Subject: RISKS DIGEST 13.16
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Monday 24 February 1992  Volume 13 : Issue 16

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 Contents:
Computer causes Olympics scoring error (David Shepherd)
Strasbourg Airbus crash report leaked (James Paul)
More on Privacy in Australia (Bruce Howarth)
Italian crooks let others pay phone bill (Debora Weber-Wulff)
Risk of Voice Mail Command Choices (Randall C Gellens)
RISCs of AP news reports (John Sullivan)
Proposal for policy on calculator use during exams (Todd M. Bezenek)
The Worth of Computing (Tony Buckland)
Computer Hackers Get Into Credit Records (Joe Brownlee)
VT Caller ID Decision  (Marc Rotenberg)
Carpal Syndrome reports rise sharply (Brinton Cooper)
Re: System certification again (Dave Parnas)
MBDF Macintosh virus (Tom Young)
FBI Eavesdropping Challenged

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
welcome.  CONTRIBUTIONS to [email protected], with relevant, substantive
"Subject:" line.  Others may be ignored!  Contributions will not be ACKed.
The load is too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
especially .UUCP domain folks.  REQUESTS please to [email protected].
Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Fri, 21 Feb 92 16:52:27 GMT
From: David Shepherd <[email protected]>
Subject: Computer causes Olympics scoring error

During the first session of the women's ice skating competition, the UK's number
1 skater, Joanne Conway, complained of biased scoring after the Canadian judge
gave her only 4.2 marks while all the other judges gave around 5.0 to 5.5.
Subsequently the Canadian judge has revealed that she intended to give 5.2
marks.  Each possible score has a separate button to press to signal the score
to the computerized scoring system.  By mistake the judge pressed 4.2 instead
of 5.2 and, even though she realized her mistake, there was no provision to
correct the mark.  The only way of correcting it would have been for the UK
team to lodge an official appeal - which wasn't considered worthwhile as it was
only the difference between 17th and 15th place.

In another incident the UK 2-man bob team, in the lead at that stage, went out
of contention after being kept at the start for 7 minutes while one of the
intermediate timing controls was fixed - note that this timer was not needed
for the actual result, just to give an intermediate split time. Perhaps another
indication of where technology becomes the master rather than the servant of
sport.  (Some people have tried to read a more sinister implication into a Swiss
engineer holding the leading team up for 7 minutes, which helped the Swiss No 1
bob go into the lead!)

david shepherd: [email protected] or [email protected]    tel: 0454-616616 x 625
               inmos ltd, 1000 aztec west, almondsbury, bristol, bs12 4sq

   [The old Swisseroo?  Bobbing for Apples (if they were using a Mac)?
   The "Unified" team now has to settle for good marks and Lennon music.
   Next time someone will figure out how to hack into the scoring computers.

   I wondered on several very obviously partisan judge's scorings, with
   outrageous (+/- outlier/outliar) scores, whether the judge was overtly
   trying to cheat ...  I thought they used to discount the highest and
   the lowest scores on judged events, but apparently not.  PGN]

------------------------------

Date:    Fri, 21 Feb 1992 10:46:30 -0500 (EST)
From: "NOVA::PAUL"@yttrium.house.gov (James Paul, U.S. House Science Committee)
Subject: Strasbourg Airbus crash report leaked

AIRBUS CRASH PROBE CITES HUMAN, TECHNICAL ERROR

  PARIS, Feb 20, Reuters - French television said on Thursday a preliminary
report to be published next week on the causes of last month's Airbus A320
crash which killed 87 people did not blame the disaster on any single factor or
person.  The TF-1 channel said the independent commission's report concluded
that a mixture of human and technical error had caused the Air Inter flight
from Strasbourg to Lyon to plough into a snow-covered mountainside on January
20, just five minutes before it was scheduled to land.  Nine people survived.
TF-1 said the commission's findings showed the Strasbourg airport was not
equipped with landing approach systems matched to the sophistication of the
Airbus, and that there were serious failings in the crash plane's altimeter
system.  The commission concluded the pilot either did not know how or was
unable to stop the plane's abnormally rapid descent, according to TF-1.  The
station did not reveal how it gained access to the report.
  Publication of the report was delayed because Transport Minister Paul Quiles
is visiting Portugal on Friday and wants to study the findings before
commenting.
  The French civil aviation authority has already taken some preliminary
measures, urging all airlines flying the A320 to review their procedures for
using the VOR-DME beacon system for landing.  But the authorities decided
against grounding the planes, saying there was no initial evidence that
mechanical problems caused the disaster.
  National carriers Air France and Air Inter earlier this month banned their
pilots from using the automatic landing procedure until further notice.
  A spokeswoman for Toulouse-based Airbus Industrie said earlier the aircraft
maker did not yet have a copy of the report and would have no comment until it
did.  Meanwhile a judge investigating legal responsibility for the crash staged
a reconstruction flight on Thursday, circling the accident site three times.

------------------------------

Date: Wed, 19 Feb 92 08:55:55 EST
From: [email protected]
Subject: More on Privacy in Australia

  [RISKS-13.14 included "Australian Government Bungles Private Data".
  Bruce submitted the article "DSS blames printer restart for bungle", by
  John Hilvert, in Computerworld Australia, 14 Feb 1992, omitted here.  That
  article supports the printer-restart synchronization glitch theory.  PGN]

By one of *those* coincidences, it was reported on TV the same week that a
branch of the Australian Taxation Office (ATO) sent similarly misprinted forms
to some (as I recall, 80) taxpayers.  Two of the taxpayers had contacted each
other, then presumably the media, to share their disgust at the release of
income and savings data.  An ATO employee on the TV claimed that the misprints
had been caused by a folded page in a box of paper.

Bruce Howarth, Uni of Technology Sydney

------------------------------

Date: Sat, 22 Feb 1992 12:54:43 GMT
From: [email protected] (Debora Weber-Wulff)
Subject: Italian crooks let others pay phone bill

[Translated by DWW from the Berlin daily Newspaper "Tagespiegel", 22 Feb 1992]

lui, Rome, 21 February 1992. [...] Half a million Italians are the proud
owners of portable telephones. The cordless appliance has become the favorite
toy of the Southerners, but the game may soon be over: the "telefonini" are not
protected.

Under the motto "Buy one, pay for two", crooks sell manipulated phones that are
used so that the buyer has to pay for the toll calls of the seller.  The trick
works like this: the crooks take a computer with a computing program [whatever
that is ;-) dww] like the ones used to crack automatic teller machines, and
fuss with it until they find the secret code for the telephone.  The code is a
combination of the telephone number and the serial number that is supposed to
only be available to the telephone company SIP.  When the code has been
cracked, it is no problem to transfer it to a second telephone, so that both
telephones have the same license number.  One phone is sold "under the hand" by
the crooks.  As an added deal, the buyer not only gets to pay his own phone
bill, but the fees run up on the second phone as well.  The Italian underworld
is especially keen on using this method.[...]  The mafia uses the "portabili"
for conducting their unclean business.

[... The police] have not been able to find the instigators, but they suspect
that employees of the telephone manufacturing company are involved, as they
have the knowledge of how the phones are constructed. [...]  The portable
telephone is well-known for the ease of tapping the telephone conversations
[which cannot, however, be traced to the place of origin. A book called "Italy,
I hear you calling" with some of the more interesting tapped conversations has
just been published.]

[Why is such a telephone easy to crack and easy to reprogram?  dww]

Debora Weber-Wulff, Institut fuer Informatik, Nestorstr. 8-9, D-W-1000
Berlin 31         +49 30 89691 124             [email protected]
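The fraud above works because two handsets end up carrying the same
number/serial identity, and a single physical phone cannot be in two places at
once or on two calls at once.  The following is an added example, not part of
the newspaper article or of any SIP system, of the carrier-side check a
practitioner would want: it scans call records for one identity and flags
overlapping calls and "impossible travel" between cell sites.  The call
records, the identity strings, the cell-site names and coordinates, and the
150 km/h speed threshold are all constructed for illustration.

```python
"""Detect cloned handset identities from call records.

Added example for the RISKS item on cloned Italian portable phones; the data
and thresholds below are constructed, not taken from any real carrier.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Call:
    identity: str      # number + serial code, the pair the article says gets copied
    cell: str          # constructed cell-site name
    start: datetime
    end: datetime


# Constructed cell-site coordinates (latitude, longitude) for this example only.
CELL_SITES = {
    "ROME-N": (41.95, 12.50),
    "ROME-S": (41.83, 12.47),
    "MILAN-C": (45.46, 9.19),
}


def km_between(cell_a, cell_b):
    """Great-circle distance in km between two cell sites (haversine formula)."""
    lat1, lon1 = map(radians, CELL_SITES[cell_a])
    lat2, lon2 = map(radians, CELL_SITES[cell_b])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def find_clones(calls, max_speed_kmh=150.0):
    """Return alerts for identities that cannot belong to one physical handset.

    Rule 1 (overlap): a call on an identity starts before the previous call on
    that identity has ended.
    Rule 2 (impossible travel): consecutive calls come from cell sites farther
    apart than the handset could have moved in the gap between them.
    Each alert is (identity, rule, earlier_call, later_call).
    """
    alerts = []
    by_identity = {}
    for call in calls:
        by_identity.setdefault(call.identity, []).append(call)
    for identity, records in by_identity.items():
        records.sort(key=lambda c: c.start)
        for prev, cur in zip(records, records[1:]):
            if cur.start < prev.end:
                alerts.append((identity, "overlap", prev, cur))
                continue
            gap_hours = (cur.start - prev.end).total_seconds() / 3600.0
            distance_km = km_between(prev.cell, cur.cell)
            if distance_km > max_speed_kmh * gap_hours:
                alerts.append((identity, "impossible_travel", prev, cur))
    return alerts


def sample_calls():
    """Constructed call records: one honest subscriber and one cloned identity."""
    t0 = datetime(1992, 2, 21, 9, 0)
    m = lambda minutes: t0 + timedelta(minutes=minutes)
    return [
        # Honest subscriber: two short calls within Rome, ten minutes apart.
        Call("0337-111111/SN-A1", "ROME-N", m(0), m(5)),
        Call("0337-111111/SN-A1", "ROME-S", m(15), m(20)),
        # Cloned identity: the buyer's phone in Rome, then the seller's in Milan
        # twenty minutes later (about 470 km away), then a call that overlaps.
        Call("0337-222222/SN-B7", "ROME-N", m(0), m(5)),
        Call("0337-222222/SN-B7", "MILAN-C", m(25), m(30)),
        Call("0337-222222/SN-B7", "MILAN-C", m(28), m(40)),
    ]


def sample_alerts():
    return find_clones(sample_calls())


if __name__ == "__main__":
    for identity, rule, earlier, later in sample_alerts():
        print(f"{identity}: {rule} between {earlier.cell} {earlier.start:%H:%M}"
              f" and {later.cell} {later.start:%H:%M}")
```

Neither rule identifies which of the two handsets is the fraudster's; that still
requires the carrier to contact the legitimate subscriber.  The speed threshold
is a design choice: too low and motorway users trigger alerts, too high and a
clone in the next town is missed.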

------------------------------

Date: Wed, 19 Feb 92 09:15 GMT
From: Randall C Gellens <[email protected]>
Subject: Risk of Voice Mail Command Choices

[I sent this as a reply to Telecom.  It's probably not a serious enough
risk to go into Risks, but I thought I'd let you decide.  --Randy]

In TELECOM Digest Volume 12 : Issue 108, the moderator (Patrick A.
Townson) discusses Ameritech Voice Mail Commands and Security Flaws:

>   After the message has played out, 5 to delete it; 7 to save it.

Considering that the Aspen voice mail product (from Octel, I think) uses 7 to
delete a message, and that Aspen is widely used by businesses, this seems an
unfortunate choice, as people with Aspen at work and IBT RVMS at home will be
likely to confuse 7 and end up deleting messages by accident.  Of course, this
is not as serious a risk of nonstandardization as airline flight controls which
differ from model to model :-).
                                               --Randy

------------------------------

Date: Mon, 24 Feb 1992 10:55:18 -0600
From: [email protected]
Subject: RISCs of AP news reports

An Associated Press article on new processor chips announced at the
International Solid State Circuits Conference appeared in the (Minneapolis)
Star Tribune last Thursday.  It says, in the middle:
       Most of the chips use a technology called reduced instruction
       set computing (RISC), which speeds the processing of data
       by limiting the number of instructions the processor must execute.
       The microprocessors that power personal computers, by contrast,
       use a different technology.
Of course, limiting the number of instructions a processor knows how to execute
typically increases the number of instructions it must execute.

The Op-Ed page of The New York Times yesterday (Feb 23) has an essay by David
Gelernter from Yale's CS dept complaining that when newspapers (even The Times)
use the term "operating system", they feel obliged to define it.  But someone
who doesn't know what one is is "not going to learn on the basis of a single
phrase, no matter how artfully crafted".

He doesn't mention how misleading a single phrase can be, if crafted by
a reporter who doesn't know technology.

-John Sullivan, [email protected]

------------------------------

Date: 21 Feb 92 07:01:23 GMT
From: [email protected] (Todd M. Bezenek KO0N)
Subject: proposal for policy on calculator use during exams

    [This is an article which I recently posted to comp.sys.handhelds and
    comp.sys.hp48.  It is in response to a discussion regarding the use of
    calculators on university exams.  I am posting it to comp.risks because it
    demonstrates the risk of introducing computing power into the classroom
    where it may be misused.  TMB]

I have reviewed the responses concerning calculator policies at universities
from all over the world.  Thank you to everyone for sending them.  The
following is my proposed policy.  This policy is intended to eliminate problems
associated with using note-style information, without eliminating the use of
the calculating power of these devices.  If you have any comments, please post
them after thinking them through fully.

  Proposed Policy Regarding the Use of Portable Calculating
          Devices during Closed-Note Examinations

       If a student uses a portable calculating device during a closed-note
examination for the purpose of storing notes, that student shall be considered
guilty of an infraction equivalent to using said notes as they would appear on
paper.

       In the case that a proctor believes beyond a reasonable doubt that a
student is violating the above policy, that proctor shall immediately remove
the calculating device from the student's possession.  The proctor may then
choose whether or not the student should be allowed to complete the
examination.  The calculating device shall remain in the possession of the
proctor until the contents of its memory--both vendor supplied and user
programmed--can be examined.

       The decision of whether or not the above policy has been violated
should be based upon the judgement of a faculty member who shall examine the
memory of the calculating device before it is returned to the student.  In the
case that the memory is found to contain information which, when transferred to
paper, would be considered an unallowable aid, the student shall be considered
guilty of the infraction described above.

       In the case that the student is found to not be in violation of the
above infraction, the student should be allowed to rewrite the examination if
the student so chooses.  Alternately, if the student is found to be in
violation, the student is subject to the same university policies that govern
the use of unallowed notes equivalent to that which would result from
transferring the memory of the calculating device to paper.
       In no case will the student forfeit possession of the calculating device
indefinitely.

Respectfully submitted, Todd M. Bezenek

Todd Michael Bezenek, KO0N         Internet:  [email protected]
 UUCP:  uunet!plains!bezenek        Bitnet:  bezenek@plains

------------------------------

Date: 24 Feb 92 15:04 -0800
From: Tony Buckland <[email protected]>
Subject: The Worth of Computing

From @yonge.csri.toronto.edu:[email protected]  Mon Feb 24 14:50:45 1992

You write in can.general:

>  Yesterday, thieves broke into a VanCity Savings branch and stole
>  two bags from a night deposit box.  But not to worry - unless
>  you're in the computing game and proud of it - " ... all they
>  got were worthless computer printouts and administration documents."

                    Mark Brader, Toronto, utzoo!sq!msb, [email protected]

------------------------------

Date: 20 Feb 1992   7:15 EST
From: [email protected]
Subject: Computer Hackers Get Into Credit Records

From the Columbus, Ohio, _Dispatch_.  Any typos are mine.

Computer Hackers Get Into Private Credit Records

DAYTON - Computer hackers obtained confidential credit reports of Midwest
consumers from a credit reporting firm in Atlanta.  Atlanta-based Equifax said
a ring of 30 hackers in Dayton [Ohio] stole credit card numbers and bill-paying
histories of the consumers by using an Equifax customer's password.

Ronald J. Horst, security consultant for the company said the break-in
apparently began in January.  Police don't know if the password was stolen
or if an employee of the client company cooperated with the hackers.  Horst
said the hackers were apparently doing it just for fun.  No charges have
been filed.  Equifax will notify customers whose credit reports were taken.

[End of quotation]

The usual caveats about media reporting of computer-related topics apply here.
One thing I don't like about this article is the implication that since the
hackers were doing this for "fun", they won't be prosecuted.  Of course, the
article doesn't say that exactly, but I'll be watching to see if this case
goes any farther.

I'll also be waiting to see if I'm one of those people whose credit reports
were stolen, and, if so, what Equifax intends to do about it other than to
notify me.

Joe Brownlee, Analysts International Corp. @ AT&T Network Systems, 471 E Broad
St, Suite 2001, Columbus, Ohio 43215 (614) 860-7461 [email protected]

------------------------------

Date: Wed, 19 Feb 92 11:59:52 PST
From: Marc Rotenberg <[email protected]>
Subject: VT Caller ID Decision

The Vermont Public Service Board has just released its Caller ID decision.
It's a good result with an interesting new wrinkle.

Vermont will require that New England Telephone (NET) make free, per-call
blocking available to all subscribers.  NET will also be required to provide
free, per-line blocking to all subscribers with non-published telephone
numbers.  And NET will be required to provide free, per-line blocking to all
subscribers who have "a legitimate concern that it would be unsafe to transmit"
their telephone numbers, including clients, volunteers and staff associated
with domestic violence and sexual assault agencies.

The Hearing Officer initially recommended that such requests should be subject
to review by NET, but the Public Service Board rejected this approach.  The
Board ruled that all customers should be entitled to receive free per-line
blocking through a "simple declaration."

The Vermont Public Service Board thus found a clever solution to a difficult
problem that was first identified in the Pennsylvania Caller ID case.  In that
case, as in Vermont, concern was expressed that certain individuals may require
blocking to maintain personal safety.  But the Bell company's proposed
"certification procedure" left it unclear as to who would qualify for privacy
protection or how adverse decisions could be appealed.

For these reasons, the Pennsylvania court held that the certification procedure
violated basic due process rights.  (The Pennsylvania court also found that
Caller ID violated the state wiretap statute and the state constitutional right
of privacy and ruled that the service could not be offered in the state).

The due process problem -- deciding who is entitled to greater privacy
protection and who gets to make the decision -- remains one of the most
interesting and difficult issues in the Caller ID debate.

In ruling that phone subscribers should be entitled to decide for themselves
whether per-line blocking is appropriate, Vermont has avoided the due process
problem that arose in Pennsylvania.

In the Vermont proceeding, CPSR was asked to serve as the Board's expert
witness after the Board determined that "there existed a serious imbalance in
the respective parties' ability to present evidence on all relevant issues."

New England Telephone then retained Harvard Law School Professor and Legal
Affairs TV Commentator Arthur Miller as their expert.  Professor Miller had
earlier stated that Caller ID should be offered without blocking, but in this
case acknowledged that per-call blocking might be an appropriate solution.

CPSR provided extensive testimony for the Vermont Public Service Board on the
privacy implications of Caller ID after carefully reviewing concerns expressed
by those affiliated with domestic violence shelters in the state.

Marc Rotenberg, CPSR Washington Office

------------------------------

Date:     Wed, 19 Feb 92 16:26:07 EST
From: Brinton Cooper <[email protected]>
Subject: Carpal Syndrome reports rise sharply (Helgesen, RISKS-13.14)

Jeff Helgesen relates a Chicago Tribune article on the sharp increase in Carpal
Tunnel Syndrome (repetitive-motion disorder) and the discussion about high-risk
workplace environments.  The article said, in part,

|When someone applies force over and over to the same group of muscles,
|the same joint or the tendon, the result may be tissue tears and trauma.
|Other factors causing damage are awkward joint posture and prolonged
|constrained posture.

I have no doubt that this is true as stated.  However, anecdotal
evidence causes me to wonder if we're missing something.  (I emphasize
that this is anecdotal.)  Every sufferer of carpal tunnel of whom I am
personally aware is a cashier at a supermarket.  Yet, I work in a
laboratory where some very intensive computing activity takes place.  We
have people who frequently spend more than 10 hours out of 24 at
keyboards.  I am unaware of any carpal tunnel cases here (although I
admit the possibility).  This causes me to wonder:

       What part does psychological or emotional stress play in the
       development of repetitive-motion disorders?

Supermarket cashiers do the work largely for the money.  Folks at this lab work
here for the same reason, but there is great job satisfaction, (dare I call it
"fun?") here that doesn't exist at the grocery store.  Does it matter?

(It's no less a risk either way, but it's better to understand the risk as much
as possible.)
                                          Brint

  [By the way, apologies for losing Elizabeth Willey's contribution in
  RISKS-13.15.  She pointed out that there are lots of parts of the body
  that can suffer from repetitive motion syndromes, not just the carpal
  tunnel areas.  Somehow her message got lost.  Sorry.  PGN]

------------------------------

Date: Wed, 19 Feb 92 08:45:28 EST
From: [email protected] (Dave Parnas)
Subject: Re: System certification again (RISKS-13.15)

Marc Horowitz was correct and Perry E. Metzger and Rich Kulawiec, with the
support of Peter Neumann, proved him correct.
                                                     Dave

------------------------------

Date: Fri, 21 Feb 92 23:20:10 GMT
From: [email protected] (Tom Young)
Subject: MBDF Macintosh virus

(This is being posted on behalf of M. Stuart Lynn)

As I am sure you are aware, a new Macintosh virus, MBDF-A, has been detected in
the Info-Mac archives at SUMEX-AIM that has also been mirrored to other
archives. Furthermore, it appears that the virus may have originated from or
have been vectored through a machine at Cornell.

Other folks are addressing issues of detection, elimination, and prevention. I
just want you to know that we at Cornell take this situation most seriously,
and are doing everything we can to track down the origin and the originator of
this virus. The university absolutely deplores this kind of behavior, and
should it indeed prove that the originator was a member of this community we
will pursue all appropriate remedies under our computer abuse policy.

If anyone out there has any relevant technical information that would help us
track down the originator, I would appreciate it if you would send it to Tom
Young ([email protected]).

M. Stuart Lynn, Vice President for Information Technologies, Cornell University
607-255-7445
             [Also posted to RISKS by
             [email protected] (Laurie Collinsworth)]

------------------------------

Date: Tue, 18 Feb 92 10:01:34 PST
From: [anonymous]
Subject:      FBI Eavesdropping Challenged

    FBI Eavesdropping Challenged
  WASHINGTON (AP, 17 Feb 1992)
  Cellular telephones and other state-of-the-art telecommunications technology
are seriously challenging the FBI's ability to listen to the telephone
conversations of criminal suspects, law enforcement officials say.  The FBI is
seeking $26.6 million next year to update its eavesdropping techniques.
Normally tight-lipped FBI officials become even more closed-mouthed when the
subject of investigative "sources and methods" comes up.  But a review of the
bureau's 1993 budget request provides an unusual glimpse into the FBI's
research on electronic surveillance and its concerns about new technologies.
  "Law enforcement is playing catchup with the telecommunications industry's
migration to this technology," said the FBI's budget proposal to Congress. "If
electronic surveillance is to remain available as a law enforcement tool,
hardware and software supporting it must be developed."
  The new technologies include digital signals and cellular telephones.  At
the same time, there has been an increase in over-the-phone transmission of
computer data, which can be encrypted through readily available software
programs, say industry experts and government officials.
  The FBI's five-year research effort to develop equipment compatible with
digital phone systems is expected to cost $82 million, according to
administration figures.
  The FBI effort is just a part of a wider research program also financed by
the Pentagon's secret intelligence budget, said officials who spoke on
condition of anonymity.
  Electronic surveillance, which includes both telephone wiretaps and
microphones hidden in places frequented by criminal suspects, is a key tool for
investigating drug traffickers as well as white-collar and organized crime.
  Conversations recorded by microphones the FBI placed in the New York City
hangouts of the Gambino crime family are the centerpiece of the government's
case against reputed mob boss John Gotti, now on trial for ordering the murder
of his predecessor, Paul Castellano.
  Taps on the phones of defense consultants provided key evidence in the
Justice Department's long running investigation of Pentagon procurement fraud,
dubbed "Operation Ill Wind."  But with the advent of digital phone signals, it
is difficult to unscramble a single conversation from the thousands that are
transmitted simultaneously with computer generated data and images, industry
officials said.
  "In the old days all you had to do was take a pair of clip leads and a head
set, put it on the right terminal and you could listen to the conversation,"
said James Sylvester, an official of Bell Atlantic Network Services Inc.  But
digital signal transmission makes this task much more difficult. Conversations
are broken into an incoherent stream of digits and put back together again at
the other end of the line.
  John D. Podesta, a former counsel to the Senate Judiciary's law and
technology subcommittee, said the FBI and other law enforcement agencies are
simply victims of a technological revolution.  For more than 50 years the basic
telephone technology remained the same.

------------------------------

End of RISKS-FORUM Digest 13.16
************************