The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 40

Friday 17 March 1989

Contents

o Re: Sunspots & Communications
Jordan Brown
Gasbarro
o Ethics of Copying Fonts
Jerry Schwarz
o Policy Statement Request
Dave Grisham
o Re: Incoming-call identification
Brint Cooper
o Risks of telephone access to your bank account
Brint Cooper
o Limitless ATMs
Emily H. Lonsford
o Re: A Touching Faith in Technology
Henry Spencer
o Risks of helpfulness
Henry Spencer
o Work monitoring survey
Goun
o Faking Internet mail
Robert C. Lehman
o Spying on or intercepting UUCP mail
David Sherman
o Hackers, cartoons, and computers
Doug Claar
o Info on RISKS (comp.risks)

Re: Sunspots & Communications

Jordan Brown <herron!jbrown@jato.Jpl.Nasa.Gov>
Fri, 17 Mar 89 10:09:13 PDT
PGN writes:
> In the Mount Diablo area of California, there have been many reports of
> garage door openers failing to operate.

KFWB reported that this was caused by some form of radio transmitter that the
Navy was using in the area (paraphrased) "to provide communications to a ship
at Alameda while its communications gear was being repaired".  It's been turned
off.  The report was technically quite vague, so I can't provide more detail.

Jordan Brown                     [Also noted by Barry Klawans and Steve Wilson]

  [The old joke used to be "When is a door not a door?"  "When it is ajar."
  Now we have a new joke,  "When is a door not a door?"  "When it is ajam(b)."
  PGN]


Re: Sunspots & Communications

<Gasbarro.pa@Xerox.COM>
16 Mar 89 17:26:07 PST
> I thought that [garage door] openers operated in the microwave range;
> isn't this power level of transmission unhealthy?

Most garage door openers that I've encountered operate in the 380MHz range.
Water resonates at 2.4GHz.  Besides, the power level is only a few tens of
milliwatts.


Ethics of Copying Fonts

jss@ulysses.UUCP <Jerry Schwarz>
Fri, 17 Mar 89 11:02:24 EST
Marc Mengel ... exactly illustrates why this is a gray area.  Suppose that they
didn't pick out the letters but were distributing the whole page?  Clearly a
violation of copyright.  Individual columns?  Still a clear violation.
Individual pixels?  Clearly permitted, but only because they used no NYT
information content.  Why bother digitizing the NYT to get bits in simple
patterns when you can generate them yourself?  Somewhere in between (around the
word or letter level) lies a gray area.

My (moral) conclusion is that if it's worth copying something then there is
value in what's being copied.  If the value derives from effort that is not
required to make the copy then there ought to be a way to protect that effort.

Jerry Schwarz


Policy Statement Request

Dave `White Water' Grisham <dave@charon.unm.edu>
Fri, 17 Mar 89 10:52:44 MST
I am currently (re)writing our Univ. policy on "computer misuse".  Rather
than reinvent the wheel, I ask anyone who has access to an enforceable, yet
comprehensive policy statement to please share it with me.  My research
to date has shown many universities to be behind in their written-published
policies.  I believe courts will find that policies written before
networking and viruses are of little value.  I will be glad to post the
results of my efforts individually or to the group.  Thanks in advance.  dave

   Dave  Grisham
   Senior Staff Consultant/Virus Security          Phone (505) 277-8148
   Information Resource Center                     USENET DAVE@UNMA.UNM.EDU
   Computer & Information Resources & Technology   BITNET DAVE@UNMB
   University of New Mexico    Albuquerque, New Mexico  87131


Re: Incoming-call identification

Brint Cooper <abc@BRL.MIL>
Thu, 16 Mar 89 9:24:50 EST
Incoming-call ID is a difficult problem.  Still, doesn't a person, in the
privacy of Home, have the right to an "electronic peep-hole" to control his/her
privacy?

This is a larger issue than screening out the vendors who call at dinnertime.
The police and telcos simply are ineffective at dealing with persistent,
harassing and/or obscene callers.  Their methods are cumbersome and
non-responsive to the harassment.

Any caller can protect his/her privacy by calling from a work phone (which is a
very common practice, prohibitions notwithstanding) or from a pay phone.

Incidentally, what is the "scope" of Incoming Call-ID?  Does it identify only
calls from the same central office?  local calling area? area code?  or
country?  A function similar to Incoming Call-ID is how our telco gathers
"evidence" on harassing phone calls.  The harassed plaintiff keeps a
date/time log of objectionable calls; the telco may be able to tell the
originating phone number.  However, in our case, it could resolve only phone
numbers in the same central office as the harassee and, perhaps, a small
number of other, specified, central offices.

I'm a firm believer in privacy, too.  But that includes my right to privacy in
my own home.
                                        _Brint


Risks of telephone access to your bank account

Brint Cooper <abc@BRL.MIL>
Thu, 16 Mar 89 9:29:31 EST
In discussing "Risks of telephone access to your bank account," Michael
McClary relates the identifying information required to transfer funds
by telephone, then observes:

> Now combine that with cellular phones that:
>  - are not scrambled,
>  - don't switch channels enough to break up a conversation,
>  - can be rec[ei]ved on the high end of an old TV set's UHF dial
>  - are generally owned by busy people with money
> and you've got the makings of some nasty surprises.

Get the word out, folks:  CELLULAR PHONE IS NOT "TELEPHONE."  IT'S
BROADCAST RADIO!  DON'T SAY ANYTHING ON CELLULAR PHONE THAT YOU WOULDN'T
SAY ON YOUR LOCAL RADIO STATION!
                                                  _Brint


Limitless ATMs (Re: RISKS DIGEST 8.37)

Emily H. Lonsford <m19940@mwvm.mitre.org>
Friday, 17 Mar 1989 17:02:51 EST
Some years back, when ATMs were first coming out, I signed up for a card at my
bank.  The first time I used it was a memorable experience.  The machine was
very primitive.  Instead of a CRT, it had colored buttons with messages like
"Insert card" or "Enter your PIN" which were illuminated to instruct the user.
I dutifully inserted my card and followed the instructions.  "Clickety click!"
responded the machine, and then told me to enter my PIN.  After each action on
my part, there was a noticeable pause and more "clickety clicks" from the
machine.  I soon decided that the clicks were there to keep me, the poor dumb
user, occupied while the machine communicated with the host.  This struck me as
terribly funny, and I began to chuckle.  Each set of clicks made me laugh
harder, and people were beginning to stare.  The best part was yet to come:
when the machine finally spit out the money, it was crisp and new - and WARM,
as if it had just been printed! It was all I could do not to roll around on the
floor laughing; I grabbed the money and my card and left.

A couple of years later, one of the bank's systems programmers explained the
machines to me.  "Oh," he said very seriously, "the clicks really had a
purpose.  The machine had no link to the bank; instead it had a ticker tape
inside, and it recorded every transaction (hence the clicks.)  A technician
came around every day, collected the tape (which was keyed into the bank's main
computer) and refreshed the money supply."  And as for the crisp new bills?
"Well, those machines were so cantankerous that they would jam if anything but
new money was used."

As usual, there was a logical reason for everything the computer did.  I think
I liked my interpretation better.

The moral is, these machines were vulnerable to the kind of attack mentioned in
RISKS 8.37.  They depended on the cooperation of the user not to go around and
collect $300 from each machine.  Security via ignorance....

Emily H. Lonsford, MITRE Houston W123  (713) 333-0922


Re: A Touching Faith in Technology

<henry@utzoo.UUCP>
Fri, 10 Mar 89 16:08:28 -0500
>"The adoption of an identity card, at least on a voluntary basis, which would
>carry such numbers - name, date of birth, nationality, signature and perhaps
>blood group - would surely be an advantage for everybody...

Of course, "voluntary" is likely to mean "compulsory" very quickly, unless
this is specifically illegal.  I have neither an age-of-majority card (the
only legal proof of drinking age here) nor a driver's licence, and you'd
be surprised at the looks this sometimes gets me.

Blood group, eh?  How soon before AIDS-test status gets included?

>... GIVEN THAT TECHNOLOGY SHOULD MAKE IT IMPOSSIBLE TO FORGE THEM,
>such cards could quickly establish one's bona fide. . . ."

This runs into the same problem that (I understand) Germany ran into after
WW2.  There were many people with little or no identification in the chaos
that followed Germany's defeat.  Some of them were wanted men.  There was
felt to be a need for one solid form of ID, something sufficiently well-
researched to be definitive.  The obvious choice was the passport.  What
this meant, in practice, was that if one could get a forged passport (not
easy, but not impossible), nobody would ever question one's new identity.

                                     Henry Spencer at U of Toronto Zoology


Risks of helpfulness

<henry@utzoo.UUCP>
Fri, 10 Mar 89 15:49:27 -0500
I haven't seen this one mentioned here yet...  At the San Diego Usenix
conference at the beginning of last month, in his keynote speech, William T.
O'Shea (VP of AT&T) said that twice recently, intruders got into AT&T systems
by being talked through the sign-on procedures by AT&T help desks!

                                     Henry Spencer at U of Toronto Zoology


Work monitoring survey

<goun%evetpu.DEC@decwrl.dec.com>
10 Mar 89 09:47
From The Boston Globe, Thursday, March 9, 1989:

  Most workers in survey think employers use electronic means to spy on them

By Ronald Rosenberg, Globe Staff

     A survey said that 75 percent of mostly unionized workers in Greater
Boston feel ``spied on at their jobs'' by electronic monitoring.

     The survey, conducted by the Massachusetts Coalition on new Office
Technology, which represents over 40 unions and women's organizations, has
filed state legislation that would require notifying employees in advance of
any monitoring or surveillance.  A legislative hearing on the measure is
scheduled Monday at the State House.

     Several insurance firms, banks, airlines and industry groups oppose the
legislation, saying it is unnecessary and violates an employer's right to
monitor how employees work.

     At issue is the use of computerized or electronic monitoring systems to
keep track of an employee's work performance and activities.  This kind of
surveillance includes computer monitoring where the computer counts keystrokes,
error rate, time to complete each task and break time.

     Another way checking [sic] on employee productivity is service observation
where supervisors listen into conversations between employees and customers.

     A third form, known as telephone call accounting, monitors the time,
length and destination of all calls dialed from each extension but does not
record the conversation.  It is used by telemarketing firms and large sales
organizations.

     ``There have been clear abuses of electronic monitoring and it violates a
person's right of privacy and right of due process,'' said Lisa Gallatin, the
coalition's executive director.


Faking Internet mail

Robert C. Lehman <rcl@jolt.cc.columbia.edu>
Tue, 14 Mar 89 14:54:23 EST
While "faking" electronic mail may be easy, it's not as easy as faking
"physical" mail.  More specifically, getting some company or university
letterhead (or having some printed, for that matter) and typing up a letter
requires less specific knowledge than hacking some system's SMTP mailer,
for example.

However, people perceive computers as being reasonably secure entities, and
therefore they assume that electronic mail generated by a computer system
is genuine.

While an organization such as NSF, which is accepting reviews of proposals
via electronic mail, should be concerned about the authenticity of reviews
it receives, reviews sent by electronic mail are, in the long run, no more
or less likely to be bogus than those sent by surface mail.

Robert Lehman, Columbia University


Spying on or intercepting UUCP mail

David Sherman <dave@lsuc.uucp>
Wed, 8 Mar 89 23:51:24 EST
Peter Scott (pjs@grouch.jpl.nasa.gov) writes in RISKS 8.28:
> > Walter Roberson in RISKS-8.27
> >How about the
> >other way around: how much danger is there that someone can spoof mail in
> >order to receive messages destined for someone else?
> 
> The only way I know of doing this is if your machine is on the path for
> the mail in the first place, in which case you can look at everything
> that passes through anyway.

All it takes is a published "mysite  uunet(LOCAL), att(LOCAL)".
Now that most sites on the net use automated routing with pathalias,
a sysadmin with long-term general spying goals need only show very fast
connections to major sites in the system's official UUCP map entries.
Within a few months a lot of mail from nearby sites will be coming
through.  Keeping a copy of everything that passes through is as
trivial as setting a #define in smail.

David Sherman, The Law Society of Upper Canada  (att!lsuc!dave :-))
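The routing effect David Sherman describes, worked through as an added example (not part of his post or of pathalias itself): a site that advertises cheap links to backbone hubs draws neighbouring sites' mail through itself, and a map maintainer can flag such entries by looking for implausibly cheap, unreciprocated hub links.  The map excerpt is constructed, and the numeric link costs are my recollection of the pathalias cost table, so treat them as assumptions.

```python
import heapq, re

# pathalias link-cost names (numeric values as I recall from the pathalias docs;
# treat them as assumptions).  Lower cost = more attractive route.
COSTS = {"LOCAL": 25, "DEDICATED": 95, "DIRECT": 200, "DEMAND": 300,
         "HOURLY": 500, "EVENING": 1800, "DAILY": 5000, "WEEKLY": 30000}

# Constructed map excerpt, not a real UUCP map; the last line is the entry the post describes.
MAP = """\
uunet     att(DEDICATED), decvax(DEDICATED)
att       uunet(DEDICATED), decvax(DAILY)
decvax    uunet(DEDICATED), att(DAILY)
nearsite  att(DAILY), mysite(DIRECT)
mysite    uunet(LOCAL), att(LOCAL), nearsite(DIRECT)
"""
LINK = re.compile(r"(\w+)\((\w+)\)")

def parse_map(text):
    """Return {site: {neighbour: cost}} from 'site  nbr(COST), ...' lines."""
    graph = {}
    for line in text.splitlines():
        if line.strip():
            site, links = line.split(None, 1)
            graph[site] = {n: COSTS[c] for n, c in LINK.findall(links)}
    return graph

def route(graph, src, dst):
    """Dijkstra over advertised costs: the path pathalias would choose."""
    best = {src: 0}
    heap = [(0, src, [src])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        for nbr, c in graph.get(node, {}).items():
            if cost + c < best.get(nbr, float("inf")):
                best[nbr] = cost + c
                heapq.heappush(heap, (cost + c, nbr, path + [nbr]))
    return None

def suspicious_entries(graph, hubs, max_cost=COSTS["LOCAL"]):
    """Flag sites claiming LOCAL-or-better links to 2+ hubs that do not list them back."""
    flagged = []
    for site, links in graph.items():
        cheap = sorted(h for h in hubs if links.get(h, float("inf")) <= max_cost
                       and site not in graph.get(h, {}))
        if len(cheap) >= 2:
            flagged.append((site, cheap))
    return flagged
```

With this map, mail from nearsite to uunet or decvax is routed through mysite even though nearsite has its own link to att, and mysite is the only entry the asymmetry check flags.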


Hackers, cartoons, and computers

Doug Claar <dclaar%hpda@hp-sde.sde.hp.com>
Mon, 13 Mar 89 17:32:44 pst
Recently, while watching my kids watch Saturday cartoons, I noticed a "Computer
Minute" public service type ad from the network. In it, the father, who was
portrayed as clueless, was trying to organize his towering stack of papers. His
son, Hacker, tried to tell dad all about Data Base Management Systems. Why,
even sister had her (girl stuff) on the computer, and gee, mom had her
recipes. Hacker had his (boy stuff) on it as well. Having only seen one, I
don't know for certain, but given the girl's name (which I don't remember, but
wasn't computer-oriented), and the son's name, it seemed to perpetuate the
young male as the hacker stereotype.

Relationship to risks? Well, I've seen discussions on the term "hacker," and on
comics and computing.

Doug Claar, HP Computer Systems Division
UUCP: mcvax!decvax!hplabs!hpda!dclaar -or- ucbvax!hpda!dclaar
