Subject: RISKS DIGEST 10.59
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 9 November 1990  Volume 10 : Issue 59

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  "Software fault hits payphones" (Martyn Thomas)
  Plain paper faxes keep copy of received material (Jan Christiaan van Winkel)
  Customers limiting programmer access to their systems (Jim Kimble)
  Student hackers arrested (Dave King)
  Sprint's new calling card (anonymous)
  Employer's use of credit reports (Jerry Leichter)
  Computers lead to greater monopolization? (Jim Griffith)
  Risks when computers replace humans (Martyn Thomas)
  Villanova University Computer Ethics course Group Project (J. Gacad et al.)
  "The Devouring Fungus" at a bookstore near you (Gene Spafford)
  4th Annual Computer Virus & Security Conference (Gene Spafford)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
 taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
 CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
 Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
 FTP VOL i ISSUE j:  ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>; j is TWO digits.  Vol summaries in risks-i.00
 (j=0); "dir risks-*.*" gives directory; bye logs out.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of ACM
 SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Fri, 9 Nov 90 11:04:27 BST
From: Martyn Thomas
Subject: "Software fault hits payphones"

Electronics Weekly (November 7 1990, front page) reports that there is a
software fault in the payphones manufactured by Paytelco (a GPT subsidiary)
and used in the UK by Mercury.  They are "exported to >40 countries".
The software fault allegedly allows a phonecard holder to avoid paying for
calls.  No technical knowledge or special equipment is required.  EW reports
that the faulty software has been rewritten, and that replacement ROMs are
being installed in all payphones.

In the same issue, EW reports a different fraud involving restoring the
holograms on used British Telecom phone cards.  EW claims to have seen the
restoration demonstrated.  They have not published details of the method, but
hint that it involves "phase changes" in the polymers which store the
holograms, through reducing the temperature of the card.

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel: +44-225-444700.  Email: mct@praxis.co.uk

------------------------------

Date: Fri, 9 Nov 90 12:34:44 MET
From: Jan Christiaan van Winkel
Subject: plain paper faxes keep a copy of all received material

I was asked to change the paper on our FAX machine today.  I took a 'kit' we
have for this purpose, and saw that I also had to change the 'toner-roll'.
This is a roll of carbon paper (sort of) that actually prints the message on
the (plain) paper.  I saw that all messages printed on the FAX are also
'burned' in the carbon paper (well, that's how the thing works).  This means
that even if I stand next to the machine to receive a private message, people
can later just open the FAX machine and read the message.  Even worse, since
people are not aware of this 'copy' on the toner roll, they just dispose of
the roll in the garbage can.  I wonder how many people know about this
'feature' of plain paper FAX-es...

Jan Christiaan van Winkel     Tel: +31 80 566880     jc@atcmp.nl
AT Computing, P.O. Box 1428, 6501 BK Nijmegen, The Netherlands

------------------------------

Date: Mon, 5 Nov 90 11:49:42 PST
From: jkimble@bally.bally.com (The Programmer Guy)
Subject: Customers limiting programmer access to their systems

Jerry Leichter writes:

> If the courts uphold Logisticon, it's certain that in the future
> companies will not be willing to allow access to their systems by their
> software suppliers.  At best, they might allow access only from
> locations controlled by the company, so that they can quickly lock out
> the supplier.

Given all the press on these types of events, many of my clients have enacted
some new policies to protect themselves.  Here's the most restrictive...
(thanks, Logisticon):

Before I can dial-in to make a change to a casino's on-line computer, I have
to draft a memo outlining my expected changes and file it with the casino's
MIS department 48 hours in advance.  After it's been reviewed and approved,
the modem is turned on (using human call-back verification of identity) and
I am permitted to make my changes.  Within 72 hours of logging in, I have to
file another document with the Gaming Control Board outlining everything that
was done, files that were changed, why they were changed, dates, times, etc.
On the east coast, this paperwork is filed with a division of the State Police
so lies can cost you not only a civil suit, but criminal charges (perjury,
etc.) as well.

Other steps my clients have taken to protect themselves include requiring me
to put the original source code tapes in a safety deposit box they can
immediately access so that any problems I create -- intentional or accidental
-- can be "fixed" by applying the virgin tapes.

As you can imagine, this extra bit of work greatly lowers programmer
productivity, especially for the simple, one-line changes; instead of working
to isolate and resolve problems, I spend a lot of time drafting memos and
reports.
At least in this part of the gaming industry, basic programming jobs involve
70% code/theories/debugging, and at least 30% communications skills.

--Jim Kimble, jkimble@bally.bally.com
  Consulting for Bally Gaming     uunet!bally!jkimble

   [I doubt if that is a Bally High.  PGN]

------------------------------

Date: 06 Nov 90 22:46:48 EST
From: Dave King <71270.450@compuserve.com>
Subject: Student hackers arrested

NEW YORK (UPI) -- Two Staten Island youths were arrested on charges of
invading and disrupting the computerized voice mailbox system of a
Massachusetts firm, costing the company $2.4 million, officials said Tuesday
[6 Nov 90].

State Police Senior Investigator Donald Delaney said [...] as a result of the
hacker operation, the International Data Group of Framingham, Mass., lost
scores of these messages.

Delaney said an intensive two month investigation led police and U.S. Secret
Service agents to Daniel Rosenbaum, 17, of 42 Caswell Ave., and to a
14-year-old associate, whose identity was not disclosed because of his age.

He said exhaustive experimentation by the two suspects enabled their home
computer to dial into the system and obtain the password to use it.  The
youths then changed the passwords for various units in the system, which
resulted in the loss of many important messages.

"In addition, the company had to shut down the system for 18 days to revamp
it," Delaney said.  He added that the teenagers "made bomb threats and other
harassing messages to the company, and when they were in contact with women
employees, they made sexually explicit remarks to them."

Delaney said Rosenbaum stated that he focused on the Massachusetts firm "in
anger" when it failed to send him a poster which was supposed to accompany a
paid subscription for a computer game magazine published by the company.

Both teenagers, students at Wagner High School, were charged with computer
tampering, unauthorized use of a computer and aggravated harassment.  [...]
If Rosenbaum is convicted of the charges, he could be sentenced to four years
in prison, Delaney stated.

------------------------------

Date: Wed, 7 Nov 90
From: [anonymous]
Subject: Sprint's new calling card

Jim Morton raises a couple of serious risks with respect to Sprint's new
calling-card system.  I used to work for the company which builds the
hardware and software Sprint is using.  At a major presentation the manager
in charge of the project presented the voice-recognizing,
Social-Security-number system.  He presented his own card, prominently
displaying his SSN, which I copied down.

During the presentation, he explained that Sprint wanted to use voice
technology so that people wouldn't have to write down as many things (card
number, password number).  Their customer surveys also indicated that people
found a 14-digit number "hard to memorize" and that a 9-digit number "which
was one they used all the time" would be "more convenient."

After the presentation, I arranged to speak to the manager.  I raised the
same objections Jim Morton noted in his article.  I also pointed out that he
(the manager) had put his SSN up in front of close to 120 people and if any
of them were of a mind to be nasty he could be in trouble.  He scoffed at my
concerns and assured me that Sprint's customer-survey managers were aware of
the problems.  He also stated that he disbelieved anyone could "do any
damage" simply by possessing another's SSN.  I tried to explain, but he
brushed me off and left.

I spent the rest of the afternoon staring at the napkin on which I had
written the manager's SSN.  As I saw it, I had three options:

  1. Do nothing.
  2. Try to find someone else in the company hierarchy to listen to my
     complaints.
  3. Construct an object lesson which would convince the manager of how real
     my objections might become.

I chose option 1.  I had raised the objections as forcefully as I dared (the
manager was several levels higher than I in the hierarchy, and *much* more
senior).
Trying to circumvent channels is discouraged in the extreme in this company.
I already had a reputation as a serious maverick.  I didn't have any evidence
to support my objection; all I had was a set of vague assertions which, to
me, seemed to be common sense.  Pitted against the expressed desires of our
customers (Sprint), you can guess how much weight this would have been given.

With respect to option 3, I can think of at least six ways to make someone's
life seriously miserable if I have their SSN.  I thought about using the
manager's SSN for this example, but since most of the ways I know of involve
committing misdemeanors or felonies, I decided it wasn't worth the risk.  It
also might harm his family who I felt did not deserve to suffer.

In hindsight, I could have bucked the chain of command anyway.  But if put in
that position again, I'm still not sure I would.  In a way, I feel that
people have the choice to use Sprint's stupid, vulnerable system.  I know I
won't.  I also don't have a bank-by-phone system, nor do I have an answering
machine that can be manipulated from a remote touchtone phone, nor do I give
out my SSN to anyone who can't prove a need or legal requirement for it.  But
then, maybe I'm a fossil in the information age.

------------------------------

Date: Thu, 8 Nov 90 09:03:00 EDT
From: Jerry Leichter
Subject: Employer's use of credit reports

Use of Credit Reports In Hiring Draws a Caution

Managers who use credit reports to screen job seekers, beware: Spurned
applicants have a right to know.  That message is going out from federal
officials, who have grown concerned that companies may be sidestepping the
law governing the review of personal credit information.  The law permits
companies to consult credit reports when evaluating job seekers, a practice
that has boomed of late among employers who see the reports as a way to judge
the character of prospective workers.
But the law also demands that applicants know when they've been rejected
"wholly or partly" because of data in their credit file - a step that,
critics have charged and officials fear, many employers ignore.  The [FTC]
... underscores the requirement in articles that two large purveyors of
credit reports, TRW and Equifax, agreed to circulate ... to ... their
customers.  If they fail to comply with the disclosure requirement, the
pieces note, employers may face suits from both the job applicant and the
FTC.

The credit data agencies were "very pleased" to disseminate the warnings
[according to the FTC].... One factor ... may be the prospect of new
restrictions on their activities, now pending in Congress.  ... TRW even
changed its contracts to clarify the notification rule for employers.

There's actually more to this issue than the WSJ mentions.  Business Week had
an article on it a couple of weeks back.  At one time, references were a
fundamental part of the hiring process.  Changes in the legal climate -
particularly many successful lawsuits by former employees who felt they had
received unfair recommendations that cost them jobs, plus increasing
restrictions on what an employer may legally ask of a job-seeker - have
caused many of the traditional sources of information to dry up.
Recommendations these days are pretty uniformly bland and uninformative, and
interviewers have gotten very, very cautious.  So a recent trend is to use
credit and other similar reports.

The problem is that the reports often contain data that is unverified or
inaccurate - especially since there is a growing market for "el cheapo"
reports for entry-level employees.  Even when the reports are accurate, they
may contain information that an employer is legally not permitted to have.
Two specific examples that have cost people jobs (illegally, if they can
prove it): Reports of arrests that did not lead to convictions, and reports
about workman's compensation claims.
(The view among some employers is that anyone who filed for workman's
compensation is just out to milk the system, and they don't want the headache
- Business Week has a quote from one employer saying exactly that, even more
harshly than I just did.  They also give an example of someone who was
genuinely injured on the job, took his workman's compensation, recovered -
and has been consistently turned down for jobs ever since.)

The reason that the big guys like TRW and Equifax are willing, even eager, to
help out on issues like this is that the last thing they want is a lot of
small low-ball competitors who not only steal market share from them, but
also bring public (particularly, Congressional) attention to the business.
While in this case their cooperation may be useful, it's well to remember
that ALL of the credit companies have been involved in problems, even
scandals, in the past; and that it's a classic pattern for regulated
industries to come to like the umbrella of regulation they live under: It
keeps competitors and critics out.

							-- Jerry

------------------------------

Date: Wed, 7 Nov 90 09:40:00 PST
From: griffith@dweeb.fx.com (Jim Griffith)
Subject: Computers lead to greater monopolization?

I heard a radio report saying that someone back east has filed a class action
lawsuit against a number of airlines, charging them with violating anti-trust
laws.  The suit claims that the predominance of live-feed computer systems in
the airlines industry lends itself towards a situation where airline
companies can instantly find out what their competitors are charging and
change their prices accordingly.  A number of airlines were named in the
suit.

I'd appreciate someone coming up with a newspaper article or something more
definitive than what I'm reporting.

							Jim

------------------------------

Date: Mon, 5 Nov 90 16:51:47 BST
From: Martyn Thomas
Subject: risks when computers replace humans (was: Expert System ... Loop)

I wrote:

> This report *explicitly* referred to an expert system.  The point of my
> original posting was that an expert system which provides advice, in
> circumstances where a decision must be made and there is insufficient time
> for the commander to analyse the situation him/herself, is effectively
> making the decision.  Many who followed up agreed with this viewpoint.

... and davis@ai.mit.edu (Randall Davis) replies:

: Fair enough.
:
: Note also that a small variation on your fundamental claim is equally true:
:
: ... an EXPERT who provides advice, in
: circumstances where a decision must be made and there is insufficient time
: for the commander to analyse the situation him/herself, is effectively
: making the decision.
:
: That is, as is frequently true in these situations, not only is this not a
: matter of expert systems, the computer itself is almost completely
: irrelevant.
:
: It's a matter of being in a complex, time-constrained situation and needing
: to make a decision.  If you don't have the time to consider carefully what
: to do, you're just about equally up the creek whether you get the advice
: from a machine or from another human being.

This is true, but there are characteristics of computer systems that make the
risks different (and less acceptable) than the risks from humans in the same
role.  This is the major reason for the RISKS Forum, so I don't need to list
the characteristics here.  They include the complexity of the systems, the
difficulty of assuring that the system functions as intended, and the extra
risks if the system is replicated many times, so that the same fault may
appear in many places.

Randall Davis continues:

: The moral of the story: try not to put yourself into those positions in the
: first place.  Neither computers nor humans will get you out of it, and
: neither of them is to blame for your predicament.

I agree.
There is a danger that the expert system will be trusted to a greater extent
than a human expert, and that this will lead to commanders being sent to
places where they would not be sent if only human experts were available to
help.  It is important to remember that the expert system, like any computer
system, is complex and probably contains errors.  Add to this that it is
effectively in the loop (in the circumstances of the original discussion) and
we can have a sensible discussion about whether it is a good idea to deploy
the system.

Finally, but very importantly, there is the question of who is accountable
for the consequences of errors.  In the case of the human expert,
accountability is clear and liability may follow.  If the accountability (and
possible liability) is not clear for the situation which uses a computer
system, then I believe that the system should not be used in a critical
application.  In my view, the organisation which puts the system into use
should be liable for any injuries it causes, (and I would expect a prudent
organisation to pass this liability to the company which developed the
system, through the development contract).

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel: +44-225-444700.  Email: mct@praxis.co.uk

------------------------------

Date: Wed, 7 Nov 90 20:35 EST
From: <21202764@VUVAXCOM.BITNET>
Subject: Villanova University Computer Ethics course Group Project

I represent a group of Computer Science majors at Villanova University,
Villanova, PA who are currently doing a project in a Computer Ethics course.
I am writing in response to a story posted in the RISKS forum on OCT 18 -
`Flawed Computer Chip Sold For Years' (RISKS digest 10.54).  Our group
project is to analyze this case in terms of present day ethical theories and
give a class presentation on it.  Thus, we have a few questions about it:

  1. I need more details/specifics on the chip (i.e. what was its model
     number, what was its design flaw, etc).
  2. Are there any other journals/newspapers where the story appeared?
  3. What has National Semiconductor done since the article in the newspaper
     revealed the problem?

If anyone out there could send any other pertinent information about the
case, we'd appreciate it.  Replies may be sent to my bitnet address:
21202764@VUVAXCOM.  (I do not know if I have a UUCP or CsNet address).

Jonathan Gacad (21202764@VUVAXCOM), Bob Durbin, Lisa Cofey, Al Giordano

------------------------------

Date: 8 Nov 90 00:07:01 GMT
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: "The Devouring Fungus" at a bookstore near you

I just recently got a copy of "The Devouring Fungus: Tales of the Computer
Age" by Karla Jennings (W. W. Norton & Co., ISBN 0-393-30732-8, $10.95).

As can be gathered from the unusual title, this is not exactly a computer
textbook.  What it is, is a collection of anecdotes and stories about
computer technology and the people who spend their time working with
computers.  The stories range from historical to modern-day, and most are
amusing to read.  Not all are firmly grounded in documented facts, but that
doesn't detract from the amusement factor; even the apocryphal tales convey a
sense of the attitudes and foibles of the "computer geeks" who have shaped
our community.

The tales related in the book read like a cross between items in the Risks
digest and postings to the alt.folklore.computers newsgroup.  Many of the
stories will be familiar, but that is what makes them folklore -- we've all
heard variants of these stories, and probably repeated a few in turn.  This
is the first time I have seen anyone collect so many of them together, and in
such an amusing and readable way.

For $11, this is a must buy if you're into computers.  My copy is going in a
place of honor next to my Hacker's Dictionary, and just down the shelf from
my Sidney Harris cartoon book.  Check it out yourself.

Gene Spafford
NSF/Purdue/U of Florida SERC
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
...!{decwrl,gatech,ucbvax}!purdue!spaf

------------------------------

Date: 6 Nov 90 19:36:34 GMT
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: 4th Annual Computer Virus & Security Conference

                              Call for Papers
               4th Annual Computer Virus & Security Conference
                    March 14 & 15, 1991 in New York City
              Sponsored by the DPMA Financial Industries Chapter
     In Cooperation with ACM SIGSAC and The Computer Society of the IEEE

The 4th Annual Computer Virus and Security Conference will feature more than
thirty speakers on the topics of computer viruses and "vandalware," computer
law, and computer security.  Approximately twenty are well-known experts in
the field, and fifteen or more will be selected on the basis of submitted
papers.

Held on Thursday and Friday (Ides of March) at the New York World Trade
Center, this major event features:

  * Identification of latest threats to SNA, DEC, PC, MAC, X.25 and UNIX.
  * Tools and Techniques: What the major corporations are doing.
  * Specific Countermeasures: From labs, other companies, commercial vendors.

The Conference traditionally covers recent outbreaks and experiments;
virus/intruder prevention, detection and recovery; product demonstrations and
ratings; and special attention to LAN, PBX, SNA, OSI, E-Mail, and legal
issues.

This year's focus topics are as follows:

  * Prevention, detection and recovery from viruses and other harmful
    computer programs.
  * Original research on these and related topics.
  * Recovery from the Wall Street Blackout and the Novell Virus.
  * Case studies of computer and network security.
  * Surveys of products and techniques available.
  * Computer crime and related actions.

The bound Proceedings will include both the accepted papers and also
discursive articles by the invited speakers.
There will be four concurrent conference tracks each day: Thursday will
feature the Main Track, Products Track, Research Papers, and a special Trap &
Prosecute track geared to law enforcement and criminal justice personnel.
Friday will feature Main, Products, and Research tracks, and a How to Recover
track strongly requested by returning attendees from last year.

In the past, this conference has been featured in BYTE, CIO, Communications
(ACM), Computer (IEEE), Computerworld, Data Communications, Data Center
Manager, Datamation, Info World, Macintosh News, MIS Week, Network World, and
Unix Review.  It is sponsored by the Data Processing Management Association
Financial Industries Chapter in cooperation with ACM SIGSAC and the IEEE
Computer Society.

Attendees may make use of discount airfares (43% off Continental) from
anywhere to New York, including both adjoining weekends.  The Penta Hotel
(formerly Statler Hilton) has reserved a block of Conference rooms at $89 per
night.  Conference itself includes luncheon and quarter-mile-high hospitality
at Windows on the World Restaurant.

Target audience includes MIS Directors, Security Analysts, Software
Engineers, Operations Managers, Academic Researchers, Technical Writers,
Criminal Investigators, Hardware Manufacturers, and Lead Programmers.

Registration (202-371-1013) costs $275 for one day, $375 for both, with a $25
discount for members of cooperating organizations (DPMA, ACM, IEEE-CS).

Submissions to the conference may be either as an extended abstract or a
draft final paper.  Four copies of each submission should be *received* by
the program chair no later than Tuesday, January 8, 1991.  Each submission
must contain a brief abstract (approx. 200 words), and a header identifying
the names, affiliation, address, and e-mail address (optional) of all
authors.  Successful submitters or co-authors are expected to present in
person.  Decisions will be announced by Feb. 12, 1991.
Submissions are invited on all aspects of the conference, and particularly on
new research in the area of vandalware and countermeasures.

Program Committee:

  Richard Lefkon, NYU, DPMA
  David M. Chess, IBM
  Stephen R. White, IBM
  Thomas Duff, AT&T Bell Labs
  Frederick B. Cohen, ASP Research
  Gene Spafford, Purdue University
  Dennis D. Steinauer, NIST
  Gail M. Thackery, AZ Attorney General's Office
  Kenneth R. van Wyk, DARPA/CERT

--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu    uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf

------------------------------

End of RISKS-FORUM Digest 10.59
************************