9-Dec-85 16:23:54-PST,14088;000000000000 Mail-From: NEUMANN created at 9-Dec-85 16:21:36 Date: Mon 9 Dec 85 16:21:36-PST From: RISKS FORUM (Peter G. Neumann, Coordinator) Subject: RISKS-1.28 Sender: NEUMANN@SRI-CSL.ARPA To: RISKS-LIST@SRI-CSL.ARPA RISKS-LIST: RISKS-FORUM Digest Sunday, 8 Dec 1985 Volume 1 : Issue 28 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS Peter G. Neumann, moderator Contents: Viruses and Worms (Mark S. Day, Aaron M. Ellison, Ted Lee, Dave Parnas) Electromagnetic Interference (Chuq Von Rospach) Crackers (Peter Reiher, Matt Bishop, Dave Dyer) [Note: There is some duplication among these contributions. Read lightly if that bothers you. I also note that we are in danger of degenerating into just a Security Forum, although clearly that is an important part of RISKS. PGN] Summary of Groundrules: The RISKS Forum is a moderated digest. To be distributed, submissions should be relevant to the topic, technically sound, objective, in good taste, and coherent. Others will be rejected. Diversity of viewpoints is welcome. Please try to avoid repetition of earlier discussions. (Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA) (FTP Vol 1 : Issue n from SRI-CSL:RISKS-1.n) ---------------------------------------------------------------------- Date: Mon 9 Dec 85 14:57:40-EST From: Mark S. Day Subject: Viruses and Worms To: RISKS@SRI-CSL.ARPA Hysterical panic about viruses in programs is at least as annoying as the more common complacent stupor about risks from computers. The author of RISKS-1.27 seems to be dead set on Software Apocalypse Now. We swing from viruses in software to unencrypted data links on bank machines to teen-aged kids cracking systems. Also, the usual screams of "mad genius hackers playing sick games" can be heard... sigh, programmers are so misunderstood... The discussion about viruses is actually sort of interesting, the others fall into the category of "there are fixes which have a certain cost; you have to decide whether it's worthwhile." Encryption and tighter security systems raise the cost of the system and also raise the cost of breaking the system. The question is, for the data and functions being provided, what is an appropriate level of protection? I'm not going to panic because many bicycles have cheap locks or no locks; some bikes aren't worth stealing, and in some areas there's relatively little theft of bicycles. If I have data worth protecting, I should be prepared to protect it. I will agree that far too few people are aware of the hazards or of what they can do to protect themselves, but that is far from saying that I want to pay for security I don't need. On viruses, etc.: it is certainly the case that you only want software which is written by people you trust (and ENTIRELY by people you trust -- see Ken Thompson's Turing Award Lecture for a further discussion of this). But is that different from needing to have bookkeepers and treasurers that you trust in order to avoid embezzlement? If bankers and national security types don't take steps to ensure that they have good software, then they certainly have a problem, but not a hopeless one. There have been previous proposals to have independent "software certification agencies" to ensure software quality, but I don't know if they would really be able to solve this problem. The "solitary programmer" mentality is at least partly to blame for things like "unauthorized worms" -- if people expect to have their code read by others, who may question the reasons for doing certain things, it becomes enormously harder to conceal unauthorized features (unless the programmer can convince the inspector(s) to join in a conspiracy). I am still surprised at how many companies do not ask programmers to read each other's code. Quite apart from security worries, having inspections or walkthroughs seems to sharply improve maintainability and finds a number of bugs and design flaws. I have little or no sympathy for people who illegally copy a program and then find one day that it's trashed their data. Serves 'em right. --Mark P.S. The term "worm" was not coined in a Scientific American column. I believe John Brunner used it in his novel The Shockwave Rider and Shoch and Hupp picked up the term for a paper in Communications of the ACM. It may have been used earlier than that; I don't know. ------------------------------ Date: Mon, 09 Dec 85 08:56:27 EST From: Aaron M. Ellison To: risks@sri-csl.ARPA Subject: viruses, worms and history Regarding Neal Macklin's "expose" of virus technology, I would only add that the idea is not at all new. John Brunner, a well-known speculative fiction writer, wrote a novel called "Shockwave Rider" over 10 years ago(!) predicting the blackmailing of a then corrupt U.S. government by a morally-upright computer hacker. Although I share Neal's concerns, I am not at all convinced (even as a credit-card and ATM-card-carrying young and aspiring academic) that under certain circumstances, the collapse of the fractional reserve system, the banking system, and the credit markets would be an awful event. Sure there would be chaos, but who knows what could arise from the rubble. ...I would add that reading Shockwave Rider when I was in high school prompted me to learn about computers, and although I have not the competence to develop tapeworms and viruses, if it's just now getting out to the "hacker world" that viruses exist, you can bet that the NSA may already have developed one (pardon the paranoia). Aaron Ellison Graduate Program in Ecology & Evolutionary Biology Brown University Providence, Rhode Island 02912 ------------------------------ Date: Sat, 7 Dec 85 22:25 EST From: TMPLee@DOCKMASTER.ARPA Subject: [The Worm Turns in His Gravy?] To: Neumann@SRI-CSL.ARPA [adapted for RISKS] I suppose it would be nice to tell the original author of the long issue about viruses, etc., that there ARE technical solutions, although not necessarily within his lifetime if he's using IBM systems, which most financial institutions do ... Ted Lee ------------------------------ Date: Mon, 9 Dec 85 07:23:03 pst From: vax-populi!dparnas@nrl-css.arpa (Dave Parnas) To: nrl-css!RISKS@SRI-CSL.ARPA Subject: Re: RISKS-1.27 Cc: nrl-css!neumann@SRI-CSL.ARPA Peter, Risks is supposed to be a digest. The huge article that just ate up my time like worm could have been digested and the summary put in a few lines. Worms have their place. Eating up stories like that one is one of their good uses. Worms digest waste. Dave [and I got THREE copies of Dave's message. Oh, well. PGN] ------------------------------ Date: Thu, 5 Dec 85 08:29:09 pst From: sun!plaid!chuq@ucbvax.berkeley.edu (Chuq Von Rospach) To: risks@sri-csl.arpa Subject: Electromagnetic Interference I was listening to a radio station the other day whose studio is on the San Francisco Bay. In the early afternoon, the station started getting a re-occuring noise over the air that sounded vaguely like a burp, which distracted the DJ no end. It turned out after investigation by their engineers that it was being caused by a Navy Aircraft Carrier that had just entered the bay on the way to Alameda. Every time the radar pointed at the studio, it caused the stations electronics to go bonkers (that's a powerful radar...). I wonder what other electronics those things would interfere with? chuq [Perhaps the squawks were emitted by a carrier pitch-in? PGN] ------------------------------ Date: Wed, 4 Dec 85 22:30:33 PST From: Peter Reiher To: risks@sri-csl.arpa Subject: crackers I imagine you will have numerous postings making the following point, but, if you don't, someone should say it. > Thomas Cox writes: >1. no password-protected system is EVER likely to be broken into by so-called > hackers. They can sit and guess, just like they can try and guess the > combination to my bike lock. I'm not worried about it. This all depends on how loosely you define "stealing a password". Does a person who hangs around your printer room, picking up loose header sheets with people's account names and real-world names on them stealing passwords? Someone who does so can break into many systems, as many people will choose passwords equal to their login ids or first or last names. If the person communicated with people via email at your site, or was able to guess what their login id is (not a hard job in many places), then the same vulnerability exists. The problem is exacerbated if the cracker can get access to a list of your users. On most UNIX systems, once he is in at all, this is trivial. [Not to mention the fact that passwords are usually transmitted unencrypted within local nets and externally as well... PGN] In fact, barring fairly stringent rules on password choices, and/or physical security preventing intruders from accessing terminals (and, possibly, modem features to discourage brute force guessing), most computer systems can be broken into once a few user ids are known, provided the cracker has the modicum of expertise and equipment necessary to write a program to test all dictionary words against the user ids' passwords. The recent Bell Systems Technical Journal issue on UNIX had a discouraging article on how easy it is to break into the majority of UNIX systems, given a list of user ids, testing only twenty or forty possible passwords per user id. Perhaps you don't consider a lax password system a password system at all, but, barring that, your statement is demonstrably false. Peter Reiher reiher@LOCUS.UCLA.EDU {...ihnp4,ucbvax,sdcrdcf}!ucla-cs!reiher [Unfortunately, discussions of the risks of relying on passwords need to held over and over again. If you have not thought deeply or been burned, it is too easy to be naive. The sophisticated crackers -- as opposed to the simplistic ones -- find very few boundaries they cannot get through (or go around). PGN] ------------------------------ Date: 5 Dec 1985 0959-PST (Thursday) From: Matt Bishop To: risks@sri-csl.ARPA Subject: Re: Hackers (aka "Head in the Sand") I think Thomas Cox's article ("Hackers", Risks V1N26) is optimistic in the extreme: > 1. no password-protected system is EVER likely to be broken into by so-called > hackers. They can sit and guess, just like they can try and guess the > combination to my bike lock. I'm not worried about it. Sorry, but I am. When you say "password-protected", I interpret that to mean the user setting his or her password to anything other than the site/manufacturer default. Turns out a lot of people set it to their name, login, spouse's name, etc. (See Morris and Thompson, "Password Security: A Case History", CACM 22(11), pp.594-597 (Nov. 1979) for more information about this claim.) If you know anything about the system you're attacking, such as whose account you're trying to get into, this makes the account rather a sitting duck. So I'd disagree with your statement above. Of course, if you mean something else by "password-protected", could you be more explicit? My opinion could very well be inapplicable ... (Incidentally, bear in mind the "bike" is worth maybe a half million, considering the information stored on it, so if you just trust the "lock", and don't take off a wheel, you're inviting trouble ...) Matt ------------------------------ Date: 8 Dec 1985 14:21:50 PST Subject: Hackers' guessing passwords From: Dave Dyer To: risks@SRI-CSL.ARPA In Response to Thomas Cox in Risks 1.26: "1. no password-protected system is EVER likely to be broken into by so-called hackers. They can sit and guess, just like they can try and guess the combination to my bike lock. I'm not worried about it." This is patently untrue. I have personally guessed passwords on several occasions; It isn't even hard unless you want some particular password. One of the recent, widely publicised "hacker" cases involved exactly what you say is impossible; the perpetrator was merely making a sport of guessing passwords, and changing them as a warning to the account owner. In addition to guessing, there are multitudes of ruses to obtain passwords, some technical, but many simply exploiting human weaknesses. It is certainly true that "unguessable" passwords exist, but any enforced mechanism for assuring unguessable passwords will also be regarded as "unrememberable", and therefore more vulnerable to non-guessing methods. ------------------------------ Date: Mon 9 Dec 85 15:52:42-PST From: Peter G. Neumann Subject: Hackers, Crackers, and Snackers To: RISKS@SRI-CSL.ARPA I received an anonymous phone call this morning from someone who felt inspired by the last two issues of RISKS to relate some experiences he/she had had while working for the Texas Commerce bank. Apparently the computer maintenance staff had fun with the wire-transfer programs, using passwords that had been taped under a desk. They would randomly transfer various amounts ($100,000 was mentioned as typical) from one account to anothe, just for kicks. They were astounded that no one every caught on, and the passwords were never changed. When I asked whether all such transactions had been reversed, the answer was probably yes. ------------------------------ End of RISKS-FORUM Digest ************************ -------