Subject: RISKS DIGEST 15.67
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 18 March 1994  Volume 15 : Issue 67

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

  Contents:
Hazards on the Superhighway (Erskine Widemon)
The RISKS of whale removal (Tom Mahoney via Mark Stalzer)
The Handmaid's Tale, Giuliani-Style (Chris Kreussling)
IRS Surveillance (J. Cooper)
Risk Conference - Two for the price of one! (Patrick J. O'Toole)
911 (again) (Richard Johnson)
Re: Clipper Compromised (Dorothy Denning)
It's Apple and it's grammar. (John Oram)
L.A. phone fire (a.k.a. "Risks of believing ...) (Lauren Weinstein)
RSAREF/RIPEM Free and Legal Worldwide (Jim Bidzos)
CERT ADVISORY - MD5 Checksums (CERT)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Fri, 18 Mar 94 10:32:52 PDT
From: tzw2446@ddrw.dla.mil (Erskine Widemon)
Subject: Hazards on the Superhighway

The following incidents were mentioned in the March 14, 1994 Modesto Bee.

- Laurie Powell joined an on-line service to discuss the joys and pitfalls
  of raising children. An elusive cyberstalker called Vito has threatened
  her life, sent her pornographic e-mail and may be following her around
  the country.

- Larry Greenberg of New York could have lost his job when someone sent his
  boss a fax from a phony law firm accusing him of being a convicted rapist
  and child molester. Greenberg suspects the fax was sent by an on-line foe.

- A 14-year-old New Jersey girl was forced off the network last month after
  continuing to receive unwanted computer-generated sexual images of young
  boys.

- Evelyn McHugh, a New Jersey housewife, discovered a Chicago man was
  sending obscene messages in her name.
- A 14-year-old Boston boy disappeared after running away to meet a man in
  Texas who sent him on-line love letters and airline tickets.

Erskine Widemon

------------------------------

Date: Fri, 18 Mar 1994 08:33:48 +0800
From: stalzer@macaw.hrl.hac.com
Subject: The RISKS of whale removal

This has absolutely nothing to do with computers, but it is heartening to
know that our industry isn't the only one that does foolish things.  -- Mark

----- Begin Included Message -----

The Farside comes to life in Oregon.

I am absolutely not making this incident up; in fact I have it all on
videotape. The tape is from a local TV news show in Oregon, which sent a
reporter out to cover the removal of a 45-foot, eight-ton dead whale that
washed up on the beach. The responsibility for getting rid of the carcass
was placed on the Oregon State Highway Division, apparently on the theory
that highways and whales are very similar in the sense of being large
objects.

So anyway, the highway engineers hit upon the plan--remember, I am not
making this up--of blowing up the whale with dynamite. The thinking is that
the whale would be blown into small pieces, which would be eaten by
seagulls, and that would be that. A textbook whale removal.

So they moved the spectators back up the beach, put a half-ton of dynamite
next to the whale and set it off. I am probably not guilty of understatement
when I say that what follows, on the videotape, is the most wonderful event
in the history of the universe. First you see the whale carcass disappear in
a huge blast of smoke and flame. Then you hear the happy spectators shouting
"Yayy!" and "Whee!" Then, suddenly, the crowd's tone changes. You hear a new
sound like "splud." You hear a woman's voice shouting "Here come pieces
of...MY GOD!" Something smears the camera lens.

Later, the reporter explains: "The humor of the entire situation suddenly
gave way to a run for survival as huge chunks of whale blubber fell
everywhere."
One piece caved in the roof of a car parked more than a quarter of a mile
away. Remaining on the beach were several rotting whale sectors the size of
condominium units. There was no sign of the seagulls who had no doubt
permanently relocated to Brazil.

This is a very sobering videotape. Here at the institute we watch it often,
especially at parties. But this is no time for gaiety. This is a time to get
hold of the folks at the Oregon State Highway Division and ask them, when
they get done cleaning up the beaches, to give us an estimate on the US
Capitol.

Tom Mahoney, #9, Coast Guard Sqn.1/Div.13 CatLo

----- End Included Message -----

------------------------------

Date: 18 Mar 94 09:26:45 EST
From: Chris Kreussling <70700.266@CompuServe.COM>
Subject: The Handmaid's Tale, Giuliani-Style

The following appeared in the New York Times on Tuesday, March 1, front page
of the Metro Section (page B1). I haven't seen reference to this in Risks
digests since then. And if there's been anything about it since in the local
press, I've missed it.

My comments and questions:

- Anyone know more about this than appeared in the Times?

- Those with the *technical* ability to affect Board of Ed funding had no
  *legal* authority to do so. The design of the system - and its security -
  does not reflect the legal and political boundaries of the organizations
  it's supposed to serve.

- Probably easy to overlook one budget code out of "399 different budget
  categories." Unless they were informed by the administration, the agency
  and personnel who actually installed the change probably didn't know its
  full impact. They were "just following orders" ...

- The funds were not just "frozen", they were "transferred" to another
  account. I think the technical term is "stealing"?

- The Mayor, his administration, and the City Comptroller violated state
  law. Are there computer-specific laws they may also have broken? Wire
  fraud, for example?
  Giuliani Tries Electronic School-Spending Freeze, by Josh Barnabel

  Without warning the Board of Education, the Giuliani administration last
  week loaded software on a computer accounting system to block spending on
  school supplies. But the administration reversed the spending freeze after
  the Board considered legal action ...

  School officials said they discovered that the $68 million spending freeze
  had been imposed only when budget analysts ... noticed that spending
  authorizations were rejected by the city's accounting system for lack of
  funds ...

  At the direction of the Mayor and the city's Comptroller, the [Financial
  Information Services Agency] loaded new software on the city's accounting
  system after business hours on Thursday. The software sent instructions to
  the city's computers blocking spending of 90 percent of the available
  funds in 399 different budget categories for all city agencies, from
  supplies and materials, to out-of-town travel, to temporary service and
  consulting contracts.

  The software in effect froze the school system's checking accounts, and
  transferred the available balances into reserve accounts controlled by the
  Mayor ...

  The board receives less than half its money from city taxes, and is not
  required to submit its detailed line-item budget to the Mayor or the City
  for approval ...

------------------------------

Date: Fri, 18 Mar 94 08:12:00 BST
From: j.cooper6@genie.geis.com
Subject: IRS Surveillance

From COMMERCE BUSINESS DAILY, 940317 (Government notice of bids)

  Department of the Treasury (DY), Internal Revenue Service, Constellation
  Centre, 6009 Oxon Hill Rd., Rm. 700, M:P:O:S Oxon Hill, MD 20745

  36 -- REMOTE DIAL NUMBER RECORDERS SOL IRS-94-0051 POC Shirley Campbell,
  Contract Specialist, (202) 283-1144. The Internal Revenue Service intends
  to procure 28 remote telephone data collection units, including software.
  Capable of collecting and storing information from the target line on at
  least 700 telephone calls (time of call, length of call, number dialed,
  caller ID, call progress tone detection, etc.). The unit must be no larger
  than 5.9x1.5x3.2 inches. The unit is controlled and records are
  transmitted through the dial-up line through a computer modem. The
  instrument must be transparent to the target line. The unit will be
  powered through the dial-up line. 100% Small Business Set-Aside. Telephone
  requests for the solicitation package will not be accepted. (0075)

   [Great for identifying anonymous callers who request information on
   whether illegal acts must be declared, and other such revealing queries?
   PGN]

------------------------------

Reply-To: potoole@consultant.win.net (Patrick J. O'Toole)
Date: Thu, 17 Mar 1994 16:11:47
From: potoole@consultant.win.net (Patrick J. O'Toole)
Subject: Risk Conference - Two for the price of one!

I recently registered for the upcoming Software Engineering Institute (SEI)
Conference on Software Risk and provided my Master Card information for
billing purposes. About a week later, I received a confirmation letter and
receipt from the SEI; two days later, I received a second confirmation
letter and receipt. Since the registration and payment numbers were
different on the two receipts, I suspected a double booking/billing may have
occurred, and called the SEI to rectify the problem.

After looking into the situation, the SEI informed me that I had tripped a
bug in a program which resulted in my being double registered, but *not*
double billed. They assured me that I was the only one affected, and that
the problem had indeed been resolved.

Today I received two separate invitations to participate in an upcoming
Software Engineering Process Group meeting. I am not planning to attend this
particular event, but if anyone is interested in a "buy one, get one free"
offer, please give me a call!
------------------------------

Date: Mon, 14 Mar 1994 07:37:53 -0800 (PST)
From: rdj@plaza.ds.adp.com (Richard Johnson)
Subject: 911 (again)

Yeah, we've beaten 911 problems to death historically, but it's a change
from Clipper. :=)

I have a friend. His family and mine are quite close. We call each other's
houses daily, sometimes multiple times in one day. His phone number begins
591-1xxx. As you guessed, about once a month, something happens with the
phone company switching, and we get 911--as a wrong number. So far the
emergency response people have been quite nice about this, and I haven't
seen any penalty-type charges on our phone bill.

The risks: Aside from the obvious one, that we're discussing a
safety-critical system, is the sheer volume of calls this represents. Ten
thousand different phone numbers could get automatically diverted to 911. If
we figure 500 hours each month when people are awake and calling (that's 16
a day), and each one gets redirected once a month, then 911 must be seeing a
wrong number every three minutes! No wonder they're so nice about it...

Richard Johnson (rdj@plaza.ds.adp.com) (richard@agora.rain.com)

------------------------------

Date: Fri, 18 Mar 94 09:52:54 EST
From: denning@chair.cosc.georgetown.edu (Dorothy Denning)
Subject: Re: Clipper Compromised

RISKS-15.66 included a brief from "Network World," which referenced a story
in the "Security Insider Report" suggesting that Aldrich Ames could have had
access to Clipper's classified SKIPJACK algorithm or Clipper keys. A New
York Times reporter asked me about this rumor a few weeks ago, and the whole
idea struck me as so obviously absurd that I could hardly stop laughing.
Nevertheless, I did check it out with people who would know. They confirmed
what I thought. The whole rumor is total nonsense.

What I don't understand is why people persist in spreading rumors and
speculation that have no basis and don't even make sense.
Dorothy Denning

------------------------------

Date: Fri, 18 Mar 1994 00:24:57 -0800
From: oramy92@halcyon.com (John Oram)
Subject: It's Apple and it's grammar.

This was in the TidBITS newsletter (#217/14-Mar-94). Evidently the
AppleScript creators don't read this newsgroup...

>**John Baxter** writes:
> I've run into something that grammar mavens may find interesting.
> Consider this correct [English version] AppleScript code:
>
>     tell word 4 of paragraph 2 of document 1 of application
>         "Scriptable Text Editor"
>       get it's text
>     end tell
>
> Here, Apple has managed to make AppleScript syntax so English-like
> that it commits the all-too-common mistake of using "it's" instead
> of "its" as the possessive.
>
> You can of course also write that statement as:
>
>     get the text of it
>
> That sounds terribly stilted, but at least avoids the incorrect
> use of the contraction in place of the possessive. One of the
> amusing things is that Apple has the potential of running into
> such problems in each language for which they provide an
> AppleScript dialect.

------------------------------

Date: Thu, 17 Mar 94 21:02 PST
From: lauren@vortex.com (Lauren Weinstein)
Subject: L.A. phone fire (a.k.a. "Risks of believing all news reports...")

> From: "George Feil"
> A news bulletin just in: A fire in a Pacific Bell switching complex
> has knocked out local phone service to most of Los Angeles, CA.

The fire's impact was considerably overstated by press accounts. It occurred
in the downtown L.A. "Madison" C.O. complex (in particular, LSAN-0470T),
which is one of several downtown high-rise switching centers. The fire
knocked out primary and secondary power supplies that (unlike many of the
other supplies in the building, apparently) were co-located. Failure of SS7
links caused disruption of interoffice service for customers whose local
subscriber lines were served by that office, and wider disruption of 911
service throughout a broader portion of the L.A.
area, since the citywide 911 center is downtown. There were also apparently
some limited long-distance access problems to some areas for some carriers.

Media and local telephone operators quickly began publicizing local direct
dial emergency numbers to offset the 911 failure. There were no reports that
I heard of any serious problems relating to the 911 disruption. Some
operations were switched to secondary facilities in other areas.

Outside of the 911 problems, most areas of the city and the surrounding
metro area (except the immediate downtown area served by Madison) noticed
few obvious effects.

--Lauren--

------------------------------

Date: Fri, 18 Mar 94 03:32:48 PST
From: jim@RSA.COM (Jim Bidzos)
Subject: RSAREF/RIPEM Free and Legal Worldwide

For more info, contact Kurt Stammberger, RSA Data Security, Inc.
415/595-8782. To download RSAREF and RIPEM, send any message to
rsaref@rsa.com or ftp from msu.edu

RSA DATA SECURITY ANNOUNCES DIGITAL SIGNATURE SOFTWARE THAT IS FREE AND
LEGAL WORLDWIDE

Information superhighway gets free tool to authenticate information; an
answer to Vice-president Gore's concerns over Internet break-ins

---------------------------------------------------------

Redwood City, Calif. (March 21, 1994) - RSA Data Security, Inc. announced
today a first: digital signature software that is both free and legal
worldwide. RSA applied for and received a "commodities jurisdiction," or CJ
for a software package called RIPEM/SIG, which was built with RSA Data
Security's RSAREF toolkit, a freeware package. A CJ, which is a ruling that
the software falls under the Commerce Department's jurisdiction as opposed
to the State Department, allows RIPEM to be freely and legally exported.

Further, RSA has relaxed the use restrictions in its free crypto toolkit.
RSAREF, and any application built with it, may now be used in commercial
settings as long as it is not sold or used to provide a direct for-profit
service.
Digital signatures are produced using the RSA cryptosystem, which is a
public-key cryptosystem. Each user has two keys - one public and one
private. The public key can be disclosed without compromising the private
key. The RSA cryptosystem was invented and patented in the late 1970's by
Drs. Rivest, Shamir, and Adleman at the Massachusetts Institute of
Technology. Electronic documents can be "signed" with an unforgeable
"signature" by using a document/private-key combination to produce a
signature unique to the author/document. Anyone, by using only RIPEM and the
public key of the author, can verify the authenticity of the document.

Applications of digital signatures are endless. One reason that the
paperless office has never materialized is that paper must still be printed
so that handwritten signatures can be applied. RSAREF and RIPEM solve that
problem. Expense reports, any electronic forms, administrative documents,
even tax returns can be electronically signed to speed electronic document
flow and eliminate fraud.

Information on the Internet can be signed and verified to prevent spoofing.
Recently, unauthenticated messages at Dartmouth College caused an important
test to be cancelled; messages impersonating faculty were sent out.

"Data mailed, posted, or put on servers on the Internet is inherently
untrustable today," said Jim Bidzos, president of RSA. "Tampering with
electronic documents takes no special skills, and leaves no trace. With the
availability of a free, legal, and exportable tool such as RIPEM, there's no
need for such a situation to continue. It can be used by individuals,
corporations, and government agencies at no cost."

In a February 4th announcement, Vice-president Gore stated that the recent
Internet break-ins could have been prevented with digital signatures. "Here
they are," said Bidzos.

Recently, cryptography has caused clashes between government and industry,
over privacy issues, law enforcement concerns, and export issues.
"The US government has approved this software for export," said Bidzos.
"Clearly, it's no threat to them. And it's free."

Digital signatures can also be used to detect any virus before a program is
executed, since any change whatsoever is detected.

The RIPEM application was developed using the RSAREF toolkit by Mark Riordan
of Michigan State University. A Macintosh version, developed by Ray Lau of
MIT, the author of the popular "StuffIt" program, is also available.
Versions for DOS, Unix, and all popular platforms are supported. "PEM"
stands for Privacy Enhanced Mail, a published Internet standard for secure
electronic mail. Other innovative applications can also be built with RSAREF
and distributed at no cost. The full encryption-capable RIPEM is available
only in the US.

RSA digital signatures are a standard feature of Lotus Notes, the Apple
System 7 Pro Operating System, Novell NetWare, Microsoft Windows at Work,
Windows NT, IBM System Security Products, DelRina PerformPro, WordPerfect
InForms, SHANA InFormed, BLOC F3 Forms, Fischer International Workflow, and
numerous other products. Over 3 million commercial products in the market
today already use RSA signatures under license from RSA Data. Other RSA
licensees include General Magic, Hewlett-Packard, Oracle, Unisys, Digital
Equipment Corp., Motorola, and numerous others.

RSA Data Security, Inc. designs, develops, markets, and supports
cryptographic solutions toolkits and products. The company was founded by
the inventors of the RSA cryptosystem in 1982 and is headquartered in
Redwood City, California.

------------------------------

Date: Fri, 18 Mar 94 16:46:58 EST
From: CERT Advisory
Subject: CERT ADVISORY - MD5 Checksums

CA-94:05                         CERT Advisory
                                 March 18, 1994
                                 MD5 Checksums

This advisory gives the MD5 checksums for a number of SunOS files, along
with a tool for checking them. The checksums can be used to assure the
integrity of those files.
The CERT Coordination Center is distributing these checksums because of an
increasing number of incidents in which intruders who gain root access are
modifying system files to install Trojan horses. Moreover, intruders are
modifying files so that they have the same checksum as the original file.
This is possible because the standard "sum" program that comes with most
UNIX systems was designed to detect accidental modifications to files and is
not strong enough to prevent deliberate attempts to yield a specific
checksum.

The MD5 algorithm by RSA Data Security, Inc. is specifically designed to
provide checksums that cannot be deliberately spoofed. We strongly recommend
that sites install the MD5 software and use it to validate system software.
More information on obtaining MD5 is given below.

The list of checksums in Appendix B of this advisory is provided for your
convenience. In addition, we are providing a program that can assist you in
checking your MD5 output against the values in the database.

This checksum list is not complete. We have begun with a number of the more
common locations for Trojan horses that we have seen in connection with the
continuing "sniffer" attacks reported in CA-94:01 "Ongoing Network
Monitoring Attacks." We intend to work with all vendors to expand this list
and make more MD5 checksums widely available for anonymous FTP.

We encourage sites to consider installing a more complete package for
monitoring system integrity, such as Tripwire from the COAST project
(anonymous FTP on ftp.cs.purdue in "/pub/spaf/COAST/Tripwire") or the TIGER
system from TAMU (anonymous FTP on net.tamu.edu in "pub/security/TAMU").

We will maintain a file, CA-94:05.README, that will contain pointers to
additional databases and other updates as they become available.

   [The entire Advisory is in RISKS-15.67MD5. Contact the CERT for further
   information.
   PGN]

------------------------------

Date: ongoing
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible
and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA)
with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military
and Government machines should contact (Dennis Rears). UK subscribers please
contact . Local redistribution services are provided at many other sites as
well. Check FIRST with your local system or netnews wizards. If that does
not work, send requests to (not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them. Contributions will not be ACKed; the load is
too great. **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks. Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR>cd risks:<CR>
Issue j of volume 15 is in that directory: "get risks-15.j". For issues of
earlier volumes, "get [.i]risks-i.j" (where i=1 to 14, j always TWO digits)
for Vol i Issue j. Vol i summaries in j=00. "dir" (or "dir [.i]") lists
(sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65];
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
WAIS and bitftp@pucc.Princeton.EDU are alternative repositories.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in
receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for
info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL
RISKS COMMUNICATIONS; as a last resort you may try phone PGN at
+1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 15.67
************************
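As an added illustration of the CERT MD5 advisory above (editor's example, not code from the digest or from CERT's checking tool): a small baseline checker that reads a "digest  path" list, reports each file as OK, MISMATCH or MISSING, and shows why the System V "sum" checksum cannot detect a byte transposition that MD5 flags. The file paths, file contents and baseline list are constructed for the demonstration.

```python
import hashlib

# Added example for CERT CA-94:05. Not CERT's code; paths, digests and file
# contents below are constructed stand-ins, not values from Appendix B.

def sysv_sum(data: bytes) -> int:
    """16-bit System V 'sum' checksum: a plain byte sum with carry folding.
    It depends only on which byte values occur, not on their order."""
    s = sum(data)
    r = (s & 0xFFFF) + ((s & 0xFFFFFFFF) >> 16)
    return (r & 0xFFFF) + (r >> 16)

def file_digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a file's contents (any hashlib name, e.g. 'sha256')."""
    return hashlib.new(algo, data).hexdigest()

def parse_baseline(text: str) -> dict:
    """Parse 'digest  path' lines (md5sum/Appendix-B style) into a dict."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        baseline[path.strip()] = digest.lower()
    return baseline

def check_files(baseline: dict, files: dict, algo: str = "md5") -> dict:
    """Compare each baseline entry with the contents in `files`
    (path -> bytes); returns path -> 'OK', 'MISMATCH' or 'MISSING'."""
    report = {}
    for path, expected in baseline.items():
        data = files.get(path)
        if data is None:
            report[path] = "MISSING"
        elif file_digest(data, algo) == expected:
            report[path] = "OK"
        else:
            report[path] = "MISMATCH"
    return report

def swap_bytes(data: bytes, i: int, j: int) -> bytes:
    """Return a copy of `data` with the bytes at positions i and j exchanged."""
    buf = bytearray(data)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)

# Constructed stand-in for a system binary, and a copy in which two bytes
# have been transposed: the kind of change a byte sum cannot see.
ORIGINAL = b"\x7fELF" + bytes(range(256)) * 4
TAMPERED = swap_bytes(ORIGINAL, 20, 300)   # byte values 16 and 40 swapped

# Constructed baseline in the advisory's "digest  path" form.
BASELINE_TEXT = ("# constructed baseline, not CERT's Appendix B\n"
                 f"{file_digest(ORIGINAL)}  /bin/login\n"
                 f"{file_digest(ORIGINAL)}  /usr/etc/in.telnetd\n")

def compare_weak_and_strong(a: bytes, b: bytes) -> dict:
    """Does each checksum tell the two files apart?"""
    return {"sum_detects": sysv_sum(a) != sysv_sum(b),
            "md5_detects": file_digest(a) != file_digest(b)}

if __name__ == "__main__":
    print(compare_weak_and_strong(ORIGINAL, TAMPERED))
    files = {"/bin/login": TAMPERED}          # in.telnetd deliberately absent
    report = check_files(parse_baseline(BASELINE_TEXT), files)
    for path, status in report.items():
        print(f"{status:8s} {path}")
```

MD5 has since been shown to admit deliberately crafted collisions, so the same checker should be run with `algo="sha256"` today; the structure of the check (trusted baseline, strong digest, explicit MISSING state) is what carries over.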