RISKS-LIST: RISKS-FORUM Digest Wednesday 31 May 1989 Volume 8 : Issue 76 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: State computer system scrapped (Davis) Swedish library loan data to become secret (Howard Gayle) SABRE (Bill Murray) Strange Customs Service Clock Department (Willis H. Ware) No power lunch, just no-power crunch (after the squirrel's over) (PGN) Re: Computer electrocutes chess player who beat it! (David Chase) Five admit automated teller scam (Rodney Hoffman) Re: Kevin Mitnick (Kenneth Siani) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. * RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99). ---------------------------------------------------------------------- Date: Tue, 30 May 89 11:02:49 edt From: davis@ai.mit.edu Subject: State computer system scrapped (RISKS-8.73) Rumor: AI Causes $20M Loss to Pennsylvania How Rumors Get Started, Lesson 1 (Excerpts from Seattle Times article quoted by Bruce Forstall in Risks 8.73): Quote 1: COSMOS, designed by Pennsylvania-based UNISYS Corp., was thought so advanced that Gov. Booth Gardner and some of the state's computer professionals likened it to ``artificial intelligence.'' Quote 2: ``This was an effort to create artificial intelligence so the computer could `think' about eligibility,'' Gardner said yesterday. ``I don't think we'll mess with artificial intelligence again.'' Notice the shift from ``likened it to AI'' to ``an effort to create AI.'' Notice how what starts out being metaphorical turns literal. Does the system in fact use any AI techniques? Impossible to tell. But what's the lingering impression and what will people likely remember? ------------------------------ Date: Tue, 30 May 89 15:22:36 +0200 From: howard@dahlbeck.ericsson.se (Howard Gayle) Subject: Swedish library loan data to become secret This is based on an article in the Stockholm newspaper Dagens Nyheter, 29 May 1989, p. 25. The Swedish parliament has just passed a law, effective 1 October 1989, making the records of public library loans secret. At present, such records are in principle public information, so that any person can find out which books any library patron has borrowed. In practice some libraries refuse to give out such information, although this is technically illegal. The minister of justice opposed the new law, although the article does not say why. Like all Swedish laws, there are plenty of exceptions. Data may be released if the release does no harm, if the patron borrows technical literature for use at work, if the data are needed to calculate compensation to authors, or if the data are to be used for research. (Authors get some money based on how many times their books are borrowed, in addition to royalties.) ------------------------------ Date: Sat, 27 May 89 13:55 EDT From: WHMurray@DOCKMASTER.NCSC.MIL Subject: SABRE >Is SABRE is too tightly coupled to its hardware to be moved to a >platform that provides hardware memory protection? Or is it just plain >too big to be ported? SABRE, like most reservation systems, runs on ACP or TPF. These high-performance, limited function operating systems run on hardware with memory protection, i.e., 370 XA. However, for performance reasons, they do not exploit the isolation features of the hardware. All application code runs in a single address space and at the same level of privilege. While this strategy is inherently dangerous, there are compensating controls imposed on application code. The strategy has been very successful. The res systems have achieved extraordinary reliability and stability for any kind of system, let alone systems which are both mammoth and monolithic. Portability is another issue. Like most application code, the code of the res systems is sensitive to its environment. It expects a certain application program interface. It can run anywhere it sees that API. The API isolates it from the underlying hardware and operating system. The application code has survived many ports to new hardware and operating system. However, the application is so large and complex that it is difficult to view it as anything but a monolith. The monolith can only be ported as a whole to something big enough to contain it. IBM is under continual pressure to expand the environment fast enough to accomodate the growth of the application, and the operators struggle to keep it small enough to run in the biggest system available. If you were to begin today, knowing what we know, you would never permit anything so large and monolithic to come into existence. On the other hand it is too large, important, valuable, and vital to kill. Like many other successful applications from the sixties, it has a life of its own. While we may migrate many of its functions to compartmented sub-systems, the core is likely to be with us for a very long time. Success is like that. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ------------------------------ Date: Fri, 26 May 89 17:13:34 PDT From: "Willis H. Ware" Subject: Strange Customs Service Clock Department [Excerpted and Paraphrased from Goverment Computer News, May 1, 1989, pg 6, byline of Vanessa Jo Grimm.] The U.S. attorney for Washington is reviewing an allegation that a Customs Service official violated the Computer Security Act [PL 100-235 presumably] by altering a computer's internal clock. Treasury Department Inspector General Michael R. Hill referred the allegation to the prosecutor after an investigation into year-end spedning by Custom officials at the close of FY 1988. The allegation involves an official who may have authorized altering the date maintained by the computers [that] the agency uses for procurment documents, according to Maurice S. Moody, the IG's audit director for Financial Management Service. Moody recently told the House Ways and Means Subcommittee on Oversight the computers are part of the agency's Automated Commercial System. He declined to provide GCN with more details. Allegedly the computer clock was rolled back during the first three days of October [of 1988] so that $41.8M in procurement obligations would be dated in September against FY 1988 appropriations, Moody said. An IG report issued in late February concluded Customs had not violated any procurement laws. The IG's investigation is continuing, however. "Doesn't $41.8M worth of procurement on the last day of the fiscal year bother anybody?" asked Rep. Richard T. Shulze (R-Pa). The purchases did bother the IG, Moody said, and this concern led to getting the US attorney. "This problem is endemic in the federal government," he said. "Year-end spedning is very common." William F. Riley, Customs controller, said he knew about the rollback, but he and Deputy Commissioner Michael H. Lane refused to say who authorized the action... Subcommittee members continued to press Riley and Lane. "Is the person still at Customs?" asked subcommittee chairman J.J.Pickle (D-Texas). "He is working full time and in the position he was at the time," Lane answered. Rep. Beryl F. Anthony, Jr. (D-Ark) asked how Riley became aware of the rollback. "He [the official who authorized the rollback] told me that it was going to be done," Riley said. [Rep Pickle suggested that a high ranking official would have to authorize such an action, but Counsel advised Lane not to reply. He did say neither he nor Commissioner von Raab had made the decision.] [The balance of the article deals with the actions of Linda Gibbs, who became aware of the incident and reported it to the IG after being unable to stop the action. Gibbs also alleged that the action was intended to use available year-end money to cover cost overrun on a contract with Northrop Corp. She also alleged that she had been reassigned and given no new duties.] ------------------------------ Date: Wed, 31 May 1989 14:30:35 PDT From: Peter Neumann Subject: No power lunch, just no-power crunch When people returned to work on Tuesday after Monday's squirrel attack (noted in RISKS-8.75), at least NINE Sun monitors had been wiped out at SRI. Sun was terrific in having replacements for most by Tuesday afternoon. (The DEC mainframes that Dave Edwards noted had been downed both took a while to bring up again -- including our friendly old DEC 2065 KL, which I shall miss when it finally gets decommissioned.) ------------------------------ Date: Tue, 30 May 89 13:18:07 -0700 From: chase@orc.olivetti.com Subject: Re: Computer electrocutes chess player who beat it! (RISKS 8.75) > This implies that Soviet semiconductors work at voltages of a few > hundred volts, or maybe their supercomputers are tube-based? The story as it stands sounds bogus, but don't discount low voltages. One of the worst shocks I've ever received (in the range of 6 to 12000 non-static volts) was only 12 volts. I was VERY well grounded (driving in the rain in a car with old metal springs in the seats and big holes in the floor), and attempted to manipulate the metal stump of the wiper control with a finger with a cut on the end of it. The sensation was something like a whack across the chest with a baseball bat. Normally, I can't even feel 12 volts. David [Maybe the WWN writer got it wrong, and it was "chest" instead of "chess"? ------------------------------ Date: 24 May 89 08:33:57 PDT (Wednesday) From: Rodney Hoffman Subject: Five admit automated teller scam In RISKS-8.24, I summarized a news account about five people arrested and charged with violating federal fraud statutes in a scheme to use more than 7,000 counterfeit ATM cards. The alleged mastermind, Mark Koenig, was a computer programmer who, while temporarily working under contract on a job dealing with several hundred ATMs, transferred bank account and PIN information to his home computer and stole an ATM encoding machine from his office. He and his confederates planned to use the counterfeit ATM cards to withdraw cash from ATMS throughout California and the Midwest over the three-day Presidents Day weekend in February. An unnamed informant alerted the U.S. Secret Service, who arrested the five people before that holiday weekend. A wire service story in the LATimes 23-May-89 reports that the five pleaded guilty Monday. All are scheduled for sentencing Aug. 25, and face prison terms of up to 72 years each. ------------------------------ Date: Tue, 23 May 89 09:53:47 EST From: SIANI@nssdca.GSFC.NASA.GOV Subject: Re: Kevin Mitnick Kevin Mitnick, the hacker "so dangerous that he can't even be allowed to use a phone". "He could ruin your life with his keyboard". "Armed with a keyboard and considered dangerous." These are some of the things that have been said about this person. All of this media hype would be fine if it just sold news papers. But it has done much more then just sell a few papers. It has influenced those that will ultimately decide his fate. I myself don't know the man, but I have talked to others that do. Including one of the persons that investigated Mitnick. From all I have heard about him, I think he is a slime ball! But even a slime ball should not be railroaded into a prison sentence that others of equal or greater guilt have avoided. I personally feel the man is just a criminal, like the guy that robs a 7/11, no better but certainly not any worse. Unfortunately he is thought of as some kind of a "SUPER HACKER". The head of LA Police Dept's Computer Crime Unit is quoted as saying "Mitnick is several levels above what you would characterize as a computer hacker". No disrespect intended, but a statement like this from the head of a computer crime unit indicates his ignorance on the ability of hackers and phone phreaks. Sure he did things like access and perhaps even altered Police Dept. criminal records, credit records at TRW Corp, and Pacific Telephone, disconnecting phones of people he didn't like etc. But what is not understood by most people outside of the hack/phreak world is that these things are VERY EASY TO DO AND ARE DONE ALL THE TIME. In the hack/phreak community such manipulation of computer and phone systems is all to easy. I see nothing special about his ability to do this. The only thing special about Kevin Mitnick is that he is not a "novice" hacker like most of the thirteen year old kids that get busted for hacking/phreaking. It has been a number of years since an "advanced" hacker has been arrested. Not since the days of the Inner Circle gang have law enforcement authorities had to deal with a hacker working at this level of ability. As a general rule, advanced hackers do not get caught because of there activity but rather it is almost always others that turn them in. It is therefore easy to understand why his abilities are perceived as being extraordinary when in fact they are not. Because of all the media hype this case has received I'm afraid that: 1.) He will not be treated fairly. He will be judged as a much greater threat to society then others that have committed simular crimes. 2.) He will become some kind of folk hero. A Jesse James with a keyboard. This will only cause other to follow in his footsteps. I'm not defending him or the things he has done in any sense. All I'm saying is let's be fair. Judge the man by the facts, not the headlines. Disclaimer: The views expressed here are my own. Kenneth Siani, Sr. Security Specialist, Information Systems Div., NYMA Inc. ------------------------------ End of RISKS-FORUM Digest 8.76 ************************