Subject: RISKS DIGEST 11.53
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 24 April 1991  Volume 11 : Issue 53

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Canada may computer-pick personnel for constitutional problem-solving (Dan Freedman)
  "Risks" in selection of filenames! [anonymous]
  Premature ground contacts -- airplane software (Roland Ouellette)
  "`Traffic crystal ball' may be in your car's future" (Jeff Helgesen)
  Response to Rude Behavior (Or, Going Dutch?) (Bill Murray)
  Re: Dutch crackers and irresponsible officials (Brinton Cooper)
  One-time Passwords (Bill Murray)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in
 good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
 "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
 For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 11, j always TWO digits).  Vol i
 summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
 <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
 If you cannot access "CRVAX.SRI.COM", try Internet address "128.18.10.1".
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues
 of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 23 Apr 91 20:59:18 MDT
From: dan@cpsc.ucalgary.ca (Dan Freedman)
Subject: Canada may computer-pick personnel for constitutional problem-solving

The Calgary Sun (April 23 1991) reports that:

   A new plan to ease Canada's constitutional woes would see 260 people
   randomly picked by computer holding 'a constitutional jam session.'
Canada's constitutional woes revolve mostly around Quebec, a Canadian province
which is considering separation from Canada.  The politicians want to let The
People solve the problems, since they have failed pretty dismally themselves as
of late.  The suggestion for the computer selection of people to discuss (and
presumably solve) the issues is strange to say the least, but comes from a
retired Supreme Court judge, and is supported by various politicians from both
major parties.

The risks are not with the computer-based selection itself, but with the
incorrect perception that such a selection is indeed random.  Are those who are
picked forced to participate?  Are they paid, and if so, how does the payment
compare to their job salary?  Perhaps only those rich enough or dedicated enough
to take a pay cut for a month or so will choose to participate.  Are people who
do not speak English or French (Canada's official languages) allowed to be
"randomly selected"?  Will the travel expenses of those who are selected but
who are working out of the country be paid?  At best, it would be a random
selection from what amounts to a biased pre-selection.

Dan Freedman

------------------------------

Date: Tue, 23 Apr 91 12:43:13 XXT
From: [anonymous]
Subject: "Risks" in selection of filenames!

Computer File Key To Murder?

ALEXANDRIA, Va. (AP) Prosecutors said Tuesday that a former Marine captain was
plotting his wife's death when he wrote computer entries including "How do I
kill her?" and "What to do with the body?"

Witnesses at the murder trial of Robert Peter Russell testified Tuesday that he
also showed a lot of interest in his new wife's insurance policy, was found
with another woman getting dressed in his quarters the weekend before his
wedding, and asked a friend questions about how fast a body decomposes.
He also asked about technique, inquiring of at least a couple of his fellow
Marines whether it was true you could electrocute someone by lobbing a TV or
radio into the bathtub with him, witnesses said.

But the key piece of evidence, exhibit 19A, is a 5 1/4 inch floppy disk on
which Russell stored a file labeled "Murder."

Assistant U.S. Attorney Lawrence J. Leiser said in his opening statement at
Russell's trial that the defendant was concocting a "recipe for murder" when
he created the computer entries under the heading "murder."

Russell has pleaded innocent, contending the computer file was merely part of
a mystery novel he was working on.  He is free on $50,000 bond.

Sgt. Maj. William Joseph Kane, a 24-year Marine, testified that he found the
computer disk when cleaning out Russell's office after the captain had been
relieved of duty in February 1988, more than a year before his wife
disappeared.

Most of the files on the disk were clearly military, but several caught Kane's
interest, including one about him labeled with the sergeant major's name and
one called "Murder."  He read them, and a day later during a phone
conversation with the captain's wife, Shirley, who was herself a Marine
captain, Kane told her what he had found.

"I told her if I was you, I'd be careful," Kane said.  "I'd watch out for
myself."

Other entries in the "Murder" file, according to court documents, include:
"Make it look as if she left... Rehearse... Mask?  Plastic bags over feet...
Check in library on ways of murder electrocution??  Wash tarp!!  I may need to
cut it?"

Mrs. Russell, 29, disappeared from the Quantico Marine Corps Base in Virginia
on March 4, 1989.  Despite intense searches, her body has not been found.

Russell, 34, is being tried in U.S. District Court in Alexandria, because,
according to authorities, a crime was committed on federal property.

Russell's wife was stationed at Parris Island, S.C., in 1988, but she was
later reassigned to Quantico and they were reunited.
In the meantime, the Marines were moving to dishonorably discharge Russell,
accusing him of alcoholism and misconduct that included filing false reports.

------------------------------

Date: Wed, 24 Apr 91 18:31:26 EDT
From: Roland 24-Apr-1991 1604
Subject: Premature ground contacts -- airplane software

SEATTLE, WASHINGTON, U.S.A., 1991 APR 11 (NB) -- Honeywell has announced that
it has issued new software to various US and foreign registry aircraft to
correct a defect in a computerized flight navigation system that federal
authorities said could send airliners off course.  The problem arises when
attempting a non-directional beacon approach for landing.

John Clabes, from the Oklahoma City Federal Aviation Office, read portions of
a document issued by the FAA in Washington to Newsbytes.  In part the document
stated that "there has been a report of an erroneous course display on the
navigation display map when the non-directional beacon approach was activated
from the Honeywell Flight Management System database."  The report continued,
"This condition not corrected can result in the airplane deviating from the
published course to the runway, which could lead to premature ground contact
before reaching the runway."  When Newsbytes asked Clabes if that was a
euphemism for "crash" Clabes replied, "I guess that is what you could call
that."

The airworthiness directive issued by the FAA mentioned the Boeing 747-400,
757 and 767 and the McDonnell Douglas MD-11 as being equipped with the faulty
software.  It states that 400 of these aircraft are US registered.  Clabes
told Newsbytes that a total of 795 aircraft worldwide are equipped with the
system.  [...]

The FAA airworthiness directive requires airlines to place placards next to
the control panels of their aircraft, warning pilots not to attempt the
nondirectional beacon approach.
FAA spokesperson David Duff said nondirectional beacon approaches were rarely
used in the United States because most airports have instrument landing system
(ILS) approaches.  The FAA airworthiness directive says it may consider
further rule-making at a later time.

------------------------------

Date: Wed, 24 Apr 91 12:37:00 -0500
From: Jeff Helgesen
Subject: "`Traffic crystal ball' may be in your car's future" (Chi. Trib. 4/23/91)

The following article appeared in the Chicago Tribune.  I have taken the
liberty of omitting non-salient paragraphs.

Jeff

"`TRAFFIC CRYSTAL BALL' MAY BE IN YOUR CAR'S FUTURE"
Chicago Tribune - Tuesday, April 23, 1991 (Gary Washburn)

Announcement of an experimental traffic management project here, which would
have computers in cars to tell drivers when to get off one highway and onto
another to avoid tie-ups, could come as early as next month, transportation
sources said Monday.

The futuristic system could be installed and operating in about two years,
they said.

U.S. Transportation Secretary Samuel Skinner touched on the system at a speech
in Chicago on Monday, saying it is called ADVANCE.

``I don't want to get into all the details,'' Skinner told reporters after the
speech.  ``A lot of people need to be involved.  But I think there is good
news to come...You will be hearing more about it soon.''

One person who is familiar with the project explained further.

``In layman's terms, this would provide an on-board computer for you that
would give you real-time traffic conditions and tell you what alternate routes
to select,'' he said.

In addition, the car computers would contribute new data to the central
computer based on traffic conditions that they encounter, and this information
would quickly become available to other drivers, he said.

Transportation experts say that such ``intelligent vehicle'' systems may be
able to smooth traffic flow and ease congestion without any new pavement being
laid.
The details about the ADVANCE project include:

o It has been under study for at least a year, under the auspices of the state
  and federal governments, with participation from researchers from the
  University of Illinois at Chicago, Northwestern University and Motorola, Inc.

o It will involve 4,000 specially-equipped vehicles.

o It will cover 250 square miles in the highly congested northwest suburbs,
  targeting oft-clogged arterials that could include such busy thoroughfares
  as Palatine, Algonquin, Golf and Higgins Roads.

The Chicago area's expressway system already has sensors embedded in the
pavement.  Those sensors feed congestion information to a central computer
operated by the Illinois Department of Transportation.  In turn, this computer
supplies data to radio stations and traffic reporting services.

But the metropolitan area's suburban arterials do not have such sophisticated
monitors, and motorists often have no way of knowing up-to-the-minute
conditions on the road they use.

When people visit the supermarket, they choose their checkout lanes based on
the length of lines, the speed of clerks and baggers and other data, Skinner
said in his speech, one in the Bright New City lecture series.

``We make an informed decision,'' he said.  ``That same logic [should apply]
to the highways of this country,'' he asserted.

``Why shouldn't you have a computer in your car that shows you how fast
traffic is moving...where it is moving quicker, where the delays are, where
the accidents are, where the congestion is, where the construction is?  Why
shouldn't we let you make informed decisions?''

European and Japanese companies are rushing to develop smart-car technology as
efforts in this country advance.

A year ago, Skinner announced an $8 million project to install computerized
traffic displays in 100 cars in Orlando.  More recently, a $1.7 million
project called Pathfinder has begun on a 13-mile stretch of California freeway
between Los Angeles and Santa Monica.
Twenty-five specially-equipped cars receive up-to-date information about
accidents, congestion, highway construction and alternate routes.

But the proposed project here would be much larger.

The potential for computerized traffic management systems is ``immense,'' said
Rich Schuman, manager of technical information for the Intelligent Vehicle
Highway Society of America, a not-for-profit group that promotes the new
approach.

------------------------------

Date: Wed, 24 Apr 91 08:45 EDT
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Response to Rude Behavior

It is time to decide what kind of a network we want.

Given the age of our users, the novelty of the environment, and the absence of
authority, the internet is a surprisingly orderly place.  Who would have
believed that a multi-institutional, multi-national network of peers could be
so orderly?

However, now we stand challenged by a group of puerile rogues, in a rogue
institution, in a rogue nation.  They insist upon their right to behave in a
rude and disorderly manner.  They flaunt their behavior and invite those of us
who do not like it to withdraw from the field.  They must be made to
understand that that is the natural consequence of their behavior.

The marginal propensity to connect to the net is a function of how useful and
how orderly it is.  If it becomes too disorderly, it will collapse.  The rest
of us also need to understand it.  If we tolerate this behavior, the network
may collapse.

What are our options?  We seem to be paralyzed.  We have followed Cliff
Stoll's "scientific/law-enforcement" approach for six months.  Having found
that the rogues are in a rogue institution in a rogue nation, where law
enforcement is powerless, we do not seem to remember what to do next.

Unless we want a network that depends upon law enforcement for its order, and
which is subject to their authority, we should not have turned to them in the
first place.  Cliff's skill and daring notwithstanding, his model is wrong.
He did the wrong thing.  We have done the wrong thing in following his
example.

If you observe rogue behavior at the perimeter to your system, break the
connection.  Inform the adjacent node why you have done so.  If they are not
the source of the behavior, encourage them to follow your example.  The closer
we break the connection to the source of the behavior, the sooner it will
stop.  I guarantee it.

We should not, we must not, we dare not tolerate this behavior.  If we must
isolate the University of Utrecht, then we must.  If we must isolate all of
Holland, then so be it.  We must not shrink.  The order and the future of the
network depend upon it.

Ostracism has always been the most powerful and successful of all social
controls.  It dwarfs law enforcement in its power.  In the modern world it is
so Draconian that we are reluctant to use it.  We may have forgotten how to
use it.  We may have forgotten all about it.  However, this is a case that
justifies its use.  The protection of the order and organization of the
network justify its use.  In a community of peers, it is the only one with any
opportunity of success.  It is the only one that will preserve the community.

William Hugh Murray, 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

Date: Wed, 24 Apr 91 15:30:24 EDT
From: Brinton Cooper
Subject: Re: Dutch crackers and irresponsible officials (Blinn, RISKS-11.51)

The time has come to put this debate behind us.  Clearly, as with burglary of
an unlocked home or theft of a car with keys hanging from the ignition,
carelessness by the owner does not set aside the guilt of the perpetrator.
Conversely, carelessness by the owner does not relieve her/him of
responsibility for the loss.  In the "Dutch cracker" incident, perhaps BOTH
the cracker's host and the host with known, repairable security holes should
be barred from the Internet.
_Brint

------------------------------

Date: Wed, 24 Apr 91 19:45 EDT
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: One-time Passwords

It seems (from the amount of "hate mail" that I have received) that I erred
when I assumed that most readers of RISKS would recognize the concept of
(token-based) one-time passwords.  I have now been disabused of this
assumption.  I will explicate this concept as quickly and as briefly as I can.
However, there are many ramifications to the use of these mechanisms that I
will not go into.  Please try not to infer too much from what I do not say.
My experience is that many people are intuitively hostile to this idea, that
it is difficult to describe in words, and that it is very easy to demonstrate.
Please give me credit for trying, and the benefit of the doubt when necessary.
Remember that what we are comparing is not working.

These mechanisms rely upon the fact that attacks on passwords would not be
efficient if the password had no residual value.  The only time that this will
be true is if the password is only used once.  Therefore, the mechanisms
generate and expect a new password for each session.  While computers are very
good at this, people are very poor (for many of the same reasons that they are
bad at selecting and managing reusable passwords.)  Therefore, we provide them
with little tiny computers, tailored to this purpose, and generically called
"tokens."

These special purpose computers are used by the computer user to determine
what password to use for a given session.  The user need not generate the
password.  He need not remember it.  He need not write it down.  He must carry
the token.

Each token is "seeded" with one or more values (one for each independent
security domain in which the user must operate).  The value(s) that the token
contains makes it unique.  It is not like any other in the world.  There is no
non-destructive way to determine the value from the token.  Therefore, the
token cannot be counterfeited.
The token uses the seed value, and perhaps other values, to determine the
instant password.  (For those of you familiar with the concept, it employs a
"non-disclosure" or "zero-knowledge" proof to demonstrate that it has
beneficial use of the seed value.)  The optional values may include time, a
challenge, and/or a personal identification number.  (These provide protection
against "play-back" or "mid-night" attacks.)

Tokens come in many forms.  Users may sometimes choose the form that they
prefer.  Popular forms include credit cards, calculators, and keys.

In one scenario, when prompted for the password, the user looks at the token,
reads the current password from the display, and enters it at the keyboard.
In another, the password prompt is replaced by a "challenge" value.  The user
reads the challenge from the terminal, enters it on the token's keyboard,
reads the "response" to the challenge from the token's display and enters it
on the terminal's keyboard.

If the token is lost, it can be revoked.  Since the user cannot use the target
system without the token, unlike the compromised password, he will notice.
Thus, the window of vulnerability is very narrow.  It can be narrowed further
through the use of personal identification numbers, signature verification,
and speaker verification.  However, the marginal security of the latter two
may be small when compared to their cost.

This technology is mature, widely available, and widely supported.  It is
clearly supported on the popular platform types within the internet.  It is
both effective and efficient.  That is, it works, and it covers its own cost.
The cost is measured in the tens of dollars per user.  While this seems high
when multiplied by the number of users, anything seems high when multiplied by
the users.  When compared to the other costs of computing, it is trivial.
When compared to the cost of losses offset, it is attractive.
It is much more effective and efficient than other security measures, such as
access control, that we take for granted.  It is clearly more effective and
efficient than these others are in its absence, since in its absence the other
mechanisms are not effective.

------------------------------

End of RISKS-FORUM Digest 11.53
************************
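The two token scenarios Murray describes in the "One-time Passwords" message above (a time-synchronous display read off the token, and a challenge typed into the token's keypad with the response typed back), together with the play-back protection and the revocation of a lost token he mentions, as an added Python simulation. This is not part of the digest and not the code of any token product; the HMAC construction, the six-digit truncation, the 30-second time step, the clock-drift window, the constructed seed, PIN and clock value are all assumptions chosen for illustration. The Token class stands in for the device the user carries; the Server class holds its own copy of the seed and decides whether a password is accepted.

```python
import hashlib
import hmac
import secrets
import struct

DIGITS = 6  # length of the password the token shows on its display


def _truncate(mac: bytes) -> str:
    """Fold an HMAC into a short decimal code a user can type (HOTP-style truncation)."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def time_password(seed: bytes, step_counter: int) -> str:
    """Time-synchronous scheme: password = f(seed, current time step)."""
    return _truncate(hmac.new(seed, struct.pack(">Q", step_counter), hashlib.sha1).digest())


def challenge_response(seed: bytes, challenge: bytes, pin: str) -> str:
    """Challenge-response scheme: password = f(seed, server challenge, PIN)."""
    return _truncate(hmac.new(seed, challenge + pin.encode(), hashlib.sha256).digest())


class Token:
    """The user's 'little tiny computer': holds the seed, never reveals it."""
    def __init__(self, seed: bytes):
        self._seed = seed

    def display(self, now: int, step: int = 30) -> str:
        return time_password(self._seed, now // step)

    def answer(self, challenge: bytes, pin: str) -> str:
        return challenge_response(self._seed, challenge, pin)


class Server:
    """Holds each user's seed and PIN; enforces single use and revocation."""
    def __init__(self):
        self._seeds, self._pins = {}, {}
        self._revoked = set()
        self._used_steps = set()  # (user, step) already accepted: blocks play-back
        self._pending = {}        # user -> outstanding challenge, consumed on use

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self._seeds[user], self._pins[user] = seed, pin

    def revoke(self, user: str) -> None:  # a lost token is revoked outright
        self._revoked.add(user)

    def _active(self, user: str) -> bool:
        return user in self._seeds and user not in self._revoked

    def check_time_password(self, user: str, password: str, now: int,
                            step: int = 30, skew: int = 1) -> bool:
        if not self._active(user):
            return False
        current = now // step
        for ctr in range(current - skew, current + skew + 1):  # tolerate clock drift
            if hmac.compare_digest(time_password(self._seeds[user], ctr), password):
                if (user, ctr) in self._used_steps:
                    return False  # a sniffed password replayed within its step
                self._used_steps.add((user, ctr))
                return True
        return False

    def issue_challenge(self, user: str) -> bytes:
        self._pending[user] = secrets.token_bytes(8)
        return self._pending[user]

    def check_response(self, user: str, response: str) -> bool:
        challenge = self._pending.pop(user, None)  # single use, right or wrong
        if challenge is None or not self._active(user):
            return False
        expected = challenge_response(self._seeds[user], challenge, self._pins[user])
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Walk through the post's scenarios with a constructed seed, PIN and clock."""
    seed = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")  # constructed
    token, server = Token(seed), Server()
    server.enroll("alice", seed, "4321")
    now = 1_000_000  # constructed clock reading, in seconds
    results = {}
    shown = token.display(now)
    results["time_ok"] = server.check_time_password("alice", shown, now)
    results["time_replay"] = server.check_time_password("alice", shown, now + 5)
    results["time_next"] = server.check_time_password("alice", token.display(now + 30), now + 30)
    challenge = server.issue_challenge("alice")
    response = token.answer(challenge, "4321")
    results["cr_ok"] = server.check_response("alice", response)
    results["cr_replay"] = server.check_response("alice", response)
    challenge = server.issue_challenge("alice")
    results["cr_wrong_pin"] = server.check_response("alice", token.answer(challenge, "0000"))
    server.revoke("alice")
    results["after_revoke"] = server.check_time_password("alice", token.display(now + 60), now + 60)
    return results
```

Calling `demo()` walks through Murray's points in order: the displayed password is accepted once, the same password captured and replayed a few seconds later is refused because the server remembers which time step it has already spent, the next step's password is accepted, a challenge-response answer is accepted once and refused on replay because the challenge is consumed, a response computed with the wrong PIN is refused even though the token itself is genuine, and nothing the token computes is accepted after revocation. The server never learns anything from the token other than the six digits, which is the "no residual value" property the post rests on.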