Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 5: Issue 44
Thursday, 15 October 1987
Contents
Costly computer risks- Gary A. Kremen
Re: News Media about hackers and other comments- Amos Shapir
Mailing Lists- Lindsay F. Marshall
Discrimination considered pejorative- Geraint Jones
Re: Anonymity and high-tech- Brint Cooper
Pacemakers- Hal Schloss
News Media about hackers and other comments- Bob English
Password bug - It's everywhere.- Mike Russell
Re: YAPB (yet another password bug)- Brint Cooper
Civil Disobedience- Scott Dorsey
Bill Fisher
Eugene Miya
Phalanx Revisited (Risks to Carrier Aircraft)- Marco Barbarisi
SSNs- Bill Gunshannon
Info on RISKS (comp.risks)
Costly computer risks
Gary A. Kremen <89.KREMEN@GSB-HOW.Stanford.EDU>
Tue 13 Oct 87 17:28:10-PDT
From The Wall Street Journal of October 13, 1987 page 47: "But the DOT [Direct Order Transfer - a computer system that makes large-scale stock trading faster and more efficient] system isn't foolproof, either. Mr. Nelson [whom the article is about] said he heard a story about a man who pushed his DOT button intending to buy one $25 million package of securities. When he didn't get a confirmation of his order, he hit the button again, and then again and again. A few minutes later, he received four confirmations showing that he had just bought $100 million of stock." The article itself is very interesting for those who are looking for another view on a topic that has been discussed in RISKS for some time - computer assisted stock trading and "program trading."
Re: News Media about hackers and other comments
Amos Shapir <nsc!taux01!taux01.UUCP!amos@Sun.COM>
14 Oct 87 14:22:44 GMT
Jack Holleran <Holleran@DOCKMASTER.ARPA> writes:
> An Annapolis [MD] man pleaded guilty yesterday to stealing long-distance
>telephone service using his home computer, which a judge ordered destroyed.
^^^^^^^^^^^^^^^^^^^^^^^^^
Talk about computer phobia! This must be the silliest court decision
since a boat was put to the gallows in the 17th century!
Amos Shapir, National Semiconductor (Israel)
6 Maskit st. P.O.B. 3007, Herzlia 46104, Israel Tel. +972 52 522261
amos%taux01@nsc.com (used to be amos%nsta@nsc.com) 34 48 E / 32 10 N
Mailing Lists
"Lindsay F. Marshall" <lindsay%kelpie.newcastle.ac.uk@NSS.Cs.Ucl.AC.UK>
Thu, 15 Oct 87 10:28:59 BST
Only 17 categories of people!! That's not very sophisticated - Britain is
broken down into 45 distinct groups by one of the companies who sell mailing
lists. They have a very neat acronym for this system which eludes me at the
moment. They have also introduced a new system called "Monica" which
classifies people by their first names (Monica is a slang pun - I don't know
if it is meaningful in the US). The idea is actually very obvious - certain
first names are popular at certain times and don't get recycled at regular
intervals so having a first name like "Florence" tends to indicate that you
are older, whereas "Darren" is a younger person's name. I don't know how this
would apply in the US, but the short extracts I have seen are strikingly
accurate when compared with people I know. It does fall down on names like
"John" and "David" which are perennial favourites, and also on very unusual
names or he/she names like Lindsay of course.
Also on the subject of mailing lists, there was an interesting letter in the
Guardian from someone who received a batch of junk mail about investments,
expensive holidays and subscribing to the Tory party. The man has no money
and has been unemployed for 2 years. The letters started arriving six weeks
after he had a letter printed in the Times newspaper...
Lindsay
[I wouldn't want to Harm Monica, but a moniker is a
nickname, as is Nick, and Phil (Harmonica?). PGN]
Re: Anonymity and high-tech
Brint Cooper <abc@BRL.ARPA>
Tue, 13 Oct 87 21:11:53 EDT
Nic McPhee's essay on anonymity reminded me of an innocent-looking way that names and demographic information are entered into frequently-merged databases: the so-called "warranty registration" cards that come with nearly everything that we buy. What our sex, job, age, and gross annual income have to do with validating the warranty on a TV or a computer escapes me. While government doesn't necessarily get hold of these databases, shady characters in the private sector should have no trouble posing as legitimate businesses and buying these databases.
On a related note, and one not directly related to risks in computers (sorry Peter), the British Government's use of "questionable" means of searching for unlicensed TV receivers may not in fact be a violation of THEIR law or traditions. In many ways, the British system is far less protective of an individual's rights than is ours in the U.S.
Discrimination considered pejorative
Geraint Jones <geraint%prg.oxford.ac.uk@NSS.Cs.Ucl.AC.UK>
Thu, 15 Oct 87 10:04:04 BST
Yes, yes, I too get the annoying annual letter asking me why I haven't got a
licence for my non-existent television. I thought everyone did. You can't
mean to say that some people have televisions?
Surely the greatest risk of all this information refining is the risk to
the ego of the individual who thought he was unique, or at least in an
`elite'-sized minority. I mean, I thought I was the only bald, bearded,
Methodist, owner of a tandem south of the Trent; what am I going to think
when I get the direct-mail advertisement for a hair restorer and a beard
trimmer in with my invitation to a tandem rally from the church's home
mission division?
Perhaps there is some comfort here for Cliff Jones' original paranoia. He
was originally bothered -- RISKS 5.38 -- by the suggestion that he was being
marked down as a potential lawbreaker and that someone might carelessly treat
that as being the same as having a criminal record. I cannot yet conceive of
being in a mechanically-detectable minority small enough for it to be safe to
make wild generalisations about us. To be lumped in with a large enough
proportion of the population is not to be discriminated against in any new or
unusual way.
There are, for example, one in twenty of us (not 1%, as Ian Batten RISKS
5.42) in the UK without haunted goldfish-bowls in our houses. I forget
whether that is 5% of the population, or 5% of households -- we are
uncommonly likely to be one- or two- person households, so it is a different
proportion. What is depressing is the number of us who seem to be in computer
science. gj
Pacemakers (Re: RISKS-5.43)
<psivax!woof%psivax@csl.sri.com>
Wed, 14 Oct 87 17:04:29 PDT
In this issue of comp.risks you wrote . . .
>(Peter: Pacemakers DO have serial numbers. I called Medtronic and theirs
>do. I assume other manufacturers also have them in case of recall.)
Why don't you drop us a line if you have questions about pacemakers.
I believe we are the only pacemaker company on the net right now. Currently
we are about #3 worldwide and growing. We currently have pacemakers with and
without serial numbers; they may be read electronically without explanting
the pacemaker. In general the trend in the future will be towards such
numbers. They are actually most useful for identifying whether we have a
problem with our manufacturing process. If we know the serial number of the
problem pacer, then we can identify which components went into it, and who
worked on it here. (All our pacemakers have serial numbers, but the older
ones can be read only on the outside of the pacemaker. Our more complicated
pacemakers store their number electronically, which can be read by a
pacemaker programmer. I work on pacemaker programmers.) --
Hal Schloss Pacesetter Systems Inc., A Siemens Company
{sdcrdcf|ttidca|scgvaxd|nrcvax|jplpro|hoptoad|csun|quad1|harvard|csufres|
bellcore|logico|rdlvax|ihnp4|ashtate}! psivax!woof
ARPA: woof@rdlvax.rdl.com
News Media about hackers and other comments (Re: RISKS-5.43)
Bob English <lcc.bob@CS.UCLA.EDU>
Tue, 13 Oct 87 18:56:11 PDT
> From: Jack Holleran <Holleran@DOCKMASTER.ARPA>
> Subject: News Media about hackers and other comments
> MCI spokeswoman Pamela Small said yesterday[,] thefts that cost the long-
> distance carriers an estimated $500 million in 1986 alone have decreased.
> If "equal access" reduces losses, maybe it's time to invest in those
> companies.
This is a very curious kind of loss. If they stole $500 million dollars in services, the company didn't lose $500 million, unless somehow they were unable to provide $500 million dollars in service to someone else as a result of the misappropriation of resources. While there would be some of that, I find it very difficult to believe that the real number is even a significant fraction of that. There are other real costs associated with this sort of theft--loss of goodwill by the mischarged party, accounting costs associated with rebalancing the books, etc--but those are probably small as well. In short, the companies have a vested interest in making their losses appear as large as possible. While they show a paper loss of $500 million to theft, all that was stolen was paper money that will not be replaced if the theft ceases, and their revenues will not increase by an appreciable amount.
Phone theft is not so much an economic problem as a social one. The phone companies pursue the legal aspects of it quite aggressively because they want to prevent it from becoming widespread enough to do actual damage, but they don't take obvious preventative measures to prevent it or detect it earlier. They don't, for example, look for sudden large changes in service levels and flag them as suspicious.
--bob--
P.S. I heard the other day that the average driver commits about 10 traffic violations every mile here in California. I'm looking forward to the day when the CHP can track my car through its computers.
Password bug - It's everywhere.
<To: risks@csl.sri.com>
Thu, 15 Oct 87 15:00 EDT
After reading Geof Cooper's posting on the password truncation problem,
I tried it on every Unix machine I could find. Only the first 8
characters counted on any of them. Here's the list:
Machine Operating System
---------- --------------------
VAX 750 Ultrix 1.2
VAX 8600 Ultrix 2.0-1
VAX 750 Berkeley 4.3
Celerity 1260D Accel Unix 3.4.78
IBM RT-PC AIX 1.2
Sun 3/160 3.0
Looks like this bug has been there for quite some time - maybe since
the beginning. Can you spell propagation? Maybe this bug
can be used for some copyright infringement suits? I suppose
all of the Unix-computer producing companies assumed this part
of the code worked and didn't need looking at. My guess is that
there are actually few of us who use more than 8 characters anyway,
so the implications are not as severe as it might seem, but it
sure decreases the search time. Where might the most serious
implications of this be? Unicos machines with classified data?
Other defense machines?
-Mike Russell
Re: YAPB (yet another password bug)
Brint Cooper <abc@BRL.ARPA>
Tue, 13 Oct 87 20:57:11 EDT
Geof (no relation) expresses surprise that 4.3 Unix "silently" truncates
passwords to 8 characters. Was this a secret? Did not 4.2 and 4.1 do
the same? I don't believe that there has been a 14-character password
since the days of the PDP-11.
Brint
[More importantly, any algorithmically generated password is easier
to crack... In this case, once you know more than one password, you
could easily infer the algorithm... With my 7-character name, I get
only one free character. The password generating scheme Geof refers
to is much dumber than the 8-character truncation. But it is nice to
know about the truncation! PGN]
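Added example, not from the digest: a Python model of the 8-character truncation that Mike Russell's survey and Brint Cooper's reply discuss. The key derivation mirrors how traditional crypt(3) uses only the low seven bits of the first eight characters as its 56-bit DES key; the password-file audit and the sample records are constructed for illustration, not taken from any real system.

```python
import re

KEY_CHARS = 8  # classic crypt(3) looks at no more than this many characters


def des_key_from_password(password: str) -> bytes:
    """Model of how traditional crypt(3) derives its DES key: the first
    eight characters only, each shifted left one bit so that its low seven
    bits form the 56-bit key (DES ignores the parity bit of each byte).
    Shorter passwords are padded with NUL bytes."""
    raw = password.encode("ascii", "replace")[:KEY_CHARS].ljust(KEY_CHARS, b"\0")
    return bytes((c << 1) & 0xFF for c in raw)


def same_effective_password(a: str, b: str) -> bool:
    """True when crypt(3) would treat the two passwords as identical."""
    return des_key_from_password(a) == des_key_from_password(b)


def effective_search_space(length: int, alphabet: int = 95) -> int:
    """Candidates an exhaustive search must cover for a password of `length`
    printable ASCII characters; every character past the eighth is free."""
    return alphabet ** min(length, KEY_CHARS)


# A legacy DES hash in the password file is exactly 13 characters of the
# crypt alphabet: a 2-character salt followed by 11 hash characters.
# Modular hashes (MD5, SHA-crypt, ...) begin with "$id$" and do not match.
_DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")


def uses_truncating_hash(hash_field: str) -> bool:
    return bool(_DES_HASH.match(hash_field))


def audit_passwd(lines):
    """Names of accounts whose stored hash uses the truncating DES scheme."""
    flagged = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2 and uses_truncating_hash(fields[1]):
            flagged.append(fields[0])
    return flagged


# Constructed sample records (hashes are made up, not from any real system).
SAMPLE_PASSWD = [
    "alice:ab5JkLmNoPqRs:1001:1001:Alice:/home/alice:/bin/sh",  # legacy DES
    "bob:$6$saltsalt$notarealsha512hashxxxxxxxxxxxxxxxx:1002:1002:Bob:/home/bob:/bin/sh",
    "carol:*:1003:1003:Carol:/home/carol:/bin/sh",  # locked account
]

if __name__ == "__main__":
    print(same_effective_password("correcthorsebattery", "correcthorse"))  # True
    print(effective_search_space(14) == effective_search_space(8))        # True
    print(audit_passwd(SAMPLE_PASSWD))  # ['alice']
```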
Civil Disobedience (Re: RISKS-5.43)
Scott Dorsey <kludge@pyr.gatech.edu>
Wed, 14 Oct 87 17:52:39 EDT
In Risks Digest 5.43, I find:
>It seems to me that as the computerization of society continues, the idea of
>engaging in civil disobedience via computer is bound to come up more often.
>Some computer CD might resemble ordinary computer crime and sabotage except
>for the motivation of the individuals carrying it out. I've heard folklore
>about politically motivated crackers for years now; do RISKS readers know of
>any actual examples?
I seem to recall a mention that the Berkeley computer center was occupied by protesters sometime in the sixties, who claimed that the computers were being used for war work. A sit-in was staged, as well as the damage of some equipment and a large number of tapes. I don't know precisely if any significant damage was done.
On a slightly more current note, a couple of years back, a student who was upset with the student government policies here at Georgia Tech formed an organization called the Barbecue Liberation Front (the gripe, as I recall, had something to do with a cancelled cookout), which among other things froze the student government accounts, and sent messages to all users each second on one of the undergraduate class machines, making it unusable. This is as close to political motivation as I have ever seen on the Tech campus. Although it may be a rather pitiful example, it is as political as anything ever gets in a place where Poly Sci profs refer to the Washington Post as an "anarchist rag."
Scott Dorsey Kaptain_Kludge
SnailMail: ICS Programming Lab, Georgia Tech, Box 36681, Atlanta, Georgia 30332
Internet: kludge@pyr.gatech.edu
uucp: ...!{decvax,hplabs,ihnp4,linus,rutgers,seismo}!gatech!gitpyr!kludge
Civil Disobedience (Re: RISKS-5.43)
<bfisher.ES@Xerox.COM>
14 Oct 87 13:19:13 PDT (Wednesday)
Anent Prentiss Riddle's comments on Civil Disobedience - (CD)-- I
suggest that 'Civil Recalcitrance' (CR) is already here. This is defined
as nonviolent copping out by using the 'computer' as a shield. Two
recent examples --(1). Eight weeks for one of the country's largest
insurance companies to issue a check for a health insurance claim --
("I'm sorry - it's in the computer and there's nothing we can (read
'want') do about it; (2). Repeated billing for an item no longer in use
and returned to the lessor. (I'm sorry, the rental data base is in a
different computer than the return for credit base and they don't talk
to each other). The only (simple) way to clear this was to pay the
rental data base people for the item, even though the sales data base
people had already been paid by return of the item.
Bill Fisher
Computer civil disobedience
<eugene@ames-nas.arpa>
14 Oct 87 10:31:20 PDT (Wed)
Prentiss Riddle brought up the topic of computer civil disobedience. The example of Falwell is an excellent one, and I believe that some organizations have thought about this type of blocking both for offense and defense. First, the organizations that are really worth blocking typically don't have dial-in access. Second, some "good organizations" might be `blocked' by those with differing opinions (creationists blocking science BBSs?).
But the real reason I wanted to send you this is to point out that some bureaucratic organizations like the FBI and Secret Service take dim views of civil disobedience; partly this is because of their mission. Recently, a Vietnam vet lost his legs to a train in an act of civil disobedience at the Concord Naval Weapons Station. All parties agree this is a tragic act. If anyone is going to embark on computer civil disobedience, they had better think about all possible consequences INCLUDING getting shot.
The people who work for the SS and FBI may not know computers very well, but computers are increasingly used in criminal capacities. At the time of suspicion, they (their perspective) might not have the time to evaluate, but might run into a building with guns drawn when there are only teenagers there. The situation for them is something similar to the issue of Toy Guns; it's that WE see the situation from a different perspective. Softwar is a real possibility for these people (even though they may not be aware of it, now).
One of the risks of computers we have not discussed is the "evil" unintended (and non-military) uses of computers. One BBS in the Bay Area (noted as a headline story) was a neo-Nazi BBS. Dan Pasquale of the Fremont PD is most concerned with the BBSs of pedophiles. More likely than not there are neo-Nazis and pedophiles reading RISKs, so "evil" is a minority perspective. The problem becomes discriminating between crime and liberties, disobedience versus threat [sorry, I lost the "real" word].
I don't wish to defend the actions of what I regard as an increasingly police-state mentality of the country (it's largely, "WE" the people who are pushing this BTW), but I do wish to avoid severed legs and teenagers shot by carrying laser tag pistols. --eugene miya
Phalanx Revisited (Risks to Carrier Aircraft)
Barbarisi <marco@ncsc.ARPA>
Wed, 7 Oct 87 13:34:20 CDT
Are US Navy aviators at risk from Phalanx systems on their own ships? I
mention this because I noticed that aircraft carriers have Phalanx guns
mounted at the stern of the ships - in a perfect position to shoot at
aircraft approaching a carrier for a landing. I noticed this while
glancing at a Varian advertisement on page 2 of the Oct. 87 issue of
Defense Electronics.
Marco
SSNs
Bill Gunshannon <bill@uunet.uu.net>
5 Oct 87 13:17:57 GMT
From: bill@trotter.usma.edu (Bill Gunshannon)
Organization: US Military Academy, West Point, NY
In response to an article in: RISKS-LIST: RISKS-FORUM Digest Wednesday, 30 Sept 1987 Volume 5 : Issue 41
>From: P. T. Withington <PTW@YUKON.SCRC.Symbolics.COM>
>Subject: Re: Risks in the Misuse of Databases? [RISKS-5.40]
> All
>this despite existing laws that state SSN's are to be used only for
>social security and not as an identification number.
I think it is time we put this notion to rest once and for all. How can you say that is the only legal use for the SSN when I was just required by law to get my daughter (8 yrs old) a SSN and I will have to include that number on MY income tax return from now on. Now, unless they have revoked the child labor laws, she is unlikely to need that number, for Social Security purposes, for at least 9 more years. :-)
bill gunshannon
Martin Marietta Data Systems
USMA, Bldg 600, Room 26
West Point, NY 10996
UUCP: {philabs|phri|sunybcs}!trotter.usma.edu!bill
WORK (914)446-7747