Subject: RISKS DIGEST 15.62
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 3 *March* 1994  Volume 15 : Issue 62

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** EARLIER-VOLUME ARCHIVE NOW IN FTP SUBDIRECTORIES. *****
***** See last item for information on RISKS (comp.risks) *****

Contents:
Joe Camel's 10,000,000 best friends (Phil Agre)
Double Posting of Credit Card Charges (Bryan Apple)
Video Tech & Privacy... what's becoming possible (David Honig)
RISK of computer-controlled landings (Simson L. Garfinkel)
Headline: "Child molesters use computer talk as bait" (David Tarabar)
Conviction for spreading virus? (Laurel Kristick)
'We {Will} Find you...' (Paul Robinson)
Local TV News Report Misses The Boat (Dan Danknick)
Educating on the RISKS of the Internet (Jeremy Epstein)
Will they ever learn? [Passwords] (Roger Binns)
One time Passwords and Encryption (A. Padgett Peterson)
Of Locks and Legends (Dave Pierson)
Impact fuel cutoff anecdote, risk (Bob_Wise)
NTIA Releases Notice of Inquiry on Privacy Issues (Beth Givens)
SIGSOFT 94 Call For Papers (Dave Wile)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Thu, 3 Mar 1994 09:03:13 -0800
From: Phil Agre
Subject: Joe Camel's 10,000,000 best friends

The 3/3/94 New York Times includes a long, fascinating article on recent trends in cigarette advertising, away from mass media like billboards and magazines and toward database-oriented marketing based on promotions. The full reference is:

  Allen R. Myerson, Selling cigarettes: Who needs ads?, New York Times, 3 March 1994, pages C1, C5 (business section).

Here are two paragraphs from the middle of the article:

...
  Philip Morris marketers boast that the Adventure Team promotion and a carefully calculated price cut restored Marlboro's share of the $42 billion cigarette market from 22 percent last March to nearly 27 percent in January, widening its lead over all other brands. Flush with the names and addresses of their new customers, they are planning their next campaign.

  Over at R. J. Reynolds, Philip Morris' major rival, marketers pride themselves on computerized data banks so huge and detailed that they can go far beyond merely aiming their discount coupons and Camel Cash merchandise offers at the less than one-quarter of Americans who smoke. They can choose not just smokers of competing brands, but those who smoke brands with price, taste and image most like those of Camels, for example. In fact, Reynolds can select from that last group just those smokers who would gladly switch, for a few pennies a pack, or perhaps an ashtray or cap.

These trends have the virtue that non-smokers get exposed to less cigarette advertising, thus lessening the force of claims that such advertising recruits new smokers rather than getting existing smokers to switch brands. On the other hand, mass cigarette advertising (such as glossy booklets urging folks to "Get More Gear") is not going away; indeed it is an integral part of the new strategy. Finally, and most importantly for Risks, the cigarette companies' increasingly personalized connections to their customers may inhibit smokers' attempts to end their addictions, since they will now be exposed to ever-more-customized stimuli encouraging them, if only implicitly, to continue smoking. This is only speculation, of course, but it's an important test case for the social implications of data-intensive one-to-one marketing, and it should be watched closely.
Phil Agre, UCSD

------------------------------

Date: Wed, 2 Mar 94 13:12:36 CST
From: bha@offsite.com (Bryan Apple)
Subject: Double Posting of Credit Card Charges

In a 16 Feb 1994 letter from The Chicago Symphony Orchestra, Henry Fogel, Exec. VP, describes a "computer error". It seems that all American Express charges for tickets and contributions since 1991 were re-submitted. Considering my seats cost nearly $100 each, this could represent a significant amount of money. The letter does not identify which party (Amex or the CSO) caused the error.

The letter says, "Charges for these items will appear again on your next statement...", and continues, "In most cases, these charges will also be removed on the same statement."

The risks include:
  Transaction systems that don't range check their input (shouldn't charge dates have to be somewhat current?).
  Automated postings that aren't tied out to an independent check (Wow, sales were up 3,700% this month!).

Bryan Apple, Data Vault Systems  (708) 885-6000

------------------------------

Date: Thu, 03 Mar 1994 12:43:00 -0800
From: David Honig
Subject: Video Tech & Privacy... what's becoming possible

In the Feb 94 "Advanced Imaging" magazine, there is a discussion of how video cameras (from above, preferably, for contrast and occlusion reasons) are being deployed with machine vision systems in malls. The stated purpose is to measure people flow, to learn about buyer behavior. Sort of like machine vision applications for traffic flow monitoring. There is mention of secondary sensors causing cameras and vision systems to "orient" [my interpretation] towards some situation.

In the same issue there's an unrelated advert for something called an "imputer" which is a white palm-sized box with a lens. (Looks like an aperture of about a cm.) Next to it is the circuit board presumably within the white box. It contains 4 chips: an imaging chip and a microcontroller among them. One of the chips is socketed.
You can develop algorithms on your desktop machine and then load them onboard, it seems. And have your own standalone motion-interpretation system.

------------------------------

Date: Thu, 3 Mar 94 16:50:16 -0500
From: simsong@next.cambridge.ma.us (Simson L. Garfinkel)
Subject: RISK of computer-controlled landings

I was on one of the few aircraft to land in the Boston blizzard today. There was zero visibility. When we hit the runway (ouch!), the plane veered back and forth, slipping on the ice, apparently working differential thrust. After we landed, the pilot said "in case anybody is interested, you are in one of the few Northwest Airbus 320's capable of landing itself, which it just did." And I thought, "oh, wow."

And I wondered which would have been RISKier: landing on autopilot, or landing on human pilot.

------------------------------

Date: Thu, 3 Mar 94 08:53:02 -0500
From: dtarabar@hstbme.mit.edu (David Tarabar)
Subject: Headline: "Child molesters use computer talk as bait"

This is the headline of an article in the 3/3/94 Boston Globe on the front page of an inside Metro/Region section.

"For most parents, the thought of their child sitting in a bedroom and skillfully using a computer is a source of comfort and pride." "Increasingly, however, the home computer has become a source of danger, as manipulative child molesters reach out to unsuspecting children through thousands of interactive and easy-to-use computer bulletin board systems." ...

The news article triggering this discussion article is: A 23-year-old Chelmsford [Mass] man pleaded not guilty to an attempted kidnapping charge after he allegedly used a computer bulletin board to attempt to coax a teen-ager into helping him abduct a young boy for sexual purposes.

The article goes on to explain BBS systems and how they allow impersonal contact between juveniles and child molesters.
Law enforcement officials in Massachusetts have been concentrating on (and getting publicity for) investigating computer-assisted child abuse. There have been several other charges, and in 1992 a Cambridge man pleaded guilty to raping two boys whom he met through a BBS.

  [Also noted by Bob_Frankston@frankston.com. PGN]

------------------------------

Date: Wed, 2 Mar 94 13:44:53 MST
From: kristill@robie.cs.trw.com (Laurel Kristick)
Subject: Conviction for spreading virus?

In Amnesty International's Freedom Writers list for February 1993, one of the letters is to the Cuban Government on behalf of Luis Grave de Peralta Morrell and 3 other scientists. They were convicted in February 1992 of various charges and given sentences which varied from 8 to 13 years. Evidence against them included a book written by Luis Grave de Peralta which criticized the Cuban Government. Earlier, he had lost his position as professor of physics at the University of Oriente after resigning from the Cuban Communist Party. One of the charges against them was "that the four had been trying to spread a computer virus." Amnesty International claims that no clear proof of this was offered during the trial.

Does anyone have more details on this? What kind of virus were these individuals supposedly trying to spread?

The RISK? I suppose that if a totalitarian government is out to get you, they will use any possible charge against you, including computer-related ones.

Laurel Kristick  kristill@robie.cs.trw.com

------------------------------

Date: Wed, 2 Mar 1994 23:17:29 -0500 (EST)
From: Paul Robinson
Subject: 'We {Will} Find you...'

An article of the same name on the cover of the February 10, 1994 {Washington Technology} magazine talks about a specialized use of biometric information (specific details unique to a person like size, etc.) to identify them.
The idea behind this is that in an airport, an infrared camera is mounted near the arriving passengers section, taking pictures of every person who is passing through the facility. This captures the 'aura' or underlying facial vascular system (pattern of blood vessels and such). In 1/30 of one second, it captures the data and forwards it via high-speed data lines to an FBI database that has stored auras of the world's most-wanted criminals and terrorists; matches then generate an order to nab a suspect, supposedly producing "a piece of evidence that is as rock-solid as any presented to a court."

Currently, infrared cameras are being attached to desktop computers to create digitized thermograms of people's faces in 1/30 of a second. The company that is working on this technology, Betac Corp, an Alexandria, VA government contractor, claims that the aura is unique for every single person. The photos in the front of the article show two clearly different thermographic images that are claimed to be from identical twins.

The facial print does not change over time (and would allegedly require very deep plastic surgery to change it), retains the same basic patterns regardless of the person's health, and can be captured without the person's participation.

The technology will have to show it is a better choice than current biometric techniques such as retinagrams (eye photographs), voice prints and the digital fingerprint.

A publicity-shy Reston, VA company called Mikos holds the patent for certain technology uses of this concept.
Dave Evans of Betac, who has obtained certain "non exclusive" rights in the technology, claims that "thermograms are the only technology he has seen in his more than two decades of security work that meet the five major criteria of an ideal identification system: They are unique for every individual, including identical twins; they identify individuals without their knowing participation; they perform IDs on the fly; they are invulnerable to counterfeiting or disguises; they remain reliable no matter the subject's health or age," the article said. Only retinal photos are equivalent, but potential assassins aren't likely to cooperate in using them.

Right now it takes about 2-4K per thermograph (it says '2-4K of computer memory' but I suspect they mean disk space), and that's not really a problem for a PC-based system of 2000 or so people going to and from a building; it's another magnitude of hardware to handle millions of aircraft travelers in airports. Also, infrared cameras are not cheap, in the $35,000 to $70,000 range, which, for the moment, is likely to keep small law enforcement facilities from thermographing all persons arrested the way all persons arrested are routinely fingerprinted. But we can expect the price to come down in the future.

The writer apparently had to agree with Evans not to raise privacy and security issues in the article, it says, since first they have to show the technology works. But even it raised questions:

- The technology could be a powerful weapon in a "big brother" arsenal, with cameras in front of many stores and street corners, scanning for criminals or anyone on the government's watch list?
- Does the government have the right to randomly photograph people for matching them against a criminal database?
- What guarantees do we have that thermographs are actually unique for every person, or that the system is foolproof?
- What is the potential for blackmail, with thermographs to prove people were in compromising places and positions?

There are also my own points.

- While this can be used to protect nuclear power plants against infiltration by terrorists (as one example it gives), what is to stop it, for example, from being used to find (and silence or eliminate) critics and dissidents? I wouldn't give China 30 seconds before it would use something like this to capture critics such as the victims of Tiananmen Square.
- Long history indicates that better technology is not used to improve capture of criminals who violate the lives and property of other private parties; it is used to go after whatever group the government opposes. That's why people who defend themselves with guns against armed criminals in places where gun controls are in effect can expect to be treated more harshly than the criminal would have been. Existence of criminals supports the need for more police and more police-state laws; defending oneself against criminals shows the ineffectiveness of those laws.

Paul Robinson - Paul@TDR.COM

------------------------------

Date: Thu, 3 Mar 94 13:46:54 PST
From: ddanknic@cisoc.canon.com (Dan Danknick)
Subject: Local TV News Report Misses The Boat

Last night there was a news report on our local KABC affiliate about a man who had been arrested at a local bank for wandering around the parking lot in the area of the automatic teller machine and acting very suspiciously. Evidently a bank patron thought this odd and flagged down a passing police officer. In a search of the suspect's van that followed, a few hundred blank ATM cards were found as well as nearly $5,000 in twenty dollar bills. The man had apparently been "shoulder surfing," the act of peering across the shoulder of an ATM client to garner their PIN number as it is entered. Such a surfer then acquires discarded transaction slips in the region of the ATM, matches the transaction time up with the acquired PIN, programmes a card, and withdraws a good chunk of money.

Yes, this is nothing new. But where the TV reporter had an excellent opportunity to remind viewers to _always keep your transaction receipt_ (throwing it away at home if you have to) they neglected to. Instead, I was presented with a number of interviews with patrons explaining the various methods they used to conceal their PIN entry actions (my favorite was a woman who explained that she could type it so fast, nobody could ever see it.)

Great. Another chance to bring the general public up to speed lost in poor journalism. Maybe all news services should have a RISKS reader on staff?

Dan Danknick  ddanknic@cisoc.canon.com

------------------------------

Date: Wed, 2 Mar 94 10:21:11 EST
From: jepstein@cordant.com (Jeremy Epstein -C2 PROJECT)
Subject: Educating on the RISKS of the Internet

The RISKS of sending credit card numbers (and other such information) over the Internet are well known in this group, so I won't rehash it. I recently received an inquiry from the organizer of an upcoming conference about the security ramifications of accepting electronic registration. They want people to upload (into their World Wide Web server) the registration data, including a credit card number. The data is then processed and the information (including the credit card number) is e-mailed to the registration agent. The person who made the inquiry had a suspicion that all of this electronic traffic might have some security implications, but wasn't sure.

The point of this note is that even though readers of *this* forum know the RISKS, as more and more people join the Internet we need to deal with education. If the Internet community doesn't warn people of the do's and don'ts, the Internet will get a black eye when the inevitable fraud occurs.

--Jeremy Epstein, Cordant, Inc.
jepstein@cordant.com

------------------------------

Date: Thu, 3 Mar 94 21:15:53 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: One time Passwords and Encryption (Kabay, RISKS-15.61)

IMHO passwords have been used since before the Roman empire and their effectiveness has only gotten worse - back then they were changed daily.

I have been using tokens for nearly five years now & a couple of years ago wondered (both publicly and in print) why, instead of using the token's output for authentication, it was not used as the seed for autoigniting encryption, since both sides had the result and it had never passed on the line. Since most tokens' responses are seven bytes long, DES seemed to be a natural that was well documented. The fact that you could communicate would authenticate both ends of the line and would be resistant to a "man-in-the-middle" attack.

Talked to two vendors about it & both said "fine - you fund it and we'll do it". The RISK is always that if you wait too long to develop a product, you will wind up getting Clipped.

Padgett

------------------------------

Date: Wed, 2 Mar 1994 10:27:28 GMT
From: rogerb@x.co.uk (Roger Binns)
Subject: Will they ever learn? [Passwords]

The North Carolina State University has proudly announced their web server to the net on the NCSA What's New page. Having a look I spotted the following easy steps to compromising an account there ...

: The username is generally composed of the initial letters of the user's
: first and middle names and the first six characters of his or her last
: name. For example, if the user's name is John Q. Public, then the username
: would be jqpublic.
:
: The password that users are given initially is their social security number,
: which is typed in the password field without the dashes (e.g., 123-45-6789
: is 123456789). In order to prevent unauthorized access, users need to change
: their passwords as soon as possible and never share their passwords with
: anyone.
I wonder how many illegal accesses they have?

The original is http://www.eos.ncsu.edu/eos_access/accounts.html

Roger Binns, Software Engineer, IXI Ltd, Cambridge, UK  rogerb@x.co.uk

------------------------------

Date: Thu, 3 Mar 94 14:00:21 PST
From: pierson@cimcad.enet.dec.com
Subject: Of Locks and Legends

A recent RISKS reported on a "kick to enter" interaction in certain late model automobiles. The current Autoweek, quoting a manufacturer's press release, calls this a "high-tech legend". Among other things, the air bag mechanism is deactivated within 150 milliseconds after the ignition is turned off. (I assume the delay is to allow for the ignition circuit "dropping" in an accident.)

dave pierson  Digital Equipment Corporation  pierson@msd26.enet.dec.com

  [Also noted by eli@cisco.com and silas@Informatik.Uni-Bremen.DE (Stefan Mahnke). PGN]

------------------------------

Date: Mon, 28 Feb 1994 21:20:46 -0700
From: rmwise@mcigate.apdev.cs.mci.com (Bob_Wise)
Subject: Impact fuel cutoff anecdote, risk

This has been a well-known dirty trick in showroom-stock autoracing (IMSA Firehawk and SCCA Showroom Stock, primarily) for many years. The impact sensor is typically in the rear of a car. A firm bumper-to-bumper tap from behind will often lead to an impact sensor shutting off the electric fuel pump, usually resulting in a DNF for the bumped driver. Many showroom-stock competitors bypass the impact cutoff to keep this from happening, thus leading to real risk in the case of a serious accident.

I find it strange that the airbag system in the early Ford airbag cars (as indicated in the post above) was triggered by a sensor that is typically found in the rear of the car.

Side note: road racing organizations such as IMSA and SCCA require the disabling of any airbag systems. The safety equipment required negates the use of passive systems.
-Bob Wise, #64 SCCA American Sedan Mustang
| Bob Wise          | INET:622-1322      | MCIMail:468-2222                 | Pager:719-577-1928 |
| Consultant to MCI | Phone:719-535-1322 | Internet:rmwise@apdev.cs.mci.com |

------------------------------

Date: Thu, 3 Mar 1994 17:43:33 -0800 (PST)
From: "Beth Givens, Privacy Rights Clearinghouse"
Subject: NTIA Releases Notice of Inquiry on Privacy Issues

CONTACT: Larry Williams (202) 482-1551
MARCH 1, 1994

The National Telecommunications and Information Administration (NTIA) is undertaking a comprehensive review of privacy issues relating to private sector use of telecommunications-related personal information associated with the National Information Infrastructure (NII). Public comment is requested on issues relevant to such a review. After analyzing the comments, NTIA will issue a report and make recommendations as needed.

The inquiry will focus on potential uses of personal information generated by electronic communications, including interactive multimedia, cable television and telephony. NTIA is studying the issues that arise when such telecommunications-related information is used to create detailed dossiers about individuals.

NTIA seeks to determine whether any overarching privacy principles can be developed that would apply to all firms in the telecommunications sector. In addition, NTIA is soliciting comment on other countries' actions to ensure the privacy of information transmitted over telecommunications networks, and to ascertain how any U.S. policies in this area will affect the international arena.

The Notice of Inquiry and Request for Comments appears in Part IX of the February 11, 1994, Federal Register and is also available on the NTIA Bulletin Board at (202) 482-1199. Set communications parameters to no parity, 8 data bits and 1 stop. Go into the menu "Teleview-Public Notices and Comments." File size is 48,514 bytes or about 18 pages of text. Internet users can telnet into the BBS at ntiabbs.ntia.doc.gov.
Comments should be filed on or before March 30, 1994. NTIA is accepting comments in writing or posted electronically via its BBS. If you have further questions, please contact Carol E. Mattey or Lisa I. Leidig at the Office of Policy Analysis and Development, NTIA, 202-482-1880.

------------------------------

Date: Wed, 02 Mar 94 16:48:45 PST
From: Dave Wile
Subject: SIGSOFT 94 Call For Papers

                            CALL FOR PAPERS
  The Second ACM SIGSOFT Symposium on the Foundations of Software Engineering
                      New Orleans, Louisiana USA
                         6-9 December 1994
                      Sponsored by ACM SIGSOFT

The ACM SIGSOFT '94 Symposium on the Foundations of Software Engineering will focus on innovative research results that identify and contribute to the foundations of software engineering. The intent is to help establish software engineering as a viable engineering discipline.

We solicit papers in all technical areas of software engineering. A successful paper is expected to report on new principles, methods, or results of experimentation in software engineering (which includes topics related to the specification, design, implementation, and evaluation of software systems). Papers should emphasize how they contribute to a foundation that allows us to effectively engineer classes of complex software systems in disciplined, reasoned ways. Unless a strong tie to software engineering is made, papers more central to other aspects of computer science should be submitted to conferences in those areas.

A paper should clearly state the contribution and its underlying assumptions. It should also assess the results, making appropriate comparisons with and references to the literature. Papers will be judged on clarity, significance, relevance, correctness, and originality. The paper must contain ideas not previously presented in or currently waiting acceptance to another formal forum. All papers will be reviewed by program committee members. In some cases, additional external advice may be solicited by the program committee.
Papers of particular merit may be recommended to major software engineering journals for expedited review.

Submissions are limited to 12 pages (including figures) in 10 point type or larger, excluding references. Overly long submissions will be returned without review. Five copies, preferably double-sided, must be RECEIVED BY the program chair by MAY 31, 1994. Authors will be notified by AUGUST 5, 1994. Camera-ready versions of accepted papers are due, along with ACM copyright release forms, by SEPTEMBER 19, 1994. Proceedings will be distributed at the symposium and as a special issue of ACM Software Engineering Notes. Tutorials will be held on Tuesday, DECEMBER 6, 1994.

General Chair
  W. Richards Adrion, Department of Computer & Information Science, Univ. of Massachusetts, Amherst MA 01003, (413) 545-2742, adrion@cs.umass.edu

Program Chair
  David Wile, University of Southern California / Information Sciences Institute, 4676 Admiralty Way, Marina del Rey CA 90292, (310) 822-1511, wile@isi.edu

Tutorial Chair
  Debra Richardson, University of California, Irvine

Local Arrangements Chair
  Johnette Hassell, Tulane University

Program Committee
  Lori Clarke, University of Massachusetts, Amherst
  Alan Dearle, University of Adelaide, Australia
  John Gannon, University of Maryland
  David Garlan, Carnegie Mellon University
  Carlo Ghezzi, Polytechnic University, Milan, Italy
  Gail Kaiser, Columbia University
  Axel van Lamsweerde, University of Louvain, Belgium
  Mark Moriconi, Stanford Research Institute
  David Notkin, University of Washington
  Barbara Ryder, Rutgers University
  Dick Taylor, University of California, Irvine
  Ian Thomas, Consultant
  Walter Tichy, University of Karlsruhe, Germany
  Jeannette Wing, Carnegie Mellon University
  Stan Zdonik, Brown University

------------------------------

Date: ongoing
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA) with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military and Government machines should contact (Dennis Rears). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, send requests to (not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "FTP CRVAX.SRI.COM<CR>login anonymous<CR>YourName<CR>CD RISKS:<CR>" Issue j of volume 15 is in that directory: "GET RISKS-15.j". For issues of earlier volumes, "GET [.i]RISKS-i.j" (where i=1 to 14, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00. "DIR" (or "DIR [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. WAIS and bitftp@pucc.Princeton.EDU are alternative repositories.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery.
PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 15.62
************************
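Editor's added example for Padgett Peterson's item ("One time Passwords and Encryption") above. This is not code from the item, from RISKS, or from any token vendor; it models the scheme he sketches: token and server share a seed, each computes the same one-time response locally, and instead of sending that response as a password both sides derive a session key from it, so the response never crosses the wire and the ability to exchange authenticated messages is itself the proof of possession. The item proposes DES; the Python standard library has no block cipher, so this stand-in uses HMAC-SHA256 in counter mode for the keystream and a separate HMAC tag (encrypt-then-MAC). The token format (a seven-digit HOTP-style value standing in for the "seven bytes"), the counter, the per-session nonce and the context labels are assumptions of the example. One caveat the code makes visible: the derived key has only as much entropy as the response, so an eavesdropper holding a ciphertext with guessable content can try all 10^7 responses offline; the construction authenticates the token, it does not add strength beyond it.

```python
"""Token response as a shared key rather than a transmitted password.

Added example (not from the RISKS item or any vendor). Assumptions: a
shared 160-bit seed, an event counter, seven-digit HOTP-style responses,
HMAC-SHA256-CTR + HMAC tag in place of the DES the item proposes.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct


def token_response(seed: bytes, counter: int) -> str:
    """One-time value computed identically on the token and the server.
    HOTP-style dynamic truncation of HMAC-SHA1(seed, counter) to 7 digits."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10_000_000:07d}"


def session_keys(response: str, nonce: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the response and a
    fresh per-session nonce, so two sessions sharing a response never
    reuse a keystream. Context label is an assumption of this example."""
    root = hashlib.sha256(b"risks-otp-demo|" + nonce + b"|" + response.encode()).digest()
    k_enc = hmac.new(root, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(root, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(response: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Wire format: nonce(16) || ciphertext || tag(32).
    Note that the response itself is never placed on the wire."""
    nonce = secrets.token_bytes(16)
    k_enc, k_mac = session_keys(response, nonce)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(response: str, message: bytes) -> bytes | None:
    """Verify with the locally computed response. A party without the seed,
    or with a stale counter, derives the wrong keys and fails the tag check."""
    if len(message) < 16 + 32:
        return None
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    k_enc, k_mac = session_keys(response, nonce)
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


def demo() -> dict:
    """Constructed run: legitimate server, eavesdropper with its own seed,
    and a replay against a stale counter."""
    seed = b"\x01" * 20          # constructed shared token seed
    counter = 42                 # constructed event counter
    client_resp = token_response(seed, counter)   # computed on the token
    server_resp = token_response(seed, counter)   # computed by the server
    wire = seal(client_resp, b"login alice")
    return {
        "same_response": client_resp == server_resp,
        "server_reads": open_(server_resp, wire),
        "eavesdropper_reads": open_(token_response(b"\x02" * 20, counter), wire),
        "stale_counter_reads": open_(token_response(seed, counter - 1), wire),
    }


if __name__ == "__main__":
    print(demo())
```

The server accepts the message only because it computed the same seven digits independently; the observer and the stale-counter replay both fail at the tag check before any plaintext is released. Keep the counter window tight and rate-limit failures: with 10^7 possible responses, online guessing is the attack the scheme actually has to resist.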
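Editor's added example for Roger Binns's item ("Will they ever learn? [Passwords]") above. The code is not from NCSU, from the quoted account page, or from the item; it reproduces the two rules the quoted text publishes (username from the first and middle initials plus the first six letters of the surname; initial password equal to the SSN with dashes removed) and then audits a constructed user list for accounts whose stored password hash still verifies against that default. Because the username is derivable from a public directory and the default password is known to every office that holds the SSN, the audit is the check an administrator would want to run before the first incident. The hash scheme (salted SHA-256, hex) and the user records are assumptions of this example; on a real system the same logic plugs into whatever verifier the password file uses.

```python
"""Audit for accounts still on a predictable initial password.

Added example (not from NCSU or the RISKS item). Assumptions: a user
list with username, SSN, salt and a salted-SHA-256 hex password hash.
"""
from __future__ import annotations

import hashlib
import hmac
import re


def derive_username(first: str, middle: str, last: str) -> str:
    """'John Q. Public' -> 'jqpublic', per the quoted account rule."""
    initials = (first[:1] + middle[:1]).lower()
    surname = re.sub(r"[^a-z]", "", last.lower())[:6]
    return initials + surname


def default_password(ssn: str) -> str:
    """'123-45-6789' -> '123456789', per the quoted account rule."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must have nine digits")
    return digits


def hash_password(password: str, salt: str) -> str:
    """Illustrative verifier (assumption): salted SHA-256, hex encoded."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def still_on_default(record: dict) -> bool:
    """True if the stored hash verifies against the SSN-derived default."""
    candidate = hash_password(default_password(record["ssn"]), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def audit(records: list[dict]) -> list[str]:
    """Usernames whose initial password was never changed."""
    return [r["username"] for r in records if still_on_default(r)]


def _make_record(first: str, middle: str, last: str, ssn: str,
                 password: str, salt: str) -> dict:
    return {"username": derive_username(first, middle, last), "ssn": ssn,
            "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample: two users kept the default, one changed it.
SAMPLE = [
    _make_record("John", "Q", "Public", "123-45-6789", "123456789", "s1"),
    _make_record("Mary", "Ellen", "Washington", "987-65-4321", "987654321", "s2"),
    _make_record("Ann", "B", "Lee", "111-22-3333", "correct horse battery", "s3"),
]


if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("default password still in use:", name)
```

Run against the real account store, the output is the list of accounts an outsider can enter with nothing more than a campus directory and the victim's SSN; forcing a change at first login removes the exposure without waiting for users to follow the page's advice.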