Subject: RISKS DIGEST 14.31 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Friday 5 February 1993 Volume 14 : Issue 31 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: "Computer Blamed For Phone Jam" [Ohio Bell] (Joe Brownlee) BNFL prosecuted for unauthorised software changes (Martyn Thomas) Residues in a surplus bank computer (Fred Cohen) Re: Educational computer game banned (Guy K. Haas) Re: Clever Tactics Against Piracy (Gerd Meissner) Anecdotes Wanted on the Risks of Information Security (Dorothy Denning) Re: The FBI and Lotus cc:Mail (Isaac Rabinovitch, Roger D Binns, Bill Stewart, Dorothy Denning [3x], Dick Joltes [2x], Ray Ozzie via Peter Wayner) Anyone can get your U. of Illinois transcript (Carl M. Kadie) Phone Company Cleverness (Jon Leech) The RISKS Forum is a moderated digest discussing risks; comp.risks is its undigested Usenet counterpart. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Fri, 29 Jan 93 7:42:40 EST From: joe@cbcosmos.att.com Subject: "Computer Blamed For Phone Jam" from the 1/28/93 Columbus (Ohio) "Dispatch" by Ron Lietzke and Bruce Cadwallader A three-minute computer failure at an Ohio Bell central office disrupted phone service for 42,000 telephone lines in the Downtown business district for about 45 minutes yesterday morning. The computer problem cleared after a few minutes, but the disruption snowballed when a surge of callers seeking dial tones caused a telephone traffic jam of sorts, Ohio Bell spokesman David Kandel said. Outgoing and incoming calls on 15 Downtown prefixes were disrupted by the problem, which started at 9:42 AM. The Columbus police, the Franklin County Sherrif's Department, Columbus Public Schools, and state offices were among those disrupted by the outage, Kandel said. Callers in the affected prefix areas who dialed 911 could not reach Columbus police or the Franklin County Sherrif's office for at least 3 minutes. However, those agencies reported that they did not receive any complaints after the dial tones returned. "It was starting to clear itself within minutes, but because you're looking at such a huge volume of calls Downtown, it took the system time to recover," Kandel said. "The system was delivering a very, very slow dial tone." Problems started when one of two computer processors failed. The other took over, but it took about three minutes for it to retrieve the information from the failed processor, Kandel said. Ohio Bell technicians were working with the equipment manufacturer yesterday to determine what caused the processor to fail. It still was not working late yesterday. [...] Columbus police dispatchers reported having problems for about 30 minutes. Chief Deputy Robert Taylor of the sheriff's department said this radio room used cellular phones until the problem cleared. Neither department knew of any emergencies missed because of the computer problem. Columbus firefighters said they were receiving 911 calls throughout the period of disruption. Two items of interest I note. One is that even a brief delay in grabbing data from the failed computer resulted in a large backlog. Perhaps the system was not designed to account for the large number of lines in downtown Columbus, which boomed during the 1980's. Phone systems tend to use less than state-of- the-art technology (to avoid many of the "bleeding edge" problems often noted here), but in this case, perhaps a faster processor or live mirroring of the data in question would have helped. As to my second point, twice the article points out that nobody knew of any emergency calls that were missed, with the implication that no harm was done. Dead men tell no tales? Joe Brownlee, Analysts International Corp. @ AT&T Network Systems 471 E Broad St, Suite 2001, Columbus, Ohio 43215 (614) 860-7461 joe@cbcosmos.att.com ------------------------------ Date: Thu, 4 Feb 93 15:48:16 GMT From: Martyn Thomas Subject: BNFL prosecuted for unauthorised software changes According to Computing (4 Feb), British Nuclear Fuels Ltd is being prosecuted for making alleged unauthorised software changes to a safety mechanism on a shield door at Sellafield. Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK. Tel: +44-225-444700. Email: mct@praxis.co.uk Fax: +44-225-465205 ------------------------------ Date: Wed, 3 Feb 93 18:35:52 -0500 From: fc@turing.duq.edu (Fred Cohen) Subject: Residues in a surplus bank computer This one goes in the `When will they ever learn?' category: I just got a call from a person who recently purchased a Unix based PC as junk from a bank, and low and behold, the computer was not cleaned before sale. How hard is it to break in? Not too! All you have to do is boot from a DOS floppy, run Norton Utilities or any similar tool, search for the `root:' part of the password file, and change that line to look like `root::0:1::/:'. Then you reboot from Unix and login as root with no password! So that's too simple to be believed, but of course it works, and now comes the real problem. I am not sure it's illegal to use that data however you want! That's right, the computer crime laws don't cover computers that are not attached to any networks, aren't part of the banking system, etc. This system is no longer a banking computer, the data was sold along with the system to the new owner by the bank with no stipulations or warnings (as-is), and the new owner, as far as I can tell, has the right to use anything on the computer as their own. It's a little upsetting that the bank didn't bother to do a secure deletion before giving all this data away (only about 120Mbytes worth of information on customers, etc.). How about the privacy of the customers of the bank? How about the EFT codes stored on-line! How about all the passwords that can now be guessed and exploited to enter the bank as if you were an employee? Oh well, anyone want to buy a used computer - no longer so cheap? [Expletives deleted if there were expletives UNDELETED. By the way, remember that the C2 Orange Book requirement is for deletion prior to initial assignment and reallocation. Somewhere there should be a requirement for deletion prior to permanent deallocation as well. PGN] ------------------------------ Date: Thu, 4 Feb 93 07:43:33 PST From: ghaas@informix.com Subject: Re: Educational computer game banned (Shaun, RISKS-14.30) With all due respect to Christina Kirby, the "Wizards" game is NOT a computer game. It is a pencil-and-paper game, like other adventure simulations. The students gain points by achieving goals in spelling (and perhaps other language-related tasks), and translate these points into progress around a game board. It bears a superficial resemblance to "Dungeons and Dragons," with magicians, wizards, a winged dragon, a pit -- symbols that some (fundamentalist) Christians equate with Satanism and/or disregard for Biblical symbolism. The symbols were the basis of the argument made against the game. The teachers had two objections -- the issue of choice of instructional materials, and that of the way the District imposed the ban. One result of the uproar was a rewrite of the "Challenged Instructional Materials" policy. making the evaluation process much more accessible to the concerned public. Another was the motivation of a parent in the district who fought the ban to mount a (successful) run for a School Board seat last election, unseating an incumbent. --Guy K. Haas (active in the MUSD since 1987) ------------------------------ Date: 03 Feb 93 04:28:01 EST From: Gerd Meissner <100064.3164@compuserve.com> Subject: Re: Clever Tactics Against Piracy (RISKS-14.30) It might be interesting for readers who want to know more about the "Clever Tactics Against Piracy" (RISKS 14.30) that the story, including some technical details, was first published in the German news magazine DER SPIEGEL (#36, 1992, August 31st), titled "Trojanisches Pferd" (Trojan Horse). The company used a 12-digit key that looked like the serial number of the "free-demonstration coupon", which had to be printed out and sent back, to identify the pirated copies found on the "customers" machine and some details about the computer it was found on. [Mark Brader just reminded me in a different context of always looking a Trojan horse in the mouth. PGN] ------------------------------ Date: Thu, 4 Feb 93 13:26:04 EST From: denning@cs.cosc.georgetown.edu (Dorothy Denning) Subject: Anecdotes Wanted on the Risks of Information Security I am seeking anecdotes of incidents where information security mechanisms or practices led to a problem (e.g., lost work or data, wasted time, down time, being locked out because of lost crypto keys or access tokens). I am also interested in descriptions of security features that are difficult to use and lead to problems. If you send me something, please indicate whether I can attribute it to you or you wish to remain anonymous. Thanks, Dorothy Denning denning@cs.georgetown.edu ------------------------------ Date: Sun, 31 Jan 1993 18:49:01 GMT From: ergo@netcom.com (Isaac Rabinovitch) Subject: Re: The FBI and Lotus cc:Mail (Joltes, RISKS-14.29) >Happily, the presenter said that Lotus refused to honor the FBI's request. >Bravo! Do not relax. So what if an official back door doesn't exist? Other federal agencies are more discreet than the FBI, and would consider "their" back door useless if any notice were taken of its existence. Furthermore, somebody is bound to see the profit in covertly adding a back door to a product and quietly selling it to individuals with a commercial interest in violation of privacy. I checked with Lt. Colonel North, Admiral Yamamoto, and especially Captain Murphy, and they all agree: never assume a publically-accessible medium is secure just because it's encrypted! ergo@netcom.com Isaac Rabinovitch {apple,amdahl,claris}!netcom!ergo Santa Cruz, CA ------------------------------ Date: Mon, 1 Feb 93 11:47:57 GMT From: Roger D Binns Subject: The FBI and Lotus cc:Mail (Joltes, RISKS-14.29) : Happily, the presenter said that Lotus refused to honor the FBI's request. Are you sure? Lotus could quite easily have honoured their request, and merely tell everyone they haven't. The FBI is happy, the consumer is happy. This brings to a mind a phrase 'ignorance is bliss'. Roger cs89rdb@brunel.ac.uk Roger Binns Brunel University - UK | ------------------------------ Date: Tue, 2 Feb 93 12:52:36 EST From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) Subject: The FBI and Lotus cc:Mail In RISKS 14.29, joltes@husc.harvard.edu reports that Lotus says that the FBI had asked them to place backdoors into Notes and cc:Mail, and they refused. Assuming that they told the truth, I'll second Dick's "Bravo!". But one RISK here is that, without *sources*, it's hard to tell - does Lotus provide sufficient documentation on file formats and encryption algorithms that users can verify that the program does what it claims? Bill Stewart, AT&T Bell Labs, Holmdel, NJ, wcs@anchor.att.com [Even WITH sources it can be hard to tell. Recall Ken Thompson's C-compiler Trojan horse in which there were no changes to the source code of either the C compiler or the UNIX login routine. PGN] ------------------------------ Date: Fri, 29 Jan 93 13:34:41 EST From: denning@cs.cosc.georgetown.edu (Dorothy Denning) Subject: Re: The FBI and Lotus cc:Mail (Joltes, RISKS-14.29) In RISKS-14.29, Dick Joltes said the following about a presentation he attended on Lotus Notes and the response of the Lotus representative to a question about how the encryption was done: The presenter said that the data was considered very secure, so much so that the FBI had approached Lotus to ask that a "back door" be left in the software in order to give the Bureau a method for infiltrating suspects' filesystems. She said they were specifically targeting "drug dealers and other bad people." Given this backdoor, what was to stop the Bureau from inspecting confidential materials on any system? The risks seem obvious. ... There are, in fact, very good controls to stop the FBI or any other law enforcement agency from doing this. They're called warrants. In order to execute a search and seizure on any system, the government needs to have a court order. To get a court order, they have to demonstrate that there is probable cause that a crime has been commited. Neither the FBI nor any other law enforcement agency is allowed to "infiltrate" someone's system and poke around to see what's there. The "obvious" risk here is not from the government. If the government is unable to break through the crypto or get the key, they may be unable to obtain evidence needed to prosecute someone who has commited a crime. This is potentially a very serious problem, especially as records become more heavily computerized. Happily, the presenter said that Lotus refused to honor the FBI's request. Bravo! Encryption of files and communications is going to make it much more difficult, and in some cases impossible, for law enforcers to get evidence needed for conviction. Unless we want a society with greater crime, we need to find some way of meeting both our needs for information security and our needs for law enforcement. Then we can cheer. Dorothy Denning Professor & Chair, Computer Science, Georgetown University ------------------------------ Date: Mon, 1 Feb 93 14:16:33 EST From: joltes@husc.harvard.edu Subject: Re: The FBI and Lotus cc:Mail Dorothy Denning, responding to my posting regarding cc:Mail, says: > There are, in fact, very good controls to stop the FBI or any other law > enforcement agency from doing this. They're called warrants. In order ... > the FBI nor any other law enforcement agency is allowed to "infiltrate" > someone's system and poke around to see what's there. The key word here is "allowed." As we've seen with such scandals as Watergate and Iran-Contra, what is allowed by law and what is actually done sometimes are two different things. What is to stop an agency from conducting an initial covert search of a person or corporation's records, then requesting the warrant after they find questionable or illegal material? Dorothy's comments presuppose that all operatives within all governmental bodies are completely honest. While I would say that a majority of these workers are honest, the risk that some are not makes the presence of known back doors in supposedly "secure" software a highly questionable situation. > The "obvious" risk here is not from the government. If the government > is unable to break through the crypto or get the key, they may be > unable to obtain evidence needed to prosecute someone who has commited > a crime. This is potentially a very serious problem, especially as > records become more heavily computerized. Certainly it is. However, we must evaluate whether the risks to the public at large outweigh the advantage of having such back doors available to legitimate authorities. What if the codekey sequence used to activate the alternative access method became known due to a security leak (disgruntled Lotus employee or government agent, espionage, etc)? Lotus would then need to issue a binary patch to change the codekey (at their expense, no doubt). Customer confidence in the product would sag and businesses would begin to question the security of their own supposedly encrypted software. If I were running a business and knew that a product I was evaluating had a built-in back door, it would end my interest in the product. > Encryption of files and communications is going to make it much more > difficult, and in some cases impossible, for law enforcers to get > evidence needed for conviction. Unless we want a society with greater > crime, we need to find some way of meeting both our needs for > information security and our needs for law enforcement. Then we can > cheer. My cheer was in regard to Lotus' refusal (well, they *said* they refused) to blindly install a security hole in their most successful product simply because a government agency said "please do it." Knowing that acquiescence to such a demand was a violation of the trust placed in Lotus products by their customers, they did the "right thing" and said "no." I agree that some balance needs to be stuck, but the scales must not be tilted to the needs of law enforcement at the expense of the public. Given some recent incidents (such as "Operation Sun Devil," which nearly put a legitimate business into bankruptcy due to the actions of paranoid and uninformed agents) it seems obvious to me that few Federal agencies currently possess the basic skills needed to differentiate between criminals and "fringe groups" such as gamers and hackers whose participation in society is outside the "norm" of American experience. The subject of "Computing and the Law" is one that is just beginning to make an impact on society, and both the public and the government need to feel through the tangle of issues that surround it. We must not make the mistake of infringing on privacy simply to deter crime, since this will establish legal precedents that could easily become Draconian in their use if unchecked. Dick Joltes, Harvard University Science Center joltes@husc.harvard.edu Hardware & Networking Manager, Computer Services joltes@husc.bitnet ------------------------------ Date: Wed, 3 Feb 93 12:03:53 EST From: denning@cs.cosc.georgetown.edu (Dorothy Denning) Subject: Re: The FBI and Lotus cc:Mail Dick Jotes, responding to my response to his post on cc:Mail, says: The key word here is "allowed." As we've seen with such scandals as Watergate and Iran-Contra, what is allowed by law and what is actually done sometimes are two different things. What is to stop an agency from conducting an initial covert search of a person or corporation's records, then requesting the warrant after they find questionable or illegal material? Dorothy's comments presuppose that all operatives within all governmental bodies are completely honest. While I would say I do not assume that everyone in government is totally honest. Rather, I acknowledge that the American system of government has extensive mechanisms to protect against abuses, including the illegality of breaking into someone's system or conducting a search without a warrant, Congressional oversight committees and hearings, and the use of the media to expose abuses. What if the codekey sequence used to activate the alternative access method became known due to a security leak (disgruntled Lotus employee or government agent, espionage, etc)? Lotus would then need to issue a binary patch to change the codekey (at their expense, no doubt). Customer confidence in the product would sag and businesses would begin to question the security of their own supposedly encrypted software. Customer confidence is an important concern, but since we don't know exactly what the FBI requested of Lotus, we don't know what vulnerabilities might exist and whether businesses would accept whatever risks might be present. I agree that some balance needs to be stuck, but the scales must not be tilted to the needs of law enforcement at the expense of the public. Given some recent incidents (such as The public needs law enforcement. This is not the public vs. law enforcement. "Operation Sun Devil," which nearly put a legitimate business into bankruptcy due to the actions of paranoid and uninformed If you're referring to Steve Jackson Games, it was not part of the Sun Devil investigation (which was about toll fraud and credit card fraud). agents) it seems obvious to me that few Federal agencies currently possess the basic skills needed to differentiate between criminals and "fringe groups" such as gamers and hackers whose participation in society is outside the "norm" of American experience. Please don't make such sweeping generalizations based on one case or even a few. There have been hundreds (probably thousands) of cases that have been handled extremely well. The subject of "Computing and the Law" is one that is just beginning to make an impact on society, and both the public and the government need to feel through the tangle of issues that surround it. We must not make the mistake of infringing on privacy simply to deter crime, since this will establish legal precedents that could easily become Draconian in their use if unchecked. I agree that this is a difficult issue that needs to be sorted out. I also argue that we need to find ways to satisfy both our need to control crime and our need for privacy & security. None of these needs will be or indeed can be satisfied in an absolute way. The challenge is to find ways that keep the risks at acceptable levels. Dorothy Denning ------------------------------ Date: Thu, 4 Feb 93 16:39:43 EST From: denning@cs.cosc.georgetown.edu (Dorothy Denning) Subject: Re: The FBI and Lotus cc:Mail I talked with a knowledgeable person in FBI Headquarters whom I know and trust about the claim that they asked Lotus to put a "back door" into the encryption system of Notes. He was confident that Headquarters had not made any such request of Lotus and was surprised to hear about it. He did not know if someone in one of the field offices might have asked Lotus for help in conjunction with a specific investigation. Dorothy Denning ------------------------------ Date: Fri, 5 Feb 93 9:16:39 EST From: joltes@husc.harvard.edu Subject: Re: The FBI and Lotus cc:Mail There should be additional information on its way to RISKS about this subject (from another source). Employees of Lotus were involved in meetings with the FBI held under the auspices of the EFF over the past 18 months. Several proposed bills were discussed and tabled. We have it from one of the employees who was actually involved. It is not surprising that Dorothy's source knew nothing (if true) of the contacts. Stratification and compartmentalization within federal organizations is not uncommon, with the result that groups within the same agency do not know of the activities of others. Dick Joltes joltes@husc.harvard.edu ------------------------------ Date: Tue, 2 Feb 1993 23:36:50 -0500 From: Peter Wayner Subject: With Regard to Lotus Notes and the FBI... {This is the text of a letter to me from Ray Ozzie, one of the developers of Lotus Notes. He said it was okay to forward this to comp.risks to clarify the recent posting about the FBI's involvement with Lotus. I believe that the details of the interaction are much less ominous in this rendition and more importantly it comes from the head developer's mouth. -PCW} The message entitled "The FBI and Lotus cc:Mail" is not entirely correct, although it is correct "in spirit". As one of the developers of Notes, I have represented Lotus twice regarding FBI proposals. In the first (about 18 months ago), the FBI was trying to persuade Congress to pass a law requiring communication service providers to deliver the original plain text of messages entering their systems, in essence requiring us to install a back door. Lotus was not approached by the FBI - rather, the EFF learned of the bill and asked me to participate in a round-table discussion with lawmakers and others from the telecommunications and computer industries. The bill was tabled shortly thereafter. Last year, we again participated in several discussions with the FBI related to a new proposal that would have required manufacturers of communication equipment and services to modify their products (in this case, Lotus Notes) to be able to, on demand and in a timely fashion and from a single access point, grant the FBI access to communications. This new law would not require us to install a backdoor, that is, they took the issue of encryption off the table, but would instead require us to install logic into our message routers to disable dynamic adaptive least-cost path routing and also to disable code that breaks messages into packets for transmission on different virtual circuits. It would also require us to put logic into the message routers to deliver copies of messages to a central monitoring point from anywhere in the network. This FBI plan has also been tabled. If it weren't for the Electronic Frontier Foundation, we never would have had a chance to participate. EFF and the CPSR are providing a great service for our industry, which has a pitifully small lobbying presence in Washington. Neither Lotus nor Lotus Notes was singled out by the FBI, rather, I represented Lotus voluntarily in order to defend Lotus' commercial interests. Additionally, I was compelled to attend because I believe very, very strongly in my right to privacy as a US citizen. On the other hand, the FBI has a very difficult job to do, and with the onslaught of technology, it fears that it may soon lose its longstanding authority to carry out court-ordered wiretaps. Valid wiretaps - ones that you would probably agree with. From their perspective, why can't a technical solution be found to what appears to be a technical problem? From my perspective, though, the cat's out of the bag. It's already very easy for the average joe to do effectively unbreakable end-to-end encryption of messages on standard PC hardware. Passing laws won't stop bad guys from using encryption, so these laws will just have the effect of increasing the cost of every mail system, every PBX, every LAN router, every cellular phone, and so on. Not to say what the laws will do to your privacy. Think about it. And then call the EFF. ------------------------------ Date: Sun, 24 Jan 1993 17:47:45 GMT From: kadie@cs.uiuc.edu (Carl M. Kadie) Subject: Anyone can get your U. of Illinois transcript If you are a student at U. of Illinois, you should know that anyone who knows your social security number and birthday can now see your official transcript. To add insult to injury, if someone does looks at your transcript, *you* will be charged a $5 transcript fee. The administration building, room 100, now has three computer terminals. Anyone can walk up to one and type 1) a social security number 2) a birthday 3) an address If the social security number and birthday match a current student, that student's transcript will be send to the address and that student's account will be charged $5. At the very least, check your university bill. It seems that your only protection is your ability to track down the destination address of an improperly send transcript (assuming the university keeps a record of these addresses). - Carl Kadie = kadie@cs.uiuc.edu = ------------------------------ Date: 25 Jan 1993 21:00:58 GMT From: leech@cs.unc.edu (Jon Leech) Subject: Phone Company Cleverness Seen on page 2 (e.g. the part most people throw out) of this month's bill from Southern Bell: "Call RightTouch(R) service [to do various things such as disconnecting your phone or ordering extra-cost services] .... Please protect your access code: ####" ^ actual 4-digit code printed here ------------------------------ End of RISKS-FORUM Digest 14.31 ************************