The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 62

Thursday 3 *March* 1994


o Joe Camel's 10,000,000 best friends
Phil Agre
o Double Posting of Credit Card Charges
Bryan Apple
o Video Tech & Privacy... what's becoming possible
David Honig
o RISK of computer-controlled landings
Simson L. Garfinkel
o Headline: "Child molesters use computer talk as bait"
David Tarabar
o Conviction for spreading virus?
Laurel Kristick
o 'We {Will} Find you...'
Paul Robinson
o Local TV News Report Misses The Boat
Dan Danknick
o Educating on the RISKS of the Internet
Jeremy Epstein
o Will they ever learn? [Passwords]
Roger Binns
o One time Passwords and Encryption
A. Padgett Peterson
o Of Locks and Legends
Dave Pierson
o Impact fuel cutoff anecdote, risk
o NTIA Releases Notice of Inquiry on Privacy Issues
Beth Givens
o SIGSOFT 94 Call For Papers
Dave Wile
o Info on RISKS (comp.risks)

Joe Camel's 10,000,000 best friends

Phil Agre <>
Thu, 3 Mar 1994 09:03:13 -0800
The 3/3/94 New York Times includes a long, fascinating article on recent
trends in cigarette advertising, away from mass media like billboards
and magazines and toward database-oriented marketing based on promotions.
The full reference is:

  Allen R. Myerson, Selling cigarettes: Who needs ads?, New York Times,
  3 March 1994, pages C1, C5 (business section).

Here are two paragraphs from the middle of the article:

  ... Philip Morris marketers boast that the Adventure Team promotion and
  a carefully calculated price cut restored Marlboro's share of the $42
  billion cigarette market from 22 percent last March to nearly 27 percent
  in January, widening its lead over all other brands.  Flush with the
  names and addresses of their new customers, they are planning their next

  Over at R. J. Reynolds, Philip Morris' major rival, marketers pride
  themselves on computerized data banks so huge and detailed that they
  can go far beyond merely aiming their discount coupons and Camel Cash
  merchandise offers at the less than one-quarter of Americans who smoke.
  They can choose not just smokers of competing brands, but those who
  smoke brands with price, taste and image most like those of Camels, for
  example.  In fact, Reynolds can select from that last group just those
  smokers who would gladly switch, for a few pennies a pack, or perhaps an
  ashtray or cap.

These trends have the virtue that non-smokers get exposed to less cigarette
advertising, thus lessening the force of claims that such advertising is
recruits new smokers rather than getting existing smokers to switch brands.
On the other hand, mass cigarette advertising (such as glossy booklets urging
folks to "Get More Gear") is not going away; indeed it is an integral part
of the new strategy.  Finally, and most importantly for Risks, the cigarette
companies' increasingly personalized connections to their customers may
inhibit smokers' attempts to end their addictions, since they will now be
exposed to ever-more-customized stimuli encouraging them, if only implicitly,
to continue smoking.  This is only speculation, of course, but it's an
important test case for the social implications of data-intensive one-to-one
marketing, and it should be watched closely.

Phil Agre, UCSD

Double Posting of Credit Card Charges

Bryan Apple <>
Wed, 2 Mar 94 13:12:36 CST
In a 16 Feb 1994 letter from The Chicago Symphony Orchestra, Henry Fogel,
Exec. VP describes a "computer error".  It seems that all American Express
charges for tickets and contributions since 1991 were re-submitted.
Considering my seats cost nearly $100 each, this could represent a significant
amount of money.  The letter does not identify which party (Amex or the CSO)
caused the error.

The letter says, "Charges for these items will appear again on your next
statement...", and continues, "In most cases, these charges will also be
removed on the same statement."

The risks include:

  Transaction systems that don't range check their input (shouldn't
  charge dates have to be somewhat current?).

  Automated postings that aren't tied out to an independent check
  (Wow, sales were up 3,700% this month!).

Bryan Apple, Data Vault Systems  (708) 885-6000

Video Tech & Privacy... what's becoming possible

David Honig <honig@ruffles.ICS.UCI.EDU>
Thu, 03 Mar 1994 12:43:00 -0800
In the Feb 94 "Advanced Imaging" magazine, there is a discussion of how video
cameras (from above, preferably, for contrast and occlusion reasons) are being
deployed with machine vision systems in malls.  The stated purpose is to
measure people flow, to learn about buyer behavior.  Sort of like machine
vision applications for traffic flow monitoring.  There is mention of
secondary sensors causing cameras and vision systems to "orient" [my
interpretation] towards some situation.

In the same issue there's an unrelated advert for something called an
"imputer" which is a white palm-sized box with a lens.  (Looks like an
aperture of about a cm.) Next to it is the circuit board presumably within the
white box.  It contains 4 chips: an imaging chip and a microcontroller among
them. One of the chips is socketed.  You can develop algorithms on your
desktop machine and then load them onboard, it seems.  And have your own
standalone motion-interpretation system.

RISK of computer-controlled landings

Simson L. Garfinkel <>
Thu, 3 Mar 94 16:50:16 -0500
I was on one of the few aircraft to land in the Boston blizzard today. There
was zero visibility. When we hit the runway (ouch!), the plane veered back and
forth, slipping on the ice, apparently working differential thrust.

After we landed, the pilot said "in case anybody is interested, you are in one
of the few Northwest Airbus 320's capable of landing itself, which it just

And I thought, "oh, wow."

And I wondered which would have been RISKier: landing on autopilot, or landing
on human pilot.

Headline: "Child molesters use computer talk as bait"

David Tarabar <>
Thu, 3 Mar 83 08:53:02 -0500
This is the headline of article in the 3/3/94 Boston Globe on the front page
of an inside Metro/Region section.

  For most parents, the thought of their child sitting in a bedroom and
  skillfully using a computer is a source of comfort and pride"

  Increasingly, however, the home computer has become a source of danger, as
  manipulative child molesters reach out to unsuspecting children through
  thousands of interactive and easy-to-use computer bulletin board systems."

... The news article triggering this discussion article is:

  A 23-year-old Chelmsford [Mass] man pleaded not guilty to an attempted
  kidnapping charge after he allegedly used a computer bulletin board to
  attempt to coax a teen-ager into helping him abduct a young boy for sexual

The article goes on to explain BBS systems and how they allow impersonal
contact between juveniles and child molesters. Law enforcement officials in
Massachusetts have been concentrating upon (and getting publicity) for
investigating computer assisted child-abuse. There have been several other
charges, and in 1992 a Cambridge man pleaded guilty to raping two boys who he
met through a BBS.

   [Also noted by  PGN]

Conviction for spreading virus?

Laurel Kristick <>
Wed, 2 Mar 94 13:44:53 MST
In Amnesty International's Freedom Writers list for February 1993, one of the
letters is to the Cuban Government on behalf of Luis Grave de Peralta Morrell
and 3 other scientists.  They were convicted in February 1992 of various
charges and given sentences which varied from 8 to 13 years.

Evidence against them included a book written by Luis Grave de Peralta which
criticized the Cuban Government.  Earlier, he had lost his position as
professor of physics at the University of Oriente after resigning from the
Cuban Communist Party.

One of the charges against them was "that the four had been trying to spread a
computer virus."  Amnesty International claims that no clear proof of this was
offered during the trial.  Does anyone have more details on this?  What kind
of virus were these individuals supposedly trying to spread?

The RISK?  I suppose that if a totalitarian government is out to get you, they
will use any possible charge against you, including computer-related ones.

Laurel Kristick

'We {Will} Find you...'

Paul Robinson <PAUL@TDR.COM>
Wed, 2 Mar 1994 23:17:29 -0500 (EST)
In an article on the cover of the February 10, 1994 {Washington Technology}
magazine of the same name, talks about a specialized use of biometrical
information (specific details unique to a person like size, etc.) to identify

The idea behind this is that in an airport, an infrared camera is mounted near
the arriving passengers section, taking pictures of every person who is
passing through the facility.  This captures the 'aura' or underlying facial
vascular system (pattern of blood vessels and such).  In 1/30 of one second,
it captures the data and forwards it via high-speed data lines to an FBI
database that has stored auras of the worlds most-wanted criminals and
terrorists, then matches generate an order to nab a suspect, supposedly
producing "a piece of evidence that is as rock-solid as any presented to a

Currently, infrared cameras are being attached to desktop computers to create
digitized thermograms of people's faces in 1/30 of a second.  The company that
is working on this technology, Betae Corp, an Alexandria, VA government
contractor, claims that the aura is unique for every single person.  The
photos in the front of the article show two clearly different thermographic
images that are claimed to be from identical twins.

The facial print does not change over time (and would allegedly require very
deep plastic surgery to change it), retains the same basic patterns regardless
of the person's health, and can be captured without the person's
participation.  The technology will have to show it is a better choice than
current biometric techniques such as retinagrams (eye photographs, voice
prints and the digital fingerprint.

A Publicity-Shy Reston, VA company called Mikos holds the patent for certain
technology uses of this concept.  Dave Evans of Betac who has obtained certain
"non exclusive" rights in the technology claims that "thermograms are the only
technology he has seen in his more than two decades of security work that meet
the five major criteria of an ideal identification system: They are unique for
every individual, including identical twins; they identify individuals without
their knowing participation; they perform IDs on the fly; they are
invulnerable to counterfeiting or disguises; they remain reliable no matter
the subject's health or age," the article said.  Only retinal photos are
equivalent, but potential assassins aren't likely to cooperate in using them.

Right now it takes about 2-4K per thermograph, (it says '2-4K of computer
memory' but I suspect they mean disk space) and that's not really a problem
for a PC-Based system of 2000 or so people going to and from a building; it's
another magnitude of hardware to handle millions of aircraft travelers in
airports.  Also, infrared cameras are not cheap, in the $35,000 to $70,000
range, which, for the moment is likely to keep small law enforcement
facilities from thermographing all persons arrested the way all persons
arrested are routinely fingerprinted.  But we can expect the price to come
down in the future.

The writer apparently had to agree with Evans not to raise privacy and
security issues in the article, it says, since first they have to show the
technology works.  But even it raised questions:

- The technology could be a powerful weapon in a "big brother" arsenal,
  with cameras in front of many stores and street corners, scanning for
  criminals or anyone on the government's watch list?
- Does the government have the right to randomly photograph people for
  matching them against a criminal database?
- What guarantees do we have that thermographs are actually unique for
  every person, or that the system is foolproof?
- What is the potential for blackmail, with thermographs to prove people
  were in compromising places and positions?

There are also my own points.

- While this can be used to protect nuclear power plants against
  infiltration by terrorists (as one example it gives), what is to stop it,
  for example, to be used to find (and silence or eliminate) critics and
  dissidents?  I wouldn't give China 30 seconds before it would use
  something like this to capture critics such as the victims of Tianamen

- Long history indicates that better technology is not used to improve
  capture of criminals who violate the lives and property of other private
  parties, it is used to go after whatever group the government opposes.
  That's why people who defend themselves with guns against armed
  criminals in places where gun controls are in effect, can expect to
  be treated harsher than the criminal would have been.  Existence of
  criminals supports the need for more police and more police-state laws;
  defending oneself against criminals shows the ineffectiveness of those

Paul Robinson - Paul@TDR.COM

Local TV News Report Misses The Boat

Dan Danknick <>
Thu, 3 Mar 94 13:46:54 PST
Last night there was a news report on our local KABC affiliate about a man who
had been arrested at a local bank for wandering around the parking lot in the
area of the automatic teller machine and acting very suspiciously.  Evidently
a bank patron thought this odd and flagged down a passing police officer. In a
search of the suspect's van that followed, a few hundred blank ATM cards were
found as well as nearly $5,000 in twenty dollar bills. The man had apparently
been "shoulder surfing," the act of peering across the shoulder of an ATM
client to garner their PIN number as it is entered. Such a surfer then
acquires discarded transaction slips in the region of the ATM, matches the
transaction time up with the acquired PIN, programmes a card, and with- draws
a good chunk of money.

Yes, this is nothing new. But where the TV reporter had an excellent
opportunity to remind viewers to _always keep your transaction receipt_
(throwing it away at home if you have to) they neglected to. Instead, I was
presented with a number of interviews with patrons explaining the various
methods they used to conceal their PIN entry actions (my favorite was a woman
who explained that she could type it so fast, nobody could ever see it.)

Great. Another chance to bring the general public up to speed lost in poor
journalism. Maybe all news services should have a RISKs reader on staff?

Dan Danknick

Educating on the RISKS of the Internet

Jeremy Epstein -C2 PROJECT <>
Wed, 2 Mar 94 10:21:11 EST
The RISKS of sending credit card numbers (and other such information) over the
Internet are well known in this group, so I won't rehash it.

I recently received an inquiry from the organizer of an upcoming conference
about the security ramifications of accepting electronic registration.  They
want people to upload (into their World Wide Web server) the registration
data, including a credit card number.  The data is then processed and the
information (including the credit card number) is e-mailed to the registration
agent.  The person who made the inquiry had a suspicion that all of this
electronic traffic might have some security implications, but wasn't sure.

The point of this note is that even though readers of *this* forum know the
RISKS, as more and more people join the Internet we need to deal with
education.  If the Internet community doesn't warn people of the do's and
don'ts, the Internet will get a black eye when the inevitable fraud occurs.

--Jeremy Epstein, Cordant, Inc.

One time Passwords and Encryption (Kabay, RISKS-15.61)

A. Padgett Peterson <>
Thu, 3 Mar 94 21:15:53 -0500
IMHO passwords have been used since before the Roman empire and their
effectiveness has only gotten worse - back then they were changed daily.

I have been using tokens for nearly five years now & a couple of years ago
wondered (both publicly and in print) why, instead of using the token's output
for authentication, it was not used as the seed for autoigniting encryption
since both sides had the result and it had never passed on the line. Since
most token's responses are seven bytes long, DES seemed to be a natural that
was well documented.

The fact that you could communicate would authenticate both ends of the line
and would be resistant to a "man-in-the-middle" attack. Talked to two vendors
about it & both said "fine - you fund it and we'll do it".

The RISK is always that if you wait too long to develop a product, you
will wind up getting Clipped.


Will they ever learn? [Passwords]

Roger Binns <>
Wed, 2 Mar 1994 10:27:28 GMT
The North Carolina State University has proudly announced their web server
to the net on the NCSA What's new page.  Having a look I spotted the following
easy steps to compromising an account there ...

: The username is generally composed of the initial letters of the user's
: first and middle names and the first six characters of his or her last
: name. For example, if the user's name is John Q. Public, then the username
: would be jqpublic.
: The password that users are given initially is their social security number,
: which is typed in the password field without the dashes (e.g., 123-45-6789
: is 123456789). In order to prevent unauthorized access, users need to change
: their passwords as soon as possible and never share their passwords with
: anyone.

I wonder how many illegal accesses they have?

The original is

Roger Binns, Software Engineer, IXI Ltd, Cambridge, UK

Of Locks and Legends

Thu, 3 Mar 94 14:00:21 PST
A recent RISKS reported on a "kick to enter" interaction in certain late model
automobiles.  The current Autoweek, quoting a manufacturer's press release
calls this a "high-tech legend".  Among other things, the air bag mechanism is
deactivated within 150 milliseconds after the ignition is turned off.  (I
assume the delay is to allow for the ignition circuit "dropping" in an

dave pierson  Digital Equipment Corporation

   [Also noted by and
   silas@Informatik.Uni-Bremen.DE (Stefan Mahnke).  PGN]

Impact fuel cutoff anecdote, risk

Bob_Wise <>
Mon, 28 Feb 1994 21:20:46 -0700
This has been well-known dirty trick in showroom-stock autoracing (IMSA
Firehawk and SCCA Showroom Stock, primarily) for many years.  The impact
sensor is typically in the rear of a car.  A firm bumper-to-bumper tap from
behind will often lead to an impact sensor shutting off the electric fuel
pump, usually resulting in a DNF for the bumped driver.  Many showroom-stock
competitors bypass the impact cutoff to keep this from happening, thus leading
to real risk in the case of a serious accident.

I find it strange that the airbag system in the early Ford airbag cars (as
indicated in the post above) was triggered by a sensor that is typically found
in the rear of the car.

Side note: road racing organizations such as IMSA and SCCA require the
disabling of any airbag systems.  The safety equipment required negates the
use of passive systems.

-Bob Wise, #64 SCCA American Sedan Mustang

| Bob Wise          | INET:622-1322 | MCIMail:468-2222 | Pager:719-577-1928 |
| Consultant to MCI | Phone:719-535-1322 | |

NTIA Releases Notice of Inquiry on Privacy Issues

"Beth Givens, Privacy Rights Clearinghouse" <B_GIVENS@USDCSV.ACUSD.EDU>
Thu, 3 Mar 1994 17:43:33 -0800 (PST)
CONTACT:  Larry Williams   (202) 482-1551   MARCH 1, 1994

     The National Telecommunications and Information Administration (NTIA) is
undertaking a comprehensive review of privacy issues relating to private
sector use of telecommunications-related personal information associated with
the National Information Infrastructure (NII).

     Public comment is requested on issues relevant to such a review.  After
analyzing the comments, NTIA will issue a report and make recommendations as

     The inquiry will focus on potential uses of personal information
generated by electronic communications, including interactive multimedia,
cable television and telephony.  NTIA is studying the issues that arise when
such telecommunications- related information is used to create detailed
dossiers about individuals.  NTIA seeks to determine whether any overarching
privacy principles can be developed that would apply to all firms in the
telecommunications sector.  In addition, NTIA is soliciting comment on other
countries' actions to ensure the privacy of information transmitted over
telecommunications networks, and to ascertain how any U.S. policies in this
area will affect the international arena.

     The Notice of Inquiry and Request for Comments appears in Part IX of the
February 11, 1994, Federal Register and is also available on the NTIA Bulletin
Board at (202) 482-1199.  Set communications parameters to no parity, 8 data
bits and 1 stop.  Go into the menu "Teleview-Public Notices and Comments."
File size is 48,514 bytes or about 18 pages of text. Internet users can telnet
into the BBS at

     Comments should be filed on or before March 30, 1994.  NTIA is accepting
comments in writing or posted electronically via its BBS.

     If you have further questions, please contact Carol E.  Mattey or Lisa I.
Leidig at the Office of Policy Analysis and Development, NTIA, 202-482-1880.

SIGSOFT 94 Call For Papers

Dave Wile <wile@ISI.EDU>
Wed, 02 Mar 94 16:48:45 PST
               CALL FOR PAPERS
               The Second ACM SIGSOFT Symposium on the
         Foundations of Software Engineering
              New Orleans, Louisiana USA
              6-9 December 1994
               Sponsored by ACM SIGSOFT

The ACM SIGSOFT '94 Symposium on the Foundations of Software Engineering will
focus on innovative research results that identify and contribute to the
foundations of software engineering.  The intent is to help establish software
engineering as a viable engineering discipline.

We solicit papers in all technical areas of software engineering.  A
successful paper is expected to report on new principles, methods, or results
of experimentation in software engineering (which includes topics related to
the specification, design, implementation, and evaluation of software
systems).  Papers should emphasize how they contribute to a foundation that
allows us to effectively engineer classes of complex software systems in
disciplined, reasoned ways.  Unless a strong tie to software engineering is
made, papers more central to other aspects of computer science should be
submitted to conferences in those areas.

A paper should clearly state the contribution and its underlying assumptions.
It should also assess the results, making appropriate comparisons with and
references to the literature.  Papers will be judged on clarity, significance,
relevance, correctness, and originality.  The paper must contain ideas not
previously presented in or currently waiting acceptance to another formal

All papers will be reviewed by program committee members.  In some cases,
additional external advice may be solicited by the program committee.  Papers
of particular merit may be recommended to major software engineering journals
for expedited review.

Submissions are limited to 12 pages (including figures) in 10 point type or
larger, excluding references.  Overly long submissions will be returned
without review.  Five copies, preferably double-sided, must be RECEIVED BY the
program chair by MAY 31, 1994.  Authors will be notified by AUGUST 5, 1994.
Camera-ready versions of accepted papers are due, along with ACM copyright
release forms, by SEPTEMBER 19, 1994.  Proceedings will be distributed at the
symposium and as a special issue of ACM Software Engineering Notes.

Tutorials will be held on Tuesday, DECEMBER 6, 1994.

                General Chair
              W. Richards Adrion
         Department of Computer & Information Science
           Univ. of Massachusetts, Amherst MA 01003
         (413) 545-2742

                Program Chair
                  David Wile
  University of Southern California / Information Sciences Institute
         4676 Admiralty Way, Marina del Rey CA 90292
             (310) 822-1511

                Tutorial Chair
      Debra Richardson, University of California, Irvine

               Local Arrangements Chair
         Johnette Hassell, Tulane University

              Program Committee
      Lori Clarke, University of Massachusetts, Amherst
        Alan Dearle, University of Adelaide, Australia
         John Gannon, University of Maryland
           David Garlan, Carnegie Mellon University
      Carlo Ghezzi, Polytechnic University, Milan, Italy
           Gail Kaiser, Columbia University
     Axel van Lamsweerde, University of Louvain, Belgium
          Mark Moriconi, Stanford Research Institute
        David Notkin, University of Washington
          Barbara Ryder, Rutgers University
        Dick Taylor, University of California, Irvine
            Ian Thomas, Consultant
        Walter Tichy, University of Karlsruhe, Germany
          Jeannette Wing, Carnegie Mellon University
            Stan Zdonik, Brown University

Please report problems with the web pages to the maintainer