The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 55

Wednesday 12 April 1989


o Informing the Public about Risks
Marc Rotenberg
o Central Locking Systems
J M Hicks
o Social Security Administration Verifying SSNs
David Gast
o Not Secure Agencies
Hugh Miller
o Re: Cellular Telephones
Eric Roskos
o Risk to Sun 386i users
Mike O'Connor via Alan Wexelblat
o Infallible Computers and Perry Mason
Brinton Cooper
Ephraim Vishniac
o Air Canada and fuel-proof gauges
Robert Dorsett
John Hascall
o Info on RISKS (comp.risks)

Informing the Public about Risks

Wed, 12 Apr 89 07:57:52 -0700
"Tell the Public the Truth About Risks"
(The Washington Post, 4/12/89, p. A22, letter to the editor)

"Jessica Tuchman Mathews' op-ed article `Is There More Risk in the World?'
(March 29, 1989) sidesteps one of the most basic issues in risk management: the
difference between imposed risk and assumed risk.  Dr. Mathews states that
once people cease to trust `those who manage and regulate the risks in their
lives . . . society's responses become irrational.'

"Public opposition to risky technologies - or technologies whose risks are
concealed or lied about by industry and regulators - is not irrational.  If
they are denied complete and reliable information, people will continue to
fight against the introduction of new, unknown risks in their lives.

"Full public information and participation are critical elements in
decisions about risk.  Unfortunately, in this decade the federal government
has consistently restricted public knowledge and involvement in such
questions, with decisions often made on the basis of narrowly defined
cost-benefit analysis.

"This trend should be reversed.  Complete information about various options
must reach those upon whom risks will be imposed in order to ensure their
involvement in final decisions.  For example, in the public debate over
meeting future energy needs, nuclear power and its attendant risks should be
compared not only with conventional methods of power generation but with
increased efficiency and renewable energy sources.  Federal, state and local
government must cooperate and show increasing flexibility in informing, not
closing out, the public.  The public has a right to know - and to decide."

John E. Young, Research Assistant. Worldwatch Institute, Washington, DC

Central Locking Systems

J M Hicks
Wed, 12 Apr 89 15:29:48 +0100
I expect that the dangers of overlooking the possibility of someone
disconnecting the power supply of a security system were hammered out in
this forum years ago, but I thought this story was a little different.

A friend of my brother had a car whose alternator broke down.  He had the
alternator mended.  He tried to start the car again.  Nothing happened.  He
realised the battery was still disconnected.  He left the car, shut the
door, opened the bonnet and reconnected the battery.

Clunk!  The Central Locking System locked all the doors of the car,
with the keys left in the ignition....

Disconnecting the battery again didn't allow the doors to be opened
again --- the manufacturers got that one right.

J. M. Hicks (a.k.a. Hilary),
Computing Services, Warwick University, Coventry, England. CV4 7AL

Social Security Administration Verifying Social Security Numbers

David Gast <gast@CS.UCLA.EDU>
Wed, 12 Apr 89 00:41:33 PDT
The NYT (April 11, 1989) reports that Dorcas R. Hardy, Commissioner of the
Social Security Administration, told a Congressional committee that the agency
had verified millions of SSN's for private credit companies.

The risks of using SSNs and private credit companies have been discussed
before.  TRW, the nation's largest credit reporting company, recently proposed
paying the SS Administration $1000000 to have 140 million numbers verified.
Risks seem even greater when one company has credit information on 140
individuals--approximately 2/3 of every man, woman, and child in the country.

Phil Gambino, an agency spokesman, reported last month that the agency had
verified SSNs only at the request of beneficiaries or employers and had never
verified more than 25 numbers at a time.  He said such disclosures were
required under the Freedom of Information Act.

At the hearing yesterday, Dorcas R Hardy, Commissioner of the SSA, at first
denied any other verifications.  Later she admitted that in the early 80s,
3,000,000 SSNs were verified for Citi Corp and that last year 151,000 numbers
were verified for TRW.  Ms Hardy said that the 151,000 numbers were just part
of a "test run."

Senator David Pryor, D-Ark, chairman of the Special Committee on Aging, said
that previous commissioners, the Congressional Research Service of the Library
of Congress, and Donald A. Gonya, chief counsel for Social Security have all
decided that such verification is illegal.

David Gast                  {uunet,ucbvax,rutgers}!{ucla-cs,}!gast

Not Secure Agencies

Hugh Miller
Wed, 12 Apr 89 06:19:49 EDT
        Re Curtis Spangler's contribution in RISKS 8.54 ("NSA and Not Secure
Agencies"), quoting the SF Chronicle, quoting the CPSR spokesperson:

> "There is a constant risk that the federal agencies, under the guise
> of enhancing computer security, may find their programs - to the extent
> that they rely upon computer systems - increasingly under the
> supervision of the largest and most secretive intelligence organization
> in the country," [CPSR] said."

        I find the "may" most quaint.  It strikes me that this is a risk to
which we give all too little consideration.  In the recent disputes over
`hackers' and the `ethics' of hacking on this newsgroup I have occasionally
noticed some pretty uncritical paeans to security.

        The classical philosophers held that knowledge is power.  Today we
hold that information is power -- not the same thing: worse, in fact.
`Information' in the modern sense is much more structured, hierarchical, and
systematic than the classical notion of `knowledge' allowed.  It therefore
permits a much greater range and freedom for the employment of our powers and
a correspondingly greater degree of control over nature -- human included.  As
a result, it aggravates and amplifies the tendency of power to centralise
itself to a much greater extent than would have been possible in premodern
times.  One could, in fact, state a general law of information similar to that
of thermodynamics: "The information control (security) of the universe is
always increasing."  Just as in thermodynamics local excursions in the
direction of lesser entropy occur only at the expense of a net gain in entropy
for the universe, so in information systems temporary increases in access to
information take place at the expense of global increases in control.

        Security itself is a (potential) risk -- to those who are not
themselves part of the security establishment or who are not in favour
therewith.  The interests of those who would implement and enforce security
measures in information systems must always be balanced against the rights and
interests of (1) the users and (2) the subjects, i.e. those about whom the
information is being gathered.  Remember: just because you are a member of (1)
does not mean you are not a member of (2).

Hugh Miller, University of Toronto

Re: Cellular Telephones

Eric Roskos
Tue, 11 Apr 89 10:22:10 EDT
(Re: Thayer, RISKS-8.53)

> Has the law changed? I was led to understand that the FCC does not ban
> the reception of any signal.  Of course, banning the reception of
> certain signals is going to be tough to enforce anyway.

[I originally wrote the following posting in response to the first
cellular telephone posting, then decided not to send it because (a) I'd
already made several RISKS postings recently and (b) I'm reluctant to
comment on legal matters when many legal people seem to get upset by
lay-persons doing so.  However, in response to the above question I
decided to send it in anyway.]

(Re: Den Beste, RISKS-8.52)

> The article goes on to say that Radio Shack no longer sells that model, and
> that the FCC says such eavesdropping is illegal.

Intentionally listening to cellular communications is a violation of PL 99-508,
"The Electronic Communications Privacy Act of 1986," and the violator is
subject to a $500 criminal fine if the interception was of cellular telephone
and not for one of the "bad purposes" defined in the legislation (other types
of violations have penalties up to $250,000 for an individual or $500,000 for
an organization).  Accidentally encountering such a broadcast while tuning this
model of receiver is not a violation if you do not intentionally listen to it,
i.e., if you just pass by it in the course of tuning the radio; this issue was
specifically addressed in the ECPA.

The cellular telephone frequencies are adjacent to and overlap part of the UHF
TV band, so it is also possible to tune them on older, continuous (as vs.
discrete)-tuning UHF TV sets.  It was reported in the press that the FCC
recently stated that it is not illegal to manufacture and sell radios that tune
the cellular frequencies, and in the past the FCC has allegedly declined to
enforce the ECPA as applied to cellular telephones.  On the other hand, the
Cellular Telecommunications Industry Association recently used legal measures
to force Grove Enterprises, a small dealer of radio equipment in North
Carolina, to stop enabling a disabled feature of Radio Shack scanners that
allowed reception of cellular telephone.  It's interesting to note that Radio
Shack was one of the companies listed in the Senate Report 99-541 as
"support[ing] the principles involved in the [ECPA] legislation," and they
manufacture a radio which has an option jumper that enables reception of these
communications.  It is currently sold with this option disabled.

There is currently an ongoing debate between radio hobbyists and various
sections of the government on application of the ECPA to cellular telephone
communications.  Recent issues of the monthly periodical _Monitoring_Times_
contain a good bit of editorializing and news items on the subject; there was
also a recent book specifically about how to intercept radio telephone
communications released by a publisher oriented towards "communications
monitoring" topics.  It also appears to be the case that a lot of scanners are
sold and modified to receive cellular communications, and that the popular
opinion is that the ECPA will not be enforced with regard to cellular
telephone.  From a practical standpoint, this suggests that it is wise to
assume that any cellular telephone communications are probably being listened
to.  From the viewpoint of the potential listener, like the types of
unauthorized computer access discussed here recently, in the absence of strong
enforcement it is probably largely an ethical consideration: whether or not it
is technically legal or illegal, one has to consider whether it is ethical.
And, as I've argued in the past, Ethics per se doesn't say whether this sort of
activity is "ethical." It's a difficult problem to address, other than simply
to realize that the problem exists, and act in an informed manner.

Disclaimers: The above comments result from reading published documents on the
ECPA, and are *not* the opinions of a legal professional.  My interest in the
subject is solely in the area of keeping up with security and privacy issues,
and does not necessarily reflect the opinion of anyone else.

Eric Roskos (roskos@CS.IDA.ORG or Roskos@DOCKMASTER.ARPA)

Risk to Sun 386i users (Taken from Sun-nets mailing list)

"Alan Wexelblat"
Wed, 12 Apr 89 14:55:15 CDT
DISCLAIMER: I merely receive Sun-nets because I am assistant admin here.
I have no way to verify the accuracy of this report, but thought it
should be distributed.  People wanting more information should contact
Mike O'Connor directly.             --Alan Wexelblat

------- Forwarded Message

Date: Wed, 12 Apr 89 13:18:49 -0400
From: (Mike O'Connor)
Subject: Security hole in 386i login

The login program supplied by Sun for its 386i machines accepts an argument
which bypasses authentication.  It was apparently added in order to allow
the Sun program "logintool" to do the authentication and have login do the
housekeeping.  This allows any user who discovers the new argument to the
login program to become root a couple of ways.

            Mike O'Connor
            301-840-4952 | 703-359-0172

ps:  Mike Rigsby tells me that at a 386i SOS
     administration class he attended, he was informed that this access path
     was a design feature put in for forgetful administrators but that the
     class was told to keep it a secret.  I find this surprising, if true,
     since this is the OS that Sun claims "meets the spirit of C2
     specifications."  Then again, maybe I understand even less of the C2
     specs than I thought I did.

------- End of Forwarded Message
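
The flaw reported above, modelled as an added example (not Sun's code and not part of the forwarded message): a login-style program that trusts a "caller already authenticated" argument, beside a version that honours it only for a root caller and records every other attempt. The flag name `--preauth` and all function names are hypothetical; the report does not name the real argument.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum decision { REQUIRE_PASSWORD = 0, SKIP_PASSWORD = 1 };

/* Returns 1 if the hypothetical "--preauth" flag appears in argv. */
static int has_preauth_flag(int argc, char *const argv[]) {
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "--preauth") == 0)
            return 1;
    return 0;
}

/* Flawed design: the flag alone is treated as proof that a front end
 * already authenticated the user, so any local user who learns the
 * flag skips the password check. */
enum decision decide_flawed(int argc, char *const argv[], uid_t caller_ruid) {
    (void)caller_ruid; /* the caller's identity is never consulted */
    return has_preauth_flag(argc, argv) ? SKIP_PASSWORD : REQUIRE_PASSWORD;
}

/* Hardened design: login runs setuid root, so the effective UID is
 * always 0; the REAL UID identifies who invoked it. Honour the flag
 * only for a root caller, and set *rejected so the attempt can be
 * written to the audit log. */
enum decision decide_hardened(int argc, char *const argv[],
                              uid_t caller_ruid, int *rejected) {
    *rejected = 0;
    if (!has_preauth_flag(argc, argv))
        return REQUIRE_PASSWORD;
    if (caller_ruid == 0)
        return SKIP_PASSWORD;
    *rejected = 1; /* unprivileged caller presented the bypass flag */
    return REQUIRE_PASSWORD;
}

int main(void) {
    /* Constructed sample invocation and UIDs. */
    char *const sample[] = { "login", "--preauth", "root", NULL };
    uid_t ordinary = 1000, root = 0;
    int rejected = 0;

    printf("flawed,   uid 1000: %s\n",
           decide_flawed(3, sample, ordinary) == SKIP_PASSWORD
               ? "password skipped" : "password required");
    printf("hardened, uid 1000: %s",
           decide_hardened(3, sample, ordinary, &rejected) == SKIP_PASSWORD
               ? "password skipped" : "password required");
    printf(" (audit event: %s)\n", rejected ? "yes" : "no");
    printf("hardened, uid 0:    %s\n",
           decide_hardened(3, sample, root, &rejected) == SKIP_PASSWORD
               ? "password skipped" : "password required");
    return 0;
}
```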

Infallible Computers and Perry Mason (Dave Curry, RISKS-8.54)

Brinton Cooper <abc@BRL.MIL>
Wed, 12 Apr 89 17:19:05 EDT
>If I were the guy on the stand, I would have denied it all and forced Mason to
>prove that the time of day clock on the computer was correct at the time I
>last edited that file.

Actually, in the experience of the "average viewer" of a Perry Mason show, this
is probably a valid representation.  If they know computers at all, they're
probably PC-class things containing a clock card.  Just a little diligence sets
things up OK; most folks probably like the idea of a date/time stamp on
documents that they're constantly revising.

So, while it wouldn't have happened in many of our labs, it's probably
reasonable to have skipped Mason's providing "proof" that the clock was correct
since it's entirely reasonable, in this kind of case, that it probably was.


Infallible computers :-)

Wed, 12 Apr 89 16:29:29 EDT
In RISKS 8.54, reports on Perry Mason's latest:

"Anyway, the show demonstrates the fallacy of assuming that since the
information came from a computer, it is somehow ennobled,..."

But it didn't come from just any computer, it came from a Macintosh!

Seriously, I've come across several Macs here at TMC with clocks about four
hours slow.  Why?  They were manufactured and tested on Pacific Standard Time,
and here it is Eastern Daylight Time.  Contrariwise, I've seen and heard about
many Macs with clocks that run fast by several minutes per month.  Clock
accuracy requires maintenance!
                                            Ephraim Vishniac

Air Canada and fuel-proof gauges (Wales, RISKS-8.51)

Robert Dorsett
Tue, 11 Apr 89 20:27:16 CDT
I have been trying to get more information on how the 767's systems work,
but I think I should clarify something here.  People seem to be getting the
idea that the romantic notion of sticking a dipstick in a fuel tank is
a practical, easily accomplished act in an airliner.  It isn't.

Putting aside the fact that one has to get on the wing (and add structural
and maintenance support for the traffic areas), on Boeing aircraft, at least,
the overwing fuelling ports are fastened with several dozen screws.  It is
a pain taking the ports off and putting them back on.  A lengthy, expensive
process.  Normally, fuelling is done on the starboard wing, through an
underwing high-pressure nozzle.

To give an idea of how unattractive overwing fuelling is, recently, an
Aeromexico 727 diverted to an ex-WWII bomber base in Galveston, TX, during a
thunderstorm.  They were short on fuel.  Galveston has a full-service FBO,
and routinely caters to executive jets--but they didn't have the right
nozzle size.  Instead of opening the overwing hatches, they sent a car off
to Houston to fetch the right adapter, sixty miles away--a total delay of
about four hours.

All of this rather makes me doubt the "dipstick" story on the Air Canada
767, unless there's a new, specialized system that avoids the filler port.
Or, more likely, "dipstick" is slang for a secondary automated system.

In the old days (on props), "inspections" WERE used, but often required custom-
designed dipsticks.  A few planes were lost because the wrong dipstick was
used (improper graduations).

In practical airliner work, fuel is calculated using four methods:
   1.  The amount pumped in (by weight, on the truck);
   2.  Gauges near the wing (totalizers);
   3.  Individual tank quantity gauges and a totalizer gauge in the cockpit
       (merely knowing how much fuel is left is not adequate; one must know
        WHERE it is, due to loading considerations).
   4.  The amount burned (the fuel passed through the engines, fuel flow).

Fuel management is a continual cross-check of all these factors (that's what
the flight engineer, if present, is there for).  Occasionally, things screw up
(as in the case of the UA 747 near Japan, which "ran out of fuel," but was
found to have 30,000 lbs left in the center tank--they actually lost three
engines).  Overfilling is also more common than it should be--if you ever see a
plane dripping liquid, it's probably an overfilled tank.  The fire trucks won't
be far behind...

>Henry Spencer wrote that aviation regulations state that the "ultimate
>authority and responsibility rest with the pilot, nobody else."  Whereas this
>is certainly true in general aviation, this is NOT true in air carrier
>operations.  In air carrier operations, there is a division of labor, where
>many people other than the pilot in command are responsible for, and have
>authority as to, various aspects of a flight.

Legally, they have no authority.  Under FAR 91.3, the pilot in command is
directly responsible for, and is the ultimate authority as to, the proper
operation of the aircraft.  In PRACTICAL work, as other posters have noticed,
other people assume a de facto responsibility.  However, once the captain signs
the dispatch papers, he is LEGALLY responsible.  If the captain signs off with
an improperly loaded aircraft, or with dry fuel tanks, it is HIS legal

The "ground crew" concept came into being during the 60's, and was a result
of human-resource studies.  It usually works, but ground people do make
mistakes.  The pragmatic pilot will always double-check the figures and, at
least, make an effort to determine whether the figures (and the general
status of the airplane) are in the ballpark.  We are starting to see a
return to a more "hands on" management style.

Robert Dorsett

Air Canada and fuel-proof gauges (Wales, RISKS-8.51)

John Hascall
Tue, 11 Apr 89 20:18:44 CDT
  Commercial aircraft rarely take off with a full fuel tank, there is no
profit to be made in lifting a bunch of extra fuel.  Only enough to make
it to the primary destination and secondary landing site plus some extra
for holding is loaded.  Any extra would just have to be dumped anyway to
meet the safe landing weight.

  So eyeballing the tank to see if it was full would be useless, you would
need to use the dipstick.
                                          John Hascall

   [The next step is a computer program that checks the fuel levels, the
   flight destination, the weather data, and the plane load (among other
   things) and determines whether there is enough fuel.  If pilots came to
   trust THAT computer program -- and the sensors, computer data, etc. -- then
   my eyeballs would be rolling.  So, let's hear it for intelligent people,
   whether or not they use dipsticks!  PGN]
