Subject: RISKS DIGEST 16.04
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 10 May 1994  Volume 16 : Issue 04

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

  Contents:
Secret elevator codes baffle Metro Toronto government (Dave Leibold)
Smoke or Malaria - Lesser of the two evils (Hiranmay Ghosh)
Dartmouth prof spoofed (Mich Kabay)
11-digit ZIP code (Christine Harbs)
Frozen computer scientist (David Honig)
Re: Bellcore cracks 129-digit RSA ... (Paul C Leyland, Dik Winter, Paul Buder)
Re: Streetwise Guide [Risks of following up on credit-card laws] (Robert Slade)
Future of US health care? (Mark Stalzer)
White House May Issue National ID Cards (Mitch Ratcliffe via W.C. Daugherity)
Canadian long-distance service reseller blunders (Mich Kabay)
Cheers to two companies (Michael J. Zehr)
Re: MIT student arrested (David desJardins)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: 06 May 94 00:06:10 -0500
From: Dave.Leibold@f730.n250.z1.fidonet.org (Dave Leibold)
Subject: Secret elevator codes baffle Metro Toronto government

An article in _The_Toronto_Star_ on 5 May 1994 described secret codes which
are necessary to maintain elevators at Metro Hall, the building which houses
Metro Toronto municipal council and services.

The elevators, made and maintained by Schindler Elevator Corp., require
secret password codes in order to maintain them. This means that only
Schindler staff can maintain the Metro Hall lifts, and as such forced Metro
Council to award a 10-year contract of $3.5 million to Schindler. Meanwhile,
Metro is also suing the building's developer, Marathon Realty, to try to get
the codes. Without the passwords, elevator maintenance contracts cannot be
given to a competing firm.
Metro Councillor Howard Moscoe wanted the Council to issue a $10 000 reward
to the first person to successfully crack Schindler's Code. This motion
probably didn't get approval.

David Leibold   Fidonet 1:250/730   dave.leibold@f730.n250.z1.fidonet.org

------------------------------

Date: Mon, 9 May 94 09:07:35 IST
From: Hiranmay Ghosh
Subject: Smoke or Malaria - Lesser of the two evils

RISKS usually features risks in the high technology area, especially with
computers. I am tempted to cite one example of risks in a relatively low
technology area encountered in a developing country like ours!

In the '50s or early '60s, there had been a massive drive to eradicate
malaria (a disease characterized by high fever and spread through mosquito
bites) from India. The attack was primarily on the mosquitoes; many of them
were killed by pesticides and their hideouts destroyed. The operation was
considered to be successful and a case of malaria was rare for about twenty
years to come! Unfortunately, in the late '80s, mosquitoes came back with
renewed vigour and brought malaria back.

How did the mosquitoes come back? Some 'experts' assign the following
reason: In the '60s or '70s, most Indian households used hearths (coal-fire)
to prepare the food. At that time, a common sight at dusk in an Indian town
was the smoke coming out of every dwelling unit to mark the ignition of the
hearth for preparation of the evening meals. In a city, where the population
density had been high, the volume of smoke was significant and caused concern
about pollution! But that was the time when the mosquitoes invading the
households (dusk is the peak activity hour for the mosquitoes!) were repelled
by the smoke. In the '80s, the hearths were replaced by 'modern'
'non-polluting' gas stoves. The coal-lit hearth was even banned in many
cities in an attempt to curb pollution. So, now there is nothing to prevent
the mosquitoes from coming to join us for dinner and spreading malaria in the
process!
I am not sure if the reason cited is a valid one, but the concern about the
re-advent of malaria in India is beyond any doubt!

   [Next time, lease a collection of mutant boll weevils to eat the
   mosquitos and you will be confronted with a lessor of weevils.  PGN]

------------------------------

Date: 09 May 94 06:31:56 EDT
From: "Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
Subject: Dartmouth prof spoofed

Here is some old news that was new to me:

According to the _Dartmouth Life_ newsletter (Feb 1994--I'm just clearing up
my in basket today), an article appeared in _The New York Times_ on 94.01.05
entitled "Confronting changing ethics of the computer age."

The unsigned article begins, "Hanover, N.H. -- Somebody in Prof. David
Becker's course on Latin American politics did not want to take the midterm
exam, so he or she used Dartmouth's innovative electronic mail network to
impersonate a department secretary and cancel the test.

"At 11 o'clock on the night before the test in the Government 49 class, a
message flashed on students' computer screens. Because of a family emergency,
the message said, Professor Becker would be unable to administer the midterm."

The article explains that half the class understandably failed to show up for
the test. No one has been identified yet as the culprit.

The rest of the article talks about the extensive electronic mail system on
campus. One of the key concerns of the unregulated network is the rapid
spread of rumours: "Late in August a computer flashed an account of a woman
being raped while jogging near campus. The message was intended as a warning,
but there had been no rape." The Hanover police department was swamped with
calls. The Chief of Police now has his own electronic mail account to try to
squelch rumours.

M. E. Kabay, Ph.D. (Dartmouth '76) / Dir Educn / Natl Computer Security Assn.
------------------------------

Date: Mon, 9 May 1994 14:28:30 -0700 (PDT)
From: Christine Harbs
Subject: 11-digit ZIP code

According to the _Friday Report_, Gene Del Polito, Exec. Dir. of the
Advertising Mail Marketing Assn., is urging the Postal Service to adopt an
11-digit ZIP code. The 11 digits would consist of the original five + four,
and the last two will be the last two numbers of YOUR house address.

Translation? Better targeted junk mail. This means that, with only a ZIP
code, marketers and harassers will darn near be able to pick out my house.

Marketers do a lot of demographic research based on ZIP code. This could
lead to _extremely_ targeted marketing. Although not everyone would consider
this a risk...

Another concern arises for people who are being stalked or harassed. Again,
with just the ZIP code, the stalker could pinpoint, at the very least, the
victim's street.

Systems which claim to protect privacy and confidentiality because they
_just_ use a ZIP code for identifiers may have to be redesigned.

<<'The reality we're stuck with is that many people in this country simply
don't know what their accurate and complete address is,' said Del Polito.>>

I am sure a lot of people make mistakes when addressing an envelope. I do
not think the way to solve this problem is to create a system where 11 digits
create a path to my doorway.

------------------------------

Date: Fri, 06 May 1994 10:01:10 -0700
From: David Honig
Subject: Frozen computer scientist (RISKS-16.03)

In the last RISKS someone writes about the dangers of automatically-locking
doors when standing in a blizzard at 2500 feet wearing light clothing. The
author posits a somewhat amusing possible outcome, had he not been saved by
travelling communists: a computer scientist frozen to death next to his
over-clever, running but locked, vehicle.

Of course, more hardware-oriented types might have clued in to the
brittleness of said vehicle's windows before hypothermia set in...
:-)

------------------------------

Date: Mon, 9 May 1994 18:04:54 +0100
From: pcl@foo.oucs.ox.ac.uk (Paul C Leyland)
Subject: Re: Bellcore cracks 129-digit RSA encryption code (RISKS-16.03)

> predicted would take "40 quadrillion years" to break. ...
> This mathematically arduous task was accomplished in eight months by
> 600 volunteers in 24 countries who used their organizations' spare
> computing capacity. ...

There are two risks, one amusing.

Ron Rivest now regrets ever making that 40 quadrillion years estimate. It
was silly when he made it; his papers in the scientific literature from that
era give estimates which are within an order of magnitude of how much
computation we actually used. From those estimates, and the observation that
way back then it wasn't feasible to hook together hundreds of computers, we
can deduce that a late 70's supercomputer using the best algorithms available
then would have taken a few decades, maybe a century. Certainly much less
than the 40 quadrillion years.

The risk is: making predictions about the runtime of computer programs can
sometimes make you look silly 8-)

The other risk is more serious. RSA is widely used to protect commercially
significant information. 512-bit keys are widely used for this. Most, if not
all, smart-card implementations are restricted to 512-bit keys. RSA-129 has
425 bits. I estimate (taking a risk 8-) that 512-bit keys are only about 20
times harder to break than 425-bit keys.

Readers are left to draw their own conclusions. However, it is not by chance
that I have a 1024-bit PGP key.

Oh yes, as Arjen Lenstra had pointed out: if you had used RSA-129 as the
modulus in a digital signature for a 15-year mortgage, you would have been
cutting it pretty fine. It is the use of RSA for long-lived signatures which
needs to be examined with a very critical eye.
Paul Leyland (one of four RSA-129 project coordinators)

------------------------------

Date: Fri, 6 May 1994 02:45:26 +0200
From: Dik.Winter@cwi.nl
Subject: Re: Bellcore cracks 129-digit RSA encryption code

Perhaps because there is no risk beyond the known ones? Bob Silverman of
MITRE (well known in number factoring circles) has publicly predicted already
some time ago that it would require about 5000 MIPS years to factor the
number. Reasonably close to the actual figure.

That the team was led by Bell Communications Research is untrue. It is a
team led by four people from Bellcore (Arjen Lenstra), MIT (Derek Atkins),
Iowa State University (Michael Graff) and Oxford University (Paul Leyland).

dik t. winter, cwi, kruislaan 413, 1098 sj amsterdam, nederland, +31205924098
home: bovenover 215, 1025 jn amsterdam, nederland; e-mail: dik@cwi.nl

------------------------------

Date: Thu, 5 May 94 20:02 PDT
From: paulb@teleport.com (Paul Buder)
Subject: Re: Bellcore cracks 129-digit RSA encryption code (RISKS-16.03)

I've heard this 40 quadrillion years figure a couple of times now and I find
it odd. Is that what the Scientific American said? I have the original
document from MIT's Laboratory for Computer Science. It's titled "A Method
for Obtaining Digital Signatures and Public-Key Cryptosystems" by Ronald
Rivest, Adi Shamir, and Len Adleman, April 1977. I can't do superscripting
with vi so 10 10th means 10 to the 10th power. It has the following table
in it:

   Digits   Number of Operations   Time
   ===================================================
     50       1.4 X 10 10th         3.9 hours
     75       9.0 X 10 12th         104 days
    100       2.3 X 10 15th         73 years
    200       1.2 X 10 23rd         3.8 X 10 9th years
    300       1.5 X 10 29th         4.8 X 10 15th years
    500       1.3 X 10 39th         4.2 X 10 25th years

200 digits was supposed to take 3.8 trillion years and 100 a mere 73. So
where does the 40 quadrillion figure come from?

paulb@teleport.COM   Not affiliated with teleport.
------------------------------

Date: Mon, 09 May 1994 12:06:09 -0600 (MDT)
From: "Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067"
Subject: Risks of following up on credit card laws (last one)

In response to my initial posting of the "Streetwise Guide" book review, and
subsequent summary of the initial responses, I (and, I presume, PGN as well)
am still receiving mail on the subject. Unfortunately, there is a lot of
disagreement and a shortage of direct quotes from the relevant statutes. I
pass along these messages, therefore, since they contain at least references
to the names of specific acts.

From: avm4@crux4.cit.cornell.edu
===========

The quoted material appears to be backwards, judging from the text on the
back of my credit card statement and also from the misc.credit FAQ:

Q504. Exactly which purchases qualify under the Fair Credit Billing Act?

You are protected if all of the following are true:

- The purchase was made with a credit card. (If it was a debit card, the
  money is already gone from your account and the bank won't get involved.)

- The amount charged is more than $50. (The amount in dispute could be less,
  for example if you bought a $90 lamp but were billed $100. The amount in
  dispute is $10.)

- You made the purchase somewhere in your home state, or within 100 miles of
  your mailing address. (I am not an attorney, but my understanding is that
  if you are having goods shipped to you by mail or phone order, the place
  of purchase is the address you are having them shipped to.)

If some of the above are not true, you are still protected if the
credit-card company owns or operates the merchant, or the credit-card
company mailed you the advertisement for what you bought. In that case your
purchase is covered by the rules no matter where you bought or how much you
paid.

In addition, you MAY successfully protest charges outside of these
parameters, but there is no legal requirement for the credit card company to
do so.
============
From: cramer@world.std.com (Bill Cramer)
============

>I don't remember the exact language, but in the U.S. consumers have the
>right to refuse charges made more than 50(?) miles from their home address.
>The refusal must be in writing, within 30 days, possibly with an explanation,
>etc. The bank must complete its actions within 60 days of receipt of this
>letter, cannot charge interest or late fees on the disputed amount, etc.

This statement would seem to be in conflict with 15 USC 1666i(a), which
states, in part, that a card holder can withhold payment only when the place
of the transaction was **within 100 miles**.

============

There was also mention of a Consumer Credit Protection Act.

This is as far as I go, since 1) I am not a lawyer, 2) I am not an American
and 3) I am part of the larger world to which my original comments still
basically hold good.

------------------------------

Date: Fri, 6 May 1994 10:13:31 +0800
From: stalzer@macaw.hrl.hac.com
Subject: Future of US health care?

For the past few months, my baby daughter has had a large rash. My wife took
her to our HMO a few times and the doctor (gatekeeper) finally authorized a
blood test and a visit to a dermatologist once the blood test results were
available.

Last night, we received a form authorizing the visit to the specialist that
contained a clearly labeled diagnosis of Lupus. We assumed that this was the
result of the blood test and I logged into Prodigy to find out more about
Lupus. The online encyclopedia had a detailed description and my daughter
appears to have some of the symptoms. Furthermore, the disease is very
serious and can lead to death.

We were very worried and I immediately contacted the HMO. This was about
6:30 p.m. and the front office staff couldn't help us (the doctors were gone)
even though their computer generated the form! (I expressed my displeasure
as forcefully as possible without using colorful language...)
I then called the dermatologist and what he had to say is very interesting.
Apparently, the HMO contacted the dermatologist last week, described the
symptoms, and asked for a list of possible diagnoses. He provided about half
a dozen possibilities and the HMO doctor then picked the worst possible one
so that it would get past the review committee! If he had put a more likely
diagnosis, like an allergy or fungus, a specialist visit probably would not
have been authorized. Also, the blood test results are not in, and based on
my daughter's response to some medication, it looks like she has something
simple that will clear up. Of course, she still gets to visit the
dermatologist based on the "diagnosis" on the form.

I'm thankful that the HMO doctor "worked the system" to get the best
possible care for my daughter. However, this form with a diagnosis of a
serious disease has me angry. Do health care providers really think it's
okay to mail out something like that without making a personal contact? Do
they tell people they have AIDS by mail now? Why didn't the front office
staff at the HMO have a clue? Shouldn't doctors be spending their time
helping people, not trying to figure out how to get around the system? And
finally, do we really want the Clinton Administration to mandate this kind
of system for all Americans?

-- Mark Stalzer (stalzer@macaw.hrl.hac.com)

------------------------------

Date: 9 May 1994 15:26:52 GMT
From: daugher@cs.tamu.edu (Walter C. Daugherity)
Subject: White House May Issue National ID Cards

From Prodigy 5/9/94:

White House May Issue National ID Cards

The Clinton administration is working on a national ID card that every
American would need in order to interact with any federal agency, reports
Digital Media: A Seybold Report, a computer industry newsletter based in
Media, Pa. The so-called U.S. Card would be issued to citizens by the Postal
Service.
It would be issued as a "smart card," with its own internal CPU, or as a
plug-in "PCMCIA" card with megabytes of built-in memory. Administration
approval of the plan "could come at any time," states the newsletter.

Walter C. Daugherity   daugher@cs.tamu.edu   uunet!cs.tamu.edu!daugher
Texas A & M University, College Station, TX 77843-3112   DAUGHER@TAMVENUS

   [Several folks sent me Mitch's piece from EFFector Online 07.08, and
   Digital Media, "Ever Feel Like You're Being Watched?  You Will..."
   However, I cannot run it in RISKS because of its copyright notice.
   Contact Mitch Ratcliffe (NOT RISKS) if you want a copy of the whole
   article.  PGN]

------------------------------

Date: 09 May 94 17:32:49 EDT
From: "Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
Subject: Canadian long-distance service reseller blunders

In November 1993, I signed up with a long-distance service reseller in
Canada. I won't give the name because there's no longer any reason to
embarrass the company.

Shortly after registering, I received a friendly welcoming letter explaining
how to use their service. As expected, there was a special number to dial;
when we got the dial tone, we'd punch in a 3-number PIN and our own
telephone number. Then we'd get another dial tone and we would dial our
destination number.

In the envelope were printed labels to stick on our phones with all of these
instructions--including the PIN!

I called the company and asked to speak to the chief of security. When I
finally got to speak to her, she expressed horror at the prospect of having
customer PINs stuck to their phones in plain sight, where any passing
dishonest person could pick up their access codes and call expensive places.
It seems that no one in marketing or customer service had ever discussed
this brilliant plan with her or with her staff. She assured me that she
would report the breach of security and effect changes.

Months passed. In January, I spoke to the chief of security again.
This time, I cheerfully told her she was running out of time. I sent her a
registered letter warning her of the dangers to consumers; pointed out that
although theoretically the user of a phone system is responsible for calls,
there would be no way to squirm out of the irresponsibility of having sent
out thousands of stickers showing the PINs of countless users; and that even
if the company absorbed the costs of fraud, they'd be unable to prosecute
even dishonest users who abused their own phone codes.

I then added what I think was the clincher: if I didn't hear back from them
within a week I'd publish a report in the RISKS FORUM DIGEST and in
Computing Canada and make them a laughingstock.

I got a call from the VP to whom the security chief reports. He assured me
that the problem was being solved. Indeed, a few weeks later, I received new
stickers _without_ a PIN. The system now uses ANI to identify the client.
Attempting to access the trunk from an unauthorized phone immediately causes
an alert at the company switchboard; repeated attempts to abuse the system
can lead to termination of service. The authorized user is informed of such
attempts.

Moral: don't just ignore security breaches, fight them!

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn

   [Or threaten them with worldwide appearances in RISKS?  PGN]

------------------------------

Date: Mon, 9 May 94 12:40:52 -0400
From: tada@MIT.EDU
Subject: Cheers to two companies

Although this forum is primarily for giving examples of computer problems,
I'd like to give credit to two companies I recently dealt with that made an
extra effort to reduce the risks in their systems.

My company recently switched to Fidelity for managing its 401(k) retirement
plans. Fidelity has a phone number one can call to check balances, transfer
investments between different funds, etc. When you call for the first time,
you're asked to select and enter a PIN.
To identify yourself, you need the plan number for your company, your social
security number, and your birthdate. All these are easily obtained by
others. To prevent misuse, the system sent confirmation by mail to the
person's home address that a PIN was set up. (Allowing a PIN setup by phone
worried me when I read their literature, but I felt this was a good way of
minimizing the risk. Also it should be noted that one couldn't transfer
money from one person to another, only transfer to different funds.)

A few days ago I stayed at a Marriott Courtyard in Landover, MD. They have
an express checkout system in which a copy of the bill is printed and
slipped under your door your last night there. On the bill is printed the
credit card number used for billing. The copy slipped under the door had the
number overwritten with a heavy black marker. It's possible that one could
determine the number anyway, but it reduces the risk of casual observance,
and at least demonstrates that they're thinking about the problem.

Cheers to both companies for thinking about the issues.

-michael j zehr

------------------------------

Date: Tue, 3 May 94 13:43:20 EDT
From: desj@ccr-p.ida.org (David desJardins)
Subject: Re: MIT student arrested (Cohen, RISKS-16.01)

Frederick B. Cohen writes:

> As to the issue of his intent to pirate software, that was not the charge
> against him. It was wire fraud! I have read the copy of the indictment and
> commentary and I find this awfully strange.

According to his lawyer on Nightline (and this was not contradicted by the
former FBI computer-crime head), Congress wrote the copyright law so that
pirating software is not specifically criminalized unless one does it for
profit. Whereas the wire fraud statute requires only a "scheme to defraud";
there need not necessarily be a profit motive.
David desJardins

------------------------------

Date: 9 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible
and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA)
with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military and
Government machines should contact (Dennis Rears). UK subscribers please
contact . Local redistribution services are provided at many other sites as
well. Check FIRST with your local system or netnews wizards. If that does not
work, send requests to (not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them. Contributions will not be ACKed; the load is
too great. **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks. Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR>cd risks:<CR>
Issue j of volume 16 is in that directory: "get risks-16.j". For issues of
earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits)
for Vol i Issue j. Vol i summaries in j=00, in both main directory and [.i]
subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out.
CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX
prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are
alternative repositories. See risks-15.75 for WAIS info.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving
it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info
regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS
COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375
if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 16.04
************************