The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 14

Monday 13 June 1994

Contents

o Unconventional Telephones
Mike Hoffberg
o Ex-deputy police chief charged over Computer Records
Mich Kabay
o RISKS in UK Election Voting Process
Thomas Rushton
o Big brother wants the shirt off your back
Lynn R Grant
o Re: GIF contains more than just a picture
Castor Fu
o Re: How to feel safer in an Airbus
Peter Ladkin
o Airbus A3(0?)0 deductions
Phil Overy
o Correction for address of Clipper paper
Sidney Markowitz
o Chunnel vision
David Honig
o RISKS of real-time image processing
Andy Cunningham
o Re: Women and Tetris addiction
Hilarie Orman
o Re: Campaigns and Elections
Robert J. Burkhart
o Re: Apathy toward computer errors
Tom Yurkiw
o Security? Maybe....
Neill Clift
o Re: Call Your OPERATER
Hardwire
o Re: Risks of too-simple responses
Ross Anderson
o Info on RISKS (comp.risks)

Unconventional Telephones

Mike Hoffberg <hoffberg@aps.anl.gov>
Sun, 12 Jun 94 21:45:24 CDT
I just got a new 900 MHz telephone made by Bel-tronis.  Plastered all over it
is the fact that it "Styled by BRONDI, Italy".  I guess I should be impressed.

Well today I prepare to make a call on it to SouthWest Airlines
(1-800-I-FLY-SWA).  Guess what?  The phone does not have a "W" on it.

On the #9 key it has XYZ.  It is missing the "Q" though.

It kind of reminds me of the (sorry about the non-PC reference) Polish
joke of the day 555-POLZ.  Except it would not work on this phone.

Michael Hoffberg  hoffberg@phebos.aps.anl.gov  mike@anl.gov


Ex-deputy police chief charged over Computer Records

"Mich Kabay [NCSA Sys_Op]" <75300.3232@CompuServe.COM>
12 Jun 94 09:26:26 EDT
>From the Reuter newswire (94.06.10 @ 16:59) via Executive News Service (GO
ENS) on CompuServe:

  LOS ANGELES, June 10 (Reuter) - A former deputy police chief who is now a
  private detective has been accused of obtaining highly sensitive criminal
  records from his old department, a spokeswoman for the District Attorney's
  Office said Friday.
     Spokeswoman Sandi Gibbons said Daniel Sullivan, former deputy chief of
  the Los Angeles Police Department, was charged Thursday with 11 misdemeanor
  counts of being in possession of criminal records.

According to the article, Sullivan allegedly used an inside collaborator to get
the data.  The collaborator and another private detective who received
confidential police files were also charged with misdemeanors.  Some of the
stolen information concerned people in official witness-protection programs,
relocated to protect their lives.


RISKS in UK Election Voting Process

Thomas Rushton <RUSHTON@RMCS.CRANFIELD.AC.UK>
Fri, 10 Jun 94 16:24 BST
A colleague (call him ZX) has just told me about how he voted in the
recent European Elections, and I thought I would share it with you.

He realised that he didn't have his voting card with him, but went to vote
anyway.  The voting hall contains several tables, where you exchange your card
for a voting slip, and the usual booths / boxes etc.

The procedure:  Go to the table which is labelled with your street name,
hand over your card, and receive a voting slip.

ZX (with no card), went to the appropriate table, and explained that he
wanted to vote, but did not have his voting card with him.  The clerk
said ``Oh, that's OK -- which street do you live in?''.  ZX replied
[RISK area -- pick a street, any street, from the following...]
The clerk then looked up in his copy of the electoral register for
that street, and asked ZX for the number of the house he lived in.
[RISK area -- the names in the register were marked in a way that
indicates who has voted already]  ZX replied with his house number,
the clerk said ``Oh, you must be Mr X'', and handed ZX a ballot slip.

The obvious conclusion is that J. Random Voter can go to any polling
station, say he's left his voting card at home, give a street name
(supplied on the tables), pick the number of a house on that street
from which no one has voted (by reading the electoral roll copy),
and vote, without having had to produce any for of ID.

The RISKs here are even higher when you consider that approx only 30%
of the total electorate participated in this election....

Question: Should the UK update its voting system?

Thomas Rushton SwEng / SEES, RMCS, Shrivenham, Swindon, WILTS, SN6 8LA, UK
rushton@rmcs.cranfield.ac.uk             tel: +44 (0)793 785684


Big brother wants the shirt off your back

Lynn R Grant <Grant@DOCKMASTER.NCSC.MIL>
Mon, 13 Jun 94 16:16 EDT
Here's another risk on the horizon.  We may have to wait a few
years, though.  From the June 1994 issue of Bobbin, "The premier
news and information source of the global sewn products industry":

     Groups such as the American Textile Partnership (AMTEX), a
     research consortium that links the sewn products industry with
     the Department of Energy's national laboratories, also are looking
     at RF technology as a means to improve the production process.  In a
     research project called the Embedded Electronic Fingerprint, long-term
     work is underway to develop a computer-type device the size of a grain
     of wheat that could be attached to a garment and used through the
     entire product life cycle.

     "A manufacturer could program into the device information unique to
     a garment, such as the size, color, style, line, or plant of
     manufacture, care instructions, etc.," explains Jud Early, director
     of research and development for the Textile/Clothing Technology
     Corp, [TC]**2.  "There also would be a large amount of blank memory
     that could be used for anti-counterfeit tracking and more."

     Since each tag would have a unique identity, in-process inventory
     could be tracked easily using RF units--without ever touching garments
     or having to open shipping boxes.  For example, a carton could be
     passed through a reading system, which would verify the contents
     against the packing list.

So, all that is needed is for the clerk at the store to capture the
identity of the shirt, perhaps through a barcode on the tag (so they
wouldn't have to install the special shirt readers), and they already
know your identity from your credit card number (unless someone else
buys your shirts for you), so they can track your movements by setting
up shirt readers in various places.

But that might take more collusion between government and the stores
than we want to speculate.  So try this: a crime is committed.  A few
days later, you walk past a hidden shirt reader, and are immediately
approached by an officer of the law, who arrests you for the crime.
"But I was nowhere near the scene of the crime," you protest.
"On the contrary," the officer counters, "one of our hidden shirt
readers detected you shirt in the vicinity of the crime.  You must
be guilty."

One would hope that the manufacturers of these devices don't accidentally
program duplicate serial numbers in them.  And you should think twice
about lending your shirt to your girlfriend.

Lynn Grant  Grant@DOCKMASTER.NCSC.MIL


GIF contains more than just a picture (Aldous, RISKS-16.13)

Castor Fu <castor@drizzle.Stanford.EDU>
Thu, 9 Jun 1994 23:10:30 -0700
So does this mean that xv - vi = une ix ?

  [To which PGN replied,
  However, if  ix  were masculine, we would have  un ix.]

     [To which Castor replied,
     One could argue that the gender of Unix is somewhat ill-defined.]

        [So, we need a language such as Latin with a neuter gender,
        and in which "un" is an indefinite article.  PGN]

           [Kevin Kenny (kennykb@dssv01.crd.ge.com) noted that the other
           popular image viewer, `xli,' is the FORTY-ONE program!]


Re: How to feel safer in an Airbus [Terribile, RISKS-16.13]

Peter Ladkin <Peter.Ladkin@loria.fr>
Fri, 10 Jun 1994 11:04:40 +0200
Mark Terribile offered some interesting comments on Airbus aircraft
design. But some of his speculation is ill-founded, and should not
pass without comment.

> If I understand correctly, Airbus was forced to use these multimode control
> systems because some of its aircraft use sidestick controllers.
> [...]
> There is another serious problem with the control mechanism described:

This is confused.  His first comment refers to the Airbus A320
aircraft, which is the first `fly-by-wire' commercial transport.  His
second comment refers to the crash of a China Airlines A300 in Nagoya,
which is a different aircraft, with the usual mechanical and hydraulic
primary control systems and relatively limited use of computers. It
does not have sidestick control.

His speculation on the A320, that Airbus were forced to use modes
because they chose a sidestick design, is incorrect. Fly-by-wire
aircraft use modes because they have to. What toys you give the pilot
to convey her instructions to the computer is almost an independent
choice. If the plane is flown by computer, she doesn't need a large
lever to move the control surfaces.

> There is another serious problem with the control mechanism described: the
> autopilot used one set of control surfaces (stabilizer trim) while the
> pilot continued to operate another (elevators).

This arrangement is used on more or less every transport aircraft
flying, as well as all tiny planes big enough to warrant a three-axis
autopilot. If this is a `serious problem', all aircraft have it.
(Also, the trim system is not primary control as the elevators are. It
serves a different function.)

> There is a third problem: the pilot has no indication through his controls
> that the autopilot--in effect, the aircraft's control laws--are actively
> working against him.

This is false for the A300, as for most conventional transports. In
fact, the copilot who was flying had to work quite hard to counteract
the nose-up trim. This is one of the puzzles of the accident.

A further comment about the Nagoya accident is appropriate. Current
knowledge is that the pilots failed to follow normal, explicit
procedure for control of the aircraft, and secondly that they had both
been drinking alcohol, which is illegal for good reason.  Responsible
senior management of China Airlines has resigned because of this
accident.  The FAA has virtually insisted that China Airlines work
with it on improving safety procedures including crew training and
oversight.  Trying to draw conclusions about aircraft design from
details of this particular accident is probably unwise.

Those wary of fly-by-wire transport aircraft design might also like to
know that Boeing's next airplane, the 777, is full fly-by-wire - just
like the A320, but, of course, different.

Peter Ladkin


Airbus A3(0?)0 deductions

Phil Overy RAL <PJO@ib.rl.ac.uk>
Fri, 10 Jun 94 09:06:53 BST
re: Mark Terribile's posting:-

1) Boeing sell similar automation to the A320 - they also caused the second-
worst Japanese crash and in this case much more directly (the fuselage broke).

2) whether you se sidestick or yoke, a modern airliner has no direct "cables"
to the rudders - it relies on multiple links either electrical or hydraulic
which would work equally well with sidesticks. A300s have been around for 20
years - this was an A320.

3) This is one of three crashes involving a simple confusion that I remember -
the first Tri-Star crash (neither pilot had switched off the auto-pilot); the
Kegworth crash (on a BOEING - the pilot shut down the wrong engine when it
caught fire) and this one (the younger pilot didn't switch off the auto-pilot
and didn't relinquish control. I automatically think of my poor (fortunately
very quick-witted) gliding instructors when I read of this particular crash-
thank you for not letting me land on the crosswind runway, Barry Hogarth!.

4) as for mode-switching and elevators etc - the senior pilot seems to have
tried to recover without switching off the auto-pilot, the junior pilot seems
to have flown as if the auto-pilot wasn't on. Reports will not say this as
it's a conclusion, not a fact - it does however sound like the explanation.

5) Since several A320s have crashed when silly things have been happening,
perhaps the automation, like the "watertight" hull of the Titanic, is
creating a too-complacent pilot. As a far-too-complacent pilot myself in the
past, I can understand this.

I do not pretend any insight into the cause of the crash, all I can say is
that if Mark Terribile is basing his preferred flight on the logic presented
here, he won't fly at all.

Regards
Phil Overy
Rutherford-Appleton Laboratory
(computer programmer with a chequered past, not a pilot or a designer, although
I have used gliders to exploit the many rain clouds over England)


Correction for address of Clipper paper

Sidney Markowitz <sidney@taurus.apple.com>
Fri, 10 Jun 1994 13:18:05 -0700
Perhaps the subject should be "RISKS of not using available spelling checker
technology". In RISKS-16.12, I had a typo in the address for the ftp site
containing Matt Blaze's paper. The correct site name is research.att.com and
the file is in /dist/mab/eesproto.ps and is in PostScript format. Thanks and
my apologies to the people who took my creative spelling of the word
"research" literally and sent me mail informing me of the error.

 -- sidney markowitz <sidney@taurus.apple.com>

    [My spell checker always balks on net addresses, so the "resarch"
    slipped by me.  It also let a Blase go through in RISKS-16.13.  PGN]


Chunnel vision (beaten to the pun)

David Honig <honig@binky.ICS.UCI.EDU>
Fri, 10 Jun 1994 15:54:36 -0700
Colville reported in RISKS-16.13 on the first false alarm in the Chunnel.
One might predict that these will be common at first.  In the public's
lexicon "False Alarm" might be replaced by "Channel Tunnel Syndrome" :-)


RISKS of real-time image processing

Andy Cunningham <andyc@eurovi.uucp>
Fri, 10 Jun 94 08:50:36 BST
I had a first hand demonstration of a new road-side traffic monitoring system
here in the UK earlier this week.

I was driving into some road works on the M1 motorway and was slowing down
to take account of the 50m.p.h. speed limit which had been imposed.
Immediately (10 yards) after the speed limit sign was a bridge, and mounted
on this bridge was a camera.  On the other side of the bridge was a large
dot matrix display, which immediately flashed up the message:

    SPEEDING
    L123 ABC
     58 MPH

(actual registration number changed to protect the guilty).

RISKS: first of all, I'm expecting to get a warning about the consequences of
speeding in the mail.  (In the UK, the police usually won't give you a ticket
unless you're at least 10mph over the speed limit).  More importantly some
drivers might be surprised by this and cause an accident.

This technology starts to get real "big brother" overtones if it's used to
actually send out tickets (camera/radar systems which produce photographic
evidence of speeding are already in place, but human intervention is required
to actually send out the tickets).  And just how accurate is the character
recognition anyway?

Andy Cunningham, VI Corporation (Europe), Ilex House, Mulberry Business Park,
Fishponds Road, Wokingham, RG11 2GY   +44 734 892111 Fax: +44 734 892090


Re: Women and Tetris addiction

Hilarie Orman <ho@cs.arizona.edu>
Fri, 10 Jun 1994 19:05:16 -0700
There are indeed deep psychological forces that draw women to the game of
Tetris.  I've been a Tetris junky, and I can give my testament to the risks of
this particular addiction.  First, I admit that I am, by nature, susceptible.
I've been through several 12 step programs to rid myself of addictions in the
past: adventure, pacman, rogue, hack.  Yes, I've been there, and in several
other autotelic hells as well: elisp, C++, interrupt handler bugs, and more
recently I've been developing a WWW browsing problem.  It started in childhood
with a Revell model of a "car of the future" (lime-green with huge tailfins
and clear bubbles over the occupants in their bucket seats) and continued with
more plastic cars, battleships, airplanes, then those chests of little steel
girders, then calligraphy, ..., OK, OK, I'm autotelic, I'm a woman, and I'm
going to tell my Tetris tale.

First, let me establish my credentials as a Tetris hard-core.  I found it
while on vacation in Maui.  I dragged my family in our Aloha clothing to a
video games den every evening after we cleaned up from a day on the beach.
The clientele was young, local, kind of tough.  Ordinarily I'd feel
uncomfortable spending 5 minutes in such a place.  But with a stack of
quarters and a Tetris machine, I was transported.  The locals would sit behind
me sneering and asking if they could "PLEASE" use the machines.  At first, I'd
let them.

But things changed when we got back home to Los Angeles.  I found a
video parlor in Marina Del Rey with Tetris.  The clientele was even
more disturbing, but again, the game presented a world of its own.
One afternoon, a woman with two small children attempted to take the
machine away from me.  While I was concentrating on the play, she
informed me that her kids wanted to use the machine.  Without looking
up, I told her that I'd only yield if it was management policy to
impose a time limit.  After a moment of shock she began screaming
insults at me and dragged the children away.  Though I didn't ever
look up to see what kind of person she was, it did pretty much ruin my
timing for that level.  I got busy with various home and work
projects shortly after that, and I haven't played much since.

For a while I tried using xtetris on my workstation, but it wasn't the same.
And I've never actually used a GameBoy, because it's hard to get the little
kids to share them, and even if they do they won't let you play for more than
a few minutes before they start whining.  So I'm going to talk only about my
experiences with the big machines in the video arcades.

So what is it exactly that draws women to Tetris?  I think it's refrigerators.
At first I thought it was cabinets, but I've been over this in my mind a lot,
and I'm convinced that refrigerators are the key.  The sociologist who
mentioned women's "craving for order" seemed way off base, she'd obviously
never been within a mile of a teenage girl's room, but still, that's the key
to it.  Women spend a lot of time trying to get things into refrigerators.
The point is, they don't have a natural sense of order, but they've got to get
the damn stuff into the fridge so it doesn't fall out, and that requires
ingenuity.  Cabinets are similar, but they use different reasoning skills than
refrigerators.  For example, it's OK to push something to the back of a
cabinet and lose it for a year.  And things that go into cabinets nest ---
you've got to be careful with those graduated bowls if they're from different
sets, because if you put one inside the other you'll need a screwdriver and
pliers to get it out.

Now refrigerators and Tetris are much the same thing.  The Tetris shapes are
like Tupperware boxes and milk cartons and packages of cheese.  But unlike
real household items, they remain sparkling and attractive no matter how long
you leave them there.  And if you pack them very carefully along the bottom,
instead of rotting and giving off foul odors, they are conveniently whisked
away, while more continue falling.  This is sort of like having your husband
help unload the groceries --- there you are trying to get the vegetables
packed carefully into the bottom bins, and there he is stuffing soft drink
cans into the dairy products section.

As you move through the various difficulty levels of Tetris, it's even more
like a refrigerator --- you don't get to start with a clean space, but instead
have what looks like piles of debris from unknown previous users.  Women know
that these unseen entities are teenagers and you've got to be very resourceful
and controlled to work around them.

But what's the payoff in this contest?  Well, mainly it's being able to
exercise a skill that women already have, but with lots more positive feedback
than real life.  And for me, the video arcade games have two really important
features.  One is a cute little Slavic dance tune that plays in the background
and helps with the timing.  But the real clincher is that as you get proceed
through the difficulty levels, there's entertainment.  Little Russian men come
out onto the screen and dance in that style where they fold their arms and
bend their knees and kick straight out.  Yes, that's the real thing about
Tetris for some of us older ladies, it's the dancing men.  In all my years of
cleaning out the refrigerator, I've never had a man dance a jig for me.  Well,
that's why I play Tetris; I'm not sure about anyone else.


Re: Campaigns and Elections (Agre, RISKS-16.12)

"Robert J. Burkhart" <0006344755@mcimail.com>
Sun, 12 Jun 94 23:04 EST
  ... just find out what everybody's hot issues are and make them all
  whatever promises you need to make, ...

And so (once again) fact follows fiction ...

Eugene Burdick (Co-Author of THE UGLY AMERICAN) wrote this script
in his futurist novel THE 480.  I thought this was also the same
computer-assisted campaign process used for the last presidential campaign!

Bob Burkhart at Twin Cities ACM  Senior Consultant - The Security Board


Re: Apathy toward computer errors (Seymour, RISKS-16.13)

"Tom Yurkiw (Tommy the Yurk)" <tnyurkiw@undergrad.math.uwaterloo.ca>
Sat, 11 Jun 1994 17:57:23 -0400
>"'I'm not going to send it in. They make too many mistakes, and I'm not going
>to rectify their mistakes,' he said. 'I can't see why people have to keep
>paying for their mistakes all the time.'" He says this is the "last straw."

The RISKS?  If people place unreasonable trust and expectations on the
accuracy of computer information, they are bound to be disappointed.

Also, people quickly forget the advantages of using a particular system,
and zero in on the drawbacks.  Does this guy really want to stand in line
for 8 hours or so, like they do in non-computerized elections?

Finally, this illustrates the RISK of working for government institutions -
people are far more aggressive in dealing with government agencies --
they speak in terms of `rights', they make demands rather than requests.
The relationship is different from the company-customer framework - even
the most obnoxious individuals must be humoured.


Security? Maybe....

Neill Clift <neill@macro.demon.co.uk>
Sun, 12 Jun 1994 08:47:13 BST
I posted this to comp.os.vms and somebody suggested it would be of interest to
risks readers. I am a risks reader but it didn't cross my mind until I was
told.

X-NEWS: macro.demon.co.uk comp.os.vms: 22614
Path: macro.demon.co.uk!neill
From: neill@macro.demon.co.uk (Neill Clift)
Newsgroups: comp.os.vms
Subject: Security? Maybe...
Message-ID: <1994Jun11.221520.201@macro.demon.co.uk>
Date: 11 Jun 94 22:15:20 BST
Organization: None
Lines: 38

One of our customers employees asked me to have a quick look at two security
packages for VMS that he was evaluating. The purpose of my quick look was to
determine if there where any obvious holes that these packages introduced or if
their auditing features where easily evaded. I spent less than a couple of
hours on each one (I wasn't getting paid just having a laugh :-)).

Package 1

This s/w had a facility for performing checksums on various files to enable
detection of tampering. I asked their representative what algorithm they used
for their checksum. All he would say was that it was proprietary. You would
expect 'proprietary' to mean that there was at least some thought behind it. I
found the algorithm to consist of summing the file as a contiguous set of
longwords and a recording of the modification date. Files could easily be fixed
up after modification! Why didn't they implement one of the many checksums
something like tripwire supports?

This s/w trapped AUDIT_SERVER messages via a mailbox. The protection on the
mailbox allowed read and write access to the world so that data could be read
out before the auditing s/w could get at it with a simple copy command. Fake
audits could also be introduced. This s/w had mechanisms for DCL command
procedures to take actions based on the audits passing parameters extracted
from the alarm data (evil grin).

Package 2

On looking what this s/w installed I spotted a privileged image that looked a
good target. Within 20 mins I had decided that I could probably use it to
obtain all privileges as an unprivileged user. After an hour or two of
programming I had done just that. In the end I exploited what I thought was the
quickest bug to use but this bit of code appeared to be teaming with problems.

Both of these packages looked very flash and professional from the outside.

Sad but true.
                                  Neill.

Neill Clift  neill@macro.demon.co.uk


Re: Call Your OPERATER (RISKS-16.09)

Hardwire <0003436453@mcimail.com>
Mon, 30 May 94 18:57 EST
I remember reading about this in NETWORK WORLD.  It's kind of funny: MCI
already owned 1800 OPERATER long before AT&T released 1800 OPERATOR (Which was
5 months after MCI released 1800 COLLECT).  MCI was using the OPERATER number
internally for something, but not collect calls.  They noticed after AT&T
released their collect call product: 800 OPERATOR they were getting a lot of
calls from people who misdialed.  MCI was directing them to the correct
number or 800 COLLECT.  Due to the large number of calls MCI finally decided
to send 800 OPERATER to the 800 COLLECT system.  According the NETWORLD WORLD
article, MCI was making about $200K a month thanks to people with the 'Quayle'
syndrome.


Re: Risks of too-simple responses (Lodge, RISKS-16.12)

<Ross.Anderson@cl.cam.ac.uk>
Thu, 9 Jun 1994 17:51:46 +0100
> ... All French credit cards are smart cards, and have been in mass use
> for several years now. The French don't seem to be having any problems
> with fragility or expense.

This is not quite so. One of the standard ways of defrauding the French
smartcard system is to destroy the chip, whether by stamping on it or by an
overvoltage.  This causes the terminal to revert to standin mode, which is
quite vulnerable.  Fraud was reduced slightly by the introduction of
smartcards - in France it is about 0.08%, against 0.2% for MasterCard and
0.1% for VISA - bit it has by no means been eliminated (source: `Cards
International' 22 July 1993).

Quite apart from fraud, the French card failure rate of 3% was the reason
why smartcards were not introduced in Belgium (source: `Cards International'
27th October 1993).

Also, there was a furore recently when French banks announced that all
merchants would have to move over to electronic terminals. This would have
cost over half a million small family businesses perhaps Ffr20,000 each, and
the main beneficiary would have been Bull - a struggling state-owned company
which was losing billions and being supported by the French government
(which seems to have been behind the move on terminals).

The risk? There are several - in not understanding the trade-off between
security and reliability, and in letting governments set security standards
before the technology is properly mature.

Ross Anderson <rja14@cl.cam.ac.uk>  Cambridge University Computer Lab

Please report problems with the web pages to the maintainer