Aucbcory.221
net.followup
utcsrgv!utzoo!decvax!ucbvax!ARPAVAX:CAD:ESVAX:Cory:cc-treas
Tue Mar 9 01:42:08 1982
Another Newspaper Article - SF Examiner

The following article appeared in the San Francisco Examiner, Monday March 8, 1982 on page B7:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Experts Fear Computer Pranks lead to Crimes

By Carl Irving
Examiner Staff Writer

Security experts fear that a generation of computer criminals may emerge from the nation's universities, encouraged by their benevolent professors to commit pranks that could lead to fraud, embezzlement, and worse.

Discovery of a computer technique at the University of California at Berkeley, which has the potential to be the most serious breach yet to computer security, brought the matter to public attention this week.

Two of the nation's leading computer security experts at SRI in Menlo Park are convinced that academicians have been too lax, ignoring or condoning what they consider light-hearted student pranks that show up on computer programs.

Faculty computer experts at Cal and Stanford counter that almost all of their students behave responsibly and don't exploit the equipment. They contend, however, moreover, that the spirit of academic inquiry does not flourish under the shadow of suspicion or secrecy.

But industry people fear that secrets vital to the firm or national security could be endangered unless students learn to restrict computers to less imaginative uses.

"That's always been a thorny issue," says Ralph Gorin, director of the LOTS computer center for students at Stanford University. "Probably at no point in time have politicians or administrators felt the populace should know everything. In some ways, that is antithetical to what we are trying to do at a university."

But Charles Wood, computer security analyst at SRI, said, "We're worried that students are rewarded for what faculty members might consider engaging behavior, in experimenting with the computers.

"Campuses are hotbeds for ideas. And kids [AUUUUGH! We're hardly kids! -eef] playing with computers for 10 or 14 hours a day are so oriented to them, it's not surprising they come up with new and different ways to attack security systems. This is another in a long string of vulnerabilities coming to computer systems."

At Cal, students last year discovered a way to use the computer privileges of another user, which Wood says could circumvent controls in an industry system.

"One person can do it all," he said. "It opens up to frauds and embezzlements, and a wide range of other abuses."

The method discovered at Berkeley, simple and undetectable, was revealed some time later -- last September -- to M. Stuart Lynn, director of Computing Affairs. Recognizing a security problem, Lynn consulted with Donn Parker, Wood's colleague at SRI.

The SRI group described the method to the computer industry, to help block use of the method. Parker regarded the discovery as probably the most serious uncovered so far, because of its simplicity and the wide range of systems that could be vulnerable to it.

At Berkeley, the system involved is UNIX, produced by [can you guess?] Digital Equipment Corp. Thousands of the UNIX computer brains are in use around the world. [UNIX computer brains? Who thought of THAT one?!]

Known methods to counter the discovery involve either a "monitor" -- somebody watching over everyone's shoulder electronically -- or removal of part of the terminal equipment. Both methods are expensive.

Lynn defends his students, saying they "don't exploit things." He notes that they did "the responsible thing" by bringing it to his and others' attention.

"The vast majority are very responsible individuals," says Lynn. But future purchases will not have the feature that enabled students to break through into others' files, Lynn added.

The vice president of the Computer Sciences Student Association, [It's actually Computer Science Undergraduate Association. -eef] Daniel Conde, says that about a dozen "hackers" -- as those who make a hobby of playing games on the computers are called -- spend extra time on the terminals at the Berkeley computer center.

"They tend to hang around and play games, but they don't do any harmful stuff," says Conde. But the center is becoming more crowded now with students eager to learn how to use computers, and play time has been cut back severely, Conde adds.

At Stanford, Gorin says the honor system -- depending on the students to monitor themselves -- and the faculty instructions on how to use the computers are the only security methods in use.

"We are perhaps less thorough than we should be in trying to drum into the students what appropriate behavior is," he concedes. "But if you read somebody else's files, how's that different from reading somebody's printout you find in a wastebasket?"

Gorin also concedes that the computer, like the automobile and other technologies, has the potential for abuse. But he'd like to concentrate on its potential for enriching campuses -- "computers have the potential to augment each individual's capability, so each can accomplish more and produce better results."

While people such as Gorin instinctively oppose such notions as "electronic fences," Wood and Parker criss-cross the nation advising firms about the defenses against computer break-ins.

There have been some serious ones. The one that took $2 billion from the Equity Funding of America in Los Angeles still leads the list, according to Parker. Executives there created 64,000 fake life insurance policies, declared all their holders dead, and collected the vast proceeds. The policies were all drawn up on the computer. Twenty-two people were convicted.

Parker, who is consulted by Scotland Yard and the FBI on computer matters, said in an earlier interview that behavior leading to this kind of crime can begin on a campus, "because we're encouraging them to compromise computers and teaching them it's a game."

While students may not often abuse their computer privileges, there have been some dramatic examples. In 1975, a student was graduated Phi Beta Kappa from Queens College. Four years later, the honor was revoked when the administration found that he'd upped his grades over four years, along with those of 15 other students.

Young people often are the most ingenious in penetrating computer networks. A year ago, an eighth-grader was identified as one of three to have invaded computer data banks of several companies.

A 15-year-old Concord student, using $60 worth of second-hand equipment, disrupted the UC system for months. He was eventually charged with stealing more than 200 hours of time.

According to Wood, the latest UC "breakthrough" became possible because of a feature that allows remote control of a terminal. The students made use of this feature to find a technique that "permits one user to lead the machine to think he's someone else. So a data entry clerk could lead a machine to believe he's a security officer or a programmer or some other privileged user."

The discovery or "vulnerability" at Cal applies to a number of systems now in use around the country.

Industry, says Wood, has lagged in realizing some of the potential problems involved in using computers. Computers have been heralded "as a way to increase productivity. People have been hypnotized by their advantages, and don't consider the potential disadvantages," he said.

He would like to see a government or industry clearing house for computer security information.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Some comments:

This `method' for zapping users (and indirectly) systems is very old. Not discovered last spring, or this fall, but years old.

Equity Funding had nothing to do with computer security. The system involved was being used to aid in a Ponzi Game (A pyramid Scheme) and the company officers all knew about it. The computer just made the numbers bigger, because the con men could keep better records.

UNIX (is a Trademark of Bell Laboratories) is NOT `made' by Digital Equipment Corp. The machines may be, but (thank god and the wise administrators of Berkeley) that does NOT mean we run their Opsystems.

The Computer Science Undergraduate Association gets nothing from the Office of Computing Affairs or the Computer Center. This account is available to me (as the Treasurer of said organization) under the auspices of the EECS department at Berkeley. Also, our hackers program just as much as hackers anywhere. We do NOT only play games!

At no time do professors at the University of California encourage attacks on computer system security. Besides, if we don't discover the holes in system security where "The vast majority are responsible individuals...", then someone else will, at another place, with nastier consequences.

Erik E. Fair
CSUA Treasurer
Cory.cc-treas@Berkeley
ucbvax!ucbcory!cc-treas

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen of http://communication.ucsd.edu/A-News/

This Usenet Oldnews Archive article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996 Bruce Jones, Henry Spencer, David Wiseman.