RISKS-LIST: RISKS-FORUM Digest  Friday 7 October 1988  Volume 7 : Issue 62

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Re: Assault on Privacy (Anthony G. Atkielski)
  Interesting article in PCW (Hugh Davies)
  Bridge over troubled pseudo-random generation (PGN)
  Reach Out and Touch Someone... for $650,000 (Henry Cox)
  Computer Security and Voice Mail ... $150,000 (Davis)
  Re: Risks of Cellular Phones (Wes Plouff)
  Self-correcting (obliterating?) time (Jeffrey R Kell)
  Risks in ATMs, Parking, Power outages (Steve Philipson)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Fri, 7 Oct 88 15:38 MST
From: "Anthony G. Atkielski"
Subject: Re: Assault on Privacy (Arthur Miller's speech, via Barry C. Nelson)

Seriously, many of the concerns Mr. Miller voiced in his speech have already been addressed outside the United States. Specifically, France has had legislation regulating the establishment and operation of virtually all databases containing sensitive information about specific individuals for over ten years.

French Public Law 78-17 of January 6, 1978 established a Commission on Freedom and Computers and set forth requirements to be met by any organization wishing to collect and process "personal" information, i.e., information that can be linked to specific individuals.
The Commission is a relatively autonomous organization charged with tracking the establishment and operation of databases containing "personal" information throughout France. Its members are selected from both the public and private sector.

Some provisions of this legislation address certain of Mr. Miller's concerns specifically, for example:

> YOU can't get a copy of these records. There is no law which forces
> private agencies to tell YOU what they know in most cases.

In France, Public Law 78-17 requires that most organizations maintaining databases containing personal information declare the existence and purpose of these databases to the Commission on Freedom and Computers. These declarations are a matter of public record. These organizations MUST provide an individual with a copy of any information they may have on him (except for medical records, which must be requested through a licensed physician) on demand, and they must provide the name and location of an agent through whom such requests may be submitted in their declaration to the Commission.

> Data is a lot like humans. It is born. Matures. Gets married to other
> data, divorced. Gets old. One thing that it doesn't do is die. It has
> to be killed.

The French legislation requires that expiration periods for various classes of data be specified in the declaration to the Commission. The organization submitting the declaration must observe the expiration periods it declares.

> Only the information which is necessary for the job at hand should be
> collected.

Law 78-17 restricts the use of information concerning religious beliefs, lifestyles, political beliefs, race, union membership, and legal records (arrests, etc.) to organizations with a bona fide business interest in this information (e.g., political parties, churches, unions, police departments).

> People should have access to the data which you have about them. There
> should be a process for them to challenge any inaccuracies.

As already mentioned, this mechanism exists in France. An individual may force organizations to correct or update any information they may have on him. They are also obligated to correct and update information on their own initiative as they become aware of inaccuracies.

> There should be more control on the eventual uses of data which was
> supplied for some business at hand, but has been sent elsewhere "upon
> request"

Organizations must describe exactly with whom and under what conditions they will share the information they have gathered in their declarations to the Commission. They must also propagate corrections and updates to these third parties as they become necessary.

Public Law 78-17 requires that the following information be made available to the public for any organization collecting and processing personal data:

 -- the identity of the organization
 -- the types of data being collected, their sources, the periods of their retention, and the identities of any organizations or individuals to whom the data might be communicated
 -- the purpose to which the collected data is to be put
 -- the agent through whom an individual may exercise his "right of access" to data collected by this organization concerning himself
 -- the categories of persons who might for any reason have direct access to the data
 -- the relationships defined between the various data collected for a given individual
 -- the types of security measures taken to ensure the confidentiality of the data
 -- the manner in which the data are communicated to organizations or individuals outside France, if applicable

All individuals have the right to oppose the collection of personal data concerning themselves, except when such collection is required by government agencies. This implies that they may insist that, say, a credit bureau erase all information concerning themselves from its database.
When personal information is collected from a person, that person is entitled to the following information:

 -- whether or not the information requested is required or optional
 -- what will happen if they refuse to provide the information
 -- the persons or organizations to which the information will be communicated
 -- the fact that they are entitled to inspect and correct the information being collected ("right of access")

This part at least resembles the U.S. Privacy Act of 1974.

The French legislation also provides penalties for those who fail to heed the law. Organizations collecting data without filing a declaration may be subject to a $31,000 fine and a three-year prison term (the prison term would apply to the individual(s) responsible for the violation). Collecting information forbidden by the law (religious affiliation, etc.) is punishable by a $310,000 fine and five years in jail. Revealing confidential information to unauthorized persons is punishable by a $3100 fine, plus six months in jail if the act was deliberate (as opposed to being the result of carelessness or negligence). Finally, a $310,000 fine and five years in prison awaits anyone who deliberately uses personal information for a purpose other than the purpose declared to the Commission.

As far as I know, no legislation in the U.S. even comes close to this; if there is any such legislation, it is being ignored. Maybe it's time we enacted something similar here in the U.S.

Anthony Atkielski, Honeywell Bull Inc., Phoenix, AZ, U.S.A.

------------------------------

Date: 7 Oct 88 03:54:25 PDT (Friday)
From: "hugh_davies.WGC1RX"@Xerox.COM
Subject: Interesting article in PCW

The current edition of Personal Computer World (October) has a long and interesting article on the application of the Data Protection Act, by Duncan Campbell. ('On and Off the Record', P146).
I have no intention of keying the article in as it is several thousand words, but in essence it states that the application of the DPA is effectively being sidestepped by Government Departments, and that the Data Protection Registrar is toothless, underfunded and overwhelmed with pointless paperwork.

Campbell, who has been a thorn in the side of Government secrecy for some years, attempted to get a copy of his records on the PNC (Police National Computer). He was at first unable to locate a copy of the Data Protection Register, which lists all the registered computer systems in the UK. There is supposed to be a copy in every Public Library, but most had never heard of it. When he finally located a copy, the Librarian was reluctant to let him look at it. Once he had found out which systems the PNC have, he then couldn't find out who to write to. The DPR said write to the Data Protection Officer at the PNC, but no-one ever replied. Finally he tried several local police stations, but most denied knowing anything about it. Once a police station accepted the query, they gave him a form to fill in which asked several irrelevant and personal questions.

Finally, he got a reply from the PNC, 40 days after putting in the query (the legal maximum time allowed). The DPA allows for a charge of #10 for each query on each system; he queried each of the 5 systems running at the PNC and was charged #50. He was refunded #10 because the PNC said that they could not be bothered to inspect one of the files, because "there won't be anything on it".

This whole shambles would appear to be mainly designed to deter anybody from attempting to use the DPA to enquire on Government (or indeed, any other) computer systems. Campbell concludes that the DPA is a complete failure, and after reading the article I agree with him.

Also, some more interesting information on the PNC has recently come to light.
The British Government is busily (and fairly quietly) installing a system to connect all the computer systems belonging to such organisations as the Inland Revenue, Department of Health and Social Security and the Driver and Vehicle Licensing Centre. This system is called the Government Data Network, or GDN for short. Virtually no information has been forthcoming about this system. It has been denied that the Police National Computer is to be part of this network, but it has recently become clear that this is not the case. The reason being that the present PNC is indeed not to be connected to the GDN. However, the soon to be installed upgrade to the PNC, being imaginatively called 'PNC2' *IS* to be connected to the GDN.

Hugh Davies, Computer Consultant, St.Albans, England.

The opinions expressed herein are mine, not those of my current, or any past, employer or client.

------------------------------

Date: Fri, 7 Oct 1988 14:42:30 PDT
From: Peter Neumann
Subject: Bridge over troubled pseudo-random generation

Computers are now being used for all sorts of purposes for which people formerly did the same job. A case at hand deals with the game of bridge, in which shuffling for tournament matches is now done by computer. Alan Truscott's column in the Sunday New York Times (2 October 1988) relates that during the team-of-four matches the players sensed that the hands were strangely familiar. The American Chip player Martel "eventually solved the problem: All the deals corresponded to those most of the players had encountered in the open pairs final four days earlier, but with a suit rotation -- spades had become hearts, hearts diamonds and so on. The computer program that generated the deals for both events was suffering from a flaw in its random generator." (The bridge rules state that a deal previously played must be null and void. Apparently that rule was extended on the spot to include suit transformations.)

[Thanks to Paul Abrahams for this one.
Now that he is no longer President of the ACM, I presume he has a little more spare time to keep an eye out for us on computer related bridge risks. PGN]

------------------------------

Date: Fri, 7 Oct 88 09:00:08 edt
From: Henry Cox
Subject: Reach Out and Touch Someone...

TEENS RUN UP TELEPHONE BILL OF $650 000
[From the Montreal Gazette, 7 October 1988]

LAS VEGAS (AP) - Ten teenage hackers may have run up $650 000 in telephone calls by tricking phone company computers, and their parents could be liable for the tab, authorities said.

"They reached out, all right," assistant U.S. Attorney Russel Mayer said of the hackers, nine 14-year-olds and one 17-year-old. "They reached out and touched the world."

Tom Spurlock, resident agent in charge of the Las Vegas Secret Service office, said the teenagers engaged in "blue boxing," a technique that enabled them to talk to fellow hackers throughout Europe.

"They were calling numbers that were in the ATT system, and their (computer) programs would allow them to `jump' ATT's circuits, allowing them to call anywhere in the world."

The expensive shenanigans came to light when local phone company officials discovered unusual activity on nine Las Vegas phone lines, Spurlock said. He said federal agents obtained warrants and searched the nine homes. The teenagers weren't taken into custody or charged, but their computers were seized.

Henry Cox

------------------------------

Date: Fri, 07 Oct 88 13:35:03 -0400
From: davis@community-chest.mitre.org
Subject: Computer Security and Voice Mail

From the Oct 6 Washington Post. From a news item "Hackers Find New Way to Tap Long-Distance Phone Lines".

Zotos International Co. received two consecutive $75,000 phone bills, due to use of their automated answering system by hackers. Zotos' switchboard automatically routes incoming calls to the proper department. Hackers found a way to circumvent the system to place outgoing long-distance calls, in some cases to Pakistan and Senegal.
In this case the calls were traced to Pakistani businesses in New York. However, police officials told Zotos that they must catch the hackers in the act in order to prosecute. The telephone company informed Zotos' management to pay the bills, and collect from the suspected hackers via the civil courts.

In the same article, a related Los Angeles case of misuse of an electronic switchboard system by outsiders described 'capture' of 200 of a company's password-secured voice mail accounts. Outsiders, in this case a dope ring and a prostitution ring, gained access by guessing the 4-digit passwords and changing them. The hackers backed off only when 'Federal authorities' began tracing calls.

The article quotes security experts as recommending systems including several access codes. Also, major companies are adding software to detect changes in calling patterns.

------------------------------

Date: 6 Oct 88 09:45
From: plouff%nac.DEC@decwrl.dec.com (Wes Plouff)
Subject: Re: Risks of Cellular Phones

Recent writers to RISKS, starting with Chuck Weinstock in issue 7.57, have focused on the risk of vehicle location by cellular telephone systems. In my opinion, they exaggerate this risk and underestimate another risk of mobile phones, the complete lack of privacy in radio transmissions.

Roughly 10 years ago I designed vehicle location controller hardware and firmware used in the Washington-Baltimore cellular demonstration system. That system led directly to products sold at least through the first waves of cellular system construction a few years ago.

Since cellular base stations have intentionally limited geographic coverage, vehicle location is a requirement. This limitation is used to conserve radio channels; one cell's frequencies can be re-used by others far enough away in the same metropolitan area. The cell system must determine which cell a mobile user is located in when he begins a call, and when during a conversation a vehicle crosses from one cell into another.
Cells are set up perhaps 3 to 20 miles in diameter and range from circular to very irregular shapes. Cellular phone systems are designed with ample margins so that statistically very few calls will be lost or have degraded voice quality.

Making this system work does not require anything so fancy as triangulation. Vehicle location needs to be only good enough to keep signal quality acceptably high. John Gilmore explained in RISKS 7.58 how this works while the mobile phone is on-hook. During a conversation, the base station periodically measures the signal strength of an active mobile in its cell. When the signal strength goes below a threshold, adjacent cells measure the mobile's signal strength. This 'handoff trial' procedure requires no interaction with the mobile. If the mobile was stronger by some margin in an adjacent cell, both the mobile phone and the cellular exchange switch are ordered to switch to a channel and corresponding phone line in the new cell. Since base stations commonly use directional antennas to cover a full circle, mobiles could be reliably located in one third of the cell area at best. Distance-measuring techniques advocated by AT&T were not adopted because the added cost was too high for the modest performance gain.

Certainly a cellular phone system can locate a mobile at any time, and always locates a mobile during a conversation. But the information is not fine-grained enough to implement some of the schemes imagined by previous writers.

A more important risk is the risk of conversations being intercepted. The public airwaves are simply that: public. Scanner radios can easily be found or modified to cover the cellular band, and listeners will tolerate lower signal quality than cellular providers, hence one scanner can listen to cell base stations over a wide area. The communications privacy law is no shield because listeners are undetectable.
To bring this back to risks of computers, automated monitoring and recording of selected mobile phones is probably beyond the reach of the average computer hobbyist, but easily feasible for a commercial or government organization using no part of the infrastructure whatever, just the control messages available on the air.

Wes Plouff, Digital Equipment Corp, Littleton, Mass.
plouff%nac.dec@decwrl.dec.com

------------------------------

Date: Thu, 06 Oct 88 16:40:32 EDT
From: Jeffrey R Kell
Subject: Self-correcting (obliterating?) time

I just had a most aggravating experience with a time function which may be of interest (and this is NOT related to year change, daylight savings time, or any standard horror story). It is machine specific (HP-3000/950).

I have been converting our subroutine library from our old HP-3000 (written in SPL, an obscure systems language for that machine) into 'C' for the new one. One such routine returns the current date in the format we use as a standard database date. I was using ctime() and localtime() functions in the resulting C function. But upon testing, the function was returning a date and time several days and a few odd hours prior to the current date. Extensive testing and tracing revealed that ctime() was not returning the correct clock value; yet all other date references within the operating system were correct. Being more than confused, I placed a problem report.

The cause of the 'bug' was the ctime() library function queries the lowest level hardware clock, and could care less about the operating system clock. This 'feature' came about by porting the C library more or less literally from their Unix-based systems. Although we had set the 'clock' when the system was installed, MPE (the operating system) calculates an offset from the time you 'set' and the hardware clock value, and saves this to set the clock automatically after failures or power outages.

In summary, the hardware clock was never right.
MPE tried to correct for this by juggling offsets, thus hiding the real underlying problem. Finally the whole bizarre mess was uncovered by the C library. Needless to say, we have finally correctly set the hardware clock.

| Jeffrey R Kell, Dir Tech Services | UTC Postmaster/Listserv co-ord.   |
| Admin Computing, 117 Hunter Hall  | Bitnet: JEFF@UTCVM.BITNET         |
| Univ of Tennessee at Chattanooga  | JEFF%UTCVM.BITNET@CUNYVM.CUNY.EDU |

------------------------------

Date: Thu, 6 Oct 88 20:15:54 PDT
From: Steve Philipson
Subject: Risks in ATMs, Parking, Power outages

This past weekend I got to see/hear about three new RISKS in action.

A friend was in from out of town. She had an interesting story for me. It seems that a bank in New York has a great new feature for their ATM cards: if all you need is an account balance, you can go to a special ATM reserved for that purpose, insert your card, and get your balance immediately. In the interest of saving time, they've made it really simple ... you don't even have to enter your PID (personal I.D. number or password)!!! Veteran RISKS readers can see the folly in this. Of course, one of my friend's office co-workers had her wallet stolen. Inside was both her ATM card and a single blank check. The thief took the card to the ATM machine, found the balance, then made out the check for that amount. Determining liability in this case will be loads of fun.

Next, I drove my friend to San Francisco International Airport for her flight home. I parked in the central parking structure. On entry, you get a ticket from a machine. The ticket has the time stamped on it in ink, and also a magnetic stripe. The billing mechanism seemed obvious -- read the entry time off the stripe, compute time in the structure, and bill accordingly. It surprised me when the clerk at the exit asked for the correct amount BEFORE I handed him the ticket. Then I noticed that he was facing a TV monitor, and that my car's aft end was on the screen. I asked about the system.
It seems that they have another camera and operator enter your license plate number when you enter. They re-enter your plate number as you leave and find the elapsed time between those events. All your comings and goings are recorded. Ain't this a great one! Now big brother can keep track of your comings and goings at the airport. Right to privacy fans might consider public transport as a more private mode of transportation.

[RISKS has had reports before of people being charged for ten days when they parked on two consecutive weekends, and other related horrors. PGN]

Finally, I came into work on Sunday to catch up on a few things. I had mail! And what did it say? Here's the text, verbatim:

* * * * * * * * * * * * * * * * * * *

Hi folks. As of 6:13 today, we have completely lost power to N254, our main communications facility. A power transformer feeding that facility appears to have been destroyed (it's all black and burned on the outside, and smells really bad!). While that facility is on UPS, the UPS does not have generator back-up at this time, and as of an hour or so ago, the UPS batteries have been drained. I talked to the power people out there inspecting the transformer, and they said it will be out at least until tomorrow (Monday).

Now, this means all things that depend on N254 are out of service. These include:

  All external network access, BARRNET,MILNET,ARPANET,SPAN, etc...
  All X.25 access via Telenet.
  All ARCLAN access that is attached in the N254 ARCLAN hub, including NAS and N202.
    [ARCLAN is the Ames Research Center Local Area Net. SHP]
  All FTS service to other NASA facilities (at least for now).
    [FTS is the Federal Telephone System, our main long distance service. SHP]
  All PSCN activities, including TMIS, and ARCNET.

With luck, we'll be back in service as of Monday afternoon or so. The transformer cannot be repaired, so a replacement will have to be found. [FOUND??? No on site spares???
SHP] Hopefully, this will inspire people to get that generator back-up system funded...

* * * * * * * * * * * * * * * * * * *

There are lots of folks here at Ames who read RISKS, yet we still have a system with massive losses from failure at a single site. No NASA cracks -- I'll bet this situation is common. Those of you at other sites who are concerned about this kind of thing might show the above to your site managers. Best of luck.

Steve Philipson

------------------------------

End of RISKS-FORUM Digest 7.62
************************