Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 8: Issue 40
Friday 17 March 1989
Contents
Re: Sunspots & Communications- Jordan Brown
Gasbarro
Ethics of Copying Fonts- Jerry Schwarz
Policy Statement Request- Dave Grisham
Re: Incoming-call identification- Brint Cooper
Risks of telephone access to your bank account- Brint Cooper
Limitless ATMs- Emily H. Lonsford
Re: A Touching Faith in Technology- Henry Spencer
Risks of helpfulness- Henry Spencer
Work monitoring survey- Goun
Faking Internet mail- Robert C. Lehman
Spying on or intercepting UUCP mail- David Sherman
Hackers, cartoons, and computers- Doug Claar
Info on RISKS (comp.risks)
Re: Sunspots & Communications
Jordan Brown <herron!jbrown@jato.Jpl.Nasa.Gov>
Fri, 17 Mar 89 10:09:13 PDT
PGN writes:
> In the Mount Diablo area of California, there have been many reports of
> garage door openers failing to operate.

KFWB reported that this was caused by some form of radio transmitter that the
Navy was using in the area (paraphrased) "to provide communications to a ship
at Alameda while its communications gear was being repaired".  It's been turned
off.  The report was technically quite vague, so I can't provide more detail.

Jordan Brown

   [Also noted by Barry Klawans and Steve Wilson]

   [The old joke used to be "When is a door not a door?"  "When it is ajar."
   Now we have a new joke, "When is a door not a door?"  "When it is ajam(b)."
   PGN]
Re: Sunspots & Communications
<Gasbarro.pa@Xerox.COM>
16 Mar 89 17:26:07 PST
> I thought that [garage door] openers operated in the microwave range;
> isn't this power level of transmission unhealthy?

Most garage door openers that I've encountered operate in the 380MHz range.
Water resonates at 2.4GHz.  Besides, the power level is only a few tens of
milliwatts.
Ethics of Copying Fonts
jss@ulysses.UUCP <Jerry Schwarz>
Fri, 17 Mar 89 11:02:24 EST
Marc Mengel ... exactly illustrates why this is a gray area.  Suppose that
they didn't pick out the letters but were distributing the whole page?
Clearly a violation of copyright.  Individual columns?  Still a clear
violation.  Individual pixels?  Clearly permitted, but only because they used
no NYT information content.  Why bother digitizing the NYT to get bits in
simple patterns when you can generate them yourself?  Somewhere in between
(around the word or letter level) lies a gray area.

My (moral) conclusion is that if it's worth copying something then there is
value in what's being copied.  If the value derives from effort that is not
required to make the copy then there ought to be a way to protect that effort.

Jerry Schwarz
Policy Statement Request
Dave `White Water' Grisham <dave@charon.unm.edu>
Fri, 17 Mar 89 10:52:44 MST
I am currently (re)writing our Univ. policy on "computer misuse".  Rather than
reinvent the wheel, I ask anyone who has access to an enforceable, yet
comprehensive policy statement to please share it with me.  My research to
date has shown many universities to be behind in their written-published
policies.  I believe courts will find that policies written before networking
and viruses are of little value.  I will be glad to post the results of my
efforts individually or to the group.  Thanks in advance.

dave

Dave Grisham                    Senior Staff Consultant/Virus Security
Phone (505) 277-8148            Information Resource Center
USENET DAVE@UNMA.UNM.EDU        Computer & Information Resources & Technology
BITNET DAVE@UNMB                University of New Mexico
                                Albuquerque, New Mexico 87131
Re: Incoming-call identification
Brint Cooper <abc@BRL.MIL>
Thu, 16 Mar 89 9:24:50 EST
Incoming-call ID is a difficult problem. Still, doesn't a person, in the
privacy of Home, have the right to an "electronic peep-hole" to control his/her
privacy?
This is a larger issue than screening out the vendors who call at dinnertime.
The police and telcos simply are ineffective at dealing with persistent,
harassing and/or obscene callers.  Their methods are cumbersome and
non-responsive to the harassment.
Any caller can protect his/her privacy by calling from a work phone (which is a
very common practice, prohibitions notwithstanding) or from a pay phone.
Incidentally, what is the "scope" of Incoming Call-ID? Does it identify only
calls from the same central office? local calling area? area code? or
country?  A function similar to Incoming Call-ID is how our telco gathers
"evidence" on harassing phone calls.  The harassed plaintiff keeps a
date/time log of objectionable calls; the telco may be able to tell the
originating phone number.  However, in our case, it could resolve only phone
numbers in the same central office as the harassee and, perhaps, a small
number of other, specified, central offices.
I'm a firm believer in privacy, too. But that includes my right to privacy in
my own home.
_Brint
Risks of telephone access to your bank account
Brint Cooper <abc@BRL.MIL>
Thu, 16 Mar 89 9:29:31 EST
In discussing "Risks of telephone access to your bank account," Michael
McClary relates the identifying information required to transfer funds
by telephone, then observes:
> Now combine that with cellular phones that:
> - are not scrambled,
> - don't switch channels enough to break up a conversation,
> - can be rec[ei]ved on the high end of an old TV set's UHF dial
> - are generally owned by busy people with money
> and you've got the makings of some nasty surprises.
Get the word out, folks: CELLULAR PHONE IS NOT "TELEPHONE." IT'S
BROADCAST RADIO! DON'T SAY ANYTHING ON CELLULAR PHONE THAT YOU WOULDN'T
SAY ON YOUR LOCAL RADIO STATION!
_Brint
Limitless ATMs (Re: RISKS DIGEST 8.37)
Emily H. Lonsford <m19940@mwvm.mitre.org>
Friday, 17 Mar 1989 17:02:51 EST
Some years back, when ATMs were first coming out, I signed up for a card at my
bank.  The first time I used it was a memorable experience.  The machine was
very primitive.  Instead of a CRT, it had colored buttons with messages like
"Insert card" or "Enter your PIN" which were illuminated to instruct the user.
I dutifully inserted my card and followed the instructions.  "Clickety click!"
responded the machine, and then told me to enter my PIN.  After each action on
my part, there was a noticeable pause and more "clickety clicks" from the
machine.  I soon decided that the clicks were there to keep me, the poor dumb
user, occupied while the machine communicated with the host.  This struck me as
terribly funny, and I began to chuckle.  Each set of clicks made me laugh
harder, and people were beginning to stare.  The best part was yet to come:
when the machine finally spit out the money, it was crisp and new - and WARM,
as if it had just been printed!  It was all I could do not to roll around on
the floor laughing; I grabbed the money and my card and left.

A couple of years later, one of the bank's systems programmers explained the
machines to me.  "Oh," he said very seriously, "the clicks really had a
purpose.  The machine had no link to the bank; instead it had a ticker tape
inside, and it recorded every transaction (hence the clicks.)  A technician
came around every day, collected the tape (which was keyed into the bank's main
computer) and refreshed the money supply."  And as for the crisp new bills?
"Well, those machines were so cantankerous that they would jam if anything but
new money was used."  As usual, there was a logical reason for everything the
computer did.  I think I liked my interpretation better.

The moral is, these machines were vulnerable to the kind of attack mentioned in
RISKS 8.37.  They depended on the cooperation of the user not to go around and
collect $300 from each machine.  Security via ignorance....

Emily H. Lonsford, MITRE Houston W123  (713) 333-0922
Re: A Touching Faith in Technology
<henry@utzoo.UUCP>
Fri, 10 Mar 89 16:08:28 -0500
>"The adoption of an identity card, at least on a voluntary basis, which would
>carry such numbers - name, date of birth, nationality, signature and perhaps
>blood group - would surely be an advantage for everybody...
Of course, "voluntary" is likely to mean "compulsory" very quickly, unless
this is specifically illegal. I have neither an age-of-majority card (the
only legal proof of drinking age here) nor a driver's licence, and you'd
be surprised at the looks this sometimes gets me.
Blood group, eh? How soon before AIDS-test status gets included?
>... GIVEN THAT TECHNOLOGY SHOULD MAKE IT IMPOSSIBLE TO FORGE THEM,
>such cards could quickly establish one's bona fide. . . ."
This runs into the same problem that (I understand) Germany ran into after
WW2. There were many people with little or no identification in the chaos
that followed Germany's defeat. Some of them were wanted men. There was
felt to be a need for one solid form of ID, something sufficiently well-
researched to be definitive. The obvious choice was the passport. What
this meant, in practice, was that if one could get a forged passport (not
easy, but not impossible), nobody would ever question one's new identity.
Henry Spencer at U of Toronto Zoology
Risks of helpfulness
<henry@utzoo.UUCP>
Fri, 10 Mar 89 15:49:27 -0500
I haven't seen this one mentioned here yet... At the San Diego Usenix
conference at the beginning of last month, in his keynote speech, William T.
O'Shea (VP of AT&T) said that twice recently, intruders got into AT&T systems
by being talked through the sign-on procedures by AT&T help desks!
Henry Spencer at U of Toronto Zoology
Work monitoring survey
<goun%evetpu.DEC@decwrl.dec.com>
10 Mar 89 09:47
From The Boston Globe, Thursday, March 9, 1989:
Most workers in survey think employers use electronic means to spy on them
By Ronald Rosenberg, Globe Staff
A survey said that 75 percent of mostly unionized workers in Greater
Boston feel ``spied on at their jobs'' by electronic monitoring.
The survey, conducted by the Massachusetts Coalition on new Office
Technology, which represents over 40 unions and women's organizations, has
filed state legislation that would require notifying employees in advance of
any monitoring or surveillance. A legislative hearing on the measure is
scheduled Monday at the State House.
Several insurance firms, banks, airlines and industry groups oppose the
legislation, saying it is unnecessary and violates an employer's right to
monitor how employees work.
At issue is the use of computerized or electronic monitoring systems to
keep track of an employee's work performance and activities. This kind of
surveillance includes computer monitoring where the computer counts keystrokes,
error rate, time to complete each task and break time.
Another way checking [sic] on employee productivity is service observation
where supervisors listen into conversations between employees and customers.
A third form, known as telephone call accounting, monitors the time,
length and destination of all calls dialed from each extension but does not
record the conversation. It is used by telemarketing firms and large sales
organizations.
``There have been clear abuses of electronic monitoring and it violates a
person's right of privacy and right of due process,'' said Lisa Gallatin, the
coalition's executive director.
Faking Internet mail
Robert C. Lehman <rcl@jolt.cc.columbia.edu>
Tue, 14 Mar 89 14:54:23 EST
While "faking" electronic mail may be easy, it's not as easy as faking
"physical" mail.  More specifically, getting some company or university
letterhead (or having some printed, for that matter) and typing up a letter
requires less specific knowledge than hacking some system's SMTP mailer, for
example.

However, people perceive computers as being reasonably secure entities, and
therefore they assume that electronic mail generated by a computer system is
genuine.  While an organization such as NSF, which is accepting reviews of
proposals via electronic mail, should be concerned about the authenticity of
reviews it receives, reviews sent by electronic mail are, in the long run, no
more or less likely to be bogus than those sent by surface mail.

Robert Lehman, Columbia University
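The SMTP side of the point above, as an added example that is not part of
Lehman's post and is not any real mailer's code: a toy SMTP receiver that
accepts a session from a client which simply types the sender it wants, and
a check that sets the sender-typed From: header beside the one line the
server wrote itself.  Every host name, address and message line here is
constructed; the peer name is assumed to be already reverse-resolved by the
caller, and the whole exchange runs in memory with no sockets.

```python
import re

SERVER = "mailhost.example.edu"   # hypothetical receiving host name


def smtp_receive(client_lines, peer_name, server=SERVER):
    """Minimal SMTP receiver (HELO/MAIL/RCPT/DATA/QUIT only).  Walks the
    client's command lines and returns (server_replies, stored_message).
    The stored message is the DATA text exactly as the client sent it,
    with one Received: line prepended.  That line holds the only facts the
    server observed for itself: the HELO name the client claimed and the
    name of the connecting peer (assumed already reverse-resolved here)."""
    replies = ["220 %s SMTP ready" % server]
    helo = envelope_from = None
    rcpts, stored = [], None
    lines = iter(client_lines)
    for line in lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            helo = arg.strip()                              # unverified claim
            replies.append("250 %s" % server)
        elif verb == "MAIL" and helo is not None:
            envelope_from = arg.split(":", 1)[1].strip()    # unverified claim
            replies.append("250 OK")
        elif verb == "RCPT" and envelope_from is not None:
            rcpts.append(arg.split(":", 1)[1].strip())
            replies.append("250 OK")
        elif verb == "DATA" and rcpts:
            replies.append("354 End data with <CR><LF>.<CR><LF>")
            body = []
            for dline in lines:             # same iterator: consumes the DATA block
                if dline == ".":
                    break
                body.append(dline[1:] if dline.startswith("..") else dline)
            received = "Received: from %s (%s) by %s for %s" % (
                helo, peer_name, server, ", ".join(rcpts))
            stored = "\n".join([received] + body)
            replies.append("250 Message accepted")
            envelope_from, rcpts = None, []
        elif verb == "QUIT":
            replies.append("221 %s closing connection" % server)
            break
        else:
            replies.append("503 Bad sequence of commands")
    return replies, stored


RECEIVED_RE = re.compile(r"^Received: from (\S+) \(([^)]*)\) by (\S+)", re.M)
FROM_RE = re.compile(r"^From: .*?<?([^<>\s]+@([^<>\s]+))>?\s*$", re.M)


def origin_check(message):
    """Set the sender-typed From: header beside the server-written Received:
    line.  Returns (claimed_domain, helo_name, peer_name, consistent), where
    consistent is True only when the connecting peer sits in the domain the
    From: header claims.  HELO is left out of the comparison on purpose:
    the client typed that too."""
    frm = FROM_RE.search(message)
    rcv = RECEIVED_RE.search(message)
    claimed = frm.group(2).lower() if frm else None
    helo, peer = (rcv.group(1), rcv.group(2).lower()) if rcv else (None, None)
    consistent = bool(claimed and peer and
                      (peer == claimed or peer.endswith("." + claimed)))
    return claimed, helo, peer, consistent


# Constructed sample session: a client that types whatever sender it likes.
FORGED_SESSION = [
    "HELO cs.example.edu",
    "MAIL FROM:<office@agency.example>",
    "RCPT TO:<reviewer@mailhost.example.edu>",
    "DATA",
    "From: Program Office <office@agency.example>",
    "To: reviewer@mailhost.example.edu",
    "Subject: Proposal review",
    "",
    "Please send your review by return mail.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, msg = smtp_receive(FORGED_SESSION, peer_name="dialup12.example.edu")
    print("\n".join(replies))
    print(msg)
    print(origin_check(msg))
```

Everything after DATA, the From: line included, is free text the receiver
stores as it arrived, and MAIL FROM is no better.  The Received: line is the
one piece of evidence a recipient can weigh, and even it only says which host
connected; an administrator of that host can still write whatever he likes
into his own outgoing Received: lines, so the check catches the casual forger,
not a determined one.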
Spying on or intercepting UUCP mail
David Sherman <dave@lsuc.uucp>
Wed, 8 Mar 89 23:51:24 EST
Peter Scott (pjs@grouch.jpl.nasa.gov) writes in RISKS 8.28:
>
> Walter Roberson in RISKS-8.27
> >How about the
> >other way around: how much danger is there that someone can spoof mail in
> >order to receive messages destined for someone else?
>
> The only way I know of doing this is if your machine is on the path for
> the mail in the first place, in which case you can look at everything
> that passes through anyway.

All it takes is a published "mysite uunet(LOCAL), att(LOCAL)".  Now that most
sites on the net use automated routing with pathalias, a sysadmin with
long-term general spying goals need only show very fast connections to major
sites in the system's official UUCP map entries.  Within a few months a lot of
mail from nearby sites will be coming through.  Keeping a copy of everything
that passes through is as trivial as setting a #define in smail.

David Sherman, The Law Society of Upper Canada  (att!lsuc!dave :-))
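The routing effect Sherman describes, as an added example that is not code
from the post, from pathalias or from smail: a small pathalias-style
shortest-path computation run over constructed map entries, once with an
honest entry for "mysite" and once with the entry the post quotes.  The cost
numbers for LOCAL, DEDICATED and the other classes are assumed for the
example (pathalias's real table is not on this page; only their ordering
matters), a declared link is taken as usable only in the direction the
declaring site's entry gives, which is a simplification, and "mysite" and
"nearsite" are stand-in names.

```python
import heapq
import re

# Link-cost classes in the spirit of pathalias.  Values are assumed for this
# example; LOCAL is the cheapest class an entry can claim for a link.
COSTS = {"LOCAL": 25, "DEDICATED": 95, "DIRECT": 200, "DEMAND": 300,
         "HOURLY": 500, "EVENING": 1800, "DAILY": 5000, "WEEKLY": 30000}

ENTRY_RE = re.compile(r"^(\S+)\s+(.*)$")
LINK_RE = re.compile(r"([^\s,(]+)\(([A-Z]+)\)")


def parse_map(text):
    """Parse 'site  nbr(COST), nbr(COST)' entries into a directed cost graph
    {site: {neighbour: cost}}.  A link is recorded for the site that declares
    it and nothing checks the claim, which is what the post relies on."""
    graph = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        site, links = m.group(1), m.group(2)
        graph.setdefault(site, {})
        for nbr, cls in LINK_RE.findall(links):
            cost = COSTS[cls]
            if cost < graph[site].get(nbr, float("inf")):
                graph[site][nbr] = cost
            graph.setdefault(nbr, {})
    return graph


def cheapest_routes(graph, origin):
    """Dijkstra from origin.  Returns {dest: (total_cost, [hop, hop, ...])},
    the cheapest-path choice a pathalias-driven mailer makes for each site."""
    best = {origin: (0, [])}
    heap = [(0, origin, [])]
    while heap:
        cost, site, hops = heapq.heappop(heap)
        if cost > best[site][0]:
            continue
        for nbr, link_cost in graph.get(site, {}).items():
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, hops + [nbr])
                heapq.heappush(heap, (new_cost, nbr, hops + [nbr]))
    return best


def bang_path(graph, origin, dest, user):
    """The 'a!b!user' route origin's mailer would use for user at dest."""
    routes = cheapest_routes(graph, origin)
    if dest not in routes:
        return None
    return "!".join(routes[dest][1] + [user])


def sites_transiting(graph, origin, via):
    """Destinations whose cheapest route from origin passes through `via` as
    an intermediate hop, i.e. whose mail `via` gets to read."""
    return sorted(dest for dest, (_, hops) in cheapest_routes(graph, origin).items()
                  if via in hops[:-1])


# Constructed sample map (not real UUCP map data).  nearsite is a neighbour
# of mysite; uunet and att stand in for well-connected backbone sites.
HONEST_MAP = """
nearsite   mysite(LOCAL), uunet(DAILY)
uunet      att(DEDICATED), decwrl(DEDICATED), nearsite(DAILY), mysite(WEEKLY)
att        uunet(DEDICATED), ulysses(LOCAL)
decwrl     uunet(DEDICATED)
mysite     nearsite(LOCAL), uunet(WEEKLY)
"""

# Same map after mysite publishes the entry the post quotes: it now claims
# LOCAL links to the backbone, and every nearby site's router believes it.
SPY_MAP = """
nearsite   mysite(LOCAL), uunet(DAILY)
uunet      att(DEDICATED), decwrl(DEDICATED), nearsite(DAILY), mysite(WEEKLY)
att        uunet(DEDICATED), ulysses(LOCAL)
decwrl     uunet(DEDICATED)
mysite     nearsite(LOCAL), uunet(LOCAL), att(LOCAL)
"""

if __name__ == "__main__":
    for name, text in (("honest", HONEST_MAP), ("spy", SPY_MAP)):
        g = parse_map(text)
        print(name, bang_path(g, "nearsite", "att", "dave"),
              sites_transiting(g, "nearsite", "mysite"))
```

With the honest map, mail from nearsite to att goes uunet!att!dave and
nothing transits mysite; with the spy map the same mail goes mysite!att!dave
and every destination nearsite reaches now passes through mysite.  Mail
originating at uunet itself is unaffected, since uunet's own entry still
rates its link to mysite as WEEKLY, which matches the post's point that it is
the nearby sites' mail that gets diverted.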
Hackers, cartoons, and computers
Doug Claar <dclaar%hpda@hp-sde.sde.hp.com>
Mon, 13 Mar 89 17:32:44 pst
Recently, while watching my kids watch Saturday cartoons, I noticed a "Computer
Minute" public service type ad from the network.  In it, the father, who was
portrayed as clueless, was trying to organize his towering stack of papers.
His son, Hacker, tried to tell dad all about Data Base Management Systems.
Why, even sister had her (girl stuff) on the computer, and gee, mom had her
recipes.  Hacker had his (boy stuff) on it as well.

Having only seen one, I don't know for certain, but given the girl's name
(which I don't remember, but wasn't computer-oriented), and the son's name, it
seemed to perpetuate the young male as the hacker stereotype.

Relationship to risks?  Well, I've seen discussions on the term "hacker," and
on comics and computing.

Doug Claar, HP Computer Systems Division
UUCP: mcvax!decvax!hplabs!hpda!dclaar -or- ucbvax!hpda!dclaar
