Subject: RISKS DIGEST 10.08
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 12 June 1990  Volume 10 : Issue 08

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Liz Taylor and ``secret codes'' (PGN)
  EEC `IT Security Evaluation Criteria' (Klaus Brunnstein)
  Re: A 320 article in Aeronautique (Francois Felix Ingrand)
  2600 magazine article (Arthur L. Rubin)
  Self-Replicating Bugs in Floppies (Warren M. McLaughlin)
  Caller ID neither necessary nor sufficient to prevent crank calls (ark)
  Whom Caller ID benefits and whom it does not (Peter da Silva)
  Re: egregious database and `voluntary' data submission (Bill Janssen)
  Egregious Database Already Exists (William M. Bumgarner)
  Re: Another egregious database (L.P. Levine)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
TO FTP VOL i ISSUE j:  ftp CRVAX.sri.com   login anonymous   AnyNonNullPW
  cd sys$user2:[risks]   GET RISKS-i.j  ; j is TWO digits.
Vol summaries in risks-i.00 (j=0); "dir risks-*.*" gets you directory listing
of back issues.
ALL CONTRIBUTIONS ARE CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.

----------------------------------------------------------------------

Date: Tue, 12 Jun 1990 8:41:48 PDT
From: "Peter G. Neumann"
Subject: Liz Taylor and ``secret codes''

A woman identifying herself as Lisa Flowers used the secret code for Liz
Taylor's answering service to set herself up as a cryptopublicist, returning
telephone calls and giving out bogus interviews.  She told reporters about a
fabricated relationship with a 23-year-old Detroit man, Julian Lee Hobbs, and
gave out false medical reports.  The hoax included intercepting requests from
UPI and AP for confirmation of earlier (phony) information, and providing
confirmation!  So much for "secret" codes.  [Source: San Francisco Chronicle,
12 June 1990, p. 2]

------------------------------

Date: 09 Jun 90 13:27 GMT+0100
From: Klaus Brunnstein
Subject: EEC `IT Security Evaluation Criteria'

This week, EEC sent the draft of the 'harmonized' Information Technology
Security Criteria (ITSEC) to some people (I don't know the address list) for
comment.  Based on the German `Green Book', an expert group with French,
German, Dutch and English contribution prepared a (greyly-white covered)
booklet of 125 pages covering (after a short introduction: (1) scope) the
functionality (2) and the assurance of correctness (3: 55 pages) as well as
the assurance of effectiveness (4).

The functionality chapter (2) refers, among others, to the Green Book's
functionality classes F1..F5 (derived from Orange Book) and F6..F10 (adding
availability and integrity of systems and networks to the well-known Orange
Book functionality).  The assurance part (3) elaborates the Green Book's
quality Q0..Q7 into the more detailed `levels' E1..E6 (from 'inadequate
assurance' = E0, equivalent to Orange Book 'D', towards E6 where correctness
is formally proven (essentially A1, but not `beyond A1'!)); as in Orange Book
and Green Book, each higher level encompasses the lower ones.  For each level,
specific features must be evaluated for the (4) 'phases' of the development
process as well as for different `aspects' of the system and user
documentation.  Moreover, the effectiveness of the assured features is roughly
described under aspects such as: suitability, binding of functionality,
strength of mechanism, assessment of vulnerability (construction, operation),
or ease of use.

EEC plans a conference in Brussels to happen on September 25-26, 1990.
According to their letter, they welcome critical comments (if received by
July 6th) which might be discussed in this conference.

Klaus Brunnstein
University of Hamburg

PS: based on our analysis of the benefits and shortcomings of `Trusted
Computer Evaluation Criteria' which we contributed to the IFIP SEC'90
conference, recently in Helsinki, I plan to analyse this new Criteria catalog
in more detail.  I would strongly appreciate any critical comments, as well on
our paper on 'Risk Analysis of Trusted Computer Systems' (which I e-mail upon
request) as on the above draft.

   [The copy I have says that Der Bundesminister des Innern, Bonn, West
   Germany (Minister of the Interior) is der Herausgeber, so presumably
   copies can be obtained from there or from the other three governments.
   The ITSEC is a very deft merging of the earlier German criteria and the
   British claims language.  PGN]

------------------------------

Date: 8 Jun 90 22:46:13 GMT
From: felix@AI.sri.com (Francois Felix INGRAND)
Subject: Re: A 320 article in Aeronautique (Atkielski, RISKS-10.05)

> Minor erratum: This article actually appears in the "Aeronautique"
> section of the French science magazine "Science & Vie,"

In France, "Sciences et Vie" is considered as the "National Enquirer" of
"Sciences"...  Most of their articles do not have the scientific seriousness
you expect from a scientific publication.

Francois Felix INGRAND
SRI International, AIC
"Read my Lisp... No new syntax" (nil)

------------------------------

Date: Fri, 8 Jun 90 23:17:39 PDT
From: arthur@pnet01.cts.com (Arthur L. Rubin)
Subject: 2600 magazine article

I posted the 2600 magazine excerpts on some local BBSs, and I have the
following comment from a user and sysop:

What does the entire 911/Steve Jackson Games escapade tell us?  Well, it's
not all that new that the government (like most such things) requires careful
watching, and I'm not too happy about how the last I'd heard, an agent had
told SJ games they wouldn't get all of their hardware back, even though no
charges had been filed (can you say legalized thievery boys and girls?  I knew
you could.)

But the main thing that moves me to write this missive is the indications
from the published article that the authors, and thus quite likely also the
party responsible for copying that document and circulating it still do not
quite understand what the individual responsible did.  Accordingly, and in
the hopes that if this circulates widely enough he or she will see it, the
following message:

OK - all you did was get into Bell South's computer system (mostly proving
that their security sucks rocks) to prove what a hotshot hacker you were,
then made a copy of something harmless to prove it.  Sheer innocence; nothing
to get upset about, right?

Bull****, my friend.  Want to know what you did wrong?  Well, for starters,
you scared the US Government and pointed it in the direction of computer
hobbyists.  There are enough control freaks in the government casting wary
eyes on free enterprises like BBS systems without you having to give them
ammunition like that.  Bad move, friend, bad move.

You see, the fact that you didn't damage anything, and only took a file that
would do no harm to Bell South OR the 911 system if it were spread all over
the country is beside the point.  What really counts is what you COULD have
done.  You know that you only took one file; Bell South only knows that one
file from their system turned up all over the place.  What else might have
been taken from the same system, without their happening to see it?  You know
that you didn't damage their system (you THINK that you didn't damage their
system); all Bell South knows is that somebody got into the system to swipe
that file, and could have done any number of much nastier things.

Result - the entire computer you took that file from and its contents are
compromised, and possibly anything else that was connected with that computer
(we know it can be dialed into from another computer - that's how you got on,
after all!) is also compromised.  And all of it has now got to be checked.
Even if it's just a batch of text files never used on the 911 system itself,
they all have to be investigated for modifications or deletions.  Heck - just
bringing it down and reloading from backup from before you got in (if they
KNOW when you got in) even if no new things were added since would take a lot
of time.  If this is the sort of thing that $79,449 referred to I think they
were underestimating.

You cost somebody a lot of time/money; you almost cost Steve Jackson Games
their existence; you got several folks arrested for receiving stolen goods (in
essence); you endangered a lot of bulletin boards and maybe even BBS nets in
general.  Please find some other way to prove how great you are, OK?

--Crystalsword

Arthur L. Rubin, PO Box 9245, Brea, CA 92622  (work) (714)961-3771

------------------------------

Date: Sat, 9 Jun 90 17:12 EDT
From: "Warren M. McLaughlin"
Subject: Self-Replicating Bugs in Floppies

This is a personal report, eye-witnesses are available.

On Thursday, 7 June 1990, at about 1500 hrs EDT, it was conclusively
demonstrated that it is possible for self-replicating bugs to replicate
themselves in floppies (5-1/4" DSDD) _outside_ of a computer!

There is a stash of scratch disks, in boxes, on top of a file cabinet next to
my desk.  Mostly, they are old backups awaiting degaussing and reformatting.
At the back of the row of six or seven boxes, I found an open box of disks,
with nine new, never-used disks.  This minor treasure would have come in handy
if I hadn't noticed visible evidence of the self-replication (and defecation)
of the bugs, commonly known as "cockroaches".

A cursory examination, conducted after dropping the box in the trash bag,
revealed at least five live beasties.  Droppings/eggs everywhere in the box.
I checked each disk envelope, and found spoor in all nine.  Witnesses were
drawn to the scene like flies... er, spectators.  There was a certain amount
of noise associated with the discovery, and the air in my cubicle is reported
by some to have turned blue.  This may be an exaggeration.

The droppings/eggs seemed large enough to have caused a head crash.  I have
enough bits loose in my PCs without adding more.  I checked every other box,
and found no evidence of infestation.  Three of the boxes came from the same
carton as the infested box.  I will not report the name of the manufacturer,
as it does not seem important.

TechReps of several computer manufacturers have told me that "tower" style
cases regularly attract cockroaches.  They are thought to come in for warmth,
or to eat the lacquer used on certain components.  Incidentally, _real_
lacquer is the processed shells of the lac beetle, which is remarkably like a
cockroach in appearance.  (_cannibalistic self-replicating bugs?)

This may be yet another Risk of computing - or another Risk of working in an
old five-sided building on the west side of the Potomac.

[Disclaimer: The views herein are mine of this fleeting moment, and neither
represent my views upon considered reflection, nor those of the Department of
the Navy, nor any component of the Department.]

- Mike
W. M. McLaughlin, Computer Security Coordinator, SECNAV/DONIRM(C2)
Washington, DC 20350-1000

------------------------------

Date: Sat, 9 Jun 90 13:20:02 EDT
From: ark@research.att.com
Subject: Caller ID neither necessary nor sufficient to prevent crank calls

The people who claim Caller ID is useful for preventing crank calls are
somewhere between misguided and dishonest.  Consider: do you *never* receive
a call from someone you know from a phone number you don't recognize?  Have
you *never* had a friend call you from a pay phone?  Of course not!  So that
means that a general strategy of refusing to answer calls from unknown sources
will cut you off from some calls you would have wanted to receive.

Suppose, then, that you answer all calls.  You are assured of getting a crank
call from time to time.  Why doesn't Caller ID avert that by making it known
to the caller that you will identify the source?  It does, of course, but it's
much more than you need for that purpose.  For example, the following facility
has been available in my calling area for some time: if after receiving a call
I hang up, pick up the phone again, and dial *51, then a copy of the identity
of the last call I received will be logged in the central office and I will be
charged $1.00.  I can then call the police and tell them that I received a
crank call that was recorded in the central office.  They can find out who
called and act appropriately.

So: even if I have Caller ID, I cannot avoid crank calls unless I also cut
myself off from some legitimate calls.  Once I have received a crank call, I
can report the origin to the authorities even without Caller ID.  How, then,
is Caller ID useful for that purpose?

------------------------------

Date: Sun Jun 10 10:34:19 1990
From: peter@ficc.UUCP
From: peter@ficc.ferranti.com (Peter da Silva)
Subject: Re: Whom Caller ID benefits and whom it does not

> As far as residential phone users are concerned, Caller ID is not much
> better than receiving anonymous calls.

[ the message goes on to bring up "member of family at phone booth"
considerations. ]

I take it you have never been the target of telephone harassment.  I have.
It's not a lot of fun, but unless it goes on for a long time it's just not
possible to get the authorities to do anything about it.

I have been called by my wife's ex-boyfriend (from his place of work!), by
some bozo who three-way-called me to a third party, and by someone who calls
and hangs up, we assume to call-wait my wife off a chat system (not knowing we
have another line for the modem).  In all of these cases caller-ID would be a
deterrent, a channel of recourse, or a signal to ignore that call.

Even when you know the harasser, there's not much you can do currently: when I
called the ex back at work, he convinced his boss that *I* was harassing *him*
(he'd called dozens of times... I'd called back once, then again when he hung
up).  If I'd had Caller-ID I could have just ignored calls from that number
(the numbers handy to his place of work would have become quickly obvious).

In none of these cases was SWBell at all interested.  In all of these cases
Caller-ID would let me stop it in the bud.  Calls from pay-phones just
wouldn't have been possible for any of them (pay-phones don't have 3-way
calling, and in the other two cases the opportunity wouldn't arise).

No system is perfect, but I'm not going to leave my door unlocked just because
someone is capable of breaking a window.  Making casual harassment less
convenient is by itself a good thing.

Peter da Silva.  +1 713 274 5180.

------------------------------

Date: 12 Jun 90 10:41:39 GMT
Sender: news@laas.laas.fr
Reply-To: ralph@laas.fr (Ralph P. Sobek)
Subject: Re: Risks of Laser Printouts (RISKS-9.89,91,92)

(Simson L. Garfinkel) writes:
| Not very surprising, considering that laser printers pump out gobs of ozone.

This is the first good news that I've heard!!  With more and more laser
printers we will be able to reverse the ozone destruction caused by all those
CFCs floating around.  :-)

Can anyone quantify that figure: gobs?

Ralph P. Sobek

------------------------------

Date: Fri, 8 Jun 90 16:19:21 PDT
From:
Subject: Re: egregious database -- risks of `voluntary' data submission

In RISKS DIGEST 10.07, Edwin Wiles comments that the `egregious database' is
less troublesome because of the voluntary nature of data submission.  This
ignores the risks of bureaucratization, in which the fact that one has not
`voluntarily' submitted data to a database is held against one.  (There is
also the risk of inexperience, in that a student may not appreciate the
consequences of putting personal data in such a database, but this should
always be considered.)

Bill

------------------------------

Date: Mon, 11 Jun 90 01:51:56 -0400 (EDT)
From: "William M. Bumgarner"
Subject: Egregious Database ALREADY EXISTS

In the Columbia Public Schools, of Columbia, Missouri, such a system has been
installed in the last few years-- it can keep track of basically _everything_
that can be recorded textually that has happened during a student's K-12
academic career.  Not only grades, but personality profiles, any comments by
teachers, and just about anything that is even remotely associated with
'school' -- including incidences that don't appear on the 'permanent' record
and incidences involving the police.

Apparently, the goal is to be able to track a student through the public
education system and then store that data permanently ... and it is all at
the fingertips (though, at many different security levels, of various random
secretaries, counselors, etc.)...

b.bumgarner, NeXT Campus Consultant

------------------------------

Date: Sun, 10 Jun 90 12:55:23 CDT
From: Prof. L. P. Levine
Subject: RE: Another egregious database (Wiles, RISKS-10.07)

In Risks 10.07 Edwin Wiles, NetExpress, Inc., misses the point entirely.  He
seems pleased that the system is voluntary [...]  But the next part of the
quote is missing.  Reading it from Risks 10.05 we see:

>> The absence of criteria like punctuality might be noticed, however,
>> just as vital information omitted from a resume would be, he adds.

and means that leaving out such information is itself a negative mark on the
potential employee.

I have students RIGHT NOW who are peeing in bottles (voluntarily) in order to
get jobs.  Of course they do not take drugs, of course they are doing it
voluntarily, of course they want the job.  They do it.

Voluntary release of your civil rights is not protection.  The argument that
you have nothing to fear from this abuse of your rights if you are not guilty
never washes.  It is always just plain wrong.  Nobody expects the Spanish
Inquisition, but this is the way it begins.

Leonard P. Levine, Professor, Computer Science, U. of Wisconsin-Milwaukee
Milwaukee, WI 53201 U.S.A.

------------------------------

End of RISKS-FORUM Digest 10.08
************************