The RISKS Digest
Volume 8 Issue 31

Monday, 27th February 1989

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Bank fraud was "easy"
Stephen Page
Men accused of `hacker' crime
Michael C Polinske
Stanford bboard censorship
Les Earnest
John McCarthy
Jerry Hollombe
Computer writing coach / friend
Rodney Hoffman
British Computer Society policy on safety-critical systems
Martyn Thomas
Reach out and spy
gls
Risks of Running a Hotel
Chuck Weinstock
Singing in the Rain
Kent Borg
[RISKS BARFMAIL]
PGN
Info on RISKS (comp.risks)

Bank fraud was "easy"

Stephen Page <sdpage@prg.oxford.ac.uk>
Sun, 26 Feb 89 10:03:38 gmt
From The Independent [London], 24 February 1989, p. 2:

"A 17-year-old junior cashier cheated the National Westminster Bank out of
1m pounds in a computer fraud, a court heard yesterday.  ...

Judge Helen Palin criticised the bank for lax security and refused to make
a compensation order for 15,000 pounds which the bank has not been able
to recover.

... After being given access to the bank's computer system he began by
paying 10 pounds into his own account. He then paid himself 12,000 in 
imaginary cheques. Later, he transferred a credit for 984,252 pounds
into the account of a friend ... and celebrated by buying 50 bottles of 
champagne.

... The judge said: "One of the worrying features of this case is that a
young man who hasn't long left school is able to work the system in the
NatWest bank on a number of occasions without being found out. Indeed, the
general chat within the bank seems to be how easy it is to defraud that
bank."

This is a good example of what ensues when system designers build weak
controls - or perhaps when users fail to implement them? Too often
in the IT community I hear security and controls described as dull and
uninteresting - anyone who has had the dreary job of producing a
risks/controls matrix will sympathise - but it should NEVER be
neglected. I'm glad the judge denied the compensation order.


Men accused of `hacker' crime

Michael C Polinske <mcp2@csd4.milw.wisc.edu>
Mon, 27 Feb 89 10:12:07 CDT
This appeared in Friday, February 24th's _Milwaukee Journal_

2 MEN ACCUSED OF `HACKER' CRIME

By James Gribble of the Journal staff.

Vowing to step up efforts to stop computer crime, a Milwaukee County
prosecutor has charged two Milwaukee men with fraudulently obtaining
free long-distance telephone service.

The felony charges filed Thursday against Alan Carr, 35, and David
Kelsey, 26, are the first so-called hacker crimes to be prosecuted by
the district attorney's office.

Working independently, using home computers and similar software
programs, the men are alleged to have obtained calling card codes for
customers of an independent long-distance telephone company, Schneider
Communications.

They then used the codes to bill their personal calls to Schneider's
customers, according to a criminal complaint prepared by Asst. Dist.
Atty. Jon N. Reddin, head of the district attorney's White Collar
Crime Unit.

Reddin said the total theft probably was less than $1,000, but he
said the case reflected a growing problem.

"I have the feeling, from our investigation, that there's a lot of
people out there doing this," he said.  "The only way to stop it is to
prosecute them, because this is theft.  It's almost like someone
stealing your credit card and using it to make purchases."

Schneider Communications was the victim in this case, Reddin said,
because the company had to write off the customer billings for which
Carr and Kelsey turned out to be responsible.

According to court records and Reddin, the investigation was prompted
by a complaint from Schneider Communications.

The company's computer keeps track of all calls that are rejected
because of an improper access code.  Clients dialing incorrectly would
cause 10 to 30 rejected calls a month, but sometime last year the
number jumped to 1,000 or 2,000 per month.

Computer printouts showed the unknown parties were repeatedly dialing
the computer and changing the access code sequentially, Reddin said.
Hundreds of calls at a time were being made in this fashion, and each
time the code was changed one digit at a time until a working code was
encountered.

Because the company had no way of knowing where the calls were coming
from, Wisconsin Bell placed a tracing device on the line, through
which the calls were traced to the phone numbers of Carr and Kelsey.

The men were apparently unaware of each other and simply happened to
be involved in similar schemes, Reddin said.

Carr is alleged to have used a bootleg computer called "Hacking
Construction Set Documentation."  Kelsey is alleged to have used a
similar bootleg program called "Mickey-Dialer."  The programs were
seized in raids at the defendants' houses, according to court records.

Reddin acknowledged that technological safeguards can detect such
thefts after the fact but not prevent them.  What Carr and Kelsey are
alleged to have done can be done by any computer buff with the right
software and know-how, Reddin said.

The key to deterring computer crime, in Reddin's view, lies in its
prompt reporting to authorities.

"The best way I can think of to do that is by filing a complaint with
our office," Reddin said.
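
The detection the article describes (a monthly rejected-call count that jumps from tens to thousands, and access codes that advance one step at a time on closely spaced calls) can be written as log analysis. The block below is an added example, not code from the article, from Schneider Communications, or from the RISKS contributor; the log line format, the thresholds, and every sample record are constructed for the example.

```python
"""Detect the two signals named in the Schneider Communications case:
(1) a month whose rejected-access-code count dwarfs the usual baseline, and
(2) rejections whose codes step up by one on calls seconds apart.

Added example: the "REJECT code=" line format and all sample data are
constructed here and are not the company's real log format."""

import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Assumed record format: "<ISO timestamp> REJECT code=<attempted code>"
LOG_RE = re.compile(r"^(\S+) REJECT code=(\d+)$")


def parse_log(text):
    """Return rejected-code events as (timestamp, code) sorted by time.
    Lines that are not rejection records are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    events.sort()
    return events


def monthly_counts(events):
    """Rejections per calendar month, keyed "YYYY-MM"."""
    return Counter(ts.strftime("%Y-%m") for ts, _ in events)


def flag_volume_spike(counts, multiple=10):
    """Months whose count exceeds `multiple` times the median of the other
    months; the article's baseline of 10-30 versus 1,000-2,000 is far beyond it."""
    flagged = []
    for month, n in sorted(counts.items()):
        others = [c for m, c in counts.items() if m != month]
        if others and n > multiple * median(others):
            flagged.append(month)
    return flagged


def find_sequential_runs(events, min_run=5, max_gap=timedelta(seconds=60)):
    """Runs of at least `min_run` rejections where each code is the previous
    code plus one and the calls are no more than `max_gap` apart.
    Returns (first_code, last_code, length) per run."""
    runs = []
    run_start, run_len = None, 0
    prev_ts = prev_code = None
    for ts, code in events:
        if (prev_code is not None
                and int(code) == int(prev_code) + 1
                and ts - prev_ts <= max_gap):
            run_len += 1
        else:
            if run_len >= min_run:
                runs.append((run_start, prev_code, run_len))
            run_start, run_len = code, 1
        prev_ts, prev_code = ts, code
    if run_len >= min_run:
        runs.append((run_start, prev_code, run_len))
    return runs


def analyse(text):
    events = parse_log(text)
    counts = monthly_counts(events)
    return {
        "monthly": dict(sorted(counts.items())),
        "spike_months": flag_volume_spike(counts),
        "sequential_runs": find_sequential_runs(events),
    }


def build_sample_log():
    """Constructed data: three quiet months of scattered mistyped codes,
    then one month with 1,200 calls walking the codes 1000..2199."""
    lines = []
    baseline = {
        "1988-03": ["4471", "9120", "0358"],
        "1988-04": ["7710", "7711"],   # adjacent codes but days apart: not a run
        "1988-05": ["2205", "6630", "4471", "0019"],
    }
    for month, codes in baseline.items():
        for i, code in enumerate(codes):
            lines.append(f"{month}-{3 + 5 * i:02d}T10:{i:02d}:00 REJECT code={code}")
    start = datetime(1988, 6, 11, 22, 0, 0)
    for i in range(1200):
        ts = start + timedelta(seconds=8 * i)
        lines.append(f"{ts.isoformat()} REJECT code={1000 + i:04d}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = analyse(build_sample_log())
    print("rejections per month:", report["monthly"])
    print("months flagged for volume:", report["spike_months"])
    for first, last, n in report["sequential_runs"]:
        print(f"sequential run: {first}..{last} ({n} attempts)")
```

Both checks are deliberately cheap so they can run over the same printouts the company already kept: the volume check needs only a monthly total, and the run check needs only the timestamp and attempted code of each rejection. The relative threshold avoids hard-coding the article's numbers, and the time gap keeps two customers who happen to mistype adjacent codes on different days from being confused with one caller cycling through codes.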


Stanford bboard censorship

Les Earnest <les@gang-of-four.stanford.edu>
25 Feb 89 01:57:48 GMT
Public accounts of the Stanford bboard censorship case, including the
San Jose Mercury News article that appeared in RISKS 8.30, give the
impression that the administration's ban on newsgroup rec.humor.funny
has been effective.  Nothing could be farther from the truth — the
"banned" jokes continue to be available on all computers where they
were available before and are now more widely read than ever before.

Usenet newsgroups are stored on 9 primary distribution machines at
Stanford but are accessed via ethernet from hundreds of computers and
workstations on campus.  Two of these distribution machines were
affected by the administration's ban on rec.humor.funny.  The rest of
the system, which I organized several years ago, still carries all
newsgroups.

Since the "ban" began, every message from rec.humor.funny has been
cross-posted to another bboard at Stanford (su.etc) that goes to all
machines, including those that are supposed to be censored.  There has
been no move so far by the administration to deal with this "civil
disobedience."

Interestingly enough, the bureaucrats who decided to ban
rec.humor.funny didn't have the technical expertise to carry out their
intentions, so they came to the Computer Science Department for help.
This help was provided even though the individual involved disagreed
with what they were doing.

The Usenet primary feed for Stanford is under the control of the
Computer Science Department.  There was a plan to turn control over to
the administration but that plan has now been shelved.  The Computer
Science faculty voted this week to oppose newsgroup censorship.

Stanford's President Kennedy, who approved the original censorship
decision, is now carefully dancing around the issue and has agreed
that the Faculty Senate should review and decide on what the
University's policy should be.  It appears likely that the Senate will
agree with the Computer Science Department.

Les Earnest                                  Phone: 415 723-9729
Internet: Les@Sail.Stanford.edu              USMail: Computer Science Dept.
UUCP: . . . decwrl!Sail.Stanford.edu!Les             Stanford, CA 94305


Stanford bboard censorship

John McCarthy <JMC@SAIL.Stanford.EDU> [via LES@SAIL.Stanford.EDU]
26 Feb 89 1343 PST
The following statement was passed unanimously at a meeting of the Computer
Science Department faculty on Tuesday, Feb 21, 1989.

Statement of Protest about the AIR Censorship of rec.humor.funny.

Computer scientists and computer users have been involved in making
information resources widely available since the 1960s.  Such resources are
analogous to libraries.  The newsgroups available on various networks are
the computer analog of magazines and partial prototypes of future universal
computer libraries.  These libraries will make available the information
resources of the whole world to anyone's terminal or personal computer.

Therefore, the criteria for including newsgroups in computer systems or
removing them should be identical to those for including books in or
removing books from libraries.  For this reason, and since the resource
requirements for keeping newsgroups available are very small, we consider it
contrary to the function of a university to censor the presence of
newsgroups in University computers.  We regard it as analogous to removing a
book from the library.  To be able to read anything subject only to cost
limitations is an essential part of academic freedom.  Censorship is not an
appropriate tool for preventing or dealing with offensive behavior.

We therefore think that AIR and SDC should rescind the purge of
rec.humor.funny.  The Computer Science Department has also decided not to
censor Department Computers.


Censorship (Re: RISKS-8.30)

The Polymath <hollombe@ttidca.tti.com>
27 Feb 89 23:48:37 GMT
This is the same silly, emotional argument raised every time some form of
public or semi-public media refuses to carry someone's pet hobby horse.
If you throw out all the emotional baggage about "freedom of speech" and
"censorship", Stanford's decision not to carry rec.humor.funny is no more
illegal, unconstitutional or censorious than their (de facto) decision not
to sell hard-core pornography in the Student's Store.

Only governments can commit censorship, by prohibiting all access to a set
of facts.  Rec.humor.funny still exists and is still accessible.  Those at
Stanford who wish to continue accessing it will simply have to sign up with
a public access Unix site. (I believe the WELL is conveniently close, as are
one or two free-access sites).  Stanford is well within its rights to
refuse to spend campus resources to support it.

The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)  Citicorp(+)TTI
3100 Ocean Park Blvd.   (213) 452-9191, x2483
Santa Monica, CA  90405 {csun|philabs|psivax}!ttidca!hollombe


Computer writing coach / friend

Rodney Hoffman <Hoffman.ElSegundo@Xerox.com>
26 Feb 89 14:07:56 PST (Sunday)
From the "Bits and Bytes" page in 'Business Week' 6 March 89:

       A PROGRAM SWITCHES FROM THERAPIST TO WRITING COACH

  Sometimes talking over a subject with a friend can help you sort
  out your thoughts before you write a speech or business presentation.
  A Carrollton (Tex.) company called Xpercom now offers a computer-
  based "friend" for just that purpose — a program called Thoughtline
  that runs on IBM personal computers and clones.  It's based on
  Joseph Weizenbaum's famous Eliza program, written in the early 
  1960s at MIT.  Named after the character in 'My Fair Lady,' Eliza
  could mimic the conversational skills of a psychotherapist so
  convincingly that many people believed it actually understood
  them as a human would and shared with it intimate details of their
  lives.  [See RISKS 8.17 and 8.18]  A shocked Weizenbaum ended up
  writing 'Computer Power and Human Reason,' a leading book on man's
  relationship to the computer.

  Thoughtline, selling for $295, works a lot like that.  It engages
  authors in written conversations about what they want to say, asking
  questions based on a script that it constantly adapts as each
  discussion progresses.  It then spits out an outline based on what it
  has been told.  Just like its predecessor Eliza, though, Thoughtline
  "understands" nothing at all.


British Computer Society policy on safety-critical systems

Martyn Thomas <mct@praxis.UUCP>
Thu, 23 Feb 89 16:34:20 BST
The BCS recently issued the following policy statement on safety-related
computer systems (SRCS) in an attempt to raise awareness of the special
problems created by programmable systems in safety-related applications.  The
policy attempts to steer a responsible course between the need to alert society
to the increasing risks from poorly-developed SRCS, and the need to avoid
creating irrational panic.

We would welcome constructive criticism of this policy from Risks readers.

[declaration of interest: I chair the BCS safety-critical systems group, and
wrote the policy statement. It was reviewed and amended by my colleagues in
the group before being approved as BCS policy by the Vice-President
(Professional), on behalf of the Professional Board.]

The complete text of the policy statement is given below. 


THE BRITISH COMPUTER SOCIETY, 13 Mansfield Street, London W1M 0BP   

BCS SAFETY CRITICAL SYSTEMS GROUP

Policy Statement on Safety-Related Computer Systems

PREAMBLE

Safety-Related Computer Systems (SRCS) are defined as those systems which, if
they go wrong, can lead directly to physical injury of humans.

In almost every case, the potential for injury lies in the system which the
SRCS is controlling or monitoring.  Assuring the safety of the total system
therefore involves several branches of engineering, depending on the
application.  Most industries are justifiably proud of their safety records.

POLICY

1 Computer systems, appropriately developed and deployed, can enhance the
safety of many processes and products, and bring other economic benefits.

2 The safety of a system is a system-wide issue, and the safety of a SRCS
cannot usefully be considered in isolation from the total system of which it
forms part.

3 Safety is a relative term; system safety can always be improved at increased
cost.  The developer therefore has to identify the level of adequate safety and
to develop all the subsystems so that this level is achieved overall.

4 The probability of error in a system increases with increasing complexity.
SRCS should be designed so that their complexity is kept to a minimum, and so
that they are isolated from interference from non safety-related subsystems.

5 SRCS should be developed and supported by suitably-qualified staff.

6 The quality of every SRCS should be the responsibility of a named engineer
within an accredited organisation who has up to date training and certification
in the relevant technologies.

7 Wherever possible, the methods used for developing, supporting and assessing
SRCS should be based on sound, scientific and mathematical principles.

8 There is an urgent need for harmonisation of development standards for SRCS
between industries and internationally.  The BCS will work with the relevant
authorities to achieve this harmonisation.

9 The science and technology necessary to achieve and assess highly reliable
computer systems is not yet fully developed, and research and development are
therefore urgently needed.  The BCS calls upon the DTI and SERC to encourage
and support the necessary work.

10 In view of the limited experience with SRCS, the wide variation in
development methods, and the rapid growth in their use, the BCS calls for a
system of registration of SRCS, with mandatory fault reporting, so that minimum
standards can be enforced and data can be gathered which will allow the success
of different approaches to be assessed.

11 The BCS wishes to emphasise that there is no evidence that current SRCS pose
a serious threat to the public.  There is therefore no cause for alarm,
although action is urgently recommended on the points listed above.

Martyn Thomas, Chairman, BCS Safety Critical Systems Group
Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel:    +44-225-444700.   Email:   ...!uunet!mcvax!ukc!praxis!mct 


Reach out and spy

<odyssey!gls@att.att.com>
Sun, 26 Feb 11:15:09 1989
The VAX/VMS "spying" package that Peter Scott describes in Risks Digest 8.30
has an old precedent.  Aiken C. C. got a Scientific Data Systems "Sigma"
time-sharing system around 1969, with terminals in several locations on the
Harvard campus.  A few months after it was installed I wrote an interactive
program called RADIO that monitored any other terminal in the system.

RADIO required no privilege, because the pages of system space that were mapped
into user memory included the terminal buffers for the whole system! RADIO made
a mockery of confidentiality, and since you could use it to monitor a login
sequence, it also made a mockery of authentication.  Incidentally, there was no
source code for RADIO.  Access to the assembler was restricted (as a security
feature), so I wrote the program in machine language using the debugger.

The staff at Aiken _eventually_ succeeded in destroying all copies of RADIO ...
but not without reluctance.  They had meanwhile learned the RADIO users'
practice of using two RADIOs to talk to each other.  If the facility of
"talking" seems useful now, it seemed miraculous then.  In those days computer
system engineers were careful to leave out any kind of "talking" facility for
fear of subjecting their systems to FCC regulations.

So far as I know, the only harm that RADIO did was to explode password
security.  If not for that it might have lived for years.


Risks of Running a Hotel

Chuck Weinstock <weinstoc@SEI.CMU.EDU>
Mon, 27 Feb 89 09:55:33 EST
Those of you who have been ripped off by the alternative operator services
(AOS) that provide long distance telephone services to many hotels will be
interested in an article that appeared in Friday's Wall Street Journal.  It
seems that most hotels are neither equipped to bill 976 or 900 calls
properly nor to block them.  As more and more people discover this, the
hotels are finding they are getting interesting phone bills at the end of
the month!


Singing in the Rain

Kent Borg <kent@lloyd.UUCP>
Fri, 24 Feb 89 15:07:03 EST
Not only have our eyes been the victims of trickery for years (Fred dancing on
the ceiling), but so have our ears: In the famous Singing in the Rain dance
scene we saw Gene Kelly get rather wet, but we were hearing Gwen Verden (sp?)
doing the tapping on the sound track (would that be foot syncing?).

(Ever notice how very well lit the `rain' drops were in that scene?  In real
life you often have to put your hand out to find out whether it is raining, in
the movies you can always *SEE* the rain.)

Hollywood has been using pictures and recordings to `lie' for years.  As a
famous camera man once said: "There is nothing natural about natural lighting."
The digital doctoring of photos is, in many ways, nothing new, just more
powerful.

Kent Borg

P.S. Deception has a long history: "But I *WATCHED* him saw her in two!!"


[RISKS BARFMAIL]

The Mailer Daemon <Mailer@KL.SRI.COM> [via PGN]
Mon, 27 Feb 89 12:30:19 PST
    [THIS HAS BEEN GOING ON FOR WEEKS NOW.  NO ONE HAS COMPLAINED.
    IS THE NET GOING TO HELL?  ARE THESE RISKS READERS FINDING OTHER SOURCES?
    I AM GIVING UP ON THESE ADDRESSES.  PLEASE NOTIFY YOUR FRIENDS.
    I GOT 400,000 characters in barf mail over the weekend.  PGN]

Message undelivered after 3 days — will try for another 2 days:
...@VAXA.ISI.EDU: Cannot connect to host
...@lll-crg.llnl.gov.#Internet: Cannot connect to host
...@EWD.DREO.DND.CA: Cannot connect to host
...@LA.TIS.COM.#Internet: Cannot connect to host
...@mitre.arpa: Cannot connect to host
...@xx.drea.dnd.ca: Cannot connect to host
...@red.ipsa.dnd.ca: Cannot connect to host
...@sealion.gcy.nytel.com: Cannot connect to host
...@wr-hits.arpa: Cannot connect to host
...@afsc-bmo.af.mil: Cannot connect to host
...@epsilon.jpl.nasa.gov: Cannot connect to host
risks-p@brl.arpa: 550 (USER) Unknown user name in "risks-p@brl.arpa"

AND THEN I GOT EIGHT COPIES OF THE ENTIRE RISKS MAILING BACK FROM   
Return-Path: <MAILER-DAEMON@cos1.fac.ford.com>
554 mailer mail died with signal 4

THIS IS GETTING MORE AND MORE RIDICULOUS!
