The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 1

Wednesday 4 January 1989

Contents

o Tales from the Vincennes tape
Rodney Hoffman
o A Danish Home Companion
Hugh Miller
o Suit filed to force FBI to enforce privacy provisions of ECPA
John Gilmore
o moRe: Armed with a keyboard ... -- Kevin Mitnick
Rodney Hoffman
o Computer Chaos Congress 88 report
Klaus Brunnstein
o Two steps forward, one step back
Jerry Leichter
o Clapham Junction train crash
Clive Feather via Mark Brader
o Info on RISKS (comp.risks)

Tales from the Vincennes tape

Rodney Hoffman <Hoffman.ElSegundo@Xerox.com>
28 Dec 88 08:27:03 PST (Wednesday)
Congressman Les Aspin (D - Wis.) is the chairman of the House Armed Services
Committee.  In an op-ed piece in the 28 Dec 88 'Los Angeles Times,' he writes
about the rarity of naval combat and about needed improvements in the Navy's
training, screening, and scheduling.  To make his case, he tells details from
the Vincennes' shootdown of an Iranian commercial jet last July:

  The crew was green when the battle began.  And it showed.  Despite all
  the training that the crew of the Vincennes received, the reality of 
  battle was something new and nerve-racking.  We can tell how nerve-
  racking it was from the unique electronic record kept by the Aegis 
  system aboard the Vincennes.  It recorded such details as the precise
  moment in which every button was touched and every toggle switched in
  the Vincennes' command center.

  Because of this record, we know that one officer, who was prompted by
  the computer to "select weapon system" as the countdown to the destruction
  of the Airbus began, hit the wrong buttons five times before he realized
  that he was supposed to select a weapon.  And we also know that another
  member of the Vincennes' crew was so agitated that he got ahead of the
  firing sequence and pushed another button 23 times before it was an
  appropriate part of the procedure.

  I don't recount these errors to pick on the crew.  I recount them because
  I believe that they much be considered the norm when inexperienced
  humans face a sudden stressful encounter.....


A Danish Home Companion

<Hugh Miller <MILLER@vm.epas.utoronto.ca> [MILLER@UTOREPAS.BITNET]>
Mon, 02 Jan 89 22:47:40 EST
I found the following quote in the journal of Soren Kierkegaard for 1850.  As
this is the time of year we traditionally form our resolutions for the next, I
thought it might be helpful for us on the RISKS list to bung this into the
hopper for consideration.  The really good ideas never die; they just change
examples.

  "It is the old story.  A discovery is made--the human race triumphs;
  enthusiastically everything, everything is set going to perfect the
  discovery more and more.  The human race is jubilant and worships itself.
  At long last there comes a halt--man pauses and asks: is this discovery
  really a boon, especially the extraordinary perfection of it that has been
  achieved! Then a new call goes out for the most eminent heads, and they
  torture their brains almost to madness to find safety-valves, dampers,
  clogs, etc. in order, if possible, to put a brake on, to prevent this
  matchless and matchlessly perfected discovery, the pride of the human race,
  from riding roughshod over the whole world and destroying it.  Consider,
  for instance, the invention of the printing press, perfected to a top-speed
  machine sure to guarantee that no dirt or dregs remain unpublished."

A Happy and Safe 1989 to everyone!  Hugh Miller University of Toronto     


Suit filed to force FBI to enforce privacy provisions of ECPA

John Gilmore <gnu@toad.com>
Thu, 22 Dec 88 18:29:47 PST
In January 1988, Riverside, CA coroner's deputies obtained a warrant
to seize all the computers at the Alcor Life Extension Foundation.
This was done in connection with the widely reported cryonic
suspension of 83-year-old Dora Kent.  The coroner accused the Alcor
staff of murder, arguing that the cryonics procedure, where life
support and anesthesia/cooling is applied after legal death, is
murder, because resuscitation technology is applied without the intent
to revive the patient.

The deputies took six or seven computers ranging from an Apple II to
an Amiga, and have held them for the last 11 months.

Only one of these had a hard disk, so there wasn't much they
could get out of the computers anyway.  However, they did succeed
in making it much more difficult for Alcor to conduct business.

The computer with the hard disk was being used as a bulletin board.
Some 50 to 100 people had correspondence on the machine.  No warrants,
not even any "John Doe" warrants, were issued which would permit the
coroners, DAs, or the Riverside Police Department to access these
electronic communications in storage under the Electronic
Communications Privacy Act.  The ECPA requires that the particular
people whose communication is to be seized be named in the warrant,
similar to the warrants required to seize a person's postal mail.
This search warrant specified that "all electronic storage devices...
and the complete hardware necessary to retrieve electronic data" be
confiscated, not even naming Alcor, but simply giving the address of
their office.

Keith Henson (best known for founding the L5 Society, which encourages
the exploration of outer space) was one of the people whose email was
confiscated.  He complained to the FBI about his email being taken
without a warrant last April.  The FBI Riverside office inquired of
the US Attorney's office as to their interest in email, and, on
getting a "not interested," declined to investigate.  Henson tried
through his congressional representatives to get enforcement action
out of the Federal government against the various local law
enforcement agencies who had taken his email.

Finally, becoming convinced that this route was ineffective, Henson
and two other bbs users filed suit against the US Attorney's office
and the FBI.  One of the bbs users, Roger Gregory, is well known for
guiding project Xanadu, the proposed hypertext library system; the
other, Thomas Donaldson, has contributed two science fact articles to
Analog magazine in the last year.  The suit, "Complaint for
Declaratory Judgement" number C 88 20788, was filed in the U.S.
District Court for the Northern District of California on December 9,
1988.

The crux of the matter is whether the ECPA prevents electronic mail
from being read if the entire computer containing the mail is seized
under a warrant.  If this is held true, the ECPA provides little or no
actual protection.  Consider the non-electronic or real-time
analogies; can a warrant that names no names be used to seize and read
all the mail in a building providing private post office boxes?  Can a
warrant claiming that someone is doing something illegal in a
telephone company office be used to tap all the subscribers' lines
going through that office?

A complete online copy of the suit (40 kbytes) is available as email
from keith@toad.com.  He can also send out hardcopies for the disabled,
or for people whose email has been seized.  The plaintiffs are:

    H. Keith Henson     +1 408 978 7616   keith@toad.com
    Thomas K. Donaldson +1 408 732 4234   cis 73647,1215; source beb610
    Roger E. Gregory    +1 415 493 7582   roger@xanadu.com


moRe: Armed with a keyboard and considered dangerous

Rodney Hoffman <Hoffman.ElSegundo@Xerox.com>
28 Dec 88 14:39:59 PST (Wednesday)
A follow-up story to the Kevin Mitnick case [see RISKS 7.95] in the 'Los
Angeles Times' 24 Dec 88 says the federal magistrate refused to release Mitnick
on bail 23 Dec 88

  after prosecutors revealed new evidence that Mitnick penetrated a 
  National Security Agency computer and may have planted a false story 
  on a financial news wire....

  Investigators believe that Mitnick may have been the instigator of a
  false report released by a news service in April that Security Pacific
  National Bank lost $400 million in the first quarter of 1988.  The 
  report, which was released to the NY Stock Exchange and other wire
  services, was distributed four days after Mitnick had been turned 
  down for a job at Security Pacific [after the bank learned he had
  lied on a job application about his past criminal record]....  The 
  false information could have caused huge losses for the bank had it
  reached investors, but the hoax was uncovered before that could happen.

  The prosecutor said Mitnick also penetrated a NSA computer and obtained
  telephone billing data for the agency and several of its employees....

  [In refusing bail, the magistrate said,] "I don't think there's any
  conditions the court could set up based upon which the court would
  be convinced that the defendant would be anything other than a danger
  to the community.... It sounds like the defendant could commit major
  crimes no matter where he is."

  Mitnick's attorney said prosecutors have no evidence for the new
  accusations....


Computer Chaos Congress 88 report

Klaus Brunnstein <brunnstein%rz.informatik.uni-hamburg.dbp.de@RELAY.CS.NET>
03 Jan 89 09:50 GMT+0100
Re:    Observing Chaos Communication Congress 1988, Hamburg
       (`From Threat to Alternative Networks')
Date:  January 2nd, 1989

On 28-30 December, 1988, Computer Chaos Club (CCC) held its 5th annual `Chaos
Communication Congress' at Hamburg/FRG. As in previous years, 300 people
(mainly aged 16-36, 90% male, with some visitors from Austria and The
Netherlands) gathered, carefully observed from newsmedia (German stations,
printmedia, press agencies, but also from UK's BBC, and being observed by
Business Week's Katie Hafner, who gathered material for a book on hackers,
planned by John Markoff and herself).

In the chaotic (though creative) congress `organisation', two different tracks
were visible:

   -- technical presentations on networks (UUCP, GEONET, FIDONet,
      and CCCs emerging `open networks' BTXnet and `Zerberus'),
      and on a PC-DES encryption developed by a leading CCC member
      (who had escaped the French police's arrest by travelling
      to SECURICOM by railway while police waited at the airport);

   -- socio-political discussions about `sociology of hackers',
      `free flow of information' as well as reports about
      recent events, dominated by the arrest of Steffen Wernery
      in Paris in spring 88 when being invited to speak on SECURICOM.

The technical presentations were of mixed quality. The PC-DES program
(evidently written under the experience of several `visits' of German criminal
police on search for convicting material in cases of hacker attacks) encrypts
texts with a key of 8-40 characters, with a velocity of 135 characters/second
(on a 10 MHz 80286 processor); in a demonstration, the stored `Congress report'
of 137.416 Bytes was encrypted (without prior compression) in 2:55 minutes. The
recent version (V.2.02: about 8 kByte long including about 4 kByte of
help-text) was distributed at CCCongress as `Charity-ware' (for hackers free of
charge), but will be available for commercial users from German `Security
advisor' Hans Gliss at 250 DM (about 141 Dollars at actual exchange rates).

CCC speakers reported about their work to install `free networks'.  In Germany,
most of the networks are organised in the form of a `Verein' (an association
with legal status, which guarantees tax-free operation): such networks are
access-restricted to their members. The different German science and University
networks (and their bridges to international networks) usually restrict access
to scientists. Different CCC subgroups are establishing `alternative networks',
such as `EcoNet' for communication of ecological data and information, planned
to be available, free of cost, to broader social, ecological, peace and
political groups and individuals.

Apart from traditional technologies (such as GEONET and FIDONet), the German
Post Office's Bildschirmtext (Btx) will be used as a cheap communications
medium; while CCCs first hack was, years ago, to attack the `insecure
Btx-system' (in the so-called `HASPA coup' where they misused the Btx passwork
of the Hamburg savings bank to repeatedly invoke CCC's Btx information at a
total prize of 135.000 DM, then about 50.000$), they today begin to use this
cheap though very limited medium while more powerful communications media are
available. Today, the emerging ISDN technology is verbally attacked by hackers
because of the excessive accumulation of personal data; from here, hacks may be
attempted when ISDN becomes regionally available in 1989/90.

Several speakers, educated Informaticians with grades from West German
Informatics departments, professionally work in Software production and in
selling hardware/software to economy and state agencies. Among them, several
professional UNIX and UUCP users have begun to organize CCC's future UUCP
version. Up to now, only few CCC members use (and know about) UNIX systems, but
their number may grow within the near future according to CCCs `marketing'.
One speaker told the audience `that you can remotely start programs in UUCP'.
After some learning phase, the broadened availability of UNIX in the hacker
scene may produce new threats.

The other track of the Congress discussed themes like `sociology of hackers'
where a group of politology students from Berlin's Free University analysed
whether hackers belong to the `new social movements' (e.g. groups on peace,
nuclear energy, feminist themes).  They found that, apart from much public
exaggeration ('it is not true that hackers can invade *any* computer'), hackers
are rather `unpolitical' since they are preferably interested in technology.

A major topic was `free access to/flow of information'. Under the title
'freedom of information act', speakers suggested a national legislation which
guarantees individual and group rights to inspect files and registers of
`public interest'; the discussion lacked sufficient basic knowledge, e.g. of
the respective US legislation and corresponding international discussions in
Legal Informatics.  Generally, the published results of the rich discussions
about `Social aspects of Computing', gathered in professional bodies (like ACMs
SIGCAS, IFIPs TC-9 or the German national society's FA-8, all devoted to such
themes) are evidently unknown to this scene.

Summarising the Congress and accompanying discussions, active CCC members try
hard to demonstrate that they have *no criminal goals* and ambitions (they
devoted a significant amount of energy to several press conferences, TV
discussions etc). The conference was dominated by young computer professionals
and students from the PC scene, partially with good technological knowledge of
hardware, software and networks; while some people seem to have good technical
insights in VAXsystems, knowledge of large systems seems to be minimal. To some
extent, the young professionals wish to behave as the `good old-fashioned
hackers': without criminal energy, doing interesting work of good professional
quality in networks and other new areas.

While former CCCongresses were devoted to threats like Viruses, *no explicit
discussion* was devoted *to emerging threats*, e.g. in ISDN or the broadening
use of UNIX, UUCP. The new track discussing political and social aspects of
computing follows former discussions about `hacker ethics'. Here, the
superficial, unprofessional discussions of related themes show that the young
(mainly) males are basically children of a `screen era' (TV, PCs) and of an
education which concentrates on the visible `image', rather than understanding
what is behind it.

(A 140 KBytes electronic Congress news`paper' can be mailed, on demand,
to people who are interested in details; the papers, of mixed quality,
are mainly written in German)

Prof. Dr. Klaus Brunnstein, Faculty for Informatics, University of Hamburg,
Schlueterstr.70, D 2000 Hamburg 13        Tel: (40) 4123-4158 / -4162 Secr.


Two steps forward, one step back

LEICHTER-JERRY@CS.YALE.EDU <"Jerry Leichter>
Tue, 3 Jan 89 15:52 EST
As we well know, technological changes can produce unanticipated side-effects.
The Editorial attached below, from a recent New York Times, provides an
interesting illustration of such an effect.

A day or two later, the Article attached below appeared in the Times.  What
side-effects will this little piece of technology have?
                            -- Jerry

EDITORIAL

    Personal XXXXX's

Not many years ago, there were three kinds of typing and each sent its own
message.  Letters from a genuine V.I.P. were written on an elegant electric
typewriter, with a carbon ribbon that printed sharp black letters.  Letters
from lesser lights were written on manual machines, nicely arranged and error-
free, but distinguishable by the grainy impressions of a fabric ribbon.  Then
there were the personal letters, in which strikeovers and xxxxx's demonstrated
the exclusivity of the correspondence.

Now the word processor has erased this typology of typewriting.  The early
home printers with their coarse san-serif characters are yielding to new
machines, including laser-jet printers, that make the layman's letters look
like the elegant V.I.P. correspondence of old.

That's probably progress, but it comes at a cost.  There's no telling, any-
more, whether such a letter is personal.  Once, you could discern from the
typographical errors whether the annual chatty holiday letter was meant just
for you, or for the whole Christmas list.  Not anymore, not when home compu-
ters can "personalize" a mass mailing by changing the salutation and a tell-
tale fact or two and printing it up beautifully.

The tide of progress, in other words, sometimes flows backward.  There's
probably only one sure way now to write letters that are, and look, personal:
by hand.


ARTICLE

    High-Tech Junk Mail

After installing a facsimile machine, many offices soon discover a byproduct
of this high-tech communications form --- junk fax mail.  When a facsimile
machine is left on, anyone with access to the machine's telephone number is
free to send documents to the machine, just as anyone with access to a postal
address can send mail there.

Now Digital Publications of Norcross, Ga., has come up with a program and a
data base that can be used with a specially equipped personal computer to send
press releases en masse by facsimile machine.  Late at night, when telephone
long-distance rates are lowest, the computer and its facsimile-machine circuit
board will automatically dial telephone numbers all over the country, sending
out press releases.

Executives of Digital Publications contend that after 11 P.M. their system can
deliver a news release for 10 cents.  They said that a news release sent
through the mail costs about 80 cents.  Mail rates keep going up, of course,
and delivery can take two or three days, or longer.

The Digital Publications system data base has 5,000 names and addresses of
newspapers, broadcast stations, trade magazines and writers.  Also --- and
this is crucial --- it has each outlet's fax number.

But the new technology must still overcome the same hurdle that confronts
the old technology of sending an envelope through the mails --- getting the
recipient to read the material.


Clapham Junction train crash

Mark Brader <msb@sq.sq.com>
Tue, 3 Jan 89 21:30:26 EST
Clive Feather, a former contributor to Risks currently off the net but "soon to
be clive@isi.co.uk", has sent me some information about the train crash at
Clapham Junction in London last month.  I have posted a longer version to
Usenet's rec.railroad, but here's the meat.

Clive writes:

#  The BR internal enquiry found that there were no faults in the
#  signalling equipment as such, but a member of the S&T [Signals and
#  Telecommunications] department had failed to correcly tie off a loose
#  cable end.  This was making intermittent contact with a signalling
#  structure (i.e. earth) and this in turn caused the preceding
#  signals to continually vary in aspect.  Presumably the driver ...
#  was only looking at the wrong moment.
#  
#  There will not be a normal enquiry and report.  Instead, there will be
#  a full judicial enquiry, something that up to now has only happened
#  twice -- Tay Bridge [1897] and Hixon [~1968].
#  
#  I expect the February Modern Railways [magazine] will be full of this.

Forwarded to Risks by Mark Brader, Toronto          

Please report problems with the web pages to the maintainer

Top