RISKS-LIST: RISKS-FORUM Digest Tuesday, 13 October 1987 Volume 5 : Issue 43 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: IRS Accidentally Imposes $338.85 Lien On Reagans (Chris Koenigsberg) Another ARPANET-collapse-like accidental virus effect (Jeffrey R Kell) Computers and civil disobedience (Prentiss Riddle) YAPB (yet another password bug) (Geof Cooper) News Media about hackers and other comments (Jack Holleran) Personalized Technology Side-effects (Scot Wilcoxon) Anonymity and high-tech (Nic McPhee) Naval Contemplation [Humor] (Don Chiasson) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j. Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97). ---------------------------------------------------------------------- From: DowJones@andrew To: bb+dow-jones@andrew Subject: IRS Accidentally Imposes $338.85 Lien On Reagans Date: Tue, 6 Oct 87 10:12:30 -0400 (EDT) Remailed-By: ckk+@andrew.cmu.edu (Chris Koenigsberg) WASHINGTON -- The IRS acknowledged that last summer it accidentally placed a lien against President and Mrs. Reagan. The error, by a trainee in the Austin, Texas, IRS district, followed a demonstration of the agency's electronic lien system. Despite an IRS policy against using the names of real people in training, an instructor used the Reagans as a hypothetical example. Later, when the trainee was practicing, she pushed the wrong button, accidentally filing a lien of $338.85 at the Travis County courthouse in Austin. The incident was recently reported in the Kiplinger Tax Letter. Although the lien was discovered and rescinded, it will remain a permanent entry in the Travis County Court records because the courthouse doesn't routinely remove a record of a lien even after it's been lifted. But the IRS notice releasing the lien also remains part of the record. Since the entry had assigned the Reagans a fictitious address and Social Security numbers, "there was never any real danger of a real lien being filed," said an IRS spokesman. Ellen Murphy, IRS public affairs director, said the IRS has taken steps to prevent a repeat occurrence, "including appropriate disciplinary action where needed." ------------------------------ Date: FRI, OCT 9, 1987, 1:39 PM From: Jeffrey R Kell To: Peter G Neumann Subject: Another ARPANET-collapse-like accidental virus effect [Response from Jeffrey to my message to him regarding the ARPANET collapse, article by Eric Rosen, Software Engineering Notes 6 1, January 1981. PGN] Extremely interesting, and personally relevant. I wrote the "RELAY" package for Bitnet which is essentially a distributed message service of real-time interactive messages as opposed to mail. A "chat" if you prefer the Compuserv example, only there are multiple Relays across a broad geographic area (Bitnet is store-and-forward). Each Relay services users in its local area, and exchanges messages with its neighbors, who exchange redistribute locally and further send to neighbors, etc. It's a very simple flooding algorithm since it is a closed network with no loops. At any rate, a missing edit check and an innovative student discovered that Relay allowed him to sign on to channel "1.0"; the code is written in a high-level language and it asserted 1.0 to be a whole number. The message packet was created and with the "1.0" channel prefix header and was then flooded to the neighboring Relays to update their user tables. With that done, it then goes back to a ready state, which is handled by a front-end Assembler routine. The assembly code tried to download the user table, in the process tried to pack and convert to binary the "1.0" value, which abended on an data exception. Meanwhile, the neighbors receive the update, flood it, and try to go ready. Abend for same. The net result: 36 Relays on 4 continents abended almost simultaneously. Moral of the story: If it's garbage in, eat it :-) /Jeff/ ------------------------------ From: rutgers!im4u!woton!riddle@uunet.uu.net (Prentiss Riddle ) Date: 6 Oct 87 22:27:47 GMT To: comp-risks@uunet.uu.net Subject: Computers and civil disobedience Organization: Shriners Burns Institute, Galveston We've heard much about computer crime for personal gain, about vandalism committed by crackers out for kicks, and now "software warfare" in which a superpower might attempt to undermine an opponent's warfighting capability by sabotaging its software. But has there been any discussion of real or hypothetical civil disobedience by computer? A loose definition of "civil disobedience" might be nonviolent lawbreaking by morally motivated individuals, often in what they perceive as obedience to a "higher law" (e.g. constitutional or international law or a religious or ethical principle). A few famous examples of CD in the non-computer world include Rosa Parks' refusal to move to the back of a bus, occupation of power plants and weapons facilities by anti-nuclear protesters, and "Plowshares" actions in which priests and nuns have destroyed components of nuclear weapons. It seems to me that as the computerization of society continues, the idea of engaging in civil disobedience via computer is bound to come up more often. Some computer CD might resemble ordinary computer crime and sabotage except for the motivation of the individuals carrying it out. I've heard folklore about politically motivated crackers for years now; do RISKS readers know of any actual examples? Other forms of civil disobedience might be engaged in by members of the general public with no special expertise in computers, especially as computerized communications systems become more pervasive. For example, rather than physically occupy a street or building, protesters might clog up a computer network by engaging in bogus transactions. (This has already been done with telephone systems: reputedly some fundamentalist right organizations have had to abandon their toll-free numbers after it became a common pastime in certain gay and countercultural circles to call them up and waste their money. This was known as "the Falwell game.") Like all civil disobedience, computer CD raises many ethical and tactical questions. Can anyone out there think of any particularly frightening or promising scenarios for computer CD looming on the horizon? --- Prentiss Riddle ("Aprendiz de todo, maestro de nada.") --- Opinions expressed are not necessarily those of Shriners Burns Institute. --- riddle@woton.UUCP {ihnp4,harvard}!ut-sally!im4u!woton!riddle ------------------------------ Date: Tue, 6 Oct 87 17:56:53 pdt From: imagen!geof@decwrl.dec.com (Geof Cooper) To: risks@csl.sri.com Subject: YAPB (yet another password bug) I just discovered that the much-touted BSD4.3 release of Unix silently truncates passwords to 8 characters. I found this out by having an easier time guessing a password for an account than I thought I would -- because the user name had 8 characters and the password was the user name with a suffix. Let's get this info out to the user community... BEWARE! - Geof Cooper ------------------------------ Date: Wed, 7 Oct 87 23:37 EDT From: Jack Holleran Subject: News Media about hackers and other comments To: RISKS@KL.SRI.COM Two recent articles from "The Capital", the daily newspaper for Annapolis, Maryland. Both are re-typed without permission and condensed. Names of accused are deleted. = = = = = = = October 6, 1987 Teen computer 'hacker' to be tried as adult (Page D1) By Lorraine Ahern -- Staff writer A Hanover youth who police claimed used a home computer to charge thousands of dollars worth of electronic equipment to stolen credit card numbers will be tried as an adult, a judge ruled yesterday. [NAME DELETED], 18, is accused of ordering more than $6,400 worth of computer accessories and radar detectors, and having UPS deliver them to his family's home address last summer. Circuit Court Judge Eugene Lerner granted a prosecutors request that [NAME DELETED], who turned 18 last month, be charged and tried as an adult for felony theft. "It's not a kid walking into a 7-Eleven and walking out with a Snickers bar in his pocket," Assistant State's Attorney Eugene Whissel argued. "It's a mature crime for an adult --- a sophisticated crime." ... non-related discussion ... [NAME DELETED] mother said that [...] her son became depressed and "obsessed" with the home computer he had set up in his bedroom. "Initially, I did think that it was good," said [his mother], who testified that she was unaware of any UPS-credit card scheme. "Getting him down to even eat with us ... he was on it all the time. I knew it was not healthy. I even took the plugs at times." [He allegedly confessed that he got the equipment using an illegal MasterCard number from a Brooklyn, NY computer contact through an electronic bulletin board. The Secret Service is "already" being investigated by the Secret Service.] During the same period last spring when state police began investigating [NAME DELETED]' computer activities, police in Baltimore County arrested a number of computer "hackers" in the Annapolis [MD] area and charged them with gaining free illegal access to long-distance telephone service. end of article ------------------- October 7, 1987 'Hacker' pleads guilty (page A13) By Lorraine Ahern -- Staff writer An Annapolis [MD] man pleaded guilty yesterday to stealing long-distance telephone service using his home computer, which a judge ordered destroyed. In a case that began a year ago with raids on the homes of sever computer "hackers" in Annapolis and the Baltimore suburbs, J. Scott Meenen [...] pleaded guilty to theft of service in Baltimore County Circuit Court. Meenen, a 28-year-old former audio-visual repairman [...], was put on probation and ordered to pay back $477 to MCI Telecommunications for stolen long-distance service. Police claimed that Meenen had operated an electronic bulletin board known to a circle of computer hackers as "The British Exchange." Using an automatic sequential dialing device, police said, the hackers would hit upon MCI code numbers and then, sharing them on the bulletin board, use those numbers for free long-distance calls. MCI began to pick up on the unauthorized use of the codes through a switching station at Towson [MD (about 30 miles north of Annapolis], and police ultimately traced the calls to computer telephone lines at several addresses. MCI spokeswoman Pamela Small said yesterday[,] thefts that cost the long-distance carriers an estimated $500 million in 1986 alone have decreased. Under Chesapeake & Potomac's [local phone provider] gradual conversion to "equal access," long-distance carriers such as Sprint or MCI will no longer need to assign code numbers for customers to dial. Equal access, which Ms. Small said is now 80 percent complete, means that the subscriber can simply dial the long-distance number itself, as they would if they used AT&T. end of article ----------------- Comments: During the 1987 National Computer Security Conference in Baltimore, Detective McCleod (sp?) of Arizona discussed that he likes to visit and arrest youthful hackers when they turn 18. This was based on a bad experience in the court system for a case against a 14 year youth. This youth was successfully prosecuted and convicted to some community service and a 2 page, hand-writted, double-spaced paper. The "convicted" youth then demanded his computer equipment back and got it. He was not obligated to pay back the fraud. [I remember $14,000 but I could be wrong.] Maybe police and judicial activities like this will bring back the original definition of "hacker". If "equal access" reduces losses, maybe it's time to invest in those companies. ------------------------------ Subject: Personalized Technology Side-effects Date: 7 Oct 87 08:15:14 CDT (Wed) From: umn-cs!sewilco@datapg.MN.ORG (Scot Wilcoxon) To: risks@csl.sri.com "Computer Watch Aids Body ID 06-Oct-87 BLAUVELT, N.Y. (AP) - Police used a computerized wristwatch that had phone numbers stored in its memory to identify a man whose body was found last week in a park. ... State Police Inspector William Sprague said police tracked down acquaintances of Bly's through his wristwatch, which had their telephone numbers programmed into it." (remainder of article describes the death) RISKS DIGEST was recently discussing implanted transmitters. A computerized wristwatch is not as threatening to one's privacy as an implanted transmitter. But other personalized technology can pose threats to the users, or benefits to society: A recent drug arrest near Minneapolis led to several more arrests after police investigated a phone number from the memory of the drug dealer's cellular phone. These examples show the electronic equivalent of scraps of paper in pockets, except that people are presently not usually aware of them nor know how to alter them. Medical technology with serial numbers can also be used for identification, at least for dead people. An anonymous live suspect with a surgical implant would pose a dilemma, although there already have been court cases of evidence (bullets) in living people. Simple pacemakers with a serial number are already numerous. Near-future technology may cause more complications, such as a computerized nerve replacement implant with a memory of recent motions (ie, pulling a trigger or route recently walked). Scot E. Wilcoxon, Data Progress sewilco@DataPg.MN.ORG +1 612-825-2607 (Peter: Pacemakers DO have serial numbers. I called Medtronic and theirs do. I assume other manufacturers also have them in case of recall.) ------------------------------ Date: Thu, 8 Oct 87 18:57:36 CDT From: mcphee@ratliff.cs.utexas.edu (Nic McPhee) To: RISKS@sri.com Subject: Anonymity and high-tech This is in response to the recent discussion of TV licenses and Brent Laminack's comments concerning "Big Brother". One of the greatest guarantees of privacy is anonymity. For example, there's hardly a house made that absolutely can't be burgled, and most would be rather trivial, and police and crime experts have often stated that the best pro- tection is anonymity - looking less interesting than someone else. Similarly, were someone *really* interested in you and your habits it probably would not have been difficult for them to learn a great deal about you - where you live, work, shop, relax, etc. But anonymity protected you, because it was just too expensive to do this checking on a random basis with no justification. That's all changing now, because simple operations on readily available data- bases can find the needle (us) in the haystack of teeming masses with very little expense. And a degree of anonymity is lost. Many of us are still as indistinguishable as before, but not all. Going back to the example of burglary, the potential exists for some smart crooks to do some neat cross- referencing of addresses of people who buy (or even read about) high-ticket items that are small in size and easily fenceable (cameras, electronics, jewelry, etc. - many readers of this group would probably qualify) and target them. Going one step further, they might eliminate from this list people with burglar alarms or a high chance of owning a large dog, or come better prepared for such contingencies. One aspect of this that I find particularly disturbing is its affect on the notion of "innocent until proven guilty". Barring widespread, indescriminate government harassment, one of your biggest protections against being hassled by the government was your anonymity. If you're just an average Joe, then there's no reason for the government to suspect you of anything, gratuitously assuming guilt until convinced otherwise. There was no return on the invest- ment from the government's standpoint. Not anymore. Now they can assume you're guilty ("You don't have a TV license, and you must own a TV, therefore you must be guilty of not obtaining a needed license".) in some subtle ways in their uses of database cross-referencing, and get a pretty good return on their (minimal) effort. Nic McPhee (mcphee@ratliff.cs.utexas.edu) [Incidentally, for those of you wondering how you can detect whether someone's TV set is in use, read Peter Wright's SPYCATCHER. It is easily available outside of the U.K., and I understand copies are creeping into Britain at a great rate. PGN] ------------------------------ Date: Thu, 8 Oct 87 00:46:20 ADT From: Don Chiasson Subject: Naval Contemplation [Humor] [A slip of a chip can sink a ship? PGN] To: risks@KL.SRI.COM Seen in Office Management and Automation, Sept.87, p. 4: +----------------------------------+ |I've found the flaw, sir! | |It's in this little computer chip.| +----------------------------------+ | | /\ | / \ <==(huge ship, sinking) .----/ o \ / o / o / ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (Well, their graphics were better than mine.....) ------------------------------ End of RISKS-FORUM Digest ************************