The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 74

Sunday 1 May 1988

Contents

o KAL007 and Bourland's Electronic Warfare Theorem
Clifford Johnson
o Prestel Hacking
Brian Randell
o Uncritical acceptance of computer results
Paul L. Schauble
o Supermarket buying habits databases
Richard Wiggins
o Virus protection
Phil Goetz
o Info on RISKS (comp.risks)

KAL007 and Bourland's Electronic Warfare Theorem

Clifford Johnson <GA.CJJ@forsythe.stanford.edu>
Sat, 30 Apr 88 10:43:57 PDT
    From: Steve Philipson <steve@ames-aurora.arpa>
       The article in RISKS 6.70 by Clifford Johnson sent me reeling.

The evidence in R.W.Johnson's Shootdown sent me reeling too.

    To quote NTSB Part 830.1 Applicability:
        This part contains rules pertaining to:
       (a) Notification and reporting aircraft accidents and incidents and
    certain other occurrences in the operation of aircraft when
    they involve CIVIL AIRCRAFT OF THE UNITED STATES wherever
    they occur, or FOREIGN CIVIL AIRCRAFT WHEN SUCH EVENTS OCCUR
    IN THE UNITED STATES, ITS TERRITORIES OR POSSESSIONS.
    [emphasis added]

Besides the careful rebuttals in Shootdown, and besides the fact that the
NTSB automatically began an investigation in recognition of its plain duty,
the statutory definition indisputably applies.  KAL007 was off course RIGHT
FROM TAKEOFF - the cause of the accident happened in the U.S.A., maybe in
Washington.,D.C.  The error was major by the time the flight left the
guiding auspices of U.S.A.  controllers. I know the wording you quote was
the official excuse for squelching the inquiry, but that's all it was, a
lame excuse.  Do you seriously contend that the NTSB has no duty to
investigate why American-made planes with navigational systems that are
standard might take off in the wrong direction from U.S. airfields?

  Johnson refers to _Shootdown_ by R.W. Johnson, who provides "astonishing"
  evidence that KAL007 was on an espionage mission.  This certainly is
  astonishing, as all other available information leads away from this
  conclusion.

One of the astonishing things about the evidence in Shootdown is the fact that
it shows amazing failures to report key evidence in the United States press.  I
doubt if you can find any potentially important piece of information not
covered in Shootdown, and books like Hersh's are a joke by comparison.  I
understand your incredulity, because the U.S. media has all but successfully
stamped out proper consideration of the evidence.  There is a sort of
presumption that the press would report and evaluate key evidence, and that it
has kept quiet is interpreted as a sort of proof that the evidence does not
exist.  Indeed, you make this very argument, citing the reliability of the NYT.
But the New York Times in not reliable in reporting such matters.  For example,
after the U-2 shootdown, it parroted Eisenhower's lying denial, although it was
later learned that the editor had known about the illegal spy flights for
months, without informing the readership.  The disinformative disregard of
KAL007 facts by the American press is noted in detail as appropriate throughout
Shootdown.

  What has all this to do with RISKS?  If we classify a massive error as a
  deliberate act, we dismiss the need for investigation as to why the error
  occured, and remove all possibility of discovering and/or correcting any
  problems.  The "deliberate act" explanation is a variation on "pilot error".
  If an accident is simply hand-waved away as "pilot error", we lose the
  opportunity to understand what in the system allowed that error to occur, and
  we do nothing to decrease risk and the possibility that the error will occur
  again.

So you think that the NTSB should have investigated the cause of KAL007's
taking off in the wrong direction?  Here, here!

  The really interesting things that have come up in the investigation of this
  incident are the multiplicity of ways designing systems that are more safe.

No one designed a safer navigation computer because of all these theories.
All of the multiplicity of theories of errors have been demonstrated to be
fatally inconsistent with KAL007's course, unless one chooses to believe
that the radars were all wrong.  It's the inability to devise even one not
incredible sequence of errors to fit the route that is of interest.  And
that is why my submission belonged on RISKS.  There are instances in which
we should point to the inadequacy of "computer/operator error" explanations,
i.e. excuses, and in my opinion this is one of those instances.

Since virtually all my information is from Shootdown, I will simply refer
readers to this book for further facts, and not respond further myself re
KAL007.  But setting this aside, I'd be interested any other applications of
Bourland's Electronic Warfare Theorem.


Prestel Hacking

Brian Randell <Brian_Randell%newcastle.ac.uk@NSS.Cs.Ucl.AC.UK>
Sun, 1 May 88 13:33:11 +0100
  The most celebrated "telephone hacking" court case in Britain so far involved
penetration of British Telecom's Prestel viewdata service. Legal history seemed
to have been made when the perpetrators were convicted of having committed
forgery! However the Appeal Court threw out the conviction, and this decision
has just been finally confirmed by the House of Lords. Thus in Britain, at any
rate, it seems that new laws will be needed to cope with such activities.

  On April 28, the Guardian carried a lengthy article, written by one of
the hackers. It is given here, in its entirety (without permssion), for the
editor to hack out those parts which are most likely to be of interest to
the RISKS readership. [Why should PGN have a British Telecom-like monopoly on
bad puns!]

Brian Randell


HACKERS LET OFF THE HOOK

Steve Gold explains what really happened in the Prestel case, resolved by the
the Lords last week:

  "The first inkling I had that there was a world ready to be dialled up was
when British Telecom installed international direct dialling in my home town,
Sheffield, back in 1971. I soon discovered that you could dial certain codes
and, subject to a slight deterioration in call quality, not incur any charges.

  This cost me dear. In May 1975, along with several other Sheffield students,
I was fined (pounds)100 for placing national and international telephone calls
without payment.

  Several years later, in 1983, I bought a computer. And while I was fiddling
away with my Sinclair Spectrum, East Midlands Allied Press was busy negotiating
with British Telecom to launch a microcomputing service on Prestel: Micronet
800. Initially the service was available to users of the Acorn BBC micro, but
soon Micronet and Prestel launched a Sinclair Spectrum hard-wired modem, the
Prism VTX5000. In August 1984 I bought one for (pounds) 74.95.

  I was equipped to use Prestel, but Prestel was boring. While waiting to be
admitted to Micronet 800, I discovered that, if you sounded plausible enough,
you could gain editing rights to unrouted pages on the Prestel database. These
pages were known as the prestel Scratchpad.

  A friend and I joined forces and developed a software editor for the
Spectrum/VTX5000 combination and, much to Prestel's incredulity, began to use
it to edit Prestel pages offline and upload them to the database. Before long,
Micronet 800 hired us to edit pages on their database.

  In the summer of 1984, an electronic acquaintance (we had never met) told me
that he'd discovered a simple ID of ten 2s and a password (1234) which gained
admission to Prestel without paying.

  That was Robert Schifreen, and the ID was a Mr G. Reynolds, whose profile
on Prestel identified him as a member of BT staff. He was entitled to look
at areas on the database not normally accessible to members of the general
public.

  Those pages contained the nucleus of how Prestel worked, right down to the
telephone numbers of Prestel computers we'd never even heard of. One of these
"development computers" had an unusual log-on frame: it welcomed modem users
with, and prompted them to enter, their ID and password. It had a series of
numbers on its log-on frame which both Robert and myself recognised as a
Prestel ID and password.

  Keying in these numbers resulted in the user logging on (that is, gaining
admission to the database) as the system manager. The system manager could do
things with Prestel that no other user could do. this included interrogating
the user files to obtain IDs and passwords by the cartload.

  Thus, at the press of a few keys, the system manager could obtain information
that enabled him or her to log on as any other subscriber on the system. Also,
using information-provider IDs and passwords, it was possible to alter or amend
pages.

  We had hacked Prestel at the highest level.

  However, power brings responsibility, and since we were both active
contributors to the Micronet database, we approached Micronet's staff to show
them. Micronet duly contacted Prestel, who were made aware of the incredible
loophole in their security.

  Prestel strove to protect the integrity of their database. Changing
everyone's ID on the database was not worthwhile, in its opinion. Information
providers - high-ranking subscribers who rented their own pages - were seen as
a high risk, since anyone using their IDs and passwords (obtained using the
system manager ID) could alter or delete pages at will.

  So within a matter of days, Prestel changed the information-provider
passwords. But they made a mistake. Instead of changing them completely, they
merely transposed the access and editing passwords! Since Robert and I were
editors on the system (using Micronet-supplied IDs) we were notified that our
original passwords of (say) ABCD and 1234 had turned into 1234 and ABCD.

  After a phenomenal process of deduction, we applied the same transposition to
a selection of information-provider passwords in our possession. They worked.

  Fortunately for BT, information providers realised the crassness of Prestel's
attempt to plug its security and changed their own passwords, thereby barring
normal (but unauthorised) access to Prestel editing facilities to Robert and
myself.

  But amazingly, Prestel had left a trapdoor for us to use. The high-speed
update ports, by which information providers could edit their pages in bulk,
required only an editing password. Most information providers kept their own
editing password, believing that their access passwords had been changed.

  After noting a little judicious editing, Prestel was faced with the awful
truth: it's security division had said that the hacker problem had been
resolved, yet pages were being changed again under their noses. Prestel finally
changed its information-provider IDs and passwords, thereby plugging the gap.
And that seemed to be that.

  We had told Prestel (via Micronet) about the security lapse. We'd also had a
little fun at Prestel's expense. Prestel recognised what we had done, and that
we hadn't done anything stupid such as altering or deleting pages on the
database. The incident passed into history, or so we thought.

  During October and November, Prestel placed a telephone tap on Robert's north
London home telephone line. After monitoring his activities they found he was
frequently calling a Sheffield number (he was comparing notes with me). By
January 1985, they thought they had enough information to prosecute us both.

  Had we know about it, we would have expected a prosecution under the Theft
Act - for theft of (minute amounts of) electricity. But Prestel and BT were
worried about computer-hacking. IDs and passwords were being exchanged at an
alarming rate. Prestel IDs (as passwords) were assuming the same level of
security as train numbers. ID spotters (apprentice hackers) were hanging around
on Prestel, using the message boards (chatlines) to exchange passwords.

  BT logged Robert sending me an electronic mail message (using someone else's
ID and password). The message contained the ID and password of that account.
BT later produced that message in court as confirmation of our hacking
activities. Unknown to BT (and Robert) however, I had already obtained this
particular ID and password from the Prestel chatlines. I already knew that
these particular details were passing around dozens of users.

  Prestel had problems. Hordes of youthful users were staging multiple log-ons.
One particular group even boasted of its intention to "clock' an account one
weekend.

  Like car mileometers, Prestel accounts had a rolling tally of the charges on
an account. These went up to (pounds) 9,999.99, at which point the meter would
roll over to zero and start again. The chatline boasters intended continually
to access chargeable areas of the database until the (pounds) 10,000 mark was
broached. Such pointless activities took place often in 1985. Prestel thought
they had tracked two major hackers in Robert and myself. In fact they had
latched onto two journalists who were compiling a dossier of online security
breaches. The real hackers were - and are - still at large.

  On Tuesday March 26, two groups of police officers and BT staff
simultaneously raided my house in Sheffield and Robert's house in north
London. We were both driven to Holborn police station in London and held
overnight and throughout most of the following day. It was with some amazement
that I discovered in the course of my interview with Detective Inspector John
Austin and BT security chief Ron Aston, that I had been arrested for hacking.
Up to that point I had suspected that someone - probably an online acquaintance
- had committed a major bank robbery.

  We were subsequently charged with committing a number of offences contrary
to the Forgery Act 1981. Forgery is, we were told, a serious offence and can
carry a prison sentence of ten years. Ten years - just for breaking into
Prestel, and telling them what we had done!

  Rather than printing dud fivers in our kitchens we had "forged" an area of
Ram (random access memory) in the Prestel computer - using our modems over the
telephone line - which existed for about one fortieth of a second before being
wiped clean. Could BT provide the instrument (the area of Ram) in court, the
judge asked. No, since the area of Ram was etherial. It was, in fact, an area
of the program known as the user segment. Our guilt or innocence hinged on
how an electronic signal was interpreted by the court.

  We were convicted and fined, but the case came up for appeal in July last
year. The three Appeal Court judges - presided over by Lord Justice Lane -
mulled over the arguments. Several weeks later, Lord Lane announced he was
quashing the conviction, calling the case a blatant attempt to mould the facts
of the case to fit the scope of the Forgery Act.

  I was dismayed to discover that BT had applied to take the case further, to
the House of Lords. But the highest court in the land concurred with Lord Lane's
decision from the Appeal Courts that, if hacking was to be considered a crime,
then a change in the law was required.

  We are free, but the issue remains unresolved."


Uncritical acceptance of computer results

<portal!cup.portal.com!Paul_L_Schauble@Sun.COM>
Sat Apr 30 17:04:33 1988
My mental library of computer system risks contains an item about an experiment
involving electronic calculators. The researchers assembled a group of
engineering undergraduate students and gave them gimmicked calculators. These
calculators would give answers that were related to the numbers entered, but
which were wrong by various amounts. They then gave the students problems
from their lab work to calculate. They were looking to see how far wrong the
calculators could be before the students noticed problems.

As I recall the results of the experiments, they effectively never did notice.
It seems that the fine art of estimating reasonable answers as a check went
out with slide rules.

Now, I need a specific reference to this study. A friend is considering doing
something similar to update the work to computers. I recall reading about the
original sometime in the mid seventies. Can anyone help out?


Supermarket buying habits databases

<Richard_Wiggins@um.cc.umich.edu>
Fri, 29 Apr 88 23:22:40 EDT
Stanley Quayle's report of supermarkets using Social Security Numbers
to keep up with buying habits is a matter for concern, but it's
probably not uniquely nefarious.

In Michigan we have driver licenses that are not based on SSN.
Instead, they are a hash function on the person's name.  (In
fact, the same function is used by some other states; I once
knew someone who moved to Michigan and was surprised to learn
his driver license number remained the same.)

Supermarkets that I use also perform online validation of checks.
A department store that I shop at also allows credit card
customers to cash checks.  When you do so, they key in the
driver license number as well.  Once I noticed the clerk make
a typo as she typed mine in.  Before I could speak up, the
register said "Approved" and she'd finished the transaction.

It seems clear that in fact the check approval process is simply
querying a list of hot numbers.  If your driver license number
has not been added to the list, you are approved, and the
transaction continues.  This is a read-only transaction.

Now, clearly down the road there is cause for concern.  As
storage capacity gets cheaper and  cheaper it might become
economical for stores to keep up with this information.
I've read claims that stores would like to send personalized
brochures based on your buying habits.

In fact, I've wondered if stores like Sears don't already do
so.  I assume Sears keeps mailing me its Big and Tall catalog
because I occasionally order their products.

So, although I think the supermarkets have too much traffic
to keep up with how many avocados each of us buys, it may only
be a matter of time until they  can.  When they do, I don't
think those of us in states that don't use SSN have any
greater privacy than Ohioans.


Virus protection

<PGOETZ%LOYVAX.BITNET@CUNYVM.CUNY.EDU>
Sat, 30 Apr 88 16:04 EST
Somebody (I forget who) said,

>To suggest that [write-protection] is 100% effective against a virus is to
>overstate.  Studies in biology suggest that a virus can thrive even in a
>population in which a large percentage of the members are immune, if a there
>is sufficient commerce among the non-immune members...

>Depending upon design of the virus, the target system and population, and the
>chosen distribution vector, the effectiveness of this mechanism against the
>spread of the virus might vary from high to none at all.

   Now, think about that for 2 or 3 seconds.  If you turn on your machine,
write-protect all the drives, run a virus unknowingly, and turn off your
machine, you will NOT be infected by any possible virus.  It is IMPOSSIBLE
unless you have bubble memory or FRAMs or something like that.  When you
turn the machine on next, it is in the same startup configuration as before.
The biology analogy is unapplicable.
   Of course, if you are using your computer as a terminal, you might
move a virus between accounts on a mainframe, or between different
computers you dial up.  But your computer is protected.

Conclusion: Write-protecting the hard drive can offer 100% protection.

Phil Goetz

   [But you are assuming that between the time you "turn on your machine"
   and the time you write-protect all the drives that you have not already
   been done in.  How do you know the operating system has not already been 
   compromised?  How about workstations on which files must be downloaded
   from a file server?  How about workstations with no hard disk?  In general
   there is no such thing as 100% protection (despite Fred Cohen saying he can
   detect all viruses).  There are far too many vulnerabilities in most
   systems, with lots of security flaws and opportunities for Trojan horses
   that run with all of your normal privileges... "Anything you can do, I
   can do better," said the Trojan horse.  PGN]

Please report problems with the web pages to the maintainer