Subject: RISKS DIGEST 13.34
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 3 April 1992  Volume 13 : Issue 34

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Re: SDI (David Parnas)
Re: NSA and cryptographic software (Steve Bellovin, Fred Cohen)
Risks in nuclear bombs to deflect asteroids (Marvin V. Zelkowitz)
The new Simon & Schuster Royalty Accounting System (Lauren Wiener)
Bad data allowed to enter driver database and used as basis for arrest (Eric Postpischil)
Re: U.S. Dept of Justice Rulings about Keystroke Capturing (Marc Horowitz, Thomas Zmudzinski)
RISKS of patents on software, ideas, etc. (Bob Estell)
Backup over the phones? (Robert Ebert)
Re: Now why didn't I think of that? (Windows 3.1) (James Barrett)
The Machine That Changed the World -- Public TV Series (Jack B. Rochester)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others may be ignored! Contributions will not be ACKed. The load is too great.
**PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks.
REQUESTS please to RISKS-Request@CSL.SRI.COM.
Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits).
Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Thu, 2 Apr 92 16:07:28 EST
From: parnas@qusunt.eng.McMaster.CA (David Parnas)
Subject: Re: SDI (Newsweek, March 23, 1992) (RISKS-13.33)

When I read that "[The] Pentagon disagrees that deploying a space- and ground-based defense system poses significant technical challenges. The complexity of the software required to coordinate Star Wars, for instance, is no more daunting than programs that control nuclear reactors, it says." I certainly breathed a sigh of relief.

Having had a look at both types of programmes, I am comforted by the impression that the Pentagon employee who stated that opinion had never seen either type of software.

Dave Parnas

------------------------------

Date: Thu, 02 Apr 92 15:52:42 EST
From: smb@ulysses.att.com
Subject: NSA and cryptographic software

The NSA and the Software Publishers' Association appear to have reached an agreement that would allow some exports of cryptographic software, as long as the keys are constrained to be sufficiently short. The net effect is a slight but potentially useful improvement over what was previously exportable.

Umm -- according to the NY Times article on the subject, things are actually a bit murkier. The details of the algorithm are supposed to be secret. (How long that will work is debatable, of course. In fact, it isn't even particularly debatable; I think we know the answer.) Naturally, a number of folks are quite upset about that aspect.

Now that NSA and RSA have come a little closer, we need to bring in BSA (the Boy Scouts of America). Be prepared! Imagine, a merit badge for cryptography? Actually, they do have one. Or rather, Way Back When, the Cub Scouts had a something or other in cryptography. Being innocent of the distinction between a ``code'' and its key at the time (and for that matter, of the distinction between a code and a cipher), I persuaded the Powers That Were that I had fulfilled that requirement *25* times, by coming up with *25* different Caesar ciphers...

--Steve Bellovin

------------------------------

Date: Thu, 2 Apr 92 21:56 EST
From: fc
Subject: Risks of a national policy against good crypto

Just an opinion - I think financial competitiveness is far more important than not being able to read crypto to the US at this time. I can purchase an RSA on a smart card from Philips in the EC, but I cannot sell a slower RSA for the PC to people in the EC. What this seems to say is that they can have it, but I can't sell it to them - or in other words - they get the money from our research!!!

And then there is the old wire tapping thing. As far as I am concerned, it is the FBI's business to find a way to read my mail if they care to, but it is not my job to help them do it. That's why I use an RSA whenever I want to send something private.

Which brings me to the newest development at ASP. We have decided to do all further crypto development overseas. This is because if we do it here, it's against the law to export it, but if we do it there, we can still import it and sell it here. Any such policy, if it is to be effective, must also restrict import - otherwise, the financial motivations will move all crypto overseas. This is of course happening.

Want an example? At the 5th virus conference, the people from the EC cheered when they heard that virus defenses are export controlled. In my case, my EC competitors get a 6 week advantage over me in everything they do, because each new version has to go through paperwork at the US government that takes this long. As a result, I have moved my further virus defense development to the EC.
They get the money instead of the US getting it, but I get a smaller piece of a bigger pie, which earns me more money in the long run.

How long will it be before we give up the little leadership we have in information protection? Not long! All over the EC and in the far east and in Australia, there are research groups forming at universities for computer security researchers. They get funding and tenure, and even publish articles. In the US, there is lip service, and a few universities offer a course or two, but you cannot find more than 2 experts at any US university! So I think the real risk is that in the name of maintaining national security, we are giving up our leadership in security!

Have a nice day - FC

------------------------------

Date: Thu, 2 Apr 92 17:13:01 -0500
From: mvz@cs.UMD.EDU (Marvin V. Zelkowitz)
Subject: Risks in nuclear bombs to deflect asteroids

I just listened to a local radio station talk show concerning proposals to use nuclear weapons to change the orbit of asteroids heading towards the earth, and while the discussion was factual, it poses a long term risk to science in this country. The discussion was by the radio commentator and a physicist from a local university. The general tone of the show and the facts presented were:

1. Neither took the threat very seriously and were very flippant about the whole process.
2. Rationale for such proposals seemed to be the large number of (unemployed?) nuclear scientists needing a new threat to work against since the Soviet threat is disappearing.
3. Congress held a hearing on the potential for such a collision with an asteroid.
4. NASA held two workshops to discuss this problem.
5. There is a non-zero probability of such a collision actually happening.
6. The last big collision of an asteroid with the earth was about 65 million years ago; anything that large is probably already known; we will have several near misses first before any collision, giving from several decades to several centuries advance warning before such a collision.

The risk here (besides the obvious one of having the earth blow up)? There is a lack of knowledge by the public on risks, safety, and the costs and tradeoffs of increasing safety (and decreasing risk), especially given the flippant tone of both radio commentators. It was probably reasonable for Congress to hold such a hearing since the potential damage would be catastrophic. It probably was reasonable for NASA to hold a workshop to discuss the risks of such a collision and potential solutions. Given the extremely small probability of such a collision and the high costs of preventing it, the process should have probably stopped there. However, it is important for the public (and scientists and Congress, even) to at least study such issues. The next time some issue like this comes up, there may be a tendency to dismiss it before there is any scientific discussion of its reality.

-- Marv Zelkowitz, Computer Science, University of Maryland, College Park  mvz@cs.umd.edu

------------------------------

Date: Thu, 02 Apr 92 15:29:18 -0800
From: Lauren Wiener
Subject: the new Simon & Schuster Royalty Accounting System

I am writing a book about software bugs. Today I was working on a chapter featuring development disasters. The royalty statement for a previous book arrived. It is several days late, in a big envelope with a glossy brochure and a form letter that begins:

"Dear Author:

"We are very pleased to provide you with your royalty statement for the current period. This new statement is enhanced in form and content and is the initial statement generated by the recently implemented Simon & Schuster Royalty Accounting System."
The letter ends:

"Any major system implementation involves a transition and refinement period. We anticipate that you may have issues that require attention, and we are prepared to address your concerns in an expeditious manner. If you have any questions, please call our Royalty Department toll free number..."

The check is made out to Lauren Carter. Carter? From Wiener? How did they do that? It's not even close!

I called the toll-free number. A human -- an agreeable and intelligent one -- is still in the loop at 5:30 P.M. EST. He promises to straighten it out. But the first thing he says to me is, "You wouldn't believe how much they spent on this system!"

Sometimes life is too perfect.

  [Look for Lauren's Trip Report on the panels and invited talks at SIGSOFT '91, which is just going to press in the ACM SIGSOFT Software Engineering Notes vol 17 no 2, April 1992. I probably already noted that the proceedings of that conference are out as SEN vol 16 no 5, December 1992. PGN]

------------------------------

Date: Thu, 2 Apr 92 05:28:44 PST
From: Eric Postpischil
Subject: Bad data allowed to enter driver database and used as basis for arrest

Below is the full version of a letter I have sent to various agencies and representatives in New Hampshire. In summary, some person was stopped for traffic violations, and gave a false name and address and no other personal identification. The violations were unpaid and unchallenged and so were recorded in the given name without that person's knowledge. License suspension proceedings were initiated, but notice was sent to the false address since the Department of Safety had updated their computer records with the erroneous information. Eventually, the innocent person was stopped and arrested for driving without a license.

-- edp (Eric Postpischil)

- - - - - - - - - - - - - - - - - -

6 Hamlett Drive, Apt. 17
Nashua, NH 03062
2 April 1992

An open letter to the Department of Safety, police officers, judiciary, and legislative representatives of New Hampshire

Dear People:

A few months ago, an acquaintance of mine was stopped by a police officer for a traffic violation. According to a check of their driving record, their license had been suspended, so the officer arrested them. It turns out this person had been the victim of a fraud, and the Department of Safety, the police, and the courts made mistakes which compounded the consequences. The charges have been dropped and the Department of Safety records partially corrected, but court records remain in error, and there are lessons to be learned from this incident. (I will not name the victim here, but appropriate parties, such as officials who wish to correct records, can get this information by contacting the author.)

Fraud occurred on three prior occasions, which the Department, the police, and the courts failed to catch. Some person was stopped for traffic violations. This person apparently did not present any identification to the police officer who stopped them, but they gave a misspelling of the victim's name as their own and gave the address of a relative of the victim as their own address. (According to New Hampshire statutes, a person stopped for a traffic violation need not have their license with them but is supposed to present their driver's license at the peace officer's office within 24 hours.) On three occasions, this person must have failed to present identification within the allotted time, yet there was apparently no follow-up investigation by any of the officers involved. The records of the violations were sent to the Department of Safety, which accepted them as correct in spite of the fact that there was no physical evidence at all that the person owning the affected records was in fact the person at fault.
The Department matched the misspelled name with that of our victim and updated their database with the new, incorrect address. The violations were placed in the victim's records. Further, proceedings were begun to suspend the victim's license. Notices about the violations and the suspension proceedings were sent to the incorrect address, where they were ignored. It seems to me to have been unwise to ignore official letters rather than forward or return them. I guess that because they were arriving at the incorrect address, they might have been presumed to be spurious and unimportant. Regardless, the fact that they were ignored is not in any way the fault of the victim.

There are several lessons to be learned. It is improper to place damaging data in a person's record when there is no supporting evidence -- no record of violations should have been placed in the victim's record nor should any court have made a finding of guilt until there was actual physical evidence. There was no driver's license, no signature, no fingerprint, no match of vehicle records, no photograph, and no witness who knew the person. Even the police officers who made the stops could testify only that the person said they were the victim, not that they actually were.

As a society, we must recognize that if we rely on databases to provide important information, then we are assuming a great risk if incorrect data enters the database. There must be rigid controls to allow only accurate information into the database. Without these controls, the database cannot be considered accurate, and it is wrong to rely on it. An insecure database is not a proper basis for making arrests or otherwise penalizing human beings.

Another lesson is that the Department and police officers should be wary of fraud. When a person fails to present proper identification within the allotted 24 hours, this must be followed up by investigation. It must not be followed up by mechanically completing the paperwork to record a violation. Justice requires evidence and due process, and mechanical processing of violations provides neither to our citizens. Further, when a person fails to present identification during a traffic stop, the officer should secure some other evidence of their identity, perhaps by taking a photograph for later examination.

Finally, there is a lesson to be learned about database records and privacy. Although the Department of Safety keeps these records, we should not consider the Department to be the owner of the records. Each record is owned by the person whose record it is, and the owner has a right to know what is in the record and when changes are made. The owner has a right to control their record to ensure that it is accurate. In this incident, the Department accepted a change to the records without checking with the owner to verify the change. This is like a bank allowing anybody to walk in and sign a new signature card for your account and then letting the person withdraw funds from your account. That is a serious flaw. Whenever any change is made to a person's record, the Department should send a complete notice to that person. When the change includes an address change, the notice should be sent to the former address.

I would also like to add that I am appalled that any court, magistrate, or other judiciary official would make a finding of fault against a person not only without evidence but also without properly serving notice to that person at their true address. Such administration of traffic laws is a travesty that subverts basic principles of justice in this country.

There is one good note. After the arrest, a letter was sent to the Department of Safety requesting correction of the mistakes. The Department responded extremely quickly -- by phone the day after the letter was placed in the mail. This is typical of the wonderful service the Department usually provides; they are to be commended for doing an excellent job on the whole. I only hope the Department can provide the same quality of service in preventing mistakes like this from happening in the first place.

On the other hand, the Attorney General's office has not acted so responsibly. The victim has managed to identify the guilty person and locate a witness to the fraud, yet the Attorney General's office has refused to become involved.

Recommendations

I call upon the Department of Safety to rectify its record-keeping procedures so that records cannot be altered without the knowledge of their owner and that incorrect information is detected.

I call upon police officers to be wary of fraud, to follow up with investigation when identification is not presented, and to regard their statements on official documents and to courts as testimony. On this latter point, observe that a police officer who has not examined identification cannot truthfully testify that they witnessed a certain person committing a traffic offense. The most they can testify to is that they witnessed somebody claiming to be a certain person committing an offense, and this distinction should be made clear in all official documents and court testimony.

I call upon judiciary officials not to make any finding of fault unless there is physical evidence and to ensure that the rights of our citizens to due process and to confront their accusers are fully protected. In particular, no judiciary official should accept the presentation of a summons to an unidentified person as proper service of a summons.

I call upon the elected representatives of our citizens to ensure that the above tasks are accomplished. This state and this country are sorely lacking in data protection laws. Every day, citizens become further bogged down in a morass of databases containing information about them they cannot examine, control, or correct.
People are steadily losing the ability to control their own lives. You, our representatives, must fix this. You must protect people from wrongdoing by faceless bureaucratic machinations, and you must ride herd on the enforcement and judiciary branches of our government to ensure that our rights to due process and fair trials are protected.

Sincerely,

(signed)
Eric Postpischil

------------------------------

Date: Thu, 02 Apr 92 12:24:18 EST
From: Marc Horowitz
Subject: Re: U.S. Dept of Justice Rulings about Keystroke Capturing

>> Unfortunately, correct. The situation is roughly analogous to having
>> to post signs saying that there are TV cameras monitoring your condo.

I must be misunderstanding you. The building I'm in (the student center at MIT) has a bank branch and a grocery store. Both have cameras, and neither has signs announcing them; I just checked. Neither conceals its cameras. Is a condo special?

>> Very true. For example, an "alleged penetrator" (prosecuting attorneys
>> prefer to avoid the H(acker) word as "too warm and fuzzy") was monitored
>> while committing (what I'd consider to be) electronic breaking and entry.
>> He got off because he hadn't been warned that he was being monitored.

So, if someone breaks into my house, and I managed to follow him around, and watch him steal stuff, is that information not admissible in court because I never tapped him on the shoulder and said "don't mind me, I'm just watching you"? Should I have a sign on my apartment announcing that "By entering these premises, you consent to the possibility that the owner might actually watch you and file charges if you are breaking and entering."?

Marc

------------------------------

Date: 2 Apr 92 15:22:00 EST
From: "zmudzinski, thomas"
Subject: In-Re: Re: U.S. Dept of Justice Rulings about Keystroke Capturing

  D E F E N S E   I N F O R M A T I O N   S Y S T E M S   A G E N C Y
  Dept: DNSO/DISM   Tel No: 703 285 5459 (DSN) 356
  Subject: In-Re: Re: U.S. Dept of Justice Rulings about Keystroke Captu

Apparently my dry wit was a tad too desiccated, sorry. Condos _do_ have some special laws (a condo fee isn't rent nor is it a mortgage payment), but surveillance isn't one of them. I was giving a deliberately absurd, but all too real, example. There _ARE_ legal requirements relative to surveillance; what depends on where you are and what/who you're "surveillancing" (if "there ain't no word that can't be verbed", then such verbs can certainly be gerunded, right?). Here, you may have a vacation-behind-bars-ish requirement to post such a sign; there, there may be no LEGAL requirement, but you post a warning to get a better return on your effort and scare off the badguys; (and everywhere, the Communication Cops want to get into your knickers?).

> So, if someone breaks into my house, and I managed to follow him ...

If you do as you said, it's your word against his, and assuming he left no physical evidence, I doubt that you'd even get the case to court. Of course, if you made the alleged burglar so nervous that he tripped on the throw-rug, _YOU_ could be prosecuted under the anti-"deathtrap" laws. (You did know that you can't leave a deadfall inside your doorway, didn't you?) By the way, I wrote "prosecuted", not "convicted", but the way that juries are "instructed" these days, I wouldn't rule it out.

> Should I have a sign on my apartment ...

Given the current crazy state of our laws, it wouldn't hurt. Let me point out that I didn't write this mess!

------------------------------

Date: 2 Apr 92 16:02:00 PST
From: "FIDLER::ESTELL"
Subject: RISKS of patents on software, ideas, etc.

I guess I'm getting cranky in my old age (54). But I grow weary of the energetic youngsters (regardless of age) who want to patent every new toy - even if it ain't new! Like "...the first ever machine independent benchmarks..." hyped in one computer magazine; turned out they were NOT comparable between PCs and Macs, nor DOS and UNIX-like hosts; i.e., one could not compare results, to help in a purchase decision. NOW *that's* REAL independence! (Not to mention that I was doing machine independent benchmarks in 1967-68.)

Apple's claims about "look and feel" of the icon/mouse interface should be faced down, in federal court, by a consortium of IBM, AT&T, H-P, etc. who graciously concede the icon/mouse interface to Apple - IF (and only if) Apple will abandon the keyboard and command line interface, on the ground that the plaintiffs (IBM et al) got there first. Imagine using any computer, without a keyboard, and without command lines, even short ones - like single characters. Pretty tough.

Now, I'm not picking on Apple. (I use a Mac II.) It's just that their "look and feel" suit has gotten more press than most others. Squelching it once and for all might make other frivolous suits more rare.

Bob

------------------------------

Date: Thu, 2 Apr 1992 11:07:48 PST
From: Robert_Ebert.OsBU_North@xerox.com
Subject: Backup over the phones?

Excerpted from TidBITS#114/01-Apr-92, source: BackData, info@backdata.com

[Discussion of problems with existing backup systems deleted. People either don't do them or don't do them well.]

So the BackData guys realized that the best possible option is for all the data on your hard disk to be backed up automatically at night to another physical place. Short of hiring elves, the only way to do this is via modem, but with some of the current high-speed modems and sophisticated pieces of software out there, they figured that it would be possible with a bunch of Macs and a lot of storage devices. ....In terms of software, you just need AppleTalk Remote Access and Retrospect 1.3, which can back up any volume mounted on its desktop.
I haven't tried this yet, but the theory is that at some point in the middle of the night one of their backup Macs calls your Mac (which had better be on). A simple macro ensures that all your volumes are mounted read-only on their systems, and then Retrospect goes to work, backing up only the files that have changed according to specific selectors that you set up previously. This allows you to avoid backing up your System file all the time, even though it will almost always be marked as modified whether or not you've added any fonts or sounds. Once the backup is done, another macro copies the catalog file to your hard disk (so you can see what was backed up), dismounts your volumes, and disconnects the modems to finish the process.

Retrieval is a slightly stickier issue. Essentially, the process works in reverse, with one important exception. You call them and make sure your DAT tape is in the drive of a Mac at a certain phone number. After your Mac calls the storage Mac, you then run Retrospect over the remote connection....

I expressed some doubt about the reliability of cobbling together these off-the-shelf programs, and the BackData folks admitted that they're in the process of writing several dedicated programs that will automate the process much more cleanly, one for DOS and one for the Mac. Their programs didn't sound as though they'd be as flexible as Retrospect, but would work much more cleanly over the phone lines, especially with restoring data.

Interesting concept this, and one which could eventually go national with an 800 number. It's basically a form of insurance, but one which could save a lot of important data in the event of disaster.

[Summary of costs deleted. Initial startup fee (includes hardware) and hourly connect fee during backups.]

The risks are numerous. Among them: granting "late night" dial-in access to home and office PC file systems, physical and electronic security at the remote site, authorization for backup restores, and backup data being held by a commercial company that lives on profits and is vulnerable to bankruptcy or hostile takeover.

--Bob (bebert.osbu_north@xerox.com)

------------------------------

Date: Thu, 2 Apr 1992 06:42:54 GMT
From: barrett@holly.gatech.edu (James Barrett)
Subject: Re: Now why didn't I think of that? (Windows 3.1)

Also, Windows 3.1 has been touted as "eliminates UAEs!!!" Of course, it does this by renaming them to be something else...

James C. Barrett (barrett@cc.gatech.edu)  Georgia Tech College of Computing

------------------------------

Date: Fri, 3 Apr 92 15:43 GMT
From: "Jack B. Rochester" <0002757498@mcimail.com>
Subject: Public TV Series

I saw Bob Frankston at the coming-out party for PBS's new series, "The Machine that Changed the World" that begins next Monday, and we both thought you should consider posting it to the Risks Forum. Perhaps it is risky not to see how our industry is being popularized for the mass media. In any event, credit for the following -- this was passed on to me by my brother, who works at DEC.

P.S. Another risk: the title of the series is the same as that of a recent book about the _auto_.

PBS COMPUTER SERIES
The Machine That Changed The World

On Monday evening, April 6, 1992 at 9:00 PM EST, and on successive Mondays until May 4, PBS will present "The Machine that Changed the World," 5 programs on the history of the electronic computer and its impact on society. Produced by WGBH Boston (makers of NOVA) and the BBC, and with major funding provided by ACM and Unisys, the series highlights the fifty year revolution in computing and information technology -- a revolution that is still going on. Beginning with World War II research and the ENIAC, which was co-invented by J. Presper Eckert and the late John Mauchly (a founder of ACM), "The Machine that Changed the World" follows the unpredictable course of information technology from the room sized data processing centers of the 1960's to desktop personal computers of the 1980's to virtual reality of the 1990's, describing events that have altered society in profound and totally unexpected ways.

Check your local PBS listings for broadcast times on the following Monday evenings:

o April 6 - "Giant Brains", covers the wartime events that led to the 1946 debut of ENIAC, the world's first general purpose electronic computer.
o April 13 - "Inventing the Future", examines how the computer rose from obscurity to become the engine that powers business throughout the world.
o April 20 - "The Paperback Computer", explores how computers became small, affordable and easy to use.
o April 27 - "The Thinking Machine", focuses on the most ambitious goal of all - creating a computer that will vie with humans in intelligence.
o May 4 - "The World at Your Fingertips" looks at the social revolution wrought by computers - and the price we pay.

------------------------------

End of RISKS-FORUM Digest 13.34
************************