Subject: RISKS DIGEST 12.59
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 5 November 1991  Volume 12 : Issue 59

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
New Computer Center for Soviet President [anonymous]
"Computer rats on students who don't show up in class" (Steve M. Barr?)
Bank tries to lose 14 billion pounds (Nigel Cole)
Management Often Bungles Firing Process (Jeff Helgesen)
Chaos Congress 91 (Klaus Brunnstein)
Japan's barriers against IT risks (Tokyo conf.report) (Klaus Brunnstein)
DES is better than anyone would have guessed! (John Sullivan)
DES Watch (Richard Outerbridge)
Risks of ``record'' and ``replay'' terminal capabilities (Bertrand Meyer)
Re: Licensing of Software Developers (David Parnas)
Re: campaign against telco info services (Dave Bakken)
Re: Mathematical and scientific foundations (Leslie J. Somos)
Re: UCI computing survives power outage (William Walker)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others may be ignored! Contributions will not be ACKed. The load is too great.
REQUESTS please to RISKS-Request@CSL.SRI.COM.
For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits).
Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: [lost]
From: [anonymous]
Subject: New Computer Center for Soviet President

Moscow (TASS, 31Oct91, by TASS special correspondent Sergei Zinchuk)

A new scientific and technical computer center `sistema' (the system) is now in operation, aiming to provide immediate and reliable information for the Soviet president's apparatus and communicate directly with various regions of the country, as well as with capitals of other states. The new computer networks will soon enable president Mikhail Gorbachev to contact leaders of other states not only by telephone but directly through the computer displays.

Boris Tolstykh, former deputy chairman of the USSR council of ministers, who also headed the state committee for science and technology and the state committee for computing machinery and informatics, has been appointed chief of the `sistema' center.

"Rechner und Peripherie Vertriebs GMBH" of Germany supplied the hardware for the center and the "Software AG" transnational company arranged the software.

"Creation of the `sistema' center is a vivid example of international collaboration. So, the design and the control system of the center was worked out by Soviet specialists, the office fitting was done by an Italian company, the computers were provided by our company and the software - by `Software AG' company", Gerd Lutz, head of the hardware firm, told TASS. "As a result of joint international efforts we have managed to create an ultramodern computer center which can compete in efficiency with any similar computer network in the world", Gerd Lutz pointed out.

------------------------------

Date: Thu, 31 Oct 91 10:15 EST
From: BARRSTEV@uncg.bitnet
Subject: "Computer rats on students who don't show up in class"

This is from wire reports collected into a column in the Winston-Salem Journal, October 31, 1991.

"Computer rats on students who don't show up in class"

Skipping class and ignoring homework won't be as easy for students at John Muir Middle School in Burbank now that a computer is waiting to call their homes. The school has installed a 24-hour homework hot line that allows Mom and Dad to find out what homework is due and what activities are going on in class. The computerized telephone system also rats on students who miss class by calling their parents each night.

"The great thing about this is that the computer will keep calling until it hears a live voice or an answering machine," principal Bill Kuzma says. "In the morning, a printout tells us who it contacted and who it didn't."

[It is indeed a "great thing" that the map is now equal to the territory. SMB]

------------------------------

Date: 04 Nov 91 14:35:55 EST
From: Nigel Cole <100020.1170@compuserve.com>
Subject: Bank tries to lose 14 billion pounds

I have just seen the following on CEEFAX (BBC TV's Teletext service):

BARCLAYS MAKES A NEAR MISS

Barclays bank is investigating how 14000 million pounds was almost mistakenly transferred to the National Bank of Greece. A spokeswoman for Barclays said the mistake was spotted by a computer security system just before the transaction was due to go through. Fourteen thousand million pounds is the equivalent of more than the entire Greek national debt.

((Nice to see computers catching an error instead of creating or compounding one, although the whole affair sounds like another case of "Computer Operator Error". Does anyone else know more details?
- NHC))

------------------------------

Date: Mon, 4 Nov 91 15:19:14 -0600
From: Jeff Helgesen
Subject: Management Often Bungles Firing Process (WSJ 10/14/91)

From the 14 October 1991 Wall Street Journal, "Firms Get Plenty of Practice at Layoffs, But They Often Bungle the Firing Process":

When reporters and other employees at the Record of Hackensack newspaper tried to log onto their desktop computers on a recent Wednesday morning, a puzzling thing happened. None of them could get into the system. It had nothing to do with computer failure. Rather, it was the way workers learned which ones among them would be getting pink slips. Reporters were directed to an editor's office, where they either for an envelope containing a new password---meaning they still had a job---or a note to see a supervisor---meaning they didn't.

"It was really tense," says one staffer who survived the cut of 138 employees. "People felt really angry. And a lot of people felt betrayed, too."

The story goes on to describe firing methods and practices, and other horror stories regarding botched firings. After all these years, still no improvement over the time-honored method of moving the employee's desk into the hallway... :-)

------------------------------

Date: 1 Nov 91 10:36 +0100
From: Klaus Brunnstein
Subject: Chaos Congress 91

According to an invitation (participation in panel "Techno-Terrorism coming?"), the annual (8th) Chaos Congress 91 will be held in Hamburg (-Eidelstedt, Buergerhaus) on Dec.27-29, 1991. Besides introductions into networking, a survey of networks, mailbox software, operating systems and application software (usually with several practical demonstrations), IT security will be one major focus, esp. sociological and legal aspects.
Besides the 2nd topic (Techno-Terrorism, the development of which was strongly warned of by CCC chairman Frank Simon in a recent discussion), network technologies and possible applications of networks in environment protection (as started in last years) and social implications will be discussed. One discussion will be devoted to '10 years Chaos Computer Club'.

Klaus Brunnstein, University of Hamburg

------------------------------

Date: 30 Oct 91 18:00 +0100
From: Klaus Brunnstein
Subject: Japan's barriers against IT risks (Tokyo conf.report)

Conference Report: `Information Security 91' (Tokyo, Oct.17-18, 1991)

During this year's Informatization Week in Japan, an international conference was held in Tokyo on `Information Security'. Invited experts from the USA, Australia, the United Kingdom, Germany and Japan discussed, in a plenary part (on Oct.17) and in 3 parallel streams (on Oct.18), several 'hot' topics in related areas. The conference was organized by the Japanese Information Processing Development Center (JIPDEC) and the Ministry for International Trade and Industries (MITI)'s Information Technology Processing Agency (IPA); attendance was well over 700.

During plenary day #1, introductory lectures were given by Solomon Buchsbaum, AT&T's senior vice president, on 'Information Security Strategy Towards 21st Century', in which he outlined deficiencies in contemporary digital communication systems by analysing some accidents (e.g. INTERNET worm); he described in some detail AT&T's approach to network security. According to him, the new version of Secure (System V) UNIX designed at B2 level is currently under NCSC B2-evaluation. NCSC director Patrick Gallagher, in his contribution on 'Role of Public and Private Security Activities', introduced concepts of the Orange Book and also discussed the European IT Security Evaluation Criteria (the new release of which, Version 1.2, was released by the EEC in June 1991).
In some background discussion, some experts said that Japan might well (after evaluating this conference and its results) look at their own Security Criteria to compete with the multi-color US and EEC criteria (which both deserve scientific substance and development).

Justice Michael Kirby, Judge at the High Court of New South Wales, introduced the actual work of the OECD expert group on security of information systems, whose chairman he is. In his impressive lecture (38 pages in the conference proceedings), he discussed IT risks, demands for and impediments to security harmonization efforts, and the mission and state of the OECD group. His paper is surely worth wider recognition in the community of risk analysers and security experts. The Japanese contribution was from Tadahiro Sekimoto, Chairman of the (influential) Japan Electronic Industry Development Association; to analyse his country's position, his (Japanese) paper is very worthwhile to be translated into English.

On day #2, three parallel sessions were focused on 'Security Policies' featuring Japan (Kaoru Nakamura/MITI), USA (Bill Calvin/NASA) and UK (Michael Jones/DTI) (session 1), 'Computer Viruses' (session 2, about 200 attendants) and `Security Activities in Business Societies' (session 3), with contributions of Toshio Hiraguri (Fujitsu), William Whitehirst (IBM) and Alan Stanley (European Security Foundation).

In session 2 (the only one which the author could attend), Dr. Tojo of MITI's IPA reported on experiences of IPA's Virus Control Office, founded in October 1990. From the beginning, the office asked Japanese institutions *to report any case of malicious software*. Though probably not all incidents have been reported (esp. in universities), the *detailed survey of 49 incidents* shows essential differences to Western incidents. One major part is concerned with MACINTOSH virii, among which WDEF/WDEF A/WDEF B (9+4+1 cases) and nVir B (1 case).
On Japanese IBM-compatible PCs, only a small subset of the worldwide virii have appeared: Stoned (8), Jerusalem (4), Joshi, Sunday and Yankee Doodle (each: 2), and 1701, AZUSA, Invader, Keypress, Vienna (each: 1), plus a simultaneous occurrence of Dark Avenger and Liberty. Most interesting, there is also a report about a mainframe virus (VM/SP on IBM 4381/R23) which is only described in Japanese (Dr. Tojo's report is very worthwhile to be translated into English/German..)

Dr. Tojo also reported on 6 natively Japanese virii on DOS-PCs and Sharp X68000 'Human OS'. Following their own naming scheme, he reported on virii DBf-1, DApm-2, DBo-3, DBh-4, DAn-5 and DShm-6. In its naming convention, IPA's Virus Control Office describes the system base (D: DOS, M: MACINTOSH, U: UNIX), infection (B=Boot, S=OS, A=application), and disease functions (F=FAT, O=OS, P=EXE/COM.., D=data, H=hangup, m=message, n=nothing). As additional information, virii are serially labeled with the number in the occurrence list. The naming scheme resembles Patricia Hoffman's classification, though significantly simpler; the appended sequence number is helpful when a unique office exists to which virii must be reported.

In the afternoon (after contributions of Fred Cohen and the author, see below), a major part of the panel discussion was devoted to the question why so few virus incidents have appeared, and why *Japan* is world-wide (among highly developed countries) the *country with the lowest per-capita density of virii* (with no major native hacker attack reported). Among several reasons, the low PC-density (about 100,000 PCs only) as well as 'cultural' and 'language' barriers are worthwhile to analyse. The *language barrier* is established by Japanese laws and regulations which require all foreign software to be adapted to Japanese standards and language.
This requires all software to be adapted, and in this process, major 'anomalies' may vanish (probably, the high percentage of Mac virii comes from the fact that the exchange of Mac software is nearly as free as in Western countries). The *cultural barrier* was described by some participant with the sentence: 'In Japanese culture, students would be ashamed to damage any organisation by writing a virus'. From Western experience (e.g. in discussion with hackers and virus authors), this built-in ethics seems the most reasonable Japanese barrier, while the 'language barrier' is often blamed for the closure of Japanese markets against Western products. Consequently, political pressure may well damage this antivirii barrier, while the cultural barrier may remain strong for some time (slowly eroding, as some Japanese discussants admitted).

Fred Cohen's contribution consisted of two rather controversial parts. In his first part, he analysed - in an outstanding contribution - essential features in PCs and MSDOS which are basically responsible for virus proliferation. He described concepts of his (=ASP's) integrity product which (as this part of his lecture) deserves broader recognition; his suggestion of a 'safe snapshot' (established as virus-free) which is loaded at any boot time seems promising (VTC will test it against its virus database) against all virii which do not (mis)use hardware features to protect (stealth) themselves.

Fred Cohen's second part will also be controversial in Western conferences. He repeated arguments of his dissertation, recently published in Science (Sept/Oct edition), that virus technology should be used for 'good purposes'. While his dissertation contained examples of compression and encryption, today's examples are a 'viral bill collector' and 'garbage collection'. Moreover, to get more examples, Fred has publicly devoted $1,000 in a contest to the programmer of the best good virus (Science).
Fred's argument is that in adequate (evidently not contemporary) systems environments, the technology of self-replicating programs may be used for good purposes. Starting from genetic principles ('liveware'), several models of garbage collectors and bill collectors may concur, on a birth-and-death basis: the successful ones survive (if enough 'food' is available) and replicate, while the unsuccessful ones 'die'. In the wake of his Science contribution, Gene Spafford gave an essential argument that replicative techniques should not be used in cases where more controllable techniques are available. All examples up to now can be solved (more controllably) by a good operating system.

The author mentioned moreover that in contemporary systems, *virii steal the author's copyright as well as the user's quality guarantee*. The argument is as follows: if a user buys a software product, he/she gets a (usually written) quality assurance limited to the tested product; as virii change the assured product, the quality assurance is no longer valid for an infected product. Similarly, the copyright holds only for the product as shipped; with any change of the product at the user's site, the copyright no longer holds. In the lively discussion, Fred was alone to defend his 'good virus' idea.

In his contribution 'Malicious Software: Trends and Counteraction', the author analysed essential paradigms inherent in von Neumann architectures (PCs, large systems and networks) as well as in contemporary systems analysis and software construction. He argued that known forms of malicious software (virii, worms, trojans) and future 'hybrids' (trojanized virii, virus-worms etc) are the consequence of the inherent insecurity of contemporary concepts.
In a live show, he demonstrated (with 28 virii, known since at least 5 months) the discrepancies in quality of selected antivirii (McAfee's V84 found 21 virii but misclassified 14, yielding a 25% success quota; Solomon's Version 5 properly classified 2, and Skulason's F-PROT 1.16 found 16). According to the author, contemporary antivirus techniques will experience more trouble when future stealth virii use hardware protection (not used by the operating systems) to undergo protection mechanisms, where contemporary integrity checkers (checksum etc) will also fail. He suggested new architectural designs which combine von Neumann concepts with functional concepts not dissimilar to Japanese 5th Generation concepts (which were not discussed in this event).

While some part of the conference proceedings is in Japanese, the invited speakers' contributions are in English. The conference demonstrated Japan's interest to become a major player also in fields of Computer Security; in several areas (e.g. Classification of Computer Security), evident deficiencies (esp. ill-understood concepts in Europe's ITSEC) may be uncovered when Japan plays a major independent role. This may lead to new concepts and approaches and competitivity.

Klaus Brunnstein, University of Hamburg (October 26, 1991)

------------------------------

Date: Sat, 2 Nov 91 00:23:13 CST
From: sullivan@geom.umn.edu
Subject: DES is better than anyone would have guessed!

In the NYT "Week in Review" for 13 October, Gina Kolata writes about DES. The basic thrust of the article is that DES is a much better code than anyone would have guessed; nobody (outside the NSA, anyway) understands why it is better than any similar codes that have been tried. The recent Israeli attack on DES is only a "slight improvement over laboriously trying every key". Martin Hellman of Stanford is quoted as saying that special purpose hardware costing $10 million could break DES by brute force in two hours.
[So in 20 years, if costs go down 40%/yr, your desktop workstation will do this easily.]

Shamir evidently says that DES is "the strongest possible code of its kind"; his method "devastates similar codes", while only denting DES. He doesn't believe DES has a trap-door for NSA. Whitfield Diffie of Sun points out that a cryptosystem must last for many years: the British got an encrypted Soviet message in the 30's and continued for 30 years to try to decode it.

-John Sullivan

------------------------------

Date: 04 Nov 91 20:20:58 EST
From: Richard Outerbridge <71755.204@compuserve.com>
Subject: DES Watch

Apropos of the robustness of DSS, RISKS readers might be interested by our guesstimation of the strength of DES during the next nine years. The title says it all: "DES Watch: An Examination of the Sufficiency of the Data Encryption Standard for Financial Institution Information Security in the 1990's", Gilles Garon and Richard Outerbridge, in CRYPTOLOGIA Volume XV Number 3, July 1991, pp. 177-193. The pun on "DEATH Watch" was intentional.

Highlights:

                        Investment             Cost-per-Period
  Time-to-Break      1990    1995    2000      1990    1995    2000
  One Year          $129K    $52K    $10K      $48K    $19K     $4K
  One Month        $1532K   $600K   $117K      $45K    $18K     $4K
  One Day         $46622K $18265K  $3580K      $45K    $18K     $4K

If we adopt Dr. Rivest's metric of "$25 million"-worth of resistance to attack, single-key DES will be obsolete for protecting transactions with a lifespan of under 12 hours by about 1995 or so. If single-length DES keys are changed less frequently than once every couple of days, single-key DES is already exposed when used to protect more than $48,000 worth of information.

Richard Outerbridge, Senior Security Analyst, CIBC

------------------------------

Date: Sat, 2 Nov 91 17:35:03 PST
From: bertrand@eiffel.com (Bertrand Meyer @ Interactive Software Engineering Inc.)
Subject: Risks of ``record'' and ``replay'' terminal capabilities

Has this risk been documented before?

Bertrand Meyer

From a letter by ``Paul J. Lourd, Greenwich, CT'' to the magazine ``Enterprise Systems Journal'', October 1991:

Recently there was a situation in which several customers received products from my company they claimed were never ordered. [...] The [originating] clerk claimed he never entered them, but did say that his terminal was acting ``wacky'' that morning. [...] The orders matched [others shipped] nine months ago to the same customers. [...] After much head scratching, the staff realized that these particular ``dumb'' terminals (IBM 3192) had a keystroke record and play feature. Although no one believed it was possible, it turned out that this clerk had accidentally hit the record button which recorded some of his work and assigned it to a PF key. Nine months later, he managed to hit the play key while in just the right screen and it re-entered the orders! The staff then checked the rest of the 3192 terminals and found that more than 75 percent had accidental keystrokes recorded and assigned to various PF keys. Naturally, the staff is in the process of rendering these keys inoperable. [...]

------------------------------

Date: Wed, 30 Oct 91 16:29:04 EST
From: parnas@qusunt.eng.McMaster.CA (David Parnas)
Subject: Re: Licensing of Software Developers (RISKS-12.58)

John Gilmore suggests that I have gone "beyond advocacy to misrepresentation". Having read his contribution twice, I still can't figure out what was misrepresented. In the jurisdictions that I know, if a professional engineer is accused of having violated some of the rules of the profession, the decision about his/her right to continue practicing is made by the professional society. In that sense, the standards are enforced by the practicing professionals.

This is exactly analogous to the situation in Medicine. Governments decide that you must have a medical license to perform heart surgery. Doctors decide who can have such a license.
Doctors consider themselves a self-enforcing profession, but the government does not allow them to determine their own "scope". Nobody is forced to get a medical license either.

Although I don't recall anyone in this conversation being called a "crackpot", I was glad to read that Mr. Gilmore believes that I don't deserve that classification. It has to be the nicest thing a self-avowed crackpot has said to me this year.

I repeat that we are discussing the wrong issue. I don't believe that we can afford to ignore the issue of qualifications for software professionals, but the question we should be debating is what those qualifications should be and who should be covered. It is not an all-or-nothing problem.

Prof. David Lorge Parnas, Comm.Res.Lab, Electrical and Computer Engineering Dept., McMaster University, Hamilton, ONT Canada L8S 4K1   416 525 9140 Ext. 7353

------------------------------

Date: Wed, 30 Oct 91 15:18:23 MST
From: "Dave Bakken"
Subject: Re: campaign against telco info services (Seecof, RISKS-12.56)

In RISKS-12.56 Mark Seecof of the Los Angeles Times used this forum to try to rally people to support HR 3515, in the name of privacy. I think that it would be very beneficial to hear exactly how he or others fear that the telecos providing information services could be a threat to privacy. (Must I note that the LA Times and the other groups he mentioned have a very big vested commercial interest in this? And yet they raised the bogeyman of ``potential invasion of privacy'' without being questioned.)

I myself look forward to the telecos providing information services (and TV shows, as the FCC just allowed this last week). This greatly increases the probability that we will get fiber optic phone lines in ``the last mile'' to our houses and small businesses, and is likely to accelerate the pace at which it comes.
As long as the telecos are required to rent the lines to others on a fair basis, I can see nothing but good coming out of this, and a lot of good at that.

Dave Bakken, Dept. of Computer Science, U of Arizona, Tucson, AZ 85721; USA   +1 602 621 4089

------------------------------

Date: Thu, 31 Oct 91 14:23:11 -0500
From: ah739@cleveland.freenet.edu (Leslie J. Somos)
Subject: Re: Mathematical and scientific foundations (Petroski, RISKS-12.51)

My wife Kathy Bacon had an interesting experience in a class while getting her Computer Engineering B.S. at Case Western Reserve University:

After one particular homework assignment, many of the students complained to the professor about how the problems were graded. The (engineering) students had ruled out certain of the solutions which were physically impossible (the problem was a word problem about a mechanical linkage). The professor said that the class he gave the problems to last year had no problem. He scratched his head some, and realized that last year he taught the course to mathematics students, who had solved the equations as-is, and not ruled out the answers which were negative numbers.

So, it's not really engineering versus mathematics, it's more of not doing reasonability checks on your results.

Leslie J. Somos

------------------------------

Date: 31 Oct 91 11:05:00 CST
From: "William Walker C60223 x4570"
Subject: Re: UCI computing survives power outage [almost] (Krause, RISKS-12.58)

This type of power outage is really not surprising considering how most (if not all) buildings receive their electricity from the power company. To reduce the size (and subsequently cost) of power feed lines and main breakers or fuses, as well as provide a more efficient distribution of power, AC electricity is provided to buildings in three phases (houses and small buildings often have only two phases). Each phase, or "leg," is separately protected by a fuse or breaker at the point it enters the building.
Each circuit coming off of each leg is also separately protected by a fuse or breaker. Here's the RISK: often the sum of the ratings of the breakers for the circuits exceeds the rating of the breaker for that leg. So, it is possible to overload and trip the breaker for that leg without tripping any breakers for the individual circuits. The other legs will not normally be affected, unless the breakers for all legs are connected to trip at once. If one leg supplies computers and one supplies lights (and maybe AC), one can see how these scenarios are possible, but more likely:

The same can occur on a larger scale. OUTSIDE of the buildings, on the power poles, are line fuses for each leg of power. Sometimes several buildings (or several mains for one building) will be "downstream" of the line fuse. Then, if the line fuse is overloaded and blows, all mains served by that leg will go down.

I have experienced this twice: once while at the University of Alabama in Tuscaloosa, and once while at Holly Farms Headquarters in Wilkesboro, North Carolina. The line fuse for one leg blew, knocking out power to computers but not lights (at U of A), or to the mainframe (thank goodness for UPSs) and some of the lights but not the PCs (at Holly Farms).

Bill Walker, OAO Corporation, Arnold Engineering Development Center, M.S. 120, Arnold Air Force Base, TN 37389-9998 ( WALKER@AEDC-VAX.AF.MIL )

------------------------------

End of RISKS-FORUM Digest 12.59
************************