The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 5 Issue 43

Tuesday, 13 October 1987

Contents

o IRS Accidentally Imposes $338.85 Lien On Reagans
Chris Koenigsberg
o Another ARPANET-collapse-like accidental virus effect
Jeffrey R Kell
o Computers and civil disobedience
Prentiss Riddle
o YAPB (yet another password bug)
Geof Cooper
o News Media about hackers and other comments
Jack Holleran
o Personalized Technology Side-effects
Scot Wilcoxon
o Anonymity and high-tech
Nic McPhee
o Naval Contemplation [Humor]
Don Chiasson
o Info on RISKS (comp.risks)

IRS Accidentally Imposes $338.85 Lien On Reagans

<DowJones@andrew>
Tue, 6 Oct 87 10:12:30 -0400 (EDT)
   WASHINGTON -- The IRS acknowledged that last summer it accidentally
placed a lien against President and Mrs. Reagan. 

   The error, by a trainee in the Austin, Texas, IRS district, followed
a demonstration of the agency's electronic lien system. Despite an IRS
policy against using the names of real people in training, an instructor
used the Reagans as a hypothetical example. 

   Later, when the trainee was practicing, she pushed the wrong button,
accidentally filing a lien of $338.85 at the Travis County courthouse
in Austin. The incident was recently reported in the Kiplinger Tax Letter.

   Although the lien was discovered and rescinded, it will remain a permanent
entry in the Travis County Court records because the courthouse doesn't
routinely remove a record of a lien even after it's been lifted. But
the IRS notice releasing the lien also remains part of the record. 

   Since the entry had assigned the Reagans a fictitious address and
Social Security numbers, "there was never any real danger of a real lien
being filed," said an IRS spokesman. 

   Ellen Murphy, IRS public affairs director, said the IRS has taken
steps to prevent a repeat occurrence, "including appropriate disciplinary
action where needed." 


Another ARPANET-collapse-like accidental virus effect

Jeffrey R Kell <JEFF%UTCHP1.BITNET@WISCVM.WISC.EDU>
FRI, OCT 9, 1987, 1:39 PM
[Response from Jeffrey to my message to him regarding the ARPANET collapse,
article by Eric Rosen, Software Engineering Notes 6 1, January 1981.  PGN]

Extremely interesting, and personally relevant.  I wrote the "RELAY" package
for Bitnet which is essentially a distributed message service of real-time
interactive messages as opposed to mail.  A "chat" if you prefer the
Compuserv example, only there are multiple Relays across a broad geographic
area (Bitnet is store-and-forward).  Each Relay services users in its local
area, and exchanges messages with its neighbors, who exchange redistribute
locally and further send to neighbors, etc.  It's a very simple flooding
algorithm since it is a closed network with no loops.

At any rate, a missing edit check and an innovative student discovered
that Relay allowed him to sign on to channel "1.0"; the code is written
in a high-level language and it asserted 1.0 to be a whole number.  The
message packet was created and with the "1.0" channel prefix header and
was then flooded to the neighboring Relays to update their user tables.
With that done, it then goes back to a ready state, which is handled by
a front-end Assembler routine.  The assembly code tried to download the
user table, in the process tried to pack and convert to binary the "1.0"
value, which abended on an data exception.  Meanwhile, the neighbors
receive the update, flood it, and try to go ready.  Abend for same.
The net result:  36 Relays on 4 continents abended almost simultaneously.

Moral of the story:  If it's garbage in, eat it :-)           /Jeff/


Computers and civil disobedience

Prentiss Riddle <rutgers!im4u!woton!riddle@uunet.uu.net>
6 Oct 87 22:27:47 GMT
We've heard much about computer crime for personal gain, about vandalism
committed by crackers out for kicks, and now "software warfare" in which a
superpower might attempt to undermine an opponent's warfighting capability by
sabotaging its software.  But has there been any discussion of real or
hypothetical civil disobedience by computer? 

A loose definition of "civil disobedience" might be nonviolent lawbreaking
by morally motivated individuals, often in what they perceive as obedience
to a "higher law" (e.g. constitutional or international law or a religious
or ethical principle).  A few famous examples of CD in the non-computer
world include Rosa Parks' refusal to move to the back of a bus, occupation
of power plants and weapons facilities by anti-nuclear protesters, and
"Plowshares" actions in which priests and nuns have destroyed components of
nuclear weapons.

It seems to me that as the computerization of society continues, the idea of
engaging in civil disobedience via computer is bound to come up more often. 
Some computer CD might resemble ordinary computer crime and sabotage except
for the motivation of the individuals carrying it out.  I've heard folklore
about politically motivated crackers for years now; do RISKS readers know of
any actual examples?

Other forms of civil disobedience might be engaged in by members of the
general public with no special expertise in computers, especially as
computerized communications systems become more pervasive.  For example,
rather than physically occupy a street or building, protesters might clog up
a computer network by engaging in bogus transactions.  (This has already been
done with telephone systems: reputedly some fundamentalist right
organizations have had to abandon their toll-free numbers after it became a
common pastime in certain gay and countercultural circles to call them up and
waste their money.  This was known as "the Falwell game.")

Like all civil disobedience, computer CD raises many ethical and tactical
questions.  Can anyone out there think of any particularly frightening or
promising scenarios for computer CD looming on the horizon? 

--- Prentiss Riddle ("Aprendiz de todo, maestro de nada.")
--- Opinions expressed are not necessarily those of Shriners Burns Institute.
--- riddle@woton.UUCP  {ihnp4,harvard}!ut-sally!im4u!woton!riddle


YAPB (yet another password bug)

Geof Cooper <imagen!geof@decwrl.dec.com>
Tue, 6 Oct 87 17:56:53 pdt
I just discovered that the much-touted BSD4.3 release of Unix
silently truncates passwords to 8 characters.  I found this out
by having an easier time guessing a password for an account than
I thought I would -- because the user name had 8 characters and
the password was the user name with a suffix.

Let's get this info out to the user community... BEWARE!

- Geof Cooper


News Media about hackers and other comments

Jack Holleran <Holleran@DOCKMASTER.ARPA>
Wed, 7 Oct 87 23:37 EDT
Two recent articles from "The Capital", the daily newspaper for
Annapolis, Maryland.  Both are re-typed without permission and
condensed.  Names of accused are deleted.

 = = = = = = =

October 6, 1987
 Teen computer 'hacker' to be tried as adult  (Page D1)
  By Lorraine Ahern -- Staff writer

 A Hanover youth who police claimed used a home computer to charge thousands
of dollars worth of electronic equipment to stolen credit card numbers will be
tried as an adult, a judge ruled yesterday.

 [NAME DELETED], 18, is accused of ordering more than $6,400 worth of computer
accessories and radar detectors, and having UPS deliver them to his family's
home address last summer.

 Circuit Court Judge Eugene Lerner granted a prosecutors request that [NAME
DELETED], who turned 18 last month, be charged and tried as an adult for
felony theft.

 "It's not a kid walking into a 7-Eleven and walking out with a Snickers bar
in his pocket," Assistant State's Attorney Eugene Whissel argued.  "It's a
mature crime for an adult --- a sophisticated crime."

... non-related discussion ...

 [NAME DELETED] mother said that [...] her son became depressed and "obsessed"
with the home computer he had set up in his bedroom.

 "Initially, I did think that it was good," said [his mother], who testified
that she was unaware of any UPS-credit card scheme.  "Getting him down to 
even eat with us ... he was on it all the time.  I knew it was not healthy.
I even took the plugs at times."

[He allegedly confessed that he got the equipment using an illegal MasterCard
number from a Brooklyn, NY computer contact through an electronic bulletin 
board.  The Secret Service is "already" being investigated by the Secret 
Service.]

During the same period last spring when state police began investigating
[NAME DELETED]' computer activities, police in Baltimore County arrested
a number of computer "hackers" in the Annapolis [MD] area and charged them
with gaining free illegal access to long-distance telephone service.

end of article


  'Hacker' pleads guilty  (page A13)
  By Lorraine Ahern -- Staff writer

 An Annapolis [MD] man pleaded guilty yesterday to stealing long-distance
telephone service using his home computer, which a judge ordered destroyed.

 In a case that began a year ago with raids on the homes of sever computer 
"hackers" in Annapolis and the Baltimore suburbs, J. Scott Meenen [...] pleaded
guilty to theft of service in Baltimore County Circuit Court.

 Meenen, a 28-year-old former audio-visual repairman [...], was put on
probation and ordered to pay back $477 to MCI Telecommunications for 
stolen long-distance service.

 Police claimed that Meenen had operated an electronic bulletin board known
to a circle of computer hackers as "The British Exchange."  Using an
automatic sequential dialing device, police said, the hackers would hit upon
MCI code numbers and then, sharing them on the bulletin board, use those 
numbers for free long-distance calls.

 MCI began to pick up on the unauthorized use of the codes through a 
switching station at Towson [MD (about 30 miles north of Annapolis], and
police ultimately traced the calls to computer telephone lines at several
addresses.

 MCI spokeswoman Pamela Small said yesterday[,] thefts that cost the 
long-distance carriers an estimated $500 million in 1986 alone have
decreased.

 Under Chesapeake & Potomac's [local phone provider] gradual conversion
to "equal access," long-distance carriers such as Sprint or MCI will no
longer need to assign code numbers for customers to dial.

 Equal access, which Ms. Small said is now 80 percent complete, means
that the subscriber can simply dial the long-distance number itself, as
they would if they used AT&T.

end of article
-----------------

Comments: During the 1987 National Computer Security Conference in Baltimore, 
Detective McCleod (sp?) of Arizona discussed that he likes to visit and
arrest youthful hackers when they turn 18.  This was based on a bad experience
in the court system for a case against a 14 year youth.  This youth was
successfully prosecuted and convicted to some community service and a 2 page,
hand-writted, double-spaced paper.  The "convicted" youth then demanded his
computer equipment back and got it.  He was not obligated to pay back the
fraud.  [I remember $14,000 but I could be wrong.]

 Maybe police and judicial activities like this will bring back the original
definition of "hacker".  

 If "equal access" reduces losses, maybe it's time to invest in those
companies.


Personalized Technology Side-effects

Scot Wilcoxon <umn-cs!sewilco@datapg.MN.ORG>
7 Oct 87 08:15:14 CDT (Wed)
"Computer Watch Aids Body ID     06-Oct-87   

   BLAUVELT, N.Y. (AP) - Police used a computerized wristwatch that had phone
numbers stored in its memory to identify a man whose body was found last week
in a park.  ...  State Police Inspector William Sprague said police tracked
down acquaintances of Bly's through his wristwatch, which had their telephone
numbers programmed into it." (remainder of article describes the death)

RISKS DIGEST was recently discussing implanted transmitters.  A computerized
wristwatch is not as threatening to one's privacy as an implanted transmitter.
But other personalized technology can pose threats to the users, or benefits to
society: A recent drug arrest near Minneapolis led to several more arrests
after police investigated a phone number from the memory of the drug dealer's
cellular phone.

These examples show the electronic equivalent of scraps of paper in pockets,
except that people are presently not usually aware of them nor know how to
alter them.

Medical technology with serial numbers can also be used for identification, at
least for dead people.  An anonymous live suspect with a surgical implant would
pose a dilemma, although there already have been court cases of evidence
(bullets) in living people.  Simple pacemakers with a serial number are already
numerous.  Near-future technology may cause more complications, such as a
computerized nerve replacement implant with a memory of recent motions (ie,
pulling a trigger or route recently walked).

Scot E. Wilcoxon, Data Progress     sewilco@DataPg.MN.ORG    +1 612-825-2607

(Peter: Pacemakers DO have serial numbers.  I called Medtronic and theirs
do.  I assume other manufacturers also have them in case of recall.)


Anonymity and high-tech

Nic McPhee <mcphee@ratliff.cs.utexas.edu>
Thu, 8 Oct 87 18:57:36 CDT
This is in response to the recent discussion of TV licenses and Brent
Laminack's comments concerning "Big Brother".

One of the greatest guarantees of privacy is anonymity.  For example, there's
hardly a house made that absolutely can't be burgled, and most would be rather
trivial, and police and crime experts have often stated that the best pro-
tection is anonymity - looking less interesting than someone else.  Similarly,
were someone *really* interested in you and your habits it probably would
not have been difficult for them to learn a great deal about you - where you
live, work, shop, relax, etc.  But anonymity protected you, because it was
just too expensive to do this checking on a random basis with no justification.

That's all changing now, because simple operations on readily available data-
bases can find the needle (us) in the haystack of teeming masses with very
little expense.  And a degree of anonymity is lost.  Many of us are still
as indistinguishable as before, but not all.  Going back to the example of
burglary, the potential exists for some smart crooks to do some neat cross-
referencing of addresses of people who buy (or even read about) high-ticket
items that are small in size and easily fenceable (cameras, electronics,
jewelry, etc. - many readers of this group would probably qualify) and target
them.  Going one step further, they might eliminate from this list people
with burglar alarms or a high chance of owning a large dog, or come better
prepared for such contingencies.

One aspect of this that I find particularly disturbing is its affect on the
notion of "innocent until proven guilty".  Barring widespread, indescriminate
government harassment, one of your biggest protections against being hassled
by the government was your anonymity.  If you're just an average Joe, then
there's no reason for the government to suspect you of anything, gratuitously
assuming guilt until convinced otherwise.  There was no return on the invest-
ment from the government's standpoint.  Not anymore.  Now they can assume
you're guilty ("You don't have a TV license, and you must own a TV, therefore
you must be guilty of not obtaining a needed license".) in some subtle ways
in their uses of database cross-referencing, and get a pretty good return
on their (minimal) effort.

    Nic McPhee  (mcphee@ratliff.cs.utexas.edu)

    [Incidentally, for those of you wondering how you can detect whether
    someone's TV set is in use, read Peter Wright's SPYCATCHER.  It is easily
    available outside of the U.K., and I understand copies are creeping into
    Britain at a great rate.  PGN]


Naval Contemplation [Humor] [A slip of a chip can sink a ship? PGN]

Don Chiasson <G.CHIASSON@DREA-XX.ARPA>
Thu, 8 Oct 87 00:46:20 ADT
Seen in Office Management and Automation, Sept.87, p. 4:

        +----------------------------------+
        |I've found the flaw, sir!         |
        |It's in this little computer chip.|
        +----------------------------------+        
                       |
                       |   /\
                       |  /  \     <==(huge ship, sinking)
                    .----/ o  \
                   / o  / o   /
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(Well, their graphics were better than mine.....)

Please report problems with the web pages to the maintainer

Top