Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
An item from a Boeing News Digest: Washington, D.C. Office Morning Report - Volume 19 Number 81 April 26, 1993 1. WALL STREET JOURNAL - After an incident in which an Evergreen International Airlines 747 went into a slow roll, lost lift and went into a dive, dropping from 31,000 feet to 19,000 feet, the Federal Aviation Administration began an investigation. It found 30 similar incidents the FAA believes were caused by a broad variety of autopilot faults. The incidents, both fast and slow rolls, showed up on 747s at several airlines over a 22-year period. Many occurred in daylight with a horizon visible, enabling pilots to regain control more quickly — and postponing the day when the seriousness of the problem would be widely recognized. Among carriers whose 747 autopilots went into rolls are British Airways, TWA, Air Canada and Lufthansa. Boeing, the airlines and aviation regulators are in a quandary. After more than a year of intense investigation following Evergreen's near-disaster, engineers can't agree on whether the fault lies in the autopilot or elsewhere, or on what the remedy should be. Boeing says pilots should pay close attention to their job so they can quickly right the plane should the autopilot throw it into a roll. Autopilots "are designed to assist and supplement the pilot's capabilities and not replace them," a company statement says. "This means our airplanes are designed so pilots are the final control authority and it means that a well trained crew is the first line of safety." Stephen L Nicoud <stephen@Boeing.Com> bcstec!bcsaic!stephen Boeing Computer Services Research and Technology, Bellevue, Washington USA [Also noted by dhartung@chinet.com (Dan Hartung).]
From The Guardian, Friday April 16th 1993, tabloid supplement, p3,
article: ``Down to Earth with a bump'', by Tim Radford:-
------------------Begin extract----------------------
[Astronaut Mike] Collins once compared Apollo's flight to a half a million
mile daisy chain, draped round the Moon. A Nasa safety engineer on an
earlier voyage put it more graphically. ``Apollo 8 has 5,600,000 moving
parts. Even if all functioned with 99.9 per cent reliability, we could
expect 5,600 defects.'' On Apollo 11 something did go wrong, but no one
now remembers it. When Armstrong and Aldrin climbed back into the module
and began the checklist in preparation for blast-off, they discovered that
a plastic pin which acted as a circuit breaker for the launch engine had
snapped off. They decided it was because a backpack must have bumped it as
they left the tiny lunar module. For a few appalling moments it must have
seemed as though the nightmare had begun: marooned on the Moon, with only a
day's oxygen and no way home. Aldrin poked around, and found a felt-tipped
pen, and shoved it in the slot. It worked. A charge of electricity could
then start the launch engine. Man had a proper place in the scheme after all.
``Where else,'' said one test pilot in the programme, ``would you get a
non-linear computer weighing only 160lbs, having a billion binary decision
elements, that can be mass-produced by unskilled labour?''
The classic argument of the what's-the-point lobby, which includes space
administrators and big business as well as governments and scientists, and
for which Lewis Mumford spoke so eloquently, is that humans in space can't
do without computers, but computers can do without humans. This is almost
but not quite true, and Aldrin's felt-tipped pen has written one tiny answer
to that, and the same point will be made again and again: the history of
unmanned space is a history of of technical flaws as well as technical
triumphs. Man may not be going to Mars just yet, but he'll get there.
He'll be wanted on the voyage.
But that isn't quite the point either. A manned Mars mission would be an
awfully big adventure, and not just for the men who set out on it.
Does anyone now think the pyramids were really a waste of money?
------------------End extract----------------------
Peter Mellor, Centre for Software Reliability, City University, Northampton
Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk
During 1991 and 1992, many things happened in Spain related with computer risks. Some of them went to the Court, and many others remain in an unhealthy silence. Data stolen from banks, cryptology used by terrorist organizations, hacking, piracy, personal dossiers and blackmailing have been studied by the police, lawyers, journalists and professional technicians. Moreover, a deep crisis in Spanish economy does not help to recover any investment in data processing. There are too many unpaid bills and half performed projects in computing. At the same time, politicians at the Parliament approved a new Law on Data Protection, and a Data Protection Agency, a Computer Police that is not clear enough who can control and how can it work. Computer victimization is very high in Spain due to knowledge lack and technical dependency from equipment and service sellers. In an increasingly complex and critical environments, there is almost no local technology industry, and multinationals are very disconcerted because lack of expertise, expensive commercial nets, counter-productive promotional efforts, and political corruption on almost every local big business. Since December 1992, there is an Association, APEDANICA, that can help to discover sensible troubles related with computers and communications, and its markets. Members of this non-profitable organization acts like expert witness, cryptologist, lawyers, and even as Sherlock Holmes in computer environments. APEDANICA (ASOCIACION PARA LA PREVENCION Y ESTUDIO DE DELITOS ABUSOS Y NEGLIGENCIAS EN INFORMATICA Y COMUNICACIONES AVANZADAS), Spanish Legal Advanced Communications and Computer Crime Association, is very interested in developing relationships with any other organization with similar goals, all over the World. Miguel A. Gallardo Ortiz, P.O. Box 17083 - E-28080 Madrid (Spain) Tel: (341) 474 38 09 - FAX: 473 81 97 E-mail: gallardo@batman.fi.upm.es President of APEDANICA-Spanish Legal Computer Crime Research Association
Forwarded message:
Date: Wed, 28 Apr 93 13:03:57 EST
From: Roger.Clarke@anu.edu.au
Subject: Crypto-Schemes and Mobile Digital Services
At CFP'93, there was considerable debate about whether cryptographic
schemes should be designed to be 'crackable' by national security and law
enforcement agencies. The Australian situation is that the licences issued
for mobile digital telephone services all require the cryptography to be
crackable. Now read on ...
New digital phones on line despite objections
By BERNARD LAGAN and ANNE DAVIES
The Sydney Morning Herald, Wednesday 28 April, 1993
CANBERRA: The Federal government has over-ridden the objections of law
enforcement agencies and allowed Telecom and Optus to start new digital
mobile phone networks which are so secure that conversations can escape
officially authorised telephone bugging.
While law enforcement agencies can still intercept calls from mobile
phones to an ordinary phone, calls from one digital mobile phone to another
cannot be tapped.
The Government agreed to waive the bugging requirement, originally a
condition of Telecom and Optus's mobile phone network licences, late last week
after strong pressure from both carriers to begin their services without
providing technology to allow law enforcement agencies to listen into
conversations.
The changes to the system to allow official bugging will take up to
two years to complete and will cost more than $25 million, a cost which the
Government has agreed to bear.
The Government's waiving of the bugging requirement was made despite
strong opposition from law enforcement agencies, who wanted the start of the
new digital mobile phone networks delayed until there was technology available
to allow conversations conducted on these networks to be intercepted.
The law enforcement agencies argued that once criminals and others who
had reason to avoid officially authorised interceptions of their telephone
conversations became aware of the loopholes in the new system, they would
exploit it.
The exemption was given by the Minister for Communications, Mr Beddall
after talks held last week with the acting Attorney-General, Mr Kerr.
It enabled Telecom to launch the country's first digital mobile phone
network yesterday.
The Federal Government is reticent about the decision to let the new
network go ahead. A spokesman would only say that the Attorney-General was
"satisfied" with the operational aspects of the new system.
A spokesman for Minister for Communications, Mr Beddall, said that
"the matter had been resolved", and any further queries should be addressed to
Telecom and Optus.
General manager of Telecom, MobileNet, Mr John Dearn, refused to
confirm or deny that calls made from the new GSM (General System
Mobile),mobile phones to other GSM mobile phones could not be intercepted, or
that an exemption had been sought from the Government to allow the new GSM
service to begin.
"We have an agreement with the Department of Communications that we
will not discuss the licence conditions," he said.
Referring to the fact that most mobile phone calls are to fixed phones
attached to the ordinary telephone network, Optus chief operating officer, Mr
Ian Boatman said that most calls carried on Optus's GSM network would be
interceptable by the security agencies.
Optus is understood to have met with the Attorney General last
Thursday, and has been given similar exemptions to its licence conditions.
A third licensed operator is Vodaphone. Managing director, Mr Phillip
Cornish, said: "These are Government and security matters and Vodaphone had no
comment". Vodaphone is not likely to begin its service until late this year.
The three mobile licensees Telecom MobileNet, Optus and Vodaphone
Australia - are 'required by their licences to introduce the new digital
mobile system, or GSM, as soon as the standard is available.
However it became clear that the formula used to encode the new
service, known as the A5 algorithm, was so secure that not even the police or
security agencies could listen in.
The dilemma for the Government was that having insisted on the the
early introduction of GSM, it faced the prospect of substantial delays if it
did not waive the licence condition. Because the standard was so secure,
nobody anticipated the difficulty of re-coding and re-encrypting the algorithm
to give access to law enforcement agencies.
The Telecom system, costing in excess of $10O million to establish,
covers more than 55 per cent of Australian consumers in Sydney, Melbourne,
Canberra, Brisbane, Perth, Adelaide, the Gold Coast, Newcastle, Geelong and
the Mornington Peninsula, Victoria.
Its high security - compared to the existing 018 mobile telephone
network - together with greater clarity is being used by Telecom to attract
new customers.
Under the 018 radio phone network, people using sophisticated scanners
could pick up private conversations. But the digital technology ensures the
telephone transmissions are scrambled and cannot be understood by people with
scanners.
Posted by: Roger Clarke, Reader in Information Systems, Dept. of Commerce,
Australian National University Roger.Clarke@anu.edu.au +61 6 249 3666/3664
An article in the UK Sunday Telegrapph on 25 Apr 1993, p. 5, by Barbara Lewis, deals with the current argument that banks in the UK deny that "phantom" withdrawals happen, and all such things from ATMs are because the cashcard owner has let the PIN be revealed. The card used was a free gift from a Total garage (Total - a French petrol company), for use in a money saving offer. The PIN belonged to someone's account. By bringing the two together, and programming the card with a genuine account number taken from a discarded till receipt, Mr Clough was able to fool the machine into paying out. The requirements included specialised computer knowledge and basic technology. A magnetic card reader and programmer costing as little as 500 pounds (750 dollars) which is capable of turning worthless blanks into cashcards. By using the details of the discard receipt, which contained the full account number, plus the details off a valid card, they were able to "break" the system. They used a machine which could not check the validity of the card with the banks central computer, and so forced validation by the information of the card itself. From the article, the area of danger is the number of printouts with numbers of cards on them and the ability to find ATMs which are not on-line to the banks computer. They also demonstrated that a careful watcher of users of ATMs can "see" what PIN is used, pick up a receipt discarded by the same person who they watched, and then can make a usable card. The particular ATM still prints all the account number, and not all UK ATMs may work the way this banks one did, but they believe that it is a major loophole. The banks deny that they are finding lots of "white" cards, and a spokesman for the Association for Payment Clearing Services (APCS) insisted that hat was done was impossible. It seems as usual that the banks are hiding their collective heads in the sand. Lord John - The Programming Peer w0400@ggr.co.uk fax - +44 81 423 4070
I will substantiate the article by J. Phillip Miller. The same circumstances occurred in Holt, Michigan, last year (1992) in the house next to my parents' (address and date available upon request): a search warrant was issued because of higher-than-neighborhood-average electric bills, a sweep by helicopter with infrared camera confirmed thermal hot spots, search of the house turned up marijuana cultivation. Evidently this is a known routine for the electric utilities, but I don't know if there is a chi-square or similar statistic they use to determine what is "substantially" higher usage. Mark S. Shanks shanks@saifr00.cfsat.honeywel.com
A similar situation occurred locally a few months back. From memory, the local police (don't remember which city) had reason to believe that an individual was cultivating marijuana in his basement, but they had insufficient grounds for a search warrant. I believe what happened is that they got a PG&E guy to read the suspect's meter, which told them that he was using a *lot* of energy. And that got them a search warrant. The issue that arises, of course, was the legality of the procedure, because the PG&E guy was technically acting as a law enforcement agent, and therefore he violated "unlawful search and seizure" laws. Again, I'm fuzzy on the details, so take this with a grain of salt. Jim Jim Griffith griffith@dweeb.fx.com
This is purely speculative, but I would imagine that many utilities now may have routines which flag any unusually high billing amounts and request human confirmation of the accuracy of the figures. We've all heard the stories of Mr. & Mrs. John Q. Public who received an electrical/gas/etc. bill for a couple hundred thousand dollars for their two-bedroom home and had to fight tooth-and-nail with the utility company to get them to realize that they had made a mistake. Such publicity is probably embarrassing enough for is probably embarrassing enough for the company to make a simple double-check routine worth the effort. Jim Huggins (huggins@eecs.umich.edu)
I knew someone who this happened to in the late 70s. He seemed to think that such monitoring of electricity was not uncommon; he was, however, not taken to court, since the police or prosecutor apparently was worried that their search was not legal. They made a verbal agreement with him that he would just stop growing pot in his house and they wouldn't press the matter. He did mention another interesting variation on this theme. He said that in winter if the police notice that part of your roof (e.g., the attic) has no snow on it then they can (and will) legally search your house, presumably after getting a warrant. I would think that this would hold up in court. I'm not sure how RISKy this whole subject is, however, unless the electricity monitoring was done by computer... Dave Bakken
The *important* risk here is to the "old-timers" ... I suspect one PDP-8 is worth a fair number of grow-lamps ;-) I can't imagine *what* the newspapers would make of it. Randall Gray, CSIRO Division of Fisheries, Pelagic Fisheries CSIRO Marine Laboratories, Castray Esplanade, GPO Box 1538, Hobart, Tasmania 7001 AUSTRALIA
In RISKS-14.55, J. Philip Miller (phil@wubios.wustl.edu) wondered if utilities detect "unusual" customers. I know the water company for New Haven, Connecticut asked my mother-in-law why her water usage trebled from one billing period to the next. I think that utility companies are generally expected to monitor "average" or "normal" use for when somebody protests that $1000.00 dollar gas/electric/phone/water bill. I would be surprised if the St. Louis police could get a warrant just on the basis of high electricity use and an "unusually warm" attic. These may have been used to support statements made by an informant--say a neighbor wondering why this guy had so many visitors at 3:00am. Or the warrant may have been instigated by concerns for violations of local building codes or zoning ordinances. If the fire marshall saw marijuana plants growing in the attic while executing a warrant searching for potential fire code violations would another warrant be needed to arrest the occupant for drug violations? Edwin M. Culver culver@cse.bridgeport.com (203) 468-1803
In California, PG&E (the electric utility in many parts of Northern California) issues press releases which indicate that they do this. Your power company may be quite willing to tell you if they do this, if you call a public affairs office. Kevin
U.S. Phone companies spend more than 4000 times as much running the phone system ($126b) as police spend on legal domestic phone wiretaps ($31m), to listen to phone conversations without the consent of either party. So if wiretaps are worth at most a few times what police spend on them, we can justify only the slightest modification of our phone system to accommodate wiretaps. Yet the new wiretap chip, and last year's FBI digital telephony bill, both threaten to raise our phone bills by far more than they reduce our taxes for police. Dorothy Denning claims that wiretaps are worth "billions of dollars per year", based on amounts fined, recovered, etc. But this is just the wrong way to estimate the value of police services, according to standard texts on law enforcement economics. Instead, the value of each wiretap should be not far from how much police would be willing to pay extra for that wiretap. Given alternatives to use hidden microphones, informants, offer immunity, investigate someone else, or to raise the punishment for some crimes, it seems hard to imagine that most wiretaps would still be done if they cost police four times as much as they do now. And even if wiretaps were on average worth four times what police now pay, the option to wiretap the average phone line would be worth only six cents a month. Yet phone companies must even now perceive substantial costs to supporting wiretaps, even relative to wanting to stay on the good side of police; why else would police be complaining about lack of support? Government policies attempting to preserve wiretaps in the face of technological change would discourage a full global market for phone systems, while government decree would displace marketplace evolution of standards for representing, encrypting, and exchanging voice. Do you think these factors would raise the average $76 monthly phone bill by more than six cents? Even the wiretap chip itself, sold for $30 each while private chips without wiretap support sell for $10, would cost people who buy a new phone every five years an extra 30 cents per month. The central question is this: would police agencies still be willing to pay for each wiretap, if each wiretapping agency were charged its share of the full cost, to phone users, of forcing phones to support wiretaps? And why not let the market decide the answer? Currently, police must pay phone company "expenses" to support wiretaps. Let us interpret this to mean that phone companies may sell to police the option to perform legal wiretaps on given sets of phone lines, at whatever price the two parties can negotiate. Phone companies could then offer discounts to customers who use phones with wiretap chips, and each person could decide if the extra cost and risk of privacy invasion was worth the price to make life easier for the police. If it turns out wiretaps aren't worth their cost, so be it; no big deal. Less than one part in a thousand of police budgets is spent on wiretaps, and wiretaps weren't even legal before 1968. [For references and a more detailed discussion of these issues, ask me for my longer paper with the same title.] Robin Hanson, MS-269-2, NASA Ames Research Center, Moffett Field, CA 94035 415-604-3361 hanson@ptolemy.arc.nasa.gov
There is an enormous amount of pending mail on the Clipper Chip. However, much of it is now third- or fourth-order incrementalism. Please excuse me if I arbitrarily cut off the discussion rather than try to cull through everything looking for a few gems. I am delighted that this issue raised such a response, and hope that the discussion in RISKS has been helpful. The last words have obviously not yet been said, but it seems silly to continue a discussion that includes considerable misinterpretations of already misleading comments. If you have something really important to add, please make it incremental to the previous discussion, and make it salient. Thanks. PGN
CALL FOR CONFERENCE PAPERS AND PARTICIPATION
eicar CONFERENCE '93
When? December, 1st - 3rd 1993
Where? St. Albans, Hertfordshire, England
The Occasion: 4th Annual Eicar Conference
Submission Deadline: 31st May 1993
Following a successful event in Munich last year, the European Institute for
Computer Anti-Virus Research (eicar), is holding its 1993 Conference on 1st -
3rd December.
Eicar is an independent organisation supporting and co-ordinating European
activities in the areas of research, control and prevention of computer
viruses and related security compromising sabotage software.
The conference will bring together users of computers and the world's leading
experts and authorities in the anti-virus field along with the writers of
anti-virus products that you are using such as Fridrik Skulason of Frisk -
F-Prot, Joe Wells of Symantec - Norton Anti-Virus and Alan Solomon of S&S
International - Dr Solomon's Anti-Virus Toolkit.
The conference covers all aspects of computer viruses and other malicious
software including the following:-
- virus trends - anti-virus technology
- infection recovery tools - anti-virus product selection
- network security - system security
- backup measures - risk assessment
- corporate strategies - disaster recovery plans
- case studies - educational tasks
- impact on technology - epidemiology
- forensic procedures - legal aspects
- social implications - ethics
Tutorial Day - an optional tutorial on computer viruses and similar SW threats
Day One - will carry two tracks covering state-of-the-art information
Day Two - continues the two tracks and concludes with a panel discussion
Call for Exhibitors
Whether or not you are considering speaking at the conference, you should at
least be investigating the sales and marketing opportunities available at the
exhibition. For further information on exhibiting at the conference, please
contact Rebecca Pitt at the address below.
Submissions of draft papers and panel proposals should be received by Friday,
31st May 1993.
Please send your conference papers in ascii or Word for Windows, to the
following address:-
Miss Alison Sweeney, Conference Manager, S&S International Limited
Berkley Court, Mill Street, Berkhamsted, Herts, HP2 4HW, England
Tel: +44 442 877877 Fax: +44 442 877882 Sands@cix.compulink.co.uk
Please report problems with the web pages to the maintainer