The RISKS Digest
Volume 17 Issue 61

Monday, 8th January 1996

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Snowbound workers overload Nynex lines
Dave Tarabar
Denver Airport baggage misdelivery prompts shutdown
Robert Charette
Estimate of the effects of export controls on U.S. companies
PGN
The Citibank hack, continued
David Kennedy
How They Nailed "The Engineer"
Mark Thorson
DPA: Crime on the Net
Mich Kabay
CompuServe's Can of Worms
Edupage
The risks of using obscenities
Daniel Hicks
Metaphorplay on Compuservile
Henry Baker
Re: Bavarian Police Censors CompuServe
David G. Bell
Russell Stewart
CompuServe Overreaction
Klaus Brunnstein
Re: Problems when PC BIOS is held in flash RAM
Sean Reifschneider
Door-unlocked indicator increases risks?
John Light
ABRIDGED info on RISKS (comp.risks)

Snowbound workers overload Nynex lines

Dave Tarabar <Dave_Tarabar@bcsmac.org>
07 Jan 1996 21:36:42 GMT

It occasionally snows in Massachusetts. Last week most of the state got at least twelve inches of snow in a storm that started Tuesday evening and kept going most of Wednesday (3 Jan 96). The storm was forecast several days in advance and many workers avoided a treacherous drive to work by staying home and trying to telecommute.

Friday's Boston Globe had a short article that reported that Nynex experienced a 50% increase in phone-line demand in some areas. This resulted in some users having to wait for a dial tone and hearing quick busy signals once they got one.

This appears to have been a minor and temporary inconvenience and we all got back to work on Thursday. But I think back to the Blizzard of '78, when a 30+ inch snowfall closed down the state for almost four days. (The state prohibited non-emergency travel and several major highways were blocked by snow-covered abandoned cars.) If that happened today, all of the home modems and fax machines that might be used by homebound workers might severely stress a phone system that was already suffering from weather-related equipment and wiring breakdowns.

[And of course, it may have happened today? PGN]

Denver Airport baggage misdelivery prompts shutdown

Robert Charette <75000.1726@compuserve.com>
05 Jan 96 20:43:53 EST

A recent AP item from Denver (Denver Baggage System Shutdown) indicates that Denver's long-plagued automated baggage-handling system (most recently, see RISKS-16.83), which finally went on-line in October 1995, has a software problem that has caused its sole user (United Airlines) to shut down use for inbound baggage — which has been handled manually since 22 Dec 1995 pending further analysis, even though the apparent software problem has been fixed. On the other hand, only 15 of 27,706 bags missed their delivery on 22 December. (No details were available on the nature of the bug.)


Estimate of the effects of export controls on U.S. companies

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 8 Jan 96 08:01:15 PST

The Sunday *San Francisco Examiner and Chronicle* carried an item entitled ``Encryption Sales Ban Costs U.S. $60 Billion'' (7 Jan 1996), which quoted a report of the Computer Systems Policy Project, sponsored by IBM, AT&T, and 11 other companies, estimating that in the year 2000 as much as 30 percent of an estimated $200 billion computer systems market would be lost because of the existing U.S. export controls on crypto technology.


The Citibank hack, continued

David Kennedy <76702.3557@compuserve.com>
05 Jan 96 03:04:30 EST

Russian pleads guilty to stealing from Citibank ... [Courtesy of Reuters North America (4 Jan 1996) and CompuServe's Executive News Service]

<> Russian pleads guilty to stealing from Citibank accounts <<

<> NEW YORK (Reuter) - A Russian national has pleaded guilty for his role in a scheme to penetrate Citibank's computers, steal millions from corporate accounts and transfer the funds to overseas accounts, federal prosecutors said Thursday. Alexei Lachmanov, 28, faces a possible maximum sentence of five years in prison and a $250,000 fine for participating in the scheme that involved the illegal transfer of funds to bank accounts he controlled in Israel. <<

Dave Kennedy [US Army MP] [CISSP] Volunteer SysOp National Computer Security Assoc

How They Nailed "The Engineer"

Mark Thorson <eee@netcom.com>
Sun, 7 Jan 1996 21:26:01 -0800

There was a story tonight on the _60_Minutes_ television program on CBS describing the recent assassination of a terrorist in Israel.

Known as "The Engineer", he designed bombs used in a number of terrorist incidents in Israel. At the time of his death, he was in hiding.

According to the news story, he was killed by a bomb planted inside a cellphone which was activated by a code sent to the cellphone. The story was that the cellphone had been provided by a trusted person who was presumably an Israeli undercover agent.

This implied that only one sabotaged cellphone exists. It seems more likely to me that if you were tracking down a highly elusive enemy using cellphones, you'd infiltrate many more than one cellphone. GAZA-PHONES-ARE-US might be selling nothing but booby-trapped phones during that end-of-the-year "blowout" sale!

Then, all you have to do is monitor enough telephone conversations until you catch the guy while he uses one of your sabotaged phones. Send the code, and BOOM!

This raises some interesting RISKS possibilities. Selective assassination by dialing in a number? Can the system be hacked? Does the system make mistakes? [What about, Sorry, wrong number?]


DPA: Crime on the Net

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
04 Jan 96 10:27:22 EST

From the German Press Agency news wire via CompuServe's Executive News Service; translated by MK with the help of Power Translator Deluxe 1.0 from Globalink Inc:

Copyright DPA, 1995
EDV-Polizeiexperte: Kriminelle nutzen vermehrt Computernetze

München (DPA, 95.12.29) - Kriminelle nutzen für immer mehr Straftaten die elektronischen Möglichkeiten der Computernetze. Darauf verweist der Leiter des Sachgebiets Computerkriminalität beim Bayerischen Landeskriminalamt in München, Werner Paul. ``Die Palette reicht von der Kinderpornographie, über Rauschgift, den Waffenhandel, Software-Raubkopien bis zum Kreditkartenbetrug'', sagte er am Freitag der DPA.

....

Copyright © German Press Agency, 1995
EDP - Police Expert: Criminal use of computer networks increasing

Munich (German Press Agency) - criminals are increasingly using the electronic possibilities of computer networks. According to the director of the computer crime unit of the Bavarian State Prosecutors Office in Munich, Werner Paul, "The range extends from child pornography to narcotics, the arms trade, software piracy and credit-card fraud." Herr Paul was speaking on Friday to the German Press Agency.

Key points:

M. E. Kabay, Ph.D. / Director of Education, National Computer Security Assn (Carlisle, PA)

CompuServe's Can of Worms (Edupage, 7 January 1996)

Educom <educom@elanor.oit.unc.edu>
Mon, 8 Jan 1996 14:26:23 -0500 (EST)

After cutting off subscribers' access to more than 200 electronic bulletin boards that feature adult material last week, CompuServe now is trying to find a technical way to block only German subscribers, whose government originally had lodged the complaint against the commercial online provider. Industry executives are pointing out that this would set a bad precedent, possibly encouraging other governments to make their own demands regarding content restrictions. "Every country will now jump in and say we don't want any antigovernment propaganda. Every country in the world will push its own local hot button," says a University of Pennsylvania professor. (*Wall Street Journal*, 5 Jan 95, B2)


The risks of using obscenities

Daniel Hicks <hotlicks@VNET.IBM.COM>
Wed, 3 Jan 1996 12:22:15 -0600 (CST)

Note: DaveR, a user on an internal IBM system in Lexington, KY, was browsing the ESPN Web pages and came upon some correspondence discussing U of K basketball player Jared Prickett. However, the name appearing on the page was "Jared ett" — some automatic censor logic was removing "Prick" from posts to the ESPN discussion boards. I have encouraged DaveR to submit directly a RISKS article about this [which is now unnecessary], but I thought the following might make for an interesting counterpoint [...].

Back when I was in college (many many years ago), we had an HP 2000 Time Shared Basic system. It was a fairly primitive system by current standards (16 TTY terminals), but the neatest thing since sliced bread at the time. There were several students, however, who just did not get along well with computers. One of these, a classmate of mine, had spent several hours creating a program to do some task, but the program was not working as expected. In a fit of frustration, the student typed in "SCR*W YOU" on the TTY. However it was the student who was screwed. Any line not prefixed by a line number was interpreted by the system as a command, and the system ignored anything beyond the first three letters of commands. So "SCR*W YOU" was seen as "SCR", meaning "scratch" — the system's command to erase the current workspace.

In a final bit of irony, the system responded with its usual response — "OK" — after completing the "scratch" operation. The student was laughing at the system's response — until he realized his program had disappeared.

Dan Hicks IBM Rochester, Minnesota
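Both halves of Dan Hicks's item are the same failure mode seen from two sides: a matcher that is looser than the intent behind it. The ESPN filter matched "Prick" anywhere in a token, so a surname lost five letters; the HP 2000 command reader matched on the first three characters, so an insult became SCRatch and erased a workspace with no confirmation. The following Python is an added illustration, not code from the post or from either system. The block list, the command table and the "OK"/"ERROR" responses are constructed for the example; the HP 2000 model implements only what the post states (numbered line = program line, otherwise a command, first three letters significant) and the hardened variants are the editor's, not anything ESPN or HP shipped.

```python
import re

# ---------- 1. The ESPN-style censor ----------
# Constructed block list; the page only says that "Prick" was being stripped.
BLOCKLIST = ["prick"]


def naive_censor(text: str) -> str:
    """Delete each blocked string wherever it appears, case-insensitively.

    This reproduces the behaviour reported on the page:
    "Jared Prickett" -> "Jared ett" (the classic Scunthorpe problem).
    """
    for word in BLOCKLIST:
        text = re.sub(re.escape(word), "", text, flags=re.IGNORECASE)
    return text


def word_boundary_censor(text: str, mask: str = "****") -> str:
    """Match blocked terms only as whole words and leave a visible mask.

    \\b anchors the term to word boundaries, so a surname that merely
    contains the term is untouched, and the mask makes the edit auditable
    instead of silently rewriting someone's name.
    """
    for word in BLOCKLIST:
        pattern = r"\b" + re.escape(word) + r"\b"
        text = re.sub(pattern, mask, text, flags=re.IGNORECASE)
    return text


# ---------- 2. The HP 2000 TSB-style command reader ----------
# Constructed command table: three-letter abbreviations as the post describes.
HP2000_COMMANDS = {"SCR": "scratch", "LIS": "list", "RUN": "run", "SAV": "save"}
FULL_COMMANDS = {"SCRATCH", "LIST", "RUN", "SAVE"}
DESTRUCTIVE = {"SCRATCH"}

LINE_RE = re.compile(r"^(\d+)\s*(.*)$")


def hp2000_dispatch(workspace: dict, line: str) -> str:
    """Model of the behaviour the post describes.

    A line that starts with a number is stored as a program line; anything
    else is a command, and only its first three letters are significant.
    So "SCR*W YOU" is read as SCR(atch) and the workspace is erased.
    """
    stripped = line.strip()
    m = LINE_RE.match(stripped)
    if m:
        workspace[int(m.group(1))] = m.group(2)
        return "OK"
    verb = stripped[:3].upper()
    if verb == "SCR":
        workspace.clear()          # destructive, no confirmation, answers "OK"
        return "OK"
    if verb in HP2000_COMMANDS:
        return "OK"                # other commands are no-ops in this model
    return "ERROR"


def strict_dispatch(workspace: dict, line: str, confirm: bool = False) -> str:
    """Hardened variant (editor's own, hypothetical).

    The whole first token must be a known command, so a typo or an insult
    is rejected rather than truncated into something dangerous, and a
    destructive command does nothing until the caller explicitly confirms.
    """
    stripped = line.strip()
    m = LINE_RE.match(stripped)
    if m:
        workspace[int(m.group(1))] = m.group(2)
        return "OK"
    verb = stripped.split()[0].upper() if stripped else ""
    if verb not in FULL_COMMANDS:
        return "ERROR: unknown command"
    if verb in DESTRUCTIVE and not confirm:
        return "CONFIRM? SCRATCH erases the current workspace"
    if verb == "SCRATCH":
        workspace.clear()
    return "OK"


if __name__ == "__main__":
    print(naive_censor("Jared Prickett"), "|", word_boundary_censor("Jared Prickett"))
    ws = {}
    hp2000_dispatch(ws, '10 PRINT "HI"')
    print(hp2000_dispatch(ws, "SCR*W YOU"), ws)   # OK {}  -- program gone
    ws = {}
    strict_dispatch(ws, '10 PRINT "HI"')
    print(strict_dispatch(ws, "SCR*W YOU"), ws)   # rejected, program intact
```

The two fixes share one principle: match on the whole token the user actually typed, and make the consequence of a match proportionate (a visible mask, a confirmation step) rather than silent and irreversible. Three-letter abbreviations were a reasonable convenience on a 16-TTY system; the risk is pairing that leniency with a destructive default that reports "OK".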

Metaphorplay on Compuservile

Henry Baker <hbaker@netcom.netcom.com>
Sat, 6 Jan 1996 17:25:55 -0800

A powerful rule-of-thumb from control theory says that the uncertainty in a control system will gravitate towards the degree of freedom that is hardest to measure and/or hardest to control. A classic example of this problem is the 'horizon effect' in computer chess programs, in which bad (or good) things that happen more moves ahead than the program can look aren't considered at all; this provides a way for a fair human strategic player to beat a tactically excellent chess program.

Politicians appear to be blissfully unaware of this rule, and as a result they go off so half-cocked that their 'cures' are much worse than the diseases for which they are prescribed. For example, instead of having newsgroups whose content is trivially identified, so that people can stay clear of them, the newsgroups will now get innocuous names, and it will be much easier for someone to wander into the middle of an ogrey (sic). However, Santayana was right, and people must learn most things first-hand, so here goes.

Instead of beating our breasts over Compuserve's censorship of Usenet newsgroups, we should respond to this censorship in the same way that people have all through history — by using metaphoric code. For example, some of the nursery rhymes we learned as children were actually very caustic statements about the powers-that-be of the time, but which if said in plain text would have gotten the speaker's spine stretched and/or severed.

Given the indexing machines like www.dejanews.com
