The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 01

Friday 5 April 1996

Contents

o Sixth Computers, Freedom and Privacy
Shabbir J. Safdar
o A Wiretap Incident in New Orleans
Shabbir J. Safdar
o Computer Error Costs MCI $Millions
Scott Lucero
o Teen Accused of Hacking
David M Kennedy
o Only Americans can contact the AT&T operator
Tom Gardner
o Re: Wrong approach to Java security
Frank Stuart
o Re: Risks of rewritable BIOSes
Jeremy J Epstein
o Re: "This is not a bug" messages: MacsBug
David A. Lyons
o Re: The Queen's Speech
Allan Engelhardt
o Re: Notes on e-mail: Use of diaeresis
Dan Hicks
Daan Sandee
o On the meaning of "email"
Clive Feather
o Browser return e-mail addresses
Walter Roberson
o Info on RISKS (comp.risks)

Sixth Computers, Freedom and Privacy

Shabbir J. Safdar <shabbir@vtw.org>
Thu, 04 Apr 1996 16:05:34 -0500
I attended last week's Sixth Computers, Freedom, and Privacy conference in
Cambridge MA, where policy-makers, technical experts, and activists came
together to hash out the intersection of the three elements of its title.
CFP is an unusual place; the closest thing our community can get to "neutral
ground" on many issues.  This is best expressed by the fact that in the
hallways of the hotel, it's not unusual to see those that supported and
those that fought the Communications Decency Act hob-nobbing it up, trading
friendly swipes about their take on the bill.

In addition, it's always an enjoyable thing to be able to meet an FBI agent
in a neutral setting and ask them questions about their perspective on
various issues.

CFP is still finding its way, though, as the issues it covers evolve in and
out of the mainstream.  A few years ago the issues were hackers and search
warrants for computers and bulletin boards.  Now that seems to have been
replaced by encryption policy, wiretaps and how much of the First Amendment
applies to the net.

CFP has survived well, and I continue to return every year I can.  I return
not only to see the issues from new perspectives, but also to obtain the
synergy that can only happen in a face-to-face encounter.

This isn't to say that CFP doesn't stumble occasionally.  There were a few
panels this year that fell into the CFP trap, where individuals came to
express none-too-fresh perspectives on problems that have been beaten like
the Lone Ranger's dead steed.  Encryption is typically the cause of these.

On the other hand, however, CFP was successful in what is the most
entertaining and enlightening approach to the encryption debate I've seen in
the last two years.  Centering around a mock law that required key escrow,
the CFP program committee set up a "moot court" of five Federal judges (real
ones, with black robes and everything) that heavily questioned attorneys
that presented cases for the government on one side, and plaintiffs
challenging the law on the other.

The live questioning, and the exercise of having to put one's arguments into
a legal framework was an experience that everyone enjoyed.  This was clearly
the most heavily attended panel of the conference.

The other interesting thing this year was the final panel of the conference,
a reflection on the entire conference done by four science fiction authors:
Bruce Sterling, Vernor Vinge, Pat Cadigan, and Tom Maddox.  This was
probably the most interesting way to reflect on the conference, and the
writers seemed to form a sort of "collective conscience" for the rest of us.

Bruce Sterling, in particular, provided a dystopian view with such a
forceful delivery that I, and many others, probably stumbled from the room
unable to decide if we were happy we knew where we were going, or if we
should run screaming in terror at society's impending train wreck.

It was somewhat appropriate that there was no time for questions after that
panel.  They would have simply detracted from the fact that the writers got
the "last word".

It's a great role though, to have those who dream for us, our science
fiction writers, act as our conscience.  I hope the program committee lets
them do it next year, and I look forward to meeting the next set of faces
that I'll have met on the net over the next year.

-Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW)
 http://www.vtw.org/ * Defending Your Rights In Cyberspace

   [Note: This was a very lively meeting.  I hope further reportage will
   appear in RISKS.  By the way, Shabbir, Matt Blaze, Bob Metcalfe and I were
   honored with this year's EFF Pioneer Awards.  Greatly appreciated! PGN]


A Wiretap Incident in New Orleans

Shabbir J. Safdar <shabbir@vtw.org>
Thu, 04 Apr 1996 16:05:34 -0500
[From VTW's BillWatch newsletter, an announcement-only list archived at
 http://www.vtw.org/billwatch/]

-Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW)
 http://www.vtw.org/ * Defending Your Rights In Cyberspace

A TRAGIC STORY ABOUT A WIRETAP by Shabbir J. Safdar, VTW Board (New York, NY)

This week most of VTW's staff attended the Computers, Freedom, and Privacy
conference in Cambridge Massachusetts.  I go to the conference every year to
recharge my batteries, put names to faces, and enjoy the synergy that can
only come with face-to-face dialogue.

This year the debate over encryption seemed focused on three panels, the
only novel one being a panel which was a "moot court".  Presided over by
five real Federal judges, attorneys for plaintiffs and the government argued
over the Constitutionality of a mock law that would require escrowing of
encryption keys.  Aside from this, the conference added no new material to
the encryption debate.

One valuable experience happened on the way home, however.  I picked up the
New York Times and came across a story in the New York Times Magazine about
a corrupt New Orleans police chief, and how he reacted to a woman who filed
a police brutality complaint against him.

The story goes this way: the FBI was wiretapping a number of New Orleans
police officers who were allegedly guarding a 286 pound shipment of cocaine.
During that time the FBI overheard a conversation between the police chief
and several other police officials that the FBI alleges was a murder plot.
The intended victim had previously filed a police brutality complaint
against the chief.

Although the FBI had the conversation in hand, they were unable to decode
the police chief's "street slang and police jargon" in time to prevent the
murder.  The woman who filed the complaint, a 32 year old mother of three,
was shot while standing in front of her house.

It's easy to be angry about this incident.  One could (and should) be angry
with the murderers and their conspirators.  However, out of this come two
important observations on the encryption policy debate.

One, while wiretaps have probably been effective in other cases, they were
not effective in this one.  While we can grant law enforcement the benefit
of the doubt in other cases, the existence of this one shows that a wiretap
is not the "silver bullet" of law enforcement that we have been led to
believe.

Another observation that can be made is that this parallels the key escrow
debate very closely.  No reasonable person is objecting to the FBI's right
to conduct a wiretap.  However what is being debated is the extent to which
individuals and law enforcement can go to accomplish their duties.  The
Clinton Administration is striving for a world where everyone is forced to
speak in a form of encryption that is easily decoded by law enforcement.
The public and industry are striving for a world where they continue to have
private conversations.

The situational parallel to this would be if the Administration had pushed a
law that requires everyone to speak on the telephone in plain English,
without slang and without any double meanings.  This is the equivalent of
key escrow.

However, would this have really saved the person so tragically killed above?
Unlikely.  Individuals involved in criminal conspiracies will continue to
use whatever means at their disposal to obscure their activities from the
police.  The corrupt police chief who allegedly ordered the murder would
have still used slang and code, regardless of any laws banning such use.  He
was allegedly conspiring to commit a murder, why should he care?

Such laws will, however, affect law-abiding citizens' attempts to gain
privacy.  Law-abiding citizens that may be speaking to their doctors,
attorneys, loved-ones, or business partners will continue to be targets of
industrial espionage, private investigators, and, in a few cases, trusted
individuals abusing that trust.

This example from the New York Times Magazine (3/31/96, p.32) shows that
while we can certainly give a little to law enforcement on their arguments
about the effectiveness of wiretaps, they need to give a little in the other
direction on the practicality of forcing people to speak in a
law-enforcement-understandable code.  Obviously, criminals don't care about
such rules.  Since that is the case, is it really worth handicapping all
technology, and exposing individuals to privacy intrusions when such
measures won't even be effective at attaining their stated goals?


Computer Error Costs MCI $Millions

"lucero" <lucero@optec.army.mil>
Wed, 03 Apr 96 15:15:29 EST
In the *Washington Post* 29 March 1996, MCI reported that they will refund
approximately $40 million due to a computer error.  A billing error was
uncovered by an investigative reporter from local television station, WRIC
in Richmond, VA.  The reporters found that they were charged for 4 minutes
after making a 2.5 minute call, leading to an in-depth investigation.

Scott Lucero


Teen Accused of Hacking

David M Kennedy <David_M_Kennedy@smtp.ord.usace.army.mil>
Thu, 04 Apr 1996 16:28:49 -0500
Courtesy of the Associated Press via CompuServe's Executive News Service:
AP 2 Apr 96 20:21 EST V0491

  <> ST. LOUIS (AP) -- A St. Louis teen-ager arrested last week near
Philadelphia on computer fraud charges is more than just a kid with a hobby
-- and far more dangerous, federal authorities say.  Christopher Schanot,
19, of High Ridge, Mo., is a computer genius who "hacked" his way into the
computers of some of the nation's largest computers, causing security
breaches that forced at least one company to spend thousands of dollars
fixing.<<

o Authorities claim he's a member of the Internet Liberation Front (ILF).

o He claims to be able to take control of any computer he chooses to.

o He was taken to St. Louis Tuesday with an arraignment and bond hearing set
  for Thursday.

o His father was quoted: "If a parent can't monitor the child or if the
  parent doesn't understand how the Internet works, the computer's modem
  should be unplugged."  The younger Schanot received his first computer at
  the age of 4 years.  His father was quoted as instructing him to use only
  public access computer systems and, "He was an honor student, really he
  was all you could want in a child. It was such a shock to us when he
  disappeared."

o He was an honors student at Vianney High School in suburban St. Louis.
  Shortly after graduation last summer he went to Philadelphia to "lay low."

o His father became concerned about him and contacted the authorities and
  turned over his PC to them.

  <>In the computer, authorities found a message headed "Greetings from the
Internet Liberation Front." The message was saved to his computer on
Thanksgiving Day 1994, the day of a computerized "break-in" at NBC.  The
message said the group "has now declared war on any company suspected of
contributing to the final demise of the Internet."  "Big boys" in the
telecommunication industry have turned the Internet "into another
overflowing cesspool of greed," the message added.  "We are capable of
penetrating virtually any network linked to the Internet -- ANY network,"
the message said. <<

[DMK: Gee, that was in RISKS and any number of net-news reports back in 94.
The only reason it's not on _my_ PC is I purged it to save disk space.  Does
that qualify me as a "purged" ILF member?]

o His PC also had hundreds of passwords to corporate computer systems,
  including defense contractors and the computers of credit reporting
  agencies.  The PC also had AT&T calling card numbers, and credit card
  numbers in it.

o He was indicted on five counts (unspecified...18 USC 1029/1030?) last
  month.  Max slammer time = 30 years + US$1.25E06 in fines.

o Victims:  Southwestern Bell Telephone, BELLCORE, Sprint, and SRI.

o Time frame: Oct 24, 1994 to Apr 23, 1995

MAJ Dave Kennedy [CISSP]


Only Americans can contact the AT&T operator

Tom Gardner <tgg@hplb.hpl.hp.com>
Tue, 02 Apr 1996 16:05:53 -0800
  Tom Gardner                 Hewlett Packard Laboratories, Filton Rd,
  tgg@hpl.hp.com              Stoke Gifford, Bristol, Avon, BS12 6QZ, ENGLAND.
  Fax: +44 117 9228920        Tel: +44 117 9799910 ext. 28192

Subject: I Cannot Call The AT&T Operator

While in the US, I recently wanted to find out a number in England, and
since I don't know the local directory enquiries number, I called the AT&T
operator. After dialling "00" the "conversation" between me and the abuser
interface (ABI) was:

ABI: "AT&T. To place a call, please dial the number now, or say
     'operator' to be connected to an operator".
Me:  "Operator"
ABI: "Sorry, your response was not understood. To place a call, please
     dial the number now, or say 'operator' to be connected to the
     operator".
Me:  "Operator"
ABI: "Sorry, your response was not understood..."

Thus the abuser interface would only allow me to do the single thing
that I didn't know how to do. After a few more abortive attempts I found
that the necessary incantation involved pinching my nose and saying
"er-per-eight-er".

The risk? That people with speech impediments, and ethnic minorities who
do not speak with a "standard" US accent (i.e., the majority of the
human race!) cannot be connected with an operator, and are thus unable
to place telephone calls. The abuser interface would have been perfectly
acceptable if there had been an additional escape clause such as
"...or wait for 30 seconds to be connected to an operator".

On a separate but related issue, can anyone tell me whether the codecs
in "digital" cellular phones are usable with non-Indo-European languages
such as:
   - languages where the pitch is extremely important but the
     "consonants" are relatively unimportant, e.g. (I believe) Mandarin
     Chinese
   - the African "click" languages

   [Tom, ``Standard US?'' Many North "Americans" have troubles.  Regional
   dialects here are pretty severe.  But certainly Cockney, Australian
*  ('Strine), and other variants of English are unlikely to be decoded.
   I suppose we all need the language training that actors get.  I am always
   astounded when I hear a Brit or Aussie actor known for wonderful BEnglish
   or AusEnglish dialect speaking perfect AEnglish.  Just a thought.  PGN]
     [* Slight spelling correction in archive copy to ward off pe-roo-sers.]


Re: Wrong approach to Java security (Palme, RISKS-17.95)

Frank Stuart <fstuart@vetmed.auburn.edu>
Mon, 1 Apr 1996 19:57:37 -0600 (CST)
In RISKS-17.95, Jacob Palme suggests that the reputation of "well-kept
depositories" and PICS-like ratings can be used to guard against malicious
Java code.  A more useful idea along the same lines is to allow for code to
carry a digital signature.  A user could then configure his browser to
reject code with unknown or incorrect signatures.  A more daring user might
simply want a warning.  Confidence could be placed in code obtained from
anywhere, even a malicious host, as long as the signature is valid and you
trust the entity signing it.

Digital signatures are not a panacea, however.  There are real problems with
key distribution and even the smallest change in the code would require it
to be re-signed.  Further, although digital signatures offer protection from
malicious code, there is still the possibility of bugs with security
implications or other harmful effects.

Frank Stuart

  [That is actually similar to the Microsoft CAPI (Cryptographic Application
  Programming Interface) concept extended to browsers.  Not a bad idea.
    Note: concerning hyphenating vs. hyphen-hating, notice the distinction
    between re-signed and resigned.  I won't resign from my crusade.  PGN]
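
The browser-side check discussed in this message, as an added example that
is not part of the original posting.  It uses a Lamport one-time hash-based
signature as a stand-in for whatever scheme a browser would adopt, because
it needs only the Python standard library; the signer names, the applet
bytes and the function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

N = 256  # one pair of secrets per bit of a SHA-256 digest


def _h(data):
    return hashlib.sha256(data).digest()


def _digest_bits(code):
    d = _h(code)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def keygen():
    """Return (private, public).  A Lamport key pair may sign ONE message
    only, so every release needs a fresh key that users must obtain:
    the key-distribution problem in its sharpest form."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(N)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public


def sign(private, code):
    # For each digest bit, reveal the secret matching that bit's value.
    return [private[i][bit] for i, bit in enumerate(_digest_bits(code))]


def verify(public, code, signature):
    if len(signature) != N:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(code)):
        ok &= hmac.compare_digest(_h(signature[i]), public[i][bit])
    return ok


def admit(code, signer, signature, trusted_keys, policy="reject"):
    """Decide 'run', 'warn' or 'reject' for downloaded code.

    The host the code was fetched from is deliberately not an input:
    only the signer's key and the bytes themselves matter.
    """
    public = trusted_keys.get(signer)
    if public is not None and verify(public, code, signature):
        return "run"
    # Unknown signer or incorrect signature.
    return "warn" if policy == "warn" else "reject"


def demo():
    private, public = keygen()
    trusted = {"Acme Applets": public}           # constructed trust store
    applet = b"class Clock { void tick() {} }"   # constructed applet bytes
    sig = sign(private, applet)
    return {
        "valid": admit(applet, "Acme Applets", sig, trusted),
        # One added byte: the old signature no longer verifies.
        "tampered": admit(applet + b" ", "Acme Applets", sig, trusted),
        "unknown": admit(applet, "Nobody Inc", sig, trusted),
        "unknown_warn": admit(applet, "Nobody Inc", sig, trusted,
                              policy="warn"),
    }


if __name__ == "__main__":
    print(demo())
```

A valid signature says who vouched for the bytes, not that the bytes are
free of bugs, which is the limit the message itself points out.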


Risks of rewritable BIOSes (Valverde, RISKS-17.96)

JEREMY J EPSTEIN <JEPSTEIN@mail.cordant.com>
Tue, 02 Apr 1996 15:31:18 -0500
In RISKS-17.96, J.R. Valverde talked about the risks of having BIOS stored
in flash RAM (because it's rewritable, I hesitate to call it ROM).  A
similar point was raised by Martin Portman in RISKS-17.58, with related
information by Sean Reifschneider in RISKS-17.61.  All of these are quite
accurate as to the problem.  The purpose of this posting is to let people
know what's happening to fix the problem.

As part of a project I'm working on, I've been working with some of the
large PC vendors.  What I've found is that virtually all Pentium based PCs
on the market today have the flaw described.  This sort of problem was
almost unknown in the 286/386/486 generations of PCs, which used real ROM
for storing the BIOS.

Some of the hardware manufacturers understand the risk here, and have
started to address it.  One solution adopted by some vendors is to build a
one-way switch in hardware.  Once the switch is "thrown" (by sending
commands to a device on the board), the write signal to the flash ROM
holding the BIOS is disabled until the next power cycle.  Some vendors have
put code in their BIOS to automatically throw the switch before they boot
from the floppy or hard drive.  This prevents any sort of malicious software
from modifying the BIOS.  To allow BIOS updates to occur, the BIOS looks for
a "signature" on the floppy before throwing the switch, and if the signature
is found it doesn't throw the switch.  (The ease of spoofing the signature
is another topic.)

Other vendors have implemented a BIOS modification password, which must
be written to a particular address before the write signal to the
flash is unlocked.  Unfortunately, such a password is usually subject
to a dictionary attack by the malicious software, which would be invisible
to the user.

The good news is that because each vendor has solved the problem
differently, it would be difficult for a virus writer to disable arbitrary
PCs (although they might be able to disable all PCs from a given vendor).
That is, diversity results in resistance to plague.

The bad news is that even for those vendors who are doing a good job
addressing this problem, they can't retrofit machines already in the field,
since it requires a hardware change that isn't economical.  Further, because
there's no way to tell by physical inspection whether a given machine has a
rewritable BIOS, users can't determine whether they're at risk.  Vendors are
reluctant to disclose how they've solved this problem (if at all), which
makes it impossible for users to tell if they're at risk.

Of course the whole problem occurs only because most PCs don't run modern
operating systems that would prevent a virus from directly accessing the
hardware.  For example, a PC running UNIX, OS/2, or NT is immune to these
sorts of viruses except at boot time (which can be addressed using careful
procedures).


Re: "This is not a bug" messages: MacsBug (Rafn, RISKS-17.92)

David A. Lyons <dlyons@netcom.com>
Thu, 21 Mar 1996 01:46:45 -0800
Mark Rafn's message in RISKS-17.92 reminded me of a change I made to the
low-level debugger MacsBug, during development of Macintosh System 7.5.

If the user holds down the Control key during startup, the debugger
intentionally seizes control and says "User break at <useless address>."
Users who aren't expecting this write up bug reports that say "The
system crashes when I hold down the control key during startup."

After the third or so of these reports, I was tired of saying "it's a
feature" and decided to make the situation clearer to the users.  Now
the message reads:

  Welcome to MacsBug (Thank you for holding down the Control key)

The bug reports stopped.  Perhaps this message shows an appropriate degree
of respect for the user (some alternate versions I considered showed less).


Re: The Queen's Speech

Allan Engelhardt <allane@parallax.co.uk>
Tue, 2 Apr 1996 12:03:06 +0100
The Electronic Telegraph (http://www.telegraph.co.uk/) reported that
the sentence mentioning the Polish Jews was in the electronic version
of the Queen's speech and in the printed copy that was used for proof
reading.

However, the version the Queen was reading from when she gave her
speech was printed in a bigger font and the sentence "fell off the
bottom of the page".

The RISKs are obvious.

    --- Allan.

   [Also noted by "timothy (t.j.) hewson" <hewsot@bnr.ca>.
   But Europeans already use longer paper, so one (silly) approach might
   be to proof-read in the U.S. and print the final copy in England?
   Oh, yes, lawyers like long paper too, but let's keep them out of it,
   or the Queen couldn't afford it.  PGN]


Re: Notes on e-mail: Use of diaeresis

Dan Hicks <danhicks@millcomm.com>
Tue, 02 Apr 1996 00:43:10 -0600
This article brings to mind the birth of the daughter of a teammate of mine.
Seems the chosen name of the child was Zoe (with diaeresis over the "e").
So my teammate sent around a note announcing this name.  However, shortly
after the note went out, people started asking him why in the world he'd
named the kid "ZoK".

Turns out that e-diaeresis is mapped as ctrl-K (or is it alt-K?) on our
system.  When the message was sent to other systems, however, the mail
software converted text that looked something like "Zo^K" to read simply as
"ZoK".

So another risk of computers is one of losing your identity -- on the day
you're born.

Dan Hicks  http://www.millcomm.com/~danhicks


Re: Notes on e-mail: Use diaeresis (Callas, RISKS-17.96)

Daan Sandee <sandee@Think.COM>
2 Apr 1996 16:20:16 GMT
The deficiency of this proposal is demonstrated by the fact that it arrives
on my screen as "co=F6perate", "na=EFf", and "Bront=EB.".  My system is set
up to properly handle ISO 8859-1, which is the only reasonable extended
character set standard for use on the Internet.  It was already mangled in
the RISKS posting (I checked), and as far as I can guess it was presumably
mangled before it left Jon's machine.  I wish people wouldn't assume that
the way their machine handles non-ASCII characters is the same as everyone
else's.

Usenet (at least NNTP) is generally 8-bit transparent, and any European
soc.culture group will tell you that ISO 8859-1 usually works, though
some people's newsreaders may have to be told about it.  This post of
mine, however, goes out by e-mail (SMTP) and upper bits will be stripped,
so I can't demonstrate its use.

|>   [Not a bad idea for folks who can deal with diaeresis, but
|>   there are still lots of problems that does not handle.  PGN]

Well, I can handle diaereses all right, as long as they arrive in a form
recognizable by my software.

Daan Sandee                                           sandee@think.com
Burlington, MA

   [Also commented on by Malcolm Vincent <m.vincent@qub.ac.uk>.  PGN]
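
The strings quoted in this message have the shape of MIME quoted-printable
escapes of ISO 8859-1 octets.  The following added example (not part of the
original posting; the function names are hypothetical) decodes them with
Python's standard quopri module and models the bit-stripping SMTP hop the
message mentions, with and without quoted-printable protection.

```python
import quopri
import re

# The three strings exactly as quoted in the message.
AS_DISPLAYED = ["co=F6perate", "na=EFf", "Bront=EB."]

QP_ESCAPE = re.compile(r"=[0-9A-F]{2}")


def looks_undecoded(text):
    """True if the text still carries raw quoted-printable =XX escapes."""
    return bool(QP_ESCAPE.search(text))


def decode_qp(text, charset="iso-8859-1"):
    """Undo quoted-printable, then read the octets in the given charset."""
    return quopri.decodestring(text.encode("ascii")).decode(charset)


def encode_qp(text, charset="iso-8859-1"):
    """Encode so that every octet on the wire is 7-bit ASCII."""
    return quopri.encodestring(text.encode(charset)).decode("ascii")


def seven_bit_hop(wire):
    """Model a mail relay that clears the top bit of every octet."""
    return bytes(b & 0x7F for b in wire)


def deliver(text, use_qp):
    """Send text across a 7-bit hop; return what the recipient reads."""
    if use_qp:
        wire = encode_qp(text).encode("ascii")
        return decode_qp(seven_bit_hop(wire).decode("ascii"))
    wire = text.encode("iso-8859-1")      # raw 8-bit octets, unprotected
    return seven_bit_hop(wire).decode("ascii")


if __name__ == "__main__":
    for shown in AS_DISPLAYED:
        word = decode_qp(shown)
        print(shown, "->", word,
              "| raw over 7-bit hop:", deliver(word, use_qp=False),
              "| QP over 7-bit hop:", deliver(word, use_qp=True))
```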


On the meaning of "email"

Clive Feather <cdwf@cityscape.co.uk>
Tue, 2 Apr 1996 12:14:04 +0100 (BST)
... the Oxford English Dictionary has a citation from 1480:
    emailed: arranged in net or open work

Presumably we can back-form "email" from this.

Clive D.W. Feather, Managing Director, CityScape Internet Services
cdwf@cityscape.co.uk    +44 1223 566950    Fax: +44 1223 566951

 [Mark Brader notes that this is in the Jargon File / New Hacker's
 Dictionary, edited by Eric Raymond.  From version 3.3.3 of the Jargon File:
   ``Oddly enough, the word `emailed' is actually listed in the OED;
   it means "embossed (with a raised pattern) or perh. arranged in a
   net or open work".  A use from 1480 is given. The word is probably
   derived from French `'emaill'e' (enameled) and related to Old
   French `emmaille"ure' (network).  A French correspondent tells
   us that in modern French, `email' is a hard enamel obtained by
   heating special paints in a furnace; an `emailleur' (no final e) is
   a craftsman who makes email (he generally paints some objects
   (like, say, jewelry) and cooks them in a furnace).''

     Thanks.  That only strengthens my argument for e-mail or E-mail!  PGN]


Browser return e-mail addresses

Walter Roberson <roberson@hamer.ibd.nrc.ca>
Sat, 16 Mar 1996 16:19:13 -0600
I recently received an e-mail reply that addressed someone else by name
about a topic I've never dealt with. My system logs did indicate that I'd
e-mailed the person earlier in the day, so I figured that I had replied to a
posting of theirs and forwarded a copy to them, and that they had replied to
the wrong message. I was, though, unable to find any previous postings by
that author, and so concluded that it had simply been so recent that the
search engines had not catalogued it yet.

After a day or so I finally realized what had happened. I had, a few weeks
prior, visited another site and had needed to send e-mail out from a WWW
browser on the lab computer I was using. I had configured my e-mail address
as the return address, and had given my server's address as the SMTP
gateway. I did not remember to de-configure them when I left, so the next
time someone sent e-mail from that system's browser it not only claimed to
be me but also showed up in my server's logs.

So if you are using a lab computer, be sure to check the reply address
before starting to send mail. If you are replying to someone who might
have been using a lab computer, make sure the reply address matches
your expectations.

  Walter Roberson                         roberson@ibd.nrc.ca
