RISKS-LIST: RISKS-FORUM Digest Sunday 8 January 1989 Volume 8 : Issue 3 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Computer-related accidental death (Gegg) Re: Danish Home Companion, Kierkegaard, and Feynman (David E. Leasure) "NO CARRIER" (Jef Poskanzer via David Sherman) Re: Tales from the Vincennes tape (Maj. Doug Hardie) "Hand-written" letters (Gary Chapman) Dark Side Hacker, an Electronic Terrorist (Rodney Hoffman) The risks of trusting CBS (Phil Goetz) Hackers - pure and simple (Travis Marlatte) Viruses of all kinds (Travis Marlatte) Henry Cox's "Supercomputer used to `solve' math problem" (John C. Bazigos) ---------------------------------------------------------------------- Date: Sun, 8 Jan 89 15:27:28 EST From: USER=GEGG@ub.cc.umich.edu Subject: Computer-related accidental death COMPUTER-RELATED ACCIDENT RESULTS IN WOMAN'S DEATH JOHANNESBURG, SOUTH AFRICA, 1988 DEC 28 (NB) -- According to the Associated Press, a South African woman was killed Tuesday in a freak computer-room accident. The death occurred when 1 1/2-ton steel doors closed on Renata Espach as she stood in their path but out of sight of optical sensors intended to detect obstructions. The accident took place at the computer facilities of Liberty Life in Johannesburg as the 23-year-old woman was handing a document to a colleague in the course of her employment. found on usa today distribution bbs fido104/555 303-973-4222 1/7/89 by anonymous guest (no replies pls) ------------------------------ Date: Fri, 6 Jan 89 14:05:51 EST From: hou2d!del@att.att.com Subject: Re: Danish Home Companion, Kierkegaard, and Feynman (RISKS-8.1) R. P. Feynman in his recent book "What do you care what other people think" adapted a Buddist (possibly Shinto, I can't remember) story to explain dangers and benefits of technology. His explanation went something like this: There is a key that opens the gate of heaven and it's the same key that opens the gate of hell. The two gates cannot be distinguished from the outside and the only way to tell which is which is to open it. Obviously, it's very desirable to have this key because it allows us to experience wonderful things, but there's also the risk of hell. That key is technology. David E. Leasure - AT&T Bell Laboratories - (201) 615-4169 ------------------------------ Date: 6 Jan 89 07:57:49 EST (Fri) From: dave@lsuc.UUCP (David Sherman) Subject: "NO CARRIER" | From: jef@ace.ee.lbl.gov (Jef Poskanzer) | Newsgroups: comp.misc,comp.dcom.modems | Subject: NO CARRIER | Message-ID: <1595@helios.ee.lbl.gov> | Date: 4 Jan 89 18:38:50 GMT | | Some terminal emulator programs have an amusing bug. When they see the | text "NO CARRIER" at the beginning of a line, they stop listening to | the modem. Like this: | | NO CARRIER | | If your emulator has this bug, you are no longer on line, and are not | reading this. Yes, this sounds far-fetched, but I can personally | assure you all that it's not just another chain-letter variation like | the modem virus story. I discovered this on the WELL a while back when | I opened a topic called "NO CARRIER", and then got mail from a user | complaining that whenever he tried to read the topic his modem hung | up. He was not computer-literate enough to have been making a joke. | Recently another user reported the same problem. Forwarded from Usenet by David Sherman, lsuc!dave@ai.toronto.edu ------------------------------ Date: Thu, 5 Jan 89 14:43 EST From: "Maj. Doug Hardie" Subject: Re: Tales from the Vincennes tape I am not surprized by these relevations. I have observed the same behavior from my son when he is playing a video game on the computer. Once people get into these games, it is as if it was real, as if their life was threatened by whatever scenario is there. Perhaps games of that sort based on the particular equipment and expected mission could be used both in the development of systems to find out what strange things people will do under pressure, and to help train the eventual users to understand how to respond when those pressures do occur. Doug ------------------------------ Date: Thu, 5 Jan 89 09:14:37 PST From: chapman@csli.Stanford.EDU (Gary Chapman) Subject: "Hand-written" letters Jerry Leichter reported this item in an editorial of the New York Times: The tide of progress, in other words, sometimes flows backward. There's probably only one sure way now to write letters that are, and look, personal: by hand. Some years ago I was on the PBS television show *Computer Chronicles*, as part of a panel discussion about the use of computers in U.S. politics. The other guest on the show was a gentleman from a large direct mail firm which specializes in mailings for political causes and candidates. He brought along some of his samples to show us how sophisticated mailings are becoming. One of them was particularly interesting: the mailing was sent out to about three quarters of a million senior citizens in the state of Arizona. It had to do with some kind of issue that had an impact on senior citizens, and the polls indicated the vote was likely to be close (direct mail can make the difference only when votes are close). The direct mail company had developed a mail-merge program using handwriting instead of formed characters, and then had these letters printed on vast machines that actually wrote out the letters with high-speed pens, I gathered, so that the final product was virtually indistinguishable from a handwritten letter. The stationery the letters were printed on had only a person's name and home address at the top of the page, as if it were personal stationery. The envelopes were printed with the same handwriting sample and the same process so they appeared to be hand-addressed. The company even went so far as to affix the stamps (first class of course) on the outside of the envelope with a jig that rocked back and forth in a frame so the stamp would only rarely be glued on exactly straight up and down. This gentleman from the direct mail company told us proudly that the campaign headquarters had received something like 14,000 telephone calls the first day after this mail was delivered, and the election was turned in their client's favor. I looked at his sample letters and envelopes and could eventually tell that these were computer-generated. But I would not expect senior citizens, who typically don't imagine that technology is capable of simulating a hand-written letter so well, to be so discriminating. I would bet that a large majority of the recipients were convinced they had received a letter that someone had painstakingly written to them in a very personal fashion. -- Gary Chapman, Executive Director, Computer Professionals for Social Responsibility ------------------------------ Date: 8 Jan 89 15:09:41 PST (Sunday) From: Rodney Hoffman Subject: Dark Side Hacker, an Electronic Terrorist Kevin Mitnick, earlier characterized as "armed with a keyboard and considered dangerous" [see RISKS 7.95] is the subject of a lengthy profile by John Johnson in the 8 Jan 89 'Los Angeles Times', with the headline: Computer an 'Umbilical Cord to His Soul' 'DARK SIDE' HACKER SEEN AS 'ELECTRONIC TERRORIST' When a friend turned him in and Mitnick asked why, the friend replied, "Because you're a menace to society." Mitnick is described as 25, an overweight, bespectacled ... computer junkie known as a 'dark side' hacker for his willingness to use the computer as a weapon.... whose high school computer hobby turned into a lasting obsession .... He allegedly used computers at schools and businesses to break into Defense Dept. computer systems, sabotage business computers and electronically harass anyone -- including a probation officer and FBI agents -- who got in his way. He also learned how to disrupt telephone company operations and disconnected the phones of Hollywood celebrities such as Kristy McNichol, authorities said. So determined was Mitnick, according to friends, that when he suspected his home phone was being monitored, he carried his hand-held keyboard to a pay phone in front of a 7-Eleven store, where he hooked it up and continued to break into computers around the country. "He's an electronic terrorist, said [the friend who turned him in], "He can ruin someone's life just using his fingers." Over the last month, three federal court judges have refused at separate hearings to set bail for Mitnick, contending there would be no way to protect society from him if he were freed.... Mitnick's lack ofconscience, authorities say, makes him even more dangerous than hackers such as Robert Morris Jr., ... who is suspected of infecting computer systems around the country with a "virus" that interfered with their operations. Mitnick's family and attorney accuse federal prosecutors of blowing the case out of proportion, either out of fear or misunderstanding of the technology. The story details his "phone phreak" background, and his use of high school computers to gain access to school district files on remote computers, where he didn't alter grades, but "caused enough trouble" for administrators and teachers to watch him closely. He used the name `Condor,' after a Robert Redford movie character who outwits the government. The final digits of his unlisted home phone were 007, reportedly billed to the name "James Bond." [He and a friend] broke into a North American Air Defense Command computer in Colorado Springs in 1979.... [The friend] said they did not interfere with any defense operation. "We just got in, looked around, and got out.".... What made Mitnick "the best" said a fellow hacker and friend, was his ability to talk people into giving him privileged information.... He would call an official with a company he wanted to penetrate and say he was in the maintenance department and needed a computer password. He was so convincing, they gave him the necessary names or numbers.... He believed he was too clever to be caught. He had penetrated the DEC network in Mass. so effectively that he could read the personal electronic mail of security people working on the case of the mysterious hacker and discover just how close they were getting to him. But caught he was, again and again.... Mitnick's motive for a decade of hacking? Not money, apparently.... Friends said he did it all simply for the challenge.... [His one-time probation officer says,] "He has a very vindictive streak. A whole bunch of people were harassed. They call me all the time." .... His mastery of the computer was his "source of self-esteem," said a friend. ------------------------------ Date: Sat, 7 Jan 89 15:03 EST From: PGOETZ@LOYVAX.BITNET Subject: The risks of trusting CBS From the Jan. 89 issue of The Institute (a supplement to IEEE Spectrum), in an IEEE article by Tekla Perry: Saratoga, CA- Some 200 personal computer industry pioneers and current innovators met here Oct. 7-9 for the invitation-only fourth annual Hackers Conference... "Hackers," as defined by this group, are "artists of technology," people who "derive joy from discovering ways to circumvent limitations," or more simply, those who are willing to "hack at that computer keyboard until the computer does what you want it to." [Note that people invited to the Hackers Conference include people like Steve Wozniak, Bill Gates, Mitch Kapor, etc. (as well as CBS!). Imagine their surprise when , according to the article:] CBS... seemed not to have taken the point. Its Oct. 8 national report led with these words: "A small revolutionary army is meeting in the hills above California's Silicon Valley this weekend, plotting their next attack on the valley below..." Phil Goetz PGOETZ@LOYVAX.bitnet ------------------------------ Date: Fri, 6 Jan 89 14:05:08 PST From: att!ihlpa!travis@ucbvax.Berkeley.EDU Subject: Hackers - pure and simple I hold a more elementary definition of "hacker". One that was applicable in the early days and remains so. Very simply, a hacker is one who is keenly interested in the full capabilities of a system. This implies that experimenting is done to discover the undocumented features, the limits of the controls, and the back doors that should not exist. This was and can be done in a constructive way. This was and can be done in a malicious, irresponsible way. We, as computer professionals have, then, two responsibilities. First, we must begin to think of malicious hacking as socially unacceptable. This should not require the demise of hacking (according to my definition) altogether. The perpetrator of misdirected hacking must not be rewarded for his or her efforts. As colleagues of the irresponsible hackers, we must view them with distaste for they will destroy the profession. Second, a system of licensing should be implemented. This need not be (but could be) a knowledge certification. A general form of permission granted to all who request it would suffice. This license can then be revoked or suspended upon conviction of some computer related offense. The license number would be put on resumes, employers would demand new employees to have valid licenses, and the future of ones career would hinge upon keeping that license intact. The public has a right and, unfortunately, a need to regulate computer related activity that affects the public. Some sort of licensing proclaims that society agrees that this person is trustworthy (so far). Mr. Morris, Jr. would not, in my eyes, be eligible to receive a license to practice his trade. Travis Marlatte ihlpa!travis 312-416-4479 AT&T Bell Labs ------------------------------ Date: Fri, 6 Jan 89 14:44:20 PST From: att!ihlpa!travis@ucbvax.Berkeley.EDU Subject: Viruses of all kinds The analogy between computer viruses and medical viruses is appropriate. Medical researchers are required to use approved methods for biological research. The leverage enacting those requirements comes in the form of: licensing by a medical board with a list of expectations, laws that protect the public's safety, and even laws that protect animal rights. There is nothing to stop a researcher from suddenly going mad and applying his or her knowledge for malicious purposes. There is incentive to follow socially approved channels for conducting legitimate research - fear of losing one's license or being criminally charged. With these mechanisms and laws in place, the public has a means to deal with malicious researchers who ignore the rights of others. Travis Marlatte ihlpa!travis 312-416-4479 AT&T Bell Labs ------------------------------ Date: Thu, 05 Jan 89 19:59:44 -0800 From: "John C. Bazigos" Subject: Henry Cox's "Supercomputer used to `solve' math problem" > Date: Wed, 21 Dec 88 09:23:26 est > From: Henry Cox > Subject: Supercomputer used to "solve" math problem (RISKS-7.97) The "Montreal Gazette" errs by espousing the false belief that solving "a theoretical mathematics problem so complex that it is beyond the capability of the human mind to comprehend" implies, first, that scientists must "accept the supercomputer's solution more or less on faith"; and second, that the proof is not fully understandable for verification purposes. The necessary and sufficient condition for verifying a proof is ensuring that each step in the derivation of the final result is valid -- i.e., follows from formal definitions, postulates, rules, and validly derived results (i.e., lemmas and/or theorems). However, that condition is neither necessary nor sufficient for understanding the problem: One can, trivially, logically derive a result that one does not "comprehend"; and inversely, one can comprehend a result, whether it is true or false, for which no derivation is known --e.g., P being a strict subset of NP, or Fermat's "Last Theorem"-- or for which no derivation exists -- e.g., Godel's reflexive assertion of not being a theorem. The only faith required to verify any proof is faith in, first, the logical system on which the verification is based; and second, the verification's valid stepwise application of that logical system. Summarily, one not only can, but logically must, accept the result of validly applying valid logic to premises that one accepts, regardless of the extent to which (s)he "comprehends" the result. Now, if my information that the (non-)existence of a finite projective plane of order 10 does not qualify as "a theoretical mathematics problem so complex that it is beyond the capability of the human mind to comprehend" is correct --which seems likely, given that humans programmed the computer to (dis)prove it-- then the article was blatantly inaccurate in characterizing the problem as incomprehensible. However, whether or not the argument was thus falsely predicated, its logic was, as proven in the immediately preceding paragraph above, invalid -- and non-trivially so, as Mr. Cox's above inferences therefrom demonstrate. In response to Mr. Cox's terminal (parenthetic) sentence > [ The RISKS are obvious. The willingness of people to accept a computer's > answer on faith (whether at the cash register at the grocery store or in the > university environment) remains disturbing. Henry Cox] it would be disturbingly anti-progressive of people to continue to trust human operators more than non-human machines to perform tasks (e.g., tabulating grocery bills, and operating switching networks) that these machines have proven themselves superior to humans at executing. Verifiably yours, -- John C. Bazigos P.S. Given that the earth's present population is less than 5 billion; it follows that 1 quadrillion possibilities represents 200,000 possibilities per person -- which is 4 times the above article's claim of 50,000 per person. ------------------------------ End of RISKS-FORUM Digest 8.3 ************************ -------