Subject: RISKS DIGEST 10.03
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Sunday 3 June 1990  Volume 10 : Issue 03

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Software development costs delay changes to UK doctors' funding (Ian W Moor)
  Hacking, Viruses, and UK Law (Pete Mellor)
  Re: ATM range-checking (Jim Horning)
  Re: Debate on SJG raid in comp.risks (Chuck Von Rospach, Kee Hinckley, Andy)
  Risks of moderated newsgroups and COWABUNGA (Nathan K. Meyers)
  Computer to track down drivers without insurance (Alan Wexelblat)
  Local solution to caller ID .vs. Privacy problem (Bob Estell)
  Re: Denial of service due to switch misconfiguration (John R. Levine)
  What the SJG Cyberpunk Manual Tells You to Do (J. Eric Townsend)
  Re: Word Perfect Software Upgrade Crashes Utah Phone System (Kyle Jones)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
TO FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR> cd sys$user2:[risks]<CR>GET RISKS-i.j ; j is TWO digits.
Vol summaries in risks-i.00 (j=0); "dir risks-*.*" gets you directory listing of back issues.
ALL CONTRIBUTIONS ARE CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.

----------------------------------------------------------------------

Date: Fri, 1 Jun 90 17:55:40 BST
From: iwm@doc.imperial.ac.uk
Subject: Software development costs delay changes to UK doctors' funding

This is a summary of an article in the Guardian for 1st June: `Computer hitch stalls GP budgets', any inaccuracies are mine.

At the moment UK family doctors are funded according to the size of their practice and various overheads.
As part of changes to the National Health Service, doctors may be required to maintain their own budgets and buy treatment from local hospitals. To do this doctors will require specialist software to interface with hospital databases as well as doing their own accounting. The first stage of the scheme involving several hundred doctors was to start next April.

The changes are unpopular and doctors are dropping out; software firms working in the area claim that developing the software is not worthwhile given the number of sales to those doctors participating. It was stated that even if the government funded the development there is not enough time to produce and test the software in time.

Although it is not stated in the article, I believe that one problem may be that different hospitals run different (and incompatible) accounting software.

Ian W Moor  JANET: iwm@uk.ac.ic.doc
Department of Computing, Imperial College. 180 Queensgate London SW7 UK.

------------------------------

Date: Sat, 2 Jun 90 18:53:19 PDT
From: Pete Mellor
Subject: Re: Airline Booking Cancellation (Risks 9.91)

I have been asked for the full reference to the paper I referred to in the above article. It is:

  Adam R: "A licence to steal? The growth and development of airline information systems"
  Journal of Information Science 16 (1990), pp. 77-91, 0165-5515/90/$3.50, Elsevier Science Publishers B.V.

Apologies to anyone who had difficulty tracking it down. I will snail photocopies if requested.

Peter Mellor

------------------------------

Date: Sat, 2 Jun 90 21:41:40 PDT
From: Pete Mellor
Subject: Hacking, Viruses, and UK Law

Recent raids on suspected hackers and the likelihood of anti-virus legislation in the US (RISKS 9.95) should not make us forget what is happening in the UK.

The story so far:

In September 1988, the English Law Commission (ELC) issued a consultative document, "Computer Misuse".
In April '89, Emma Nicholson, MP, proposed a private member's bill to make various hacking activities illegal. This was generally thought to be poorly researched, and too hastily drafted. It was roundly attacked in the Guardian by, among others, Peter Sommer (aka Hugo Cornwall, author of "The Hacker's Handbook"). The bill failed for lack of time. (A frequent fate of private members' bills.) [1]

In October 1989, the ELC published its final report on "Computer Misuse" [2]. This suggested three new offences. I quote from a summary by Peter Casey of the DTI [3]:

 - a basic offence which will apply to anyone who seeks to enter a computer system knowing that the entry is unauthorised. This would be punishable by up to three months imprisonment.

 - a more serious offence of unauthorised entry into a computer system with intent to commit or assist the commission of a serious crime. This would be punishable by up to five years imprisonment.

 - a further offence of intentionally and without authority altering computer held data or programs, punishable with up to five years imprisonment.

Because of the international nature of computer misuse the Commission also proposes reform of the jurisdiction rules to remedy a gap in the current law whereby an offender initiating or furthering a crime completed abroad may escape prosecution in any country.

[End of quote.]

Another private member's bill implementing these proposals was introduced by Michael Colvin, MP, and received its 2nd reading in the Commons on May 4th 1990. Called the "Computer Misuse Bill", it has been amended to allow powers of search and entry of suspected hackers' premises by police armed with a magistrate's warrant.
It passed its second reading with the amendment, but without stronger amendments proposed by Emma Nicholson "to give magistrates powers to sign warrants that extended the police powers of search and seizure, and for judges to sign warrants that allowed the police to intercept computer communications....She pressed for an amendment that would oblige British Telecom and Mercury, on the instructions of a magistrate, to begin surveillance of designated communications traffic."[4]

The bill was attacked by Harry Cohen, MP.

"The first major problem raised by Cohen was that the bill doesn't define the term 'computer'. He also questioned how the offence of 'unauthorised access' would be applied in practice. Cohen pointed out that the lack of a definition raises the spectre of unauthorised access to the microchip computers found in 'domestic appliances such as a sewing machine with a programmable pattern, or a washing machine, video recorder or compact disc player that can be programmed'. Even fax machines or photocopiers would lead to some 'farcical prosecutions', he asserted. However, other anomalies would arise if a definition of 'computer' were included. For example, if a computer were described in precise and exacting terms, would the next technological development produce a computer that was not a computer as defined by the Computer Misuse Bill?...In the end, it was decided not to include a definition of computer in the bill, as this would let the courts decide in each case." [4]

Cohen's second attack was more interesting.

"...Cohen drafted three amendments to ensure that the security procedures adopted by a computer owner could be examined by the courts....if computer owners did not have security procedures that sufficiently protected their computers from unauthorised access, the hacker could get off. [From the basic charge of unauthorised access.]
Cohen's other two attempts were variants aimed at extending the Data Protection Act to all computer operations. The MP argued that any individual who suffered damage because computers, software or data were insecure or unreliable, should be able to seek compensation from the owner via the courts or the data protection registrar. The owners would have one main defence: to show that they 'had taken such care in all circumstances as was reasonably required' to maintain the reliability and security of the computer, data or program in question."[4]

(His amendments failed.)

The main arguments can be summarised as:

Cohen (quoting Francis Aldhouse, deputy data protection registrar) [4]: "You've only yourself to blame if your neighbour's cattle get into your unfenced field.", and: "Logic dictates that computer owners should be legally responsible for the security of their computers just as gun owners are responsible for their guns."

Nicholson [4]: "If a madman with a knife attacks another person in the street, would the victim be responsible for not taking reasonable care to prevent the attack?"

Sommer (arguing against Nicholson) [1]: "In fact, most of the computer-related activities most people would think ought to be criminally sanctioned already are."

It will come as no surprise to UK readers to learn that Colvin and Nicholson are Conservative, and Cohen is Labour, and that the government are being supportive in such little matters as parliamentary time.

Interestingly, Colvin seems to favour some of Cohen's arguments. Speaking at a contingency planning and disaster recovery seminar, he said: "If companies do not invest in their own computer security strategy, then they cannot expect the sympathy of the courts when people are charged under the provisions proposed in my Bill." [5] Also, Nicholson "plans to introduce a Computer Usage Bill in the autumn, which will lay down rules for the use of computers covering maintenance, support and upgrades." [5]

The truth of Sommer's argument is illustrated by the case of one Nicholas Whiteley, appearing before Southwark Crown Court last week on seven charges of criminal damage arising from hacks carried out during six months in 1988. He admits the hacks, but claims he did no damage. (My private information is that he overwrote files with joke messages, and the amount of damage was estimated as £25 000. I also believe he was convicted, but haven't seen a report of his sentence.) He hacked ICL series 39 machines at Queen Mary College, Hull University, and Glasgow University. He told the court: "My messages weren't a threat, they were just a wind-up." [6]

The Computer Misuse Bill, in the meantime, goes on to committee and then to the Lords, then back to the Commons. If it succeeds, we should start worrying about just how 'authorised' we are around September.

References:

[1] Hugo Cornwall: "Wrong ways on hacking", Guardian, 13th April 1989.
[2] The Law Commission report, Command 819, Criminal Law, Computer Misuse, (Law Com. 186), HMSO, £5.60
[3] Peter Casey: "Proposals to curb computer misuse", JFIT News, Issue 8, Nov. 1989, Pub. DTI/SERC
[4] Chris Robbins: "Hacking through both the Houses", Computing, 24th May 1990
[5] Lindsay Nicolle: "No sympathy for security slackers", Computer Weekly, 24th May 1990
[6] Tony Collins: "Hacker exposes security of university systems", Computer Weekly, 24th May 1990

Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB
Tel.: +44 (0)71-253-4399 Ext. 4162/3/1

------------------------------

Date: 1 Jun 1990 1336-PDT (Friday)
From: horning@src.dec.com (Jim Horning)
Subject: Re: ATM range-checking (RISKS-10.01)

It's pretty clear that different banks have different practices, as well as diverse equipment.

My bank (Wells Fargo) advertises that they will credit you with an extra $10 if the ATM makes any mistake on a deposit (and, indeed, I've never detected one). They also do some range-checking.
I haven't conducted extensive experiments, but I recently deposited a check for an order of magnitude more than my usual deposit, and was asked to confirm an extra time before the transaction was completed. I thought that this was a very sensible precaution.

In a related vein: When I first got my ATM card it was limited to $200/day of cash withdrawal, which is not unreasonable. However, after a decade of modest inflation, there were times (like just before trips) when a larger sum would have been convenient. One day it occurred to me to try to withdraw more, and what do you know? It disbursed $300 without complaint. So my trips to the ATM became less frequent.

Some time later, I noticed that years of carrying the card in my wallet had cracked it, right across the magnetic stripe. So I asked for a new one. Now I'm limited to $200/day again. I infer that it was a fault on the stripe that let me withdraw more. I would have hoped that the limit was enforced by something less subject to decay and/or tampering.

Jim H.

------------------------------

Date: 1 Jun 90 18:37:35 GMT
From: chuq@Apple.COM (That's MR. Idiot to you)
Subject: Re: Debate on SJG raid in comp.risks

Just to clarify one thing:

>>If you're running a BBS that's supporting a group of system crackers, you are,
>>at least, contributory to felony crimes...

>The problem was that SJG *was* clean, as far as I know -- the Secret
>Service just went overboard in their search for "contamination". I
>believe guilt-by-association is not a tenable legal theory in the US.

A couple of people have taken my comment above as implying I think that SJG was running a cracker board. Not true. From everything I've heard they are definitely in the "innocent bystander" category. Why haven't they got their stuff back? Very good question. All I'm hearing on my side is variations of "it ain't over until it's over" -- which to me sounds silly based on what I know.
I am definitely NOT trying to justify the impounding of SJG stuff, nor attempting to imply guilt or anything else at them. I was simply pointing out that the situation was more complex than some were making it out to be. The Secret Service seems to have good cause to talk to SJG about this stuff? Yes? Did they need to go in and grab all the gear? From what I know, no -- but I don't know all the details of the case. The details I do know indicate they over-reacted, however.

Chuq Von Rospach <+> chuq@apple.com <+> [This is myself speaking]

------------------------------

Date: Fri, 1 Jun 90 10:51:55 EDT
From: nazgul@alphalpha.com (Kee Hinckley)
Subject: Re: 2600 article

Please someone correct me if I'm wrong, but I think there's a Catch 22 here. The evidence suggests that I can be arrested based on the contents/usage of my BBS, even when I'm unaware of that usage. (It remains to be seen whether I can be convicted, but frankly, if my equipment gets confiscated for a couple years, I hardly care.) However, it seems to me that the Electronic Privacy Act prevents me from taking any actions which would let me prevent the misuse of my board. Namely, I can't read people's mail/files to see if they are doing something illegal.

Is this really the case?

-kee

Alphalpha Software, Inc., 148 Scituate St., Arlington, MA 02174

------------------------------

Date: Fri, 01 Jun 90 11:17 PDT
From: ZENITH
Subject: Re: Steve Jackson Games and A.B. 3280 (Von Rospach, 9.97)

Chuq Von Rospach (chuq@apples.com) writes:

    If you're running a BBS that's supporting a group of system crackers, you are, at least, contributory to felony crimes.

By law? Why? We don't hold a package delivery service like UPS liable if they happen to deliver burglary tools; why is the owner/operator of a BBS treated differently for what seems to me an equivalent offense?

Von Rospach goes on to say:

    A BBS that's on the up-and-up should have no worries, though.

That seems to be the central issue; it shouldn't be tossed off so casually. The Bill of Rights is predicated on the assumption that the innocent have a legitimate reason to worry about the effects of actions taken by their government; governments to that point (and since) had not been terribly worried about who got chewed up by the wheels of justice, so long as some "guilty" party was convicted. Human nature has not changed much in the intervening years--there are still those who hold to the creed of "Kill 'em all; let God sort them out". We the innocent still need protection from those who would elevate expedience over justice; if ease of implementation and administration becomes the primary criterion by which we judge our laws, we are in deep trouble.

I have noticed a disturbing trend in society, towards a belief that it is better that 100 innocents should suffer than one guilty critter should go free; it is difficult to reconcile this notion with that of "innocent until proven guilty".

- Andy -

------------------------------

Date: Fri, 1 Jun 90 12:01:46 pdt
From: Nathan K. Meyers
Subject: Risks of moderated newsgroups and COWABUNGA

By now, most readers of moderated newsgroups on the internet have had the pleasure of reading the semi-literate ramblings of "THE BIFFSTER". As best I can tell, the following has been shown by this exercise:

1) Moderated newsgroups are not particularly secure (did anyone think otherwise?).

2) You can make something foolproof, but you can't make it damn foolproof.

3) The perpetrator may have reached a new world record in the irr/eff ratio (irr = number of people irritated, eff = effort expended).

4) Gone forever are the days when breakins were conducted by individuals with above-average intelligence and sense of humor (remember moskvax!kremvax!chernenko many Aprils ago?).

Nathan Meyers

   [RISKS has spared you all the gory details of this case, which have been so widespread that it did not seem necessary. PGN]

------------------------------

Date: Fri, 1 Jun 90 16:22:10 edt
From: wex@pws.bull.com
Subject: Computer to track down drivers without insurance

The following is excerpted from a UPI newswire story:

BOSTON (UPI) -- Tens of thousands of illegally uninsured drivers in Massachusetts will be tracked down and hunted when the Registry of Motor Vehicles implements a new computer-based system beginning Friday [6/1/90].

The new system, which allows insurance companies to electronically send the Registry's computer a list of uninsured motorists whose policies have been revoked for nonpayment, aims at cracking down on the estimated 300,000 Massachusetts drivers who take to the roads without insurance.

``Hopefully with automation, deadbeats who don't have the money or those who try to beat the system won't be on the road,'' said Robert Hutchinson, Massachusetts registrar of motor vehicles.

Police will pursue those individuals who fail to obtain insurance after being discovered.

[Generic filler about the costs of uninsured motorists - sky-high - and the hope that the computer will do what the people are unable to do: keep up with the workload.]

The significance of this is that there is a new law in MA: get caught driving without insurance and the cops can take away your license plates on the spot. You then get to call a tow truck, since you can't drive without plates. Get caught driving without plates and you get to call a cab, since the cops can have your car towed on the spot.

The problem is that insurance companies in this state are notoriously slow in processing paperwork. That's a major reason why so many uninsured motorists get away with it; the paperwork just hasn't caught up with them.

The companies take this long with *all* their paperwork. My company took four months to send me a reinstatement notice after they (erroneously) suspended my insurance for not having the car inspected (though they continued to bill me every month).
I shudder to think what would have happened had I been stopped during those four months...

--Alan Wexelblat, Bull Worldwide Information Systems
phone: (508) 671-7485  Usenet: spdcc.com!know!wex

------------------------------

Date: 1 Jun 90 13:34:00 PDT
From: "FIDLER::ESTELL"
Subject: Local solution to caller ID .vs. Privacy problem

The following is by definition going into the Public Domain. (If RISKS posts it.) If that costs me any chance to make a fortune from AT&T, maybe it also raises the possibility that the solution will come sooner.

Problem: Some of us want to know "who is calling." BUT some of us don't want others to know when WE call.

Solution: Put the smarts for "who are you?" and "none of your business" [or, "I'm 555-1234"] in the handsets, at each end, NOT in the switch [or switches, for long distance calls]. Old handsets would automatically neither request caller ID, nor give it. Folks who want to know would buy new handsets; when they get calls from old handsets, the reply to the "who are you?" query would be, "service not available" [as opposed to "none of your business"]. Yes, a smart switch would have to provide that, probably after a time-out of sorts; and yes, that could be spoofed. Nothing is perfect.

(But wait. Could even an old handset, touchtone or rotary, reply manually to a ring, while the line was open? That is, I call you, and you want to know who I am; your query is forwarded to my old handset as a ring; to send you my number, I dial it; the intermediate switch aborts the call, with an appropriate message to you, if it detects my attempt to falsify my ID.)

It is then up to the callee to accept or decline the incoming call; and, it is up to the caller to risk losing the connection. That effectively takes the decisions out of the hands of big brother, and puts them back with us, where they belong.

Bob

------------------------------

Date: 1 Jun 90 18:33:46 EDT (Fri)
From: johnl@esegue.segue.boston.ma.us (John R. Levine)
Subject: Re: Denial of service due to switch misconfiguration

In every PBX I have ever dealt with, there have been foulups of some sort when dealing with new telephone prefixes and area codes. In one memorable case, I was trying to straighten out a problem with my mortgage, and the person at the bank never, ever, returned my calls. I was about ready to call in the bank regulators. After leaving quite a few tartly worded messages, I finally managed to get her on the phone, and discovered that every time she called me, she'd gotten an error recording of some sort and had assumed that the number she had was wrong or my phone was out of order. In fact, I had just started to work at a job with a new PBX with a new set of DID numbers in a new prefix, and the PBX at the bank hadn't heard about my prefix yet. I told her to dial 9-0 and ask the telco operator to place the call in the future.

Even PBXes with class of service restrictions frequently get it wrong. At one place where I consult they forbid international dialing for most lines except for some speed dial codes programmed into the PBX. At least, they think they do. If I dial 011-code-number, I get a fast busy from the PBX. If I dial 01-code-number and make it person to person, it works. If I dial 10288-011-code-number or 10222-011-code number or 10333-code-number, it works. (If only I had some friends in foreign countries to call.)

The local telco has a newsletter that they send out to advise PBX customers of new prefixes, upgrades to CO equipment (which always cause some problems since if nothing else, call progress sounds and the timing of calls change.) There are a lot of changes. As far as I can tell, every PBX that does least cost routing needs to know all of the prefixes in its local area code, and in most cases the updates are typed in by hand using some decidedly user hostile interfaces. If anything, I'm surprised that they get them right as often as they do.
In many cases, I suspect that the PBX manager only updates the prefix table when somebody complains.

Telephone calls are routed by what is in effect a tremendous distributed data base that maps numbers to trunks and routes. At least near the fringes, the data base is usually updated by methods that to me at least seem laughably obsolete.

Regards,
John Levine, johnl@esegue.segue.boston.ma.us, {spdcc|ima|lotus}!esegue!johnl

------------------------------

Date: Sat, 2 Jun 90 1:25:34 CDT
From: J. Eric Townsend
Subject: What the SJG Cyberpunk Manual Tells You to Do

Well, I rushed out and bought GURPS Cyberpunk, in the hopes that my money will help SJG with legal fees. (Plus, I collect game stuff.) On the front cover, in the SJG Illuminatus logo, it says: "The book that was seized by the U.S. Secret Service! (see p. 4)"

Anyway...

(Assuming I know *nothing* about cracking/phreaking. I won't comment on my real knowledge.) The following is a summary of text from the GURPS Cyberpunk supplement, with a few direct quotes.

How Much Hacking Can I Do Based on the C-word manual:
(From the section entitled "Netrunning".)

0. People use handles to hide their real identity (p62).

1. You can use sensitive devices to listen in on the signals being sent to a computer monitor, and redisplay the image on your own screen (p62).

2. General info on ISDN. (p64-64)

3. Computer accounts can come in various levels, from specialty logins (uucp) to "superuser" who has access to everything. Some programs can give you a higher level of access, equivalent to a "better" account (p68).

4. General info on back doors (p69).

5. General info on chat systems (p69).

6. A list of network names from around the world. No clues as to which are real. For the US, the following are listed: WUT, UDTS 2, Datel I & II, Telenet, Tymnet, ARPAnet, Infomaster, GraphNet, TRT, FTCC, UniNet, Autonet, CompuServer, GENIE, AlaskaNet, JANET, Internet (p 71).

7. Passwords can be really obvious, or hard to remember random text strings (p 72.)

8. A program could possibly cause physical damage (p 72.)

9. General Phreaking Info:
   - Diverters: go through a bunch of systems so that tracing takes a long time;
   - Junction Boxing: Just go down to the local junction box and tie in (p 76).

10. Lots of networks use different protocols that are sometimes incompatible (p 77).

11. Ma Bell stuff:
   - Existence of CN/A, and that Ma Bell can look you up in any way;
   - Line Routing: "With access to the main phone switch computer, a hacker can control everything about a specific phone line.";
   - Monitoring: a person could monitor calls with the right access;
   - After Billing: A person could change bills; (p 82).

12. Trashing: Go through somebody's trash to find out all sorts of interesting info about their computing equipment (p 86,87).

(13 and 14 are from the section "Attack and Defense Programs". The programs are obviously s-f software, but...):

13. Promote: "This program is executed from a normal user account on a system. If successful, the account is 'upgraded' to a superuser account."

14. Webster: "This is the standard icebreaker for use against Password programs (see p 93.). It acts as an extremely fast 'brute-force' hacker." (p 92).

15. Credcard Crime: A false balance could be entered in an account. A device could be used to access somebody else's card without having the correct password to get into the credcard (p 105). [note: a credcard is a self-contained debit card that can have anything from a password to retina scan protection.]

And, um, that's about it. Now that you've read that, you know how to break into computer systems and do phone phreaking... 1/2 :-)

-- J. Eric Townsend -- University of Houston Dept. of Mathematics (713) 749-2120
Internet: jet@uh.edu  Bitnet: jet@UHOU  Skate UNIX(r)

------------------------------

Date: Sat, 2 Jun 90 17:59:33 EDT
From: kjones@talos.pm.com (Kyle Jones)
Subject: Re: Word Perfect Software Upgrade Crashes Utah Phone System

m1wmk00@fed.UUCP writes:
 > From an Infoworld article on Word Perfect ("Leader of the Pack,"
 > pp. 45-6, May 23, 1990):
 >
 > "When [Word Perfect] 5.0 shipped in May 1988, the company underestimated
 > the demand for telephone support. Although it bought additional phone
 > lines, traffic was so heavy that calls to the support department brought
 > down the toll-free systems for the state of Utah, including phone systems
 > for American Express, Delta Airlines, and the Latter Day Saints Church."

This reminds me of something that happened in my own neck of the woods. One night I was watching a program on channel 35 when a message flashed on the screen. The message said that the Xth caller would win concert tickets or some such. Since the phone was right beside me, I decided what the hey, and picked up the phone to call.

I didn't get a dial tone for a long time. Odd. Finally I heard the tone and dialed the number. I waited. And waited. And waited. No connection, no ringing, no click, nothing. Thinking I'd misdialed somehow, I depressed the switchhook to try again. I waited for the dial tone. And waited. And waited. And waited!

Suddenly it occurred to me, the number began with 358-... my exchange, augh. Apparently the massive influx of calls to the TV station completely hosed whatever gateway there was for my exchange, so I couldn't get a call in edgewise. (Does this sound right to you folks who know something about the phone system?)

Whatever the reason, I'm glad the house wasn't on fire. :-/

------------------------------

End of RISKS-FORUM Digest 10.03
************************