Subject: RISKS DIGEST 14.65
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Sunday 30 May 1993  Volume 14 : Issue 65

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Flight control computers `to bypass pilots' (Brian Randell)
  UK Hacker trial (Brian Randell)
  Computerised Intensive Care Unit (Håkan Karlsson)
  Computerized telephone solicitations (Jane Beckman)
  Credit-card retention by phone number (Andrew Koenig)
  Cash machine keypad risk? (Paul Potts)
  Stop The Madness! (Arthur R. McGee)
  The risks of teaching about computers and the law (Peter D. Junger)
  Disaster Avoidance & Recovery Conference & Exhibition May 26-28 (Nigel Allen)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 20 May 1993 11:38:26 +0100
From: Brian.Randell@newcastle.ac.uk
Subject: Flight control computers `to bypass pilots'

[In the following item, the statement: "The system also ensures that no mistakes are made" especially caught my eye! And I imagine that RISKS readers such as Don Norman will have something to say about: "[Pilots] will control by exception, in other words leaving all routine tasks to be done automatically by the computers."

Brian Randell, Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK  Brian.Randell@newcastle.ac.uk  +44 91 222 7923]

Flight control computers 'to bypass pilots'
The Independent (a national UK paper), 19 May 93
Christian Wolmar reports on a new electronic system for air communications

While aircraft flown with the aid of computers have transformed the role of pilots, communications between aircraft and ground control have changed little since the early days of aviation. "Roger" and his pal "out" still feature prominently, and misunderstood instructions have led to several crashes.

All that is set to change. Yesterday the first test demonstration of equipment which will allow pilots and air traffic controllers to communicate through computers was held. An experimental BAC 1-11 "flying laboratory", belonging to the Defence Research Agency at Bedford, flew above East Anglia sending and receiving messages on its on-board computer.

This project, called the Experimental Flight Management System, is part of a Europe-wide programme that is expected to enable commercial aircraft to begin communicating in this way by 1998, saving time and reducing the risk of accidents.
Trevor Gilpin, programme manager for the National Air Traffic Services, the organisation responsible for air traffic control, says the new system has many advantages: "The airwaves are getting very cluttered and would not be able to cope with the expected doubling of air traffic over the next 15 years. The system also ensures that no mistakes are made."

Pilots will be able to get weather information on their screens, whereas at the moment they can only do so by tuning to a special radio frequency.

The messages from ground control can also go direct to the plane's auto pilot, which raises the possibility, already mooted by the European aircraft manufacturing consortium Airbus, that pilots may become redundant. Aircraft could be controlled from the ground with a person in the cockpit as a failsafe. A ground-based computer could ensure pilots have carried out its instructions and send a warning if they have failed to do so.

Mr Gilpin feels that there will always be a pilot but accepts that the role of both pilot and air traffic controller will be different: "They will control by exception, in other words leaving all routine tasks to be done automatically by the computers."

At the core of the system is a new form of radar communication, called Mode S, which allows information to be transmitted electronically. For it to be used widely, new transmission centres will have to be built throughout Europe. Mode S allows aircraft to be tracked in four dimensions - including time - which enables tighter control of airspace, reducing delays. Partial introduction of the system is expected in 1996.

Electronic information also needs to be sent between air traffic control centres and already nine, mainly in northern Europe, are able to send messages to each other's computers. This is reducing delays since previously air traffic control centres had to telephone each other with flight plan information.
The urgency of introducing the new system was highlighted last month in a letter to Flight International in which a pilot said that air communications between the Far East and Eastern Europe were so bad because of high demand and old equipment that an accident appeared inevitable. He said: "If and when an accident does occur, I can imagine the amount of words which will be spoken and published in the press and official inquiries wondering how a state of affairs like this has been allowed to exist for so long."

A long-haul pilot also told the Independent that at times he was unable to contact ground control when there were bad radio conditions over the Atlantic "while the guy in the back can phone his wife on a mobile telephone using satellite links".

------------------------------

Date: Wed, 26 May 1993 15:50:41 +0100
From: Brian.Randell@ncl.ac.uk (Brian Randell)
Subject: UK Hacker trial

Hackers given six months for 'intellectual joyriding'
The Independent, 22 May 1993, STEPHEN WARD

TWO COMPUTER hackers given six-month prison sentences yesterday were the first to be jailed under legislation, passed in 1990, to outlaw the practice. Neil Woods, 24, and Karl Strickland, 22, had pleaded guilty to the offences.

In March, Paul Bedworth, a Yorkshire schoolboy who regularly communicated with Woods and Strickland, and was arrested at the same time, was cleared of similar charges by a jury after a 15-day trial. He had pleaded not guilty and claimed that he had become addicted to hacking.

All three were trapped by sophisticated police and British Telecom telephone tracking in several countries.

Before the 1990 Computer Misuse Act, those who gained access to other people's computer networks had to be prosecuted for causing damage or stealing information, but in the case which ended yesterday the judge accepted that the accused had not been intending to cause damage, and had not profited in any way.
Sentencing the two graduates at Southwark Crown Court, Judge Michael Harris said: "I have to mark your conduct with prison sentences, both to penalise you for what you have done and for the losses caused, and to deter others who might be similarly tempted."

The offences were committed over three years before and after the 1990 Act was passed.

Strickland, a research assistant at Liverpool University, and Woods, of Chadderton, Oldham, Greater Manchester, a computer salesman and computer science graduate from Manchester University, pleaded guilty to conspiring to obtain telegraphic services dishonestly, and engaging in the unauthorised publication of computer information. Woods also admitted causing £15,000 of damage to a computer owned by the then Polytechnic of Central London.

The two did not meet until after their arrests in June 1991, although they "spoke" on screen under their codenames. Among hackers, Woods was known as "Pad", and Strickland as "Gandalf" (the wizard in Tolkien's Lord of the Rings).

Using personal computers at home, they were frequent illegal users of a BT network called PSS, and a system known as "Janet", which linked academic institutions throughout Britain.

Strickland's hi-tech conquests included the United States space agency Nasa and ITN's Oracle network - since replaced by Teletext. Woods keyed into systems run by the Ministry of Defence, the European Community and the Financial Times.

Counsel for both men agreed that their clients, who received their first computers when they were 11 years old, became "obsessed" with them.

"If your passion had been cars rather than computers we would have called your conduct delinquent, and I don't shrink from the analogy of describing what you were doing as intellectual joyriding," the judge said.

He went on: "There may be people out there who consider hacking to be harmless, but hacking is not harmless.
Computers now form a central role in our lives, containing personal details, financial details, confidential matters of companies and government departments and many business organisations.

"Some, providing emergency services, depend on their computers to deliver those services. It is essential that the integrity of those systems should be protected and hacking puts that integrity into jeopardy."

He said that hackers needed to be given a "clear signal" by the courts that their activities "will not and cannot be tolerated".

The judge added that he had hesitated long and hard before sending two young men to jail. Although there were powerful factors in their favour, prison for them was inevitable, he said.

Detective Sergeant Barry Donovan, formerly attached to Scotland Yard's computer crimes squad, said that since the publicity surrounding the arrest of Woods and Strickland, the amount of hacking in Britain had decreased dramatically, although it was still an international problem.

------------------------------

Date: Fri, 28 May 1993 14:36:56 +0200
From: Håkan Karlsson
Subject: Computerised Intensive Care Unit

The Swedish issue of "Apple News" (2/93) includes an article about a computerised Intensive Care Unit at the Hospital for Sick Children in Toronto, Canada. Each bed has a Macintosh Quadra at the bedside monitoring blood pressure, temperature, etc., and controlling various life-critical functions. Unfortunately (naturally?), the article has no information about the reliability of the system. The hospital is a part of the University of Toronto and responsible for development of the system is Gordon Tait and clinic manager is Dr. Geoffrey Barker.

I would like to get more information about this system, especially reliability questions and risk assessment.
H.Karlsson
Department of Computer Science, University of Uppsala, Sweden (ch92hka@cs.uu.se)

------------------------------

Date: Fri, 28 May 93 15:34:56 PDT
From: jane@stratus.swdc.stratus.com (Jane Beckman)
Subject: Computerized telephone solicitations

I heard on the radio about two weeks ago that a judge had ruled that computerized (non-live-human) phone calls were indeed legal, as a form of free speech, and thus struck down a law banning them. In the time since the ruling, I have received *two* computerized advertisements on my phone at work. This is a much higher proportion than in times past, when it was more like two a year. Obviously, the computerized phone advertisers are making up for lost time!

Jane Beckman [jane@swdc.stratus.com]

------------------------------

Date: Tue, 25 May 93 18:06:21 EDT
From: ark@research.att.com
Subject: Credit-card retention by phone number

Today I received electronic mail from a friend of mine in Sweden saying that he had gotten a substantial credit card bill from a camera store in New York and didn't remember having ordered anything.

It didn't take me long to figure out what had happened.

Sweden has substantial import duties on photographic equipment, but exempts equipment acquired and used abroad and then brought home. My friend has occasion to visit the US several times a year and often takes the opportunity to add to his equipment collection when here. If his trip includes a visit to my house, it is particularly convenient for him to order stuff, charge it to his credit card, and ask it to be shipped to me.

Several weeks ago, I had occasion to order from the same store. As with every order of mine except the first, they asked me `Would you like us to charge that to the same credit card you used for the last order?' and I said `yes.' Since it had always worked before, I didn't bother to verify the number.
Evidently they file credit card numbers by shipping address rather than by cardholder address, because my friend's credit card number became the one in my file.

--Andrew Koenig
ark@europa.att.com

------------------------------

Date: Thu, 20 May 93 15:14:30 EDT
From: Paul Potts
Subject: Cash machine keypad risk?

I've been using ATMs very frequently for at least 7 years, but this is the first time I've ever had this problem...

A few days ago on my way in to work I stopped at a cash machine to get some money for cappuccino. When punching in my password, I noticed there was a significant delay between pushing the key and the corresponding "beep." The keypad seemed to be behaving erratically. I tried to punch in $20.00 to withdraw. This proceeded something like <2> , <0> <0> , <0>, , <0>, , "OK," , then suddenly display catches up, machine dispenses $200.00 (more than was in my account). Aarrghh!

It was not a matter of a flaky key contact, because it did record all my keystrokes - it looked like the ATM's little processor was too busy doing something else to service my keystrokes. Who writes the operating systems for these things? I suppose it was, technically, "operator error," but isn't that the excuse always invoked to defend poor user interfaces?

The risk should be obvious - I am fortunate that I have overdraft protection, or I could have bounced several pending checks. So now I have to pay interest on the overdraft, and since I wasn't keen on putting $200 in a deposit envelope back into the machine, I kept it. Not to mention the health risk that came from having to drink $200.00 worth of cappuccino... : >

-Paul Potts-
Software Designer, Office of Instructional Technology
University of Michigan, Ann Arbor - potts@oit.itd.umich.edu

------------------------------

Date: Thu, 27 May 1993 12:56:45 -0700 (PDT)
From: "Arthur R. McGee"
Subject: Stop The Madness!
So did anyone else watch or tape yesterday's Donahue which talked about (yes, it was just a matter of time) Virtual Reality and Sex? I just heard a new term the other day, "Cybergasm." I now really know how Stanton feels, I'm sick of all the weirdness and sensationalism too. Oh yeah, here's something from the latest EDUPAGE newsletter:

---------- Forwarded message ----------

[stuff deleted]

YOU CAN'T SAY THAT ON THE INTERNET. Censorship has hit the Internet, where battles over free speech are being waged on several fronts. Colleges in Canada have banned all electronic discussions of sex, and controversy is raging stateside over a program that automatically wipes out anonymous messages and the suspension of a California professor who ran a BBS that carried messages harassing a female student. Congress has even gone so far as to order a study of whether bulletin boards, on-line services and cable TV are being used to encourage "crimes of hate." (Wall Street Journal 5/24/93 B1)

[stuff deleted]

Art "Rambo" McGee [amcgee@netcom.com] [72377.1351@compuserve.com]
Voice: [1-310-320-BYTE]

------------------------------

Date: Fri, 21 May 93 16:13:46 EDT
From: junger@samsara.law.cwru.edu (Peter D. Junger)
Subject: The risks of teaching about computers and the law

A fortnight ago, in order to postpone the necessity of grading final exams, I started writing a simple-minded encryption program, which uses a "one-time pad" as a key, for use this Fall in my class on Computers and the Law. The program is intended to demonstrate certain things that lawyers who are going to deal with the problems generated by computers should know: things like the nature of an algorithm and the fact that any text (that is encoded in binary digits) of length n contains (if one just has the key) all other texts of length n.
Although in that course we shall mainly be concerned with copyright and patent issues relating to computer programs, we should also spend some time on security issues and on government regulation of computer programs. And that, of course, includes the regulation of the export of computer programs, including cryptographic programs and technical information relating to such programs. I shall also have to discuss cryptographic programs when dealing with issues of computer security, since it would profit lawyers to be aware of the fact that cryptography can do far more than the law can to keep one's confidences confidential. The latter point is, of course, of particular importance to members of a profession who have a legal and moral duty to keep their clients' confidences confidential from everyone, but especially from the agents of the state.

As I was writing this program I realized that it itself, and any `technical data' relating to it, might be subject to federal export licensing regulations, since I intended to give copies of it to, and discuss it with, my students and make it available to anyone who wants it, even foreigners. Even if I do not put it on an anonymous FTP server, as I originally planned, there is no way that I can guarantee that all the students who enroll in my class will be citizens or permanent residents of the United States.

After a little quick research I have determined that my program may be--and, in fact, probably is--subject to such licensing, though whether by the Department of Commerce or that of State is a matter that it will take some sixty days for the bureaucrats to determine.

The trouble is that the program, which should run on any PC clone running MSDOS 3 or higher, and which now consists in its entirety of 174 bytes of 8086 machine code, which I am pretty sure I can get down to 170 bytes or less, is squarely covered by the definitions of Category XIII of the U.S.
Munitions List (as is my old Captain Midnight Decoder, which I got during the War for a boxtop--or was it an Ovaltine label?--and change). The relevant subdivision of Category XIII of the Munitions List is (b), which provides in relevant part:

    (b) Information Security Systems and equipment, cryptographic devices, software, and components specifically designed or modified therefor, including:

        (1) Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems, except cryptographic equipment and software as follows: ....

    [none of the exceptions appear to be applicable to my program]

There is no exception for encryption software that is so simple minded that a law teacher, whose only degrees are in English and law, can hack it out in about six hours, most of which time was spent chasing bugs that were the result of typos. I estimate that the average computer literate 12-year old could have written the program in about 20 minutes.

In the course of my researches, which so far have consisted of speaking to a very pleasant person at the Department of Commerce's Bureau of Export Administration, to a not very nice major and a slightly nicer person at the Department of State's Bureau of Politico-Military Affairs, Office of Defense Trade Controls, and to a not un-nice person, whose name I was not allowed to know, who supposedly was at NSA, and wading an inch or so into a seven inch stack of Commerce Department regulations and a few more inches of statutes, I have concluded that if I `export' my little program without first getting a license I may be subject to a fine of not more than $1,000,000, or imprisonment for not more than ten years, or both.
This isn't so bad, since in the case of the actual program it is pretty clear that `exporting' means exporting, so, since I don't intend to export the program, the only problem is that posting it on an FTP server on the internet gets into a `grey' area (according to the unknowable at NSA). Of course, if the program is considered to be my expression--which it must be if it is protected by the copyright laws--it is probably a violation of the First Amendment to require me to get a license before I can export it. But since I don't intend to export it--and the unknowable, on whom I dare not rely, did keep saying that it was a matter of my intention--I can treat that issue as an academic problem. (By the way, it is my position that the actual program--the machine code--not being in any sense expression--cannot Constitutionally be protected by copyright law; this is a position that the lower courts have--at least _sub silentio_--uniformly rejected, but it is a good bet that the Supreme Court will agree with me when it finally gets around to considering this issue!)

The real trouble is that Category XIII contains as its final subdivision paragraph (k), which covers

    (k) Technical data . . . related to the defense articles listed in this category.

And that, of course, means that I cannot lawfully export technical data about my program without first obtaining a license. But the regulations relating to technical data that is included on the Munitions List say, in effect, that the `export' of technical data includes talking about the defense article to which the data relates--which in my case is my piddling little program--in the presence of someone who is neither a citizen of the United States nor admitted to permanent residence in the United States.
So, if any foreign students sign up for my course I will be required to get a license--which I am not sure I can get at all, and certainly will not be able to get in time to teach my course--before describing the program to my class, explaining how to use it, and giving them the source code--which, by the way, I contend _does_ contain expression--to load in with the debug program.

I admit that I am not greatly concerned about the potential criminal penalties that might be imposed if I do discuss the program with my students without a license, and not only because I don't have a million dollars and--for all I know--may not have ten years. I cannot imagine anyone--except perhaps that major--who would be stupid enough to try to punish me for discussing my trivial program with my students. But how can I teach this particular bit of computer law if the very act of teaching amounts--at least in theory--to a criminal violation of the very law that I am teaching? That this is not a logical paradox is an illustration of the fact that the law is not logic; but I still feel that I am trapped in an impossible situation.

It is hard for me as a law teacher to believe that this regulatory scheme that requires me to get a prior license each time that I speak about, or publish the details of, my trivial program (or, in the alternative, to make sure that no foreigners get to hear or read what I have to say about it) can withstand a constitutional challenge on First Amendment grounds. The "secret" of how to keep a secret in 170 bytes or less is not something that imposes any conceivable threat to the security of the United States, especially not when the underlying algorithm is well known to most who are, and many who aren't, knowledgeable about computers--or, for that matter, about logic. And thus the government can't constitutionally punish me for revealing this "secret" of mine or talking and writing about how it works.
And even if the government could constitutionally punish me after the fact, that does not mean that they can impose a prior restraint on my speaking or writing about the "secret". Prior restraints on speech or publication--and especially licensing schemes--are especially vulnerable to constitutional attack, since the First Amendment provisions relating to the freedom of speech and of the press were adopted in large part to prevent the federal government from adopting the type of censorship and licensing that had prevailed in England under the Tudor and Stuart monarchies.

And yet I am so intimidated and disheartened by this unconstitutional scheme that I dare not explain in a submission to Risks, which undoubtedly has foreign subscribers, how my silly little program works. And even if I were willing to take that risk, I could not in good conscience impose it on our moderator.

And if I have problems now, just think how ridiculous the situation will be if the government tries to outlaw all encryption programs and devices other than the Clipper Chip.

[For those of you who understand how my program works and who take the effort to write your own encryption program based on that understanding, I have a special offer. If you will just send me an E-mail message certifying that you are a United States Citizen, I will send you (at any address on the internet that is within the United States), a UUENCODEd key that when applied by your program to this particular submission to Risks--after all headers have been stripped off--will produce a working copy of my program, which is a COM file that runs under MSDOS. (Be sure that your copy of this submission uses the Carriage Return / Line Feed combination as the End of Line indicator.)]

Peter D.
Junger
Case Western Reserve University Law School, Cleveland, OH
Internet: JUNGER@SAMSARA.LAW.CWRU.Edu -- Bitnet: JUNGER@CWRU

[Incidentally, at last week's IEEE Symposium on Research in Security and Privacy, a rump group decided that because crypto falls under munitions controls, the right to bear arms must sanction private uses of cryptography! PGN]

------------------------------

Date: Wed, 19 May 93 22:16:03 EDT
From: ae446@freenet.carleton.ca (Nigel Allen)
Subject: Disaster Avoidance & Recovery Conference & Exhibition May 26-28

Here is a press release from the Disaster Avoidance & Recovery '93 Conference.

Disaster Avoidance & Recovery Conference & Exhibition May 26-28;
To: Assignment Desk, Daybook Editor
Contact: John Mungenast of Insystex Inc., Ventura, Calif., 805-650-7052, or George J. Whalen of G.J. Whalen & Co. Inc., New Rochelle, N.Y., 914-576-6750

News Advisory:

Disaster Avoidance & Recovery '93, sponsored in part by AT&T, NCR and Power Quality magazine, will take place May 26-28, at the Sheraton Premiere at Tyson's Corner, in Vienna, Va. CEOs, participants from government, technology, financial manufacturing and utility companies, other major industry and key government groups are expected. They will hear from a blue-ribbon faculty of experts whose presentations will deal with all sides of disaster preparedness and recovery, sharing latest planning methods and technology to ward off, deal with and rapidly recover from natural or man-made disasters.

The intensive three day conference points up the reality that U.S. businesses, buildings and people are more at-risk than ever before and that our technology-dependent society now relies on a "house of cards" of interdependent computers, telephone and power utilities. Keynote speaker will be Rep. Dick Swett (D-N.H.), who sees preparedness as a "new war" against natural and man-made threats.
Assessments of recent wide-area disasters (Hurricanes Andrew and Iniki, floods, Nor'easters, tornados, earthquakes, fires and blizzards) and a comprehensive review of the terrorist attack on the World Trade Center will introduce topics such as evacuation, medical care and shelter, building vulnerability, standby power, elevator design flaws, plus how to plan against high-rise disasters.

Participants will also discover that only a handful of utilities now have tested, workable disaster and recovery plans in place... that few power companies have "mutual aid plans" with telephone companies, even though they share the same poles and conduits and despite the fact that telephone companies rely in part on electric utility power.

Counter-terrorism authorities will advise on protective measures, while telecommunications, computer, power and business recovery experts will deal with how disasters can strike through our near-total dependency on computer technology and its vulnerability to the minute-by-minute quality of electrical power.

There is a side benefit of all this: the wave of new methods, technology and products now emerging to improve preparedness of U.S. businesses is stimulating the economy with new jobs, new contracts and new opportunities.

Additional information and details about Disaster Avoidance & Recovery '93 can be obtained from John Mungenast at Insystex Inc., the conference organizer, 805-650-7052 during business hours (Pacific time).

Nigel Allen, Toronto, Ontario, Canada  ae446@freenet.carleton.ca

------------------------------

End of RISKS-FORUM Digest 14.65
************************
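
The one-time-pad property stated in Peter Junger's submission above (given the right key, any text of length n yields any other text of length n), together with his note that the carrier text must use CR/LF line endings, can be seen in a few lines of Python. This is an added example, not Junger's program and not part of the digest; the carrier text, the two targets and all function names are constructed for illustration, and XOR is assumed as the combining operation.

```python
"""One-time-pad arithmetic: a pad maps any byte string onto any other of equal length."""

# Constructed carrier text (three short lines); it stands in for a digest submission.
CARRIER_TEXT = (
    "A fortnight ago, in order to postpone\n"
    "the necessity of grading final exams,\n"
    "I started writing a program.\n"
)
# Constructed 60-byte targets; they stand in for "all other texts of length n".
TARGET_A = b"constructed stand-in for a small program".ljust(60, b".")
TARGET_B = b"an unrelated constructed message".ljust(60, b"!")


def to_crlf(text: str) -> bytes:
    """Normalise every line ending to CR/LF and encode as ASCII bytes."""
    unified = text.replace("\r\n", "\n").replace("\r", "\n")
    return unified.replace("\n", "\r\n").encode("ascii")


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR two equal-length byte strings; the same call encrypts and decrypts."""
    if len(data) != len(pad):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(d ^ p for d, p in zip(data, pad))


def key_for(carrier: bytes, target: bytes) -> bytes:
    """Return the pad that turns the leading bytes of carrier into target."""
    if len(target) > len(carrier):
        raise ValueError("carrier is shorter than the target")
    return xor_bytes(carrier[: len(target)], target)


def apply_key(carrier: bytes, key: bytes) -> bytes:
    """Apply a pad to the leading bytes of carrier, as the recipient would."""
    if len(key) > len(carrier):
        raise ValueError("carrier is shorter than the key")
    return xor_bytes(carrier[: len(key)], key)


def first_mismatch(a: bytes, b: bytes) -> int:
    """Index of the first differing byte, or -1 if the strings are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def demo() -> dict:
    """Derive two pads for one carrier, then try one pad on an LF-only copy."""
    carrier = to_crlf(CARRIER_TEXT)
    key_a = key_for(carrier, TARGET_A)
    key_b = key_for(carrier, TARGET_B)
    # Same words, LF-only line endings: the bytes differ from the first line break on.
    lf_copy = CARRIER_TEXT.encode("ascii")
    damaged = apply_key(lf_copy, key_a)
    return {
        "a_recovered": apply_key(carrier, key_a) == TARGET_A,
        "b_recovered": apply_key(carrier, key_b) == TARGET_B,
        "lf_copy_recovers_a": damaged == TARGET_A,
        "first_bad_byte": first_mismatch(damaged, TARGET_A),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because every target of the same length has its own pad, the carrier alone says nothing about which target was meant; the pad carries all of the information, and a single changed byte in the carrier corrupts the output from that position on.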