Subject: RISKS DIGEST 11.62
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 6 May 1991  Volume 11 : Issue 62

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  9th Federal Reserve Bank Drowned (Ted Lee)
  Changing class grades in Alaska (Dean Gottehrer)
  On Tulips, Hacking, and Tequila (Herman J. Woltring) [Re: Civil/Criminal Law]
  Fences, bodyguards, and security (of old O/S) (Bob Estell)
  Crackers: passwords & "holes" vs locks & combinations (Leonard Erickson)
  Fly-by-Wire Glitch (A. Padgett Peterson)
  EFFector Online 1.04 (Gerard Van der Leun and Mike Godwin via Chris Davis)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out. <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. If you cannot access "CRVAX.SRI.COM", try Internet address "128.18.10.1". ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 6 May 91 01:36 EDT
From: TMPLee@DOCKMASTER.NCSC.MIL
Subject: 9th Federal Reserve Bank Drowned

On Monday April 8 the computer center at the Minneapolis Federal Reserve Bank was flooded out of commission by a broken air-conditioning cooling water pipe in the ceiling. [I'll ignore the RISKs of such a design; the point of this note is something else.]
The Minneapolis Fed covers 1,700 financial institutions in six states; it moves something like $10 billion daily. Note that in addition to the normal check-clearing functions one associates with it, a Federal Reserve bank handles things like direct-deposit of paychecks in its region, so cessation of its function for any length of time can cripple a regional economy.

An article in the April 29th Minneapolis Star Tribune describes in fair detail how effective the contingency plan was -- all functions were transferred to a back-up facility in Culpeper, Virginia, using a not-very-well-described set of "minicomputers" at the U.S. Postal Data Service Center near the Minneapolis Airport as an intermediary. (The article says: "They would serve as the new intake center for data transmitted by financial institutions by direct computer hookup, phone line and messenger. From there the information would be routed over the postal center's high-speed, secure phone line to the auxiliary center in Culpeper.") The Culpeper center is the back-up for 10 of the 12 federal reserve districts -- and this apparently was the first time it was used. The back-up was in operation within 12 hours, although it appears to have taken almost a week before all services were fully restored, and up to ten days for some transactions to catch up.

The point of my note is the following. The executive director of the Upper Midwest Automated Clearing House Association is quoted as saying, "The Fed was concerned because it was running blind. They really didn't want the marketplace to know that they were in disaster recovery ... and susceptible to fraud." The Federal Reserve Bank's chief financial officer said there's no evidence that anybody tried to rip off any banks electronically ... "Our systems were not compromised; the security was there and valid." It sounds to me like there definitely was a window of vulnerability and that no-one knows in fact if it was exploited.
(The cash management officer for a large Minneapolis bank is quoted as saying "We had ... some large dollar transactions, say $200,000, that were lost for up to 10 days.... When you've got items in the hopper [and] you haven't had time to back it up, they get lost.")

   [Maybe that is what is meant by a Grace Hopper? PGN]

------------------------------

Date: Sun, 05 May 91 18:37:23 -0900
From: "Dean Gottehrer"
Subject: Changing class grades in Alaska

As a university professor I wondered about the RISK of some programmer changing a student's grades on the computer. I never heard much about it ever happening until the following story appeared in the local papers:

FAIRBANKS -- The University of Alaska Fairbanks has fired a computer specialist accused of using his access to electronically change a student's grades.

Robert Concannon, 38, has pleaded not guilty to the felony tampering charge and is scheduled to go to trial in July. He faces up to five years in jail and a $50,000 fine if convicted of the class-C felony.

University officials say the incident has not affected the integrity of the University of Alaska system. "This was a highly isolated incident that was dealt with very quickly," said David Leone, head of the statewide computer network.

Concannon, a database specialist at the university's statewide computer center, was fired after a series of audits confirmed a suspicion in the admissions office that UAF student Colleen Gallagher's grades were changed last fall.

University spokeswoman Debra Damron said the audits and an independent consultant discovered that Concannon, one of a staff of five, had access to the information. He is accused of changing Gallagher's grades of two "F's" and a "D" to two "A's" and a "C."

[Have others heard of similar cases around the country? Are the penalties as stiff as the ones here in Alaska? Are they actually applied?
Dean Gottehrer, Anchorage, Alaska]

   [Perhaps Concannon might now use his skills to upgrade his class-C felony to a class-A felony? PGN]

------------------------------

Date: Sat, 4 May 91 23:59 MET
From: "Herman J. Woltring"
Subject: On Tulips, Hacking, and Tequila

RE: Hacking, Civil, and Criminal Law -- Reply to --- J. Giles (USA) --- Hugh Cartwright (UK)

Both posters seem to overlook the difference between civil and criminal law: the former only requires a balance of evidence, with the court quite passive, the latter requires clear evidence that highly specific acts, defined in the law books as criminal, have been committed, with the court quite active in asserting whether the law, indeed, has been broken. It is one thing to have private litigation between parties, where the court will take a decision by (freely) interpreting the evidence put to it, it is something quite different if the whole Nation is out to fine, jail, hang, or electrocute you.

In essence, most postings on this list make generalisations and comparisons which are typical of civil law; comparisons abound of physical trespassing or breaking & entering with unauthorised access to insufficiently secure information systems (no passwords, known system passwords, or simplistic passwords). At this time, various countries including mine have not decided yet to what extent computer trespassing should be declared a criminal offence. Therefore, the choice is not, in the words of my UK neighbour,

> The law has to take a stance. It can protect the interests of legitimate
> users, by making unauthorized access illegal. Or it can protect
> unauthorized users by making it legal.

but to decide whether the latter should be declared a criminal offence since it is currently not -- while it may be unlawful under civil law, depending on the parties' arguments in front of a rather passive judge.
The decision involves policy matters of a wider scope than just the alleged criminality of the behaviour in question: is it `opportune' to widen the scope of so-called criminal acts? To what extent is civil law capable of handling these problems? Is hacking by external intruders really so serious as suggested in the (electronic) press? What about internal `theft' within institutions and organisations -- is this much more serious? Should society as a whole (because of the tax-payer's funding of the public prosecutor's office) bear the burden for some private interests OR public institutions who are too lazy to guard their own doorstep? These are some of the questions posed or implied in the Preliminary Comments from the Standing Committee on the Judiciary in the Dutch House of Representatives with respect to Bill 21551 (26 Nov 1990).

I may have been slightly obscure in my Dagobert Duck example; DD is certainly liable in civil law for soliciting criminal behaviour (in all likelihood, his insurance will not pay his damages), and I should think that too blatantly flaunting one's richness might even be sufficiently antisocial to qualify as `criminal' -- the kind of behaviour that causes revolutions. Mr Giles' example of the lady who enters a singles' bar is inappropriate: it is a public place for which different rules exist -- unless DD's behaviour should be interpreted as turning his vaults into such a public place ... But even in a public place, you may have to pay for services rendered or products provided.

I submit that criminal law is not the equivalent of John Wayne riding into your village and protecting your peaceful and law-abiding community from the nasty crowd that has been invading you from Mexico or The Netherlands. Don't cry for a Strong Man who will wipe out your troubles with a six-gun, but make sure that you take appropriate measures to guard your own doorstep.
However, do so with commensurate means, rather than by soliciting crime through overkill: there are too many guns on the street already. If you succeed in convincing your legislators that computer trespassing is tantamount to hijacking a plane -- fine, but do realise the consequences when somebody quite by mistake lands up in the wrong account or tries to find back his own, accidentally deleted data.

I believe that computer users deserve adequate protection under the law, not that `unauthorised' users deserve more protection than `authorised' users. At present, authorisation exists by default under some countries' criminal law, and the question is simply to what extent this authorisation should be withdrawn.

The problem reminds me of the current struggle on software copyright. A new right is about to be born, namely the exclusion of Fair Dealing under British Copyright Law which has entitled you up to now to study and review a software package in object code by decompiling or disassembling it in order to find out about its functional properties -- whether this information is to be used for publishing a critical review in a journal or for making a competing, and hopefully better, software package. The European Communities are in the process of accepting a Directive on Software Protection in which such activities are declared illegal as regards the central core of a software package. Interface aspects may be analysed confidentially, and software `maintenance' may be performed by or on behalf of `legitimate' users.

While the proposed Directive claims that the `central ideas etc.' will remain free and unprotected, and quite appropriately so under the Copyright Doctrine, you may not obtain those ideas from the package unless you are licensed to do so. The proposed Directive curtails former `Fair Use / Fair Dealing' rights substantially.
For example, how could Shakespeare lawfully determine under such a system whether indeed his (way of making) thunder had been stolen ... in other words, can patent infringement be legitimately assessed under this new protection scheme, or do we need Anton Piller orders for that? If so, how do we collect the evidence to convince the judge that such an order is appropriate?

I am not saying that hacking is fair, but I do claim that the criminalising responses on this Forum are incompatible with the extent of its (un)fairness. Alas, there are no simple solutions, and that's why my reply has become so lengthy.

Herman J. Woltring, Eindhoven/NL

------------------------------

Date: 6 May 91 07:51:00 PDT
From: "351M::ESTELL"
Subject: Fences, bodyguards, and security (of old O/S)

Mike is right about better security ON THE HOST. No quarrel there. And Rick is right about "no magic bullets." I assume - wrongly? - that those who install systems try to use them right. Rick's cautious approach is safer, perhaps because it's pessimistic.

However, the issue I addressed was an "old O/S" where some of the several operational definitions of "old" include (a) poor security in particular, and (b) little or no networking in general; e.g., UNIVAC's O/S 1100 c. 1980. (A far cry from the 1991 version, which I understand is B2 now, thanks to some pioneering work by TMP Lee et al.)

Clearly, those who, like UniSys get on the ball and improve, reap multiple benefits. However, for that "crucial application" running on an old host with old O/S, a "guard gate" is better than no protection.

To pursue my physical world analogy, should the next President wear a bullet proof vest, a visored helmet, carry a .357 Magnum, and be a martial arts expert? Or can we still rely on the Secret Service?

Broader and deeper views of the problem suggest NO ONE SOLUTION is adequate; i.e., for "classified work" a network should comprise ONLY "multi-level secure" operating systems (i.e., A1 rated by DoDCSC).
Today, that is not possible - unless one uses the "guard gate" idea. Moreover, EVEN IF all modern O/S were A1 by say the year 2000, I doubt that DoD, NSA et al, would grant network access to those hosts that run secret work. No problem, in a way; i.e., some of those secure hosts have no desire whatsoever to "offer resources" to the network; BUT they do need to exchange information with colleagues far away - which today they do via US registered mail, bonded courier, etc. instead of encrypted e-mail, for example.

There is no reason why today such secret hosts could not use "encrypted e-mail" by following the "guard gate" scheme, complete with approved encryption devices at appropriate points; e.g., use software encryption for the files, on the host; then use a "KG" device to bulk encrypt that data as it passes from the host to the network server; then use STU-III phones to connect to a remote site; all these devices and processes to reside "in the vault" except of course for the "long lines" connecting the two STU-III phones. Yes that is s-l-o-w but it is also secure, and much faster than the US mail and courier alternatives.

The fact that such transmissions cannot be direct (host to host) does not mean that they cannot occur. The guard gate scheme makes a layered, but unbroken connection possible: Users must consciously login to remote e-mail hosts; but that is better than no e-mail, etc.

Bob

------------------------------

Date: 03 May 91 02:22:03 EDT
From: Leonard Erickson <70524.2603@compuserve.com>
Subject: crackers: passwords & "holes" vs locks & combinations

I agree with Richard O'Keefe's comments in RISKS 11.58. Several of the "well known" holes are exactly equivalent to "well known" "holes" with locks. For example, a certain major brand of bicycle lock can be picked with a piece of bent wire in approximately 5 seconds (as I once demonstrated to an employer who was going to use one to secure some valuable items!)
Likewise, many OS's have equally bad shortcomings in their security IF YOU ARE KNOWLEDGEABLE.

The user should only have limited responsibility for OS "holes". Especially since, as many have noted, there may be nothing they can do about it. If (for example) you are running a TRS-80 Model 1, you *cannot* fix the holes in its OS, it would cost more than the entire system is worth. And if you are using such an old item, you either are broke, or have a *very* compelling reason.

On the other hand, you had better not be counting on it being secure. Ignorance *may* be forgivable the first time. After that, you have no excuse for continuing to keep valuables in an "unsafe" environment.

Default passwords and accounts are a bit different. The user *can* change those. Just as when you buy a briefcase with a combo lock, you either change the combo from the factory default, or you accept responsibility for any unauthorized access.

Note, however, that just because I haven't changed the combination on my briefcase (and thus have some responsibility for any resulting losses), that in no way affects the underlying fact that it is wrong to attempt to open my locked briefcase without permission!

Unauthorized use of a password is no different from unauthorized use of a combination. The password may be stupid, but you *still* have no business messing with the lock!

Your curiosity regarding the contents of my briefcase, or even merely as to whether I've changed the combo, does *not* give you the right to try and find out. Likewise, a cracker's curiosity doesn't give him the right to go where he isn't wanted.

------------------------------

Date: Wed, 1 May 91 08:15:54 -0400
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson 407-356-6384)
Subject: Fly-by-Wire Glitch (11.55 - Joseph Nathan Hall)

This comment on the Northrop YF-23 "early generation flight-control software" glitch was somewhat humorous since over a decade ago we faced the same problems on the AFTI-F16 program, a multiple-redundant full-authority digital system. As Mr. Hall suggested, we used the simple expedient of a weight-on-wheels switch to control such things.

It will be interesting to see when Northrop starts "pushing the envelope" if they will rediscover some other "interesting" anomalies we ran into in the "earliest generation".

Padgett

------------------------------

Date: Wed, 1 May 91 21:33:03 -0400
From: ckd@eff.org (Chris Davis)
Subject: EFFector Online 1.04

************************************************************
************************************************************
***         EFFector Online #1.04 (May 1, 1991)          ***
***                 (Formerly EFF News)                  ***
***       The Electronic Frontier Foundation, Inc.       ***
***               Net address: eff@eff.org               ***
************************************************************
************************************************************

Editors: Gerard Van der Leun (gerard@eff.org)
         Mike Godwin (mnemonic@eff.org)

REPRINT PERMISSION GRANTED: Material in EFFector Online may be reprinted if you cite the source. Where an individual author has asserted copyright in an article, please contact her directly for permission to reproduce.

E-mail subscription requests: eff-request@eff.org
Editorial submissions: eff@eff.org

AND NOW THE NEWS

The following press release was Faxcast to over 1,500 media organizations and interested parties this afternoon:

EXTENDING THE CONSTITUTION TO AMERICAN CYBERSPACE:

TO ESTABLISH CONSTITUTIONAL PROTECTION FOR ELECTRONIC MEDIA AND TO OBTAIN REDRESS FOR AN UNLAWFUL SEARCH, SEIZURE, AND PRIOR RESTRAINT ON PUBLICATION, STEVE JACKSON GAMES AND THE ELECTRONIC FRONTIER FOUNDATION TODAY FILED A CIVIL SUIT AGAINST THE UNITED STATES SECRET SERVICE AND OTHERS.
On March 1, 1990, the United States Secret Service nearly destroyed Steve Jackson Games (SJG), an award-winning publishing business in Austin, Texas.

In an early morning raid with an unlawful and unconstitutional warrant, agents of the Secret Service conducted a search of the SJG office. When they left they took a manuscript being prepared for publication, private electronic mail, and several computers, including the hardware and software of the SJG Computer Bulletin Board System. Yet Jackson and his business were not only innocent of any crime, but never suspects in the first place. The raid had been staged on the unfounded suspicion that somewhere in Jackson's office there "might be" a document compromising the security of the 911 telephone system.

In the months that followed, Jackson saw the business he had built up over many years dragged to the edge of bankruptcy. SJG was a successful and prestigious publisher of books and other materials used in adventure role-playing games. Jackson also operated a computer bulletin board system (BBS) to communicate with his customers and writers and obtain feedback and suggestions on new gaming ideas. The bulletin board was also the repository of private electronic mail belonging to several of its users. This private mail was seized in the raid. Despite repeated requests for the return of his manuscripts and equipment, the Secret Service has refused to comply fully.

Today, more than a year after that raid, The Electronic Frontier Foundation, acting with SJG owner Steve Jackson, has filed a precedent setting civil suit against the United States Secret Service, Secret Service Agents Timothy Foley and Barbara Golden, Assistant United States Attorney William Cook, and Henry Kluepfel.

"This is the most important case brought to date," said EFF general counsel Mike Godwin, "to vindicate the Constitutional rights of the users of computer-based communications technology.
It will establish the Constitutional dimension of electronic expression. It also will be one of the first cases that invokes the Electronic Communications and Privacy Act as a shield and not as a sword -- an act that guarantees users of this digital medium the same privacy protections enjoyed by those who use the telephone and the U.S. Mail."

Commenting on the overall role of the Electronic Frontier Foundation in this case and other matters, EFF's president Mitch Kapor said, "We have been acting as an organization interested in defending the wrongly accused. But the Electronic Frontier Foundation is also going to be active in establishing broader principles. We begin with this case, where the issues are clear. But behind this specific action, the EFF also believes that it is vital that government, private entities, and individuals who have violated the Constitutional rights of individuals be held accountable for their actions. We also hope this case will help demystify the world of computer users to the general public and inform them about the potential of computer communities."

Representing Steve Jackson and The Electronic Frontier Foundation in this suit is James George, Jr. of Graves, Dougherty, Hearon & Moody of Austin, Rabinowitz, Boudin, Standard, Krinsky & Liberman of New York, and Harvey A. Silverglate and Sharon L. Beckman of Silverglate & Good of Boston.

Copies of the complaint, the unlawful search warrant, statements by Steve Jackson and the Electronic Frontier Foundation, a legal fact sheet and other pertinent materials are available by request from the EFF.

@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@

Also made available to members of the press and electronic media on request were the following statements by Mitchell Kapor and a legal fact sheet prepared by Sharon Beckman and Harvey Silverglate of Silverglate & Good, the law firm central to the filing of this lawsuit.

WHY THE ELECTRONIC FRONTIER FOUNDATION IS BRINGING SUIT ON BEHALF OF STEVE JACKSON.
With this case, the Electronic Frontier Foundation begins a new phase of affirmative legal action. We intend to fight for broad Constitutional protection for operators and users of computer bulletin boards.

It is essential to establish the principle that computer bulletin boards and computer conferencing systems are entitled to the same First Amendment rights enjoyed by other media. It is also critical to establish that operators of bulletin boards -- whether individuals or businesses -- are not subject to unconstitutional, overbroad searches and seizures of any of the contents of their systems, including electronic mail.

The Electronic Frontier Foundation also believes that it is vital to hold government, private entities, and individuals who have violated the Constitutional rights of others accountable for their actions.

Mitchell Kapor, President, The Electronic Frontier Foundation

@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@

LEGAL FACT SHEET: STEVE JACKSON GAMES V. UNITED STATES SECRET SERVICE, ET AL.

This lawsuit seeks to vindicate the rights of a small, successful entrepreneur/publisher to conduct its entirely lawful business, free of unjustified governmental interference. It is also the goal of this litigation to firmly establish the principle that lawful activities carried out with the aid of computer technology, including computer communications and publishing, are entitled to the same constitutional protections that have long been accorded to the print medium. Computers and modems, no less than printing presses, typewriters, the mail, and telephones -- being the methods selected by Americans to communicate with one another -- are all protected by our constitutional rights.

Factual Background and Parties:

Steve Jackson, of Austin, Texas, is a successful small businessman. His company, Steve Jackson Games, is an award-winning publisher of adventure games and related books and magazines.
In addition to its books and magazines, SJG operates an electronic bulletin board system (the Illuminati BBS) for its customers and for others interested in adventure games and related literary genres.

Also named as plaintiffs are various users of the Illuminati BBS. The professional interests of these users range from writing to computer technology.

Although neither Jackson nor his company were suspected of any criminal activity, the company was rendered a near fatal blow on March 1, 1990, when agents of the United States Secret Service, aided by other law enforcement officials, raided its office, seizing computer equipment necessary to the operation of its publishing business. The government seized the Illuminati BBS and all of the communications stored on it, including private electronic mail, shutting down the BBS for over a month. The Secret Service also seized publications protected by the First Amendment, including drafts of the about-to-be-released role playing game book GURPS Cyberpunk. The publication of the book was substantially delayed while SJG employees rewrote it from older drafts. This fantasy game book, which one agent preposterously called "a handbook for computer crime," has since sold over 16,000 copies and been nominated for a prestigious game industry award. No evidence of criminal activity was found.

The warrant application, which remained sealed at the government's request for seven months, reveals that the agents were investigating an employee of the company whom they believed to be engaged in activity they found questionable at his home and on his own time.
The warrant application further reveals not only that the Secret Service had no reason to think any evidence of criminal activity would be found at SJG, but also that the government omitted telling the Magistrate who issued the warrant that SJG was a publisher and that the contemplated raid would cause a prior restraint on constitutionally protected speech, publication, and association.

The defendants in this case are the United States Secret Service and the individuals who, by planning and carrying out this grossly illegal search and seizure, abused the power conferred upon them by the federal government. Those individuals include Assistant United States Attorney William J. Cook, Secret Service Agents Timothy M. Foley and Barbara Golden, as well as Henry M. Kluepfel of Bellcore, who actively participated in the unlawful activities as an agent of the federal government.

These defendants are the same individuals and entities responsible for the prosecution last year of electronic publisher Craig Neidorf. The government in that case charged that Neidorf's publication of materials concerning the enhanced 911 system constituted interstate transportation of stolen property. The prosecution was resolved in Neidorf's favor in July of 1990 when Neidorf demonstrated that materials he published were generally available to the public.

Legal Significance:

This case is about the constitutional and statutory rights of publishers who conduct their activities in electronic media rather than in the traditional print and hard copy media, as well as the rights of individuals and companies that use computer technology to communicate as well as to conduct personal and business affairs generally.

The government's wholly unjustified raid on SJG, and seizure of its books, magazines, and BBS, violated clearly established statutory and constitutional law, including:

. The Privacy Protection Act of 1980, which generally prohibits the government from searching the offices of publishers for work product and other documents, including materials that are electronically stored;

. The First Amendment to the U.S. Constitution, which guarantees freedom of speech, of the press and of association, and which prohibits the government from censoring publications, whether in printed or electronic media.

. The Fourth Amendment, which prohibits unreasonable governmental searches and seizures, including both general searches and searches conducted without probable cause to believe that specific evidence of criminal activity will be found at the location searched.

. The Electronic Communications Privacy Act and the Federal Wiretap statute, which together prohibit the government from seizing electronic communications without justification and proper authorization.

####

For more information, contact Gerard Van der Leun at 617-864-1550.

END OF EFFECTOR ONLINE 1.04

------------------------------

End of RISKS-FORUM Digest 11.62
************************