The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 44

Monday 29 March 1993

Contents

o The FORTRAN-hating gateway
Joe Dellinger
o Call for the Class of '88
Ed Ravin
o If they mention flying saucers, they're out to get you
Derek Cooper via Christopher Maeda
o Computer problems at Empire Blue Cross
Robert Wentworth
o Fantasy Baseball Journal Virus
Ed Amoroso
o Reported procedural problems with TCAS
John Dill via Lorenzo Strigini
o Dutch hacker in jail for another month
Hans van Staveren
o Correcting computer information held on you
Peter Debenham
o Re: Conspiracy trial ends in ... acquittal
Anthony Naggs
o Re: Software Warranties
Geoff Pike
o Akron BBS Sting Update 3
David Lehrer
o Virginia voters & Social Security Numbers
Jeremy Epstein
o SSN in the news -- Charles Osgood
Chris Phoenix
o Court Bans SSN Disclosure
Dave Banisar
o Info on RISKS (comp.risks)

The FORTRAN-hating gateway

"Joe Dellinger" <joe@montebello.soest.hawaii.edu>
Fri, 26 Mar 93 23:04:46 HST
    Several months ago we started noticing that (now and again) the
network connection to the mainland would become very very slow; this would
continue for 10-15 minutes or so, then all would suddenly be well again.  A
while after this started happening a coworker of mine complained to me that
the connection to the mainland _never_ worked anymore. It seems that he had
some FORTRAN source that he needed to copy to a machine on the mainland, but
he never could because "the network wouldn't stay up long enough for the ftp
to complete".

    Yes, it turned out that the network outages happened whenever he
attempted to ftp that _particular_ FORTRAN source file to the mainland. We
next tried compressing the file; it copied just fine then (but unfortunately
the machine on the mainland had no uncompress program, so it was still no go).
Finally we "split" his FORTRAN program up into very small pieces and sent them
one at a time. Most of the pieces would copy without trouble, but a few would
either not go at all or only go after many _many_ retries.

    Examining the troublesome pieces, we found they all had one thing in
common: they contained comment blocks that began and ended with lines
consisting of nothing but capital C's (his preferred FORTRAN commenting
style). At this point we started sending e-mail to the network gurus on the
mainland asking for help. Of course, they wanted to see an example of our
un-ftp-able files, so we mailed some to them... but our mail never got there.
Finally we got the bright idea of simply _describing_ what the unsendable
files were like. That worked. :-) [Dare I include in this message an example
of one of the offending FORTRAN comment blocks? Probably better not!]

    Eventually we were able to piece together the story. A new gateway had
recently been installed between our part of campus and the connection to the
mainland. This gateway had GREAT difficulty transmitting packets that
contained repeated blocks of capital C's!!!! Just a few such packets would
occupy all its energies and prevent most everything else from getting through.
At this point we complained to the gateway manufacturer... and were told "Oh,
yes, you've hit the repeated C's bug! We know about that already.".
Eventually we solved the problem... by buying new gateways from another
manufacturer. (In the manufacturer's defense I suppose an inability to
propagate FORTRAN programs might be considered a feature by some!)


Call for the Class of '88

Ed Ravin <eravin@Panix.Com>
Mon, 29 Mar 1993 18:03:17 GMT
I found the squib below on the Prodigy service --

  QUIRKS                                 Offbeat Computer News

  Mary Bandar recently turned down an invitation to attend kindergarten with
  others born in '88.  "Boy, wouldn't those kids ever be surprised when they
  see me coming to school," Bandar, 104, told the Associated Press. "Why would
  they want me? I know the ABCs yet. And I can count to 10," said the Winona,
  Minn, resident, who was born in 1888.

  Sister Mary Donald Miller, superintendent of Winona Area Catholic Schools,
  told the AP that the mix-up occurred when school officials instructed a
  computer to search for the names of people born in '88.

The RISKS aware person might ask a few more questions-- which computer was the
school using?  Where is this central database of all the people in Winona,
Minnesota?  Who puts the data into it, and who decides who else can pull the
data out?

I expect that as we approach the millennium, we'll see a lot more of
these "off by a century" errors.

Ed Ravin eravin@panix.com philabs!trintex!elr +1 914 993 4737


If they mention flying saucers, they're out to get you

Christopher Maeda <cmaeda@ERNST.MACH.CS.CMU.EDU>
Sun, 28 Mar 93 12:29:15 EST
Date: Tue, 23 Mar 1993 14:33:00 BST
Subject: if they mention flying saucers, they're out to get you
From: Derek Cooper <RCAA000@maple.cc.kcl.ac.uk>

From the London Times today (I did check that it's not April 1st!)-

  Officers in Warrington, Cheshire, fed up with people listening in to their
  messages, broadcast that a flying saucer had crash-landed in a field & gave
  details of where to find it.

  Radio messages about a huge glowing spacecraft were broadcast with the
  warning "Do not approach.  It may be radioactive."  The warning was followed
  by directions to the field in Appleton.  The eavesdroppers arrived within
  minutes, expecting to see little green men.  They were arrested instead.

  Police said that 5 people had been reported to the Crown Prosecution Service
  for telecommunications offences.  Scanning devices that can pick up police
  radio messages are widely available but using them to listen to police
  transmissions is an offence.

     [I have seen this on several groups.  There is a question whether it
     is actually illegal if you are merely listening, as opposed to doing
     something about it.  PGN]


Computer problems at Empire Blue Cross

Robert Wentworth <rhw@hoh-1.att.com>
Mon, 29 Mar 93 15:47:43 EST
From a NY Times article (3/29/93, p. A1,B2) on financial and management
problems at NY state health insurer Empire Blue Cross/Blue Shield:

  Empire was forced to write off $50 million that had gone uncollected or
  unbilled because of computer problems dating to the mid-1970's, according to
  an internal report obtained by The New York Times.
    One glitch involved a computer system that could not understand bills of
  $100,000 or more.  A $103,000 charge, for example, would be interpreted as
  only $3000, and the smaller amount would be billed to the client.  That
  failure occurred 29 times and cost Empire $3 million, the report said.

[Management comments about such problems being ancient history and Empire's
real problems lying elsewhere.]

  Still, the computer problems persist. An expensive new electronic system
  for handling claims --- being developed by a former board member --- was
  expected to be finished about 18 months ago, but is not likely to be
  completed until later this year.  Empire has invested $17 million in that
  venture.
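The '88 kindergarten invitation earlier in this issue and the $103,000 charge billed as $3,000 here are the same defect seen twice: a field narrower than the values written into it, with the high-order digits dropped silently. The following is an added example, not code from either article, that models that truncation and the check that prevents it. The field widths (two-digit year, five-digit whole-dollar amount) are inferred from the symptoms and are assumptions, as are the sample records.

```python
"""Added example: silent high-order truncation in fixed-width fields.

The widths below are inferred from the symptoms in the two stories ('88 for
both 1888 and 1988; $103,000 billed as $3,000 fits a 5-digit dollar field)
and are assumptions, not facts from either article.
"""
from dataclasses import dataclass


def fits(value: int, width: int) -> bool:
    """True if an unsigned integer fits in `width` decimal digits."""
    return 0 <= value < 10 ** width


def move_to_pic9(value: int, width: int) -> int:
    """Model a COBOL-style MOVE of an unsigned integer into a PIC 9(width) field.

    High-order digits that do not fit are dropped without any error, which is
    exactly how 103000 becomes 03000.
    """
    if value < 0:
        raise ValueError("unsigned field")
    return value % (10 ** width)


def move_checked(value: int, width: int) -> int:
    """Same move, but refuse values that would be truncated."""
    if not fits(value, width):
        raise OverflowError(f"{value} does not fit in PIC 9({width})")
    return value


AMOUNT_WIDTH = 5   # assumed: a 5-digit whole-dollar field


def billed_amount_legacy(charge_dollars: int) -> int:
    """What the legacy system would bill for a charge."""
    return move_to_pic9(charge_dollars, AMOUNT_WIDTH)


def billed_amount_checked(charge_dollars: int) -> int:
    """What a range-checked system bills, or OverflowError for an oversized charge."""
    return move_checked(charge_dollars, AMOUNT_WIDTH)


@dataclass(frozen=True)
class Person:
    name: str
    birth_year: int   # four digits


# Constructed records; only the 1888 birth year is from the story.
RECORDS = [
    Person("Mary Bandar", 1888),
    Person("kindergarten-age child", 1988),
    Person("someone else", 1955),
]


def born_in_yy(records, yy: int):
    """The search the school ran: match on the last two digits of the year only."""
    return [p.name for p in records if move_to_pic9(p.birth_year, 2) == yy]


def born_in(records, year: int):
    """The search they needed: match on the full four-digit year."""
    return [p.name for p in records if p.birth_year == year]


if __name__ == "__main__":
    print("legacy bill for $103,000:", billed_amount_legacy(103000))
    print("born in '88:", born_in_yy(RECORDS, 88))
    print("born in 1988:", born_in(RECORDS, 1988))
    try:
        billed_amount_checked(103000)
    except OverflowError as e:
        print("checked bill rejects it:", e)
```

Note that the unchecked version never fails; it produces a plausible, smaller number, which is why the Empire defect could fire 29 times before anyone noticed. A range check at the boundary turns a silent loss into a loud one.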


Fantasy Baseball Journal Virus

<ega@neptune.att.com>
Thu, 25 Mar 93 08:37 EST
As baseball season is upon us, those who belong to fantasy leagues begin to
devour all available material about players, statistics, injuries, and so on.
One such supplier of these needed facts and opinions, The Fantasy Baseball
Journal, recently apologized for a particularly buggy issue.  They attribute
the printing errors to a "so-called virus that has seeped onto our computer
network."  This is not so startling, as we all know this kind of thing can
happen.  What is startling is the claim in the FBJ that "if [the virus] is the
problem, then that's solvable."  Perhaps these baseball statisticians are
smarter than we thought...

-- Ed Amoroso, AT&T Bell Labs


Reported procedural problems with TCAS, from sci.aeronautics

Lorenzo Strigini <strigini@iei.pi.cnr.it>
Fri, 26 Mar 93 14:38:45 MET
From: ak336@cleveland.Freenet.Edu (John Dill)
Newsgroups: sci.aeronautics
Subject: TCAS Glitchs
Date: 25 Mar 1993 14:48:47 GMT
Organization: Case Western Reserve University, Cleveland, OH (USA)
NNTP-Posting-Host: slc10.ins.cwru.edu

I've been a controller at the Cleveland ARTCC for 22 yrs. I've always welcomed
the arrival of any new procedure or technology that can enhance our ability to
safely separate air traffic. TCAS has proven to be one such aid. However, a
problem has been discovered which has the potential to be disastrous.

Here is the problem:
 Aircraft "A" is climbing to an assigned altitude of 23,000' (as an example),
while aircraft "B" is descending to an assigned altitude of 24,000'. The two
a/c are on converging courses and their combined vertical closure rate is
high, in this case we'll say about 6000' fpm. TCAS (on each aircraft) does
what is called a coordinated interrogation, meaning the equipment talks back
and forth and decides on the best resolution. Of course, the TCAS has no way
of knowing the aircraft are intending to both level off 1,000' apart, so it
issues a resolution advisory (RA) to both flight crews telling them to
INCREASE their respective rates of climb and descent. This is in direct
conflict to the controller's clearances. Only after the controller notices the
mode c readouts deviating from the assigned altitudes is he aware of a
problem. (actually, the frightcrews (pun intended) are required to inform the
controller that they are responding to a TCAS RA, but due to frequency
blockage, other duties, etc.  this may not happen.) Upon seeing the deviation,
the controller attempts to have the aircraft return to their assigned
altitudes.

There have been several incidents similar to this fictional one. The loss
of separation has been severe (as little as 200') and resulted from the
crews' confusion on whose instructions to follow. In the past few weeks,
the FAA has issued directives to all controllers to NOT attempt to
countermand a TCAS RA. By following only the TCAS RA, it is felt that the
separation, even though less than standard, will be sufficient.

John
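The scenario above turns on one fact: the airborne system extrapolates current vertical rates and cannot see the level-off the controller has cleared. The following is an added example, not part of the post and not the TCAS II algorithm, that projects a constructed instance of the encounter both ways (rates continued, and rates stopped at the assigned altitudes) to show why a rate-only projection calls a conflict the controller's plan does not contain. The time threshold, the starting altitudes and the one-dimensional model are assumptions; the real logic, thresholds and coordination are not reproduced.

```python
"""Added example: why a rate-only projection contradicts the clearance.

Simplified one-dimensional model for illustration only.  The real TCAS II
algorithm, its altitude-dependent thresholds and its coordination logic are
not reproduced here; TAU_S and the starting altitudes are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Track:
    alt_ft: float                          # current Mode C altitude
    rate_fpm: float                        # vertical rate, +climb / -descend
    assigned_ft: Optional[float] = None    # controller's clearance (unknown to TCAS)


def altitude_at(track: Track, t_s: float, honour_clearance: bool) -> float:
    """Altitude t_s seconds from now.

    honour_clearance=False is the straight-line extrapolation a rate-only
    system sees; True stops the aircraft at its assigned altitude.
    """
    alt = track.alt_ft + track.rate_fpm * t_s / 60.0
    if honour_clearance and track.assigned_ft is not None:
        if track.rate_fpm > 0:
            alt = min(alt, track.assigned_ft)
        elif track.rate_fpm < 0:
            alt = max(alt, track.assigned_ft)
    return alt


def min_separation_ft(a: Track, b: Track, horizon_s: int, honour_clearance: bool) -> float:
    """Smallest vertical separation over the next horizon_s seconds (1 s steps)."""
    return min(abs(altitude_at(a, t, honour_clearance) - altitude_at(b, t, honour_clearance))
               for t in range(horizon_s + 1))


def time_to_coaltitude_s(a: Track, b: Track) -> Optional[float]:
    """Seconds until the rate-only projection puts both at the same altitude,
    or None if they are not closing vertically."""
    sep = b.alt_ft - a.alt_ft
    closure = (b.rate_fpm - a.rate_fpm) / 60.0   # ft/s, signed like sep
    if sep == 0:
        return 0.0
    if closure == 0 or sep * closure > 0:
        return None   # constant or increasing separation
    return -sep / closure


TAU_S = 35.0   # assumed RA time threshold; real values vary with altitude band


def rate_only_ra(a: Track, b: Track, tau_s: float = TAU_S) -> bool:
    """Would a system that only sees rates project a conflict within tau?"""
    t = time_to_coaltitude_s(a, b)
    return t is not None and t <= tau_s


if __name__ == "__main__":
    # Constructed instance of the scenario: A climbing to 23,000, B descending
    # to 24,000, each at 3,000 fpm (6,000 fpm closure), 3,000 ft apart now.
    a = Track(alt_ft=22000, rate_fpm=3000, assigned_ft=23000)
    b = Track(alt_ft=25000, rate_fpm=-3000, assigned_ft=24000)
    print("rate-only time to co-altitude (s):", time_to_coaltitude_s(a, b))
    print("min separation if rates continue: ", min_separation_ft(a, b, 60, False))
    print("min separation if both level off:  ", min_separation_ft(a, b, 60, True))
    print("RA from rate-only projection:", rate_only_ra(a, b))
```

In this instance the rate-only projection reaches zero separation in 30 seconds and trips the assumed threshold, while the cleared level-offs keep the pair 1,000 feet apart throughout. An RA that tells both crews to increase their rates pushes each through the altitude it was cleared to, which is the deviation the controller then sees on the Mode C readouts.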


Dutch hacker in jail for another month

Hans van Staveren <sater@cs.vu.nl>
Thu, 25 Mar 93 9:53:23 MET
The so-called hacker, the twenty-year-old Ronald O., whom we caught on one of
our PC's doing things as yet unknown at Delft University, will be in temporary
custody (or whatever the correct English term for that is) for 30 more days.
This is to give the police more time to gather evidence.

According to the papers, forged credit cards were found while searching his
home, and that also will not help his case.  He is supposedly unwilling to
answer any questions at this point, but is charged with crimes that could send
him to jail for a maximum of four years.

Although I am definitely not suggesting he is a nice guy, somehow I have some
difficulty connecting this nervous kid in our room with a sentence of four
years. I hope that being the first to be caught under the new law, and in the
act to boot, is not going to give him too much extra attention from law
officers.

Never forget the RISK of someone dying to try out his new toy. This goes for
hackers and law enforcement personnel alike.

    Hans van Staveren,  Vrije Universiteit,  Amsterdam, Holland


Correcting computer information held on you

Peter Debenham <PPXPMD@ppn1.nott.ac.uk>
26 Mar 93 13:36:39 GMT
Over the past couple of weeks it has been pleasant to see the dangers of
faulty information held on computer being acknowledged in Britain.  Under the
Data Protection Act (1986) in this country a Data Protection Registrar was set
up to monitor uses of computers to store personal information and to be an
independent source of help to get faulty data corrected.

Recently a television advert has been running showing clips of actors
mentioning problems that can happen with computer systems (My building society
thinks I died three years ago, According to my bank I have a criminal record
etc.) finishing with the address of the Data Protection Registrar and a
voice-over saying that if you have problems with faulty information held on
you to contact him.  People in other countries might like to know that it is
possible for officialdom to acknowledge risks of faulty information.

Peter Debenham, Physics Dept., University of Nottingham, UK. NG7 2RD
+ 602 515151 x8323 (wk) +602 730487 (hm) P_Debenham@ppn1.nott.ac.uk


Re: Conspiracy trial ends in ... acquittal (Bowen, RISKS-14.42)

Anthony Naggs <AMN@vms.brighton.ac.uk>
Thu, 25 Mar 93 23:39 GMT
Drawing on a variety of newspaper and magazine articles I hope I can sketch a
slightly wider picture of the case.  The best overall article I have seen is
in this week's New Scientist, (27 March 1993), which I recommend for further
reading.

A little terse I'm afraid, but here is my precis:

On 26 June 1991 British police arrested 3 men who had been cooperating in
hacking a number of university, government and commercial computer systems
across the world.  Individually they used the handles "Gandalf", "Wandaii" and
"Lizard", collectively they called themselves the "Eight Legged Groove
Machine".  They left messages to system managers on some hacked systems signed
"8LGM" or "Eight Little Green Men".

They did not meet, or even know each other's real names and addresses, until
they were introduced by the arresting officers, but discussed hacking,
passwords and vulnerable systems on bulletin boards and hacked systems.

Karl Strickland, 22, of Liverpool and Neil Woods, 26, of Oldham in Lancashire
were charged with conspiracy to dishonestly obtain telecommunications
services; having pleaded guilty, they are waiting to be sentenced.

Paul Bedworth, then 18, of Ilkley in West Yorkshire was charged with two
counts of conspiracy under the Computer Misuse Act, and one of conspiring to
dishonestly obtain telecommunications services.

It is interesting that the Crown Prosecution Service chose to charge Bedworth
with conspiracy, rather than a simpler charge of unauthorised access
to/modification of a computer system.  This decision was the foundation of the
acquittal, requiring the prosecution to demonstrate that he had a "guilty
mind" at the time of the hacking.

In court Bedworth's solicitor (lawyer to you US folks) claimed that the case
was a show trial, and brought in a psychiatric expert who described Bedworth
as having a "nonchemical dependence" on using a computer.

It is hard to see how a compulsion to use computers, or even to hack, can be
adequate grounds for acquittal, indeed the judge quite clearly directed the
jury to disregard this.  Nevertheless the jury returned not guilty verdicts on
all charges.  It is impossible to know their reasoning, as it is a criminal
offence to publish any details of the jurors' deliberations.

Much of the press, including the New Scientist article, represents this as
setting a legal precedent.  Firstly, this doesn't make sense, because nobody
can say what the supposed precedent is.  Secondly, only the ruling of a judge
can do this (subject to appeal to higher courts, ...).

In this case we can do little but accept that our jury system has again
demonstrated its unpredictability.  Though this is of little consolation to
those institutions who suffered expensive tampering with their systems, and
had to foot tens of thousands of pounds of phone bills, due to the actions of
these men.

  Anthony Naggs, Software/Electronics Engineer, (and virus researcher)
  Phone: +44 273 589701   Email: amn@vms.brighton.ac.uk


Re: Software Warranties (Robinson, RISKS-14.43)

Geoff Pike <pike@snake.CS.Berkeley.EDU>
Thu, 25 Mar 93 23:21:36 -0800
> ...places that make computer programs are refusing to guarantee {anything}.
>This is as it should be.  The risk is not that software might not work; the
>risk is that people blindly assume that it worked, is working, or will work.

A mildly related thought is that the following sort of problem will frequently
rear its ugly head in the near future: An engineer (or architect, etc.)
screws up and is sued, but the problem is traced back to a faulty piece of
third-party software that he or she used.  Now the court must try to untangle
the liabilities, a process that will require detailed technical knowledge that
no judge or jury is likely to have.

Geoff Pike (pike@cs.berkeley.edu)


Akron BBS Sting Update 3 (See RISKS-14.43)

David Lehrer <71756.2116@compuserve.com>
27 Mar 93 11:40:58 EST
The following is an editorial published in the Akron Beacon Journal on
Wednesday, March 24, 1993.  This editorial is copyrighted by the Akron Beacon
Journal, and commercial use or resale of this article is forbidden.
Permission to post this editorial in its entirety has been generously granted
by Mr. David B. Cooper, Associate Editor.

MUNROE FALLS CARRYOUT
Akron Beacon Journal (AK) - WEDNESDAY March 24, 1993, A14

The Fourth Amendment to the Constitution was written to safeguard ordinary
citizens against unreasonable search and seizure.  Recently, however,
law-enforcement officials have taken to seizing possessions of convicted and
suspected criminals, particularly drug dealers.

   In the case of 23-year-old Munroe Falls resident Mark Lehrer, police
confiscated a sophisticated, $3,000 computer setup, programs and disks on the
suspicion that he might be letting kids look at dirty pictures. That charge
was never proved.  In fact, it appears that police received only one or two
complaints about his computer bulletin board, none from area parents.  Lehrer
contends a clerical error put the pornography into files accessible to all the
bulletin board's users, not just adults.  Police enlisted a 15-year-old,
falsified his identity for a membership and then helped the teen call up a
possibly offending program.

   But, when the Summit County grand jury refused to indict the University of
Akron computer whiz on the original charges, Munroe Falls police filed other
charges based on the possibility that some of the programs in Lehrer's private
collection contained pictures of minors.

   Lehrer did plead guilty to a misdemeanor charge of 'attempted possession of
criminal tools' -- his computer -- based on those subsequent charges.

   No one downplays the seriousness of crime in our society, whether it's in
the suburbs or inner cities. None argue that children should be able to view
pornography.

   But in the absence of compelling evidence that Lehrer was trying to peddle
child porn to kids, either at the outset of this case nine months ago or now,
it could appear that the police acted hastily in confiscating the computer.
Such actions invite questions as to whether the police were protecting against
a child pornographer or using the intimidating powers of the police and
judicial system to help themselves to a nice hunk of expensive machinery. dl


Virginia voters & Social Security Numbers

Jeremy Epstein <epstein@trwacs.fp.trw.com>
Thu, 25 Mar 93 10:49:49 EST
In a copyrighted story, the March 24 Washington Post includes an article
describing a ruling by the 4th Circuit Court of Appeals that Virginia's
law requiring a SSN to register to vote is unconstitutional.

The decision is being hailed by civil rights groups as a victory for the 4
million Virginians who are registered to vote.  Because voter rolls are public
information, registering to vote is equivalent to publishing your SSN.  The
judges wrote "The harm that can be inflicted from the disclosure of a Social
Security Number to an unscrupulous individual is alarming and potentially
ruinous....  The statute at issue compels a would-be voter in Virginia to
consent to the possibility of a profound invasion of privacy."

A spokesperson for the Virginia Attorney General's office said they have not
decided whether to appeal the ruling.

The case was brought by Marc Alan Greidinger, a 29-year-old Fredericksburg
lawyer (who represented himself) after he was denied the right to register to
vote because he refused to reveal his SSN.  Greidinger said that during the
lawsuit he gave his SSN to someone who was able to get his current balance on two loans,
last payment dates, and university transcripts.

It is not believed that the ruling will affect other state agencies
(such as motor vehicles) which require SSNs, because those are not
considered public records.

The article mentions help from the Public Citizen Litigation Group
(one of the Ralph Nader organizations), and quotes the legal director
for the ACLU, which was not involved in the case.

      [I guess the "good guys" won one!]


SSN in the news

Chris Phoenix <chrisp@efi.com>
Thu, 25 Mar 93 09:50:54 PST
Our local "News Radio 74" has a feature called "the Osgood File" in which
Charles Osgood talks for several minutes.  This morning his topic was Social
Security numbers.  He said a little, but missed some very important points.

He talked about the invasions of privacy that were possible with someone
else's SSN, but said only one or two sentences about possible loss of money.
He mentioned that cards used to say "Not to be used for ID purposes" and don't
say that anymore, but did not talk at all about which uses are actually
illegal.  He talked about a lawyer in Virginia (?) who sued the election
officials because they required his SSN to register to vote and then sold the
lists to special interest groups.  But he did not say anything about all the
other abuses that happen, and especially did not give any advice on how to
reduce your risk.

I was disappointed with the report.  He could have given some very useful
information about our rights and the danger of SSNs, but aside from a closing
comment about "Remember, if they've got your Social Security number they've
got your number!" there was almost nothing in the report that was actually
useful to a listener.

Chris Phoenix   chrisp@efi.com  415-286-8581


Court Bans SSN Disclosure

Dave Banisar <banisar@washofc.cpsr.org>
Fri, 26 Mar 1993 17:21:41 EST
PRESS RELEASE, March 26, 1993

"FEDERAL APPEALS COURT UPHOLDS PRIVACY: USE OF SOCIAL SECURITY NUMBER LIMITED
CPSR Expresses Support for Decision"

A federal court of appeals has ruled that Virginia's divulgence of the Social
Security numbers of registered voters violates the Constitution.  The Court
said that Virginia's registration scheme places an "intolerable burden" on the
right to vote.

    The result comes nearly two years after Marc Greidinger, a resident of
Falmouth, Virginia, first tried to register to vote.  Mr. Greidinger said that
he found it nearly impossible to obtain a driver's license, open accounts with
local utilities or even rent a video without encountering demands for his
Social Security number.

    Mr. Greidinger told the New York Times this week that when the State
of Virginia refused to register him as a voter unless he provided his Social
Security number he decided to take action.  He brought suit against the state,
and argued that Virginia should stop publishing the Social Security numbers of
voters.

    This week a federal appeals court in Richmond, Virginia ruled that the
state's practice constituted "a profound invasion of privacy" and emphasized
the "egregiousness of the harm" that could result from dissemination of an
individual's SSN.

    Computer Professionals for Social Responsibility (CPSR), a national
membership organization of professionals in the computing field, joined with
Mr. Greidinger in the effort to change the Virginia system.  CPSR, which had
testified before the U.S. Congress and the state legislature in Virginia about
growing problems with the misuse of the SSN, provided both technical and legal
support to Mr. Greidinger.  CPSR also worked with Paul Wolfson of the Public
Citizen Litigation Group, who argued the case for Mr. Greidinger.

    In an amicus brief filed with the court, CPSR noted the long-standing
interest of the computing profession in the design of safe information systems
and the particular concerns about the misuse of the SSN.  The CPSR brief
traced the history of the SSN provisions in the 1974 Privacy Act.  The brief
also described how the widespread use of SSNs had led to a proliferation of
banking and credit crime and how SSNs were used to fraudulently obtain credit
records and federal benefits.

    CPSR argued that the privacy risk created by Virginia's collection and
disclosure of Social Security numbers was unnecessary and that other
procedures could address the State's concerns about records management.

    This week the court of appeals ruled that the state of Virginia must
discontinue the publication of the Social Security numbers of registered
voters.  The court noted that when Congress passed the Privacy Act of 1974 to
restrict the use of the Social Security number, the misuse of the SSN was "one
of the most serious manifestations of privacy concerns in the Nation."

    The Court then said that since 1974, concerns about SSN confidentiality
have "become significantly more compelling. For example, armed with one's SSN,
an unscrupulous individual could obtain a person's welfare benefits, or Social
Security benefits, order new checks at a new address, obtain credit cards, or
even obtain the person's paycheck."

    The Court said that Virginia's voter registration scheme would "compel
a would-be voter in Virginia to consent to the possibility of a profound
invasion of privacy when exercising the fundamental right to vote."

    The Court held that Virginia must either stop collecting the SSN or
stop publicly disclosing it.

    Marc Rotenberg, director of the CPSR Washington office said, "We are
extremely pleased with the Court's decision.  It is a remarkable case, and a
real tribute to Marc Greidinger's efforts.  Still, there are many concerns
remaining about the misuse of the Social Security number.  We would like to
see public and private organizations find other forms of identification for
their computing systems.  As the federal court made clear, there are real
risks in the misuse of the Social Security number."

    Mr. Rotenberg also said that he hoped the White House task force
currently studying plans for a national health care claims payment system
would develop an identification scheme that did not rely on the Social
Security Number.  "The privacy concerns with medical records are particularly
acute.  It would be a serious design error to use the SSN," said Mr.
Rotenberg.

    Cable News Network (CNN) will run a special segment on the Social
Security number and the significance of the Greidinger case on Sunday evening,
March 28, 1993.  The Court's opinion is available from the CPSR Internet
Library via Gopher/ftp/WAIS.  The file name is
"cpsr/ssn/greidinger_opinion.txt".  The CPSR amicus brief is available as
"cpsr/ssn/greidinger_brief.txt".

    CPSR is a national membership organization, based in Palo Alto,
California.  CPSR conducts many activities to protect privacy and civil
liberties.  Membership is open to the public and support is welcome.  For more
information about CPSR, please contact, CPSR, P.O. Box 717, Palo Alto, CA
94302, call 415/322-3778 or email cpsr@csli.stanford.edu.
