The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 4 Issue 90

Monday, 25 May 1987


o Laser guided missiles... (Herb Lin)
o Computer use costs civil servants $1,270 (Matthew Kruk)
o Liability in Expert Systems (David Chase)
o Electronic Communications Privacy Act (Dave Curry)
o ATM security (Kenton Abbott Hoover via Martin Minow)
o Communications Technology Aids Criminals (Larry Lippman)
o Info on RISKS (comp.risks)

Laser guided missiles...

Mon, 25 May 1987 13:54 EDT
  From: Peter G. Neumann <Neumann at CSL.SRI.COM>
  ...  He claimed that the Iranians electronically countermanded the missiles
  (an Exocet [which did not explode] and the other still unidentified missile,
  possibly an AS-30 laser-guided missile) AWAY FROM one of their tankers.

Other messages have also referred to laser-guided missiles.  [They] require
a laser to designate the target, which the missile then homes in on, by
seeking the reflected laser light.  That means that there must be a laser
actively illuminating the target at all times while the missile is seeking.

If the airplane carrying the missile goes away or drops out of line of
sight, it can't illuminate the target.

  [This discussion at the moment is labelled SPECULATION with respect to the
  Stark investigation in progress.  But one question is, how easily can a 
  missile such as the laser-guided AS-30 be faked out?  What happens under 
  cloud cover?  Does the missile go inertial for a while if it loses the 
  target, in hopes of reacquiring the target?  Can it get confused by decoys,
  light chaff, fireworks, or whatever?  Is the Iranian countermeasure claim
  plausible?  Remember, there were two missiles (the exploded one suspected
  NOT to be an Exocet?), and if one was electronic and the other laser guided,
  the countermeasure theory seems less likely.  Although I presume analogous
  arguments hold for electronic countermeasures on electronically guided
  missiles, the mechanisms might be different...  In any case, the risks of
  hitting something other than the desired target seem to be nontrivial. PGN]


The AS-30 is indeed a laser guided missile, but it too requires an
independent laser designator.  If no Iranian airplane or boat was in sight
of the ship, no target designation would take place.  You must have a line
of sight to the target.              [Rafsanjani reportedly said that there 
                                     had been an Iranian tanker in range.  PGN]

The AS-30 is described as having two guidance components — inertial
reference for the initial phase, and laser homing for the terminal
phase.  If anything intervenes between the laser beam and the target,
most likely the missile will lock its home-on track, and be lost.

Computer use costs civil servants $1,270 [Canadian Press]

Mon, 25 May 87 09:20:40 PDT
OTTAWA - Two federal public servants who used a government computer for
their own purposes have been ordered to pay the government $1,270 for misuse
of high technology.  The environment department billed Michel Grenier and
Gaston Boisvert, two Montreal-based computer systems workers, for tying up a
government computer for almost an hour in August 1986.  Grenier, with the
permission of his supervisor Boisvert, used the computer for 57 minutes to
develop a personal program.

Liability in Expert Systems

David Chase
Sun, 24 May 87 21:38:55 CDT
Perhaps this is an old problem; it occurred to me a couple of days ago.
It seems that there is more and more litigation initiated by people who
feel that they have been wronged by someone else's malice, negligence, or
deep pockets (ahem).  Someone out there already sued Lotus, right?

What happens when an "expert system" is involved?  Who gets the blame?
The programmer, who designed the system, or the expert(s) who supposedly
provided the rules that direct the system?  Can you imagine the stream of
expert witnesses giving their debugging of the problem?  Of course, if the
debugger was faulty....

Another source of fault might be the non-maintenance of an expert system.
For example, a new edition of the Physician's Desk Reference is published
every year.  The new information should be added to the expert system, or
else it will get out of date (and lack information on new drugs and newly
discovered side-effects and interactions).  If the expert system was
designed in such a way that maintenance was difficult, then the designer
might share some blame, too.

Just thought I'd ask.  It sounds like a great opportunity for finger-pointing.
         [We've been around this one several times before, although not
         specifically in the context of "expert systems".  The juries are
         not in yet.  Are there any new contributions in the wings?  PGN]

Electronic Communications Privacy Act

Dave Curry
Sun, 24 May 87 19:24:25 EST
When I got the MIT notice from the SECURITY list, I did a little digging
in the law books (Purdue's library is a Federal Depository).

I pulled out a copy of the Act (Public Law 99-508, H.R. 4952) and a copy
of Title 18 of the United States Code, which it amends.  From this
(after a couple of hours of "strike words a through f, insert words g
through m" — I'd hate to be a law clerk), I extracted most of the
"interesting" parts of the law.

These parts pertain to administrators and users of electronic
communications services (if your machine has electronic mail or bboards,
it fits into this category).  The parts I specifically went for were
what we can and cannot do, what the punishment is if we do it, and what
our means of recourse are if it's done to us.  I left out all the stuff
about government agents being able to requisition things and stuff,
and all the stuff pertaining to radio and satellite communications.

So anyway, I typed all this stuff in to give it to our staff so they'd be
aware of the new legislation.  Since there is probably interest in this, I
am making the document available for anonymous ftp from the host  Grab the file "pub/PrivacyAct.troff" if you have
troff (it looks better), or "pub/PrivacyAct.output" if you need a
pre-formatted copy.  Bear in mind I'm not a lawyer, and I just typed in the
parts of the law I deemed to be of interest to our staff.
                                                           --Dave Curry

ATM security (from Usenet)

Martin Minow <decvax!LOCAL!minow@decwrl.DEC.COM>
Sun, 24 May 87 19:20:09 edt
[Background: sci.crypt is intended to discuss cryptography issues.
 Recently, it has been discussing automatic teller machines, the
 security of personal id numbers, and how cards are invalidated after
 successive incorrect input of the user's "secret code."  This article
 branches out a bit, and might be of interest to Risks readers.

 Martin Minow   ]

Path: decvax!ucbvax!ucbcad!ames!lll-tis!ptsfa!lll-lcc!well!shibumi
From: shibumi@well.UUCP (Kenton Abbott Hoover)
Newsgroups: sci.crypt
Subject: Re: ATM security (was Re: DES info wanted)
Date: 23 May 87 21:26:55 GMT
Organization: Whole Earth 'Lectronic Link, Sausalito, CA

The determination on invalidation is done at the host.  If the programmer wants
to invalidate the card on three attempts, well, then the programmer has to
put a flag on the data record for the card.  An example: Bank Of America (who
I used to work 4) simply sends a report to the branch where your account is
and the branch personnel decide whether to flag your card, or just call you
and ask what the h**l is going on.

Trivia:  The Diebold and IBM ATMs (Diebolds have CRTs with 4 unmarked buttons,
IBMs say IBM on them, if not they have the cash sort of flop out of a slot and
have an open/closed sign on them) are ...wait for it... 3270 devices!  They
actually have PF keys and the whole nine yards built-in.

Usual chain of activity in an ATM:

1) The interaction with the user, screens, etc. is done by some sort of
controller, a Series/1-type (read: VERY STUPID) machine which controls 
a whole set of ATMs.  The controller normally resides at some central location
and communicates with the ATMs over leased lines.

2) When you do a transaction, the controller tries to queue up a set of
transactions from its other ATMs.  It will either succeed or timeout. In
either case, the transactions are communicated to a 37X5 and from there
to a mainframe which runs a batch job to do the transaction.

3) Most banks cannot update the account base in real-time, so the ATM
processor (the mainframe doing the batch run, not the ATM itself) works
from a database containing last night's data corrected with today's transactions.
The transaction you actually do is simply made a memo posting and is
entered into the actual accounts system as if it were a teller withdrawal/deposit
with a note saying it was from an ATM.

MORE TRIVIA: The PIN is not a timing issue (in most systems).  It's just that
the whole transaction is usually sent to the mainframe, and that is slow going.

EVEN MORE TRIVIA: Have you ever been cheated out of money by an ATM?  If you
were, it was most likely an IBM.  Go to your branch and report it, and they
(after you fill out the usual form) will credit your account.  Save the ATM
receipt, as they normally ask for it.  The IBM machines steal like thieves,
and normally (like in socks in dryers) the money has simply vanished.  Diebold
ATMs miscount once in a blue moon, AND if you do a transaction that asks for
more money than is in the ATM (they don't keep track in most cases), it will
give you what it has and debit your account for only that much.

STILL MORE TRIVIA: Don't deposit cash unless it is to a Diebold ATM.  Diebold
ATMs check the deposit envelope to see if there is anything in it.  IBMs don't.
The deposit box is opened by two branch officers, and they (normally) won't
swipe cash from a Diebold, since it would be hard to claim an empty envelope.
However, an IBM machine...

(someone should really write a book on this subject)
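
The host-side behaviour described in the post above (an invalidation flag on the card's data record, and authorization against last night's balance corrected by today's memo postings), as an added example that is not part of the original post or any bank's code. The three-attempt limit is the post's own hypothetical; the record layout, the PBKDF2 PIN verifier, the status strings and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_PIN_FAILURES = 3  # the "three attempts" policy from the post's example


def pin_verifier(pin: str, salt: bytes) -> bytes:
    # Assumption: the host stores a salted PBKDF2 verifier, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class CardRecord:
    salt: bytes
    verifier: bytes
    nightly_balance: int                 # cents, from last night's batch run
    memo_postings: list = field(default_factory=list)  # today's signed amounts
    failures: int = 0                    # successive bad PIN entries
    invalidated: bool = False            # the flag on the card's data record

    def available(self) -> int:
        # Last night's data corrected with today's transactions.
        return self.nightly_balance + sum(self.memo_postings)


def authorize_withdrawal(card: CardRecord, pin: str, amount: int) -> str:
    """Host-side decision for one withdrawal request; returns a status string."""
    if card.invalidated:
        return "CARD_INVALIDATED"        # checked before the PIN: no further guesses
    if not hmac.compare_digest(pin_verifier(pin, card.salt), card.verifier):
        card.failures += 1
        if card.failures >= MAX_PIN_FAILURES:
            card.invalidated = True      # stays set until branch staff clear it
            return "CARD_INVALIDATED"
        return "BAD_PIN"
    card.failures = 0                    # a good PIN resets the successive count
    if amount <= 0 or amount > card.available():
        return "DECLINED"
    card.memo_postings.append(-amount)   # memo posting; the real ledger updates tonight
    return "APPROVED"


def demo() -> list:
    salt = b"constructed-salt"           # constructed sample data
    card = CardRecord(salt, pin_verifier("4821", salt), nightly_balance=10_000)
    steps = [("4821", 6_000), ("4821", 6_000),   # second request exceeds memo balance
             ("0000", 100), ("1111", 100), ("2222", 100),  # three bad PINs in a row
             ("4821", 100)]                      # correct PIN, but the card is flagged
    return [authorize_withdrawal(card, p, a) for p, a in steps]


if __name__ == "__main__":
    print(demo())
```

Because the counter and flag live on the host record rather than in the ATM or its controller, the limit holds no matter which machine the card is tried at.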

Communications Technology Aids Criminals

Fri, 22 May 87 23:40:12 EDT
I have submitted the following to comp.dcom.telecom, but thought it may also be
of interest to RISKS as indicating how advances in communication technology 
pose a risk to society by facilitating the conduct of criminal activity.

  > In a recent article dmt@ptsfa.UUCP (Dave Turner) writes:
  > The following is from an editorial by Wayne Green in the June, 1987 issue
  > of 73 Amateur Radio magazine:
  > The recent legislation making cellular phone calls illegal to listen in on
  > has provided a bonanza for both organized and disorganized crime. It's
  > difficult not to laugh over the situation the cellular industry has gotten
  > itself into in its blind pursuit of the fast buck.
  > What's happened is a mass move into cellular by criminals. They buy a
  > cellular system, have an unscrupulous dealer alter the electronic serial
  > number (ESN) on the built-in programmable IC, which makes calls both
  > untraceable and free--a great combo. They tool around town, making calls
  > to Pakistan, Colombia, and their Caribbean drug warehouses at will.

    I have a few comments to make on this and some related topics which
may be of interest to Net readers.  My comments are based upon personal
knowledge and experience as one who has provided some forensic science
consulting services to certain law enforcement agencies for a number of years. 

    It's sort of interesting to note that it was even easier to implement
spoofing fraud in dial IMTS mobile telephone installations, but such fraud
has been virtually unheard of.  The reasons for this are: much fewer IMTS
channels and much fewer IMTS customers than cellular make such fraud extremely
conspicuous; most IMTS installations are combined with MTS installations and
have a high probability of telephone company (or RCC) operator monitoring.
    My personal opinion is that cellular fraud has been encouraged due to
"safety in numbers". :-)

  > Cellular has turned out to be great for coordinating every kind of criminal
  > activity. It's just what criminals have been needing for years-- a
  > dependable, free, untraceable, and safe communications system. With a
  > combination of pagers and cellular phones, crooks are making a shambles
  > of the cellular system--all protected by Congress.
  > If you wanted to deal in drugs, how better to get orders from your
  > customers than by giving them your cellular phone number? There's no way
  > to tap a telephone that can be anywhere in a big city, operating through
  > different cells as it moves around. And with an altered ESN it's all free!

    Progress in telecommunications has unquestionably been of benefit to
criminal activity.
    Probably the single greatest benefit has been the introduction of call
forwarding.  This service has been of such great benefit to the conduct of
unlawful gambling, narcotics and prostitution operations that for many years
I have jokingly referred to it as: "1A Criminal Facilitation Service"; AT&T
and BOC people may appreciate the satire in this remark.
    As an example, an unlawful gambling operation could change location
every day or so, with the telephone number for bettors being the same.  This
situation also neatly defeats any court-authorized eavesdropping warrant since
there would never be conversations on the telephone pair that was the subject
of such a wiretap; a forwarded call never takes place on the physical line
whose number was dialed.  In earlier No. 1 and No. 1A ESS installations there
was no rapid method to determine to what number a given line had its calls
forwarded; such determination could only be made by an experienced switchman
using the ESS maintenance tty.  This rather frustrated law enforcement
agencies in their investigation of unlawful gambling and narcotics activity.
Furthermore, I know of some instances where telephone company personnel flatly
denied to law enforcement investigators that they could determine the
forwarded telephone number; this was, of course, a false statement, but was
made in a misguided effort to keep the telephone company "uninvolved".
    As an interesting aside, prior to the advent of ESS and call
forwarding, some larger unlawful gambling operations used an electronic device
called a "cheese box" that effected a rudimentary kind of call forwarding in a
manner similar to a loop-around test line.  Two telephone lines would be
ordered for say, an unoccupied office or apartment, and each line would
connect to the "cheese box".  The actual location of the gambling operation
would call the first line, and remain on the line and wait for calls; the
"customers" would call the second line, with the result that it would
auto-answer and be connected to the first line.
    Telephone company loop-around test lines were used for the conduct of
unlawful narcotics dealing during the 1970's, but this practice has generally
disappeared as telephone companies: (1) installed 60A control units or
equivalent devices that dropped loop-around connections upon the detection
of speech energy (legitimate use of loop-around test lines is for single
frequency transmission measurements only); and (2) went ESS and therefore had
"call trace" capability that would automatically determine the origin of
calls to loop-around and other test lines.
    After call forwarding, the next most useful communications adjunct to
criminal activity is the voice radio pager.  It is an unfortunate fact of life
that no self-respecting prostitute or "street dealer" of narcotics would be
caught without their voice pager.  Voice pagers represent an ideal, inexpensive
method of arranging clandestine meetings.  A typical voice pager scenario:
customer calls narcotics dealer's pager from a coin telephone, giving coin
telephone number; narcotics dealer finds coin telephone to call coin telephone
where customer is waiting to arrange for a meeting.  What could be simpler
and more untraceable?
    In my travels, I have known of only two instances where criminals used
any speech privacy devices (speech scramblers) to defeat eavesdropping (lawful
or otherwise); however, I suspect that a new generation of low-cost digital
speech privacy devices will result in more of these devices being used by
criminals.  The units that I have seen used were all based upon analog
"speech inversion" techniques; these devices are easy to defeat, whereas the
digital devices are virtually impossible to compromise by other than NSA.
    One of the most novel (at the time) applications of communications
technology by criminals that I have personally seen was the use of
telecopiers by a large unlawful gambling operation about 11 years ago.
While the law enforcement agencies involved had obtained eavesdropping
warrants to install wiretaps on some of the telephone lines involved, they
were totally baffled by the strange sounds heard during some intercepted
calls.  I was called in to solve the mystery, and some listening told me
that this was an FSK facsimile machine running in 6-minute mode.  So we
borrowed a telecopier to decode the tapes; this was not as easy as first
anticipated.  I finally had to modify the telecopier to start in receive
mode without receiving a ringing signal (which was not possible from an
after-the-fact tape recording).  We got some pretty damning evidence, much
to the consternation of the criminals (who suspected a wiretap, but felt
that the facsimile machine was "secure").  While telecopiers are rather
common today, such was not the case 11 years ago.  I suspect that as
telecopiers decrease in price, they too will be more commonly used by
criminals.  While Group I and Group II facsimile machines are fairly easy
to monitor, the more common Group III (sub-minute) machines are much more
complex since they are digital and require faking a handshake protocol by
any receiving machine used as a monitor.

  > If it weren't against the law to listen to cellular channels, I'd suggest we
  > hams help the law by listening for suspicious cellular calls and recording
  > them. Say, how'd you like to get the goods on some serious crooks and find
  > (a) the evidence is inadmissible because it was illegally attained and (b)
  > yourself on trial for making the recordings. So join me in a big laugh, okay?

    I know of law enforcement agencies that have in the past used scanners
to listen to paging service channels and IMTS mobile telephone channels, and
have obtained useful intelligence information.  None of the information so
derived was used in court per se, but it may have contributed to the "probable
cause" for looking in a certain _public_ place at a certain time.  When any
investigator was pressed in court for the "basis of probable cause", the
information was attributed to an "anonymous informant" - a VERY common source
of law enforcement information.  Under the circumstances, I see nothing wrong
with this - but I am certain that a number of people will disagree with me.
    For example, an experienced investigator can readily detect a drug
deal going on via certain types of pager messages.  Now, if a police cruiser
just happened to be going by the aforesaid location, and decided it was time
for a routine traffic check... :-)  

    [Flames about prosecuting people for alleged "victimless" crimes such
as gambling, narcotics and prostitution should be directed to /dev/null]

<>  Larry Lippman @ Recognition Research Corp., Clarence, New York
<>  UUCP:  {allegra|ames|boulder|decvax|rocksanne|watmath}!sunybcs!kitty!larry
<>  VOICE: 716/688-1231        {hplabs|ihnp4|mtune|seismo|utzoo}!/
