Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Student grants in New Zealand are now paid by direct credit from the university's bank account to the student's. On Tuesday Victoria University sent a tape with the details to its bank, the Bank of NZ, which passed it on to Databank, the NZ banks' centralised computer centre. One (human) error meant the university was apparently asking for debits of a total of about $2,000,000 from some 4700 students instead of credits to their accounts. Databank did this although of course the university was not authorised to debit the students. According to today's "Dominion" newspaper BNZ may have spotted the error. On Wednesday a certain amount of chaos ensued, with students' banks saying all their cheques would be honoured that day and no overdraft fees applied. Corrections were made that night. It seems that Databank had no senior staff on duty on Tuesday night when the wrong transactions occurred, and guessed wrong on finding conflict between BNZ and Victoria University of Wellington instructions. John Harper, Mathematics Department, Victoria University, Wellington, NZ
During a recent episode of the PBS series "Learning in America", the cameras
were taken through a trade show at which computer and software vendors pitched
high-tech teaching aids to school board purchasing agents. Aside from possible
(and clearly debatable) RISKs to the brains of American schoolchildren (my
child was taught by a computer; she must always be right!), a more ominous idea
was presented. A company whose name I cannot recall was demonstrating a
software system to track attendance. It included a feature whereby parents
would be automatically notified (by mail, I suppose) of their childrens'
absences:
"Where were you last week?!?"
"In school, mom!"
"Wrongo! The school computer says you were absent 12 days last week!"
(**whack**)
Mike McNally, Lynx Real-Time Systems
[Incorporeal banishment leads to corporal punishment! PGN]
From the Phila. Inquirer, April 12, 1989. Page One, New Jersey/Metro section. "Ex-worker charged in virus case — Databases were alleged target", by Jane M. Von Bergen, Inquirer Staff Writer A former employee was charged yesterday with infecting his company's computer database in what is believed to be the first computer-virus arrest in the Philadelphia area. "We believe he was doing this as an act of revenge," said Camden County Assistant Prosecutor Norman Muhlbaier said [sic] yesterday, commenting on a motive for the employee who allegedly installed a program to erase databases at his former company, Datacomp Corp. in Voorhees [N.J.]. Chris Young, 21, of the 2000 block of Liberty Street, Trenton, was charged in Camden County with one count of computer theft by altering a database. Superior Court Judge E. Stevenson Fluharty released Young on his promise to pay $10,000 if he failed to appear in court. If convicted, Young faces a 10-year prison term and a $100,000 fine. Young could not be reached for comment. "No damage was done," Muhlbaier said, because the company discovered the virus before it could cause harm. Had the virus gone into effect, it could have damaged databases worth several hundred thousand dollars, Muhlbaier said. Datacomp Corp., in the Echelon Mall, is involved in telephone marketing. The company, which has between 30 and 35 employees, had a contract with a major telephone company to verify the contents of its white pages and try to sell bold-faced or other special listings in the white pages, a Datacomp company spokeswoman said. The database Young is accused of trying to destroy is the list of names from the phone company, she [sic] said. Muhlbaier said that the day Young resigned from the company, Oct. 7, he used fictitious passwords to obtain entry into the company computer, programming the virus to begin its destruction Dec. 7 --- Pearl Harbor Day. Young, who had worked for the company on and off for two years --- most recently as a supervisor --- was disgruntled because he had received some unfavorable job-performance reviews, the prosecutor said. Eventually, operators at the company picked up glitches in the computer system. A programmer, called in to straighten out the mess, noticed that the program had been altered and discovered the data-destroying virus, Muhlbaier said. "What Mr. Young did not know was that the computer system has a lot of security features so they could track it back to a particular date, time and terminal," Muhlbaier said. "We were able to ... prove that he was at that terminal." Young's virus, Muhlbaier said, is the type known as a "time bomb" because it is programmed to go off at a specific time. In this case, the database would have been sickened the first time someone switched on a computer Dec. 7, he said [note — it makes me kind of sick to see the term "sickened" applied to a database... sigh] Norma Kraus, a vice president of Datacomp's parent company, Volt Information Sciences Inc, said yesterday that the company's potential loss included not only the databases, but also the time it took to find and cure the virus. "All the work has to stop," causing delivery backups on contracts, she said. "We're just fortunate that we have employees who can determine what's wrong and then have the interest to do something. In this case, the employee didn't stop at fixing the system, but continued on to determine what the problem was." [hear, hear!] The Volt company, based in New York, does $500 million worth of business a year with such services as telephone marketing, data processing and technical support. It also arranges temporary workers, particularly in the data-processing field, and installs telecommunication services, Kraus said. [As usual, everything is now a `virus', even a nonreplicating timebomb. PGN]
From Walden, Ch. 1 "Economy": ..to keep yourself informed of the state of the markets, prospects of war and peace every where, and anticipate the tendencies of trade and civilization , --taking advantage of the results of all exploring expeditions, using new passages and all improvements in navigation; ---charts to be studied, the position of reefs and new lights and buoys to be ascertained, and ever, and ever, the logarithmic tables to be corrected, for by error of some calculator the vessel often splits upon a rock that should have reached a friendly pier...
Corrections to some semi-philosophical remarks in a recent posting:
Hugh Miller, Not Secure Agencies, in RISKS-8.55:
> The classical philosophers held that knowledge is power.
If we give "classical" its usual meaning, no such philosopher "held
that power is knowledge" (or, at any rate, none known to me). The
famous aphorism comes from Bacon, and what he was doing was proposing
a radically new definition: that nothing counts as true knowledge
unless it enables us to intervene in and control the material world.
All the rest was mumbo-jumbo. This was part of an explicit attack on
(more or less) everybody who preceded him, especially the Schoolmen.
Note: There's a meta-problem with phrases like "the classical
philosophers [believed this or that]" — for the simple reason that
there were many different ones, and they often disagreed.
> 'Information' in the modern sense is much more structured ...
than the classical notion of 'knowledge' allowed.
Comparing information and knowledge is like asking whether the fatness of a pig
is more or less green than the designated hitter rule. Let's take Plato and
Aristotle as exemplars of "classical" views on "knowledge." For both of them,
knowledge concerns the highest truths about the cosmos and mankind's place in
it, and is aspired to by the very best kind of human being. Such cannot be
said of lists of social security numbers.
David Guaspari
From: ficc!peter@uunet.UU.NET > One thing to bear in mind is that the computer can be mistaken, but > it can't be malicious. The computer program won't deliberately try to defraud Hmmm. Depends on your definition of "malicious." A large bank I worked for was found in court to have programmed its computers so as to systematically defraud its customers of their full compound interest. Whether the program into which the fraud was built was "malicious" is largely a matter of terminology. Let me turn the issue around somewhat - can a computer recognize "malice" in a person? Believe it or not, some computerized psychological tests (that are regularly admissible in court as evidence) purport to be able to diagnose malicious tendencies. I was once compelled by a court to submit to such an examination, despite my academic protest that such tests were scientifically invalid (which was established statistically in the 1960s). The computer reported that I didn't have a sense of humor, which I still find amusing. However, the widespread use of such tests is definitely not amusing.
In reference to Dave Curry's response about the guy on the stand. Mason doesn't have to prove he was guilty of the crime; he has to prove that his client is not guilty. Ergo, it wouldn't matter if the guy on the stand denied everything and forced Mason to prove anything. The bottom line is Mason by discussing the "directory" could introduce some doubt to the District Attorney`s argument. Normally, if the case is not provable "beyond a reasonable doubt", a verdict of "not guilty" is usually given. Of course, since Mason always does such a good job, the DA doesn't have to work hard for the next trial. But then again, Mason might defend the "guilty" guy successfully since "was the directory acquisition legal"? So much for supporting Mason writers... I agree strongly with Dave's arguments since many people do accept computer printouts as infallible facts and gospel. I wonder how many RISK debates are accepted because they appear in the RISK forum... I also wonder how many people use the RISKS forum discussions/debates to support local opinions... The computer word/document/listing has become a very powerful tool (just like statistics) and many people use it to their advantage. Jack Holleran (This is strictly an opinion not based on anything legal.)
I'd like to respond to a posting by Brian McMahon, Administrative Computing, University of Maryland in which he states : "May I add to the list of flagrant security violators the Hewlett Packard Corporation? Under MPE/V (the current OS for HP/3000 machines), all batch jobs must begin with a JOB card (those of you living in the late 1980s, substitute "line of text") which contains user and group passwords in plain text. "Interestingly, one of our systems programmers (who shall remain nameless) spoke of this as a FEATURE, because it allows users to submit batch jobs for other accounts!" The C2 evaluated version of MPE V/E, which was announced in October of 1988, allows the security administrator to configure the system to remove this vulnerability. In particular, to quote from the Final Evaluation Report: "Prevention of password exposure in batch submissions is effected by rejecting embedded passwords in job cards, prohibiting cross streaming [mentioned in the second paragraph above], and allowing System Manager and Account Manager to stream subordinate's jobs, and a user to stream one's own jobs, without having to supply passwords. A privileged interface, STREAMJOB, is provided which allows privileged mode programs to start jobs without having to supply passwords." Obviously, word hasn't gotten out to everyone about how the C2 secure version of MPE V/E works, but I know it does since I was team leader of the National Computer Security Center evaluation team. It is true that a customer must pay extra to get the Security Configurator software which will turn on the above features, but the ability to prevent job STREAMing with exposed passwords is there in all versions of release G.03.04 and later. You have to have the Security Configurator to configure it that way; otherwise it will default to the previous way of handling STREAMing, which requires embedded passwords. This is known as backward compatibility, and HP is hardly the first company to worry about that.
Taken from Sun-nets again:
Date: Wed, 12 Apr 89 15:48:28 -0400
From: -David C. Kovar <daedalus!corwin@talcott.harvard.edu>
Subject: Re: Security hole in 386i login
Reply-To: daedalus!kovar%husc4@talcott.harvard.edu
Several phone calls to Sun later ... Someone at Sun claims that it is a
"known security hole in 4.0.1 and will be patched in the next release due
out at the end of May." I pointed out that it was more like a known security
trapdoor feature and there wasn't much argument on the point. [...]
-David C. Kovar
Technical Consultant ARPA: kovar@husc4.harvard.edu
Office of Information Technology BITNET: corwin@harvarda.bitnet
Harvard University Ma Bell: 617-495-5947
Please report problems with the web pages to the maintainer