Subject: RISKS DIGEST 13.87 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Monday 26 October 1992 Volume 13 : Issue 87 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: US presidential election year politics help cause time zone bugs (Paul Eggert) Privacy of e-mail (Symantec/Borland suit) (Robert Bowdidge) New risk reports (Jonathan Bowen) The DC-10 Case (Robert Dorsett) Re: Erased Disk used against Brazilian President (Bob Frankston, Robert Slade) Re: Risks in banking (Steve Lamont) T*p S*cr*t II and William Safire (Bob Devine) Conference on Computers, Security and the Law (Kimble) Re: 15th National Computer Security Conference (A. Padgett Peterson, Peter K. Boucher, Larry Hunter, Pete Kaiser) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Mon, 26 Oct 92 14:47:57 PST From: eggert@twinsun.com (Paul Eggert) Subject: US presidential election year politics help cause time zone bugs Several people on the west coast of the US reported that their Unix systems failed to switch from daylight savings time to standard time yesterday, 25 October 1992. The reason? When they originally configured their systems, they were asked to choose one of the following time zone rules: US/Alaska US/Central US/Hawaii US/Pacific US/Aleutian US/East-Indiana US/Michigan US/Pacific-New US/Arizona US/Eastern US/Mountain US/Samoa ... Some people chose `US/Pacific-New' instead of `US/Pacific'. After all, who wants the old version when you can have the new version? Unfortunately, `US/Pacific-New' stands for ``Pacific Presidential Election Time'', which was passed by the House in April 1989 but never signed into law. In presidential election years, this rule would have delayed the PDT-to-PST switchover until after the election, to lessen the effect of broadcast news election projections on last-minute west-coast voters. Thus, US/Pacific-New and US/Pacific have always been identical -- until yesterday. This problem comes from combining Arthur David Olson's deservedly popular time zone software (which you can FTP from elsie.nci.nih.gov in pub/tz92b.tar.Z) with some overly terse vendor-supplied installation procedures. No doubt Olson did not use a more informative name like `US/Pacific-Presidential-Election' because of the 14-character file name length limit in many Unix file systems. In view of yesterday's experience, though, it seems unwise to make the hypothetical choice available under any name, since it gives free rein to Murphy's Law. ------------------------------ Date: Tue, 6 Oct 92 12:54:30 -0700 From: bowdidge@cs.UCSD.EDU (Robert Bowdidge) Subject: Privacy of e-mail (Symantec/Borland suit) In the Los Angeles Times business section on Monday, 5 October 1992, there was an article describing some of the difficulties of Symantec, a publisher of software for the Macintosh and IBM-PC markets. One of the more interesting situations for the company was a criminal complaint and civil suit filed by Borland International charging a former Borland vice president with passing trade secrets. >From the article: (Eugene) Wang, disappointed after a management reshuffle two months earlier, resigned from Borland earlier the same day [that Symantec announced he had been hired as a vice president]. Acting on a tip, Borland officials searched records of electronic mail that Wang had sent via MCI Mail. They found ten messages he had sent to Eubanks and others that allegedly contained proprietary information on Borland's product plans. Normally, that might lead to a civil suit. Such actions have become relatively common in an industry where the expertise of a few people is often a company's key asset. But Borland took matters a step further, filing a criminal complaint with the Scotts Valley Police Department in addition to a civil suit. Police said they found the information in the messages sufficient grounds to seek a search warrant [for Symantec's offices and Wang's home.]... Legal experts who aren't involved in the case don't know what to make of it. ``At first blush, it seems like they (Borland) must have had some pretty good evidence,'' said Kaufman of [Brobeck, Phleger, and Harrison, a San Francisco law firm]. ``But it's bizarre -- Wang, a premier computer scientist, doesn't know that when you use MCI mail, it's recorded? It's a very strange set of facts. [Yet another reason to encrypt my mail... Robert Bowdidge bowdidge@cs.ucsd.edu] ------------------------------ Date: Mon, 26 Oct 92 14:46:11 GMT From: Jonathan.Bowen@prg.ox.ac.uk Subject: New risk reports There is an article on risk in today's (Monday, 26 October 1992) UK Independent newspaper (p14) which RISKS readers may find interesting entitled "The chances of being run over by a bus" by Tom Wilkie. It advertises two reports which sound as if they are worth looking at: "The Tolerability of Risk from Nuclear Power Stations", HMSO, PO Box 276, London SW8 5DT, UK. (12 pounds sterling.) "Risk: Analysis, Perception and Management", The Royal Society, 6 Carlton House Terrace, London SW1Y 5AG, UK. (15.50 pounds sterling.) The latter values "a statistical life" at 2-3 millions pounds sterling (c $4 million) in that this is the sort of amount of money that should be spent on saving one life. However the article states that John MacGregor, the Secretary of State for Transport, for his department values a life at only around 500,000 pounds sterling. Jonathan Bowen, Oxford University (Of course, the value of a human life in the UK has been devalued by about 10% recently. :-) ------------------------------ Date: Fri, 9 Oct 92 01:17:11 CDT From: rdd@cactus.org (Robert Dorsett) Subject: The DC-10 Case [also in sci.aeronautics,rec.travel.air] Ran across this. It looks like a nice little anthology, covering many aspects of the DC-10. Probably worth it for the NTSB reports alone ($20 each from NTIS). I haven't read the more "thematic" articles, though, and no endorsement is meant or implied. Robert Dorsett ...cs.utexas.edu!cactus.org!rdd Title: The DC-10 Case Subtitle: A study in applied ethics, technology, and society. Editors: John H. Fielder and Douglas Birsch Publisher: State University of New York Press Date: 1992 Pages: 346 ISBN: 0-7914-1087-0 (hardcover) 0-7914-1088-9 (paper) Illustrated. CONTENTS: Preface Introduction Ethical Analysis of Case Studies/John H. Fielder HISTORY AND EARLY WARNINGS 1. Regulatory and Institutional Framework 2. High Risks, Sinking Fortunes/John Newhouse 3. Floors, Doors, Latches and Locks/John Fielder 4. The 1970 Ground Testing Incident/Paul Eddy, Elaine Potter, Bruce Page 5. National Transportation Safety Board Report on the Windsor Incident 6. The Applegate Memorandum/Paul Eddy, Elaine Potter, Bruce Page 7. Fat, Dumb and Happy: The Failure of the FAA/Paul Eddy, Elaine Potter, Bruce Page 8. Compliance with Service Bulletin SB 52-37 9. Conclusions of the US Senate Oversight Hearings and Investigation of the DC-10 Aircraft THE 1974 PARIS CRASH 10. French Government Report on the 1974 Paris Crash 11. Engineers Who Kill: Professional Ethics and the Paramountcy of Public Safety/Kenneth Kipnis 12. Whistleblowing, Ethical Obligation, and the DC-10/Douglas Birsch 13. What is Hamlet to McDonnell Douglas or McDonnell Douglas to Hamlet?: DC-10/Peter French Commentary/Homer Stewell 14. Statement of John C. Brizendine, President, Douglas Aircraft Company, McDonnell Douglas Corporation THE 1979 CHICAGO CRASH 15. National Transportation Safety Board Report on the 1979 Chicago Crash 16. The DC-10: A Special Report/McDonnell Douglas 17. Two Models of Professional Responsibility/Martin Curd and Larry May THE 1989 SIOUX CITY CRASH 18. National Transportation Safety Board Report on the 1989 Sioux City Crash 19. The 1989 Sioux City Crash/John Fielder 20. Statement of Ralph Nader 21. Aviation Safety: Management Improvement Needed in FAA's Airworthiness Directive Program 22. The FAA, the Carriers, and Safety/Charles Perrow 23. International Airline Passengers Association Critique of the DC-10 24. Moral Responsibility for Engineers/Kenneth D. Alpern Commentary/Andrew Oldenquist Commentary/Samuel C. Florman Select Bibliography IEEE Code of Ethics Index Back Cover: "Designed as a textbook for courses in ethics, this book provides the material needed to understand the accidents in which more than 700 people were killed-- accidents that many believe were the result of unethical actions and inactions by individuals, organizations, and government agencies. An introduction to ethical analysis and discussions of the ethical responsibilities involved are also provided. The case study offers material for a sustained inquiry into every level of ethical responsibility reflecting the rich complexity of actual events. "_The DC-10 Case_ presents these issues through a collection of original and published articles, excerpts from official accident reports, congressional hearings, and other writings on the DC-10. The authors allow the readers to examine the ethical issues of airline safety as they actually occur, taking account of the circumstances in which they arise. "John H. Fielder is is Professor and Douglas Birsch is Assistant Professor of Philosophy at Villanova University." ------------------------------ Date: Sun 25 Oct 1992 01:57 -0400 From: Bob_Frankston@frankston.com Subject: Re: Erased Disk used against Brazilian President Of course, as RISKS readers know, getting rid of information is very difficult. On the PC erase only erases the name of a file not the contents. With proper backup, as Oliver North discovered, it is very hard to remove all copies of data. There are also other caches such as email pools where one might be able to retrieve recent data. There is a more general issue of living in a society with a very good memory. It is one thing to knowingly do something illegal and leaving a trail. A more subtle danger is a changing society that might look back at an innocuous act and ex post facto, decide it was reprehensible. ------------------------------ Date: Mon, 26 Oct 1992 20:05:30 GMT From: rslade@sfu.ca (Robert Slade) Subject: Re: Brazilian Presidential Erased Disks (RISKS-13.86) The software used here is probably very simple. When a computer file is "erased", actually only the directory entry is changed, and the sectors used are marked as again being available for use. The file can easily be "undeleted": numerous utilities exist for this purpose, including (I am assuming, from the original posting, that the computer in question uses MS-DOS) one that is part of the MS-DOS 5 system. In fact, such utilities need not be used: if no changes have been made on the disk, the FAT can be changed manually with a sector editing program. If the file cannot be "undeleted" in this manner, part of the file may still exist on the disk, and can be read with a sector editor or viewer. (I recently checked a diskette with the CHKDSK utility, and found portions of files that had been deleted three or four years ago. This particular disk has been in daily use with three or four large files being written to it each day.) The fact that files are not actually "destroyed" has come as a shock to a number of people. I seem to recall that this fact had some significance to Ollie North. Also, Prodigy scared the pants off some people by creating a large "swap" file area on disk without "clearing" it first. Portions of deleted files were, of course, found within it, leading to (somewhat unjustified) charges that Prodigy was somehow violating system security. The fact that erased files may still physically exist is one that some antiviral programs try to address. When an infected file cannot be "disinfected", some antivirals will delete the existing file ... and then overwrite the area previously occupied with standard characters. There are utility programs which will do this with files you wish to keep secret: some make five or more passes with different characters each time. Vancouver Institute for Research into User Security, Canada V7K 2G6 ROBERTS@decus.ca rslade@cue.bc.ca p1@CyberStore.ca 604-526-3676 [Also noted by ray@philmtl.philips.ca (Ray Dunn). PGN] ------------------------------ Date: Sun, 25 Oct 92 15:45:40 -0800 From: spl@golgi.ucsd.edu (Steve Lamont) Subject: Re: Risks in banking For what its worth and just as a matter of record, I am the original author of the item "Risks in Banking, Translation, etc.," which appeared in RISKS-13.86. It was a submission to a recent issue of Gene Spafford's Yucks Digest mailing list. Steve Lamont, SciViGuy -- (619) 534-7968 -- spl@szechuan.ucsd.edu UCSD Microscopy and Imaging Resource/UCSD Med School/La Jolla, CA 92093-0608 [Also noted by Paul M. Wexelblat . Actually the ORIGINAL AUTHOR was someone unidentified on the CACM staff. Steve was the original contributor, to YUCKS. PGN] ------------------------------ Date: Mon, 26 Oct 92 17:53:53 -0800 From: Subject: T*p S*cr*t II and William Safire Berry Kercheval write: >In my initial briefings for these clearances it was emphasized that classified >information must be strictly controlled, and in fact we were given specific >procedures for what to do if we found unattended classified documents lying >around. Political columnist William Safire told the story that he would get his personal documents past government security officers by putting a printed heading on each document. The heading came from a very high security level document that he once saw as part of reporting. All went fine for a long time because he could take his "protected" document that contained his notes into meetings. Unfortunately, one day a security person confiscated the document because he wasn't supposed to have such a highly secret codeword on it! This is analogous to protective coloration in nature... Bob Devine ------------------------------ Date: Thu, 22 Oct 92 15:43:51 From: kimble@minster.york.ac.uk Subject: Conference on Computers, Security and the Law COMPUTERS SECURITY AND THE LAW, A CONFERENCE TO BE HELD AT THE UNIVERSITY OF YORK 31 March - 01 April 1993 The conference will be run by the Department of Computer Science at the University of York in association with the Licensing Executives Society and the Society of Computers and the Law. The aim of the conference is to highlight some of the important legal issues that surround the use, and abuse, of computer technology in a way that should be accessible to the non-specialist, such as lawyers or computer scientists. The target audience for the conference are senior managers and others in both public and private sector organisations who wish to improve their knowledge about the legal aspects of buying, using or creating computer related products and services. The conference will be of interest to the police, the civil service, banks, insurance and building societies. The programme will take place over two consecutive days. The first day will deal with the legal aspects of intellectual property rights, copyright and contract law as it relates to computer products and services. The second day will deal with the topics of computer crime and its prevention, security, data protection and privacy. The conference dinner will be held at the end of the first day with a keynote speaker who will provide the link between the themes. Delegates will be able to register for either of the two days separately if they wish. Proceedings of the conference will be published and available to participant after the conference. FEES: Fees will range from #275 for the full conference to #165 for one day. Discounts are available for early booking. Provisional Programme Day One: 10.30 - 11.15 Overview of law relating to intellectual property rights 11.15 - 12.00 Copyright law 12.00 - 12.45 (Questions & Answers) 14.00 - 14.45 Computer contracts. (Software) 14.45 - 15.30 Computer contracts. (Hardware) 16.00 - 16.45 (Questions & Answers) 19.00 - 22.00 Conference Dinner and keynote speaker at St William's College in York Day Two: 10.00 - 10.45 Computer Crime 10.45 - 11.30 Damage to programs or data 11.30 - 12.15 (Questions and Answers) 13.30 - 14.15 Hacking 14.15 - 15.00 Data Protection Act, Security & Privacy 15.30 - 16.15 (Questions and Answers) THE UNIVERSITY OF YORK is situated in Heslington, two miles away from the centre of York. The campus has been described as one of the finest examples of twentieth century English romantic landscape architecture. Its main feature is a large man-made lake supporting a wide variety of wild fowl. The Department of Computer Science has an international reputation for being at the leading edge of developments in the fields of Software Engineering, Safety Critical Systems, Human Computer Interaction and New Computer Architectures It has recently expanded both its teaching and research to include the many faceted and dynamic field of the application of Information Technology to Business Management and maintains many contacts in both industry and government agencies. LICENSING EXECUTIVES SOCIETY The Society is committed to providing education and information to present and future users of licensing, and gladly supports the University of York in this conference, which will answer an ever increasing demand in the business and licensing communities for up-to-date information on this important subject. SOCIETY OF COMPUTERS AND THE LAW The Society was founded in 1973 as a forum to promote the effective and profitable use of computer technology for lawyers. The Society informs and promotes interest both in the development of information technology for the practice and teaching of law, as well as in the law relating to computers - not only for Society members but also for members of the public at large. FURTHER DETAILS FROM: Conference Organiser: Francoise Vassie, Centre for Continuing Education, King's Manor, York, YO1 2EP, The University of York Tel 0904 433900 Fax 0904 433906, E-Mail KIMBLE@UK.AC.YORK.MINSTER ------------------------------ Date: Sat, 24 Oct 92 17:25:53 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: 15th National Computer Security Conference (Denning, RISKS-13.86) >From: denning@cs.cosc.georgetown.edu (Dorothy Denning) ... >5. Listen in and decrypt the communications. With all due respect to Mrs. Denning, I suspect that item number five would not be "Listen in and decrypt the communications" but rather "Listen in and discover that a secondary encryption was also used". Anyone intelligent enough to realize that a process for disclosure existed would be intelligent enough to use the approved scheme to mask the real encryption, or even just to use a different key from the "approved" one if they really had something to hide. The only advantage to the suggested scheme would be to the "bad guys" since steps 1-5 would have to be processed before the deception would be discovered - or is there a suggestion that "someone" should randomly test messages to see if the approved key is sufficient to decrypt ? Point is, the technology exists to encrypt transmissions, even if it is as simple as the DE knowing that when I say "stop" I really mean "go". Legislating breakability has about as much chance as commanding the sun to rise in the East: it will appear to be effective only until it is tested. Padgett ------------------------------ Date: Mon, 26 Oct 92 10:52:02 -0800 From: "Peter K. Boucher" Subject: Re: (Denning, RISKS-13.86) Dorothy Denning writes: > I believe this risk [abuse of encryption keys registered with a government agency] > can be reduced to about zero. For example, using a > public-key system, your key could be encrypted under the public key belonging > to, say, the Justice Dept. The encrypted key would be given to and held by an > independent agency. But, the key could be decrypted only by Justice. Thus, if > someone gains access to a key held by the key agency, they wouldn't be able to > decrypt it. 1) Can you trust the criminals to provide the keys to their data and to use those keys (and no others) when transmitting incriminating data? If not, what's the point? 2) If you send mangled random data (garbage), can you be prosecuted for not giving the Gov't the proper keys? Will they believe your assertion that your transmission was truly meaningless? 3) What exactly are the anticipated benefits of registering keys with a federal agency, and, given your answers to the above, how do they justify the cost and inconvenience of creating such a system? Peter K. Boucher, Computer Science Lab, SRI International #EL-237 Menlo Park, CA 94025 boucher@csl.sri.com (415) 859-3927 ------------------------------ Date: Mon, 26 Oct 92 12:38:23 -0500 From: hunter@nlm.nih.gov (Larry Hunter) Subject: (Re: Denning, RISKS-13.86) In Risks 13.86, Dorothy Denning claims that it is easy to set up a government depository into which all decryption keys for all encrypted messages send over public networks which would be safe from non-court ordered government interception. I must disagree. Her plan is (quoting): [U]sing a public-key system, your key could be encrypted under the public key belonging to, say, the Justice Dept. The encrypted key would be given to and held by an independent agency. But, the key could be decrypted only by Justice. Thus, if somone gains access to a key held by the key agency, they wouldn't be able to decrypt it. To use a key, law enforcers would have to go through these steps: 1. Get a court order. ... However, if the _Justice Department_ gains access to a key held by the agency (or the agency's whole database), they would indeed be able to decrypt traffic. For Dr. Denning's scheme to work, I have to trust the "independent" agency not to collude with the Justice Department. I certainly would not trust any executive branch agency not to cooperate with another executive branch agency. It is also extremely unlikely a "key agency" would be formed outside of the Executive. The only precedent I can think of is the Federal Reserve system, and even its independence in circumstances of significant interest to the executive (e.g. interest rates around election time) is suspect. In my personal opinion, Dr. Denning's proposal does not adequately address the issues raised by socio-political context of her weak encryption scheme. Without extremely stiff penalties and personal liability for illegal decryption in addition to a technical system that identified decrypting parties, it is hard to imagine how any system could require key registration and still offer some protection against nonwarrant government surveillance. The political difficulty of passing legislation that involves the potential for such penalties to be applied to law enforcement officers suggests to me that all "weak" schemes are unlikely to offer such protection. ------------------------------ Date: Sun, 25 Oct 92 22:54:19 -0800 From: kaiser@heron.enet.dec.com (European Technology & Architecture) Subject: The "independent agency" to hold cryptokeys Dorothy Denning writes: The encrypted key would be given to and held by an independent agency. But there is in fact no such agency in the federal government, which means that all such discussion is empty theorizing. Judging the events of the last several decades make me pessimistic that we could ever have one (again?). ___Pete kaiser@heron.enet.dec.com +33 92.95.62.97 ------------------------------ End of RISKS-FORUM Digest 13.87 ************************