Subject: RISKS DIGEST 13.79
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 11 September 1992  Volume 13 : Issue 79

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  "Sneakers" -- A Topical Movie Review (Donn Parker)
  Police probe man's death in Citibank disk case (Pat Cain)
  Arrest warrant database problems (James Hanlon)
  New computer delays Berlin Fire Department (Debora Weber-Wulff)
  Hardware failure stops school (Andrew Marchant-Shapiro)
  PC board waste in San Francisco Bay (Phil Agre)
  Re: TCAS (Nancy Leveson)
  Registration and Hotel Information - 15th National Computer Security Conference (Jack Holleran)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.  Others may be ignored!  Contributions will not be ACKed.  The load is too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks.  REQUESTS please to RISKS-Request@CSL.SRI.COM.

 Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits).  Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.  The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".  <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

 For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).

 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.  Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: 11 Sep 1992 08:00:03 -0800
From: donn_parker@qm.sri.com
Subject: "Sneakers" -- A Topical Movie Review

  [The following review was prepared by Donn Parker for distribution to the members of the International Information Integrity Institute (known as I-4), an organization consisting of something like 60 companies with significant interest in improved computer security and integrity, which is managed by SRI -- with Donn as one of its key players.  This review is reproduced here with his permission, and is authorized for further distribution, with appropriate attribution.  Sneakers opens today to the general public, although in a few selected theaters it opened on Wednesday, presumably to get early reviews.  (Both Donn and I had been visited by Parkes and Lasker regarding security risks, in their preparation for the screenplay for WarGames.  They even used some of our ideas.  In general, Sneakers seems technologically sounder, and is certainly of interest to RISKS readers.  For those of you who don't know Donn, he is often referred to as the Great Bald Eagle of Computer Security.)  PGN]

                        FILM REVIEW OF SNEAKERS
                           by Donn B. Parker
                             September 1992

Sneakers (released September 11, 1992 by Universal Studios, owned by Matsushita Electric Industrial Co. Ltd., and promoted in association with CompuServe, owned by H&R Block) starring Robert Redford, Dan Aykroyd, Ben Kingsley, Mary McDonnell, River Phoenix, Sidney Poitier, and David Strathairn; directed by Phil Alden Robinson (Field of Dreams director); and produced and written by Walter F. Parkes and Lawrence Lasker (writers and producers of WarGames in 1981).
The new computer crime movie, Sneakers (as in hackers who wear sneakers and sneak into computers) was previewed in a San Francisco showing sponsored by Universal Studios and Mondo 2000 Magazine (a slick-cover psychedelic publication of the Timothy Leary genre appealing to hackers) and attended by a large segment of the Bay Area hacker community including Cap'n Crunch.  I had assisted the writers, Messrs. Lasker and Parkes, with their first movie, Wargames -- much to my chagrin because the technology was so distorted.  This time they had the technical assistance of Len Adleman (the A in RSA Crypto) from USC and Robert Abbott, an information security consultant of long standing.

This Mission Impossible, PG-rated (only three "God damn"s and almost no sex) film is mostly technologically believable, unlike Wargames.  We can forgive them for showing a Cray computer with a terminal displaying Windows 3.1.  All information security professionals should see this film and use it to promote security awareness.  Some critics may pan it, but it has all the ingredients for financial success.
It has:

 o great chase and other street action scenes in the beautiful San Francisco Bay Area
 o an interesting but predictable plot
 o the blind technician who finds the bad guys' hideout from sounds heard from the trunk of a car
 o the old technique of the bad guy shooting into the ceiling tiles at his hidden enemy hiding in ceiling duct area
 o three bloodless murders
 o total unconsciousness produced by simple taps on the head followed by immediate concussion-less revival with little visible damage
 o popular stars, Redford, Poitier, Aykroyd, and Kingsley, who look like the oldest hackers in the world (except for me and Cap'n Crunch)
 o great human melodrama with good character development and not too much technical sci-fi stuff
 o the good guy and his girlfriend at the mercy of the bad guy in the grand finale
 o cryptography very well explained and used for a general audience
 o the proverbial spinning computer tape drive, and
 o as usual with Lasker and Parkes, a moral at the end.

Universal has uniquely teamed up with CompuServe and CompUSA computer stores to promote the movie.  A chat board has been set up to fire questions about the movie at Mr. Robinson, the director, who has been using CompuServe for 8 years.  Anagram and secret password games can be played, with prizes including trips to Hollywood and Robert Redford's jacket worn in the film.  The film is sure to be a big hit in Europe and Japan as well as in the United States and should appeal to the juvenile hacker culture throughout the world.

One unbelievable item is the skimpy $175,000 accepted by Redford's security penetration (read "tiger team") consulting company for a record-breaking information security project.  Redford's team plus all the high-priced technical equipment were worth much more than that.  They had to steal the universal decryption black box -- the Maltese Falcon of the movie -- and then steal it again from the bad guys posing as NSA types who steal it from Redford.
There is a neat shoulder-surfing password pickup by video recording.  There are hacker antics such as a transfer of President Nixon's net worth to the National Organization for the Reform of Marijuana Laws (NORML), credit record and license plate registration privacy invasions, trashing of the NSA, CIA, and FBI, and liberal-politics slams at President Bush and the Republican Party well-timed for the upcoming national elections.  However, this is all tolerable since it is done by Redford's character and his team who all have serious criminal and other highly unethical practices in their backgrounds.

A tiger team attack on a client bank that has relatively good security is excessively elaborate and would have left the bank guard in a good position to sue his employer for aggravated assault and mental anguish.  We will probably have to assure our company management people that we don't do things like that -- but the time to justify your budget and staff is soon after they see this movie.

The film ends with the rather patronizing and simplistic advice that whoever controls the information, controls the world.  Just the straightforward action and technology without all the liberal politics and moralizing would have made it even better.  You and your teenage children and your computer users and management should all see and enjoy this much-to-be-talked-about film.

------------------------------

Date: Wed, 09 Sep 1992 13:24:18 +1200
From: Pat Cain
Subject: Police probe man's death in Citibank disk case

Early on Saturday (5th Sept) morning in Auckland, New Zealand, Paul Gordon Edward White, 26, a computer broker, was found in a crashed car by the Auckland harbour bridge; he died shortly afterwards.  A police investigation into the accident began.  But last night (Tuesday) the Police Minister, John Banks, asked police to begin high priority investigations into allegations that his death may not have been accidental.
White had purchased $525 of surplus office and computer equipment from Citibank in Auckland.  Accidentally included with the equipment were around 90 computer disks.  TV3 reported the disks contained details of overseas bank accounts of some politicians and of some companies laundering money overseas.

White is understood to have offered to sell the material back to the bank for $50,000.  In an out-of-court settlement on Friday, Citibank paid White $15,000 cash for the return of all outstanding information in his control.  The suitcase in which White had the money was found in the car along with his body, but the money was missing.

White's lawyer, Mark Blomkamp, told TV3 that someone may well have considered the information on the disks serious enough to kill for.  Asked if it was possible that because the money was not in White's briefcase in his crashed car the accident could have been invoked, Blomkamp said: "You might well think that but I couldn't possibly comment".

Radio NZ last night quoted an unidentified source saying that White's car was not as badly damaged as could be expected from an impact with a concrete pillar.  The front of the car was significantly damaged by the 5.15am crash on the Fanshawe St, city side, approach to the harbour bridge, but the dashboard and steering wheel were not and there was no blood in the vehicle.

Bits and pieces ..

 * Neighbours reported White's home in Birkenhead had been broken into several times and that he had met Tauranga MP Winston Peters (who is a member of the current government and several months ago alleged government links with big business and corruption).

 * In one of three earlier burglaries, White was attacked as he returned home one night.

 * White reported that in July he had been approached by people who identified themselves as members of the Security Intelligence Service, wanting to discuss the Citibank information.  After the meeting, White told an acquaintance that the supposed SIS agents had warned him that the police were about to search his property.  The search took place two days later.  (NZSIS is NZ's approximate equivalent to the US's CIA.)

 * On Friday, White celebrated at the Centra hotel in Auckland; he then left with a man and a woman (who have since been interviewed) at 10pm and went to the Regent Hotel for a meal.  After that he went to a nightclub and left about 4am.  What happened between then and 5.15am when he was found is unclear.

 * Citibank is the New Zealand subsidiary of one of the largest banks in the United States, Citicorp.  It operates as a clearing bank and provides a range of non-retail banking services.

 * The Ambulance service received "two or three" emergency calls from mobile phones -- it is not known who made the calls, or whether they witnessed the car crash.  White died shortly after the ambulance arrived.

(Summarized from {The Dominion} and {The New Zealand Herald}, 9 Sept 1992).

------------------------------

Date: Wed, 9 Sep 92 17:01:51 CDT
From: tcubed@ddsw1.mcs.com (James Hanlon)
Subject: Arrest warrant database problems

Note: I recently posted a similar note to misc.legal.computing; I suspect the problem is common enough to enlist the help of the RISKS community.

An attorney acquaintance has a number of clients who have been picked up and detained for various lengths of time, on the basis of warrants, later shown to be incorrect.  Reasons range from sloppy administrative work (clerical errors, name confusions), to accumulated delays in the record-keeping process.

BACKGROUND INFORMATION

Police officers in the US need a few things in order to take a person into custody ("arrest" them): chief among them is probable cause to believe that they have committed a crime.  The fact that an arrest warrant exists is in itself probable cause.
In practice, one can be taken into custody if the arresting officer believes that a warrant exists -- and someone on the radio telling him that "the computer" shows an outstanding warrant is reason enough.

Problems occur in areas where numerous law enforcement agencies overlap, i.e., most urban areas in the US.  Although there is normally a regional database of warrant information, any agency can keep a database of warrants its own officers have issued.  Should a judge order a warrant killed ("quashed" is the legalism), and should the kill order not be properly accomplished, the stage is set: person leaves courtroom relieved, goes about his business, is stopped some months (or years) later, officer checks central database, finds warrant information, calls warrant-issuing police department, which checks **its** warrant database.  Conclusion: you are under arrest.  There follows a collection of more or less unpleasant and inconvenient experiences (e.g., a weekend in the county lockup).

My question: is there an archive of these, or similar, occurrences on the net?  Is there a model of how the problem should be solved, perhaps in Jurisdiction X?

I should mention that the attorney is presently suing the government units involved, in federal district court in Chicago.

Thanks for all help.

James E. Hanlon  tcubed@ddsw1.mcs.com

------------------------------

Date: Tue, 8 Sep 1992 10:11:09 GMT
From: weberwu@inf.fu-berlin.de (Debora Weber-Wulff)
Subject: New computer delays Berlin Fire Department

Sigh.  It's like no one reads comp.risks :-(.

The "Tagespiegel" announced this morning that the Berlin Fire Department has been having terrible trouble with its new dispatching system.  Seems they went on line after just a few "tests" (no running the system in parallel to the old one) because they now have to take care of the whole city and not just West Berlin.
They are having problems with fire-trucks being listed more than once, phantom fire trucks, disappearing fire-trucks and messages, and the wrong trucks being alerted.  Seems the data entry people or the algorithm for finding the closest fire station (or both) are not working, and trucks are being called from far away, or they are alerted and then not told where to go.  There have been cases of it taking 30 minutes to get a fire truck to the scene of a fire.  Not a nice thought when youths are increasingly setting fires to refugee hostels and such.

The company that installed the program is busy fixing the bugs, the newspaper assures us, and will have it running soon.  Won't we all sleep better knowing that it is sure to run when that last bug is gone?!

Debora Weber-Wulff, Institut fuer Informatik, Nestorstr. 8-9, D-W-1000 Berlin 31  +49 30 89691 124  dww@inf.fu-berlin.de

------------------------------

Date: 9 Sep 92 15:16:00 EST
From: "MARCHANT-SHAPIRO, ANDREW"
Subject: hardware failure stops school

My institution, Union College, fell victim to a computer problem today: A Hewlett-Packard machine used to handle registration died, leaving the College unable to complete freshfolk registration.  Consequently, classes that were scheduled to start on 9/10 cannot meet until next Tuesday, and an extra day (or two??) will have to be added to the term calendar to make things work out.  All faculty received notices marked URGENT that spoke of a 'massive computer failure.'

I have little data on the failure, other than that it was apparently NOT a software failure, but a real hardware breakdown.  Now, I suppose that the software and data on that machine are backed up -- but there's the rub.  What do you do when you only have one piece of HARDWARE?  It's ironic, because most of the campus is hooked up to a 3-machine VAX cluster -- while Administration runs on the single HP.  Good for security, but bad for reliability.
Since many of the copiers went down at the same time (yep, in the midst of syllabusing) I suspect a technological conspiracy...;-)

Andrew Marchant-Shapiro, Depts of Sociology and Political Science, Union College, Schenectady NY 12308  (518) 370-6225  marchana@union.bitnet

------------------------------

Date: Wed, 9 Sep 92 17:11:53 -0700
From: pagre@weber.ucsd.edu (Phil Agre)
Subject: PC board waste in San Francisco Bay

The lead article in the current issue of "Global Electronics" (issue 115, August 1992) concerns the pollution of San Francisco Bay by heavy metals running off from small printed circuit board assembly shops in Silicon Valley.  It traces the problem to the common electronics industry practice of subcontracting to these small firms rather than doing the dirty work in larger and safer facilities of its own.

"Global Electronics" is published by the Pacific Studies Center, 222B View Street, Mountain View CA 94041.  It costs $12 per year (12 issues of four pages each).

Phil Agre, UCSD

------------------------------

Date: Fri, 04 Sep 92 16:23:40 -0700
From: Nancy Leveson
Subject: Re: TCAS (RISKS-13.78)

From RISKS 13.78,

  In the version of the TCAS story I saw locally about the 2 USair jets near-miss, it mentioned that for the period june -June of the previous year, over 60% of the warnings/advisements from TCAS systems nationwide have been erroneous.  Many of these have been of the same sort reported -- the system told two planes that were "safe" to maneuver into an "unsafe" flight path...

This is totally and completely untrue and is evidence of what I warned about in my previous message.  Even if you don't have the facts, does anyone seriously think that a system with this error rate would be used at all?  Pilots are just not that stupid or suicidal and neither are those at the FAA.  It is very important that forums such as RISKS do not become sources of dangerous misinformation.

  [I agree.  I have been somewhat too lenient in recent times, permitting material to emerge that is lacking in credibility, scholarship, carefulness, etc.  Time to ratchet up the quality again.  But I am very much at the mercy of our contributors.  Please observe the masthead guidelines.  Thanks.  PGN]

------------------------------

Date: Wed, 9 Sep 92 11:10 EDT
From: Jack Holleran
Subject: Registration and Hotel Information - 15th National Computer Security Conference

The following information includes registration and hotel information for the upcoming 15th National Computer Security Conference.  Appropriate phone numbers are included.  (The program is contained in RISKS-13.78.)

=-+-=

                     CONFERENCE REGISTRATION FORM
              15th National Computer Security Conference
                         October 13-16, 1992
                      Baltimore Convention Center
                         1 East Pratt Street
                         Baltimore, Maryland

NAME: ___________________________________________________________
COMPANY: ________________________________________________________
ADDRESS: ________________________________________________________
CITY: ___________________ STATE: ___________ ZIP: ______________
COUNTRY: ______________________ TELEPHONE NO: ___________________

HOW WOULD YOU LIKE YOUR NAME TO APPEAR ON YOUR BADGE?
_________________________________

Registration Fee: $280.00 before October 1, 1992; $315.00 on or after October 1, 1992

Payment Enclosed in the Amount of: __________

Form of Payment:
  ___ Check.  Make checks payable to NIST/15th National Computer Security Conference.  All checks must be drawn on U.S. banks only.
  ___ Purchase Order Attached.  P.O. No.: __________
  ___ Federal Government Training Form
  ___ MasterCard   ___ Visa
      Account No.: _______________  Exp. Date _______
      Authorized Signature: _______________________

PLEASE NOTE: No other credit cards will be accepted.
Please return conference registration form and payment to:

  c/o 15th National Computer Security Conference
  Office of the Comptroller
  National Institute of Standards and Technology
  Room A807, Administration Building
  Gaithersburg, MD 20899

Credit card registration may be faxed to Tammie Grice at (301) 926-1630.

Is this the first time you have attended the National Computer Security Conference? ______________

Conference Participants List:
  __ I do want my name on the Conference Participants List which is distributed to conference attendees.
  __ I do not want my name on the Conference Participants List.

=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=

                       HOTEL RESERVATION FORM
              15th National Computer Security Conference
                         October 13-16, 1992
                      Baltimore Convention Center
                         Baltimore, Maryland

  Hyatt Regency Baltimore                 (410) 528-1234
  300 Light Street, Baltimore, MD 21202

  Holiday Inn Baltimore Inner Harbor      (410) 685-3500
  301 West Lombard Street, Baltimore, MD 21201

  Radisson Plaza Baltimore Hotel          (410) 539-8400
  20 West Baltimore Street, Baltimore, MD 21201

  Tremont Plaza                           (410) 727-2222
  222 St. Paul Place, Baltimore, MD 21202  (An all suites hotel)

  Baltimore Marriott Inner Harbor         (410) 962-0202
  110 South Eutaw Street, Baltimore, MD 21201

  Tremont Hotels                          (410) 576-1200
  8 East Pleasant Street, Baltimore, MD 21202  (An all suites hotel)

NAME: ___________________________________________________________
COMPANY: ________________________________________________________
ADDRESS: ________________________________________________________
CITY: ____________________ STATE: ________ ZIP: ____
COUNTRY: ___________ TELEPHONE NO: __________ (include country access code if appropriate)

Please Reserve:  Single Room(s) ______   Double Room(s) _______
Arrival Date: _________   Departure Date: _________
Person Sharing Room: ___________________________

RATE (Refer to Conference Brochure):  ____ Corporate;  _____ Government

Method of Guarantee:  _____ Deposit Enclosed;  _____ Credit Card
  Check One:  __ American Express  __ Visa  __ MasterCard  __ Diners Club  __ Carte Blanche
  Credit Card #: _________________  Exp. Date: ______
  Signature of Cardholder: ________________________

------------------------------

End of RISKS-FORUM Digest 13.79
************************