The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 5 Issue 35

Thursday, 10 September 1987

Contents

o Drugs, DES, and the criminal world
Jerry Leichter
o More on the Irish Tax Swindle
Jerry Harper
o Costs and Liability in Good Systems
David Collier-Brown
o Re: The influence of RISKS on car design?
Benjamin Thompson
o Re: Computer Syndrome; Dutch Crime Computer
Brian Douglass
o Reach out, touch someone
Brad Miller
Richard Kovalcik
Jr.
Curtis Abbott
o Info on RISKS (comp.risks)

Drugs, DES, and the criminal world (A New Connection?)

"Jerry Leichter" <leichter@venus.ycc.yale.edu>
8 Sep 87 15:38:00 EDT
From "Logged On", by Vin McLellan - Digital Review, August 24, 1987, page 87

Anthony Prince Fairchild is doubtless a colorful rogue.  Five years ago, when
People magazine reported on a dispute between the Aspen sheriff and the Drug
Enforcement Administration (DEA) about lax law enforcement in the Colorado
resort town, Fairchild stepped forth - not to deny the DEA's allegations that
he was running an Aspen "drug factory," but, rather, to defend eccentricity.
"It's not against the law to be bizarre," he told People, which featured a
photograph of him leaning back against a nude female mannequin he called
Christina.

Some may have found Fairchild's face familiar.  An engineer by education and
trade, Fairchild had also been a model:  His Salem-smoking visage has
adorned millions of magazines and billboards.  He's now 50 years old, but
police still call him a "pretty boy."  Last month at a pre-trial hearing in
San Jose, Calif., Fairchild curled up on a courthouse bench reading
Firestarter, while the curious strolled by to check him out.  After all,
Fairchild had just had his bail changed from $2.5 million to "no bail" out
of fear that he would post the money and disappear.  "He looks just like
Timothy Leary," said an onlooker, referring to the LSD guru the '60s.

If Fairchild isn't a legend like Leary, it may be because federal
authorities have never publicized the extent of their interest in him, even
though they've sought him several times over the years.  But after being
arrested last November with eight kilos of cocaine, $12,000 in counterfeit
money and 85 pounds of high explosives, Fairchild became a topic of rumor in
Silicon Valley, in the California drug culture and, oddly enough, among the
nation's top security consultants as well.

"The guy's got a brain," remarked one California investigator.  "You maybe
couldn't guess it to see the mess he's in, but he's done a lot of things -
legit things - and some say he's just slightly short of being absolutely
brilliant."  Fairchild's resume indicates success in a half-dozen careers,
most recently as an EDP consultant in Silicon Valley.  It claims he holds 11
U.S. patents, and states that he was one of the authors of Digital
Research's Concurrent PC-DOS.  The police say this work record is accurate.

Predictably, Silicon Valley police have been among the first to confront the
probleme of criminal enterprises that digitally encrypt incriminating records.
"There's one case like that every six weeks around here," noted a local police
reporter.  "It's become quite common."  The method of choice is, of course,
the Digital Encryption Standard (DES), the cipher approved by the U.S.
government for commercial data security.

Fairchild used a Winterhalter DES board in a DOS micro to keep what police
believe to be an extensive diary of the affairs of a "large international drug
ring."  Local, state and federal narcotics agents are all very eager to gain
access to Fairchild's records.  Indeed, Santa Clara, Calif., police reportedly
used covert FBI funds to have a privately owned supercomputer grind away at
cracking the DES-encrypted data.

The attempt was not a big secret.  Several EDP security consultants were
asked to suggest crypto attacks.  What made the DES attack feasible, if
still unlikely to succeed, was that the Winterhalter device uses a program
to transform a 6-to-16-character password into the 64-bit DES key.

The cops got lucky:  With a pass through a full English dictionary, and by
culling significant names and such from Fairchild's personal history, they
were apparently able to guess three of four passwords that were used to
encrypt files stored on his micro.

The passwords were all eight or fewer characters in length, and all in
lowercase letters.  The diary file continued to elude their efforts, but
the police reasoned that if the DES password for the diary was less than
eight characters, a "brute force" approach to finding it was possible.  A
cryptoanalyst who is a leading consultant for California banks was hired to
make the attempt.

The supercomputer may have actually been chewing away when the Justice
Department stepped in late last month to confiscate copies of the encrypted
diary, presumably as evidence in a federal drug case against Fairchild.  This
pre-empted local authorities from possibly making the big score.


More on the Irish Tax Swindle (RISKS-4.33)

Jerry Harper <mcvax!euroies!jharper@seismo.CSS.GOV>
Tue, 8 Sep 87 17:01:04 BST
The situation is in fact much worse (and farcical) than seems credible.
Firstly, there is no accurate estimate of the size of the fraud, with the
revenue preferring to err in low figures.  To date the "figure" of 300,000IR
(about $4.2m) is being suggested as the *most* accurate.  However, no one
seriously believes this, least of all tax consultants in the large
accountancy firms.  Secondly, John's comments about officials causing the
disappearance of defaulters files is not quite accurate.  Many of the
cheques which were altered came from quite respectable companies and
self-employed business people -- I am trading on the knowledge of friends who
are in taxation consultancy -- it was the deposit time lag in revenue which
provided the gateway to the fraud.  Between the receipt of a cheque and its
lodgement there could be a delay of three months.  Finally, and I think this
is what John was referring to, the revenue have a "pending file" where
information on possible defaulters is kept.  By flicking through this file
it would have been easy to select the right targets.

P.S. Since the banks no longer have a policy of automatically returning cheques
many companies and individuals may be totally unaware that theirs' have been
altered.

This is the second major fraud to affect the revenue services here. I reported 
a previous fraud involving tax repayments to RISKS a few months back.  It 
remains to be seen what comprehensive overhaul of the system will be pursued.


Re Pogo Wins a Free Lunch -- Costs and Liability in Good Systems

Brown <geac!daveb@seismo.CSS.GOV>
8 Sep 87 17:18:32 GMT
  The argument probably does not apply to long-lived systems such as
operating systems and major suites of applications.  Honeywell-Bull
found some years ago that the cost of fixing things that could have
been done correctly before release was significant, and started a 
rather successful quality programme, thereby saving themselves
money. Most of the areas they saved money were in the maintenance and
correction of old, long-running systems, both hardware and software.

  Moral: We have met the enemy and ... oh-oh, do we really want this war?

Disclaimer: the above is the opinion of neither Honeywell-Bull nor Geac.

David Collier-Brown, Geac Computers International Inc., 350 Steelcase Road,
Markham, Ontario,  CANADA, L3R 1B3 (416) 475-0525 x3279 
{mnetor|yetti|utgpu}!geac!daveb


Re: The influence of RISKS on car design?

Benjamin Thompson <munnari!mulga.OZ!bjpt@uunet.UU.NET>
Tue, 8 Sep 87 17:05:59 EST
There seems to be quite a lot of public criticism of steer-by-wire etc.  at
the moment.  Perhaps Honda is just trying to cash in on the current wave of
Luddism.  Perhaps their electronics don't work.  Perhaps they can't produce
electronic cars fast enough.

These reasons are all fairly legitimate, and all could explain why Honda plugs 
the lack of electronics and points out that the car is "mechanical and sure".  
Honda doesn't have to be particularly safety-conscious to make a profit.

Ben Thompson


Re: Computer Syndrome; Dutch Crime Computer (RISKS 5.34)

Brian Douglass <brian%asci.uucp@RELAY.CS.NET>
9 Sep 87 10:38:47 PDT (Wed)
In regards to the 18 year old that developed "computer syndrome" in Denmark.
My question is did the kid develop it because he was working on the computer,
as if they pose some inherent social risk, or was the kid already at risk to
developing some type of neurosis and because he had a computer it settled on
that?  Was the kid just as likely to develop a drug habit in an effort to
conform and have friends, or possibly take his own life out of frustration and
loneliness due to an illogical world he could not fit into.  If so, then did
the computer save his life by temporarily giving him the logic and structure he
craved?  Sort of like using a small bomb to destroy a larger bomb, but its
still a bomb.

About the inventor who has a developed a telephone receiver that can be
implanted behind a human's ear:

Sometimes, no matter how much the potential for good, the dangers can far out
weigh them, and therefore the potential good must be denied.  A perfect example
is the recent Supreme Court ruling for Preventative Detention, that persons can
be held with out bail if they are shown to be a danger to the community.  The
intent was to hold drug pushers and Mafia figures that could easily make bails
of 5 or 10 million dollars, and then continue to run their empires, or skip out
and not thing twice about it.  Well now a D.A. in Florida is using that ruling
to hold juveniles that are accused of murder or drugs, or simply have a history
of arrests, showing that history as a pattern to prove they are a danger to the
community.

Suddenly we have incarceration without trial.  Preventative Detention was
viewed as having both good and bad effects, but was thought that properly
controlled and regulated, it could be used for the good of society without the
bad effects.  Thomas Jefferson argued for strict interpretation of the
Constitution, so that such finely cut interpretations as Preventative Detention
could not be legislated by the courts.  In our modern society, we feel "smart"
enough to be able to maximise the good and minimize the bad.

I agree with the original poster and PGN [You mean "MS"?  PGN], sometimes
no matter how helpful some technological innovations may be, you must take
into account their implications, which are sometimes to grave and it is
better left uninvented.  I think the article about the Dutch Crime Computer
is a perfect example that we are human and do err (even something as
*stupid* as dropping your backup system).  Could you imagine the chaos if
the Dutch allowed Preventative Detention and you couldn't get bail while you
waited around for the authorities to straighten things out.  That's exactly
why Preventative Dentention is supposed to be forbidden by the constitution,
but we just think we're so smart.  What a glorious 200th birthday present
for our constitution.

Brian Douglass, Applied Systems Consultants, Inc. (ASCI), P.O. Box 13301,
Las Vegas, NV 89103  Office: (702) 733-6761
UUCP:    {mirror,sdcrdcf}!otto!jimi!asci!brian


Reach out, touch someone [RISKS-5.32]

Brad Miller <miller@DOUGHNUT.CS.ROCHESTER.EDU>
Tue, 8 Sep 87 22:41 EDT
       [What will it take before inventors of technology consider
       implications of their work as part of their responsibilities?  MS]

Umm, jobs that pay regardless of productivity?              Brad Miller

University of Rochester, Department of Computer Science     716-275-1118
Computer Science Department, University of Rochester, Rochester NY 14627
miller@cs.rochester.edu {...[allegra|seismo]!rochester!miller}


Reach out, touch someone [RISKS-5.32]

"Richard Kovalcik, Jr." <Kovalcik@MIT-Multics.ARPA>
Tue, 8 Sep 87 12:29 EDT
I don't think the moderator or anyone else is being paranoid here.  It is
issues like this that make me very glad there are groups like the ACLU.
There is a real risk of Big Brother in this.  The issues here are very
similiar to those of mandatory AIDS testing - when is violating individual
rights outweighed by the good to society?  Given that such a device would
violate existing laws, be easily abusable, and / or be unnecessary because
there are other ways of accomplishing the same thing, it should be banned.
Engineers and professionals do have a duty to act responsibly.  The
moderator is correct.

           [Actually the comment prompting this was marked with 
           "MS", the contributor, NOT the moderator.  PGN]

1) The parole laws were not written with the idea that the Government
know where the parolee was at every instant in time.  To implant a
device that did so is certainly violating the existing law and the most
probably the parolee's constitutional rights.

2) Parent's should not be allowed to implant this sort of thing.  While
parents have a responsibility to take care of their children.  They
should do so by taking an active interest rather than using technology
to snoop on their children.  Perhaps you think it is OK for parents to
bug phones their children might use too?  And what about employers
recording calls employees make without telling them?  Besides, unless
there is someway to remove this "wonderful" device onc the person
reaches 18, it is subject to being misused later by Government.

3) As to pet owners, anyone who lets their pet roam freely tearing up
lawns, breaking into garbage, and playing "chicken" with cars shouldn't
be allowed to be a pet owner.  I'm sure a lot of people will disagree
with me on this one but as far as I am concerned this is another misuse
of techology.

4) As for criminals in jail, implanting them would be OK as long as the
device was removable after they were released so as not to violate their
rights.  But, then if it is removable, they could get a shady doctor to
do it if they escaped (which is presumably (hopefully?)  what you are
trying to guard against here).

5) If someone wants to have one implanted to guard against kidnapping
that if fine, but I would urge such a person to consider the
disadvantages.


Re: Reach out, touch someone

abbott.pa@Xerox.COM <Curtis Abbott>
Tue, 8 Sep 87 18:03:44 PDT
This should be an interesting case for the patent attorneys, because the
idea Dr. Man has patented was used as the climactic plot twist in "The
President's Analyst", a wonderful film that came out around 1969.  

Please report problems with the web pages to the maintainer

Top