Subject: RISKS DIGEST 12.12
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Monday 12 August 1991  Volume 12 : Issue 12

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 Contents:
Teenage Hacker Emulates Hess (PAJ)
Future Risks (Hilarie Kauiolani Orman via Richard Schroeppel)
Security comes to the Free Software Foundation (Martin Minow)
Lotus Marketplace Epilogue (Marc Rotenberg)
Computer frustration (Andrew Goldberg via Les Earnest)
Yet another threat to telephone privacy (Jeff Makey)
"Enemy of the State" -- Story on risk to privacy (Richard Thomsen)
Firefighters won't give first aid to AIDS patients (Sean Eric Fagan)
Lifestyle discrimination (Martyn Thomas)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
welcome.  CONTRIBUTIONS to [email protected], with relevant, substantive
"Subject:" line.  Others ignored!  REQUESTS to [email protected].  For
vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date:        9 Aug 1991 11:54:25-BST
From: paj <[email protected]>
Subject:    Teenage Hacker Emulates Hess

Summarised from Computer Weekly, 8th August 1991.

A 16 year old schoolboy named Jamie Moulding has been cautioned by
plain-clothed police after hacking into a military computer and trying to sell
secrets to the USSR.  He claims to have read the Ministry of Defence personnel
and payroll files.  One computer he entered held details of a British Army tank
control system.  Moulding first incorporated details of the system into his own
simulation package, and then phoned the Soviet Union's London embassy to try to
sell the information.  Next day two policemen turned up at his home and spoke
to his parents.

Moulding's telephone bills were unwittingly paid by his school.  He wrote an
autodialer program and an automatic hack program which "planted a command which
led to a display of passwords".

DEC denied that its systems had been hacked.  The police officers were
unavailable for comment.

------------------------------

Date: Sat, 10 Aug 91 02:54:22 PDT
From: ho (Hilarie Kauiolani Orman)
Subject: Future Risks

   [Via [email protected] (Richard Schroeppel)]

TINY BUG IN H.S. "GENOME" CAUSES MASSIVE HUMANITY FAILURE

Officials responsible for a spiral galaxy near the middle section of the
universe revealed today that a small error in an encoding for the life form
"Homo sapiens" was responsible for the near extinction of the partly
intelligent species.  The change had been introduced during routine maintenance
of the life form.  Officials explained that the maintenance had been intended
to improve the survivability of the species, but inadequate testing had caused
it to become susceptible to a new sexually transmitted disease.

Senior universe officials expressed disappointment in the control of
the life forms in the galaxy, citing a series of malfunctions,
especially near a yellow star at the edge.  The H.S. species has
required several patches in the field and still seems unstable.  The
latest change was not tested in alternative universes due to lax
controls and lack of funding.

Other officials cited inadequate specification and design review.  "How can we
guarantee that the species works without a formal definition of what it is?"
lamented one senior observer.  "These things just look like collections of
cells - they just sort of grow.  There's no mathematical model that can be used
to verify it.  I don't see how they ever got it started in the first place."

Insiders feel that the species can be rescued, but expressed doubt
about its long-term viability.  The estimate of the time needed for a
thorough review of the documentation, writing the formal specifications,
and verifying the genome encoding, expressibility, and environmental
testing, is greater than the lifetime of the universe.

Meanwhile, yet another mutation and alteration of the local laws of physics
will be required to back out of this particular upgrade.  With funding
already stretched, this setback might just spell the end of H.S.

The formally verified Vulcan species, originally slated for production
next year, has been delayed due to a series of technical problems and is
now scheduled for beta testing after the next big bang.

------------------------------

Date: Tue, 6 Aug 91 05:12:02 PDT
From: Martin Minow  06-Aug-1991 0757 <[email protected]>
Subject: Security comes to the Free Software Foundation

This is summarized from a front-page article in the Boston Globe, Aug 6, 1991.

The Free Software Foundation (FSF) has been forced to institute security
(password) control because "vandals who were able to enter the foundation's
system anonymously were not only deleting and trashing files there, but were
also entering Internet ... and doing damage in other systems as well." ...

"Michael Bushnell, a programmer at the Free Software Foundation, said the
changes are making systems more inconvenient to use and creating an
international network that cannot be used without an operator putting
himself under surveillance.

"''There's not a big sharp impact because, over time, so many networks
already created security barriers,'' Bushnell said.  Extension of these
restrictions ... ''is kind of like when the last critical-of-the-government
newspaper is shut down.  After it's gone a while, people notice a difference.''"

"... An estimated 1,000 to 2,00 persons gained access ... and staff members
say they will try to preserve this somehow."

"''I feel ashamed not having an open system,'' says [Richard] Stallman, ...
''I feel ashamed having a system that treats everyone as vandals when in fact
very few were. ... Every time I think about this I want to cry.''"

-------

The above summarizes the first half of a long story. The remainder discusses
trust, community, hacking, and access in terms and concepts that will be
familiar to Risks readers.  About a week ago, Richard Stallman was interviewed
on the local NPR morning news (the local portion of Morning Edition) on
the closure of the FSF systems.

Personal observation: a few years ago, I had "tourist" access to Internet
through an FSF computer and, many years before that, tourist access through
MIT-AI. Now, I have (password-protected) access through another MIT system,
one of the few that will allow access from "known to be trustworthy" persons.

Martin Minow                              [email protected]

  [And here is PGN putting out this issue from New Haven, where he will be
  participating in the National Conference on Computing and Values this week,
  having expected to be involved in a lively discussion with Richard who
  might have opposed my position on why security (at least for integrity and
  availability purposes if not for confidentiality) remains necessary even in
  an open world...  But I am really sorry to see FSF getting cracked.  PGN]

------------------------------

Date: Thu, 8 Aug 1991 20:56:02 EDT
From: Marc Rotenberg <[email protected]>
Subject: Lotus Marketplace Epilogue

 Lotus Marketplace Epilogue

CPSR Endorses Equifax Privacy Decision                  August 8, 1991

WASHINGTON, DC -- Computer Professionals for Social Responsibility (CPSR)
announced today that it supported a decision by Equifax to discontinue the sale
of direct marketing lists derived from consumer credit files.  CPSR Washington
Office Director Marc Rotenberg said, "Equifax did the right thing.  Personal
financial information should not be fair game for direct marketers."

The national membership organization of computer professionals had earlier led
a successful campaign to stop the release of "Lotus Marketplace," a series of
computer diskettes containing detailed information on 120 million consumers.
Name and address information in Marketplace was taken directly from credit
files.  CPSR has recommended that businesses follow the "Code of Fair
Information Practices," which requires that organizations obtain explicit
permission before using personal information for secondary purposes, such as
direct marketing.

Evan Hendricks, chairman of the United States Privacy Council, said that "This
is another victory for the privacy movement in the United States.  Equifax
continues moving in a positive direction.  We will follow this closely to see
that their actions match their words.  Meanwhile, the focus shifts to TRW and
Trans Union who continue to sell mailing lists derived from credit report
data."

Marc Rotenberg said that while CPSR was pleased with the recent Equifax
decision, there were many other issues that consumers should watch on the
credit privacy front, including the indiscriminate use of the Social Security
Number, the practice of "pre-screening" credit applicants, and the continued
sale of credit information by other credit reporting agencies.

Marc Rotenberg, CPSR Washington Office, 202/544-9240
[email protected]

------------------------------

Date: Fri, 26 Jul 91 10:50:58 PDT
From:  Andrew Goldberg <[email protected]>
Subject: Computer frustration

[Via Les Earnest <[email protected]>]

From the NY Times

The annual Spring Comdex computer show in Atlanta earlier this month meant a
booming business for the Bulletstop, an indoor firing range in suburban
Marietta where customers can rent firearms and bullets to shoot anything they
please, as long as it is already dead and fits through the doors.  The
Bulletstop gave Comdex visitors a chance to vent their frustrations by venting
PC's, printers, hard disks, monitors and manuals with lead.

Paul LaVista, the owner, said about 10 groups of high-tech types came in during
the Comdex show.  "I'm not a computer whiz, but one group brought in what
looked like a hard disk and blasted it," he said.  "Another bunch brought in
some kind of technical manual.  The thing was enormous, about 2,000 pages.
They rented three machine guns -- an Uzi, an M3 grease gun and a Thompson --
and when they were done it looked like confetti."

"It must have been quite a show," LaVista said of Comdex.  "Doctors and
computer types usually have a lot of pent-up anxiety, but these folks were
dragging when they came in.  When they left they were really up.  The range
looked like a computer service center after a tornado."

LaVista said PC's were popular targets year-round.  "People are frustrated with
them," he said.  A year ago seven or eight men carried in a giant old
Hewlett-Packard printer.  "I ran an extension cord to it, and just as it
started to whirr and spit out paper, they blasted it," he said.

------------------------------

Date: Fri, 2 Aug 91 21:04:04 PDT
From: Jeff Makey <[email protected]>
Subject: Yet another threat to telephone privacy

I recently saw an advertisement for a device that lets you plug your telephone
into any power outlet in your house, with the claimed benefit that you can use
existing wiring rather than spend money wiring every room in your house for
phone service.  Intercom systems that use this principle have been around for
years, with the less-than-obvious risk that a neighbor who is connected to the
same power transformer can plug in a similar device in their own home and
listen to your conversations.  Extended to your telephone, such a neighbor can
not only listen to your phone calls (apparently without violating any laws),
but can now even make phone calls on your line (surely illegal, regardless of
how it is accomplished).

The risks are comparable to those of cordless phones, only skewed a
bit.  Understandably, the advertisement made no mention of these risks.

                       :: Jeff Makey                [email protected]

------------------------------

Date: Fri, 2 Aug 91 14:58:02 -0600
From: [email protected] (Richard Thomsen)
Subject:  "Enemy of the State" -- Story on risk to privacy

There is a lovely story in the August 1991 issue of _Analog_ _Science_
_Fiction_ _Science_ _Fact_ by Jack C. Haldeman II called "Enemy of the State"
that shows the risks to privacy.  It is a series of messages to a consumer.  It
starts out with a message from FOOD-NET, telling him about starting smoking
again and his pets (according to their records).  Then comes a message from his
service station, saying his car needs a tune-up and new tires (according to
their records).  Likewise, he gets messages from NED-CHECK, his dentist, the
pet store, etc.

Then he gets a message from the sheriff's office, saying that they would
like to discuss some things.  For example, he gets his mail at a P.O. box,
has an unlisted number, and an answering machine.  They say "It is well
known that individuals with such equipment are almost always concealing
information, especially those with unlisted numbers."  They mention deposits
to his checking account, by amount and a cash transaction.  They mention
he is a "substance abuser (beer, nicotine, and caffeine)", the magazines
he subscribes to, etc, and also say that "You exhibit wanton disregard for
public safety by operating your motor vehicle without the proper
maintenance any good citizen would perform as a matter of course."

All in all, an interesting story and quite appropriate to some of the
discussions.
                               Richard Thomsen         [email protected]

------------------------------

Date: Tue, 6 Aug 91 20:32:26 PDT
From: Sean Eric Fagan <[email protected]>
Subject: Firefighters won't give first aid to AIDS patients

Arvada, Colo:  Volunteer firefighters in this Denver suburb no longer will
respond to first-aid calls involving people known to have AIDS or other
infectious diseases, city officials said.

[Yes, there is a risk here... read on -- sef]

The fire department's computer system has been programmed to flash a warning
to dispatchers if an assistance call comes from someone known to have an
infectious disease such as acquired immune deficiency syndrome, said an
Arvada official who spoke on condition of anonymity.

[end of excerpt]

Got a grudge against someone?  Well, here's a way to cause them lots of
problem! (*extreme* sarcasm there)

Sean Eric Fagan                      [email protected]

------------------------------

Date: Mon, 12 Aug 91 15:18:53 BST
From: Martyn Thomas <[email protected]>
Subject: Lifestyle discrimination

According to a BBC news programme, there is a growing incidence of
discrimination in US employment on the basis of employees' private lives.
Examples were given of someone dismissed for smoking cigarettes at home
(detected by urine test), someone refused employment for living with someone to
whom they were not married, someone refused employment for a dangerous hobby
(hanggliding), someone sacked for being overweight.

If this is a real threat, it provides a compelling reason to shop only with
cash, to stay off lifestyle marketing databases. Even a magazine subscription
could cost you your job! Point-of-sale terminals could monitor how much alcohol
you buy, and how often; how many cigarettes, pregnancy-test kits, junk food ...

Paranoia, anyone?

Martyn Thomas, Praxis plc, 20 Manvers Street,
Bath BA1 1PX UK.  Tel:    +44-225-444700.   Email:   [email protected]

------------------------------

End of RISKS-FORUM Digest 12.12
************************