The RISKS Digest
Volume 13 Issue 80

Wednesday, 16th September 1992

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Arrest Warrants
Joseph Nathan Hall
Stop the presses, call the police!
Frans Heeman
A Financial risk avoided
Rob Horn
From the Jury Room - Alcohol breath analyzer
Jim Haynes
Automatic DUI (Driving Under the Influence)
Jane Beckman
Re: update: Barclay voice mail insecurity
Flint Pellett
Re: "Sneakers" — A Topical Movie Review
Mark Brader
James Zuchelli
Greening of Computers
Mark J. Crosbie
Michigan Awarded Funds to Improve Criminal History Records
Nigel Allen
Info on RISKS (comp.risks)

Arrest Warrants

Joseph Nathan Hall <joseph@joebloe.maple-shade.nj.us>
Sat, 12 Sep 92 13:57:25 EDT
The son of a former employer of mine was met at the door one Saturday morning
by two local police officers, who presented him with a felony arrest warrant
and took him off to jail.  The charges involved were something like passing bad
commercial paper and perhaps interstate flight.  I gather that he was a little
surprised.

It turned out that he had left some money in a checking account in a bank in
another state (Missouri, I think) before moving to his new residence.  After a
while, the service charges ate up the funds in the account and the last charge
"bounced."  The bank treated it as a bad check.  They looked for him for a
while, and then, since bad paper in the state in question is a felony,
regardless of the amount, they passed the info to the local authorities and an
arrest warrant resulted.  (I wonder whether there was any human intervention up
to the point where the judge issued the warrant.)

Apparently there is a pretty good interstate commerce in arrest warrants, and
somehow the out-of-state warrant wound up at the local police station, along
with the "suspect's" current address.  Most stations keep a pile of warrants
that need to be served handy for slow times--like Saturday morning.

It could happen to YOU!

Disclaimer: This story was related to me a few years ago by a former employer.
I believe that the facts as I have stated them are essentially correct, though
the details are no longer clear in my memory.

uunet!joebloe!joseph   (609) 273-8200 day   joseph%joebloe@uunet.uu.net
2102 Ryan's Run East, Rt. 38 & 41, Maple Shade NJ 08052


Stop the presses, call the police!

<Frans.Heeman@cwi.nl>
Tue, 15 Sep 1992 07:53:35 GMT
[From the Dutch national paper "De Volkskrant", September 3, 1992:]

On Saturday morning, August 29, the presses at the local newspaper "De
Gelderlander" went down, causing delivery to be delayed. Many subscribers
called the newspaper at its phone number 650611.  The telephone exchange at the
newspaper got jammed. One of the consequences was that when people tried to
call the newspaper, often only the last four digits, 0611, came through. Now it
happens that 0611 is the national emergency number in the Netherlands. So the
police were swamped with calls from people inquiring about the delivery of
their newspaper, jamming the emergency number. In a reaction, the PTT said that
they would be careful with giving numbers ending in 0611 to large companies.

Frans Heeman, CWI dept. of Interactive Systems, Kruislaan 413, 1098 SJ
Amsterdam P.O. Box 4079, 1009 AB Amsterdam frans@cwi.nl phone: +31 20 592 4164


A Financial risk avoided

<HORN%athena@leia.polaroid.com>
Fri, 11 Sep 1992 14:29 EST
In light of all the financial problems that get reported I decided to recognize
a firm that made an intelligent decision.  Recently Citizen's Utilities had a
stock split: 3 for 2.  People who use the dividend reinvestment alternative
generally have fractional share balances.  So someone with 0.70 fractional
shares would now have 1.05 shares.  Rather than merge the full shares from the
split with the full share from the fractional share account, they chose to wait
until the next regular quarterly dividend.  At this time the routine processing
shifts full shares.

In the letter accompanying the newly issued shares they called attention to
this and gave the name of the person who could manually issue the extra share
if for some reason you needed that share before the next dividend (about ten
weeks later).  They gave the reason for all this as:

     excessive programming complexity

Considering how few people will need that one share certificate during the next
ten weeks I think they made a good choice by sticking to the regularly used and
reliable procedures, providing a manual override, and informing their owners.

We usually hear about various kinds of mistakes, oversights, and maliciousness.
It is also appropriate to point out things done well.

Rob Horn     horn%hydra@polaroid.com


From the Jury Room - Alcohol breath analyzer

Jim Haynes <haynes@cats.UCSC.EDU>
Sun, 13 Sep 92 22:00:43 -0700
I was on a jury last week (trial now over so I can talk about it) and part of
the case involved a breath alcohol machine.  We were not shown the machine but
it was described by expert witnesses and we saw its output.  The machine in
question is microprocessor controlled and displays two digits of output - any
other significance is truncated.  To use it the officer first puts a blank card
into a slot and types in the suspect's name and date and time and the like.
The machine prints all this on the card along with the test results.  The test
consists of an air purge, when the machine checks itself for a zero reading;
then the suspect blows; then another air purge and zero check; then another
blow; then a final air purge and zero check and all these results are printed
on the card.  During the blowing a tone sounds to signal that the suspect is
blowing hard enough.

Whatever it is the machine measures, it takes a measurement every 0.6 seconds
and waits for three of these to be the same before treating that as a reading.
Hence as the alcohol concentration in the blow increases the machine is
supposed to wait for a plateau and record the plateau value.  The machine is
supposed to measure and subtract something else to eliminate the effects of
substances such as acetone that were known to throw off earlier model machines.

Supposedly the calibration of the machine is fixed at manufacture; but the
calibration is verified about once a week by the forensic lab which takes care
of it.  There is an alcohol-water solution in a breath simulator attached to
the machine.  The lab dials up using a modem and commands the machine to verify
its calibration.  The machine measures the simulated breath and sends the
measurement and its identification back to the lab, where the information is
kept in their computer and can produce a printed report as needed.  The test
solution is supposed to make the machine read 0.14% +/- 0.01%.

For the machine in question there was a verification a few days before the
crucial test, and another one a few days later.  Both times the machine read
0.15%, which is acceptable.  We saw the results of several other verifications
and this machine usually read 0.15%, although once or twice in the past it had
read 0.13%.  On the test in question the machine had read 0.09%.  A blood
alcohol level of 0.08% makes it illegal to drive a car in California.

I convinced myself and the rest of the jury that a blood alcohol level of 0.08%
in the defendant was unproven.  First, when the machine read 0.15% that could
mean anything between 0.1500... and 0.1599...  Second, we were not told any
more about the test solution than that it should produce a reading of 0.14%.  I
know chemists can mix up solutions very accurately, and for good science you
would want to mix the solution as close to 0.14500.. as possible; but we had to
assume the solution could be anywhere between 0.1400...  and 0.1499...  So we
could have a solution at the high end of 0.14 and the machine could be
measuring at the low end of 0.15 and it is measuring pretty close.  Or we could
have a solution at the low end of 0.14 and the machine could be measuring at
the high end of 0.15 and it is off by just under 0.02%.  If errors are additive
offsets then the defendant's blood alcohol could be anywhere between 0.0700...
and 0.0899... and that absolutely fails to prove 0.08% or more.  I used an
analogy at the time that this is like trying to verify the accuracy of a
yardstick by comparing it with another yardstick.

There's an interesting psychological phenomenon that I observed.  There was a
lot of testimony by experts about errors and possible errors in the machine.
Invariably they and the attorneys would add and subtract 0.01 here and 0.02
there from machine readings as if all the errors are additive offsets.  There
was never any testimony as to whether the errors in the machine are really
offsets or proportional to the reading, or completely nonlinear, or anything
else.  Nobody ever mentioned an error of so many per-cent, or suggested that
multiplication be used.  So I conjecture: when people deal with numerical data
where there are only two digits they tend to assume that any adjustments to the
data are to be made by addition and subtraction.  Maybe this phenomenon results
from habit dealing with dollars and cents; or maybe it's just that people are
lazy and addition is easier than multiplication.

Both experts agreed that the readings are affected by the suspect's body
temperature.  I was surprised that the machine doesn't measure and correct for
this, or that the temperature isn't taken and recorded at the time of the test.

If we had not been doubtful of guilt from the above accuracy considerations
alone we would have had to consider the defense expert's suggestion of various
confounding factors, a much more speculative undertaking.  He and his
colleagues have done experiments and published in the field.  They have a few
instances in which the subject got a false high reading by blowing very hard.
This is not fully understood.  He said something about the mucous membranes
drying out and releasing extra alcohol.  He drew a graph showing that the
machine sees a first plateau, at which the reading is good; but then the
alcohol level increases and goes to a second higher plateau and the machine
takes that as its reading instead of the first.  They have also found the
machine will read too high if the suspect is still absorbing ingested alcohol,
which can happen for example if the alcohol was taken with food.  He didn't
offer an explanation for this, but only evidence that it can happen.

There are formulas to predict blood alcohol level based on the amount of
alcohol ingested and the weight of the subject and other factors.  Our
defendant admitted to drinking only one pint of stout with food about 2 hours
before the arrest.  Both experts calculated this was not enough alcohol to get
anywhere near 0.08% blood alcohol.  It was maybe barely enough to get the
machine to read 0.09% with all of the confounding factors such as temperature
and blowing hard and the absorptive-phase phenomenon.  Maybe she drank more
than she admitted; maybe the machine really is that lousy inaccurate; maybe
there are other unconsidered factors leading to errors; we didn't have to go
into that.

Advice to drivers would seem to be: if you are arrested for DUI and believe you
are innocent then don't choose the breath test - it's not very accurate.  If
you think you might barely be guilty then choose the breath test and fight it
in court.


Automatic DUI (Driving Under the Influence)

Jane Beckman <jane@stratus.swdc.stratus.com>
Mon, 14 Sep 92 17:50:55 PDT
A friend's husband just recently got a shock.  A notice showed up in the mail
that his driver's license was suspended.  He called up the California
Department of Motor Vehicles (DMV) to find out what was going on.  He had
recently been involved in a dispute involving his auto, so he suspected it
might have something to do with that.

Well, they asked him, didn't you recently plead guilty to a charge of Reckless
Driving?  Yes, he said.  Well, that explains it.  Wait a minute, he said,
explains what?  He said it was his understanding that Reckless Driving was not
something they normally pulled your license for, or he would have fought it.
Oh no, they said, that was for the liquor.  You have a DUI (Driving Under the
Influence).  WHAT? he asked.  Your Reckless Driving in connection with DUI.  At
this point, he knew he had a problem since there was no alcohol involved.

He explained to the woman that the Reckless Driving charge was a plea bargain.
He had been stopped and threatened by a juvenile gang who had blocked his car.
He had stepped on the gas and hit one of them in trying to get out of there.
He was charged with Battery and Assault With a Deadly Weapon (his car) by the
gang member, who pressed charges.  His lawyer had advised him that fighting the
charge, despite circumstances, would be a long and costly battle, especially
since where juveniles were involved, it was possible that the jury would find
against him.  They plea-bargained to a lesser charge of Reckless Driving, and
he was fined $250 and sentenced to do 60 hours of community service work (which
he was doing, anyway).

Fine up until that point.  The woman at the DMV insisted that there was a DUI
on the record.  He explained all of the above, and she asked where the liquor
came into it.  He explained that there was *never* any liquor involved.
Finally, he went down to the office and hassled with the officials there, and
the court records were pulled.  Surprise, no DUI!  It was entered into the
system again, and bingo, a DUI came up.  I suspect that regular RISKS readers
already suspect what the problem was.  The system programming on traffic
offenses was set up so that a count of Reckless Driving *automatically* entered
in a paired count of Driving Under the Influence.  The programmer had made the
assumption that the two counts were so intimately connected that you would
almost *never* have one without the other.  To enter a count of Reckless
Driving without a DUI, you had to manually override it, and the data-entry
clerk was not instructed on this peculiarity, nor was there any flag that
Reckless Driving was paired with DUI.  And a "guilty" on that count was paired
to an automatic license suspension.  The problem of overriding the DUI was
finally resolved, but it took several days and a lot of arguing and
hyperventilating on his part.  I would suspect that his is not the first, nor
the last, case where this "automatic conviction" came up.

 Jane Beckman   [jane@swdc.stratus.com]


Re: update: Barclay voice mail insecurity (Brunnstein, RISKS-13.79)

Flint Pellett <flint@gistdev.gist.com>
14 Sep 92 19:59:51 GMT
>... Northern Telecom requires for the US/Canada product *at least 4
>digits code*, whereas the German version was reduced to require *at least 3...

This discussion reminded me of something that I was involved in way back in
1979, which I think is still relevant.  The point to be made is that merely the
number of bytes in the codeword is insufficient protection.  What matters is
the product of the number of different combinations by the amount of time
required to try each one.  (I think this principle applies to other things such
as garage door openers as well, and would love to see someone telling me that
once my garage door opener circuitry has recognized that a code was sent which
was not the right one, it would not respond to any other code (even the right
one) for a period of, perhaps, 15 seconds.  I could then calculate that if
there were 10,000 possible codes, an automated attack would take an
average of 20.5 hours, and know how lousy the protection was.)  As it stands
now, I don't really know how secure the system is, and I don't have any idea
how secure the 4-digit or 3-digit codes above are.

The incident in question that I had experience with: note that I was not a part
of the system staff, so parts of the following are 2nd hand information and may
not be completely correct.  This particular mainframe system allowed access to
files based on the entry of a codeword, which could have up to 10 characters,
and it was quite secure even if you used a 5 character password, given the fact
that it would accept input at a maximum of 1200 baud: the average time required
to enter all the codes even with a machine doing your typing was years.  Normal
users were not allowed to access files through programs.  The obvious extension
of allowing a user program to open a file was made, and the risk that a program
could try passwords a lot faster than 1200 baud was noted.  The solution
adopted was to write the file opening code so that it would re-read the disk to
get the password on every attempt: thus, the speed of the disk access limited
the speed at which passwords could be tried, and given agonizingly slow disk
performance, things were still secure.  Unfortunately, at some time later disk
cache software was incorporated into the system which made the system smart
enough that it would not re-read something if it still had it available in
memory.  The result was that the 5 character passwords which had been pretty
secure suddenly became worthless, because even a brute-force program to try all
combinations would run in a few hours.

Bottom line: if you're trying to tell me how secure something is, don't tell me
how many combinations there are on the lock, tell me how long it would take to
try 1/2 of the combinations, and convince me that you have a way to insure that
that time will not decrease as faster and more powerful hardware becomes
available.

Flint Pellett, Global Information Systems Technology, Inc., 100 Trade Centre
Drive, Suite 301, Champaign, IL 61820  (217) 352-1165   uunet!gistdev!flint
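
The principle in the message above (work factor is the number of codes times the time each guess costs, and that time must not shrink on faster hardware), as an added example that is not part of the original digest. The class and function names, the simulated clock, the secret "5000" and the 10 ms / 1 ms per-guess costs are assumptions constructed for illustration.

```python
import hmac


class FakeClock:
    """Constructed simulated clock (integer milliseconds) so the demo runs instantly."""

    def __init__(self):
        self.now_ms = 0

    def advance(self, ms):
        self.now_ms += ms


class ThrottledLock:
    """Code checker that refuses every input for lockout_ms after a wrong guess."""

    def __init__(self, secret, lockout_ms, clock):
        self._secret = secret.encode()
        self._lockout_ms = lockout_ms
        self._clock = clock
        self._locked_until = 0

    def remaining_lockout_ms(self):
        return max(0, self._locked_until - self._clock.now_ms)

    def try_code(self, code):
        if self.remaining_lockout_ms() > 0:
            return False  # during the lockout even the right code is refused
        if hmac.compare_digest(code.encode(), self._secret):
            return True
        # The delay is enforced by the lock itself, not by incidentally slow I/O,
        # so a cache or a faster machine cannot remove it.
        self._locked_until = self._clock.now_ms + self._lockout_ms
        return False


def seconds_to_try_half(digits, seconds_per_guess):
    """Time to try half of all decimal codes of the given length."""
    return (10 ** digits) // 2 * seconds_per_guess


def simulate_enumeration_ms(secret, lockout_ms, guess_ms):
    """Simulated milliseconds until in-order enumeration reaches `secret`.

    guess_ms models how fast the guessing hardware can submit one code.
    """
    digits = len(secret)
    clock = FakeClock()
    lock = ThrottledLock(secret, lockout_ms, clock)
    for n in range(10 ** digits):
        clock.advance(guess_ms)
        if lock.try_code(f"{n:0{digits}d}"):
            return clock.now_ms
        clock.advance(lock.remaining_lockout_ms())  # wait out the lockout
    raise ValueError("secret is not a decimal code of the stated length")


if __name__ == "__main__":
    # Half the keyspace at 15 s per guess: 3-digit versus 4-digit codes.
    print("3 digits:", seconds_to_try_half(3, 15), "s")
    print("4 digits:", seconds_to_try_half(4, 15), "s")
    # Hardware gets 10x faster (10 ms -> 1 ms per guess).
    for lockout_ms in (0, 15_000):
        slow = simulate_enumeration_ms("5000", lockout_ms, guess_ms=10)
        fast = simulate_enumeration_ms("5000", lockout_ms, guess_ms=1)
        print(f"lockout {lockout_ms} ms: {slow} ms -> {fast} ms")
```

Without the lockout the tenfold faster hardware cuts the search time tenfold; with it, the time barely moves, which is the property the message asks a vendor to demonstrate.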


Re: "Sneakers" — A Topical Movie Review (Parker, RISKS-13.79)

Mark Brader <msb@sq.com>
Mon, 14 Sep 1992 02:06:00 -0400
Anyone who has not already seen "Sneakers", but would like to, should be
careful to have NOT read RISKS-13.79, where a so-called review, right at the
top of the issue, reveals most of the storyline and many of the nicer
"touches", WITHOUT SO MUCH AS A SPOILER WARNING.

Mark Brader    SoftQuad Inc., Toronto     utzoo!sq!msb, msb@sq.com

   [Donn Parker's review was written for his I-4 audience, consisting largely
   of corporate folks with serious security concerns.  He was undoubtedly
   trying to encourage them to see the movie.  Perhaps that review was less
   suitable for the RISKS audience, so I suppose next time Mark or I will have
   to write a review specifically aimed at you all, tantalizing you without
   revealing any of the plot or technological devices.  There are also lots
   of in-jokes, which will NOT appear here.  Incidentally, Sneakers was
   ranked NUMBER 1 in box-office this week.  PGN]


Re: Sneakers, the movie (RISKS-13.79)

Tri-Valley Macintosh Users Group,UG <TMUG@applelink.apple.com>
15 Sep 92 01:23 GMT
The phone number they mention in the movie "Sneakers" is a valid 510 area code
number; it gets you the IRS in the East Bay.  I wonder if this was a glitch.
(Movies usually use the 555 prefix for phone numbers.)  When I told the IRS
person they would probably get lots of phone calls, they did not sound very
happy.
                                     James Zuchelli

   [It certainly is a departure from the usual 555 regime.  But what is
   interesting is that the number is now permanently problematic, as VCRs
   will go on forever with that number.  PGN]


Greening of Computers

Mark J. Crosbie <mcrosbie@unix1.tcd.ie>
Tue, 15 Sep 92 11:52:18 +0100
Re: PC board waste in San Francisco Bay (Agre, RISKS-13.79),

In a similar vein, this month's (Sept.) issue of Byte has an article on the
"Greening of Computers". It certainly opened my eyes to the various issues
involved when disposing of computer hardware.

I wonder if there would be a call for a newsgroup to discuss these
environmental issues in relation to computers (including, I suppose, research
into the adverse effects of over-exposure to monitor radiation etc.) as against
comp.risks which discusses hardware/software failures and such like.

The group would take into account the more wide-ranging impact of computing on
the environment as a whole, and also discussions of methods of minimising the
harmful effects could take place.

If it already exists, what is it called?  If it doesn't, would
comp.risks.environmental be a good name for it?  Does this entail a call
for votes to set it up??

Any ideas, takers, or comments???

Mark Crosbie, Dept. of Computer Science, Trinity College, Dublin, Dublin 2
IRELAND.    mcrosbie@vax1.tcd.ie

   [RISKS is certainly a good place for technology related environmental
   issues.   PGN]


Michigan Awarded Funds to Improve Criminal History Records

Nigel Allen <Nigel.Allen@lambada.oit.unc.edu>
Tue, 15 Sep 1992 23:03:06 GMT
After someone mentioned problems with incorrect information about outstanding
arrest warrants in police databases, I thought I should mention that the U.S.
Justice Department is awarding state governments grants to improve their
criminal history databases.

The following press release from the U.S. Justice Department is typical of
the announcements it makes when it announces a grant to a state government.

Michigan Awarded Funds to Improve Criminal History Records
 To: Michigan Correspondents
 Contact: Stu Smith of the Office of Justice Programs,
          U.S. Department of Justice,
          202-307-0784 or 301-983-9354 (after hours)

   WASHINGTON, Sept. 9 — The U.S. Department of Justice has awarded Michigan
$50,000 to continue improving the quality of the state's criminal history
recordkeeping, the Bureau of Justice Statistics (BJS) announced today.
   The project, administered by BJS in the Office of Justice Programs (OJP), is
part of a three-year, $27 million Criminal History Record Improvement (CHRI)
program established by the attorney general to help states upgrade current
systems used to maintain records of arrests, prosecutions, convictions and
sentences.  The Bureau of Justice Assistance is providing the funding through
the Edward Byrne Memorial State and Local Law Enforcement Assistance Program.
   "The major objective of this cooperative agreement is to improve the overall
quality of the state's criminal history record information by improving
disposition reporting," said BJS Director Steven D. Dillingham.  "This
administration is making every effort to assure the highest standards of
accuracy and timeliness in criminal history record information across the
country.  It is critical that law enforcement officers, prosecutors, judges
and corrections officials have access to complete and accurate information on
each individual within the purview of the criminal justice system," Dillingham
commented.
   The Michigan State Police will use the assistance to identify, retrieve and
enter missing court disposition records and develop an automated court records
system.
   "The program emphasizes the recording of arrest, conviction and sentencing
information in a form that will make felony history information more reliable
and complete," Dillingham commented.  "This is a crucial component of the
overall objective of insuring that state criminal history records are
up-to-date and available to all criminal justice agencies."
   Additional information about this program is available from BJS.
Publications and statistical and research data may be obtained from the
National Criminal Justice Reference Service, Box 6000, Rockville, Md. 20850.
The telephone number is 1-301-251-5500.  The toll-free number is
1-800-732-3277.
                                  internet:  bbs.oit.unc.edu or 152.2.22.80
                          [rampant disclaimers deleted.  All are in effect.]
