Subject: RISKS DIGEST 12.12
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 12 August 1991  Volume 12 : Issue 12

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Teenage Hacker Emulates Hess (PAJ)
Future Risks (Hilarie Kauiolani Orman via Richard Schroeppel)
Security comes to the Free Software Foundation (Martin Minow)
Lotus Marketplace Epilogue (Marc Rotenberg)
Computer frustration (Andrew Goldberg via Les Earnest)
Yet another threat to telephone privacy (Jeff Makey)
"Enemy of the State" -- Story on risk to privacy (Richard Thomsen)
Firefighters won't give first aid to AIDS patients (Sean Eric Fagan)
Lifestyle discrimination (Martyn Thomas)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM.
For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits). Vol i
summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM
SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: 9 Aug 1991 11:54:25-BST
From: paj
Subject: Teenage Hacker Emulates Hess

Summarised from Computer Weekly, 8th August 1991.

A 16-year-old schoolboy named Jamie Moulding has been cautioned by
plain-clothed police after hacking into a military computer and trying to sell
secrets to the USSR.
He claims to have read the Ministry of Defence personnel and payroll files. One
computer he entered held details of a British Army tank control system.
Moulding first incorporated details of the system into his own simulation
package, and then phoned the Soviet Union's London embassy to try to sell the
information. Next day two policemen turned up at his home and spoke to his
parents.

Moulding's telephone bills were unwittingly paid by his school. He wrote an
autodialer program and an automatic hack program which "planted a command which
led to a display of passwords".

DEC denied that its systems had been hacked. The police officers were
unavailable for comment.

------------------------------

Date: Sat, 10 Aug 91 02:54:22 PDT
From: ho (Hilarie Kauiolani Orman)
Subject: Future Risks

[Via fermat!r@la.tis.com (Richard Schroeppel)]

TINY BUG IN H.S. "GENOME" CAUSES MASSIVE HUMANITY FAILURE

Officials responsible for a spiral galaxy near the middle section of the
universe revealed today that a small error in an encoding for the life form
"Homo sapiens" was responsible for the near extinction of the partly
intelligent species. The change had been introduced during routine maintenance
of the life form. Officials explained that the maintenance had been intended to
improve the survivability of the species, but inadequate testing had caused it
to become susceptible to a new sexually transmitted disease.

Senior universe officials expressed disappointment in the control of the life
forms in the galaxy, citing a series of malfunctions, especially near a yellow
star at the edge. The H.S. species has required several patches in the field
and still seems unstable. The latest change was not tested in alternative
universes due to lax controls and lack of funding.

Other officials cited inadequate specification and design review. "How can we
guarantee that the species works without a formal definition of what it is?"
lamented one senior observer.
"These things just look like collections of cells - they just sort of grow.
There's no mathematical model that can be used to verify it. I don't see how
they ever got it started in the first place."

Insiders feel that the species can be rescued, but expressed doubt about its
long-term viability. The estimate of the time needed for a thorough review of
the documentation, writing the formal specifications, and verifying the genome
encoding, expressibility, and environmental testing, is greater than the
lifetime of the universe. Meanwhile, yet another mutation and alteration of the
local laws of physics will be required to back out of this particular upgrade.
With funding already stretched, this setback might just spell the end of H.S.

The formally verified Vulcan species, originally slated for production next
year, has been delayed due to a series of technical problems and is now
scheduled for beta testing after the next big bang.

------------------------------

Date: Tue, 6 Aug 91 05:12:02 PDT
From: Martin Minow 06-Aug-1991 0757
Subject: Security comes to the Free Software Foundation

This is summarized from a front-page article in the Boston Globe, Aug 6, 1991.

The Free Software Foundation (FSF) has been forced to institute security
(password) control because "vandals who were able to enter the foundation's
system anonymously were not only deleting and trashing files there, but were
also entering Internet ... and doing damage in other systems as well." ...

"Michael Bushnell, a programmer at the Free Software Foundation, said the
changes are making systems more inconvenient to use and creating an
international network that cannot be used without an operator putting himself
under surveillance.

"''There's not a big sharp impact because, over time, so many networks already
created security barriers,'' Bushnell said. Extension of these restrictions ...
''is kind of like when the last critical-of-the-government newspaper is shut
down.
After it's gone a while, people notice a difference.''"

"... An estimated 1,000 to 2,00 persons gained access ... and staff members say
they will try to preserve this somehow."

"''I feel ashamed not having an open system,'' says [Richard] Stallman, ...
''I feel ashamed having a system that treats everyone as vandals when in fact
very few were. ... Every time I think about this I want to cry.''"

-------

The above summarizes the first half of a long story. The remainder discusses
trust, community, hacking, and access in terms and concepts that will be
familiar to Risks readers.

About a week ago, Richard Stallman was interviewed on the local NPR morning
news (the local portion of Morning Edition) on the closure of the FSF systems.

Personal observation: a few years ago, I had "tourist" access to Internet
through an FSF computer and, many years before that, tourist access through
MIT-AI. Now, I have (password-protected) access through another MIT system, one
of the few that will allow access from "known to be trustworthy" persons.

Martin Minow
minow@ranger.enet.dec.com

   [And here is PGN putting out this issue from New Haven, where he will be
   participating in the National Conference on Computing and Values this week,
   having expected to be involved in a lively discussion with Richard who might
   have opposed my position on why security (at least for integrity and
   availability purposes if not for confidentiality) remains necessary even in
   an open world... But I am really sorry to see FSF getting cracked. PGN]

------------------------------

Date: Thu, 8 Aug 1991 20:56:02 EDT
From: Marc Rotenberg
Subject: Lotus Marketplace Epilogue

Lotus Marketplace Epilogue

CPSR Endorses Equifax Privacy Decision

August 8, 1991

WASHINGTON, DC -- Computer Professionals for Social Responsibility (CPSR)
announced today that it supported a decision by Equifax to discontinue the sale
of direct marketing lists derived from consumer credit files.
CPSR Washington Office Director Marc Rotenberg said, "Equifax did the right
thing. Personal financial information should not be fair game for direct
marketers."

The national membership organization of computer professionals had earlier led
a successful campaign to stop the release of "Lotus Marketplace," a series of
computer diskettes containing detailed information on 120 million consumers.
Name and address information in Marketplace was taken directly from credit
files.

CPSR has recommended that businesses follow the "Code of Fair Information
Practices," which requires that organizations obtain explicit permission before
using personal information for secondary purposes, such as direct marketing.

Evan Hendricks, chairman of the United States Privacy Council, said that "This
is another victory for the privacy movement in the United States. Equifax
continues moving in a positive direction. We will follow this closely to see
that their actions match their words. Meanwhile, the focus shifts to TRW and
Trans Union who continue to sell mailing lists derived from credit report
data."

Marc Rotenberg said that while CPSR was pleased with the recent Equifax
decision, there were many other issues that consumers should watch on the
credit privacy front, including the indiscriminate use of the Social Security
Number, the practice of "pre-screening" credit applicants, and the continued
sale of credit information by other credit reporting agencies.

Marc Rotenberg, CPSR Washington Office, 202/544-9240
rotenberg@washofc.cpsr.org

------------------------------

Date: Fri, 26 Jul 91 10:50:58 PDT
From: Andrew Goldberg
Subject: Computer frustration

[Via Les Earnest]

From the NY Times

The annual Spring Comdex computer show in Atlanta earlier this month meant a
booming business for the Bulletstop, an indoor firing range in suburban
Marietta where customers can rent firearms and bullets to shoot anything they
please, as long as it is already dead and fits through the doors.
The Bulletstop gave Comdex visitors a chance to vent their frustrations by
venting PC's, printers, hard disks, monitors and manuals with lead.

Paul LaVista, the owner, said about 10 groups of high-tech types came in during
the Comdex show. "I'm not a computer whiz, but one group brought in what looked
like a hard disk and blasted it," he said. "Another bunch brought in some kind
of technical manual. The thing was enormous, about 2,000 pages. They rented
three machine guns -- an Uzi, an M3 grease gun and a Thompson -- and when they
were done it looked like confetti."

"It must have been quite a show," LaVista said of Comdex. "Doctors and computer
types usually have a lot of pent-up anxiety, but these folks were dragging when
they came in. When they left they were really up. The range looked like a
computer service center after a tornado."

LaVista said PC's were popular targets year-round. "People are frustrated with
them," he said. A year ago seven or eight men carried in a giant old
Hewlett-Packard printer. "I ran an extension cord to it, and just as it started
to whirr and spit out paper, they blasted it," he said.

------------------------------

Date: Fri, 2 Aug 91 21:04:04 PDT
From: Jeff Makey
Subject: Yet another threat to telephone privacy

I recently saw an advertisement for a device that lets you plug your telephone
into any power outlet in your house, with the claimed benefit that you can use
existing wiring rather than spend money wiring every room in your house for
phone service. Intercom systems that use this principle have been around for
years, with the less-than-obvious risk that a neighbor who is connected to the
same power transformer can plug in a similar device in their own home and
listen to your conversations. Extended to your telephone, such a neighbor can
not only listen to your phone calls (apparently without violating any laws),
but can now even make phone calls on your line (surely illegal, regardless of
how it is accomplished).
The risks are comparable to those of cordless phones, only skewed a bit.
Understandably, the advertisement made no mention of these risks.

:: Jeff Makey
makey@VisiCom.COM

------------------------------

Date: Fri, 2 Aug 91 14:58:02 -0600
From: rgt@beta.lanl.gov (Richard Thomsen)
Subject: "Enemy of the State" -- Story on risk to privacy

There is a lovely story in the August 1991 issue of _Analog Science Fiction
Science Fact_ by Jack C. Haldeman II called "Enemy of the State" that shows the
risks to privacy. It is a series of messages to a consumer. It starts out with
a message from FOOD-NET, telling him about starting smoking again and his pets
(according to their records). Then comes a message from his service station,
saying his car needs a tune-up and new tires (according to their records).
Likewise, he gets messages from NED-CHECK, his dentist, the pet store, etc.

Then he gets a message from the sheriff's office, saying that they would like
to discuss some things. For example, he gets his mail at a P.O. box, has an
unlisted number, and an answering machine. They say "It is well known that
individuals with such equipment are almost always concealing information,
especially those with unlisted numbers." They mention deposits to his checking
account, by amount and a cash transaction. They mention he is a "substance
abuser (beer, nicotine, and caffeine)", the magazines he subscribes to, etc.,
and also say that "You exhibit wanton disregard for public safety by operating
your motor vehicle without the proper maintenance any good citizen would
perform as a matter of course."

All in all, an interesting story and quite appropriate to some of the
discussions.
Richard Thomsen
rgt@lanl.gov

------------------------------

Date: Tue, 6 Aug 91 20:32:26 PDT
From: Sean Eric Fagan
Subject: Firefighters won't give first aid to AIDS patients

Arvada, Colo: Volunteer firefighters in this Denver suburb no longer will
respond to first-aid calls involving people known to have AIDS or other
infectious diseases, city officials said.

[Yes, there is a risk here... read on -- sef]

The fire department's computer system has been programmed to flash a warning to
dispatchers if an assistance call comes from someone known to have an
infectious disease such as acquired immune deficiency syndrome, said an Arvada
official who spoke on condition of anonymity.

[end of excerpt]

Got a grudge against someone? Well, here's a way to cause them lots of
problems! (*extreme* sarcasm there)

Sean Eric Fagan
sef@kithrup.COM

------------------------------

Date: Mon, 12 Aug 91 15:18:53 BST
From: Martyn Thomas
Subject: Lifestyle discrimination

According to a BBC news programme, there is a growing incidence of
discrimination in US employment on the basis of employees' private lives.
Examples were given of someone dismissed for smoking cigarettes at home
(detected by urine test), someone refused employment for living with someone to
whom they were not married, someone refused employment for a dangerous hobby
(hang-gliding), someone sacked for being overweight.

If this is a real threat, it provides a compelling reason to shop only with
cash, to stay off lifestyle marketing databases. Even a magazine subscription
could cost you your job! Point-of-sale terminals could monitor how much alcohol
you buy, and how often; how many cigarettes, pregnancy-test kits, junk food ...

Paranoia, anyone?

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel: +44-225-444700. Email: mct@praxis.co.uk

------------------------------

End of RISKS-FORUM Digest 12.12
************************