University of Bielefeld -  Faculty of technology
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.
This page was copied from:

The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16, Issue 19

Tuesday 5 July 1994


o A330 crash: Press Release
Pete Mellor
o States crack down on "cyberfraud"
Mark Seecof
o AI to screen bad from good cops in Chicago
Christopher Maag
o Going to a Computer Conference? Don't use your real name!
Steve L. Rhoades
o Fraud on the Internet
Mich Kabay
o ACM Releases Crypto Study
DC Office
o USACM Calls for Clipper Withdrawal
DC Office
o Re: Physical Location via Cell Phone
Lauren Weinstein
Willis H. Ware
Robert Morrell Jr.
o Cellular Confusion
Bob Frankston
o Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

A330 crash: Press Release

Pete Mellor <>
Fri, 1 Jul 94 16:44:40 BST
     The following are the contents of a fax message sent to me today by 
     Dan Hawkes of the CAA (to whom my thanks). 
     Peter Mellor, Centre for Software Reliability, City Univ. Northampton Square, 
     London EC1V 0HB   +44 (71) 477-8422, 
     AI/GC-I 22/94R                             30th June 1994 
     Issue 1 
     Airbus Industrie regrets to confirm that a flight test A330, powered by Pratt
     & Whitney PW4168 engines, crashed at 17.50 today at Blagnac Airport, Toulouse,
     within the airport boundary.  Seven people were on board the aircraft: four
     members of Airbus Industrie personnel, including the Chief Test Pilot, and
     three airline pilots. There were no survivors.
     The aircraft involved in the accident was serial number 042, which made its
     first flight on 14th October 1993 and had accumulated 362 flight hours as part
     of Airbus Industrie A330 flight test programme.
     The flight being undertaken aimed to test a new autopilot standard intended
     for certification with Pratt & Whitney engines for all-weather Category III
     The test was planned to take place with maximum aft centre of gravity, at
     minimum speed and with maximum angle of climb.
     Immediately after take-off, once the maximum flight attitude was reached
     (between 25 and 30 degrees), the test sequence involved switching on the
     aircraft's autopilot, simulating an engine failure and cutting off the
     engine's associated hydraulic circuit.
     For reasons which are yet to be determined, the aircraft suffered a sudden
     loss of lateral control. Although it would appear that the pilot regained
     control, the altitude of the aircraft was too low to avoid impact with the
     ground, especially bearing in mind the extreme conditions of this particular
     test flight.
     For further information, please contact: 
     Tel.: (33) or 
       [A list of the deceased was appended to the original.  PGN]

States crack down on "cyberfraud"

Mark Seecof PSD x77605 < >
Fri, 1 Jul 1994 13:25:43 -0700
     Commentary, quote choice, and paraphrasing by Mark Seecof <>.
     In a story on page D-2 of the 1 July 1994 Los Angeles Times by Scot J. Paltrow,
     we learn of "investigations and enforcement actions directed at individuals who
     solicit money for dubious or fraudulent investments through the financial
     bulletin boards of on-line services such as Prodigy, America Online, and
     Missouri, New Jersey, and Texas regulators are leading the charge with the
     members of the "North American Securities Administrators Assn., the
     organization of state regulators" behind them.
     "The action also represents an effort by state regulators to assert
     jurisdiction over financial solicitations on the bulletin boards, even if the
     messages are posted from other states or countries.  The Securities and
     Exchange Commission enforcement staff confirmed Thursday that the federal
     agency is also looking into the issue."
     Among other things, "regulators say penny-stock scammers have moved onto the
     bulletin boards, hyping thinly traded low-priced stocks by posting notes with
     wildly inflated claims about the companies' prospects."
     "The on-line services say they are cooperating with regulators but are not
     equipped to police the thousands of messages posted daily.  They also say it
     is not a proper role for service operators to limit the free flow of
     communication, although on-line services often censor sexually explicit or
     politically offensive messages."

AI to screen bad from good cops in Chicago

Christopher Maag <>
Mon, 4 Jul 1994 15:55:12 -0400 (EDT)
     [PGN excerpting]
     Good cop, bad cop at fingertips: Computer could see possibilities
     Peter Kendall, The Chicago Tribune, 1 July, 1994
       The Chicago Police Department has a new computer program that they say will
     produce a list of officers likely to "go bad" by committing crimes using
     excessive force or participating in other offenses that can get them fired.
     The program, built on an $850 off-the-shelf software package, looks at
     demographic data and work histories of officers who have been fired for
     disciplinary reasons, then scours police personnel databases for current
     officers with similar profiles.  Officers who appear on the list would be
     contacted by supervisors and counseled on how to avoid committing acts that
     could get them fired, sued or even arrested.
       The profile of "bad" cops was developed on the basis of race, sex, age,
     education, number of traffic accidents, reports of lost weapons or badges,
     marital status and other factors, relating to 191 officers discharged between
     1988 and 1993.  A comparison of that profile with 2,000 current officers
     turned up 141 of those officers who were considered "at risk" for committing
     an offense that could get them fired.
       Not surprisingly, the officers' union, the Fraternal Order of Police, is
     wary.  "It's another form of Big Brother watching you," said Bill Nolan,
     president of the FOP.

Going to a Computer Conference? Don't use your real name!

Steve L. Rhoades < >
Wed, 4 May 1994 01:54:33 GMT
     [Excerpted from MicroTimes  April 18, 1994  Issue #122]
     At the fourth Computers, Freedom, & Privacy conference in Chicago last month,
     the spotlight was on the growing conflict between the rights of individuals
     and the role of government in the digital age.  A luckless White House
     representative and a lawyer for the NSA tried to convince a varied and
     skeptical crowd that government control of cryptography was somehow a Good
     Meanwhile, in their search for fugitive criminals Kevin Mitnick and
     wooden-legged "Agent Steal", the FBI erroneously arrested one unfortunate
     attendee whose name happened to resemble one of Mitnick's aliases and
     interrogated two others, including an ex-Marine and CIA veteran Robert David
     Steele of Open Sources. ...
     Steve L. Rhoades, :30 Second Street, Mt. Wilson, Calif 91023    
     (818) 794-6004
       [An article by John Markoff on Mitnick appeared on the 
       front page of The New York Times, July 4, 1994.  PGN]

Fraud on the Internet

"Mich Kabay [NCSA Sys_Op]" <>
30 Jun 94 12:13:32 EDT
     From the Associated Press newswire via Executive News Service (GO ENS) on
     "I-Way Robbery", By DAVID GRAM, AP Writer
        MONTPELIER, Vt. (AP) -- Say you're cruising the information superhighway
     from the comfort of your home computer and come across what appears to be
     private, inside information on a hot new company. 
        "You spend $10,000 on stock -- and lose your money. 
        "You've just become a victim of what securities regulators say is the
     latest trend in investment scams: frauds perpetrated over computer networks or
     bulletin board services by hard-to-track hucksters.
        "Call it I-way robbery."
     The author explains that there is a growing number of scams on the Internet and
     local BBSs.
     Some of the frauds perpetrated through Cyberspace are no different from the
     usual techniques: false claims of expertise, theft of investments.  The only
     specific technique involves deliberately posting what is intended to look like
     private communications in a public venue, then taking advantage of
     unscrupulous people's attempt to make a killing in the stock market.  The
     specific case mentioned by the author involved two "Canadian companies ...
     heavily hyped on computer bulletin board services. Their stock prices tripled
     or more in a short period of time, then collapsed. One of the companies was
     said to have won a major housing contract in the former Soviet Union; the
     other was said to own a diamond mine in Zaire where a major strike had been
     The author identifies the nominal non-commerciality of the Internet as a reason
     for its popularity among thieves.
     [Comment from MK: perhaps these frauds will eventually lead to requirements for
     effective identification and authentication of users.  Ultimately, it would be
     helpful to see non-repudiation as a feature of all electronic communications.
     For the time being, caveat lector.]
     Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn

ACM Releases Crypto Study

"US ACM, DC Office" <>
Thu, 30 Jun 1994 16:34:47 +0000
                     Association for Computing Machinery
                                PRESS RELEASE
     Thursday, June 30, 1994
     Joseph DeBlasi, ACM Executive Director (212) 869-7440 
     Dr. Stephen Kent, Panel Chair (617) 873-3988 
     Dr. Susan Landau, Panel Staff (413) 545-0263
          WASHINGTON, DC - A panel of experts convened by the nation's foremost
     computing society today released a comprehensive report on U.S. cryptography
     policy.  The report, "Codes, Keys and Conflicts: Issues in U.S Crypto Policy,"
     is the culmination of a ten-month review conducted by the panel of
     representatives of the computer industry and academia, government officials,
     and attorneys.  The 50-page document explores the complex technical and social
     issues underlying the current debate over the Clipper Chip and the export
     control of information security technology.
          "With the development of the information superhighway, cryptography has
     become a hotly debated policy issue," according to Joseph DeBlasi, Executive
     Director of the Association for Computing Machinery (ACM), which convened the
     expert panel.  "The ACM believes that this report is a significant
     contribution to the ongoing debate on the Clipper Chip and encryption policy.
     It cuts through the rhetoric and lays out the facts."
          Dr. Stephen Kent, Chief Scientist for Security Technology with the firm
     of Bolt Beranek and Newman, said that he was pleased with the final report.
     "It provides a very balanced discussion of many of the issues that surround
     the debate on crypto policy, and we hope that it will serve as a foundation
     for further public debate on this topic."
          The ACM report addresses the competing interests of the various
     stakeholders in the encryption debate -- law enforcement agencies, the
     intelligence community, industry and users of communications services.  It
     reviews the recent history of U.S. cryptography policy and identifies key
     questions that policymakers must resolve as they grapple with this
     controversial issue.
          The ACM cryptography panel was chaired by Dr. Stephen Kent.  Dr. Susan
     Landau, Research Associate Professor in Computer Science at the University of
     Massachusetts, co-ordinated the work of the panel and did most of the writing.
     Other panel members were Dr.  Clinton Brooks, Advisor to the Director,
     National Security Agency; Scott Charney, Chief of the Computer Crime Unit,
     Criminal Division, U.S. Department of Justice; Dr. Dorothy Denning, Computer
     Science Chair, Georgetown University; Dr. Whitfield Diffie, Distinguished
     Engineer, Sun Microsystems; Dr. Anthony Lauck, Corporate Consulting Engineer,
     Digital Equipment Corporation; Douglas Miller, Government Affairs Manager,
     Software Publishers Association; Dr. Peter Neumann, Principal Scientist, SRI
     International; and David Sobel, Legal Counsel, Electronic Privacy Information
     Center.  Funding for the cryptography study was provided in part by the
     National Science Foundation.
          The ACM, founded in 1947, is an 85,000 member non-profit educational and
     scientific society dedicated to the development and use of information
     technology, and to addressing the impact of that technology on the world's
     major social challenges.  For general information, contact ACM, 1515 Broadway,
     New York, NY 10036. (212) 869-7440 (tel), (212) 869-0481 (fax).
          Information on accessing the report electronically will be 
     posted soon in this newsgroup.

USACM Calls for Clipper Withdrawal

"US ACM, DC Office" <>
Thu, 30 Jun 1994 16:35:37 +0000
                                   U S A C M
      Association for Computing Machinery, U.S. Public Policy Committee
                               * PRESS  RELEASE *
     Thursday, June 30, 1994	
     Barbara Simons (408) 463-5661, (e-mail)
     Jim Horning  (415) 853-2216, (e-mail)
     Rob Kling (714) 856-5955, (e-mail)
                          SECRET DECISION-MAKING
          WASHINGTON, DC - The public policy arm of the oldest and largest
     international computing society today urged the White House to withdraw the
     controversial "Clipper Chip" encryption proposal.  Noting that the "security
     and privacy of electronic communications are vital to the development of
     national and international information infrastructures," the Association for
     Computing Machinery's U.S. Public Policy Committee (USACM) added its voice to
     the growing debate over encryption and privacy policy.
          In a position statement released at a press conference on Capitol Hill,
     the USACM said that "communications security is too important to be left to
     secret processes and classified algorithms."  The Clipper technology was
     developed by the National Security Agency, which classified the cryptographic
     algorithm that underlies the encryption device.  The USACM believes that
     Clipper "will put U.S. manufacturers at a disadvantage in the global market
     and will adversely affect technological development within the United States."
     The technology has been championed by the Federal Bureau of Investigation and
     the NSA, which claim that "non-escrowed" encryption technology threatens law
     enforcement and national security.
          "As a body concerned with the development of government technology
     policy, USACM is troubled by the process that gave rise to the Clipper
     initiative," said Dr. Barbara Simons, a computer scientist with IBM who chairs
     the USACM.  "It is vitally important that privacy protections for our
     communications networks be developed openly and with full public
          The USACM position statement was issued after completion of a
     comprehensive study of cryptography policy sponsored by the ACM (see companion
     release).  The study, "Codes, Keys and Conflicts: Issues in U.S Crypto
     Policy," was prepared by a panel of experts representing various
     constituencies involved in the debate over encryption.
          The ACM, founded in 1947, is an 85,000 member non-profit educational and
     scientific society dedicated to the development and use of information
     technology, and to addressing the impact of that technology on the world's
     major social challenges.  USACM was created by ACM to provide a means for
     presenting and discussing technological issues to and with U.S. policymakers
     and the general public.  For further information on USACM, please call (202)
     298-0842.
            USACM Position on the Escrowed Encryption Standard
     The ACM study "Codes, Keys and Conflicts: Issues in U.S Crypto Policy" sets
     forth the complex technical and social issues underlying the current debate
     over widespread use of encryption.  The importance of encryption, and the need
     for appropriate policies, will increase as networked communication grows.
     Security and privacy of electronic communications are vital to the development
     of national and international information infrastructures.
     The Clipper Chip, or "Escrowed Encryption Standard" (EES) Initiative, raises
     fundamental policy issues that must be fully addressed and publicly debated.
     After reviewing the ACM study, which provides a balanced discussion of the
     issues, the U.S.  Public Policy Committee of ACM (USACM) makes the following
       1.  The USACM supports the development of public policies and technical
     standards for communications security in open forums in which all stakeholders
     -- government, industry, and the public -- participate.  Because we are moving
     rapidly to open networks, a prerequisite for the success of those networks
     must be standards for which there is widespread consensus, including
     international acceptance.  The USACM believes that communications security is
     too important to be left to secret processes and classified algorithms.  We
     support the principles underlying the Computer Security Act of 1987, in which
     Congress expressed its preference for the development of open and unclassified
     security standards.
       2.  The USACM recommends that any encryption standard adopted by the U.S.
     government not place U.S. manufacturers at a disadvantage in the global market
     or adversely affect technological development within the United States.  Few
     other nations are likely to adopt a standard that includes a classified
     algorithm and keys escrowed with the U.S. government.
       3.  The USACM supports changes in the process of developing Federal
     Information Processing Standards (FIPS) employed by the National Institute of
     Standards and Technology.  This process is currently predicated on the use of
     such standards solely to support Federal procurement.  Increasingly, the
     standards set through the FIPS process directly affect non-federal
     organizations and the public at large.  In the case of the EES, the vast
     majority of comments solicited by NIST opposed the standard, but were openly
     ignored.  The USACM recommends that the standards process be placed under the
     Administrative Procedures Act so that citizens may have the same opportunity
     to challenge government actions in the area of information processing
     standards as they do in other important aspects of Federal agency policy
       4.  The USACM urges the Administration at this point to withdraw the Clipper
     Chip proposal and to begin an open and public review of encryption policy.
     The escrowed encryption initiative raises vital issues of privacy, law
     enforcement, competitiveness and scientific innovation that must be openly
       5.  The USACM reaffirms its support for privacy protection and urges the
     administration to encourage the development of technologies and institutional
     practices that will provide real privacy for future users of the National
     Information Infrastructure.

Re: Physical Location via Cell Phone

Lauren Weinstein < >
Tue, 21 Jun 94 10:39 PDT
     A particularly disturbing aspect of the cell phone story as it relates to the
     Simpson case is that one of the local L.A. television stations had obtained,
     by the night of the chase, the printout of all calls made from Simpson's
     phone, and was showing the printout, in detail with all numbers exposed, on
     the air.  They were also busily calling the numbers and questioning whoever
     answered.  By Monday evening, the station was demonstrating how Simpson's
     original voicemail announce message had been changed (I would presume by a
     hacker) to something I'll categorize as being in very bad taste.

Re: Physical Location via Cell Phone (Atkins, RISKS-16.17)

"Willis H. Ware" <>
Tue, 21 Jun 94 11:43:54 PDT
     There is some apparent confusion in what was reported by Atkins re locating
     the Cowlings-Simpson Bronco.  The following is from local media reporting.
     The local TV news interviewed a young couple who were on the way to the
     beach, pulled alongside the Bronco, recognized Cowlings, fell back and got
     the license number, stopped at the first roadside emergency fone [which
     are spaced every mile along Southern California freeways], and reported
     the event/location.  Parts of the phone conversation with the emergency
     dispatcher were played over TV, and the young couple were both present on
     TV to tell their story.
     Shortly thereafter, a police [Santa Ana ??] patrol car spotted the Bronco
     and the Great Freeway Chase was underway.  The same car was said to be the
     lead vehicle throughout the chase right up into the driveway at the home.
     The Sunday LATimes did have an article concerning the role of the cell
     phone in the event.  It is correct that the car received and originated
     many calls during the chase.  Some of the calls were from people trying to
     persuade Simpson to surrender [e.g., McCabe his former coach], others were
     from the police in a negotiating mode, others were with the chase cars
     alerting them to intended turnoffs onto other freeways and reporting the
     status of the occupants.  Parts of some of these calls have been played on
     TV, and the content of others described verbally.
     The Sunday article reported that "local law enforcement" subpoenaed the
     cellular carrier [AirTouch] to cooperate, and the company reported that it
     did monitor calls to/from the cellular number.  The article also reports
     that law enforcement had obtained a court warrant authorizing tapping of
     the cell phone, but it is not completely clear whether this was a separate
     action or related to the subpoena action.
     The legal facts are that actual tapping does require a court-authorized
     warrant [the Wiretap Act of 1968] but access to "transaction records"
     requires only a subpoena.  It is possible that law enforcement did both
     things just to be safely legal.
     The Times interviewed a security consultant from Houston who seemingly
     speculated that triangulation had been used to locate the Bronco.  I put it
     that way because there has been no statement by law enforcement that it did
     more than have AirTouch monitor the calls. Moreover triangulation equipment
     for a fast moving nearby target is not likely something that the local law
     enforcement authorities would have.  There has been no mention of the
     FBI but it is conceivable that it played a support shadow role; it probably
     does have triangulation equipment.
     The local reporting has been quite explicit that visible sighting of the
     car was the basis of locating it, and that the cellphone became involved
     only in attempting to resolve the situation.  There have been no official
     statements that the cellphone was involved in location; there were the
     comments by the consultant that triangulation was - or could have been -
     General comment.  A cellular system must know which cell an active call is
     in because the system control must monitor adjacent cells and be prepared
     to pass the call to one of them when the signal level falls below some
     threshold.  So the Bronco's location within some cell could have been
     known but it would not be very precise.  If cells get smaller in the
     future, then the precision of location will increase - as Derek Atkins
     properly points out.  In the case of the Cowlings-Simpson chase, however,
     the evidence is that visible sightings were the basis for initiating and
     conducting the chase.  Seemingly the facts got garbled as they wandered
     around the country and were rewritten for various media occasions.
     A cellphone in standby mode also is in contact with cell stations so that
     its location will be known for incoming calls.  Again, the location will be
     known by the system but only to within the extent of a cell-size.  A
     cellphone that is turned off does not transmit and is invisible to the
     system.  Whether system designs are such that "sustaining background
     monitoring data" is available to the operators is beyond my knowledge --
     the same LATimes article did make reference to AirTouch conducting
     monitoring for the purpose of detecting fraud.
     				Willis H. Ware
       [Some of this was also noted by Mark Stalzer, .]

Re: Physical Location via Cell Phone (Atkins, RISKS-16.17)

"Robert Morrell Jr." <>
Tue, 21 Jun 1994 14:26:50 -0400 (EDT)
     Derek Atkins wrote of the risk of cellular phones as exemplified by the OJ
     Simpson case. I say, what risk? The risk that an accused double murderer will
     be arrested? That is a RISK?  Often I have heard of politicians, criminals (my
     redundancy checker is broken) caught unawares by the lack of privacy of
     cellular phones. There is no insidious plot to this, only the fortunate
     stupidity of the cell phone user, who has forgotten how the technology works.
     Just because a previous form of communication afforded a degree of privacy,
     one cannot assume, or logically legislate that all succeeding forms have the
     same. If you use a form of communication it is incumbent upon you to match
     your expectations of privacy with the technology, not the other way around.
     Bob Morrell

Cellular confusion

Sun, 3 Jul 1994 17:27 -0400
     Just ran across confusion about cellular service in two disparate sources.
     Ann Landers and CNN.
     The AL column mentioned Cellular in the headline. The centerpiece was a claim 
     by Ameritech about how hard it is to listen in and that it was possible to 
     get secure phones (from whom?). This is, of course, disinformation. The risks 
     of listening in are not that someone will carefully follow both sides of a 
     conversation, but that listeners will glean key information from portions of 
     random conversations. One can argue about how big the threat is, but we know 
     it is real. The key to the confusion is that the risk is viewed in terms of 
     tapping a land phone line rather than recognizing that the nature of the risk 
     has changed because cellular phones are not simply phones with long wires but 
     a very different base technology.
     This same confusion is the basis for the CNN story. As with Ann Landers, CNN 
     itself is confused. First it reported the story as if this is a new problem 
     that occurs only far away in the Philippines. The issue is a simple one -- 
     assigning duplicate ESN numbers to phones. The "legitimate" excuse is that 
     multiple ESN's are simply a way to allow a relative to use your number 
     without an additional monthly charge and the theft of service is viewed as 
     the real threat. The loss was quoted as $1,000,000 a year -- obviously a 
     serious underestimate. I would guess that the provider is attempting to 
     minimize the fears. What was interesting was the terminology used mimicked 
     landlines. In fact, they talked about using someone else's "line". The use  
     of duplicate ESN's is also based on the model of adding an extension not 
     recognizing the complexities of call routing.
     Whatever the risks are of new technologies, viewing them in terms of the old 
     technology adds a new level of risk and confusion.
     As an aside, I'll give the local Cellular One provider (SW Bell) credit for 
     having a companion phone charge of just $10/month. But, in general, I'm 
     frustrated by getting a separate bill for each number as opposed to having an 
     account.  This is a different aspect of the inability of the Telcos to move 
     beyond a model of single line phone service to the home. (OK, Sprint and some 
     others supposedly do have smarter ways of handling this).
     Of course, there are those that would view this difficulty in changing models 
     as what keeps technology from changing too fast and is thus a way to reduce 

Last modification on 1999-06-15
by Michael Blume