The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 5 Issue 44

Thursday, 15 October 1987

Contents

o Costly computer risks
Gary A. Kremen
o Re: News Media about hackers and other comments
Amos Shapir
o Mailing Lists
Lindsay F. Marshall
o Discrimination considered pejorative
Geraint Jones
o Re: Anonymity and high-tech
Brint Cooper
o Pacemakers
Hal Schloss
o News Media about hackers and other comments
Bob English
o Password bug - It's everywhere.
Mike Russell
o Re: YAPB (yet another password bug)
Brint Cooper
o Civil Disobedience
Scott Dorsey
Bill Fisher
Eugene Miya
o Phalanx Revisited (Risks to Carrier Aircraft)
Marco Barbarisi
o SSNs
Bill Gunshannon
o Info on RISKS (comp.risks)

Costly computer risks

Gary A. Kremen <89.KREMEN@GSB-HOW.Stanford.EDU>
Tue 13 Oct 87 17:28:10-PDT
From The Wall Street Journal of October 13, 1987 page 47:

"But the DOT [Direct Order Transfer - a computer system that makes
large-scale stock trading faster and more efficient] system isn't
foolproof, either.  Mr. Nelson [whom the article is about] said he
heard a story about a man who pushed his DOT button intending to buy
one $25 million package of securities. When he didn't get a
confirmation of his order, he hit the button again, and then again and
again. A few minutes later, he received four confirmations showing
that he had just bought $100 million of stock."

The article itself is very interesting for those who are looking for
another view on a topic that has been discussed is RISKS for some time
- computer assisted stock trading and "program trading."


Re: News Media about hackers and other comments

Amos Shapir <nsc!taux01!taux01.UUCP!amos@Sun.COM>
14 Oct 87 14:22:44 GMT
Jack Holleran <Holleran@DOCKMASTER.ARPA> writes:
> An Annapolis [MD] man pleaded guilty yesterday to stealing long-distance
>telephone service using his home computer, which a judge ordered destroyed.
                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^
Talk about computer phobia! This must be the silliest court decision
since a boat was put to the gallows in the 17th century!

Amos Shapir, National Semiconductor (Israel)
6 Maskit st. P.O.B. 3007, Herzlia 46104, Israel  Tel. +972 52 522261
amos%taux01@nsc.com (used to be amos%nsta@nsc.com) 34 48 E / 32 10 N


Mailing Lists

"Lindsay F. Marshall" <lindsay%kelpie.newcastle.ac.uk@NSS.Cs.Ucl.AC.UK>
Thu, 15 Oct 87 10:28:59 BST
Only 17 categories of people!! That's not very sophisticated - Britain is
broken down into 45 distinct groups by one of the companies who sell mailing
lists. They have a very neat acronym for this system which eludes me at the
moment. They have also introduced a new system called "Monica" which
classifies people by their first names (Monica is a slang pun - I don't know
if it is meaningful in the US). The idea is actually very obvious - certain
first names are popular at certain times and don't get recycled at regular
intervals so having a first name like "Florence" tends to indicate that you
are older, whereas "Darren" is a younger person's name. I don't know how this
would apply in the US, but the short extracts I have seen are strikingly
accurate when compared with people I know. It does fall down on names like
"John" and "David" which are perennial favourites, and also on very unusual
names or he/she names like Lindsay of course.

Also on the subject of mailing lists, there was an interesting letter in the
Guardian from someone who received a batch of junk mail about investments,
expensive holidays and subscribing to the Tory party. The man has no money
and has been unemployed for 2 years. The letters started arriving six weeks
after he had a letter printed in the Times newspaper...
                                                             Lindsay

                [I wouldn't want to Harm Monica, but a moniker is a
                nickname, as is Nick, and Phil (Harmonica?).  PGN]


Re: Anonymity and high-tech

Brint Cooper <abc@BRL.ARPA>
Tue, 13 Oct 87 21:11:53 EDT
Nic McPhee's essay on anonymity reminded me of an innocent-looking way
that names and demographic information are entered into
frequently-merged databases:  the so-called "warranty registration"
cards that come with nearly everything that we buy.   What our sex, job,
age, and gross annual income have to do with validating the warranty on
a TV or a computer escapes me.  While government doesn't necessary get
ahold of these databases, shady characters in the private sector should
have no trouble posing as legitimate businesses and buying these
databases.

On a related note, and one not directly related to risks in computers
(sorry Peter), the British Government's use of "questionable" means of
searching for unlicensed TV receivers may not in fact be a violation
of THEIR law or traditions.  In many ways, the British system is far
less protective of an individual's rights than is ours in the U.S.


Discrimination considered pejorative

Geraint Jones <geraint%prg.oxford.ac.uk@NSS.Cs.Ucl.AC.UK>
Thu, 15 Oct 87 10:04:04 BST
Yes,  yes,  I too get the annoying annual letter asking me why I haven't got a
licence for my non-existent  television.  I thought  everyone  did.  You can't
mean to say that some people have televisions?
    Surely  the greatest risk of all this information  refining is the risk to
the ego  of the  individual  who  thought  he was  unique,  or at least  in an
`elite'-sized  minority.  I mean,  I thought  I was  the only  bald,  bearded,
Methodist,  owner of a tandem  south  of the Trent;  what am I going  to think
when  I get  the  direct-mail  advertisment  for a hair  restorer  and a beard
trimmer  in with  my invitation  to a tandem  rally  from  the  church's  home
mission division?
    Perhaps there is some comfort here for Cliff Jones' original paranoia.  He
was originally bothered --  RISKS 5.38 --  by the suggestion that he was being
marked down as a potential lawbreaker and that someone might carelessly  treat
that as being the same as having a criminal  record.  I cannot yet conceive of
being in a mechanically-detectable  minority small enough for it to be safe to
make  wild  generalisations  about  us.  To be lumped  in with a large  enough
proportion of the population is not to be discriminated  against in any new or
unusual way.
    There are,  for example,  one in twenty of us (not 1%, as Ian Batten RISKS
5.42)  in the  UK without  haunted  goldfish-bowls  in  our  houses.  I forget
whether  that  is  5%  of  the  population,  or  5%  of households  --  we are
uncommonly likely to be one- or two-  person households,  so it is a different
proportion.  What is depressing is the number of us who seem to be in computer
science.                                                                    gj


Pacemakers (Re: RISKS-5.43)

<psivax!woof%psivax@csl.sri.com>
Wed, 14 Oct 87 17:04:29 PDT
In this issue of comp.risks you wrote . . .
>(Peter: Pacemakers DO have serial numbers.  I called Medtronic and theirs
>do.  I assume other manufacturers also have them in case of recall.)

    Why don't you drop us a line if you have questions about pacemakers.
I believe we are the only pacemaker company on the net right now. Currently
we are about #3 worldwide and growing. We currently have pacemakers with and
without serial numbers; they made be read electronically without explanting
the pacemaker. In general the trend in the future will be towards such
numbers. They are actually most useful for identifying whether we have a
problem with our manufacturing process. If we know the serial number of the
problem pacer, then we can identify which components when into it, and who
worked on it here. (All our pacemakers have serial numbers, but the older
one can be read only on the outside of the pacemaker. Our more complicated
pacemakers store their number electronically, which can be read by a
pacemaker programmer.  I work on pacemaker programmers.)  --

    Hal Schloss  Pacesetter Systems Inc., A Siemens Company
 {sdcrdcf|ttidca|scgvaxd|nrcvax|jplpro|hoptoad|csun|quad1|harvard|csufres|
  bellcore|logico|rdlvax|ihnp4|ashtate}! psivax!woof
  ARPA: woof@rdlvax.rdl.com


News Media about hackers and other comments (Re: RISKS-5.43)

Bob English <lcc.bob@CS.UCLA.EDU>
Tue, 13 Oct 87 18:56:11 PDT
> From:  Jack Holleran <Holleran@DOCKMASTER.ARPA>
> Subject:  News Media about hackers and other comments 

> MCI spokeswoman Pamela Small said yesterday[,] thefts that cost the long-
> distance carriers an estimated $500 million in 1986 alone have decreased.

> If "equal access" reduces losses, maybe it's time to invest in those
> companies.

This is a very curious kind of loss.  If they stole $500 million dollars
in services, the company didn't lose $500 million, unless somehow they
were unable to provide $500 million dollars in service to someone else
as a result of the misappropriation of resources.  While there would be
some of that, I find it very difficult to believe that the real number
is even a significant fraction of that.  There are other real costs
associated with this sort of theft--loss of goodwill by the mischarged
party, accounting costs associated with rebalancing the books, etc--but
those are probably small as well.

In short, the companies have a vested interest in making their losses
appear as large as possible.  While they show a paper loss of $500
million to theft, all that was stolen was paper money that will not be
replaced if the theft ceases, and their revenues will not increase by an
appreciable amount.

Phone theft is not so much an economic problem as a social one.  The
phone companies pursue the legal aspects of it quite aggressively
because they want to prevent it from becoming widespread enough to do
actual damage, but they don't take obvious preventative measures to
prevent it or detect it earlier.  They don't, for example, look for
sudden large changes in service levels and flag them as suspicious.

--bob--

P.S. I heard the other day that the average driver commits about 10
traffic violations every mile here in California.  I'm looking forward
to the day when the CHP can track my car through its computers.


Password bug - It's everywhere.

<To: risks@csl.sri.com>
Thu, 15 Oct 87 15:00 EDT
After reading Geof Cooper's posting on the password truncation problem,
I tried it on every Unix machine I could find.  Only the first 8
characters counted on any of them.  Here's the list:

       Machine            Operating System
     ----------         --------------------
      VAX 750              Ultrix 1.2
      VAX 8600             Ultrix 2.0-1
      VAX 750              Berkeley 4.3
      Celerity 1260D       Accel Unix 3.4.78
      IBM RT-PC            AIX 1.2
      Sun 3/160            3.0

Looks like this bug has been there for quite some time - maybe since
   the beginning.  Can you spell propagation?  Maybe this bug
   can be used for some copyright infringement suits?  I suppose
   all of the Unix-computer producing companies assumed this part
   of the code worked and didn't need looking at.  My guess is that
   there are actually few of us who use more than 8 characters anyway,
   so the implications are not as severe as it might seem, but it
   sure decreases the search time.  Where might the most serious
   implications of this be?  Unicos machines with classified data?
   Other defense machines?
                                        -Mike Russell


Re: YAPB (yet another password bug)

Brint Cooper <abc@BRL.ARPA>
Tue, 13 Oct 87 20:57:11 EDT
Geof (no relation) expresses surprise that 4.3 Unix "silently" truncates
passwords to 8 characters.  Was this a secret?  Did not 4.2 and 4.1 do
the same?  I don't believe that there has been a 14-character password
since the days of the PDP-11.
                                              Brint

      [More importantly, any algorithmically generated password is easier
      to crack...  In this case, once you know more than one password, you 
      could easily infer the algorithm...  With my 7-character name, I get
      only one free character.  The password generating scheme Geof refers 
      to is much dumber than the 8-character truncation.  But it is nice to
      know about the truncation!  PGN]


Civil Disobedience (Re: RISKS-5.43)

Scott Dorsey <kludge@pyr.gatech.edu>
Wed, 14 Oct 87 17:52:39 EDT
In Risks Digest 5.43, I find:
>It seems to me that as the computerization of society continues, the idea of
>engaging in civil disobedience via computer is bound to come up more often. 
>Some computer CD might resemble ordinary computer crime and sabotage except
>for the motivation of the individuals carrying it out.  I've heard folklore
>about politically motivated crackers for years now; do RISKS readers know of
>any actual examples?

   I seem to recall a mention that the Berkeley computer center was
occupied by protesters sometime in the sixties, who claimed that the
computers were being used for war work.  A sit-in was staged, as well 
as the damage of some equipment and a large number of tapes.  I don't
know precisely if any significant damage was done.

   On a slightly more current note, a couple of years back, a student
who was upset with the student government policies here at Georgia
Tech formed an organization called the Barbecue Liberation Front
(the gripe, as I recall, had something to do with a cancelled cookout),
which among other things froze the student government accounts, and
sent messages to all users each second on one of the undergraduate 
class machines, making it unusable.

   This is as close to political motivation as I have ever seen on
the Tech campus.  Although it may be a rather pitiful example, it is
as political as anything ever gets in a place where Poly Sci profs
refer to the Washington Post as an "anarchist rag."

Scott Dorsey   Kaptain_Kludge
SnailMail: ICS Programming Lab, Georgia Tech, Box 36681, Atlanta, Georgia 30332
Internet:  kludge@pyr.gatech.edu
uucp:   ...!{decvax,hplabs,ihnp4,linus,rutgers,seismo}!gatech!gitpyr!kludge


Civil Disobedience (Re: RISKS-5.43)

<bfisher.ES@Xerox.COM>
14 Oct 87 13:19:13 PDT (Wednesday)
Anent Prentiss Riddle's comments on Civil Disobedience - (CD)-- I
suggest that 'Civil Recalcitrance' (CR) is already here. This is defined
as nonviolent copping out by using the 'computer' as a shield. Two
recent examples --(1). Eight weeks for one of the country's largest
insurance companies to issue a check for a health insurance claim --
("I'm sorry - it's in the computer and there's nothing we can (read
'want') do about it; (2). Repeated billing for an item no longer in use
and returned to the lessor. (I'm sorry, the rental data base is in a
different computer than the return for credit base and they don't talk
to each other). The only (simple) way to clear this was to pay the
rental data base people for the item, even though the sales data base
people had already been paid by return of the item. 
                                                         Bill Fisher


Computer civil disobedience

<eugene@ames-nas.arpa>
14 Oct 87 10:31:20 PDT (Wed)
Prentiss Riddle brought up the topic of computer civil disobedience.  The
example of Falwell is an excellent one, and I believe that some
organizations have thought about this type of blocking both for offense and
defense.  First, the organizations that are really worth blocking typically
don't have dial-in access.  Second, some "good organizations" might be
`blocked' by those with differing opinions (creationists blocking science
BBSs?).  But the real reason I wanted to send you this is to point out that
some bureaucratic organizations like the FBI and Service Service take dim
views of civil disobedience, partly this is because of their mission.

Recently, a Vietnam Viet lost his legs to a train in an act of civil
disobedience at the Concord Naval Weapons Station.  All parties agree
this is a tragic act.  If anyone is going to embark on computer
civil disobedience, they had better think about all possible consequences
INCLUDING getting shot.  The people who work for the SS and FBI may
not know computers very well, but computers are increasingly used in
criminal capacities.  At the time of suspicion, they (their perspective)
might not have the time to evaluate, but might run into a building with
guns drawn when there are only teenagers there.  The situation for them
is something similar to the issue of Toy Guns; it's that WE see the
situation from a different perspective.  Softwar is a real possibility
for these people (even though they may not be aware of it, now).

One of the risks of computers we have not discussed is the "evil" unintended
(and non-military) uses of computers.  One BBS in the Bay Area (noted as a
headline story) was a neo-Nazi BBS.  Dan Pasquale of the Fremont PD is most
concerned with the BBSs of pedophiles.  More likely than not there are
neo-Nazis and pedophiles reading RISKs, so "evil" is a minority perspective.
The problem becomes discriminating between crime and liberties, disobedence
versus threat [sorry, I lost the "real" word].

I don't wish to defend the actions of what I regard as an increasingly
police-state mentality of the country (it's largely, "WE" the people
who are pushing this BTW), but I do wish to avoid severed legs and
teenagers shot by carrying laser tag pistols.

--eugene miya


Phalanx Revisited (Risks to Carrier Aircraft)

Barbarisi <marco@ncsc.ARPA>
Wed, 7 Oct 87 13:34:20 CDT
Are US Navy aviators at risk from Phalanx systems on their own ships?  I
mention this because I noticed that aircraft carriers have Phalanx guns
mounted at the stern of the ships - in a perfect position to shoot at
aircraft approaching a carrier for a landing.  I noticed this while
glancing at a Varian advertisement on page 2 of the Oct. 87 issue of
Defense Electronics.
                              Marco


SSNs

Bill Gunshannon <bill@uunet.uu.net>
5 Oct 87 13:17:57 GMT
From: bill@trotter.usma.edu (Bill Gunshannon)
Organization: US Military Academy, West Point, NY

In response to an article in:
RISKS-LIST: RISKS-FORUM Digest  Wenesday, 30 Sept 1987  Volume 5 : Issue 41
>From: P. T. Withington <PTW@YUKON.SCRC.Symbolics.COM>
>Subject: Re: Risks in the Misuse of Databases? [RISKS-5.40]
>                                                                 All
>this despite existing laws that state SSN's are to be used only for
>social security and not as a identification number.                

I think it is time we put this notion to rest once and for all.
How can you say that is the only legal use for the SSN when I was just
required by law to get my daughter (8 yrs old) a SSN and I will have to
include that number on MY income tax return from now on.  Now, unless
they have revoked the child labor laws, she is unlikely to need that 
number, for Social Security purposes, for at least 9 more years. :-)

bill gunshannon
Martin Marietta Data Systems USMA, Bldg 600, Room 26 West Point, NY  10996
UUCP: {philabs}\            WORK    (914)446-7747
      {phri   } >!trotter.usma.edu!bill           
      {sunybcs}/                      

Please report problems with the web pages to the maintainer

Top