Subject: RISKS DIGEST 11.54
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 25 April 1991  Volume 11 : Issue 54

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  "Alleged Cable Pirates Caught in Electronic Trap" (PGN)
  Dutch nation portrayed as a bunch of network bashers (Ralph Moonen)
  Re: "University Exec Backs Hacking" (Piet van Oostrum)
  Re: response to rude behavior (Mike Nemeth)
  Trespassing and common law (Phil Agre)
  Free Speech and Government Control of Information (Larry Hunter)
  Re: Responsibilities of Internet sites (Mike Godwin)
  Re: Dutch hackers and KSC (Brinton Cooper, Ron Tencati)
  Re: Letter to Senators on SB 266 (Theodore Ts'o)
  Re: Trains collide in east London (Ian G Batten)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in
 good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
 "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
 For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 11, j always TWO digits).  Vol i
 summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
 <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
 If you cannot access "CRVAX.SRI.COM", try Internet address "128.18.10.1".
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of
 ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 25 Apr 91 9:09:06 PDT
From: "Peter G. Neumann"
Subject: "Alleged Cable Pirates Caught in Electronic Trap"

An article by George James probably from today's New York Times (I saw it
replayed in today's San Francisco Chronicle, p.
A6) describes a successful effort by American Cablevision of Queens (NY) to
trap customers who had illegally installed chips that let them pick up a
variety of premium cable channels for free.  After analysis of ONE of the
bogus chips, American Cablevision was able to construct a signal (an
"electronic bullet") whose transmission disabled just the bogus chips,
leaving the legitimate access control boxes unaffected.  They then simply
waited to catch the 317 customers who called in to complain that their
screens had gone dark -- and who were asked to bring in their boxes, which
American Cablevision then kept.  "If convicted, the subscribers could face
fines of up to $100,000."

   [Able Cable-Caper Sting-Thing Zaps Chips, Nabs Fabs.  Potential Variety
   headline?  PGN]

------------------------------

Date: Thu, 25 Apr 91 09:59 MDT
From: rmoonen@hvlpa.att.com (Ralph 'Hairy' Moonen)
Subject: Dutch nation portrayed as a bunch of network bashers

As a citizen of the Netherlands, I must take offense at the remarks made by
several people that the Netherlands are a law-less and a-social country.
Bill Murray portrays Holland in this way in RISKS 11.53.  While I agree with
him that the behaviour of the Dutch crackers isn't correct, you have to
understand that unlike America has shown in its operation Sundevil, Holland
has a legislative system wherein someone is innocent until proven guilty.
This means that not the laws fail in Holland (the crackers could easily be
busted for telephone-wire fraud) but that the burden of proof lies with the
Dutch State.  As you can imagine, this is a delicate matter.  How does one
prove, short of catching someone in the act, that Mr. A. was behind the
keyboard at that time, doing such-and-such?  Furthermore, I might add, that
the media information has been incomplete, in that the Dutch crackers used
Utrecht to crack several universities in the States, and _proceeded to crack
other systems from there_.
Following the line of argument that Bill Murray used, these universities
should also be barred from the net, and yes, perhaps the whole of America
should be.  The problem is not that one single country lacks a powerful law
enforcement and acts as a rogue nation and hacker-haven.  The problem is
that as long as people can get onto the net, (students, 'authorised'
personnel, outsiders, and whatever) security will have to be a major issue.
Not just the issue of one single university like Utrecht, but of ALL sites
on the internet.  Because you do realise that a smart cracker could get away
with this just as easily in the States as in Holland?  So don't lay any
guilt-trip on the Dutch will you?

* Ralph Moonen, (+31) 35-871380

------------------------------

Date: Thu, 25 Apr 91 17:03:58 met
From: Piet van Oostrum
Subject: Re: "University Exec Backs Hacking" (Dutch crackers, RISKS-11.50,51)

I don't think Mr. Rook knows much about computer networks.  From what I know
about the incident (I haven't seen the TV program) this could have been done
from Every site on the Internet that has a Decnet node.  And I agree that it
is the responsibility of each site to prevent break-ins into their own
computers.

Well, apparently he doesn't know that his own university does not condone
any attempt to break into other systems.  Our (computer science) students
know this very well, and risk being excluded from computer access if they
try.

Delft University (not: the prestigious ..) had (or has) a course in computer
security (not in hacking), where one of the assignments of the students was
to find security weaknesses in computer systems.  Yes, we try to encourage
exploration but also responsibility and ethical behaviour.

Piet* van Oostrum, Dept of Computer Science, Utrecht University,
Padualaan 14, 3508 TB Utrecht, The Netherlands.
+31 30 531806   uunet!mcsun!ruuinf!piet

------------------------------

Date: Thu, 25 Apr 91 01:26:27 MDT
From: mike@vort.cpsc.ucalgary.ca
Subject: Re: response to rude behavior

I too am part of this community, and I dismiss WHMurray's recent article
(comp.risks 11.53) as a blatantly obvious piece of fear-mongering.  Murray's
attempt to isolate an entire nation from the free flow of information would
be scary if it weren't so wretchedly silly and patently self-serving.

>William Hugh Murray, Executive Consultant, Information System Security
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^

And guess who'd love to take on the job of setting himself up as the Leader
of the DataPolice?  Kids, be the first one on your block to have an Empire!
Follow in the steps of Hitler, Stalin, and Hoover.  You too can have a full
and exciting career as a demagogue.

P.S.  Who said: "Those who give up a little freedom for a little security
will soon have neither freedom nor security." ?

Mike Nemeth   VORT Computing   (403) 261-5015   ...calgary!vort!mike

------------------------------

Date: Thu, 25 Apr 91 11:56:09 +0100
From: Phil Agre
Subject: trespassing and common law

Steve Bellovin (RISKS-11.52) points out that the US only requires a landowner
to put up a "no trespassing" sign to make trespassing illegal.  A
complementary point to make is that both English and American common law
gives me the permanent right to walk across your property if I have been
doing so regularly with your knowledge for some substantial amount of time.
If the trespassing analogy is to apply to computer cracking, then this
flip-side would seem to apply as well.

Phil Agre, University of Sussex

------------------------------

Date: Tue, 23 Apr 91 14:23:36 EDT
From: hunter@nlm.nih.gov (Larry Hunter)
Subject: Free Speech and Government Control of Information

In RISKS 11.51 Jerry Leichter claims that "in an information age we will
find it necessary to control access to and dissemination of certain classes
of information.
In fact, we already do this."  He proceeds to argue that defending
encryption on free speech grounds is misguided.  He is wrong both about the
current state of government control of information and about what is
desirable policy.  The first amendment quite explicitly prohibits government
controls of expression (i.e. communication of information) with very few
exceptions, and I suggest that the current governmental attacks on this most
basic right are pernicious and must be fought.

Leichter's examples from crime and commerce are deceptive.  One's first
amendment rights of free speech do not exempt all expressive acts from
prosecution.  There is a large body of law that addresses the issue of when
expression becomes action.  Some examples include conspiracies, slander,
copyright violations, and reckless endangerment (e.g. yelling "fire" in a
crowded theater).  What is prohibited is prosecution for _mere_ expression,
even if individuals, organizations or the government would rather keep the
information secret.  As long as I am not conspiring to commit fraud or some
other crime, I can publish your credit card number, or your Swiss bank
account number, or your income, etc. in a magazine article without fear of
government prosecution.  And I believe that ability to express things that
make some people uncomfortable is a vital part of basic American liberty.

Leichter's second example involves restrictions on a company selling credit
or other private records.  Commercial speech is regulated very differently
than individual speech.  For example, commercial advertising must not be
false or deceptive (well, at least in law), and there are specific legal
limits on the disclosures that credit bureaus, common carriers, doctors,
lawyers, etc. can make under most circumstances.  Commercial entities do not
have the same free speech rights that individuals do.
Finally, Leichter points out the National Security exception to freedom of
expression, which, as he notes, is both pervasive, and, in the case of "born
classified" information, constitutionally suspect.

Leichter concludes by recommending a couple of science fiction stories about
social control of information.  Interesting as those stories are, let me
suggest that you also read Thomas Emerson's "The System of Freedom of
Expression."  Any abridgement of a constitutional right must either balance
a competing right or serve some compelling state interest.  What compelling
state interest could be sufficient to infringe on our rights to free
expression and privacy by effectively prohibiting effective encryption?
Surely the routine prosecutorial needs of the state can be met without
recourse to such invasive, undiscriminating measures.  Terrorism may be a
threat, but not such a compelling one that we as a society ought to
sacrifice one of our most basic constitutional rights in order to _possibly_
reduce the chance of a _potential_ attack.

Technology can be used either to enhance or degrade the status of rights
such as freedom of expression and privacy.  Inexpensive, effective
encryption is a basic enabling technology that empowers individuals in an
increasingly technologically invasive society.  I believe it should be
defended against government attack in the strongest possible terms.

Lawrence Hunter, National Library of Medicine

[Please note that I am neither a lawyer nor am I speaking as a
representative of the government.]

------------------------------

Date: Wed, 24 Apr 91 10:29:47 EDT
From: mnemonic@eff.org (Mike Godwin)
Subject: Re: Responsibilities of Internet sites (Pereira, RISKS-11.52)

>1) I know of no area of human activity in which wilful intrusion or condoning
>intrusion are seen as no more condemnable as failure to protect one's domain
>from intrusion to the best of one's ability.
In tort law, the law of trespass is balanced by the law concerning the
negligence of those who maintain attractive nuisances.  The issue is not
whether computer trespass is wrong, but whether it is just to punish the
trespassers without imposing any liability upon those who failed to meet
minimum standards of computer security.

It is a fact that every generation faces the challenge of overcoming a wave
of barbarians--its own children.  Is it wise social policy to send young men
to prison for doing the kinds of things that not-yet-fully-socialized young
men invariably do while imposing no social responsibility upon those charged
with maintaining system security?  That is a question that has not been
fully debated.  It will never be fully discussed so long as too many people
suppose that the wrongness of trespass decides all the legal and ethical
questions raised by computer intrusion.  It does not.

--Mike
Mike Godwin, EFF, Cambridge, MA, mnemonic@eff.org, (617) 864-0665

------------------------------

Date: Wed, 24 Apr 91 20:31:24 EDT
From: Brinton Cooper
Subject: [oneel: re: Dutch hackers and KSC [Kennedy Space Center]]

Brice O'Neel writes

> I don't believe that KSC is on the internet.

Try 128.217.11.25 (nasa2.ksc.nasa.gov).  More are vulnerable than you
dreamed of.  I never dreamed, for example, that OSHA is on the Internet (not
that it matters, mind you).

_Brint

   [KSC's presence on the Internet was also noted by Ari Ollikainen
   (ari@OldAhwahnee.Stanford.Edu), as reported somewhat red-facedly by
   oneel@heawk1 ( Bruce Oneel ).]

------------------------------

Date: Tue, 23 Apr 1991 19:32:46 EDT
From: TENCATI@NSSDCB.GSFC.NASA.GOV (NSI Security Manager (301)286-5223)
Subject: Re: Dutch hackers and KSC

I have received NO incident reports indicating that any KSC systems were
hacked, or involved in any hacking incidents relating to the Dutch hacker
case.
Ron Tencati, Security Manager, NASA Science Internet (NSI)
Coordinator, NSI-CERT, STX/Code 930.4/Goddard Space Flight Center/Greenbelt,MD

------------------------------

Date: Tue, 23 Apr 91 02:09:55 EDT
From: Theodore Ts'o
Subject: Re: Letter to Senators on SB 266 (Engler, RISKS-11.51)

As previous posters have noted when the Lotus Marketplace controversy was
taking place, sending form letters to your representatives is not terribly
productive; the Senators' or Representative's staff are fairly good about
detecting (and disregarding) form letters.  If, however, you write your own
letter and send it off, it will be given much more weight, since presumably
it mattered enough to you to write your own letter.

I do urge everyone to write his/her own letter and send it off to Biden as
well as your own Senators and Representatives.  If we raise enough fuss,
hopefully the bill will be allowed to die while it's still in committee.

                                                - Ted

------------------------------

Date: Thu, 25 Apr 91 08:37:36 BST
From: Ian G Batten
Subject: Re: Trains collide in east London (RISKS-11.52)

With respect to the London Docklands Light Railway incident, the report in
RISKS-11.52 ("Computer-controlled commuter trains collide...") misses one
vital point.  The train that was hit was under manual control, following an
earlier failure.

ian

------------------------------

End of RISKS-FORUM Digest 11.54
************************