that
might never otherwise get to hear the voices of Donald Delaney, Mike Godwin,
Dorothy Denning and others addressing these issues from quite different vantage
points. While he has, in these appearances, said that he has "taken chances to
learn things", he has always denied that he has engaged in vandalous behavior
and criticized those who do. He has also called those who engage in "carding"
and the like as criminals (These statements have been made not only in the
panel discussion but also on the occasions that he has guest lectured to my
class in "Connectivity" at the New School For Social Research in New York City.
In those classes, he has discussed the history of telephone communications in a
way that has held a class of professionals enthralled by over two hours.

While my impressions of Phiber or any of the others are certainly not a
guarantee of innocence on these charges, they should be taken as my personal
statement that we re not dealing with a ring of hardened criminals that one
would fear on a dark knight.

In summary, knee-jerk reactions should be out and thoughtful analysis in!  We
should be insisting on appropriate punishment for lawbreakers -- this means
neither winking at "exploration" nor allowing inordinate punishment. We should
be insisting that companies that have collected data about us properly protect
-- and are liable for penalties when they do not.  We should not be deflected
from this analysis by support or opposition to the FBI proposal before Congress
-- that requires separate analysis and has nothing to do with the guilt or
innocence of these young men or the appropriate punishment should any guilt be
established.
                              (John F. McMullen/1992 07 13)

(Barbara E. McMullen & John F. McMullen/Press Contacts: Federico E. Virella,
Jr., United States Attorney's Office, 212 791-1955; Betty Conkling, United
States Secret Service, 212 466-4400; Joseph Valiquette, Jr, Federal Bureau of
Investigation, 212 335-2715)


Questionmark over nuclear reactor control software

Anthony Naggs <AMN@vms.brighton.ac.uk>
Thu, 16 Jul 92 18:05 BST
From the Computer Weekly for Thursday July 16 1992, with full permission (so
long as I forward copies of all public responses to the newspaper).  The story
once again raises the issue of the appropriate use of software on systems that
must fail safely.

A couple of background notes:
1   Sizewell B is Britain's first PWR (Pressurised Water Reactor), which is
    currently under construction.  A major argument at the planning inquiry
    in favour of this reactor type was that the design was modern and had a
    proven track record in the US and elsewhere.
2   Nuclear Electric is the rump of the national electricity generating
    company, the rest was split into two companies and floated on the stock
    exchange.  My understanding is that it owns/operates all British civil
    nuclear power stations, of various British designs.

I have joined short paragraphs for readability, and all typos are mine.


    SAFETY OFFICIALS DOUBT SIZEWELL B SOFTWARE

    Tony Collins

        Safety inspectors have questioned the ability of computer protection
    systems to prevent a major accident at the Sizewell B nuclear power
    station.  They want more reliance on older and trusted solid-state
    systems without software as a secondary fallback.

        But Nuclear Electric, Sizewell's operator, is unhappy at the request
    as it would increase costs - which have already risen from 1,700 million
    pounds to 2,000 million [times by 2 for US $]- and could delay Sizewell's
    launch, set for 1994.

        The issue was raised at a recent meeting at the Sizewell site of the
    Advisory Committee on the Safety of Nuclear Installations.  It was also
    discussed at a British Computer Society safety critical systems task
    force meeting last week.

        It is understood that the Nuclear Installations Inspectorate (NII),
    part of the Government's Health and Safety watchdog, has asked Nuclear
    Electric to widen its dependence on magnetic core technology for
    protection systems.  Magnetic core systems, supplied by GEC, have been
    used for years in UK nuclear power stations and have no programmable
    software.  [Presumably a magnetic core is a device where failure of a
    current through the core causes control mechanisms to revert to a safe
    state.]

        The move by the NII is a partial victory for computer industry
    campaigners, who have long argued that public safety should not be
    entrusted to complex software.  Under Nuclear Electric proposals,
    Sizewell B will be the first nuclear power station in the UK to rely
    heavily on computers in its primary protection system (PPS), which
    detects a major failure, and, in the event of an incident, automatically
    shuts down the power station in a controlled fashion.

        But the BCS and other safety-critical software experts say the PPS
    systems, supplied by US firm Westinghouse, are too complex to test for
    dependability.  The PPS is based on between 300 and 400 Eagle-series
    microprocessors and 100,000 lines of code.

        The NII says it is up to Nuclear Electric to prove that its
    protection and other systems are safe.  Until now inspectors have taken
    a neutral line, saying they are waiting for all the documentation from
    Nuclear Electric before deciding on whether the software is safe.

        However, officials now indicate that they may refuse to give Nuclear
    Electric consent to operate Sizewell B, unless the secondary non-
    computerised systems provide back-up to all aspects of the computerised
    PPS.

        Nuclear Electric admits that the GEC secondary circuits back-up most,
    but not all, the computer protection systems.  A spokesman for the NII
    said it has requested, rather than stipulated, that the secondary systems
    be strengthened.  "We have asked them (Nuclear Electric) to consider
    extending the secondary systems as a prudent measure."

Anthony Naggs, PO Box 1080, Peacehaven BN10 8PZ, Great Britain
        E-mail: amn@vms.brighton.ac.uk      +44 273 589701 (vox)


Call for papers FTCS-23

<kaaniche@tsf.laas.fr>
Fri, 17 Jul 92 17:53:14 +0200
    *             FTCS-23 : CALL FOR PAPERS                     *
    *                                                           *
    *    The Twenty Third Annual International Symposium        *
    *             on Fault-Tolerant Computing                   *
    *                                                           *
    *            Toulouse, France, June 22-24, 1993             *
    *                                                           *
    *      Sponsored by IEEE Computer Society and LAAS-CNRS     *
    *          in cooperation with AFCET and IFIP WG 10.4       *

AIMS and TOPICS

The Fault-Tolerant Computing Symposium is the major international forum in
computing system dependability. The symposium scope spans system, software
and hardware issues, including: architectures, design, implementation,
specification, modeling, test, diagnosis, evaluation and validation of
dependable and fault-tolerant computing systems.

In addition to regular paper presentations and panel discussions, the
symposium offers special sessions on

    i)  practical experience in fault-tolerant computing such as design and
      deployment of a system, failure and recovery field data, and
      correlation of field data with model predictions,
     ii)     innovative ideas in early stages of research and development,
     iii)   demonstrations of software tools and systems.

Major topics include, but are not limited to:

        -   Fault-Tolerant Architectures,
        -   Fault Tolerance in On-line Transaction Processing Systems,
        -   Distributed Systems and Real-Time Systems,
        -   Safety-Critical Systems,
        -   Software Fault Tolerance,
        -   Testing and Verification,
        -   Dependability Modeling and Prediction,
        -   Defect Tolerance,
        -   Concurrent Error Detection in VLSI circuits.

INFORMATION FOR AUTHORS

All submitted material (written in English) will be refereed and should be
typed in 1-1/2 spaced, 12 point font. All accepted material will appear in
the proceedings.

PAPERS should not exceed 20 pages including figures and text.

PANEL proposals should include the topic(s), a maximum two-page description
of the panel objectives, names and addresses of the probable panelists. The
proposed panel chair should include a one-page biographical sketch.

For PRACTICAL EXPERIENCE REPORTS and EARLY INNOVATIVE IDEA REPORTS, the
submission should be a 5-10 page description of the experience or the idea.
These manuscripts must be marked either "Practical Experience" or
"Innovative Idea" for them to be considered in their respective categories.

For SOFTWARE DEMONSTRATIONS, the submission should be a 5-10 page
description of the software, its context and objective, and of the planned
demonstration. Sun workstations and MacIntoshes connected to a video
projector will be available. Please indicate on a separate sheet the
requirements for the demonstration. These manuscripts must be marked
"Software Demonstration".

SUBMISSIONS

Six copies of a 1-page abstract and a list of 5 keywords should be
submitted to program chair Ambuj Goyal before October 30, 1992. Mark the
envelope "FTCS 23 submission". Abstracts will be used for referee
assignments. Please submit your abstracts on time to get best possible
reviewing coverage.

Six copies of the papers, panel proposals, practical experience reports,
early innovative idea reports and software demonstrations should be
submitted to program chair Ambuj Goyal by December 4, 1992 and should be
accompanied by ten copies of a title page which includes: the title, author
name(s), affiliations, mailing address, phone number, fax number and
e-mail, a maximum 150-word abstract, five keywords, an approximate word
count and a declaration that the material has been cleared through author
affiliations. For multi-authored submissions, the principal contact should
be indicated. Mark the envelope "FTCS 23 submission". Submissions arriving
late or significantly departing from length guide-lines, or papers
published or submitted elsewhere will be returned without review.

Notification of acceptance or rejection of all submissions will be made by
March 12, 1993.

EXHIBITS

Exhibitors from both industrial and academic communities are encouraged.
This will be an opportunity to present advanced products to an informed and
sophisticated audience. Proposals must be submitted to exhibits chair
Jean-Claude Rault by March 1, 1993 on the official application form
available from the exhibits chair.

GENERAL CHAIR:  Jean-Claude Laprie (LAAS-CNRS)
                7 Avenue du Colonel Roche
                31077 Toulouse - France
                E-mail: Jean-Claude.Laprie@laas.fr

PROGRAM COMMITTEE:

CHAIR:  Ambuj Goyal
              IBM T.J. Watson Res. Center
            P.O. Box 704
            Yorktown Heights, NY 10598, USA
            E-mail: ambuj@watson.ibm.com

V.Agarwal (CDN)    J.Hlavicka (CS)      D.Lenoski (USA)     W.Sanders(USA)
J. Arlat (F)       R.Iyer (USA)         Y.Levendel (USA)    N.Saxsena(USA)
D.Avresky (BG)     N.Kanekawa (J)       R.Leveugle (F)     J.Shen(USA)
M.Banatre (F)      J.Karlsson (S)   M.Malek (USA)        S.Shrivastava(GB)
P.Banerjee (USA)      J.Kelly (USA)     G.Masson (USA)      D.Siewiorek(USA)
D.Blough (USA)      K.Kinoshita (J)   J.Meyer (USA)      L.Simoncini (I)
F.Cristian (USA)      H.Kopetz (A)       T.Nanya (J)           B.Smith(USA)
T.Dahbura (USA)    T.Krol (NL)        M.Nicolaidis (F)    Y.Tamir(USA)
C.Georgiou (USA)      J.Lala (USA)       D.Powell (F)         D.Taylor(CDN)
J.Gray (USA)          G.Le Lann (F)     S.Reddy (USA)        H.Wunderlich(D)

CONFERENCE COORDINATOR

Marie-Therese Ippolito (LAAS-CNRS)
E-mail: Marie-Therese.Ippolito@laas.fr

PUBLICATION CHAIR

David Powell(LAAS-CNRS)
E-mail: David.Powell@laas.fr

PUBLICITY CHAIR

Mohamed Kaaniche(LAAS-CNRS)
E-mail: Mohamed.Kaaniche@laas.fr

EXHIBITS CHAIR

Jean-Claude Rault (EC2)
269 rue de la Garenne
92024 Nanterre - France
Tel +(33) 1 47 80 70 00
Fax +(33) 1 47 80 66 29

EX OFFICIO

Jacob Abraham, FTC-TC Chair
The University of Texas at Austin
2201 Donley Drive
Austin, TX 78758 - USA
jaa@cerc.utexas.edu

FOR FURTHER INFORMATION and/or a copy of the advance program when
available, contact:

                     Mohamed Kaaniche
                     LAAS-CNRS
                     7 Avenue du Colonel Roche
                     31077 Toulouse - France
                        E-mail: Mohamed.Kaaniche@laas.fr
                        Tel +(33) 61 33 64 05
                        Fax +(33) 61 33 64 11

 Mohamed KAANICHE              email: kaaniche@laas.fr
 LAAS-CNRS                      tel:   +33 / 61.33.64.05
 7 av du colonel Roche          fax:   +33 / 61.33.64.11
 31077 TOULOUSE Cedex
 FRANCE

Please report problems with the web pages to the maintainer

Top