The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 79

Friday 11 September 1992

Contents

o "Sneakers" -- A Topical Movie Review
Donn Parker
o Police probe mans death in Citibank disk case
Pat Cain
o Arrest warrant database problems
James Hanlon
o New computer delays Berlin Fire Department
Debora Weber-Wulff
o Hardware failure stops school
Andrew Marchant-Shapiro
o PC board waste in San Francisco Bay
Phil Agre
o Re: TCAS
Nancy Leveson
o Registration and Hotel Information - 15th National Computer Security Conference
Jack Holleran
o Info on RISKS (comp.risks)

"Sneakers" -- A Topical Movie Review

<donn_parker@qm.sri.com>
11 Sep 1992 08:00:03 -0800
    [The following review was prepared by Donn Parker for distribution to the
    members of the International Information Integrity Institute (known as
    I-4), an organization consisting of something like 60 companies with
    significant interest in improved computer security and integrity, which
    is managed by SRI -- with Donn as one of its key players.  This review is
    reproduced here with his permission, and is authorized for further
    distribution, with appropriate attribution.  Sneakers opens today to the
    general public, although in a few selected theaters it opened on Wednesday,
    presumably to get early reviews.  (Both Donn and I had been visited by
    Parkes and Lasker regarding security risks, in their preparation for the
    screenplay for WarGames.  They even used some of our ideas.  In general,
    Sneakers seems technologically sounder, and is certainly of interest to
    RISKS readers.  For those of you who don't know Donn, he is often
    referred to as the Great Bald Eagle of Computer Security.)  PGN]

FILM REVIEW OF SNEAKERS
by Donn B. Parker
September 1992

Sneakers (released September 11, 1992 by Universal Studios, owned by Matsushita
Electric Industrial Co. Ltd., and promoted in association with CompuServe,
owned by H&R Block) starring Robert Redford, Dan Aykroyd, Ben Kingsley, Mary
McDonnell, River Phoenix, Sidney Poitier, and David Strathairn; directed by
Phil Alden Robinson (Field of Dreams director); and produced and written by
Walter F. Parkes and Lawrence Lasker (writers and producers of WarGames in
1981).

The new computer crime movie, Sneakers (as in hackers who wear sneakers and
sneak into computers) was previewed in a San Francisco showing sponsored by
Universal Studios and Mondo 2000 Magazine (a slick-cover psychedelic
publication of the Timothy Leary genre appealing to hackers) and attended by a
large segment of the Bay Area hacker community including Cap'n Crunch.  I had
assisted the writers, Messrs. Lasker and Parkes, with their first movie,
Wargames-much to my chagrin because the technology was so distorted.  This time
they had the technical assistance of Len Adleman (the A in RSA Crypto) from
USC and Robert Abbott, an information security consultant of long standing.
This Mission Impossible, PG-rated (only three "God damn"s and almost no sex)
film is mostly technologically believable, unlike Wargames.  We can forgive
them for showing a Cray computer with a terminal displaying Windows 3.1.

All information security professionals should see this film and use it to
promote security awareness.  Some critics may pan it, but it has all the
ingredients for financial success.  It has:

o  great chase and other street action scenes in the
   beautiful San Francisco Bay Area
o  an interesting but predictable plot
o  the blind technician who finds the bad guys' hideout
   from sounds heard from the trunk of a car
o  the old technique of the bad guy shooting into the
   ceiling tiles at his hidden enemy hiding in ceiling duct area
o  three bloodless murders
o  total unconsciousness produced by simple taps on
   the head followed by immediate concussion-less
   revival with little visible damage
o  popular stars, Redford, Poitier, Aykroyd, and
   Kingsley, who look like the oldest hackers in the
   world (except for me and Cap'n Crunch)
o  great human melodrama with good character
   development and not too much technical sci-fi stuff
o  the good guy and his girlfriend at the mercy of the
   bad guy in the grand finale
o  cryptography very well explained and used for a
   general audience
o  the proverbial spinning computer tape drive, and
o  as usual with Lasker and Parkes, a moral at the end.

Universal has uniquely teamed up with CompuServe and CompUSA computer stores to
promote the movie.  A chat board has been set up to fire questions about the
movie at Mr. Robinson, the director, who has been using CompuServe for 8
years.  Anagram and secret password games can be played, with prizes including
trips to Hollywood and Robert Redford's jacket worn in the film.  The film is
sure to be a big hit in Europe and Japan as well as in the United States and
should appeal to the juvenile hacker culture throughout the world.

One unbelievable item is the skimpy $175,000 accepted by Redford's security
penetration (read "tiger team") consulting company for a record-breaking
information security project.  Redford's team plus all the high-priced
technical equipment were worth much more than that.  They had to steal the
universal decryption black box-the Maltese Falcon of the movie-and then steal
it again from the bad guys posing as NSA types who steal it from Redford.
There is a neat shoulder-surfing password pickup by video recording.  There are
hacker antics such as a transfer of President Nixon's net worth to the National
Organization for the Reform of Marijuana Laws (NORML), credit record and
license plate registration privacy invasions, trashing of the NSA, CIA, and
FBI, and liberal-politics slams at President Bush and the Republican Party
well-timed for the upcoming national elections.  However, this is all tolerable
since it is done by Redford's character and his team who all have serious
criminal and other highly unethical practices in their backgrounds.

A tiger team attack on a client bank that has relatively good security is
excessively elaborate and would have left the bank guard in a good position to
sue his employer for aggravated assault and mental anguish.  We will probably
have to assure our company management people that we don't do things like
that-but the time to justify your budget and staff is soon after they see this
movie.

The film ends with the rather patronizing and simplistic advice that whoever
controls the information, controls the world.  Just the straightforward action
and technology without all the liberal politics and moralizing would have made
it even better.

You and your teenage children and your computer users and management should all
see and enjoy this much-to-be-talked-about film.


Police probe mans death in Citibank disk case

Pat Cain <cain_p@kosmos.wcc.govt.nz>
Wed, 09 Sep 1992 13:24:18 +1200
Early on Saturday (5th Sept) morning in Auckland, New Zealand, Paul Gordon
Edward White, 26, a computer broker, was found in a crashed car by the Auckland
harbour bridge; he died shortly afterwards.  A police investigation into the
accident began.  But last night (Tuesday) the Police Minister, John Banks,
asked police to begin high priority investigations into allegations that his
death may not have been accidental.

White had purchased $525 of surplus office and computer equipment from Citibank
in Auckland.  Accidentally included with the equipment were around 90 computer
disks.  TV3 reported the disks contained details overseas bank accounts of some
politicians and of some companies laundering money overseas.  White is
understood to have offered to sell the material back to the bank for $50,000.
In an out-of-court settlement on Friday, Citibank paid White $15,000 cash for
the return of all outstanding information in his control.  The suitcase in
which White had the money was found in the car along with his body, but the
money was missing.

White's lawyer, Mark Blomkamp told TV3 that someone may well have considered
the information on the disks serious enough to kill for.  Asked if it was
possible that because the money was not in White's briefcase in his crashed car
the accident could have been invoked, Blomkamp said: "You might well think that
but I couldn't possibly comment".

Radio NZ last night quoted an unidentified source saying that White's car was
not as badly damaged as could be expected from an impact with a concrete
pillar.  The front of the car was significantly damaged by the 5.15am crash on
the Fanshawe St, city side, approach to the harbour bridge, but the dashboard
and steering wheel were not and there was no blood in the vehicle.

Bits and pieces ..
* Neighbours reported White's home in Birkenhead had been broken
  into several times and that he had met Tauranga MP Winston
  Peters (who is a member of the current government and several
  months ago alleged government links with big business and corruption).
* In one of three earlier burglaries, White was attacked as he
  returned home one night.
* White reported that in July he had been approached by people
  who identified themselves as members of the Security Intelligence
  Service, wanting to discuss the Citibank information.  After the
  meeting, White told an acquaintance that the supposed SIS agents
  had warned him that the police were about to search his property.
  The search took place two days later.  (NZSIS is NZ's approximate
  equivalent to the US's CIA.)
* On Friday, White celebrated at the Centra hotel in Auckland, he
  then left with a man and a woman (who have since been interviewed)
  at 10pm and went to the Regent Hotel for a meal.  After that he
  went to a nightclub and left about 4am.  What happened between
  then and 5.15am when he was found is unclear.
* Citibank is the New Zealand subsidiary of one of the largest
  banks in the United States, Citicorp.  It operates as a clearing
  bank and provides a range of non-retail banking services.
* The Ambulance service received "two or three" emergency calls from
  mobile phones -- it is not known who made the calls, or whether
  they witnessed the car crash.  White died shortly after the ambulance
  arrived.

(Summarized from {The Dominion} and {The New Zealand Herald}, 9 Sept 1992).


Arrest warrant database problems

James Hanlon <tcubed@ddsw1.mcs.com>
Wed, 9 Sep 92 17:01:51 CDT
Note: I recently posted a similar note to misc.legal.computing; I suspect the
      problem is common enough to enlist the help of the RISKS community.

An attorney acquaintance has a number of clients who have been picked up and
detained for various lengths of time, on the basis of warrants, later shown to
be incorrect. Reasons range from sloppy administrative work (clerical errors,
name confusions), to accumulated delays in the record-keeping process.

BACKGROUND INFORMATION

Police officers in the US need a few things in order to take a person into
custody ("arrest" them): chief among them is probable cause to believe that
they have committed a crime. The fact that an arrest warrant exists is in
itself probable cause. In practice, one can be taken into custody if the
arresting officer believes that a warrant exists--and someone on the radio
telling him that "the computer" shows an outstanding warrant is reason enough.

Problems occur in areas where numerous law enforcement agencies overlap, i.e.,
most urban areas in the US. Although there is normally a regional database of
warrant information, any agency can keep a database of warrants its own
officers have issued. Should a judge order a warrant killed ("quashed" is the
legalism), and should the kill order not be properly accomplished, the stage is
set: person leaves courtroom relieved, goes about his business, is stopped some
months (or years) later, officer checks central database, finds warrant
information, calls warrant-issuing police department, which checks **its**
warrant database. Conclusion: you are under arrest. There follows a collection
of more or less unpleasant and inconvenient experiences (e.g., a weekend in the
county lockup).

My question: is there an archive of these, or similar, occurrences on the net?
Is there a model of how the problem should be solved, perhaps in Jurisdiction
X?

I should mention that the attorney is presently suing the government units
involved, in federal district court in Chicago.

Thanks for all help.

James E. Hanlon                                        tcubed@ddsw1.mcs.com


New computer delays Berlin Fire Department

Debora Weber-Wulff <weberwu@inf.fu-berlin.de>
Tue, 8 Sep 1992 10:11:09 GMT
Sigh. It's like no one reads comp.risks :-(.

The "Tagespiegel" announced this morning that the Berlin Fire Department has
been having terrible trouble with it's new dispatching system. Seems they went
on line after just a few "tests" (no running the system in parallel to the old
one) because they now have to take care of the whole city and not just West
Berlin. They are having problems with fire-trucks being listed more than once,
phantom fire trucks, disappearing fire-trucks and messages, and the wrong
trucks being alerted. Seems the data entry people or the algorithm for finding
the closest fire station (or both) are not working, and trucks are being called
from far away, or they are alerted and then not told where to go. There have
been cases of it taking 30 minutes to get a fire truck to the scene of a fire.

Not a nice thought when youths are increasingly setting fires to refugee
hostels and such.

The company that installed the program is busy fixing the bugs, the newspaper
assures us, and will have it running soon.  Won't we all sleep better knowing
that it is sure to run when that last bug is gone?!

Debora Weber-Wulff, Institut fuer Informatik, Nestorstr. 8-9,
D-W-1000 Berlin 31    +49 30 89691 124   dww@inf.fu-berlin.de


hardware failure stops school

"MARCHANT-SHAPIRO, ANDREW" <MARCHANA@gar.union.edu>
9 Sep 92 15:16:00 EST
My institution, Union College, fell victim to a computer problem today: A
Hewlett-Packard machine used to handle registration died, leaving the College
unable to complete freshfolk registration.  Consequently, classes that were
scheduled to start on 9/10 cannot meet until next Tuesday, and an extra day (or
two??) will have to be added to the term calendar to make things work out.  All
faculty received notices marked URGENT that spoke of a 'massive computer
failure.'

I have little data on the failure, other than that it was apparently NOT a
software failure, but a real hardware breakdown.

Now, I suppose that the software and data on that machine are backed up -- but
there's the rub.  What do you do when you only have one piece of HARDWARE?
It's ironic, because most of the campus is hooked up to a 3-machine VAX cluster
-- while Administration runs on the single HP.  Good for security, but bad for
reliability.  Since many of the copiers went down at the same time (yep, in the
midst of syllabusing) I suspect a technological conspiracy...;-)

Andrew Marchant-Shapiro, Depts of  Sociology and Political Science,
Union College, Schenectady  NY  12308  (518) 370-6225  marchana@union.bitnet


PC board waste in San Francisco Bay

Phil Agre <pagre@weber.ucsd.edu>
Wed, 9 Sep 92 17:11:53 -0700
The lead article in the current issue of "Global Electronics" (issue 115,
August 1992) concerns the pollution of San Francisco Bay by heavy metals
running off from small printed circuit board assembly shops in Silicon Valley.
It traces the problem to the common electronics industry practice of
subcontracting to these small firms rather than doing the dirty work in larger
and safer facilities of its own.  "Global Electronics" is published by the
Pacific Studies Center, 222B View Street, Mountain View CA 94041.  It costs $12
per year (12 issues of four pages each).

Phil Agre, UCSD


Re: TCAS (RISKS-13.78)

Nancy Leveson <nancy@murphy.ICS.UCI.EDU>
Fri, 04 Sep 92 16:23:40 -0700
>From RISKS 13.78,
   In the version of the TCAS story I saw locally about the 2 USair jets
   near-miss, it mentioned that for the period june -June of the previous year,
   over 60% of the warnings/advisements from TCAS systems nationwide have been
   erroneous. Many of these have been of the same sort reported -- the system
   told two planes that were "safe" to maneuver into an "unsafe" flight path...

This is totally and completely untrue and is evidence of what I warned about
in my previous message.  Even if you don't have the facts, does anyone
seriously think that a system with this error rate would be used at all?
Pilots are just not that stupid or suicidal and neither are those at the FAA..

It is very important that forums such as RISKS do not become sources of
dangerous misinformation.

    [I agree.  I have been somewhat too lenient in recent times, permitting
    material to emerge that is lacking in credibility, scholarship,
    carefulness, etc.  Time to ratchet up the quality again.  But I am very
    much at the mercy of our contributors.  Please observe the masthead
    guidelines.  Thanks.  PGN]


Registration and Hotel Information - 15th National Computer

Jack Holleran <Holleran@DOCKMASTER.NCSC.MIL>
Wed, 9 Sep 92 11:10 EDT
          Security Conference

The following information includes registration and hotel information for the
upcoming 15th National Computer Security Conference.  Appropriate phone numbers
are included.  (The program is contained in RISKS-13.78.)

                                     =-+-=

CONFERENCE REGISTRATION FORM
 15th National Computer Security Conference
 October 13-16, 1992
 Baltimore Convention Center
 1 East Pratt Street
 Baltimore, Maryland

 NAME: ___________________________________________________________

 COMPANY: ________________________________________________________

 ADDRESS: ________________________________________________________

 CITY: ___________________  STATE: ___________ ZIP: ______________

 COUNTRY: ______________________ TELEPHONE NO: ___________________

 HOW WOULD YOU LIKE YOUR NAME TO APPEAR ON YOUR BADGE?
 _________________________________

Registration Fee $280.00 before October 1, 1992;
                 $315.00 on or after October 1, 1992

Payment Enclosed in the Amount of:  __________
 Form of Payment:

___       Check.  Make checks payable to NIST/15th National
                  Computer Security Conference.  All checks
                  must be drawn on U.S. banks only.

___       Purchase Order Attached.  P.O. No.:  __________

___       Federal Government Training Form

___       MasterCard          ___Visa
          Account No.:  _______________ Exp. Date _______

          Authorized Signature: _______________________

PLEASE NOTE:  No other credit cards will be accepted.

Please return conference registration form and payment to:

          c/o 15th National Computer Security Conference
          Office of the Comptroller
          National Institute of Standards and Technology
          Room A807, Administration Building
          Gaithersburg, MD  20899
          Credit card registration may be faxed to
            Tammie Grice at (301) 926-1630.

Is this the first time you have attended the National Computer Security
Conference? ______________

Conference Participants List:

__  I do want my name on the Conference Participants List which is
     distributed to conference attendees.
__  I do not want my name on the Conference Participants List.


=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=

HOTEL RESERVATION FORM
15th National Computer Security Conference
October 13-16, 1992
Baltimore Convention Center
Baltimore, Maryland


Hyatt Regency Baltimore             (410) 528-1234
300 Light Street
Baltimore, MD  21202

Holiday Inn Baltimore Inner Harbor  (410) 685-3500
301 West Lombard Street
Baltimore, MD  21201

Radisson Plaza Baltimore Hotel      (410) 539-8400
20 West Baltimore Street
Baltimore, MD  21201

Tremont Plaza                       (410) 727-2222
222 St. Paul Place
Baltimore, MD  21202
(An all suites hotel)

Baltimore Marriott Inner Harbor     (410) 962-0202
110 South Eutaw Street
Baltimore, MD  21201

Tremont Hotels                      (410) 576-1200
8 East Plesant Street
Baltimore, MD  21202
(An all suites hotel)

NAME:
COMPANY:
ADDRESS:
CITY:     ____________________   STATE:   ________  ZIP:  ____
COUNTRY:  ___________   TELEPHONE NO:  __________
(include country access code if appropriate)

Please Reserve:  Single Room(s) ______  Double Room(s) _______

Arrival Date:    _________   Departure Date:    _________

Person Sharing Room:  ___________________________


RATE (Refer to Conference Brochure):  ____Corporate; _____Government

Method of Guarantee:     _____Deposit Enclosed;  _____ Credit Card

Check
One:  __ American Express __ Visa __MasterCard __Diners Club __Carte Blanche

Credit Card #:  _________________ Exp. Date:  ______

Signature of Cardholder:  ________________________

Please report problems with the web pages to the maintainer

Top