RISKS-LIST: RISKS-FORUM Digest Wednesday 14 February 1990 Volume 9 : Issue 68 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Re: Caller ID (NYTimes editorial) (John M. Sullivan) How to make answering machines deliver ransom messages (Denis Coskun) More on the Hubble Space Telescope (Hank Strub) Human blamed, not the computer! -- jury duty (Lee S. Ridgway) Accents are more than just decorations (Kai-Mikael J{{-Aro) [Parse-ly, Rosemary, Time, Light, Control & Other SAGE Remarks] (Martin Minow) Blazers (Jeff Berkowitz) Re: Computers, good and evil (Gregg TeHennepe) Telephone Switch Security (Roland Ouellette) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. TO FTP VOL i ISSUE j: ftp CRVAX.sri.comlogin anonymousAnyNonNullPW cd sys$user2:[risks]get risks-i.j . Vol summaries now in risks-i.0 (j=0) ---------------------------------------------------------------------- Date: Fri, 9 Feb 90 20:27:26 -0500 From: sullivan@math.Princeton.EDU (John M. Sullivan) Subject: Re: Caller ID (NYTimes editorial) An editorial in the New York Times this morning (Feb 9) entitled ``Obscenities, Hang-Ups and Technology'' discussed Caller ID, the new phone feature showing the caller's number before the phone is answered. It discussed the privacy issues, namely the enhanced privacy of those who no longer receive obscene calls, and the reduced privacy of those placing calls. Suppposedly it is ``a potent deterrent that already seems to have sharply reduced those annoyances [crank calls] in New Jersey.'' Then it mentioned Call Blocking, an added feature not available in New Jersey, but to be available for free in California: ``By pressing two or three keys, callers could keep their numbers from being transmitted. The recipient would not see the number on the screen, only a 'P' [what do you suppose 'P' stands for?] or some other symbol. Like an apartment dweller who sees that the front door peephole has been blocked, he could simply decline to respond to the call. The trouble with Call Blocking is that it undermines Caller ID. Why would people buy Called ID if it could be so easily defeated?'' The answer is easy: they would for the same reason they install peepholes--they will know when it is being defeated. The editorial goes on to distort the balance of privacy issues: ``Three privacy interests intersect here. It is difficult choosing between two--the interest of the recipient of calls who wishes not to be harassed and the interest of the caller who wishes no to be identified. The third interest, however, might be overriding: society's interest in discouraging offensive phone calls generally.'' Simply repeating one side of the argument twice (from an individual and a societal point of view) does not make it carry twice the weight. The editorial concludes that a bill sponsored by Sen. Herbert Kohl to require free Call Blocking should be defeated, until the impact on privacy of Caller ID with and without Call Blocking can be measured. I wrote a response to the editor, which concludes: Even without Call Blocking, those wishing to harass could do so anonymously from pay phones. But this might be too much discouragement for those wishing to place anonymous calls to crisis hotlines, as you suggest. Of course the organizations running those hotlines can probably be trusted not to use Caller ID to trace their calls. But people considering placing such calls need all the encouragement they can get to go ahead without fear of identification. The real danger to society in Caller ID comes from the ability of large companies to maintain databases by phone number. It will be convenient if corporations can quickly identify and service their regular customers by looking up the phone number when a call comes in. But one might wish to make a call inquiring about some product without running the risks of receiving follow-up calls or being placed on a related mailing list. Call Blocking provides the perfect solution. While private individuals with Caller ID would refuse blocked calls if they feared harassment, I am sure that even those corporations that made use of a phone database would be willing to accept some anonymous inquiries. Although the drop in obscene phone calls is easy to measure, the risks to callers' privacy are much harder to quantify. I sense that you do not even plan to measure them at the end of the experiment you propose, in which New Jersey will be the guinea pig. John M. Sullivan Princeton Univ. Math Dept. sullivan@math.princeton.edu ------------------------------ Date: Fri, 9 Feb 90 20:21:00 est From: dcoskun@alias (Denis Coskun) Subject: Defeating answering machine security codes In RISKS-7.69 Vince Manis tells us that his General Electric answering machine has only 256 possible access codes for remote message retrieval. I have the same machine. Valid combinations are 3 consecutive touch tones of the form [0-7][0-7][0-3]. In RISKS-7.73 William Curtiss points out that most answering machines just ignore digits until you get the correct security code. "As long as the incoming stream contains the code somewhere you are given access. Since 256 combinations needs three digits, a carefully constructed string of 258 digits will contain every possible combination (for example, if the code is a triplet composed of just the numbers 1 and 2 then the string 1211122212 contains all eight triplets)." The shortest string of digits that I was able to generate for defeating my answering machine was 452 digits: 000100200301101201302102202303103203304004104204305005105205 306006106206307007107207311121131221231321331401411421431501 511521531601611621631701711721732223233240241242243250251252 253260261262263270271272273330034034134234335035135235336036 136236337037137237344044144244345045145245346046146246347047 147247354054154254355055155255356056156256357057157257364064 164264365065165265366066166266367067167267307407417427437507 51752753760761762763770771772773 DTMF decoding chips are required to recognize a tone as short as 50 milliseconds with an interdigit interval of another 50 milliseconds, making a total of 100 ms for each digit. So the whole 452 digit string could be dialed within 45.2 seconds using a demon dialer. Since my answering machine will wait a minute or more while you leave a message, it could be cracked with just one phone call. Can anyone suggest an algorithm to generate a shorter string than I have above, or better yet, an optimal string? A string length of 258 digits is a lower bound, but is there necessarily a solution that short? I checked more than a dozen different answering machines on the market that allow remote message retrieval using touch tones, and the best let you select combinations of the form [0-9][0-9][0-9]. A key space of 1000 combinations is hardly any improvement. Denis Coskun dcoskun%alias@csri.utoronto.ca utcsri!alias!dcoskun ------------------------------ Date: Fri, 9 Feb 90 20:22:57 est dcoskun@alias (Denis Coskun) Subject: How to make answering machines deliver ransom messages I discovered a security weakness that would allow you to trick answering machines with remote message retrieval into making phone calls and delivering untraceable ransom messages! Here's how: Dial someone's answering machine and leave a message with the format: 1. 14 seconds of nonsense talking (to keep the tape running) 2. dial, say, 555-1234 using touch tones (which will be recorded) 3. a few more seconds of random talking 4. finally your ransom message Now dial the security code (which you discovered as described in my companion article) to get the answering machine to play back the messages. As soon as you hear the start of your nonsense message, hang up. The machine will continue playing the messages, oblivious to the fact that no one is listening. The telephone exchange will supply dial tone to the answering machine's line 12 seconds after you hang up (12 seconds at my exchange). Two seconds later, the answering machine will play the recorded touch tones 555-1234, effectively dialing that number. A few seconds later, the person at 555-1234 answers and your message is delivered! And it cannot be traced to you. Of course, you would call back the answering machine and clean up the evidence. I believe that the technique will work on all answering machines with remote message retrieval provided that: 1. You have the security code (see my other posting about how good these are). 2. The exchange will supply dial tone to the callee after the caller hangs up. This is true on all modern switches. 3. The phone line of the answering machine permits touch tone dialing. This is a way to secure your answering machine: switch to pulse dialing only service. 4. The machine and its tape reproduce touch tones with enough fidelity. Mine do. 5. The machine will ignore dial tone. There are no guaranteed electrical changes on the line when a caller hangs up, so watching for dial tone would be the only reliable indicator, which my machine ignores. 6. The machine will record touch tones. Mine will record everything (except that the 3 digit security code gets it to play back the messages). The security hole could be plugged if the machine would stop recording as soon as it got any touch tone. 7. The machine will play all touch tones recorded on its tape. I did have some trouble here since the machine cannot tell if a tone is coming from the tape or from the caller on the line. During playback, my machine will interpret a "1" as a command to fast forward and "3" to fast reverse, and thus disrupt the dialing if these digits are part of the number. A more likely hazard than untraceable ransom messages is the relaying of long distance messages that are charged to some innocent answering machine owner, or harassing the owner by having him billed for random toll calls (long distance, overseas, 976, 900, etc.). Denis Coskun dcoskun%alias@csri.utoronto.ca utcsri!alias!dcoskun ------------------------------ Date: 12 February 1990 0909-PST (Monday) From: strub%cogsci@ucsd.edu (Hank Strub) Subject: More on the Hubble Space Telescope The 2/11/90 New York Times Magazine has a long article on the space telescope. This article goes into some detail on the project's software problems ". . .scientists were aiming for a 1985 launching, but because so much of the technology related to secret military systems, the Pentagon dictated that only 116 managers in the project could have access to the contractors' plans. 'This lack of manpower came back to haunt us many times,' Robert O'Dell, who now teaches at Rice University, wrote in Sky & Telescope magazine last July. 'It kept NASA from closely following the contractors' work and made it very difficult to know what was happening at any given time. Costs soared and deadlines were missed. The system that controls the telescope's directional pointing encountered difficulties, which made matters worse. Only after a management reshuffling at Marshall Space Center, and the addition of more overseers, did the project finally get back on track, but with launching delayed until late 1986." The article continues explaining problems that resulted from launching the telescope from the shuttle to a 380 mile orbit instead of to the originally planned on 22,300 mile equatorial orbit. Leading into: "Rodger Doxsey, chief of engineering support for the space telescope institute, concedes that the delay caused by the Challenger disaster was not all bad: 'We were not ready to operate the telescope in 1986. There would have been a big scramble just to get it operating. But that's a route history didn't take.' The biggest problem was in developing the computer software to control the constantly orbiting telescope: slewing it into position, pointing it to targets and keeping them in the field of view, making adjustments dictated by the interference of Earth and the need to avoid looking at the Sun. (To prevent damaging glare to the optics, the telescope cannot point within 20 degrees of the bright limb of Earth or within 50 degrees of the Sun.) Computers also instruct the telescope about which cameras or sensors to operate for a particular observation, and which of the many camera filters it should use. The computer must then schedule a time when the resulting data can be radioed to Earth through the two tracking and data relay satellites, which are not always available, because of commitments to shuttle missions and various spy satellites. Each observation, whether for a few hours or several days, must be meticulously planned down to the second. 'The entire architecture for this software has had to be very much redefined in the last four years,' Doxsey says." Hank Strub hbstrub@ucsd.edu hbstrub@ucsd.bitnet Cognitive Science UCSD, D-015 La Jolla, CA 92093-0515 (619) 534-2541 ------------------------------ Date: Mon, 12 Feb 90 13:02:49 EST From: "Lee S. Ridgway" Subject: Human blamed, not the computer! -- jury duty Last week I fulfilled one of my civic obligations by complying with a summons for jury duty - which meant showing up at the appointed time and place, in order to sit and wait until called or dismissed. [This on the same day the Commonwealth announced it would file misdemeanor charges against no shows. But I digress.] In Massachusetts, you are called to serve one day or one trial. The one day is covered by sitting in the jury assembly room, waiting. Once the one-day / one-trial obligation is met, you are not supposed to be summoned again for three years. In the introductory remarks given by the jury clerk, he admonished us to stash our certificate of service in a safe place, because it will be the only sure-fire proof that we did, indeed, do our duty. He continued, and I quote, "SOMEONE did something to the computer, and so a lot of people who should not be receiving jury summonses are - sometimes monthly..." I was struck by the fact that the clerk did not blame the computer for having messed up the records of who was eligible for a summons and who wasn't, that he blamed it on a human. And this was a person who, although articulate, would not normally be thought of as terribly concerned with such fine distinctions. ------------------------------ Date: Tue, 13 Feb 90 10:10:17 +0100 From: d85-kai@nada.kth.se (Kai-Mikael J{{-Aro) Subject: Accents are more than just decorations Accents are more than just decorations The ASCII character set has (obviously) been developed by Americans for Americans. This is all very well, but since most nations use American computers they, too, get to use the ASCII character set. One consequence of this is that one gets into problems when trying to display characters not present in the original ASCII set. What has been done, then, in most instances is the replacement of certain less commonly used characters, mainly [\]{|}, with "national" characters. But this isn't problem-free. One thing soon noticed is that even though the characters display as letters on the screen, they are still by most programs interpreted as non-alphabetics to the confusion of (not exclusively) novice users. This also means that programming languages which use these special characters, C is a prime example, look strange, to say the least, when displayed with national characters. Another problem that soon crops up is that of sort sequence. Most languages treat accented characters as letters with decorations, thus aacute, agrave, acircumflex and so on, all count as a's. However, in the Nordic languages the situation is somewhat different. Aring, Adieresis and Odieresis in Finnish and Swedish, and their Danish and Norwegian counterparts Aring, AE and Oslash count as actual letters - thus they have an alphabetic order of their own. To further complicate the matter, this order isn't the same in the different languages - Finnish and Swedish have ...X Y Z Aring Adieresis Odieresis while Danish and Norwegian has the order ...X Y Z AE Oslash Aring. In spite of this, the decision was taken to use the same order in all four countries and the Danish/Norwegian order was chosen. This means that when you sort something alphabetically in Swedish, all words containing Aring will end up in the wrong place. If they end up at all, that is to say - a few years ago I read in the newspaper that the literary magazine BLM had failed to send out any issues to subscribers who's name started with Aring. This was blamed on "computer error", but a little afterthought gave the realization that some programmer had used a test like if ch >= 'A' and ch <= 'Odieresis' then ... and thought he had handled the entire alphabet. Eight-bit character sets solve the problem of displaying both national characters and braces/brackets but they generally don't solve the problem with different sort orders. There are then some added complications: At least in Swedish, V and W are considered to be equivalent, thus "Walle" comes before "Ville" in a sort. The Aring has been introduced in Danish and Norvegian very lately, as a replacement for the Aa-digram. However, proper names are still often spelled with aa, and thus aa and aring have to be sorted as if they were equivalent, but then again, there are foreign words that contain the combination aa, and these are to be sorted as if they had tow a's in a row, so one would get "(den) Haag", "Hb", "Haagerup". This is probably not very easily done on a computer... Kai-Mikael J{{-Aro (d85-kai@nada.kth.se) ^^These are adiereses Thanks to Mogens Lemvig Hansen for explaining the Danish alphabet to me. ------------------------------ Date: Mon, 12 Feb 90 07:30:09 PST From: "Martin Minow, ML3-5/U26 12-Feb-1990 1023" Subject: [Parse-ly, Rosemary, Time, Light, Control & Other SAGE Remarks] (Comments on various postings in Risks 9.67:) Les Earnest's memoir of SAGE reminded me of a story told by a high-school buddy who went into the Air Force before college. He ended up as a technician at a SAGE installation. As Les relates, SAGE used a dual-processor system for reliability: one online, one offline for testing. One day, the officer in charge stepped out for coffee. The technicians switched to the other cpu and started running diagnostics on the system that had been online. One of these diagnostics turned on all lamps to check whether any were burned out. The officer then came back with a cup of coffee, glanced at the system he thought was defending America and decided that the Hour Of Destiny had arrived. The coffee cup was tossed aside as he lept to battle stations. The next day, as my friend related, a very prominent "ON LINE" sign was added to the system. My friend also mentioned that the graphics system could be used to display pictures of young women that were somewhat unrelated to national defense -- unless one takes a very long view -- with the light pen being used to select articles of clothing that were considered inappropriate in the mind of the viewer. (Predating the "look and feel" of MacPlaymate by almost 30 years.) Perhaps Les could expand on this; paying special consideration to the risks involved in this type of programming. .... The discussion of whether the Vincennes' missile control system must obey "rules of engagement" brings up an interesting problem that has no simple solution: who is in charge of the technology? To simplify the problem somewhat, should the engine control computer in my car allow me to drive faster than 55 miles per hour? Should I reprogram that computer when I enter an Interstate highway or ship the car to Germany? A few years ago, I was one of the developers of the DECtalk speech synthesizer. I took some care to make sure that the most common English obscenities were properly pronounced. One of my goals with DECtalk was to build a tool that could be used by a speech-impaired person and I felt that, no matter how improper the language, it was not my job to restrict the user's expression. The purpose of a missile control computer is to kill people. It strikes me as bizarre to require the computer program to obey international law as well. Why should a machine be held more -- or even as -- responsible than the ship's captain? .... In Scandinavia, car headlights are to be kept on 24 hours per day. The local manufacturers have added relays to shut the headlights off when the ignition is turned off. This seems both simpler and more effective than buzzers and synthesized voices. Of course, this is technology being used to aid compliance with the law. .... When I started this note, I thought I was commenting on three unrelated topics. Apparently, everything is related. Martin Minow ------------------------------ Date: 11 Feb 90 17:24:49 GMT From: Jeff Berkowitz Subject: Blazers (Re: Woodhead, RISKS-9.67) Robert J Woodhead writes: >Fortunately for many of us, after about 40 years of intense debate in the >automotive industry on this complex and challenging "lights on" problem, some >manufacturers are adding a simple device that alerts you if your lights are on >when the ignition is off. These range from a simple analog "BReeee!" in my >Chevy Blazer... I have a Blazer (actually a GMC Jimmy, the same vehicle) with the "analog BReeee!" feature referred to by Mr. Woodhead. I won't disagree that the buzzer is a nice feature. The observed rate of "battery dead due to lights on" with this vehicle, however, is higher than any other vehicles we have ever owned (two occurrences in 18 months). The problem is caused by a small convenience light located on the ceiling of the vehicle just inside the rear cargo compartment door. The light housing includes a rocker switch, which requires very low pressure to operate and is aligned axially rather than longitudinally. The switch is therefore easily operated by accident. The act of lifting a grocery bag from the rear compartment can cause the lip of the bag to move the switch, for example. This tiny light is NOT coupled into the manufacturer's "beeper system", of course - that would be too annoying. The light is very faint, so faint that one can fail to observe it when peeking into the garage at night. We believe that about three days of continuous operation of the light are sufficient to drain the battery to the point that it will not start the car (we're not sure about this, since we never really know when the switch was thrown as we scurry around, days later, connecting jumper cables :-). To my mind, this is an excellent "microexample" of how a complex system design can fail miserably to achieve the intent of the designer. Although this system is not computerized, it contains an obvious message: reliability can't be glued on. Jeff Berkowitz N6QOM uunet!sequent!jjb Sequent Computer Systems Custom Systems Group ------------------------------ Date: Fri, 9 Feb 90 10:29:41 EST From: gateh@CONNCOLL.BITNET Subject: Re: Computers, good and evil (Sicherman, RISKS-9.67) > "Apple pie is in itself neither good nor bad; it is the way it is used... I have read none of the works on this topic, but (unless I am thoroughly confused) it seems that McLuhan's apple pie analogy is a somewhat sarcastic attempt at supporting his argument that technologies (and apple pie) do have inherent qualities or a "nature" which renders them "good or bad" of their own. Apparently he feels that the "nature" of apple pie is good, and Certainly he could not infer such a quality unless he liked apple pie, something which is obviously not true for all people. In fact, for those allergic to apples, the nature of apple pie is, if anything, bad. And so he has succeeded in proving the very point made by Sarnoff. Gregg TeHennepe | Minicomputer Specialist gateh@conncoll.bitnet | Connecticut College, New London, CT ------------------------------ Date: Mon, 12 Feb 90 19:36:28 CST From: rouellet@polaris.cs.uiuc.edu (Roland Ouellette) Subject: Telephone Switch Security Lately there has been little lack of discussion about reliability of telecomunications systems. I have also seen several articles which discuss the security of the same systems. MIT has recently installed an ISDN system using a #5ESS system. There has been a whole lot of discussion about what the system can and cannot do. October '89's issue of Technology Review has an article entitled "The Twilight Phone." In February's issue there is an editorial and two replies. The editorial claims that it is possible to use the phone system to bug rooms. The replies claim that, while theoretically possible, getting the switch to do that would require programming expertise and physical access to the switch. There then is the possibility that folks in charge could order the owners of the switch to bug a room. This is more invasive than a normal wire tap, because the phone's microphone could be left on all of the time. Then there is this article which appeared in the WSJ. It does not state how said hackers "entered the company's computer," but it makes me wonder. I'd be interested to hear how these calls were rerouted. Hackers - Accused of scheme against BellSouth. Legion of Doom group. {The Wall Street Journal, 8-Feb-90, p. C20} Federal grand juries in Chicago and Atlanta indicted four alleged computer hackers in what authorities called a fraud scheme that could potentially disrupt emergency "911" telephone service throughout nine Southern states. The men, alleged to be part of a closely knit cadre of computer hackers known as the Legion of Doom, gained access to the computer system controlling telephone emergency service of BellSouth Corp., the Atlanta-based telecommunications giant. The Chicago indictment said members of the Legion of Doom are engaged in disrupting telephone service by entering a telephone company's computers and changing the routing of telephone calls. The hackers in the group also fraudulently obtain money from companies by altering information in their computers, the indictment said. The hackers transferred stolen telephone-computer information from BellSouth to what prosecutors termed a "computer bulletin board system" in Lockport, Ill. In turn, the men planned to publish the computer data in a hacker's magazine, the grand jury charged. Roland G. Ouellette rgog1070@uxa.cso.uiuc.edu rouellet@babym.cs.uiuc.edu ------------------------------ End of RISKS-FORUM Digest 9.68 ************************