Return-Path: <NEUMANN@f4.csl.sri.com>
Received: from csl.csl.sri.com (CSL.SRI.COM) by F4.CSL.SRI.COM with TCP; Mon 27 Jul 87 17:42:36-PDT
Received: from F4.CSL.SRI.COM by csl.csl.sri.com (3.2/4.16)
	id AA21529 for RISKS-LIST@f4.csl.sri.com; Mon, 27 Jul 87 17:21:09 PDT
Message-Id: <8707280021.AA21529@csl.csl.sri.com>
Date: Mon 27 Jul 87 17:17:55-PDT
From: RISKS FORUM    (Peter G. Neumann -- Coordinator) <RISKS@csl.sri.com>
Subject: RISKS DIGEST 5.18 
Sender: NEUMANN@csl.sri.com
To: RISKS-LIST@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday, 27 July 1987  Volume 5 : Issue 18

           FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Its Barcode is NOT worse than its Byte; Rooting for AT&T PC truffles 
    (Elizabeth Zwicky)
  Too much security? (Richard Schooler)
  "Hacker Program" -- PC Prankster (Sam Rebelsky)
  Pittsburgh credit card hackers (Chris Koenigsberg)
  Hacking and Criminal Offenses (David Sherman)
  911 Surprises (Paul Fuqua)
  Re: Taxes and who pays them (Craig E W)
  Statistics as a Fancy Name for Ignorance (Mark S. Day)
  Supermarkets (Chris Koenigsberg, Jon Mauney)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome. 
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
FTP back issues Vol i Issue j from F4.CSL.SRI.COM:<RISKS>RISKS-i.j.  
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

Date: Mon, 27 Jul 87 11:27:38 EDT
From: Elizabeth Zwicky <zwicky@tut.cis.ohio-state.edu>
To: RISKS@csl.sri.com
Subject: Its Barcode is NOT worse than its Byte; Rooting for AT&T PC truffles 
Organization: The Ohio State University, CIS Dept.

Two security notes:

First, on the discussion about scanner errors in grocery stores.  The chance
that these are actually scanning errors is so small as to be ignorable. The
UPC barcode they use is incredibly reliable, and includes two separate check
digits encoded in different ways.  What is very likely to go wrong is the
shelf labels. Usually, the system is that the computer database is updated,
and automatically prints revised shelf labels. There then is a considerable
lag while the labels are actually put on the shelves. Of course, sometimes
they forget to update the database, especially for sales.

Second, on actual computer security. We have 40 AT&T PC7300s that are used
to teach an introductory computing course. We have had notable problems with
them (our current favorite causes students with output loops to end up losing 
the lab they're working on, source code and all), but were surprised when
the root passwords started to mutate. One of us asked the monitor in the
lab, who offered to break root for him so he could change it back. It seems
that with two mouse clicks, and two presses of the enter key, you can get a
root shell. There's a bug in the shutdown procedure, causing it to give you
all its warnings, push a root shell (complete with window system that says
"Office of root", just in case you don't know you're root), and then stop.
Most of the students don't know enough about UNIX to make any use of this
trick, but some of them seem to find changing the passwords around amusing.

Elizabeth Zwicky
                            [Suns reportedly have a similar feature!  PGN]

------------------------------

Date: Mon, 27 Jul 87 11:48:12 EDT
From: schooler@inmet.inmet.com (Richard Schooler)
To: risks@csl.sri.com
Subject: Too much security?

A mainframe system that we have occasion to use retires passwords every 28
days and does not allow any of the four previous passwords to be re-used.
Since we use the system mainly for re-hosting (i.e., not "real" work or
personal files), the onerousness of this scheme has driven many of us to
using extremely easy-to-remember passwords on that system, such as the name
of the current month.  I find this quite ironic.

Richard Schooler, Intermetrics, Inc.    	{ihnp4,ima}!inmet!schooler

    [This is an old RISKS problem, but worth including for newer readers.  PGN]

------------------------------

Date: Mon, 27 Jul 87 11:23:22 cdt
From: Sam Rebelsky <r032@sphinx.uchicago.edu>
To: risks@csl.sri.com
Subject: "Hacker Program" -- PC Prankster

I thought people might be interested in a small article that appeared in
a sidebar of today's Chicago Tribune, Business Section, Monday, 27 July 1987.

                     "You'd better watch out

  A new software program lets anybody with access to an IBM or IBM-compatible
  personal computer become a hacker, at least on a small scale.  The program,
  from Mainland Machine, San Luis Obispo, Calif., is called PC-Prankster.

  It wasn't necessarily designed with the idea of making the world a better
  place in which to live.  An electronic jokester can sneak up and install PC
  Prankster on a friend or loved one's ``boot disk,'' (the disk used to fire up
  the computer's operating system when it is turned on), whereupon it resides
  in memory waiting for its chance to pounce.

  As soon as the PC user reaches a certain set number of keystrokes, the 
  prankster takes over.  The work in progress disappears, one of five ugly
  creatures fills the screen and blows a kiss, then vanishes, and the screen
  returns to where it was before the intrusion.  The prank repeats itself
  every 5 minutes or so.

  Among the characters are a cyclops that blinks and a flasher that flashes.
  The only way to get rid of PC-Prankster is to use the delete program 
  contained on the disk.  Or you could drop your PC out the window, timing
  it to land on the perpetrator.  PC Prankster costs $19.95 and also works
  on hard disk systems.

This really bothers me.  The article (and the program) imply that fooling 
with someone's work on a computer is acceptable and that hacking is just 
harmless playing.  The article also seems to imply that the program
is otherwise harmless "..and the screen returns to where it was before
the intrusion."  I find it unlikely that such a program will be perfectly
harmless in all cases.

I'm sure other people are more qualified to comment on other risks of such
a program, including the similarity of such a program to a trojan horse.

SamR

------------------------------

Date: Sun, 26 Jul 87 23:54:50 edt
From: ckk+@andrew.cmu.edu (Chris Koenigsberg)
To: risks@csl.sri.com
Subject: Pittsburgh credit card hackers

In RISKS 5.16, someone mentioned that a ring of teenaged credit card hackers
was recently broken. What they didn't mention is that the solving of the case
had nothing to do with the computer end of it at all. One of the kids bought
a skateboard with a hot card number, and his mother was so annoyed at his use
of the skateboard that she turned him in!
                                            [The wheels of (mis)fortune!  PGN]

------------------------------

Date: Mon, 27 Jul 87 12:36:32 EDT
To: RISKS@csl.sri.com
Subject: Hacking and Criminal Offenses (Re: RISKS 5.15)
From: mnetor!lsuc!dave@seismo.css.gov (David Sherman)
Organization: Law Society of Upper Canada, Toronto

  >	The dishonest obtaining of access to a computer data bank
  >	by electronic means is not a criminal offence.
  >
  >Under the terms of the Act, Gold and Schifreen were charged with "making
  >a false instrument on, or in, which information was recorded or stored by
  >electronic means, with the intention of using it to induce the Prestel 
  >computer to accept it as genuine, and by reason of so accepting it to do 
  >an act to the prejudice of British Telecom plc".

This case is reminiscent of the Supreme Court of Canada decision in
R. v. McLaughlin (1980), 113 DLR(3d) 386-394.  In both cases the
authorities attempted to use a statute enacted for other purposes
to prosecute unauthorized computer use.

In the British case, as outlined above, the Act used was one
which makes forgery and counterfeiting illegal.  In the Canadian
case, which involved a University of Alberta student obtaining
unauthorized access to a university computer, the charge was that
of fraudulently using a "telecommunication facility", in violation
of s.287 of our Criminal Code.  (That provision is the one used
for people who use blue boxes to make long-distance calls.)

The Supreme Court's decision boiled down to this quote (at p. 394):

    Had Parliament intended to associate penal consequences with the unauthorized
    operation of a computer, it no doubt would have done so in a section of 
    the Criminal Code or other penal statute in which the term which is now 
    so permanently embedded in our language is employed.

The result was that Parliament did indeed enact legislation making illegal
the unauthorized use of computers (in 1986).  It looks like the British
Parliament will have to do the same.  In the context of the quote above, the
decision of the English Court of Appeal is probably correct.  I'll be
interested in seeing whether the Court of Appeal referred to the (Canadian)
McLaughlin case.

David Sherman, The Law Society of Upper Canada, Toronto
{ uunet!mnetor  pyramid!utai  decvax!utcsri  ihnp4!utzoo } !lsuc!dave

------------------------------

Date: Mon, 27 Jul 87  14:30:54 CDT
From: Paul Fuqua <pf%islington-terrace%ti-csl.csnet@RELAY.CS.NET>
To: risks@csl.sri.com, telecom@XX.LCS.MIT.EDU
Subject: 911 Surprises

     Tarrant County (Fort Worth) is about to start a 911 emergency telephone
service, the second in the state, prompting quite a few newspaper articles
about aspects of their service and that of Harris County (Houston), which
started in January 1986.
     The details I found most interesting were the problems that had to be
overcome in both systems.  (Quoted without permission from the Dallas Morning
News)

    For instance, Harris County found initially that people dialing a
    seven-digit number with 911 in it would sometimes reach the emergency
    operator by mistake.  Telephone company computers were so quick, they
    would pick up the 911 and transfer the call before waiting for a fourth
    digit.  [There are no other magic three-digit calls in this area:  for
    411, one dials 1411, and all other numbers are seven digits.  - pf]  ...

    In the beginning, 911 operators were deluged by calls from children
    trying out the system and from people who put the 911 number on the
    speed-dialing function on their telephones and hit the number by mistake.

    Misdirected calls also come in from cordless phones whose batteries are
    low -- a situation that seems to mistakenly trigger calls to 911 ...

    Another problem Tarrant County is working on is establishing street
    addresses for rural homes.  The [911] district is working with the U.S.
    Postal Service and telephone companies to assign street addresses to more
    than 9,000 locations in Tarrant County so that a recognizable address
    will appear on the screen -- not just a rural route and box number.

    [The director] was surprised when the effort met some resistance. ...
    "Some people have said, `I'm not going to use 911 so I don't need my
    address changed.'"

Tarrant County will start up their system on August 2, despite the failure
of equipment to automatically transfer the address information from the
emergency operator to the appropriate agency.  Dallas County (Dallas)
expects to start their own service next April; the goal is that the whole
state will have 911 by 1995.

Paul Fuqua, Texas Instruments Computer Science Center, Dallas, Texas
CSNet:  pf@ti-csl    UUCP:   {smu, texsun, im4u, rice}!ti-csl!pf

------------------------------

To: RISKS@csl.sri.com (RISKS FORUM, Peter G. Neumann -- Coordinator)
Subject: Re: Taxes and who pays them (RISKS DIGEST 5.15)
Date: Mon, 27 Jul 87 11:19:18 PDT
From: cew@venera.isi.edu

This idea of "passing it on" is nonsense.  A Company, or any organization
selling a product or service, will charge as much as it can for its product
or service.  It does not matter how much the product costs them or how much
it is taxed or how much of the external costs are forcibly internalized by
regulations.  The question is simply "Does the amount received sufficiently
cover the cost of production to justify the organization continuing the
process?"  If the profit is too small or non-existent then the process is
halted.  If the profit is great, others will get into the act.

For the topic that came up in Risks, the question is "How will the companies
providing electronic communications services respond to the added costs of
FCC taxes?"  Some possible responses are (1) absorb them (not bloody
likely), (2) Add them to the price for the service (not a "passing on" but a
shift in customer base), (3) Absorb them for a while and add them slowly to
see how the customers react and (4) Get the FCC changed.

In my view, the key result of this will be to shift the customer base away
from private individuals to corporate individuals (corporations can more
easily add the extra costs to their products).  My question is then "Why is
the FCC using its taxing privileges to manipulate the electronic
communications market to force out the private individual?"  That leads us
away from the risks of computers to risks of another kind.

(If people want to argue this view of economics they should send mail to me
directly.  No need to clutter Risks with these more general questions.)

		Craig

------------------------------

Date: Mon 27 Jul 87 13:32:55-EDT
From: Mark S. Day <MDAY@XX.LCS.MIT.EDU>
Subject: Statistics as a Fancy Name for Ignorance
To: RISKS@csl.sri.com

The risk-assessment numbers put forth to justify nuclear power's safety
remind me of Mark Twain's observation that there are three kinds of lies:
lies, damned lies, and statistics.  What real evidence or experience do we
have for these projections and statistics?  How can we meaningfully discuss
the "safe" containment of wastes that are dangerous for a time span
comparable to all of recorded history so far?  How much do we really know,
and how much of it is based on "plausible" guesses and conjectures?

The fact that nuclear power plants have been run in a generally safe way in
the past tells me very little about the future danger from them.  Predicting
the future like that is similar to the statistical fallacy that if a fair
coin has come up "heads" 500 times in a row, it is somehow "more likely" to
come up "heads" the next time that I flip it.  [Alternately, some people also
believe that it's "more likely" to come up "tails", since it's "about time".]

Car wrecks and cigarette smoking kill more people than nuclear plants, sure,
but the way that they kill people is very different.  Car accidents
generally don't affect a zone of several miles' diameter, forcing evacuation
and abandonment of homes.  Cars and cigarette smoke are perceptible, whereas
radiation isn't (I know that carbon monoxide is odorless and colorless, but
you rarely get carbon monoxide from cars or cigarettes without smelly
components, too.).  Chernobyl has shown that when an accident occurs, it
doesn't matter that it's a rare event: it's an extremely unpleasant event.
Who cares if a meltdown happens "once in 100,000 years" if it happens
tomorrow?  It is perfectly rational to decide that a potential catastrophe
is undesirable, no matter how rare it is.
                                                     --Mark

------------------------------

Date: Sun, 26 Jul 87 23:59:38 edt
From: ckk+@andrew.cmu.edu (Chris Koenigsberg)
To: risks@csl.sri.com
Subject: Supermarkets

The Giant Eagle chain of supermarkets in western Pennsylvania has automated
checkout scanners at the bigger stores. But they also have a policy they call
Absolute Minimum Pricing, and as a part of this, they have a strict rule that
you can be ejected from the supermarket if you are caught writing down their
prices from the tags on the shelves (because they want to keep the jump on
the competition)! So I suppose very few people ever manage to catch scanner
price errors at Giant Eagles.
                                  [This is an interesting new twist.  PGN]

------------------------------

Date: Mon, 27 Jul 87 09:54:45 EDT
From: mauney@ece-csc.ncsu.edu (Jon Mauney)
To: risks@csl.sri.com
Subject: Grocery store scanners and shelf tags
Re: Cash register prices not agreeing with shelf tags

Don't forget the Hi-Tech creed:

 What is fouled up by technology can be fixed by further technological patches.

In the case of computerized cash registers, help is on the way in the form
of radio-updated LCD shelf tags.  (This is according to an article in last
week's Sunday News and Observer.  I can dig it out, but it is unlikely to
contain any useful facts.)

Of course, this will bring two new risks:

  The price may go up while you're waiting in line.

  The tags may be affected by teenage vandals who have gotten
  bored with breaking into computers.
                                            Jon Mauney          

  [Recalling the students who spliced themselves into the comm line to the
  Rose Bowl scoreboard and took over the display, we can certainly look forward
  to someone changing the prices downward just before checking out.  PGN]

------------------------------

End of RISKS-FORUM Digest
************************