Subject: RISKS DIGEST 13.16
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 24 February 1992  Volume 13 : Issue 16

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Computer causes Olympics scoring error (David Shepherd)
Strasbourg Airbus crash report leaked (James Paul)
More on Privacy in Australia (Bruce Howarth)
Italian crooks let others pay phone bill (Debora Weber-Wulff)
Risk of Voice Mail Command Choices (Randall C Gellens)
RISCs of AP news reports (John Sullivan)
Proposal for policy on calculator use during exams (Todd M. Bezenek)
The Worth of Computing (Tony Buckland)
Computer Hackers Get Into Credit Records (Joe Brownlee)
VT Caller ID Decision (Marc Rotenberg)
Carpal Syndrome reports rise sharply (Brinton Cooper)
Re: System certification again (Dave Parnas)
MBDF Macintosh virus (Tom Young)
FBI Eavesdropping Challenged

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
 CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.  Others may be ignored!  Contributions will not be ACKed.  The load is too great.
 **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP domain folks.  REQUESTS please to RISKS-Request@CSL.SRI.COM.
 Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits).  Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.  The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".  <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Fri, 21 Feb 92 16:52:27 GMT
From: David Shepherd
Subject: Computer causes Olympics scoring error

During the first session of the women's ice skating competition, the UK's number 1 skater, Joanne Conway, complained of biased scoring after the Canadian judge gave her only 4.2 marks while all the other judges gave around 5.0 to 5.5.  Subsequently the Canadian judge has revealed that she intended to give 5.2 marks.  Each possible score has a separate button to press to signal the score to the computerized scoring system.  By mistake the judge pressed 4.2 instead of 5.2 and, even though she realized her mistake, there was no provision to correct the mark.  The only way of correcting it would have been for the UK team to lodge an official appeal - which wasn't considered worthwhile as it was only the difference between 17th and 15th place.

In another incident the UK 2-man bob team, in the lead at that stage, went out of contention after being kept at the start for 7 minutes while one of the intermediate timing controls was fixed - note that this timer was not needed for the actual result, just to give an intermediate split time.  Perhaps another indication of where technology becomes the master rather than the servant of sport.  (Some people have tried to read a more sinister implication into a Swiss engineer holding the leading team up for 7 minutes, which helped the Swiss No 1 bob go into the lead!)

david shepherd: des@inmos.co.uk or des@inmos.com    tel: 0454-616616 x 625
inmos ltd, 1000 aztec west, almondsbury, bristol, bs12 4sq

   [The old Swisseroo?  Bobbing for Apples (if they were using a Mac)?  The "Unified" team now has to settle for good marks and Lennon music.  Next time someone will figure out how to hack into the scoring computers.  I wondered on several very obviously partisan judges' scorings, with outrageous (+/- outlier/outliar) scores, whether the judge was overtly trying to cheat ...  I thought they used to discount the highest and the lowest scores on judged events, but apparently not.  PGN]

------------------------------

Date: Fri, 21 Feb 1992 10:46:30 -0500 (EST)
From: "NOVA::PAUL"@yttrium.house.gov (James Paul, U.S. House Science Committee)
Subject: Strasbourg Airbus crash report leaked

AIRBUS CRASH PROBE CITES HUMAN, TECHNICAL ERROR

PARIS, Feb 20, Reuters - French television said on Thursday a preliminary report to be published next week on the causes of last month's Airbus A320 crash which killed 87 people did not blame the disaster on any single factor or person.

The TF-1 channel said the independent commission's report concluded that a mixture of human and technical error had caused the Air Inter flight from Strasbourg to Lyon to plough into a snow-covered mountainside on January 20, just five minutes before it was scheduled to land.  Nine people survived.

TF-1 said the commission's findings showed the Strasbourg airport was not equipped with landing approach systems matched to the sophistication of the Airbus, and that there were serious failings in the crash plane's altimeter system.

The commission concluded the pilot either did not know how or was unable to stop the plane's abnormally rapid descent, according to TF-1.  The station did not reveal how it gained access to the report.

Publication of the report was delayed because Transport Minister Paul Quiles is visiting Portugal on Friday and wants to study the findings before commenting.

The French civil aviation authority has already taken some preliminary measures, urging all airlines flying the A320 to review their procedures for using the VOR-DME beacon system for landing.  But the authorities decided against grounding the planes, saying there was no initial evidence that mechanical problems caused the disaster.

National carriers Air France and Air Inter earlier this month banned their pilots from using the automatic landing procedure until further notice.

A spokeswoman for Toulouse-based Airbus Industrie said earlier the aircraft maker did not yet have a copy of the report and would have no comment until it did.

Meanwhile a judge investigating legal responsibility for the crash staged a reconstruction flight on Thursday, circling the accident site three times.

------------------------------

Date: Wed, 19 Feb 92 08:55:55 EST
From: bruce@socs.uts.edu.au
Subject: More on Privacy in Australia

   [RISKS-13.14 included "Australian Government Bungles Private Data".  Bruce submitted the article "DSS blames printer restart for bungle", by John Hilvert, in Computerworld Australia, 14 Feb 1992, omitted here.  That article supports the printer-restart synchronization glitch theory.  PGN]

By one of *those* coincidences, it was reported on TV the same week that a branch of the Australian Taxation Office (ATO) sent similarly misprinted forms to some (as I recall, 80) taxpayers.  Two of the taxpayers had contacted each other, then presumably the media, to share their disgust at the release of income and savings data.  An ATO employee on the TV claimed that the misprints had been caused by a folded page in a box of paper.

Bruce Howarth, Uni of Technology Sydney

------------------------------

Date: Sat, 22 Feb 1992 12:54:43 GMT
From: weberwu@inf.fu-berlin.de (Debora Weber-Wulff)
Subject: Italian crooks let others pay phone bill

[Translated by DWW from the Berlin daily newspaper "Tagespiegel", 22 Feb 1992]

lui, Rome, 21. February 1992.  [...] Half a million Italians are the proud owners of portable telephones.  The cordless appliance has become the favorite toy of the Southerners, but the game may soon be over: the "telefonini" are not protected.  Under the motto "Buy one, pay for two", crooks sell manipulated phones that are used so that the buyer has to pay for the toll calls of the seller.

The trick works like this: the crooks take a computer with a computing program [whatever that is ;-) dww] like the ones used to crack automatic teller machines, and fuss with it until they find the secret code for the telephone.  The code is a combination of the telephone number and the serial number that is supposed to only be available to the telephone company SIP.  When the code has been cracked, it is no problem to transfer it to a second telephone, so that both telephones have the same license number.  One phone is sold "under the hand" by the crooks.  As an added deal, the buyer not only gets to pay his own phone bill, but the fees run up on the second phone as well.

The Italian underworld is especially keen on using this method. [...] The mafia uses the "portabili" for conducting their unclean business.  [... The police] have not been able to find the instigators, but they suspect that employees of the telephone manufacturing company are involved, as they have the knowledge of how the phones are constructed. [...]

The portable telephone is well-known for the ease of tapping the telephone conversations [which cannot, however, be traced to the place of origin.  A book called "Italy, I hear you calling" with some of the more interesting tapped conversations has just been published.]

[Why is such a telephone easy to crack and easy to reprogram?  dww]

Debora Weber-Wulff, Institut fuer Informatik, Nestorstr. 8-9, D-W-1000 Berlin 31  +49 30 89691 124  dww@inf.fu-berlin.de

------------------------------

Date: Wed, 19 Feb 92 09:15 GMT
From: Randall C Gellens <0005000102@mcimail.com>
Subject: Risk of Voice Mail Command Choices

[I sent this as a reply to Telecom.  It's probably not a serious enough risk to go into Risks, but I thought I'd let you decide.  --Randy]

In TELECOM Digest Volume 12 : Issue 108, the moderator (Patrick A. Townson) discusses Ameritech Voice Mail Commands and Security Flaws:

> After the message has played out, 5 to delete it; 7 to save it.

Considering that the Aspen voice mail product (from Octel, I think) uses 7 to delete a message, and that Aspen is widely used by businesses, this seems an unfortunate choice, as people with Aspen at work and IBT RVMS at home will be likely to confuse 7 and end up deleting messages by accident.

Of course, this is not as serious a risk of nonstandardization as airline flight controls which differ from model to model :-).

--Randy

------------------------------

Date: Mon, 24 Feb 1992 10:55:18 -0600
From: sullivan@geom.umn.edu
Subject: RISCs of AP news reports

An Associated Press article on new processor chips announced at the International Solid State Circuits Conference appeared in the (Minneapolis) Star Tribune last Thursday.  It says, in the middle:

   Most of the chips use a technology called reduced instruction set computing (RISC), which speeds the processing of data by limiting the number of instructions the processor must execute.  The microprocessors that power personal computers, by contrast, use a different technology.

Of course, limiting the number of instructions a processor knows how to execute typically increases the number of instructions it must execute.

The Op-Ed page of The New York Times yesterday (Feb 23) has an essay by David Gelernter from Yale's CS dept complaining that when newspapers (even The Times) use the term "operating system", they feel obliged to define it.  But someone who doesn't know what one is is "not going to learn on the basis of a single phrase, no matter how artfully crafted".  He doesn't mention how misleading a single phrase can be, if crafted by a reporter who doesn't know technology.

-John Sullivan, Sullivan@Geom.UMN.Edu

------------------------------

Date: 21 Feb 92 07:01:23 GMT
From: plains!bezenek@uunet.uu.net (Todd M. Bezenek KO0N)
Subject: proposal for policy on calculator use during exams

[This is an article which I recently posted to comp.sys.handhelds and comp.sys.hp48.  It is in response to a discussion regarding the use of calculators on university exams.  I am posting it to comp.risks because it demonstrates the risk of introducing computing power into the classroom where it may be misused.  TMB]

I have reviewed the responses concerning calculator policies at universities from all over the world.  Thank you to everyone for sending them.

The following is my proposed policy.  This policy is intended to eliminate problems associated with using note-style information, without eliminating the use of the calculating power of these devices.  If you have any comments, please post them after thinking them through fully.

Proposed Policy Regarding the Use of Portable Calculating Devices during Closed-Note Examinations

If a student uses a portable calculating device during a closed-note examination for the purpose of storing notes, that student shall be considered guilty of an infraction equivalent to using said notes as they would appear on paper.

In the case that a proctor believes beyond a reasonable doubt that a student is violating the above policy, that proctor shall immediately remove the calculating device from the student's possession.  The proctor may then choose whether or not the student should be allowed to complete the examination.  The calculating device shall remain in the possession of the proctor until the contents of its memory--both vendor supplied and user programmed--can be examined.

The decision of whether or not the above policy has been violated should be based upon the judgement of a faculty member who shall examine the memory of the calculating device before it is returned to the student.  In the case that the memory is found to contain information which, when transferred to paper, would be considered an unallowable aid, the student shall be considered guilty of the infraction described above.

In the case that the student is found to not be in violation of the above infraction, the student should be allowed to rewrite the examination if the student so chooses.  Alternately, if the student is found to be in violation, the student is subject to the same university policies that govern the use of unallowed notes equivalent to that which would result from transferring the memory of the calculating device to paper.

In no case will the student forfeit possession of the calculating device indefinitely.

Respectfully submitted,
Todd M. Bezenek

Todd Michael Bezenek, KO0N   Internet: bezenek@plains.nodak.edu
UUCP: uunet!plains!bezenek   Bitnet: bezenek@plains

------------------------------

Date: 24 Feb 92 15:04 -0800
From: Tony Buckland
Subject: The Worth of Computing

From @yonge.csri.toronto.edu:msb@sq.sq.com Mon Feb 24 14:50:45 1992

You write in can.general:

> Yesterday, thieves broke into a VanCity Savings branch and stole
> two bags from a night deposit box.  But not to worry - unless
> you're in the computing game and proud of it - " ... all they
> got were worthless computer printouts and administration documents."

Mark Brader, Toronto, utzoo!sq!msb, msb@sq.com

------------------------------

Date: 20 Feb 1992 7:15 EST
From: joe@cbquest.att.com
Subject: Computer Hackers Get Into Credit Records

From the Columbus, Ohio, _Dispatch_.  Any typos are mine.

   Computer Hackers Get Into Private Credit Records

   DAYTON - Computer hackers obtained confidential credit reports of Midwest consumers from a credit reporting firm in Atlanta.

   Atlanta-based Equifax said a ring of 30 hackers in Dayton [Ohio] stole credit card numbers and bill-paying histories of the consumers by using an Equifax customer's password.

   Ronald J. Horst, security consultant for the company, said the break-in apparently began in January.  Police don't know if the password was stolen or if an employee of the client company cooperated with the hackers.  Horst said the hackers were apparently doing it just for fun.  No charges have been filed.  Equifax will notify customers whose credit reports were taken.

[End of quotation]

The usual caveats about media reporting of computer-related topics apply here.  One thing I don't like about this article is the implication that since the hackers were doing this for "fun", they won't be prosecuted.  Of course, the article doesn't say that exactly, but I'll be watching to see if this case goes any farther.  I'll also be waiting to see if I'm one of those people whose credit reports were stolen, and, if so, what Equifax intends to do about it other than to notify me.

Joe Brownlee, Analysts International Corp. @ AT&T Network Systems, 471 E Broad St, Suite 2001, Columbus, Ohio 43215  (614) 860-7461  joe@cbquest.att.com

------------------------------

Date: Wed, 19 Feb 92 11:59:52 PST
From: Marc Rotenberg
Subject: VT Caller ID Decision

VT Caller ID Decision

The Vermont Public Service Board has just released its Caller ID decision.  It's a good result with an interesting new wrinkle.

Vermont will require that New England Telephone (NET) make free, per-call blocking available to all subscribers.  NET will also be required to provide free, per-line blocking to all subscribers with non-published telephone numbers.  And NET will be required to provide free, per-line blocking to all subscribers who have "a legitimate concern that it would be unsafe to transmit" their telephone numbers, including clients, volunteers and staff associated with domestic violence and sexual assault agencies.

The Hearing Officer initially recommended that such requests should be subject to review by NET, but the Public Service Board rejected this approach.  The Board ruled that all customers should be entitled to receive free per-line blocking through a "simple declaration."

The Vermont Public Service Board thus found a clever solution to a difficult problem that was first identified in the Pennsylvania Caller ID case.  In that case, as in Vermont, concern was expressed that certain individuals may require blocking to maintain personal safety.  But the Bell company's proposed "certification procedure" left it unclear as to who would qualify for privacy protection or how adverse decisions could be appealed.  For these reasons, the Pennsylvania court held that the certification procedure violated basic due process rights.  (The Pennsylvania court also found that Caller ID violated the state wiretap statute and the state constitutional right of privacy and ruled that the service could not be offered in the state).

The due process problem -- deciding who is entitled to greater privacy protection and who gets to make the decision -- remains one of the most interesting and difficult issues in the Caller ID debate.  In ruling that phone subscribers should be entitled to decide for themselves whether per-line blocking is appropriate, Vermont has avoided the due process problem that arose in Pennsylvania.

In the Vermont proceeding, CPSR was asked to serve as the Board's expert witness after the Board determined that "there existed a serious imbalance in the respective parties' ability to present evidence on all relevant issues."  New England Telephone then retained Harvard Law School Professor and Legal Affairs TV Commentator Arthur Miller as their expert.  Professor Miller had earlier stated that Caller ID should be offered without blocking, but in this case acknowledged that per-call blocking might be an appropriate solution.

CPSR provided extensive testimony for the Vermont Public Service Board on the privacy implications of Caller ID after carefully reviewing concerns expressed by those affiliated with domestic violence shelters in the state.

Marc Rotenberg, CPSR Washington Office

------------------------------

Date: Wed, 19 Feb 92 16:26:07 EST
From: Brinton Cooper
Subject: Carpal Syndrome reports rise sharply (Helgesen, RISKS-13.14)

Jeff Helgesen relates a Chicago Tribune article on the sharp increase in Carpal Tunnel Syndrome (repetitive-motion disorder) and the discussion about high-risk workplace environments.  The article said, in part,

|When someone applies force over and over to the same group of muscles,
|the same joint or the tendon, the result may be tissue tears and trauma.
|Other factors causing damage are awkward joint posture and prolonged
|constrained posture.

I have no doubt that this is true as stated.  However, anecdotal evidence causes me to wonder if we're missing something.  (I emphasize that this is anecdotal.)  Every sufferer of carpal tunnel of whom I am personally aware is a cashier at a supermarket.  Yet, I work in a laboratory where some very intensive computing activity takes place.  We have people who frequently spend more than 10 hours out of 24 at keyboards.  I am unaware of any carpal tunnel cases here (although I admit the possibility).

This causes me to wonder: What part does psychological or emotional stress play in the development of repetitive-motion disorders?  Supermarket cashiers do the work largely for the money.  Folks at this lab work here for the same reason, but there is great job satisfaction (dare I call it "fun"?) here that doesn't exist at the grocery store.  Does it matter?  (It's no less a risk either way, but it's better to understand the risk as much as possible.)

Brint

   [By the way, apologies for losing Elizabeth Willey's contribution in RISKS-13.15.  She pointed out that there are lots of parts of the body that can suffer from repetitive motion syndromes, not just the carpal tunnel areas.  Somehow her message got lost.  Sorry.  PGN]

------------------------------

Date: Wed, 19 Feb 92 08:45:28 EST
From: parnas@triose.eng.McMaster.CA (Dave Parnas)
Subject: Re: System certification again (RISKS-13.15)

Marc Horowitz was correct and Perry E. Metzger and Rich Kulawiec, with the support of Peter Neumann, proved him correct.

Dave

------------------------------

Date: Fri, 21 Feb 92 23:20:10 GMT
From: xmu@piccolo.cit.cornell.edu (Tom Young)
Subject: MBDF Macintosh virus

(This is being posted on behalf of M. Stuart Lynn)

As I am sure you are aware, a new Macintosh virus, MBDF-A, has been detected in the Info-Mac archives at SUMEX-AIM that has also been mirrored to other archives.  Furthermore, it appears that the virus may have originated from or have been vectored through a machine at Cornell.

Other folks are addressing issues of detection, elimination, and prevention.  I just want you to know that we at Cornell take this situation most seriously, and are doing everything we can to track down the origin and the originator of this virus.  The university absolutely deplores this kind of behavior, and should it indeed prove that the originator was a member of this community we will pursue all appropriate remedies under our computer abuse policy.

If anyone out there has any relevant technical information that would help us track down the originator, I would appreciate it if you would send it to Tom Young (XMU@cornellc.cit.cornell.edu).

M. Stuart Lynn, Vice President for Information Technologies, Cornell University  607-255-7445

   [Also posted to RISKS by laurie@piccolo.cit.cornell.edu (Laurie Collinsworth)]

------------------------------

Date: Tue, 18 Feb 92 10:01:34 PST
From: [anonymous]
Subject: FBI Eavesdropping Challenged

FBI Eavesdropping Challenged
WASHINGTON (AP, 17 Feb 1992)

Cellular telephones and other state-of-the-art telecommunications technology are seriously challenging the FBI's ability to listen to the telephone conversations of criminal suspects, law enforcement officials say.  The FBI is seeking $26.6 million next year to update its eavesdropping techniques.

Normally tight-lipped FBI officials become even more closed-mouthed when the subject of investigative "sources and methods" comes up.  But a review of the bureau's 1993 budget request provides an unusual glimpse into the FBI's research on electronic surveillance and its concerns about new technologies.

"Law enforcement is playing catchup with the telecommunications industry's migration to this technology," said the FBI's budget proposal to Congress.  "If electronic surveillance is to remain available as a law enforcement tool, hardware and software supporting it must be developed."

The new technologies include digital signals and cellular telephones.  At the same time, there has been an increase in over-the-phone transmission of computer data, which can be encrypted through readily available software programs, say industry experts and government officials.

The FBI's five-year research effort to develop equipment compatible with digital phone systems is expected to cost $82 million, according to administration figures.  The FBI effort is just a part of a wider research program also financed by the Pentagon's secret intelligence budget, said officials who spoke on condition of anonymity.

Electronic surveillance, which includes both telephone wiretaps and microphones hidden in places frequented by criminal suspects, is a key tool for investigating drug traffickers as well as white-collar and organized crime.

Conversations recorded by microphones the FBI placed in the New York City hangouts of the Gambino crime family are the centerpiece of the government's case against reputed mob boss John Gotti, now on trial for ordering the murder of his predecessor, Paul Castellano.  Taps on the phones of defense consultants provided key evidence in the Justice Department's long-running investigation of Pentagon procurement fraud, dubbed "Operation Ill Wind."

But with the advent of digital phone signals, it is difficult to unscramble a single conversation from the thousands that are transmitted simultaneously with computer-generated data and images, industry officials said.

"In the old days all you had to do was take a pair of clip leads and a head set, put it on the right terminal and you could listen to the conversation," said James Sylvester, an official of Bell Atlantic Network Services Inc.

But digital signal transmission makes this task much more difficult.  Conversations are broken into an incoherent stream of digits and put back together again at the other end of the line.

John D. Podesta, a former counsel to the Senate Judiciary's law and technology subcommittee, said the FBI and other law enforcement agencies are simply victims of a technological revolution.  For more than 50 years the basic telephone technology remained the same.

------------------------------

End of RISKS-FORUM Digest 13.16
************************