RISKS-LIST: RISKS-FORUM Digest   Wednesday 12 April 1989   Volume 8 : Issue 55

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Informing the Public about Risks (Marc Rotenberg)
  Central Locking Systems (J M Hicks)
  Social Security Administration Verifying SSNs (David Gast)
  Not Secure Agencies (Hugh Miller)
  Re: Cellular Telephones (Eric Roskos)
  Risk to Sun 386i users (Mike O'Connor via Alan Wexelblat)
  Infallible Computers and Perry Mason (Brinton Cooper, Ephraim Vishniac)
  Air Canada and fuel-proof gauges (Robert Dorsett, John Hascall)

----------------------------------------------------------------------

Date: Wed, 12 Apr 89 07:57:52 -0700
From: mrotenberg@cdp.uucp
Subject: Informing the Public about Risks

"Tell the Public the Truth About Risks"
(The Washington Post, 4/12/89, p. A22, letter to the editor)

"Jessica Tuchman Mathews' op-ed article `Is There More Risk in the World?'
(March 29, 1989) sidesteps one of the most basic issues in risk management:
the difference between imposed risk and assumed risk. Dr. Mathews states
that once people cease to trust `those who manage and regulate the risks in
their lives . . . society's responses become irrational.'

"Public opposition to risky technologies - or technologies whose risks are
concealed or lied about by industry and regulators - is not irrational. If
they are denied complete and reliable information, people will continue to
fight against the introduction of new, unknown risks in their lives.

"Full public information and participation are critical elements in
decisions about risk. Unfortunately, in this decade the federal government
has consistently restricted public knowledge and involvement in such
questions, with decisions often made on the basis of narrowly defined
cost-benefit analysis.

"This trend should be reversed.
Complete information about various options must reach those upon whom risks
will be imposed in order to ensure their involvement in final decisions. For
example, in the public debate over meeting future energy needs, nuclear
power and its attendant risks should be compared not only with conventional
methods of power generation but with increased efficiency and renewable
energy sources. Federal, state and local government must cooperate and show
increasing flexibility in informing, not closing out, the public. The public
has a right to know - and to decide."

John E. Young, Research Assistant, Worldwatch Institute, Washington, DC

------------------------------

Date: Wed, 12 Apr 89 15:29:48 +0100
From: J M Hicks
Subject: Central Locking Systems

I expect that the dangers of overlooking the possibility of someone
disconnecting the power supply of a security system were hammered out in
this forum years ago, but I thought this story was a little different.

A friend of my brother had a car whose alternator broke down. He had the
alternator mended. He tried to start the car again. Nothing happened. He
realised the battery was still disconnected. He left the car, shut the door,
opened the bonnet and reconnected the battery. Clunk! The Central Locking
System locked all the doors of the car, with the keys left in the
ignition....

Disconnecting the battery again didn't allow the doors to be opened again
--- the manufacturers got that one right.

J. M. Hicks (a.k.a. Hilary), Computing Services, Warwick University,
Coventry, England. CV4 7AL

------------------------------

Date: Wed, 12 Apr 89 00:41:33 PDT
From: gast@CS.UCLA.EDU (David Gast)
Subject: Social Security Administration Verifying Social Security Numbers

The NYT (April 11, 1989) reports that Dorcas R. Hardy, Commissioner of the
Social Security Administration, told a Congressional committee that the
agency had verified millions of SSN's for private credit companies.
The risks of using SSNs and private credit companies have been discussed
before. TRW, the nation's largest credit reporting company, recently
proposed paying the SS Administration $1000000 to have 140 million numbers
verified. Risks seem even greater when one company has credit information
on 140 individuals--approximately 2/3 of every man, woman, and child in the
country.

Phil Gambino, an agency spokesman, reported last month that the agency had
verified SSNs only at the request of beneficiaries or employers and had
never verified more than 25 numbers at a time. He said such disclosures
were required under the Freedom of Information Act.

At the hearing yesterday, Dorcas R. Hardy, Commissioner of the SSA, at
first denied any other verifications. Later she admitted that in the early
80s, 3,000,000 SSNs were verified for Citi Corp and that last year 151,000
numbers were verified for TRW. Ms Hardy said that the 151,000 numbers were
just part of a "test run."

Senator David Pryor, D-Ark, chairman of the Special Committee on Aging,
said that previous commissioners, the Congressional Research Service of the
Library of Congress, and Donald A. Gonya, chief counsel for Social
Security, have all decided that such verification is illegal.

David Gast   {uunet,ucbvax,rutgers}!{ucla-cs,cs.ucla.edu}!gast

------------------------------

Date: Wed, 12 Apr 89 06:19:49 EDT
From: Hugh Miller
Subject: Not Secure Agencies

Re Curtis Spangler's contribution in RISKS 8.54 ("NSA and Not Secure
Agencies"), quoting the SF Chronicle, quoting the CPSR spokesperson:

> "There is a constant risk that the federal agencies, under the guise
> of enhancing computer security, may find their programs - to the extent
> that they rely upon computer systems - increasingly under the
> supervision of the largest and most secretive intelligence organization
> in the country," [CPSR] said."

I find the "may" most quaint. It strikes me that this is a risk to which
we give all too little consideration.
In the recent disputes over `hackers' and the `ethics' of hacking on this
newsgroup I have occasionally noticed some pretty uncritical paeans to
security. The classical philosophers held that knowledge is power. Today we
hold that information is power -- not the same thing: worse, in fact.
`Information' in the modern sense is much more structured, hierarchical,
and systematic than the classical notion of `knowledge' allowed. It
therefore permits a much greater range and freedom for the employment of
our powers and a correspondingly greater degree of control over nature --
human included. As a result, it aggravates and amplifies the tendency of
power to centralise itself to a much greater extent than would have been
possible in premodern times.

One could, in fact, state a general law of information similar to that of
thermodynamics: "The information control (security) of the universe is
always increasing." Just as in thermodynamics local excursions in the
direction of lesser entropy occur only at the expense of a net gain in
entropy for the universe, so in information systems temporary increases in
access to information take place at the expense of global increases in
control.

Security itself is a (potential) risk -- to those who are not themselves
part of the security establishment or who are not in favour therewith. The
interests of those who would implement and enforce security measures in
information systems must always be balanced against the rights and
interests of (1) the users and (2) the subjects, i.e. those about whom the
information is being gathered. Remember: just because you are a member of
(1) does not mean you are not a member of (2).

Hugh Miller, University of Toronto

------------------------------

Date: Tue, 11 Apr 89 10:22:10 EDT
From: roskos@ida.org (Eric Roskos)
Subject: Re: Cellular Telephones

(Re: Thayer, RISKS-8.53)

> Has the law changed? I was led to understand that the FCC does not ban
> the reception of any signal.
> Of course, banning the reception of
> certain signals is going to be tough to enforce anyway.

[I originally wrote the following posting in response to the first cellular
telephone posting, then decided not to send it because (a) I'd already made
several RISKS postings recently and (b) I'm reluctant to comment on legal
matters when many legal people seem to get upset by lay-persons doing so.
However, in response to the above question I decided to send it in anyway.]

(Re: Den Beste, RISKS-8.52)

> The article goes on to say that Radio Shack no longer sells that model, and
> that the FCC says such eavesdropping is illegal.

Intentionally listening to cellular communications is a violation of PL
99-508, "The Electronic Communications Privacy Act of 1986," and the
violator is subject to a $500 criminal fine if the interception was of
cellular telephone and not for one of the "bad purposes" defined in the
legislation (other types of violations have penalties up to $250,000 for an
individual or $500,000 for an organization). Accidentally encountering such
a broadcast while tuning this model of receiver is not a violation if you
do not intentionally listen to it, i.e., if you just pass by it in the
course of tuning the radio; this issue was specifically addressed in the
ECPA. The cellular telephone frequencies are adjacent to and overlap part
of the UHF TV band, so it is also possible to tune them on older,
continuous (as vs. discrete)-tuning UHF TV sets.

It was reported in the press that the FCC recently stated that it is not
illegal to manufacture and sell radios that tune the cellular frequencies,
and in the past the FCC has allegedly declined to enforce the ECPA as
applied to cellular telephones.
On the other hand, the Cellular Telecommunications Industry Association
recently used legal measures to force Grove Enterprises, a small dealer of
radio equipment in North Carolina, to stop enabling a disabled feature of
Radio Shack scanners that allowed reception of cellular telephone. It's
interesting to note that Radio Shack was one of the companies listed in the
Senate Report 99-541 as "support[ing] the principles involved in the [ECPA]
legislation," and they manufacture a radio which has an option jumper that
enables reception of these communications. It is currently sold with this
option disabled.

There is currently an ongoing debate between radio hobbyists and various
sections of the government on application of the ECPA to cellular telephone
communications. Recent issues of the monthly periodical _Monitoring_Times_
contain a good bit of editorializing and news items on the subject; there
was also a recent book specifically about how to intercept radio telephone
communications released by a publisher oriented towards "communications
monitoring" topics. It also appears to be the case that a lot of scanners
are sold and modified to receive cellular communications, and that the
popular opinion is that the ECPA will not be enforced with regard to
cellular telephone.

From a practical standpoint, this suggests that it is wise to assume that
any cellular telephone communications are probably being listened to. From
the viewpoint of the potential listener, like the types of unauthorized
computer access discussed here recently, in the absence of strong
enforcement it is probably largely an ethical consideration: whether or not
it is technically legal or illegal, one has to consider whether it is
ethical. And, as I've argued in the past, Ethics per se doesn't say whether
this sort of activity is "ethical." It's a difficult problem to address,
other than simply to realize that the problem exists, and act in an
informed manner.
Disclaimers: The above comments result from reading published documents on
the ECPA, and are *not* the opinions of a legal professional. My interest
in the subject is solely in the area of keeping up with security and
privacy issues, and does not necessarily reflect the opinion of anyone
else.

Eric Roskos (roskos@CS.IDA.ORG or Roskos@DOCKMASTER.ARPA)

------------------------------

Date: Wed, 12 Apr 89 14:55:15 CDT
From: "Alan Wexelblat"
Subject: Risk to Sun 386i users

(Taken from Sun-nets mailing list)

DISCLAIMER: I merely receive Sun-nets because I am assistant admin here. I
have no way to verify the accuracy of this report, but thought it should be
distributed. People wanting more information should contact Mike O'Connor
directly.

--Alan Wexelblat

------- Forwarded Message

Date: Wed, 12 Apr 89 13:18:49 -0400
From: oconnor@sccgate.scc.com (Mike O'Connor)
Subject: Security hole in 386i login

The login program supplied by Sun for its 386i machines accepts an argument
which bypasses authentication. It was apparently added in order to allow
the Sun program "logintool" to do the authentication and have login do the
housekeeping. This allows any user who discovers the new argument to the
login program to become root a couple of ways.

[...]

Mike O'Connor   oconnor@sccgate.scc.com   301-840-4952 | 703-359-0172

ps: Mike Rigsby (rigsby@ctc.contel.com) tells me that at a 386i SOS
administration class he attended, he was informed that this access path was
a design feature put in for forgetful administrators but that the class was
told to keep it a secret. I find this surprising, if true, since this is
the OS that Sun claims "meets the spirit of C2 specifications." Then again,
maybe I understand even less of the C2 specs than I thought I did.
------- End of Forwarded Message

------------------------------

Date: Wed, 12 Apr 89 17:19:05 EDT
From: Brinton Cooper
Subject: Infallible Computers and Perry Mason (Dave Curry, RISKS-8.54)

>If I were the guy on the stand, I would have denied it all and forced Mason to
>prove that the time of day clock on the computer was correct at the time I
>last edited that file.

Actually, in the experience of the "average viewer" of a Perry Mason show,
this is probably a valid representation. If they know computers at all,
they're probably PC-class things containing a clock card. Just a little
diligence sets things up OK; most folks probably like the idea of a
date/time stamp on documents that they're constantly revising. So, while it
wouldn't have happened in many of our labs, it's probably reasonable to
have skipped Mason's providing "proof" that the clock was correct since
it's entirely reasonable, in this kind of case, that it probably was.

_Brint

------------------------------

Date: Wed, 12 Apr 89 16:29:29 EDT
From: ephraim@Think.COM
Subject: Infallible computers :-)

In RISKS 8.54, davy@riacs.edu reports on Perry Mason's latest: "Anyway, the
show demonstrates the fallacy of assuming that since the information came
from a computer, it is somehow ennobled,..."

But it didn't come from just any computer, it came from a Macintosh!

Seriously, I've come across several Macs here at TMC with clocks about four
hours slow. Why? They were manufactured and tested on Pacific Standard
Time, and here it is Eastern Daylight Time. Contrariwise, I've seen and
heard about many Macs with clocks that run fast by several minutes per
month. Clock accuracy requires maintenance!

Ephraim Vishniac

------------------------------

Date: Tue, 11 Apr 89 20:27:16 CDT
From: mentat@dewey.cc.utexas.edu (Robert Dorsett)
Subject: Air Canada and fuel-proof gauges (Wales, RISKS-8.51)

I have been trying to get more information on how the 767's systems work,
but I think I should clarify something here.
People seem to be getting the idea that the romantic notion of sticking a
dipstick in a fuel tank is a practical, easily accomplished act in an
airliner. It isn't. Putting aside the fact that one has to get on the wing
(and add structural and maintenance support for the traffic areas), on
Boeing aircraft, at least, the overwing fuelling ports are fastened with
several dozen screws. It is a pain taking the ports off and putting them
back on. A lengthy, expensive process. Normally, fuelling is done on the
starboard wing, through an underwing high-pressure nozzle.

To give an idea of how unattractive overwing fuelling is, recently, an
Aeromexico 727 diverted to an ex-WWII bomber base in Galveston, TX, during
a thunderstorm. They were short on fuel. Galveston has a full-service FBO,
and routinely caters to executive jets--but they didn't have the right
nozzle size. Instead of opening the overwing hatches, they sent a car off
to Houston to fetch the right adapter, sixty miles away--a total delay of
about four hours.

All of this rather makes me doubt the "dipstick" story on the Air Canada
767, unless there's a new, specialized system that avoids the filler port.
Or, more likely, "dipstick" is slang for a secondary automated system. In
the old days (on props), "inspections" WERE used, but often required
custom-designed dipsticks. A few planes were lost because the wrong
dipstick was used (improper graduations).

In practical airliner work, fuel is calculated using four methods:

1. The amount pumped in (by weight, on the truck);
2. Gauges near the wing (totalizers);
3. Individual tank quantity gauges and a totalizer gauge in the cockpit
   (merely knowing how much fuel is left is not adequate; one must know
   WHERE it is, due to loading considerations);
4. The amount burned (the fuel passed through the engines, fuel flow).

Fuel management is a continual cross-check of all these factors (that's
what the flight engineer, if present, is there for).
Occasionally, things screw up (as in the case of the UA 747 near Japan,
which "ran out of fuel," but was found to have 30,000 lbs left in the
center tank--they actually lost three engines). Overfilling is also more
common than it should be--if you ever see a plane dripping liquid, it's
probably an overfilled tank. The fire trucks won't be far behind...

>Henry Spencer wrote that aviation regulations state that the "ultimate
>authority and responsibility rest with the pilot, nobody else." Whereas this
>is certainly true in general aviation, this is NOT true in air carrier
>operations. In air carrier operations, there is a division of labor, where
>many people other than the pilot in command are responsible for, and have
>authority as to, various aspects of a flight.

Legally, they have no authority. Under FAR 91.3, the pilot in command is
directly responsible for, and is the ultimate authority as to, the proper
operation of the aircraft. In PRACTICAL work, as other posters have
noticed, other people assume a de facto responsibility. However, once the
captain signs the dispatch papers, he is LEGALLY responsible. If the
captain signs off with an improperly loaded aircraft, or with dry fuel
tanks, it is HIS legal responsibility.

The "ground crew" concept came into being during the 60's, and was a result
of human-resource studies. It usually works, but ground people do make
mistakes. The pragmatic pilot will always double-check the figures and, at
least, make an effort to determine whether the figures (and the general
status of the airplane) are in the ballpark. We are starting to see a
return to a more "hands on" management style.

Robert Dorsett

------------------------------

Date: Tue, 11 Apr 89 20:18:44 CDT
From: hascall@atanasoff.cs.iastate.edu (John Hascall)
Subject: Air Canada and fuel-proof gauges (Wales, RISKS-8.51)

Commercial aircraft rarely take off with a full fuel tank; there is no
profit to be made in lifting a bunch of extra fuel.
Only enough to make it to the primary destination and secondary landing
site plus some extra for holding is loaded. Any extra would just have to
be dumped anyway to meet the safe landing weight. So eyeballing the tank
to see if it was full would be useless; you would need to use the dipstick.

John Hascall

   [The next step is a computer program that checks the fuel levels, the
   flight destination, the weather data, and the plane load (among other
   things) and determines whether there is enough fuel. If pilots came to
   trust THAT computer program -- and the sensors, computer data, etc. --
   then my eyeballs would be rolling. So, let's hear it for intelligent
   people, whether or not they use dipsticks! PGN]

------------------------------

End of RISKS-FORUM Digest 8.55
************************