The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 54

Friday 15 December 1995

Contents

o 16-year-old boy cracks university computer security
o Another sign spoof
Joshua Levy
o Software Keeps Trains on Track
Eleanor Wynn
o Classified Disks Lost--Court Martial
David M Kennedy
o Invaders in Eastern Washington [more squirrels]
David Burlingame
o See you in the funny pages
Don Alvarez
o Risks of grammar checkers
Bruce Wampler
o Anonymity
Winn Schwartau
o Technology risks: an old but familiar tale
Victor Yodaiken
o Better than French card tricks: Australian Customs Shuffle
Karl Reed
o Pick a personality type, any personality type ...
Rob Slade
o Just Say No to Censorship
Audrie Krause
o Committee Slaps the Net -- Again
Craig A. Johnson via Stanton McCandlish
o Re: False Alarms in Digital Systems
Mark Lomas
John R. Sowden
o "The Underground Guide to Computer Security" by Alexander
Rob Slade
o ABRIDGED info on RISKS (comp.risks)

16-year-old boy cracks university computer security

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 13 Dec 95 12:15:14 PST

Jim Batterson of Richmond VA sent me a clipping of an article from the Richmond Times-Dispatch, 9 Dec 1995, B1.

A Lancaster PA teenager was visiting with a student at Eastern Mennonite University, and was given the student's password. The teenager used that password to log on, download some hacking tools from a BBoard, and gave supervisor privileges to everyone -- including access to everything, including forthcoming final exams, private e-mail, and faculty documents. (Student and financial records are kept elsewhere.) EMU spokesman Jim Bishop said, "Apparently, none of the students rifled through material they shouldn't have seen." [How can you tell? In many systems today, privileged and even normal reads do not show up in directory listings, and few sites run anomaly-detecting software that monitors read access! PGN]


Another sign spoof

Joshua Levy <joshua@intrinsa.com>
16 Dec 1995 00:31:44 GMT

This little note is from Herb Caen's column in the 15 Dec 1995 * San Francisco Chronicle*:

Add storm notes: Some pixies rejiggered the electronic Caltrain sign on I-80 in Richmond Tuesday night, transforming ``Off Ramp Closed'' to ``Boo OJ,'' but nobody can figure out how they did it.

I'm sure the readers here can come up with more RISKy applications for this "rejiggering" technology.

Details: The sign was almost certainty a "caltrans" sign, not a caltrain sign. Caltrans handles the roads, caltrain handles the trains. Personally, I bet Caltrans knows how it was done, but whoever reported this to Herb Caen did not.

Joshua Levy <joshua@intrinsa.com>

Software Keeps Trains on Track (Edupage, 7 December 1995)

Eleanor Wynn <WYNN@applelink.apple.com>
14 Dec 95 05:06 GMT

Next month Union Pacific and the Burlington Northern Railroad Co. will test a satellite-based computer system to monitor locomotives' speed and location. The software flashes a warning to crew members when a train exceeds a safe speed, and if the advice is ignored, the system activates robotic technology to apply the brakes. When fully implemented, the system could save railroads $30 million a year by preventing accidents caused by human error, plus whatever additional savings are realized through more efficient tracking by dispatchers. (Investor's Business Daily, 6 Dec 1995, A6)

[Edupage is written by John Gehl (gehl@educom.edu) & Suzanne Douglas (douglas@educom.edu). Voice: 404-371-1853, Fax: 404-371-8057.]


Classified Disks Lost--Court Martial

David M Kennedy <David_M_Kennedy@smtp.ord.usace.army.mil>
Wed, 13 Dec 1995 10:10:11 -0500

Courtesy of PA News and CompuServe's Executive News Service

NAVY CHIEFS LOST TOP SECRET DATA AFTER PUB VISIT

PA News 11/12/95 16:59

<> Naval commanders lost two top secret computer discs on a train journey from London, a court martial heard today. The officers had given a presentation to a Navy wages review team using the discs. After stopping in a pub for a few beers they took a train back to their unit in Petersfield, Hants, where they discovered to their horror that the 3.5ins discs had gone. <<

[DMK Comment: "Severely reprimanded" Oooo I'm sure that set a good example! The embarrassment is a more severe punishment. Perhaps the US should have "severely reprimanded" Pollard and Ames?]
Dave Kennedy US Army MP, CISSP 76703.2557@compuserve.com volunteer SysOp National Computer Security Assn

Invaders in Eastern Washington [more squirrels]

David Burlingame <davidb@spl.lib.wa.us>
Wed, 13 Dec 1995 17:06:06 -0800 (PST)

From the Walla-Walla Union Bulletin dated 6 December 1995 (page 1):

Squirrel Disrupts Downtown
by Bryan Corliss (of the Union-Bulletin)

A clumsy squirrel brought the high-tech financial hub of Southeast Washington crashing down this morning.

The squirrel touched one line carrying 69,000 volts of elec- tricity and another carrying 12,000 volts at the same time, said Rich Bielby, Pacific Power's assistant operations manager in Walla Walla.

The resulting explosion and fire inside Pacific Power's central substation near the corner of West Rose Street and Sixth Avenue killed the squirrel - and all power to almost 4,000 downtown customers, Bielby said.

"Isn't that something," mused County Extension Agent Walt Gary, who heard the explosion in his office across the street. "It isn't even a native animal here."...

The RISKS? If you're a squirrel, many. Just shows (yet again [...]) how any system can be crippled by quite unforeseen rodents (bugs).

dAVe Burlingame 206 386-4680
davidb@spl.lib.wa.us Seattle Public Library 1000 4th Ave Seattle WA 98104
[The RISKS archives now include about half a dozen such squirrel attacks. We seem to report toothy inciDENTS, acciDENTS, and roDENTS. PGN]

See you in the funny pages

Don Alvarez <dla@cmbr.phys.cmu.edu>
Tue, 12 Dec 1995 10:43:52 -0500 (EST)

There was a story on NPR this morning (Tue Dec 12) about IRS policies for collecting sales tax from cartoonists. Apparently, if you are a cartoonist who provides cartoons to a newspaper on paper, then you must collect sales tax _but_ if you submit those same cartoons electronically (over fax or modem, for example) then you are not required to collect sales tax. Does this mean that it's 6% cheaper to buy any "work of art" over the internet?

Don Alvarez Don+@cmu.edu 412-268-8953 VOICE 412-681-0648 FAX

Risks of grammar checkers (Smith, RISKS-17.53)

<wampler@cs.unm.edu>
Fri, 15 Dec 95 13:04:09 MST

> The problems with the grammar checker are not subtle. ... It exists only
> because it makes a good demo and looks good on a bullet-list chart.

This is an interesting statement because it actually points out some interesting RISKS. First is the risk of not understanding the software you are using, caused by a second risk of adding features to get a "checkmark" without really knowing what the consequences are.

I was the main author and software architect for the grammar checker Grammatik, which is now a part of WordPerfect (and NOT the one used by Microsoft.)

One of the main limitations of grammar checkers is a very high false error rate. Certainly in an error-free document, the false error rate would be 100%. Most documents are not error-free, and in practice the false error rate is closer to 30 or 40%. While that is very high, that still means that 60% of the time, the grammar checkers are finding real errors. For native English speakers, this is actually quite a valuable service.

In 1992, Microsoft decided that 60% was good enough and that grammar checking should be an integral part of word processing. The major competitors followed Microsoft's lead, so now the major word processors all have grammar checking. Because of this, users probably expect the grammar checking to work as well as the spelling checking, which it DOES NOT.

As stand-alone products, the user manuals included with grammar checkers clearly pointed out that many of the flags were false errors. Many of flags are also judgment calls. Passive voice is fine, even standard for some technical writing, but is still weak and ineffective for most other writing. Because of the uncertain nature of the error flags, most of the suggestions are couched with words such as "may be" or "consider."

Even with carefully worded wimpy suggestions, there are a couple of problems. First, if the user has not been educated to expect a large number of false errors, then they often become irritated and give up on the program. A far worse problem and RISK is when the user does not understand proper English well enough to separate the false flags from the true errors. Then following the suggestions of the program can lead to incorrect results.

For many years, grammar checkers were stand-alone products, and the decision to use one was an active choice -- the user knew about the product, and usually was aware of the limitations. Since grammar checking has become a standard feature of word processing, this self-filtering is gone.

The fact is that given the nature of the problem, commercial grammar checkers are really quite good and valuable, given an understanding on how to best use them. Unfortunately, the managers at Microsoft and WordPerfect/Novell consider the issue settled. They have their checkmarks, and as far as I know, not much new work is being done to improve the state of grammar checking.

Bruce E. Wampler, Ph.D. (wampler@cs.unm.edu)
Adjunct Professor, Department of Computer Science, University of New Mexico

Anonymity

<winn@Infowar.Com>
Fri, 15 Dec 1995 17:18:21 -0500

Strange thing happened recently.

I received some e-mail from penet.fi, the Finish anonymous remailer. They gave me an account "at my request." I never requested it though. I asked them how this happened and they swear it was me.

Spoofing. Kevin Mitnick adapted my electronic identity on the Internet 18 months ago and did some nasties which required some explanation. (Hard to do, I might add!)

I've heard of this penet.fi happening to another person. Anyone else? Any ideas?

Winn Schwartau - Interpact, Inc. Information Warfare and InfoSec
V: 813.393.6600 / F: 813.393.6361 Winn@InfoWar.Com

Technology risks: an old but familiar tale

Victor Yodaiken <yodaiken@chelm.cs.nmt.edu>
12 Dec 1995 15:34:28 GMT

"People's distrust of the high-pressure engines was confirmed when the boiler of a stationary engine exploded at Greenwich on 8 September 1803. It was the usual tale; the boy who had been trained to work the engine went off to catch eels and a labourer stopped the engine without releasing the safety valve." Richard Hills, _Power from Steam_, Cambridge 1989.


Better than French card tricks: Australian Customs Shuffle.

Karl Reed <kreed@latcs1.lat.oz.au>
Wed, 13 Dec 1995 14:20:13 +1100 (AEDT)

The Computer Centre at Monahs University ordered a copy of a very fast FortanII called (as I recollect Quicktran) from a westcoast software company in about 1967. This was to run on their recently installed, 32k word CDC3200, and was for student use...

The deck (several boxes of punched cards) was in absolute binary, which meant that it had no sequence numbers and could only be read by humans with some difficulty. The (very expensive) deck duly arrived, and would not load.

In those days, there was only airmail, telex and the telephone, so it took some time before Tony Adams (now Prof. and Dean of International Programs at the Royal Melbourne Institute of Technology) finally accepted that a working deck had been dispatched. He decided to track the consignment's passage through customs, to see what had happened, and discovered a customs officer who recalled that some other person had dropped two of the boxes, spilling them. They had simply been picked up (having been randomised by the experience), and had been sent to Monash without cooment.

A working deck eventually arrived, and worked well...

Prof. Karl Reed, Director, Amdahl Australian Intelligent Program, La Trobe
University, Bundoora 3083, Melbourne Victoria, Australia +61-(0)3-9479 1377

Pick a personality type, any personality type ...

"Rob Slade" <roberts@mukluk.hq.decus.ca>
Thu, 14 Dec 1995 22:29:16 EST

Fred.Sterling@zygn.com is starting to bug me. But the story of yet another spammer, trying to sell yet another silly gizmo over the cyberspace waves is not necessarily of interest. Bear with me, please, for a couple of paragraphs.

Fred is trying to sell a "learning machine". It takes the "subliminal teaching" idea one step further by attaching a headset. Presumably the headset flashes either pictures or (more likely) random patterns at you. If you browse over to http://Zygon.com, you'll find them trying to sell you the whole setup (less the (presumably) audio CD player) for an incredibly discounted price of about 300 bucks. For this low, low price, you also get your choice of five "courses", on the CDs.

As I ran through their offerings, one jumped out at me. They have "self improvement" courses. You know the type of thing: how to be more assertive, how to be more successful, how to make a million, how to make out.

Now, I'm not really afraid of Fred and his friends. They are out to con a few people and make a few bucks. But what if someone *does* manage to come up with a legitimate teaching/training machine, one of these days, that does work as advertised? (Science finction stuff, maybe, but disquieting none the less.) Being unable to get unpopular varieties of apples at the store is one thing, but what happens to requisite variety when everyone wants, and has the means, to become a grinning supersalesperson? What happens to psychodiversity when everyone tries to get that little edge in assertiveness?

OK, everyone back to worrying about the real world, now.

ROBERTS@decus.ca rslade@vanisl.decus.ca rslade@freenet.vancouver.bc.ca
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

Just Say No to Censorship

"Audrie Krause" <akrause@igc.apc.org>
Thu, 14 Dec 1995 05:47:38 -0800

* * * * * * Open Letter to President Clinton & Congress * * * * * *

CPSR will forward the attached letter to President Clinton and Congress on Tuesday, reflecting the position of CPSR's Board of Directors regarding the censorship provisions in the telecommunications deregulation legislation now pending before Congress.

Please share the letter freely as long as this notice is not removed and CPSR is identified as the originator.

********************************************************************

December 12, 1995

President Clinton and Members of Congress,

On behalf of Computer Professionals for Social Responsibility (CPSR), I am writing to urge an immediate halt to Congress's attempt to censor the Internet. The legislation you are considering adopting is the cyberspace equivalent of padlocking the doors to public libraries, burning books and shutting down printing presses. Congress must not enact, and President Clinton must not sign, a law that censors free speech on the Internet.

CPSR is a public interest alliance of computer professionals and computer users concerned about the impact of computer technology on society. We work to influence decisions regarding the development and use of computers because those decisions have far-reaching consequences and reflect our basic values and priorities.

As technical experts, CPSR members provide the public and policymakers with realistic assessments of the power, promise, and limitations of computer technology. As concerned citizens, we direct public attention to critical choices regarding applications of computer technology, and how those choices affect society.

As American citizens, our right to free speech is guaranteed by the First Amendment to the U.S. Constitution. We have the same right to free speech in cyberspace as we have with other forms of the printed word.

Most Americans consider free speech the cornerstone of a free society. But many members of Congress -- incredibly -- support language in the sweeping telecommunications deregulation bill now pending before a joint Senate-House conference committee that would criminalize a broad range of information under the claim that it is harmful to children. These clauses of the bill, while supposedly aimed at pornography, have such vague language that they could be used to censor literary classics and public health information.

Given the open nature of networks such as the Internet, restrictions on sending material that children might look at ends up keeping everyone from speaking freely. The fear of being caught in the law's net will force many networks to shut down. Thus, t he free flow of views we now have on the information highway could be replaced by a controlled set of ideas dished out by corporate broadcasters and monitored by prosecutors all over the country. One example of the impact of the proposed legislation:

CPSR's Seattle Chapter sponsored the Seattle Community Network, a free, public-access computer system for the public's benefit. SCN has over 6,500 users. Under the legislation proposed by Congress, if an individual member of the SCN posted a message on an SCN forum or from SCN that was later deemed to be "indecent," SCN could be fined $100,000, and SCN's Board of Directors and staff could face two-year prison sentences. Without community networks like SCN, the Internet will be out of reach of millions of citizens.

CPSR does not dismiss the concerns of parents who want to shield their children from inappropriate material. The whole point is that each parent defines what is "inappropriate" differently. There are more flexible and effective ways to screen what children see, than to have the government impose censorship on everybody.

The issue before you is not about whether or not our children are exposed to materials that some may find offensive or obscene. It's not about whether or not parents should control what their children are exposed to on the Internet.

It's about freedom of speech, which is a fundamental principle in our society. It's a principle with widespread support. The vast majority of American citizens, no matter what their political leanings, support free speech. Those who oppose free speech are a small, shrill minority, and they appear to want to tyrannize the rest of us in order to get their way.

President Clinton and Members of Congress, it is up to you to protect our rights. That's why we elected you. Today, CPSR's 1,600 members are joining with hundreds of thousands of other Americans in speaking out against this attempt to censor free discourse in cyberspace. Many of you in Congress ignored an earlier petition signed by 107,000 Internet users. Please don't ignore us today. We are the People, and today we're exercising one of our most important rights.

Sincerely,

Audrie Krause, Executive Director, CPSR, P.O. Box 717, Palo Alto, CA 94302
Tel: (415) 322-3778 Fax: (415) 322-4748 e-mail akrause@cpsr.org

Committee Slaps the Net -- Again (fwd)

Stanton McCandlish <mech@eff.org>
Wed, 13 Dec 1995 18:29:11 -0800 (PST)

To: protest@wired.com From: telstar@wired.com (--Todd Lappin-->)

Date: Wed, 13 Dec 1995 13:06:10 -0800 Sender: cyber-rights@Sunnyside.COM

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

[Longish, but starkly subsetted by PGN -- first and last two paras.]
COMMENTARY by Craig A. Johnson
American Reporter Correspondent, Washington, D.C.

HOUSE-SENATE COMMITTEE SLAPS THE NET -- AGAIN
by Craig A. Johnson
American Reporter Correspondent

WASHINGTON -- "Indecency" language, as defined for broadcast media by the Federal Communications Commission, seems now to be superglued onto the telecommunications reform bill. [...] In short, the committee is attempting to build a four-humped camel from parts of the original Exon and Hyde measures in the bills -- and perhaps grafting on some of White's language, which grants more generous protection to service providers who carry content and actively try to keep "indecent" materials from being transmitted to minors. This observer came away with the strong impression that the committee fully intends to abrogate the First Amendment as it applies to the Internet, despite some members' visible discomfort with the results.

[Send e-mail to cyber-rights for the full copy. PGN]

Re: False Alarms in Digital Systems (Burgess, RISKS-17.53)

Mark Lomas <Mark.Lomas@cl.cam.ac.uk>
Thu, 14 Dec 1995 18:16:06 +0000

> ... The False Alarm Rate (FAR) of a home security system is 98%. ...

This statistic may be somewhat misleading.

During some consulting work for the British insurance industry on electronic alarms I was told several of the modi operandi of British criminals.

A favourite trick is to cause false alarms specifically so that the police will record an alarm as unreliable. In other words they will set off your alarm, while carefully avoiding leaving any trace - they then go home. Later they might set off your alarm again - the police record this as a second false alarm when both were genuine. They repeat this until the police regard the alarm as faulty then the thieves can go in with impunity.

A variant on this, which insurers have noted on several occasions, is to attack the telephone exchange through which the alarm signals are routed. The reason for doing this is that so many alarms are recorded (because whoever is monitoring the alarms can no longer communicate with any of them) that police or security firms don't know which alarm to respond to.

Fortunately I have not (yet) heard of occasions where people cause medical alarms with the intention of preventing nursing staff from responding to a subsequent emergency.

Mark

John R. Sowden <amsentry@microweb.com>
Fri, 15 Dec 1995 12:34:35 -0800

A remark was made regarding the 98% false alarm factor from home security systems. This is the nationally recognized number which everyone hears.

We operate a Underwriters Laboratories Listed Central Station Alarm Company. Since we monitor and maintain (service) our systems, we are very aware of false alarms.

First, regarding the 98%:

The 98% figure is used by city police departments to show that officer response time is consumed by false alarms. We use a different statistic. We track a ratio between the number of alarms (total, in a municipality, etc.) and the number of actual dispatches. Our company statistic is about .6 per account per year. The 98% may still be valid, but the total number
of actual dispatches is low.

Most cities have alarm ordinances that inflict some penalty (money, etc.) for excessive false alarms. Although I disagree with most of these ordinances, since they are directed to raising revenue, not reducing false alarms, the net effect is the responding officer will not continually respond to a particular alarm very often because he/she knows that so it will be dealt with by the administration. Also, there are enough alarms that are valid intrusions, that the responding officers don't consider them just another false alarm. No one wants to meet an third time offender (in CA) when they are not prepared.

The answer to the false alarm issue for home security systems is for the monitoring station and the service station to be one and the same. Most alarm companies use a "remote monitoring company", sometimes in another state, with tens of thousands of accounts. This arrangement lowers the personal attention and lack of knowledge when "80 year old Mrs. Smith gets up in the night and opens the wrong door".

One last comment regarding microprocessor based controls vs. relay or transistor based controls. The newer controls allow for multiple zones, so the alarm company knows which area tripped. They also allow for programming the sensor loop response time (in milliseconds), so an old mechanical switch that moves a little when the door rattles, thereby causing a 40 ms. alarm signal, will not cause a police response.

I hope that I have cleared some possible concern regarding false alarms in home security systems.

John Sowden, President, American Sentry Systems, Inc.

"The Underground Guide to Computer Security" by Alexander

"Rob Slade" <roberts@mukluk.hq.decus.ca>
Thu, 14 Dec 1995 11:45:36 EST

BKUNCMSC.RVW 951129

"The Underground Guide to Computer Security", Michael Alexander, 1996, 0-201-48918-X, U$19.95/C$27.00
%A Michael Alexander
%C 1 Jacob Way, Reading, MA 01867-9984
%D 1996
%G 0-201-48918-X
%I Addison-Wesley Publishing Co.
%O U$19.95/C$27.00 416-447-5101 fax: 416-443-0948 markj@aw.com
%O bkexpress@aw.com 800-822-6339 617-944-3700 Fax: (617) 944-7273
%P 239
%T "The Underground Guide to Computer Security"

This book is intended to address the security needs of personal (or desktop) computers, and is one of the few that does. The content addresses those vulnerabilities which *do* plague workstations, and is generally free of "big iron" paranoia and concerns.

Alexander's style is a bit flippant, but not at the expense of the information being conveyed. The organization is a trifle odd. (The first half of the "Safe Desktops and Laptops" chapter deals exclusively with passwords, even though few standalone machines use them. Password generators and challenge/response systems, however, are covered in the chapter on networks.) Technical details and specific suggestions do have a number of errors, particularly when dealing with MS-DOS. For those in the know, the chapter on viruses has some oddities, but nothing that would be dangerous to the user.

Data security is a tedious and often confusing field. This book is only a start, but could be quite helpful to the non-specialist.

copyright IŠ Robert M. Slade, 1995 BKUNCMSC.RVW 951129
Vancouver Institute for Research into User Security Canada V7K 2G6
ROBERTS@decus.ca rslade@vanisl.decus.ca Rob.Slade@f733.n153.z1.fidonet.org

Please report problems with the web pages to the maintainer

Top