Lawrence Livermore National Laboratory (one of the U.S.'s three nuclear weapons labs) has had one of its unclassified Internet computers hacked to provide a repository for 2 Gigabytes of pornographic images, storing over 1000 pictures. (You thought a picture is worth 1000 words? In this case it is worth 2000 kilobytes, i.e., 2 megabytes each.) This was reported in a Los Angeles Times article by Adam S. Bauman (appearing in the San Jose Mercury, 12 July 1994, front page); the Times article also noted that the Software Publishers Association and the FBI are tracking something like 1600 B-boards that contain pirated software. [Thanks to Nachum Shacham for bringing in the clipping.]
This is one for the Highway, not the I-way (Information Dirt Road): On 2 July 1994, on Route 29 in Virginia, one of those roadside variable message electronic signs was reported as flashing: "DUMB FROGS AHEAD" This wasn't a case of someone fat-fingering "dense fog ahead". Some prankster(s) had gotten access to the controls and had a little fun confusing the public. Stacy Pruitt, spokesbeing for Virginia Department of Transportation (VDOT), was quoted in the Washington Post as saying, "We think someone got in there during the night. What is mysterious is that it takes a password to sign onto the system. We're calling it 'highway hacking'." VDOT officials reported that the security box (on the back of the unit) was left unlocked, allowing physical access to the keyboard. Obviously, the so-called highway hacker(s) could have concocted a far more dangerous prank (the mind boggles!) but that merely begs the REAL question: How do you tell the smart frogs from the dumb ones? Tom Zmudzinski [Unreformed Paronomasiac] ZmudzinT@CC.IMS.DISA.MIL CAUTION! INCORRIGIBLE PUNSTER! PLEASE DON'T INCORRIGE! [A chunk of the 13 July 1994 Washington Post article (which appeared in the "Dr. Gridlock" column about local auto and traffic issues) was sent to RISKS by firstname.lastname@example.org (Marc Pawliger), with the Subject line "FROGGY BOTTOM". As I try not to use copyrighted material in its entirety (although I sometimes FROGETTE, as in the case of the amusing "TOUCH-TOE" [sic!] item "Risks of REDIAL" in RISKS-16.21), I have in this case chosen Tom's adaptation. I TOAD the line on this one. TOUCH-TOAD or TOUCH-TOED? "This carflee tastes like ZMUD to me!" "It should. It was GROANED this morning." PGN]
Often when driving, one is confronted with those big digital display boards that warn of impending traffic conditions. On top, there always appears to be a cellular antenna. Am I correct in thinking that there is a modem on the cellular "line"? The risks are somewhat obvious - one could call and change the message! While "COP AHEAD - SLOW DOWN" would be a bit amusing, a change from "BRIDGE OUT AHEAD" to "WEST HIGH RULEZ" would be disastrous. Jason J. Hanson, Univ. of Wisc., 22 Langdon Street #220 Madison, WI 53703-1344 (608) 256-1004 Ham: N9LEA (Extra) email@example.com
I received an e-mail that was distributed over a large mail-group today. It had a line, just below the "Subject" line, that read: > Sensitivity: Company-Confidential There are several RISKS here: 1) Misuse of this label can cause your company problems when it comes time to sue someone for stealing confidential information. This label should mean what it says in order to be valid in court. My company has told the employees several times to use this label ONLY for actual confidential material, for this reason. 2) It did not say which company the material was confidential for. It would not be a valid in court on actual confidential material because the company's name is not mentioned. 3) The person who sent this message is not paying attention to lines that their mailer adds. Lesson: Learn how your mailer works! Paul Szabo, Test Engineer, Tektronix Test and Measurement, Beaverton, OR 503-627-5811
The 24 June 1994 issue of The Wall Street Journal contains a long article about a wave of "fax scams" that has been emanating from Nigeria. People receive quasi-official-looking faxes with elaborate stories about money that needs to be parked in their bank accounts for short periods, with large profits promised. The recipients of these faxes, of course, start dreaming of big bucks. Just before the deal is closed a temporary "hitch" arises, requiring the person to send over some money or goods to bribe a government official. Needless to say, the money and goods are never seen again. Part of what makes these scams so effective is that the scammers manage to come up with enough personal information about the victim to play on his or her weak points and make the faxed "documents" more compelling. The scam requires faxes rather than just airmail because the parties need to exchange increasing numbers of faxes as things get more complicated, and speed presumably helps keep doubt from setting in. The article says: Nigerian scam artists have claimed so many victims in Texas that the Nigerian soccer team and its fans have received a less-than-enthusiastic welcome at the World Cup games there. In Addison, the Dallas suburb where the Nigerian team is practicing, a local newspaper quoted the police chief warning restaurateurs to beware of Nigerians bearing credit cards. After outraged Nigerians called for his resignation, the chief said his remarks had been misinterpreted. The full reference is: Geraldine Brooks, How a recurring scam cost an accountant and his wife $54,000, The Wall Street Journal, 24 June 1994, pages A1, A6. The Risk, of course, is not specific to faxes. When communications are cheap and personal information is readily available, scams like these can readily cross borders, so that criminal communications can originate in "off-shore" locations where they are not likely to be punished. Just think what will be possible when global broadband communications become widely available. Phil Agre, UCSD
Re: Mosaic risks (Levine, RISKS-16.22) At the RISK of sounding like a commercial, "Mosaic" (a brand-name for the generic World Wide Web (Web) technology) is and has been available in privacy and integrity enhanced versions from the MicroElectronics and Computer Technology Corporation (MCC - my employer). MCC EINet has secured Web client versions on Mac and Windows, as well as Unix servers. Web is the latest in a series of internet products that MCC has secured, including WAIS and FTP. We also maintain commercial grade access control and key servers on the network, available to any registered user. The two most obvious RISKS in an internet Web environment are the authentication of the user and the server. Just as a user must authenticate to a server, responsible users will want non-reputable evidence that the server is what it says it is. This two-way authentication process is fully deployed today. And before everyone responds, we agree that their are many more RISKS, and secured clients and servers are only part of our system, which includes an internet security plan, risk analysis, fully integrated firewalls, and transparent encryption. Re: Fraud on the Internet (Rowley, RISKS-16.22) ... Your reaction is naive. The short answer is yes. The internet is a wonderful collection of networks of all shapes and sizes, for many purposes. There is no reason to try to impose additional rules and regulations on it. What is happening, however, is that as commercial entities are looking to make use of it, they want additional security features in place. If a company puts in links to the internet with a firewall and authenticating server, that does not 'require' the rest of the users to change anything. It just means that one organization is making use of an advanced technology in a safe and secure manor. Tom Patterson, Director, INFOSEC, MCC firstname.lastname@example.org
A minor but (mildly?) interesting bar-code risk lies in coupons which are part of the packaging of products. The manufacturers have figured out that they shouldn't put barcodes on those which appear on the outside of packaging, lest the store pay you for taking the product (although this means that the scanner cannot verify that you bought the necessary product when redeeming the coupon), but continue to put barcodes on those which appear *inside* the product. In the case of Healthy Choice frozen fake eggs, the coupon happens to be on the inside, but *opposite the normal product bar-code*. I found myself paying for 2 products instead of paying for one and cashing a coupon, when the checker scanned the wrong side of the coupon! Hardly earth-shattering, but a nice gotcha. ...phsiii
It's Silvio M*i*cali. Meeks got it consistently wrong throughout his article, and unfortunately now even extracts are repeating the mastake. :-) — Jerry [Your moderator knew that also, and somehow neglected to fix it. PGN]
One more contribution on the use and abuse of cellular phone technology, if the forum can tolerate it. As a technology planning engineer in the trade, I find the amount of ignorance-fueled fear of telephony and the vast amount of misinformation on cellular telephony in particular to be a source of constant amusement (but hey, I'm easily amused :). I'll address some specific remarks from earlier contributions first, then raise the noise floor another few dB with my own views. Willis H. Ware writes: >If cells get smaller in the future, then the precision of location will >increase ... In a subsequent issue of Risks, Lauren Weinstein writes: >If you read your phone bill inserts carefully, you may have already > received a notice allowing you to choose whether or not you want your > called number information released to VENDORS of telecommunication services! The concern about monitoring is justified only up to a point — remember, the only reason for this information to be saved is because it has value to someone. Wireline telcos long ago abandoned detailed billing, and today don't even retain that information unless required by a government agency; the cost of collecting and storing this tidal wave of data is still too prohibitive to make it useful on an everyday basis (this is a situation I don't see changing in the foreseeable future, either). The cellular phone industry, on the other hand, has employed detailed billing from its infancy, for reasons driven both by customer needs (why did this call cost so much?) and economies of scale (the processing needs have been orders of magnitude smaller than what is required by our wireline brethren, and at the same time the silicon revolution has made low to midrange computing power cheap — many smaller cellular phone companies still do billing on a single PC!). So, for instance, seeing LA reporters with copies of OJ's cellular phone bill are no surprise at all, given that the information is readily at hand and the weakest security link in a system is usually the human operator. For all the high tech, gee whiz methods of obtaining cellular phone IDs, the most common way is still for unscrupulous sorts to bribe or blackmail company insiders into sharing lists of valid subscribers. In the case of a large company like AirTouch (or my own), a corruptible someone with access to subscriber data can probably also get billing data. Robert Morrell, Jr. and Bob Frankston pointed out different aspects of the risks of eavesdropping on cellular phone conversations (Mr. Morrell made the point that it is incumbent upon the user to ascertain and protect his level of privacy, and Mr. Frankston pointed out the fallacy of comparing wired and wireless technologies from a privacy perspective). The so-called security of the wired telephone is conceptually similar to "security through obscurity" in that it is the medium itself that makes listening to an otherwise unencoded communication difficult. It is something that virtually no phone user has thought about but takes for granted anyhow. I could agree with Mr. Morrell's extreme-sounding position if there was some assurance that once the user body was educated about the risk and began demanding truly secure communication (which I believe will happen eventually) the option was still available. Right now the US government is trying to usurp the issue while the body politic is still ignorant, and I see that as a violation of the public trust. BTW, several companies make scramblers for analog cellular phones (which work in conjunction with a companion device on the target phone, either wired or compatible cellular). The big drawback to these is that they must do most of their cryptographic work in the frequency domain, and 3300 Hz is not a lot of bandwidth to play in. On the general issue of location tracking, I think the greater concern should be with real-time monitoring. I can sit at my desk today and find out which cell sites in our network any given phone number has placed calls on for the last 24 hours (after which time the data is rolled off into oblivion but continues to be available offline in printed detailed billing reports). But, as has already been correctly pointed out, this information is highly imprecise. Triangulation can be employed with a greater degree of precision (within a few hundred feet at best), but not consistently enough to be reliable. Data from technologies such as GPS must be transmitted in-band, so it is useless to the phone company unless the receivers are integrated into the network. However, I can't — and probably won't ever be able to — get any of the same information from a competitor, because that type of data is highly competitive in nature. No competing carriers will share that information with one another, nor will they be enthusiastic about providing the data to a clearinghouse where it might be generally accessible. So in this case competition is our friend. In any event, every large cellular carrier is already performing real-time network monitoring, and using called number information to get to the weak human link is probably more effective for law enforcement anyhow. Phil Brown GTE Mobilnet email@example.com
I believe the first instance I can think of is Orwell's novel 1984, although I would not be surprised that the idea predated that as well. I do recall having seen 1930s Gene Autry serials in which the evil mole-men placed television transmitters throughout an unsuspecting town. --scott
Michael Stern writes in RISKS-16.23 about an alarming number of errors in a closed-captioned news program, and wonders if these are induced by faulty voice-recognition systems or spell-checker bugs. The truth is far simpler. Many live programs (such as news) are live-captioned by a service provider. In other words, a live human stenographer listens in (and usually views) the program while it is being broadcast, and types along as best as they can keep up. This is a somewhat outdated method when it comes to news, but many stations still use it, and it is quite error-prone. This is probably what happened in the reported case. More modern newsrooms with integrated teleprompting/news composition software, have the newsroom computer automatically generate live close-captioning data from the teleprompter display. So the home viewer actually gets to see the news slightly before the anchor reads it off the display. The problem here is that commentary from persons on screen, such as people live in the field, must still be provided manually or not at all. Some stations elect to caption the news program after it has aired, then re-broadcast it during the late-night hours. The problem here, of course, is that hearing-impaired viewers aren't able to get the news until hours after everyone else. Bob Richardson, OmiCo Industries firstname.lastname@example.org PO Box 1404 Corvallis, OR 97339 503-758-5018
Unlike most programmes, teletext conversion of the news is done live. As I understand it, a typist transcribes what the newsreader is saying using a special phonetic keyboard (like those devices you sometimes see being used in Parliamentary Committees or Congress). This is linked to a computer, which makes a "best guess" at the corresponding words and outputs the teletext directly. Obviously there is no time to correct errors. Clive D.W. Feather, Santa Cruz Operation, Croxley Centre, Hatters Lane, Watford WD1 8YN, UK email@example.com +44 923 816 344 Fax: +44 923 210 352 |
It's interesting that one looks for a high tech explanation for these errors. Many Risks readers seem to forget that we already have a fairly reliable speech to text system. I presume that the TV stations use the same kind of system that one encounters when using the text to speech mechanism that is employed in the page networks. This is an efficient system that runs on 2000 to 3000 calories a day and can handle a wide variety of speech. A human. Unlike the paging systems which allow the typist to confirm the message (though I do get messages like my wife's request that I buy some "weak germ"), the TV systems require someone to type at a furious pace without any chance to correct or think. It's surprising how few errors occur. Wait for the story on Unix.
Is it too much to expect that when airlines find problems with laptop computers they report which ones? It is possible that particular manufacturer's machines are out of compliance. As part of assuring safety, it would be worthwhile to report the brands to the FCC rather than just condemning all devices. As to lavatories, is it indeed worth risking an aircraft because one passenger is in the lavatory without a seatbelt on?
I hate to second-guess somebody who probably used the available information and did what he thought was best, but... jumpin' jehoosephat! Rather than violate procedures by taking off with somebody in the potty, he came within a "few feet" of re-enacting Tenerife on at least one occasion, maybe more? Not all RISKS involve computers... --Joe
I recently saw the Flight Safety Department of the Swedish CAA comment on interference by the use of cellular phones. In one instance, operating a cellular phone caused the aircraft transponder to stop replying to interrogations from ground secondary radar stations. When the phone was turned off the transponder replied normally again. The FSD speculates that transmissions from the cellular phone on frequencies close to the interrogation frequency of the transponder had caused the sensitivity of the transponder receiver (which is automatically adjusted) to be reduced to the point where it could no longer receive interrogations. Neither the cellular phone type (NMT or GSM) nor the aircraft type was given. (PS. A "transponder" is a device that provides ground radar stations with coded replies that identifies the aircraft and gives information about its altitude.) Lars-Henrik Eriksson, Swedish Institute of Computer Science, Box 1263 S-164 28 KISTA, SWEDEN firstname.lastname@example.org (intn'l): +46 8 752 15 09
I may not be as up on this issue as I should be. I do however fly fairly often, and have become aware of the subject of interference to in-flight instruments by electronic devices being used by passengers, and the rules regarding the use of electronic devices. It is clear that there is plenty of circumstantial evidence reported by flight crews of this phenomenon. When this first became an issue my understanding was that no one was sure that there was any link between the electronic devices and the occurrences, however for safety's sake, the restrictions were being instituted. What I don't understand is why after all this time there isn't more substantial data available. How hard would it be to reproduce the problem? Certainly if one such device can cause a problem, then a cabin full of devices, which can be switched on and off in a controlled experiment should yield some measurable effect. Has something like this been done already? Has this been done without being able to reproduce the problem? It isn't that I don't believe there is a problem. It just seems to me that the kind of evidence I've seen reported does not help pinpoint the problem. Therefore, the restrictions on the electronic devices may inconvenience travelers without diminishing any risk. Or perhaps once the effect can be reproduced and isolated, alterations could be made to shield the instrumentation from the effect. This would be a far more effective approach than expecting a few flight attendants to police an entire cabin full of potential abusers. Also, if the phenomena are caused by other unidentified sources, then there is certainly a risk that too much attention to this theory could be diverting attention from the real cause of the potentially disastrous occurrences.
Please report problems with the web pages to the maintainer