The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 65

Sunday 30 May 1993

Contents

o Flight control computers `to bypass pilots'
Brian Randell
o UK Hacker trial
Brian Randell
o Computerised Intensive Care Unit
H}kan Karlsson
o Computerized telephone solicitations
Jane Beckman
o Credit-card retention by phone number
Andrew Koenig
o Cash machine keypad risk?
Paul Potts
o Stop The Madness!
Arthur R. McGee
o The risks of teaching about computers and the law
Peter D. Junger
o Disaster Avoidance & Recovery Conference & Exhibition May 26-28
Nigel Allen
o Info on RISKS (comp.risks)

Flight control computers `to bypass pilots'

<Brian.Randell@newcastle.ac.uk>
Thu, 20 May 1993 11:38:26 +0100
  [In the following item, the statement: "The system also ensures that no
  mistakes are made" especially caught my eye! And I imagine that RISKS
  readers such as Don Norman will have something to say about: "[Pilots] will
  control by exception, in other words leaving all routine tasks to be done
  automatically by the computers."  Brian Randell, Dept. of Computing Science,
  University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK
  Brian.Randell@newcastle.ac.uk +44 91 222 7923]

Flight control computers 'to bypass pilots'
The Independent (a national UK paper), 19 May 93

Christian Wolmar reports on a new electronic system for air communications

While aircraft flown with the aid of computers have transformed the role of
pilots, communications between aircraft and ground control have changed little
since the early days of aviation. "Roger" and his pal "out" still feature
prominently, and misunderstood instructions have led to several of crashes.

All that is set to change. Yesterday the first test demonstration of
equipment which will allow pilots and air traffic controllers to
communicate through computers was held. An experimental BAC 1-11 "flying
laboratory", belonging to the Defence Research Agency at Bedford, flew
above East Anglia sending and receiving messages on its on-board computer.

This project, called the Experimental Flight Management System, is part of a
Europe-wide programme that is expected to enable commercial aircraft to begin
communicating in this way by 1998, saving time and reducing the risk of
accidents.

Trevor Gilpin, programme manager for the National Air Traffic Services, the
organisation responsible for air traffic control, says the new system has
many advantages: "The airwaves are getting very cluttered and would not be
able to cope with the expected doubling of air traffic over the next 15
years. The system also ensures that no mistakes are made."

Pilots will be able to get weather information on their screens, whereas at
the moment they can only do so by tuning to a special radio frequency.

The messages from ground control can also go direct to the plane's auto
pilot, which raises the possibility, already mooted by the European
aircraft manufacturing consortium Airbus, that pilots may become redundant.
Aircraft could be controlled from the ground with a person in the cockpit
as a failsafe. A ground-based computer could ensure pilots have carried
out its instructions and send a warning if they have failed to do so.

Mr Gilpin feels that there will always be a pilot but accepts that the role
of both pilot and air traffic controller will be different: "They will
control by exception, in other words leaving all routine tasks to be done
automatically by the computers."

At the core of the system is a new form of radar communication, called Mode
S, which allows information to be transmitted electronically. For it to be
used widely, new transmission centres will have to be built throughout
Europe. Mode S allows aircraft to be tracked in four dimensions - including
time - which enables tighter control of airspace, reducing delays. Partial
introduction of the system is expected in 1996.

Electronic information also needs to be sent between air traffic control
centres and already nine, mainly in northern Europe, are able to send
messages to each other's computers. This is reducing delays since
previously air traffic control centres had to telephone each other with
flight plan information.

The urgency of introducing the new system was highlighted last month in a
letter to Flight International in which a pilot said that air
communications between the Far East and Eastern Europe were so bad because
of high demand and old equipment that an accident appeared inevitable. He
said: "If and when an accident does occur, I can imagine the amount of
words which will be spoken and published in the press and official
inquiries wondering how a state of affairs like this has been allowed to
exist for so long."

A long-haul pilot also told the Independent that at times he was unable to
contact ground control when there were bad radio conditions over the
Atlantic "while the guy in the back can phone his wife on a mobile
telephone using satellite links".


UK Hacker trial

Brian Randell <Brian.Randell@ncl.ac.uk>
Wed, 26 May 1993 15:50:41 +0100
Hackers given six months for 'intellectual joyriding'
The Independent, 22 May 1993, STEPHEN WARD

TWO COMPUTER hackers given six-month prison sentences yesterday were the first
to be jailed under legislation, passed in 1990, to outlaw the practice.

Neil Woods, 24, and Karl Strickland, 22, had pleaded guilty to the offences.
In March, Paul Bedworth, a Yorkshire schoolboy who regularly communicated with
Woods and Strickland, and was arrested at the same time, was cleared of
similar charges by a jury after a 15-day trial. He had pleaded not guilty and
claimed that he had become addicted to hacking.

All three were trapped by sophisticated police and British Telecom telephone
tracking in several countries. Before the 1990 Computer Misuse Act, those who
gained access to other people's computer networks had to be prosecuted for
causing damage or stealing information, but in the case which ended yesterday
the judge accepted that the accused had not been intending to cause damage,
and had not profited in any way.

Sentencing the two graduates at Southwark Crown Court, Judge Michael Harris
said: "I have to mark your conduct with prison sentences, both to penalise you
for what you have done and for the losses caused, and to deter others who
might be similarly tempted."

The offences were committed over three years before and after the 1990 Act
was passed. Strickland, a research assistant at Liverpool University, and
Woods, of Chadderton, Oldham, Greater Manchester, a computer salesman and
computer science graduate from Manchester University, pleaded guilty to
conspiring to obtain telegraphic services dishonestly, and engaging in the
unauthorised publication of computer information.

Woods also admitted causing #15,000 of damage to a computer owned by the
then Polytechnic of Central London.

The two did not meet until after their arrests in June 1991, although they
"spoke" on screen under their codenames. Among hackers, Woods was known as
"Pad", and Strickland as "Gandalf" (the wizard in Tolkien's Lord of the
Rings). Using personal computers at home, they were frequent illegal users
of a BT network called PSS, and a system known as "Janet", which linked
academic institutions throughout Britain.

Strickland's hi-tech conquests included the United States space agency Nasa
and ITN's Oracle network- since replaced by Teletext. Woods keyed into
systems run by the Ministry of Defence, the European Community and the
Financial Times.
Counsel for both men agreed that their clients, who received their first
computers when they were 11 years old, became "obsessed" with them.

"If your passion had been cars rather than computers we would have called
your conduct delinquent, and I don't shrink from the analogy of describing
what you were doing as intellectual joyriding," the judge said.

He went on: "There may be people out there who consider hacking to be
harmless, but hacking is not harmless. Computers now form a central role in
our lives, containing personal details, financial details, confidential
matters of companies and government departments and many business
organisations.

"Some, providing emergency services, depend on their computers to deliver
those services. It is essential that the integrity of those systems should
be protected and hacking puts that integrity into jeopardy."

He said that hackers needed to be given a "clear signal" by the courts that
their activities " will not and cannot be tolerated".

The judge added that he had hesitated long and hard before sending two
young men to jail. Although there were powerful factors in their favour,
prison for them was inevitable, he said.

Detective Sergeant Barry Donovan, formerly attached to Scotland Yard's
computer crimes squad, said that since the publicity surrounding the arrest
of Woods and Strickland, the amount of hacking in Britain had decreased
dramatically, although it was still an international problem.


Computerised Intensive Care Unit

H}kan Karlsson <ch92hka@csd.uu.se>
Fri, 28 May 1993 14:36:56 +0200
The Swedish issue of "Apple News" (2/93) includes an article about a
computerised Intensive Care Unit at the Hospital for Sick Children in Toronto,
Canada.  Each bed has a Macintosh Quadra at the bedside monitoring blood
pressure, temperature, etc., and controlling various life-critical functions.
Unfortunately(naturally?), the article has no information about the
reliability of the system.  The hospital is a part of the University of
Toronto and responsible for development of the system is Gordon Tait and
clinic manager is Dr. Geoffrey Barker.

I would like to get more information about this system, especially reliability
questions and risk assessment.

H.Karlsson   Department of Computer Science, University of Uppsala, Sweden
(ch92hka@cs.uu.se)


Computerized telephone solicitations

Jane Beckman <jane@stratus.swdc.stratus.com>
Fri, 28 May 93 15:34:56 PDT
I heard on the radio about two weeks ago that a judge had ruled that
computerized (non-live-human) phone calls were indeed legal, as a form
of free speech, and thus struck down a law banning them.

In the time since the ruling, I have received *two* computerized
advertisements on my phone at work.  This is a much higher proportion than in
times past, when it was more like two a year.  Obviously, the computerized
phone advertisers are making up for lost time!

  Jane Beckman   [jane@swdc.stratus.com]


Credit-card retention by phone number

<ark@research.att.com>
Tue, 25 May 93 18:06:21 EDT
Today I received electronic mail from a friend of mine in Sweden saying that
he had gotten a substantial credit card bill from a camera store in New York
and didn't remember having ordered anything.  It didn't take me long to figure
out what had happened.

Sweden has substantial import duties on photographic equipment, but exempts
equipment acquired and used abroad and then brought home.  My friend has
occasion to visit the US several times a year and often takes the opportunity
to add to his equipment collection when here.

If his trip includes a visit to my house, it is particularly convenient for
him to order stuff, charge it to his credit card, and ask it to be shipped to
me.

Several weeks ago, I had occasion to order from the same store.  As with every
order of mine except the first, they asked me `Would you like us to charge
that to the same credit card you used for the last order?'  and I said `yes.'
Since it had always worked before, I didn't bother to verify the number.

Evidently they file credit card numbers by shipping address rather than by
cardholder address, because my friend's credit card number became the one in
my file.
        --Andrew Koenig           ark@europa.att.com


Cash machine keypad risk?

Paul Potts <potts@oit.itd.umich.edu>
Thu, 20 May 93 15:14:30 EDT
I've been using ATMs very frequently for at least 7 years,
but this is the first time I've ever had this problem...

A few days ago on my way in to work I stopped at a cash machine to get some
money for cappucino. When punching in my password, I noticed there was a
significant delay between pushing the key and the corresponding "beep." The
keypad seemed to be behaving erratically. I tried to punch in $20.00 to
withdraw. This proceeded something like <2> <pause> <beep>, <0> 

Stop The Madness!

"Arthur R. McGee" <amcgee@netcom.com>
Thu, 27 May 1993 12:56:45 -0700 (PDT)
So did anyone else watch or tape yesterday's Donahue which talked
about(yes, it was just a matter of time) Virtual Reality and Sex?<sigh>

I just heard a new term the other day, "Cybergasm."<sigh> I now really know
how Stanton feels, I'm sick of all the weirdness and sensationalism too.

Oh yeah, here's something from the latest EDUPAGE newsletter:

          ---------- Forwarded message ----------

[stuff deleted]

YOU CAN'T SAY THAT ON THE INTERNET. Censorship has hit the Internet,
where battles over free speech are being waged on several fronts.
Colleges in Canada have banned all electronic discussions of sex, and
controversy is raging stateside over a program that automatically
wipes out anonymous messages and the suspension of a California
professor who ran a BBS that carried messages harassing a female
student. Congress has even gone so far as to order a study of whether
bulletin boards, on-line services and cable TV are being used to
encourage "crimes of hate." (Wall Street Journal 5/24/93 B1)

[stuff deleted]

Art "Rambo" McGee   [amcgee@netcom.com]  [72377.1351@compuserve.com]
Voice: [1-310-320-BYTE]


The risks of teaching about computers and the law

Peter D. Junger <junger@samsara.law.cwru.edu>
Fri, 21 May 93 16:13:46 EDT
        A fortnight ago, in order to postpone the necessity of grading
final exams, I started writing a simple-minded encryption program, which
uses a "one-time pad" as a key, for use this Fall in my class on
Computers and the Law.  The program is intended to demonstrate certain
things that lawyers who are going to deal with the problems generated by
computers should know:  things like the nature of an algorithm and the
fact that any text (that is encoded in binary digits) of length n
contains (if one just has the key) all other texts of length n.

        Although in that course we shall mainly be concerned with
copyright and patent issues relating to computer programs, we should
also spend some time on security issues and on government regulation of
computer programs.  And that, of course, includes the regulation of the
export of computer programs, including cryptographic programs and
technical information relating to such programs.  I shall also have to
discuss cryptographic programs when dealing with issues of computer
security, since it would profit lawyers to be aware of the fact that
cryptography can do far more than the law can to keep one's confidences
confidential. The latter point is, of course, of particular importance
to members of a profession who have a legal and moral duty to keep their
clients' confidences confidential from everyone, but especially from the
agents of the state.

        As I was writing this program I realized that it itself, and any
`technical data' relating to it, might be subject to federal export
licensing regulations, since I intended to give copies of it to, and
discuss it with, my students and make it available to anyone who wants
it, even foreigners.  Even if I do not put it on an anonymous FTP
server, as I originally planned, there is no way that I can guarantee
that all the students who enroll in my class will be citizens or
permanent residents of the United States.

        After a little quick research I have determined that my program
may be--and, in fact, probably is--subject to such licensing, though
whether by the Department of Commerce or that of State is a matter that
it will take some sixty days for the bureaucrats to determine.  The
trouble is that the program, which should run on any PC clone running
MSDOS 3 or higher, and which now consists in its entirety of 174 bytes
of 8086 machine code, which I am pretty sure I can get down to 170 bytes
or less, is squarely covered by the definitions of Category XIII of the
U.S. Munitions List (as is my old Captain Midnight Decoder, which I got
during the War for a boxtop--or was it an Ovaltine label?--and change).

        The relevant subdivision of Category XIII of the Munitions List
is (b), which provides in relevant part:

        (b)  Information Security Systems and equipment, cryptographic
        devices, software, and components specifically designed or
        modified therefor, including:

           (1)  Cryptographic (including key management) systems,
           equipment, assemblies, modules, integrated circuits,
           components or software with the capability of maintaining
           secrecy or confidentiality of information or information
           systems, except cryptographic equipment and software as
           follows:

              .... [none of the exceptions appear to be applicable to my
              program]

There is no exception for encryption software that is so simple minded
that a law teacher, whose only degrees are in English and law, can hack
it out in about six hours, most of which time was spent chasing bugs
that were the result of typos.  I estimate that the average computer
literate 12-year old could have written the program in about 20 minutes.

        In the course of my researches, which so far have consisted
of speaking to a very pleasant person at the Department of Commerce's
Bureau of Export Administration, to a not very nice major and a slightly
nicer person at the Department of State's Bureau of Politico-Military
Affairs, Office of Defense Trade Controls, and to a not un-nice person,
whose name I was not allowed to know, who supposedly was at NSA, and
wading an inch or so into a seven inch stack of Commerce Department
regulations and a few more inches of statutes, I have concluded that if
I `export' my little program without first getting a license I may be
subject to a fine of not more than $1,000,000, or imprisonment for not
more than ten years, or both.

        This isn't so bad, since in the case of the actual program it is
pretty clear that `exporting' means exporting, so, since I don't intend
to export the program, the only problem is that posting it on an FTP
server on the internet gets into a `grey' area (according to the
unknowable at NSA).  Of course, if the program is considered to be my
expression--which it must be if it is protected by the copyright
laws--it is probably a violation of the First Amendment to require me to
get a license before I can export it.  But since I don't intend to
export it--and the unknowable, on whom I dare not rely, did keep saying
that it was a matter of my intention--I can treat that issue as an
academic problem.  (By the way, it is my position that the actual
program--the machine code--not being in any sense expression--cannot
Constitutionally be protected by copyright law; this is a position that
the lower courts have--at least _sub silentio_--uniformly rejected, but
it is a good bet that the Supreme Court will agree with me when it
finally gets around to considering this issue!)

        The real trouble is that Category XIII contains as its final
subdivision paragraph (k), which covers

        (k) Technical data . . . related to the defense articles listed
        in this category.

And that, of course, means that I cannot lawfully export technical data
about my program without first obtaining a license.

        But the regulations relating to technical data that is included on the
Munitions List say, in effect, that the `export' of technical data includes
talking about the defense article to which the data relates--which in my case
is my piddling little program--in the presence of someone who is neither a
citizen of the United States nor admitted to permanent residence in the United
States.  So, if any foreign students sign up for my course I will be required
to get a license--which I am not sure I can get at all, and certainly will not
be able to get in time to teach my course--before describing the program to my
class, explaining how to use it, and giving them the source code--which, by
the way, I contend _does_ contain expression--to load in with the debug
program.

        I admit that I am not greatly concerned about the potential criminal
penalties that might be imposed if I do discuss the program with my students
without a license, and not only because I don't have a million dollars
and--far all I know--may not have ten years.  I cannot imagine anyone--except
perhaps that major--who would be stupid enough to try to punish me for
discussing my trivial program with my students.

        But how can I teach this particular bit of computer law if the very
act of teaching amounts--at least in theory--to a criminal violation of the
very law that I am teaching?  That this is not a logical paradox is an
illustration of the fact that the law is not logic; but I still feel that I am
trapped in an impossible situation.

        It is hard for me as a law teacher to believe that this regulatory
scheme that requires me to get a prior license each time that I speak about,
or publish the details of, my trivial program (or, in the alternative, to make
sure that no foreigners get to hear or read what I have to say about it) can
withstand a constitutional challenge on First Amendment grounds.

        The "secret" of how to keep a secret in 170 bytes or less is not
something that imposes any conceivable threat to the security of the United
States, especially not when the underlying algorithm is well known to most who
are, and many who aren't, knowledgeable about computers--or, for that matter,
about logic.  And thus the government can't constitutionally punish me for
revealing this "secret" of mine or talking and writing about how it works.
And even if the government could constitutionally punish me after the fact,
that does not mean that they can impose a prior restraint on my speaking or
writing about the "secret".  Prior restraints on speech or publication--and
especially licensing schemes--are especially vulnerable to constitutional
attack, since the First Amendment provisions relating to the freedom of speech
and of the press were adopted in large part to prevent the federal government
from adopting the type of censorship and licensing that had prevailed in
England under the Tudor and Stuart monarchies.

        And yet I am so intimidated and disheartened by this
unconstitutional scheme that I dare not explain in a submission to
Risks, which undoubtedly has foreign subscribers, how my silly little
program works.  And even if I were willing to take that risk, I could
not in good conscience impose it on our moderator.

        And if I have problems now, just think how ridiculous the
situation will be if the government tries to outlaw all encryption
programs and devices other than the Clipper Chip.

        [For those of you who understand how my program works and who
take the effort to write your own encryption program based on that
understanding, I have a special offer.  If you will just send me an
E-mail message certifying that you are a United States Citizen, I will
send you (at any address on the internet that is within the United
States), a UUENCODEd key that when applied by your program to this
particular submission to Risks--after all headers have been stripped
off--will produce a working copy of my program, which is a COM file that
runs under MSDOS. (Be sure that your copy of this submission uses the
Carriage Return / Line Feed combination as the End of Line indicator.)]

Peter D. Junger

Case Western Reserve University Law School, Cleveland, OH
Internet:  JUNGER@SAMSARA.LAW.CWRU.Edu -- Bitnet:  JUNGER@CWRU

   [Incidentally, at last week's IEEE Symposium on Research in Security
   and Privacy, a rump group decided that because crypto falls under
   munitions controls, the right to bear arms must sanction private uses of
   cryptography!  PGN]


Disaster Avoidance & Recovery Conference & Exhibition May 26-28

Nigel Allen <ae446@freenet.carleton.ca>
Wed, 19 May 93 22:16:03 EDT
Here is a press release from the Disaster Avoidance & Recovery '93 Conference.

 Disaster Avoidance & Recovery Conference & Exhibition May 26-28;
 To: Assignment Desk, Daybook Editor
 Contact: John Mungenast of Insystex Inc., Ventura, Calif.,
          805-650-7052, or
          George J. Whalen of G.J. Whalen & Co. Inc., New Rochelle,
          N.Y., 914-576-6750

 News Advisory:

   Disaster Avoidance & Recovery '93, sponsored in part by AT&T, NCR
and Power Quality magazine, will take place May 26-28, at the
Sheraton Premiere at Tyson's Corner, in Vienna, Va.
   CEOs, participants from government, technology, financial
manufacturing and utility companies, other major industry and key
government groups are expected.
   They will hear from a blue-ribbon faculty of experts whose
presentations will deal with all sides of disaster preparedness and
recovery, sharing latest planning methods and technology to ward off,
deal with and rapidly recover from natural or man-made disasters.
   The intensive three day conference points up the reality that U.S.
businesses, buildings and people are more at-risk than ever before
and that our technology-dependent society now relies on a "house of
cards" of interdependent computers, telephone and power utilities.
   Keynote speaker will be Rep. Dick Swett (D-N.H.), who sees
preparedness as a "new war" against natural and man-made threats.
Assessments of recent wide-area disasters (Hurricanes Andrew and
Iniki, floods, Nor'easters, tornados, earthquakes, fires and
blizzards) and a comprehensive review of the terrorist attack on the
World Trade Center will introduce topics such as evacuation, medical
care and shelter, building vulnerability, standby power, elevator
design flaws, plus how to plan against high-rise disasters.
   Participants will also discover that only a handful of utilities
now have tested, workable disaster and recovery plans in place...
that few power companies have "mutual aid plans" with telephone
companies, even though they share the same poles and conduits and
despite the fact that telephone companies rely in part on electric
utility power.
   Counter-terrorism authorities will advise on protective measures,
while telecommunications, computer, power and business recovery
xperts will deal with how disasters can strike through our
near-total dependency on computer technology and its vulnerability to
the minute-by-minute quality of electrical power.
   There is a side benefit of all this: the wave of new methods,
technology and products now emerging to improve preparedness of U.S.
businesses is stimulating the economy with new jobs, new contracts
and new opportunities.  Additional information and details about
Disaster Avoidance & Recovery '93 can be obtained from John Mungenast
at Insystex Inc., the conference organizer, 805-650-7052 during
business hours (Pacific time).

Nigel Allen, Toronto, Ontario, Canada  ae446@freenet.carleton.ca

Please report problems with the web pages to the maintainer

Top