Subject: RISKS DIGEST 11.43 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Wednesday 10 April 1991 Volume 11 : Issue 43 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: U.S. Senate S. 266 (Bill Murray) U.S. Senate 266, Section 2201 (cryptographics) (Bill Murray) The price of quality (David G. Novick) Some more data on Len Rose (Jerry Leichter) "LIVING AGAINST THE ODDS" abuses statistics (Jeremy Grodberg) Re: Rapid dissemination of half-truths, lies, ... (Robert E. Van Cleef) Re: Bogus License Upends Life (Steve Elias Establish and use clearing houses for sensitive information (Steve Elias) Re: Computer Ballot Tally (Erik Nilsson) Security does not come through obscurity (Alan Wexelblat) Re: Tricky application of Caller ID (Bill Woodcock) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Wed, 10 Apr 91 17:23 EDT From: WHMurray@DOCKMASTER.NCSC.MIL Subject: U.S. Senate S. 266 Senate 266 introduced by Mr. Biden (for himself and Mr. DeConcini) contains the following section: SEC. 2201. COOPERATION OF TELECOMMUNICATIONS PROVIDERS WITH LAW ENFORCEMENT It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law. ------------------------------ Date: Wed, 10 Apr 91 18:20 EDT From: WHMurray@DOCKMASTER.NCSC.MIL Subject: U.S. Senate 266, Section 2201 (cryptographics) The referenced language requires that manufacturers build trap-doors into all cryptographic equipment and that providers of cconfidential channels reserve to themselves, their agents, and assigns the ability to read all traffic. Are there readers of this list that believe that it is possible for manufacturers of crypto gear to include such a mechanism and also to reserve its use to those "appropriately authorized by law" to employ it? Are there readers of this list who believe that providers of electronic communications services can reserve to themselves the ability to read all the traffic and still keep the traffic "confidential" in any meaningful sense? Is there anybody out there who would buy crypto gear or confidential services from vendors who were subject to such a law? David Kahn asserts that the sovereign always attempts to reserve the use of cryptography to himself. Nonetheless, if this language were to be enacted into law, it would represent a major departure. An earlier Senate went to great pains to assure itself that there were no trapdoors in the DES. Mr. Biden and Mr. DeConcini want to mandate them. The historical justification of such reservation has been "national security;" just when that justification begins to wane, Mr. Biden wants to use "law enforcement." Both justifications rest upon appeals to fear. In the United States the people, not the Congress, are sovereign; it should not be illegal for the people to have access tto communications that the government cannot read. We should be free from unreasonable search and seizure; we should be free from self-incrimination. The government already has powerful tools of investigation at its disposal; it has demonstrated precious little restraint in their use. Any assertion that all use of any such trap-doors would be only "when appropriately authorized by law" is absurd on its face. It is not humanly possible to construct a mechanism that could meet that requirement; any such mechanism would be subject to abuse. I suggest that you begin to stock up on crypto gear while you can still get it. Watch the progress of this law carefully. Begin to identify vendors across the pond. William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769 ------------------------------ Date: Wed, 10 Apr 91 14:53:01 -0700 From: "David G. Novick" Subject: The price of quality I noticed an interesting column by Joshua J. Kaufman on computers for lawyers in the March/April edition of The Washington Lawyer, the official journal of the District of Columbia Bar. The column began: On Second Thought "What do you expect from a $69 program?" were the last words said to me by the technical department at Isogon Corporation. The comment was made after its product NewSpace, a data compression utility (which I have reviewed favorably in the past), managed to destroy 1,400 files and 42 megabytes of my data. I spent over an hour on the phone with technicians trying to find a way to correct the problem--all to no avail. What happened to Kaufman is that he had been using NewSpace successfully to compress files on his hard disk. One night he started up the program, left work, and came back in the morning to discover that his computer had "frozen." When he rebooted, the "file allocation table" was damaged in a way that could not be recovered. Thus while his files were almost all fine, he could not retrieve them, despite the fact that he could list the files in his directory. The RISKS I see here are (1) relying on reviewers of software who use a product casually but who do not systematically test, and (2) producing software that can, without prior notice, leave your system in an unrecoverable state. For $69, perhaps Kaufman was entitled to a product that, even though possibly buggy, would be designed to fail safely. David G. Novick, Department of Computer Science and Engineering, Oregon Graduate Institute of Science and Technology, Beaverton, OR 97006-1999 ------------------------------ Date: Mon, 8 Apr 91 22:29:15 EDT From: Jerry Leichter Subject: Some data on Len Rose With all the verbiage about whether Len Rose was a "hacker" and why he did what he in fact did, everyone has had to work on ASSUMPTIONS. Well, it turns out there's now some data: A press release from the US Attorney in Chicago, posted to the Computer Underground Digest by Gene Spafford. I've extracted one interesting portion concerning the famous "modified login.c" program: In pleading guilty to the Chicago charges, Rose acknowledged that when he distributed his trojan horse program to others he inserted several warnings so that the potential users would be alerted to the fact that they were in posession of proprietary AT&T information. In the text of the program Rose advised that the source code originally came from AT&T "so it's definitely not something you wish to get caught with." and "Warning: This is AT&T proprietary source code. DO NOT get caught with it." The text of the trojan horse program also stated: Hacked by Terminus to enable stealing passwords. This is obviously not a tool to be used for initial system penetration, but instead will allow you to collect passwords and accounts once it's been installed. (I)deal for situations where you have a one-shot opportunity for super user privileges.. This source code is not public domain..(so don't get caught with it). Rose admitted that "Terminus" was a name used by him in communications with other computer users. I can't imagine a clearer statement of an active interest in breaking into systems, along with a reasonable explanation of how and when such code could be effective. (BTW, back in the early 70's, some friends of mine and I dis- covered that a newly-installed APL system still had no password, or a standard password, set on its operator account. Because we had quick access to some code that would let us to "trap" the resulting privileges, we were able to continue to play God on that system for years - although the operator password was changed within a day or two. "One-shot opportunities" DO occur.) The only thing that will convince me, after reading this, that Rose was NOT an active system breaker is a believable claim that either (a) this text was not quoted correctly from the modified login.c source; or (b) Rose didn't write the text, but was essentially forced by the admitted duress of his situation to acknowledge it as his own. -- Jerry ------------------------------ Date: Mon, 8 Apr 91 13:30:50 PDT From: jgro@lia.com (Jeremy Grodberg) Subject: "LIVING AGAINST THE ODDS" abuses statistics (what else is new) The PBS Special "Living Against the Odds" showed some signs of statistics abuse which were especially annoying for a special which is supposed to enlighten the masses about this kind of thing. It is bad enought that this king of abuse is the foundation of much of our current public policy debates, but to see it emphasized like this: isn't there anything we can do? 2 examples: The statistic they used to judge the risk of an activity was deaths per 100,000 participants. In other words, they said that 20 out of 100,000 people who climb rocks die while climbing rocks, and 20 out of 100,000 people who drive cars die while driving cars, so the two activities are equally dangerous. This conclusion does not follow, for it does not take into account the very likely possibility that people who climb rocks spend a significantly different amount of time climbing rocks than people who drive cars spend driving cars, over the course of a lifetime. If the average rock climber spends 1,000 hours of his life climbing rocks, and the average driver spends 10,000 hours driving, then the mortality statistics suggest that rock climbing is 10 times as dangerous. One of the "experts" was shown saying (I quote from memory) "80% of people surveyed think they are safer than average drivers. Obviously this can't be true." Unfortunately for the expert, it can be true, and it wouldn't surprise me if it *were* true. For a very simple example, take the case where 80% of the people have exactly 1 accident every 2 years, and 20% of the people have exactly 2 accidents every 2 years. The "average" driver therefore has 0.6 accidents per year, and 80% of the drivers are better than average, since they only have 0.5 accidents per year. How can we survive as a democracy in a technological age when even the experts can't understand the complexities of the data they are evaluating? Jeremy Grodberg ------------------------------ Date: Tue, 9 Apr 91 09:48:42 -0700 From: vancleef@garg.nas.nasa.gov (Robert E. Van Cleef) Subject: Re: Rapid dissemination of half-truths, lies, disinformation (11.41) Accepting the statements of "those who should know" without question is an old problem. If my memory serves, one of the reasons given for the success of the Communist Revolution in China was a belief on the part of the Chinese population that written statements were "Truth"; leading them to believe the propoganda posters without question. I have seen the same factor at play with individuals who believe everything they read in the paper, or hear on a TV news programs, or learn from their friend, neighbor, or pastor. The FCC has been repeatedly hit by unfounded petition drives of various sorts. Most of these problems have been well documented as Urban Legends. The computer related risk, like always, is in the speed and ease of propagation. It is too easy to mail a copy of this "important" message to hundreds of people, where it can sit in someone's mailbox until they decide to pass it on. There are two things that we can do as individuals: 1) Establish and use clearing houses for sensitive information. Having the CERT validate and announce security problems will help prevent the problem of people ignoring a security bug in ftp because of too many previous false messages. 2) Identify your sources: If all you have is hearsay, note it as such! If you have a reference, list it. One of the most valuable features of the RISKS digest is the fact that most of the posters identify the sources of their information. As long as people believe what they want to believe, be it the National Enquirerer or alt.rumors, this will be a problem. Bob Van Cleef, NASA Ames Research Center (415) 604-4366 vancleef@nas.nasa.gov ------------------------------ Date: Tue, 09 Apr 91 10:43:47 MDT From: Steve Elias Subject: Re: Bogus License Upends Life I'd like to point out that the woman who had her life upended by someone stealing her identity probably would have been able to avoid this problem if she had been a member of TRW Credentials service. Many of you usenet-folk love to slam this TRW service, but in a case like this woman's, it may have saved her all that trouble. /eli ------------------------------ Date: 09 Apr 91 10:42:24 PDT (Tue) From: erikn@tekcae.cax.tek.com Subject: Re: Computer Ballot Tally Oops, I forgot an important point. A big advantage of precincts is that you pick precincts to recount at random, then verify the recount numbers against the original counts for that precinct. If you start seeing discrepancies, then you need to recount everything. Then, the recount actually tells you something about the original count. I also didn't say anything about pre- and post-election testing of the system, yet another BIG AREA. - Erik erikn@tekcae.cax.tek.com (503)690-8350 690-9292[fax] ------------------------------ Date: Tue, 9 Apr 91 17:29:12 edt From: wex@PWS.BULL.COM Subject: Security does not come through obscurity (B.J. Herbison, RISKS-11.42) Herbison takes Richard Wexelblat to task for asking if a ballot-verification method is secure by stating: > [The method] *might* have been reasonable before you published it, but now > that you have provided the information needed to cook the vote and avoid > detection--just modify the electronic vote counter so it is accurate until > the ballot count is larger than 2% of the expected returns and does > anything it wants after that point. This argument is fallacious on two counts. One, it assumes that if Richard hadn't publicised the verification method, no one with ill intent would have known it. Any system security manager can tell you that those with ill intent are often the best-informed on system vulnerabilities. Security through obscurity just doesn't work. Two, it implicitly assumes that someone could be in a position to "modify the electronic vote counter" and yet not know the verification method. Highly unlikely, I'd say. [For the record, Richard Wexelblat is my father. That doesn't make Herbison's argument any less unreasonable.] --Alan Wexelblat, Bull Worldwide Information Systems, phone: (508)294-7485 ------------------------------ Date: Mon, 8 Apr 91 20:39:56 -0700 From: woody@ucscb.UCSC.EDU (Bill Woodcock) Subject: Re: Tricky application of Caller ID (Davis, RISKS-11.42) > Consider the scenario for a moment and imagine, say, 10,000 kids in the > audience actually do what they're told. You've got 10,000 phones dialing the > same number simultaneously. How many of those calls do you think will > actually get through? In answer to your question, all 10,000 of them will get through. Sprint has a service called "Mass Event 900/800" for doing exactly this. It can handle, coincidentally, 10,000 calls simultaneously, and is offered to all their larger 800 and 900 customers. I've heard, but not been able to substantiate, that AT&T has a similar service. -Bill Woodcock, BMUG NetAdmin ------------------------------ End of RISKS-FORUM Digest 11.43 ************************