RISKS-LIST: RISKS-FORUM Digest  Thursday, 10 September 1987  Volume 5 : Issue 35

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Drugs, DES, and the criminal world (Jerry Leichter)
  More on the Irish Tax Swindle (Jerry Harper)
  Costs and Liability in Good Systems (David Collier-Brown)
  Re: The influence of RISKS on car design? (Benjamin Thompson)
  Re: Computer Syndrome; Dutch Crime Computer (Brian Douglass)
  Reach out, touch someone (Brad Miller, Richard Kovalcik, Jr., Curtis Abbott)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
FTP back issues Vol i Issue j from F4.CSL.SRI.COM:RISKS-i.j.
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

Date: 8 Sep 87 15:38:00 EDT
From: "Jerry Leichter"
Subject: Drugs, DES, and the criminal world (A New Connection?)
To: "forum"
Cc: risks@csl.sri.com, security@rutgers.edu

From "Logged On", by Vin McLellan - Digital Review, August 24, 1987, page 87

Anthony Prince Fairchild is doubtless a colorful rogue.  Five years ago, when
People magazine reported on a dispute between the Aspen sheriff and the Drug
Enforcement Administration (DEA) about lax law enforcement in the Colorado
resort town, Fairchild stepped forth - not to deny the DEA's allegations that
he was running an Aspen "drug factory," but, rather, to defend eccentricity.
"It's not against the law to be bizarre," he told People, which featured a
photograph of him leaning back against a nude female mannequin he called
Christina.

Some may have found Fairchild's face familiar.  An engineer by education and
trade, Fairchild had also been a model: His Salem-smoking visage has adorned
millions of magazines and billboards.
He's now 50 years old, but police still call him a "pretty boy."  Last month
at a pre-trial hearing in San Jose, Calif., Fairchild curled up on a courthouse
bench reading Firestarter, while the curious strolled by to check him out.
After all, Fairchild had just had his bail changed from $2.5 million to "no
bail" out of fear that he would post the money and disappear.  "He looks just
like Timothy Leary," said an onlooker, referring to the LSD guru of the '60s.

If Fairchild isn't a legend like Leary, it may be because federal authorities
have never publicized the extent of their interest in him, even though they've
sought him several times over the years.  But after being arrested last
November with eight kilos of cocaine, $12,000 in counterfeit money and 85
pounds of high explosives, Fairchild became a topic of rumor in Silicon Valley,
in the California drug culture and, oddly enough, among the nation's top
security consultants as well.

"The guy's got a brain," remarked one California investigator.  "You maybe
couldn't guess it to see the mess he's in, but he's done a lot of things -
legit things - and some say he's just slightly short of being absolutely
brilliant."

Fairchild's resume indicates success in a half-dozen careers, most recently as
an EDP consultant in Silicon Valley.  It claims he holds 11 U.S. patents, and
states that he was one of the authors of Digital Research's Concurrent PC-DOS.
The police say this work record is accurate.

Predictably, Silicon Valley police have been among the first to confront the
problem of criminal enterprises that digitally encrypt incriminating records.
"There's one case like that every six weeks around here," noted a local police
reporter.  "It's become quite common."  The method of choice is, of course,
the Digital Encryption Standard (DES), the cipher approved by the U.S.
government for commercial data security.
Fairchild used a Winterhalter DES board in a DOS micro to keep what police
believe to be an extensive diary of the affairs of a "large international drug
ring."  Local, state and federal narcotics agents are all very eager to gain
access to Fairchild's records.  Indeed, Santa Clara, Calif., police reportedly
used covert FBI funds to have a privately owned supercomputer grind away at
cracking the DES-encrypted data.  The attempt was not a big secret.  Several
EDP security consultants were asked to suggest crypto attacks.

What made the DES attack feasible, if still unlikely to succeed, was that the
Winterhalter device uses a program to transform a 6-to-16-character password
into the 64-bit DES key.  The cops got lucky: With a pass through a full
English dictionary, and by culling significant names and such from Fairchild's
personal history, they were apparently able to guess three of four passwords
that were used to encrypt files stored on his micro.  The passwords were all
eight or fewer characters in length, and all in lowercase letters.

The diary file continued to elude their efforts, but the police reasoned that
if the DES password for the diary was less than eight characters, a "brute
force" approach to finding it was possible.  A cryptoanalyst who is a leading
consultant for California banks was hired to make the attempt.  The
supercomputer may have actually been chewing away when the Justice Department
stepped in late last month to confiscate copies of the encrypted diary,
presumably as evidence in a federal drug case against Fairchild.  This
pre-empted local authorities from possibly making the big score.

------------------------------

Date: Tue, 8 Sep 87 17:01:04 BST
From: Jerry Harper
To: risks@csl.sri.com
Subject: More on the Irish Tax Swindle (RISKS-4.33)

The situation is in fact much worse (and farcical) than seems credible.
Firstly, there is no accurate estimate of the size of the fraud, with the
revenue preferring to err in low figures.
To date the "figure" of 300,000IR (about $4.2m) is being suggested as the
*most* accurate.  However, no one seriously believes this, least of all tax
consultants in the large accountancy firms.

Secondly, John's comments about officials causing the disappearance of
defaulters files is not quite accurate.  Many of the cheques which were altered
came from quite respectable companies and self-employed business people -- I am
trading on the knowledge of friends who are in taxation consultancy -- it was
the deposit time lag in revenue which provided the gateway to the fraud.
Between the receipt of a cheque and its lodgement there could be a delay of
three months.

Finally, and I think this is what John was referring to, the revenue have a
"pending file" where information on possible defaulters is kept.  By flicking
through this file it would have been easy to select the right targets.

P.S. Since the banks no longer have a policy of automatically returning cheques
many companies and individuals may be totally unaware that theirs have been
altered.  This is the second major fraud to affect the revenue services here.
I reported a previous fraud involving tax repayments to RISKS a few months
back.  It remains to be seen what comprehensive overhaul of the system will be
pursued.

------------------------------

To: seismo!comp-risks@seismo.CSS.GOV
From: geac!daveb@seismo.CSS.GOV (Brown)
Subject: Re Pogo Wins a Free Lunch -- Costs and Liability in Good Systems
Summary: It can make a $ignificant difference.
Date: 8 Sep 87 17:18:32 GMT

The argument probably does not apply to long-lived systems such as operating
systems and major suites of applications.  Honeywell-Bull found some years ago
that the cost of fixing things that could have been done correctly before
release was significant, and started a rather successful quality programme,
thereby saving themselves money.
Most of the areas where they saved money were in the maintenance and correction
of old, long-running systems, both hardware and software.

Moral: We have met the enemy and ... oh-oh, do we really want this war?

Disclaimer: the above is the opinion of neither Honeywell-Bull nor Geac.

David Collier-Brown, Geac Computers International Inc., 350 Steelcase Road,
Markham, Ontario, CANADA, L3R 1B3  (416) 475-0525 x3279
{mnetor|yetti|utgpu}!geac!daveb

------------------------------

Date: Tue, 8 Sep 87 17:05:59 EST
From: munnari!mulga.OZ!bjpt@uunet.UU.NET (Benjamin Thompson)
To: RISKS@csl.sri.com
Subject: Re: The influence of RISKS on car design?
Organization: Comp Sci, Melbourne Uni, Australia

There seems to be quite a lot of public criticism of steer-by-wire etc. at the
moment.  Perhaps Honda is just trying to cash in on the current wave of
Luddism.  Perhaps their electronics don't work.  Perhaps they can't produce
electronic cars fast enough.  These reasons are all fairly legitimate, and all
could explain why Honda plugs the lack of electronics and points out that the
car is "mechanical and sure".  Honda doesn't have to be particularly
safety-conscious to make a profit.

Ben Thompson

------------------------------

To: risks@csl.sri.com
Subject: Re: Computer Syndrome; Dutch Crime Computer (RISKS 5.34)
Organization: Applied Systems Consultants, Inc. Las Vegas
Date: 9 Sep 87 10:38:47 PDT (Wed)
From: Brian Douglass

In regards to the 18-year-old that developed "computer syndrome" in Denmark.
My question is did the kid develop it because he was working on the computer,
as if they pose some inherent social risk, or was the kid already at risk to
developing some type of neurosis and because he had a computer it settled on
that?  Was the kid just as likely to develop a drug habit in an effort to
conform and have friends, or possibly take his own life out of frustration and
loneliness due to an illogical world he could not fit into?
If so, then did the computer save his life by temporarily giving him the logic
and structure he craved?  Sort of like using a small bomb to destroy a larger
bomb, but it's still a bomb.

About the inventor who has developed a telephone receiver that can be implanted
behind a human's ear: Sometimes, no matter how much the potential for good, the
dangers can far outweigh them, and therefore the potential good must be denied.
A perfect example is the recent Supreme Court ruling for Preventative
Detention, that persons can be held without bail if they are shown to be a
danger to the community.  The intent was to hold drug pushers and Mafia figures
that could easily make bails of 5 or 10 million dollars, and then continue to
run their empires, or skip out and not think twice about it.  Well now a D.A.
in Florida is using that ruling to hold juveniles that are accused of murder or
drugs, or simply have a history of arrests, showing that history as a pattern
to prove they are a danger to the community.  Suddenly we have incarceration
without trial.  Preventative Detention was viewed as having both good and bad
effects, but was thought that properly controlled and regulated, it could be
used for the good of society without the bad effects.  Thomas Jefferson argued
for strict interpretation of the Constitution, so that such finely cut
interpretations as Preventative Detention could not be legislated by the
courts.  In our modern society, we feel "smart" enough to be able to maximise
the good and minimize the bad.

I agree with the original poster and PGN [You mean "MS"? PGN], sometimes no
matter how helpful some technological innovations may be, you must take into
account their implications, which are sometimes too grave and it is better left
uninvented.  I think the article about the Dutch Crime Computer is a perfect
example that we are human and do err (even something as *stupid* as dropping
your backup system).
Could you imagine the chaos if the Dutch allowed Preventative Detention and you
couldn't get bail while you waited around for the authorities to straighten
things out.  That's exactly why Preventative Detention is supposed to be
forbidden by the constitution, but we just think we're so smart.  What a
glorious 200th birthday present for our constitution.

Brian Douglass, Applied Systems Consultants, Inc. (ASCI), P.O. Box 13301,
Las Vegas, NV 89103  Office: (702) 733-6761
UUCP: {mirror,sdcrdcf}!otto!jimi!asci!brian

------------------------------

Date: Tue, 8 Sep 87 22:41 EDT
From: Brad Miller
Subject: Reach out, touch someone [RISKS-5.32]
To: "RISKS FORUM, Peter G. Neumann -- Coordinator"

[What will it take before inventors of technology consider implications of
their work as part of their responsibilities? MS]

Umm, jobs that pay regardless of productivity?

Brad Miller
University of Rochester, Department of Computer Science  716-275-1118
Computer Science Department, University of Rochester, Rochester NY 14627
miller@cs.rochester.edu  {...[allegra|seismo]!rochester!miller}

------------------------------

Date: Tue, 8 Sep 87 12:29 EDT
From: "Richard Kovalcik, Jr."
Subject: Reach out, touch someone [RISKS-5.32]
To: RISKS@csl.sri.com, preece%mycroft@GSWD-VMS.ARPA

I don't think the moderator or anyone else is being paranoid here.  It is
issues like this that make me very glad there are groups like the ACLU.  There
is a real risk of Big Brother in this.  The issues here are very similar to
those of mandatory AIDS testing - when is violating individual rights
outweighed by the good to society?  Given that such a device would violate
existing laws, be easily abusable, and/or be unnecessary because there are
other ways of accomplishing the same thing, it should be banned.  Engineers
and professionals do have a duty to act responsibly.  The moderator is
correct.

  [Actually the comment prompting this was marked with "MS", the contributor,
  NOT the moderator.  PGN]

1) The parole laws were not written with the idea that the Government know
where the parolee was at every instant in time.  To implant a device that did
so is certainly violating the existing law and most probably the parolee's
constitutional rights.

2) Parents should not be allowed to implant this sort of thing.  While parents
have a responsibility to take care of their children, they should do so by
taking an active interest rather than using technology to snoop on their
children.  Perhaps you think it is OK for parents to bug phones their children
might use too?  And what about employers recording calls employees make without
telling them?  Besides, unless there is some way to remove this "wonderful"
device once the person reaches 18, it is subject to being misused later by
Government.

3) As to pet owners, anyone who lets their pet roam freely tearing up lawns,
breaking into garbage, and playing "chicken" with cars shouldn't be allowed to
be a pet owner.  I'm sure a lot of people will disagree with me on this one but
as far as I am concerned this is another misuse of technology.

4) As for criminals in jail, implanting them would be OK as long as the device
was removable after they were released so as not to violate their rights.  But,
then if it is removable, they could get a shady doctor to do it if they escaped
(which is presumably (hopefully?) what you are trying to guard against here).

5) If someone wants to have one implanted to guard against kidnapping that is
fine, but I would urge such a person to consider the disadvantages.

------------------------------

Date: Tue, 8 Sep 87 18:03:44 PDT
From: abbott.pa@Xerox.COM
Subject: Re: Reach out, touch someone
To: risks@csl.sri.com

This should be an interesting case for the patent attorneys, because the idea
Dr. Man has patented was used as the climactic plot twist in "The President's
Analyst", a wonderful film that came out around 1969.
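An added example, not part of any contributor's message, illustrating the point in the Leichter/McLellan item above: a DES key derived from a short, lowercase password offers far less than the cipher's 56-bit keyspace, and a slow key-derivation function is the standard way to restore part of that margin. The charset sizes, iteration counts and guess rate are assumptions for illustration; PBKDF2 is used here as a stand-in for a deliberately slow derivation, not as a description of the Winterhalter board's actual algorithm.

```python
# Added example (not from McLellan's article or Leichter's post): estimate how
# much of DES's nominal 56-bit keyspace survives when the key is derived from a
# password, and how a work factor (slow KDF) raises the cost of guessing.
# Charset sizes, iteration counts and the guess rate are assumptions.
import hashlib
import math

DES_KEY_BITS = 56  # a 64-bit DES key carries 8 parity bits; 56 bits do the work


def candidate_count(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of length min_len..max_len over a charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def effective_bits(charset_size: int, min_len: int, max_len: int,
                   kdf_iterations: int = 1) -> float:
    """Work an exhaustive guesser faces, in bits, including the KDF's cost."""
    return math.log2(candidate_count(charset_size, min_len, max_len) * kdf_iterations)


def weakens_des(charset_size: int, min_len: int, max_len: int,
                kdf_iterations: int = 1) -> bool:
    """True when the password policy yields fewer than 56 bits of guessing work."""
    return effective_bits(charset_size, min_len, max_len, kdf_iterations) < DES_KEY_BITS


def hours_to_exhaust(charset_size: int, min_len: int, max_len: int,
                     guesses_per_second: float) -> float:
    """Wall-clock hours to try every candidate at an assumed guess rate."""
    return candidate_count(charset_size, min_len, max_len) / guesses_per_second / 3600


def derive_des_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> 64-bit key via PBKDF2-HMAC-SHA256 (a slow KDF, assumed here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=8)


if __name__ == "__main__":
    # The policy the article describes: lowercase only, eight or fewer characters.
    print(f"lowercase <=8 chars:        {effective_bits(26, 1, 8):5.1f} bits vs {DES_KEY_BITS}")
    # Assumed guess rate of 1e6 DES trial decryptions per second.
    print(f"  exhausted in about        {hours_to_exhaust(26, 1, 8, 1e6):8.1f} hours")
    # A 16-character passphrase from a 95-symbol printable set restores the margin.
    print(f"95-symbol set, 16 chars:    {effective_bits(95, 16, 16):5.1f} bits")
    # Same weak policy behind 2**20 KDF iterations: guessing cost rises by 20 bits.
    print(f"lowercase <=8 + 2^20 iters: {effective_bits(26, 1, 8, 2**20):5.1f} bits")
```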
------------------------------

End of RISKS-FORUM Digest
************************