Subject: RISKS DIGEST 10.70 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Tuesday 18 December 1990 Volume 10 : Issue 70 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Telephone Voting (Bill Murray) Voting Technology (William W. Plummer) Re: Hacked NASA phones (Barton Christopher Massey) Re: "Legion of Doom" (Irving Wolfe, Mike Black) Computer Virus as Military/Political Weapon? (Sanford Sherizen) Request for Info on Undergraduate Computer Security Classes (Al Arsenault) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. FTP VOL i ISSUE j: ftp CRVAX.sri.comlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j; j is TWO digits. Vol summaries in risks-i.00 (j=0); "dir risks-*.*" gives directory; bye logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Sat, 8 Dec 90 16:23 EST From: WHMurray.Catwalk@DOCKMASTER.NCSC.MIL Subject: Telephone Voting >One risk that I don't think I saw mentioned in the discussion of >"Dial-A-Vote" systems relates to the identity of voters. To the contrary, it has been dealt with ad nauseam, usually erroneously. >Such a system, by definition, would need to know the identity of each caller >to check registration and avoid duplications. This statement is patently false. While an identity-based system would be one way to accomplish these objectives, a voucher system would serve just as well. Such voucher systems are well described in the literature, but the same issue of RISKS which carried the above assertion, contained two descriptions of such systems for voting by mail. The problem of disassociating the vote from its origin, i.e. location of the phone, is much more resistant to solution. All voting systems are subject to abuse, not the least are those systems currently in use. All voting systems have some problems of equity. In many of our current systems, these problems were deliberately engineered in for political motives. These problems resist solution precisely because any change will shift the political balance, however slightly. To the extent that we can move to systems that are more secure, more equitable, and more economic, we should do so. Such systems clearly exist. My personal preference is for more equity. While I have difficulty in believing that any new system can be any more subject to abuse than most of those in use, I would be prepared to sacrifice some security for more equity, as long as the lower security would not result in a loss of confidence in the results. Any new systems and the move to them will be fraught with problems. Much dialogue will have to precede any such moves. However, over-stating the problems of the new systems, preferring the faults of the old ones, and pandering to the fears of the ignorant are not productive. William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769 ------------------------------ Date: Mon, 17 Dec 1990 14:09:59 EST From: "William W. Plummer" Subject: Voting Technology I would like to propose a new voting system that will benefit from electronic and/or cryptographic techniques. Before going too public with this, I hope to get additional suggestions and pitfall information from you readers. The voting system that I would like to see simply weights your vote by the number of tax dollars that you pay. We have often heard that the super wealthy use tax loopholes to lower their tax to zero while manipulating laws to make this possible. On the other end of the scale, the poor are accused of using tax supported services far in excess of their tax payments; the poor tend to vote for candidates that promise to keep up the handouts. Of course, it is the middle income people that support all of this. So, my scheme has the appropriate negative feedback built into it. A major problem with the system is that it require a constitutional amendment. In other words we would no longer have "One man, one vote." But I argue that the Constitution was written before income tax and local taxes etc. In a sense everybody was taxed equally back then. All this new system does is to restore the equality of the voting power. Implementing this system is tricky unless you want to trust "the government" to correctly credit your voting power. I think the ability to check one's own account is desired, but you really don't want it to become public knowledge; worse than busybodies and neighbors would the the targeted marketing concerns and the politicians spending their resources where the voting power is. So, a secret ballot is still a must. The ballot must be unforgeable and not modifiable. One idea that is almost right is to use public key crypto technology. The IRS would issue voting stickers which have the number of votes encrypted such that only the vote counters could read them. I would use my stickers by sticking them to a paper ballot; they could not be removed without destroying them. This fails because I cannot check that the sticker is worth the number of votes that I think it should be. Making the stickers have duplicate information, one that the vote counters can read and one that I can read, is also almost right. It's a little impractical since it requires that I keep a decryption key around so that I can decode my half of the sticker. So, everybody has to be assigned a key and everybody has to avoid losing it. Does anybody out there know how to do this? Thanks. William W. Plummer Work: 508-967-4870 plummer@wang.com Home: 508-256-9570 ------------------------------ Date: Mon, 10 Dec 90 23:51:56 GMT From: bart@cs.uoregon.edu (Barton Christopher Massey) Subject: Re: Hacked NASA phones (RISKS-10.65) > [...] computer intruders have stolen some $12 million in free telephone > service through Johnson Space Center... That figure was calculated from costs > of similar break-ins described by law enforcement agents specializing in > computer crime. There *must* be some kind of mistake or error here, right? Imagine this principle applied to better-understood areas of criminal jurisprudence: "Little Johnny Nogood has stolen some $2000 worth of goods from the corner store today... That figure was calculated from costs of similar thefts described by law enforcement agents specializing in shoplifting." Right. The whole thing is especially ludicrous in light of NASA's recent report that their whole yearly phone bill is only on the order of $12 million... The computer-related risk, IMHO, is that because the law-enforcement community doesn't understand computer crime, it may be made to seem much more harmful to its victims and to society than it actually is, and resources that would be better spent elsewhere will be devoted to stopping it. This risk is especially severe in light of the "computer crime experts" who have made a name for themselves because of the imputed significance of these kinds of cases, and thus have a vested interest in exaggerating their significance. Bart Massey ------------------------------ Date: 9 Dec 90 18:26:16 GMT From: irv@happym.wa.com (Irving Wolfe) Subject: Re: Response to article on "Legion of Doom" sentencing (RISKS-10.65) I, too, am opposed to uninvited access to others' computers. In RISKS-10.65, we have >Sorry. I don't buy it. If I leave my keys in my car with the windows open, >and you get in and drive off, you're still just as guilty of stealing the car That is true. But it is also a crime in some states for you to have left the keys in the car. It is written in many insurance contracts, too, that the insurer will not have to pay you if you have encouraged the theft in this way. Thus, in this other area of life that you drew an analogy to, your "asking for trouble" by making it easy and attractive does indeed reduce or eliminate your protection under the law or constitute a punishable minor crime itself. > [several posters drew analogies to the crime of "breaking and entering"] Breaking and entering is a crime that has two parts: "breaking" and "entering." If you leave your front door ajar, one need not "break" to "enter." If a company leaves the door to its office ajar, it cannot accuse an outsider found walking down its hallway (doing no harm) of any crime, it can only tell him to leave. Since people here seem so fond of analogies, I'll suggest that to the extent that a company leaves the door to its computer system ajar, the breaking and entering analogy fails, and the mere entry of an outsider would not constitute a crime. These analogies are silly. If we are to have a law in this area, it should be simple: Attempting to log into a computer system or otherwise access it without having been explicitly invited should be a crime whether or not the attempt succeeds and whether or not any damage was done. Probably using a normally-public area like an ftp or anonymous uucp directory should be explicitly excepted, as should a small number of attempts to log into a system accidentally, provided no hacker-type activities (systematically guessing passwords, taking advantage of system defects to gain privileged access, etc.) were involved. But if this is to be a crime, it is fundamentally unrelated to old-time crimes like breaking and entering or car theft. We are making it a crime because we'd like to discourage it, not because there's a clear moral issue or any harm being done. There may or may not be. The law is for our convenience, and has no moral side, and the violator is not to be punished for his evil character, but merely for having violated a well-known law carrying a well-known penalty. irv@happym.wa.com (Irving_Wolfe) Happy Man Corp. 206/463-9399 ext.101 4410 SW Point Robinson Road, Vashon Island, WA 98070-7399 fax ext.116 SOLID VALUE, the investment letter for Benj. Graham's intelligent investors Information free (sample $20 check or credit card): email patty@happym.wa.com ------------------------------ Date: 9 Dec 90 13:18:40 GMT From: black@seismo.CSS.GOV (Mike Black) Subject: Re: Legion of Doom (RISKS-10.67) In the discussions of the Legion of Doom a few points are raised but not taken to fruition seeing as how we are talking about a new technology (relatively new that is). Allow me to paraphrase: 1. "The company left its' doors open and that was a criminal act...". Response: "Leaving your garage door unlocked isn't". Having a phone line into your company is definitely not a criminal act. However, if you leave a pile of money on the street and someone steals it, there isn't a judge in the world who would convict because you did something a reasonable person wouldn't have done. The problem crops up when you come with a new technology that has inherent risks. What the heck is a reasonable person...the two guys that invented it? On hacking, we have a case where technology allows extremely easy access to computers over phone lines. The fact that a company uses this technology does not relieve it of responsibility to behave as reasonable persons. The problem is that the hackers are perceived as a bunch of teenage hoods and they do not suffer from this technology. If every time one of them called they got electrocuted, I assure you that the company would be held liable. 2. "Leaving my keys in my car is not...". In most states, leaving the keys in your car is definitely considered criminal as you are inviting a crime. Doesn't then hooking an easy access phone line also invite a crime? 3. "We are in business to do business...". True, but businesses have a responsibility to society to ensure their business does not invite criminal behaviour. 4. "We shouldn't have to spend time closing known holes...". If I talked to your security department they might disagree. If there are known holes, is management adequately apprised of the potential for business loss and have they made a knowledgeable decision to not close them, or do the system managers just say, "The boss wouldn't understand so I'm not going to tell him"? Companies devote massive resources to security and this hacking thing is a new threat. So is the idea that your competitor could get in and muck about too. It would seem that a business shouldn't have to spend a lot of time closing security holes opened by a product they bought, so me thinks I would complain LOUDLY to whomever supplied this product to close up the holes. 5. Finally, let's try and define a reasonable person on this matter: 1. When you hook-up a phone line to your computer, a reasonable person would expect to get calls from unauthorized users. 2. A reasonable person would not expect the simple userid/passwd to foil everyone, however the same person should expect that a concerted effort not be made to overcome it. i.e. If you have userid "root" with no password, that's unreasonable, most anything else migrates toward reasonableness. 3. A reasonable person would assume that one who finally got in would do most anything. I propose the following: 1. All dial-up's contain a warning about the penalties of unauthorized entry. (virtually none do, how 'bout a trespass warning people?) 2. Entry into such a system would be a misdemeanor. Retrieval of info would be the same. 3. Damage caused would upgrade eventually to a felony depending on lost business, time to recover, etc. The trick here is the need to prove the hacker was proximate cause to the damage beyond reasonable doubt. P.S. I personally do not support "hacking". : usenet: black@beno.CSS.GOV : land line: 407-494-5853 : I want a computer: : real home: Melbourne, FL : home line: 407-242-8619 : that does it all!: ------------------------------ Date: Mon, 17 Dec 90 22:11 GMT From: Sanford Sherizen <0003965782@mcimail.com> Subject: Computer Virus as Military/Political Weapon? I would like to gather any *hard* evidence that viruses have been used for political/military purposes. It is possible that the Jerusalem virus was first set off to commemorate a Palestinian event but has there been any way to verify this? Are there other viruses that have been specifically distributed or directed to harm a political foe? It is important to differentiate this type of attack from someone setting off a virus that contains a political statement but which is not directed against a particular target. I know that this differentiation is soft but I am trying to develop an appropriate categorization. Any help on this is appreciated. What got me thinking about this is my work on developing a model of computer crime trends and development stages. The current situation in the Persian Gulf made me wonder about the use of the virus as a political weapon. Is the virus a potential "small nation's weapon"? Can viruses become terrorist surrogates, disrupting an enemy nation without leaving direct fingerprints (strings?) traceable back to the ultimate sponsor? What roles could viruses play in future small scale intensive conflicts as well as major wars? Have viruses been considered in war scenarios that military commands have developed? The flap earlier this year about the availability of a small business contract to develop a virus for the U.S. military may well be part of a larger picture of computerized warfare joining other threats such as biological and chemical warfare. Comments can be posted to me on Risks or sent directly to me at MCI MAIL: SSHERIZEN (396-5782). This message has also been posted to Virus-L. Thanks, Sandy ------------------------------ Date: Thu, 13 Dec 90 13:47:46 MST From: Al Arsenault Subject: Request for Information about Undergraduate Computer Security Classes We are requesting information from any and all colleges about Computer Security courses offered as part of the undergraduate Computer Science program. This information is needed as part of a research project on teaching Computer Security. The goal is to produce a summary of available courses, to be included in a paper we are writing. The researchers involved are: Alfred Arsenault, Visiting Professor of Computer Science, and Captain Gregory White, Instructor of Computer Science, both at the U. S. Air Force Academy. Specifically, we are seeking answers to the following questions: (1) Does your school offer a course in Computer Security as part of its undergraduate Computer Science curriculum? If so, what is the title of that course? (2) If so, is the course required or an elective for Computer Science majors? (3) What textbook is being used, if any? (4) What are the prerequisites for the Computer Security course? (Please use descriptive titles, e.g., Operating Systems, rather than course numbers or designators.) (5) Is the course offered once a year, or every semester? (6) Approximately how many students typically enroll in the course? (7) If your institution does not offer an undergraduate Computer Security course, is there a particular reason? (e.g., no faculty interest in teaching such a course; not enough students interested in taking such a course; no room in the undergraduate Computer Science curriculum for another course) (8) Who is a point of contact that we can get in touch with if we need further information? As previously stated, we are requesting this information to assist us with a research effort on "Teaching Computer Security in an Undergraduate Computer Science Curriculum." The short-term goal is to develop reasonably accurate statistics about how many institutions offer Computer Security courses. Negative responses (i.e., 'my college does not offer a Computer Security course') are welcome. We would be happy to send summaries of the responses we receive to anyone who requests one. Please send responses to either: Alfred Arsenault: arsenaul@usafa.af.mil or AArsenault@Dockmaster.ncsc.mil Greg White: white@usafa.af.mil GWhite@Dockmaster.ncsc.mil If you have questions, or want more information, we can be reached on the net at the above addresses; by telephone at (719) 472-3590; or by U. S. Mail at Department of Computer Science HQ USAFA/DFCS U. S. A. F. Academy, CO 80840 ------------------------------ End of RISKS-FORUM Digest 10.70 ************************