RISKS-LIST: RISKS-FORUM Digest  Monday 27 February 1989  Volume 8 : Issue 31

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Bank fraud was "easy" (Stephen Page)
  Men accused of `hacker' crime (Michael C Polinske)
  Stanford bboard censorship (Les Earnest, John McCarthy, Jerry Hollombe)
  Computer writing coach / friend (Rodney Hoffman)
  British Computer Society policy on safety-critical systems (Martyn Thomas)
  Reach out and spy (gls)
  Risks of Running a Hotel (Chuck Weinstock)
  Singing in the Rain (Kent Borg)
  [RISKS BARFMAIL] (PGN)

----------------------------------------------------------------------

Return-Path: <@csl.sri.com:sdpage%prg.oxford.ac.uk@NSS.Cs.Ucl.AC.UK>
Date: Sun, 26 Feb 89 10:03:38 gmt
From: Stephen Page
Subject: Bank fraud was "easy"

From The Independent [London], 24 February 1989, p. 2:

"A 17-year-old junior cashier cheated the National Westminster Bank out of 1m pounds in a computer fraud, a court heard yesterday. ... Judge Helen Palin criticised the bank for lax security and refused to make a compensation order for 15,000 pounds which the bank has not been able to recover. ... After being given access to the bank's computer system he began by paying 10 pounds into his own account. He then paid himself 12,000 in imaginary cheques. Later, he transferred a credit for 984,252 pounds into the account of a friend ... and celebrated by buying 50 bottles of champagne. ... The judge said: "One of the worrying features of this case is that a young man who hasn't long left school is able to work the system in the NatWest bank on a number of occasions without being found out. Indeed, the general chat within the bank seems to be how easy it is to defraud that bank."

This is a good example of what ensues when system designers build weak controls - or perhaps when users fail to implement them?
Too often in the IT community I hear security and controls described as dull and uninteresting - anyone who has had the dreary job of producing a risks/controls matrix will sympathise - but it should NEVER be neglected. I'm glad the judge denied the compensation order.

------------------------------

Date: Mon, 27 Feb 89 10:12:07 CDT
From: Michael C Polinske
Subject: Men accused of `hacker' crime

This appeared in Friday, February 24th's _Milwaukee Journal_

2 MEN ACCUSED OF `HACKER' CRIME
By James Gribble of the Journal staff.

Vowing to step up efforts to stop computer crime, a Milwaukee County prosecutor has charged two Milwaukee men with fraudulently obtaining free long-distance telephone service.

The felony charges filed Thursday against Alan Carr, 35, and David Kelsey, 26, are the first so-called hacker crimes to be prosecuted by the district attorney's office.

Working independently, using home computers and similar software programs, the men are alleged to have obtained calling card codes for customers of an independent long-distance telephone company, Schneider Communications. They then used the codes to bill their personal calls to Schneider's customers, according to a criminal complaint prepared by Asst. Dist. Atty. Jon N. Reddin, head of the district attorney's White Collar Crime Unit.

Reddin said the total theft probably was less than $1,000, but he said the case reflected a growing problem.

"I have the feeling, from our investigation, that there's a lot of people out there doing this," he said. "The only way to stop it is to prosecute them, because this is theft. It's almost like someone stealing your credit card and using it to make purchases."

Schneider Communications was the victim in this case, Reddin said, because the company had to write off the customer billings for which Carr and Kelsey turned out to be responsible.

According to court records and Reddin, the investigation was prompted by a complaint from Schneider Communications.

The company's computer keeps track of all calls that are rejected because of an improper access code. Clients dialing incorrectly would cause 10 to 30 rejected calls a month, but sometime last year the number jumped to 1,000 or 2,000 per month.

Computer printouts showed the unknown parties were repeatedly dialing the computer and changing the access code sequentially, Reddin said. Hundreds of calls at a time were being made in this fashion, and each time the code was changed one digit at a time until a working code was encountered.

Because the company had no way of knowing where the calls were coming from, Wisconsin Bell placed a tracing device on the line, through which the calls were traced to the phone numbers of Carr and Kelsey.

The men were apparently unaware of each other and simply happened to be involved in similar schemes, Reddin said. Carr is alleged to have used a bootleg computer called "Hacking Construction Set Documentation." Kelsey is alleged to have used a similar bootleg program called "Mickey-Dialer." The programs were seized in raids at the defendants' houses, according to court records.

Reddin acknowledged that technological safeguards can detect such thefts after the fact but not prevent them. What Carr and Kelsey are alleged to have done can be done by any computer buff with the right software and know-how, Reddin said.

The key to deterring computer crime, in Reddin's view, lies in its prompt reporting to authorities. "The best way I can think of to do that is by filing a complaint with our office," Reddin said.

------------------------------

Date: 25 Feb 89 01:57:48 GMT
From: les@gang-of-four.stanford.edu (Les Earnest)
Subject: Stanford bboard censorship

Public accounts of the Stanford bboard censorship case, including the San Jose Mercury News article that appeared in RISKS 8.30, give the impression that the administration's ban on newsgroup rec.humor.funny has been effective.
Nothing could be farther from the truth -- the "banned" jokes continue to be available on all computers where they were available before and are now more widely read than ever before.

Usenet newsgroups are stored on 9 primary distribution machines at Stanford but are accessed via ethernet from hundreds of computers and workstations on campus. Two of these distribution machines were affected by the administration's ban on rec.humor.funny. The rest of the system, which I organized several years ago, still carries all newsgroups.

Since the "ban" began, every message from rec.humor.funny has been cross-posted to another bboard at Stanford (su.etc) that goes to all machines, including those that are supposed to be censored. There has been no move so far by the administration to deal with this "civil disobedience."

Interestingly enough, the bureaucrats who decided to ban rec.humor.funny didn't have the technical expertise to carry out their intentions, so they came to the Computer Science Department for help. This help was provided even though the individual involved disagreed with what they were doing.

The Usenet primary feed for Stanford is under the control of the Computer Science Department. There was a plan to turn control over to the administration but that plan has now been shelved. The Computer Science faculty voted this week to oppose newsgroup censorship.

Stanford's President Kennedy, who approved the original censorship decision, is now carefully dancing around the issue and has agreed that the Faculty Senate should review and decide on what the University's policy should be. It appears likely that the Senate will agree with the Computer Science Department.

Les Earnest                         Phone: 415 723-9729
Internet: Les@Sail.Stanford.edu
USMail: Computer Science Dept.      UUCP: . . . decwrl!Sail.Stanford.edu!Les
        Stanford, CA 94305

------------------------------

Date: 26 Feb 89 1343 PST
From: John McCarthy [via ]
Subject: Stanford bboard censorship

The following statement was passed unanimously at a meeting of the Computer Science Department faculty on Tuesday, Feb 21, 1989.

Statement of Protest about the AIR Censorship of rec.humor.funny.

Computer scientists and computer users have been involved in making information resources widely available since the 1960s. Such resources are analogous to libraries. The newsgroups available on various networks are the computer analog of magazines and partial prototypes of future universal computer libraries. These libraries will make available the information resources of the whole world to anyone's terminal or personal computer. Therefore, the criteria for including newsgroups in computer systems or removing them should be identical to those for including books in or removing books from libraries.

For this reason, and since the resource requirements for keeping newsgroups available are very small, we consider it contrary to the function of a university to censor the presence of newsgroups in University computers. We regard it as analogous to removing a book from the library. To be able to read anything subject only to cost limitations is an essential part of academic freedom. Censorship is not an appropriate tool for preventing or dealing with offensive behavior. We therefore think that AIR and SDC should rescind the purge of rec.humor.funny.

The Computer Science Department has also decided not to censor Department Computers.

------------------------------

Date: 27 Feb 89 23:48:37 GMT
Return-Path: <@philabs.philips.com,@ttidca:hollombe@ttidca.TTI.COM>
From: hollombe@ttidca.tti.com (The Polymath)
Subject: Censorship (Re: RISKS-8.30)

This is the same silly, emotional argument raised every time some form of public or semi-public media refuses to carry someone's pet hobby horse.
If you throw out all the emotional baggage about "freedom of speech" and "censorship", Stanford's decision not to carry rec.humor.funny is no more illegal, unconstitutional or censorious than their (de facto) decision not to sell hard-core pornography in the Student's Store. Only governments can commit censorship, by prohibiting all access to a set of facts. Rec.humor.funny still exists and is still accessible. Those at Stanford who wish to continue accessing it will simply have to sign up with a public access Unix site. (I believe the WELL is conveniently close, as are one or two free-access sites). Stanford is well within its rights to refuse to spend campus resources to support it.

The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)
Citicorp(+)TTI, 3100 Ocean Park Blvd., Santa Monica, CA 90405
(213) 452-9191, x2483
{csun|philabs|psivax}!ttidca!hollombe

------------------------------

Date: 26 Feb 89 14:07:56 PST (Sunday)
Subject: Computer writing coach / friend
From: Rodney Hoffman

From the "Bits and Bytes" page in 'Business Week' 6 March 89:

A PROGRAM SWITCHES FROM THERAPIST TO WRITING COACH

Sometimes talking over a subject with a friend can help you sort out your thoughts before you write a speech or business presentation. A Carrollton (Tex.) company called Xpercom now offers a computer-based "friend" for just that purpose -- a program called Thoughtline that runs on IBM personal computers and clones. It's based on Joseph Weizenbaum's famous Eliza program, written in the early 1960s at MIT. Named after the character in 'My Fair Lady,' Eliza could mimic the conversational skills of a psychotherapist so convincingly that many people believed it actually understood them as a human would and shared with it intimate details of their lives. [See RISKS 8.17 and 8.18] A shocked Weizenbaum ended up writing 'Computer Power and Human Reason,' a leading book on man's relationship to the computer. Thoughtline, selling for $295, works a lot like that.
It engages authors in written conversations about what they want to say, asking questions based on a script that it constantly adapts as each discussion progresses. It then spits out an outline based on what it has been told. Just like its predecessor Eliza, though, Thoughtline "understands" nothing at all.

------------------------------

Date: Thu, 23 Feb 89 16:34:20 BST
From: Martyn Thomas
Subject: British Computer Society policy on safety-critical systems

The BCS recently issued the following policy statement on safety-related computer systems (SRCS) in an attempt to raise awareness of the special problems created by programmable systems in safety-related applications. The policy attempts to steer a responsible course between the need to alert society to the increasing risks from poorly-developed SRCS, and the need to avoid creating irrational panic. We would welcome constructive criticism of this policy from Risks readers.

[declaration of interest: I chair the BCS safety-critical systems group, and wrote the policy statement. It was reviewed and amended by my colleagues in the group before being approved as BCS policy by the Vice-President (Professional), on behalf of the Professional Board.]

The complete text of the policy statement is given below.

THE BRITISH COMPUTER SOCIETY, 13 Mansfield Street, London W1M 0BP
BCS SAFETY CRITICAL SYSTEMS GROUP

Policy Statement on Safety-Related Computer Systems

PREAMBLE

Safety-Related Computer Systems (SRCS) are defined as those systems which, if they go wrong, can lead directly to physical injury of humans. In almost every case, the potential for injury lies in the system which the SRCS is controlling or monitoring. Assuring the safety of the total system therefore involves several branches of engineering, depending on the application. Most industries are justifiably proud of their safety records.
POLICY

1  Computer systems, appropriately developed and deployed, can enhance the safety of many processes and products, and bring other economic benefits.

2  The safety of a system is a system-wide issue, and the safety of a SRCS cannot usefully be considered in isolation from the total system of which it forms part.

3  Safety is a relative term; system safety can always be improved at increased cost. The developer therefore has to identify the level of adequate safety and to develop all the subsystems so that this level is achieved overall.

4  The probability of error in a system increases with increasing complexity. SRCS should be designed so that their complexity is kept to a minimum, and so that they are isolated from interference from non safety-related subsystems.

5  SRCS should be developed and supported by suitably-qualified staff.

6  The quality of every SRCS should be the responsibility of a named engineer within an accredited organisation who has up-to-date training and certification in the relevant technologies.

7  Wherever possible, the methods used for developing, supporting and assessing SRCS should be based on sound, scientific and mathematical principles.

8  There is urgent need for harmonisation of development standards for SRCS between industries and internationally. The BCS will work with the relevant authorities to achieve this harmonisation.

9  The science and technology necessary to achieve and assess highly reliable computer systems is not yet fully developed, and research and development are therefore urgently needed. The BCS calls upon the DTI and SERC to encourage and support the necessary work.

10 In view of the limited experience with SRCS, the wide variation in development methods, and the rapid growth in their use, the BCS calls for a system of registration of SRCS, with mandatory fault reporting, so that minimum standards can be enforced and data can be gathered which will allow the success of different approaches to be assessed.
11 The BCS wishes to emphasise that there is no evidence that current SRCS pose a serious threat to the public. There is therefore no cause for alarm, although action is urgently recommended on the points listed above.

Martyn Thomas, Chairman, BCS Safety Critical Systems Group

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel: +44-225-444700.  Email: ...!uunet!mcvax!ukc!praxis!mct

------------------------------

Date: Sun, 26 Feb 11:15:09 1989
From: odyssey!gls@att.att.com
Subject: Reach out and spy

The VAX/VMS "spying" package that Peter Scott describes in Risks Digest 8.30 has an old precedent.

Aiken C. C. got a Scientific Data Systems "Sigma" time-sharing system around 1969, with terminals in several locations on the Harvard campus. A few months after it was installed I wrote an interactive program called RADIO that monitored any other terminal in the system. RADIO required no privilege, because the pages of system space that were mapped into user memory included the terminal buffers for the whole system! RADIO made a mockery of confidentiality, and since you could use it to monitor a login sequence, it also made a mockery of authentication.

Incidentally, there was no source code for RADIO. Access to the assembler was restricted (as a security feature), so I wrote the program in machine language using the debugger.

The staff at Aiken _eventually_ succeeded in destroying all copies of RADIO ... but not without reluctance. They had meanwhile learned the RADIO users' practice of using two RADIOs to talk to each other. If the facility of "talking" seems useful now, it seemed miraculous then. In those days computer system engineers were careful to leave out any kind of "talking" facility for fear of subjecting their systems to FCC regulations.

So far as I know, the only harm that RADIO did was to explode password security. If not for that it might have lived for years.
------------------------------

Date: Mon, 27 Feb 89 09:55:33 EST
From: Chuck Weinstock
Subject: Risks of Running a Hotel

Those of you who have been ripped off by the alternative operator services (AOS) that provide long distance telephone services to many hotels will be interested in an article that appeared in Friday's Wall Street Journal. It seems that most hotels are neither equipped to bill 976 or 900 calls properly nor to block them. As more and more people discover this, the hotels are finding they are getting interesting phone bills at the end of the month!

------------------------------

Date: Fri, 24 Feb 89 15:07:03 EST
From: kent@lloyd.UUCP (Kent Borg)
Subject: Singing in the Rain

Not only have our eyes been the victims of trickery for years (Fred dancing on the ceiling), but so have our ears: In the famous Singing in the Rain dance scene we saw Gene Kelly get rather wet, but we were hearing Gwen Verden (sp?) doing the tapping on the sound track (would that be foot syncing?).

(Ever notice how very well lit the `rain' drops were in that scene? In real life you often have to put your hand out to find out whether it is raining, in the movies you can always *SEE* the rain.)

Hollywood has been using pictures and recordings to `lie' for years. As a famous camera man once said: "There is nothing natural about natural lighting." The digital doctoring of photos is, in many ways, nothing new, just more powerful.

Kent Borg

P.S. Deception has a long history: "But I *WATCHED* him saw her in two!!"

------------------------------

Date: Mon, 27 Feb 89 12:30:19 PST
From: The Mailer Daemon [via PGN]
Subject: [RISKS BARFMAIL]

[THIS HAS BEEN GOING ON FOR WEEKS NOW. NO ONE HAS COMPLAINED. IS THE NET GOING TO HELL? ARE THESE RISKS READERS FINDING OTHER SOURCES? I AM GIVING UP ON THESE ADDRESSES. PLEASE NOTIFY YOUR FRIENDS. I GOT 400,000 characters in barf mail over the weekend. PGN]

Message undelivered after 3 days -- will try for another 2 days:
  ...@VAXA.ISI.EDU: Cannot connect to host
  ...@lll-crg.llnl.gov.#Internet: Cannot connect to host
  ...@EWD.DREO.DND.CA: Cannot connect to host
  ...@LA.TIS.COM.#Internet: Cannot connect to host
  ...@mitre.arpa: Cannot connect to host
  ...@xx.drea.dnd.ca: Cannot connect to host
  ...@red.ipsa.dnd.ca: Cannot connect to host
  ...@sealion.gcy.nytel.com: Cannot connect to host
  ...@wr-hits.arpa: Cannot connect to host
  ...@afsc-bmo.af.mil: Cannot connect to host
  ...@epsilon.jpl.nasa.gov: Cannot connect to host
  risks-p@brl.arpa: 550 (USER) Unknown user name in "risks-p@brl.arpa"

AND THEN I GOT EIGHT COPIES OF THE ENTIRE RISKS MAILING BACK FROM
Return-Path:
554 mailer mail died with signal 4

THIS IS GETTING MORE AND MORE RIDICULOUS!

------------------------------

End of RISKS-FORUM Digest 8.31
************************
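The rejected-call monitoring in the Schneider Communications item (Michael Polinske's post earlier in this issue), worked through as an added example; this is not code from the digest or from any of its contributors. It assumes a log of rejected calls kept as (timestamp, inbound line, attempted code) records; the sample records, the "L1"/"L2" line ids, the six-digit code format and all thresholds are constructed. It goes one step beyond the article: besides the two after-the-fact signals the prosecutor describes (the monthly jump from 10-30 rejections to over a thousand, and codes changing by one on each attempt), it adds a per-line rate rule that a switch could use to throttle further attempts from a line, a control the article does not mention.

```python
"""Rejected-call monitoring modelled on the Schneider Communications case.

Added example, not from the digest. Records, line ids, code format and
thresholds are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The article quotes 10 to 30 rejected calls a month as the normal level.
NORMAL_REJECTS_PER_MONTH = 30

# Constructed rejected-call records: (timestamp, inbound line, code tried).
# Line "L1" shows a few customer mis-dials over a month; line "L2" tries
# 400 codes in sequence, one a minute, on a single night.
SAMPLE_REJECTS = [
    ("1988-06-03 09:12", "L1", "481203"),
    ("1988-06-11 14:40", "L1", "481230"),
    ("1988-06-19 20:05", "L1", "418203"),
] + [
    (f"1988-07-01 {2 + i // 60:02d}:{i % 60:02d}", "L2", f"{100000 + i:06d}")
    for i in range(400)
]


def monthly_reject_counts(records):
    """Count rejected calls per calendar month ("YYYY-MM")."""
    return dict(Counter(ts[:7] for ts, _line, _code in records))


def months_over_baseline(records, normal=NORMAL_REJECTS_PER_MONTH, factor=5):
    """Months whose rejected-call total exceeds `factor` times the normal
    level. The jump the article describes is what this catches."""
    counts = monthly_reject_counts(records)
    return sorted(m for m, n in counts.items() if n > normal * factor)


def sequential_runs(records, min_run=5):
    """Per inbound line, the longest run of rejected codes in which each
    attempt is exactly one more than the previous one. A long run is the
    signature of code walking rather than mis-dialling.
    Returns {line: run_length} for lines whose run reaches min_run."""
    by_line = defaultdict(list)
    for _ts, line, code in sorted(records):   # timestamps sort chronologically
        by_line[line].append(int(code))
    hits = {}
    for line, codes in by_line.items():
        longest = run = 1
        for prev, cur in zip(codes, codes[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            hits[line] = longest
    return hits


def lines_to_throttle(records, max_rejects=5, window_minutes=10):
    """Inbound lines with more than `max_rejects` rejections inside any
    `window_minutes` window: candidates for temporarily refusing further
    code attempts from that line (an assumed control, not from the article)."""
    by_line = defaultdict(list)
    for ts, line, _code in records:
        by_line[line].append(datetime.strptime(ts, "%Y-%m-%d %H:%M"))
    window = timedelta(minutes=window_minutes)
    flagged = set()
    for line, times in by_line.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over time
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_rejects:
                flagged.add(line)
                break
    return sorted(flagged)


def report(records):
    """Combine the three checks into one summary an operator could act on."""
    return {
        "months_over_baseline": months_over_baseline(records),
        "code_walking_lines": sequential_runs(records),
        "lines_to_throttle": lines_to_throttle(records),
    }


if __name__ == "__main__":
    print(report(SAMPLE_REJECTS))
```

Running the module prints report(SAMPLE_REJECTS); on the constructed records it reports July 1988 as over baseline, line L2 as walking 400 consecutive codes, and L2 as the line to throttle, while the three mis-dials on L1 trip nothing. The monthly count is the cheapest signal but lags by up to a month; the per-line window rule is the one that can act while the attempts are still in progress, which is why it is worth keeping the rejected-call record per line rather than only as a total.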