From: MERC::"uunet!csl.sri.com!risks" 19-JAN-1993 23:45:57.27 To: RISKS-LIST:;@csl.sri.com CC: Subj: RISKS DIGEST 14.28 RISKS-LIST: RISKS-FORUM Digest Tuesday 19 January 1993 Volume 14 : Issue 28 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Racetrack goes to the dogs as computer fails (Mark Colan via John Markoff) Earthwinds balloon crash (John Sullivan) More on the Air-Inter politics (Peter B Ladkin) Attempted Mindvox Break-in (John F. McMullen) New E-journal on computer security (J.B. Condat) Lautro assessment of computer reliability (Pete Mellor) Released GSA Docs Slam FBI Wiretap Proposal (Dave Banisar) Four charged with theft of registration microfilms in Sapporo Japan (Hank) Nintendo and Epileptic attacks (Marvin Moskowitz, Robert A. Morris) The RISKS Forum is a moderated digest discussing risks; comp.risks is its undigested Usenet counterpart. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Thu, 14 Jan 1993 10:32:04 -0800 From: markoff@nyt.com (John Markoff, NY Times, San Fran 1-415 362 3912) Subject: Racetrack goes to the dogs as computer fails (from Mark Colan) > Date: Thu, 14 Jan 93 10:21:45 EST > From: Mark_Colan.LOTUS@CRD.lotus.com > Subject: heard on BBC this morning > At the tail end of the sports news at the end of NewsHour, the morning BBC > show heard on WBUR, was the mention of an error in a betting computer at a > greyhound race track. The computer continued to accept bets well after the > conclusion of the race. Needless to say, many gleeful track-betters bought > tickets for the dog that had already won, and claimed their winnings. > The article also mentioned that some people are just born losers. > After the race had finished, 139 people bet on dogs that had *lost*! > The government management reported that they intended to reclaim all of the > unfairly-won monies. However, they stated that they intend to *keep* the > money from the losers. [Slight edit by PGN.] ------------------------------ Date: Tue, 19 Jan 93 12:26:02 CST From: sullivan@geom.umn.edu Subject: Earthwinds balloon crash There is a long article in the NYTimes Science section on Jan 19, 1993, about the crash last week of the Earthwinds balloon just after it took off to try to fly around the world. The three men of the crew have been trading accusations since the crash, and many people blame the problems on the lack of "adequate engineering and planning, particularly in the integration of its labyrinthine electronic and plumbing systems". -John Sullivan@geom.umn.edu ------------------------------ Date: 19 Jan 93 13:38:39 GMT (Tue) From: Dr Peter B Ladkin Subject: More on the Air-Inter politics >From the International Herald Tribune, 19 Jan 1993 Paris Charges Ex-Official in Air Crash COLMAR, France (AP) - A former official of the French domestic airline Air-Inter was charged Monday with negligent homicide in the crash of a passenger jet a year ago that killed 87 people. Jacques Rantet, Air-Inter's former director of flight security, was charged ... with negligence leading to death and injury in the crash of the Airbus A320. Nine people survived after the airliner crashed into a mountainside as it approached Strasbourg airport on Jan. 20, 1992. ------------------------------ Date: Mon, 18 Jan 93 13:55:17 EST From: mcmullen@mindvox.phantom.com (John F. McMullen) Subject: Attempted Mindvox Break-in The following appeared on Newbytes, a copyrighted commercial service, on January 18, 1993. It is republished here with the express consent of the authors: Phantom Access Foils Cracking Attempt 01/18/93 NEW YORK, NEW YORK, U.S.A.,1993 JAN 18 (NB) -- An attempt to illegally break into, or "crack" the "Mindvox" conferencing stem contained in Phantom Access, a flat-rate New York-based online service recently featured in various news publications, was detected and rebuffed. Bruce Fancher, co-owner of Phantom Access, told Newsbytes, "There was no real damage and we have notified all of our users about the attempt in the hope that they will be even more conscious of security. The nature of this attempt points out one of the things that users of any on-line system must be aware of in order to protect her/his privacy." The attempt came to the attention of the owners of the system, Fancher and Patrick Kroupa, when subscribers reported receiving the following message: It has been brought to my attention that your account has been 'hacked' by an outside source. The charges added were quite significant which is how the error was caught. Please temporarily change your password to 'DPH7' so that we can judge the severity of the intrusion. I will notify you when the problems has been taken care of. Thank you for your help in this matter. -System Administrator" The system owners immediately sent a message to all subscribers declaring the message to be fraudulent. In addition to pointing out the textual errors in the message -- for example, Mindvox is a "flat rate" system and charges are not accumulated -- the owners admonished users to both safeguard their passwords and insure that they are not easy to decipher. Fancher told Newsbytes that the review of Mindvox in a recent issue of Mondo 2000, its mention in an issue of Forbes, and his speaking engagements on behalf of the system have led to more rapid growth than had been anticipated. He said, "We are moving to larger space on February 1st and will be upgrading our equipment from a single Next system to multiple Suns. We will also increase the number of dial-in ports and greatly increase the speed of our Internet connection. We are very grateful for the user response to date." (Barbara E. McMullen & John F. McMullen/Press Contact: Bruce Fancher, Phantom Access, dead@phantom.com (e-mail), 212-254-3226 70210.172@compuserve.com mcmullen@mindvox.phantom.com knxd@maristb.bitnet mcmullen@well.sf.ca.us [...] ------------------------------ Date: 31 Dec 69 23:59:59 GMT From: jbcondat@attmail.com Subject: New E-journal on computer security A new computer security e-journal is being published in France. It's the first in my country: * weekly; * name: _Chaos Digest_; * latest issue available: #1.03 (18 Jan 1993); * for a subscription send an e-message to: jbcondat@attmail.com Thanks, and hope to hear from you soon! Fax: +33 1 47877070 Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P. 8005, 69351 Lyon Cedex 08, France jbcondat@attmail.com +33 1 40101775 ------------------------------ Date: Mon, 18 Jan 93 17:55:52 GMT From: Pete Mellor Subject: Lautro assessment of computer reliability A student on a short course on software reliability that I gave late last year informed me that Lautro, the UK insurance companies' watch-dog organisation, has recently been putting the wind up a lot of companies by doing spot checks on computer systems. Lautro has real "teeth", and can stop a company from trading if they are not satisfied with the service it provides to the public. Nowadays, this includes deficiencies in service due to computer cock-ups. Apparently, a number of insurance companies are beginning to take software reliability rather seriously all of a sudden! Unfortunately, we only had time for a short conversation, and I do not have any further information. I would be extremely interested to know, for example, what Lautro measure when they perform their audit. Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk ------------------------------ Date: Fri, 15 Jan 1993 23:22:47 -0500 From: Dave Banisar Subject: Released GSA Docs Slam FBI Wiretap Proposal "GSA Memos Reveal that FBI Wiretap Plan was Opposed by Government's Top Telecomm Purchaser" The New York Times reported today on a document obtained by CPSR through the Freedom of Information Act. ("FBI's Proposal on Wiretaps Draws Criticism from G.S.A.," New York Times, January 15, 1993, p. A12) The document, an internal memo prepared by the General Services Administration, describes many problems with the FBI's wiretap plan and also shows that the GSA strongly opposed the sweeping proposal. The GSA is the largest purchaser of telecommunications equipment in the federal government. The FBI wiretap proposal, first announced in March of 1992, would have required telephone manufacturers to design all communications equipment to facilitate wire surveillance. The proposal was defeated last year. The FBI has said that it plans to reintroduce a similar proposal this year. The documents were released to Computer Professionals for Social Responsibility, a public interest organization, after CPSR submitted Freedom of Information Act requests about the FBI's wiretap plan to several federal agencies last year. The documents obtained by CPSR reveal that the GSA, which is responsible for equipment procurement for the Federal government, strongly opposed two different versions of the wiretap plan developed by the FBI. According to the GSA, the FBI proposal would complicate interoperability, increase cost, and diminish privacy and network security. The GSA also stated that the proposal could "adversely _affect national security._" In the second memo, the GSA concluded that it would be a mistake to give the Attorney General sole authority to waive provisions of the bill. The GSA's objections to the proposal were overruled by the Office of Management and Budget, a branch of the White House which oversees administrative agencies for the President. However, none of GSA's objections were disclosed to the public or made available to policy makers in Washington. Secrecy surrounds this proposal. Critical sections of a report on the FBI wiretap plan prepared by the General Accounting Office were earlier withhold after the FBI designated these sections "National Security Information." These sections included analysis by GAO on alternatives to the FBI's wiretap plan. CPSR is also pursuing a FOIA lawsuit to obtain the FBI's internal documents concerning the wiretap proposal. The GSA memos, the GAO report and others that CPSR is now seeking indicate that there are many important documents within the government which have still not been disclosed to the public. Marc Rotenberg, CPSR Washington office rotenberg@washofc.cpsr.org Note: Underscores indicate underlining in the original text. Dashes that go across pages indicate page breaks. [Computer Professionals for Social Responsibility is a nonprofit, public interest membership organization. For membership information about CPSR, contact cpsr@csli.stanford.edu or call 415/322-3778. For information on CPSR's FOIA work, contact David Sobel at 202/544-9240 (sobel@washofc.cpsr.org).] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (#4A) Control No. X92050405 Due Date: 5/5/92 Brenda Robinson (S) After KMR consultations, we still _"cannot support"_ Draft Bill. No. 118 as substantially revised by Justice after its purported full consideration of other agencies' "substantive concerns." Aside from the third paragraph of our 3/13/92 attachment response for the original draft bill, which was adopted as GSA's position (copy attached), Justice has failed to fully address other major GSA concerns (i.e., technological changes and associated costs). Further, by merely eliminating the FCC and any discussion of cost issues in the revision, we can not agree as contended by Justice that it now " ... takes care of kinds of problems raised by FCC and others ...." Finally, the revision gives Justice sole unilateral exclusive authority to enforce and except or waive the provisions of any resultant Iaw in Federal District Courts. Our other concerns are also shown in the current attachment for the revised draft bill. Once again OMB has not allowed sufficient time for a more through review, a comprehensive internal staffing, or a formal response. /Signature/ Wm. R. Loy KMR 5/5/92 Info: K(Peay),KD,KA,KB,KE,KG,KV,KM,KMP,KMR,R/F,LP-Rm.4002 (O/F) - 9C1h (2) (a) - File (#4A) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ATTACHMENT REVISED JUSTICE DRAFT BILL DIGITAL TELEPHONY The proposed legislation could have a widespread impact on the government's ability to acquire _new_ telecommunications equipment and provide electronic communications services. _Existing_ Federal government telecommunications resources will be affected by the proposed new technology techniques and equipment. An incompatibility and interoperability of existing Federal government telecommunications system, and resources would result due to the new technological changes proposed. The Federal Communications Commission (FCC) has been removed from the legislation, but the Justice implementation may require modifications to the "Communications Act of 1934," and other FCC policies and regulations to remove inconsistencies. This could also cause an unknown effect on the wire and electronic communications systems operations, services, equipment, and regulations within the Federal government. Further, to change a major portion of the United States telecommunications infrastructure (the public switched network within eighteen months and others within three years) seems very optimistic, no matter how trivial or minimal the proposed modifications are to implement. In the proposed legislation the Attorney General has sole _unilateral exclusive_ authority to enforce, grant exceptions or waive the provisions of any resultant law and enforce it in Federal District Courts. The Attorney General would, as appropriate, only "consult" with the FCC, Department of Commerce, or Small Business Administration. The Attorney General has exclusive authority in Section 2 of the legislation; it appears the Attorney General has taken over several FCC functions and placed the FCC in a mere consulting capacity. The proposed legislation would apply to all forms of wire and electronic communications to include computer data bases, facsimile, imagery etc., as well as voice transmissions. The proposed legislation would assist eavesdropping by law enforcement, but it would also apply to users who acquire the technology capability and make it easier for criminals, terrorists, foreign intelligence (spies) and computer hackers to electronically penetrate the public network and pry into areas previously not open to snooping. This situation of easier access due to new technology changes could therefore affect _national security_. (1) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The proposed legislation does not address standards and specifications for telecommunications equipment nor security considerations. These issues must be addressed as they effect both the government and private industry. There are also civil liberty implications and the public's constitutional rights to privacy which are not mentioned. It must be noted that equipment already exists that can be used to wiretap the digital communications lines and support court-authorized wiretaps, criminal investigations and probes of voice communications. The total number of interception applications authorized within the United States (Federal and State) has been averaging under nine hundred per year. There is concern that the proposed changes are not cost effective and worth the effort to revamp all the existing and new telecommunications systems. The proposed bill would have to have the FCC or another agency approve or reject new telephone equipment mainly on the basis of whether the FBI has the capability to wiretap it. The federal-approval process is normally lengthy and the United States may not be able to keep pace with foreign industries to develop new technology and install secure communications. As a matter of interest, the proposed restrictive new technology could impede the United States' ability to compete in digital telephony and participate in the international trade arena. Finally, there will be unknown associated costs to implement the proposed new technological procedures and equipment. These costs would be borne by the Federal government, consumers, and all other communications ratepayers to finance the effort. Both the Federal government and private industry communications regular phone service, data transmissions, satellite and microwave transmissions, and encrypted communications could be effected at increased costs. (2) [Documents disclosed to Computer Professionals for Social Responsibility (CPSR), under the Freedom of Information Act December 1992.] ------------------------------ Date: Mon, 18 Jan 93 01:39:10 EST From: hank@westford.ccur.com Subject: Four charged with theft of registration microfilms in Sapporo Japan >From The Japan Times Wednesday January 13,1993 SAPPORO (Kyodo) Four men went on trial here Tuesday for allegedly taking out residency register microfilm from a Sapporo ward office, then selling duplicates of it that they had made. The defendants are accused [of] duplicating all of the Sapporo citizens' residency registrations, using the microfilm and selling it to direct marketing companies. Katsumi Shibuki, 32, an office worker of Chuo Ward Sapporo, Jun Hongo, 24, a company executive of the same ward, and two others were charged with theft. During their first trial hearing at the Sapporo District Court, all four admitted taking microfilm that is kept at the ward office for resident perusal. However, an attorney for Hongo entered a plea of innocent of behalf of his client, contending that the defendants took out the microfilm only for temporary use and therefore the act does not constitute theft. The three other defendants refused to enter a plea Tuesday as their attorneys argued that legal problems are involved in charging their clients with theft for their act. In their opening statement, prosecutors said the four made several preliminary inspections of the ward office where the microfilm was kept and then purchased a microfilm duplicator, thus premeditating the crime. They noted that Shibuki borrowed the microfilm on the pretext of reading it, but his accomplices took it out and duplicated it in their Sapporo office. The prosecutors charged that the defendants collaborated and each assumed a different role. According to the indictments, the four were accused of taking out 482 residency register microfilm entries kept at all of Sapporo's eight ward offices between April and May 1992. A few comments. Japan has a universal citizen registration law that requires all residents to report their place of residence to their local government. This is in addition to a family registration system that tracks all births deaths, marriages and divorces. That data may be similarly ill secured however it is of less interest to direct marketeers than the residence data which is kept up to date within about 15 days. Although this system is very ancient the law regarding data security has obviously not caught up with the technology. As more and more local governments are keeping this data on personal computers all of the attendant risks to privacy will appear. Obviously what is needed is a law that relates specifically to the data and not to the media. It is clear from the article that the prosecutors believe that the accused did something illegal but they don't seem to have a statute appropriate for the circumstances. A final observation is that while the case for theft seems very weak to someone familiar with American or English law things in Japan are not so obvious. People have been convicted in Japan for intent to commit a felony when no felony was actually committed. The courts may also take a similarly broad interpretation of theft even though the physical objects taken were promptly returned. ------------------------------ Date: Fri, 15 Jan 93 07:52:56 PST From: marvinm@catman.tti.com (Marvin Moskowitz) Subject: Nintendo and Epileptic attacks In article Rick Russell writes: > The Super Nintendo Entertainment System "Consumer Information and Precautions > Booklet", which comes with SNES and NES systems sold in the US (and the UK, > to the best of my knowledge), issues the following warning: > > EPILEPSY WARNING: READ BEFORE USING YOUR NES OR SUPER NES Well, I guess all this should be no surprise to anyone who has read Crichton's "Andromeda Strain." The flashing lights causing a seizure was a major device he used. His background as a physician lent some credibility to the novel. Marvin S. Moskowitz, Transaction Tech, Inc., 3100 Ocean Park Blvd., Santa Monica, CA 90405 1-310-450-9111 x3197 marvinm@soldev.tti.com ------------------------------ Date: Sun, 17 Jan 1993 18:07:40 -0500 From: Robert A. Morris Subject: Re: Computer games may endanger your health (Russell, RISKS-14.27) > EPILEPSY WARNING: READ BEFORE USING YOUR NES OR SUPER NES > Consult your physician if you experience any of the following symptoms while > playing video games: altered vision, muscle twitching, other involuntary > movements, loss of awareness of your surroundings, mental confusion, and/or > convulsions. Of course, the search for most of these conditions are among the _goals_ of video game players.... ------------------------------ End of RISKS-FORUM Digest 14.28 ************************