Subject: RISKS DIGEST 10.78
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 22 January 1991  Volume 10 : Issue 78

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***NOTE: SOME MAIL TO RISKS WAS APPARENTLY LOST OVER THE WEEKEND.  PLS RSND.***

Contents:
  (No) Viruses in Iraq's EXOCET? (Klaus Brunnstein)
  Risks of NOT believing war game models (Bob Estell)
  Re: MoD computer stolen in UK (Olivier M.J. Crepin-Leblond)
  Re: Computer program gives police a bum rap (William H. Glass)
  Voting by Phone (Evan Ravitz, PGN)
  (More) word processor atrocities (Pete Mellor)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in
 good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
 "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
 FTP VOL i ISSUE j:  ftp CRVAX.sri.com
                     login anonymous
                     AnyNonNullPW
                     CD RISKS:
                     GET RISKS-i.j
 (where i=1 to 10, j is always TWO digits.)  Vol i summaries in j=00;
 "dir risks-*.*" gives directory; "bye" logs out.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of
 ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: 15 Jan 91 11:10 GMT+0100
From: Klaus Brunnstein
Subject: (No) Viruses in Iraq's EXOCET? (Misguided Missiles)

French press (La Liberation) and media reported (Jan. 10) in some detail that
computer viruses could be planted, either in advance or afterwards, in French
EXOCET rockets to influence their performance such as to misguide them.
Following a report of the German Press Agency (dpa), German media (on Jan. 11)
were full of reports about "viruses in Hussein's rockets".
According to dpa, (unnamed) French computer scientists said:

 - manufacturers of war material usually implant, "for mere commercial
   reasons", viruses in exported war electronics to provoke, after some time,
   faults and "profitable repair work";

 - though Iraqi weapon computers are "hermetically cut off from the outside
   world", computer viruses could be implanted, e.g., via "weather data";

 - moreover, the built-in computers contain programs which may be triggered
   remotely; the control system of (French-built) EXOCET rockets could be
   switched off from French ships; the only problem would be the mass of
   weapon computers to be switched off simultaneously.

As usual in events related to malicious code, truth is mixed up with
misunderstandings, errors and impossibilities:

 - the implementation of weapon software makes self-reproducing programs
   (=viruses) impossible; moreover, it is very improbable that such systems
   may be (re-)programmed remotely; French "experts" with such arguments are
   non-trustable;

 - on the other hand, other aspects of "malicious code" may well be present in
   weapon computers; at least in the test phase, rockets can be destroyed by
   triggering a self-destruction system remotely; following the
   well-established principle "never change a running program", such
   "backdoors" (the proper name for this type of malicious code) could survive
   the test version;

 - moreover, French system analysis might well have foreseen scenarios in
   which to defend against French-made rockets (e.g., EXOCETS); French
   warships might remotely influence the EXOCET control systems if this
   remains unchanged by the (Iraqi) users of such technology; with equivalent
   probability, other Western weapon control systems could contain similar
   self-protection mechanisms (e.g., US Hawk missiles having been captured in
   Kuwait);

 - finally, it is well published (even in non-military periodicals) that and
   how electronic countermeasures (ECM) may mislead weapon electronics.
Some interesting questions following from such "possibilities":

 - May Iraq detect, influence or adapt such weapon software?  As software
   technology is not well enough developed in Iraq (and most of the Arab
   world), they probably must rely on foreign experts (as they evidently do in
   other Hi-Tech areas).

 - If French EXOCET rockets are remotely controllable: why did the French not
   warn their "friends" who suffered severe losses through their weaponry
   (e.g., UK in the Falklands crisis, or US in the Iran crisis, see the
   accident of USS STARK)?  Do they at least now warn and properly equip their
   allies in the Arabian desert?

For "RISK experienced" experts, it is not surprising that misinformation lives
best in threatening situations (such as at the Gulf); apart from general
attitudes of news media, computer scientists who name their technological
constructs (e.g., "self-reproducing programs") in such inadequate terms as
"viruses" (see also: "intelligence", etc.) are highly responsible for
misinterpretation and misunderstanding by less well informed media people and
the public!  On the other side, authorities and the public only in such
threatening circumstances become aware of riskful assumptions inherent in
contemporary computer systems.  Such unfortunate experience may lead to the
cynical assumption that risks may best be conceived by (hopefully: moderately)
"ex post" experiencing them, rather than analysing and avoiding them "ex ante".

Postscriptum: computer "viruses" may nevertheless play a role in "Operation
Desert Shield".  There are (yet unconfirmed) news items that several thousand
PCs (5000?) have been infected by ordinary "computer viruses".
This would not be a surprising experience, as the soldiers had to "waste"
ample time waiting for Jan. 15; in the absence of other possibilities for
spending free time, computer games (usually a source of "virus" infections)
may have played a major psychological role, maybe with some impact on their
"ordinary functional behaviour".

------------------------------

Date: 14 Jan 91 17:34:00 PDT
From: "FIDLER::ESTELL"
Subject: risks of NOT believing war game models

The risk of NOT believing war gaming models should be revisited, in view of
the Congress' vote this past weekend.

In all such "contests" (sports games, wars ...) there is always a chance,
regardless of how low the probability, that some rare event may occur; e.g.,
"mighty Casey may strike out."  This is particularly true when one side (or
both) have some players with particularly LOW vulnerability, and/or some
weapons with particularly HIGH lethality.  The outcome of the "game" will vary
drastically, depending on what happens to these "superior" players/weapons -
and WHEN it happens.

To take a hypothetical case, based on history, SUPPOSE that Gen. Custer had
gone into his last stand with a hundred Gatling guns; and suppose that those
operating these guns had plenty of ammo, and were lucky enough to not be
wounded -- at least, until they had done their (dirty) work.  One might
imagine that it would have been Custer's greatest victory.

IF the Congressional debaters were right, Iraq has some "unusual" weapons; IF
these weapons survive long enough to be used, who knows what the outcome might
be?  The lesson of the Spanish Armada's defeat suggests that Gen. Eisenhower
and others were right: After the war starts, no one knows ...

Bob

------------------------------

Date: Thu, 17 Jan 91 16:20 BST
From: "Olivier M.J. Crepin-Leblond"
Subject: Re: MoD computer stolen in UK

Just a quick word to advise RISKS readers that the MOD laptop computer stolen
in the UK has been recovered by the MOD.
The information was in the press last week.  There was no mention of any
arrest.  Understandably, since the Gulf hostilities have just started, the MOD
is keeping full secrecy about the outcome of the story.

The fact that classified military information was present on the hard disk of
a laptop computer would certainly seem to be a risk in itself.  It is even
more unbelievable that the laptop was left unattended in a car in Acton (West
London), which is not the safest of areas in London.  I certainly would not
leave a laptop (if I had one) in my car in that area!

When computers were as large as a bus, there was no risk of one being "lost"
in nature.  Now they are so small that one can carry them all around the
place.  And since a small plastic box looks less important than 20Mb worth of
printed paper (with red ink warning notices), it is worrying that the holder
of this box becomes that negligent.

Olivier M.J. Crepin-Leblond, Elec.Eng. Dept, Imperial College London, UK.

   [The computer's return was also noted by Steve Bellovin
   (smb@ulysses.att.com), Margaret Fleck, Tim Steele (who added that although
   the MoD refused to reveal the contents of the note, they said that it
   convinced them that the data is secure), and Charles Bryant.  THANKS!  PGN]

------------------------------

Date: Tue, 15 Jan 1991 00:00:11 CST
From: glass@vixvax.mgi.com (William H. Glass)
Subject: Re: Computer program gives police a bum rap (Smallberg, RISKS-10.77)

In RISKS-10.77, David A Smallberg writes about the problems of a police
department determining its crime solving record.  This reminds me of a problem
I observed years ago while working on a research project studying crime
statistics.

The city of Philadelphia had one of the lowest auto theft rates of any major
city in the US.  One of the principal reasons for this was that if the car was
recovered within 24 hours (as many are), the crime was reclassified as "joy
riding".
The Philadelphia police liked this system because it looked like good
publicity to have a low auto theft rate.  Then, a new federal program was
started that among other things gave funding to local police departments based
on the number of auto thefts.  As you might guess, suddenly Philadelphia
suffered a major increase in auto thefts.

William H. Glass, Management Graphics, Inc., 1401 E. 79th Street,
Minneapolis, MN 55425   Phone: +1 (612) 854-1220   Internet: glass@mgi.com

------------------------------

Date: Mon, 14 Jan 91 23:39:46 MST
From: eravitz@isis.cs.du.edu (Evan Ravitz)
Subject: Voting by Phone

SECURITY & PRIVACY OF VOTING BY PHONE

The ultimate demonstration that Voting by Phone is reliable is this: we intend
to publish not only the election totals, but how each and every Voter ID
number voted, so you can check that your vote got through correctly.  Since
the ID numbers would be assigned anonymously (drawn randomly from a hat, say)
nobody could possibly know how you personally voted.  Since the "password"
part of the number would not be published, nobody could steal your vote at the
next election, having seen your ID number in the results.  Most usefully, the
results could be published on a computer diskette (and be available for
inspection at election offices and libraries) so anyone could check that the
individual anonymous votes indeed added up to the all-important totals.

This is in keeping with our desire to publish the program that controls the
computer that runs the phone election.  Currently, all the programs (computers
already count most votes in the US) are proprietary software and not open to
our inspection and rarely that of the election officials.

The use of "Caller ID" (also called Automatic Number Identification) to
identify voters by the phone numbers they call from can be easily defeated by
simply voting from any phone other than your own.
Eventually special solid-state 'smart cards' used with your phone could encrypt
your voting so that you could vote totally anonymously from your own phone as
well.

Responding to November's comments:

Voting by phone does not disenfranchise the phoneless!  Phone booths are far
more common than voting booths and of course the call should be free.  Some
are always further from the polls than others -- think of rural dwellers, and
how this would help them.

In Colorado as well, no ID is needed to vote.  They take your signature, but
it is not compared to anything unless you are challenged, which would only
occur if the judges happened to know you personally.  The system is archaic
and relies on the judges knowing us by sight.

The problem of the use of caller ID to prevent 'hackers' from constantly
calling, disenfranchising poor neighborhoods with only 1 phone, can be solved
thusly: register these phones so the system expects many calls from them.  But
this is likely unnecessary as most attempts to 'guess' ID numbers will fail --
the system needs to lock out only phones that repeatedly try and fail.

Proxy voting should be criminalized and a reward offered for turning in anyone
offering to buy votes.  If one expects coercion, 'prevoting' would preempt
anyone forcing their choice on you.  And since reporting coercion (by phone)
would bring a reward, this problem would be minimized.

The 'California problem' of voting on so many issues at once is actually
another benefit of voting by phone -- why struggle with 40 at once when each
could get its own week-long 'slot'?  This also makes voting more timely and
your ID easier to remember.  Phone voting makes this economically practical.

Telephone service bureaus are prepared now with 1000s of lines for just such
applications as phone elections.  By opening the lines for several days
(voting by mail and absentee are precedents for this) and educating people to
spread out their voting, busy signals should be a very small problem indeed.
The main problem of getting the ID numbers to the right people is solved by
having them come in to register for the new system, once.  This would also
prevent them from voting in person as well, just like voting by mail (formerly
'absentee') does.

'Writing in' candidates can be replaced with 'speaking in' their names, along
with the spelling.  The infrequency of write-ins will prevent the
transcription from becoming a major expense.

No system is perfect.  But phone voting is more secure, inexpensive,
convenient, and ecological than our archaic system.  That's why most modern
business is done by phone -- polling, international banking, e-mail, etc.  The
reason this wasn't done long ago is because it is also the tool for a more
direct democracy -- voting on more referenda and initiatives more often -- and
this threatens the hegemony of our 'representatives', who now rule with the
approval of a diminishing minority of Americans.

The Voting by Phone Foundation can be reached at 774 19th St, #5, Boulder CO
80302 or (303) 444-3596 or eravitz@nyx.cs.du.edu.  We'd be happy to send you
our brochure, or the E-mail version.

Evan Ravitz, Director

------------------------------

Date: Tue, 22 Jan 1991 15:51:51 PST
From: "Peter G. Neumann"
Subject: Voting by Phone

Evan Ravitz' contribution makes an interesting case, although it fails to
adequately address some of our classic vulnerabilities, such as bogus votes
inserted by insiders (or outsider/insider collusions).  (Insiders could also
juggle the expected total number as well.)  No one would complain that HIS or
HER vote was missing, and yet no one would be able to notice the bogus votes!
Another problem is that people would tend to write down their ID/password, and
either forget it or lose it between elections.  Insiders could also wait until
the last minute before closing time and instantaneously vote for those who
hadn't yet gotten around to it.  But there is much merit to the idea.
PGN

------------------------------

Date: Mon, 14 Jan 91 09:49:20 PST
From: Pete Mellor
Subject: Word processor atrocities

On the general theme that a word processor does for words what a food
processor does for food, in his column in the Observer on the Sunday before
last, Simon Hoggart recounted the tale of a novelist who decided at the last
minute to change her main character's name from David to Jeff, with the result
that a piece of dialogue about sculpture referred to the previously unknown
work "Michelangelo's Jeff".

He followed it up last Sunday with a medical study which was originally
written with the family name of the subject of the research given only as "B",
to preserve confidentiality.  For some reason, it was decided that the full
name could, after all, be used, which led to the discovery of the new disease
"Hepatitis Blenkinsop".

Peter Mellor, Centre for Software Reliability, City University, Northampton
Sq., London EC1V 0HB   +44(0)71-253-4399 Ext. 4162/3/1
p.mellor@uk.ac.city (JANET)

   [Also noted by smith@canon-research-europe.co.uk (Mark Smith).]

------------------------------

End of RISKS-FORUM Digest 10.78
************************