Subject: RISKS DIGEST 10.66
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 7 December 1990  Volume 10 : Issue 66

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

  Contents:
COMPUTERS AT RISK: Safe Computing in the Information Age (Marjory Blumenthal)
COMPUTERS UNDER ATTACK (Peter Denning)
Re: ``Hackers Accessed NASA's Phones'' (Jerry Hollombe)
Responses to article on "Legion of Doom" sentencing 
  (Gary Cattarin, King Ables, Brinton Cooper, Mark E. Levy)

  The RISKS Forum is moderated.  Contributions should be relevant, sound, in 
  good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
  welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive 
  "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
  FTP VOL i ISSUE j:  ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
  CD RISKS:<CR>GET RISKS-i.j<CR>; j is TWO digits.  Vol summaries in 
  risks-i.00 (j=0); "dir risks-*.*<CR>" gives directory; bye logs out.
  ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
  Relevant contributions may appear in the RISKS section of regular issues
  of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Fri, 07 Dec 90 10:02:00 EDT 
From: Marjory Blumenthal <MBLUMENT@NAS.BITNET>
Subject: COMPUTERS AT RISK: Safe Computing in the Information Age

COMPUTERS AT RISK: Safe Computing in the Information Age
National Research Council, System Security Study Committee

Computers play a crucial role in virtually every facet of modern life in the
United States, from transportation safety to business and banking transactions
to health care.  Yet as computer systems become more prevalent, sophisticated
and interconnected, society becomes more vulnerable to poor system design,
accidents that disable systems, and computer viruses and other attacks on
computer systems.  The result may be economic disaster, threats to human life,
and compromise of confidential information held in computer databases.
Increased use of computer networks, as well as a general rise in computer
literacy, make it likely that the nation's computer security problems are just
beginning.  Computers at Risk, a new report from the Computer Science and
Telecommunications Board of the National Research Council, presents a
comprehensive agenda for developing nationwide policies and practices for
computer security. Specific recommendations are provided for industry and for
government agencies engaged in computer security activities.  The
recommendations are fully developed and wide ranging, addressing the roles of
specific agencies, expansion of current programs, cooperation between
government and industry, and more.  The volume outlines problems and
opportunities in computer security research, recommends ways to improve the
research infrastructure, and suggests topics for investigators.  Computer
system vulnerabilities are analyzed, and government security efforts are
evaluated.  Business executives, government security specialists, hardware and
software developers, system managers, researchers, educators, and computer
users will find this book vital to their understanding of computer security
issues.

CONTENTS:

Executive Summary

Overview and Recommendations: Computer System Security Concerns, Trends, The
Need to Respond, Toward a Planned Approach, Nature of Security, Putting the
Need for Secrecy into Perspective, Building on Existing Foundations,
Recommendations

Concepts of Information Security: Security Policies, Management Controls, Risks
and Vulnerabilities, Securing the Whole System

Technology to Achieve Secure Computer Systems: Specification vs.
Implementation, Models, Services, Trusted Computing Base, Communications

Programming Methodology: Programming Languages, Specifications, Formal
Specification and Verification, Hazard Analysis, Development Process,
Procurement, Scheduling, Education and Training, Management Concerns, What
Makes Secure Software Different, Recommended Approaches

Criteria to Evaluate Computer and Network Security: Security Evaluation
Criteria, Assurance Evaluation, Trade-offs in Grouping of Criteria, Comparing
National Criteria Sets, Reciprocity, System Certification vs. Product
Evaluation

Why the Security Market Has Not Worked Well: The Market for Trustworthy
Systems, Concerns of Vendors, Federal Government Influence, Export Controls,
Consumer Awareness, Regulation

The Need to Establish an Information Security Foundation: Attributes and
Functions, Other Organizations, Charter and Startup Considerations, History of
Government Involvement, Security Practitioners

Research Topics and Funding: A Proposed Agenda, Directions for Funding Security
Research

Bibliography, Appendixes, Glossary

ISBN 0-309-04388-3; 1990, 320 pages, 6 x 9, paperbound, $19.95

Please send me _____ copy(ies) of Computers at Risk: Safe
Computing in the Information Age.

I have enclosed a check for $_______.  Please bill my _____
MasterCard   _____ VISA   _____ American Express account.

    #__________________________________________   Expires _________________

    Signature__________________________________   Phone number ____________

Name ______________________________

Address ______________________________

City___________________________ State ______ Zip Code ______________
                                                      COUNTRY if not USA________
Quantity Discounts: 5-24 copies 15%, 25+ copies 25%

Return this form with your payment to NATIONAL ACADEMY PRESS, 2101 Constitution
Avenue, NW, Washington, DC 20418.  To order by phone using
VISA/MasterCard/American Express, call toll-free 1-800-624-6242, Monday-Friday,
8:30-5:00 EST. Call (202) 334-3313 in the Washington metropolitan area.  Price
applies only in the U.S., Canada, and Mexico and may be changed without notice.

   [I have received so many requests for this information yesterday and today
   that it seemed useful to include it in RISKS forthwith.  PGN]

------------------------------

Date: Thu, 6 Dec 90 15:00:32 PST 
From: Peter Denning <pjd@riacs.edu>
Subject: Computers Under Attack

   COMPUTERS UNDER ATTACK
   Intruders, Worms, and Viruses
   Edited by Peter J. Denning
   ACM Press and Addison-Wesley, 1990, 554pp
   $18.50 ACM members, $20.50 others

On behalf of ACM Press and the authors of the 38 articles brought together in
this edition, I am proud to announce that our book on the subject of attacks on
computers is now available.

This subject continues to receive ongoing attention in the national press --
for example, the recent discovery of $12M of toll fraud at the NASA Johnson
Space Center, Operation Sun Devil, an Esquire article about computer pirates
breaking in to the Bell System, and the recent splashy appearance of the NRC
report, "Computers at Risk".

The purpose of this book is to tell the story of attacks on computers in the
words of those who are making the story and who see the broad perspective in
which it is taking place.  We have painstakingly selected the articles and have
provided connective material to bring out the global context and show that the
problem is not purely technology, not purely people, but a product of the
interaction between people and computers in a growing worldwide network.

After and introduction and preface by me, the articles are arranged in six
parts.  Most of these have been previously published, but there are a few new
pieces specifically commissioned for this volume.

PART I: THE WORLDWIDE NETWORK OF COMPUTERS

   Worldnet and ARPANET by Denning, overview of networks by Quarterman,
reflections by Thompson, survey of computer insecurities by Witten.

PART II: INTRUDERS

   Reflections by Reid, Wily hacker story by Stoll, a followup commentary by
Mandel, and a business perspective by Wilkes.

PART III: WORMS

   Internet worm overview by Denning, perspectives on the Morris worm by MIT's
Rochlis et al, Purdue's Spafford, and Utah's Seeley, executive summary of
Cornell Report, Morris indictment and trial summary by Montz, original worm
paper by Shoch and Hupp.

PART IV: VIRUSES

   Virus overview by Denning, BRAIN and other virus operation by Highland,
virus primer by Spafford et al, viral protection in MS/DOS by Brothers, and a
perspective on viruses by Cohen.

PART V:  COUNTERCULTURES

   Computer property rights by Stallman, cyberspace literature by Paul Saffo, a
dialog on hacking and security by Dorothy Denning and Frank Drake.

PART VI:  SOCIAL, LEGAL, AND ETHICAL IMPLICATIONS

   A spectrum of commentaries: moral clarity and sending a signal by Denning,
global city by Morris, virus bills in congress by Crawford, GAO report summary,
legal issues by Samuelson and by Gemingani, computer emergency response by
Scherlis et al, ethics statements by various organizations, ACM President's
letters by Kocher, ACM forum letters, law and order for the PC by Director,
RISKS perspectives by Neumann, crimoids by Parker.

To order the book, run to your local bookstore or call ACM Press Order
Department.  For credit card orders only call    800-342-6626
or in Maryland and outside the continental US call    301-528-4261
and for mail orders ACM Order Department, P. O. Box 64145, Baltimore, MD 21264.
The price for ACM members is $18.50 and for nonmembers $20.50.
Shipping is extra unless you send a check to the order department.  BE SURE TO
INCLUDE YOUR ACM MEMBER NUMBER AND THE BOOK ORDER NUMBER (706900).

-----------------------------

Date: 7 Dec 90 17:23:55 GMT
From: hollombe@ttidca.tti.com (The Polymath)
Subject: ``Hackers Accessed NASA's Phones'' (Re: RISKS-10.65)

According to yesterday's news NASA has flatly denied the theft ever took
place.  Their spokesperson said their normal annual phone bill is about $3
million and it wasn't possible for someone to steal $12 million worth of
phone services from them (i.e.:  They'd be detected long before things got
that far out of hand).

Jerry Hollombe, M.A., CDP, Citicorp(+), 3100 Ocean Park Blvd., Santa Monica, CA
90405 (213) 450-9111, x2483  {csun | philabs | psivax}!ttidca!hollombe

------------------------------

Date: Fri, 7 Dec 90 10:42:30 est
From: Gary_Cattarin@dg_support.ceo
Subject: Response to article on "Legion of Doom" sentencing (RISKS-10.65)

CEO document contents<:
    
    The article that appeared in risks 10.65 from Emmanuel Goldstein of
    "2600" Magazine displays a callous immaturity to the realities of the
    business world.  I'm not going to quibble over the exact nature of the
    sentences handed out.  The clear point, and yes, the "message" that
    the authorities tried to get across (but was clearly lost on the
    author of that article) is that unauthorized access to someone else's
    computer is just plain wrong, no matter what was or was not done
    during that access.
    
    We've heard that point reiterated numerous times in this journal, and
    I'm sure the hackers of the world have heard it and usually discounted
    it, but let me put it in the vein of the realities of modern business.
    
    Mr. Goldstein, I don't know a thing about your magazine.  I don't know
    your organization's finances, staffing, etcetera, or if you even have
    any of them.  I don't know what you do for a living.  I do know that
    in my business, we are faced with an intensely competetive global
    marketplace in which we fight to survive.  We are faced with the
    realities of staff shortages compounded by further cuts.  We are faced
    with shortages of resources, yet we still must get the job, or it will
    mean the end of our jobs, and probably the end of the company as well.
    
    We would LOVE to have enough time to do everything perfect.  We'd LOVE
    to devise security systems that could foil you and your clan.  And we
    could probably come pretty damn near doing it; we've got some pretty
    good heads here - most likely some heads who have done their share of
    hacking as well.  But we can't dedicate that kind of time to staving
    off a bunch of obnoxious intruders, just as Bell South didn't.  Bell
    South dedicated their personel to doing the business they were
    involved in, as rightly they should.
    
    So what happens when you invade Bell South's, or my company's
    computer?  If you get in, just to prove you can, then tell us about it
    in light of your supposed "spirit of pointing out flaws that should be
    fixed", what has that gained you?  Giddy joy, I suppose, but not much
    else (picture the job interview:  "So, what are our technical
    qualifications?"  "Well, sir, I'm good.  I broke into 43 systems last
    year!").  What has it gained us?  OK, we know about a flaw.  You know
    what?  We probably already did.  Perhaps you don't realize it, but in
    the resource-short business world, we know about a LOT of flaws.  We'd
    LOVE to fix them all.  We're trying.  We just don't have the resources
    to get it done immediately.
    
    So that leaves the door that you found.  Now you'll spread word of
    your door via your hacker hotlines.  And though you may have meant no
    harm, others may follow, invading our system as if it were another
    town on the interstate to be driven through.
    
    But can you or we be sure that all who enter mean no harm?  Can you be
    sure that no bit was left untouched?  That's all it takes:  one bit,
    somewhere, modified, which, as readers of RISKS well know, can have
    monumental consequences.  The downing of an airliner.  A fatal safety
    flaw in a new car.  An accounting system rendered worthless.  These
    are major cases, but the minor ones are just as important, because
    once you've been invaded, you just don't know what the invader did.
    
    If you came home at night and found your front door unlocked, what do
    you know?  Sure, you may have left it unlocked.  But did anyone take
    advantage of that?  Did they take anything?  Damage anything?  Leave
    anything unwanted inside?  Steal the extra key?  Are they perhaps even
    in your home?
    
    Didn't you check to be sure that door was locked?  Maybe you did, but
    they came in through the window.  Didn't damage anything, but still,
    you don't know that?  OK, you checked the windows, but they came in
    through the skylight.  You checked those?  They found another way...
    
    You see, you can take care of all the obvious points of entry, but a
    intruder will find another point of entry.  The hacker's view is that
    since that other point of entry wasn't blocked off, the hacker is
    welcome in.  I don't think you'd agree if it were your home.
    
    So Bell South detected an intruder.  And they chose to pursue the
    intrusion.  How much did it cost them?  Was it simply the "value" of
    the document?  (How does one place a value on a document?)  Was it
    simply the cost of the personel who investigated?  Was it perhaps the
    business lost because they spent their time looking for the intruder
    instead of pursuing Bell South's normal business?  (Remember, Bell
    South is in business to make money, like it or not.  Your nation is
    build on that principle, that's why you can get food in your grocery
    store, unlike in Moscow.)  Was it the cost of implementing modified
    procedures company-wide to protect against the likes of you?  The cost
    of business lost because people company-wide spent time on these new
    procedures rather than pursuing their intended business?  How about
    the cost (real and lost opportunity) of the personnel involved in the
    legal case, not to mention the lawyers' fees?  You see, "cost" has a
    much more far reaching meaning than you attribute to it.  And nobody
    can really even tell how high the final figure is, but I'll assure
    you, it's astronomical.
    
    In business, we've got to spend our time and resources pursuing our
    business.  We just don't have the time, money, or resources to post
    guards to keep the likes of you out of every possible entry point.
    Until you understand that, the government is going to continue to try
    to send you this message.  Perhaps my treatise here will save you and
    your colleagues a few prison terms (pity the fact that I, as a
    taxpayer, have to support those folks in prison!).  More importantly,
    perhaps it will spare a few other companies the trouble that Bell
    South has experienced.

------------------------------

Date: Fri, 7 Dec 90 10:28:22 CST
From: ables@mcc.com (King Ables)
Subject: Response to article on "Legion of Doom" sentencing (RISKS-10.65)

I read your article on the sentencing of some "Legion of Doom" members that
was posted to comp.risks and feel compelled to make a couple of remarks.

I agree that this situation is one about which we, as a community of
programmers, should be concerned.  But the tone of panic seems meant to
persuade us emotionally rather than intellectually.

> This kind of a sentence sends a message all right. The message is that the
> legal system has no idea how to handle computer hacking.

This, unfortunately, is very true.  It is also the main reason we have the
problems you describe.  If the laws were written better (i.e. the issues
involved were better understood by those who write the laws) many of these
problems wouldn't exist.

> shared information which we now know was practically worthless. And they
> never profited in any way, except to gain knowledge. Yet they are being
> treated as if they were guilty of rape or manslaughter. Why is this?

Whether or not you profit from something has nothing to do with whether or not
it was a crime.  You don't profit from beating the hell out of some homeless
person in an alley, but it's still illegal.

They are being treated like criminals because they participated in a criminal
act.  If you don't believe the activity should be considered illegal, then work
to get the laws changed.  Right now-- today-- at this moment-- the acts are
illegal.  Whether or not they SHOULD be illegal is a completely separate
question.

> We think it's time concerned people sent a message of their own. Three young
> people are going to prison because a large company left its doors wide open
> and doesn't want to take any responsibility. That in itself is a criminal act.

Nope.  Three young people are going to prison because they broke the law.

If I walk into an unlocked jewelry store and take something, it is no less
a crime.  To say that the establishment deserved it because they left
themselves wide open for it is hardly a justification for the action.

> By blowing things way out of proportion because
> computers were involved, the government is telling us they really don't know
> what's going on or how to handle it. And that is a scary situation.

This is absolutely true.  And again, by participating and contributing our
knowledge to the process, we can help to modify the process so that it makes
more sense.  To simply sit back and scream "foul" isn't going to make it any
better.

This is not to say I believe the accused received appropriate punishment, I
don't.  But to claim they are innocent victims of the big, bad government is
not correct either.

King Ables, Micro Electronics and Computer Technology Corp., 3500 W. Balcones
Center Drive Austin, TX 78759    +1 512 338 3749

------------------------------

Date:     Fri, 7 Dec 90 13:39:23 EST
From: Brinton Cooper <abc@BRL.MIL>
Subject: Response to article on "Legion of Doom" sentencing (RISKS-10.65)

Emmanuel Goldstein, Editor, 2600 Magazine, quotes from his pub:

"...We consider this to be a very major and very frightening issue...  Since we
began publishing in 1984 we've pointed out cases of hackers being unfairly
prosecuted and victimized...just a desire to learn and share information...
Here we have a case where some curious people logged into a phone company's
computer system...No cases of damage to the system were ever attributed to
them...We think it's time concerned people sent a message of their own. Three
young people are going to prison because a large company left its doors wide
open and doesn't want to take any responsibility. That in itself is a criminal
act..."

	1. Leaving one's doors open is not a criminal act.  When was was anyone
ever prosecuted for failing to lock the garage door?

	2. Breaking and entering is a crime in most jurisdictions.  Sentences
of 14 to 21 months don't sound uncommon for breaking and entering.

	3. The general public has no inherent right to "information" owned by a
phone company, any other company, or private individuals, except as prescribed
by law...and even then, not always.  Breaking and entering someone's home in
order to listen to their stereo, read from their library, or peruse their
family's financial files is no one's right.

_BRINT

------------------------------

Date: Fri, 7 Dec 90 15:43:54 CST
From: levy%fndcd.dnet@fngate (Mark E. Levy)
Subject: Response to article on "Legion of Doom" sentencing (RISKS-10.65)

Emmanuel Goldstein, Editor, 2600 Magazine writes:

>... We think it's time concerned people sent a message of their own. Three young
>people are going to prison because a large company left its doors wide open and
>doesn't want to take any responsibility. That in itself is a criminal act. ...

Sorry.  I don't buy it.  If I leave my keys in my car with the windows open,
and you get in and drive off, you're still just as guilty of stealing the car
as if you had to break in and "hot wire" it.  I may have asked for it by
leaving the keys, but that's no excuse.

By the same token, you have no implied right to come into my house and "look
around" just because I left the door open.  It's no different with computers.
Irrespective of whether of not BellSouth "left the door open," if the three you
mentioned entered the system without permission, they're guilty.  That in
itself is enought to convict, any materials taken nonwithstanding.  Case
closed.  I have NO sympathy for them.

------------------------------

End of RISKS-FORUM Digest 10.66
************************