Subject: RISKS DIGEST 11.37 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Wednesday 2 April 1991 Volume 11 : Issue 37 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: An ancient method for assuring software quality (Martin Minow) Risks of using your telephone Calling Card in a COCOT (John R. Covert) Computers and evidence (Steve Bellovin) E-mail role in LA cop probe (Sean Eric Fagan, PGN) Sierra Club and Electronic Voting (Ed Ravin) Leonard Rose and UNIX root access (Steve Bellovin) Justice Department's One Big File (Clifford Johnson) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Sun, 31 Mar 91 21:03:08 PST From: Martin Minow 01-Apr-1991 0000 Subject: An ancient method for assuring software quality Is it possible that the solution to the software quality crisis was discovered in Korea in the 15th century? The following is from Daniel J. Boorstin, "The Discoverers" quoting, apparently, Kim Won-Yong, "Early Movable Type in Korea" (1954): "The supervisor and compositor shall be flogged thirty times for an error per chapter; the printer shall be flogged thirty times for bad impression, either too dark or too light, of one character per chapter." Boorstin continues, "This helps explain both the reputation for accuracy earned by the earliest Korean imprints and the difficulty that Koreans found in recruiting printers." Martin Minow minow@ranger.enet.dec.com [The date of submission of this is a coincidence, of course.] [This gives a new meaning to the concept of making a good impression. Both the Imprints of Darkness and Imprints of Lightness are evil! Kiss either one and he (distractedly) turns into a Flog. But if they succeed, they can have a moveable type feast. Strongly typed, at that. PGN] ------------------------------ Date: 2 Apr 91 16:21:37 GMT From: covert@covert.enet.dec.com (John R. Covert) Subject: Risks of using your telephone Calling Card in a COCOT Newsgroups: comp.risks,comp.dcom.telecom,alt.drugs I cannot vouch for the accuracy of the following story, which I heard yesterday. There does seem to be substantial risk here: According to the story, a company which leased COCOTs (Customer Owned Coin Operated Telephones) to businesses in New York, Chicago, and Los Angeles was discovered to have turned all 1000 of their phones into Calling Card thieves. The scheme was simple: The phones, like most COCOTs, are located inside or outside small businesses. The business contracts with the leasing company for maintenance of the phones; as part of the contract the leasing company obtains a percentage of all money collected by the phone, paid by the small business out of the receipts in the coin box. In addition, the leasing company pays the business a percentage of the money collected by Alternate Operator Services (AOSs) for calls billed to Calling Cards. The COCOTs include a modem used by the COCOT operator to call into the phone in order to set rate tables and to collect usage data for accounting purposes. This COCOT operator had modified the accounting program to collect and report the calling card numbers used by people placing calls from the phone. The calling card numbers (AT&T, Sprint, and MCI) were then sold to drug dealers and resulted in over ten million dollars in fraudulent calling before the pattern was discovered and the owners of the COCOT service company were arrested. Police recommended using cash, not calling cards, from all telephones not bearing the identification of the local phone company. /john ------------------------------ Date: Mon, 01 Apr 91 22:15:07 EST From: smb@ulysses.att.com Subject: Computers and evidence There's a fairly sensational murder trial going on now in New York that may be of interest to RISKS readers. Of course, I'm not referring to the more mundane attractions of the trial -- plenty of sex, a seedy private eye, and all manner of fascinating behavior -- but rather to some conflicting pieces of evidence that the prosecution and defense have introduced. The entire case is circumstantial, so every item counts. To demonstrate that the defendant called a particular gun store the day of the murder, the district attorney introduced a printout made from MCI's microfiche copies of phone bills. Sure enough, the call was listed. The defense countered with what it claimed was the original of the phone bill. That call wasn't shown, but a call to the defendant's mother was shown, at a time that would provide an alibi for the time of the killing. The prosecution countered with a billing systems expert who claimed that MCI bills for the month in question should include a particular slogan; this one lacked it. Another MCI employee said that he had reviewed the original tapes in question, and the gunshop call was there, but not the alibi call. The defense attorney was astute enough to ask what proof there was that no one had tampered with the tape, and how good the access controls were on the tape library. The next go-round featured an FBI computer type who said that he, too, had reviewed the tapes, and found the prosecutor's call; however, he apparently couldn't explain why other calls shown on the microfiche were not on the tape. (I may have some details wrong; local media coverage has been less than stellar. One radio station has been doing things like calling defense questions ``desparation tactics''. And the New York Times referred to the tapes as the ``Volser tapes'', as if that were the name of the billing system. I suppose it might be, though given IBM's JCL nomenclature I find that notion a bit improbable...) I won't even say that the jury is still out on this case, since it hasn't progressed that far yet. Stay tuned for the next episode of ``As the Disk Turns''.... --Steve Bellovin ------------------------------ Date: Mon, 1 Apr 91 13:00:04 PST From: Sean Eric Fagan Subject: E-mail role in LA cop probe Taken from the March 25 Computerworld Electronic messages transmitted between computers assigned to three Los Angeles police officers suspected in the beating of a black motorist could be used as evidence to show "intent to harm," according to legal experts. [...] [Dialogue ommitted] Legal experts say they know of no previous case in which electronic messages have been used as evidence in a criminal case. Most agreed that such communications are likely to be treated as recorded voice transmissions. [end excerpts] Obvious RISKS spring to mind, such as: how secure is the identification (or, put another way, how easy is it to forge messages)? Giving electronic messages the same validity as recorded voice is a bad move, it seems to me. Sean. ------------------------------ Date: Tue, 2 Apr 91 9:13:40 PST From: RISKS Forum Subject: Re: E-mail role in LA cop probe We have been around on this one numerous times before in RISKS. Even with elaborate techniques (e.g., multikey encryption facilities), essentially any message can be spoofed, tampered with, or destroyed altogether, given suitable system access. Therefore, essentially any evidence provided by a system COULD have been tampered with, even though it may be unlikely in a particular case. ------------------------------ Date: Wed, 3 Apr 91 16:41:41 GMT From: eravin@panix.UUCP (Ed Ravin) Subject: Sierra Club and Electronic Voting The Sierra Club, in their board elections, have sent paper ballots to all their members, who are asked to return the ballot with the appropriate votes checked in. There is no name or other identification on the ballot, except for a computer-printed number and the caption "This random number tells the computer that the voter is a member in good standing... It is not related to the membership number". Annonymous verification of ballots? If their scheme is sound, then it shouldn't matter if the ballots are mailed in or keyed in over the phone or some other computer-assisted device. Does anyone out there know what system Sierra Club is using or is able to comment on simliar systems? Ed Ravin, cmcl2!panix!eravin philabs!trintex!elr ------------------------------ Date: Mon, 01 Apr 91 21:31:23 EST From: smb@ulysses.att.com Subject: Leonard Rose If one had root access, there was no need to hack into a system because one was already there. ... [text deleted and reordered] I have yet to hear even a marginally literate Unix type claim that login.c is a realistic "hacking device." OK, I'll byte [sic]. I consider myself more than ``marginally literate'' on both subjects, UNIX and system security, and I'll make the blatant assertion that login.c is a very realistic ``hacking device''. Why? Because many people tend to use the same password on different machines. If I can get your password on some machine I've already penetrated, the odds are quite good that I can then log in to some other machine you use. And even if you follow proper practice, and don't reuse passwords in different security domains, the probability is near unity that someone on your machine isn't so careful. Possession of a hacked login.c is the electronic equivalent of being caught with burglar's tools or a ``deadly weapon'' (which may be as innocuous in other contexts as a baseball bat). The prosecutor must demonstrate intent to misuse in such cases. If possesion of ``hacking tools'' were against the law (as far as I know, it's not, and given how loosely many such statutes are drawn, that's probably just as well), there would be a considerable burden of proof. Maybe such evidence could be produced in this case, maybe not. But it's far from unreasonable to claim that hacking is at issue. At least one computer security consultant indicated that he used login.c to log passwords as a way of protecting security, not subverting it. Maybe so. In that case, the charge should be extreme negligence. I don't care what your motives are; no responsible system administrator should ever store cleartext user passwords online. If you really want to analyze them, do the analysis immediately, and dispose of the input text as soon as possible. A list of passwords, no matter how well protected, is an open invitation to trouble. The classic Morris-Thompson paper on password security gives several lovely examples of this. --Steve Bellovin ------------------------------ Date: Mon, 25 Mar 91 14:24:18 PST From: "Clifford Johnson" Subject: Justice Department's One Big File The Privacy Act was supposed to prohibit file-matching across government databases. It contained a broad EXCEPTION to this rule, if matching was required in order for an agency to perform a special duty. This was supposed to permit only individual case exceptions, but it turned out to be such a big loophole that in no cases is matching prohibited, and automatic bulk file matching is now routine. What privacy advocates often fail to address in their conceptual attacks on matching is the simple fact that the critical government databases on people sit on the same mainframes, managed by people who report to the same person. Fighting file-matching is at best Quixotic -- because there's de facto One Big File. I.e.: Harry H. Flickinger is Assistant attorney general for administration in the Justice Department. Under him are officers responsible for databases that support the FBI, the DEA, the INS, the Bureau of Prisons, civil/tax and other divisions. There is a new vacant post under him, for Deputy Assistant Attorney General, Information Resources Management. This single position is to be responsible for ALL the Justice Department's computational needs, as reported in Gov't Computer Week, March 18: Q: What is your IRM philosophy? Flickinger: [It's] unitary. Although it is diversified in what it does, the components tend to impact one another. Investigators go out and conduct investigations that lead to prosecution. We have lawyers that handle that. Prosecution may lead to incarceration. We have the Bureau of Prisons. This attorney general and others have said we have to look at the department as a single entity -- to provide as much uniformity and standardization of support as we possibly cann... The theory is, we ought to have one system that lets virtually anybody in this department regardless of location talk to anybody else. We're trying to promote that uniformity right across all the administrative activities... We're going to have... theoretically one data center. WE THINK IT'S SMARTER TO PUT IT IN ONE LOCATION. The article continues: "The Justice Department's two data centers [each has 4 Amdahl 5870s, one has another 4 IBM 3090-400Es] ... keep humming about 99 percent of the time 'sometimes 100,' [!] according to Lee Brown... The 56 major customers include the Drug Enforcement Administration, Immigration and Naturalization Service, U.S. Marshals Service, Bureau of Prisons, and Interpol..." ------------------------------ End of RISKS-FORUM Digest 11.37 ************************