27-Jul-87 17:52:22-PDT,17791;000000000000 Return-Path: Received: from csl.csl.sri.com (CSL.SRI.COM) by F4.CSL.SRI.COM with TCP; Mon 27 Jul 87 17:42:36-PDT Received: from F4.CSL.SRI.COM by csl.csl.sri.com (3.2/4.16) id AA21529 for RISKS-LIST@f4.csl.sri.com; Mon, 27 Jul 87 17:21:09 PDT Message-Id: <8707280021.AA21529@csl.csl.sri.com> Date: Mon 27 Jul 87 17:17:55-PDT From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS DIGEST 5.18 Sender: NEUMANN@csl.sri.com To: RISKS-LIST@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Monday, 27 July 1987 Volume 5 : Issue 18 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Its Barcode is NOT worse than its Byte; Rooting for AT&T PC truffles (Elizabeth Zwicky) Too much security? (Richard Schooler) "Hacker Program" -- PC Prankster (Sam Rebelsky) Pittsburgh credit card hackers (Chris Koenigsberg) Hacking and Criminal Offenses (David Sherman) 911 Surprises (Paul Fuqua) Re: Taxes and who pays them (Craig E W) Statistics as a Fancy Name for Ignorance (Mark S. Day) Supermarkets (Chris Koenigsberg, Jon Mauney) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. FTP back issues Vol i Issue j from F4.CSL.SRI.COM:RISKS-i.j. Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97). ---------------------------------------------------------------------- Date: Mon, 27 Jul 87 11:27:38 EDT From: Elizabeth Zwicky To: RISKS@csl.sri.com Subject: Its Barcode is NOT worse than its Byte; Rooting for AT&T PC truffles Organization: The Ohio State University, CIS Dept. Two security notes: First, on the discussion about scanner errors in grocery stores. The chance that these are actually scanning errors is so small as to be ignorable. The UPC barcode they use is incredibly reliable, and includes two separate check digits encoded in different ways. What is very likely to go wrong is the shelf labels. Usually, the system is that the computer database is updated, and automatically prints revised shelf labels. There then is a considerable lag while the labels are actually put on the shelves. Of course, sometimes they forget to update the database, especially for sales. Second, on actual computer security. We have 40 AT&T PC7300s that are used to teach an introductory computing course. We have had notable problems with them (our current favorite causes students with output loops to end up losing the lab they're working on, source code and all), but were surprised when the root passwords started to mutate. One of us asked the monitor in the lab, who offered to break root for him so he could change it back. It seems that with two mouse clicks, and two presses of the enter key, you can get a root shell. There's a bug in the shutdown procedure, causing it to give you all its warnings, push a root shell (complete with window system that says "Office of root", just in case you don't know you're root), and then stop. Most of the students don't know enough about UNIX to make any use of this trick, but some of them seem to find changing the passwords around amusing. Elizabeth Zwicky [Suns reportedly have a similar feature! PGN] ------------------------------ Date: Mon, 27 Jul 87 11:48:12 EDT From: schooler@inmet.inmet.com (Richard Schooler) To: risks@csl.sri.com Subject: Too much security? A mainframe system that we have occasion to use retires passwords every 28 days and does not allow any of the four previous passwords to be re-used. Since we use the system mainly for re-hosting (i.e., not "real" work or personal files), the onerousness of this scheme has driven many of us to using extremely easy-to-remember passwords on that system, such as the name of the current month. I find this quite ironic. Richard Schooler, Intermetrics, Inc. {ihnp4,ima}!inmet!schooler [This is an old RISKS problem, but worth including for newer readers. PGN] ------------------------------ Date: Mon, 27 Jul 87 11:23:22 cdt From: Sam Rebelsky To: risks@csl.sri.com Subject: "Hacker Program" -- PC Prankster I thought people might be interested in a small article that appeared in a sidebar of today's Chicago Tribune, Business Section, Monday, 27 July 1987. "You'd better watch out A new software program lets anybody with access to an IBM or IBM-compatible personal computer become a hacker, at least on a small scale. The program, from Mainland Machine, San Luis Obispo, Calif., is called PC-Prankster. It wasn't necessarily designed with the idea of making the world a better place in which to live. An electronic jokester can sneak up and install PC Prankster on a friend or loved one's ``boot disk,'' (the disk used to fire up the computer's operating system when it is turned on), whereupon it resides in memory waiting for its chance to pounce. As soon as the PC user reaches a certain set number of keystrokes, the prankster takes over. The work in progress disappears, one of five ugly creatures fills the screen and blows a kiss, then vanishes, and the screen returns to where it was before the intrusion. The prank repeats itself every 5 minutes or so. Among the characters are a cyclops that blinks and a flasher that flashes. The only way to get rid of PC-Prankster is to use the delete program contained on the disk. Or you could drop your PC out the window, timing it to land on the perpetrator. PC Prankster costs $19.95 and also works on hard disk systems. This really bothers me. The article (and the program) imply that fooling with someone's work on a computer is acceptable and that hacking is just harmless playing. The article also seems to imply that the program is otherwise harmless "..and the screen returns to where it was before the intrustion." I find it unlikely that such a program will be perfectly harmless in all cases. I'm sure other people are more qualified to comment on other risks of such a program, including the similarity of such a program to a trojan horse. SamR ------------------------------ Date: Sun, 26 Jul 87 23:54:50 edt From: ckk+@andrew.cmu.edu (Chris Koenigsberg) To: risks@csl.sri.com Subject: Pittsburgh credit card hackers In RISKS 5.16, someone mentioned that a ring of teenaged credit card hackers was recently broken. What they didn't mention is that the solving of the case had nothing to do with the computer end of it at all. One of the kids bought a skateboard with a hot card number, and his mother was so annoyed at his use of the skateboard that she turned him in! [The wheels of (mis)fortune! PGN] ------------------------------ Date: Mon, 27 Jul 87 12:36:32 EDT To: RISKS@csl.sri.com Subject: Hacking and Criminal Offenses (Re: RISKS 5.15) From: mnetor!lsuc!dave@seismo.css.gov (David Sherman) Organization: Law Society of Upper Canada, Toronto > The dishonest obtaining of access to a computer data bank > by electronic means is not a criminal offence. > >Under the terms of the Act, Gold and Schifreen were charged with "making >a false instrument on, or in, which information was recorded or stored by >electronic means, with the intention of using it to induce the Prestel >computer to accept it as genuine, and by reason of so accepting it to do >an act to the prejudice of British Telecom plc". This case is reminiscent of the Supreme Court of Canada decision in R. v. McLaughlin (1980), 113 DLR(3d) 386-394. In both cases the authorities attempted to use a statute enacted for other purposes to prosecute unauthorized computer use. In the British case, as outlined above, the Act used was one which makes forgery and counterfeiting illegal. In the Canadian case, which involved a University of Alberta student obtaining unauthorized access to a university computer, the charge was that of fraudulently using a "telecommunication facility", in violate of s.287 of our Criminal Code. (That provision is the one used for people who use blue boxes to make long-distance calls.) The Supreme Court's decision boiled down to this quote (at p. 394): Had Parliament intended to associate penal consequences the unauthorized operation of a computer, it no doubt would have done so in a section of the Criminal Code or other penal statute in which the term which is now so permanently embedded in our language is employed. The result was that Parliament did indeed enact legislation making illegal the unauthorized use of computers (in 1986). It looks like the British Parliament will have to do the same. In the context of the quote above, the decision of the English Court of Appeal is probably correct. I'll be interested in seeing whether the Court of Appeal referred to the (Canadian) McLaughlin case. David Sherman, The Law Society of Upper Canada, Toronto { uunet!mnetor pyramid!utai decvax!utcsri ihnp4!utzoo } !lsuc!dave ------------------------------ Date: Mon, 27 Jul 87 14:30:54 CDT From: Paul Fuqua To: risks@csl.sri.com, telecom@XX.LCS.MIT.EDU Subject: 911 Surprises Tarrant County (Fort Worth) is about to start a 911 emergency telephone service, the second in the state, prompting quite a few newspaper articles about aspects of their service and that of Harris County (Houston), which started in January 1986. The details I found most interesting were the problems that had to be overcome in both systems. (Quoted without permission from the Dallas Morning News) For instance, Harris County found initially that people dialing a seven-digit number with 911 in it would sometimes reach the emergency operator by mistake. Telephone company computers were so quick, they would pick up the 911 and transfer the call before waiting for a fourth digit. [There are no other magic three-digit calls in this area: for 411, one dials 1411, and all other numbers are seven digits. - pf] ... In the beginning, 911 operators were deluged by calls from children trying out the system and from people who put the 911 number on the speed-dialing function on their telephones and hit the number by mistake. Misdirected calls also come in from cordless phones whose batteries are low -- a situation that seems to mistakenly trigger calls to 911 ... Another problem Tarrant County is working on is establishing street addresses for rural homes. The [911] district is working with the U.S. Postal Service and telephone companies to assign street addresses to more than 9,000 locations in Tarrant County so that a recognizable address will appear on the screen -- not just a rural route and box number. [The director] was surprised when the effort met some resistance. ... "Some people have said, `I'm not going to use 911 so I don't need my address changed.'" Tarrant County will start up their system on August 2, despite the failure of equipment to automatically transfer the address information from the emergency operator to the appropriate agency. Dallas County (Dallas) expects to start their own service next April; the goal is that the whole state will have 911 by 1995. Paul Fuqua, Texas Instruments Computer Science Center, Dallas, Texas CSNet: pf@ti-csl UUCP: {smu, texsun, im4u, rice}!ti-csl!pf ------------------------------ To: RISKS@csl.sri.com (RISKS FORUM, Peter G. Neumann -- Coordinator) Subject: Re: Taxes and who pays them (RISKS DIGEST 5.15) Date: Mon, 27 Jul 87 11:19:18 PDT From: cew@venera.isi.edu This idea of "passing it on" is nonsense. A Company, or any organization selling a product or service, will charge as much as it can for its product or service. It does not matter how much the product costs them or how much it is taxed or how much of the external costs are forcibly internalized by regulations. The question is simply "Does the amount received sufficiently cover the cost of production to justify the organization continuing the process?" If the profit is too small or non-existent then the process is halted. If the profit is great, others will get into the act. For the topic that came up in Risks, the question is "How will the companies providing electronic communications services respond to the added costs of FCC taxes?" Some possible responses are (1) absorb them (not bloody likely), (2) Add them to the price for the service (not a "passing on" but a shift in customer base), (3) Absorb them for a while and add them slowly to see how the customers react and (4) Get the FCC changed. In my view, the key result of this will be to shift the customer base away from private individuals to corporate individuals (corporations can more easily add the extra costs to their products). My question is then "Why is the FCC using its taxing privileges to manipulate the electronic communications market to force out the private individual?" That leads us away from the risks of computers to risks of another kind. (If people want to argue this view of economics they should send mail to me directly. No need to clutter Risks with these more general questions.) Craig ------------------------------ Date: Mon 27 Jul 87 13:32:55-EDT From: Mark S. Day Subject: Statistics as a Fancy Name for Ignorance To: RISKS@csl.sri.com The risk-assessment numbers put forth to justify nuclear power's safety remind me of Mark Twain's observation that there are three kinds of lies: lies, damned lies, and statistics. What real evidence or experience do we have for these projections and statistics? How can we meaningfully discuss the "safe" containment of wastes that are dangerous for a time span comparable to all of recorded history so far? How much do we really know, and how much of it is based on "plausible" guesses and conjectures? The fact that nuclear power plants have been run in a generally safe way in the past tells me very little about the future danger from them. Predicting the future like that is similar to the statistical fallacy that if a fair coin has come up "heads" 500 times in a row, it is somehow "more likely" to come up "heads" the next time that I flip it. [Alternately, some people also believe that it's "more likely" to come up "tails", since it's "about time".] Car wrecks and cigarette smoking kill more people than nuclear plants, sure, but the way that they kill people is very different. Car accidents generally don't affect a zone of several miles' diameter, forcing evacuation and abandonment of homes. Cars and cigarette smoke are perceptible, whereas radiation isn't (I know that carbon monoxide is odorless and colorless, but you rarely get carbon monoxide from cars or cigarettes without smelly components, too.). Chernobyl has shown that when an accident occurs, it doesn't matter that it's a rare event: it's an extremely unpleasant event. Who cares if a meltdown happens "once in 100,000 years" if it happens tomorrow? It is perfectly rational to decide that a potential catastrophe is undesirable, no matter how rare it is. --Mark ------------------------------ Date: Sun, 26 Jul 87 23:59:38 edt From: ckk+@andrew.cmu.edu (Chris Koenigsberg) To: risks@csl.sri.com Subject: Supermarkets The Giant Eagle chain of supermarkets in western Pennsylvania has automated checkout scanners at the bigger stores. But they also have a policy they call Absolute Minimum Pricing, and as a part of this, they have a strict rule that you can be ejected from the supermarket if you are caught writing down their prices from the tags on the shelves (because they want to keep the jump on the competition)! So I suppose very few people ever manage to catch scanner price errors at Giant Eagles. [This is an interesting new twist. PGN] ------------------------------ Date: Mon, 27 Jul 87 09:54:45 EDT From: mauney@ece-csc.ncsu.edu (Jon Mauney) To: risks@csl.sri.com Subject: Grocery store scanners and shelf tags Re: Cash register prices not agreeing with shelf tags Don't forget the Hi-Tech creed: What is fouled up by technology can be fixed by further technological patches. In the case of computerized cash registers, help is on the way in the form of radio-updated LCD shelf tags. (This is according to an article in last week's Sunday News and Observer. I can dig it out, but it is unlikely to contain any useful facts.) Of course, this will bring two new risks: The price may go up while you're waiting in line. The tags may be affected by teenage vandals who have gotten bored with breaking into computers. Jon Mauney [Recalling the students who spliced themselves into the comm line to the Rose Bowl scoreboard and took over the display, we can certainly look forward to someone changing the prices downward just before checking out. PGN] ------------------------------ End of RISKS-FORUM Digest ************************ -------