Subject: RISKS DIGEST 11.52 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Tuesday 24 April 1991 Volume 11 : Issue 52 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Another commuter train wreck in London (Clarinet via J.I. Kamens) [YACTWiL!] No beepers under 21 (Max Tardiveau) [sic!] Monitoring in the workplace (Jerry Leichter) University Exec Backs Hacking (Dutch crackers) (anonymous) Hacking a la Neerlandaise (Herman J. Woltring) Responsibilities of Internet sites (was Dutch crackers) (Fernando Pereira) Re: Dutch crackers and irresponsible officials (Steve Bellovin, Castor Fu) Re: Dutch hackers and KSC (Bruce Oneel) CERT Warning on Spoofs (Bill Murray) Broadcast telephone calls (Iain Douglas) Parity and SCSI (Tim Smith) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. =CarriageReturn; FTPs may differ; UNIX prompts for username, password. If you cannot access "CRVAX.SRI.COM", try Internet address "128.18.10.1". ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Tue, 23 Apr 91 16:59:42 -0400 From: Jonathan I. Kamens Subject: Another commuter train wreck in London (Posted with permission from the ClariNet electronic newspaper service & UPI. People who want more info on ClariNet can mail to info@clarinet.com or phone 800-USE-NETS.) Date: 22 Apr 1991 08:46:20 GMT From: clarinews@clarinet.com Subject: Computer-controlled commuter trains collide in east London Newsgroups: clari.news.trouble,clari.news.europe Message-ID: LONDON (UPI) -- Two computer-controlled commuter trains collided at the height of morning rush hour in London's Docklands district, shutting down the railway system and forcing the evacuation of dozens of passengers, police and witnesses said. One two-car shuttle traveling through the Isle of Dogs from London's Tower Gateway was struck by a second-two car train approaching from the east at a junction on the West India Quay bridge, rocking the first train and throwing it off the track. Police had to erect a ladder to get passengers out of the tilting cars. No serious injuries were reported but police said two passengers were taken to hospital for treatment of shock. One commuter said passengers in the first train, which was stopped, yelled ``hold on'' and ``watch out'' as the second driverless train continued toward them. ``It was bloody frightening, because you could see it unfolding before your eyes,'' said commuter Tom Bromhead. The Docklands Light Railway, intended to serve thousands of commuters in the district, usually operates by computer, allowing the drivers to check tickets and open the doors. The newly built system has been plagued by cost overruns and frequent shutdowns in the growing business district east of London. Jonathan Kamens, MIT Project Athena jik@Athena.MIT.EDU 617-253-8085 ------------------------------ Date: Tue, 23 Apr 91 05:39:14 CDT From: root@nextserver.cs.stthomas.edu (Max Tardiveau) Subject: No beepers under 21 I saw on a news program (it may have been 48 hours) this weekend that there was a law being debated in Congress that would forbid the possession of electronic pagers (beepers) under the age of 21. The idea being that a lot of drug dealers use these devices. This strikes me as a perfect example of cause-and-effect confusion. How can any mildly intelligent person believe that forbidding the use of beepers under the age of 21 will in any way affect drug trafficking? I would appreciate any detail anyone might have, I am afraid this is all I know, but it is so mind-boggling I couldn't let it pass unnoticed. Max Tardiveau, Department of Computer Science, University of St.Thomas, St.Paul, MN 55105 Internet : m9tardiv@cs.stthomas.edu [In a lighter vein [!], almost all beepers around today are under the age of 21. Maybe the older beepers will sue for age discrimination. PGN] ------------------------------ Date: Sat, 20 Apr 91 14:52:14 EDT From: Jerry Leichter Subject: Monitoring in the workplace The issue of automated monitoring of workers has been discussed many times in this forum. The current BusinessWeek (April 29, 1991) provides some important new information about this practice: As many of us may have suspected, not only is it bad for employees, it's not even good business. The article, "How to Motivate Workers: Don't Watch 'Em" appears as a sidebar (page 56) to a larger article on white-color work quality (which I recommend, along with an interesting cover article on the unusability of too many technological objects): Electronic eavesdropping is a tempting tool for boosting office productivity. Airlines, insurers, and telecommunications com- panies, among others, often clock every second that workers spend on computers or on the phone with customers. From a hand- ful a decade ago, the number of monitored employees has reached 10 million, according to the Office of Technology Assessment. But now, the search for quality is abridging this trend. Federal Express, Bell Canada, USAA, and Northwest Airlines, among other major employers, are finding that too much speed spoils service. HANDLE TIME They have begun to stress quality over quantity, or to end moni- toring entirely. THe result seems to be happier customers and employees. Proponents also say that a focus on quality does as much as monitoring to keep productivity high and rising. "A lot of people ask, which do you want, quality or quantity?" says Rebecca Olson, head of customer service for Federal Express Corp.'s southern region. "We found that you can have both, though it took a while to sink in." FedEx was among the first to see this. In 1984, it was worried about United Parcel Service Inc.'s move into overnight deliveries. Management realized that it could save money by slicing just one second off the average time its 2,500 customer-service agents spent on each call. So, FedEx began to monitor the average "handle" time per call - and made beating the clock 50% of an agent's performance review. Two years later, the strategy came home to roost. Employees griped that limiting every call to 140 seconds created too much stress - and made them cut of customers before questions were answered.... A new system cleared that up. Today, a supervisor listens in on a random call twice a year. Afterward, the discussion with the agent focuses on quality: The length of the call isn't mentioned. Both employees and executives say that service has improved - without hurting speed. The average call even dropped to 135 sec- onds.... The article continues with a description of another positive result, at Bell Canada's operator services. -- Jerry ------------------------------ Date: Mon, 22 Apr 91 10:30:39 xxx From: [anonymous] Subject: "University Exec Backs Hacking" (Dutch crackers, RISKS-11.50,51) UTRECHT, Netherlands (AP) A Dutch university official on Monday defended a student hacker's purported use of a computer network used by his school to penetrate a U.S. military computer. The Netherlands has no law against computer intrusion, making it a hacker's paradise. However, Parliament is expected to pass a law this year that forbids unauthorized entry into computer systems, the Justice Ministry said. The New York Times reported in Sunday editions that over the past six months, three or four Dutch hackers have broken into a range of U.S.-based computers. The computers include those at the Pentagon's Pacific Fleet Command, the Kennedy Space Center, and the Lawrence Livermore National Laboratory and Stanford University in California. [see RISKS-11.50] U.S. officials said they had identified some of the intruders, but that no arrests had been made. Maarten Rook, the director of economics and personnel at Utrecht University, was present during the February filming of a hacking incident shown on a late-night Dutch television show. It showed the hacker breaking into what purportedly was a U.S. Navy computer installation in San Diego. During the broadcast, the hacker, whose face was not shown and whose voice was scrambled, linked his personal computer to the Surfnet data network used by Dutch universities. Surfnet in turn is linked to the U.S.-based Internet bulletin board, through which the intrusion was made. The televised hacker, an Amsterdam student, obtained data that he claimed pertained to U.S. Navy ships and ballistic missiles, said Rook. However, Rook said he did not believe that the break-in resulted in access to confidential information. It could not be determined if the target of the televised break-in was the Pacific Fleet Command computer. Rook said installations using computers had a responsibility to devise secure systems to protect themselves against hackers. "They should take care of their own secrets ... If they don't want to be called they shouldn't be hooked up to the system," he said. Rook said most Dutch universities encourage their students to probe other systems as much as they can as part of their computer training. Several years ago, the prestigious Delft University of Technology even offered a course in computer hacking. "In our teaching system we try to endorse exploration and make our students enthusiastic about it," he told The Associated Press. ------------------------------ Date: Tue, 23 Apr 91 03:35 MET From: "Herman J. Woltring" Subject: Hacking a la Neerlandaise Last week, I committed a series of terrible crimes. While sitting behind my PC in the wee hours of the night, I hacked into a number of university and military libraries all over the world, both in the USA and in Australia, using the TELNET facilities recently advertised in the bimonthly SURFnet Bulletin from SURFnet Inc of Utrecht, The Netherlands. In this manner, I was able to snoop around on the shelves of these libraries, and to find out what books were on hold, booked for borrowing, not to be removed from the premises, or free to be lent for shorter or longer periods. In this way, I was able to pry into the librarians' private domains, well beyond the reach of American and Australian Law. Since the Gouvernment of The Netherlands is trying hard to persuade Parliament that Computer Hacking is a capital offence, it is my solemn duty to ask the Dutch Press to film and publicly denounce my asocial behaviour, so as to convince the Legislative that the proposed revision of the Netherlands Penal Code is timely and quite appropriate. Even worse, SURFnet Inc has been aiding and abetting with my crime, because instructions on how to hack into these overseas computers are freely available by networking. Just sending the one-line query GET INTERLIB CATALOG to LISTSERV@NIC.SURFNET.NL (or to LISTSERV@HEARN.BITNET) will provide all information needed for TELNETting, FTPing, and similar lone-ranging com- puter intrusion activities. It is particularly shocking that the INTERLIB CATALOG even provides login-in data and passwords such as "anonymous" or "guest". Herman J. Woltring Eindhoven, The Netherlands (50 km SSE from Utrecht/NL) ------------------------------ Date: Tue, 23 Apr 91 11:30:35 EDT From: pereira@klee.research.att.com (Fernando Pereira) Subject: Responsibilities of Internet sites (was Dutch crackers) I don't want to start a whole discussion on this matter, which has in other guises been covered extensively on previous RISKs, but I would like to respond briefly to T. Blinn and L. T. Heberlein's responses to my recent posting. 1) I know of no area of human activity in which wilfull intrusion or condoning intrusion are seen as no more condemnable as failure to protect one's domain from intrusion to the best of one's ability. Furthermore, it has been often pointed out that many Internet sites, for economic or other reasons, do not have the resources to keep up with security updates. The Internet has never been seen as a secure environment, to my knowledge. In fact, one might well take it as an wide-open environment in whose existence depends on the restraint and common courtesy of its users. Those that do not understand these ground rules don't belong there. 2) Indeed there are intruders all over the place. The special issue with respect to Utrecht is that an official of that site condoned behavior harmful to the community of Internet users. Fernando Pereira, 2D-447, AT&T Bell Laboratories 600 Mountain Ave, Murray Hill, NJ 07974 pereira@research.att.com ------------------------------ Date: Mon, 22 Apr 91 22:38:43 EDT From: smb@ulysses.att.com Subject: Re: Dutch crackers and irresponsible officials (RISKS-11.50) I think that Thomas Blinn has missed the point. Yes, systems on the Internet are insecure, often to a scandalous degree. And yes, that's often the fault of careless or irresponsible system administrators, though vendor culpability should not be neglected. Disregarding for a moment the activities of the hackers, the offense committed by the Dutch university officials is ethical: they are failing to condemn activities that are at the least immoral, and at best downright criminal. The traditional defenses of hackers simply do not apply here, assuming that the facts have been reported accurately. There was no ingenuity or exploration demonstrated; we are told that the intruder appeared to have a ``cookbook sitting next to him telling him what to do next at each step.'' Nor was the intrusion harmless; the article mentions tampering with data. Under what moral codes are such activities acceptable? Arguably, a university is not the place to teach basic ethical behavior; it should have been learned long before. But there is at the very least the imperative to refrain from encouraging unethical behavior. I will agree that some forms of hacking are educational. Given that, schools should provide the proper targets to be probed. (By analogy, I have not heard of locksmith schools urging students to engage in unofficial lab sessions at the neighborhood bank. Why is this different?) Before I return to the ``merely'' technical, let me belabor the obvious one more time. A landowner (in the U.S.) who does not wish visitors may simply post ``No Trespassing'' signs; he or she is under no obligation, legal or moral, to install barbed-wire fences. To be sure, if the person is sufficiently concerned about privacy or protection of property, stronger measures may be taken, with the distinct encouragement of the insurance companies. So what? A lack of prudence (or paranoia) is not an invitation to burglary. Let us now consider the problem of insecure systems. Yes, they exist. Often, there's no justification for that, especially when the holes are as well-known as the ones apparently used here. But system administrators are often overworked, and -- most important -- computer systems do not exist for the purpose of being secure, any more than cars exist for the purpose of being locked. A computer system has a mission, an end-user community to serve. If its mission involves an application that won't run on a later version of the operating system -- and we've all seen those -- the operating system won't be (and shouldn't be) changed. Very often, no one has the time or energy to upgrade things, especially when the current applications are running satisfactorily. Are the latest security bug fixes even available for old releases? Does the vendor even have the capability to perform thorough testing on such fixes? Very often, with the best will in the world, the answer is ``no''. The claim has been made on RISKS that vendors should warrant their systems to be bug-free, just as is done for other products. Presumably, this applies even more to security holes. I have my doubts that this can be done -- I just don't think the state of the art of software engineering is good enough. (If it were that good, much of the RISKS digest would go away....) For the forseeable future, we will be faced with systems that, most likely, have serious holes. Administrators of systems containing precious data react by withdrawing them from the electronic community, or hide them behind gateways. Others venture forth, but keep their alarms on and their phasers at the ready. Still others place their trust in the shared values of the electronic community, and take only minimal precautions. And that trust still exists, at least in the minds of some users. A quick quiz: how many readers will set up a ``vacation'' message announcing how long they'll be away, and where they're going? How many people would put the same information on their home answering machines? In a sign on the front door of their houses? Yes, computer security is important. (I certainly think so; it's my area of research.) And yes, people shouldn't be surprised when loosely-administered systems are hacked, any more than than they should be surprised at muggings in some of the more dubious neighborhoods. But it is a fallacy, I think, to equate lack of prudence with solicitation to intrusion. --Steve Bellovin ------------------------------ Date: Tue, 23 Apr 91 10:09:30 PDT From: haz@leland.stanford.edu Subject: Re: Dutch crackers and irresponsible officials (RISKS-11.50) In reference to Mr. Blinn's letter, to call administrators of computers irresponsible for allowing "well-known" security holes to continue to exist is understandable. No one wants "bad guys" to have bases from which they can mount more systematic attacks on other, perhaps more secure, machines. However, you are missing the point. When an intruder is detected, what is the appropriate response? Should one make an effort to locate the muncher at all? If not to punish him/her, then simply to thank them for pointing out the flaws in your system, and then proceed to close the opened holes? Given the complexity of today's networked systems, it is no more easy to secure a computer than it is to secure one's own home. It seems that the same code of ethics should apply. One shouldn't be faulted for having failed to implement the latest security patch any more than one should be faulted for not having locked all the windows, not having high security locks, and not having deadbolts in place. What we are discussing here, is a case of someone who has been breaking into computer systems, and has, to some degree, been LOCATED. Given the time scales mentioned in the NYT article, the feds had known for six months about the intrusion, and had begun relatively sophisticated work to attempt to track down the intruder, and succeeded, only to discover that they could not actually pursue legal recourse. An analogy might be an anonymous flasher (who does no actual physical damage, but is potentially disruptive) who turns out to be a teenager of the family down the street. The question is whether the family has a responsibility to discipline their children or not. -castor fu castor@embezzle.stanford.edu ------------------------------ Date: 23 Apr 91 12:57:07 GMT From: oneel@heawk1.rosserv.gsfc.nasa.gov ( Bruce Oneel ) Subject: re: Dutch hackers and KSC [Kennedy Space Center] I don't believe that KSC is on the internet. bruce Bruce O'Neel, Code 664/STX,NASA/GSFC Bld 28/W281, Greenbelt MD 20771 (301)-286-4585 compuserve: 72737,1315 oneel@heasfs.gsfc.nasa.gov ------------------------------ Date: Fri, 19 Apr 91 22:42 EDT From: WHMurray@DOCKMASTER.NCSC.MIL Subject: CERT Warning on Spoofs A recent RISKS carried a warning by the CERT about spoofs. Reading it you might conclude that they were surprised by these nasty attacks. (I described these spoofs, at least in abstract terms, in "IEEE Spectrum" more than a decade ago. Landreth described them in elaborate detail in "Out of the Inner Circle" at about the same time.) The CERT proposed a remedy which was labelled in RISKS as "Social Engineering." By labelling their remedy "Social Engineering," I expect that the CERT intended to suggest that the problem of vulnerability to spoofs is one of human behavior. Nonetheless, whether they intended to or not, what they succeeded in communicating was the futility of their remedy. While it is possible to protect a user from a spoof by warning him about it, you cannot adequately protect a system with a large user population by doing so. It is attributed to Phineas T. Barnum: "There is a sucker born every minute." Far fewer than that are required to defeat the CERT's remedy. Certainly there are more than enough in the user population of any large system, let alone the internet, to ensure that all those systems that rely upon reusable passwords can be compromised by even a trivial spoof. Lincoln said "Human nature will not change." If Lincoln was wrong, it is because human nature changes too slowly to notice. The CERT, and the system managers it is exhorting, are not likely to change it in time to cope with these attacks. In attempting to solve the problem of spoofs by changing user gullibility, the CERT is attempting to prop up a house of cards. While the problem of these spoofs is aggravated by user behavior rooted in reusable passwords. Reusable passwords are fundamentally flawed: they have lasting value and the right to use them includes the right to make and give away, accidentally or intentionally, both the password and the associated privileges. Spoofs, and all other attacks against passwords, rely upon these two flaws for their efficiency. One can afford to attack them because they have residual value. The success of the attack does not deny the password's use to the legitimate user, so he is not bound, or even likely, to notice. The reliance on reusable passwords is the biggest single computer security vulnerability that we have. It dwarfs all others. It finesses all our other efforts; nothing else that we do is effective as long we are vulnerable to these spoofs. Continued exclusive reliance on reusable passwords puts all our systems at hazard. Indeed it puts public and management confidence in our systems at hazard. While spoofs are favored by insiders, most of the highly publicized penetrations by outsiders have involved attacks against reusable passwords. While most of these began with attacks against weak passwords, many subsequently went on to spoofs in order to expand the attacker's new privileges. The solution to this problem will not be found in trying to change user behavior; while it is a fundamental condition of the problem, it is not one that is subject to change. The solution will be found in one-time passwords. If the CERT really wants to address the problem, it will recommend something that has a chance of success. It will recommend the use of reusable passwords. They can enjoy the distinction of being the first authoritative institution to do so. (NIST has not done so, in spite of persistent urging from yours truly. NCSC has not done so, though of course they use them on their own systems. IBM has not done so, though they have said that they will not do anything to discourage or inhibit their use nor to favor one product over another.) While there continue to be environments and applications in which reusable passwords can be made to work, they do not include the internet or user programming. While one-time passwords are not free, they are effcient; their use covers their own cost. Their cost is trivial when compared to other costs of using computers, and when compared to the cost of continued exclusive reliance on reusable passwords. Their cost is regular and predictable, particularly when compared to the cost of the uncertainties against which they protect. William Hugh Murray, Executive Consultant, Information System Security 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL ------------------------------ Date: Fri, 19 Apr 91 23:44:47 GMT From: Iain Douglas Subject: Broadcast telephone calls Thursday evening (18-4-91 ) the BBC popular science program Tomorrow's World ran an article of particular interest. Reserchers for British Telecom have developed a system that uses tuneable lasers and optical fibres to connect telephone calls. Each subscriber is allocated a frequency, and when making a call the umber you dial tunes up the subscribers frequency on the laser in your phone. Gone is the electromechanical and electronic switching gear currently in use, all calls are BROADCAST across the whole system. Nobody is going to produce a reciever that is tuneable over the whole bandwidth, are they? :-) Iain ------------------------------ Date: Wed, 13 Mar 91 03:06:59 PST From: ts@cup.portal.com Subject: Parity and SCSI (RISKS-11.18,22) Martin Minow recently wrote in RISKS about the lack of error detection in SCSI. In practice, this does not seem to be a problem. Each data byte has a parity bit associated with it. Thus, you would need two or more errors in a single byte to cause a problem. In three years of extensive SCSI use (I work for a company that writes firmware for SCSI host adaptors and SCSI target devices), including very badly wire wrapped prototypes, I've never seen a single random error, let alone multiple errors in a single byte. The only times I've seen an error is when something like a cable or a pin breaks, causing a stuck bit. Parity catches these very quickly. No one else in the company has seen an error either, and at SCSI-2 standard committee meetings and CAM committee meetings we've asked other people, and they too report that errors are very rare. Tim Smith ------------------------------ End of RISKS-FORUM Digest 11.52 ************************