Subject: RISKS DIGEST 14.44 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Monday 29 March 1993 Volume 14 : Issue 44 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: The FORTRAN-hating gateway (Joe Dellinger) Call for the Class of '88 (Ed Ravin) If they mention flying saucers, they're out to get you (Derek Cooper via Christopher Maeda) Computer problems at Empire Blue Cross (Robert Wentworth) Fantasy Baseball Journal Virus (Ed Amoroso) Reported procedural problems with TCAS (John Dill via Lorenzo Strigini) Dutch hacker in jail for another month (Hans van Staveren) Correcting computer information held on you (Peter Debenham) Re: Conspiracy trial ends in ... acquittal (Anthony Naggs) Re: Software Warranties (Geoff Pike) Akron BBS Sting Update 3 (David Lehrer) Virginia voters & Social Security Numbers (Jeremy Epstein) SSN in the news -- Charles Osgood (Chris Phoenix) Court Bans SSN Disclosure (Dave Banisar) The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Fri, 26 Mar 93 23:04:46 HST From: "Joe Dellinger" Subject: The FORTRAN-hating gateway Several months ago we started noticing that (now and again) the network connection to the mainland would become very very slow; this would continue for 10-15 minutes or so, then all would suddenly be well again. A while after this started happening a coworker of mine complained to me that the connection to the mainland _never_ worked anymore. It seems that he had some FORTRAN source that he needed to copy to a machine on the mainland, but he never could because "the network wouldn't stay up long enough for the ftp to complete". Yes, it turned out that the network outages happened whenever he attempted to ftp that _particular_ FORTRAN source file to the mainland. We next tried compressing the file; it copied just fine then (but unfortunately the machine on the mainland had no uncompress program, so it was still no go). Finally we "split" his FORTRAN program up into very small pieces and sent them one at a time. Most of the pieces would copy without trouble, but a few would either not go at all or only go after many _many_ retries. Examining the troublesome pieces, we found they all had one thing in common: they contained comment blocks that began and ended with lines consisting of nothing but capital C's (his preferred FORTRAN commenting style). At this point we started sending e-mail to the network gurus on the mainland asking for help. Of course, they wanted to see an example of our un-ftp-able files, so we mailed some to them... but our mail never got there. Finally we got the bright idea of simply _describing_ what the unsendable files were like. That worked. :-) [Dare I include in this message an example of one of the offending FORTRAN comment blocks? Probably better not!] Eventually we were able to piece together the story. A new gateway had recently been installed between our part of campus and the connection to the mainland. This gateway had GREAT difficulty transmitting packets that contained repeated blocks of capital C's!!!! Just a few such packets would occupy all its energies and prevent most everything else from getting through. At this point we complained to the gateway manufacturer... and were told "Oh, yes, you've hit the repeated C's bug! We know about that already.". Eventually we solved the problem... by buying new gateways from another manufacturer. (In the manufacturer's defense I suppose an inability to propagate FORTRAN programs might be considered a feature by some!) ------------------------------ Date: Mon, 29 Mar 1993 18:03:17 GMT From: eravin@Panix.Com (Ed Ravin) Subject: Call for the Class of '88 I Found the squib below on the Prodigy service -- QUIRKS Offbeat Computer News Mary Bandar recently turned down an invitation to attend kindergarten with others born in '88. "Boy, wouldn't those kids ever be surprised when they see me coming to school," Bander, 104, told the Associated Press. "Why would they want me? I know the ABCs yet. And I can count to 10," said the Winona, Minn, resident, who was born in 1888. Sister Mary Donald Miller, superintendent of Winona Area Catholic Schools, told the AP that the mix-up occurred when school officials instructed a computer to search for the names of people born in '88. The RISKS aware person might ask a few more questions-- which computer was the school using? Where is this central database of all the people in Winona, Minnesota? Who puts the data into it, and who decides who else can pull the data out? I expect that as we approach the millenium, we'll see a lot more of these "off by a century" errors. Ed Ravin eravin@panix.com philabs!trintex!elr +1 914 993 4737 ------------------------------ Date: Sun, 28 Mar 93 12:29:15 EST From: Christopher Maeda Subject: If they mention flying saucers, they're out to get you Date: Tue, 23 Mar 1993 14:33:00 BST Subject: if they mention flying saucers, they're out to get you From: Derek Cooper From the London Times today (I did check that it's not April 1st!)- Officers in Warrington Cheshire fed up with people listening in to their messages, broadcast that a flying saucer had crash-landed in a field & gave details of where to find it. Radio messages about a huge glowing spacecraft were broadcast with the warning "Do not approach. It may be radioactive." The warning was followed by directions to the field in Appleton. The eavesdroppers arrived within minutes, expecting to see little green men. They were arrested instead. Police said that 5 people had been reported to the Crown Prosecution Service for telecommunications offences. Scanning devices that can pick up police radio messages are widely available but using them to listen to police transmissions is an offence. [I have seen this on several groups. There is a question whether it is actually illegal if you are merely listening, as opposed to doing something about it. PGN] ------------------------------ Date: Mon, 29 Mar 93 15:47:43 EST From: rhw@hoh-1.att.com (Robert Wentworth) Subject: Computer problems at Empire Blue Cross From a NY Times article (3/29/93, p. A1,B2) on financial and management problems at NY state health insurer Empire Blue Cross/Blue Shield: Empire was forced to write off $50 million that had gone uncollected or unbilled because of computer problems dating to the mid-1970's, according to an internal report obtained by The New York Times. One glitch involved a computer system that could not understand bills of $100,000 or more. A $103,000 charge, for example, would be interpreted as only $3000, and the smaller amount would be billed to the client. That failure occurred 29 times and cost Empire $3 million, the report said. [Management comments about such problems being ancient history and Empire's real problems lying elsewhere.] Still, the computer problems persist. An expensive new electric system for handling claims --- being developed by a former board member --- was expected to be finished about 18 months ago, but is not likely to be completed until later this year. Empire has invested $17 million in that venture. ------------------------------ Date: Thu, 25 Mar 93 08:37 EST From: ega@neptune.att.com Subject: Fantasy Baseball Journal Virus As baseball season is upon us, those who belong to fantasy leagues begin to devour all available material about players, statistics, injuries, and so on. One such supplier of these needed facts and opinions, The Fantasy Baseball Journal, recently apologized for a particularly buggy issue. They attribute the printing errors to a "so-called virus that has seeped onto our computer network." This is not so startling, as we all know this kind of thing can happen. What is startling is the claim in the FBJ that "if [the virus] is the problem, then that's solvable." Perhaps these baseball statisticians are smarter that we thought... -- Ed Amoroso, AT&T Bell Labs ------------------------------ Date: Fri, 26 Mar 93 14:38:45 MET From: Lorenzo Strigini Subject: Reported procedural problems with TCAS, from sci.aeronautics From: ak336@cleveland.Freenet.Edu (John Dill) Newsgroups: sci.aeronautics Subject: TCAS Glitchs Date: 25 Mar 1993 14:48:47 GMT Organization: Case Western Reserve University, Cleveland, OH (USA) NNTP-Posting-Host: slc10.ins.cwru.edu I've been a controller at the Cleveland ARTCC for 22 yrs. I've always welcomed the arrival of any new procedure or technology that can enhance our ability to safely separate air traffic. TCAS has proven to be one such aid. However, a problem has been discovered which has the potential to be disastrous. Here is the problem: Aircraft "A" is climbing to an assigned altitude of 23,000' (as an example), while aircraft "B" is descending to an assigned altitude of 24,000'. The two a/c are on converging courses and their combined verticle closure rate is high, in this case we'll say about 6000' fpm. TCAS (on each aircraft) does what is called a coordinated interrogation, meaning the equipment talks back and forth and decides on the best resolution. Of course, the TCAS has no way of knowing the aircraft are intending to both level off 1,000' apart, so it issues a resolution advisory (RA) to both flight crews telling them to INCREASE their respective rates of climb and descent. This is in direct conflict to the controllers clearances. Only after the controller notices the mode c readouts deviating from the assigned altitudes is he aware of a problem. (actually, the frightcrews (pun intended) are required to inform the controller that they are responding to a TCAS RA, but due to frequency blockage, other duties, etc. this may not happen. Upon seeing the deviation, the controller attempts to have the aircraft return to their assigned altitudes. There have been several incidents similar to this fictional one. The loss of separation has been severe (as little as 200') and resulted from the crews confusion on who's instructions to follow. In the past few weeks, the FAA has issued directives to all controllers to NOT attempt to countermand a TCAS RA. By following only the TCAS RA, it is felt that the separation, even though less than standard, will be sufficient. John ------------------------------ Date: Thu, 25 Mar 93 9:53:23 MET From: Hans van Staveren Subject: Dutch hacker in jail for another month The so-called hacker, the twenty-year-old Ronald O., whom we caught on one of our PC's doing things as yet unknown at Delft University, will be in temporary custody (or whatever the correct English term for that is) for 30 more days. This is to give the police more time to gather evidence. According to the papers, forged credit cards were found while searching his home, and that also will not help his case. He is supposedly unwilling to answer any questions at this point, but is charged with crimes that could send him to jail for a maximum of four years. Although I am definitely not suggesting he is a nice guy, somehow I have some difficulty connecting this nervous kid in our room with a sentence of four years. I hope that being the first to be caught under the new law, and in the act to boot, is not going to give him too much extra attention from law officers. Never forget the RISK of someone dying to try out his new toy. This goes for hackers and law enforcement personnel alike. Hans van Staveren, Vrije Universiteit, Amsterdam, Holland ------------------------------ Date: 26 Mar 93 13:36:39 GMT From: Peter Debenham Subject: Correcting computer information held on you Over the past couple of weeks it has been pleasant to see the dangers of faulty information held on computer being acknowledged in Britain. Under the Data Protection Act (1986) in this country a Data Protection Registrar was set up to monitor uses of computers to store personal information and to be an independent source of help to get faulty data corrected. Recently a television advert has been running showing clips of actors mentioning problems that can happen with computer systems (My building society thinks I died three years ago, According to my bank I have a criminal record etc.) finishing with the address of the Data Protection Registrar and a voice-over saying that if you have problems with faulty information held on you to contact him. People in other countries might like to know that it is possible to for officialdom to acknowledge risks of faulty information. Peter Debenham, Physics Dept., University of Nottingham, UK. NG7 2RD + 602 515151 x8323 (wk) +602 730487 (hm) P_Debenham@ppn1.nott.ac.uk ------------------------------ Date: Thu, 25 Mar 93 23:39 GMT From: Anthony Naggs Subject: Re: Conspiracy trial ends in ... acquittal (Bowen, RISKS-14.42) Drawing on a variety of newspaper and magazine articles I hope I can sketch a slightly wider picture of the case. The best overall article I have seen is in this week's New Scientist, (27 March 1993), which I recommend for further reading. A little terse I'm afraid, but here is my precis: On 26 June 1991 British police arrested 3 men who had been cooperating in hacking a number of university, government and commercial computer systems across the world. Individually they used the handles "Gandalf", "Wandaii" and "Lizard", collectively they called themselves the "Eight Legged Groove Machine". They left messages to system managers on some hacked systems signed "8LGM" or "Eight Little Green Men". They did not meet, or even know each others real names and addresses, until they were introduced by the arresting officers, but discussed hacking, passwords and vulnerable systems on bulletin boards and hacked systems. Karl Strickland, 22, of Liverpool and Neil Woods, 26, of Oldham in Lancashire were charged with conspiracy to dishonestly obtain telecommunications services, having pleaded guilty they are waiting to be sentenced. Paul Bedworth, then 18, of Ilkley in West Yorkshire was charged with two counts of conspiracy under the Computer Misuse Act, and one of conspiring to dishonestly obtain telecommunications services. It is interesting that the Crown Prosecution Service chose to charge Bedworth with conspiracy, rather than a simpler charge of unauthorised access to/modification of a computer system. This decision was the foundation of the acquittal, requiring the prosecution to demonstrate that he had a "guilty mind" at the time of the hacking. In court Bedworth's solicitor, (lawyer to you US folks), claimed that the case was a show trial, and brought in a psychiatric expert who described Bedworth as having a "nonchemical dependence" on using a computer. It is hard to see how a compulsion to use computers, or even to hack, can be adequate grounds for acquittal, indeed the judge quite clearly directed the jury to disregard this. Nevertheless the jury returned not guilty verdicts on all charges. It is impossible to know their reasoning, as it is a criminal offence to publish any details of the jurors deliberations. Much of the press, including the New Scientist article, represent this as setting a legal precedent. Firstly, this doesn't make sense, because nobody can say what the supposed precedent is. Secondly, only the ruling of a judge can do this, (subject to appeal to a higher courts, ..). In this case we can do little but accept that our jury system has again demonstrated it's unpredictability. Though this is of little consolation to those institutions who suffered expensive tampering with their systems, and had to foot tens of thousands of pounds of phone bills, due to the actions of these men. Anthony Naggs, Software/Electronics Engineer, (and virus researcher) Phone: +44 273 589701 Email: amn@vms.brighton.ac.uk ------------------------------ Date: Thu, 25 Mar 93 23:21:36 -0800 From: Geoff Pike Subject: Re: Software Warranties (Robinson, RISKS-14.43) > ...places that make computer programs are refusing to guarantee {anything}. >This is as it should be. The risk is not that software might not work; the >risk is that people blindly assume that it worked, is working, or will work. A mildly related thought is that the following sort of problem will frequently rear its ugly head in the near future: An engineer (or architect, etc.) screws up and is sued, but the problem is traced back to a faulty piece of third-party software that he or she used. Now the court must try to untangle the liabilities, a process that will require detailed technical knowledge that no judge or jury is likely to have. Geoff Pike (pike@cs.berkeley.edu) ------------------------------ Date: 27 Mar 93 11:40:58 EST From: David Lehrer <71756.2116@compuserve.com> Subject: Akron BBS Sting Update 3 (See RISKS-14.43) The following is an editorial published in the Akron Beacon Journal on Wednesday, March 24, 1993. This editorial is copyrighted by the Akron Beacon Journal, and commercial use or resale of this article is forbidden. Permission to post this editorial in its entirety has been generously granted by Mr. David B. Cooper, Associate Editor. MUNROE FALLS CARRYOUT Akron Beacon Journal (AK) - WEDNESDAY March 24, 1993, A14 The Fourth Amendment to the Constitution was written to safeguard ordinary citizens against unreasonable search and seizure. Recently, however, law-enforcement officials have taken to seizing possessions of convicted and suspected criminals, particularly drug dealers. In the case of 23-year-old Munroe Falls resident Mark Lehrer, police confiscated a sophisticated, $3,000 computer setup, programs and disks on the suspicion that he might be letting kids look at dirty pictures. That charge was never proved. In fact, it appears that police received only one or two complaints about his computer bulletin board, none from area parents. Lehrer contends a clerical error put the pornography into files accessible to all the bulletin board's users, not just adults. Police enlisted a 15-year-old, falsified his identity for a membership and then helped the teen call up a possibly offending program. But, when the Summit County grand jury refused to indict the University of Akron computer whiz on the original charges, Munroe Falls police filed other charges based on the possibility that some of the programs in Lehrer's private collection contained pictures of minors. Lehrer did plead guilty to a misdemeanor charge of 'attempted possession of criminal tools' -- his computer -- based on those subsequent charges. No one downplays the seriousness of crime in our society, whether it's in the suburbs or inner cities. None argue that children should be able to view pornography. But in the absence of compelling evidence that Lehrer was trying to peddle child porn to kids, either at the outset of this case nine months ago or now, it could appear that the police acted hastily in confiscating the computer. Such actions invite questions as to whether the police were protecting against a child pornographer or using the intimidating powers of the police and judicial system to help themselves to a nice hunk of expensive machinery. dl ------------------------------ Date: Thu, 25 Mar 93 10:49:49 EST From: epstein@trwacs.fp.trw.com (Jeremy Epstein) Subject: Virginia voters & Social Security Numbers In a copyrighted story, the March 24 Washington Post includes an article describing a ruling by the 4th Circuit Court of Appeals that Virginia's law requiring a SSN to register to vote is unconstitutional. The decision is being hailed by civil rights groups as a victory for the 4 million Virginians who are registered to vote. Because voter roles are public information, registering to vote is equivalent to publishing your SSN. The judges wrote "The harm that can be inflicted from the disclosure of a Social Security Number to an unscrupulous individual is alarming and potentially ruinous.... The statute at issue compels a would-be voter in Virginia to consent to the possibility of a profound invasion of privacy." A spokesperson for the Virginia Attorney General's office said they have not decided whether to appeal the ruling. The case was brought by Marc Alan Greidinger, a 29-year-old Fredricksburg lawyer (who represented himself) after he was denied the right to register to vote because he refused to reveal his SSN. Greidinger said that during the lawsuit he gave his SSN who was able to get his current balance on two loans, last payment dates, and university transcripts. It is not believed that the ruling will affect other state agencies (such as motor vehicles) which require SSNs, because those are not considered public records. The article mentions help from the Public Citizen Litigation Group (one of the Ralph Nader organizations), and quotes the legal director for the ACLU, which was not involved in the case. [I guess the "good guys" won one!] ------------------------------ Date: Thu, 25 Mar 93 09:50:54 PST From: chrisp@efi.com (Chris Phoenix) Subject: SSN in the news Our local "News Radio 74" has a feature called "the Osgood File" in which Charles Osgood talks for several minutes. This morning his topic was Social Security numbers. He said a little, but missed some very important points. He talked about the invasions of privacy that were possible with someone else's SSN, but said only one or two sentences about possible loss of money. He mentioned that cards used to say "Not to be used for ID purposes" and don't say that anymore, but did not talk at all about which uses are actually illegal. He talked about a lawyer in Virginia (?) who sued the election officials because they required his SSN to register to vote and then sold the lists to special interest groups. But he did not say anything about all the other abuses that happen, and especially did not give any advice on how to reduce your risk. I was disappointed with the report. He could have given some very useful information about our rights and the danger of SSNs, but aside from a closing comment about "Remember, if they've got your Social Security number they've got your number!" there was almost nothing in the report that was actually useful to a listener. Chris Phoenix chrisp@efi.com 415-286-8581 ------------------------------ Date: Fri, 26 Mar 1993 17:21:41 EST From: Dave Banisar Subject: Court Bans SSN Disclosure PRESS RELEASE, March 26, 1993 "FEDERAL APPEALS COURT UPHOLDS PRIVACY: USE OF SOCIAL SECURITY NUMBER LIMITED CPSR Expresses Support for Decision" A federal court of appeals has ruled that Virginia's divulgence of the Social Security numbers of registered voters violates the Constitution. The Court said that Virginia's registration scheme places an "intolerable burden" on the right to vote. The result comes nearly two years after Marc Greidinger, a resident of Falmouth, Virginia, first tried to register to vote. Mr. Greidinger said that he found it nearly impossible to obtain a driver's license, open accounts with local utilities or even rent a video without encountering demands for his Social Security number. Mr. Greidinger told the New York Times this week that when the State of Virginia refused to register him as a voter unless he provided his Social Security number he decided to take action. He brought suit against the state, and argued that Virginia should stop publishing the Social Security numbers of voters. This week a federal appeals court in Richmond, Virginia ruled that the state's practice constituted "a profound invasion of privacy" and emphasized the "egregiousness of the harm" that could result from dissemination of an individual's SSN. Computer Professionals for Social Responsibility (CPSR), a national membership organization of professionals in the computing field, joined with Mr. Greidinger in the effort to change the Virginia system. CPSR, which had testified before the U.S. Congress and the state legislature in Virginia about growing problems with the misuse of the SSN, provided both technical and legal support to Mr. Greidinger. CPSR also worked with Paul Wolfson of the Public Citizen Litigation Group, who argued the case for Mr. Greidinger. In an amicus brief filed with the court, CPSR noted the long-standing interest of the computing profession in the design of safe information systems and the particular concerns about the misuse of the SSN. The CPSR brief traced the history of the SSN provisions in the 1974 Privacy Act. The brief also described how the widespread use of SSNs had led to a proliferation of banking and credit crime and how SSNs were used to fraudulently obtain credit records and federal benefits. CPSR argued that the privacy risk created by Virginia's collection and disclosure of Social Security numbers was unnecessary and that other procedures could address the State's concerns about records management. This week the court of appeals ruled that the state of Virginia must discontinue the publication of the Social Security numbers of registered voters. The court noted that when Congress passed the Privacy Act of 1974 to restrict the use of the Social Security number, the misuse of the SSN was "one of the most serious manifestations of privacy concerns in the Nation." The Court then said that since 1974, concerns about SSN confidentiality have "become significantly more compelling. For example, armed with one's SSN, an unscrupulous individual could obtain a person's welfare benefits, or Social Security benefits, order new checks at a new address, obtain credit cards, or even obtain the person's paycheck." The Court said that Virginia's voter registration scheme would "compel a would-be voter in Virginia to consent to the possibility of a profound invasion of privacy when exercising the fundamental right to vote." The Court held that Virginia must either stop collecting the SSN or stop publicly disclosing it. Marc Rotenberg, director of the CPSR Washington office said, "We are extremely pleased with the Court's decision. It is a remarkable case, and a real tribute to Marc Greidinger's efforts. Still, there are many concerns remaining about the misuse of the Social Security number. We would like to see public and private organizations find other forms of identification for their computing systems. As the federal court made clear, there are real risks in the misuse of the Social Security number." Mr. Rotenberg also said that he hoped the White House task force currently studying plans for a national health care claims payment system would develop an identification scheme that did not rely on the Social Security Number. "The privacy concerns with medical records are particularly acute. It would be a serious design error to use the SSN," said Mr. Rotenberg. Cable News Network (CNN) will run a special segment on the Social Security number and the significance of the Greidinger case on Sunday evening, March 28, 1993. The Court's opinion is available from the CPSR Internet Library via Gopher/ftp/WAIS. The file name is "cpsr/ssn/greidinger_opinion.txt". The CPSR amicus brief is available as "cpsr/ssn/greidinger_brief.txt". CPSR is a national membership organization, based in Palo Alto, California. CPSR conducts many activities to protect privacy and civil liberties. Membership is open to the public and support is welcome. For more information about CPSR, please contact, CPSR, P.O. Box 717, Palo Alto, CA 94302, call 415/322-3778 or email cpsr@csli.stanford.edu. ------------------------------ End of RISKS-FORUM Digest 14.44 ************************