RISKS-LIST: RISKS-FORUM Digest  Tuesday 8 November 1988  Volume 7 : Issue 72

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  The Worm/Virus -- and an Unlearned Lesson (PGN)
  Airline Reservation System Vulnerabilities (Rodney Hoffman)
  Computers in the oldest profession (Dave Horsfall)
  Auto Privacy (Dave Robinson)
  Computer science unencumbered by fears about cutting safety margins
    (Jeffrey Mogul)
  Re: Risks in Answering Machines (revisited) (Amos Shapir, Gordon Meyer,
    Bob Felderman, Greeny, William Curtiss)
  Re: CRT noise (Ed Ravin, Geoffrey Welsh)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
  get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
  Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Tue, 8 Nov 88 14:03:20 PST
From: Peter G. Neumann
Subject: The Worm/Virus -- and an Unlearned Lesson

There have been OVER 50 MESSAGES to RISKS since last evening, and over a hundred backlogged since Friday. Bear with me. I'll get to them. I am only human, although I try to be that as well as I can. Things have been fairly hectic here.

Not surprisingly, most of the pending messages deal with the RTM worm/virus discussion, which continues with healthy discussion on propriety, morality, ethics, prosecution, judgement, compensation, penance, etc. The messages are vastly too repetitive to include fully, and range wildly all over the map -- from "string him up" to "let's learn the lessons he has offered for us."
The discussion is indeed very worthwhile, but needs significant editing to make it palatable to our usually discriminating audience. Thus, I thought it might be nice to have an issue on other subjects while I am trying to get the worm material together. Here is a potpourri of backlog.

By the way, something approaching a hundred copies of RISKS-7.69 -- which have been queued since Friday -- are still waiting on my system for the recipient systems to accept delivery. (RISKS-7.70 and 71 also.) I assume many sites are STILL off the (ARPA|MIL) net. Worse yet, we had need today to poke at a UNIX system that claims to be up on the ARPANET but was rejecting mail. SMTP showed the system working. But, guess what? The DEBUG option still works fine on that system! I wonder how many other system administrators have still not learned anything yet.

------------------------------

Date: 4 Nov 88 12:33:11 PST (Friday)
From: Rodney Hoffman
Subject: Airline Reservation System Vulnerabilities

Today's "Wall Street Journal" carries a story about American Airlines suing a Tulsa, OK woman and her father who have credit for more than 50 million miles in American's frequent flier program. The airline alleges that they and unknown co-conspirators stole the mileage by breaking into American's computer reservations system. They have also been indicted by a federal grand jury for wire fraud in the alleged scheme.

The woman is an independent employee of a travel agency. She is accused of shifting miles from actual travelers who were not part of American Airlines' frequent flier program into fake frequent flier accounts, then redeeming them for tickets and selling those.

But the story concludes with some more general worries:

   The allegations raise some troubling questions about access to airline computer systems. Such systems contain a wealth of information not only about frequent-flier trips, but also about the confidential travel plans of hundreds of companies. And yet any employee at any travel agency can normally log into the agency's system and see any trips the agency has booked. "It's just too easy to get into these systems," says John Caldwell, a travel attorney in Washington, D.C. "I think this is going to become an increasingly sensitive issue."

------------------------------

Date: Wed, 2 Nov 88 13:14:59 est
From: Dave Horsfall
Subject: Computers in the oldest profession

From the "Backbytes" page in Computing Australia, 31st Oct 88:

``Where the Gigabyte meets garter belt

As computer and related industry manufacturers scout for new niche markets, they could do worse than consider the world's oldest profession. In recent months, US cops have busted several large prostitution rings -- all heavily dependent on microcomputer support. The databases held such priceless information as clients' names and addresses, billing methods, preferred frolics and the names of who did what best. And to whom.

How the new technocrats had missed the lucrative sales possibilities to this service industry is hard to fathom, as one recently raided establishment of easy virtue was in San Jose, in the heart of California's Silicon Valley. In its computer's ledger were the names of more than 50,000 customers. Obviously, a considerable horizontal market worth the attention of a lateral-thinking, but discreet, sales go-getter.''

------------------------------

Date: Fri, 4 Nov 88 01:43:49 PST
From: robinson%osi.DEC@decwrl.dec.com (DAVE ROBINSON DTN:830-6498 REO2-G/C2)
Subject: Auto Privacy

In recent issues of RISKS there has been concern voiced over the ability to trace the location of a car from its car phone. Last night, on BBC's TOP GEAR programme, a device deliberately designed to locate cars was described. Essentially, it is a navigational aid designed to take into account traffic congestion. You tell the device your intended destination and it determines the best route.
On the way, it tells you when to turn right or left, both on a dashboard indicator and by a synthesised voice. So far, nothing particularly revolutionary.

The route selected takes into account the traffic congestion on various roads. To determine this, there are many sensors across a town. When you pass one of these sensors, the device in your car sends a message to it. Each sensor is connected to a central computer. This records the time taken to travel from one sensor to another to judge the current congestion along the route. However, the side effect is that the central computer knows your location and route through a city. This loss of privacy would be even greater should the scheme be extended to cover not only the individual cities but also the interconnecting motorways and side roads.

At present, the scheme is only in prototype. It is being developed at the Government's Road Research Laboratories. However, it does indicate the sort of devices we may be getting in the future.

To the best of my knowledge, Digital Equipment Co. has no involvement in the project. Hence the usual disclaimers apply.

Dave Robinson

------------------------------

Date: 2 Nov 1988 1742-PST (Wednesday)
From: mogul@decwrl.dec.com (Jeffrey Mogul)
Subject: computer science unencumbered by fears about cutting safety margins

I had to spend a few hours at the British Airways terminal at Heathrow last week, and to help kill time I picked up a copy of the October 1988 issue of a free magazine called "Airport". The cover story is "Fighting for the Freedom of the Skies: In Europe ...", and covers the European experiences with their version of airline deregulation. Apparently, the fragmented and uncoordinated nature of European Air Traffic Control is causing chaos (my own flight was delayed by ATC for 45 minutes, and our pilot told us as we left that flights requesting clearance at that time were being told to wait for 90 minutes).
The final two paragraphs of the article made me chuckle (nervously):

   Aviation Scientists in Britain, the US, France and West Germany are now working on a data-exchange system which would reduce or even eliminate the human element in air traffic control and in airport approach, landing and take-off-slot technique. [so far, so good] Machine-talking-to-machine would enable the system to improve perhaps five-fold, because the precise nature of computer science is unencumbered by fears about cutting safety margins too finely.

   A cold dish of comfort, perhaps; one which will not be available until well after 2005. And anyway, nobody knows yet how much such a system will cost. But we all know who's going to pay for it, don't we?

The syntax of the first sentence is a little confusing, but I think the author believes that once things are computerized there will be no need for safety margins. Computerization might well reduce the need for safety margins, but this has little to do with how precise computer science is (or is alleged to be).

------------------------------

Date: 2 Nov 88 13:16:44 GMT
From: amos@taux02.UUCP (Amos Shapir)
Subject: Re: Risks in Answering Machines (revisited) (RISKS DIGEST 7.68)

Andy-Krazy-Glew writes:
> (3) Have there been any incidents of remote sabotage of answering machines,
> or, worse, criminal interception of messages, or bugging, as I describe
> above?

During the latest election campaign here, one of the major parties set up several answering machines for political messages, e.g. "if you want to know why you should vote for us, dial 555-1234". They were very surprised when they found out that the messages had been changed (not in their favor, of course). The machines were rented from a company that lets users have only a phone number to call and an access code; so the only way such messages may have been altered is by remote control.

Amos Shapir, National Semiconductor (Israel)
P.O.B. 3007, Herzlia 46104, Israel

------------------------------

Date: Wed, 02 Nov 88 12:38 CST
From: Gordon Meyer
Subject: re: risks in answering machines (revisited)

Andy Glew expresses some concerns about the security of telephone answering machines. I too have these concerns, and have had some problems along these lines with my answering machine at home.

It is an older Cobra model. Manufactured in about 1982, it offers remote message retrieval with the use of a tone generating device. The remote control device is a pain to use...you have to carry it around with you, and past experiments have shown that tone units from other machines will work just as well as the one the company provides! A friend of mine had a similar machine, of another brand, and our remote controls worked interchangeably. Also, I did a little experimenting and found that I could activate both our machines by using a sweeping tone generated by my home computer.

About six months ago I had a problem with an unknown person calling my machine and listening to my messages. There was no way I could disable this option, but there is a switch that prevents outside callers from erasing the messages after listening to them. There is no option to change outgoing messages and the like, so that is not a concern with this machine. Luckily I have since moved and the new phone number has stopped these outside invasions of my privacy.

A back issue of 2600 Magazine had a short editorial on this subject. Their response to the uncaring attitude of the manufacturer was to call the company at night (the company was using their own machines to man the phones at night) and change the outgoing message to one warning others about the lack of security on the product.

Gordon R. Meyer, Dept of Sociology, Northern Illinois University.
------------------------------

Date: Mon, 31 Oct 88 18:38:24 PST
From: feldy@ats.ucla.edu (Bob Felderman)
Subject: Re: RISKS DIGEST 7.68 (Answering machines)

The Cobra AN-8500 allows ONLY remote listening to messages and has a switch on the machine which determines whether msgs will be erased after being heard remotely. Unfortunately, the code for remote listening is one (1) factory preset digit.

Bob Felderman
feldy@cs.ucla.edu
UCLA Computer Science
...!{rutgers,ucbvax}!cs.ucla.edu!feldy

------------------------------

Date: Mon 07 Nov 1988 00:56 CDT
From: GREENY
Subject: re: Risks in Answering Machines (revisited)

> Are there any machines on the market.....

Well, the one that I have (mainly for cost reasons, since I'm just an undergrad) is a Phonemate. Basically, it answers the phone, plays my digitally recorded message, and takes the message.....then when I come home I can listen to them. About the only thing that it does remotely is answer the phone, and get my messages. Although it does allow one to turn it on (if it's accidentally left off) from a remote location by letting the phone ring 15 times or more (it will pick up and play the message to let you know that it is on.....).

After being on RISKS for a few years, I have realized that the convenience realized by a completely remote machine is not worth the risks. I suppose I could always go to voice mail, or hire a secretary if I needed one....

> Are there any machines out there w/o the remote erase....

What's the big deal? The machine *usually* has a cassette in it, and assuming that it won't do a remote rewind of the cassette after playback, all one would have to do to disable the erase circuit would be to install a small switch in series with the erase head....when you go out, flip it off; when you come back in and want to erase -- flip it on.

Getting a copy of the schematics would be helpful if possible so that you could disable the entire circuit, thereby preventing the thing from rewinding w/o erasing and then taping over the messages....perhaps a circuit that would prevent erasure during rewind (the way they usually work) so that you could play them back but not erase 'em (i.e. it wouldn't rewind or erase if you selected erase with the "switch" off....

Shouldn't be too much of a hassle if you are somewhat knowledgeable in electronics.....or if you aren't -- try to find a hungry student in electronics and offer PIZZA! :->

Greeny
Bitnet: miss026@ecncdc
Internet: miss026%ecncdc.bitnet@cunyvm.cuny.edu

Disclaimer: I ain't responsible for nothing you or anyone else does...so don't blame me....

------------------------------

Date: Wed, 2 Nov 88 14:03 EST
From: Curtiss@DOCKMASTER.ARPA
Subject: Re: Risks in Answering Machines

In RISKS 7.68, Andy "Krazy" Glew asks if there are any answering machines with redefinable passwords that are long enough for an acceptable level of security and if any have only non-destructive remote commands.

One possible solution is an "answering machine card" for a PC. Essentially, it is a complete telephone interface, capable of recognizing touch tones, recording and playing digitized speech (stored on a hard disk or floppy) and acting as a modem. A program is usually included with the board that makes it function as an answering machine. Since the full power of a complete computer is available, the user can create any kind of password scheme they desire, including multi-level menus for leaving messages for specific people. Also, the program can be modified to eliminate destructive remote commands and new functions can be added. They can even be set up to call people, delivering a pre-recorded message (a la computer cold calling). There are two such boards available, that I know of. Either can be had for about $250, not much more than a full featured, top-of-the-line dedicated machine.
I'm not quite sure that this is a good solution to the problem, though. Now we have a potentially expensive machine attached to the phone line. If you're worried about losses to messages on a dedicated tape, just think about the PC with one of these cards.

William Curtiss

------------------------------

Date: Thu, 3 Nov 88 15:42:07 EST
From: cmcl2!cucard!dasys1!eravin@harvard

> That noise is *very* nasty; there really ought to be emissions standards.
> Every low-cost computer I've ever worked with has been horribly annoying.
> IBM PC's with CGA cards (or EGA cards in CGA mode) were terrible offenders;
> even my Mac is fairly offensive.

I used to shudder when I heard an IBM PC go into EGA graphics mode. On my current job that happens ten or twenty times a day; I still don't like it but I'm used to it. I love using the Mac but do notice the noise: sometimes it helps on a lot of these monitors to hang a cloth or drape something soft behind the machine. When the monitor is backed against a solid wall the problem is usually worse. I also have noticed noise coming out of a couple of IBM AT clones' power supplies, though not at irritating frequencies.

> (High-resolution screens (noninterlaced, 640x480 and up) don't seem to
> have the problem, but they won't become common in cost-sensitive
> applications for quite a while.)

I don't agree with this. I think you just can't hear them anymore because they're using higher scan rates. My usually reliable intuition has steered me away from a Sun workstation with a 19" color screen. However, working with Unix PC's has really sensitized me to this stuff: when I was last abroad I had trouble being in the same room as a European TV set (625 scan lines), especially 25" models.

> How can we drum up some pressure to get OSHA to look into this?

Good question. I've never thought about it, but I sure would like to try. I suspect letters and phone calls to one's favorite senator or representative would be a start.
Might even be worth trying...

-- Ed Ravin
Reader bears responsibility for all opinions expressed in this article.

------------------------------

Date: Mon, 07 Nov 88 18:13:29 EST
From: Geoffrey Welsh
Subject: Ultrasonic emissions a real problem

In RISKS-7-68 eravin@dasys1.UUCP (Ed Ravin) writes:

>I've got my own story to tell about high frequency noises crawling out of
>computer related devices, and since I'm new to RISKS, my apologies if any
>or all of this has been discussed before.

I, too, am new to RISKS (drawn here by news of the ARPAnet worm), and I, too, share your earitability. (sorry!)

When I was much younger, I used to hear whistle sounds and I'd ask my parents what they were. They immediately took me to the doctor, who told them that I did *not* have an ear infection. They stopped only short of taking me to a neurologist to find out if something upstairs was shorting out.

>After that I began noticing the sounds made by all the other CRT's in my
>life. They were high pitched and slightly irritating, but not painful. I had
>always, even before meeting computers, noticed the 15kHz whine from a TV set,
>but it had never bothered me.

It didn't take me long to figure out that this was among the causes of the noise I was hearing. I have also heard sounds which are distinctly higher in pitch than a standard NTSC CRT (i.e. higher frequency than a 15,750 Hz flyback transformer). I am puzzled as to exactly what these are, as the only things I know of that operate around 16 KHz RF are LORAN-type devices and, to the best of my knowledge, I am near no such installations (e.g. the nearest sizable body of water is a long drive from here).

>Maybe my problem is that I never listened to loud rock music and my hearing
>above 15kHz is mostly intact.

Here's the kicker: I HAVE listened to loud rock music. I have worked in factories where a wide spectrum of loud noises assaults me for eight or twelve hours at a time (with occasional breaks), but my inability to hear these high frequencies clearly fades within an hour or so after I leave, leading me to believe that my decreased hearing sensitivity is more a muscle reaction in my ear than damage caused by the volume.

What, then, leads some of us to be sensitive to these frequencies to a fault and others to be completely unaware of them? Worse, how can we determine what levels are acceptable, given that some people are simply more sensitive than others? If indeed ultrasonic emissions are a cause of illness or other unacceptable consequences, it is vital that a study into the area be launched. Who knows; in a few years we may find our present CRTs replaced with ones that have a horizontal scan rate above 30 KHz to avoid this problem.

Geoffrey Welsh, 66 Mooregate Crescent, Suite 602, Kitchener, Ontario N2M 5E6 - CANADA

------------------------------

End of RISKS-FORUM Digest 7.72
************************
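Editorial addition, not part of the digest or of any contributor's post: a small Python model of the two answering-machine design points raised above, Felderman's one-digit factory-preset code with no lockout, and Curtiss's suggestion that a programmable machine can use a user-chosen password and drop destructive commands from the remote interface. The PIN values, command names, lockout threshold and message list are constructed for the illustration; touch-tone decoding is assumed to happen elsewhere and is not shown.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Remote commands a caller could issue by touch-tone (names are constructed).
PLAY = "play"                        # non-destructive: listen to messages
ERASE = "erase"                      # destructive: wipe the messages
CHANGE_GREETING = "change_greeting"  # destructive: alter the outgoing message

# Curtiss's point: on a programmable machine the remote command set can be
# trimmed.  Only PLAY is reachable over the phone line in this model; erasing
# and greeting changes require being at the machine.
REMOTE_ALLOWED = frozenset({PLAY})


def pin_policy_ok(pin: str, min_pin_length: int = 4) -> bool:
    """A PIN is acceptable if it is all digits and at least min_pin_length long.
    Felderman's single preset digit fails this under the default policy."""
    return pin.isdigit() and len(pin) >= min_pin_length


@dataclass
class AnsweringMachine:
    pin: str                          # user-chosen access code
    min_pin_length: int = 4           # policy floor on PIN length
    max_failures: Optional[int] = 3   # None models a machine with no lockout
    failures: int = field(default=0, init=False)
    locked: bool = field(default=False, init=False)
    messages: List[str] = field(default_factory=lambda: ["msg-1", "msg-2"])  # constructed

    def __post_init__(self) -> None:
        if not pin_policy_ok(self.pin, self.min_pin_length):
            raise ValueError("PIN must be at least %d digits" % self.min_pin_length)

    def authenticate(self, attempt: str) -> bool:
        """Constant-time compare of the caller's digits against the PIN.
        After max_failures consecutive misses the remote interface locks
        until someone resets it at the machine."""
        if self.locked:
            return False
        if hmac.compare_digest(self.pin.encode(), attempt.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False

    def remote_command(self, attempt: str, command: str) -> Tuple[str, Optional[List[str]]]:
        """Authenticate first, then allow-list the command."""
        if not self.authenticate(attempt):
            return ("denied", None)
        if command not in REMOTE_ALLOWED:
            return ("refused", None)  # destructive operations are not exposed remotely
        return ("ok", list(self.messages))


def keyspace(pin_length: int) -> int:
    """Number of distinct all-digit codes of the given length."""
    return 10 ** pin_length


def simulate_guessing(machine: AnsweringMachine, pin_length: int) -> Tuple[bool, int]:
    """Walk the whole code space in order against an in-memory machine to see
    whether the lockout policy stops the walk.  Returns (code_found, attempts)."""
    for n in range(keyspace(pin_length)):
        guess = str(n).zfill(pin_length)
        if machine.authenticate(guess):
            return (True, n + 1)
        if machine.locked:
            return (False, n + 1)
    return (False, keyspace(pin_length))


if __name__ == "__main__":
    # A one-digit preset with no lockout, as Felderman describes.
    weak = AnsweringMachine(pin="7", min_pin_length=1, max_failures=None)
    print("one-digit preset, no lockout:", simulate_guessing(weak, 1))
    # A four-digit user-chosen PIN that locks after three misses.
    strong = AnsweringMachine(pin="4821")
    print("4-digit PIN, lockout at 3:", simulate_guessing(strong, 4))
    m = AnsweringMachine(pin="4821")
    print("remote erase with the right PIN:", m.remote_command("4821", ERASE))
```

The lockout is a trade-off rather than a free win: a prankster who dials in and misses three times locks the owner out too, which is the denial-of-service side of the same control. Whether that is acceptable depends on whether the owner can reset at the machine, which is why the model leaves the reset out of the remote interface entirely.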