Subject: RISKS DIGEST 13.89 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Monday 2 November 1992 Volume 13 : Issue 89 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Leaving greasy marks on monitors may be dangerous (Simon Marshall) Risks Of Cellular Speech (Dave King, PGN) Police and Computers (Mark Bergman, Mike) Cash displenser fraud (E. Kristiansen) Network is a lifesaver (Mike Cepek) Pay-per-call-back-verify (Robert Slade) Re: London Ambulance Service (Brian Randell, John Jones) Alarmism and Prof. Denning (Timothy C. May) Blockbuster announces plan to use data from video rentals (John Nagle via T. Kim Nguyen) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Mon, 2 Nov 1992 11:15:58 +0000 From: Simon Marshall Subject: Leaving greasy marks on monitors may be dangerous Many people regard greasy marks on monitor screens a nuisance. If there is any danger, it is the donor who is at risk because s/he many get some verbal or perhaps (tongue in cheek?) physical abuse from subsequent users. Not so. This weekend, I cleaned the monitor of a workstation I was using in our lab. Heeding warnings about getting electric shocks from static build ups, I turned the monitor off for a minute before applying the anti-static cleaner. When I began to wipe off the water-based cleaner with a paper towel, the screen burst into flames. Blue-yellow flames may look nice with a beige plastic `dimple effect' surround, but they are not good for the skin. Apparently, so I am told, CFCs have been replaced in these aerosols by flammable propellants. The risks are clear: the housekeeping maintenance of a computer is not without its dangers. If the lab had a lower ceiling, and I was not able to blow the fire out, this story might have been a different one. Simon Marshall, Dept. of Computer Science, University of Hull, Hull HU6 7RX, UK Email: S.Marshall@Hull.ac.uk Phone: +44 482 465181 Fax: 466666 ------------------------------ Date: 02 Nov 92 12:00:22 EST From: Dave King <71270.450@compuserve.com> Subject: Risks Of Cellular Speech [The following was distributed here at work by our security folks. I was surprised at the degree to which cellular traffic has apparently become public speech. But then, perhaps my surprise is just a reflection of my naivete. I'm not sure how Canada's laws compare to ours, but given how difficult it must be to catch someone at this, I can't imagine things are much different here in the 'States. (But then if it's so difficult, how'd they do the study???) Dave] Two Bell Canada security managers shared some startling data with us recently. In a three-month study of the Metro Toronto area earlier this summer, Bell found that 80 percent of all cellular telephone traffic is monitored by third parties. Even more eye-opening is the fact that 60 percent of monitored calls are taped for closer scrutiny and culling of marketable information. The chance of being monitored and taped is even higher in rural areas, where air traffic is lighter. Scanners cost as little as $200, and are sold in virtually every shopping mall in Toronto. Marketable information includes the obvious -- mergers, take-overs, market and product plans, but the listeners are also looking for voice/phonemail access codes and passwords. The digitized tones are translated into numbers quite easily. "Phone phreaks", the telecommunications equivalent of computer hackers, use these numbers to break into voicemail systems. One misuse which is growing in frequency is the setting up of "pirate" voicemail boxes, often by organized crime. Pirated boxes give them the ability to disseminate information on drug deals, as one example, with little or no risk of detection. We ask you to be extremely cautious when using your personal or business cellular phone. Do not discuss confidential business matters, and avoid calling in for phonemail messages via your cellular phone. David L. King, IBM SE Region Information & Telecomm Systems Services Department CAY, Mail Drop D072, 10401 Fernwood Road, Bethesda MD 20817 301 571-4349 ------------------------------ Date: Mon, 2 Nov 92 9:49:24 PST From: "Peter G. Neumann" Subject: Cellular Snooping and Privacy Issues An article by John Flinn on the front page of the San Francisco Examiner, Sunday, 1 November 1992, listed several cases of inadvertent or advertent eavesdropping, in the midst of a fine story on the problems in general. * A supposedly private conference call among SF Mayor Jordan, real-estate magnate Walter Shorenstein, and several others discussing the then not public withdrawal of George Shinn from the effort to save the SF Giants was BROADCAST on a TV frequency. * "On the first day of the Soviet coup against Mikhail Gorbachev last year, a scanner buff overheard Vice President Dan Quayle making a call from Air Force Two to Sen. John Danforth about the unfolding crisis." * "In New Hampshire, an anti-nuclear activist picked up calls made from the control room at the Seabrook nuclear plant, including one real-life Homer Simpson saying, ``I've got a bad feeling about these valves.'' " * A Green Bay Packer football player was overheard calling a male escort service and making explicit requests. * A 23-minute conversation allegedly between Princess Diana and a man who called her ``my darling Squidge'' was taped by a retired bank manager in Oxford, and transcribed in The Sun. (The woman allegedly referred to the Royal Family as ``this ****ing family''.) After discussing privacy laws, legalities, and realities, Flinn notes that at Scanners Unlimited in San Carlos, CA, "about a quarter of the customers are interested in telephone eavesdropping." ------------------------------ Date: Mon, 2 Nov 92 12:14:35 EST From: bergman@panix.com (Mark Bergman) Subject: Police and Computers Police Officials Cited for Searching Private Computer Records LOS ANGELES (AP, 30 Oct 1992) -- More than 45 police officials have been cited since 1989 for using department computers to check the backgrounds of baby sitters, house sitters and others for personal reasons, records show. "It's a very serious problem," Police Commissioner Ann Reiss Lane said. The citations came to light after a civilian Police Commission investigator was suspended 10 days for using department computers without permission to get confidential data on white supremacist Tom Metzger and actor Arnold Schwarzenegger. The union representing Robert Bauman appealed the suspension and submitted records showing that more than 45 department employees had been disciplined in the last three years for illegal computer use. Most received suspensions of two or three days or verbal reprimands. As an example, Lane said Thursday, an officer might use the computer to check the background of an individual about to marry one of the officer's relatives. Bauman's 10-day suspension without pay was upheld last week by the Civil Service Commission. Bauman, a 23-year civilian employee, said he already has served the suspension and was back at work. Bauman, a permit processor, routinely uses police computers to check the criminal records, police files, and tax records of people applying for police permits for massage parlors, gun stores and pawn shops. He said he gathered information on Metzger because he is a part-time historian who does research on right- and left-wing political groups. Bauman said he tapped into Schwarzenegger's files because a co-worker was curious about the actor. Mark Bergman 718-855-9148 bergman@panix.com {cmcl2,uunet}!panix!bergman ------------------------------ Date: Sun, 01 Nov 1992 22:24:51 CST From: "Mike" Subject: Re: Police misuse computer checks Other than the obvious RISK, I'd like to point out that much or all of the data in question here is likely kept by government mandate. On a personal note, I recently recommended to a fellow employee that she report a third employee to her supervisor for a similar thing. #3 had offered to access credit data on someone that #2 was having personal and legal trouble with. What appalled me what that neither one thought there was anything wrong with "using the system" in this way -- until I explained it in terms of *their* credit being revealed. ------------------------------ Date: Mon, 2 Nov 92 09:10:43 CET From: "E. Kristiansen - WMS" Subject: Cash displenser fraud Several Dutch newspapers recently carried the following story: The Dutch bank Rabobank has discovered a fraudulent use of their cash dispensers (The term ATM is not commonly used around here. A cash dispenser does just that - dispense cash from your bank account). After you have supplied your card, PIN, etc, banknotes for the desired amount will appear between the "jaws" of the machine. The notes are held rather firmly, and the jaws have a detection device to sense when the money has been removed. If you do not take your money within a given time, the machine will swallow it back, and undo the transaction on your account. The trick is that it appears to be possible to remove part of the stack of notes without the machine noticing. AND THE MACHINE DOES NOT COUNT THE MONEY IT TAKES BACK. Erling Kristiansen - ESTEC ------------------------------ Date: Sun, 01 Nov 1992 22:25:54 CST From: "Mike Cepek, MGI" Subject: Network is a lifesaver Here is a positive story on the RISKS theme. I have summarized from the page 1A article of the 31-Oct-92 (Mpls, MN) Star Tribune entitled: After computer note from France, a life is saved Chris Ginther, a student and computer sales clerk, logged into his home computer Wednesday evening to read his email. One message was from "Emily", a pen-pal of his for several years in Bordeaux, France. The message said she felt cold, alone and empty, that her life was futile. The message said goodbye, and that she was going to kill herself in a few hours. Across a network he contacted her -- she answered. He got her phone number and called her. Her weak, quiet voice said she wanted to die; that she had taken half a bottle of sleeping pills; that she was alone. Ginther and an AT&T operator were eventually able to explain the situation to French authorities. An ambulance soon arrived at her house, they smashed the door down, and found her barely breathing. "If we came one minute later," a paramedic said, "she would have been dead." Ginther has since received messages from Emily as well as her family for his heroic role. Emily regrets her foolish act, and is feeling better about her life now. Fortunately, Ginther doesn't wait until morning to read his email. ------------------------------ Date: Mon, 2 Nov 92 11:07:31 PST From: rslade@sfu.ca Subject: Pay-per-call-back-verify Padgett Peterson was telling me about his recent success in getting a BBS set up with one of the new modems with a "caller-id" feature. I think this is going to be a feature that a lot of sysops are going to want. It happened that just last week I had a request to look into a security problem for a local sysop. He is concerned with security and misuse of his board, and so he has installed a call-back-verify system to check out callers. If he can't call back and get a confirmed phone number, they don't get an account. Many sysops use this to avoid having to "voice verify" each and every caller. Most call back verify systems have an option that will prevent the system from returning long distance calls. Obviously, this will also apply to "900" pay-per-call numbers. Padgett reminds me that recently there was a scam in New York wherein pager wearers were "paged" by "576" pay-per-minute calls. The problem in Vancouver is that BC Tel has recently started up pay-per-call numbers, but they do not yet have identifiable prefixes. Therefore, ankies have been calling various BBSes that have call-back-verify, and leaving these pay-per-call numbers. The sysop who talked to me had lost about $50 in the last month, and this has only just started. Vancouver Inst. for Research into User Security, Canada V7K 2G6 604-526-3676 Robert_Slade@sfu.ca ROBERTS@decus.ca rslade@cue.bc.ca p1@CyberStore.ca ------------------------------ Date: Fri, 30 Oct 1992 10:54:22 GMT From: Brian.Randell@newcastle.ac.uk Subject: Re: London Ambulance Service Despite all the other news, this story is still getting extensive coverage here in the UK. The Independent's follow-up today (30 Oct.) to yesterday's front page story appears as the main story on page 2. It identifies - for the first time as far as I am concerned - the software company involved (Systems Operations - a company I have not heard of before) and adds quite a bit of detail and commentary to the original story, so again I thought it appropriate to submit the complete item (without permission) to RISKS. Brian Randell Dept. of Computing Science, The University, Newcastle upon Tyne, NE1 7RU, UK Brian.Randell@newcastle.ac.uk +44 91 222 7923 FAX = +44 91 222 8232 SOFTWARE FAILURE "MAY BE BEHIND AMBULANCE CRISIS" By Susan Watts and Ian McKinnon Computer specialists yesterday said that the system blamed for this week's crisis at the London Ambulance Service appeared to ignore basic tenets for software where breakdown would put lives at risk. The failure of the computer system over 36 hours on Monday and Tuesday, which was said to have cost between 10 and 20 lives, raised serious questions about the way it was designed and tested, experts said. Yesterday, the software company involved, Systems Options, refused to comment. Leaders of London's ambulance staff last night revealed they had given the services's new chief executive three days to review the efficiency of the computer system. Organisers of the public employees' union, Nupe, said they would have preferred the Computer Aided Dispatch system to have been shut down because it was a danger to the lives of patients. But Chris Humphreys, the union's London regional organiser, said they had chosen to allow a short period of grace to Mark Gorham, the acting chief executive who replaced John Wilby after his resignation in the wake of an outcry over delays of up to 11 hours in the arrival of emergency vehicles. However, Mr. Hunphreys refused to disclose what action the union planned to take if the management refused to meet its demands or arrive at a satisfactory compromise. He emphasised that by reverting to the system in use prior to full computerisation on Monday and Tuesday, patients' lives were still at risk. Ambulance staff argue that the system of partial computerisation, used in conjunction with radio and telephone to send ambulances to emergency calls, had already led to 45 deaths in the capital because of delays. However, Mr. Gorham yesterday held out an olive branch when he met union leaders by promising to conduct a full investigation into the 20 deaths ambulance staff said were the result of delays and breakdown earlier in the week. Robin Bloomfield, a consultant who advised the Government on a programme to promote the safety of computer-controlled systems, said it was a fundamental requirement for this kind of system to have several layers of defence against fialure. He said the ambulance service was asking a lot of its computer system. "With about a million calls a year the system has to be more reliable than a nuclear reactor protection system. I would expect to see a detailed safety case for justifying its operation, and several different back-up systems". He said that as the system originally went into operation, the only back-up it appeared to have was the expectation that people would make their own arrangements if the system failed. "Safety critical" software should always be passed to an independent assessor to make sure it does what it is supposed to, and passes safety checks. This is standard practice as part of the "safety culture" of companies in the nuclear and transport industries which often use software on which people's lives depend. Such software should have at least one back-up system which could be manual, electronic or even an administrative procedure, ready to switch into operation should something go wrong. Mr. Bloomfield said. "You would very rarely rely on a single system." Extra calls on Monday exacerbated the situation, but the computer system should have been designed to cope with this. Tom Anderson, a director of the Centre for Software Reliability in Newcastle upon Tyne, said: "If you are getting overload the system should go into a fall-back mode". [...] More than a quarter of accident and emergency ambulances from the London Ambulance Service are failing to meet performance standards in the Patient's Charter, Tom Sackville, Under-Secretary of State at the Department of Health, said in a written Commons answer yesterday. The Charter sets a 14-minute response time as the standard for London. Latest statistics, for 1990-91, show 26.3 per cent falling below it, even though in 11 per cent of cases ambulances were able to respond in just seven minutes. ------------------------------ Date: Sun, 1 Nov 92 18:05:59 GMT From: John Jones Subject: Failure of London Ambulance despatch system Today's `Independent on Sunday' (1st November, 1992) has further details relating to the failure of the automatic despatch system introduced by the London Ambulance Service last Monday. While it is difficult to get hard detail from a newspaper article, some of the points made include: - the despatch system could not distinguish between duplicate calls relating to the same incident. In some cases several ambulances turned up to respond to the same incident. - logged calls were lost. One particular case is related in detail, in which a disabled woman was trapped in her chair by the body of her collapsed husband. She called the LAS every 30 minutes, on each subsequent call being told that there was no trace of the earlier call. An ambulance eventually arrived 2.75 hours after the initial call, by which time the husband had died. The article also relates details of the pathetic attempt by the LAS and government to `manage' the publicity over the failure. When the LAS management eventually pulled the system out, on Tuesday, they initially tried to ``deflect blame onto the staff''. On wednesday, a government minister announced that the `computer had broken down'. John Jones, Department of Computer Science, University of Hull, UK. ------------------------------ Date: Mon, 2 Nov 92 09:43:48 -0800 From: tcmay@netcom.com (Timothy C. May) Subject: Alarmism and Prof. Denning Newsgroups: sci.crypt As you know, there has been a huge response to the "key registration" idea. I posted a synopsis of the Dorothy Denning proposal in sci.crypt as "A Trial Balloon to Ban Encryption?" So far, over 200 responses to this "risk." The following piece was posted a few days ago (Friday) to sci.crypt. --Tim May, 408-688-5409, tcmay@netcom.com Date: Thu, 29 Oct 1992 23:29:53 GMT Newsgroups: sci.crypt From: tcmay@netcom.com (Timothy C. May) Subject: Alarmism and Prof. Denning Organization: Netcom - Online Communication Services (408 241-9760 guest) Several people have complained, either in this group or in e-mail to me, that some of my recent comments have been alarmist and detract from what they consider to be my otherwise well-taken points. Fair enough. In one posting I said "Be afraid. Be _very_ afraid." I assumed most folks would recognize this as the tag line from the movie "The Fly." I thought it euphonius, so I borrowed it. In any case, having some fear of what governments may do to us seems to me to be a healthy thing. I took great care to be as reasonable and as calm as possible a few days ago when I posted the first message in this thread ("A Trial Balloon to Ban Encryption?"). Clearly the key registration idea is controversial. Now let me be even _more_ reasonable. I think Professor Denning has done us a great service, as it has gotten some healthy debate going about these very important issues. The more than 130 messages, most of them making excellent points, in this group (and a few others, peripherally) indicate the intense interest and scrutiny this subject has attracted. Dorothy Denning has long been involved in crypto (she wrote the book, so to speak) and more recently in hacker matters, as detailed in Bruce Sterling's new book "The Hacker Crackdown." To assume she is somehow pushing this idea, in the legislative sense, seems unfounded. It seems to me that she thought about some of the serious implications of widespread crypto use, developed some ideas (as Ron Rivest did last summer in an article in "IEEE Spectrum"), and talked about them at the recent Computer Security Conference. Now we may think her particular idea is wrong, for political and technological reasons, but we should not villify her for floating the idea. I used the term "trial balloon" in perhaps a way I should not have. It may have suggested to some that Prof. Denning, who recently relocated to the Washington, D.C. area, is part of a cabal of crypto advisors who are plotting the next stage of our enslavement. (A smiley) So far as I know--and I hope we'll find out soon enough--there is no proposed legislation along the lines Prof. Denning suggested. I doubt she was acting as an agent for the Feds in floating this idea. Just academic freedom at work. Furthermore, I favor the open discussion of ideas. I am not one to fear discussing some new idea, or technology, or whatever, for fear it will "give Them ideas" or catalyze a crackdown. In an open society like ours, debate is healthy. I am happy this issue, which is one of several important crypto policy issues that have been simmering for a long time, has come to prominence. I look forward to seeing the debate here. (The only thing that worries me is that folks may get so clever, cryptographically speaking, that they patch the flaws in the key registration proposal and thus make it more likely to become law. Let's not lose cite of the fundamental issues surrounding liberty, surveillance, and privacy. But since nearly everyone who has posted so far seems strongly committed to civil liberties, these worries are minimal.) On with the debate. Timothy C. May tcmay@netcom.com 408-688-5409 W.A.S.T.E.: Aptos, CA ------------------------------ Date: Mon, 2 Nov 1992 11:50:30 -0500 From: kim%phaedrus@uunet.UU.NET (T. Kim Nguyen, kim@watnow.uwaterloo.ca) Subject: Blockbuster announces plan to use data from video rentals [Forwarded to RISKS by T. Kim Nguyen, Systems Design Engineer, Document Imaging Systems, JTS Computer Systems Ltd., Toronto kim@watnow.uwaterloo.ca k.nguyen@ieee.org, kim@jts.com uunet.ca!jts.com!kim] Newsgroups: comp.privacy,alt.privacy Date: Wed, 28 Oct 1992 17:05:34 GMT From: nagle@netcom.com (John Nagle) Keywords: Blockbuster video data privacy dossier database Organization: Netcom - Online Communication Services (408 241-9760 guest) Blockbuster Entertainment Corp. announced plans to used its database of 30 million Blockbuster video club members as part of its marketing push into the music business. Blockbuster is acquiring the 7th largest and 12th largest record chains from Shamrock Holdings, Inc, which will make Blockbuster the 7th largest record retailer by the end of November. Blockbuster sees many opportunities to cross-market home videos and music. Mr. Steven R. Berrard, vice-chairman of Blockbuster, said that Blockbuster could offer free video rentals to customers who buy music from Blockbuster record stores. This works both ways; he was quoted as saying "If you rent a Disney animated film for your children, I know there might be music that appeals to them. This is a significant plus." He, and Mr. Joseph R. Baczso, speaking to reporters and financial analysts in New York, said one of the company's strengths in music retailing will be its base of 30 million Blockbuster video club members and the data it has on those customers. Whether or not such use of personal data would be a violation of the Video Rental Privacy Act remains to be seen. John Nagle (ref: Wall Street Journal, 10/28, p. B6). ------------------------------ End of RISKS-FORUM Digest 13.89 ************************