Subject: RISKS DIGEST 13.65
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 17 July 1992  Volume 13 : Issue 65

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  NY "Hacker" Indictments (John F. McMullen)
  Questionmark over nuclear reactor control software (Anthony Naggs)
  Call for papers FTCS-23 (Mohamed Kaaniche)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. If you cannot read RISKS on-line, try FAX! For info, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Fri, 17 Jul 92 13:53:41 EDT
From: "John F. McMullen (at Marist)"
Subject: NY "Hacker" Indictments

[The following editorial piece is reproduced in full with thanks from Newsbytes, under whose auspices it appeared, and is reprinted with permission of the author(s), including at least John F. McMullen, but possibly also Barbara E.
McMullen -- I could not be sure from the context of the double message, one half of which is included here, the other half was an explicitly doubly authored news article. PGN]

Second Thoughts On New York Computer Crime Indictments 7/13/92

NEW YORK, N.Y., U.S.A., 1992 JULY 13 (NB) -- On Wednesday, July 9th, I sat at a press briefing in New York City's Federal Court Building during which law enforcement officials presented details relating to the indictment of 5 young computer "hackers". In describing the alleged transgressions of the indicted, United States Assistant Attorney Stephen Fishbein wove a tale of a conspiracy in which members of an evil sounding group called the "Masters of Destruction" (MOD) attempted to wreak havoc with the telecommunications system of the country.

The accused were charged with infiltrating computer systems belonging to telephone companies, credit bureaus, colleges and defense contractors -- Southwestern Bell, BT North America, New York Telephone, ITT, Information America, TRW, Trans Union, Pacific Bell, the University of Washington, New York University, U.S. West, Learning Link, Tymnet and Martin Marietta Electronics Information, and Missile Group. They were charged with causing injury to the telephone systems, charging long distance calls to the universities, copying private credit information and selling it to third parties -- a long list of heinous activities.

The immediate reaction to the indictments was predictably knee-jerk. Those who support any so-called "hacker"-activities mocked the government and the charges that were presented, forgetting, it seems to me, that these charges are serious -- one of the accused could face up to 40 years in prison and $2 million in fines; another - 35 years in prison and $1.5 million in fines.
In view of that possibility, it further seems to me that it is a wasteful diversion of effort to get all excited that the government insists on misusing the word "hacker" (The indictment defines computer hacker as "someone who uses a computer or a telephone to obtain unauthorized access to other computers.") or that the government used wiretapping evidence to obtain the indictment (I think that, for at least the time being that the wiretapping was carried out under a valid court order; if it were not, the defendants' attorneys will have a course of action.).

On the other hand, those who traditionally take the government and corporate line were publicly grateful that this threat to our communications life had been removed -- they do not in my judgement properly consider that some of these charges may have been ill-conceived and a result of political considerations.

Both groups, I think, oversimplify and do not give proper consideration to the wide spectrum of issues raised by the indictment document. The issues range from a simple black-and-white case of fraudulently obtaining free telephone time to the much broader question of the appropriate interaction of technology and law enforcement.

The most clear cut cases are the charges such as the ones which allege that two of the indicted, Julio Fernandez a/k/a "Outlaw" and John Lee a/k/a "Corrupt" fraudulently used the computers of New York University to avoid paying long distance charges for calls to computer systems in El Paso, Texas and Seattle, Washington. The individuals named either did or did not commit the acts alleged and, if it is proven that they did, they should receive the appropriate penalty (it may be argued that the 5 year, $250,000 fine maximum for each of the counts in this area is excessive but that is a sentencing issue not an indictment issue.).
Other charges of this black-and-white are those that allege that Fernandez and/or Lee intercepted electronic communications over networks belonging to Tymnet and the Bank of America. Similarly, the charge that Fernandez, on December 4, 1991 possessed hundreds of user id's and passwords of Southwestern Bell, BT North America and TRW fits in the category of "either he did it or he didn't."

A more troubling count is the charge that the indicted 5 were all part of a conspiracy to "gain access to and control of computer systems in order to enhance their image and prestige among other computer hackers; to harass and intimidate rival hackers and people they did not like; to obtain telephone, credit, information, and other services without paying for them; and to obtain passwords, account numbers and other things of value which they could sell to others."

To support this allegation, the indictment lists 26, lettered A through Z, "Overt Acts" to support the conspiracy. While this section of the indictment lists numerous telephone calls between some of the individuals, it mentions the name Paul Stira a/k/a "Scorpion" only twice with both allegations dated "on or about" January 24, 1990, a full 16 months before the next chronological incident. Additionally, Stira is never mentioned as joining in any of the wiretapped conversation -- in fact, he is never mentioned again! I find it hard to believe that he could be considered, from these charges, to have engaged in a criminal conspiracy with any of the other defendants.

Additionally, some of the allegations made under the conspiracy count seem disproportionate to some of the others.
Mark Abene a/k/a "Phiber Optik" is of possessing proprietary technical manuals belonging to BT North America while it is charged that Lee and Fernandez, in exchange for several hundred dollars, provided both information on how to illegally access credit reporting bureaus and an actual TRW account and password to a person, Morton Rosenfeld, who later illegally accessed TRW, obtained credit reports on 176 individuals and sold the reports to private detective (Rosenfeld, indicted separately, pled guilty to obtaining and selling the credit reports and named "Julio" and "John" as those who provided him with the information). I did not see anywhere in the charges any indication that Abene, Stira or Elias Lapodoulos conspired with or likewise encouraged Lee or Fernandez to sell information involving the credit bureaus to a third party.

Another troubling point is the allegation that Fernandez, Lee, Abene and "others whom they aided and abetted" performed various computer activities "that caused losses to Southwestern Bell of approximately $370,000." The $370,000 figure, according to Assistant United States Attorney Stephen Fishbein, was developed by Southwestern Bell and is based on "expenses to locate and replace computer programs and other information that had been modified or otherwise corrupted, expenses to determine the source of the unauthorized intrusions, and expenses for new computers and security devices that were necessary to prevent continued unauthorized access by the defendants and others whom they aided and abetted."

While there is precedent in assigning damages for such things as "expenses for new computers and security devices that were necessary to prevent continued unauthorized access by the defendants and others whom they aided and abetted." (the Riggs, Darden & Grant case in Atlanta found that the defendants were liable for such expenses), many feel that such action is totally wrong.
If a person is found uninvited in someone's house, they are appropriately charged with unlawful entry, trespassing, burglary -- whatever the statute is for the transgression; he or she is, however, not charged with the cost of the installation of an alarm system or enhanced locks to insure that no other person unlawfully enters the house.

When I discussed this point with a New York MIS manager, prone to take a strong anti-intruder position, he said that an outbreak of new crimes often results in the use of new technological devices such as the nationwide installation of metal detectors in airports in the 1970's. While he meant this as a justification for liability, the analogy seems rather to support the contrary position. Airline hijackers were prosecuted for all sorts of major crimes; they were, however, never made to pay for the installation of the metal detectors or absorb the salary of the additional air marshals hired to combat hijacking.

I think the airline analogy also brings out the point that one may both support justifiable penalties for proven crimes and oppose unreasonable ones -- too often, when discussing these issues, observers choose one valid position to the unnecessary exclusion of another valid one.

There is nothing contradictory, in my view, to holding both that credit agencies must be required to provide the highest possible level of security for data they have collected AND that persons invading the credit data bases, no matter how secure they are, be held liable for their intrusions. We are long past accepting the rationale that the intruders "are showing how insecure these repositories of our information are." We all know that the lack of security is scandalous; this fact, however, does not excuse criminal behavior (and it should seem evident that the selling of electronic burglar tools so that someone may copy and sell credit reports is not a public service).
The final point that requires serious scrutiny is the use of the indictment as a tool in the on-going political debate over the FBI Digital Telephony proposal. Announcing the indictments, Otto G. Obermaier, United States Attorney for the Southern District of New York, said that this investigation was "the first investigative use of court-authorized wiretaps to obtain conversations and data transmissions of computer hackers." He said that this procedure was essential to the investigation and that "It demonstrates, I think, the federal government's ability to deal with criminal conduct as it moves into new technological areas." He added that the interception of data was possible only because the material was in analog form and added "Most of the new technology is in digital form and there is a pending statute in Congress which seeks the support of telecommunications companies to allow the federal government, under court authorization, to intercept digital transmission. Many of you may have read the newspaper about the laser transmission which go through fiber optics as a method of the coming telecommunications method. The federal government needs the help of Congress and, indeed, the telecommunications companies to able to intercept digital communications."

The FBI proposal has been strongly attacked by the American Civil Liberties Union (ACLU), the Electronic Frontier Foundation (EFF) and Computer Professionals for Social Responsibility (CPSR) as an attempt to institutionalize, for the first time, criminal investigations as a responsibility of the communications companies; a responsibility that they feel belongs solely to law-enforcement. Critics further claim that the proposal will impede the development of technology and cause developers to have to "dumb-down" their technologies to include the requested interception facilities.
The FBI, on the other hand, maintains that the request is simply an attempt to maintain its present capabilities in the face of advancing technology.

Whatever the merits of the FBI position, it seems that the indictments either would not have been made at this time or, at a minimum, would not have been done with such fanfare if it were not for the desire to attempt to drum up support for the pending legislation. The press conference was the biggest thing of this type since the May 1990 "Operation Sun Devil" press conference in Phoenix, Arizona and, while that conference wowed us with charges of "hackers" endangering lives by disrupting hospital procedures and being engaged in a nationwide, 13 state conspiracy, this one told us about a bunch of New York kids supposedly engaged in petty theft, using university computers without authorization and performing a number of other acts referred to by Obermaier as "anti-social behavior" -- not quite as heady stuff!

It is not to belittle these charges -- they are quite serious -- to question the fanfare. The conference was attended by a variety of high level Justice Department, FBI and Secret Service personnel and veteran New York City crime reporters tell me that the amount of alleged damages in this case would normally not call for such a production -- New York Daily News reporter Alex Michelini publicly told Obermaier "What you've outlined, basically, except for the sales of credit information, this sounds like a big prank, most of it" (Obermaier's response -- "Well, I suppose, if you can characterize that as a prank but it's really a federal crime allowing people without authorization to rummage through the data of other people to which they do not have access and, as I point out to you again, the burglar cannot be your safety expert. He may be inside and laugh at you when you come home and say that your lock is not particularly good but I think you, if you were affected by that contact, would be somewhat miffed").
One hopes that it is only the fanfare surrounding the indictments that is tied in with the FBI initiative and not the indictments themselves.

As an aside, two law enforcement people that I have spoken to have said that while the statement that the case is "the first investigative use of court-authorized wiretaps to obtain conversations and data transmissions of computer hackers.", while probably true, seems to give the impression that the case is the first one in which data transmission was intercepted. According to these sources, that is far from the case -- there have been many instances of interception of data and fax information by law enforcement officials in recent years.

I know each of the accused in varying degrees. The one that I know the best, Phiber Optik, has participated in panels with myself and law enforcement officials discussing issues relating to so-called "hacker" crime. He has also appeared on various radio and television shows discussing the same issues. These high profile activities have made him an annoyance to some in law enforcement. One hopes that this annoyance played no part in the indictment.

I have found Phiber's presence extremely valuable in these discussions both for the content and for the fact that his very presence attracts an audience that might never otherwise get to hear the voices of Donald Delaney, Mike Godwin, Dorothy Denning and others addressing these issues from quite different vantage points. While he has, in these appearances, said that he has "taken chances to learn things", he has always denied that he has engaged in vandalous behavior and criticized those who do. He has also called those who engage in "carding" and the like as criminals (These statements have been made not only in the panel discussion but also on the occasions that he has guest lectured to my class in "Connectivity" at the New School For Social Research in New York City.
In those classes, he has discussed the history of telephone communications in a way that has held a class of professionals enthralled for over two hours.

While my impressions of Phiber or any of the others are certainly not a guarantee of innocence on these charges, they should be taken as my personal statement that we are not dealing with a ring of hardened criminals that one would fear on a dark night.

In summary, knee-jerk reactions should be out and thoughtful analysis in! We should be insisting on appropriate punishment for lawbreakers -- this means neither winking at "exploration" nor allowing inordinate punishment. We should be insisting that companies that have collected data about us properly protect -- and are liable for penalties when they do not. We should not be deflected from this analysis by support or opposition to the FBI proposal before Congress -- that requires separate analysis and has nothing to do with the guilt or innocence of these young men or the appropriate punishment should any guilt be established.

(John F. McMullen/1992 07 13)

(Barbara E. McMullen & John F. McMullen/Press Contacts: Federico E. Virella, Jr., United States Attorney's Office, 212 791-1955; Betty Conkling, United States Secret Service, 212 466-4400; Joseph Valiquette, Jr, Federal Bureau of Investigation, 212 335-2715)

------------------------------

Date: Thu, 16 Jul 92 18:05 BST
From: Anthony Naggs
Subject: Questionmark over nuclear reactor control software

From the Computer Weekly for Thursday July 16 1992, with full permission (so long as I forward copies of all public responses to the newspaper). The story once again raises the issue of the appropriate use of software on systems that must fail safely.

A couple of background notes:

1 Sizewell B is Britain's first PWR (Pressurised Water Reactor), which is currently under construction.
A major argument at the planning inquiry in favour of this reactor type was that the design was modern and had a proven track record in the US and elsewhere.

2 Nuclear Electric is the rump of the national electricity generating company, the rest was split into two companies and floated on the stock exchange. My understanding is that it owns/operates all British civil nuclear power stations, of various British designs.

I have joined short paragraphs for readability, and all typos are mine.

SAFETY OFFICIALS DOUBT SIZEWELL B SOFTWARE
Tony Collins

Safety inspectors have questioned the ability of computer protection systems to prevent a major accident at the Sizewell B nuclear power station. They want more reliance on older and trusted solid-state systems without software as a secondary fallback. But Nuclear Electric, Sizewell's operator, is unhappy at the request as it would increase costs - which have already risen from 1,700 million pounds to 2,000 million [times by 2 for US $]- and could delay Sizewell's launch, set for 1994.

The issue was raised at a recent meeting at the Sizewell site of the Advisory Committee on the Safety of Nuclear Installations. It was also discussed at a British Computer Society safety critical systems task force meeting last week.

It is understood that the Nuclear Installations Inspectorate (NII), part of the Government's Health and Safety watchdog, has asked Nuclear Electric to widen its dependence on magnetic core technology for protection systems. Magnetic core systems, supplied by GEC, have been used for years in UK nuclear power stations and have no programmable software. [Presumably a magnetic core is a device where failure of a current through the core causes control mechanisms to revert to a safe state.]

The move by the NII is a partial victory for computer industry campaigners, who have long argued that public safety should not be entrusted to complex software.
Under Nuclear Electric proposals, Sizewell B will be the first nuclear power station in the UK to rely heavily on computers in its primary protection system (PPS), which detects a major failure, and, in the event of an incident, automatically shuts down the power station in a controlled fashion. But the BCS and other safety-critical software experts say the PPS systems, supplied by US firm Westinghouse, are too complex to test for dependability. The PPS is based on between 300 and 400 Eagle-series microprocessors and 100,000 lines of code.

The NII says it is up to Nuclear Electric to prove that its protection and other systems are safe. Until now inspectors have taken a neutral line, saying they are waiting for all the documentation from Nuclear Electric before deciding on whether the software is safe. However, officials now indicate that they may refuse to give Nuclear Electric consent to operate Sizewell B, unless the secondary non-computerised systems provide back-up to all aspects of the computerised PPS.

Nuclear Electric admits that the GEC secondary circuits back-up most, but not all, the computer protection systems. A spokesman for the NII said it has requested, rather than stipulated, that the secondary systems be strengthened. "We have asked them (Nuclear Electric) to consider extending the secondary systems as a prudent measure."

Anthony Naggs, PO Box 1080, Peacehaven BN10 8PZ, Great Britain
E-mail: amn@vms.brighton.ac.uk    +44 273 589701 (vox)

------------------------------

Date: Fri, 17 Jul 92 17:53:14 +0200
From: kaaniche@tsf.laas.fr
Subject: Call for papers FTCS-23

*             FTCS-23 : CALL FOR PAPERS              *
*                                                    *
*  The Twenty Third Annual International Symposium   *
*            on Fault-Tolerant Computing             *
*                                                    *
*         Toulouse, France, June 22-24, 1993         *
*                                                    *
*  Sponsored by IEEE Computer Society and LAAS-CNRS  *
*     in cooperation with AFCET and IFIP WG 10.4     *

AIMS and TOPICS

The Fault-Tolerant Computing Symposium is the major international forum in computing system dependability.
The symposium scope spans system, software and hardware issues, including: architectures, design, implementation, specification, modeling, test, diagnosis, evaluation and validation of dependable and fault-tolerant computing systems. In addition to regular paper presentations and panel discussions, the symposium offers special sessions on i) practical experience in fault-tolerant computing such as design and deployment of a system, failure and recovery field data, and correlation of field data with model predictions, ii) innovative ideas in early stages of research and development, iii) demonstrations of software tools and systems.

Major topics include, but are not limited to:
- Fault-Tolerant Architectures,
- Fault Tolerance in On-line Transaction Processing Systems,
- Distributed Systems and Real-Time Systems,
- Safety-Critical Systems,
- Software Fault Tolerance,
- Testing and Verification,
- Dependability Modeling and Prediction,
- Defect Tolerance,
- Concurrent Error Detection in VLSI circuits.

INFORMATION FOR AUTHORS

All submitted material (written in English) will be refereed and should be typed in 1-1/2 spaced, 12 point font. All accepted material will appear in the proceedings.

PAPERS should not exceed 20 pages including figures and text.

PANEL proposals should include the topic(s), a maximum two-page description of the panel objectives, names and addresses of the probable panelists. The proposed panel chair should include a one-page biographical sketch.

For PRACTICAL EXPERIENCE REPORTS and EARLY INNOVATIVE IDEA REPORTS, the submission should be a 5-10 page description of the experience or the idea. These manuscripts must be marked either "Practical Experience" or "Innovative Idea" for them to be considered in their respective categories.

For SOFTWARE DEMONSTRATIONS, the submission should be a 5-10 page description of the software, its context and objective, and of the planned demonstration.
Sun workstations and MacIntoshes connected to a video projector will be available. Please indicate on a separate sheet the requirements for the demonstration. These manuscripts must be marked "Software Demonstration".

SUBMISSIONS

Six copies of a 1-page abstract and a list of 5 keywords should be submitted to program chair Ambuj Goyal before October 30, 1992. Mark the envelope "FTCS 23 submission". Abstracts will be used for referee assignments. Please submit your abstracts on time to get best possible reviewing coverage.

Six copies of the papers, panel proposals, practical experience reports, early innovative idea reports and software demonstrations should be submitted to program chair Ambuj Goyal by December 4, 1992 and should be accompanied by ten copies of a title page which includes: the title, author name(s), affiliations, mailing address, phone number, fax number and e-mail, a maximum 150-word abstract, five keywords, an approximate word count and a declaration that the material has been cleared through author affiliations. For multi-authored submissions, the principal contact should be indicated. Mark the envelope "FTCS 23 submission".

Submissions arriving late or significantly departing from length guidelines, or papers published or submitted elsewhere will be returned without review. Notification of acceptance or rejection of all submissions will be made by March 12, 1993.

EXHIBITS

Exhibitors from both industrial and academic communities are encouraged. This will be an opportunity to present advanced products to an informed and sophisticated audience. Proposals must be submitted to exhibits chair Jean-Claude Rault by March 1, 1993 on the official application form available from the exhibits chair.

GENERAL CHAIR:
Jean-Claude Laprie (LAAS-CNRS)
7 Avenue du Colonel Roche
31077 Toulouse - France
E-mail: Jean-Claude.Laprie@laas.fr

PROGRAM COMMITTEE:
CHAIR: Ambuj Goyal, IBM T.J. Watson Res. Center, P.O.
Box 704, Yorktown Heights, NY 10598, USA
E-mail: ambuj@watson.ibm.com

V.Agarwal (CDN)    J.Hlavicka (CS)   D.Lenoski (USA)     W.Sanders (USA)
J.Arlat (F)        R.Iyer (USA)      Y.Levendel (USA)    N.Saxsena (USA)
D.Avresky (BG)     N.Kanekawa (J)    R.Leveugle (F)      J.Shen (USA)
M.Banatre (F)      J.Karlsson (S)    M.Malek (USA)       S.Shrivastava (GB)
P.Banerjee (USA)   J.Kelly (USA)     G.Masson (USA)      D.Siewiorek (USA)
D.Blough (USA)     K.Kinoshita (J)   J.Meyer (USA)       L.Simoncini (I)
F.Cristian (USA)   H.Kopetz (A)      T.Nanya (J)         B.Smith (USA)
T.Dahbura (USA)    T.Krol (NL)       M.Nicolaidis (F)    Y.Tamir (USA)
C.Georgiou (USA)   J.Lala (USA)      D.Powell (F)        D.Taylor (CDN)
J.Gray (USA)       G.Le Lann (F)     S.Reddy (USA)       H.Wunderlich (D)

CONFERENCE COORDINATOR
Marie-Therese Ippolito (LAAS-CNRS)
E-mail: Marie-Therese.Ippolito@laas.fr

PUBLICATION CHAIR
David Powell (LAAS-CNRS)
E-mail: David.Powell@laas.fr

PUBLICITY CHAIR
Mohamed Kaaniche (LAAS-CNRS)
E-mail: Mohamed.Kaaniche@laas.fr

EXHIBITS CHAIR
Jean-Claude Rault (EC2)
269 rue de la Garenne
92024 Nanterre - France
Tel +(33) 1 47 80 70 00
Fax +(33) 1 47 80 66 29

EX OFFICIO
Jacob Abraham, FTC-TC Chair
The University of Texas at Austin
2201 Donley Drive
Austin, TX 78758 - USA
jaa@cerc.utexas.edu

FOR FURTHER INFORMATION and/or a copy of the advance program when available, contact:
Mohamed Kaaniche
LAAS-CNRS
7 Avenue du Colonel Roche
31077 Toulouse - France
E-mail: Mohamed.Kaaniche@laas.fr
Tel +(33) 61 33 64 05
Fax +(33) 61 33 64 11

Mohamed KAANICHE             email: kaaniche@laas.fr
LAAS-CNRS                    tel: +33 / 61.33.64.05
7 av du colonel Roche        fax: +33 / 61.33.64.11
31077 TOULOUSE Cedex FRANCE

------------------------------

End of RISKS-FORUM Digest 13.65
************************