The RISKS Digest
Volume 15 Issue 66

Thursday, 17th March 1994

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Hit the Wrong Key, become a Verb...
Peter Wayner
o Aldrich Ames, Master Hacker?
Peter Wayner
o "Clipper Compromised?" brief in Network World 14 Mar 1992
Christopher Wysopal
o Sly Imposter Robs S.F. Man of Good Name
Mike Crawford
o Fire knocks out phone service in LA
George Feil
o Ease of Administering Phone Systems Leads to Risk of Sabotage
George Pajari
o Nessy - same new trick
Bob Frankston
o Super-ID and Surveillance
Mich Kabay
o Caught with their pants down [de-picted by rabbit admirers]
Mich Kabay
o Neo-nazi T.A.D. eavesdropping
Mich Kabay
o Derivatives
Phil Agre
o Followup report on TCAS incident in Portland
Lauren Wiener
o Caller ID utility
Robert Morrell Jr.
o New Security Paradigms Workshop: CFP and Correction
Catherine A. Meadows
o Info on RISKS (comp.risks)

Hit the Wrong Key, become a Verb...

Peter Wayner <>
Wed, 16 Mar 1994 15:40:25 -0500
The Wall Street Journal (3/16/94, pg 1) reported that Jan Pablo Davila lost at
least $207 million of Codelco, a state-owned Chilean company by typing the
wrong financial transaction into his computer. He typed "buy" when he says he
ment to type "sell". Now, all of Chile is obsessed with the mistake that cost
0.5% of Chile's GNP and the new word "davilar" is a verb that is "...loosely
translated as 'to botch things up miserably.'"

Aldrich Ames, Master Hacker?

Peter Wayner <>
Wed, 16 Mar 1994 15:33:56 -0500
The Washington Times (3/16/94,pg A3) reported:

  CIA sources told the Washington Times that Mr. Ames used his CIA computer to
  make unauthorized entries into computers within the espionage branch and
  downloaded information about the CIA's operations in Europe, including the
  identity of undercover agents posing as businessmen.

The story goes on to say that they'll be tightening up access to this
information in response to this problem.  But later in the story, they note
that they'll be loosening requirements for peering into the financial records
of the agents. "New legislation would be required to permit secret searches
into personal-finance and credit data without employee consent."

My prediction is that they will reverse both of these changes in a few years
when they discover that 1) some operation abroad was hampered by lack of
direct access to info at a critical time and 2) some employee was
bribed/spindled or mutilated using the data that they got by peering through
credit records.

This just illustrates the problems of maintaining secrets and building
networks of trust. The CIA has a hard job ahead of them. The folks who are
building a Clipper network and crossing their fingers that the centralized
repository won't be compromised have an even tougher one.

"Clipper Compromised?" brief in Network World 14 Mar 1992

Christopher Wysopal <>
15 Mar 94 16:22:48 ES
Clipper Compromised?
"Security Insider Report," a monthly newsletter published in Seminole, Fla.,
has reported that government officials are seeking to determine whether former
CIA employee and alleged traitor Aldrich Ames may have sold information to the
Russians about the government's secret key-escrow technology used in Clipper
Chip chipsets and Capstone Tessera cards.  The secret key-escrow technology,
dubbed Skipjack, can be used to encrypt network voice and data.

Network World, March 14, 1994, Page 2

The RISK of secret algorithms and government key escrow being compromised may
already be 100 percent.

- Christopher Wysopal

    [Also noted by (Rob Seaman).  PGN]

Sly Imposter Robs S.F. Man of Good Name

Mike Crawford <>
Mon, 14 Mar 1994 11:35:07 -0800
"Sly Imposter Robs S.F. Man of Good Name", by Catherine Bowman,
*San Francisco Chronicle*, 14 Mar 1994, p.1.

San Francisco attorney Charles Sentman Crompton II, dogged by a string
of arrest reports, mysterious credit card bills and a fake ID, is fed up and
frustrated - so frustrated, in fact, that he is taking Charles Sentman
Crompton III to court.  [...]
Using Crompton's name, address, and Social Security number, the man has
opened charge accounts at local stores, rented an apartment and obtained
a driver's license, Crompton says.  He has allegedly run up nearly $3,000
in purchases at Macy's, Radio Shack and other stores, buying a portable
computer and other items.  [...]

  (The suspect has been repeatedly arrested and set free by local police
  for stealing cars, etc., and gave Crompton's name.)  [...]
  (The real Crompton obtains the phony Crompton's driver's license after the
  suspect drops it while fleeing from a suspicious store clerk.)  [...]

Crompton obtained a photocopy of that license, which he forwarded to the
state Department of Motor Vehicles with a letter explaining the problem.
He then asked for a new license with a different number.

The DMV obliged.  Then in a monumental goof, the agency mailed the license
to the other Crompton.  [...]

  (The article includes a photo of the real Crompton and a physical
  description of both men.  Real Crompton states that phony Crompton could not
  possibly be a true Elvis fan like him.)

The punch line:

Crompton says he does not blame the system for allowing the case to snowball.
Still, he worries about his credit record and being fingered for crimes he
did not commit.

Hmm... I'd say that this is a built-in feature of the system.


Mike's doomsday speech:

"We are just entering the Information Age.  Those who possess the information,
those who dispense it, and those who know how to manipulate the information
will be the rulers.  Those who do not will be the peasants."

I conjecture that the DMV goof was caused by different people handling the
task of reissuing the license without communicating the nature of the problem
to each other.  One clerk dutifully issued a request for a new license, and
perhaps typed a memo explaining the problem.  Another clerk printed the
license and sent it to the address on file (along with the letter explaining
the problem, so the phony Crompton was officially tipped off in writing by the

The California DMV is one of the largest bureaucracies in the United States,
and possesses one of the largest management information systems as well.
Well-defined lines of communication to handle such exceptional situations
probably do not exist.  I'd say we're lucky it works at all for the normal

One solution might be a government debugging agency.  There should be a single
office that Crompton could go to, that would work with all of the government
agencies and credit bureaus to straighten out the record.

Of course this agency would itself be a fertile ground for fraud.

Mike Crawford, Author of the Word Services Apple Event Suite   Free Mac Source Code: ftp
                          get /info-mac/dev/src/writeswell-jr-102-c.hqx

Fire knocks out phone service in LA

"George Feil" <>
Tue, 15 Mar 94 09:19:45 -0500
A news bulletin just in: A fire in a Pacific Bell switching complex
has knocked out local phone service to most of Los Angeles, CA.

Those of us who recall the Hinsdale, IL fire of several years ago are already
aware of the significant potential single points of failure in the U.S.
telephone systems. Again, fire turns out to be the Achilles' Heel in this

It is ironic that while many financial firms (including my own) have remote
disaster sites, and have had occasion to use them (we tested ours for the
first time when the World Trade Center was bombed last year), telephone
companies continue to use the "fortress" approach, beefing up security of
non-redundant phone switches, instead. It doesn't appear to be effective
enough, and fire will likely be the key element of disaster.

Ease of Administering Phone Systems Leads to Risk of Sabotage

George Pajari <>
Tue, 15 Mar 94 22:26:27 PST
The newer digital small-office phone systems (such as the Northern Telecom
Meridian or NorStar units) reduce the system complexity and cost by enabling
the system to be configured from any telephone (rather than from a terminal or
other specialised interface).

While all of the critical settings are password protected, changing the
password on phone systems seems to be even less popular than managing
computer passwords.

While waiting for some friends at a local (very) up-market Chinese restaurant
I noticed that the convenience phone provided patrons in the waiting area was
a NorStar. Having little else to do while waiting I decided to try the
factory-default master administration password. It worked.  The surprise
was that when I turned over the phone I saw the "Installed by" sticker of
the local telco's "independent" customer premise equipment interconnect
company (i.e. not some small fly-by-night operator but the largest vendor
of such equipment in the province).

The RISK?  Reprogramming their phone switch (a) to change the password and
(b) not to ring on any (audible) extension when incoming calls arrive on
their reservation lines could easily cost such a restaurant a significant
chunk of its income (especially on a Saturday when even finding someone
able to fix the problem once it was discovered could result in hours of
delay, not to mention the time to type in the entire configuration again
once the memory was wiped to get around the changed password).

George Pajari, Faximum Software, 1497 Marine Drive, Suite 300, West Vancouver,
BC / Canada V7T 1B8 pajari@Faximum.COM / Tel: +1 (604) 925-3600

Nessy - same new trick

Sun, 13 Mar 1994 18:02 -0400
Just as a reminder that doctoring photos is nothing new, there is a news
story out of the UK on CNN saying that someone confessed (on his deathbed)
that the famous Loch Ness Monster picture was a hoax. On one hand, it reminds
us that as much as we like to think that all we do is new, it isn't. But it
also puts the risk in perspective and makes us think about how these risks
have been handled in the past. Alas, they are not handled all that well.

Super-ID and Surveillance

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
17 Mar 94 21:37:38 EST
Article by David Lyon in Canada's _Globe and Mail_, 94.03.17, p. A21:

  "Super-ID: keeping and eye on everybody."

  The author reports on Ontario government officials are considering providing
  citizens with a single universal identifier to replace the hodge-podge of
  driver's license, medical card and so on.

Key points:

o   Driving concern is fraud, especially by foreigners using Canadian
medical insurance cards for free medical care.

o   Trend towards a "surveillance society" in which it is expected that
governments and private industry have a right to as much information as they
can gather about individuals, their preferences, behaviour and movements.

o   Risks of developing and using profiles of suspect behaviour and
applying sanctions or suspicion to innocent people simply because they happen
to fit a statistical pattern.

o   Single ID allows cross-relations among disparate databanks; could
easily lead to abuse by commercial or other exploiters.

o   Countries differ in extent to which they require "papers":to be
carried by citizens.  France have used them for decades, Germans since 1987.
Britain still resisting the universal ID, including DNA fingerprints.
Australian proposal rejected in 1987.

o   Recent surveys in Canada indicate popular concern over privacy is
rising; in 1993, a "survey by Ekos Associates showed that 52 per cent of
Canadians are `extremely concerned' about privacy.  Sixty per cent claim they
have less privacy than 10 years ago, and 81 per cent of them attribute this to
computer use."

The author ends his thoughtful, concise essay with a note on who shall
determine whether a single ID is to be used.  He urges everyone to "question
the morality of the super-ID and its place in the trend toward a surveillance
society.  And we need to find out just how and why people feel threatened,
diminished or fearful about things that on other levels--security, efficiency,
convenience--seem so alluring.

The paper published this note about the author:  "David Lyon is associate
professor of sociology at Queen's University, Kingston [Ontario].  His latest
book is _The Electronic Eye: The Rise of Surveillance Society_ (University of
Minnesota Press, 1994).

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

Caught with their pants down [de-picted by rabbit admirers]

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
17 Mar 94 21:37:45 EST
An article from the Reuters News Agency appeared in Canada's _Globe and Mail_
newspaper for 94.03.17, p. A15:

"Who undressed Jessica Rabbit?"

It seems that officials at Walt Disney Co. are embarrassed because some of
their animators got a little playful with Jessica Rabbit, the sultry lead in
the semi-animated film, "Who Framed Roger Rabbit?"  In one scene, the
animators (or someone) removed Jessica's underwear in three frames during a
pirouette which causes her skirt to ride up around her waist.

News of this ghastly descent into depravity seems to have caused hundreds of
people to rush out and buy the $40 CD of the film, depleting stocks at many
retail outlets.  As one viewer said after the L.A. Fox TV affiliate KTTV
showed the three frames publicly on the 16th of March, "If that turned you on,
it's time to see a psychiatrist."

[Seems to me that the RISK here is quality control failure more than anything
specifically electronic.  However, given the growing dependence of animators
on computers to help overcome the drudgery of their craft, I can see all kinds
of possibilities for bored technicians or crafty hackers.  How about a new
version of Snow White--showing what she was _really_ up to with those cute
dwarves.  What about _The Lady and the Tramp--After Hours_?  Or _The
Unexpurgated Little Red Riding Hood_?]

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

Neo-nazi T.A.D. eavesdropping

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
17 Mar 94 21:37:54 EST
>From the Canadian national newspaper, _The Globe and Mail_, 94.03.17, p. A2B.

"Ex-member of Heritage Front tells hearing of dirty tricks."

by R. Platiel (Globe and Mail reporter).

A disenchanted young former Nazi reported that the neo-Nazi Heritage Front
group broke into telephone answering devices (T.A.D.s) used by anti-racism
activists and recorded the phone numbers of correspondents.  They then passed
these numbers around among neo-Nazi supporters and harassed the victims.  She
claimed that some anti-racists were followed; others found that their
employers had received phone calls alleging that they were "Bolsheviks."

[Most T.A.D.s have a 2-digit code at best.  Not very challenging to crack.]

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn


Phil Agre <>
Tue, 15 Mar 1994 11:03:05 -0800
The new issue of Fortune contains a long article about the potential risks
of derivatives, which are complex types of financial deals that depend on
the values of certain underlying assets, such as currencies, commodities,
or composite entities like stock indexes.  The full reference is:

  Carol J. Loomis, The risk that won't go away, Fortune 129(5), 7 March
  1994, pages 40-57.

At the moment, there exist outstanding derivatives contracts on assets whose
total value is about $16 trillion dollars, about 2.5 times the United States'
GDP.  The problem is that nobody really understands how derivatives work.
They only exist in the first place because of big computers and global data
networks (see Risks 14.87).  In theory, they allow firms to manage the risks
of global business by hedging against potentially damaging fluctuations in
commodity prices, interest rates, currency exchange rates, and so forth, and
this can be a good thing.  In practice, it is difficult to do this right.
Moreover, the nature of derivative contracts entails increasing levels of
interconnection in the world financial system, with the solvency of each major
player frequently contingent on the ability of numerous other players to make
good on complex contracts.  A serious misjudgement at a large bank, on the
order of the savage losses recently incurred through bungled oil-price hedging
at the German firm Metallgesellschaft, could conceivably propagate through the
entire system.

It actually gets worse from there, as Loomis explains at some length.
Regulation is nearly nonexistent, largely because nobody knows how one *could*
regulate such things.  Reporting requirements are derisory as well.  In short,
the global economy is wound up real tight.  To be sure, market forces are
bringing an urgent profusion of risk management strategies.  The big question
is whether the prudence of individual players is adequate to prevent the total
system from collapsing in case of some exogenous event, or simply because
there's an angle nobody figures out until it's too late.

Phil Agre, UCSD

PS. The same issue of Fortune contains some advice for companies wishing to
engage in commercial activity on the Internet.

Followup report on TCAS incident in Portland

Lauren Wiener <>
Wed, 16 Mar 94 19:00:26 -0800
>From the Oregonian, March 14, 1994, p. B3:
[I'm in square brackets counting risks.  LRW ]

"FAA wants to know why system sent 2 jets toward each other

A collision course alarm sounded in the Portland incident, but the equipment's
subsequent response has officials baffled A system designed to avert air
collisions sent two planes heading toward one another near Portland Int'l
Airport, and federal authorities are trying to figure out why.  The Feb. 3
incident involved an Alaska Airlines jetliner and a HorizonAir commuter jet.
Each plane was equipped with the Traffic Collision Avoidance System, which
alerts pilots to other air traffic and sounds an alarm if there is a chance of
a collision.

"The question is not whether TCAS did its job.  The question is why did the
logic of TCAS tell the upper plane to go down and the lower plane to climb,"
said Dick Meyers, a Federal Aviation Administration spokesman based in Renton,
Wash.  A crash would not have resulted if the pilots had continued obeying the
instructions of the system, but the planes would have come uncomfortably
close, FAA officials said.

Alaska Airlines pilot Thomas Hedrick had been instructed by an air traffic
controller to climb to 9,000 feet and level off.  At the same time, a
HorizonAir commuter jet piloted by Brian Penwell was approaching the airport
and was instructed to descend to 10,000 feet and level off.

In both planes, the FAA-required collision avoidance alarm sounded — a common
occurrence in the traffic-congested skies around airports — letting the
pilots know they were too close to other aircraft.
[Risk 1 — many false alarms.  LRW ]

Then a second alarm sounded indicating the aircraft were on a potential
collision course.  Rather than advising the pilots to level off, the system
instructed the higher-flying plane to descend below the lower-flying plane and
the lower-flying plane to climb above the other.
[Risk 2 — uncoordinated solutions.  LRW ]

An air traffic controller noticed the HorizonAir plane descending toward the
Alaska plane and ordered the pilot to level off.

"I told him we could not because we were receiving a Resolution Advisory,"
Penwell wrote in a report filed with the FAA.  A Resolution Advisory in this
case was the system's directive to descend.
[Risk 3 — unclear who or what is in charge.  LRW ]

Penwell said he finally saw the Alaska plane and banked to the left at about
9200 feet.  Penwell estimated that the planes came within about a mile of each

Caller ID utility

"Robert Morrell Jr." <>
Fri, 11 Mar 1994 19:35:05 -0500 (EST)
An anonymous contributor recently denigrated the utility of caller ID in
stopping obscene callers, believing instead that the real purpose is to swell
the business telephone data banks.  Yet in the note it is recognized that the
uility for catching obscene callers is decreasing "as would be callers catch

Forgive me, but does that mean they are modifying their behavior? If it
inconveniences them, discourages the casual obscene caller, has it not done
its task?

The risks of this logic is clear... discard a technology that is doing what it
was intended to do because someone else is making (horrors) money.


New Security Paradigms Workshop: CFP and Correction

Catherine A. Meadows <>
Thu, 17 Mar 94 14:06:10 EST
Note: The address of the second Program Chair, Eric Leighninger, has changed
since this announcement appeared in SIGSAC Review and elsewhere.  The address
listed below is the correct one.

                              CALL FOR PAPERS
            A workshop sponsored by ACM SIGSAC and DOD
                         NEW SECURITY PARADIGMS '94

  Paradigm shifts disrupt the status quo, destroy outdated ideas, and open
  the way to new possibilities.  This workshop explores new ways of looking
  at computer security, hoping to develop transcendent solutions that
  provide the interoperability and flexibility users need in trusted systems.

                         AUGUST 3-5, 1994
                         Stone House Club
                         Little Compton, R.I.

New Security Paradigms '94 provides a creative and constructive workshop
environment at a small seaside inn for 20 researchers.  Dress is casual.  The
workshop fee of about $450 includes room, meals, and workshop materials.

To participate, submit a research paper or a 5-10 page position paper (5
copies) to one of the two program chairs by March 26, 1994.  The Program
Committee will referee the papers and notify authors of acceptance by June 11,
1994.  Proceedings will be published by ACM.

   Program Chair:  John Dobson
                   Computing Science Dept.
                   University of Newcastle
                   Newcastle NE1 7RU  U.K.
                   (+44) 91 222 8228
                   email:  John.Dobson at
  Program Chair:  Eric Leighninger  NOTE NEW ADDRESS!
                  334 Linwood Ave Apt.3
                  Newtonville, MA  02160
                  (617)  558-1412

  Workshop Chair:  Hilary H. Hosmer, Data Security, Inc.

  Publications Chair:  Catherine Meadows, NRL

  Scholarships:  Ravi Sandhu,  George Mason University

  Treasurer:  Steven Cha, Aerospace
  ACM SIGSAC Liaison:  Dixie Baker,  Aerospace

Please report problems with the web pages to the maintainer