RISKS-LIST: RISKS-FORUM Digest  Thursday, 15 October 1987  Volume 5 : Issue 44

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Costly computer risks (Gary A. Kremen)
  Re: News Media about hackers and other comments (Amos Shapir)
  Mailing Lists (Lindsay F. Marshall)
  Discrimination considered pejorative (Geraint Jones)
  Re: Anonymity and high-tech (Brint Cooper)
  Pacemakers (Hal Schloss)
  News Media about hackers and other comments (Bob English)
  Password bug - It's everywhere. (Mike Russell)
  Re: YAPB (yet another password bug) (Brint Cooper)
  Civil Disobedience (Scott Dorsey, Bill Fisher, Eugene Miya)
  Phalanx Revisited (Risks to Carrier Aircraft) (Marco Barbarisi)
  SSNs (Bill Gunshannon)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, nonrepetitious.  Diversity is
welcome.  Contributions to RISKS@CSL.SRI.COM, Requests to
RISKS-Request@CSL.SRI.COM.  For Vol i issue j, FTP SRI.COM, CD STRIPE:,
GET RISKS-i.j.  Volume summaries for each i in max j: (i,j) =
(1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

Date: Tue 13 Oct 87 17:28:10-PDT
From: Gary A. Kremen <89.KREMEN@GSB-HOW.Stanford.EDU>
Subject: Costly computer risks
To: risks@csl.sri.com

From The Wall Street Journal of October 13, 1987 page 47:

   "But the DOT [Direct Order Transfer - a computer system that makes
   large-scale stock trading faster and more efficient] system isn't
   foolproof, either.  Mr. Nelson [whom the article is about] said he heard
   a story about a man who pushed his DOT button intending to buy one $25
   million package of securities.  When he didn't get a confirmation of his
   order, he hit the button again, and then again and again.  A few minutes
   later, he received four confirmations showing that he had just bought
   $100 million of stock."
The article itself is very interesting for those who are looking for another
view on a topic that has been discussed in RISKS for some time - computer
assisted stock trading and "program trading."

------------------------------

To: nsc!comp-risks@Sun.COM
From: nsc!taux01!taux01.UUCP!amos@Sun.COM (Amos Shapir)
Subject: Re: News Media about hackers and other comments
Date: 14 Oct 87 14:22:44 GMT

Jack Holleran writes:
> An Annapolis [MD] man pleaded guilty yesterday to stealing long-distance
>telephone service using his home computer, which a judge ordered destroyed.
                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^

Talk about computer phobia!  This must be the silliest court decision since a
boat was put to the gallows in the 17th century!

Amos Shapir, National Semiconductor (Israel)
6 Maskit st. P.O.B. 3007, Herzlia 46104, Israel  Tel. +972 52 522261
amos%taux01@nsc.com (used to be amos%nsta@nsc.com)  34 48 E / 32 10 N

------------------------------

From: "Lindsay F. Marshall"
Subject: Mailing Lists
To: risks@kl.sri.com
Date: Thu, 15 Oct 87 10:28:59 BST

Only 17 categories of people!!  That's not very sophisticated - Britain is
broken down into 45 distinct groups by one of the companies who sell mailing
lists.  They have a very neat acronym for this system which eludes me at the
moment.  They have also introduced a new system called "Monica" which
classifies people by their first names (Monica is a slang pun - I don't know
if it is meaningful in the US).  The idea is actually very obvious - certain
first names are popular at certain times and don't get recycled at regular
intervals so having a first name like "Florence" tends to indicate that you
are older, whereas "Darren" is a younger person's name.  I don't know how
this would apply in the US, but the short extracts I have seen are strikingly
accurate when compared with people I know.  It does fall down on names like
"John" and "David" which are perennial favourites, and also on very unusual
names or he/she names like Lindsay of course.
Also on the subject of mailing lists, there was an interesting letter in the
Guardian from someone who received a batch of junk mail about investments,
expensive holidays and subscribing to the Tory party.  The man has no money
and has been unemployed for 2 years.  The letters started arriving six weeks
after he had a letter printed in the Times newspaper...

Lindsay

   [I wouldn't want to Harm Monica, but a moniker is a nickname, as is Nick,
   and Phil (Harmonica?).  PGN]

------------------------------

Date: Tue, 13 Oct 87 21:11:53 EDT
From: Brint Cooper
To: mcphee@ratliff.cs.utexas.EDU
cc: RISKS@sri.COM
Subject: Re: Anonymity and high-tech

Nic McPhee's essay on anonymity reminded me of an innocent-looking way that
names and demographic information are entered into frequently-merged
databases: the so-called "warranty registration" cards that come with nearly
everything that we buy.  What our sex, job, age, and gross annual income have
to do with validating the warranty on a TV or a computer escapes me.  While
government doesn't necessarily get ahold of these databases, shady characters
in the private sector should have no trouble posing as legitimate businesses
and buying these databases.

On a related note, and one not directly related to risks in computers (sorry
Peter), the British Government's use of "questionable" means of searching for
unlicensed TV receivers may not in fact be a violation of THEIR law or
traditions.  In many ways, the British system is far less protective of an
individual's rights than is ours in the U.S.

------------------------------

Date: Thu, 15 Oct 87 10:04:04 BST
From: Geraint Jones
To: risks
Subject: Discrimination considered pejorative

Yes, yes, I too get the annoying annual letter asking me why I haven't got a
licence for my non-existent television.  I thought everyone did.  You can't
mean to say that some people have televisions?
Surely the greatest risk of all this information refining is the risk to the
ego of the individual who thought he was unique, or at least in an
`elite'-sized minority.  I mean, I thought I was the only bald, bearded,
Methodist, owner of a tandem south of the Trent; what am I going to think
when I get the direct-mail advertisement for a hair restorer and a beard
trimmer in with my invitation to a tandem rally from the church's home
mission division?

Perhaps there is some comfort here for Cliff Jones' original paranoia.  He
was originally bothered -- RISKS 5.38 -- by the suggestion that he was being
marked down as a potential lawbreaker and that someone might carelessly treat
that as being the same as having a criminal record.  I cannot yet conceive of
being in a mechanically-detectable minority small enough for it to be safe to
make wild generalisations about us.  To be lumped in with a large enough
proportion of the population is not to be discriminated against in any new or
unusual way.  There are, for example, one in twenty of us (not 1%, as Ian
Batten RISKS 5.42) in the UK without haunted goldfish-bowls in our houses.  I
forget whether that is 5% of the population, or 5% of households -- we are
uncommonly likely to be one- or two- person households, so it is a different
proportion.  What is depressing is the number of us who seem to be in
computer science.

gj

------------------------------

From: psivax!woof%psivax@csl.sri.com
Date: Wed, 14 Oct 87 17:04:29 PDT
To: Risks@rdlvax.rdl.com
Subject: Pacemakers (Re: RISKS-5.43)
Organization: Pacesetter Systems Inc., Sylmar, CA

In this issue of comp.risks you wrote . . .

>(Peter: Pacemakers DO have serial numbers.  I called Medtronic and theirs
>do.  I assume other manufacturers also have them in case of recall.)

Why don't you drop us a line if you have questions about pacemakers.  I
believe we are the only pacemaker company on the net right now.  Currently we
are about #3 worldwide and growing.
We currently have pacemakers with and without serial numbers; they may be
read electronically without explanting the pacemaker.  In general the trend
in the future will be towards such numbers.  They are actually most useful
for identifying whether we have a problem with our manufacturing process.  If
we know the serial number of the problem pacer, then we can identify which
components went into it, and who worked on it here.

(All our pacemakers have serial numbers, but the older ones can be read only
on the outside of the pacemaker.  Our more complicated pacemakers store their
number electronically, which can be read by a pacemaker programmer.  I work
on pacemaker programmers.)

-- Hal Schloss
Pacesetter Systems Inc., A Siemens Company
{sdcrdcf|ttidca|scgvaxd|nrcvax|jplpro|hoptoad|csun|quad1|harvard|csufres|
 bellcore|logico|rdlvax|ihnp4|ashtate}!psivax!woof
ARPA: woof@rdlvax.rdl.com

------------------------------

Date: Tue, 13 Oct 87 18:56:11 PDT
From: Bob English
To: RISKS@KL.SRI.Com
Subject: News Media about hackers and other comments (Re: RISKS-5.43)

> From: Jack Holleran
> Subject: News Media about hackers and other comments
> MCI spokeswoman Pamela Small said yesterday[,] thefts that cost the long-
> distance carriers an estimated $500 million in 1986 alone have decreased.
> If "equal access" reduces losses, maybe it's time to invest in those
> companies.

This is a very curious kind of loss.  If they stole $500 million dollars in
services, the company didn't lose $500 million, unless somehow they were
unable to provide $500 million dollars in service to someone else as a result
of the misappropriation of resources.  While there would be some of that, I
find it very difficult to believe that the real number is even a significant
fraction of that.  There are other real costs associated with this sort of
theft--loss of goodwill by the mischarged party, accounting costs associated
with rebalancing the books, etc--but those are probably small as well.
In short, the companies have a vested interest in making their losses appear
as large as possible.  While they show a paper loss of $500 million to theft,
all that was stolen was paper money that will not be replaced if the theft
ceases, and their revenues will not increase by an appreciable amount.

Phone theft is not so much an economic problem as a social one.  The phone
companies pursue the legal aspects of it quite aggressively because they want
to prevent it from becoming widespread enough to do actual damage, but they
don't take obvious preventative measures to prevent it or detect it earlier.
They don't, for example, look for sudden large changes in service levels and
flag them as suspicious.

--bob--

P.S.  I heard the other day that the average driver commits about 10 traffic
violations every mile here in California.  I'm looking forward to the day
when the CHP can track my car through its computers.

------------------------------

Date: Thu, 15 Oct 87 15:00 EDT
From: Mike Russell
To: risks@csl.sri.com
Subject: Password bug - It's everywhere.

After reading Geof Cooper's posting on the password truncation problem, I
tried it on every Unix machine I could find.  Only the first 8 characters
counted on any of them.  Here's the list:

     Machine           Operating System
     ----------        --------------------
     VAX 750           Ultrix 1.2
     VAX 8600          Ultrix 2.0-1
     VAX 750           Berkeley 4.3
     Celerity 1260D    Accel Unix 3.4.78
     IBM RT-PC         AIX 1.2
     Sun 3/160         3.0

Looks like this bug has been there for quite some time - maybe since the
beginning.  Can you spell propagation?  Maybe this bug can be used for some
copyright infringement suits?  I suppose all of the Unix-computer producing
companies assumed this part of the code worked and didn't need looking at.

My guess is that there are actually few of us who use more than 8 characters
anyway, so the implications are not as severe as it might seem, but it sure
decreases the search time.  Where might the most serious implications of this
be?
Unicos machines with classified data?  Other defense machines?

-Mike Russell

------------------------------

Date: Tue, 13 Oct 87 20:57:11 EDT
From: Brint Cooper
To: imagen!geof@decwrl.dec.COM
Cc: risks@csl.sri.com
Subject: Re: YAPB (yet another password bug)

Geof (no relation) expresses surprise that 4.3 Unix "silently" truncates
passwords to 8 characters.  Was this a secret?  Did not 4.2 and 4.1 do the
same?  I don't believe that there has been a 14-character password since the
days of the PDP-11.

Brint

   [More importantly, any algorithmically generated password is easier to
   crack...  In this case, once you know more than one password, you could
   easily infer the algorithm...  With my 7-character name, I get only one
   free character.  The password generating scheme Geof refers to is much
   dumber than the 8-character truncation.  But it is nice to know about the
   truncation!  PGN]

------------------------------

Date: Wed, 14 Oct 87 17:52:39 EDT
From: kludge@pyr.gatech.edu (Scott Dorsey)
To: RISKS@kl.sri.com
Subject: Civil Disobedience (Re: RISKS-5.43)

In Risks Digest 5.43, I find:

>It seems to me that as the computerization of society continues, the idea of
>engaging in civil disobedience via computer is bound to come up more often.
>Some computer CD might resemble ordinary computer crime and sabotage except
>for the motivation of the individuals carrying it out.  I've heard folklore
>about politically motivated crackers for years now; do RISKS readers know of
>any actual examples?

I seem to recall a mention that the Berkeley computer center was occupied by
protesters sometime in the sixties, who claimed that the computers were being
used for war work.  A sit-in was staged, as well as the damage of some
equipment and a large number of tapes.  I don't know precisely if any
significant damage was done.
On a slightly more current note, a couple of years back, a student who was
upset with the student government policies here at Georgia Tech formed an
organization called the Barbecue Liberation Front (the gripe, as I recall,
had something to do with a cancelled cookout), which among other things froze
the student government accounts, and sent messages to all users each second
on one of the undergraduate class machines, making it unusable.  This is as
close to political motivation as I have ever seen on the Tech campus.
Although it may be a rather pitiful example, it is as political as anything
ever gets in a place where Poly Sci profs refer to the Washington Post as an
"anarchist rag."

Scott Dorsey   Kaptain_Kludge
SnailMail: ICS Programming Lab, Georgia Tech, Box 36681, Atlanta, Georgia 30332
Internet:  kludge@pyr.gatech.edu
uucp:      ...!{decvax,hplabs,ihnp4,linus,rutgers,seismo}!gatech!gitpyr!kludge

------------------------------

Date: 14 Oct 87 13:19:13 PDT (Wednesday)
From: bfisher.ES@Xerox.COM
Subject: Civil Disobedience (Re: RISKS-5.43)
To: RISKS FORUM (Peter G. Neumann -- Coordinator)

Anent Prentiss Riddle's comments on Civil Disobedience - (CD)--

I suggest that 'Civil Recalcitrance' (CR) is already here.  This is defined
as nonviolent copping out by using the 'computer' as a shield.  Two recent
examples --

(1). Eight weeks for one of the country's largest insurance companies to
issue a check for a health insurance claim -- ("I'm sorry - it's in the
computer and there's nothing we can (read 'want') do about it;

(2). Repeated billing for an item no longer in use and returned to the
lessor.  (I'm sorry, the rental data base is in a different computer than the
return for credit base and they don't talk to each other).  The only (simple)
way to clear this was to pay the rental data base people for the item, even
though the sales data base people had already been paid by return of the
item.
Bill Fisher

------------------------------

To: risks@kl.sri.com
Subject: Computer civil disobedience
Date: 14 Oct 87 10:31:20 PDT (Wed)
From: eugene@ames-nas.arpa

Prentiss Riddle brought up the topic of computer civil disobedience.  The
example of Falwell is an excellent one, and I believe that some organizations
have thought about this type of blocking both for offense and defense.
First, the organizations that are really worth blocking typically don't have
dial-in access.  Second, some "good organizations" might be `blocked' by
those with differing opinions (creationists blocking science BBSs?).

But the real reason I wanted to send you this is to point out that some
bureaucratic organizations like the FBI and Secret Service take dim views of
civil disobedience, partly this is because of their mission.  Recently, a
Vietnam vet lost his legs to a train in an act of civil disobedience at the
Concord Naval Weapons Station.  All parties agree this is a tragic act.  If
anyone is going to embark on computer civil disobedience, they had better
think about all possible consequences INCLUDING getting shot.  The people who
work for the SS and FBI may not know computers very well, but computers are
increasingly used in criminal capacities.  At the time of suspicion, they
(their perspective) might not have the time to evaluate, but might run into a
building with guns drawn when there are only teenagers there.  The situation
for them is something similar to the issue of Toy Guns; it's that WE see the
situation from a different perspective.  Softwar is a real possibility for
these people (even though they may not be aware of it, now).

One of the risks of computers we have not discussed is the "evil" unintended
(and non-military) uses of computers.  One BBS in the Bay Area (noted as a
headline story) was a neo-Nazi BBS.  Dan Pasquale of the Fremont PD is most
concerned with the BBSs of pedophiles.
More likely than not there are neo-Nazis and pedophiles reading RISKs, so
"evil" is a minority perspective.  The problem becomes discriminating between
crime and liberties, disobedience versus threat [sorry, I lost the "real"
word].  I don't wish to defend the actions of what I regard as an
increasingly police-state mentality of the country (it's largely, "WE" the
people who are pushing this BTW), but I do wish to avoid severed legs and
teenagers shot by carrying laser tag pistols.

--eugene miya

------------------------------

Date: Wed, 7 Oct 87 13:34:20 CDT
From: marco@ncsc.ARPA (Barbarisi)
To: risks@csl.sri.com
Subject: Phalanx Revisited (Risks to Carrier Aircraft)

Are US Navy aviators at risk from Phalanx systems on their own ships?  I
mention this because I noticed that aircraft carriers have Phalanx guns
mounted at the stern of the ships - in a perfect position to shoot at
aircraft approaching a carrier for a landing.  I noticed this while glancing
at a Varian advertisement on page 2 of the Oct. 87 issue of Defense
Electronics.

Marco

------------------------------

From: bill@uunet.uu.net (Bill Gunshannon)
Date: 5 Oct 87 13:17:57 GMT
To: comp-risks@uunet.uu.net
Subject: SSNs
From: bill@trotter.usma.edu (Bill Gunshannon)
Organization: US Military Academy, West Point, NY

In response to an article in:
RISKS-LIST: RISKS-FORUM Digest  Wednesday, 30 Sept 1987  Volume 5 : Issue 41

>From: P. T. Withington
>Subject: Re: Risks in the Misuse of Databases?  [RISKS-5.40]
>                                                             All
>this despite existing laws that state SSN's are to be used only for
>social security and not as an identification number.

I think it is time we put this notion to rest once and for all.  How can you
say that is the only legal use for the SSN when I was just required by law to
get my daughter (8 yrs old) a SSN and I will have to include that number on
MY income tax return from now on.
Now, unless they have revoked the child labor laws, she is unlikely to need
that number, for Social Security purposes, for at least 9 more years.  :-)

bill gunshannon
Martin Marietta Data Systems
USMA, Bldg 600, Room 26
West Point, NY 10996

UUCP: {philabs}\                          WORK (914)446-7747
      {phri   } >!trotter.usma.edu!bill
      {sunybcs}/

------------------------------

End of RISKS-FORUM Digest
************************
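The following is an added example illustrating the password-truncation thread above (Mike Russell's survey and Brint Cooper's reply); it is not part of the digest and not code from any of the contributors. It models what the classic DES-based Unix crypt(3) does with a password, an assumption about that implementation rather than a reimplementation of it: only the first eight characters are used, and only the low 7 bits of each, giving the 56-bit DES key. On top of that model it mechanises the experiment Russell ran on each machine, as a probe that can be pointed at any crypt-style callable. All function names, the stand-in `model_crypt`, and the sample passwords are constructed for this example.

```python
"""Model of the 8-character crypt(3) truncation discussed in RISKS 5.44.

Added example, not from the digest.  The classic DES-based Unix crypt(3)
builds its 56-bit DES key from the low 7 bits of each of the first eight
password characters; nothing after character 8 reaches the algorithm, so
two passwords that agree on their first eight characters hash identically.
The key-derivation model below is an assumption about that classic
implementation; the probe works against any crypt-style callable.
"""
import math
from typing import Callable, Optional

PRINTABLE_ASCII = 95   # 0x20..0x7e, a typical password alphabet
CRYPT_CHARS = 8        # characters classic crypt(3) actually uses
BITS_PER_CHAR = 7      # low 7 bits of each character form the DES key


def des_crypt_key_material(password: str) -> bytes:
    """Bytes that classic crypt(3) would feed into DES for this password.

    Model, not a crypt implementation: keep the first eight characters and
    drop the high bit of each, so a byte such as 0xE9 collapses onto 0x69
    ('i') and the remaining 7 bits x 8 characters give the 56-bit key.
    """
    raw = password.encode("latin-1", errors="replace")[:CRYPT_CHARS]
    return bytes(b & 0x7F for b in raw)


def same_effective_password(a: str, b: str) -> bool:
    """True when the two passwords would hash identically under the model."""
    return des_crypt_key_material(a) == des_crypt_key_material(b)


def effective_keyspace_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Search space (in bits) an attacker faces for a password of this length.

    Characters past the eighth add nothing, and the 56-bit DES key is a
    hard ceiling no matter how rich the alphabet.
    """
    usable = min(length, CRYPT_CHARS)
    return min(usable * math.log2(alphabet), CRYPT_CHARS * BITS_PER_CHAR)


def probe_truncation(crypt_fn: Callable[[str, str], Optional[str]],
                     salt: str = "ab", limit: int = 32) -> Optional[int]:
    """Return the number of characters crypt_fn honours, or None.

    Russell's experiment, mechanised: hash two passwords that agree on
    their first n characters and differ only at position n+1; the first n
    at which the hashes collide is the truncation length.  None means no
    truncation was found up to `limit`, or crypt_fn produced no hash.
    """
    for n in range(1, limit + 1):
        prefix = "a" * n
        h1 = crypt_fn(prefix + "x", salt)
        h2 = crypt_fn(prefix + "y", salt)
        if h1 is None or h2 is None:
            return None
        if h1 == h2:
            return n
    return None


def model_crypt(password: str, salt: str) -> str:
    """Stand-in crypt() that exposes only the modelled key material."""
    return salt + des_crypt_key_material(password).hex()


if __name__ == "__main__":
    print("crypt model truncates at:", probe_truncation(model_crypt))
    for n in (6, 8, 12, 14):
        print(f"{n:2d}-char password: {effective_keyspace_bits(n):.1f} bits")
    try:
        import crypt  # Unix only; deprecated in Python 3.11, removed in 3.13
    except ImportError:
        crypt = None
    if crypt is not None:
        # A two-character salt selects the classic DES scheme where the
        # system libcrypt still supports it; probe returns None otherwise.
        print("system crypt() truncates at:", probe_truncation(crypt.crypt))
```

Run stand-alone it reports 8 for the model and, on a Unix host whose Python still ships the `crypt` module and whose libcrypt still accepts a two-character DES salt, the same 8 for the real thing, which is the result Russell saw on every machine in his table. The keyspace figures make his "it sure decreases the search time" concrete: with 95 printable characters a 14-character password buys the same 52.6 bits as an 8-character one, and no alphabet gets past 56.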