Aucbcory.221
net.followup
utcsrgv!utzoo!decvax!ucbvax!ARPAVAX:CAD:ESVAX:Cory:cc-treas
Tue Mar  9 01:42:08 1982
Another Newspaper Article - SF Examiner
The following article appeared in the San Francisco Examiner,
Monday March 8, 1982 on page B7:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

       Experts Fear Computer Pranks lead to Crimes

               By Carl Irving
               Examiner Staff Writer

   Security experts fear that a generation of computer criminals may
emerge from the nation's universities, encouraged by their benevolent
professors to commit pranks that could lead to fraud, embezzlement,
and worse.
   Discovery of a computer technique at the University of California
at Berkeley, which has the potential to be the most serious breach yet
to computer security, brought the matter to public attention this
week.
   Two of the nation's leading computer security experts at SRI in
Menlo Park are convinced that academicians have been too lax, ignoring
or condoning what they consider light-hearted student pranks that show
up on computer programs.
   Faculty computer experts at Cal and Stanford counter that almost
all of their students behave responsibly and don't exploit the
equipment. They contend, moreover, that the spirit of
academic inquiry does not flourish under the shadow of suspicion or
secrecy.
   But industry people fear that secrets vital to the firm or
national security could be endangered unless students learn to
restrict computers to less imaginative uses.
   "That's always been a thorny issue," says Ralph Gorin, director of
the LOTS computer center for students at Stanford University.
"Probably at no point in time have politicians or administrators felt
the populace should know everything. In some ways, that is
antithetical to what we are trying to do at a university."
   But Charles Wood, computer security analyst at SRI, said, "We're
worried that students are rewarded for what faculty members might
consider engaging behavior, in experimenting with the computers.
   "Campuses are hotbeds for ideas. And kids [AUUUUGH! We're hardly
kids! -eef] playing with computers for 10 or 14 hours a day are so
oriented to them, it's not surprising they come up with new and
different ways to attack security systems. This is another in a long
string of vulnerabilities coming to computer systems."
   At Cal, students last year discovered a way to use the computer
privileges of another user, which Wood says could circumvent controls
in an industry system.
   "One person can do it all," he said. "It opens up to frauds and
embezzlements, and a wide range of other abuses."
   The method discovered at Berkeley, simple and undetectable, was
revealed some time later -- last September -- to M. Stuart Lynn,
director of Computing Affairs.
   Recognizing a security problem, Lynn consulted with Donn Parker,
Wood's colleague at SRI. The SRI group described the method to the
computer industry, to help block use of the method.
   Parker regarded the discovery as probably the most serious
uncovered so far, because of its simplicity and the wide range of
systems that could be vulnerable to it.
   At Berkeley, the system involved is UNIX, produced by [can you
guess?] Digital Equipment Corp. Thousands of the UNIX computer brains
are in use around the world. [UNIX computer brains? Who thought of
THAT one?!]
   Known methods to counter the discovery involve either a "monitor"
-- somebody watching over everyone's shoulder electronically -- or
removal of part of the terminal equipment. Both methods are expensive.
   Lynn defends his students, saying they "don't exploit things." He
notes that they did "the responsible thing" by bringing it to his and
others' attention.
   "The vast majority are very responsible individuals," says Lynn.
But future purchases will not have the feature that enabled students
to break through into others' files, Lynn added.
   The vice president of the Computer Sciences Student Association,
[It's actually Computer Science Undergraduate Association. -eef]
Daniel Conde, says that about a dozen "hackers" -- as those who make a
hobby of playing games on the computers are called -- spend extra time
on the terminals at the Berkeley computer center.
   "They tend to hang around and play games, but they don't do any
harmful stuff," says Conde. But the center is becoming more crowded
now with students eager to learn how to use computers, and play time
has been cut back severely, Conde adds.
   At Stanford, Gorin says the honor system -- depending on the
students to monitor themselves -- and the faculty instructions on how
to use the computers are the only security methods in use.
   "We are perhaps less thorough than we should be in trying to drum
into the students what appropriate behavior is," he concedes. "But if
you read somebody else's files, how's that different from reading
somebody's printout you find in a wastebasket?"
   Gorin also concedes that the computer, like the automobile and
other technologies, has the potential for abuse. But he'd like to
concentrate on its potential for enriching campuses -- "computers have
the potential to augment each individual's capability, so each can
accomplish more and produce better results."
   While people such as Gorin instinctively oppose such notions as
"electronic fences," Wood and Parker criss-cross the nation advising
firms about the defenses against computer break-ins.
   There have been some serious ones. The one that took $2 billion
from the Equity Funding of America in Los Angeles still leads the
list, according to Parker. Executives there created 64,000 fake life
insurance policies, declared all their holders dead, and collected the
vast proceeds.
   The policies were all drawn up on the computer. Twenty-two people
were convicted.
   Parker, who is consulted by Scotland Yard and the FBI on computer
matters, said in an earlier interview that behavior leading to this
kind of crime can begin on a campus, "because we're encouraging them
to compromise computers and teaching them it's a game."
   While students may not often abuse their computer privileges,
there have been some dramatic examples. In 1975, a student was
graduated Phi Beta Kappa from Queens College. Four years later, the
honor was revoked when the administration found that he'd upped his
grades over four years, along with those of 15 other students.
   Young people often are the most ingenious in penetrating computer
networks. A year ago, an eighth-grader was identified as one of three
to have invaded computer data banks of several companies.
   A 15-year-old Concord student, using $60 worth of second-hand
equipment, disrupted the UC system for months. He was eventually
charged with stealing more than 200 hours of time.
   According to Wood, the latest UC "breakthrough" became possible
because of a feature that allows remote control of a terminal.
   The students made use of this feature to find a technique that
"permits one user to lead the machine to think he's someone else. So a
data entry clerk could lead a machine to believe he's a security
officer or a programmer or some other privileged user."
   The discovery or "vulnerability" at Cal applies to a number of
systems now in use around the country.
   Industry, says Wood, has lagged in realizing some of the potential
problems involved in using computers.
   Computers have been heralded "as a way to increase productivity.
People have been hypnotized by their advantages, and don't consider
the potential disadvantages," he said.
   He would like to see a government or industry clearing house for
computer security information.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Some comments:
       This `method' for zapping users (and indirectly systems) is
very old. Not discovered last spring, or this fall, but years old.
       Equity Funding had nothing to do with computer security. The
system involved was being used to aid in a Ponzi Game (A pyramid
Scheme) and the company officers all knew about it. The computer just
made the numbers bigger, because the con men could keep better records.
       UNIX (is a Trademark of Bell Laboratories) is NOT `made' by
Digital Equipment Corp. The machines may be, but (thank god and the
wise administrators of Berkeley) that does NOT mean we run their
Opsystems.
       The Computer Science Undergraduate Association gets nothing
from the Office of Computing Affairs or the Computer Center. This
account is available to me (as the Treasurer of said organization)
under the auspices of the EECS department at Berkeley. Also, our
hackers program just as much as hackers anywhere. We do NOT only
play games!
       At no time do professors at the University of California
encourage attacks on computer system security. Besides, if we don't
discover the holes in system security where "The vast majority are
responsible individuals...", then someone else will, at another place,
with nastier consequences.

               Erik E. Fair
               CSUA Treasurer
               Cory.cc-treas@Berkeley
               ucbvax!ucbcory!cc-treas

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen
of http://communication.ucsd.edu/A-News/


This Usenet Oldnews Archive
article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.