The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 62

Friday 7 October 1988

Contents

o Re: Assault on Privacy
    Anthony G. Atkielski
o Interesting article in PCW
    Hugh Davies
o Bridge over troubled pseudo-random generation
    PGN
o Reach Out and Touch Someone... for $650,000
    Henry Cox
o Computer Security and Voice Mail ... $150,000
    Davis
o Re: Risks of Cellular Phones
    Wes Plouff
o Self-correcting (obliterating?) time
    Jeffrey R Kell
o Risks in ATMs, Parking, Power outages
    Steve Philipson
o Info on RISKS (comp.risks)

Re: Assault on Privacy (Arthur Miller's speech, via Barry C. Nelson)

"Anthony G. Atkielski" <Atkielski@PCO-MULTICS.HBI.HONEYWELL.COM>
Fri, 7 Oct 88 15:38 MST

Seriously, many of the concerns Mr. Miller voiced in his speech have already
been addressed outside the United States.  Specifically, France has had
legislation regulating the establishment and operation of virtually all
databases containing sensitive information about specific individuals for over
ten years.

French Public Law 78-17 of January 6, 1978 established a Commission on Freedom
and Computers and set forth requirements to be met by any organization wishing
to collect and process "personal" information, i.e., information that can be
linked to specific individuals.  The Commission is a relatively autonomous
organization charged with tracking the establishment and operation of databases
containing "personal" information throughout France.  Its members are selected
from both the public and private sector.

Some provisions of this legislation address certain of Mr. Miller's concerns
specifically, for example:

   >  YOU can't get a copy of these records. There is no law which forces
   >  private agencies to tell YOU what they know in most cases.

In France, Public Law 78-17 requires that most organizations maintaining
databases containing personal information declare the existence and purpose of
these databases to the Commission on Freedom and Computers.  These declarations
are a matter of public record.  These organizations MUST provide an individual
with a copy of any information they may have on him (except for medical
records, which must be requested through a licensed physician) on demand, and
they must provide the name and location of an agent through whom such requests
may be submitted in their declaration to the Commission.

   >  Data is a lot like humans. It is born. Matures. Gets married to other
   >  data, divorced. Gets old. One thing that it doesn't do is die. It has
   >  to be killed.

The French legislation requires that expiration periods for various classes
of data be specified in the declaration to the Commission.  The organization
submitting the declaration must observe the expiration periods it declares.

   >  Only the information which is necessary for the job at hand should be
   >  collected.

Law 78-17 restricts the use of information concerning religious beliefs,
lifestyles, political beliefs, race, union membership, and legal records
(arrests, etc.) to organizations with a bona fide business interest in this
information (e.g., political parties, churches, unions, police departments).

   >  People should have access to the data which you have about them.  There
   >  should be a process for them to challenge any inaccuracies.

As already mentioned, this mechanism exists in France.  An individual may force
organizations to correct or update any information they may have on him.  They
are also obligated to correct and update information on their own initiative
as they become aware of inaccuracies.

   >  There should be more control on the eventual uses of data which was
   >  supplied for some business at hand, but has been sent elsewhere "upon
   >  request"

Organizations must describe exactly with whom and under what conditions they
will share the information they have gathered in their declarations to the
Commission.  They must also propagate corrections and updates to these third
parties as they become necessary.

Public Law 78-17 requires that the following information be made available
to the public for any organization collecting and processing personal data:

   -- the identity of the organization
   -- the types of data being collected, their sources, the periods of
      their retention, and the identities of any organizations or
      individuals to whom the data might be communicated
   -- the purpose to which the collected data is to be put
   -- the agent through whom an individual may exercise his "right of
      access" to data collected by this organization concerning himself
   -- the categories of persons who might for any reason have direct
      access to the data
   -- the relationships defined between the various data collected for
      a given individual
   -- the types of security measures taken to ensure the confidentiality
      of the data
   -- the manner in which the data are communicated to organizations or
      individuals outside France, if applicable

All individuals have the right to oppose the collection of personal data
concerning themselves, except when such collection is required by government
agencies.  This implies that they may insist that, say, a credit bureau erase
all information concerning themselves from its database.

When personal information is collected from a person, that person is entitled
to the following information:

   -- whether or not the information requested is required or optional
   -- what will happen if they refuse to provide the information
   -- the persons or organizations to which the information will be
      communicated
   -- the fact that they are entitled to inspect and correct the
      information being collected ("right of access")

This part at least resembles the U.S. Privacy Act of 1974.

The French legislation also provides penalties for those who fail to heed the
law.  Organizations collecting data without filing a declaration may be subject
to a $31,000 fine and a three-year prison term (the prison term would apply
to the individual(s) responsible for the violation).  Collecting information
forbidden by the law (religious affiliation, etc.) is punishable by a $310,000
fine and five years in jail.  Revealing confidential information to
unauthorized persons is punishable by a $3100 fine, plus six months in jail if
the act was deliberate (as opposed to being the result of carelessness or
negligence).  Finally, a $310,000 fine and five years in prison awaits anyone
who deliberately uses personal information for a purpose other than the purpose
declared to the Commission.

As far as I know, no legislation in the U.S. even comes close to this; if
there is any such legislation, it is being ignored.  Maybe it's time we
enacted something similar here in the U.S.

Anthony Atkielski,     Honeywell Bull Inc.,     Phoenix, AZ, U.S.A.


Interesting article in PCW

<"hugh_davies.WGC1RX"@Xerox.COM>
7 Oct 88 03:54:25 PDT (Friday)

The current edition of Personal Computer World (October) has a long and
interesting article on the application of the Data Protection Act, by Duncan
Campbell. ('On and Off the Record', P146). I have no intention of keying the
article in as it is several thousand words, but in essence it states that the
application of the DPA is effectively being sidestepped by Government
Departments, and that the Data Protection Registrar is toothless, underfunded
and overwhelmed with pointless paperwork.

Campbell, who has been a thorn in the side of Government secrecy for some
years, attempted to get a copy of his records on the PNC (Police National
Computer). He was at first unable to locate a copy of the Data Protection
Register, which lists all the registered computer systems in the UK. There is
supposed to be a copy in every Public Library, but most had never heard of it.
When he finally located a copy, the Librarian was reluctant to let him look at
it. Once he had found out which systems the PNC have, he then couldn't find out
who to write to. The DPR said write to the Data Protection Officer at the PNC,
but no-one ever replied. Finally he tried several local police stations, but
most denied knowing anything about it.  Once a police station accepted the
query, they gave him a form to fill in which asked several irrelevant and
personal questions. Finally, he got a reply from the PNC, 40 days after putting
in the query (the legal maximum time allowed). The DPA allows for a charge of
£10 for each query on each system; he queried each of the 5 systems running at
the PNC and was charged £50. He was refunded £10 because the PNC said that they
could not be bothered to inspect one of the files, because "there won't be
anything on it".

This whole shambles would appear to be mainly designed to deter anybody from
attempting to use the DPA to enquire on Government (or indeed, any other)
computer systems. Campbell concludes that the DPA is a complete failure, and
after reading the article I agree with him.

Also, some more interesting information on the PNC has recently come to light.
The British Government is busily (and fairly quietly) installing a system to
connect all the computer systems belonging to such organisations as the Inland
Revenue, Department of Health and Social Security and the Driver and Vehicle
Licensing Centre. This system is called the Government Data Network, or GDN for
short. Virtually no information has been forthcoming about this system. It has
been denied that the Police National Computer is to be part of this network,
but it has recently become clear that this is not the case. The reason being
that the present PNC is indeed not to be connected to the GDN. However, the
soon to be installed upgrade to the PNC, being imaginatively called 'PNC2' *IS*
to be connected to the GDN.

Hugh Davies, Computer Consultant, St.Albans, England.

The opinions expressed herein are mine, not those of my current, or any
past, employer or client.


Bridge over troubled pseudo-random generation

Peter Neumann <neumann@csl.sri.com>
Fri, 7 Oct 1988 14:42:30 PDT

Computers are now being used for all sorts of purposes for which people
formerly did the same job.  A case at hand deals with the game of bridge, in
which shuffling for tournament matches is now done by computer.  Alan
Truscott's column in the Sunday New York Times (2 October 1988) relates that
during the team-of-four matches the players sensed that the hands were
strangely familiar.  The American player Chip Martel "eventually solved the
problem: All the deals corresponded to those most of the players had
encountered in the open pairs final four days earlier, but with a suit rotation
-- spades had become hearts, hearts diamonds and so on.  The computer program
that generated the deals for both events was suffering from a flaw in its
random generator."  (The bridge rules state that a deal previously played must
be null and void.  Apparently that rule was extended on the spot to include
suit transformations.)

         [Thanks to Paul Abrahams for this one.  Now that he is no longer 
         President of the ACM, I presume he has a little more spare time to
         keep an eye out for us on computer related bridge risks.  PGN]
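
An added example, not part of the original digest and not the tournament's own
software: a duplicate-deal check that treats two deals as the same when one is
a suit relabeling of the other.  It goes beyond the rotation in the report and
covers all 24 suit permutations; the card encoding, function names, seeds and
board labels are assumptions made for this illustration.

```python
import random
from itertools import permutations

SUITS = "SHDC"
RANKS = "AKQJT98765432"
SEATS = ("N", "E", "S", "W")

# The rotation reported in the column: spades -> hearts, hearts -> diamonds, ...
ROTATION = {"S": "H", "H": "D", "D": "C", "C": "S"}


def deal(rng):
    """Shuffle a 52-card deck with rng and give 13 cards to each seat."""
    deck = [s + r for s in SUITS for r in RANKS]
    rng.shuffle(deck)
    return {seat: frozenset(deck[i * 13:(i + 1) * 13])
            for i, seat in enumerate(SEATS)}


def relabel(d, mapping):
    """Return the deal with every card's suit replaced according to mapping."""
    return {seat: frozenset(mapping[c[0]] + c[1] for c in hand)
            for seat, hand in d.items()}


def canonical(d):
    """Smallest encoding of the deal over all 24 suit relabelings.

    Two deals that differ only by a suit permutation share this value.
    """
    best = None
    for perm in permutations(SUITS):
        r = relabel(d, dict(zip(SUITS, perm)))
        enc = tuple(tuple(sorted(r[seat])) for seat in SEATS)
        if best is None or enc < best:
            best = enc
    return best


class DealRegistry:
    """Remembers every deal already played, up to suit relabeling."""

    def __init__(self):
        self._seen = {}

    def check_and_record(self, d, label):
        """Return the label of an equivalent earlier deal, or None if new."""
        key = canonical(d)
        prior = self._seen.get(key)
        if prior is None:
            self._seen[key] = label
        return prior


def demo():
    """Constructed sample: three earlier boards reappear with rotated suits."""
    registry = DealRegistry()
    pairs_final = [deal(random.Random(seed)) for seed in range(3)]
    for i, d in enumerate(pairs_final):
        registry.check_and_record(d, f"pairs-final board {i + 1}")
    # Later event: the same deals with suits rotated, plus one fresh deal.
    teams = [relabel(d, ROTATION) for d in pairs_final]
    teams.append(deal(random.Random(99)))
    return [registry.check_and_record(d, f"teams board {i + 1}")
            for i, d in enumerate(teams)]


if __name__ == "__main__":
    print(demo())
```

A plain equality test on the dealt hands would pass every rotated board as new;
comparing canonical forms is what catches the repeat.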


Reach Out and Touch Someone...

Henry Cox <cox@spock.ee.mcgill.ca>
Fri, 7 Oct 88 09:00:08 edt

TEENS RUN UP TELEPHONE BILL OF $650 000

[From the Montreal Gazette, 7 October 1988]

LAS VEGAS (AP) - Ten teenage hackers may have run up $650 000 in
telephone calls by tricking phone company computers, and their parents
could be liable for the tab, authorities said.

"They reached out, all right," assistant U.S. Attorney Russel Mayer said
of the hackers, nine 14-year-olds and one 17-year-old.  "They reached
out and touched the world."

Tom Spurlock, resident agent in charge of the Las Vegas Secret Service
office, said the teenagers engaged in "blue boxing," a technique that
enabled them to talk to fellow hackers throughout Europe.

"They were calling numbers that were in the ATT system, and their
(computer) programs would allow them to `jump' ATT's circuits, allowing
them to call anywhere in the world."

The expensive shenanigans came to light when local phone company
officials discovered unusual activity on nine Las Vegas phone lines,
Spurlock said.  He said federal agents obtained warrants and searched
the nine homes.

The teenagers weren't taken into custody or charged, but their computers
were seized.

                    Henry Cox


Computer Security and Voice Mail

<davis@community-chest.mitre.org>
Fri, 07 Oct 88 13:35:03 -0400

From the Oct 6 Washington Post.
From a news item "Hackers Find New Way to Tap Long-Distance Phone Lines".

Zotos International Co. received two consecutive $75,000 phone bills, 
due to use of their automated answering system by hackers.

Zotos' switchboard automatically routes incoming calls to the proper
department.  Hackers found a way to circumvent the system to place outgoing
long-distance calls, in some cases to Pakistan and Senegal.  In this case the
calls were traced to Pakistani businesses in New York.  However, police
officials told Zotos that they must catch the hackers in the act in order to
prosecute.  The telephone company informed Zotos' management to pay the bills,
and collect from the suspected hackers via the civil courts.

In the same article, a related Los Angeles case of misuse of an electronic
switchboard system by outsiders described 'capture' of 200 of a company's
password-secured voice mail accounts.  Outsiders, in this case a dope ring and
a prostitution ring, gained access by guessing the 4-digit passwords and
changing them.  The hackers backed off only when 'Federal authorities' began
tracing calls.

The article quotes security experts as recommending systems including several
access codes.  Also, major companies are adding software to detect changes in
calling patterns.


Re: Risks of Cellular Phones

Wes Plouff <plouff%nac.DEC@decwrl.dec.com>
6 Oct 88 09:45

Recent writers to RISKS, starting with Chuck Weinstock in issue 7.57, have
focused on the risk of vehicle location by cellular telephone systems.  In my
opinion, they exaggerate this risk and underestimate another risk of mobile
phones, the complete lack of privacy in radio transmissions.

Roughly 10 years ago I designed vehicle location controller hardware and
firmware used in the Washington-Baltimore cellular demonstration system.
That system led directly to products sold at least through the first 
waves of cellular system construction a few years ago.

Since cellular base stations have intentionally limited geographic
coverage, vehicle location is a requirement. This limitation is used to
conserve radio channels; one cell's frequencies can be re-used by others
far enough away in the same metropolitan area.  The cell system must
determine which cell a mobile user is located in when he begins a call,
and when during a conversation a vehicle crosses from one cell into
another.  Cells are set up perhaps 3 to 20 miles in diameter and range
from circular to very irregular shapes.  Cellular phone systems are 
designed with ample margins so that statistically very few calls will be 
lost or have degraded voice quality.

Making this system work does not require anything so fancy as
triangulation.  Vehicle location needs to be only good enough to keep
signal quality acceptably high.  John Gilmore explained in RISKS 7.58
how this works while the mobile phone is on-hook.  During a
conversation, the base station periodically measures the signal strength
of an active mobile in its cell.  When the signal strength goes below a
threshold, adjacent cells measure the mobile's signal strength.  This
'handoff trial' procedure requires no interaction with the mobile.  If
the mobile was stronger by some margin in an adjacent cell, both the mobile
phone and the cellular exchange switch are ordered to switch to a channel and
corresponding phone line in the new cell.  Since base stations commonly use
directional antennas to cover a full circle, mobiles could be reliably located
in one third of the cell area at best.  Distance-measuring techniques advocated
by AT&T were not adopted because the added cost was too high for the modest
performance gain.

Certainly a cellular phone system can locate a mobile at any time, and always
locates a mobile during a conversation.  But the information is not
fine-grained enough to implement some of the schemes imagined by previous
writers.

A more important risk is the risk of conversations being intercepted.  The
public airwaves are simply that: public.  Scanner radios can easily be found or
modified to cover the cellular band, and listeners will tolerate lower signal
quality than cellular providers, hence one scanner can listen to cell base
stations over a wide area.  The communications privacy law is no shield because
listeners are undetectable.  To bring this back to risks of computers,
automated monitoring and recording of selected mobile phones is probably beyond
the reach of the average computer hobbyist, but easily feasible for a
commercial or government organization using no part of the infrastructure
whatever, just the control messages available on the air.

Wes Plouff, Digital Equipment Corp, Littleton, Mass. 
plouff%nac.dec@decwrl.dec.com


Self-correcting (obliterating?) time

Jeffrey R Kell <JEFF@UTCVM.BITNET>
Thu, 06 Oct 88 16:40:32 EDT

I just had a most aggravating experience with a time function which may be
of interest (and this is NOT related to year change, daylight savings time,
or any standard horror story).  It is machine specific (HP-3000/950).

I have been converting our subroutine library from our old HP-3000 (written
in SPL, an obscure systems language for that machine) into 'C' for the new
one.  One such routine returns the current date in the format we use as a
standard database date.  I was using ctime() and localtime() functions in
the resulting C function.  But upon testing, the function was returning a
date and time several days and a few odd hours prior to the current date.
Extensive testing and tracing revealed that ctime() was not returning the
correct clock value; yet all other date references within the operating
system were correct.  Being more than confused, I placed a problem report.

The cause of the 'bug' was that the ctime() library function queries the lowest
level hardware clock, and could care less about the operating system clock.
This 'feature' came about by porting the C library more or less literally
from their Unix-based systems.  Although we had set the 'clock' when the
system was installed, MPE (the operating system) calculates an offset from
the time you 'set' and the hardware clock value, and saves this to set the
clock automatically after failures or power outages.

In summary, the hardware clock was never right.  MPE tried to correct for
this by juggling offsets, thus hiding the real underlying problem.  Finally
the whole bizarre mess was uncovered by the C library.  Needless to say, we
have finally correctly set the hardware clock.

| Jeffrey R Kell, Dir Tech Services |  UTC Postmaster/Listserv co-ord. |
| Admin Computing, 117 Hunter Hall  |Bitnet:  JEFF@UTCVM.BITNET        |
| Univ of Tennessee at Chattanooga  |JEFF%UTCVM.BITNET@CUNYVM.CUNY.EDU |


Risks in ATMs, Parking, Power outages

Steve Philipson <steve@aurora.arc.nasa.gov>
Thu, 6 Oct 88 20:15:54 PDT

   This past weekend I got to see/hear about three new RISKS in action.

   A friend was in from out of town.  She had an interesting story for
me.  It seems that a bank in New York has a great new feature for their
ATM cards:  if all you need is an account balance, you can go to a
special ATM reserved for that purpose, insert your card, and get your
balance immediately.  In the interest of saving time, they've made it
really simple ... you don't even have to enter your PID (personal I.D.
number or password)!!!  Veteran RISKS readers can see the folly in
this.  Of course, one of my friend's office co-workers had her wallet
stolen.  Inside was both her ATM card and a single blank check.  The
thief took the card to the ATM machine, found the balance, then made
out the check for that amount.  Determining liability in this case 
will be loads of fun.

   Next, I drove my friend to San Francisco International Airport for her
flight home.  I parked in the central parking structure.  On entry, you get a
ticket from a machine.  The ticket has the time stamped on it in ink, and also
a magnetic stripe.  The billing mechanism seemed obvious -- read the entry time
off the stripe, compute time in the structure, and bill accordingly.  It
surprised me when the clerk at the exit asked for the correct amount BEFORE I
handed him the ticket.  Then I noticed that he was facing a TV monitor, and
that my car's aft end was on the screen.  I asked about the system.  It seems
that they have another camera and operator enter your license plate number when
you enter.  They re-enter your plate number as you leave and find the elapsed
time between those events.  All your comings and goings are recorded.  Ain't
this a great one! Now big brother can keep track of your comings and goings at
the airport.  Right to privacy fans might consider public transport as a more
private mode of transportation.

     [RISKS has had reports before of people being charged for ten days when
     they parked on two consecutive weekends, and other related horrors. PGN]

   Finally, I came into work on Sunday to catch up on a few things.
I had mail!  And what did it say?  Here's the text, verbatim:

*   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *
Hi folks.  As of 6:13 today, we have completely lost power to N254, our main
communications facility.  A power transformer feeding that facility appears to
have been destroyed (it's all black and burned on the outside, and smells
really bad!).  While that facility is on UPS, the UPS does not have generator
back-up at this time, and as of an hour or so ago, the UPS batteries have been
drained.  I talked to the power people out there inspecting the transformer,
and they said it will be out at least until tomorrow (Monday).

Now, this means all things that depend on N254 are out of service.  These
include:

All external network access, BARRNET,MILNET,ARPANET,SPAN, etc...
All X.25 access via Telenet.
All ARCLAN access that is attached in the N254 ARCLAN hub, including NAS
    and N202. [ARCLAN is the Ames Research Center Local Area Net.  SHP]
All FTS service to other NASA facilities (at least for now).
    [FTS is the Federal Telephone System, our main long distance service. SHP]
All PSCN activities, including TMIS, and ARCNET.

With luck, we'll be back in service as of Monday afternoon or so.  The
transformer cannot be repaired, so a replacement will have to be found.
[FOUND??? No on site spares??? SHP]

Hopefully, this will inspire people to get that generator back-up system
funded...

*   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *

   There are lots of folks here at Ames who read RISKS, yet we still have a
system with massive losses from failure at a single site.  No NASA cracks --
I'll bet this situation is common.  Those of you at other sites who are
concerned about this kind of thing might show the above to your site managers.
Best of luck.
                      Steve Philipson
