Subject: RISKS DIGEST 14.33
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 18 February 1993  Volume 14 : Issue 33

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Cable freeloaders (Tony Scandora)
Esperanto from a computer error (Philip Brewer)
A "Handy" Risk for AirTravel? (Klaus Brunnstein)
Released GSA Docs Slam FBI Wiretap Proposal (A. Padgett Peterson)
Re: Tapping phones (Fred Cohen)
Re: Joltes Vs Denning (Gary Preckshot)
Mobile phones: "too secure"? (Marc Horowitz)
PLCs : Request for information (Pete Mellor)
User interface at the checkout stand (Rob Slade)
Where's the fire? (Jim Carroll)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its
Usenet counterpart.  Undigestifiers are available throughout the Internet,
but not from RISKS.  Contributions should be relevant, sound, in good taste,
objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:"
line.  Others may be ignored!  Contributions will not be ACKed.  The load is
too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially
.UUCP folks.  REQUESTS please to RISKS-Request@CSL.SRI.COM.
Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 14, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.  The
COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
For information regarding delivery of RISKS by FAX, phone 310-455-9300
(or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 8 Feb 1993 12:43:14 -0600 (CST)
From: Tony Scandora 708-252-7541
Subject: Cable freeloaders

Continental Cablevision of Hartford broadcast a special offer of a free T-shirt during last fall's Holyfield/Bowe fight (14Nov92). Unlike most pay-per-view broadcasting, this one did not show up through legitimate decoders. The ad and its 800 number only showed up when watched through illegal decoders. 140 freeloaders called the 800 number within minutes of the ad's broadcast. Continental sent the T-shirts by certified, return receipt mail, and then sent them a followup letter reminding them of the federal law (fines up to $10,000) and demanding a $2000 fine. [Chicago Tribune, 3 Feb 1993]

Tony Scandora, Argonne National Lab, 708-252-7541
scandora@cmt.anl.gov or scandora@anlcmt.bitnet

   [Also noted by abg@beowulf.EPM.ORNL.GOV (Alex L. Bangs) in Newsweek, Feb 15, 1993 ("A Technical Knockout" -- Periscope) and mcclella@yertle.Colorado.EDU (Gary McClelland). Sorry for the long delay in getting this issue out. It was unavoidable. PGN]

------------------------------

Date: Mon, 08 Feb 93 08:36:36 CST
From: Philip Brewer
Subject: Esperanto from a computer error

The following appeared in the November issue of _Esperanto_, the publication of the Universal Esperanto Association. (This is my translation from the original Esperanto.)

> Portugal: Esperanto from a computer error
> Hans Jankowski (German) was pleasantly surprised when a money-changing
> machine from the bank "Totta and Acores" in the Lisbon airport gave
> him his receipt in Esperanto. Because the Portuguese Esperanto
> Association was also surprised, Antonio Martins decided to explore.
> It seems that this was probably an error in setting up the computer:
> on installation of the ten-language system, someone mistakenly
> programmed Esp-eranto instead of the Spanish (esp-anol). So, no one
> congratulate the bank: they would be able to repair the "mistake"!

Their guess as to the origin of the situation certainly sounds plausible to me, although they apparently did not contact the bank to find out for sure.

Philip Brewer  pbrewer@urbana.mcd.mot.com  Motorola Urbana Design Center
...!uiucuxc!udc!pbrewer  Ho mia korv'

------------------------------

Date: Sat, 6 Feb 1993 15:42:07 +0100
From: brunnstein@rz.informatik.uni-hamburg.dbp.de
Subject: A "Handy" Risk for AirTravel?

German newspapers report broadly on risks of hand-held telephones used in flight. Following a report of a new German weekly magazine FOCUS (some sort of Anti-Spiegel published since mid-January 1993, with some remarkably well-investigated articles on IT InSecurities), Germany's federal air transport authority (Luftfahrt-Bundesamt, LBA in Braunschweig) admitted that major problems with passengers telephoning with "handy" mobile hand-held telephones have recently been experienced in some German airplanes. Newspapers report that hand-held telephones have influenced flight instruments (e.g. indicating velocity) even in landing approach. An LBA manager responsible for analysis of flight systems' security mentioned a B737 approaching Hamburg airport under IFR conditions when the slope indicator suddenly began to jump; the pilot interrupted descent and made another (successful) approach. In som. The LBA manager was quoted as saying that if velocity indicators were adversely affected by some influence of such a "handy" telephone, the pilot may be tempted to diminish the velocity below the critical value, with catastrophic influence on the plane. When contacted by me, this LBA manager refused some overdrawn citations but admitted that LBA sees serious problems and had warned carriers several times.
Meanwhile, passenger instruction concerning emergency exits etc now also mentions the risk of hand-held telephones which (according to some old German law) are not allowed to be used in-flight.

According to him, wires in planes are traditionally "hardened" against some electromagnetic induction; but the order of magnitude of such protection (about 3 Volt/meter) is, according to recent measurements of MBB (part of German Airbus, DASA), significantly lower than the 30 Volt/m which some hand-helds induce. Signal induction may even be worse as effects of reflections and resonances (which may develop in edges and channels below the cabin) may well enlarge the effect in a way hard to measure.

In public debates, such new facts add to the criticism that some overly computerized systems (e.g. Electronic Flight Management Systems, Fly-by-Wire) may enlarge in-flight risks. But at least one more advanced technology may reduce the risk of electromagnetic radiation: German Airbus is preparing to replace one (of 3) wires for some part of A340 communication (at least experimentally) by a Fly-by-Light connection; in such a system, risk will remain with optocouplers between electromagnetic and optic parts as well as with traditional non-optical computers, but the lines near the passenger parts will become immune against electromagnetic effects.

Klaus Brunnstein (Univ Hamburg, February 6, 1993)

PS: this year, some of you may have missed my traditional report from the Chaos Conference. Luckily, I was unable to participate, because several participants independently informed me that NOTHING worthwhile to report happened. Participation was said to be significantly lower than ever before, and even some journalists who are CCC's good friends did not report this year. Moreover, due to very chaotic organisation, CCC's usual electronic articles were not available for FTP.
"Downsizing" CCC seems to be in interesting contrast to US hackers (2600) which become more active, as visible from the Pentagon raids. ------------------------------ Date: Wed, 20 Jan 93 08:25:20 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Released GSA Docs Slam FBI Wiretap Proposal (Banisar, RISKS-14.28) We knew there was some intelligence in Washington (contrary to popular belief), I have encountered many dedicated civil servants who actually understand the issues despite the pseudo-random efforts of transitory appointees. The excerpts I have seen of the GSA thoughts demonstrate this. Actually, on reflection such a law might be a *good thing*. At the moment the country is in an economic slump and numerous encryption technology companies are struggling. Think of the benefits to them ! For the 1974 automotive model year the government passed the seatbelt interlock law that mandated fastening of the seatbelts in occupied front seats before the automobile could be started. This provided a windfall for a number of people: those who made the millions of new interlock devices and wiring as well as those who were paid to disconnect them. Fortunately some cars were constructed in such a way that a simple connector disconnect under the seat would allow starting in any condition. Such forethought ! The simple fact is that such a law is unenforceable and will not have the desired effect (not that that has ever stopped Washington before), it is simply too easy to bypass by anyone who cares. We have had plenty of examples of how-to in both RISKS and PRIVACY (exercise is left to the student). Not that a few miscreants won't be caught, stupidity is not confined to the law-abiding, but all such a law does is serve notice that conversations may be monitored (as they may be now) and a new industry will be born. Those in on the ground floor will make a few more millions from both sides and business will continue as usual. 
One universal truth in the USA is that *every* new law, good or bad, needed or unnecessary, means another piece of the pork barrel for someone. The line has undoubtedly already formed.

Padgett

------------------------------

Date: Sat, 6 Feb 93 10:15:46 -0500
From: fc@turing.duq.edu (Fred Cohen)
Subject: Re: Tapping phones

I must strongly disagree that the government needs special capabilities for tapping phones, decoding transmissions, etc. built into these systems by the manufacturers. But perhaps my reasons are very different from the ones recently stated regarding CC:mail.

Everyone seems to be arguing the issue from a standpoint of the government's need to crack down on crime vs. the civil liberties of the citizens. I personally fall heavily on the civil liberties side, but I also think that historically, we give up civil liberties to fight crime and provide security. I find it very hard to understand why cryptography should be an illegal weapon while hand guns are legal, but then I can't understand how cigarettes and alcohol can be legal when marijuana and cocaine and penicillin and RU248 (238?) are illegal. The point, I guess, is that it is political power that determines legality and not rationality.

Which brings me to my point. I am concerned that the government acts unfairly toward some companies and against others based on their size, market share, political affiliations, etc. If the government approaches Lotus and not me to make a back door for them, I think they are unfairly supporting Lotus in favor of me. It is an implicit endorsement of Lotus! I want the FBI to offer me hard cash and government contracts in exchange for putting back doors in my software for them. In fact, I think we should require fairness to the extent that if the FBI wants back doors in any product, they have to make the same deal for all other products. This is not a privacy issue, it is a business issue.
We have the CSPR and the SPA and other such groups that essentially provide better business connections for people and support the positions of their constituents. If their constituents want to allow a 40 bit RSA to be claimed as `secure', they support it, even though technically speaking, this is trivial to break - in a matter of minutes - on a PC! None of these companies are working for our privacy, they are working for their profits. They don't provide secure encryption because there is no profit in it. If the FBI can't read these codes, it's probably not for lack of a back door - it's probably because of a lack of technical expertise and funding.

I am eager to hear some of you tell me that there is profit in security. What a bunch of malarkey! There may be a little profit in good security for a few select organizations, but the vast majority of the profit from security is from the perception and not the reality. I often hear companies tell me their cryptosystem is really good because it was approved by the NSA - they don't mention the words `for export'. People commonly buy WordPerfect because of its encryption capability, but this has never been secure in any way. In fact, they are buying the WordPerfect cracking program from QUT to read files encrypted by employees who have since left. PKware sells authenticated PKzip capability, and people buy it because they want the perception of integrity, but it is easy to crack, and forged virus-infected zip files under their newest algorithm have already been shown after only a few weeks in widespread distribution.

Now about Lotus. In my limited personal experience with Lotus, I have found them to be sincere about providing the best protection they can in their products, subject to the time constraints placed on them by the market which values performance over almost everything else. I think they did the right thing by claiming to have refused to put in a back door, at least from a business standpoint.
I also think that if the government offered enough money in exchange for the back door, Lotus would put it in. This is not a moral issue, it is a business issue.

SEMI-HUMOROUS-SEMI-SINCERE-REMARKS-ON

So if you are a private citizen who wishes to maintain privacy, or a criminal who wishes not to be caught, there are at least three lessons to be learned:

1 - Buy from a small sincere company (like mine) that will (for the right amount of money) provide source code, and then get that source code vetted by a different small sincere company (like mine) that will certify the algorithm, its implementation, and report on its adequacy. Small companies do this better because you probably need a real expert for the whole process, and only the right small company will likely provide this to you. The second similar company provides you with the redundancy required for high integrity.

2 - Security costs time and money. If you aren't willing to suffer the consequences, you don't want security! Most people say they want the best security for the price and performance, but as most real experts know, you don't get much security unless you get a lot of security. The average high school level cracker can break almost every commercial security product in a matter of a few hours - most in minutes.

3 - The best encryption in the world won't make you very safe if you dial into CompuServe (NOTE I AM NOT CITING COMPUSERVE AS AN ACTUAL PERPETRATOR BUT RATHER AS A CONVENIENT NAME-RECOGNITION IDENTIFIER FOR THE LARGER CLASS OF SUCH SERVICES) from your PC to send the information. The FBI could easily provide the back door in the communications service to enter your PC from your remote connection and extract your keys, the plaintext of your message, or maybe even place the back door in your encryption package.
Before you laugh at the suggestion, note that when a recently introduced communications service first came on the market, it `accidentally' transmitted private information from subscribers over the wire. If it happens accidentally, you know we can do it on purpose.

SEMI-HUMOROUS-SEMI-SINCERE-REMARKS-OFF

US+412-422-4134  Protection Experts  US+907-344-5164
FAX US+412-422-4135 -OR- 907-344-3069  24 hours - 7 days

------------------------------

Date: 9 Feb 1993 12:50:46 U
From: "Gary Preckshot"
Subject: Re: Joltes Vs Denning

For all the fur that's in the air, the participants in this discussion give naive trust to the assumption that "there's all this crime the FBI has to stop" without ever considering whether you could reduce the amount of crime by changing the law. It's a classic risk, and it has been exploited by Hitler, Mussolini, Bismarck, Saddam Hussein, and Torquemada, to name a few. You state it thus, filling in the blanks to suit your particular needs: "Our cause is just, therefore we must ......" Nonsense. Damn little deserves this kind of credulity, certainly not the performance of the FBI, the DEA, and the Federal Government. The Joltes-Denning twain argue nits about how to stem a legal trickle while we are inundated by breaches of reason.

Gary

------------------------------

Date: Sun, 07 Feb 93 01:14:11 EST
From: Marc Horowitz
Subject: Mobile phones: "too secure"?

`The Sunday Times', 31 January 1993. Main section, p. 12. (Home News)

SPYMASTERS ORDER REDESIGN OF `TOO SECURE' MOBILE PHONES
by Christopher Lloyd

[Cartoon of a ridiculous mobile handset with various antennae and dishes protruding. It is being held by a dismayed, purple-suited man whilst a sign reads: "New! GCHQ-approved mobile phone".]

The next generation of mobile telephones has proved so secure against tapping that it is to be made less safe on the advice of the intelligence services.
The phones, based on coded digital technology, will have their technology modified so that spies can continue to eavesdrop on private conversations. The changes, ordered by a European Community (EC) telecommunications committee in Brussels, are being made at the insistence of European governments, including Britain's. They fear that surveillance operations against drug barons, the criminal underworld and foreign powers could be undermined.

Digital mobile phones, based on a system called GSM, are already replacing standard analogue networks across the world. They are equipped with a sophisticated scrambling code called A5, offering protection from interception equivalent to many military systems. It is this code that is to be replaced by one called A5X, to allow undercover eavesdropping to continue.

Last week a Department of Trade and Industry spokesman confirmed changes were being introduced to make it easier for security agencies - ranging from GCHQ, the British government's listening post near Cheltenham, to the FBI in America - to eavesdrop. "Alternative coding is being developed for the reasons you have outlined," he said. "There is a general desire for this among the governments of Europe."

The department, which issues export licenses for the phones, is particularly concerned that the original A5 technology should not be sold to countries that may adapt it for military applications.

In America, the FBI has voiced similar concern. Nestor Michnyak, spokesman for the FBI headquarters in Washington, said that digital technology was advancing so fast that counter-surveillance was in danger of being undermined. "We are trying to get companies and manufacturers to work with us to allow us to maintain the surveillance operations we have undertaken since the late 1960s," he said. "All we are asking is to be able to continue to do what we are currently doing and we want the same access we are having now."
Manufacturers of GSM mobile phones will be forced to adapt products to work with the new codes. Motorola, one of the leading makers of the digital mobile handsets, complained that costs may rise as a result. "We are flying blind here," said Larry Conlee, the assistant general manager of Motorola's European cellular division. "The GSM system has ended up more secure than it should have been for the commercial market and now we're trying to recover from it."

Vodafone, Britain's largest analogue mobile phone company, which has already installed 250 GSM base stations covering 50% of the UK population, said its network will need to be adapted to accept the new codes. "Government authorities have made it known that they don't want this high level of encoding," said Mike Caldwell, the spokesman for Vodafone. Caldwell said the problem with the original system was that it would take security services weeks rather than minutes to decode the conversations they wanted to bug.

Despite the changes, it will still be virtually impossible for any amateur eavesdropper to intercept calls made on the digital mobile phones.

===============

Transcript of an article in New Scientist, 30 Jan 1993

Spymasters fear bug-proof cellphones (Barry Fox, Bahrain)

One of the jewels of Europe's electronics industry, the new all-digital cellular phone system GSM, may be blocked from export to other countries around the world by Britain's Department of Trade and Industry. The DTI objects to the exports because it believes the encryption system that GSM uses to code its messages is too good. Sources say this is because the security services and military establishment in Britain and the US fear they will no longer be able [to] eavesdrop on telephone conversations. Few people believe GSM needs such powerful encryption, but the makers of GSM complain that the DTI has woken to the problem five years too late.
At MECOM 93, a conference on developing Arab communications held in Bahrain last week, many Gulf and Middle Eastern countries sought tenders for GSM systems, but the companies selling them could not agree terms without the go-ahead of the DTI. Qatar and the United Arab Emirates want to be first with GSM in the Gulf, with Bahrain next. GSM manufacturers are worried that the business will be lost to rival digital systems already on offer from the US and Japan. The Finnish electronics company Nokia, which is tendering for Bahrain's GSM contract, says "There is no logic. We don't know what is happening or why." A DTI spokeswoman would only say that exports outside Europe would need a licence and each case would be treated on its own merits.

The GSM system was developed in the mid-1980s by the Groupe Special Mobile, a consortium of European manufacturers and telecommunications authorities. The technology was supported by the European Commission and the GSM standard has now been agreed officially by 27 operators in 18 European countries. GSM was designed to allow business travellers to use the same portable phone anywhere in Europe and be billed back home. This is impossible with the existing cellphone services because different countries use different analogue technology.

The plan was for GSM to be in use across Europe by 1991, but the existing analogue services have been too successful. No cellphone operator wants to invest in a second network when the first is still making profits. So GSM manufacturers have been offering the technology for export.

Whereas all existing cellular phone systems transmit speech as analogue waves, GSM converts speech into digital code. Foreseeing that users would want secure communications, the GSM designers built an encryption system called A5 into the standard; it is similar to the US government's Data Encryption Standard. British Telecom was involved in developing A5, so the British government has special rights to control its use.
To crack the DES and A5 codes needs huge amounts of computer power. This is what alarmed the FBI in the US, which wants to be able to listen in to criminals who are using mobile phones. It also alarmed GCHQ, the British government's listening post at Cheltenham which monitors radio traffic round the world using satellites and sensitive ground-based receivers.

The DTI has now asked for the GSM standard to be changed, either by watering down the encryption system, or by removing encryption altogether. This means that GSM manufacturers must redesign their microchips. But they cannot start until a new standard is set and the earliest hope of that is May. Any change will inevitably lead to two different GSM standards, so robbing GSM of its major selling point -- freedom to roam between countries with the same phone. Manufacturing costs will also rise as new chips are put into production.

------------------------------

Date: Sat, 6 Feb 93 19:00:50 GMT
From: Pete Mellor
Subject: PLCs : Request for information

As part of a research project, I would like to find out about Programmable Logic Controllers (PLCs), of the sort frequently used for real-time control of industrial plant. I require information about the hardware and software, any fault-tolerant architectural features, methods of program development, reports on their use, etc. Information would be particularly welcome from anyone who has worked with PLCs, but any odd stories or references would be useful.

The result will probably be a project report (or two) on the application of PLCs in the control of safety-critical systems. This report will be in the public domain, but if requested I will treat sources as confidential and not attribute the information in the report.

Many thanks. Please address any responses to me personally, not to RISKS.
Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB
Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk

------------------------------

Date: 6 Feb 93 20:13 -0600
From: "Rob Slade, DECrypt Editor, 604-984-4067"
Subject: User interface at the checkout stand

About two months ago I was permitted to accompany my wife on an expedition to the fabric store. Our final transaction, involving a credit card, was a source of no small confusion to the clerk at the till. He punched all the requisite buttons, but was unhappy with the result. Finally, though, he punched the transmit button. Apparently he was no happier with this new result, since he (mentally) ran over the process again before again punching the transmit button. Still unhappy, he asked help from a co-worker, who quizzed him on the process. Satisfied that he had not, in fact, made an error, *she* punched the transmit button, and was no happier than he with the result. The manager was brought in, and was still not any happier after she (the manager) had punched transmit. The situation was resolved when someone remembered to turn on the printer attached to the "swipe" unit.

I was reminded of this yesterday. Why? The credit card statement came with, you guessed it, four copies of the same billing.

Risks? The unit apparently was indicating an error, but did not give any indication as to what that error was. The procedure had a "fault", but was allowed to proceed without a vital component. (The printed receipt, signed by the customer, is, in fact, the only legal proof of the transaction. Yes, I do know that the existence of the credit card record is a "presumption of evidence" of the transaction.) Finally, even though the transaction was only entered once, the unit still submitted four confirmed "billings", with only the transmit key being hit again.
I find it odd that the transaction, having been transmitted, would not be cleared from the "till-side" unit in order to prevent such accidental duplicates.

------------------------------

Date: Mon, 8 Feb 1993 08:22:14 -0500
From: jcarroll@jacc.com (Jim Carroll)
Subject: Where's the fire?

On the evening of Feb. 2nd my wife and I were woken up by sounds out on the street. My wife struggled out of bed, looked through the venetian blinds, and screamed at me to put on my glasses and come to the window. The house across the street was on fire. This was no small, contained fire: the entire, complete structure was up in flames. I was quoted in the press days later as saying that the flames were over fifty feet high; I still don't think this is an exaggeration. It was a stunning and disturbing sight: so much so, that we have slept only fitfully since then. The house was completely destroyed. Fortunately, the owner escaped.

What makes it all the worse is that it quickly became apparent that the fire department was not responding! For what seemed like an eternity, the fire burned out of control, with only a lone police officer on the scene. Eventually, the fire department arrived and began to do their work.

As the neighbours congregated in shock outside, the story began to circulate that 'it took the fire department 22 minutes to get here', and that 'they went to the wrong address'. It turns out that when the operator at 911 received the call, Birchwood was punched into the computer. The system listed Birchwood Heights Drive first, a street a good 5 miles away from our location! Tragically, the operator selected that location, and a full response team of 6 pumpers and trucks was sent. Meanwhile, the fire on Birchwood Drive continued to rage out of control. My neighbour across the street called three times, since it became evident that something was wrong when the fire department was not there within five minutes (being only about 1 mile away).
They realized their mistake within 10-12 minutes, after the third call (and after obviously seeing that there was no fire on Birchwood Heights Drive!)

The Mississauga Fire Department has apologized to the owner of the destroyed property (estimates of loss are $1/2 million or higher), and has promised to review its dispatch procedures.

Surely the system can be programmed to provide a second confirmation for streets that are phonetically similar? Surely something can be done with the system configuration to avoid this easy but tragic mistake?

Jim Carroll, J.A. Carroll Consulting, Mississauga, Ontario, Canada
jcarroll@jacc.com  +1.416.855.2950

------------------------------

End of RISKS-FORUM Digest 14.33
************************
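An added illustration of the dispatch lookup that Jim Carroll's post argues for: a street resolver that takes the first listed hit only when the entry is exact and has no near-namesake, and otherwise hands the operator a candidate list to confirm. This is editor-supplied example code, not the Mississauga system's; the street table and the abbreviation list are constructed.

```python
"""Street-name resolution for a dispatch console that never auto-selects an
ambiguous entry.  Constructed illustration of the Birchwood Drive /
Birchwood Heights Drive mix-up; not code from any real dispatch system."""

# Constructed gazetteer.  Order mimics the story: the wrong street is listed
# first, which is exactly what a "take the first hit" lookup would pick.
STREETS = [
    "Birchwood Heights Drive",
    "Birchwood Drive",
    "Birch Avenue",
    "Elm Street",
]

# Common abbreviations expanded before comparison (constructed subset).
SUFFIXES = {"dr": "drive", "rd": "road", "ave": "avenue", "st": "street"}


def normalize(text):
    """Lower-case, drop periods, expand suffix abbreviations."""
    words = text.lower().replace(".", "").split()
    return " ".join(SUFFIXES.get(w, w) for w in words)


def candidates(query, streets=STREETS):
    """Exact match on the normalized name wins; otherwise every street whose
    name begins with the query, in gazetteer order."""
    q = normalize(query)
    exact = [s for s in streets if normalize(s) == q]
    if exact:
        return exact
    return [s for s in streets if normalize(s).startswith(q)]


def lookalikes(street, streets=STREETS):
    """Other streets sharing the same leading word, e.g. the two Birchwoods.
    Word-level, so Birch Avenue is not a lookalike of Birchwood Drive."""
    head = normalize(street).split()[0]
    return [s for s in streets
            if s != street and normalize(s).split()[0] == head]


def naive_first_match(query, streets=STREETS):
    """The behaviour described in the post: the first listed hit is taken."""
    found = candidates(query, streets)
    return found[0] if found else None


def resolve(query, streets=STREETS):
    """Return ("dispatch", street) only when the match is exact and has no
    lookalike; ("confirm", options) when the operator must pick explicitly;
    ("unknown", []) when nothing matches."""
    found = candidates(query, streets)
    if not found:
        return ("unknown", [])
    if len(found) == 1 and normalize(found[0]) == normalize(query):
        similar = lookalikes(found[0], streets)
        if not similar:
            return ("dispatch", found[0])
        # Exact hit, but a near-namesake exists: second confirmation required.
        return ("confirm", [found[0]] + similar)
    return ("confirm", found)


if __name__ == "__main__":
    for q in ("Birchwood", "Birchwood Dr.", "Elm St", "Maple"):
        print(q, "->", naive_first_match(q), "|", resolve(q))
```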