The RISKS Digest
Volume 16 Issue 04

Tuesday, 10th May 1994

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Secret elevator codes baffle Metro Toronto government
Dave Leibold
Smoke or Malaria - Lesser of the two evils
Hiranmay Ghosh
Dartmouth prof spoofed
Mich Kabay
11-digit ZIP code
Christine Harbs
Frozen computer scientist
David Honig
Re: Bellcore cracks 129-digit RSA ...
Paul C Leyland
Dik Winter
Paul Buder
Re: Streetwise Guide [Risks of following up on credit-card laws]
Robert Slade
Future of US health care?
Mark Stalzer
White House May Issue National ID Cards
Mitch Ratcliffe via W.C. Daugherity
Canadian long-distance service reseller blunders
Mich Kabay
Cheers to two companies
Michael J. Zehr
Re: MIT student arrested
David desJardins
Info on RISKS (comp.risks)

Secret elevator codes baffle Metro Toronto government

Dave Leibold <Dave.Leibold@f730.n250.z1.fidonet.org>
06 May 94 00:06:10 -0500
An article in _The_Toronto_Star_ on 5 May 1994 described secret codes which
are necessary to maintain elevators at Metro Hall, the building which houses
Metro Toronto municipal council and services. The elevators, made and
maintained by Schindler Elevator Corp., require secret password codes in order
to maintain them. This means that only Schindler staff can maintain the Metro
Hall lifts, and as such forced Metro Council to award a 10 year contract of
$3.5 million to Schindler. Meanwhile, Metro is also suing the building's
developer, Marathon Realty, to try to get the codes. Without the passwords,
elevator maintenance contracts cannot be given to a competing firm.

Metro Councillor Howard Moscoe wanted the Council to issue a $10 000
reward to the first person to successfully crack Schindler's Code.
This motion probably didn't get approval.

David Leibold       Fidonet 1:250/730  dave.leibold@f730.n250.z1.fidonet.org


Smoke or Malaria - Lesser of the two evils

Hiranmay Ghosh <ghosh@cdotd.ernet.in>
Mon, 9 May 94 09:07:35 IST
RISKS usually features risks in high technology area, especially with
computers. I am tempted to site one example for risks in a relatively low
technology area encountered in a developing country like ours!

In the '50s or early '60s, there had been a massive drive to eradicate malaria
(a disease cheracterized by high fever and spread through mosquito bites) from
India. The attack was primarily on the mosquitos; their lot were killed by
pesticides and their hideouts destroyed. The operation was considered to be
successful and a case of malaria was rare for about twenty years to come!

Unfortunately, in late '80s, mosquitos came back with renewed a vigour and
brought malaria back. How did the mosquitos come back? Some 'experts' assign
the following reason:

In '60s or '70s, most of the Indian household used hearths (coal-fire) to
prepare the food. At that time, a popular sight at the dusk at an Indian town
was the smoke coming out of every dwelling unit to mark the ignition of the
hearth for preparation of the evening meals. In a city, where the population
density had been high, the volume of smoke was significant and caused concern
about pollution! But, that was the time, when the mosquitos invading the
households (dusk is the peak activity hour for the mosquitos!) were repelled
by the smoke.

In the '80s, the hearths were replaced by 'modern' 'non-polluting' gas stoves.
The coal-lit hearth was even banned in many cities in an attempt to curb
pollution. So, now there is nothing to prevent the mosquitos to come and join
us for dinner and spread malaria in the process!

I am not sure, if the reason cited is a valid one, but the concern about the
re-advent of malaria in India is beyond any doubt!

   [Next time, lease a collection of mutant boll weevils to eat the
   mosquitos and you will be confronted with a lessor of weevils.  PGN]


Dartmouth prof spoofed

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
09 May 94 06:31:56 EDT
Here is some old news that was new to me:

According to the _Dartmouth Life_ newsletter (Feb 1994--I'm just clearing up
my in basket today), an article appeared in _The New York Times_ on 94.01.05
entitled "Confronting changing ethics of the computer age."

The unsigned article begins, "Hanover, N.H. — Somebody in Prof. David
Becker's course on Latin American politics did not want to take the midterm
exam, so he or she used Dartmouth's innovative electronic mail network to
impersonate a department secretary and cancel the test.
     "At 11 o'clock on the night before the test in the Government 49 class, a
message flashed on students' computer screens.  Because of a family emergency,
the message said, Professor Becker would be unable to administer the midterm."

The article explains that half the class understandably failed to show up for
the test.  No one has been identified yet as the culprit.

The rest of the article talks about the extensive electronic mail system on
campus.  One of the key concerns of the unregulated network is the rapid
spread of rumours: "Late in August computer flashed an account of a woman
being raped while jogging near campus.  The message was intended as a warning,
but there had been no rape."

The Hanover police department were swamped with calls.  The Chief of Police now
has his own electronic mail account to try to squelch rumours.

M. E. Kabay, Ph.D. (Dartmouth '76) / Dir Educn / Natl Computer Security Assn.


11-digit ZIP code

Christine Harbs <charbs@teetot.acusd.edu>
Mon, 9 May 1994 14:28:30 -0700 (PDT)
According to the _Friday Report_ <April 29, 1994>, Gene Del Polito, Exec. Dir.
of the Advertising Mail Marketing Assn. is urging the Postal Service to adopt
an 11 digit ZIP code.  The 11 digits would consist of the original five +
four, and the last two will be the last two numbers of YOUR house address.

<<Developing and using an 11-digit code, called a delivery point ZIP Code, is
a way to 'purge the costs out of the postal system...  and add value to mail
as a communications medium,' said Del Polito.<> Translation? Better targeted
junk mail.

This means that, with only a ZIP code, marketers and harassers will darn near
be able to pick out my house. Marketers do a lot of demographic research based
on ZIP code. This could lead to _extremely_ targeted marketing. Although not
everyone would consider this a risk...

Another concern arises for people who are being stalked or
harassed. Again, with just the ZIP code, the stalker could pin-
point, at the very least, the victim's street. Systems which claim
to protect privacy and confidentiality because it _just_ uses a ZIP
code for identifiers, may have to be redesigned.

<<'The reality we're stuck with is that many people in this country simply
don't know what their accurate and complete address is,' said Del Polito.<> I
am sure a lot of people make mistakes when addressing an envelope. I do not
think the way to solve this problem is to create a system where 11 digits
create a path to my doorway.


Frozen computer scientist (RISKS-16.03)

David Honig <honig@binky.ICS.UCI.EDU>
Fri, 06 May 1994 10:01:10 -0700
In the last RISKS someone writes about the dangers of automatically-locking
doors when standing in a blizzard at 2500 feet wearing light clothing.  The
author posits a somewhat amusing possible outcome, had he not been saved by
travelling communists: a computer scientist frozen to death next to his
over-clever, running but locked, vehicle.

Of course, more hardware-oriented types might have clued in to the
brittleness of said vehicles' windows before hypothermia set in...  :-)


Re: Bellcore cracks 129-digit RSA encryption code (RISKS-16.03)

Paul C Leyland <pcl@foo.oucs.ox.ac.uk>
Mon, 9 May 1994 18:04:54 +0100
>   predicted would take "40 quadrillion years" to break.  ...

>   This mathematically arduous task was accomplished in eight months by
>   600 volunteers in 24 countries who used their organizations' spare
>   computing capacity.  ...

There are two risks, one amusing.  Ron Rivest now regrets ever making that 40
quadrillion years estimate.  It was silly when he made it; his papers in the
scientific literature from that era give estimates which are within an order
of magnitude of how much computation we actually used.  From those estimates,
and the observation that way back then it wasn't feasible to hook together
hundreds of computers, we can deduce that a late 70's supercomputer using the
best algorithms available then would have taken a few decades, maybe a
century.  Certainly much less than the 40 quadrillion years.  The risk is:
making predictions about the runtime of computer programs can sometimes make
you look silly 8-)

The other risk is more serious.  RSA is widely used to protect commercially
significant information.  512-bit keys are widely used for this.  Most, if not
all, smart-card implementations are restricted to 512-bit keys.  RSA-129 has
425 bits.  I estimate (taking a risk 8-) that 512-bit keys are only about 20
times harder to break than 425-bit keys.  Readers are left to draw their own
conclusions.  However, it is not by chance that I have a 1024-bit PGP key.

Oh yes, as Arjen Lenstra had pointed out: if you had used RSA-129 as
the modulus in a digital signature for a 15-year mortgage, you would
have been cutting it pretty fine.  It is the use of RSA for long-lived
signatures which needs to be examined with a very critical eye.

Paul Leyland (one of four RSA-129 project coordinators)


Re: Bellcore cracks 129-digit RSA encryption code

<Dik.Winter@cwi.nl>
Fri, 6 May 1994 02:45:26 +0200
Perhaps because there is no risk beyond the known ones?  Bob Silverman of
MITRE (well known in number factoring circles) has publicly predicted already
some time ago that it would require about 5000 MIPS years to factor the
number.  Reasonably close to the actual figure.

That the team was led by Bell Communications Research is untrue.  It is a team
led by four people from Bellcore (Arjen Lenstra), MIT (Derek Atkins), Iowa
State University (Michael Graff) and Oxford University (Paul Leyland).

dik t. winter, cwi, kruislaan 413, 1098 sj  amsterdam, nederland, +31205924098
home: bovenover 215, 1025 jn  amsterdam, nederland; e-mail: dik@cwi.nl


Re: Bellcore cracks 129-digit RSA encryption code (RISKS-16.03)

Paul Buder <paulb@teleport.com>
Thu, 5 May 94 20:02 PDT
I've heard this 40 quadrillion years figure a couple of times now and I
find it odd.  Is that what the Scientific American said?  I have the
original document from MIT's Laboratory for Computer Science.  It's
titled "A Method for Obtaining Digital Signatures and Public-Key
Cryptosystems" by Ronald Rivest, Adi Shamir, and Len Adleman, April
1977.  I can't do superscripting with vi so 10 10th means 10 to the
10th power.  It has the following table in it:

Digits        Number of Operations          Time
===================================================
50            1.4 X 10 10th                 3.9 hours
75            9.0 X 10 12th                 104 days
100           2.3 X 10 15th                 73 years
200           1.2 X 10 23rd                 3.8 X 10 9th years
300           1.5 X 10 29th                 4.8 X 10 15th years
500           1.3 X 10 39th                 4.2 X 10 25th years

200 digits was supposed to take 3.8 trillion years and 100 a mere 73.
So where does the 40 quadrillion figure come from?

paulb@teleport.COM  Not affiliated with teleport.


<"Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067">
Mon, 09 May 1994 12:06:09 -0600 (MDT)
Subject: Risks of following up on credit card laws (last one)

In response to my initial posting of the "Streetwise Guide" book review, and
subsequent summary of the initial responses, I (and, I presume, PGN as well) am
still receiving mail on the subject.  Unfortunately, there is a lot of
disagreement and a shortage of direct quotes from the relevant statutes.  I
pass along these messages, therefore, since they contain at least references to
the names of specific acts.

From: avm4@crux4.cit.cornell.edu
===========
The quoted material appears to be backwards, judging foom the text on
the back of my credit card statement and also from the misc.credit FAQ:

Q504. Exactly which purchases qualify under the Fair Credit Billing Act?

    You are protected if all of the following are true:

    - The purchase was made with a credit card.  (If it was a debit
      card, the money is already gone from your account and the bank
      won't get involved.)

    - The amount charged is more than $50.  (The amount in dispute could
      be less, for example if you bought a $90 lamp but were billed
      $100.  The amount in dispute is $10.)

    - You made the purchase somewhere in your home state, or within 100
      miles of your mailing address.  (I am not an attorney, but my
      understanding is that if you are having goods shipped to you by
      mail or phone order, the place of purchase is the address you are
      having them shipped to.)

    If some of the above are not true, you are still protected if the
    credit-card company owns or operates the merchant, or the credit-
    card company mailed you the advertisement for what you bought.  In
    that case your purchase is covered by the rules no matter where you
    bought or how much you paid.

    In addition, you MAY successfully protest charges outside of these
    parameters, but there is no legal requirement for the credit card
    company to do so.
============

From: cramer@world.std.com (Bill Cramer)
============
>I don't remember the exact language, but in the U.S. consumers have the
>right to refuse charges made more than 50(?) miles from their home address.
>The refusal must be in writing, within 30 days, possibly with an explanation,
>etc.  The bank must complete its actions within 60 days of receipt of this
>letter, cannot charge interest or late fees on the disputed amount, etc.

This statement would seem to be in conflict with 15 USC 1666i(a), which
states, in part, that a card holder can withhold payment only when the
place of the transaction was **within 100 miles**.
============

There was also mention of a Consumer Credit Protection Act.

This is as far as I go, since 1) I am not a lawyer, 2) I am not an American and
3) I am part of the larger world to which my original comments still basically
hold good.


Future of US health care?

<stalzer@macaw.hrl.hac.com>
Fri, 6 May 1994 10:13:31 +0800
For the past few months, my baby daughter has had a large rash. My wife took
her to our HMO a few times and the doctor (gatekeeper) finally authorized a
blood test and a visit to a dermatologist once the blood test results were
available.  Last night, we received a form authorizing the visit to the
specialist that contained a clearly labeled diagnosis of Lupis.  We assumed
that this was the result of the blood test and I logged into Prodigy to find
out more about Lupis.  The online encyclopedia had a detailed description and
my daughter appears to have some of the symptoms. Furthermore, the disease is
very serious and can lead to death. We were very worried and I immediately
contacted the HMO. This was about 6:30p and the front office staff couldn't
help us (the doctors were gone) even though their computer generated the form!
(I expressed my displeasure as forcefully as possible without using colorful
language...) I then called the dermatologiest and what he had to say is very
interesting. Apparently, the HMO contacted the dermatologist last week,
described the symptoms, and asked for a list of possible diagnoses. He
provided about half a dozen possibilities and the HMO doctor then picked the
worst possible one so that it would get past the review committee! If he had
put a more likely diagnosis, like an allergy or fungus, a specialist visit
probably would not have been authorized. Also, the blood test results are not
in, and based on my daughter's response to some medication, it looks like she
has something simple that will clear up. Of course, she still gets to visit
the dermatologist based on the "diagnosis" on the form.

I'm thankful that the HMO doctor "worked the system" to get the best possible
care for my daughter. However, this form with a diagnosis of a serious disease
has me angry. Do health care providers really think it's okay to mail out
something like that without making a personal contact? Do they tell people
they have AIDS by mail now? Why didn't the front office staff at the HMO have
a clue? Shouldn't doctors be spending their time helping people, not trying to
figure out how to get around the system? And finally, do we really want the
Clinton Administration to mandate this kind of system for all Americans?

  — Mark Stalzer (stalzer@macaw.hrl.hac.com)


White House May Issue National ID Cards

Walter C. Daugherity <daugher@cs.tamu.edu>
9 May 1994 15:26:52 GMT
>From Prodigy 5/9/94:

White House May Issue National ID Cards

The Clinton administration is working on a national ID card that every
American would need in order to interact with any federal agency, reports
Digital Media: A Seybold Report, a computer industry newsletter based in
Media, Pa.

The so-called U.S. Card would be issued to citizens by the Postal Service.  It
would be issued as a "smart card," with its own internal CPU, or as a plug-in
"PCMCIA" card with megabytes of built-in memory.

Administration approval of the plan "could come at any time," states the
newsletter.

Walter C. Daugherity  daugher@cs.tamu.edu  uunet!cs.tamu.edu!daugher
Texas A & M University, College Station, TX 77843-3112  DAUGHER@TAMVENUS

   [Several folks sent me Mitch's piece from EFFector Online 07.08, and
   Digital Media, "Ever Feel Like You're Being Watched?  You Will..."
   However, I cannot run it in RISKS because of its copyright notice.
   Contact Mitch Ratcliffe <godsdog@netcom.com> (NOT RISKS) if you want
   a copy of the whole article.  PGN]


Canadian long-distance service reseller blunders

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
09 May 94 17:32:49 EDT
In November 1993, I signed up with a long-distance service reseller in Canada.
I won't give the name because there's no longer any reason to embarrass the
company.  Shortly after registering, I received a friendly welcoming letter
explaining how to use their service.  As expected, there was a special number
to dial; when we got the dial tone, we'd punch in a 3-number PIN and our own
telephone number.  Then we'd get another dial tone and we would dial our
destination number.

In the envelope were printed labels to stick on our phones with all of these
instructions--including the PIN!

I called the company and asked to speak to the chief of security.  When I
finally got to speak to her, she expressed horror at the prospect of having
customer PINs stuck to their phones in plain sight, where any passing
dishonest person could pick up their access codes and call expensive places.
It seems that no one in marketing or customer service had every discussed this
brilliant plan with her or with her staff. She assured me that she would
report the breach of security and effect changes.

Months passed.

In January, I spoke to the chief of security again.  This time, I cheerfully
told her she was running out of time.  I sent her a registered letter warning
her of the dangers to consumers; pointed out that although theoretically the
user of a phone system is responsible for calls, there would be no way to
squirm out of the irresponsibility of having sent out thousands of stickers
showing the PINs of countless users; and that even if the company absorbed the
costs of fraud, they'd be unable to prosecute even dishonest users who abused
their own phone codes.  I then added what I think was the clincher: if I
didn't hear back from them within a week I'd publish a report in the RISKS
FORUM DIGEST and in Computing Canada and make them a laughingstock.

I got a call from the VP to whom the security chief reports.  He assured me
that the problem was being solved.  Indeed, a few weeks later, I received new
stickers _without_ a pin.  The system now uses ANI to identify the client.
Attempting to access the trunk from an unauthorized phone immediately causes
an alert at the company switchboard; repeated attempts to abuse the system can
lead to termination of service.  The authorized user is informed of such
attempts.

Moral:  don't just ignore security breaches, fight them!

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn

    [Or threaten them with worldwide appearances in RISKS?  PGN]


Cheers to two companies

<tada@MIT.EDU>
Mon, 9 May 94 12:40:52 -0400
Although this forum is primarily for giving examples of computer
problems, I'd like to give credit to two companies I recently dealt with
that made an extra effort to reduce the risks in their systems.

My company recently switched to Fidelity for managing it's 401(k) retirement
plans.  Fidelity has a phone number one can call to check balances, transfer
investments between different funds, etc.  When you call for the first time,
you're asked to select and enter a PIN.  To identify yourself, you need the
plan number for your company, your social security number, and your birthdate.
All these are easily obtained by others.  To prevent misuse, the system sent
confirmation by mail to the person's home address that a PIN was set up.
(Allowing a PIN setup by phone worried me when I read their literature, but I
felt this was a good way of minimizing the risk.  Also it should be noted that
one couldn't transfer money from one person to another, only transfer to
different funds.)

A few days ago I stayed at a Mariott Courtyard in Landover, MD.  They have an
express checkout system in which a copy of the bill is printed and slipped
under your door your last night there.  On the bill is printed the credit card
number used for billing.  The copy slipped under the door had the number
overwritten with a heavy black marker.  It's possible that one could determine
the number anyway, but it reduces the risk of casual observance, and at least
demonstrates that they're thinking about the problem.

Cheers to both companies for thinking about the issues.

-michael j zehr


Re: MIT student arrested (Cohen, RISKS-16.01)

David desJardins <desj@ccr-p.ida.org>
Tue, 3 May 94 13:43:20 EDT
Fredrick B. Cohen <fc@Jupiter.SAIC.Com> writes:
> As to the issue of his intent to pirate software, that was not the charge
> against him.  It was wire fraud! I have read the copy of the indictment and
> commentary and I find this awfully strange.

According to his lawyer on Nightline (and this was not contradicted by
the former FBI computer-crime head), Congress wrote the copyright law so
that pirating software is not specifically criminalized unless one does
it for profit.  Whereas the wire fraud statute requires only a "scheme
to defraud"; there need not necessarily be a profit motive.

                                        David desJardins

Please report problems with the web pages to the maintainer

x
Top