Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Overseas readers of the article below should note that:
The House of Lords is the final court of appeal as well as (the unelected)
half of the legislature in the UK. Five 'Law Lords' (usually ex-judges and
the like) will sit in judgement on cases that get that far.
Legal precedents can be set in the courts when it comes to interpreting the
law, hence Lord Lane's comments in what follows: the judges can decide if
the existing Forgery Acts apply to passwords etc but cannot spontaneously
make up a new law to cover the problem in question.
Prestel is a dial-up electronic mailing system.
The Duke of Edinburgh is Prince Philip (the spouse of the Queen) - this case
therefore gained some notoriety, at the time, in the tabloid press because of
its 'Royal connection'. [And the mailbox was not really his private
mailbox, but rather a demonstration mailbox for him, according to private
communication to PGN from someone at Prestel.]
= = = = = = = = = = = = = = = = = = = = = =
Reprinted without permission from 'The Guardian', London 22 April 1988:
COMPUTER HACKERS WIN TEST CASE
The House of Lords yesterday ruled that the two computer "hackers" who broke
into British Telecom's Prestel computer information service were not guilty of
forgery.
In what was regarded as a test case, five Law Lords unanimously upheld a
Court of Appeal ruling that accountant Stephen Gold and computer magazine
editor Robert Schifreen had gained access to the data bank by a "trick" which
was not a criminal offence.
Mr Gold, of Watt Lane, Sheffield, and Mr Schifreen, of Edgeware Gardens,
Edgeware, North-West London, had used micro-computers to gain entry to Prestel
computers in 1984.
They made unauthorised alterations to data and charged account-holders
without their knowledge.
Mr Schifreen was said to have got into the Duke of Edinburgh's Prestel
messages file and left messages. "They were not terribly interesting," he
said. They were mostly about the birth of Prince William.
Lord Brandon of Oakbrook said: "Their object in carrying on these activities
was not so much to gain any profit for themselves as to demonstrate their
skill as hackers. It never occurred to them that they might be committing any
offence under the Forgery and Counterfeiting Act, 1981." In the Appeal Court,
Lord Lane, the Lord Chief Justice, had said: "Their conduct amounted in
essence to dishonestly gaining access to the relevant Prestel data bank by a
trick. That is not a criminal offence. If it is thought desirable to make it
so that is a matter for the legislature rather than the courts."
Lord Brandon said that he shared Lord Lane's view that the prosecution was
an attempt to "force the facts of the case into the language of an act not
designed to fit them."
The men had been convicted of nine offences at Southwark crown court in
1986. Last year they successfully overturned that ruling.
Lords Keith of Kinkel, Templeman, Oliver and Goff agreed in dismissing the
prosecution's appeal against the Court of Appeal's ruling.
Afterwards Mr Schifreen said: "I knew from the start that the Forgery Act is
not designed to apply to unauthorised access to computers."
[Doug McIlroy happened to be in London that day.
Here are some excerpts from his message. PGN]
London Times, Page 1, April 22:
The courts held that the prosecution had to prove that the hackers had
made a "false instrument" which they intended to pass off as genuine.
But this thesis was absurd because one and the same machine served as
both instrument and dupe. [Turing hoist on his own petard.] The facts
of the case did not fit the language of the act. The two hackers had
wanted to prove their skill, rather than to gain any benefit.
The Times also observed that hacking for gain or to inflict damage can be
construed as an offense, such as fraud or malicious damage, and that a
commission is studying whether a bill is needed to stop hacking for amusement.
The total is now 10 of British scientist involved in defense work who have died under mysterious circumstances in the past two years. Russell Smith, 23, assistant scientific officer at ultrasecret UK Atomic Research Energy Plant in Harwell, was ruled to have killed himself on 2 February 1988 by jumping from a cliff. Trevor Knight, 52, was found dead in his car in March 1988. He worked for the Marconi defense firm, as did several of the previous dead scientists. Most of the 10 mysterious deaths resembled suicides, but only three cases were actually ruled so by inquests. [Source: San Francisco Chronicle, 22 April 1988, p. A30. Previous cases were noted in earlier RISKS.]
Today's Washington Post and AP wires have some more info on the unpublished congressional report that the system would likely "suffer a catastrophic failure" the first time (and only) time it was used. The OTA report cautioned that the sheer complexity suggested that "there would always be unresolvable questions about how dependable ... (the computer) software was." ... "extrapolating from past experience ... it appears to OTA that the complexity of (ballistic missile defense), the uncertainty ... of the requirements it must meet, and the novelty of the technology it must control would impose a significant probability of software-induced catastrophic failure in the system's first real battle." (The Post, quoting the report)
In a classical asynchronous-attack scam (somewhat similar to the time-of-check- to-time-of-use [TOCTTOU] perpetrations), fourteen postal employees and three associates in NY City were accused of using insider knowledge to postmark their envelopes on time in the 1987 Super Bowl "Pick the Score" contest, and then stuff in the actual final score: NY Giants 39, Denver 20. Only 167 entries had the exact score, and at least 107 of those came from insiders. Selected randomly from those entries, there were 14 contest winners — 8 of whom apparently won through fraudulent means, collecting $85,000 out of the $100,000 awarded. The tip-off came when the $50,000 grand prize winner had a fight with her postal employee boyfriend, and reported the scam. [Source: New York Times, 20 April 1988, p.1] The implications on the opportunities to fake on-line computer time-stamps are self-evident.
The 9 April 1988 issue of the Washington Post carried a news item on the shoot-down of KAL Flight 007. A KAL pilot said that the pilot of the downed plane may have been the indirect victim of his autopilot computer. He asserted that KAL pilots had previously been reprimanded for having to return to their take-off point to correct an autopilot error. This involved an expensive fuel dumping in each case. The autopoilot is designed so that if one of its three computers disagrees, or the crew enters the trip coordinates (start and ending) incorrectly, the aircraft must return to its starting point (!!) so that the data can be re-entered. It has been suspected that the pilot of KAL 007 entered incorrect course data, but did not take action to correct the error, so as to avoid punishment. [For those of you new to this problem, the most plausible theory thus far seems to be that the copilot had inadvertently left the autopilot set on HDG 246 instead of switching to INERTIAL when passing over the outbound checkpoint, at which point they should have changed course.]
I haven't seen this reported in RISKS, so I thought I'd pass it along. In the
last 3 weeks, 3 military aircraft have crashed in Germany. All were
practicing low-flying maneuvers at the time. Two were F-16s; one was a
Mirage. The press says that, in each case, a much worse disaster was only
narrowly avoided (I can't judge how accurate this is). The crashes occured
just down the flight path from: a nuclear generating station, a munitions
dump, and an inhabited village. It seems that many air forces use the Eiffel
and Hunsruck areas (not far from me, actually, as the jet flies!) as practice
areas for low-flying missions (presumably because it's so challenging). The
German government is reported to be considering disallowing or restricting
such flights in future.
In all, 35 military aircraft have fallen out of the skies here since 1960. I
have no idea how this compares with other countries.
Michael
I just got an offer in the mail to try BIX. The mailing includes a BIX login name, in the same impression as my name and address, so I presume the login name is associated with me. They say that should I cancel, I'll be billed only for access time. What's to stop someone from fishing the card out of the trash ? if I use the offer, can I claim that as an excuse not to pay ? These are familiar issues I'd think, it's just that the delivery system they use is prone to abuse. I do not believe that I am under any obligation to shred, burn, or otherwise render unreadable unsolicited mail.
Rob Horn brought up an interesting issue when he spoke of the momentum that
a project gathers, which prevents it from changing direction when objections
are raised. I have an understanding with my supervisors which, among other
things, serves as a governor on a projects momentum.
When I first begin working, I (metaphorically) give my supervisor a number
of tokens, "good for one emergency each". My supervisor also receives
tokens at a given rate per year. One token is "spent" each time I am asked
to do something outside usual practice. "It's an emergency! Can you come in
on the weekend and finish it?" - one token. "I know it's not clean, and not
documented, but we need a fast and dirty fix!" - one token. The theory is
that occasional emergencies are unavoidable, but constant emergencies are
poor planning; the tokens provide a method of determining which is the case.
On a few occasions my supervisor has decided, "it's not such an emergency,
after all", to save the token for a *real* emergency.
The number of tokens provided, and the definition of an "emergency", can vary
according to the company and individuals involved. I have noticed that this
system motivates supervisors not to make commitments that can't be met without
"cutting corners".
---Chip
I am still working on the virus file (cf volume 6 number 45). It is now longer
than 360K and so will be archived and shipped with a copy of PKXARC (if you
use it etc.) However, the means of distribution to the States is through
my wife, who runs a theological college in Vancouver. American mail is
stamped with US postage and taken to border towns in Washington where some
of the American students live and work. Often there are challenged at the
border as to what they are carrying.
What with all the concerns over technology transfer and so forth, I can just
see the conversation between the hapless student (my wife told him he was
carrying a file of virus material) and the customs agent ("...you're trying
to bring *what* into the country?") If some of you don't get your disks
back, contact customs and immigration. (Come to think of it, we haven't
seen Russ since he took that last set of disks down last week...)
There is an article in "SCIENCE", Vol 240, 8 April 1988, pg 133-4 (News & Commentary Section) by Eliot Marshall about viruses: "The Scourge of Computer Viruses". This article among other things, says that "Computers & Security" April issue is devoted to the subject of viruses. AT&T Bell Laboratories, Whippany, NJ
The cover of the April 15, 1988 DATAMATION features the teaser "RISK! A new,
potentially dangerous element has been introduced into global markets and
businesses. The very same information systems that have enabled both to
flourish in the 1980s could cause them to perish in the '90s. In a world of
highly distributed pc power, complex networks, and database systems, risk has
become the third factor in the IS equation." The cover story itself ends with
"If you think today's vulnerabilities are going to be tough to cope with, wait
until tomorrow." [...]
Jim H.
I don't have the particulars of the following event, although I could probably
come up with them if necessary ...
I remember hearing a story about a cockpit wager where one member of the
crew asserted that the autopilot got its engine speed (or something similar)
info directly from the speed sensor, while another member of the crew disagreed
and said that the autopilot got its info from the RPM gauge circuit. They
decided to test this out in flight (this was a commercial airliner) by
shutting off one of the RPM gauges at the breaker ...
Sure enough, the autopilot got the message that the engine had slowed down
dramatically (to 0 RPM) and so it increased fuel flow. Shortly the
engine oversped and stalled, blew up, and sent a blade through the cabin.
The story goes that everything went fine until a woman began screaming
hysterically, saying that the man who had been sitting next to her in the
window seat had just *vanished*, seatbelt and all, through the 1-1/2 foot
hole in the cabin wall ...
The details probably aren't correct — it's been a while since I heard
this — but the spirit of the thing is.
-joseph hall
Please report problems with the web pages to the maintainer