The RISKS Digest
Volume 8 Issue 76

Wednesday, 31st May 1989

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

State computer system scrapped
Davis
Swedish library loan data to become secret
Howard Gayle
SABRE
Bill Murray
Strange Customs Service Clock Department
Willis H. Ware
No power lunch, just no-power crunch (after the squirrel's over)
PGN
Re: Computer electrocutes chess player who beat it!
David Chase
Five admit automated teller scam
Rodney Hoffman
Re: Kevin Mitnick
Kenneth Siani
Info on RISKS (comp.risks)

State computer system scrapped (RISKS-8.73)

<davis@ai.mit.edu>
Tue, 30 May 89 11:02:49 edt
Rumor:  AI Causes $20M Loss to Pennsylvania

How Rumors Get Started, Lesson 1 (Excerpts from Seattle Times article quoted by
Bruce Forstall in Risks 8.73):

Quote 1:
    COSMOS, designed by Pennsylvania-based UNISYS Corp., was thought so
advanced that Gov. Booth Gardner and some of the state's computer professionals
likened it to ``artificial intelligence.''

Quote 2:
    ``This was an effort to create artificial intelligence so the computer
could `think' about eligibility,'' Gardner said yesterday.  ``I don't think
we'll mess with artificial intelligence again.''


Notice the shift from ``likened it to AI'' to ``an effort to create AI.''
Notice how what starts out being metaphorical turns literal.  Does the system
in fact use any AI techniques?  Impossible to tell.  But what's the lingering
impression and what will people likely remember?


Swedish library loan data to become secret

Howard Gayle <howard@dahlbeck.ericsson.se>
Tue, 30 May 89 15:22:36 +0200
This is based on an article in the Stockholm newspaper Dagens Nyheter, 29
May 1989, p. 25.  The Swedish parliament has just passed a law, effective 1
October 1989, making the records of public library loans secret.  At
present, such records are in principle public information, so that any
person can find out which books any library patron has borrowed.  In
practice some libraries refuse to give out such information, although this
is technically illegal.  The minister of justice opposed the new law,
although the article does not say why.  Like all Swedish laws, there are
plenty of exceptions.  Data may be released if the release does no harm, if
the patron borrows technical literature for use at work, if the data are
needed to calculate compensation to authors, or if the data are to be used
for research.  (Authors get some money based on how many times their books
are borrowed, in addition to royalties.)


SABRE

<WHMurray@DOCKMASTER.NCSC.MIL>
Sat, 27 May 89 13:55 EDT
>Is SABRE is too tightly coupled to its hardware to be moved to a    
>platform that provides hardware memory protection?  Or is it just plain
>too big to be ported?                                                        

SABRE, like most reservation systems, runs on ACP or TPF.  These
high-performance, limited function operating systems run on hardware with
memory protection, i.e., 370 XA.  However, for performance reasons, they do
not exploit the isolation features of the hardware.  All application code
runs in a single address space and at the same level of privilege.

While this strategy is inherently dangerous, there are compensating controls
imposed on application code.  The strategy has been very successful.  The
res systems have achieved extraordinary reliability and stability for any
kind of system, let alone systems which are both mammoth and monolithic.

Portability is another issue.  Like most application code, the code of the res
systems is sensitive to its environment.  It expects a certain application
program interface.  It can run anywhere it sees that API.  The API isolates it
from the underlying hardware and operating system.  The application code has
survived many ports to new hardware and operating system.

However, the application is so large and complex that it is difficult to view
it as anything but a monolith.  The monolith can only be ported as a whole to
something big enough to contain it.  IBM is under continual pressure to expand
the environment fast enough to accomodate the growth of the application, and
the operators struggle to keep it small enough to run in the biggest system
available.

If you were to begin today, knowing what we know, you would never permit
anything so large and monolithic to come into existence.  On the other hand it
is too large, important, valuable, and vital to kill.  Like many other
successful applications from the sixties, it has a life of its own.  While we
may migrate many of its functions to compartmented sub-systems, the core is
likely to be with us for a very long time.

Success is like that.  

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114                          
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840                


Strange Customs Service Clock Department

"Willis H. Ware" <willis@rand.org>
Fri, 26 May 89 17:13:34 PDT
  [Excerpted and Paraphrased from Goverment Computer News, May 1, 1989,
  pg 6, byline of Vanessa Jo Grimm.]

The U.S. attorney for Washington is reviewing an allegation that a Customs
Service official violated the Computer Security Act [PL 100-235 presumably]
by altering a computer's internal clock.

Treasury Department Inspector General Michael R. Hill referred the
allegation to the prosecutor after an investigation into year-end spedning
by Custom officials at the close of FY 1988.  The allegation involves an
official who may have authorized altering the date maintained by the
computers [that] the agency uses for procurment documents, according to
Maurice S. Moody, the IG's audit director for Financial Management Service.

Moody recently told the House Ways and Means Subcommittee on Oversight
the computers are part of the agency's Automated Commercial System.  He
declined to provide GCN with more details.

Allegedly the computer clock was rolled back during the first three days
of October [of 1988] so that $41.8M in procurement obligations would be
dated in September against FY 1988 appropriations, Moody said.

An IG report issued in late February concluded Customs had not violated
any procurement laws.  The IG's investigation is continuing, however.

"Doesn't $41.8M worth of procurement on the last day of the fiscal year bother
anybody?" asked Rep. Richard T. Shulze (R-Pa).  The purchases did bother the
IG, Moody said, and this concern led to getting the US attorney.  "This problem
is endemic in the federal government," he said.  "Year-end spedning is very
common."

William F. Riley, Customs controller, said he knew about the rollback, but he
and Deputy Commissioner Michael H.  Lane refused to say who authorized the
action...  Subcommittee members continued to press Riley and Lane. "Is the
person still at Customs?" asked subcommittee chairman J.J.Pickle (D-Texas). "He
is working full time and in the position he was at the time," Lane answered.

Rep. Beryl F. Anthony, Jr. (D-Ark) asked how Riley became aware of the
rollback. "He [the official who authorized the rollback] told me that it was
going to be done," Riley said.

[Rep Pickle suggested that a high ranking official would have to authorize such
an action, but Counsel advised Lane not to reply.  He did say neither he nor
Commissioner von Raab had made the decision.]

[The balance of the article deals with the actions of Linda Gibbs, who became
aware of the incident and reported it to the IG after being unable to stop the
action.  Gibbs also alleged that the action was intended to use available
year-end money to cover cost overrun on a contract with Northrop Corp.  She
also alleged that she had been reassigned and given no new duties.]


No power lunch, just no-power crunch

Peter Neumann <neumann@csl.sri.com>
Wed, 31 May 1989 14:30:35 PDT
When people returned to work on Tuesday after Monday's squirrel attack (noted
in RISKS-8.75), at least NINE Sun monitors had been wiped out at SRI.  Sun was
terrific in having replacements for most by Tuesday afternoon.  (The DEC
mainframes that Dave Edwards noted had been downed both took a while to bring
up again — including our friendly old DEC 2065 KL, which I shall miss when it
finally gets decommissioned.)


Re: Computer electrocutes chess player who beat it! (RISKS 8.75)

<chase@orc.olivetti.com>
Tue, 30 May 89 13:18:07 -0700
> This implies that Soviet semiconductors work at voltages of a few
> hundred volts, or maybe their supercomputers are tube-based?

The story as it stands sounds bogus, but don't discount low voltages.  One of
the worst shocks I've ever received (in the range of 6 to 12000 non-static
volts) was only 12 volts.  I was VERY well grounded (driving in the rain in a
car with old metal springs in the seats and big holes in the floor), and
attempted to manipulate the metal stump of the wiper control with a finger with
a cut on the end of it.  The sensation was something like a whack across the
chest with a baseball bat.  Normally, I can't even feel 12 volts.
                                                                      David

   [Maybe the WWN writer got it wrong, and it was "chest" instead of "chess"?


Five admit automated teller scam

Rodney Hoffman <Hoffman.ElSegundo@Xerox.com>
24 May 89 08:33:57 PDT (Wednesday)
In RISKS-8.24, I summarized a news account about five people arrested and
charged with violating federal fraud statutes in a scheme to use more than
7,000 counterfeit ATM cards.  The alleged mastermind, Mark Koenig, was a
computer programmer who, while temporarily working under contract on a job
dealing with several hundred ATMs, transferred bank account and PIN information
to his home computer and stole an ATM encoding machine from his office.  He and
his confederates planned to use the counterfeit ATM cards to withdraw cash from
ATMS throughout California and the Midwest over the three-day Presidents Day
weekend in February.  An unnamed informant alerted the U.S. Secret Service, who
arrested the five people before that holiday weekend.

A wire service story in the LATimes 23-May-89 reports that the five pleaded
guilty Monday.  All are scheduled for sentencing Aug. 25, and face prison terms
of up to 72 years each.


Re: Kevin Mitnick <Armed with a Keyboard and Considered Dangerous>

<SIANI@nssdca.GSFC.NASA.GOV>
Tue, 23 May 89 09:53:47 EST
   Kevin Mitnick, the hacker "so dangerous that he can't even be allowed to use
a phone". "He could ruin your life with his keyboard". "Armed with a keyboard
and considered dangerous."

   These are some of the things that have been said about this person. All of
this media hype would be fine if it just sold news papers. But it has done much
more then just sell a few papers. It has influenced those that will ultimately
decide his fate. I myself don't know the man, but I have talked to others that
do. Including one of the persons that investigated Mitnick.  From all I have
heard about him, I think he is a slime ball! But even a slime ball should not
be railroaded into a prison sentence that others of equal or greater guilt have
avoided.

I personally feel the man is just a criminal, like the guy that robs a 7/11, no
better but certainly not any worse.  Unfortunately he is thought of as some
kind of a "SUPER HACKER".  The head of LA Police Dept's Computer Crime Unit is
quoted as saying "Mitnick is several levels above what you would characterize
as a computer hacker".

   No disrespect intended, but a statement like this from the head of a
computer crime unit indicates his ignorance on the ability of hackers and phone
phreaks. Sure he did things like access and perhaps even altered Police Dept.
criminal records, credit records at TRW Corp, and Pacific Telephone,
disconnecting phones of people he didn't like etc.  But what is not understood
by most people outside of the hack/phreak world is that these things are VERY
EASY TO DO AND ARE DONE ALL THE TIME.  In the hack/phreak community such
manipulation of computer and phone systems is all to easy. I see nothing
special about his ability to do this.  The only thing special about Kevin
Mitnick is that he is not a "novice" hacker like most of the thirteen year old
kids that get busted for hacking/phreaking.  It has been a number of years
since an "advanced" hacker has been arrested.  Not since the days of the Inner
Circle gang have law enforcement authorities had to deal with a hacker working
at this level of ability. As a general rule, advanced hackers do not get caught
because of there activity but rather it is almost always others that turn them
in.  It is therefore easy to understand why his abilities are perceived as
being extraordinary when in fact they are not.

Because of all the media hype this case has received I'm afraid that: 

1.) He will not be treated fairly. He will be judged as a much greater threat
    to society then others that have committed simular crimes.

2.) He will become some kind of folk hero. A Jesse James with a keyboard.
    This will only cause other to follow in his footsteps. 

I'm not defending him or the things he has done in any sense. All I'm saying
is let's be fair. Judge the man by the facts, not the headlines.

Disclaimer: The views expressed here are my own. 

Kenneth Siani, Sr. Security Specialist, Information Systems Div., NYMA Inc.

Please report problems with the web pages to the maintainer

x
Top