Subject: RISKS DIGEST 13.79
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Friday 11 September 1992  Volume 13 : Issue 79

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 Contents:
"Sneakers" -- A Topical Movie Review (Donn Parker)
Police probe man's death in Citibank disk case (Pat Cain)
Arrest warrant database problems (James Hanlon)
New computer delays Berlin Fire Department (Debora Weber-Wulff)
Hardware failure stops school (Andrew Marchant-Shapiro)
PC board waste in San Francisco Bay (Phil Agre)
Re: TCAS (Nancy Leveson)
Registration and Hotel Information - 15th National Computer Security Conference
   (Jack Holleran)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
welcome.  CONTRIBUTIONS to [email protected], with relevant, substantive
"Subject:" line.  Others may be ignored!  Contributions will not be ACKed.
The load is too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
especially .UUCP folks.  REQUESTS please to [email protected].

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300
(or send FAX to RISKS at 310-455-2364, or EMail to [email protected]).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: 11 Sep 1992 08:00:03 -0800
From: [email protected]
Subject: "Sneakers" -- A Topical Movie Review

   [The following review was prepared by Donn Parker for distribution to the
   members of the International Information Integrity Institute (known as
   I-4), an organization consisting of something like 60 companies with
   significant interest in improved computer security and integrity, which
   is managed by SRI -- with Donn as one of its key players.  This review is
   reproduced here with his permission, and is authorized for further
   distribution, with appropriate attribution.  Sneakers opens today to the
   general public, although in a few selected theaters it opened on Wednesday,
   presumably to get early reviews.  (Both Donn and I had been visited by
   Parkes and Lasker regarding security risks, in their preparation for the
   screenplay for WarGames.  They even used some of our ideas.  In general,
   Sneakers seems technologically sounder, and is certainly of interest to
   RISKS readers.  For those of you who don't know Donn, he is often
   referred to as the Great Bald Eagle of Computer Security.)  PGN]

FILM REVIEW OF SNEAKERS
by Donn B. Parker
September 1992

Sneakers (released September 11, 1992 by Universal Studios, owned by Matsushita
Electric Industrial Co. Ltd., and promoted in association with CompuServe,
owned by H&R Block) starring Robert Redford, Dan Aykroyd, Ben Kingsley, Mary
McDonnell, River Phoenix, Sidney Poitier, and David Strathairn; directed by
Phil Alden Robinson (Field of Dreams director); and produced and written by
Walter F. Parkes and Lawrence Lasker (writers and producers of WarGames in
1981).

The new computer crime movie, Sneakers (as in hackers who wear sneakers and
sneak into computers) was previewed in a San Francisco showing sponsored by
Universal Studios and Mondo 2000 Magazine (a slick-cover psychedelic
publication of the Timothy Leary genre appealing to hackers) and attended by a
large segment of the Bay Area hacker community including Cap'n Crunch.  I had
assisted the writers, Messrs. Lasker and Parkes, with their first movie,
Wargames -- much to my chagrin because the technology was so distorted.  This time
they had the technical assistance of Len Adleman (the A in RSA Crypto) from
USC and Robert Abbott, an information security consultant of long standing.
This Mission Impossible, PG-rated (only three "God damn"s and almost no sex)
film is mostly technologically believable, unlike Wargames.  We can forgive
them for showing a Cray computer with a terminal displaying Windows 3.1.

All information security professionals should see this film and use it to
promote security awareness.  Some critics may pan it, but it has all the
ingredients for financial success.  It has:

o  great chase and other street action scenes in the
  beautiful San Francisco Bay Area
o  an interesting but predictable plot
o  the blind technician who finds the bad guys' hideout
  from sounds heard from the trunk of a car
o  the old technique of the bad guy shooting into the
  ceiling tiles at his hidden enemy hiding in ceiling duct area
o  three bloodless murders
o  total unconsciousness produced by simple taps on
  the head followed by immediate concussion-less
  revival with little visible damage
o  popular stars, Redford, Poitier, Aykroyd, and
  Kingsley, who look like the oldest hackers in the
  world (except for me and Cap'n Crunch)
o  great human melodrama with good character
  development and not too much technical sci-fi stuff
o  the good guy and his girlfriend at the mercy of the
  bad guy in the grand finale
o  cryptography very well explained and used for a
  general audience
o  the proverbial spinning computer tape drive, and
o  as usual with Lasker and Parkes, a moral at the end.

Universal has uniquely teamed up with CompuServe and CompUSA computer stores to
promote the movie.  A chat board has been set up to fire questions about the
movie at Mr. Robinson, the director, who has been using CompuServe for 8
years.  Anagram and secret password games can be played, with prizes including
trips to Hollywood and Robert Redford's jacket worn in the film.  The film is
sure to be a big hit in Europe and Japan as well as in the United States and
should appeal to the juvenile hacker culture throughout the world.

One unbelievable item is the skimpy $175,000 accepted by Redford's security
penetration (read "tiger team") consulting company for a record-breaking
information security project.  Redford's team plus all the high-priced
technical equipment were worth much more than that.  They had to steal the
universal decryption black box -- the Maltese Falcon of the movie -- and then steal
it again from the bad guys posing as NSA types who steal it from Redford.
There is a neat shoulder-surfing password pickup by video recording.  There are
hacker antics such as a transfer of President Nixon's net worth to the National
Organization for the Reform of Marijuana Laws (NORML), credit record and
license plate registration privacy invasions, trashing of the NSA, CIA, and
FBI, and liberal-politics slams at President Bush and the Republican Party
well-timed for the upcoming national elections.  However, this is all tolerable
since it is done by Redford's character and his team who all have serious
criminal and other highly unethical practices in their backgrounds.

A tiger team attack on a client bank that has relatively good security is
excessively elaborate and would have left the bank guard in a good position to
sue his employer for aggravated assault and mental anguish.  We will probably
have to assure our company management people that we don't do things like
that -- but the time to justify your budget and staff is soon after they see this
movie.

The film ends with the rather patronizing and simplistic advice that whoever
controls the information, controls the world.  Just the straightforward action
and technology without all the liberal politics and moralizing would have made
it even better.

You and your teenage children and your computer users and management should all
see and enjoy this much-to-be-talked-about film.

------------------------------

Date: Wed, 09 Sep 1992 13:24:18 +1200
From: Pat Cain <[email protected]>
Subject: Police probe man's death in Citibank disk case

Early on Saturday (5th Sept) morning in Auckland, New Zealand, Paul Gordon
Edward White, 26, a computer broker, was found in a crashed car by the Auckland
harbour bridge; he died shortly afterwards.  A police investigation into the
accident began.  But last night (Tuesday) the Police Minister, John Banks,
asked police to begin high priority investigations into allegations that his
death may not have been accidental.

White had purchased $525 of surplus office and computer equipment from Citibank
in Auckland.  Accidentally included with the equipment were around 90 computer
disks.  TV3 reported the disks contained details of overseas bank accounts of some
politicians and of some companies laundering money overseas.  White is
understood to have offered to sell the material back to the bank for $50,000.
In an out-of-court settlement on Friday, Citibank paid White $15,000 cash for
the return of all outstanding information in his control.  The suitcase in
which White had the money was found in the car along with his body, but the
money was missing.

White's lawyer, Mark Blomkamp, told TV3 that someone may well have considered
the information on the disks serious enough to kill for.  Asked if it was
possible that because the money was not in White's briefcase in his crashed car
the accident could have been invoked, Blomkamp said: "You might well think that
but I couldn't possibly comment".

Radio NZ last night quoted an unidentified source saying that White's car was
not as badly damaged as could be expected from an impact with a concrete
pillar.  The front of the car was significantly damaged by the 5.15am crash on
the Fanshawe St, city side, approach to the harbour bridge, but the dashboard
and steering wheel were not and there was no blood in the vehicle.

Bits and pieces ..
* Neighbours reported White's home in Birkenhead had been broken
 into several times and that he had met Tauranga MP Winston
 Peters (who is a member of the current government and several
 months ago alleged government links with big business and corruption).
* In one of three earlier burglaries, White was attacked as he
 returned home one night.
* White reported that in July he had been approached by people
 who identified themselves as members of the Security Intelligence
 Service, wanting to discuss the Citibank information.  After the
 meeting, White told an acquaintance that the supposed SIS agents
 had warned him that the police were about to search his property.
 The search took place two days later.  (NZSIS is NZ's approximate
 equivalent to the US's CIA.)
* On Friday, White celebrated at the Centra hotel in Auckland; he
 then left with a man and a woman (who have since been interviewed)
 at 10pm and went to the Regent Hotel for a meal.  After that he
 went to a nightclub and left about 4am.  What happened between
 then and 5.15am when he was found is unclear.
* Citibank is the New Zealand subsidiary of one of the largest
 banks in the United States, Citicorp.  It operates as a clearing
 bank and provides a range of non-retail banking services.
* The Ambulance service received "two or three" emergency calls from
 mobile phones -- it is not known who made the calls, or whether
 they witnessed the car crash.  White died shortly after the ambulance
 arrived.

(Summarized from {The Dominion} and {The New Zealand Herald}, 9 Sept 1992).

------------------------------

Date: Wed, 9 Sep 92 17:01:51 CDT
From: [email protected] (James Hanlon)
Subject: Arrest warrant database problems

Note: I recently posted a similar note to misc.legal.computing; I suspect the
     problem is common enough to enlist the help of the RISKS community.

An attorney acquaintance has a number of clients who have been picked up and
detained for various lengths of time, on the basis of warrants, later shown to
be incorrect. Reasons range from sloppy administrative work (clerical errors,
name confusions), to accumulated delays in the record-keeping process.

BACKGROUND INFORMATION

Police officers in the US need a few things in order to take a person into
custody ("arrest" them): chief among them is probable cause to believe that
they have committed a crime. The fact that an arrest warrant exists is in
itself probable cause. In practice, one can be taken into custody if the
arresting officer believes that a warrant exists--and someone on the radio
telling him that "the computer" shows an outstanding warrant is reason enough.

Problems occur in areas where numerous law enforcement agencies overlap, i.e.,
most urban areas in the US. Although there is normally a regional database of
warrant information, any agency can keep a database of warrants its own
officers have issued. Should a judge order a warrant killed ("quashed" is the
legalism), and should the kill order not be properly accomplished, the stage is
set: person leaves courtroom relieved, goes about his business, is stopped some
months (or years) later, officer checks central database, finds warrant
information, calls warrant-issuing police department, which checks **its**
warrant database. Conclusion: you are under arrest. There follows a collection
of more or less unpleasant and inconvenient experiences (e.g., a weekend in the
county lockup).

My question: is there an archive of these, or similar, occurrences on the net?
Is there a model of how the problem should be solved, perhaps in Jurisdiction
X?

I should mention that the attorney is presently suing the government units
involved, in federal district court in Chicago.

Thanks for all help.

James E. Hanlon                                        [email protected]

------------------------------

Date: Tue, 8 Sep 1992 10:11:09 GMT
From: [email protected] (Debora Weber-Wulff)
Subject: New computer delays Berlin Fire Department

Sigh. It's like no one reads comp.risks :-(.

The "Tagespiegel" announced this morning that the Berlin Fire Department has
been having terrible trouble with its new dispatching system. Seems they went
on line after just a few "tests" (no running the system in parallel to the old
one) because they now have to take care of the whole city and not just West
Berlin. They are having problems with fire-trucks being listed more than once,
phantom fire trucks, disappearing fire-trucks and messages, and the wrong
trucks being alerted. Seems the data entry people or the algorithm for finding
the closest fire station (or both) are not working, and trucks are being called
from far away, or they are alerted and then not told where to go. There have
been cases of it taking 30 minutes to get a fire truck to the scene of a fire.

Not a nice thought when youths are increasingly setting fires to refugee
hostels and such.

The company that installed the program is busy fixing the bugs, the newspaper
assures us, and will have it running soon.  Won't we all sleep better knowing
that it is sure to run when that last bug is gone?!

Debora Weber-Wulff, Institut fuer Informatik, Nestorstr. 8-9,
D-W-1000 Berlin 31    +49 30 89691 124   [email protected]

------------------------------

Date: 9 Sep 92 15:16:00 EST
From: "MARCHANT-SHAPIRO, ANDREW" <[email protected]>
Subject: hardware failure stops school

My institution, Union College, fell victim to a computer problem today: A
Hewlett-Packard machine used to handle registration died, leaving the College
unable to complete freshfolk registration.  Consequently, classes that were
scheduled to start on 9/10 cannot meet until next Tuesday, and an extra day (or
two??) will have to be added to the term calendar to make things work out.  All
faculty received notices marked URGENT that spoke of a 'massive computer
failure.'

I have little data on the failure, other than that it was apparently NOT a
software failure, but a real hardware breakdown.

Now, I suppose that the software and data on that machine are backed up -- but
there's the rub.  What do you do when you only have one piece of HARDWARE?
It's ironic, because most of the campus is hooked up to a 3-machine VAX cluster
-- while Administration runs on the single HP.  Good for security, but bad for
reliability.  Since many of the copiers went down at the same time (yep, in the
midst of syllabusing) I suspect a technological conspiracy...;-)

Andrew Marchant-Shapiro, Depts of  Sociology and Political Science,
Union College, Schenectady  NY  12308  (518) 370-6225  [email protected]

------------------------------

Date: Wed, 9 Sep 92 17:11:53 -0700
From: [email protected] (Phil Agre)
Subject: PC board waste in San Francisco Bay

The lead article in the current issue of "Global Electronics" (issue 115,
August 1992) concerns the pollution of San Francisco Bay by heavy metals
running off from small printed circuit board assembly shops in Silicon Valley.
It traces the problem to the common electronics industry practice of
subcontracting to these small firms rather than doing the dirty work in larger
and safer facilities of its own.  "Global Electronics" is published by the
Pacific Studies Center, 222B View Street, Mountain View CA 94041.  It costs $12
per year (12 issues of four pages each).

Phil Agre, UCSD

------------------------------

Date: Fri, 04 Sep 92 16:23:40 -0700
From: Nancy Leveson <[email protected]>
Subject: Re: TCAS (RISKS-13.78)

From RISKS 13.78,
  In the version of the TCAS story I saw locally about the 2 USair jets
  near-miss, it mentioned that for the period june -June of the previous year,
  over 60% of the warnings/advisements from TCAS systems nationwide have been
  erroneous. Many of these have been of the same sort reported -- the system
  told two planes that were "safe" to maneuver into an "unsafe" flight path...

This is totally and completely untrue and is evidence of what I warned about
in my previous message.  Even if you don't have the facts, does anyone
seriously think that a system with this error rate would be used at all?
Pilots are just not that stupid or suicidal and neither are those at the FAA.

It is very important that forums such as RISKS do not become sources of
dangerous misinformation.

   [I agree.  I have been somewhat too lenient in recent times, permitting
   material to emerge that is lacking in credibility, scholarship,
   carefulness, etc.  Time to ratchet up the quality again.  But I am very
   much at the mercy of our contributors.  Please observe the masthead
   guidelines.  Thanks.  PGN]

------------------------------

Date:  Wed, 9 Sep 92 11:10 EDT
From: Jack Holleran <[email protected]>
Subject:  Registration and Hotel Information - 15th National Computer
         Security Conference

The following information includes registration and hotel information for the
upcoming 15th National Computer Security Conference.  Appropriate phone numbers
are included.  (The program is contained in RISKS-13.78.)

                                    =-+-=

CONFERENCE REGISTRATION FORM
15th National Computer Security Conference
October 13-16, 1992
Baltimore Convention Center
1 East Pratt Street
Baltimore, Maryland

NAME: ___________________________________________________________

COMPANY: ________________________________________________________

ADDRESS: ________________________________________________________

CITY: ___________________  STATE: ___________ ZIP: ______________

COUNTRY: ______________________ TELEPHONE NO: ___________________

HOW WOULD YOU LIKE YOUR NAME TO APPEAR ON YOUR BADGE?
_________________________________

Registration Fee $280.00 before October 1, 1992;
                $315.00 on or after October 1, 1992

Payment Enclosed in the Amount of:  __________
Form of Payment:

___       Check.  Make checks payable to NIST/15th National
                 Computer Security Conference.  All checks
                 must be drawn on U.S. banks only.

___       Purchase Order Attached.  P.O. No.:  __________

___       Federal Government Training Form

___       MasterCard          ___Visa
         Account No.:  _______________ Exp. Date _______

         Authorized Signature: _______________________

PLEASE NOTE:  No other credit cards will be accepted.

Please return conference registration form and payment to:

         c/o 15th National Computer Security Conference
         Office of the Comptroller
         National Institute of Standards and Technology
         Room A807, Administration Building
         Gaithersburg, MD  20899
         Credit card registration may be faxed to
           Tammie Grice at (301) 926-1630.

Is this the first time you have attended the National Computer Security
Conference? ______________

Conference Participants List:

__  I do want my name on the Conference Participants List which is
    distributed to conference attendees.
__  I do not want my name on the Conference Participants List.


=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=

HOTEL RESERVATION FORM
15th National Computer Security Conference
October 13-16, 1992
Baltimore Convention Center
Baltimore, Maryland


Hyatt Regency Baltimore             (410) 528-1234
300 Light Street
Baltimore, MD  21202

Holiday Inn Baltimore Inner Harbor  (410) 685-3500
301 West Lombard Street
Baltimore, MD  21201

Radisson Plaza Baltimore Hotel      (410) 539-8400
20 West Baltimore Street
Baltimore, MD  21201

Tremont Plaza                       (410) 727-2222
222 St. Paul Place
Baltimore, MD  21202
(An all suites hotel)

Baltimore Marriott Inner Harbor     (410) 962-0202
110 South Eutaw Street
Baltimore, MD  21201

Tremont Hotels                      (410) 576-1200
8 East Pleasant Street
Baltimore, MD  21202
(An all suites hotel)

NAME:
COMPANY:
ADDRESS:
CITY:     ____________________   STATE:   ________  ZIP:  ____
COUNTRY:  ___________   TELEPHONE NO:  __________
(include country access code if appropriate)

Please Reserve:  Single Room(s) ______  Double Room(s) _______

Arrival Date:    _________   Departure Date:    _________

Person Sharing Room:  ___________________________


RATE (Refer to Conference Brochure):  ____Corporate; _____Government

Method of Guarantee:     _____Deposit Enclosed;  _____ Credit Card

Check
One:  __ American Express __ Visa __MasterCard __Diners Club __Carte Blanche

Credit Card #:  _________________ Exp. Date:  ______

Signature of Cardholder:  ________________________

------------------------------

End of RISKS-FORUM Digest 13.79
************************