Subject: RISKS DIGEST 11.87
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 11 June 1991  Volume 11 : Issue 87

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Re: The impact of formalism on Computer Science education (Hal Pomeranz)
Fighting phone hackers in SoCal (Mark Seecof)
Re: There is a Ford in your future (and in your past) (Ed Wright, Michael J Zehr, Bruce Oneel, Brinton Cooper)
Active Badges: Article in 16 May "Economist" (Bob Ayers)
Re: The Activated Active Badge Project (Peter Robinson)
Re: Caller-ID (Arthur Rubin, Andrew Tannenbaum)
Knock, Knock! (Heritage Cable) (Ed Greenberg)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 11 Jun 91 13:17:21 EDT
From: pomeranz@isis.dccs.upenn.edu (Hal Pomeranz)
Subject: Re: The impact of formalism on Computer Science education

I was dismayed by Ed Nilges' (egnilges@pucc.princeton.edu) article in RISKS-11.86.
Ed discussed a recent CACM article by Karen Frankel, citing Daniele Bernstein's criticisms of Edsger Dijkstra's proposed reforms for Computer Science education. Ed's analysis of the situation appears to have some huge holes in its logic.

Essentially Dijkstra recommends that Computer Science education be based on formal mathematics and logic rather than early exposure to and experimentation with computers. Bernstein notes that women tend to prefer experimentation and teamwork to solitary abstract thought, and accuses Dijkstra of sexism on the basis that the proposed educational reforms would present a barrier to women in Computer Science. Ed concludes "Dijkstra is right and Nye and Bernstein are wrong" because he believes that the sort of solitary thinking about formal mathematics and logic encouraged by Dijkstra's reforms will lead to better (less error prone) software.

It has not been sufficiently demonstrated to me that this sort of thinking leads to better software, but that is not the basis on which I would like to argue with Ed. Bernstein's criticism of Dijkstra relates not so much to the practice of programming and other areas of Computer Science, but rather to the education of future programmers. Several studies have noted that, from an early age, girls in Western societies are not encouraged to take up activities which lead to careers in scientific fields, particularly Mathematics, Computer Science, and Engineering. Bernstein's criticisms are, I believe, pointing out that the changes proposed by Dijkstra would be yet another barrier to women wishing to enter the field of Computer Science. It would be akin to requiring a student who only knows conversational German to learn something from a German technical article -- there is a "language" barrier which is very difficult but not impossible to overcome. However, if I were that student I wouldn't even bother.
Ed goes on to support his argument with a description of his own experience teaching C programming to American and Russian emigre students. He notes that, due to scarce resources, the Russian students are learning in an environment that is similar to the one that Dijkstra proposes. He states that he finds "NO sex differences". This may be true, but is the ratio of women to men in his courses the same as the ratio of women to men in the population (choose your own demographics) as a whole? If, as I expect, this ratio is much lower than the ratio for the general population, then it would suggest that the Russian curriculum is discouraging to women. The Russian women in Ed's classes are those few women who are able to "hack it" in the rigorously mathematical and abstract Russian system.

It may well be that more formal training turns some people into better programmers. It is certainly the case that formal training turns a lot of people off or presents an impossible obstacle to many groups (not only women). I believe that many of these people could become excellent programmers, or professors of Computer Science, or researchers, etc. However, if Dijkstra's proposals are widely implemented, chances are that none of this latter group will get the opportunity. This, then, is Bernstein's criticism of Dijkstra's proposal.

It is unfortunate that Bernstein slings the word "sexist", and that Ed feels threatened enough to counter with the (now) negatively connotated term "politically correct" which raises all sorts of spectres of thought police. All education would benefit from a massive dose of new and different thinking, so as to encourage marginalized groups to participate more fully, rather than a retreat to older, more formal approaches which would only push groups on the outside farther out.
Hal Pomeranz
pomeranz@dccs.upenn.edu

------------------------------

Date: Tue, 11 Jun 91 10:29:55 -0700
From: Mark Seecof
Subject: Fighting phone hackers in SoCal

Excerpts from an article published in the Los Angeles Times May 17, 1991; page E1. Edited and submitted to RISKS Digest by Mark Seecof of the L.A. Times Publishing Systems Department. [elisions and bracketed comments mine --Mark S.]

``Little Phone Company on a Hacker Attack''
By Susan Christian, Times Staff Writer.

[Introductory blather...]

[...] in the last seven months [small long-distance company] Thrifty Tel's [security chief] has put seven hackers in jail. And she has made 48 others atone for their sins with hard cash and hardware. The case that [security chief] Bigley calls her biggest coup--involving a 16-year-old Buena Park boy whose alleged theft of computer data cost Thrifty Tel millions of dollars--is pending in Orange County Superior Court.

Thrifty Tel has become one of the most aggressive hacker fighters in California, according to Jim Smith, president of the California Assn. of Long Distance Telephone Cos. (Caltel). ``[Bigley] is tough,'' he says. ``I would not want to be a hacker on her network.''

So far, the company has collected more than $200,000 in penalties and reimbursements from hackers. ``We do not have a hacking problem any more because we stood up and punched them in the face,'' Bigley proclaims.

``These kids think that what they're doing is no big deal--they're not murdering anyone,'' Bigley says. ``They think we're terrible for calling them on it. Their attitude is extremely arrogant. But these are not just kids having some fun. They are using their intellect to devise ways to steal. And these are not kids who need to steal. They come from white-collar families.''

For Thrifty Tel Inc., the battle of wits started a year ago. [...Thrifty Tel is ten years old, went public in '86, and serves 7,000 customers in SoCal.]

[...Last year the hackers discovered them.
Hackers use computer programs to try many possible code numbers until they find the ones which unlock the system.]

``The first quarter of 1990 we came in with a half-million-dollar net profit, and everything was going great,'' Bigley says. ``Then the next quarter, all of a sudden we were lopsided. We were getting bigger bills from our carriers than we were billing out to our customers.''

With a little investigation, the company pinpointed the culprits: hackers who were eating up telephone time at as much as ten hours a ``conversation.'' Because hackers exchange information and solve secret codes via long-distance modem connections, circumventing expensive telephone charges has become their mainstay.

``It was so frustrating to sit here and watch these hackers burn through our lines,'' says Bigley, a 33-year-old San Fernando Valley resident. She has been vice-president of operations at Thrifty Tel for four years. ``I had technicians out changing customers' codes that they'd just changed a few weeks before.''

But Bigley is not the sort to throw in the towel. [...She is hard-working and persistent.] First, she devoted a couple of months to educating herself about hacking. She monitored Thrifty Tel's computers for unusual activity--telephone calls coming into the switching facility from non-customers.

``They believe that because they're sitting in a room with a computer they're safe,'' Bigley says. ``The problem is, they're using their telephone; we can watch them in the act. It's a lot easier to catch a hacker than a bank robber.''

Bigley started making a few calls of her own. If the infiltrator seemed major league, like the Buena Park boy, she contacted the Garden Grove Police Department, whose fraud investigators went into homes with search warrants. If the hacker seemed relatively small, however, Bigley took matters into her own hands, telephoned the suspect and presented an ultimatum: Either pay up or face criminal charges.
A non-negotiable condition of Bigley's out-of-court settlement provided that the guilty party relinquish his (or, infrequently, her) computer and modem. Thrifty Tel donates the confiscated weapons [computers] to law enforcement agencies.

Teen-age hackers tend to be ``very intelligent and somewhat introverted,'' says Garden Grove Police Detective Richard Harrison, a fraud investigator who has arrested many of Thrifty Tel's suspects. Most of the parents he has dealt with were oblivious to their children's secret lives, Harrison says. He suggests that parents educate themselves about their children's computers. ``If a kid is spending a whole bunch of time on his computer and it's hooked up to a modem, he's not just running his software. What is he doing on that computer? Does he really need a modem?''

[ed. note-- this officer may be an expert on fraud but is clearly unqualified to make such sweeping assertions about what (young) people do with computers. Playing rogue can eat up as much time as hacking while the modem remains idle.]

Not all hackers are young computer fanatics testing their limits. ``The hacking problem is two-fold,'' says Caltel president Smith, also president of the Sacramento-based long-distance telephone company Execuline. ``First, we have Information Age fraud, which is an outgrowth of the proliferation of computers in households. We have all these kids who want to talk to each other on bulletin boards, and if mom and dad had to pay for all those phone calls, the cost would be prohibitive. Then we have professional fraud--adults as well as kids who attempt to gain access to our codes for the purpose of selling the codes. They have made a big business out of hacking.''

Smith's company has waged a more low-key defens[e] against hackers than Thrifty Tel. ``I wish I had the time to devote to hacker fraud that she [Bigley] has been able to devote,'' he says.
Therein lies the reason that many telephone companies decline to file charges against hackers, says Roy Costello, a fraud investigator for GTE. ``Smaller carriers don't have the time to allow their people to do the investigation and then carry it through the court system,'' he says.

[... Stuff about the sticktoitiveness of Thrifty Tel's Bigley and how she thinks that hackers are immoral and wants to defeat them.]

------------------------------

Date: Tue, 11 Jun 91 9:42:16 PDT
From: Ed Wright
Subject: Re: There is a Ford in your future (and in your past) (RISKS-11.86)

I would suggest that equipment of this type would negate some risks, rather than create new ones. Currently if there is an accident sorting out who was at fault (in non no-fault states) winds up being a long involved process which primarily benefits members of the legal community, and costs the taxpayer lots of money in the form of increased insurance premiums down the line, and increased taxes to cover court expenses. With a recorder on board that showed one party was clearly speeding, or failed to apply brakes, resolution could be more straightforward. At worst resolution would be no more involved than it is now.

I am often intrigued by people apparently worrying about the risk of "getting caught". I would presume that if a driver is not speeding or otherwise inappropriately operating the vehicle, then a recorder could be a benefit in resolving a suit, or more mundanely detecting malfunction before it becomes expensive, or in detecting driving habits that are expensive. At worst it would be a nonentity like the controller that runs the cruise control.

------------------------------

Date: Tue, 11 Jun 91 14:39:48 -0400
From: tada@ATHENA.MIT.EDU
Subject: Re: There's a Ford in your future (and your past!)
(RISKS-11.86)

In other words the risk is that the police might be able to actually determine the cause of an accident based on evidence, rather than on the possibly true account of the participants based on their possibly correct memory?!?

Perhaps the real risk is that the device might be used to determine where your car had been, and when. Like, if the police used it to find out if you had been at a crime scene.

(Perhaps an even greater risk is that of preventing some helpful technology from coming to the market based on the fear that maybe it will stop someone's illegal or unethical behavior as well as helping those who have nothing to lose and something to gain from the new technology. While we should be concerned over privacy concerns, we should also be concerned about the overall benefit to society, etc...)

-michael j zehr

------------------------------

Date: Tue, 11 Jun 91 12:39:00 EDT
From: oneel%heawk1@heawk1.gsfc.nasa.gov ( Bruce Oneel )
Subject: Re: There's a Ford in your future (and your past!)

It's been a while since I've read car magazines, but, in the late 70's to early 80's GM started putting engine control computers in some of the more expensive cars. These were to aid in diagnosis. If certain engine parameters were exceeded then the computer would remember them and then could dump them out to the mechanic when poked in the right direction. I do remember that over rev, temp, and oil pressure were mentioned as being monitored. It would allow a mechanic to say "Well, this really wasn't meant to spin all the way to 8000 rpm..."

bruce

------------------------------

Date: Tue, 11 Jun 91 14:09:44 EDT
From: Brinton Cooper
Subject: Re: There's a Ford in your future (and your past!) (RISKS-11.86)

John Moore writes, regarding a Ford Motor Co. "customer flight recorder..." that is installed in a car when a customer has an intermittent problem (and which) mechanics can later read and attempt to diagnose the problem.
He asserts a "risk" in that data so recorded might be used in legal activities following an accident while such a device is in use.

On the other hand, one might ask "risk to whom?" The principal risks in the use of such a device seem to be to the careless driver and to negligent auto manufacturers. Flight data recorders on aircraft seem to be risky only to the extent to which they fail to provide sufficient information on the cause and responsibility for a crash. Do we really want to hide behind arguments about "risk" in an effort to avoid responsibility for our actions?

One of the great (potential) contributions of computers is their ability to provide information which can improve the safety of our transportation systems. (Yes, I'm aware of the risks of doing this improperly, carelessly, etc.) The risk in John Moore's world seems to be NOT to collect the "flight" data.

-Brint

------------------------------

Date: Sat, 8 Jun 91 17:08:25 -0700
From: ayers@Pa.dec.com (Bob Ayers)
Subject: Active Badges: Article in 16 May "Economist" (RISKS-11.85)

The use of "active badges" at Xerox EuroPARC was the subject of a one-page article in the 16 May "Economist." The article discussed the basic technology, and also discussed the risks of "as long as users actually wear their bleepers, the system records where each person has been during the day, for how many minutes, and with whom. Soon, it will be able to record telephone conversations and identify types of meeting, too ... this will be an 'aide memoire,' but it will also be a way in which managers can keep tabs on their employees."

------------------------------

Date: Tue, 11 Jun 1991 18:00:13 +0100
From: Peter.Robinson@cl.cam.ac.uk
Subject: Re: The Activated Active Badge Project [RISKS 11.85]

The article has prompted me to report an interesting risk of using active badges. The main concern here when the system was installed was that the system would assist a thief in identifying empty offices for nefarious purposes.
We now have evidence of such a use, albeit for a very minor theft of intellectual property. I was somewhat surprised the other week to walk past a printer in the Laboratory and see it printing out a draft copy of a book on which I am working. I hadn't printed it. A quick check by our systems manager determined that it had been printed by one of the students in the Department. A further check determined that the student had used the active badge system to verify that I was not in the vicinity when he printed the draft. Unfortunately for him, the print queue jammed for six hours and the job was released at precisely the wrong moment...

The moral seems to be that the risk of systems revealing locations (automatic vehicle identification for road tolls, on-line credit card processing, active badge systems and so on) is not that they allow other people to know where you are (after all, anyone could hire a private detective to tell them that), but that they tell people where you are not.

- Peter Robinson.

------------------------------

Date: Tue, 11 Jun 91 14:38:37 PDT
From: a_rubin@dsg4.dse.beckman.com (arthur rubin)
Subject: Caller-ID

The proposal for Caller ID in California (probably the PUC gave the minimal conditions they would accept) was to have free per-call blocking, no per-line blocking, with no mention of overrides, except: a blocked call would still be recognized by Call Trace or Call Return. I don't know the current status of the proposal.

------------------------------

Date: Tue, 11 Jun 91 18:49:11 -0400
From: trb@ima.isc.com (Andrew Tannenbaum)
Subject: re: Caller-ID and Risks/Benefits of reusing commands

I see that the telcos are fighting to prohibit normal users from specifying per-line blocking of Caller-ID. Is anyone selling phones that will automatically prepend the call-block code (*67 or whatever) whenever you dial, effectively circumventing the lame telco restriction?
You can already program it into your speed-dial buffers, but this would allow you to forget about it when you dial normally.

Andrew Tannenbaum   Interactive   Cambridge, MA   +1 617 661 7474

------------------------------

Date: Sat, 8 Jun 91 14:58:15 PDT
From: edg@netcom.com (Ed Greenberg)
Subject: Knock, Knock! (Heritage Cable)

This is quoted from Action Line, a write-in column of the San Jose Mercury News. The paper was dated 8-Jun-1991.

"Q: The other day, I was visited by a representative of Heritage Cable, stating he was here to investigate the purchase of an illegal de-scrambler that he said I bought in 1987. He also stated that he had every right to inspect the line that went into our household. I felt outraged to be woken up -- I work nights -- for such a ridiculous and demeaning experience. I've had cable at this address since 1986. Does the Heritage Cable representative have the right to inspect inside our house?

"A: They do, says Mark Solins, Heritage's director of field service. Solins says the cable company receives lists from the Federal Bureau of Investigation every so often with names of people who bought de-scramblers for the purpose of obtaining a cable station without paying the cable company for the right to the air waves. The FBI doesn't monitor all de-scrambler sales, but does get involved if it learns of illegal activity. Solins says the contract you signed when you signed up for cable allows a company rep the right to inspect the cable service and line. Solins says your name popped up on a recent list the FBI sent to Heritage. Solins says no illegal de-scrambler was found in your home. Evidently, someone who used to live in the rear of your property ordered the de-scrambler, under your name and address and used it to pick up cable waves without subscribing to the service."

Ed Greenberg, P. O. Box 28618, San Jose, CA 95159   Work: +1 408 764 5305

   [Also contributed by Mark Thorson, who prefaced the item with this: "Although not directly related to computer RISKS, it's easy to see how electronic means for detecting illegal cable hookups could be adapted to exploit this mechanism for running roughshod over individual privacy. Mark Thorson (a.k.a. mmm@cup.portal.com)." Mark also added EMPHASIS to the line beginning "SOLINS SAYS THE CONTRACT YOU SIGNED ..." PGN]

------------------------------

End of RISKS-FORUM Digest 11.87
************************