Subject: RISKS DIGEST 16.79 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Weds 8 February 1995 Volume 16 : Issue 79 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, etc. ***** Contents: Proposed Virginia law on self-disabling software (Jeremy Epstein) Cellular Phone Security (Chip Seymour) Japanese bank workers steal 140 million yen by PC (Mich Kabay) Road pricing in Singapore (Phil Agre) InfoWar Level II in Miami (Mich Kabay) Phone switch bug causes alarm among NM officials (Mich Kabay) Telephone RISKS (Ry Jones) Risks in computerized cockpits (Rob Horn) Concatenating phrases produces confusing results in bank responses (Daniel P. B. Smith) More from the cat file (Phil) 1996 ACM COCCS call for papers (R.F. Graveman) Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. ---------------------------------------------------------------------- Date: Sun, 5 Feb 95 17:02:53 EST From: jepstein@cordant.com (Jeremy Epstein) Subject: Proposed Virginia law on self-disabling software The "Washington Post" reported in Saturday's edition (4 Feb 95) that the Virginia legislature is considering a law requiring that companies notify customers if the software they sell has a self-disabling feature (e.g., after some period of time). The article was sketchy, but it's intended to head off people developing software and then demanding ransom to prevent the software from self-destructing. The law would not *ban* such features, just require that they be disclosed. The RISK? Does informing people that the software is self-disabling encourage them to try to subvert the feature? And if someone did and that triggered the disable feature, would that come under the law? And what if it were used in safety critical systems: "I'm sorry, but the license period on the software in your heart monitor has expired. Please contact the vendor to reenable." ------------------------------ Date: Mon, 6 Feb 1995 11:43:54 -0500 From: Chip Seymour Subject: Cellular Phone Security Under the heading "CELLULAR PHONE SECURITY", EDUPAGE of 5 Feb 1995 mentions a *Wall Street Journal* article dated 3 Feb 1995 that states Cellular One of New York and New Jersey is starting to require new customers to enter a four-digit security code before placing calls. This is in an effort to curtail cellular fraud, which is quoted as being $482 million (3.7% of the industry's revenue) in 1994. NYNEX began such a program last fall. I spoke with a NYNEX sales representative who told me the new system changes channels after a user enters the phone number and presses "Send". The four-digit PIN code is sent on a new frequency, and would-be ESN thieves now have the added task of determining which PIN goes with which ESN. However, if your cellular telephone is equipped with a recall feature, pressing "RCL" displays, not the telephone number you've just dialed, but the four-digit PIN number. My Motorola DPL 550 recalls the PIN number even after a powerdown. Just a word of warning. Recall your PIN and Clear the display before leaving your telephone, and consider enabling the automatic-lock feature, if available. ------------------------------ Date: 05 Feb 95 14:12:50 EST From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Subject: Japanese bank workers steal 140 million yen by PC >From the Reuters news wire via CompuServe's Executive News Service: RTw 02/05 0107 Japanese bank workers steal 140 million yen by PC TOKYO, Feb 5 (Reuter) - A Japanese bank employee and two computer operators have been arrested and charged with allegedly using a personal computer money transfer system to steal 140 million yen ($1.4 million), police said on Sunday. Police said the 140 million yen was illegally sent in December last year from Tokai Bank Ltd to an account in another bank using a settlement system operated by personal computers. It was withdrawn the same day. The following day, a total of 1,490 million yen ($14.9 million) was sent from Tokai Bank to accounts in several other banks using the same system. But this time the fraud was discovered before any withdrawals could be made. According to the article, the suspects include employees of the bank systems group and a computer services supplier. It seems that the scheme was driven in part by debts owed to organized crime groups. M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn (Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC) ------------------------------ Date: Sun, 5 Feb 1995 21:48:04 -0800 From: Phil Agre Subject: road pricing in Singapore The LA Times had an article about road pricing in Singapore: Charles P. Wallace, Singapore in high-tech tangle to fight automobile gridlock, Los Angeles Times, 3 February 1995, page A5. The story is that Singapore's streets are rapidly becoming jammed with cars, and so the authoritarian government is trying to impose a road-pricing scheme based on automatic vehicle identification (AVI). "Road pricing" means that every road, or at least every frequently clogged road, is a toll road. "AVI" means that your car carries a device that can be "pinged" by a radio signal from a roadside beacon, whereupon it broadcasts a number (its own serial number in most versions, but perhaps the car's identification number) that allows a charge to be made to an account. The LA Times article is basically sympathetic to the government's position despite the straightforward coercion that the system involves. It pays no attention to privacy issues. The only existing AVI toll-collection system mentioned is the voluntary Telepass system in Italy. The basic argument behind road-pricing is a familiar market argument: when people can travel on roads for free, they naturally do so at a higher rate than if they had to pay the actual costs of providing roads. Road pricing, on this model, seeks to establish the most efficient level of road usage by letting people decide how much it's worth to them to drive. In practice this argument generally runs afoul of reality in several ways: (1) Road pricing schemes have generally required the collection of large amounts of data about individuals' travel patterns. So long as this data is accumulating, pressures to use it for other purposes, from marketing to repression, are more or less inevitable. Digital cash payment schemes might alleviate this problem, but so far as I am aware they have not been seriously proposed, much less implemented. (2) Unless you actually privatize the roads, in practice a "road price" is really a tax whose levels are set not by a market but by a legislature. One might argue that this is fine in a properly functioning democracy, but people often don't see it that way. A road-pricing scheme in Hong Kong failed a while back due in part to anti-tax sentiments. (3) It's very difficult to establish a proper competitive market in roads, since in most areas it's an industry with extremely high barriers to entry. (4) The whole geography of many countries -- maybe not Singapore, but certainly the United States -- has been shaped by the availability of free road travel. Introducing road pricing at this late date would cause great economic disruption. The resulting process would actually be very interesting to watch, and in the very long run might even reverse the flight from cities into the suburban sprawl. But it would be very messy. (5) When it costs money to drive on roads, the poor cannot legally drive. When you're looking for a job, free roads are one of those little subsidies that keep the wolves from the door. Enormous intelligent vehicle-highway systems (IVHS) including AVI-based toll collection are coming to most of the world. Singapore is the exception in declaring that the systems will be mandatory. But do you really believe that the IVHS in your region will remain voluntary? Will your insurance company require you to sign up for it? Will the availability of AVI encourage your local bureaucrats, faced with intractable budgetary woes, to propose road pricing schemes for the two dozen most overburdened roads in your region? Will you still refuse to sign up for the system when the alternatives are traveling strictly on free roads or stopping to pay thirteen tolls every day? These are questions worth thinking about now, before IVHS technical standards are established and deployment decisions get set in stone. Phil Agre, UCSD ------------------------------ Date: 07 Feb 95 21:45:05 EST From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Subject: InfoWar Level II in Miami The following item does not involve high technology, but it _does_ illustrate the risk from information warfare level II (inter-corporate): WP 02/06 Dial and Save's Word-of-Mouth Toll; Chantilly Long-Distance Firm Battles False Rumors of Free Service to Cuba By Kara Swisher, Washington Post Staff Writer Executives at Dial and Save, a small long-distance company in Chantilly, never thought they would have something in common with corporate giants such as Procter & Gamble Co. and Kentucky Fried Chicken Corp. But recently the firm became a member of that unfortunate group of companies zapped by untrue rumors that spread out of control. ... Dial and Save is contending with thousands of angry customers who say they thought that certain calls placed through its network were free. According to the author, over 10,000 people in the Miami area thought they were getting free calls to Cuba--and they placed over $2 million in calls in a few weeks. Now people are reacting to unexpected bills (some as high as $10,000). The furious callers insisted that they had placed the calls only because they had heard they were using free test lines. Customers said they would never have made the calls if they had known the costs; they had believed that Dial and Save's access number was the code for a free ride to reach their relatives in Cuba. The article continues with an extensive discussion of the public-relations nightmare caused by the angry customers (or perhaps I should say, "would-be non-customers") over their unexpected bills. In addition, the company has felt obliged to hire 20 extra Spanish-speaking operators to handle the thousands of angry calls they are currently receiving. [Comments by MK: I don't want to discuss the possible motivations of people claiming they expected free service by calling an access number. My reason for posting this fairly low-tech story is to illustrate the economic consequences of a simple rumour. Now imagine this rumour spreading through cyberspace, aided by anonymous postings and repostings in innumerable news groups, e-mail messages and bulletin board systems. This story reminds me of the lament recently posted by an anonymous executive in _Network World_ 11(49):41 (94.12.05) entitled, "Ad leads to a nightmare on Cyber-Street." This poor fellow spammed the Net in a small way and got a slew of nastygrams e-mail and was publicly pilloried in many news groups. Unfortunately, "someone uploaded a message to most of the alt.sex groups that listed my company's two 800 numbers as phone sex lines." The consequences of _that_ rumour were horrendous: flooded phone lines, angry and embarrassed receptionists, and complete humiliation of the naive Internet advertiser. Now, such childish pranks have already had expensive consequences, yet they are as nothing compared to the potential for economic terrorism posed by anonymity and pseudonymity on the Internet. As yet, I think, only some people on the Net have internalized the appropriate level of skepticism about _any_ information gleaned from the Internet, let alone about _anonymous_ postings. With a growth rate estimated by some at 10% _per month_ in the number of people using IDs that can access the Internet, we will see a natural increase in credulous newcomers. If thousands of people can believe that a phone-sex service would use an 800 number (or that a commercial phone service supplier would make free long-distance calls available), I think millions of people will be prepared to believe all sorts of other nonsense--and, alas for the victims, act upon those mistaken beliefs. So what are we gonna do, eh? Even my usual leitmotiv (We need non-repudiatable identification and authentication for access to the Internet -- etc. etc. etc.) fails: the people using the "free" access codes for calls to Cuba were tracked unerringly by their normal phone company accounts. No doubt the gullible seekers after, ah, aural sex were equally traceable--but so what? The damage was done regardless of non-repudiation. I dunno what we're going to do. Any ideas?] M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn (Carlisle, PA), Chief Sysop, CompuServe NCSA Forum ------------------------------ Date: 07 Feb 95 21:45:39 EST From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Subject: Phone switch bug causes alarm among NM officials >From the Washington Post news wire via CompuServe's Executive News Service: WP 02/06 DIGITAL FLUBS According to the brief report, The Albuquerque Tribune reported that many calls placed to numbers that use the state government's main Sante Fe prefix, 827, were erroneously routed to a recording that announced that the number was not in service. Since these events coincided with New Mexico Governor Gary Johnson's announced intention to replace many government officials, the bug in the phone switching software caused an unusual number of strong emotional responses. M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn (Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC) ------------------------------ Date: 5 Feb 1995 20:12:58 GMT From: rjones@rjones.oz.net (Ry Jones) Subject: Telephone RISKS Two items have recently become news in the PNW. One, we had an earthquake centered in Tacoma. According to articles in the Tacoma News-Tribune, the Seattle Post-Intelligencer, and The Daily Olympian, all three counties 911 systems were knocked out due to people calling to see if there had been an earthquake, or to get information about the quake. All three articles mentioned very high call volumes; the Seattle article mentioned 350 calls in the first 10 minutes after the quake. The RISKS are obvious. As a denial of service attack, this was perfect. Hundreds of well-meaning people (like rubberneckers on the information superhighway?) slowed or stopped vital services from being delivered. All three counties exhorted people to only call 911 after you have been hurt in an earthquake. As an aside, I got on the net and hit gopher://geophys.washington.edu:79/0quake and had instant, up-to-date information. Much better than what was available on the radio or TV. Perhaps if someone made a VMB that recited the most recent event to all callers? Then we could lose access to one switch somewhere, instead of to the 911 switch. Two: page A9, Saturday Feb 4 1995 issue of The Daily Olympian. LOSER: AUTOMATIC CALLING Poor Kenneth Calkins. The retired South Sound resident has received the same call once a week, every week, for nearly a year. The call, made through the Employment Security Department, is for a job opening Calkins has no interest in. Officials say the call, portions of which are in spanish, was meant for another person at another number. ... They go on to talk about how he didn't know how to remove himself from whatever list was generating the calls. The RISKS here are the annoyance of the voting elderly by newfangled computers with Automatic Calling Units. You could get voted out of office if enough people get angry... Finest handcrafted code since 1987. ------------------------------ Date: Wed, 08 Feb 1995 10:04:00 -0500 (EST) From: Rob Horn 6-4365 Subject: Risks in computerized cockpits Last week's (30 Jan 1995) and this week's (6 Feb 1995) Aviation Week & Space Technology have two moderately large sections on investigations, theories, and practices with the new computerized cockpits. In general the articles are good. The authors take the perspective of pilots. They discuss how pilots interact with the computerized systems and how these interactions improve or decrease effectiveness and safety. R Horn [Also noted by wb8foz@netcom.com (David Lesher), who added that the first issue includes "detailed (make that *very* detailed) discussions on some of the [in]famous Airbus incidents." PGN] ------------------------------ Date: Thu, 2 Feb 1995 22:56:33 +0001 (EST) From: "Daniel P. B. Smith" Subject: Concatenating phrases produces confusing results in bank responses BayBank, a Massachusetts chain, has recently started offering "linked accounts." For example, a recent ad shows the former hockey player, Bobby Orr, using his telephone to transfer money from his account to his son's. I figured it would be neat to have something in common with Bobby Orr, so I had them set up the same thing for me and my daughter who's at U. Mass. Before setting up the link, my accounts, as shown at ATM machines or over the phone, were identified as "savings" and "checking." BayBank has a feature which they call "custom account names." You might think this means you can pick any name you want, but what it actually means is that you can select from a list of about a hundred names, with highly personalized choices like "daughter 1" and "son 2." The BayBank rep who set up my account suggested the "custom" names "my checking," "daughter's checking," "my savings," and "daughter's savings," which sounded sensible to me. The first time I tried to be like Bobby Orr, here's what the confirmation dialog I got over the phone was: "Seventy dollars have been transferred from your my savings account to your daughter's checking account. The reference number for this transaction is one thousand eight hundred and four." This caused me to say "huh?" three times. The (British?) grammar of "seventy dollars have" isn't bad; I would have preferred that the transaction number be read as "one eight zero four;" but the phrase "your my savings account" stopped me cold. So, next month my daughter gets her bank statement and, yep, you guessed it: her statement shows this as "BayBank XP24 Transfer From BB Boston My Savings." See, it's my daughter's statement, but it's not _her_ my savings, it's _my_ my savings. Daniel P. B. Smith dpbsmith@world.std.com ------------------------------ Date: Fri, 3 Feb 95 14:35:45 +1300 From: phil@hyphen.equinox.gen.nz Subject: More from the cat file You think *you've* got problems... We have three little furry friends. The other morning (about 5 am) I was obliged to remove one of them from my bedroom in response to demands for food. Said mammal was carried to the kitchen and fed in an attempt to get some more sleep. On the return trip to my room I was alerted by the distinctive sound of the dial tone from the `handsfree' phone in my study. Then I heard it dial... It had only rung twice by the time I cancelled the call (it's a long hall, ok? :-). It appears that the kitten was asleep in the empty paper box on the corner of my desk and had been aroused by the sound of cat biscuits hitting the food bowl. In the process of heading for the easy way off my desk (via my chair) he had managed to stand on my phone and take advantage of the `one-touch hands-off dialing' facility. Later that morning I used the redial function to see who had been disturbed and to apologise profusely for the obscenely early call. Luckily, the recipients were somewhat amused and quite forgiving. There is now an empty box over my phone whenever I'm not sitting right next to it... phil ------------------------------ Date: Sat, 4 Feb 1995 10:50:03 -0500 From: "R.F. Graveman" Subject: 1996 ACM COCCS call for papers Call for Papers Third ACM Conference on Computer and Communications Security Hyatt Regency, New Delhi, India March 14-16, 1996 Sponsored by ACM SIGSAC Hosted by Indian NIC and AIMIL, Bell Atlantic, and George Mason University High quality, original, and unpublished (and not submitted elsewhere) research and practice papers in the area of computer and communications security are solicited. All aspects of computer security are relevant, such as theories, techniques, applications, and practical experiences. They include: access control, accounting and audit, applied cryptography (block ciphers, hash functions, digital signatures, key escrowing, cryptographic protocols), authentication, authorization, data/system integrity, electronic commerce, intrusion detection, key management, open systems security, privacy, protection of software and intellectual property, secure networking (LANs, WANs, firewalls, ATM, Internet, mobile, wireless, and telecommunications), secure operating systems and APIs, security architectures and models, security management, security of distributed systems and databases, security protocols, and smart-cards and secure PDAs. Instruction for authors: Submit seven (7) copies of your paper (not exceeding 7500 words or 25 pages) to either of the Program co-Chairs, in a form suitable for anonymous review (no author names, affiliations, obvious references), with a cover letter including author names, email and postal addresses, phone and fax numbers. Electronic or late submissions will be rejected without review. Where possible all further communications to authors will be via email. Paper submission: July 1, 1995 Acceptance decision: September 1, 1995 Camera-ready papers due: December 1, 1995 General Chairs: Ravi Ganesan, Bell Atlantic, USA Ravi Sandhu, George Mason University, USA Program Chairs: Li Gong SRI International Computer Science Laboratory 333 Ravenswood Avenue Menlo Park, California 94025, U.S.A. Tel: + 1-415-859-3232 Fax: + 1-415-859-2844 Email: gong@csl.sri.com Jacques Stern ENS-DMI 45 Rue d'Ulm 75230-05 Paris, France Tel: + 33-1-44322029 Email: Jacques.Stern@ens.fr Local Arrangement: N. Seshagiri, National Informatics Center, India H.C. Verma, AIMIL, India Awards: Raymond Pyle, Bell Atlantic, USA Publication: Clifford Neuman, U. of Southern California, USA Publicity: Richard Graveman, Bellcore, USA Program Committee Members: Aditya Bagchi, Indian Statistical Institute Elisa Bertino, University of Milan, Italy Matt Blaze, AT&T Bell Laboratories, USA Claude Crepeau, Universite de Montreal, Canada Matthew Franklin, AT&T Bell Laboratories, USA Virgil Gligor, University of Maryland, USA Richard Graveman, Bellcore, USA Sushil Jajodia, George Mason University, USA Kwok-Yan Lam, National University of Singapore E. Stewart Lee, University of Toronto, Canada Arjen K. Lenstra, Bellcore, USA Kaicheng Lu, Tsinghua University, China Shyh-Wei Luan, IBM Almaden Research Center, USA Tsutomu Matsumoto, Yokohama National University, Japan Catherine Meadows, Naval Research Laboratory, USA Clifford Neuman, University of Southern California, USA Luke O'Connor, DSTC, Australia Bart Preneel, K.U. Leuven, Belgium Jean-Jacques Quisquater, UCL-MathRiZK, Belgium Lakshmi Raman, Bellcore, USA Michael Reiter, AT&T Bell Laboratories, USA Nachum Shacham, SRI International, USA Y.K. Sharma, National Informatics Center, India Shiuh-Pyng Shieh, Chiao-Tung University, Taiwan Stuart Stubblebine, AT&T Bell Laboratories, USA Paul Syverson, Naval Research Laboratory, USA Paul Van Oorschot, Bell-Northern Research, Canada Vijay Varadharajan, University of Western Sydney, Australia Gio Wiederhold, Stanford University, USA Michael Wiener, Bell-Northern Research, Canada Rebecca Wright, AT&T Bell Laboratories, USA Moti Yung, IBM T.J. Watson Research Center, USA More information, access http://www.csl.sri.com/acm-ccs/ccs.html or email to acmccs3@isse.gmu.edu. ------------------------------ Date: 6 February 1995 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not yet automated). SUBJECT: SUBSCRIBE or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to which RISKS is sent] CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. All other reuses of RISKS material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using RISKS material should obtain permission from the contributors. RISKS can be read on the web at URL http://catless.ncl.ac.uk/Risks Individual issues can be accessed using a URL of the form http://catless.ncl.ac.uk/Risks/VL.IS.html (Please report any format errors to Lindsay.Marshall@newcastle.ac.uk) RISKS ARCHIVES: "ftp unix.sri.comlogin anonymousYourName cd risks or cwd risks, depending on your particular FTP. Issue J of volume 16 is in that directory: "get risks-16.J". For issues of earlier volumes, "get I/risks-I.J" (where I=1 to 15, J always TWO digits) for Vol I Issue j. Vol I summaries in J=00, in both main directory and I subdirectory; "bye" I and J are dummy variables here. REMEMBER, Unix is case sensitive; file names are lower-case only. =CarriageReturn; UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and password. Also ftp bitftp@pucc.Princeton.EDU. WAIS repository exists at server.wais.com [192.216.46.98], with DB=RISK (E-mail info@wais.com for info) or visit the web wais URL http://www.wais.com/ . ------------------------------ End of RISKS-FORUM Digest 16.79 ************************