From risks-request@pica.army.mil Wed Sep 16 21:15:20 1992
From: RISKS Forum
Sender: RISKS Forum
Date: Wed, 16 Sep 92 17:52:46 PDT
Subject: RISKS DIGEST 13.80
Reply-To: risks@csl.sri.com
To: ;@risks-list.ncsl.nist.gov

RISKS-LIST: RISKS-FORUM Digest  Weds 16 September 1992  Volume 13 : Issue 80

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Arrest Warrants (Joseph Nathan Hall)
  Stop the presses, call the police! (Frans Heeman)
  A Financial risk avoided (Rob Horn)
  From the Jury Room - Alcohol breath analyzer (Jim Haynes)
  Automatic DUI (Driving Under the Influence) (Jane Beckman)
  Re: update: Barclay voice mail insecurity (Flint Pellett)
  Re: "Sneakers" -- A Topical Movie Review (Mark Brader, James Zuchelli)
  Greening of Computers (Mark J. Crosbie)
  Michigan Awarded Funds to Improve Criminal History Records (Nigel Allen)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed.
The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Sat, 12 Sep 92 13:57:25 EDT
>From: joseph@joebloe.maple-shade.nj.us (Joseph Nathan Hall)
Subject: Arrest Warrants

The son of a former employer of mine was met at the door one Saturday morning by two local police officers, who presented him with a felony arrest warrant and took him off to jail. The charges involved were something like passing bad commercial paper and perhaps interstate flight. I gather that he was a little surprised.

It turned out that he had left some money in a checking account in a bank in another state (Missouri, I think) before moving to his new residence. After a while, the service charges ate up the funds in the account and the last charge "bounced." The bank treated it as a bad check. They looked for him for a while, and then, since bad paper in the state in question is a felony, regardless of the amount, they passed the info to the local authorities and an arrest warrant resulted. (I wonder whether there was any human intervention up to the point where the judge issued the warrant.)
Apparently there is a pretty good interstate commerce in arrest warrants, and somehow the out-of-state warrant wound up at the local police station, along with the "suspect's" current address. Most stations keep a pile of warrants that need to be served handy for slow times--like Saturday morning.

It could happen to YOU!

Disclaimer: This story was related to me a few years ago by a former employer. I believe that the facts as I have stated them are essentially correct, though the details are no longer clear in my memory.

uunet!joebloe!joseph (609) 273-8200 day joseph%joebloe@uunet.uu.net
2102 Ryan's Run East, Rt. 38 & 41, Maple Shade NJ 08052

------------------------------

Date: Tue, 15 Sep 1992 07:53:35 GMT
>From: Frans.Heeman@cwi.nl
Subject: Stop the presses, call the police!

[From the Dutch national paper "De Volkskrant", September 3, 1992:]

On Saturday morning, August 29, the presses at the local newspaper "De Gelderlander" went down, causing delivery to be delayed. Many subscribers called the newspaper at its phone number 650611. The telephone exchange at the newspaper got jammed. One of the consequences was that when people tried to call the newspaper, often only the last four digits, 0611, came through. Now it happens that 0611 is the national emergency number in the Netherlands. So the police were swamped with calls from people, informing about the delivery of their newspaper, jamming the emergency number.

In a reaction, the PTT said that they would be careful with giving numbers ending in 0611 to large companies.

Frans Heeman, CWI dept. of Interactive Systems, Kruislaan 413, 1098 SJ Amsterdam
P.O. Box 4079, 1009 AB Amsterdam  frans@cwi.nl  phone: +31 20 592 4164

------------------------------

Date: Fri, 11 Sep 1992 14:29 EST
>From: HORN%athena@leia.polaroid.com
Subject: A Financial risk avoided

In light of all the financial problems that get reported I decided to recognize a firm that made an intelligent decision.
Recently Citizen's Utilities had a stock split: 3 for 2. People who use the dividend reinvestment alternative generally have fractional share balances. So someone with 0.70 fractional shares would now have 1.05 shares. Rather than merge the full shares from the split with the full share from the fractional share account, they chose to wait until the next regular quarterly dividend. At this time the routine processing shifts full shares.

In the letter accompanying the newly issued shares they called attention to this and gave the name of the person who could manually issue the extra share if for some reason you needed that share before the next dividend (about ten weeks later). They gave the reason for all this as:

    excessive programming complexity

Considering how few people will need that one share certificate during the next ten weeks I think they made a good choice by sticking to the regularly used and reliable procedures, providing a manual override, and informing their owners.

We usually hear about various kinds of mistakes, oversights, and maliciousness. It is also appropriate to point out things done well.

Rob Horn  horn%hydra@polaroid.com

------------------------------

Date: Sun, 13 Sep 92 22:00:43 -0700
>From: haynes@cats.UCSC.EDU (Jim Haynes)
Subject: From the Jury Room - Alcohol breath analyzer

I was on a jury last week (trial now over so I can talk about it) and part of the case involved a breath alcohol machine. We were not shown the machine but it was described by expert witnesses and we saw its output.

The machine in question is microprocessor controlled and displays two digits of output - any other significance is truncated. To use it the officer first puts a blank card into a slot and types in the suspect's name and date and time and the like. The machine prints all this on the card along with the test results.
The test consists of an air purge, when the machine checks itself for a zero reading; then the suspect blows; then another air purge and zero check; then another blow; then a final air purge and zero check and all these results are printed on the card. During the blowing a tone sounds to signal that the suspect is blowing hard enough.

Whatever it is the machine measures, it takes a measurement every 0.6 seconds and waits for three of these to be the same before treating that as a reading. Hence as the alcohol concentration in the blow increases the machine is supposed to wait for a plateau and record the plateau value. The machine is supposed to measure and subtract something else to eliminate the effects of substances such as acetone that were known to throw off earlier model machines.

Supposedly the calibration of the machine is fixed at manufacture; but the calibration is verified about once a week by the forensic lab which takes care of it. There is an alcohol-water solution in a breath simulator attached to the machine. The lab dials up using a modem and commands the machine to verify its calibration. The machine measures the simulated breath and sends the measurement and its identification back to the lab, where the information is kept in their computer and can produce a printed report as needed.

The test solution is supposed to make the machine read 0.14% +/- 0.01%. For the machine in question there was a verification a few days before the crucial test, and another one a few days later. Both times the machine read 0.15%, which is acceptable. We saw the results of several other verifications and this machine usually read 0.15%, although once or twice in the past it had read 0.13%.

On the test in question the machine had read 0.09%. A blood alcohol level of 0.08% makes it illegal to drive a car in California.

I convinced myself and the rest of the jury that a blood alcohol level of 0.08% in the defendant was unproven.
First, when the machine read 0.15% that could mean anything between 0.1500... and 0.1599... Second, we were not told any more about the test solution than that it should produce a reading of 0.14%. I know chemists can mix up solutions very accurately, and for good science you would want to mix the solution as close to 0.14500.. as possible; but we had to assume the solution could be anywhere between 0.1400... and 0.1499... So we could have a solution at the high end of 0.14 and the machine could be measuring at the low end of 0.15 and it is measuring pretty close. Or we could have a solution at the low end of 0.14 and the machine could be measuring at the high end of 0.15 and it is off by just under 0.02%. If errors are additive offsets then the defendant's blood alcohol could be anywhere between 0.0700... and 0.0899... and that absolutely fails to prove 0.08% or more. I used an analogy at the time that this is like trying to verify the accuracy of a yardstick by comparing it with another yardstick.

There's an interesting psychological phenomenon that I observed. There was a lot of testimony by experts about errors and possible errors in the machine. Invariably they and the attorneys would add and subtract 0.01 here and 0.02 there from machine readings as if all the errors are additive offsets. There was never any testimony as to whether the errors in the machine are really offsets or proportional to the reading, or completely nonlinear, or anything else. Nobody ever mentioned an error of so many per-cent, or suggested that multiplication be used. So I conjecture: when people deal with numerical data where there are only two digits they tend to assume that any adjustments to the data are to be made by addition and subtraction. Maybe this phenomenon results from habit dealing with dollars and cents; or maybe it's just that people are lazy and addition is easier than multiplication.

Both experts agreed that the readings are affected by the suspect's body temperature.
I was surprised that the machine doesn't measure and correct for this, or that the temperature isn't taken and recorded at the time of the test.

If we had not been doubtful of guilt from the above accuracy considerations alone we would have had to consider the defense expert's suggestion of various confounding factors, a much more speculative undertaking. He and his colleagues have done experiments and published in the field. They have a few instances in which the subject got a false high reading by blowing very hard. This is not fully understood. He said something about the mucous membranes drying out and releasing extra alcohol. He drew a graph showing that the machine sees a first plateau, at which the reading is good; but then the alcohol level increases and goes to a second higher plateau and the machine takes that as its reading instead of the first.

They have also found the machine will read too high if the suspect is still absorbing ingested alcohol, which can happen for example if the alcohol was taken with food. He didn't offer an explanation for this, but only evidence that it can happen.

There are formulas to predict blood alcohol level based on the amount of alcohol ingested and the weight of the subject and other factors. Our defendant admitted to drinking only one pint of stout with food about 2 hours before the arrest. Both experts calculated this was not enough alcohol to get anywhere near 0.08% blood alcohol. It was maybe barely enough to get the machine to read 0.09% with all of the confounding factors such as temperature and blowing hard and the absorptive-phase phenomenon. Maybe she drank more than she admitted; maybe the machine really is that lousy inaccurate; maybe there are other unconsidered factors leading to errors; we didn't have to go into that.

Advice to drivers would seem to be: if you are arrested for DUI and believe you are innocent then don't choose the breath test - it's not very accurate.
If you think you might barely be guilty then choose the breath test and fight it in court.

------------------------------

Date: Mon, 14 Sep 92 17:50:55 PDT
>From: jane@stratus.swdc.stratus.com (Jane Beckman)
Subject: Automatic DUI (Driving Under the Influence)

A friend's husband just recently got a shock. A notice showed up in the mail that his driver's license was suspended. He called up the California Department of Motor Vehicles (DMV) to find out what was going on. He had recently been involved in a dispute involving his auto, so he suspected it might have something to do with that. Well, they asked him, didn't you recently plead guilty to a charge of Reckless Driving? Yes, he said. Well, that explains it. Wait a minute, he said, explains what? He said it was his understanding that Reckless Driving was not something they normally pulled your license for, or he would have fought it. Oh no, they said, that was for the liquor. You have a DUI (Driving Under the Influence). WHAT? he asked. Your Reckless Driving in connection with DUI. At this point, he knew he had a problem since there was no alcohol involved.

He explained to the woman that the Reckless Driving charge was a plea bargain. He had been stopped and threatened by a juvenile gang who had blocked his car. He had stepped on the gas and hit one of them in trying to get out of there. He was charged with Battery and Assault With a Deadly Weapon (his car) by the gang member, who pressed charges. His lawyer had advised him that fighting the charge, despite circumstances, would be a long and costly battle, especially since where juveniles were involved, it was possible that the jury would find against him. They plea-bargained to a lesser charge of Reckless Driving, and he was fined $250 and sentenced to do 60 hours of community service work (which he was doing, anyway). Fine up until that point.

The woman at the DMV insisted that there was a DUI on the record.
He explained all of the above, and she asked where the liquor came into it. He explained that there was *never* any liquor involved. Finally, he went down to the office and hassled with the officials there, and the court records were pulled. Surprise, no DUI! It was entered into the system again, and bingo, a DUI came up.

I suspect that regular RISKS readers already suspect what the problem was. The system programming on traffic offenses was set up so that a count of Reckless Driving *automatically* entered in a paired count of Driving Under the Influence. The programmer had made the assumption that the two counts were so intimately connected that you would almost *never* have one without the other. To enter a count of Reckless Driving without a DUI, you had to manually override it, and the data-entry clerk was not instructed on this peculiarity, nor was there any flag that Reckless Driving was paired with DUI. And a "guilty" on that count was paired to an automatic license suspension.

The problem of overriding the DUI was finally resolved, but it took several days and a lot of arguing hyperventilating on his part. I would suspect that his is not the first, nor the last, case where this "automatic conviction" came up.

Jane Beckman  [jane@swdc.stratus.com]

------------------------------

Date: 14 Sep 92 19:59:51 GMT
>From: flint@gistdev.gist.com (Flint Pellett)
Subject: Re: update: Barclay voice mail insecurity (Brunnstein, RISKS-13.79)

>... Northern Telecom requires for the US/Canada product *at least 4
>digits code*, whereas the German version was reduced to require *at least 3...

This discussion reminded me of something that I was involved in way back in 1979, which I think is still relevant. The point to be made is that merely the number of bytes in the codeword is insufficient protection. What matters is the product of the number of different combinations by the amount of time required to try each one.
(I think this principle applies to other things such as garage door openers as well, and would love to see someone telling me that once my garage door opener circuitry has recognized that a code was sent which was not the right one, it would not respond to any other code (even the right one) for a period of, perhaps, 15 seconds.) I could then calculate that if there were 10,000 possible codes, that an automated attack would take an average of 20.5 hours, and know how lousy the protection was. As it stands now, I don't really know how secure the system is, and I don't have any idea how secure the 4-digit or 3-digit codes above are.

The incident in question that I had experience with: note that I was not a part of the system staff, so parts of the following are 2nd hand information and may not be completely correct.

This particular mainframe system allowed access to files based on the entry of a codeword, which could have up to 10 characters, and it was quite secure even if you used a 5 character password, given the fact that it would accept input at a maximum of 1200 baud: the average time required to enter all the codes even with a machine doing your typing was years. Normal users were not allowed to access files through programs.

The obvious extension of allowing a user program to open a file was made, and the risk that a program could try passwords a lot faster than 1200 baud was noted. The solution adopted was to write the file opening code so that it would re-read the disk to get the password on every attempt: thus, the speed of the disk access limited the speed at which passwords could be tried, and given agonizingly slow disk performance, things were still secure.

Unfortunately, at some time later disk cache software was incorporated into the system which made the system smart enough that it would not re-read something if it still had it available in memory.
The result was that the 5 character passwords which had been pretty secure suddenly became worthless, because even a brute-force program to try all combinations would run in a few hours.

Bottom line: if you're trying to tell me how secure something is, don't tell me how many combinations there are on the lock, tell me how long it would take to try 1/2 of the combinations, and convince me that you have a way to insure that that time will not decrease as faster and more powerful hardware becomes available.

Flint Pellett, Global Information Systems Technology, Inc., 100 Trade Centre Drive, Suite 301, Champaign, IL 61820  (217) 352-1165  uunet!gistdev!flint

------------------------------

Date: Mon, 14 Sep 1992 02:06:00 -0400
>From: msb@sq.com (Mark Brader)
Subject: Re: "Sneakers" -- A Topical Movie Review (Parker, RISKS-13.79)

Anyone who has not already seen "Sneakers", but would like to, should be careful to have NOT read RISKS-13.79, where a so-called review, right at the top of the issue, reveals most of the storyline and many of the nicer "touches", WITHOUT SO MUCH AS A SPOILER WARNING.

Mark Brader  SoftQuad Inc., Toronto  utzoo!sq!msb, msb@sq.com

[Donn Parker's review was written for his I-4 audience, consisting largely of corporate folks with serious security concerns. He was undoubtedly trying to encourage them to see the movie. Perhaps that review was less suitable for the RISKS audience, so I suppose next time Mark or I will have to write a review specifically aimed at you all, tantalizing you without revealing any of the plot or technological devices. There are also lots of in-jokes, which will NOT appear here. Incidentally, Sneakers was ranked NUMBER 1 in box-office this week.
PGN]

------------------------------

Date: 15 Sep 92 01:23 GMT
>From: TMUG@applelink.apple.com (Tri-Valley Macintosh Users Group,UG)
Subject: Re: Sneakers, the movie (RISKS-13.79)

The phone number they mention in the movie "Sneakers" is a valid 510 area code number; it gets you the IRS in the East Bay. I wonder if this was a glitch. (Movies usually use the 555 prefix for phone numbers.) When I told the IRS person they would probably get lots of phone calls, they did not sound very happy.

James Zuchelli

[It certainly is a departure from the usual 555 regime. But what is interesting is that the number is now permanently problematic, as VCRs will go on forever with that number. PGN]

------------------------------

Date: Tue, 15 Sep 92 11:52:18 +0100
>From: mcrosbie@unix1.tcd.ie (Mark J. Crosbie)
Subject: Greening of Computers

Re: PC board waste in San Francisco Bay (Agre, RISKS-13.79),

In a similar vein, this month's (Sept.) issue of Byte has an article on the "Greening of Computers". It certainly opened my eyes to the various issues involved when disposing of computer hardware.

I wonder if there would be a call for a newsgroup to discuss these environmental issues in relation to computers (including, I suppose, research into the adverse effects of over-exposure to monitor radiation etc.) as against comp.risks which discusses hardware/software failures and such like. The group would take into account the more wide-ranging impact of computing on the environment as a whole, and also discussions of methods of minimising the harmful effects could take place.

If it already exists, what is it called; if it doesn't, would comp.risks.environmental be a good name for it? Does this entail a call for votes to set it up?? Any ideas, takers, or comments???

Mark Crosbie, Dept. of Computer Science, Trinity College, Dublin, Dublin 2 IRELAND.  mcrosbie@vax1.tcd.ie

[RISKS is certainly a good place for technology related environmental issues.
PGN]

------------------------------

Date: Tue, 15 Sep 1992 23:03:06 GMT
>From: Nigel.Allen@lambada.oit.unc.edu (Nigel Allen)
Subject: Michigan Awarded Funds to Improve Criminal History Records

After someone mentioned problems with incorrect information about outstanding arrest warrants in police databases, I thought I should mention that the U.S. Justice Department is awarding state governments grants to improve their criminal history databases. The following press release from the U.S. Justice Department is typical of the announcements it makes when it announces a grant to a state government.

Michigan Awarded Funds to Improve Criminal History Records

To: Michigan Correspondents
Contact: Stu Smith of the Office of Justice Programs, U.S. Department of Justice, 202-307-0784 or 301-983-9354 (after hours)

WASHINGTON, Sept. 9 -- The U.S. Department of Justice has awarded Michigan $50,000 to continue improving the quality of the state's criminal history recordkeeping, the Bureau of Justice Statistics (BJS) announced today.

The project, administered by BJS in the Office of Justice Programs (OJP), is part of a three-year, $27 million Criminal History Record Improvement (CHRI) program established by the attorney general to help states upgrade current systems used to maintain records of arrests, prosecutions, convictions and sentences.

The Bureau of Justice Assistance is providing the funding through the Edward Byrne Memorial State and Local Law Enforcement Assistance Program.

"The major objective of this cooperative agreement is to improve the overall quality of the state's criminal history record information by improving disposition reporting," said BJS Director Steven D. Dillingham. "This administration is making every effort to assure the highest standards of accuracy and timeliness in criminal history record information across the country.
"It is critical that law enforcement officers, prosecutors, judges and corrections officials have access to complete and accurate information on each individual within the purview of the criminal justice system," Dillingham commented.

The Michigan State Police will use the assistance to identify, retrieve and enter missing court disposition records and develop an automated court records system.

"The program emphasizes the recording of arrest, conviction and sentencing information in a form that will make felony history information more reliable and complete," Dillingham commented. "This is a crucial component of the overall objective of insuring that state criminal history records are up-to-date and available to all criminal justice agencies."

Additional information about this program is available from BJS. Publications and statistical and research data may be obtained from the National Criminal Justice Reference Service, Box 6000, Rockville, Md. 20850. The telephone number is 1-301-251-5500. The toll-free number is 1-800-732-3277.

internet: bbs.oit.unc.edu or 152.2.22.80

[rampant disclaimers deleted. All are in effect.]

------------------------------

End of RISKS-FORUM Digest 13.80
************************
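Added example, not part of the digest or of any contributor's message: Flint Pellett's point above (protection is the number of combinations times the time per try, and that time must not shrink with faster hardware) worked through in Python. The 10,000 codes and the 15-second lockout are the post's figures; the ThrottledLock and FakeClock classes and the secret "5000" are constructed for illustration.

```python
import hmac


def expected_hours(keyspace: int, seconds_per_try: float) -> float:
    """Average search time: half the keyspace at a fixed cost per try."""
    return keyspace / 2 * seconds_per_try / 3600


def min_lockout_seconds(keyspace: int, target_hours: float) -> float:
    """Per-failure delay needed so the average search lasts target_hours."""
    return target_hours * 3600 / (keyspace / 2)


class FakeClock:
    """Simulated time source, so the runs below finish instantly."""

    def __init__(self) -> None:
        self.now = 0.0


class ThrottledLock:
    """Code check whose cost per wrong try is set by policy, not by hardware.

    After a wrong code, every code (even the right one) is refused until
    `lockout` seconds have passed, as the post proposes for a door opener.
    """

    def __init__(self, secret: str, lockout: float, clock: FakeClock) -> None:
        self._secret = secret
        self._lockout = lockout
        self._clock = clock
        self.locked_until = 0.0

    def try_code(self, code: str) -> bool:
        if self._clock.now < self.locked_until:
            return False  # locked out: input is ignored, nothing is compared
        if hmac.compare_digest(code, self._secret):
            return True
        self.locked_until = self._clock.now + self._lockout
        return False


def seconds_to_open(secret: str, lockout: float, client_seconds: float) -> float:
    """Simulated time for an in-order search (0000, 0001, ...) to succeed.

    The client needs `client_seconds` per try and otherwise waits out each
    lockout, which is the best any client can do against ThrottledLock.
    """
    clock = FakeClock()
    lock = ThrottledLock(secret, lockout, clock)
    width = len(secret)
    for n in range(10 ** width):
        clock.now = max(clock.now + client_seconds, lock.locked_until)
        if lock.try_code(f"{n:0{width}d}"):
            return clock.now
    raise ValueError("secret must be a decimal code")


if __name__ == "__main__":
    # The post's figures: 10,000 codes, 15 s lockout -> about 20.8 h by this
    # formula (the post quotes 20.5 h).
    print(f"4 digits, 15 s lockout: {expected_hours(10_000, 15):.1f} h average")
    # The 3- vs 4-digit codes of the quoted voice-mail item, same lockout:
    print(f"3 digits, 15 s lockout: {expected_hours(1_000, 15):.1f} h average")
    # Delay a 3-digit code would need to match the 4-digit figure:
    target = expected_hours(10_000, 15)
    print(f"3 digits need a {min_lockout_seconds(1_000, target):.0f} s lockout")
    # Constructed mid-keyspace secret; two clients 1000x apart in speed.
    for speed in (1.0, 0.001):
        throttled = seconds_to_open("5000", 15, speed) / 3600
        unthrottled = seconds_to_open("5000", 0, speed)
        print(f"client at {speed} s/try: {throttled:.2f} h with lockout, "
              f"{unthrottled:.0f} s without")
```

Without the lockout the search time tracks the client's speed, which is the disk-cache regression the post describes; with it, a client a thousand times faster gains about one second in twenty hours.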