The RISKS Digest
Volume 14 Issue 28

Tuesday, 19th January 1993

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Racetrack goes to the dogs as computer fails
Mark Colan via John Markoff
Earthwinds balloon crash
John Sullivan
More on the Air-Inter politics
Peter B Ladkin
Attempted Mindvox Break-in
John F. McMullen
New E-journal on computer security
J.B. Condat
Lautro assessment of computer reliability
Pete Mellor
Released GSA Docs Slam FBI Wiretap Proposal
Dave Banisar
Four charged with theft of registration microfilms in Sapporo Japan
Hank
Nintendo and Epileptic attacks
Marvin Moskowitz
Robert A. Morris
Info on RISKS (comp.risks)

Racetrack goes to the dogs as computer fails (from Mark Colan)

John Markoff, NY Times, San Fran 1-415 362 3912 <markoff@nyt.com>
Thu, 14 Jan 1993 10:32:04 -0800
> Date: Thu, 14 Jan 93 10:21:45 EST
> From: Mark_Colan.LOTUS@CRD.lotus.com
> Subject: heard on BBC this morning

> At the tail end of the sports news at the end of NewsHour, the morning BBC
> show heard on WBUR, was the mention of an error in a betting computer at a
> greyhound race track.  The computer continued to accept bets well after the
> conclusion of the race.  Needless to say, many gleeful track-betters bought
> tickets for the dog that had already won, and claimed their winnings.

> The article also mentioned that some people are just born losers.
> After the race had finished, 139 people bet on dogs that had *lost*!

> The government management reported that they intended to reclaim all of the
> unfairly-won monies.  However, they stated that they intend to *keep* the
> money from the losers.

                                    [Slight edit by PGN.]


Earthwinds balloon crash

<sullivan@geom.umn.edu>
Tue, 19 Jan 93 12:26:02 CST
There is a long article in the NYTimes Science section on Jan 19, 1993, about
the crash last week of the Earthwinds balloon just after it took off to try to
fly around the world.  The three men of the crew have been trading accusations
since the crash, and many people blame the problems on the lack of "adequate
engineering and planning, particularly in the integration of its labyrinthine
electronic and plumbing systems".

-John Sullivan@geom.umn.edu


More on the Air-Inter politics

Dr Peter B Ladkin <pbl@compsci.stirling.ac.uk>
19 Jan 93 13:38:39 GMT (Tue)
>From the International Herald Tribune, 19 Jan 1993

Paris Charges Ex-Official in Air Crash

COLMAR, France (AP) - A former official of the French domestic airline
Air-Inter was charged Monday with negligent homicide in the crash of a
passenger jet a year ago that killed 87 people.  Jacques Rantet, Air-Inter's
former director of flight security, was charged ... with negligence leading to
death and injury in the crash of the Airbus A320.  Nine people survived after
the airliner crashed into a mountainside as it approached Strasbourg airport
on Jan. 20, 1992.


Attempted Mindvox Break-in

John F. McMullen <mcmullen@mindvox.phantom.com>
Mon, 18 Jan 93 13:55:17 EST
The following appeared on Newbytes, a copyrighted commercial service, on
January 18, 1993. It is republished here with the express consent of the
authors:

Phantom Access Foils Cracking Attempt 01/18/93 NEW YORK, NEW YORK,
U.S.A.,1993 JAN 18 (NB) — An attempt to illegally break into, or "crack"
the "Mindvox" conferencing stem contained in Phantom Access, a flat-rate
New York-based online service recently featured in various news
publications, was detected and rebuffed.

Bruce Fancher, co-owner of Phantom Access, told Newsbytes, "There was no
real damage and we have notified all of our users about the attempt in the
hope that they will be even more conscious of security. The nature of this
attempt points out one of the things that users of any on-line system must
be aware of in order to protect her/his privacy."

The attempt came to the attention of the owners of the system, Fancher and
Patrick Kroupa, when subscribers reported receiving the following message:

  It has been brought to my attention that your account has been 'hacked'
  by an outside source. The charges added were quite significant which is
  how the error was caught. Please temporarily change your password to
  'DPH7' so that we can judge the severity of the intrusion. I will notify
  you when the problems has been taken care of. Thank you for your help in
  this matter. -System Administrator"

The system owners immediately sent a message to all subscribers declaring the
message to be fraudulent. In addition to pointing out the textual errors in
the message — for example, Mindvox is a "flat rate" system and charges are
not accumulated — the owners admonished users to both safeguard their
passwords and insure that they are not easy to decipher.

Fancher told Newsbytes that the review of Mindvox in a recent issue of Mondo
2000, its mention in an issue of Forbes, and his speaking engagements on
behalf of the system have led to more rapid growth than had been anticipated.
He said, "We are moving to larger space on February 1st and will be upgrading
our equipment from a single Next system to multiple Suns. We will also
increase the number of dial-in ports and greatly increase the speed of our
Internet connection. We are very grateful for the user response to date."

(Barbara E. McMullen & John F. McMullen/Press Contact: Bruce Fancher, Phantom
Access, dead@phantom.com (e-mail), 212-254-3226 70210.172@compuserve.com
mcmullen@mindvox.phantom.com knxd@maristb.bitnet mcmullen@well.sf.ca.us [...]


New E-journal on computer security

<jbcondat@attmail.com>
31 Dec 69 23:59:59 GMT
A new computer security e-journal is being published in France.
It's the first in my country:

     * weekly;
     * name: _Chaos Digest_;
     * latest issue available: #1.03 (18 Jan 1993);
     * for a subscription send an e-message to: jbcondat@attmail.com

Thanks, and hope to hear from you soon!
                                              Fax:  +33 1 47877070
Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P. 8005,
69351 Lyon Cedex 08, France  jbcondat@attmail.com   +33 1 40101775


Lautro assessment of computer reliability

Pete Mellor <pm@cs.city.ac.uk>
Mon, 18 Jan 93 17:55:52 GMT
A student on a short course on software reliability that I gave late last year
informed me that Lautro, the UK insurance companies' watch-dog organisation,
has recently been putting the wind up a lot of companies by doing spot checks
on computer systems.

Lautro has real "teeth", and can stop a company from trading if they are not
satisfied with the service it provides to the public. Nowadays, this includes
deficiencies in service due to computer cock-ups.

Apparently, a number of insurance companies are beginning to take software
reliability rather seriously all of a sudden!

Unfortunately, we only had time for a short conversation, and I do not have
any further information. I would be extremely interested to know, for example,
what Lautro measure when they perform their audit.

Peter Mellor, Centre for Software Reliability, City University, Northampton
Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk


Released GSA Docs Slam FBI Wiretap Proposal

Dave Banisar <banisar@washofc.cpsr.org>
Fri, 15 Jan 1993 23:22:47 -0500
"GSA Memos Reveal that FBI Wiretap Plan was
Opposed by Government's Top Telecomm Purchaser"

The New York Times reported today on a document obtained by CPSR
through the Freedom of Information Act.  ("FBI's Proposal on Wiretaps Draws
Criticism from G.S.A.," New York Times, January 15, 1993, p. A12)

The document, an internal memo prepared by the General Services
Administration, describes many problems with the FBI's wiretap plan and also
shows that the GSA strongly opposed the sweeping proposal.  The GSA is the
largest purchaser of telecommunications equipment in the federal government.

The FBI wiretap proposal, first announced in March of 1992, would have
required telephone manufacturers to design all communications equipment to
facilitate wire surveillance.  The proposal was defeated last year. The FBI
has said that it plans to reintroduce a similar proposal this year.

The documents were released to Computer Professionals for Social
Responsibility, a public interest organization, after CPSR submitted Freedom
of Information Act requests about the FBI's wiretap plan to several federal
agencies last year.

The documents obtained by CPSR reveal that the GSA, which is responsible for
equipment procurement for the Federal government, strongly opposed two
different versions of the wiretap plan developed by the FBI.  According to the
GSA, the FBI proposal would complicate interoperability, increase cost, and
diminish privacy and network security.  The GSA also stated that the proposal
could "adversely _affect national security._"

In the second memo, the GSA concluded that it would be a mistake to give the
Attorney General sole authority to waive provisions of the bill.

The GSA's objections to the proposal were overruled by the Office of
Management and Budget, a branch of the White House which oversees
administrative agencies for the President.  However, none of GSA's objections
were disclosed to the public or made available to policy makers in Washington.

Secrecy surrounds this proposal.  Critical sections of a report on the FBI
wiretap plan prepared by the General Accounting Office were earlier withhold
after the FBI designated these sections "National Security Information."
These sections included analysis by GAO on alternatives to the FBI's wiretap
plan.  CPSR is also pursuing a FOIA lawsuit to obtain the FBI's internal
documents concerning the wiretap proposal.

The GSA memos, the GAO report and others that CPSR is now seeking indicate
that there are many important documents within the government which have still
not been disclosed to the public.

Marc Rotenberg, CPSR Washington office        rotenberg@washofc.cpsr.org

Note: Underscores indicate underlining in the original text.
Dashes that go across pages indicate page breaks.

[Computer Professionals for Social Responsibility is a nonprofit, public
interest membership organization. For membership information about CPSR,
contact cpsr@csli.stanford.edu or call 415/322-3778.  For information on
CPSR's FOIA work, contact David Sobel at 202/544-9240
(sobel@washofc.cpsr.org).]

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                      (#4A)

              Control No. X92050405
               Due Date:     5/5/92

Brenda Robinson (S)

After KMR consultations, we still _"cannot support"_ Draft Bill. No. 118 as
substantially revised by Justice after its purported full consideration of
other agencies' "substantive concerns."

Aside from the third paragraph of our 3/13/92 attachment response for the
original draft bill, which was adopted as GSA's position (copy attached),
Justice has failed to fully address other major GSA concerns (i.e.,
technological changes and associated costs).

Further, by merely eliminating the FCC and any discussion of cost issues in
the revision, we can not agree as contended by Justice that it now " ... takes
care of kinds of problems raised by FCC and others ...."

Finally, the revision gives Justice sole unilateral exclusive authority to
enforce and except or waive the provisions of any resultant Iaw in Federal
District Courts. Our other concerns are also shown in the current attachment
for the revised draft bill.

Once again OMB has not allowed sufficient time for a more through review, a
comprehensive internal staffing, or a formal response.

                       /Signature/

                       Wm. R. Loy  KMR     5/5/92

Info: K(Peay),KD,KA,KB,KE,KG,KV,KM,KMP,KMR,R/F,LP-Rm.4002

(O/F) -   9C1h (2) (a) - File (#4A)

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                          ATTACHMENT
                 REVISED JUSTICE DRAFT BILL
                       DIGITAL TELEPHONY

The proposed legislation could have a widespread impact on the government's
ability to acquire _new_ telecommunications equipment and provide electronic
communications services.

_Existing_ Federal government telecommunications resources will be affected by
the proposed new technology techniques and equipment. An incompatibility and
interoperability of existing Federal government telecommunications system, and
resources would result due to the new technological changes proposed.

The Federal Communications Commission (FCC) has been removed from the
legislation, but the Justice implementation may require modifications to the
"Communications Act of 1934," and other FCC policies and regulations to remove
inconsistencies. This could also cause an unknown effect on the wire and
electronic communications systems operations, services, equipment, and
regulations within the Federal government. Further, to change a major portion
of the United States telecommunications infrastructure (the public switched
network within eighteen months and others within three years) seems very
optimistic, no matter how trivial or minimal the proposed modifications are to
implement.

In the proposed legislation the Attorney General has sole _unilateral
exclusive_ authority to enforce, grant exceptions or waive the provisions of
any resultant law and enforce it in Federal District Courts. The Attorney
General would, as appropriate, only "consult" with the FCC, Department of
Commerce, or Small Business Administration. The Attorney General has exclusive
authority in Section 2 of the legislation; it appears the Attorney General has
taken over several FCC functions and placed the FCC in a mere consulting
capacity.

The proposed legislation would apply to all forms of wire and electronic
communications to include computer data bases, facsimile, imagery etc., as
well as voice transmissions.

The proposed legislation would assist eavesdropping by law enforcement, but it
would also apply to users who acquire the technology capability and make it
easier for criminals, terrorists, foreign intelligence (spies) and computer
hackers to electronically penetrate the public network and pry into areas
previously not open to snooping. This situation of easier access due to new
technology changes could therefore affect _national security_.

                            (1)

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The proposed legislation does not address standards and specifications for
telecommunications equipment nor security considerations. These issues must be
addressed as they effect both the government and private industry. There are
also civil liberty implications and the public's constitutional rights to
privacy which are not mentioned.

It must be noted that equipment already exists that can be used to wiretap the
digital communications lines and support court-authorized wiretaps, criminal
investigations and probes of voice communications. The total number of
interception applications authorized within the United States (Federal and
State) has been averaging under nine hundred per year. There is concern that
the proposed changes are not cost effective and worth the effort to revamp all
the existing and new telecommunications systems.

The proposed bill would have to have the FCC or another agency approve or
reject new telephone equipment mainly on the basis of whether the FBI has the
capability to wiretap it. The federal-approval process is normally lengthy
and the United States may not be able to keep pace with foreign industries to
develop new technology and install secure communications. As a matter of
interest, the proposed restrictive new technology could impede the United
States' ability to compete in digital telephony and participate in the
international trade arena.

Finally, there will be unknown associated costs to implement the proposed new
technological procedures and equipment.  These costs would be borne by the
Federal government, consumers, and all other communications ratepayers to
finance the effort. Both the Federal government and private industry
communications regular phone service, data transmissions, satellite and
microwave transmissions, and encrypted communications could be effected at
increased costs.
                               (2)

[Documents disclosed to Computer Professionals for Social Responsibility
(CPSR), under the Freedom of Information Act December 1992.]


Four charged with theft of registration microfilms in Sapporo Japan

<hank@westford.ccur.com>
Mon, 18 Jan 93 01:39:10 EST
>From The Japan Times Wednesday January 13,1993

  SAPPORO (Kyodo)

  Four men went on trial here Tuesday for allegedly taking out residency
  register microfilm from a Sapporo ward office, then selling duplicates of it
  that they had made.  The defendants are accused [of] duplicating all of the
  Sapporo citizens' residency registrations, using the microfilm and selling
  it to direct marketing companies.

  Katsumi Shibuki, 32, an office worker of Chuo Ward Sapporo, Jun Hongo, 24,
  a company executive of the same ward, and two others were charged with
  theft.

  During their first trial hearing at the Sapporo District Court, all four
  admitted taking microfilm that is kept at the ward office for resident
  perusal.  However, an attorney for Hongo entered a plea of innocent of
  behalf of his client, contending that the defendants took out the microfilm
  only for temporary use and therefore the act does not constitute theft.

  The three other defendants refused to enter a plea Tuesday as their
  attorneys argued that legal problems are involved in charging their
  clients with theft for their act.  In their opening statement, prosecutors
  said the four made several preliminary inspections of the ward office
  where the microfilm was kept and then purchased a microfilm duplicator,
  thus premeditating the crime.  They noted that Shibuki borrowed the
  microfilm on the pretext of reading it, but his accomplices took it out
  and duplicated it in their Sapporo office.

  The prosecutors charged that the defendants collaborated and each assumed
  a different role.  According to the indictments, the four were accused of
  taking out 482 residency register microfilm entries kept at all of
  Sapporo's eight ward offices between April and May 1992.

A few comments.  Japan has a universal citizen registration law that requires
all residents to report their place of residence to their local government.
This is in addition to a family registration system that tracks all births
deaths, marriages and divorces.  That data may be similarly ill secured
however it is of less interest to direct marketeers than the residence data
which is kept up to date within about 15 days.  Although this system is very
ancient the law regarding data security has obviously not caught up with the
technology.  As more and more local governments are keeping this data on
personal computers all of the attendant risks to privacy will appear.
Obviously what is needed is a law that relates specifically to the data and
not to the media. It is clear from the article that the prosecutors believe
that the accused did something illegal but they don't seem to have a statute
appropriate for the circumstances.  A final observation is that while the case
for theft seems very weak to someone familiar with American or English law
things in Japan are not so obvious.  People have been convicted in Japan for
intent to commit a felony when no felony was actually committed.  The courts
may also take a similarly broad interpretation of theft even though the
physical objects taken were promptly returned.


Nintendo and Epileptic attacks

Marvin Moskowitz <marvinm@catman.tti.com>
Fri, 15 Jan 93 07:52:56 PST
In article <CMM.0.90.1.726985062.risks@chiron.csl.sri.com> Rick Russell writes:
> The Super Nintendo Entertainment System "Consumer Information and Precautions
> Booklet", which comes with SNES and NES systems sold in the US (and the UK,
> to the best of my knowledge), issues the following warning:
>
>      EPILEPSY WARNING: READ BEFORE USING YOUR NES OR SUPER NES

Well, I guess all this should be no surprise to anyone who has read
Crichton's "Andromeda Strain." The flashing lights causing a seizure
was a major device he used.  His background as a physician lent some
credibility to the novel.

Marvin S. Moskowitz, Transaction Tech, Inc., 3100 Ocean Park Blvd.,
Santa Monica, CA  90405  1-310-450-9111 x3197  marvinm@soldev.tti.com


Re: Computer games may endanger your health (Russell, RISKS-14.27)

Robert A. Morris <ram@cs.umb.edu>
Sun, 17 Jan 1993 18:07:40 -0500
> EPILEPSY WARNING: READ BEFORE USING YOUR NES OR SUPER NES
> Consult your physician if you experience any of the following symptoms while
> playing video games: altered vision, muscle twitching, other involuntary
> movements, loss of awareness of your surroundings, mental confusion, and/or
> convulsions.

Of course, the search for most of these conditions are among the _goals_ of
video game players....

Please report problems with the web pages to the maintainer

x
Top