Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
WASHINGTON — The IRS acknowledged that last summer it accidentally placed a lien against President and Mrs. Reagan. The error, by a trainee in the Austin, Texas, IRS district, followed a demonstration of the agency's electronic lien system. Despite an IRS policy against using the names of real people in training, an instructor used the Reagans as a hypothetical example. Later, when the trainee was practicing, she pushed the wrong button, accidentally filing a lien of $338.85 at the Travis County courthouse in Austin. The incident was recently reported in the Kiplinger Tax Letter. Although the lien was discovered and rescinded, it will remain a permanent entry in the Travis County Court records because the courthouse doesn't routinely remove a record of a lien even after it's been lifted. But the IRS notice releasing the lien also remains part of the record. Since the entry had assigned the Reagans a fictitious address and Social Security numbers, "there was never any real danger of a real lien being filed," said an IRS spokesman. Ellen Murphy, IRS public affairs director, said the IRS has taken steps to prevent a repeat occurrence, "including appropriate disciplinary action where needed."
[Response from Jeffrey to my message to him regarding the ARPANET collapse, article by Eric Rosen, Software Engineering Notes 6 1, January 1981. PGN] Extremely interesting, and personally relevant. I wrote the "RELAY" package for Bitnet which is essentially a distributed message service of real-time interactive messages as opposed to mail. A "chat" if you prefer the Compuserv example, only there are multiple Relays across a broad geographic area (Bitnet is store-and-forward). Each Relay services users in its local area, and exchanges messages with its neighbors, who exchange redistribute locally and further send to neighbors, etc. It's a very simple flooding algorithm since it is a closed network with no loops. At any rate, a missing edit check and an innovative student discovered that Relay allowed him to sign on to channel "1.0"; the code is written in a high-level language and it asserted 1.0 to be a whole number. The message packet was created and with the "1.0" channel prefix header and was then flooded to the neighboring Relays to update their user tables. With that done, it then goes back to a ready state, which is handled by a front-end Assembler routine. The assembly code tried to download the user table, in the process tried to pack and convert to binary the "1.0" value, which abended on an data exception. Meanwhile, the neighbors receive the update, flood it, and try to go ready. Abend for same. The net result: 36 Relays on 4 continents abended almost simultaneously. Moral of the story: If it's garbage in, eat it :-) /Jeff/
We've heard much about computer crime for personal gain, about vandalism
committed by crackers out for kicks, and now "software warfare" in which a
superpower might attempt to undermine an opponent's warfighting capability by
sabotaging its software. But has there been any discussion of real or
hypothetical civil disobedience by computer?
A loose definition of "civil disobedience" might be nonviolent lawbreaking
by morally motivated individuals, often in what they perceive as obedience
to a "higher law" (e.g. constitutional or international law or a religious
or ethical principle). A few famous examples of CD in the non-computer
world include Rosa Parks' refusal to move to the back of a bus, occupation
of power plants and weapons facilities by anti-nuclear protesters, and
"Plowshares" actions in which priests and nuns have destroyed components of
nuclear weapons.
It seems to me that as the computerization of society continues, the idea of
engaging in civil disobedience via computer is bound to come up more often.
Some computer CD might resemble ordinary computer crime and sabotage except
for the motivation of the individuals carrying it out. I've heard folklore
about politically motivated crackers for years now; do RISKS readers know of
any actual examples?
Other forms of civil disobedience might be engaged in by members of the
general public with no special expertise in computers, especially as
computerized communications systems become more pervasive. For example,
rather than physically occupy a street or building, protesters might clog up
a computer network by engaging in bogus transactions. (This has already been
done with telephone systems: reputedly some fundamentalist right
organizations have had to abandon their toll-free numbers after it became a
common pastime in certain gay and countercultural circles to call them up and
waste their money. This was known as "the Falwell game.")
Like all civil disobedience, computer CD raises many ethical and tactical
questions. Can anyone out there think of any particularly frightening or
promising scenarios for computer CD looming on the horizon?
--- Prentiss Riddle ("Aprendiz de todo, maestro de nada.")
--- Opinions expressed are not necessarily those of Shriners Burns Institute.
--- riddle@woton.UUCP {ihnp4,harvard}!ut-sally!im4u!woton!riddle
I just discovered that the much-touted BSD4.3 release of Unix silently truncates passwords to 8 characters. I found this out by having an easier time guessing a password for an account than I thought I would — because the user name had 8 characters and the password was the user name with a suffix. Let's get this info out to the user community... BEWARE! - Geof Cooper
Two recent articles from "The Capital", the daily newspaper for Annapolis, Maryland. Both are re-typed without permission and condensed. Names of accused are deleted. = = = = = = = October 6, 1987 Teen computer 'hacker' to be tried as adult (Page D1) By Lorraine Ahern — Staff writer A Hanover youth who police claimed used a home computer to charge thousands of dollars worth of electronic equipment to stolen credit card numbers will be tried as an adult, a judge ruled yesterday. [NAME DELETED], 18, is accused of ordering more than $6,400 worth of computer accessories and radar detectors, and having UPS deliver them to his family's home address last summer. Circuit Court Judge Eugene Lerner granted a prosecutors request that [NAME DELETED], who turned 18 last month, be charged and tried as an adult for felony theft. "It's not a kid walking into a 7-Eleven and walking out with a Snickers bar in his pocket," Assistant State's Attorney Eugene Whissel argued. "It's a mature crime for an adult --- a sophisticated crime." ... non-related discussion ... [NAME DELETED] mother said that [...] her son became depressed and "obsessed" with the home computer he had set up in his bedroom. "Initially, I did think that it was good," said [his mother], who testified that she was unaware of any UPS-credit card scheme. "Getting him down to even eat with us ... he was on it all the time. I knew it was not healthy. I even took the plugs at times." [He allegedly confessed that he got the equipment using an illegal MasterCard number from a Brooklyn, NY computer contact through an electronic bulletin board. The Secret Service is "already" being investigated by the Secret Service.] During the same period last spring when state police began investigating [NAME DELETED]' computer activities, police in Baltimore County arrested a number of computer "hackers" in the Annapolis [MD] area and charged them with gaining free illegal access to long-distance telephone service. end of article
'Hacker' pleads guilty (page A13) By Lorraine Ahern — Staff writer An Annapolis [MD] man pleaded guilty yesterday to stealing long-distance telephone service using his home computer, which a judge ordered destroyed. In a case that began a year ago with raids on the homes of sever computer "hackers" in Annapolis and the Baltimore suburbs, J. Scott Meenen [...] pleaded guilty to theft of service in Baltimore County Circuit Court. Meenen, a 28-year-old former audio-visual repairman [...], was put on probation and ordered to pay back $477 to MCI Telecommunications for stolen long-distance service. Police claimed that Meenen had operated an electronic bulletin board known to a circle of computer hackers as "The British Exchange." Using an automatic sequential dialing device, police said, the hackers would hit upon MCI code numbers and then, sharing them on the bulletin board, use those numbers for free long-distance calls. MCI began to pick up on the unauthorized use of the codes through a switching station at Towson [MD (about 30 miles north of Annapolis], and police ultimately traced the calls to computer telephone lines at several addresses. MCI spokeswoman Pamela Small said yesterday[,] thefts that cost the long-distance carriers an estimated $500 million in 1986 alone have decreased. Under Chesapeake & Potomac's [local phone provider] gradual conversion to "equal access," long-distance carriers such as Sprint or MCI will no longer need to assign code numbers for customers to dial. Equal access, which Ms. Small said is now 80 percent complete, means that the subscriber can simply dial the long-distance number itself, as they would if they used AT&T. end of article ----------------- Comments: During the 1987 National Computer Security Conference in Baltimore, Detective McCleod (sp?) of Arizona discussed that he likes to visit and arrest youthful hackers when they turn 18. This was based on a bad experience in the court system for a case against a 14 year youth. This youth was successfully prosecuted and convicted to some community service and a 2 page, hand-writted, double-spaced paper. The "convicted" youth then demanded his computer equipment back and got it. He was not obligated to pay back the fraud. [I remember $14,000 but I could be wrong.] Maybe police and judicial activities like this will bring back the original definition of "hacker". If "equal access" reduces losses, maybe it's time to invest in those companies.
"Computer Watch Aids Body ID 06-Oct-87 BLAUVELT, N.Y. (AP) - Police used a computerized wristwatch that had phone numbers stored in its memory to identify a man whose body was found last week in a park. ... State Police Inspector William Sprague said police tracked down acquaintances of Bly's through his wristwatch, which had their telephone numbers programmed into it." (remainder of article describes the death) RISKS DIGEST was recently discussing implanted transmitters. A computerized wristwatch is not as threatening to one's privacy as an implanted transmitter. But other personalized technology can pose threats to the users, or benefits to society: A recent drug arrest near Minneapolis led to several more arrests after police investigated a phone number from the memory of the drug dealer's cellular phone. These examples show the electronic equivalent of scraps of paper in pockets, except that people are presently not usually aware of them nor know how to alter them. Medical technology with serial numbers can also be used for identification, at least for dead people. An anonymous live suspect with a surgical implant would pose a dilemma, although there already have been court cases of evidence (bullets) in living people. Simple pacemakers with a serial number are already numerous. Near-future technology may cause more complications, such as a computerized nerve replacement implant with a memory of recent motions (ie, pulling a trigger or route recently walked). Scot E. Wilcoxon, Data Progress sewilco@DataPg.MN.ORG +1 612-825-2607 (Peter: Pacemakers DO have serial numbers. I called Medtronic and theirs do. I assume other manufacturers also have them in case of recall.)
This is in response to the recent discussion of TV licenses and Brent
Laminack's comments concerning "Big Brother".
One of the greatest guarantees of privacy is anonymity. For example, there's
hardly a house made that absolutely can't be burgled, and most would be rather
trivial, and police and crime experts have often stated that the best pro-
tection is anonymity - looking less interesting than someone else. Similarly,
were someone *really* interested in you and your habits it probably would
not have been difficult for them to learn a great deal about you - where you
live, work, shop, relax, etc. But anonymity protected you, because it was
just too expensive to do this checking on a random basis with no justification.
That's all changing now, because simple operations on readily available data-
bases can find the needle (us) in the haystack of teeming masses with very
little expense. And a degree of anonymity is lost. Many of us are still
as indistinguishable as before, but not all. Going back to the example of
burglary, the potential exists for some smart crooks to do some neat cross-
referencing of addresses of people who buy (or even read about) high-ticket
items that are small in size and easily fenceable (cameras, electronics,
jewelry, etc. - many readers of this group would probably qualify) and target
them. Going one step further, they might eliminate from this list people
with burglar alarms or a high chance of owning a large dog, or come better
prepared for such contingencies.
One aspect of this that I find particularly disturbing is its affect on the
notion of "innocent until proven guilty". Barring widespread, indescriminate
government harassment, one of your biggest protections against being hassled
by the government was your anonymity. If you're just an average Joe, then
there's no reason for the government to suspect you of anything, gratuitously
assuming guilt until convinced otherwise. There was no return on the invest-
ment from the government's standpoint. Not anymore. Now they can assume
you're guilty ("You don't have a TV license, and you must own a TV, therefore
you must be guilty of not obtaining a needed license".) in some subtle ways
in their uses of database cross-referencing, and get a pretty good return
on their (minimal) effort.
Nic McPhee (mcphee@ratliff.cs.utexas.edu)
[Incidentally, for those of you wondering how you can detect whether
someone's TV set is in use, read Peter Wright's SPYCATCHER. It is easily
available outside of the U.K., and I understand copies are creeping into
Britain at a great rate. PGN]
Seen in Office Management and Automation, Sept.87, p. 4:
+----------------------------------+
|I've found the flaw, sir! |
|It's in this little computer chip.|
+----------------------------------+
|
| /\
| / \ <==(huge ship, sinking)
.----/ o \
/ o / o /
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(Well, their graphics were better than mine.....)
Please report problems with the web pages to the maintainer