Subject: RISKS DIGEST 12.23
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 3 September 1991  Volume 12 : Issue 23

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Herb Caen on Computerized Radar (via Mike Seibel, Brad Templeton, Allan Meers)
  "Miser held in record Social Security fraud" (Barry Jaspan)
  Re: "Thieves Hit Social Security Numbers" (Lars-Henrik Eriksson)
  Computer Abuse Amendments Act of 1991 (Thomas Zmudzinski)
  Re: A Danger ... with Intelligent Terminals (Paul Stachour)
  Complain to Journalists (John E. Mollwitz)
  The RISKS of Superiority (Arthur Clarke [!] via Ellen Spertus)
  NASA severs connection on electronic mail linkup (wrapup by Joe Abernathy)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j,
type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET
RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits). Vol i summaries in j=00;
"dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is
essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may
differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 2 Sep 91 09:05:43 PDT
From: Allan.Meers@ebay.sun.com (Allan Meers - Sun Education/Professional Services)
Subject: Herb Caen on Computerized Radar

From Herb Caen's column in the San Francisco Chronicle, via Mike Seibel and
Brad Templeton:

A motorist was unknowingly caught in an automated speed trap that measured his
speed using radar and photographed his car. He later received in the mail a
ticket for $40, and a photo of his car. Instead of payment, he sent the police
department a photograph of $40. Several days later, he received a letter from
the police department that contained another picture -- of handcuffs.

------------------------------

Date: Sun, 1 Sep 91 14:28:27 -0400
From: "Barry Jaspan"
Subject: "Miser held in record Social Security fraud" -- UPI, 31 Aug 91

(Extracted from the article in clari.news.law.crime from the ClariNet news
service. I've left out a great deal of non-RISKS-related information.)

Robert L. Chesney is facing trial in the biggest individual Social Security
fraud case in U.S. history. He is accused of receiving retirement and
disability checks under at least 29 names. Federal agents found 15 boxes and
three steamer trunks full of birth certificates, bank statements, Social
Security cards and over 200 CA DMV id cards, each with Chesney's picture and a
different name.

The final paragraph in the article:

   Chesney allegedly gleaned biographical data about public personalities
   from the library. Pretending to be those people, Chesney would write to
   their home counties, give their birth dates and other information and ask
   for copies of their birth certificates. He then took the documents to the
   DMV and obtained the ID cards with which he applied for the Social
   Security benefits.

Barry Jaspan, bjaspan@mit.edu

------------------------------

Date: Mon, 2 Sep 91 10:36:08 +0200
From: Lars-Henrik Eriksson
Subject: Re: "Thieves Hit Social Security Numbers" (RISKS-12.20)

One thing that strikes me as strange is when I compare this with the situation
in Sweden. We have had "civic registration numbers" since 1947. These numbers
are unique identification of every resident in Sweden. Children are assigned
their numbers shortly after birth and immigrants as they are given a residence
permit.

These numbers are public information and their use permeates the entire
society. Even to become a member of a soccer club, you often have to provide
your id number. Often a membership number or customer number is simply
identical to your id number. While there is a growing resistance to the use of
these numbers, they are still such an accepted part of society that they are
often requested even when there is no real need for them.

Now the events described in the article, where people are stealing SSN's and
using them to get credit etc, virtually never happen in Sweden. This is even
more strange as the Swedish id numbers are public information. Of course it
*does* happen, but it is not seen as an important risk. The important risk is
considered to be the possibility of easily compiling lots of information about
a single individual. (There is legislation specifically directed against
this.)

I wonder what difference between the Swedish and U.S. societies can account
for this.

Lars-Henrik Eriksson, Swedish Institute of Computer Science, Box 1263,
S-164 28, KISTA, SWEDEN  +46 8 752 15 09

------------------------------

Date: 2 Sep 91 14:42:00 EST
From: "zmudzinski, thomas"
Subject: Computer Abuse Amendments Act of 1991

[xpost risks, security, virus-l]

D E F E N S E   I N F O R M A T I O N   S Y S T E M S   A G E N C Y

Zmurgy's First Law of Evolving Systems Dynamics -- "Once you open a can of
worms, the only way to recan them is to place them in an even larger can."
Zmurgy's Second Law [etc.] -- "Tarantulas are even worse!"

-- The following is presented as tarantula bait --

Tom Zmudzinski   ZmudzinskiT @ IMO-UVAX.DCA.MIL
Defense Information Systems Agency   (703) 285-5459
[We used to be DCA, but DoD decided to make us a four letter word.]

1991 S. 1322

SYNOPSIS: A BILL To amend title 18 of the United States Code to clarify and
expand legal prohibitions against computer abuse.

DATE OF INTRODUCTION: JUNE 18, 1991
DATE OF VERSION: JUNE 20, 1991 -- VERSION: 1

SPONSOR(S): Mr. LEAHY (for himself, Mr. BROWN, and Mr. KOHL) introduced the
following bill; which was read twice and referred to the Committee on the
Judiciary

TEXT:

A BILL To amend title 18 of the United States Code to clarify and expand
legal prohibitions against computer abuse

*Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,*

SECTION 1. SHORT TITLE

This Act may be cited as the "Computer Abuse Amendments Act of 1991".

SEC. 2. AMENDMENTS TO THE COMPUTER FRAUD AND ABUSE ACT.

(a) PROHIBITION.-Section 1030(a)(5) of title 18, United States Code is
amended to read as follows:

  "(5)(A) through means of or in a manner affecting a computer used in
  interstate commerce or communications, knowingly causes the transmission
  of a program, information, code, or command to a computer or computer
  system if-

    "(i) the person causing the transmission intends that such transmission
    will-

      "(I) damage, or cause damage to, a computer, computer system, network,
      information, data, or program; or

      "(II) withhold or deny, or cause the withholding or denial, of the use
      of a computer, computer services, system or network, information,
      data, or program; and

    "(ii) the transmission of the harmful component of the program,
    information, code, or command-

      "(I) occurred without the knowledge and authorization of the persons
      or entities who own or are responsible for the computer system
      receiving the program, information, code, or command; and

      "(II)(aa) causes loss or damage to one or more other persons of value
      aggregating $1,000 or more during any 1-year period; or

      "(bb) modifies or impairs, or potentially modifies or impairs, the
      medical examination, medical diagnosis, medical treatment, or medical
      care of one or more individuals; or

  "(B) through means of or in a manner affecting a computer used in
  interstate commerce or communication, knowingly causes the transmission of
  a program, information, code, or command to a computer or computer system-

    "(i) with reckless disregard of a substantial and unjustifiable risk
    that the transmission will-

      "(I) damage, or cause damage to, a computer, computer system, network,
      information, data, or program; or

      "(II) withhold or deny, or cause the withholding or denial, of the use
      of a computer, computer services, system or network, information,
      data, or program; and

    "(ii) the transmission of the harmful component of the program,
    information, code, or command-

      "(I) occurred without the knowledge and authorization of the persons or
      entities who own or are responsible for the computer system receiving
      the program, information, code, or command; and

      "(II)(aa) causes loss or damage to one or more other persons of value
      aggregating $1,000 or more during any 1-year period; or

      "(bb) modifies or impairs, or potentially modifies or impairs, the
      medical examination, medical diagnosis, medical treatment, or medical
      care of one or more individuals; or

(b) PENALTY.-Section 1030(c) of title 18, United States Code is amended-

  (1) in paragraph (2)(B) by striking "and" after the semicolon;

  (2) in paragraph (3)(B) by inserting "(A)" after "(a)(5)"; and

  (3) in paragraph (3)(B) by striking the period at the end thereof and
  inserting ", and"; and

  (4) by adding at the end thereof the following:

    "(4) a fine under this title or imprisonment for not more than 1 year,
    or both, in the case of an offense under subsection (a)(5)(B).".

(c) CIVIL ACTION.-Section 1030 of title 18, United States Code is amended by
adding at the end thereof the following new subsection:

  "(g) Any person who suffers damage or loss by reason of a violation of the
  section, other than a violation of subsection (a)(5)(B), may maintain a
  civil action against the violator to obtain compensatory damages and
  injunctive relief or other equitable relief. Damages for violations of any
  subsection other than subsection (a)(5)(A)(ii)(II)(bb) or
  (a)(5)(B)(ii)(II)(bb) are limited to economic damages. No action may be
  brought under this subsection unless such action is begun within 2 years
  of the date of the act complained of or the date of the discovery of the
  damage.".

(d) REPORTING REQUIREMENTS.-Section 1030 of title 18 United States Code, is
amended by adding at the end thereof the following new subsection:

  "(h) The Attorney General shall report to the Congress annually, during
  the first 3 years following the date of the enactment of this subsection,
  concerning prosecutions under section 1030(a)(5) of title 18, United
  States Code.".

(e) DEFINITION.-Section 1030(e)(1) of title 18 United States Code, is amended
by striking ", but such term does not include an automated typewriter or
typesetter, a portable hand held calculator, or other similar device".

(f) PROHIBITION.-Section 1030(a)(3) of title 18 United States Code, is
amended by inserting "adversely" before "affects the use of the Government's
operation of such computer".

------------------------------

Date: Tue, 3 Sep 91 08:41:49 CDT
From: stachour@SCTC.COM (Paul Stachour)
Subject: Re: A Danger ... with Intelligent Terminals (Thomson, RISKS-12.21)

In original Multics (Unix is supposedly an "improved" derivative of Multics),
in the module which has the responsibility for writing messages to the user's
terminal (messages which were sent by the Multics-similar function to "write"),
there is a comment dated 1974 (I enter from memory, the phrasing may not be
exact):

   This module censors control and escape sequences to prevent users from
   sending messages that masquerade as coming from the Multics System
   Operator and other potentially dire consequences.

Notice that:

#1: The date of this message, showing that the problem was understood even
    back in 1974.

#2: The wording of the warning, which gives meaning to the understanding, and
    not too many hints to the unknowledgeable (Multics source has always, to
    my knowledge, been publicly available).

#3: As so often is true, the "new improved version" is poorer than the
    original version.

The mechanism by which Multics sends its mail and messages (which I will not
describe here for lack of my time and space, but is quite clearly documented
in the Multics manuals) was well-designed to avoid:

  1) Forgery
  2) Spoofing
  3) Default system style doing bad-things

and designed to allow:

  1) Good access control over mailboxes
  2) Ability to retract send-but-not-yet-read-messages
  3) You to give someone power to send-in-your-name, but with clear
     indications it was not your userid.

The question (on risks) is: Why do we (as consumers) continue to buy cut-down
products containing significantly less functionality and much higher risks
when good products are available? My opinion is that there is inherent
difficulty for most of us to evaluate the risks inside of products, and we
just take what appears to us to be the path of least resistance.

Paul Stachour, SCTC, 1210 W. County Rd E, Suite 100, Arden Hills, MN 55112-3739
stachour@sctc.com  [1]-(612) 482-7467

------------------------------

Date: Sun, 1 Sep 91 16:48:00 CDT
From: "John E. Mollwitz"
Subject: Complain to Journalists

The national convention of The Society of Professional Journalists, an
organization of roughly 18,000 members in the United States, Canada and Japan,
is meeting Oct. 17-19 in Cleveland. As part of that convention, a seminar will
be conducted on writing about computers and computer networks. Since over the
years, cyberspace travelers have bemoaned the accuracy of articles relating to
computers, computer networks and even telephones, we ask that you email or
snail mail examples of articles that you have found solid and others that you
have found less so. Please include a note of explanation.

The panel then will try to compile the examples, and the comments and produce
a handout for discussion. Sometime in the week after the convention, we will
post the results of the session. The names of the panelists will be disclosed
at that time since it is possible that some of the articles that may be
submitted may have been written by a panelist.

Mail paper examples to me at the address below. Where possible, the examples
should include a copy of the article, the name of the publication and
_specific_ comments. If the article is dismissed simply as "nonsense," state
that it is because paragraph 5 has failed to adequately explain a concept, and
that it would have been better to have said it this way or that.

So, if you go into fits when you see the word "hacker" in print, please mail
by Sept. 30. Thank you for your cooperation.

John E. Mollwitz, Chair, Committee on New Information Technologies
The Society of Professional Journalists, c/o The Milwaukee Journal
P.O. Box 661, Milwaukee, WI 53201-0661
Usenet: moll@mixcom.com  CompuServe: 72240,131  GEnie: J.Mollwitz
Prodigy: CKFB43A

   [OK, folks, take him seriously. Here's your chance to have an effect on
   the SPJ similar to what the net did for Lotus Marketplace? PGN]

------------------------------

Date: Sun, 1 Sep 91 14:18:45 -0400
From: erspert@ATHENA.MIT.EDU
Subject: The RISKS of Superiority

I recently rediscovered a science fiction short story, "Superiority" (1951),
by Arthur C. Clarke, that would be of interest to RISKS readers. Here are
excerpts from the story, which is written in the form of a report by a former
military leader:

The ultimate cause of our failure was a simple one: despite all statements to
the contrary, it was not due to lack of bravery on the part of our men, or to
any fault of the fleet's. We were defeated by one thing only --- by the
inferior science of our enemies. I repeat --- by the *inferior* science of
our enemies.

When the war opened we had no doubt of our ultimate victory. The combined
fleets of our allies greatly exceeded in number and armament those which the
enemy could muster against us, and in almost all branches of military science
we were their superiors. We were sure that we could maintain this
superiority. Our belief proved, alas, to be only too well founded....

[After an expensive battle victory, the new Chief of the Research Staff,
Norden, said:]

``Our existing weapons have practically reached finality. I don't wish to
criticize my predecessor, or the excellent work done by the Research Staff in
the last few generations, but do you realize that there has been no basic
change in armaments for over a century? It is, I am afraid, the result of a
tradition that has become conservative.
For too long, the Research Staff has devoted itself to perfecting old weapons
instead of developing new ones. It is fortunate for us that our opponents have
been no wiser: we cannot assume that this will always be so....

``What we want are *new* weapons --- weapons totally different from any that
have been employed before. Such weapons can be made: it will take time, of
course, but since assuming charge I have replaced some of the older scientists
by young men and have directed research into several unexplored fields which
show great promise. I believe, in fact, that a revolution in warfare may soon
be upon us.''

We were skeptical. There was a bombastic tone in Norden's voice that made us
suspicious of his claims. We did not know, then, that he never promised
anything that he had not already almost perfected in the laboratory. *In the
laboratory* --- that was the operative phrase.

Norden proved his case less than a month later, when he demonstrated the
Sphere of Annihilation, which produced complete disintegration of matter over
a radius of several hundred meters. We were intoxicated by the power of the
new weapon, and were quite prepared to overlook one fundamental defect --- the
fact that it *was* a sphere and hence destroyed its rather complicated
generating equipment at the instant of formation. This meant, of course, that
it could not be used on warships but only on guided missiles, and a great
program was started to convert all homing torpedoes to carry the new weapon.
For the time being all further offensives were suspended.

We realize now that this was our first mistake. I still think that it was a
natural one, for it seemed to us then that all our existing weapons had become
obsolete overnight, and we already regarded them as almost primitive
survivals. What we did not appreciate was the magnitude of the task we were
attempting, and the length of time it would take to get the revolutionary
super-weapon into battle.
Nothing like this had happened for a hundred years and we had no previous
experience to guide us.

The conversion problem proved far more difficult than anticipated.
[Description of problems omitted.]

Then two things happened. One of our battleships disappeared completely on a
training flight, and an investigation showed that under certain conditions the
ship's long-range radar could trigger the Sphere immediately [after] it had
been launched. The modification needed to overcome this defect was trivial,
but it caused a delay of another month and was the source of much bad feeling
between the naval staff and the scientists. We were ready for action again ---
when Norden announced that the radius of effectiveness of the Sphere had now
been increased by ten, thus multiplying by a thousand the chances of
destroying an enemy ship.

So the modifications started all over again, but everyone agreed that the
delay would be worth it. Meanwhile, however, the enemy had been emboldened by
the absence of further attacks and had made an unexpected onslaught...

And so forth. What are the lessons for RISKS readers?

1. A technological advance doesn't make your equipment obsolete if it still
does what you need. For example, if the x86 on your desk meets your needs, you
don't need to get rid of it and buy a (x+1)86. I know somebody who is still
happily using his TI 99/4 even though any number of people would tell him it's
obsolete.

2. I'm sure that all RISKS readers can think of a computer project, either
software or hardware, that looked dazzling on paper, far more ambitious and
computer scientific than competing projects, that became a disaster. It
slipped years because of problems due to its complexity, perhaps never
reaching market, while competitors produced products much quicker and met the
customers' needs.

3. One shouldn't replace existing tools before learning how to use them.
For example, if a novice spent a month studying Pascal, then switched to C++
when somebody said it was better, then switched to Lisp, etc., they would
never get any useful work done.

Of course, there are risks in carrying any of these lessons too far (such as
carrying the x86 into the next millennium).

I am told, at one time, this story was "required reading" at MIT. I never
came across it as a student at MIT, which is a shame, because it contains such
valuable lessons. I urge engineering/CS professors to consider putting it into
a systems-building course. The full story can be found in _Expedition to
Earth_, by Arthur C. Clarke (New York: Ballantine Books).

Ellen Spertus

------------------------------

Date: Tue, 3 Sep 91 17:05:01 CDT
From: edtjda@magic322.chron.com (Joe Abernathy)
Subject: NASA severs connection on electronic mail linkup (Houston Chronicle)

{ This story appeared on Page 1A of the Houston Chronicle on Monday, Sept. 2,
1991. Permission is granted for redistribution in the ACM Risks Digest,
Patrick Townson's Telecom Digest, the newsgroup sci.space.shuttle, Computer
Underground Digest, and the interesting_people mailing list. Our thanks to
these groups for their ongoing contributions to the online community and our
coverage of it. Please send comments and suggestions to edtjda@chron.com. }

NASA severs connection on electronic mail linkup.
By Joe Abernathy, Copyright 1991, Houston Chronicle

Although declaring the experiment a success, NASA has called a halt to a
project by which space shuttle astronauts briefly were linked with the
nation's computer networks through electronic mail.

The e-mail experiment, conducted during the recent flight of Atlantis, was
part of a larger effort to develop computer and communications systems for the
space station Freedom, which is to be assembled during the late 1990s.

The National Aeronautics and Space Administration cited unauthorized access as
the reason for severing the network connection, but NASA officials did not
provide details.

The space agency initially attempted to carry out the project in secrecy, but
word leaked out on the nation's computer networks. Details were closely
guarded because of concerns over malicious computer hacking and astronauts'
privacy.

"Hello, Earth! Greetings from the STS-43 Crew! This is the first Applelink
from space. Having a GREAT time, wish you were here!" read the first message
home. It went from Atlantis astronauts Shannon Lucid and James Adamson to
Marcia Ivins, a shuttle communicator at Johnson Space Center.

It was the use of AppleLink -- a commercial electronic mail network connected
to the global computer matrix -- that apparently contained the seeds of
trouble.

When an AppleLink electronic mail address for the shuttle was distributed
online and then published in the Houston Chronicle, it generated about 80
responses from well-wishers.

Although the address was created just for this purpose, the flight director
nearly pulled the plug on the project, according to Debra Muratore, the NASA
experiment manager.

The project was concluded as scheduled and declared a success. But ultimately,
it was decided, at least for now, to cease all interaction with public
computer networks. The decision eventually could mean that NASA's premier
research facility, the space station, may not have access to its premier
research communications tool, the NASA Science Internet -- the space agency's
portion of the vast Internet global computer network.

Electronic mail, which is becoming commonplace in offices, is simply the
transmission of messages via computers to one or more people, using electronic
addresses. Users linked to the right networks can send electronic messages or
other data to specific recipients nearly anywhere in the world -- and for a
short time, could send them to space.

"The problem was that the information had gotten leaked prematurely. There was
no problem with security," Muratore said.

Even previous to the leak of the address, however, the experiment was
structured in such a way that it was vulnerable to hackers, she acknowledged.

"As a result of this whole experience, at least my project plans never to use
a public (electronic) mail system again," she said.

Muratore indicated that the space agency may explore other ways of providing
"connectivity" -- communication between orbiting astronauts and NASA's broader
collection of computerized resources -- which will become increasingly
important as the use of computerized information grows.

The decision to sever the short-lived e-mail connection has drawn strong
criticism among computer security experts and other scientists, who charge
that NASA was attempting to design "security through obscurity."

"This is another example of an ostrich-oriented protection policy -- stick
your head in the sand and pretend no one will find out what you know," wrote
Peter G. Neumann, moderator of the Association for Computing Machinery's RISKS
Digest, a respected online publication that assesses the risks posed by
technology. "Things like that don't stay 'secret' for very long."

NASA told Newsday, but would not confirm for the Chronicle, that more than 80
"unauthorized" messages from around the world were sent to the Atlantis
address -- which a source told the Chronicle was set up explicitly to handle
public requests for a shuttle e-mail address. Private addresses were used for
the actual experiments.

"The old 'authorization' paradox has reared its ugly head again," wrote
Neumann, who prepared a study for NASA on the security requirements of the
space station. "'Threatened by unauthorized e-mail,' eh? Sending e-mail to
someone REQUIRES NO AUTHORIZATION."

Muratore defended the use of secrecy as a security tool.

"I feel that that was a viable option," she said.
She said operators of AppleLink told NASA that it was impossible to keep
public e-mail from being sent to the on-orbit address, so the only option was
to try to keep it secret.

But network users questioned this viewpoint.

"Why is an e-mail system 'in jeopardy' when it receives 80 messages? And what
is an 'unauthorized user?'" asked Daniel Fischer of the Max-Planck-Institut
für Radioastronomie, in Bonn, Germany. "Once the system is linked up to the
real world, it should expect to receive real mail from everyone.

"If NASA can't handle that, it really shouldn't get into e-mail at all," added
Fischer, writing in an online discussion group composed of scientists involved
with the space program. "Consider that (heavy response) a success, NASA!"

The disposition of the electronic mail sent to Atlantis is still up in the
air. A Chronicle message was not acknowledged, and no one has reported
receiving a response.

[Chronicle reporter Mark Carreau contributed to this report.]

------------------------------

End of RISKS-FORUM Digest 12.23
************************