RISKS-LIST: RISKS-FORUM Digest  Friday 17 March 1989  Volume 8 : Issue 40

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents: [Clean-up of loose ends]
Re: Sunspots & Communications (Jordan Brown, Gasbarro)
Ethics of Copying Fonts (Jerry Schwarz)
Policy Statement Request (Dave Grisham)
Re: Incoming-call identification (Brint Cooper)
Risks of telephone access to your bank account (Brint Cooper)
Limitless ATMs (Emily H. Lonsford)
Re: A Touching Faith in Technology (Henry Spencer)
Risks of helpfulness (Henry Spencer)
Work monitoring survey (Goun)
Faking Internet mail (Robert C. Lehman)
Spying on or intercepting UUCP mail (David Sherman)
Hackers, cartoons, and computers (Doug Claar)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) /
get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...)
Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99).

----------------------------------------------------------------------

Date: Fri, 17 Mar 89 10:09:13 PDT
From: Jordan Brown
Subject: Re: Sunspots & Communications

PGN writes:
> In the Mount Diablo area of California, there have been many reports of
> garage door openers failing to operate.

KFWB reported that this was caused by some form of radio transmitter that the
Navy was using in the area (paraphrased) "to provide communications to a ship
at Alameda while its communications gear was being repaired". It's been turned
off. The report was technically quite vague, so I can't provide more detail.
Jordan Brown

[Also noted by Barry Klawans and Steve Wilson]

[The old joke used to be "When is a door not a door?" "When it is ajar."
Now we have a new joke, "When is a door not a door?" "When it is ajam(b)." PGN]

------------------------------

Date: 16 Mar 89 17:26:07 PST
From: Gasbarro.pa@Xerox.COM
Subject: Re: Sunspots & Communications

> I thought that [garage door] openers operated in the microwave range;
> isn't this power level of transmission unhealthy?

Most garage door openers that I've encountered operate in the 380MHz range.
Water resonates at 2.4GHz. Besides, the power level is only a few tens of
milliwatts.

------------------------------

Date: Fri, 17 Mar 89 11:02:24 EST
From: jss@ulysses.UUCP
Subject: Ethics of Copying Fonts

Marc Mengel ... exactly illustrates why this is a gray area. Suppose that they
didn't pick out the letters but were distributing the whole page? Clearly a
violation of copyright. Individual columns? Still a clear violation.
Individual pixels? Clearly permitted, but only because they used no NYT
information content. Why bother digitizing the NYT to get bits in simple
patterns when you can generate them yourself? Somewhere in between (around the
word or letter level) lies a gray area.

My (moral) conclusion is that if it's worth copying something then there is
value in what's being copied. If the value derives from effort that is not
required to make the copy then there ought to be a way to protect that effort.

Jerry Schwarz

------------------------------

Date: Fri, 17 Mar 89 10:52:44 MST
From: Dave `White Water' Grisham
Subject: Policy Statement Request

I am currently (re)writing our Univ. policy on "computer misuse". Rather than
reinvent the wheel, I ask anyone who has access to an enforceable, yet
comprehensive policy statement to please share it with me. My research to date
has shown many universities to be behind in their written-published policies.
I believe courts will find that policies written before networking and viruses
are of little value. I will be glad to post the results of my efforts
individually or to the group. Thanks in advance.

dave

Dave Grisham                                  Senior Staff Consultant/Virus Security
Information Resource Center                   Phone (505) 277-8148
Computer & Information Resources & Technology USENET DAVE@UNMA.UNM.EDU
University of New Mexico                      BITNET DAVE@UNMB
Albuquerque, New Mexico 87131

------------------------------

Date: Thu, 16 Mar 89 9:24:50 EST
From: Brint Cooper
Subject: Re: Incoming-call identification

Incoming-call ID is a difficult problem. Still, doesn't a person, in the
privacy of Home, have the right to an "electronic peep-hole" to control his/her
privacy? This is a larger issue than screening out the vendors who call at
dinnertime. The police and telecos simply are ineffective at dealing with
persistent, harassing and/or obscene callers. Their methods are cumbersome and
non-responsive to the harassment.

Any caller can protect his/her privacy by calling from a work phone (which is
a very common practice, prohibitions notwithstanding) or from a pay phone.

Incidentally, what is the "scope" of Incoming Call-ID? Does it identify only
calls from the same central office? local calling area? area code? or country?

A function similar to Incoming Call-ID is how our teleco gathers "evidence" on
harassing phone calls. The harassed plaintiff keeps a date/time log of
objectionable calls; the teleco may be able to tell the originating phone
number. However, in our case, it could resolve only phone numbers in the same
central office as the harassee and, perhaps, a small number of other,
specified, central offices.

I'm a firm believer in privacy, too. But that includes my right to privacy in
my own home.
_Brint

------------------------------

Date: Thu, 16 Mar 89 9:29:31 EST
From: Brint Cooper
Subject: Risks of telephone access to your bank account

In discussing "Risks of telephone access to your bank account," Michael
McClary relates the identifying information required to transfer funds by
telephone, then observes:

> Now combine that with cellular phones that:
> - are not scrambled,
> - don't switch channels enough to break up a conversation,
> - can be rec[ei]ved on the high end of an old TV set's UHF dial
> - are generally owned by busy people with money
> and you've got the makings of some nasty surprises.

Get the word out, folks:

CELLULAR PHONE IS NOT "TELEPHONE." IT'S BROADCAST RADIO! DON'T SAY ANYTHING
ON CELLULAR PHONE THAT YOU WOULDN'T SAY ON YOUR LOCAL RADIO STATION!

_Brint

------------------------------

Date: Friday, 17 Mar 1989 17:02:51 EST
From: m19940@mwvm.mitre.org (Emily H. Lonsford)
Subject: Limitless ATMs (Re: RISKS DIGEST 8.37)

Some years back, when ATMs were first coming out, I signed up for a card at my
bank. The first time I used it was a memorable experience. The machine was
very primitive. Instead of a CRT, it had colored buttons with messages like
"Insert card" or "Enter your PIN" which were illuminated to instruct the user.
I dutifully inserted my card and followed the instructions. "Clickety click!"
responded the machine, and then told me to enter my PIN. After each action on
my part, there was a noticeable pause and more "clickety clicks" from the
machine. I soon decided that the clicks were there to keep me, the poor dumb
user, occupied while the machine communicated with the host. This struck me as
terribly funny, and I began to chuckle. Each set of clicks made me laugh
harder, and people were beginning to stare. The best part was yet to come:
when the machine finally spit out the money, it was crisp and new - and WARM,
as if it had just been printed!
It was all I could do not to roll around on the floor laughing; I grabbed the
money and my card and left.

A couple of years later, one of the bank's systems programmers explained the
machines to me. "Oh," he said very seriously, "the clicks really had a purpose.
The machine had no link to the bank; instead it had a ticker tape inside, and
it recorded every transaction (hence the clicks.) A technician came around
every day, collected the tape (which was keyed into the bank's main computer)
and refreshed the money supply." And as for the crisp new bills? "Well, those
machines were so cantankerous that they would jam if anything but new money
was used."

As usual, there was a logical reason for everything the computer did. I think
I liked my interpretation better.

The moral is, these machines were vulnerable to the kind of attack mentioned
in RISKS 8.37. They depended on the cooperation of the user not to go around
and collect $300 from each machine. Security via ignorance....

Emily H. Lonsford, MITRE Houston W123 (713) 333-0922

------------------------------

Date: Fri, 10 Mar 89 16:08:28 -0500
From: henry@utzoo.UUCP
Subject: Re: A Touching Faith in Technology

>"The adoption of an identity card, at least on a voluntary basis, which would
>carry such numbers - name, date of birth, nationality, signature and perhaps
>blood group - would surely be an advantage for everybody...

Of course, "voluntary" is likely to mean "compulsory" very quickly, unless
this is specifically illegal. I have neither an age-of-majority card (the only
legal proof of drinking age here) nor a driver's licence, and you'd be
surprised at the looks this sometimes gets me.

Blood group, eh? How soon before AIDS-test status gets included?

>... GIVEN THAT TECHNOLOGY SHOULD MAKE IT IMPOSSIBLE TO FORGE THEM,
>such cards could quickly establish one's bona fide. . . ."

This runs into the same problem that (I understand) Germany ran into after
WW2.
There were many people with little or no identification in the chaos that
followed Germany's defeat. Some of them were wanted men. There was felt to be
a need for one solid form of ID, something sufficiently well-researched to be
definitive. The obvious choice was the passport. What this meant, in practice,
was that if one could get a forged passport (not easy, but not impossible),
nobody would ever question one's new identity.

Henry Spencer at U of Toronto Zoology

------------------------------

Date: Fri, 10 Mar 89 15:49:27 -0500
From: henry@utzoo.UUCP
Subject: Risks of helpfulness

I haven't seen this one mentioned here yet... At the San Diego Usenix
conference at the beginning of last month, in his keynote speech, William T.
O'Shea (VP of AT&T) said that twice recently, intruders got into AT&T systems
by being talked through the sign-on procedures by AT&T help desks!

Henry Spencer at U of Toronto Zoology

------------------------------

Date: 10 Mar 89 09:47
From: goun%evetpu.DEC@decwrl.dec.com
Subject: Work monitoring survey

From The Boston Globe, Thursday, March 9, 1989:

Most workers in survey think employers use electronic means to spy on them
By Ronald Rosenberg, Globe Staff

A survey said that 75 percent of mostly unionized workers in Greater Boston
feel ``spied on at their jobs'' by electronic monitoring.

The survey, conducted by the Massachusetts Coalition on New Office Technology,
which represents over 40 unions and women's organizations, has filed state
legislation that would require notifying employees in advance of any
monitoring or surveillance. A legislative hearing on the measure is scheduled
Monday at the State House.

Several insurance firms, banks, airlines and industry groups oppose the
legislation, saying it is unnecessary and violates an employer's right to
monitor how employees work.

At issue is the use of computerized or electronic monitoring systems to keep
track of an employee's work performance and activities.
This kind of surveillance includes computer monitoring where the computer
counts keystrokes, error rate, time to complete each task and break time.
Another way checking [sic] on employee productivity is service observation
where supervisors listen into conversations between employees and customers.
A third form, known as telephone call accounting, monitors the time, length
and destination of all calls dialed from each extension but does not record
the conversation. It is used by telemarketing firms and large sales
organizations.

``There have been clear abuses of electronic monitoring and it violates a
person's right of privacy and right of due process,'' said Lisa Gallatin, the
coalition's executive director.

------------------------------

Date: Tue, 14 Mar 89 14:54:23 EST
From: Robert C. Lehman
Subject: Faking Internet mail

While "faking" electronic mail may be easy, it's not as easy as faking
"physical" mail. More specifically, getting some company or university
letterhead (or having some printed, for that matter) and typing up a letter
requires less specific knowledge than hacking some system's SMTP mailer, for
example. However, people perceive computers as being reasonably secure
entities, and therefore they assume that electronic mail generated by a
computer system is genuine. While an organization such as NSF, which is
accepting reviews of proposals via electronic mail, should be concerned about
the authenticity of reviews it receives, reviews sent by electronic mail are,
in the long run, no more or less likely to be bogus than those sent by surface
mail.
Robert Lehman, Columbia University

------------------------------

Date: Wed, 8 Mar 89 23:51:24 EST
From: dave@lsuc.uucp (David Sherman)
Subject: Spying on or intercepting UUCP mail

Peter Scott (pjs@grouch.jpl.nasa.gov) writes in RISKS 8.28:

> > Walter Roberson in RISKS-8.27
> > How about the other way around: how much danger is there that someone can
> > spoof mail in order to receive messages destined for someone else?
>
> The only way I know of doing this is if your machine is on the path for
> the mail in the first place, in which case you can look at everything
> that passes through anyway.

All it takes is a published "mysite uunet(LOCAL), att(LOCAL)". Now that most
sites on the net use automated routing with pathalias, a sysadmin with
long-term general spying goals need only show very fast connections to major
sites in the system's official UUCP map entries. Within a few months a lot of
mail from nearby sites will be coming through. Keeping a copy of everything
that passes through is as trivial as setting a #define in smail.

David Sherman, The Law Society of Upper Canada (att!lsuc!dave :-))

------------------------------

Date: Mon, 13 Mar 89 17:32:44 pst
From: Doug Claar
Subject: Hackers, cartoons, and computers

Recently, while watching my kids watch Saturday cartoons, I noticed a
"Computer Minute" public service type ad from the network. In it, the father,
who was portrayed as clueless, was trying to organize his towering stack of
papers. His son, Hacker, tried to tell dad all about Data Base Management
Systems. Why, even sister had her (girl stuff) on the computer, and gee, mom
had her recipes. Hacker had his (boy stuff) on it as well.

Having only seen one, I don't know for certain, but given the girl's name
(which I don't remember, but wasn't computer-oriented), and the son's name, it
seemed to perpetuate the young male as the hacker stereotype.

Relationship to risks? Well, I've seen discussions on the term "hacker," and
on comics and computing.
Doug Claar, HP Computer Systems Division
UUCP: mcvax!decvax!hplabs!hpda!dclaar -or- ucbvax!hpda!dclaar

------------------------------

End of RISKS-FORUM Digest 8.40
************************