Subject: RISKS DIGEST 11.40
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 5 April 1991  Volume 11 : Issue 40

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Re: Computers, Freedom, Privacy Trip Report (Lance J. Hoffman, Dorothy Denning)
European Nervous System (ENS) (Pete Jinks)
Draconian Accountability (re: Korean typographers) (Mike Laur)
Small risk with Telephone cards (Hank Cohen)
Re: Tricky application of Caller ID (Randal L. Schwartz, William Clare Stewart)
Re: E-mail role in LA cop probe (Jerry Hollombe)
Re: Len Rose (Mike Godwin)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
 taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
 CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
 Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
 For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 11, j always TWO digits).
 Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of ACM
 SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Fri, 5 Apr 91 2:03:09 EST
From: hoffman@eesun.gwu.edu (Lance J. Hoffman)
Subject: Re: Computers, Freedom, Privacy Trip Report (RISKS-11.39)

RISKS readers of R. T. Mercuri's long trip report (RISKS, Volume 11, Issue 39, 4 April 1991) on the Computers, Freedom, and Privacy Conference who were not there now have a pretty good sense of what they missed.  As our moderator said a few days ago in this forum, and as many have told me, it was one of the most thought-provoking and enjoyable conferences in a very long time.
One important point was omitted.  Towards the end of the conference, a general consensus emerged that there should be a follow-on conference, and the general feeling was that it should take place on the East Coast.  To make a long story short, Jim Warren and others twisted my arm, with the result that I have become the general chairman of CFP-2, which will take place in Spring 1992 in Washington.  This was announced during the last session.  Many holdovers from the Bay Area based program committee and advisors have already agreed to serve, and we have some important East Coast people already lined up as well.  We are already moving to obtain an appropriate site; the planning process has begun.

We hope to keep the diversity of attendees (it indeed ranged from the sandals of Silicon Valley to the dark suits of Washington [Terry Winograd's phrase]) -- it's pretty rare to see most if not all of the computer crime prosecutors at the same conference with a large number of the prosecutees.  We also hope to provide at least the same large amount of information transfer.  Stay tuned!

And -- for those who were there and those who weren't -- suggestions are welcome, and this is the best time to send them in; just mail them to me (address below).  Also, if you for some reason were not on the mailing list for this conference but wish to be kept informed about the next one, mail me your snailmail (and, optionally, email) address.

A few things I saw differently enough from Ms. Mercuri to comment on:

  "Jim Warren ... took a severe loss on the conference."

Final figures are not in yet, but the most recent appear to suggest this is not the case.  (This is not posturing; I think it is just later information.)
  "What was resolved was to form an organization called the US Privacy Council which `will attempt to build a consensus on privacy needs, means, and ends, and will push to educate the industry, legislatures, and citizens about privacy issues.'"

This was not resolved by the attendees there, but in fact had been done before the conference; its first public meeting was held during an evening break, and had no official conference involvement (except that a breakout room was made available).  It's important to note this because the conference, under Jim Warren's stellar direction, was hospitable to a number of points of view.  CFP 2 will also serve this brokering function and will not itself take advocacy positions, but rather provide a platform for the contending ideas.

  "Robert Veeder of the D.C. Office of Information Regulatory Affairs discussed the impact of the 30,000+ messages to Lotus which effectively stopped the production of their CD-ROM database."

Rob Veeder will be surprised to hear that he works for the D.C. Government.  In fact, that Office is part of the federal Office of Management and Budget.

  "Lance Hoffman, of the EE & CS department at George Washington University ... noted that no one has ever received the ACM Turing Award for [constructing a] socially responsible system, and encouraged positive recognition of achievements along these lines.  He also recommended that a "dirty dozen" list of worst systems be compiled and distributed."

I said this *could be done*, but (ever cautious!) stopped short of *recommending* it (see the paper in the Proceedings).

  "Simon Davies, a member of the law faculty at Australia's University of New South Wales, provided a sobering criticism of this conference and the United States' policy making processes, stating that the conference was too `nice' and `conciliatory' ..."
I guess this ended when, on the last day, during the "Prodigy discussion", "a loud altercation broke out in the front of the room" [from the third paragraph of Ms. Mercuri's report].  Jim Warren was quoted (I think in the San Jose Mercury-News) as saying that the conference would be a success if (two speakers whose identities I forget) could speak without killing each other, or words to that effect.  (They did.)  Don Delaney from the New York State Police stated that he had never been to a conference with such a diverse group of attendees.  I have *never* been to a meeting of such a diverse group where so much information (as opposed to rhetoric) was orally transmitted per unit time.

  "Mark Rasch who defended the internet worm case stated that the expectation of privacy is changed because of the technology employed --- technology affects behavior."

Mark actually *prosecuted* that case.

The Conference may indeed have started something.  In addition to the L. A. Times 3/28/91 report of Laurence Tribe's speech already excerpted in RISKS, John Markoff wrote "Remember Big Brother?  Now He's a Company Man" in The New York Times of Sunday, March 31.  I've heard that Time magazine has a whole page on the conference this week, but I haven't seen it yet.

Professor Lance J. Hoffman, Department of Electrical Engineering and Computer Science, The George Washington University, Washington, D. C. 20052
(202) 994-4955   fax: (202) 994-0458

------------------------------

Date: Fri, 5 Apr 91 10:46:31 PST
From: denning@src.dec.com (Dorothy Denning)
Subject: Re: Computers, Freedom, Privacy Trip Report

Kudos to Rebecca Mercuri for providing such a thorough and candid report of the first CFP conference.  I'd like to elaborate on what she said about my talk in the Ethics and Education session:

  Dorothy Denning spoke briefly regarding the network uses by children (Kids Net).  She speculated that we should teach them something about hacking in order to take the mystery out of it.
  She compared telephone fraud by children as a more sophisticated version of the "is your refrigerator running" prank.

My comment about Kids Net was made in the context of proposals I've heard to regulate modems and perhaps require an age limitation on their use (analogous to getting a driver's license).  I pointed out that many children have or will have access to networks at school, so I did not think it made a lot of sense to deny them that access at home.

Regarding teaching "hacking," I was passing along a suggestion that a student made to me based on a positive report he had received from someone attending a school where it was practiced.  In this context, hacking was referring to breaking into systems.  Overall I'm wary of training young people to hack, but I can see some merit to telling students about it & why it's a crime.

Regarding telephone fraud, it is not only more sophisticated, but also more costly, sometimes costing in the tens or hundreds of thousands of dollars.  The reason I spoke about telephone fraud was to point out that it was not simply a question of a new technology, namely computers, that parents had no experience with, or of teaching computer ethics.  The crimes under investigation by Operation Sundevil, for example, are mainly toll fraud and credit card fraud.

The main point I tried to make in my talk was that we are letting our young people down by not taking responsibility for bringing them into the computing and network community as responsible users.  Instead, the young people learn their ethics on their own or on BBS's run by teenagers.  The consequences are that some basically good teenagers end up getting into serious trouble, which is very disruptive to their lives.  One good way to teach responsible computing is to let students be responsible for computing in their schools.  This recommendation is from Brian Harvey, who did it in the high school where he taught.
Above all, we need to practice responsible computing ourselves, for example, by not using information gathered about individuals for one purpose for some other purpose.

Dorothy Denning

------------------------------

Date: 5 Apr 91 14:41:19 GMT
From: Pete Jinks
Subject: European Nervous System (ENS)

The 6th April issue of New Scientist carries a story on p.9:

  "The ENS will create links between administrative computer networks [in the EC] including tax, social security and environmental monitoring. ... intense activity on police networks which ... will be essential when frontier control are relaxed in 1992".  The EC "is seeking powers to make it compulsory for member states to link their computer systems"

This is represented as being a vital part of a program to pump money into the European IT industry.  I don't remember reading or hearing about this before.  I hope that this is an April fool, but it has a ghastly ring of plausibility.

------------------------------

Date: Fri, 5 Apr 91 09:39:05 EST
From: dmlaur@gauguin.Princeton.EDU
Subject: Draconian Accountability (re: Korean typographers)

This reaction forwarded for Prof. Michael Mahoney (mike@pucc.princeton.edu), regarding Martin Minow's article on strict Korean typographic rules:

Check the Code of Hammurabi and, if I remember correctly, you will find that the builder of a structure that collapsed and killed the head of the household paid with his own life; if the collapse killed the owner's son, the builder's son paid the price of his life, etc.  Similar Draconian rules governed the construction of buildings in other ancient cultures, leading to overbuilt, rock-steady structures.

Now, suppose the programmers of, say, Airbus avionics software were subject to the same penalties.  One adult life per adult life, etc.  Suppose the programmer of an automated incubator had to place her own child's life as warranty.  Would we see better software?

There is middle ground.
We as a society could simply refuse to honor the disclaimers of liability that accompany software.  We could start suing for damages, requiring into the bargain that the names of all participating programmers be attached to the product, if not for the purposes of suing them, then so that other companies could know who had contributed to the demise of a ruined enterprise.

The trouble is that, despite all the complaints (correct and, if anything, understated) about defense software, DARPA is now riding high after the allegedly spectacular performance of weapons systems in Iraq.  SEI at CMU has more money than it can spend.  The products and the processes used to produce them are no better than on 16 January.

Mike

------------------------------

Date: Fri, 05 Apr 91 01:05:05 EST
From: hank@westford.ccur.com
Subject: Small risk with Telephone cards

I just noticed this yesterday, and although it is hardly a life-threatening risk it still seems to be a bug.  In Japan prepaid telephone cards have become very popular.  Yesterday I made a call with a phone card that had only 1 unit of credit remaining.  After dialing my call, but before the other party answered, the phone debited my card to zero and returned it to me.  If the other party hadn't answered I would have lost my dime.

One can imagine: Late night in a storm, only a phone card to make a life and death emergency call and ... :^)

Hank Cohen

------------------------------

Date: Fri, 5 Apr 91 09:00:47 PST
From: merlyn@iwarp.intel.com (Randal L. Schwartz)
Subject: Re: Tricky application of Caller ID (Re: Kiddie Call-in, RISKS-11.38)

This sounds suspiciously like the 976-SANTA(?) in Seattle two years ago.  Apparently, they ran a 1/2 hour "entertainment" show around Christmas time, urging kiddies to stand by with their phones at the end of the show.  The tones for the 976 phone number (along with the phone number on screen in case they didn't have a touch-tone phone) came out over the speaker.  Caused quite a flap, if I recall.

Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095
merlyn@iwarp.intel.com  ...!any-MX-mailer-like-uunet!iwarp.intel.com!merlyn

------------------------------

Date: Fri, 5 Apr 91 11:35:44 EST
From: wcs@erebus.att.com (William Clare Stewart)
Subject: Re: Tricky application of Caller ID

Aside from the use of caller-id mentioned here, it seems like an obvious potential rip-off:

  Touch-Tone 1-900-EXPENSIVE
  "Hey, kiddies - hold your phone up to the TV for a Big Surprise!"

Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ

------------------------------

Date: 4 Apr 91 20:57:43 GMT
From: hollombe@ttidca.tti.com (The Polymath)
Subject: Re: E-mail role in LA cop probe (Fagan, RISKS-11.37)

}... Giving electronic messages the same validity as recorded voice is a bad move, it seems to me.

Actually, it's a Good Thing.  Recorded voice has no validity in a court of law and hasn't for decades.  It can only be used when backed up and confirmed by eye (ear?) witness testimony.  That's why someone has to actually _listen_ to a wire tap, rather than automatically record and review at a more convenient time.

Jerry Hollombe, Citicorp, 3100 Ocean Park Blvd., Santa Monica, CA 90405
{rutgers|pyramid|philabs|psivax}!ttidca!hollombe  (213) 450-9111, x2483

------------------------------

Date: Fri, 5 Apr 91 08:19:45 EST
From: mnemonic@eff.org (Mike Godwin)
Subject: Re: Len Rose (RISKS-11.37)

Steve Bellovin writes about the Len Rose case:

  "The prosecutor must demonstrate intent to misuse in such cases.  If possession of ``hacking tools'' were against the law (as far as I know, it's not, and given how loosely many such statutes are drawn, that's probably just as well), there would be a considerable burden of proof.  Maybe such evidence could be produced in this case, maybe not.  But it's far from unreasonable to claim that hacking is at issue."

What makes it unreasonable to claim that Rose is a hacker is the fact that he had authorized access to every system he wanted to use.
There was no question of unauthorized intrusion in Len's case.  It bears a lot of repeating that Len pled guilty to unauthorized possession of Unix source code, not to computer fraud or unauthorized access.

Len's case identifies a RISK, by the way: if law enforcement is investigating you for another reason, and they don't find evidence of that crime, they'll look all over your system in the hope of finding unauthorized code (or anything else) in order to indict you.

  "In that case, the charge should be extreme negligence.  I don't care what your motives are; no responsible system administrator should ever store cleartext user passwords online."

Let me gently suggest that the criminal law is not the proper tool for making sure that system administrators are responsible or nonnegligent.  While nonlawyers have doubtless heard the term "criminal negligence," the fact is that negligence is normally dealt with in civil law, where the proper remedy is money, not jail time.

--Mike

Mike Godwin, Electronic Frontier Foundation
mnemonic@eff.org  (617) 864-0665

------------------------------

End of RISKS-FORUM Digest 11.40
************************