Subject: RISKS DIGEST 14.87 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Wednesday 25 August 1993 Volume 14 : Issue 87 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Mars Observer (PGN) Chronicle of a bug foretold (Paul Eggert) Quote for the Day (Brinton Cooper) RISKS of elaborating on exploitation of known RISKS (David P. Reed, PGN) Cisco routers (Al Whaley) Phone Number Gridlock Looms (Sanford Sherizen) Digital markets (Phil Agre) Re: Everyone gets a 'A' for Welsh exam (Lars-Henrik Eriksson) InfoTech Security and Control, Conference Report (Klaus Brunnstein) The RISKS Forum is a moderated digest discussing risks; comp.risks is its USENET counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to risks@csl.sri.com, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. PLEASE SEND REQUESTS FOR SUBSCRIPTIONS, archive problems, and other information to risks-request@csl.sri.com (not automated). BITNET users may subscribe via your favorite LISTSERV: "SUBSCRIBE RISKS". Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. If you are interested in receiving RISKS via fax, please send E-mail to risks-fax@vortex.com, phone +1 (310) 455-9300, or fax +1 (310) 455-2364 for information regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; instead, as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM . ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Thu, 26 Aug 93 9:48:10 PDT From: "Peter G. Neumann" Subject: Mars Observer I've been holding off on running anything on the Mars Observer, hoping for either a miraculous recovery or further details on what actually happened. In this case, no news is bad news; hopes for restoring communications with the $1B spaceprobe are dwindling rapidly, and details on what happened may never be known. Communications were interrupted at 6 p.m. on Saturday, August 21, just after the Observer had pressurized its propulsion-system fuel tanks, preparatory to the rocket firings that would slow it down and allow it to be captured by Martian gravity --- placing it in orbit around Mars. The subsequent request to switch on its antenna received no response. Up until that point the mission had been relatively trouble free --- except that on two occasions the spacecraft's instructions had to be revised to overcome temporary problems. Even if command communications from the ground failed, the mission had been programmed to attain orbit anyway, if a few assumptions were satisfied --- such as that the backup programs worked and the antenna was functioning properly, On Monday (August 23), Glenn Cunningham, project manager at the Jet Propulsion Laboratory speculated on several possible scenarios that might have caused the failure: the Observer's onboard clock may have stopped; the radio could have overheated; its antenna could have gone askew. On Wednesday, John Pike of the Federation of American Scientists noted that, because the disruption of communications coincided with the precise moment that the spacecraft was programmed to pressurize its helium tank (which in turn pressurizes the hydrazine-oxygen fuel system), the increased pressure might have caused a leak in one of the helium lines or a *virtual explosion*. He added that if the leak were pinhole-sized, the spacecraft would now be spinning. If it were larger, the spacecraft would be completely out of control. Cunningham disclosed that, while the spacecraft was being built, a slow leak had been discovered in the original helium tank. which was replaced. Meanwhile, silence persists. The $1.4B Galileo spacecraft en route to Jupiter is also experiencing difficulties. Its main antenna jammed, and it can transmit only very slowly with its low-gain antenna. It is supposed to photograph an asteroid named Ida, beginning on Saturday. [Gilbert and Sullivan wrote on operetta on that subject about one hundred years ago -- Prints Is Ida.] These problems come on the heels of the continued launch delays on the latest Discovery mission, a weather satellite that died in orbit last week after an electronic malfunction, and the Navy communications satellite that was launched into an unusable orbit from Vandenburg last March ($138M). Shuttle launches are seriously delayed, which is likely to affect the planned space walk to repair the Hubble Telescope, currently scheduled for December. [This summary report is based on articles in the *San Francisco Chronicle*, August 23 by John Noble Wilford of *The New York Times*, August 24 from the *Los Angeles Times*, and August 25-26 by David Perlman, Chronicle Science Editor.] ------------------------------ Date: 25 Aug 1993 20:05:14 -0700 From: eggert@twinsun.com (Paul Eggert) Subject: Chronicle of a bug foretold I've often wanted something like a National Weather Service for software failures -- an early warning system that would let us know a few days or hours before trouble strikes. Well, sometimes daydreams can become true, at least in special domains. Here are two forecasts: On August 28, 1993, at 2 AM local time, workstations and PCs in Israel that are running Sun's Solaris 2.2 will suddenly lose an hour. On October 24, 1993, at 2 AM local time, Solaris 2.2 workstations and PCs in the British Isles will _not_ lose an hour. Unfortunately, everyone else there will be turning back their clocks that morning. These failures will occur because of errors in Solaris 2.2's time zone tables, which seem to stem from a configuration management problem. When going from Solaris 1 to Solaris 2, Sun's software developers somehow reverted to an early 1989 version of Arthur David Olson's public domain time zone tables, thus discarding all time zone changes due to laws passed by parliaments since then. Given the AT&T/Sun proprietary notices that are plastered over the Solaris 2 tables, I would guess that AT&T bears some blame for this bug and that other SVR4 Unix hosts may have similar problems. If you're technically inclined and have a Solaris 2 host handy, you can confirm the bug by running the command `/usr/sbin/zdump -v Israel | grep 1993' (similarly for `GB-Eire'). To fix the bug, apply the `zic' command to Olson's latest tables, which you can FTP from elsie.nci.nih.gov:pub/tzdata93d.tar.Z. [I wonder what happened in Kwajalein, where there was NO Friday, August 20, 1993. Thursday night at midnight Kwajalein switched sides with respect to the International Date Line, to rejoin its fellow islands, going from 11:59 p.m. Thursday to 12:00 m. Saturday in a blink. Are there any RISKS readers out there who have anything to report? PGN] ------------------------------ Date: Wed, 25 Aug 93 20:11:10 EDT From: Brinton Cooper Subject: Quote for the Day ...out of context, of course. >From "Computer Organization and Design--the Hardware Interface" by David Patterson and John Hennessy: "...minimizing the logic is both complex and error-prone and, thus, is better left to a program." _Brint ------------------------------ Date: Tue, 24 Aug 93 09:45:29 PDT From: reed@interval.com (David P. Reed) Subject: RISKS of elaborating on exploitation of known RISKS The posting on RISKS or any other mailing list of novel ways to exploit defects in systems to commit crimes is itself a RISK of the technology that makes RISKS possible. The inclusion of "smart answering machine" hacks as a new subtopic is a little disturbing to me personally. In the early '70's I devoted a reasonable amount of time to "tiger team" activities (sponsored by ARPA) to learn how secure typical computer systems were (TENEX, Unix, and Multics, e.g.). As such, I had a lot of time to think about what to do with what I learned. I offer the following suggested social ethic around mitigating the risk-amplification RISK associated with publishing RISKS, while preserving the benefit of identifying risks. There is a big difference between discovering and publishing a generic weakness such as "programming a smart answering machine with weak security to carry out tasks on your behalf", and the second level of inventing the cleverest or most profitable scenario for use, and publishing a detailed cookbook approach to using the weakness for committing various crimes. This doesn't illuminate the weakness further, unless you posit that your audience is stupid. RISKS readers are not. A reasonable rule, then, is to identify and publish broad categorizations of weaknesses, but it probably amplifies the risk for all of us to then broadcast to everyone the cleverest exploitations of those risks you can think of. I carry to my grave some wonderfully clever ways to make myself rich, destroy my enemies, and earn the perverse fame and glory associated with destructive or prankish hacking. But my conscience would hurt if others were hurt by my dissemination of these ideas. ------------------------------ Date: Thu, 26 Aug 93 10:34:12 PDT From: "Peter G. Neumann" Subject: Re: RISKS of elaborating on exploitation of known RISKS David Reed discusses a very sticky wicket that has been discussed repeatedly in RISKS. The biggest problem with not having the flaws publically discussed is that supposedly unknown flaws tend NEVER to get fixed. The general compromise strategy seems to be to inform people who might actually do something about discovered flaws, and then if those folks do nothing, let the flaws be known. There is a pervasive need for knowledge that particular schemes are intrinsically unsafe/unreliable/unsecure. Many people are living with blinders on, as is evidenced by the recurrence of the same types of problems, over and over. Almost every remotely controllable answering-machine system is vulnerable today. Cellular phones are intrinsically vulnerable today. How many installations run with the sendmail debug option enabled? How many .rhosts files permit file systems to be accessible remotely? Does anyone care? ------------------------------ Date: Wed, 25 Aug 1993 12:56:54 -0700 (PDT) From: Al Whaley Subject: Cisco routers Rumors abound that Cisco routers have a back door; that is when a TCP port is disabled, it can still be accessed from Cisco's IP number. I have personally verified this with the sendmail port. Al Whaley al@sunnyside.com +1-415 322-5411(Tel), -6481 (Fax) Sunnyside Computing, Inc., PO Box 60, Palo Alto, CA 94302 [Private trapdoors for developers and maintenance folks are remarkably common, and in many other cases represent more serious risks than this one. WarGames was not pulling your leg. PGN] [***** NOTE ADDED ON 2 SEP 1993 TO THE ARCHIVE COPY: Subsequent discussion has indicated that the above noted rumours are UNFOUNDED. PLEASE SEE RISKS-15.01 FOR CLARIFICATION. PGN *****] ------------------------------ Date: Wed, 25 Aug 93 12:31 GMT From: Sanford Sherizen <0003965782@mcimail.com> Subject: Phone Number Gridlock Looms A *Los Angeles Times* article by Jube Shiver Jr. printed in the Sunday *New Hampshire News* (Aug. 22, 1993) states that Bellcore will phase out oversight of number allocation in the next 12-18 months. Bellcore's decision will affect the rate at which new communication technologies can be put into service and the complex task of allocating numbers will have to be administered by some other organization. Number allocation includes areas codes, five-digit long distance carrier identification codes, some local phone numbers and codes for toll-free and 900-prefix information services. According to the article, Bellcore was abandoning this free role in response to what its president called unfounded complaints by its rivals that it might discriminate in favor of its owners in the distribution of new phone numbers. This change occurs at a time when federal regulators are preparing to authorized the first of a host of new communications services. Bellcore's announcement followed a surprise FCC decision earlier this month to halt the company's planned assignment of 500 service-access codes to personal communications services (PCS). The FCC cited industry concern that several of Bellcore's owners were among those vying for the new codes. Sanford Sherizen, Data Security Systems, Natick, MA ------------------------------ Date: Wed, 25 Aug 1993 17:11:21 -0700 From: pagre@weber.ucsd.edu (Phil Agre) Subject: Digital markets The following article provides an exceptionally clear account of computerized high finance centered on so-called "derivative products". These are (among other things) ways of buying and selling debt streams with given properties. For example, a company in need of short-term cash might exchange a bundle of 30-year home mortgages (which provide money with high reliability but at low rates of return and over a long period) in favor of a bundle of junk bonds (which provide money with lower reliability but at higher rates of return and on a variety of schedules). Robert Lenzner and William Heuslein, How derivatives are transforming Wall Street, Forbes 151(7), 29 March 1993, pages 62-72. This is Forbes, though, so the critical perspective is pretty much missing. For that you might turn to a new book by a New York Times reporter: Joel Kurtzman, The Death of Money, New York: Simon and Schuster, 1993. This is a wide-eyed account of how the truly gigantic international flows of cash, greatly facilitated by computers and telecommunications, are changing economic institutions and theories. For example, he interviews mathematicians and physicists who engage in high-powered zaitech (financial engineering) for Wall Street companies. I'm not entirely comfortable with the book. I don't think it's successful in its argument that a radical change in the very nature of money is making neoclassical economics obsolete. (Neoclassical economics may be obsolete anyway, of course, but that's another topic.) For example, he places an awful lot of weight on the end of the gold standard. And regular economists will argue that most fancy zaitech is just arbitrage, which (they say) simply makes markets function more efficiently. His main arguments for a computer-based risk to society are based on observations about market volatility and a critique of "speculation". On the topic of market volatility, you'll have to read his argument about the 1987 stock market crash and see for yourself. And he really doesn't give us enough information to form any very novel opinions on the common view that rapid, quantitative investment decisions, by focusing on short-term fluctuations, ignore and thus undermine market "fundamentals". Nonetheless, I do recommend the book as an introduction to the people and numbers. He also cites some of the more technical literature. On a related topic, I cannot recommend highly enough the following book: Stanley M. Davis, Future Perfect, Reading, MA: Addison-Wesley, 1987. Davis is a management consultant who sees an amazing future in which computer and telecommunications technology, among other things, changes the nature of many products and markets through dramatically more rapid and specific responses to changing customer needs. The book is hard going and downright weird in places, but it's full of remarkable speculations. For example, he suggests that businesses try as much as possible to separate the "material" and "information" dimensions of a product, combining them as close to the customer as possible. The idea is that information (a) can be moved much faster than physical materials and (b) is much more amenable to rapid and highly specific customization, and so therefore should be processed in a centralized way, whereas physical materials should be distributed as widely as possible to minimize delivery times. What does this mean in practice? You'll have to hire a management consultant to help you figure that out. Phil Agre, UCSD ------------------------------ Date: Tue, 24 Aug 93 09:29:01 +0200 From: lhe@sics.se Subject: Re: Everyone gets a 'A' for Welsh exam A similar thing happened in Sweden last week. Due to a programming errors, some positions for studying to dentists in Gothenburg were given to applicants with the poorest grades! According to Swedish law, a formal decision to enroll someone in a university program can't be revoked so the University of Gothenburg has no choice but to accept these students. Lars-Henrik Eriksson, Swedish Institute of Computer Science, Box 1263 S-164 28 KISTA, SWEDEN lhe@sics.se +46 8 752 15 09 Fax: +46 8 751 72 30 ------------------------------ Date: Mon, 23 Aug 1993 18:52:59 +0200 From: Klaus Brunnstein Subject: InfoTech Security and Control, Conference Report Report on an International IFIP Working Conference on "Security and Control of Information Technology" (Stockholm-St.Petersburg August 12-17,1993) From: Klaus Brunnstein, University of Hamburg (August 21, 1993) Under the auspices of the International Federation for Information Processing (IFIP) WG 9.6 "IT Misuse and the Law" (chairman: R.Sizer/UK), an International Working Conference on "Security and Control of IT in Society" was held on a ship plying between Stockholm and St.Petersburg, prepared by University of Stockholm (Ann Marie Bodor, Louise Yngstroem). Attended by about 60 active participants, this event included one day in St. Petersburg's Russian Academy of Science's Steklov Mathematical Institute, packed with information on the status of IT Security and Legislation in Russia, prepared by Eldar Musaev (St. Petersburg) and Simone Fischer-Huebner (Hamburg). Following the dominant professional interests of participants, almost equally divided into technical and legal aspects, the program onboard the ship was dominated by often rather controversial discussions about legal versus technical aspects. This biased approach was even stimulated by an introductory panel discussing the thesis that "Law cannot help to Control IT Security", intending to argue in traditional (Oxfordian) debate style about pro's and contra's of legal IT regulations. Though well-intended, this debate may have set an unhappy start of an otherwise stimulating event (the thesis was rejected in a voting process with majority). The onboard program's first part was devoted to legal aspects, esp. dealing with privacy. Here, a paper presented by Norwegian anthropologist Rolf Lunheim in cooperation with computer scientist Gottorm Sindre gave several examples that privacy is rather inconsistently understood in different cultures. Such different views even between Western participants became evident in the presentations of some leading privacy and law experts, which used the term in their resp. cultural understanding. Here, Bieke Spruyt and Bart de Schutter (University of Brussels) discussed whether an International Law on Security of Information Systems is emerging; they saw needs for such standardisation and pointed to few emerging building stones of future regulations, such as the OECD guidelines, which were presented in good detail later by Richard Hackworth (Berkhemstead), UK member of the OECD expert panel which developed these guidelines. Within the legal stream, Margaret Jackson (Royal Melbourne Institute of Technology) contributed significant details in describing the status of Australian IT-related legislation, including such diverse areas as intellectual property protection, civil and criminal law. She also described proactive contributions by Australian courts and commissions. Moreover, she gave interesting details about developments in selected countries in the Asia-Pacific region (e.g. Korea) in related legal fields. Completing the critical survey of state-of-law, Lawrence F. Young (University of Cincinnati, Ohio) presented his analysis of "Utopians, Cyberpunks, Players, and others Criminals: Deterrence and the Law" with special emphasis on the contemporary US situation. After describing shortcomings of US federal and state laws, he analysed diverse forms of computer crimes, including violations of privacy and intellectual property, interruption and theft of services, larceny, espionage etc. He concluded that even recent US laws need serious revision, including extension in scope and more uniform formulations to make them comparable and applicable over US federal states' boundaries. In some contrast with the analysis concentrating on the legal situation, Ruud Ketelaar (Amsterdam) and Simone Fischer-Huebner (University Hamburg) addressed both legal and technical aspects by arguing that some IT security mechanisms (e.g. collecting audit trails) further invade privacy and protection of personal data, thus even enlarging the legal problems. Besides some rather controversial discussion whether the term "confidentiality" as used in IT security discussions may be understood as somehow equivalent to "privacy" in legal fields, Ketelaar's and Fischer-Huebner's contribution were the only ones to transgress the evident gap between lawyers and technicians. The "Russian Day" held Saturday on solid ground in St. Peterburg unvealed surprising insights into implications which the recent dramatic political changes (known as "perestroyka") produce in Russian society, esp. such ones related to IT Security. In his introduction into "IT versus Security in Russia", Eldar Musaev (Steklov Mathematical Institute, Russian Academy of Sciences, St.Petersburg) presented examples of major incidents in Russia in recent years. Probably the most shocking one was the theft of a computer including a database of Chernobyl victims and related statistics; as no backup was done due to lack of magnetic media, this database was definitely lost. Until now, it is unclear whether the thieves were merely interested in the computer (which is the likely assumption) or were interested in the database. Most interesting contributions concerned the constructive approaches to improve technical and legal instruments for preventing or fighting IT misuse. Here, Yuri Andreevich Timofeef, chairman of Russia's National Subcommittee (127) on methods and means of information protection, reported about the systematic approach which is undertaken by several cooperating institutions to establish a basic concept (including definition of terms) as well as national IT security criteria for both IT products and systems, for government, commercial and private applications. These "Russian IT Security Evaluation Criteria" published in late 1992 (in Russian) in 5 volumes adapt other criteria (esp. US-TCSEC and Europe-ITSEC) to Russia's national needs. Related to this developments of concepts, a Russian IT security industry (with yet more than 50 enterprises in Moscow) has yet developed as experts from former military IT security fields are seeking for commercial jobs, and with several new products and ideas, accompanied by a National conference and a new Russian Journal on IT Security. Closely related to Russian IT Security concepts as well as to the present development of a new constitution including principles on both the right for information and the right for private life and private mail, Andrey Petrovich Kurilo (Moscow), head of department of information technologies security branch in the State Technical Commission of Russia described the structure of the emerging Russian IT related legislation. Here, the Russian Draft InfoSEC Act aims at covering almost all fields, including: 1) Administrative and Physical Protection, 2) Protection against unauthorized access to information in single systems (somehow comparable to COMPSEC), 3) Protection of information and availability in networks (comparable to COMSEC), 4) Protection of Electronic Document Interchange, including regulation of digital signatures, 5) Protection from compromising secrecy by detection of signals and electromagnetic radiation (TEMPEST-like), 6) Protection from malicious software (viruses etc), and 7) Protection against threats to Intellectual Property, illegal copying etc. In the legislation process, several "secrets" shall be legally protected (addressing operations of state and military, commerce, banks, as well as concerning personal data, microcircuits and digital signatures). Here, appropriate criminal, civil and labour laws are being developed. As examples of Russian ITSEC legal approaches, a paper on "Legal aspects of digital signature standardisation" was presented by Viktor V. Markelov (Federal Agency of Government Communication and Information, Moscow), which was later nicely complemented by a survey about work, problems and developments in Germany by Kathrin Dippel (Darmstadt/Germany). Moreover, an example of a new Russian product was the description of an AntiVirus product (AIDSTEST), which was said to protect the user against over 95% of present and future viruses. Mixed in between the Russian papers to exchange also information from West to East, overviews of Western developments presented OECD Guidelines (Hackworth), US Federal Criteria (Abrams) and IT Security Policies (White). Back onboard, the last day centered on technical discussions concerning IT security classification, education and esp. problems of electronic signatures. This was somehow "interrupted" by Larry Young's contribution and by an overview of IFIP's present activities in formulating a "Framework for Codes of Ethics and Professional Conduct", presented by Conference Chairman Richard Sizer (UK). An overview of "Recent Development in IT Security Evaluation" was presented by Kai Rannenberg (Freiburg/Germany), who overviewed and compared approaches from Orange Book to Europe's IT Security Evaluation Criteria (ITSEC), the Canadian approach (CTCPEC) and the recent US Federal Criteria (FC-ITS) with concepts discussed in ISO working groups. While Rannenberg suggests "facets of security and services" as new ordering scheme, Marshall Abrams (MITRE, McLean/Virginia) in his distinguished way described a "Symbiosis among IT Security Standards, Policies, and Criteria" where he presented both progresses and demands for research in miscellaneous fields. He esp. mentioned "assurance" as ill-understood, and he suggested that multiple policy models be analysed to select the most adequate one for an economic or governmental organisation's demand. Both presentations reviewed the IT Security with critical view towards shortcomings in the technical concepts but the papers as well as related discussions did not explicitly analyse basic paradigms inherent in InfoSEC concepts nor did they describe implied social risks. One of Marshall Abram's conclusions about IT security policies was that "If security is everybody's obligation, it is nobody's obligation". This seemed to be in contradiction with a position which Peter White, security consultant from Ipswich/UK presented in his paper on "Preparing System Security Policies". Based on a formal framework, he described results of a survey about evaluations of experienced threats and countermeasures against theft, infiltration and loss of confidence. To enforce general System Security Policies in organisations, every persons must behave according to her/his responsibility, rather than projecting security demands on "secure and safe" systems including security managers. In two final workshops, potential impact of the OECD Guidelines (chaired by Richard Hackworth) and relations between legal paradigms and InfoSEC (chaired by Peter White) were discussed. With some suggestions for future work and some clarification of terms which before may have been differently understood, the conference at this stage may have overcome some gaps in understanding between the InfoSEC and the Law parties as observed before. Apart from the rather general notion that both Law and InfoSEC act within society and affect it, it remained open what the specific social implications of InfoSEC might be which the parent committee IFIP TC-9 "Relationship between Computers and Society" is concerned with. Summarizing and assessing the value of this event, two essential steps were taken which may produce future insights. First, the start of an information exchange between Russia and other countries alone was worth the trip to St. Petersburg. Second, besides many interesting contributions, the onboard conference may be regarded as an initial step in bridging the evident gap between ITSEC professionals, law experts and other fields (like sociology and anthropology) presently less active. In this sense, the Conference Proceedings (to be published by Elsevier/North Holland in fall 1993) will surely form an interesting basis for future work. ------------------------------ End of RISKS-FORUM Digest 14.87 ************************