The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 5 Issue 41

Wenesday, 30 Sept 1987

Contents

o CHANGE IN RISKS SITE Effective Immediately
PGN
o Life-critical use of a spelling corrector
Dave Horsfall
o AT&T Computers Penetrated
Richard S D'Ippolito
o Satellites and Hackers
Paul Garnet
o Re: Risks in the Misuse of Databases?
P. T. Withington
Scott E. Preece
J M Hicks
o Info on RISKS (comp.risks)

CHANGE IN RISKS SITE Effective Immediately

<Neumann>
30 Sep 87 08:00:00
   =========================================================================
   | This is the VERY LAST RISKS FROM F4.CSL.SRI.COM.  Our Foonly F4 will  |
   | no longer be maintained after 1 October 1987.  Incoming mail can be   |
   | addressed as before, or to RISKS@SRI.COM and RISKS-Request@SRI.COM,   |
   | as appropriate.  The FTP site has changed to SRI.COM.  For the        |
   | immediate future RISKS operations will be moved to SRI.COM.  Thanks to|
   | David Poole for keeping our Foonly in excellent shape all these years.|
   =========================================================================


Life-critical use of a spelling corrector

Dave Horsfall <munnari!astra.necisa.oz.au!dave@uunet.UU.NET>
30 Sep 87 16:52:59 +1000 (Wed)
The following appeared on the back page of one of Australia's more outrageous
computer publications, "Computing Australia", 21st Sept 1987:

  ...  Blame it on the computer.           

  An unfriendly computer has been held responsible for a "potentially lethal
  error" involving a Mafia loan collector.

  A New York paper inadvertently put the `heavy' in the running for a pair of
  custom-fitted concrete shoes when it identified him as a "ruthless informer".

  According to a published retraction (and apology!), a writer on the paper had
  actually typed "ruthless enforcer" - but the computer system's spelling
  checker liked it the other way.

And I thought the worst you could expect from a "computer error" was a bill
for a million dollars!

Now, this particular publication (Computing Australia) is not known as the
"computer gutter press" for nothing, so I would appreciate any comments from
indigenous Americans...

Dave Horsfall  (VK2KFU)        ACS:  dave@astra.necisa.OZ
NEC Information Systems Aust.  ARPA: dave%astra.necisa.OZ@uunet.UU.NET
3rd Floor, 99 Nicholson St     UUCP: {enea,hplabs,mcvax,uunet,ukc}!\
St. Leonards NSW 2064 AUSTRALIA       munnari!astra.necisa.OZ!dave


AT&T Computers Penetrated

<Richard.S.D'Ippolito@sei.cmu.edu>
Monday, 28 September 1987 15:21:02 EDT
AT&T's attitude that the break in was just 'Yuppie vandalism' and the
defense attorney's comments on motives make me wonder when, if ever, the
view of computer crimes will merge with society's view of other property
crimes: we have laws against breaking and entering. You, as property owner,
don't have to provide 'perfect' security, nor does anything have to be taken
to secure a conviction of unauthorized entry. That conviction should be
easy. Also, using CPU resources (a demonstrably saleable product) amounts to
theft. There still seems to be the presumption that computer property,
unlike other property, is fair game.

I do not imply that we should relax our security efforts -- merely that we
deserve the same legal presumption that our imperfectly protected systems
and work are private property subject to trespass and conversion protection.


Satellites and Hackers

<pgarnet@nswc-wo.ARPA>
Tue, 29 Sep 87 13:54:36 edt
  >The article also claims "American teenagers using home computers
  >have developed the capability to alter orbits of commercial
  >satellites, as demonstrated by a recent incident in New Jersey."
  >Surely this must be an exaggeration?

Yes, it is a case of misinformation.  The 17 July 1985 issue of the
New Jersey newspaper "The Star-Ledger" reported 

  >The unidentified juveniles, arrested following an intensive
  >computer theft probe by South Plainfield, county and federal
  >authorities, also participated in elaborate schemes to steal
  >merchandise using stolen credit card numbers and reprogrammed
  >an American Telephone and Telegraph (AT&T) communications
  >satellite to disrupt phone conversations on two continents,
  >according to Prosecutor Alan A. Rockoff.

An article in the same paper two days later, on 19 July 1985 reported

  >The seven, who are strangers to each other but communicated
  >regularly on part of a nationwide computer "billboard" network
  >for hobbyists, are accused of stealing computer informational
  >services, stealing telephone services, disrupting satellite
  >communications and exchanging information on how to make
  >explosives and tap into Pentagon and defense contractors over
  >coded phone lines.

Time magazine reported on July 29, 1985 (p 65)

  >The New Jersey episode assumed heroic proportions when
  >Middlesex County Prosecutor Alan Rockoff reported that the
  >youths, in addition to carrying on other mischief, had been
  >"changing the positions of satellites up in the blue heavens."
  >That achievement, if true, could have disrupted telephone and
  >telex communications on two continents.  Officials from AT&T
  >and Comsat hastily denied that anything of the sort had taken
  >place.  In fact, the computers that control the movement of
  >their satellites cannot be reached by public phone lines.  By
  >week's end the prosecutor's office was quietly backing away
  >from its most startling assertion, but to most Americans, the
  >satellite caper remained real . . .

This New Jersey case is not very "recent", but seems to be the one 
being referred to.  If anyone knows of another more recent New Jersey
"satellite caper", please fill me in.
                    Paul Garnett


Re: Risks in the Misuse of Databases? [RISKS-5.40]

P. T. Withington <PTW@YUKON.SCRC.Symbolics.COM>
Tue, 29 Sep 87 10:48 EDT
    From: Ross Patterson <A024012%RUTVM1.BITNET@wiscvm.wisc.edu>

      >From: Brint Cooper <abc@BRL.ARPA>
      >Correct me if I'm wrong but isn't this info used merely for the 
      >enforcement authorities to decide where to search for unlicensed TV 
      >receivers?  They won't arrest you solely because you're not in the 
      >database, will they?

    I can't speak about the UK, but here in New Jersey, any evidence
    obtained through such a database cross-match would probably be ruled
    inadmissable in court.

How does this jive with a vaguely remembered NPR article of last week
that described how people who had failed to register for the draft
were found by matching social security numbers?  The gist of the
article was similar in spirit to the UK television article:  the
social security database is searched for draft-age candidates and
those registered with the selective service are subtracted out.  All
this despite existing laws that state SSN's are to be used only for
social security and not as a identification number.  Unfortunately,
few people know the law only states you have the right to refuse to
give your SSN and must instead be assigned some other ID number (which
presumably would be different for each service and prevent this type
of abuse).  If you "voluntarily" give your SSN, you essentially waive
your privacy rights.  The only service I have dealt with that treated
my refusal to give my SSN as a normal operation was the Massachusetts
Registry (I won't bore the list with a diatribe on its faults which
far outweigh this one feature).  Most services simply will refuse to
deal with you when you decline to give your SSN, whether they
understand the law or not.


Re: Risks in the Misuse of Databases

Scott E. Preece <preece@mycroft>
Tue, 29 Sep 87 09:40:28 CDT
  Ross Patterson:
> The preferred form is to limit the request to those suspected of
> committing a crime, as in "No persons without a TV License may own a TV
> set, therefore all persons whose homes openly sport a TV antenna and who
> do not own a TV License should be searched."  This, of course, means
> that the database cross-match provides the police with no additional
> homes to be searched, since they still must identify the homes in
> question by some criminal criteria.

It's a little more complicated than that, though:  My understanding is
that it is possible to detect the use of a TV set from outside the
house.  Is it then permissible for the authorities to use the database
cross-match to identify houses to check (since the check does not
involve a search)?  Or is that the fruit of the poisoned tree?

scott preece, gould/csd - urbana
uucp:   ihnp4!uiucdcs!ccvaxa!preece


Re: Risks in the Misuse of Databases? [RISKS-5.38]

J M Hicks <cudat@DAISY.WARWICK.AC.UK>
Wed, 30 Sep 87 15:35:00 bst
Disclaimer: this information came to me third-hand.  Bear this in mind.
This happened several years ago.

A friend once told me that his parents had been threatened with court action
for not having a television licence, when they did not have a television.
They protested to the licensing authorities, which backed down
apologetically.  It looked as though everyone in town who didn't have a
licence was being threatened.

This could have been a mere clerical mistake, of course.

J. M. Hicks,  Warwick University.   (a.k.a. Hilary)

Please report problems with the web pages to the maintainer

Top