The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 86

Friday 3 March 1995

Contents

o What Goes Intuit May Not Come Out the Same Taxwise
PGN
o Apple Settles RSI Claim
Edupage
o Apple Settlement Due to Lawyer Error
Edupage
o More Security Problems on the Internet
Edupage
o Encryption Lawsuit Filed in California
Edupage
o Anti-Cyberporn [Exon] Bill Introduced
Edupage
o Home Gambling Network
Mich Kabay
o Losing your Marbles and your Barings
Peter Wayner
o UK National Audit Office report on computer misuse in government
Brian Randell
o Re: Perfect (?) Office Bug ...
Matt Cockerill
o Blaming the victim for money stolen with lost ATM card
Elizabeth Schwartz
o Sick Medicare Scanner
Judith Seeger
o Interstate Panopticon
Phil Agre
o Risks of living on the left side of the continent
Rob Slade
o Info on RISKS (comp.risks)

What Goes Intuit May Not Come Out the Same Taxwise

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 3 Mar 95 07:57:21 PST
Flaws were reported in the PC and Mac versions of TurboTax and MacInTax
1040.  These flaws are triggered when transferring tax data to the tax
package from other software, such as Quicken.  Intuit estimates that the
flaws would affect only about 1% of the users.  Intuit Chairman Scott Cook
apologized that the flaws had been known for a few weeks and had not been
publicly acknowledged until 1 Mar 1995.  He also indicated that new
versions can be obtained for free by calling 800-224-0948 (in the US).
[Sources: various news reports 2-3 Mar 1995, including the San Francisco
Chronicle]


Apple Settles RSI Claim (Edupage, 28 Feb 1995)

Edupage <info@ivory.educom.edu>
Tue, 28 Feb 1995 20:09:58 -0500
Eight weeks into the first such lawsuit to go to trial, Apple Computer has
settled with the plaintiff who claimed her repetitive stress injuries were
incurred as a result of Apple's failure to warn about the potential for
RSI. One of the requirements in the settlement is that the terms be kept
secret. IBM, also named in the suit, has asked the judge to declare a
mistrial, saying that news of Apple's settlement was prejudicial.  The
judge has rejected that motion.  IBM says it does not intend to settle.
(Tampa Tribune, 28 Feb 1995, B&F1)


Apple Settlement Due to Lawyer Error (Edupage, 2 Mar 1995)

E-D-U-P-A-G-E <info@ivory.educom.edu>
Fri, 3 Mar 1995 16:44:13 -0500
Apple Computer's recent move to settle the repetitive stress injury lawsuit
brought by a former high school secretary in Minnesota was prompted by
"errors" its law firm, Saperston & Day, made in not turning over some
documents before the trial.  The judge had threatened to declare a mistrial
or impose sanctions because of the oversight.  Saperston & Day will pay the
settlement.  (Wall Street Journal, 28 Feb 1995, B7)


More Security Problems on the Internet (Edupage, 23 Feb 1995)

Edupage <info@ivory.educom.edu>
Thu, 23 Feb 1995 20:35:30 -0500
The Computer Emergency Response Team has issued a public warning on a
vulnerability in some 20 commonly used e-mail programs that run on Unix
operating systems.  The advisory said the latest discovery could allow a
hacker to "read any file on the system, overwrite or destroy files."  The
ultimate solution to these recurrent security problems, says Purdue
University professor Eugene Spafford, is for consumers to demand better
security features from software manufacturers.  In the absence of improved
software, "are we going to continue seeing problems? You bet."  (Wall
Street Journal, 23 Feb 1995, B8)


Encryption Lawsuit Filed in California (Edupage, 28 Feb 1995)

Edupage <info@ivory.educom.edu>
Tue, 28 Feb 1995 20:09:58 -0500
A graduate student at the University of California at Berkeley has filed a
lawsuit against the federal government, charging it with unfairly limiting
his ability to discuss his research on encryption software.  The plaintiff
developed an equation for encrypting information, and wishes to publish a
paper on his work, as well as software based on his equation.  He would
also like to discuss his findings at professional meetings.  The federal
government's export-control laws restrict the publication of cryptographic
software and documentation.  The Electronic Frontier Foundation is handling
the plaintiff's case.  (Chronicle of Higher Education 3/3/95 A19)


Anti-Cyberporn [Exon] Bill Introduced

Edupage <info@ivory.educom.edu>
[date lost, on or just after 8 Feb 1995]
Sen. James Exon (D-Neb.) has introduced legislation calling for two-year
prison terms for anyone convicted of sending obscene or harassing e-mail.
Commercial providers have protested, noting their service is more like a
telephone company, which is not held responsible for the conversations
carried over its conduits, but Exon remains unmoved: "If I were against
this, if I didn't want to be bothered with it, if I felt it might
complicate my ability to make money on the superhighway, that's the
argument I would make." Meanwhile the Center for Democracy and Technology
is pushing for more sophisticated filters that users could customize to
block specific types of messages. "You could have the Pat Robertson rating
system, the Motion Picture rating system, the Playboy rating system," says
the Center's founder.  (*Wall Street Journal*, 8 Feb 1995, p. B6)


Home Gambling Network

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
25 Feb 95 08:58:45 EST
The Washington Post (95.02.24, p. C1) has an interesting story on virtual
gambling:

    The Home Gambling Network:
    It's Illegal, Maybe Immoral, but Is the Cyberspace Casino
    a Good Bet?

    by Richard Leiby
    Washington Post Staff Writer

    NEW YORK--Surrounded by a sea of techno-suits discussing the
    future of media convergence in a bidirectional world of
    system-neutral platforms, the guy with the shaved head and
    black leather jacket had to smirk.  "What's funny to me,"
    John Bates said, "is how tremendously clueless most of these
    people are."

The author makes the following key points:

* Gambling in the U.S. is a $400 billion industry.

* A hundred people paid U$595 to attend a one-day conference in NYC
  entitled, "Interactive Gaming:  What's the Payoff?"

* Thirty-one year old Bates is "on-line service director" for the
  Virtual Vegas company, which is proposing "cyberspace casinos
  where real and computer-generated players interact in 3-D."

* US federal law currently makes betting across interstate borders
  using telecommunications illegal.

* In practice, gamblers have been making off-shore bets on U.S. sports
  events over the phone using their bank credit cards.

* The prospect of unlimited access to credit cards for gambling alarms
  some observers of addicted gamblers: "Give some people a
  credit-card-reading device with a keypad hooked into their phones or
  home computers--models of which were exhibited at the conference--and
  you're bound to have suckers blowing their life savings.  And minors
  will find a way to log on to parental accounts."

* In Quebec, an interactive TV show lets people order up to C$15 (~U$11)
  of tickets a week (the limit is spelled out in legislation).

* The UBI (Universal Bidirectional Interactive) Consortium based in
  Montreal is working on a consumer-oriented electronic network which will
  include gambling services.

* Some observers predict "a family-values backlash" against such
  computer-mediated gambling.

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn
(Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)


Losing your Marbles and your Barings

Peter Wayner <pcw@access.digex.com>
Wed, 1 Mar 1995 13:08:23 -0500
The story of the young trader who brought down Barings Bank captivates me as
much as it captivates the headline writers at the NY Post. James Glassman
wrote in the Washington Post (March 1, 95), "I don't mean to paint him as a
romantic hero, but he has reminded us-- in this age of huge financial
institutions guided by high-speed computers-- that one little guy can still
move the world." RISKS readers, though, should be intrigued because I
suspect that deep below all of this may be an intriguing datapoint on the
value of anonymity in the modern, electronic marketplace.

The Osaka Exchange publishes a weekly digest of the position. The Financial
Times quoted someone saying, "everyone knew of the trades" and "no one could
quite understand what Barings was doing with that sort of position."

This fact leads me to have some fun speculating on what happened. The
futures and options markets are quite different from the stock market.
Whenever someone loses a dollar, then someone else makes it. Value just
doesn't evaporate into smoke like it does on the stock market when everyone
decides a stock isn't worth it anymore. So every dollar that Barings lost
was gained by someone else.

What does this have to do with anonymity? Everything. There aren't many
people playing at these levels in the market so people can gang up on one
another. It's much like games of bridge or hearts where everyone can work
together to stiff one player who might be in the lead.

If everyone knew that Barings was so deeply in the hole, they knew that it
might not take much to push Barings into bankruptcy. Just a bit more
selling in Tokyo and whammo, the firm is theirs at a huge selling price. No
need to negotiate payment terms or other factors. If the firm doesn't have
enough assets, the futures exchange might make up the difference from an
insurance fund.

The strategy that might have been in play was similar to the one that led
to the table stakes rule in poker. The rule limits bets to the smallest pot
still in the hand. This prevents the richest player from winning every hand
by merely outbidding everyone. Don't play poker against Bill Gates without
it. (If you want to see what it could do to a marriage, check out the film
"Honeymoon in Vegas.")

There is no such rule in these markets and Barings should have known better
than to expose themselves to this risk. I suspect, though, that they might
have been much safer if their action was kept anonymous.

Of course this theory is just a theory. As Glassman would like to believe
that a little guy can still move the world, I want to believe that large
cabals can gang up on the little guy.


UK National Audit Office report on computer misuse in government

Brian Randell <Brian.Randell@newcastle.ac.uk>
Wed, 1 Mar 1995 11:23:59 +0000
 [Source: COMPUTER HACKING AND THEFT RIFE IN WHITEHALL, by CHRIS BLACKHURST
 Westminster Correspondent, The Independent, 1 Mar 1995.]

Hacking into Whitehall computers soared last year, with a 140 percent rise
in the number of reported incidents.  An investigation by the National Audit
Office, the public finance watchdog, found that Government departments
reported 655 hacking incidents last year, of which 111 were successful.  Most
hackers were internal staff exceeding their authority to obtain unauthorised
information to leak to outsiders, and got oral or written warnings.  Twelve
percent of cases ended in legal action.

The report includes these items:

- Civil servants and outsiders conspired to defraud a Government department
of (pounds sterling) 1.5m.  Police are investigating and eight arrests have
been made.

- A civil servant obtained personal details of colleagues to blackmail them.

- A Government official obtained the private address of a married couple,
possibly to assist in the kidnapping of the wife.

- Two staff members were prosecuted and fined (pounds sterling) 3,750 after
leaking computer data.

Government computers are also increasingly prone to viruses and programmes
designed to harm data and other software. Last year, Government departments
and agencies reported a 350 percent rise in virus incidents, to 562. Over
half of these cases, NAO points out, were detected by anti-virus scanning
software.

Two outbreaks were labelled "significant" by the NAO:

- Thirty-eight viral infections were traced to one PC hard disk, loaded with
pirated computer games. Civil servants had been exchanging games by floppy
disks or through e-mail. The viruses were the games manufacturer's own
anti-bootlegging devices.

- Four PCs in a Government typing pool had been infected with a virus which
took two days to eradicate.

If hacking and viruses were not bad enough, theft, reports the NAO,
"continues to be a major problem, with portable computers, printers and
laptop computers being the main targets."

There were 433 reported incidents of theft of Government computer equipment
last year, a rise of 60 percent. In all, equipment costing (pounds
sterling) 1.2m was taken. This included two break-ins to the same office
within three months and the loss of equipment worth (pounds sterling)
102,000.  The thieves, who have not been caught, were thought to have been
"stealing to order." Likewise, the culprits behind the theft of 11 PCs and
other hardware, worth (pounds sterling) 55,000, have not been found.

In one of the more bizarre incidents, somebody went to the trouble of
taking a computer desk from a room and replacing it with an old one. The
locked drawers of the desk were broken into, and information, mostly
concerning the personal details of 300 staff, was scattered about.

The report also noted that The National Computing Centre's 1994 IT Security
Breaches Survey, covering a cross-section of industry and commerce, found
that 25 percent of businesses had suffered theft of computer equipment in
the previous two years.

 [The National Audit Office has considerable political influence here in the
 UK, so it will be interesting to see what follows from this report.  BR
   Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne,
   NE1 7RU, UK EMAIL = Brian.Randell@newcastle.ac.uk PHONE = +44 191 222 7923]

      [A corresponding article in The Times was reported by Timothy
      J. Hunt, Institute of Cancer Research, Royal Marsden NHS Trust,
      Downs Road, Sutton, Surrey UK SM2 5PT +44 (0)181 642 6011 x3312
      Timothy@icr.ac.uk .  PGN]


Re: Perfect (?) Office Bug ... (Whittle, RISKS-16.85)

Matt Cockerill <cockeril@europa.lif.icnet.uk>
Sat, 25 Feb 1995 14:28:09 +0000
>  In other words, tell them not to hit the power switch until they see C:\.

Surely this relates to the previous RISKS discussion on power switches, and
Apple's deliberations on how best to implement them.

As Apple has realised, a few dollars spent on a software controllable power
switch largely solves the problem. Surely this is better than blaming users
for their entirely natural impatience with a machine which demands that
they wait while it closes itself down, before they are "allowed" to switch
it off. One of the major risks of the use of computers is that we end up
with computers controlling people rather than vice versa.

Matthew Cockerill                                Tel:[44] 171 269 3877
Imperial Cancer Research Fund (Cell Cycle Group) Fax:[44] 171 269 3801


Blaming the victim for money stolen with lost ATM card

Elizabeth Schwartz <betsys@cs.umb.edu>
Sat, 25 Feb 1995 16:46:52 -0500
In this case, it was stated here that there was supposed to be a limit on
the amount of money that the ATM card could withdraw, but an error in the
bank's computer allowed the thieves to steal $346,770. The victim had left
her ATM card, with the PIN number on it, in or near the ATM machine.

It makes sense to me that the victim should be responsible for her own
losses, to the limit of the card, since she gave away the number. (I
wonder, would I feel differently if she had been robbed and the PIN number
found hidden in her belongings?)  She should not be responsible for more
than the limit. The bank gave her the card and told her it was good for up
to $50 or $300 or whatever; the bank should be responsible if an error on
their part allowed more than this to be taken.

I wonder if any personal theft insurance policies cover losses from ATM
cards?


Sick Medicare Scanner

Judith Seeger <jws@hpl.hp.com>
Thu, 2 Mar 95 9:15:10 PST
San Jose Mercury News' Action Line section, 15 Feb 1995:

SORRY, WRONG NUMBER

Q.  In October 1993, I received a statement from Medicare that my wife had
medical attention in Healdsburg from a Dr. John Fries.  I notified Medicare
that this was incorrect.  Neither of us had ever been in Healdsburg.
Medicare answered, thanking us.  The other day we received another letter
from Medicare showing that Fries had submitted another claim for treating my
wife.  It appears someone is using my wife's name and Medicare number to
obtain care.  Or maybe the doctor is making up these visits.  Could you
check into it?   C.E.F., San Jose

A. No one is using your wife's Medicare number; nor is the claim submitted
in a fraudulent manner, says Claudette Ballard, office manager for Fries.
The last time this happened and this time, too, Medicare's scanners misread
one of Fries' patients' Medicare number and picked up your wife's number.
Ballard says the scanner is somehow reading the fifth digit in the number
incorrectly and billing the service as if your wife received it.  Ballard
has contacted Medicare again and was assured steps would be taken so it
doesn't happen again.  She is writing you a letter to explain the problem in
more detail.


Interstate Panopticon

Phil Agre <pagre@weber.ucsd.edu>
Sat, 25 Feb 1995 17:59:07 -0800
The press is starting to notice some of the serious privacy problems with
the rapidly advancing proposals for "Intelligent Transportation Systems" in
the United States.  Here are a couple of relevant articles:

  Richard Simon, Camera gains more exposure as a device for traffic control,
  Los Angeles Times, 20 February 1995, pages B1 and B3.

This one is about the accelerating use of video cameras on roads in Southern
California.  In the near term they're mostly to identify the causes of traffic
jams.  But the Blue Line between Los Angeles and Long Beach will soon have
cameras to detect drivers who attempt to circumvent lowered gates to cross the
train tracks.  And although the state Office of Traffic Safety is concerned
about "a growing problem with commuters eating, reading, changing clothes,
brushing their teeth and generally paying less than full attention to the
road", it says it has no current plans to check up on these things with its
cameras.

The cameras, in case you're wondering, are in bulletproof containers.

Although some of the problems that state traffic officials have identified
are genuine, the real difficulty is in their basic philosophy for solving
them.  Rather than collect information and circulate it in a decentralized
fashion that is useful to individual drivers and engineering crews without
permitting unlimited accumulation of information that identifies individual
drivers, they have set up a general-purpose centralized observation center
in downtown Los Angeles.

The slippery slope here is steep: as technologies of surveillance are put
in place, new applications will always be available that are only one short
step beyond what they've been used for so far.  I am generally skeptical
about visual metaphors for privacy problems, but this is one case where the
Panopticon offers a perfectly simple and straightforward model.

That's not so clear in another, much bigger and more consequential case:

  Don Phillips, Big Brother in the back seat?: The advent of the "intelligent
  highway" spurs a debate over privacy, Washington Post, 23 February 1995,
  page D10.

This article concerns the "privacy principles" being circulated by the
Intelligent Transportation Society of America, which is the industry group
coordinating the development of a national architecture for transportation
automation systems, including systems that track the locations of vehicles
for a range of purposes.  Although nobody in the United States is currently
proposing that the use of these technologies be made mandatory for drivers,
it is very likely that they will become unavoidable as a practical matter,
since they will probably be used to implement much more widespread roadway
toll-collection.  The most recent version of these principles that I have
seen is dated December 13th 1994, and they are in fact seriously problematic.
For example, they only place very loose restrictions on secondary uses of the
information by marketers, and they envision no restrictions on the powers of
access to ITS travel information that individual states can confer upon local
police.  You can retrieve a copy by sending a message that looks like this:

  To: rre-request@weber.ucsd.edu
  Subject: archive send its-privacy

Or you can look at them on WWW at:

  http://weber.ucsd.edu/~pagre/its-privacy.html

I will probably circulate another message about these principles soon.  The
Phillips article notes that many people are concerned about law enforcement
uses of ITS information; ITS America feels that such use is inevitable and
simply wishes the public to be informed of this fact -- they wish to focus
on knowing "what the rules are" rather than on actual privacy.  The tragedy
is that it is completely unnecessary for these systems to collect information
that identifies individuals.  Profound violations of individual privacy are
not the price of progress.  Rather, they are the price of using old-fashioned
technology, neglecting innovations such as public-key cryptography and digital
cash that protect privacy without sacrificing functionality.

Phil Agre, UCSD


Risks of living on the left side of the continent

"Rob Slade, Social Convener to the Net" <roberts@mukluk.decus.ca>
Tue, 28 Feb 1995 12:40:09 EST
Memoirs of a (coastal) virus researcher

Some people may not be aware that, by disconnecting the modem and attaching
a device known as a "telephone", communications circuits may be used for
voice communications.  Unfortunately, unlike email, "telephone" calls must
be synchronous (or, more correctly, bisynchronous) in that both parties must
be active on the circuit at the same time.  With the rise in modern
communications technologies, scenes like the following are becoming more
common:

RRING

RRING

RMS : Hello?

DFP: Hi!  I'm looking for, ummm, Robert Slade?

RMS: Speaking.

DFP:  Oh, good.  My name's _____ ____ and I'm with the Detroit Free Press.
I've got a copy of your book, and I thought we could do a story on this
computer virus situation.

RMS: Uh huh.

DFP: I read most of it, and I liked it, but I've got a few ... sa-a-a-y.
Isn't Vancouver on the *West* Coast?

RMS: Usually.

DFP: Oh, gee, I'm really sorry.  See, we're three hours ahead, and ... gee,
should I call back later?

RMS: No, that's OK, I had to get up and answer the phone anyway.

DFP (puzzled): Oh, really?  Why's that?

RMS: It was ringing.

I love reporters.  They always get the straight lines right.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0
