Subject: RISKS DIGEST 16.86
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 3 March 1995  Volume 16 : Issue 86

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents:
What Goes Intuit May Not Come Out the Same Taxwise (PGN)
Apple Settles RSI Claim (Edupage)
Apple Settlement Due to Lawyer Error (Edupage)
More Security Problems on the Internet (Edupage)
Encryption Lawsuit Filed in California (Edupage)
Anti-Cyberporn [Exon] Bill Introduced (Edupage)
Home Gambling Network (Mich Kabay)
Losing your Marbles and your Barings (Peter Wayner)
UK National Audit Office report on computer misuse in government (Brian Randell)
Re: Perfect (?) Office Bug ... (Matt Cockerill)
Blaming the victim for money stolen with lost ATM card (Elizabeth Schwartz)
Sick Medicare Scanner (Judith Seeger)
Interstate Panopticon (Phil Agre)
Risks of living on the left side of the continent (Rob Slade)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Fri, 3 Mar 95 07:57:21 PST
From: "Peter G. Neumann"
Subject: What Goes Intuit May Not Come Out the Same Taxwise

Flaws were reported in the PC and Mac versions of TurboTax and MacInTax 1040.
These flaws are triggered when transferring tax data to the tax package from
other software, such as Quicken.  Intuit estimates that the flaws would affect
only about 1% of the users.  Intuit Chairman Scott Cook apologized that the
flaws had been known for a few weeks and had not been publicly acknowledged
until 1 Mar 1995.  He also indicated that new versions can be obtained for free
by calling 800-224-0948 (in the US).
  [Sources: various news reports 2-3 Mar 1995, including the San Francisco
  Chronicle]

------------------------------

Date: Tue, 28 Feb 1995 20:09:58 -0500
From: info@ivory.educom.edu (Edupage)
Subject: Apple Settles RSI Claim (Edupage, 28 Feb 1995)

Eight weeks into the first such lawsuit to go to trial, Apple Computer has
settled with the plaintiff who claimed her repetitive stress injuries were
incurred as a result of Apple's failure to warn about the potential for RSI.
One of the requirements in the settlement is that the terms be kept secret.
IBM, also named in the suit, has asked the judge to declare a mistrial, saying
that news of Apple's settlement was prejudicial.  The judge has rejected that
motion.  IBM says it does not intend to settle.  (Tampa Tribune, 28 Feb 1995,
B&F1)

------------------------------

Date: Fri, 3 Mar 1995 16:44:13 -0500
From: E-D-U-P-A-G-E
Subject: Apple Settlement Due to Lawyer Error (Edupage, 2 Mar 1995)

Apple Computer's recent move to settle the repetitive stress injury lawsuit
brought by a former high school secretary in Minnesota was prompted by "errors"
its law firm, Saperston & Day, made in not turning over some documents before
the trial.  The judge had threatened to declare a mistrial or impose sanctions
because of the oversight.  Saperston & Day will pay the settlement.  (Wall
Street Journal, 28 Feb 1995, B7)

------------------------------

Date: Thu, 23 Feb 1995 20:35:30 -0500
From: info@ivory.educom.edu (Edupage)
Subject: More Security Problems on the Internet (Edupage, 23 Feb 1995)

The Computer Emergency Response Team has issued a public warning on a
vulnerability in some 20 commonly used e-mail programs that run on Unix
operating systems.  The advisory said the latest discovery could allow a hacker
to "read any file on the system, overwrite or destroy files."
The ultimate solution to these recurrent security problems, says Purdue
University professor Eugene Spafford, is for consumers to demand better
security features from software manufacturers.  In the absence of improved
software, "are we going to continue seeing problems?  You bet."  (Wall Street
Journal, 23 Feb 1995, B8)

------------------------------

Date: Tue, 28 Feb 1995 20:09:58 -0500
From: info@ivory.educom.edu (Edupage)
Subject: Encryption Lawsuit Filed in California (Edupage, 28 Feb 1995)

A graduate student at the University of California at Berkeley has filed a
lawsuit against the federal government, charging it with unfairly limiting his
ability to discuss his research on encryption software.  The plaintiff
developed an equation for encrypting information, and wishes to publish a paper
on his work, as well as software based on his equation.  He would also like to
discuss his findings at professional meetings.  The federal government's
export-control laws restrict the publication of cryptographic software and
documentation.  The Electronic Frontier Foundation is handling the plaintiff's
case.  (Chronicle of Higher Education 3/3/95 A19)

------------------------------

Date: [date lost, on or just after 8 Feb 1985]
From: info@ivory.educom.edu (Edupage)
Subject: Anti-Cyberporn [Exon] Bill Introduced

Sen. James Exon (D-Neb.) has introduced legislation calling for two-year prison
terms for anyone convicted of sending obscene or harassing e-mail.  Commercial
providers have protested, noting their service is more like a telephone
company, which is not held responsible for the conversations carried over its
conduits, but Exon remains unmoved: "If I were against this, if I didn't want
to be bothered with it, if I felt it might complicate my ability to make money
on the superhighway, that's the argument I would make."  Meanwhile the Center
for Democracy and Technology is pushing for more sophisticated filters that
users could customize to block specific types of messages.
"You could have the Pat Robertson rating system, the Motion Picture rating
system, the Playboy rating system," says the Center's founder.  (*Wall Street
Journal*, 8 Feb 1995, p. B6)

------------------------------

Date: 25 Feb 95 08:58:45 EST
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: Home Gambling Network

The Washington Post (95.02.24, p. C1) has an interesting story on virtual
gambling:

  The Home Gambling Network: It's Illegal, Maybe Immoral, but Is the
  Cyberspace Casino a Good Bet?
  by Richard Leiby, Washington Post Staff Writer

  NEW YORK--Surrounded by a sea of techno-suits discussing the future of
  media convergence in a bidirectional world of system-neutral platforms,
  the guy with the shaved head and black leather jacket had to smirk.
  "What's funny to me," John Bates said, "is how tremendously clueless most
  of these people are."

The author makes the following key points:

* Gambling in the U.S. is a $400 billion industry.

* A hundred people paid U$595 to attend a one-day conference in NYC entitled,
  "Interactive Gaming: What's the Payoff?"

* Thirty-one-year-old Bates is "on-line service director" for the Virtual
  Vegas company, which is proposing "cyberspace casinos where real and
  computer-generated players interact in 3-D."

* US federal law currently makes betting across interstate borders using
  telecommunications illegal.

* In practice, gamblers have been making off-shore bets on U.S. sports events
  over the phone using their bank credit cards.

* The prospect of unlimited access to credit cards for gambling alarms some
  observers of addicted gamblers: "Give some people a credit-card-reading
  device with a keypad hooked into their phones or home computers--models of
  which were exhibited at the conference--and you're bound to have suckers
  blowing their life savings.  And minors will find a way to log on to
  parental accounts."
* In Quebec, an interactive TV show lets people order up to C$15 (~U$11) of
  tickets a week (the limit is spelled out in legislation).

* The UBI (Universal Bidirectional Interactive) Consortium based in Montreal
  is working on a consumer-oriented electronic network which will include
  gambling services.

* Some observers predict "a family-values backlash" against such
  computer-mediated gambling.

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn
(Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)

------------------------------

Date: Wed, 1 Mar 1995 13:08:23 -0500
From: pcw@access.digex.com (Peter Wayner)
Subject: Losing your Marbles and your Barings

The story of the young trader who brought down Barings Bank captivates me as
much as it captivates the headline writers at the NY Post.  James Glassman
wrote in the Washington Post (March 1, 95), "I don't mean to paint him as a
romantic hero, but he has reminded us-- in this age of huge financial
institutions guided by high-speed computers-- that one little guy can still
move the world."

RISKS readers, though, should be intrigued because I suspect that deep below
all of this may be an intriguing datapoint on the value of anonymity in the
modern, electronic marketplace.  The Osaka Exchange publishes a weekly digest
of the position.  The Financial Times quoted someone saying, "everyone knew of
the trades" and "no one could quite understand what Barings was doing with that
sort of position."  This fact leads me to have some fun speculating on what
happened.

The futures and options markets are quite different from the stock market.
Whenever someone loses a dollar, then someone else makes it.  Value just
doesn't evaporate into smoke like it does on the stock market when everyone
decides a stock isn't worth it anymore.  So every dollar that Barings lost was
gained by someone else.

What does this have to do with anonymity?  Everything.
There aren't many people playing at these levels in the market so people can
gang up on one another.  It's much like games of bridge or hearts where
everyone can work together to stiff one player who might be in the lead.  If
everyone knew that Barings was so deeply in the hole, they knew that it might
not take much to push Barings into bankruptcy.  Just a bit more selling in
Tokyo and whammo, the firm is theirs at a huge selling price.  No need to
negotiate payment terms or other factors.  If the firm doesn't have enough
assets, the futures exchange might make up the difference from an insurance
fund.

The strategy that might have been in play was similar to the one that led to
the table stakes rule in poker.  The rule limits bets to the smallest pot still
in the hand.  This prevents the richest player from winning every hand by
merely outbidding everyone.  Don't play poker against Bill Gates without it.
(If you want to see what it could do to a marriage, check out the film
"Honeymoon in Vegas.")  There is no such rule in these markets and Barings
should have known better than to expose themselves to this risk.  I suspect,
though, that they might have been much safer if their action was kept
anonymous.

Of course this theory is just a theory.  As Glassman would like to believe that
a little guy can still move the world, I want to believe that large cabals can
gang up on the little guy.

------------------------------

Date: Wed, 1 Mar 1995 11:23:59 +0000
From: Brian.Randell@newcastle.ac.uk (Brian Randell)
Subject: UK National Audit Office report on computer misuse in government

[Source: COMPUTER HACKING AND THEFT RIFE IN WHITEHALL, by CHRIS BLACKHURST,
Westminster Correspondent, The Independent, 1 Mar 1995.]

Hacking into Whitehall computers soared last year, with a 140 percent rise in
the number of reported incidents.
An investigation by the National Audit Office, the public finance watchdog,
found that Government departments reported 655 hacking incidents last year, of
which 111 were successful.  Most hackers were internal staff exceeding their
authority to obtain unauthorised information to leak to outsiders, and got oral
or written warnings.  Twelve percent of cases ended in legal action.

The report includes these items:

- Civil servants and outsiders conspired to defraud a Government department of
  (pounds sterling) 1.5m.  Police are investigating and eight arrests have been
  made.

- A civil servant obtained personal details of colleagues to blackmail them.

- A Government official obtained the private address of a married couple,
  possibly to assist in the kidnapping of the wife.

- Two staff members were prosecuted and fined (pounds sterling) 3,750 after
  leaking computer data.

Government computers are also increasingly prone to viruses and programmes
designed to harm data and other software.  Last year, Government departments
and agencies reported a 350 percent rise in virus incidents, to 562.  Over half
of these cases, NAO points out, were detected by anti-virus scanning software.

Two outbreaks were labelled "significant" by the NAO:

- Thirty-eight viral infections were traced to one PC hard disk, loaded with
  pirated computer games.  Civil servants had been exchanging games by floppy
  disks or through e-mail.  The viruses were the games manufacturer's own
  anti-bootlegging devices.

- Four PCs in a Government typing pool had been infected with a virus which
  took two days to eradicate.

If hacking and viruses were not bad enough, theft, reports the NAO, "continues
to be a major problem, with portable computers, printers and laptop computers
being the main targets."  There were 433 reported incidents of theft of
Government computer equipment last year, a rise of 60 percent.  In all,
equipment costing (pounds sterling) 1.2m was taken.
This included two break-ins to the same office within three months and the loss
of equipment worth (pounds sterling) 102,000.  The thieves, who have not been
caught, were thought to have been "stealing to order."  Likewise, the culprits
behind the theft of 11 PCs and other hardware, worth (pounds sterling) 55,000,
have not been found.

In one of the more bizarre incidents, somebody went to the trouble of taking a
computer desk from a room and replacing it with an old one.  The locked drawers
of the desk were broken into, and information, mostly concerning the personal
details of 300 staff, was scattered about.

The report also noted that The National Computing Centre's 1994 IT Security
Breaches Survey, covering a cross-section of industry and commerce, found that
25 percent of businesses had suffered theft of computer equipment in the
previous two years.

[The National Audit Office has considerable political influence here in the UK,
so it will be interesting to see what follows from this report.  BR

Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne,
NE1 7RU, UK  EMAIL = Brian.Randell@newcastle.ac.uk  PHONE = +44 191 222 7923]

  [A corresponding article in The Times was reported by Timothy J. Hunt,
  Institute of Cancer Research, Royal Marsden NHS Trust, Downs Road, Sutton,
  Surrey UK SM2 5PT  +44 (0)181 642 6011 x3312  Timothy@icr.ac.uk .  PGN]

------------------------------

Date: Sat, 25 Feb 1995 14:28:09 +0000
From: cockeril@europa.lif.icnet.uk (Matt Cockerill)
Subject: Re: Perfect (?) Office Bug ... (Whittle, RISKS-16.85)

> In other words, tell them not to hit the power switch until they see C:\.

Surely this relates to the previous RISKS discussion on power switches, and
Apple's deliberations on how best to implement them.  As Apple has realised, a
few dollars spent on a software controllable power switch largely solves the
problem.
Surely this is better than blaming users for their entirely natural impatience
with a machine which demands that they wait while it closes itself down, before
they are "allowed" to switch it off.

One of the major risks of the use of computers is that we end up with computers
controlling people rather than vice versa.

Matthew Cockerill                                     Tel:[44] 171 269 3877
Imperial Cancer Research Fund (Cell Cycle Group)      Fax:[44] 171 269 3801

------------------------------

Date: Sat, 25 Feb 1995 16:46:52 -0500
From: Elizabeth Schwartz
Subject: Blaming the victim for money stolen with lost ATM card

In this case, it was stated here that there was supposed to be a limit on the
amount of money that the ATM card could withdraw, but an error in the bank's
computer allowed the thieves to steal $346,770.  The victim had left her ATM
card, with the PIN number on it, in or near the ATM machine.

It makes sense to me that the victim should be responsible for her own losses,
to the limit of the card, since she gave away the number.  (I wonder, would I
feel differently if she had been robbed and the PIN number found hidden in her
belongings?)  She should not be responsible for more than the limit.  The bank
gave her the card and told her it was good for up to $50 or $300 or whatever;
the bank should be responsible if an error on their part allowed more than this
to be taken.

I wonder if any personal theft insurance policies cover losses from ATM cards?

------------------------------

Date: Thu, 2 Mar 95 9:15:10 PST
From: Judith Seeger
Subject: Sick Medicare Scanner

San Jose Mercury News' Action Line section, 15 Feb 1995:

SORRY, WRONG NUMBER

Q. In October 1993, I received a statement from Medicare that my wife had
medical attention in Healdsburg from a Dr. John Fries.  I notified Medicare
that this was incorrect.  Neither of us had ever been in Healdsburg.  Medicare
answered, thanking us.
The other day we received another letter from Medicare showing that Fries had
submitted another claim for treating my wife.  It appears someone is using my
wife's name and Medicare number to obtain care.  Or maybe the doctor is making
up these visits.  Could you check into it?  C.E.F., San Jose

A. No one is using your wife's Medicare number; nor is the claim submitted in a
fraudulent manner, says Claudette Ballard, office manager for Fries.  The last
time this happened and this time, too, Medicare's scanners misread one of
Fries' patients' Medicare number and picked up your wife's number.  Ballard
says the scanner is somehow reading the fifth digit in the number incorrectly
and billing the service as if your wife received it.  Ballard has contacted
Medicare again and was assured steps would be taken so it doesn't happen again.
She is writing you a letter to explain the problem in more detail.

------------------------------

Date: Sat, 25 Feb 1995 17:59:07 -0800
From: Phil Agre
Subject: Interstate Panopticon

The press is starting to notice some of the serious privacy problems with the
rapidly advancing proposals for "Intelligent Transportation Systems" in the
United States.  Here are a couple of relevant articles:

  Richard Simon, Camera gains more exposure as a device for traffic control,
  Los Angeles Times, 20 February 1995, pages B1 and B3.

This one is about the accelerating use of video cameras on roads in Southern
California.  In the near term they're mostly to identify the causes of traffic
jams.  But the Blue Line between Los Angeles and Long Beach will soon have
cameras to detect drivers who attempt to circumvent lowered gates to cross the
train tracks.  And although the state Office of Traffic Safety is concerned
about "a growing problem with commuters eating, reading, changing clothes,
brushing their teeth and generally paying less than full attention to the
road", it says it has no current plans to check up on these things with its
cameras.
The cameras, in case you're wondering, are in bulletproof containers.

Although some of the problems that state traffic officials have identified are
genuine, the real difficulty is in their basic philosophy for solving them.
Rather than collect information and circulate it in a decentralized fashion
that is useful to individual drivers and engineering crews without permitting
unlimited accumulation of information that identifies individual drivers, they
have set up a general-purpose centralized observation center in downtown Los
Angeles.  The slippery slope here is steep: as technologies of surveillance are
put in place, new applications will always be available that are only one short
step beyond what they've been used for so far.  I am generally skeptical about
visual metaphors for privacy problems, but this is one case where the
Panopticon offers a perfectly simple and straightforward model.

That's not so clear in another, much bigger and more consequential case:

  Don Phillips, Big Brother in the back seat?: The advent of the "intelligent
  highway" spurs a debate over privacy, Washington Post, 23 February 1995,
  page D10.

This article concerns the "privacy principles" being circulated by the
Intelligent Transportation Society of America, which is the industry group
coordinating the development of a national architecture for transportation
automation systems, including systems that track the locations of vehicles for
a range of purposes.  Although nobody in the United States is currently
proposing that the use of these technologies be made mandatory for drivers, it
is very likely that they will become unavoidable as a practical matter, since
they will probably be used to implement much more widespread roadway
toll-collection.  The most recent version of these principles that I have seen
is dated December 13th 1994, and they are in fact seriously problematic.
For example, they only place very loose restrictions on secondary uses of the
information by marketers, and they envision no restrictions on the powers of
access to ITS travel information that individual states can confer upon local
police.  You can retrieve a copy by sending a message that looks like this:

  To: rre-request@weber.ucsd.edu
  Subject: archive send its-privacy

Or you can look at them on WWW at:

  http://weber.ucsd.edu/~pagre/its-privacy.html

I will probably circulate another message about these principles soon.

The Phillips article notes that many people are concerned about law enforcement
uses of ITS information; ITS America feels that such use is inevitable and
simply wishes the public to be informed of this fact -- they wish to focus on
knowing "what the rules are" rather than on actual privacy.  The tragedy is
that it is completely unnecessary for these systems to collect information that
identifies individuals.  Profound violations of individual privacy are not the
price of progress.  Rather, they are the price of using old-fashioned
technology, neglecting innovations such as public-key cryptography and digital
cash that protect privacy without sacrificing functionality.

Phil Agre, UCSD

------------------------------

Date: Tue, 28 Feb 1995 12:40:09 EST
From: "Rob Slade, Social Convener to the Net"
Subject: Risks of living on the left side of the continent

Memoirs of a (coastal) virus researcher

Some people may not be aware that, by disconnecting the modem and attaching a
device known as a "telephone", communications circuits may be used for voice
communications.  Unfortunately, unlike email, "telephone" calls must be
synchronous (or, more correctly, bisynchronous) in that both parties must be
active on the circuit at the same time.  With the rise in modern communications
technologies, scenes like the following are becoming more common:

RRING RRING

RMS: Hello?
DFP: Hi!  I'm looking for, ummm, Robert Slade?
RMS: Speaking.
DFP: Oh, good.
     My name's _____ ____ and I'm with the Detroit Free Press.  I've got a
     copy of your book, and I thought we could do a story on this computer
     virus situation.
RMS: Uh huh.
DFP: I read most of it, and I liked it, but I've got a few ... sa-a-a-y.
     Isn't Vancouver on the *West* Coast?
RMS: Usually.
DFP: Oh, gee, I'm really sorry.  See, we're three hours ahead, and ... gee,
     should I call back later?
RMS: No, that's OK, I had to get up and answer the phone anyway.
DFP (puzzled): Oh, really?  Why's that?
RMS: It was ringing.

I love reporters.  They always get the straight lines right.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

Date: 6 February 1995 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  U.S. users
on .mil or .gov domains should contact (Dennis Rears ).  UK subscribers please
contact .  Local redistribution services are provided at many other sites as
well.  Check FIRST with your local system or netnews wizards.  If that does not
work, THEN please send requests to (which is not yet automated).
  SUBJECT: SUBSCRIBE or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to
  which RISKS is sent]

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject:
line, otherwise they may be ignored.
Must be relevant, sound, in good taste, objective, cogent, coherent, concise,
and nonrepetitious.  Diversity is welcome, but not personal attacks.  PLEASE DO
NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them.  Contributions will
not be ACKed; the load is too great.  **PLEASE** include your name & legitimate
Internet FROM: address, especially from .UUCP and .BITNET folks.  Anonymized
mail is not accepted.  ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL
DISCLAIMERS APPLY.  Relevant contributions may appear in the RISKS section of
regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state
otherwise.  All other reuses of RISKS material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy, publications
using RISKS material should obtain permission from the contributors.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
Individual issues can be accessed using a URL of the form
http://catless.ncl.ac.uk/Risks/VL.IS.html
(Please report any format errors to Lindsay.Marshall@newcastle.ac.uk)

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>YourName<CR>cd risks<CR>
or cwd risks, depending on your particular FTP.  Issue J of volume 16 is in
that directory: "get risks-16.J<CR>".  For issues of earlier volumes,
"get I/risks-I.J<CR>" (where I=1 to 15, J always TWO digits) for Vol I Issue j.
Vol I summaries in J=00, in both main directory and I subdirectory; "bye<CR>"
I and J are dummy variables here.  REMEMBER, Unix is case sensitive; file names
are lower-case only.  <CR>=CarriageReturn; UNIX.SRI.COM = [128.18.30.66]; FTPs
may differ; Unix prompts for username and password.  Also ftp
bitftp@pucc.Princeton.EDU.  WAIS repository exists at server.wais.com
[192.216.46.98], with DB=RISK (E-mail info@wais.com for info) or visit the web
wais URL http://www.wais.com/ .  Management Analytics Searcher Services (1st
item) under http://all.net:8080/ also contains RISKS search services, courtesy
of Fred Cohen.  Use wisely.
------------------------------

End of RISKS-FORUM Digest 16.86
************************