Subject: RISKS DIGEST 13.68
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 23 July 1992  Volume 13 : Issue 68

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Telco problem with Garth Brooks concert ticket sales proves fatal (Art Corcoran)
  Re: 911 call lands caller in jail (SATRE)
  Re: A computer as a criminal tool (Jonathan A. Marshall)
  The onus of correcting databases (Henry G. Baker via PGN)
  Crypto systems -- less is more (Chaz Heritage)
  Re: BBS Pornography (Chuck Stern, Art Corcoran)
  Re: Bellcore threatens 2600 (Mel Beckman)
  2600 reply to Bellcore lawsuit threat (Emmanuel Goldstein)
  Re: Technology and leading employees: another example (Clifford Johnson)
  Re: Nuclear reactor control (Tom Ohlendorf)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others may be ignored! Contributions will not be ACKed. The load is too great.
**PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks.
REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits). Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300
(or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 23 Jul 1992 16:36:46 -0500
From: Art Corcoran
Subject: Telco problem with Garth Brooks concert ticket sales proves fatal

Our local (Tulsa, OK) television news reported today about how a telco problem
proved fatal. A retired Doctor [Homer Hardy] tried to call 911 when his wife
[Phyllis Joan Love Hardy, 67] started having a heart attack. His 7-8 attempts
always resulted in a busy signal. He finally dialed 0 for the operator, but
when the ambulance arrived, his wife was already dead.

It seems the telco was overloaded with over 320,000 calls in one hour by
persons trying to buy tickets to a concert by country musician, Garth Brooks.

One of the persons in the story commented, "I guess Garth Brooks tickets are
more important than 911 service."

Art Corcoran, University of Tulsa, corcoran@tusun2.mcs.utulsa.edu

   [Also noted by Phil Karn. An AP story noted that the number of calls
   exceeded the previous record for Tulsa BY A FACTOR OF TWO. Promoters sold
   out 23,000 tickets within three hours in Tulsa and Oklahoma City to two
   Brooks' concerts. Now they will have to do Garthroscopic surgery on the
   phone system. PGN]

------------------------------

Date: Mon, 20 Jul 1992 06:35 PDT
From: RGB Technology/703-556-0667
Subject: Re: 911 call lands caller in jail (Beckman, RISKS-13.66)

Mel Beckman reports that "CA resident Helene Golemon called 911 to report
(twice) a loud teenage street party in the wee hours." The risk being
identified is the police looking up the resident's criminal record.

How about the much more serious risk of tying up 911 with a non-life
threatening call?

------------------------------

Date: Thu, 23 Jul 92 11:27:42 -0400
From: Jonathan A. Marshall
Subject: Re: A computer as a criminal tool (Junger, RISKS-13.67)

Would it be safe to assume that the 15-year-old had his parents' permission to
participate in the sting and access the adult files?
His parents might have known that he could encounter adult pictures during the
sting. If so, then perhaps their permission means that no crime actually
occurred during the sting, and the case could be thrown out.

--Jonathan A. Marshall, Computer Science, UNC-Chapel Hill, marshall@cs.unc.edu

------------------------------

Date: Thu, 23 Jul 92 17:34:31 PDT
From: "Peter G. Neumann"
Subject: The onus of correcting databases (From Henry G. Baker)

Here is an excerpt from a SnailMail letter from Henry G. Baker:

I have recently been trying with only moderate success to correct my credit
file at the Equifax credit reporting organization based in Atlanta. As you may
have seen on the news, they have settled with a number of states' attorneys
general over their sloppy data.

After getting a copy of my report, and noticing a large number of entries that
looked suspiciously as if they belonged to someone else, and seeing one of my
previous addresses as ``25 Roycroft Dr.'' (I never lived on that street, nor
do I even know where it is), I asked Equifax to remove the entry. The first
letter to Equifax didn't work, but a combination of a second letter from me
and one from my lawyer finally produced a correction to my file: I am now
listed as having previously lived on ``25 Cancel Dr.''!!

By the way, Equifax also listed my marital status as ``single'', even though
it (correctly) listed my wife's name in the ``spouse'' section, along with her
(correct!) social security number.

I think that I have now been sensitized to the problem of unfettered national
databases, and words like ``radicalized'' and ``click'' come to mind. (Am I
dating myself?)

   [I hope you are not dating yourself, especially as you are married. PGN]

Nimble Computer Corp., 16231 Meadow Ridge Way, Encino CA 91436, 818-501-4956

------------------------------

Date: Thu, 23 Jul 1992 09:43:37 PDT
From: chaz_heritage.wgc1@rx.xerox.com
Subject: Crypto systems -- less is more

There has been much discussion recently on RISKS about the FBI's demands to be
allowed to tap phones, etc. and about the restrictions, proposed and
implemented, on the export from the USA of cryptological apparatus, whether
hardware or software.

If one wants - as a bank might - to encipher all of a large volume of
transmissions then this is certainly an important issue; the security and
'exportability' of systems like DES and RSA would clearly be mission-critical
in these circumstances.

However, the justification for these restrictive measures is said to be to
facilitate policing. It is said, for example that phone-taps are vital to the
'war on [untaxed] drugs', and encryption restrictions to the fight against
terrorism.

Any competent criminal or terrorist obliged to use his own telephone would
naturally expect it to be tapped, whatever Constitutional 'rights' he might
believe himself to have, and act accordingly; if he were obliged to send a
co-conspirator a note about their conspiracies then they would doubtless
arrange beforehand a secure cipher system.

The Foreign Office one-time pad system is said never to have been broken, and
those who know far more about cryptology than I do seem to think that it never
will be. It is easy to generate its key, and relatively easy to use it for
short messages. A simple modification of the system does not rely on the
physical transfer of key, eliminating the possibility of detection in transit.

The FBI therefore seem to have little chance of catching anyone competent,
since they will probably not intercept meaningful conversations between
serious crooks, and will be unable to break FO one-time pad cipher should the
villains choose to use it.
All they will do is hasten the natural selection of criminals and terrorists
until only those who are really professional (and therefore dangerous) will
still be in business, filling the prisons meanwhile with small fry and
amateurs who have, perhaps, been foolish enough to trust their telephones and
their expensive, but crippled, commercial cipher systems.

What, then, is the true purpose of demanding new phone-taps and restrictions
on encryption technology?

This for me is merely a matter of curiosity, since I am British, and
therefore prohibited by the criminal law from attempting to transmit any form
of code or secret writing (our spooks got this sorted out in the time of the
*first* Queen Elizabeth).

Baffled, Chaz

------------------------------

Date: Thu, 23 Jul 1992 09:52:14 -0400
From: chuck@novus.com (Chuck Stern)
Subject: Re: BBS Pornography (Cohen, RISKS-13.67)

This is in partial response to a posting by Mr David Cohen
(bx953@cleveland.freenet.edu) concerning the recent Akron-area BBS bust.

Put your money where your mouth is.

Not just Mr. Cohen, but anyone who thinks that arrests of this sort are
anything less than savory. If you are an attorney, donate some time to write
an Amicus brief for the court, if such things are allowed for criminal
prosecutions. Even better, if the miscarriage of justice is so great that it
makes you want to scream, donate some time to help defend the case. If you
have some knowledge, share it with elected officials who are making the laws
without the benefit of technical expertise.

Remember that the government never willingly grants a right, or even a
privilege, to its citizens. And in these days of the "War on Crime", we must
protect what rights we have.

Chuck Stern chuck@novus.com

------------------------------

Date: Thu, 23 Jul 1992 17:00:09 -0500
From: Art Corcoran
Subject: Re: BBS Pornography (Cohen, RISKS-13.67)

We have had at least two cases of BBS Porn here in Tulsa.
The local news even had a three part "expose" on the subject last summer. I
attended a sysop meeting at the time. "People in the know" said (i.e.,
rumored) that the sysop's computer equipment is impounded for over six months
and that it is often "dropped" or otherwise damaged by the authorities.
Computers cannot sue for "Police brutality".

In one of the cases, a woman was reading a message and called police when
"foul language was uncontrollably displayed on her screen". (That is, she was
offended by the contents of the message.)

Art Corcoran, University of Tulsa, corcoran@tusun2.mcs.utulsa.edu

------------------------------

Date: Thu, 23 Jul 92 09:07:07 PST
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: Bellcore threatens 2600 (Goldstein, RISKS-13.67)

As someone who has also been involved in one of 2600's dubious reprints, I
feel reasonably qualified to respond. In the September 1987 issue, 2600
printed a facsimile of an internal technical document I wrote while employed
as an IBM systems developer. The document explained how to decrypt password
security on the IBM S/36 (the encryption is trivial although not obvious). The
document was intended as a "worksheet" for accessing systems where the
original "security officer" (superuser) password has been lost or forgotten.
With this article, anybody could gain superuser access to a S/36.

I still don't know how 2600 got the thing, but my copyright (the series of
technical notes is personally copyrighted by me; not a work-for-hire) was
stripped off (according to 2600, before they received the document), although
my name was still on the thing. At the time of reprinting, I had left the
original job and was working at another company (NEWS 34-38 magazine, a
technical journal covering the IBM S/34/36/38 systems). I found out about the
problem when a lawyer from IBM's Rochester, MN development lab called me,
quite irate, wanting to know why I had publicized this document.
The way 2600 presented my document -- with no explanation how it was received
-- it looked like I had submitted the thing for publication!

The noise being made by IBM was causing all kinds of problems for me. My
current employer was concerned about possible adverse publicity accruing to
one of its regular authors and editors; the original firm doing IBM systems
programming was none too happy and let it be known that the problem was all
mine; my already tentative relationship with IBM's Rochester lab certainly
didn't improve (some relationships were definitely cut off by this incident)
and I had to spend a huge amount of time talking with everybody, including the
lawyers, trying to convince them I hadn't instigated the incident.

2600 was, in my opinion, irresponsible in printing something with a person's
name on it, without making any attempt to contact me (I'm in many online
directories, including nic & Compuserve). If they couldn't contact the author,
the ethical thing to do is not publish. 2600 apparently couldn't resist such a
"juicy" tidbit though, whatever the cost to somebody else.

As this was a titled document -- and obviously part of a series -- 2600
reasonably could deduce that somebody owned the thing and that permission
should be obtained. At that time, presumption of copyright wasn't a legal
doctrine (although now, thankfully, it is), however, 2600 should know that
lack of a copyright notice doesn't mean that the notice wasn't illegally
removed. Their claim to be able to publish the contents as a news item anyway
is academic, as they published a photographic facsimile of my work.

I also thought 2600 should have withheld the document on the simple grounds
that public disclosure would put a good deal of small business systems at
exposure to attack. We all know that 2600 revels in making public information
that can compromise security, to the great embarrassment of system
manufacturers (hopefully coercing mfrs into improving their products).
Somewhere, though, in a democratic society, there is a line that separates
mature activism from juvenile vandalism. 2600 crossed that line in my
situation.

I had little legal recourse against 2600, and the editor (at that time, Eric
Corley), insisted in phone discussions that I was greatly exaggerating my
problems. He never apologized, although I did get from him a promise to not
further publish anything with my name without permission.

I think there is a place for publications such as 2600 (I regularly pick up a
copy at Reiters Technical Books in Washington, DC), but 2600 goes over the
line periodically, as they did in my case and possibly in the Bellcore case at
hand (I haven't seen '91 winter issue). Since Emmanuel asked for comments on
his Bellcore lawyer letter, I figured some history from "one of us" could help
provide perspective. I consider myself an open-minded member of the Internet
community, on the CPSR/EFF side of privacy and information freedom issues, but
I nevertheless take exception to some of 2600's practices.

Mel Beckman, Beckman Software Engineering, 1201 Nilgai Place, Ventura, CA 93003
805-647-1641  mbeckman@mbeckman.com  Compuserve: 75226,2257  Fax: 805/647-3125

As background, following are the two letters exchanged by my magazine's
attorneys and Eric Corley.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

April 15, 1988

Blah, blah & blah Law Offices

Eric Corley, Editor/Publisher
Peter Kang, Office Manager
2600 MAGAZINE
Middle Island, NY

Dear Sirs:

I have been asked to contact you on behalf of Mel Beckman and his employer,
NEWS 34-38 magazine.

It is my understanding that your publication, 2600 Magazine, for the month of
September 1987, included the publication of a confidential memorandum written
by Mr. Beckman while he was an employee of another company. The name of the
article was "Decrypting Password Security."
We do not know how the memorandum came into your possession, but its
unauthorized use may do serious damage to Mr. Beckman's reputation and to that
of his current employer. No determination has yet been made as to what steps
may be taken to protect the interests of Mr. Beckman and NEWS 34-38.

In the meantime, demand is hereby made that you desist from any further
unauthorized use of any articles or documents produced by Mr. Beckman. Please
confirm in writing that you will comply with this demand.

Very truly yours,
[attorney's signature]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

May 31, 1988

Dear [attorney's name]

These are the facts as I know them regarding the acquisition by 2600 Magazine
of the article entitled "Decrypting Password Security" written by Mel Beckman.

In August of 1987 we received a copy of the article on a single sheet of
paper. There was no indication of a copyright or clues to the article being a
"confidential memorandum". No company name was evident and there was no
publication from which to ask permission for reprinting. The only
identification mark on the entire page was the name "Mel Beckman" which was
unknown to us.

Our magazine is in the habit of printing interesting and humorous pages from
telephone books, non-copyrighted manuals, and books that we happen to be
reviewing. We do not print personal memos or anything else that would invade
the privacy of any one person.

Given the facts as they were presented to us at the time we believe no
wrongful action was taken on our part. I might also point out that had we
indeed managed to track down the author and been refused permission to reprint
the article, we would still be able to reveal the contents as a news item,
since the article had been leaked to us. But let us not delude ourselves--the
article was not all that earth-shattering. We strongly doubt any harm will
come to Mr. Beckman's reputation as a result of this incident.
Obviously some other person is responsible for sending the article to us. Mr.
Beckman cannot and should not be held accountable for another person's
actions.

You can rest assured that any future articles we may receive with Mr.
Beckman's name on them will not be reprinted in our magazine.

Sincerely,
Eric Corley, Editor, 2600 Magazine

------------------------------

Date: Thu, 23 Jul 92 15:33:25 -0700
From: Emmanuel Goldstein
Subject: 2600 reply to Bellcore lawsuit threat

The following reply has been sent to Bellcore. Since we believe they have
received it by now, we are making it public.

Emmanuel Goldstein
Editor, 2600 Magazine
PO Box 752
Middle Island, NY 11953

July 20, 1992

Leonard Charles Suchyta
LCC 2E-311
290 W. Mt. Pleasant Avenue
Livingston, NJ 07039

Dear Mr. Suchyta:

We are sorry that the information published in the Winter 1991-92 issue of
2600 disturbs you. Since you do not specify which article you take exception
to, we must assume that you're referring to our revelation of built-in privacy
holes in the telephone infrastructure which appeared on Page 42. In that
piece, we quoted from an internal Bellcore memo as well as Bell Operating
Company documents. This is not the first time we have done this. It will not
be the last.

We recognize that it must be troubling to you when a journal like ours
publishes potentially embarrassing information of the sort described above.
But as journalists, we have a certain obligation that cannot be cast aside
every time a large and powerful entity gets annoyed. That obligation compels
us to report the facts as we know them to our readers, who have a keen
interest in this subject matter. If, as is often the case, documents,
memoranda, and/or bits of information in other forms are leaked to us, we have
every right to report on the contents therein. If you find fault with this
logic, your argument lies not with us, but with the general concept of a free
press.
And, as a lawyer specializing in intellectual property law, you know that you
cannot in good faith claim that merely stamping "proprietary" or "secret" on a
document establishes that document as a trade secret or as proprietary
information. In the absence of a specific explanation to the contrary, we must
assume that information about the publicly supported telephone system and
infrastructure is of public importance, and that Bellcore will have difficulty
establishing in court that any information in our magazine can benefit
Bellcore's competitors, if indeed Bellcore has any competitors.

If in fact you choose to challenge our First Amendment rights to disseminate
important information about the telephone infrastructure, we will be compelled
to respond by seeking all legal remedies against you, which may include
sanctions provided for in Federal and state statutes and rules of civil
procedure. We will also be compelled to publicize your use of lawsuits and the
threat of legal action to harass and intimidate.

Sincerely,
Emmanuel Goldstein

------------------------------

Date: Thu, 23 Jul 92 16:24:51 PDT
From: "Clifford Johnson"
Subject: Re: Technology and leading employees: another example (Meyer, RISKS-13.67)

> [Technological] advances will in fact increase the lead that
> the best people already had over the others.

In many (especially large) organizations, the presumption that the best have a
lead over their co-workers is untrue. Ever heard the parable of the
cave-dwellers putting out the eyes of the one who could see?

------------------------------

Date: Thu, 23 Jul 1992 08:45 EDT
From: "Tom Ohlendorf - TSU Admin. DP, (410) 830-3642"
Subject: Re: Nuclear reactor control (Teasdale, Re: RISKS-13.67)

My particular reply is to the statement:

> However, this does not help at all in cases where the reactor
> is running out of control but still producing steam and power, nor will it do
> any good if something has happened to prevent the reinsertion of the damper
> rods themselves...

While I am not even close to an expert in the nuclear power industry, I did
work for a firm that made security systems for nuclear power plants and had an
opportunity to learn something about the operations of the industry. Based on
my acquired knowledge, the reason why operators and computer systems monitor
the reaction is to prevent a run-away reaction such as cited above. The
computer systems are sophisticated enough to be able to SCRAM (or drop the
control rods for those that don't know what SCRAMing is) the reactor when the
reaction goes out of control. The human monitors also have this control in
case the computer fails.

BTW, for you trivia buffs, SCRAM stands for Secondary Control Rod Axe Man. In
the days before all of the sophisticated control, a person would have to
physically cut the control rod cable with an axe when a reaction went
run-away.

Tom Ohlendorf, Programmer/Analyst  INTERNET: D7AP002@TOA.TOWSON.EDU

------------------------------

End of RISKS-FORUM Digest 13.68
************************