Subject: RISKS DIGEST 15.63
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 7 March 1994  Volume 15 : Issue 63

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** EARLIER VOLUMES NOW IN FTP ARCHIVE SUBDIRECTORIES. *****
***** See last item for information on RISKS (comp.risks) *****
**** HUGE BACKLOG OF PENDING 2nd- & 3rd-order contribs. I'll try... . ***

Contents:
Yet Another Mistaken Identity (Mike Zehr)
Philadelphia 911 Crash (Steve Pielocik)
Service a computer, go to jail (Kriss A. Hougland)
Court Case casts doubt on cashpoint credibility (Brian Randell)
`Hacker' alters Drug Protocol in British Hospital (Peter B Ladkin)
Will Australia be doomed to repeat Clipper? (Rhys Weatherley)
A Well Oiled Mac (Jon Golob)
SCIENCE article critical of computer models (Jon Jacky)
Re: Autopilot landings in `zero visibility' (Peter B Ladkin)
The risks of user ID's (Jason Haines)
RISKS RISKS: Bug in mailing RISKS-15.61 (Mike Sullivan, PGN)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Mon, 7 Mar 94 08:21:02 EST
From: mikez@kenan.com (Mike Zehr)
Subject: Yet Another Mistaken Identity

Boston Globe, Monday, March 7 -- (Summarized)

For the past 4.5 years, Clinton Rumrill 3rd has been trying to clear his name of financial and criminal problems caused by one of Rumrill's childhood friends, John Mudge. Mudge apparently started by taking a department store credit card in Rumrill's name, has since racked up traffic charges, and been charged with ticket scalping, all in Rumrill's name and with Rumrill's social security number. Although he's been able to clear up each case so far, because Rumrill and Mudge have very different appearances, new cases keep springing up. Rumrill has been told it would be easier to change his name and SS number than to keep trying to clear his name.
Rumrill now has another problem. Police have been made aware of the fact that Mudge is using Rumrill's ID, and now police computers think they are the same person! The difficulties are made worse by the fact that in Massachusetts it is not a crime to give false information to the police.

-michael j zehr

------------------------------

Date: Fri, 04 Mar 94 10:26:28 EST
From: spiel@aol.com
Subject: Philadelphia 911 Crash

KYW Radio reports that the 911 emergency service for almost the entire city of Philadelphia was out of service last night for several hours resulting in dozens of emergency calls not going through. Callers got a "try again later" message. The outage was reportedly due to a "software problem". Service has apparently been restored but the station reports that the authorities are still trying to correct the source of the problem. Nothing in the early edition of this morning's Inquirer but this sounds like a mini version of the ATT collapse of '90.......

Steve Pielocik
Glenside, Pa.
spiel@aol.com
pielociks@smtpgate.nadc.navy.mil

------------------------------

Date: Thu, 3 Mar 1994 20:41:20 -0700 (MST)
From: "Kriss A. Hougland"
Subject: Service a computer, go to jail

I came across this report of a really nasty computer risk....

From Electronics Now, April 1994, page 6 (I contacted the magazine to confirm this is NOT a joke and permission to post the article. Many thanks for Evelyn Rose, editorial assistant.)

NESDA Challenges U.S. Copyright Act

The National Electronics Service Dealers Association (NESDA) has come to the aid of Peak Computer Corporation in its legal battle with MAI Systems Inc. NESDA and its associated organizations filed a friend-of-the-court brief in Washington DC last November on behalf of Peak which has been sued by MAI Systems for alleged violations of the U.S. Copyright Act. MAI says the software which operates its computers is licensed only to the owners of those computers, and only licensed owners should be allowed to turn them on.
Its suit charges that Peak and other service companies are breaking the law by turning on the computer for service. Two lower courts agreed with MAI that by turning on a computer a "copy" of the operating program is made in the computer's RAM. This, MAI says, violates Sec. 117 of the U.S. Copyright Act.

NESDA believes that if the ruling is allowed to stand, manufacturers of such products as appliances, audio and video equipment, and heating and air-conditioning controls could claim a similar exclusive right to their "intellectual property." According to NESDA Executive Director Clyde Nabors, "NESDA has no choice but to oppose" the lower court's ruling, which he views as "another of a long string of thinly-veiled attempts by some manufacturers to eliminate competition from independent service [organizations]."

The NESDA brief challenges the ruling on several points of law. In its brief, NESDA referenced a previous Supreme Court ruling that concluded that a market for the service of a product exists after the sale of the product. In effect, the Court said that even if a manufacturer does not monopolize the sale of its product, it can still be charged with illegally trying to monopolize the service of those products.

The NESDA brief entitled the "Service Industry Signal," is being filed by attorney Ron Katz of the San Francisco office of Coudert Brothers, a New York law firm. To recover the cost of the brief as well as the cost of future "signals" from the service industry, NESDA has requested contributions to the "S.I.S" legal defense fund from concerned service dealers and technicians. The contributions are to be sent to the SIS Fund, c/o NESDA, 2708 West Berry Street, Fort Worth, TX 76109.

I am aware that some companies (Borland) have a "book" type of license. I would hate to have to bail out my car mechanic when the SPA busts him/her for turning on my car to try and fix it.
--------------------------------

Date: Mon, 7 Mar 94 14:02:35 GMT
From: Brian.Randell@newcastle.ac.uk (Brian Randell)
Subject: Court Case casts doubt on cashpoint credibility

Court Case casts doubt on cashpoint credibility, by Mark Ward
*Computing* (UK weekly), 3 Mar 1994

ATM's are in the news again after the Halifax Building society's court-room defence of their reputation. Almost all high-street financial institutions are now facing a combined lawsuit brought by Denis Whalley of Liverpool solicitors, J Keith Park, on behalf of 66 clients who claim they have been victims of phantom withdrawals from automated teller machines.

The case follows that of Suffolk policeman John Munden. He was convicted of attempting to obtain money by deception when he queried the Halifax over a series of transactions he claimed he had not made but which appeared on his bank statement (Computing, 24 February). The Halifax - the UK's biggest building society - decided to prosecute. Curiously, though, when the trial was convened it was adjourned because the building society could not offer any expert testimony on its security procedures. The case came to court late last month and led to Munden's conviction. He is due to be sentenced in the next couple of weeks.

During the trial, the somewhat ramshackle nature of the Halifax's security procedures came to light. The central personal identity number (PIN) validation application was first developed in 1978 and reworked in 1981, when the Diebold series of cash machines were bought. It doubtless has been tweaked since, but it is still a system built for a less demanding era.

Banks and building societies alike are trying to patch up the failing security procedures of their cash machines by putting in cameras and looking at other ways to prove users are who they claim they are. But the Halifax is not alone in trying to use old technology to meet changing customer needs.
Every high-street bank and building society is closing branches or working out how to turn them into selling spaces rather than service points. And one man at least is convinced that this and other trends will make the cash machine a museum piece by 2010.

A book, published next month, by author Bryan Clough, Cheating At Cards: Sharp Practice and Naive Systems, takes a long look at cashpoint crime. Clough believes the high price of ATMs in terms of pounds and pain could force a banking revolution. He says in many US states, so many people are mugged and murdered while using ATMs that state governments are forcing banks to fit safety devices that nearly double the cost of holes in the wall. And this is before any consideration is given to making the machines less fallible.

The UK's first recorded incident of a person murdered after using a cash machine occurred in Hampshire this January. Clough is sure there have been others, though no one is collecting figures. He is convinced that retailers have an enormous opportunity to take business away from the banks, with the secure environment they offer people for getting cash when using debit cards to buy their shopping. That advantage is compounded by the fact that the cost to supermarkets of being able to offer the service is only that of a (pounds)50 swipe terminal and the connection to the bank's computer.

Certainly, there is a real contradiction between banks and building societies trying to turn a branch into a space through which to sell more services, and their putting a machine on the outside that means customers have no contact with branch staff.

Regulatory bodies regard cash machine fraud as small beer. According to the Association for Payment and Clearing Services, the body that comments on security, ATM fraud in 1992 cost banks and building societies (pounds)3m, compared with the (pounds)165m cost of plastic card fraud. Apacs sees cash machines as a relatively secure method of dispensing money.
Some are even looking at extending the PIN concept to plastic cards to cut the level of fraud at the point of sale. An Apacs spokesman said there are various studies being conducted that will result in technology to aid decisions at the point of sale. He said one problem lies in limiting false rejections - turning away genuine customers. He suggested a false rejection rate of one in 100,000 as acceptable. No technology on trial has yet demonstrated anything like this rate.

What is clear is that crunch time is coming for the humble cash machine. Will it go the way of all flesh, or become the preferred method of dealing with your bank - only this time with the banks paying for their mistakes.

------------------------------

Date: 7 Mar 94 18:22:32 GMT (Mon)
From: Dr Peter B Ladkin
Subject: `Hacker' alters Drug Protocol in British Hospital

In the German news magazine Der Spiegel 1994(9) 28/2/94 p243 is a story concerning Dominic Rymer, who obtained a doctor's password by looking over his shoulder, and then edited the drug protocol of a nine-year-old meningitis patient to something that might have killed her. This all happened at the Arrowe [sic] Park Hospital in Wirral, Lancs. I didn't see any article about it in a British newspaper.

Peter Ladkin

------------------------------

Date: 6 Mar 1994 08:55:07 GMT
From: rhys@cs.uq.oz.au (Rhys Weatherley)
Subject: Will Australia be doomed to repeat Clipper?

I was looking through "The Sunday Mail" here in Brisbane, Australia on Sunday, March 6, when I noticed an article on page 20 titled "New Phone Stumps Oz Spy Group". I'll paraphrase it and give a few excerpts.

The key point was that the new digital Telecom Talkabout system which has been deployed here in Brisbane "cannot be traced or bugged using current technology". Talkabout is a "small cell" mobile phone system: there are now Talkabout poles all over the CBD and most suburbs, and people can buy a cheap small mobile phone to take advantage of the system. It is quite popular.
What the above quote probably means is that the police, ASIO (domestic security) and ASIS (Australia's CIA), don't currently have scanners that can decode the digital signals, although I suspect that Talkabout probably also uses the GSM encryption system which was introduced here recently, over the objections of the afore-mentioned agencies. Of relevance to the Clipper debate is the following quote: "Telecom corporate public relations spokesman, Mr John Tucker, said it was a requirement of the federal Attorney General's department that all telecommunications be capable of being intercepted by intelligence and police agencies". Telecom have special dispensation from the Attorney General to run Talkabout as a trial as long as it is contained to the Brisbane network. The future of the system would be discussed after the trial and a decision would be made as to who would fund the cost of developing means of tracing calls. So, it looks like Australia is doomed to repeat the same battle for strong encryption that is currently raging in the United States. The usual RISKs of "buggable" encryption systems apply, but an additional RISK for Australia is that the Attorney General will buy the US government's line on Clipper and put our telecommunications at risk with all of the keys stored in databases held by a foreign power, no matter how friendly that power may currently be. Either that or the Attorney General will commission the development of a similar system here. Another RISK is that once a tracing mechanism is developed, the "small cell" nature of Talkabout might permit the tracking of a user's every move. The cynical members of the Clipper debate will put this down as yet another power that the US government seeks over its citizens and the rest of the world. The NSA for one would have no restrictions against monitoring the Clipper-ised internal communications of another country: that is part of their purpose for existence. 
Probably the only good sign is that since Talkabout is very popular (and Telecom have been pushing it very aggressively), Telecom will probably fight tooth and nail to keep their investment, and the concerns of the above agencies will be overridden. The agencies will then be forced to recognise that wiretap surveillance is coming to the end of its useful life whether they like it or not, and they will have to develop alternative means. We can only hope.

Rhys Weatherley, University of Queensland, Australia
rhys@cs.uq.oz.au

------------------------------

Date: Sat, 05 Mar 94 16:04:53 EST
From: jongolob@aol.com
Subject: A Well Oiled Mac

Lurking in a computer lab in a High School is a Macintosh, a Macintosh that wasn't well oiled, a Macintosh that ended its existence abruptly during a High School music class. It was a Macintosh SE and like its many other brothers in the lab it had a little hole in the back of it in which oil was placed. The brilliant administrators at the school found out that when a computer is left on 24 hours a day, seven days a week and 365 days a year for seven years a computer gets worn out.

An unsuspecting student sat down at his table, flipped on his keyboard and turned on his Macintosh SE like he always did. The Mac slowly came to life, he clicked on the MIDI program and all hell broke loose. At first it started rather benignly, a gentle tap but, far worse things were about to come. Soon the Macintosh was going BUMP BUMP BUMP and was jumping on the desk. The student yelled for his teacher and the teacher proceeded to click on the mouse in a vain effort to fix the ailing computer. Next the Mac began to emit a grinding noise not unlike a garbage disposal. The teacher screamed "DID YOU OIL IT!!!!." The student replies "YES I DID, YES I DID." The Macintosh is now rapidly convulsing on the table. The screen began to flash black and white. Next the Mac started to emit a high pitched whine.
All of the other students began to flee from the room, several female students began to cry and the Mac, like an animal slowly dying of blood-loss, began to spurt oil out of the little hole on the back of the computer coating several other computers. There is a gigantic BANG as the student runs for his life out of the room and pieces of glass slide out into the hallway.

The moral of the story.... KEEP YOUR MACINTOSH WELL OILED.

Jon Golob
s97jgol1@cranbrook.edu
(after March 30) jongolob@aol.com

------------------------------

Date: Mon, 7 Mar 1994 10:04:55 -0800
From: Jon Jacky
Subject: SCIENCE article critical of computer models

RISKS readers may be interested in:

"Verification, Validation and Confirmation of Numerical Models in the Earth Sciences" by Naomi Oreskes, Kristin Shrader-Frechette and Kenneth Belitz, SCIENCE 263, 4 Feb 1994, 641 -- 646.

This article is a critique of computer modelling applied to such public policy issues as global warming and nuclear waste disposal. From the abstract: "Verification and validation of numerical models of natural systems is impossible ... The primary value of models is heuristic."

The article struck me as a philosophical essay on the limits of modelling in general, rather than as a critique of particular models. These authors do not use the term "verification" with its usual meaning in computing, rather they use "verified" to mean "makes predictions consistent with observations." In fact, the article does not consider computing issues specifically. I think a better title would have been just, "Validation and Confirmation ..."

- Jon Jacky, jon@radonc.washington.edu
University of Washington, Seattle

------------------------------

Date: 4 Mar 94 13:34:51 GMT (Fri)
From: Dr Peter B Ladkin
Subject: Re: Autopilot landings in `zero visibility'

In RISKS-15.62, Simson Garfinkel says:

> I was on one of the few aircraft to land in the Boston blizzard today. There
> was zero visibility. [...]
> And I wondered which would have been RISKier: landing on autopilot, or landing
> on human pilot.

It's well to wonder, but in this case there might not have been the option. There are three categories of Instrument Landing System (ILS) approaches, Cat I, II and III, and Cat III is further subdivided into A, B, and C. The categories are differentiated according to the minimum weather conditions required for landing.

An ILS is, abstractly, a couple of radio homing beams. One, the `localiser', beams down the centerline of the runway, so you can tell if you're left or right of it, and another beams up at an angle, usually between 3-5 degrees, from the touchdown point - the `glide slope'. You or your favorite autopilot are supposed to follow the beams from 5-15 miles out.

In order to land legally for most Cat I Instrument Landing System approaches, besides the usual visibility conditions, some part of the runway, its lighting or its environment must be visible when you're roughly 200 feet above the ground (and therefore a few more hundred feet from touchdown). Cat II `minimums' are lower, Cat III lower still. Furthermore, for air carriers, operation is only permitted with certain values of `Runway Visual Range'. Special crew and aircraft certification is required for Cat II and III, and certain modes of operation are mandatory.

It is possible that the landing described was made under Cat IIIA, in which case use of some automated systems is mandatory, and hand-flying is not an option.

A further question is: what form of safety analysis has been done to ensure that the requirement to use automated landing systems rather than people is appropriate for Cat III landings? Perhaps those RISKS readers who have extensive dealings with the regulatory authorities and the airplane manufacturers could tell us?
Peter Ladkin

------------------------------

Date: Fri, 04 Mar 1994 16:04:01 +1100
From: jhaines@compsol.fidonet.org (Jason Haines)
Subject: The risks of user ID's

At the end of each semester, my university publishes unit results by printing out the student number of each pupil and their unit scores. These results are then posted in a public area in the university. Since only the student ID number (and not the person's name) is printed, it is impossible to find out someone else's results unless you know their student ID number. This was reasonably secure, as it was fairly difficult to find out someone else's student ID number without obtaining their student card.

Unfortunately, the computing unit at the university have introduced a new scheme for allocating usernames to students. The username is comprised of the first letter of the user's surname, and the user's student ID number.

It is fairly easy to obtain someone else's username. They may give it to you for e-mail purposes. Their username will often appear in a window title on their physical terminal, or in their command prompt. Tools like 'who' could also assist in finding out another person's username without their permission. The inclusion of the first letter of the person's surname into the username makes such investigation even easier.

Thus, with only a small effort, any student with a computer account could quite easily obtain the student number, and then the results, of any other student who uses the system.

Of course the university may change its policy on posting results in a public place, but somehow I doubt it.

------------------------------

Date: 04 Mar 94 22:51:25 EST
From: Mike Sullivan <74160.1134@CompuServe.COM>
Subject: RISKS RISKS: Bug in mailing RISKS-15.61

I was surprised to discover that RISKS-15.61 arrived in my emailbox with a list of well over 100 "Apparently-to: user@domain" headers that appear to be a substantial portion of the mailing list.
------------------------------

Date: 07 Mar 94 19:59:23 PST
From: Risks-Request@csl.sri.com
Subject: Re: Bug in mailing RISKS-15.61

In an effort to avoid the problem of MCImail RISKS recipients getting each issue with the entire list of MCImail users on their sublist, for RISKS-15.61 I tried BCC on a sublist that at that time also included MCImail, CompuServe, NetCom, and a few other so-called services. CompuServe gets added to the MORON list of services apparently unable to handle BCC, because they turned that into the long list of addresses that apparently worked just fine when sent TO the sublist. NetCom reportedly also got wedged as a result of my attempt to use BCC. I GUESS YOU CAN CONCLUDE THAT BCC: MAY BE VERY RISKY!

In RISKS-15.62 I solved that problem by creating a BCC sublist just for MCImail and reverting to TO for everyone else on the rest of that sublist. I feel like a three-TO:ed sloth. But the degenerative "services" are really causing me too much grief. (I presume you recall the fact that several of them bounce the entire list if one address fails.) GROAN.

PGN

------------------------------

Date: ongoing
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA) with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military and Government machines should contact (Dennis Rears). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, send requests to (not automated).
CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "FTP CRVAX.SRI.COMlogin anonymousYourName CD RISKS: Issue j of volume 15 is in that directory: "GET RISKS-15.j". For issues of earlier volumes, "GET [.i]RISKS-i.j" (where i=1 to 14, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00. "DIR" (or "DIR [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; =CarriageReturn; FTPs may differ; UNIX prompts for username, password. WAIS and bitftp@pucc.Princeton.EDU are alternative repositories.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 15.63
************************