University of Bielefeld - Faculty of technology
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.
This page was copied from: http://catless.ncl.ac.uk/Risks/16.19.html
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
The following are the contents of a fax message sent to me today by Dan Hawkes of the CAA (to whom my thanks).

Peter Mellor, Centre for Software Reliability, City Univ. Northampton Square, London EC1V 0HB +44 (71) 477-8422, p.mellor@csr.city.ac.uk

AI/GC-I 22/94R 30th June 1994 Issue 1

A330 FLIGHT TEST ACCIDENT, 30TH JUNE 1994

Airbus Industrie regrets to confirm that a flight test A330, powered by Pratt & Whitney PW4168 engines, crashed at 17.50 today at Blagnac Airport, Toulouse, within the airport boundary.

Seven people were on board the aircraft: four members of Airbus Industrie personnel, including the Chief Test Pilot, and three airline pilots. There were no survivors.

The aircraft involved in the accident was serial number 042, which made its first flight on 14th October 1993 and had accumulated 362 flight hours as part of Airbus Industrie A330 flight test programme.

The flight being undertaken aimed to test a new autopilot standard intended for certification with Pratt & Whitney engines for all-weather Category III operations. The test was planned to take place with maximum aft centre of gravity, at minimum speed and with maximum angle of climb.

Immediately after take-off, once the maximum flight attitude was reached (between 25 and 30 degrees), the test sequence involved switching on the aircraft's autopilot, simulating an engine failure and cutting off the engine's associated hydraulic circuit.

For reasons which are yet to be determined, the aircraft suffered a sudden loss of lateral control. Although it would appear that the pilot regained control, the altitude of the aircraft was too low to avoid impact with the ground, especially bearing in mind the extreme conditions of this particular test flight.

For further information, please contact: AIRBUS INDUSTRIE - PRESS DEPARTMENT Tel.: (33) 61.93.33.87 or 61.93.34.31

[A list of the deceased was appended to the original. PGN]
Commentary, quote choice, and paraphrasing by Mark Seecof <marks@latimes.com>.

In a story on page D-2 of the 1 July 1994 Los Angeles Times by Scot J. Paltrow, we learn of "investigations and enforcement actions directed at individuals who solicit money for dubious or fraudulent investments through the financial bulletin boards of on-line services such as Prodigy, America Online, and CompuServe."

Missouri, New Jersey, and Texas regulators are leading the charge with the members of the "North American Securities Administrators Assn., the organization of state regulators" behind them.

"The action also represents an effort by state regulators to assert jurisdiction over financial solicitations on the bulletin boards, even if the messages are posted from other states or countries. The Securities and Exchange Commission enforcement staff confirmed Thursday that the federal agency is also looking into the issue."

Among other things, "regulators say penny-stock scammers have moved onto the bulletin boards, hyping thinly traded low-priced stocks by posting notes with wildly inflated claims about the companies' prospects."

"The on-line services say they are cooperating with regulators but are not equipped to police the thousands of messages posted daily. They also say it is not a proper role for service operators to limit the free flow of communication, although on-line services often censor sexually explicit or politically offensive messages."
[PGN excerpting]

Good cop, bad cop at fingertips: Computer could see possibilities
Peter Kendall, The Chicago Tribune, 1 July, 1994

The Chicago Police Department has a new computer program that they say will produce a list of officers likely to "go bad" by committing crimes using excessive force or participating in other offenses that can get them fired. The program, built on an $850 off-the-shelf software package, looks at demographic data and work histories of officers who have been fired for disciplinary reasons, then scours police personnel databases for current officers with similar profiles. Officers who appear on the list would be contacted by supervisors and counseled on how to avoid committing acts that could get them fired, sued or even arrested.

The profile of "bad" cops was developed on the basis of race, sex, age, education, number of traffic accidents, reports of lost weapons or badges, marital status and other factors, relating to 191 officers discharged between 1988 and 1993. A comparison of that profile with 2,000 current officers turned up 141 of those officers who were considered "at risk" for committing an offense that could get them fired.

Not surprisingly, the officers' union, the Fraternal Order of Police, is wary. "It's another form of Big Brother watching you," said Bill Nolan, president of the FOP.
[Excerpted from MicroTimes April 18, 1994 Issue #122]

At the fourth Computers, Freedom, & Privacy conference in Chicago last month, the spotlight was on the growing conflict between the rights of individuals and the role of government in the digital age. A luckless White House representative and a lawyer for the NSA tried to convince a varied and skeptical crowd that government control of cryptography was somehow a Good Thing; meanwhile, in their search for fugitive criminals Kevin Mitnick and wooden-legged "Agent Steal", the FBI erroneously arrested one unfortunate attendee whose name happened to resemble one of Mitnick's aliases and interrogated two others, including an ex-Marine and CIA veteran Robert David Steele of Open Sources. ...

Steve L. Rhoades, :30 Second Street, Mt. Wilson, Calif 91023 (818) 794-6004 srhoades@netcom.com

[An article by John Markoff on Mitnick appeared on the front page of The New York Times, July 4, 1994. PGN]
From the Associated Press newswire via Executive News Service (GO ENS) on CompuServe:

"I-Way Robbery", By DAVID GRAM, AP Writer

"MONTPELIER, Vt. (AP) -- Say you're cruising the information superhighway from the comfort of your home computer and come across what appears to be private, inside information on a hot new company.

"You spend $10,000 on stock -- and lose your money.

"You've just become a victim of what securities regulators say is the latest trend in investment scams: frauds perpetrated over computer networks or bulletin board services by hard-to-track hucksters.

"Call it I-way robbery."

The author explains that there is a growing number of scams on the Internet and local BBSs. Some of the frauds perpetrated through Cyberspace are no different from the usual techniques: false claims of expertise, theft of investments. The only specific technique involves deliberately posting what is intended to look like private communications in a public venue, then taking advantage of unscrupulous people's attempt to make a killing in the stock market.

The specific case mentioned by the author involved two "Canadian companies ... heavily hyped on computer bulletin board services. Their stock prices tripled or more in a short period of time, then collapsed. One of the companies was said to have won a major housing contract in the former Soviet Union; the other was said to own a diamond mine in Zaire where a major strike had been made."

The author identifies the nominal non-commerciality of the Internet as a reason for its popularity among thieves.

[Comment from MK: perhaps these frauds will eventually lead to requirements for effective identification and authentication of users. Ultimately, it would be helpful to see non-repudiation as a feature of all electronic communications. For the time being, caveat lector.]

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
Association for Computing Machinery

PRESS RELEASE

Thursday, June 30, 1994

Contact:
Joseph DeBlasi, ACM Executive Director (212) 869-7440
Dr. Stephen Kent, Panel Chair (617) 873-3988
Dr. Susan Landau, Panel Staff (413) 545-0263

COMPUTING SOCIETY RELEASES REPORT ON ENCRYPTION POLICY; "CLIPPER CHIP" CONTROVERSY EXPLORED BY EXPERT PANEL

WASHINGTON, DC - A panel of experts convened by the nation's foremost computing society today released a comprehensive report on U.S. cryptography policy. The report, "Codes, Keys and Conflicts: Issues in U.S. Crypto Policy," is the culmination of a ten-month review conducted by the panel of representatives of the computer industry and academia, government officials, and attorneys. The 50-page document explores the complex technical and social issues underlying the current debate over the Clipper Chip and the export control of information security technology.

"With the development of the information superhighway, cryptography has become a hotly debated policy issue," according to Joseph DeBlasi, Executive Director of the Association for Computing Machinery (ACM), which convened the expert panel. "The ACM believes that this report is a significant contribution to the ongoing debate on the Clipper Chip and encryption policy. It cuts through the rhetoric and lays out the facts."

Dr. Stephen Kent, Chief Scientist for Security Technology with the firm of Bolt Beranek and Newman, said that he was pleased with the final report. "It provides a very balanced discussion of many of the issues that surround the debate on crypto policy, and we hope that it will serve as a foundation for further public debate on this topic."

The ACM report addresses the competing interests of the various stakeholders in the encryption debate -- law enforcement agencies, the intelligence community, industry and users of communications services. It reviews the recent history of U.S. cryptography policy and identifies key questions that policymakers must resolve as they grapple with this controversial issue.

The ACM cryptography panel was chaired by Dr. Stephen Kent. Dr. Susan Landau, Research Associate Professor in Computer Science at the University of Massachusetts, co-ordinated the work of the panel and did most of the writing. Other panel members were Dr. Clinton Brooks, Advisor to the Director, National Security Agency; Scott Charney, Chief of the Computer Crime Unit, Criminal Division, U.S. Department of Justice; Dr. Dorothy Denning, Computer Science Chair, Georgetown University; Dr. Whitfield Diffie, Distinguished Engineer, Sun Microsystems; Dr. Anthony Lauck, Corporate Consulting Engineer, Digital Equipment Corporation; Douglas Miller, Government Affairs Manager, Software Publishers Association; Dr. Peter Neumann, Principal Scientist, SRI International; and David Sobel, Legal Counsel, Electronic Privacy Information Center. Funding for the cryptography study was provided in part by the National Science Foundation.

The ACM, founded in 1947, is a 85,000 member non-profit educational and scientific society dedicated to the development and use of information technology, and to addressing the impact of that technology on the world's major social challenges. For general information, contact ACM, 1515 Broadway, New York, NY 10036. (212) 869-7440 (tel), (212) 869-0481 (fax).

Information on accessing the report electronically will be posted soon in this newsgroup.
U S A C M

Association for Computing Machinery, U.S. Public Policy Committee

* PRESS RELEASE *

Thursday, June 30, 1994

Contact:
Barbara Simons (408) 463-5661, simons@acm.org (e-mail)
Jim Horning (415) 853-2216, horning@src.dec.com (e-mail)
Rob Kling (714) 856-5955, kling@ics.uci.edu (e-mail)

COMPUTER POLICY COMMITTEE CALLS FOR WITHDRAWAL OF CLIPPER
COMMUNICATIONS PRIVACY "TOO IMPORTANT" FOR SECRET DECISION-MAKING

WASHINGTON, DC - The public policy arm of the oldest and largest international computing society today urged the White House to withdraw the controversial "Clipper Chip" encryption proposal. Noting that the "security and privacy of electronic communications are vital to the development of national and international information infrastructures," the Association for Computing Machinery's U.S. Public Policy Committee (USACM) added its voice to the growing debate over encryption and privacy policy.

In a position statement released at a press conference on Capitol Hill, the USACM said that "communications security is too important to be left to secret processes and classified algorithms." The Clipper technology was developed by the National Security Agency, which classified the cryptographic algorithm that underlies the encryption device. The USACM believes that Clipper "will put U.S. manufacturers at a disadvantage in the global market and will adversely affect technological development within the United States." The technology has been championed by the Federal Bureau of Investigation and the NSA, which claim that "non-escrowed" encryption technology threatens law enforcement and national security.

"As a body concerned with the development of government technology policy, USACM is troubled by the process that gave rise to the Clipper initiative," said Dr. Barbara Simons, a computer scientist with IBM who chairs the USACM. "It is vitally important that privacy protections for our communications networks be developed openly and with full public participation."

The USACM position statement was issued after completion of a comprehensive study of cryptography policy sponsored by the ACM (see companion release). The study, "Codes, Keys and Conflicts: Issues in U.S. Crypto Policy," was prepared by a panel of experts representing various constituencies involved in the debate over encryption.

The ACM, founded in 1947, is a 85,000 member non-profit educational and scientific society dedicated to the development and use of information technology, and to addressing the impact of that technology on the world's major social challenges. USACM was created by ACM to provide a means for presenting and discussing technological issues to and with U.S. policymakers and the general public. For further information on USACM, please call (202) 298-0842.

=============================================================

USACM Position on the Escrowed Encryption Standard

The ACM study "Codes, Keys and Conflicts: Issues in U.S. Crypto Policy" sets forth the complex technical and social issues underlying the current debate over widespread use of encryption. The importance of encryption, and the need for appropriate policies, will increase as networked communication grows. Security and privacy of electronic communications are vital to the development of national and international information infrastructures.

The Clipper Chip, or "Escrowed Encryption Standard" (EES) Initiative, raises fundamental policy issues that must be fully addressed and publicly debated. After reviewing the ACM study, which provides a balanced discussion of the issues, the U.S. Public Policy Committee of ACM (USACM) makes the following recommendations.

1. The USACM supports the development of public policies and technical standards for communications security in open forums in which all stakeholders -- government, industry, and the public -- participate. Because we are moving rapidly to open networks, a prerequisite for the success of those networks must be standards for which there is widespread consensus, including international acceptance. The USACM believes that communications security is too important to be left to secret processes and classified algorithms. We support the principles underlying the Computer Security Act of 1987, in which Congress expressed its preference for the development of open and unclassified security standards.

2. The USACM recommends that any encryption standard adopted by the U.S. government not place U.S. manufacturers at a disadvantage in the global market or adversely affect technological development within the United States. Few other nations are likely to adopt a standard that includes a classified algorithm and keys escrowed with the U.S. government.

3. The USACM supports changes in the process of developing Federal Information Processing Standards (FIPS) employed by the National Institute of Standards and Technology. This process is currently predicated on the use of such standards solely to support Federal procurement. Increasingly, the standards set through the FIPS process directly affect non-federal organizations and the public at large. In the case of the EES, the vast majority of comments solicited by NIST opposed the standard, but were openly ignored. The USACM recommends that the standards process be placed under the Administrative Procedures Act so that citizens may have the same opportunity to challenge government actions in the area of information processing standards as they do in other important aspects of Federal agency policy making.

4. The USACM urges the Administration at this point to withdraw the Clipper Chip proposal and to begin an open and public review of encryption policy. The escrowed encryption initiative raises vital issues of privacy, law enforcement, competitiveness and scientific innovation that must be openly discussed.

5. The USACM reaffirms its support for privacy protection and urges the administration to encourage the development of technologies and institutional practices that will provide real privacy for future users of the National Information Infrastructure.
A particularly disturbing aspect of the cell phone story as it relates to the Simpson case is that one of the local L.A. television stations had obtained, by the night of the chase, the printout of all calls made from Simpson's phone, and was showing the printout, in detail with all numbers exposed, on the air. They were also busily calling the numbers and questioning whoever answered. By Monday evening, the station was demonstrating how Simpson's original voicemail announce message had been changed (I would presume by a hacker) to something I'll categorize as being in very bad taste. --Lauren--
There is some apparent confusion in what was reported by Atkins re locating the Cawlings-Simpson Bronco. The following is from local media reporting.

The local TV news interviewed a young couple who were on the way to the beach, pulled alongside the Bronco, recognized Cawlings, fell back and got the license number, stopped at the first roadside emergency fone [which are spaced every mile along Southern California freeways], and reported the event/location. Parts of the phone conversation with the emergency dispatcher were played over TV, and the young couple were both present on TV to tell their story. Shortly thereafter, a police [Santa Ana ??] patrol car spotted the Bronco and the Great Freeway Chase was underway. The same car was said to be the lead vehicle throughout the chase right up into the driveway at the home.

The Sunday LATimes did have an article concerning the role of the cell phone in the event. It is correct that the car received and originated many calls during the chase. Some of the calls were from people trying to persuade Simpson to surrender [e.g., McCabe his former coach], others were from the police in a negotiating mode, others were with the chase cars alerting them to intended turnoffs onto other freeways and reporting the status of the occupants. Parts of some of these calls have been played on TV, and the content of others described verbally.

The Sunday article reported that "local law enforcement" subpoenaed the cellular carrier [AirTouch] to cooperate, and the company reported that it did monitor calls to/from the cellular number. The article also reports that law enforcement had obtained a court warrant authorizing tapping of the cell phone, but it is not completely clear whether this was a separate action or related to the subpoena action. The legal facts are that actual tapping does require a court-authorized warrant [the Wiretap Act of 1968] but access to "transaction records" requires only a subpoena. It is possible that law enforcement did both things just to be safely legal.

The Times interviewed a security consultant from Houston who seemingly speculated that triangulation had been used to locate the Bronco. I put it that way because there has been no statement by law enforcement that it did more than have AirTouch monitor the calls. Moreover triangulation equipment for a fast moving nearby target is not likely something that the local law enforcement authorities would have. There has been no mention of the FBI but it is conceivable that it played a support shadow role; it probably does have triangulation equipment.

The local reporting has been quite explicit that visible sighting of the car was the basis of locating it, and that the cellphone became involved only in attempting to resolve the situation. There have been no official statements that the cellphone was involved in location; there were the comments by the consultant that triangulation was - or could have been - used.

General comment. A cellular system must know which cell an active call is in because the system control must monitor adjacent cells and be prepared to pass the call to one of them when the signal level falls below some threshold. So the Bronco's location within some cell could have been known but it would not be very precise. If cells get smaller in the future, then the precision of location will increase - as Derek Atkins properly points out. In the case of the Cawlings-Simpson chase, however, the evidence is that visible sightings were the basis for initiating and conducting the chase. Seemingly the facts got garbled as they wandered around the country and were rewritten for various media occasions.

A cellphone in standby mode also is in contact with cell stations so that its location will be known for incoming calls. Again, the location will be known by the system but only to within the extent of a cell-size. A cellphone that is turned off does not transmit and is invisible to the system. Whether system designs are such that "sustaining background monitoring data" is available to the operators is beyond my knowledge -- the same LATimes article did make reference to AirTouch conducting monitoring for the purpose of detecting fraud.

Willis H. Ware

[Some of this was also noted by Mark Stalzer, stalzer@macaw.hrl.hac.com .]
Derek Atkins wrote of the risk of cellular phones as exemplified by the OJ Simpson case. I say, what risk? The risk that an accused double murderer will be arrested? That is a RISK? Often I have heard of politicians, criminals (my redundancy checker is broken) caught unawares by the lack of privacy of cellular phones. There is no insidious plot to this, only the fortunate stupidity of the cell phone user, who has forgotten how the technology works. Just because a previous form of communication afforded a degree of privacy, one cannot assume, or logically legislate that all succeeding forms have the same. If you use a form of communication it is incumbent upon you to match your expectations of privacy with the technology, not the other way around. Bob Morrell
Just ran across confusion about cellular service in two disparate sources. Ann Landers and CNN.

The AL column mentioned Cellular in the headline. The centerpiece was a claim by Ameritech about how hard it is to listen in and that it was possible to get secure phones (from whom?). This is, of course, disinformation. The risks of listening in are not that someone will carefully follow both sides of a conversation, but that listeners will glean key information from portions of random conversations. One can argue about how big the threat is, but we know it is real. The key to the confusion is that the risk is viewed in terms of tapping a land phone line rather than recognizing that the nature of the risk has changed because cellular phones are not simply phones with long wires but a very different base technology.

This same confusion is the basis for the CNN story. As with Ann Landers, CNN itself is confused. First it reported the story as if this is a new problem that occurs only far away in the Philippines. The issue is a simple one -- assigning duplicate ESN numbers to phones. The "legitimate" excuse is that multiple ESN's are simply a way to allow a relative to use your number without an additional monthly charge and the theft of service is viewed as the real threat. The loss was quoted as $1,000,000 a year -- obviously a serious underestimate. I would guess that the provider is attempting to minimize the fears. What was interesting was the terminology used mimicked landlines. In fact, they talked about using someone else's "line". The use of duplicate ESN's is also based on the model of adding an extension not recognizing the complexities of call routing.

Whatever the risks are of new technologies, viewing them in terms of the old technology adds a new level of risk and confusion.

As an aside, I'll give the local Cellular One provider (SW Bell) credit for having a companion phone charge of just $10/month. But, in general, I'm frustrated by getting a separate bill for each number as opposed to having an account. This is a different aspect of the inability of the Telcos to move beyond a model of single line phone service to the home. (OK, Sprint and some others supposedly do have smarter ways of handling this). Of course, there are those that would view this difficulty in changing models as what keeps technology from changing too fast and is thus a way to reduce risk.
COPY! by Michael Blume