The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 08

Tuesday, 12 January 1988

Contents

o Missent Missives
Martin Ewing
Leonard B. Bliss
o Touch-Tone Risks
Andrew Vaught
o American Express Computer Problem 2
Frank Wales
o Re: PCs die of New Year Cerebration
Scott Nelson
o UK Logic Bomb Case is Thrown Out
Geoff Lane
o SSN abuse warned about long ago
Richard Brown
o SSN Required Disclosures -- library social security privacy
Steve Cisler
o Info on RISKS (comp.risks)

Missent Missives

Martin Ewing <msesys@DEImos.Caltech.Edu>
Tue, 12 Jan 88 15:05:39 PST
Telex service does give you a more-or-less positive feedback as to whom you've
been connected to.  It's called the "answerback code", which is sent at the
initiation of a connection and whenever you (the sender) transmit a WRU (who
are you) control character.  Each machine is give a supposedly unique (and
usually mnemonic) code when it is installed; it has a length of 8 characters
or so.

You might think a campaign manager would alert to the Washington newspaper's
answerback, but it's all too easy to overlook the code until after the message
is sent.

Telex is an odd medium, slow and fundamentally two-way, but it
is almost always used in a one-way unattended receiver mode.

Martin Ewing, Caltech

   [It used to be a relatively easy matter to break off a few tynes on
   your answer-back drum, or indeed install a different one, thus being
   able to masquerade as someone else.  Perhaps it is harder now?  
   Somehow I doubt it.  PGN]


Missent Missives

Leonard B. Bliss <ecsvax!blissl@mcnc.org>
Tue, 12 Jan 88 10:46:11 est
Joe Morris asks, concerning misdelivery of E-mail due to human error,
"What feedback mechanisms are (should) there be to prevent this kind
of misdelivery for electronic mail?"  I suggest that the answer to this
question is, "None!"  There comes a point where human beings must be made
to accept the consequences of their actions and something akin to not
noticing that 202 (D.C. area code) is not equal to 319 (Iowa area code) is
decidedly one of those times.  While machines make our work faster, easier,
and more comfortable, there is probably a limit to the extent that they
should protect us from our own stupidity.  Certainly, the misaddressing of
E-mail described by Joe has passed that limit.  However, it would be
interesting for us to attempt to pin-point precisely (or at least 
approximately) where that limit is.  Any ideas out there?

Len Bliss, Appalachian State University, College of Education, Boone, NC 28608

     [One widely used notion is that of REDUNDANCY -- including check sums.
     The notion that anyone can call your home (10 digits) and with another
     single digit can (1) read your answering machine messages, (2) turn on
     your oven, (3) turn your burglar alarm on or off, (4) feed the dog, ...
     is somewhat hair-raising.  One way of making unlisted numbers much 
     harder to find by sequential dialing experiments would be to use the
     European technique of variable-length phone numbers.  You want a
     difficult number?  Get one with 20 digits.  It would also cut down
     on random wrong numbers.  PGN]


Touch-Tone Risks

Andrew Vaught <29284843%WSUVM1.BITNET@CUNYVM.CUNY.EDU>
Tue, 12 Jan 88 15:46:42 PLT
  Washington State University, like several other universities in the
area is currently planning on implementing a registration system based
on touch tone phones. The student dials the computer, and when connected
"dials" his/her ID number, followed by a five-digit number associated with
specific classes. The computer will either sign a person up, or inform the
caller that the class is full.
  The ID numbers are eight digits long, which would give some protection
against someone using someone else's number. The only problem is that on
the local IBM mainframe (under VM/CMS), student userid's are the ID
numbers, and there are some pretty huge NAMES files floating around.
  The potential for abuse is there, especially considering that one could
use dial-out modems on the system.....
                                                 Andy


American Express Computer Problem 2

Frank Wales <mcvax!zen.co.uk!frank@uunet.UU.NET>
Mon, 11 Jan 88 14:25:31 GMT
After my submission the other week about American Express losing my PIN,
I just thought you might like to know that things don't appear to have
ended there.  I used the card to withdraw some cash shortly afterwards
while on holiday in Scotland, and have received two (so far) notifications of
intent to debit the requisite amount from my bank account.

I called Customer Service and spoke to a Representative who assured me
that I would only be debited once; we'll see.  A few questions revealed
that: this duplication had been happening to many Cardmembers using the
Express Cash service; that he didn't think there was a link to those who
had recently lost their PINs (although it hadn't occured to him); and
that he seemed unsure about whether this would be the last problem I
would encounter.

I'm sure all this malarkey is doing Amex's reputation no end of bad;
I'll let you know of any future developments.

Frank Wales, Development Engineer,    [frank@zen.uucp<->mcvax!zen.co.uk!frank]
Zengrange Ltd., Greenfield Rd., Leeds, ENGLAND, LS9 8DB. (+44) 532 489048 x220 


Re: PCs die of New Year Cerebration [Risks 6.5]

Scott Nelson <decwrl!esunix!nelson@ucbvax.Berkeley.EDU>
Tue, 12 Jan 88 08:43:05 mst
A guy I used to work with here who previously worked at Sperry-Univac (now
UniSys) claimed to have inserted a good joke into one of their intelligent
terminals buried deep in the microcode where no one is likely to accidentally
find it.  I don't know all of the details about the intelligent terminal, but
it could have had PC-compatibility as one of its intelligent features.

Anyway, when the terminal is first powered on, it checks to see if the current
year according to the battery-powered clock is different from the one saved
the last time it was turned off.  If so, it displays a New Year's message and
plays "Auld Lang Syne" for about a minute using the tone generator normally
reserved for the bell.  It is then supposed to work normally for the rest of
the year.  He said he gets a good laugh every new year just thinking about it.

That company does start with "S" as the first article mentioned (at least it
did when it sold the terminal).  I suppose there is a chance that this
"harmless prank" could become not so harmless after a few years.

Oh, and by the way, this guy now works for the other "S" company
mentioned above.  Just a thought...

    Scott R. Nelson
    Evans & Sutherland Computer Corporation

UUCP Address:  {decvax,ucbvax,ihnp4,allegra}!decwrl!esunix!nelson
Alternates:    ihnp4!utah-cs!esunix!nelson     usna!esunix!nelson


UK Logic Bomb Case is Thrown Out

"Geoff. Lane. Phone UK-061 275 6051" <ZZASSGL@CMS.UMRCC.AC.UK>
Tue, 12 Jan 88 11:34:11 GMT
The following appeared in Datalink, dated Monday, January 11,1988.

  James McMahon, the contract systems programmer accused of planting
  "logic bombs" in his client's computer systems, has been cleared of
  all charges.

  McMahon walked free from Isleworth Crown Court, London, late last
  month after the presiding judge Derek Holden accepted a
  mid-trial motion that the evidence against McMahon was inconsistent,
  incomplete and laking in reliability.

  The ruling, which focused on print-out and disk exhibits, promises to
  be a watershed in the history of computer law, influencing the
  validity of such admissions in future cases.

  The trial was billed as the UK's first "logic bomb" case, with McMahon
  accused of planting unauthorised code in the DEC PDP 11 system
  software of air freight forwarder Pandair Freight. The prosection
  claimed that one such "lofic bomb" locked terminals at Pandair's
  Heston office, near Heathrow, and a second was set to wipe the memory
  of the company's Birmingham computer.

  McMahon's motive was either financial gain or revenge after losing a
  50,000 pound contract with Pandair, the prosecution said.

  The judge ruled that the evidence wasn't solid enough and instructed
  the jury to pronounce McMahon not quilty. A relieved McMahon told
  Datalink: "I have lost much more than Pandair ever did."

  McMahon, who was referred to during the case as a Posche or
  Lamborghini driving philanderer, says he bears no resentment. His only
  gripe is that he lost a major contract worth 40,000 pounds with the
  Stock Exchange after police informed directors there that there was a
  case pending.

  McMahon has now returened full-time to DEC system consultancy in the
  City.

In a second article in the same paper the following appeared...

  Eighteen months of bing labelled a "logic bomber" finally ended for
  system programmer James McMahon late last month.

  McMahon was found not quilty of planting three so-called logic bombs
  in the screen handling module of his client's DEC PDP 11 system
  software.

  The client, air freight forwarder Pandair, employed him on a freelance
  basic to patch its system software and install or tune its operating
  system, in this case the RSX 11 M+ operating system.

  As well as maintaining his innocence throughout, McMahon is adamant
  that the code that constituted the alleged bombs could never have
  produced the effect the prosecution claimed. In short he claims he was
  framed, that the code was written to discredit him.

  As his barrister, Colin Nicholls, QC, put it in court: "The
  prosecution evidence is partial, deceptive and manufactured. It smells
  of dishonesty and contrivance."

  The judge thought this submission well-founded, agreeing that there
  were areas of unsatisfactory and missing evidence.

  First, the original disks containing the supposed bomb were not taken
  into police custody immediately after the suspected sabotage, but left
  in the Pandair computer room.

  The Pandair programmer who produced the printout of file directories
  and source listings from the disks had sufficient skills in Macro
  Assembler to insert the bombs the judge said.

  Further the Pandair development disk went missing shortly after the
  alleged crime.

  "There is doubt over who produced the printout and which disks it came
  from," he said.

  And the motive for framing McMahon was there, claimed Nicholls:
  jealousy over a shared lover and envy over McMahon's expensive
  lifestyle.

  However, after five weeks the judge was unwilling for the case to
  continue with such gaps and doubts over the evidence. "we need to take
  a particularly robust view of evidence in such a complex technical
  case," he said.

  The relief on the faces of the 12 men and women of the jury as they
  were dismissed testified to that.

 Geoff Lane, UMRCC


SSN abuse warned about long ago

Richard Brown <richard%a.cs.okstate.edu@RELAY.CS.NET>
Sat, 9 Jan 88 23:06:24 CST
  The abuse of the SSN was forseen long ago by none other than then-FBI-
director J. Edgar Hoover.  His warning was against two things that would
reduce U.S.A. to a Police State: a national identification card, and a
national police force.  His warning was heard loudly enough that for many
years the SSN card that you recieved from the government had a notice on the
back "this card is not legal for identification purposes."
  I recently tried an experiment: I tried to go for one month without giving
my SSN to anyone.  I found it impossible to manitain a reasonably civilized
life-style under that circumstance.  For example:  I could not write a 
check, because it has my driver's license number on it which is, guess what?
I could not get a post-office box: positive ID (driver's license or state ID
issued by Department of Motor Vehicles, using SSN) AND current AND former
street address required.  I could not use a credit card (BTW- this is alledged
to be tracked by NCIC and IRS.  Cannot verify how much access is required
for the NCIC version of this).  Could not enroll in college.  |Financial Aid?-
HAH!!!!  Could not get utilities connected at my new appartment.  etc.
It is getting scary, Folks.  Big Brother is here!  
ps My Sysop commented on how much time I've been spending in net.mail lately...
  --- Richard Brown, Oklahoma State University   richard@a.cs.okstate.edu


SSN Required Disclosures -- library social security privacy

Steve Cisler <well!sac@lll-crg.llnl.gov>
7 Jan 88 14:00:43 GMT
I work in a public library, and I can assure comp.risks readers that most
libraries and librarians are very conscious of the privacy issue when it
comes to records about library users.

The best example is how our automated circulation systems are designed to
work.  We will be using CLSI, Inc., the largest vendor to libraries, and I
think they are a good example of the care taken to protect the rights of a
book borrower's privacy.  When you check out a book a link is established
between the barcode number on your library card and the barcode in the
borrowed item.  As soon as you bring the book back, that link is broken and
no record of the transaction is archived.  You can opt not to even be able
to see the current unbroken links unless items are overdue.

This means that no one in the library or legal or mental health system can
get a profile of your reading habits from checking old records.  There are
just not any--except overdue items, and they are kept until you pay up and
clear your record.

That is reassuring, but I am troubled that some libraries ask for SSN as a
unique id before they issue a library card.  Our committee on registering
library users quickly decided against this, again because of privacy matters.
I would urge any of you who use a library to inquire about this and post some
responses here.  Our unique id will be first letter of first name, first four
letters of last name, month (1-9,O,N,D) and two digits of the year.  Mine
would be SCISL042. There is some way they handle all the John Smith in one
big area, but this works quite well for most cities and counties.

Please report problems with the web pages to the maintainer

Top