Subject: RISKS DIGEST 15.77
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 19 April 1994  Volume 15 : Issue 77

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

  Contents:
Risks ... to the quality of science: Clifford Truesdell (Michael Tobis)
Dial-in Electric Meter Readings Sans Safeguards (Scott Rose)
Stun belts -- who has the remote? (Jak Kirman)
Risks of Data Compression (Joe Decker)
TV Guide Contest (Agris Taurins)
Re: MIT student arrest (Dwight Silverman, Sidney Markowitz)
Re: Green-Card Flap [Risks, Lawyers] (Ed Clarke)
"Naissance d'un virus" by Ludwig/Condat (Rob Slade)
IFIP SEC '94 Program (Willis H. Ware)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Mon, 18 Apr 94 22:27:56 -0500
From: tobis@skool.ssec.wisc.edu (Michael Tobis)
Subject: Re: Risks ... to the quality of science (Ruderman, RISKS-15.75)

This issue was addressed in a remarkable essay by the eccentric and curmudgeonly fluid dynamicist Clifford Truesdell. The essay is called "The Computer: Ruin of Science and Threat to Mankind", in _An Idiot's Fugitive Guide to Science_, Springer-Verlag, 1984.

If the title is not temptation enough, the following is a list of subheadings in the essay, capitalization intact:

 1. Spatial Flight would have been Impossible without Computers.
 2. Spatial flight would have been impossible without the Classic Equations of Motion.
 3. Calculation without Classic Standards is Dangerous. A Computer is Incapable of Setting its own Standards.
 4. Computers have Harmed Science Already.
 5. Mathematics is the Science of Infinities. Computation is Essentially Finite.
 6. Computers Bring Power and the Abuses of Power. Advocates of Computing Seek to Destroy Mathematics.
 7. Computing Promotes Factual Fraud. It has Harmed Experimental and Applied Science in the Past and is Continuing to do so. By its Emphasis on Application of the Already Known, it can Delay Basic Discovery and thus Reduce the Field of Applications in the Future.
 8. Classic Theories used Inductive and Deductive Models. Computing Encourages Floating Models.
 9. Computing Promotes Logical Fraud. Computers Programmed to Confirm False Theory can Destroy Mankind.
10. Summary: Computers are Here to Stay. They Endanger Thought, Language, Science, and the Survival of Man. Like any other Dangerous Tool, they should be Put under Strict Controls.

[OK, perhaps it's a bit overdrawn, but I think anyone who intends to use computers to model nature should have a look at this remarkable jeremiad. mt]

------------------------------

Date: Tue, 19 Apr 1994 09:00:25 +0100
From: Scott Rose
Subject: Dial-in Electric Meter Readings Sans Safeguards

My electric utility-- Madison Gas and Electric-- has embarked upon a new meter-reading scheme that seems not to have been given a whole lot of thought.

Many of the electric meters in my neighborhood are not accessible from outside the house, so the chances of a meter-reader getting the data on a particular visit are quite low in this era of double-income households. In the old scheme, the meter-reader left a business-reply postcard after ostensibly determining that the customer wasn't home to allow access to the meter (in practice, the meter reader just leaves the card without notice, apparently having determined that the route can be finished more quickly without those pesky delays associated with actually determining that the customer isn't home, but that's a flame for another forum). The meter-reader fills in the meter number section of the card-- a six-digit number that uniquely identifies the meter-- the customer fills in the usage section of the card and drops it in the mail, and MG&E picks up the roughly $.30 tab for the reply card postage.
The new scheme is similar, except that instead of leaving a mail-in card, the meter-reader leaves a phone-in card. Customers each got a sample card in the mail the other day, and I decided to give it a trial run. Here's how the session went:

I dialed the number printed on the card and listened while the friendly voice described how to punch in my six-digit meter number after the beep. Having failed to determine my meter number, I punched in "111111".

The friendly voice asked me to verify that my street address was a particular four-digit number (that is now lost to memory) by pressing a particular key. It wasn't, of course, but I... ah... did. This is just a test run, right?

The friendly voice asked me to enter my meter reading. I punched in "1111".

The friendly voice thanked me for my cooperation and wished me a nice day. Is it relevant that the rest of the day *was* relatively nice for me?

The upsides for The Company are quite apparent: the customer picks up the $.06 cost of the call, while the Company saves both the postage and keypunch costs.

The Big Risk that was apparent to me in this system was that the friendly voice presented me with my street address and asked me to verify it, rather than the reverse. It's nice that they gave a bit of thought to verifying input, but isn't this approach a bit like presenting a computer user with the account password after the user name is typed and asking if it's correct? While it is true that there is no computer account to be hacked on the other side of this authentication mechanism (which is a strong malice motivator in the case of computer accounts), it is also true that there are hearts full of mischief in this world and big electric bills to be paid or protested if this system is implemented as proposed.

BTW, in the same mailing was a proposal for an alternate meter-reading scheme.
The customer simply provides The Company with a copy of the key to the home, and the meter-reader simply lets self into the home to read the meter as necessary. Who can spot the risks in this one?

-Scott Rose

------------------------------

Date: Thu, 14 Apr 94 00:10:31 +0100
From: Jak Kirman
Subject: Stun belts -- who has the remote?

AP and NBC reported recently on the use of REACT belts by police. Strapped around a prisoner's waist, the belts can deliver a 50,000-volt, 4-6 mA current to the prisoner's back muscles, enough to incapacitate the prisoner. They are activated by "a remote control like a garage-door opener". These belts are used on prisoners in transit and in court.

The reports supplied no details concerning the communication between the remote device and the belt. I wonder how much thought the designers gave to the possibility of unauthorized activation of the belt, e.g. by friends of the victim or simply out of malice. Judging by the footage on the NBC clip, it would be very hard indeed to get the belt off a prisoner who was being zapped by some unknown person.

If the remote device actively transmits start and stop commands, it might also be possible for an associate of the prisoner's to inhibit or curtail authorized activation; this would put the prisoner at a substantial advantage in an attempt at escape, since prisoners wearing the belt are not hand-cuffed, and are presumably not expected to make a run for it.

Can anyone supply technical details that would clarify the risks?

Jak Kirman  jak@cs.brown.edu

------------------------------

Date: Mon, 11 Apr 94 11:06:05 PDT
From: joe@synaptics.com (Joe Decker)
Subject: Risks of Data Compression

An article in the most recent issue of _Weatherwise_ magazine contained a description of a system under development to send weather radar images to general aviation via data compression.
One technique apparently used to minimize bandwidth was to not provide distinctions between the highest radar reflectivity levels, the idea being (according to the article) that you wouldn't want to be in a light plane in any of them. This neglects the RISK that you already are in one of them.

A more insidious RISK was not noted in the article. Many image compression methods result in images with misleadingly high amounts of detail. Such images could mislead pilots into making decisions based on false detail in the decompressed images.

Image compression in safety-related applications clearly demands caution.

joe decker  @synaptics.com  @alumni.caltech.edu

------------------------------

Date: Tue, 19 Apr 1994 23:36:49 GMT
From: neodata!taurins@sterling.com (Agris Taurins)
Subject: TV Guide Contest

Is it just me, or has anyone else noticed the TNG contest in the April 23-29 issue of TV Guide? As contests go, it's nothing terribly special. The winner(s) get flown out to Hollywood to watch the final episode. The most interesting item follows, directly out of the "Official Rules":

  ...To enter the sweepstakes electronically: Send your responses by April 29, 1994, to tvgtrek@delphi.com. Include name, address and telephone number, along with the answer to each of the seven questions. Sponsor not responsible for computer malfunctions; late, lost, or misdirected mail.

Earlier in the rules it states "Enter as often as you wish but limit one entry per envelope." The only "out" they might have is another line stating that "No mechanical reproductions will be accepted." But since they've explicitly stated that they're accepting electronic entries, I would think that it doesn't apply.

How many mailer daemons do you think will be spinning out there? How soon will it be (if it hasn't happened already) before the mail spool on delphi overflows?
Agris Taurins  (402) 697-8006  taurins@neodata.uucp  ...uunet!sparky!neodata!taurins

------------------------------

Date: Mon, 18 Apr 94 21:52:54 CDT
From: Dwight.Silverman@chron.com (Dwight Silverman)
Subject: Re: MIT student arrest (Cohen, RISKS-15.76)

Frederick B. Cohen, writing in the RISKS digest, muses about the case involving the MIT student arrested for having a BBS that made commercial software available. Cohen implies that the student was unaware of the nature of the material at the site, an implication that I cannot let go unchallenged.

According to news reports about details in the indictment, the student not only was aware of what was being posted, but posted a public notice asking that the existence of the site not be trumpeted. The indictment, according to the reports, indicated he was more than just a "patsy."

Should MIT be "arrested," as Cohen suggested, because of the presence of this site on their machines? No, any more than a phone company can be arrested because of telephone fraud.

I've also seen comments on the Internet that those who uploaded the software should be arrested, as well. That's probably true, but it's not that easy. Again, according to news accounts, many of those who contributed to "Cynosure," as it was called, used anonymous account services to do so.

The RISK? Appear to be breaking the law, and you'll end up in a lot of trouble. It doesn't get much simpler than that.

Dwight Silverman, The Houston Chronicle  dwight.silverman@chron.com

------------------------------

Date: Mon, 18 Apr 1994 19:14:07 -0700
From: sidney@apple.com (Sidney Markowitz)
Subject: Pointer to details on arrest of MIT student (Cohen, RISKS-15.76)

[sidney markowitz  SK8Board Punk Rocket Scientist
 Advanced Technology Group, Apple Computer, Cupertino, CA 95014]

Here is a pointer to information about the case of the MIT student who was arrested recently.
Although it is a solicitation for a legal defense fund, it contains presentations from both sides of the case and will be of interest to anyone who is interested in the broader political, moral and RISKy issues that are involved. In particular, this is not a simple case of software piracy or computer "hacking". The student is not being accused of copying copyrighted software, but only of operating a BBS that others used for that purpose. He is being charged under wire-fraud laws, being applied in a manner that is unusual, to say the least.

The following can be accessed via Mosaic or other World Wide Web client using the URL address

   http://martigny.ai.mit.edu/dldf/home.html

Here's a quote extracted from the home page so you can see what is available there. In the actual Web version, the bulleted items at the end are hot links to their respective files.

  The David LaMacchia Defense Fund was organized to ensure that David LaMacchia gets a fair trial. LaMacchia has been indicted by the federal government for conspiracy to commit wire fraud. "This is the first time in Massachusetts that the wire fraud statute has been used in a computer bulletin board case," said Stephen Heyman, deputy chief in the US attorney's office. That makes the case interesting, law-making, and very expensive. An unfortunate side-effect of our common law system, where laws are made by decisions in particular cases, is that an individual involved in a constitutional test case is faced with the certainty of staggering legal bills as well as the possibility of imprisonment and fines.

  Contributions to the Fund will be used to defray a portion of LaMacchia's legal expenses. The Fund spends nothing on advertising, salaries, promotions, etc.; 100% of contributions are used for legal defense. The Fund takes no position on the merits of either side's case.

  Information from both sides
  * The Indictment
  * U.S. Attorney's April 7, 1994 press release
  * Response of Defense Counsel, April 8, 1994
  * Issues Primer (from Defense Counsel), April 11, 1994

------------------------------

Date: Tue, 19 Apr 94 11:20:50 EDT
From: clarke@watson.ibm.com (Ed Clarke)
Subject: Re: Green-Card Flap [Risks, Lawyers] (PGN, RISKS-15.76)

PGN omitted the quantity of mail that indirect.com received; 100 megabytes! They crashed of course as most systems would when presented with that kind of a mail overload. You also did not mention that this was the second time that they'd tried this trick (only about a hundred groups last time) and that they deliberately did not return the signed agreement that forbids this kind of abuse. Posting their local phone number and FAX !!!! number was kind of cute though. Many more calls and faxes are going to the Tenn. Bar Association since that's where they are licensed.

By the way, you can add my (home) system to the "crashed" list. I get about 35 meg of compressed news per day, it jumped to 45 meg compressed and I ran out of inodes. Loss of news is similar to a crash. My down stream sites aren't going to see it, so it's loss of service anyway. The minor 5000 crossposts could be absorbed (at my site), but the huge amount of complaints in every bloody group killed me.

Reminds me of the ping-pong ball demonstration of nuclear fission that was shown on TV when I was a kid. One ball gets tossed into a room full of ping-pong balls on mouse traps ... boom!

Ed Clarke  clarke@acheron.UUCP  clarke@watson.ibm.com

------------------------------

Date: Tue, 19 Apr 1994 10:06:47 -0600 (MDT)
From: "Rob Slade, Ed. DECrypt & ComNet, 604-984-4067"
Subject: "Naissance d'un virus" by Ludwig/Condat

BKNAISDV.RVW   940113

"Naissance d'un virus", Ludwig translated by Condat

I have previously reviewed Ludwig's original book (cf BKLUDWIG.RVW) and, basically, everything applies to this as well. I have only two brief comments to make on the translation.
I am rather surprised that a publishing house with the stature of Addison-Wesley took this on. I note that the promotional material which came with the book states that the original was banned for export from the United States. Even allowing for marketing hyperbole, they must have known that it would give rise to some kind of difficulties. As, indeed, it did: a recent court challenge has attempted to ban distribution of the book. I haven't yet heard the outcome. (I also note that the book is supposed to help you choose antiviral software: didn't they even read it first?)

The second addresses the issue of the educational value of the book. As previously noted, the text sections leave a great deal to be desired in terms of pedagogy. The viral code, however, is intact, and unchanged. All the comments are still in English.

(I am very amused to note that the French translation of "computer virus"-- What? No, of course not. Don't be naive.--is CPA, standing for either "codes sources autopropageables" or "codes parasites autopropageables". This side of the pond CPA means a different sort of parasite.)

copyright Robert M. Slade, 1994   BKNAISDV.RVW   940113

Vancouver Institute for Research into User Security  Canada V7K 2G6
Robert_Slade@sfu.ca  rslade@cue.bc.ca  p1@arkham.wimsey.bc.ca  p1@CyberStore.ca

------------------------------

Date: Fri, 08 Apr 94 11:29:46 PDT
From: "Willis H. Ware"
Subject: IFIP SEC '94 Program

  [Excerpted from long message by PGN]

The Tenth International Conference on Information Security - IFIP SEC'94

FOR FULL BROCHURE, CONTACT THE FOLLOWING:
  FAX: IFIP SEC'94 SECRETARIAT +599 9652828
  OR AIRMAIL TO: IFIP SEC'94 SECRETARIAT, POSTOFFICE BOX 4066, WILLEMSTAD - CURACAO, NETHERLANDS ANTILLES, CARIBBEAN
  OR EMAIL TO: < TC11@IAIK.TU-GRAZ.AC.AT >

Organized by Technical Committee 11 of the International Federation for Information Processing, IFIP/TC 11 - in cooperation with the Special Interest Group on Information Security of the Dutch Computer Society - and hosted by the Caribbean Computer Society.

IFIP SEC'94, MAY 23-27, 1994
ITC PISCADERA BAY, CURACAO, DUTCH CARIBBEAN
INTERNATIONAL PROGRAM
Dynamic Views on Information Security in Progress

***ABOUT THE TENTH INTERNATIONAL INFORMATION SECURITY CONFERENCE***

This event is the Tenth in a series of conferences on information security. Something to celebrate. The organizers have compiled a truly exceptional, unique, and especially upgraded conference in a setting suitable for celebrating its Tenth birthday. Over 75 sessions will cover just about all aspects of information security, on a senior and advanced level. The formal language of SEC'94 is English. The proceedings are published by Elsevier North Holland in its acclaimed series.

***INVITED PRESENTATIONS***

Computer based cryptanalysis: man versus machine approach, by Dr. N. Balasubramanian, former director of the Joint Cipher Bureau/Cryptographic Services of the Department of Defense of the Government of India.

Establishing a CERT: Computer Emergency Response Team, by Kenneth A. van Wyk, manager Assist team, Defense Information Security Agency of the Department of Defense, United States

Privacy aspects of data travelling along the new 'highway', by Wayne Madsen, scientist Computer Science Corp., United States

Issues in designing and implementing a practical enterprise security architecture, by Ross Paul, manager information security, the Worldbank, United States

(keynote and other invited speakers to be announced by special bulletin)

IFIP TC 11 position paper in discussion: Security Evaluation Criteria, by H. Schoone, Netherlands

Special TC 11 Working group sessions:
  11.8 Computer Security Education, chair: Em. Prof. Dr. Harold Highland
  11.1 IT Security Management, chair: Prof. S.H. von Solms (S. Africa)
  11.5 System Integrity and Control, chair: William List (UK)

Special Appearance: Information Warfare: waging and winning conflict in cyberspace, by Winn Schwartau (US)

Panel discussion: Panel discussion of the editors of Elsevier's journal Computers and Security, chaired by John Meyer, Elsevier (UK), editor

Extended UNIX tutorial: Unix meets Novell Netware, by Kevin H. Brady, Unix Systems Lab. (US)

Extended virus tutorial:
  Technologically enabled crime: shifting paradigms for the year 2000, by Sara Gordon (US)
  Viruses: What can we really do?, by Prof. Henry Wolfe (New Zealand)
  Future trends in virus writing, by Vesselin V. Bontchev (Bulgaria/Germany)
  Viral Tidings, by A. Padgett Peterson (US)
  Integrity checking for anti viral purposes, by Yisrael Radai (Israel)

Special appearance: *title to be announced*, Prof. Eugene Spafford (US)

***REFEREED PRESENTATIONS***

Operations Security: the real solution to the problem - A. Don Temple (US)
Security in virtual reality: virtual security - Amund Hunstad (Sweden)
Prohibiting the exchange attack calls for hardware signature - Prof. Reinhard Posch/Wolfgang Mayerwieser (Austria)
Towards secure open systems - Dr. Paul Overbeek (Netherlands)
A security officer's workbench - Prof. Dennis Longley/Lam For Kwok (Australia/Hong Kong)
An introduction to Citadel: a secure crypto coprocessor for workstations - Dr. Elaine Palmer (US)
On the calculation and its proof data for PI 10-9th - Shengli Cheng et al. (P.R. of China)
Securenet: a network oriented intelligent intrusion prevention and detection system - Ass. Prof. Dimitris Gritzalis et al. (Greece)
A methodology for the design of security plans - Drs. Fred de Koning (Netherlands)
An open architecture for security functions in workstations - Stefan Santesson (Sweden)
Security systems based on exponentiation primitives, TESS - Prof. Thomas Beth (Germany)
The structure and functioning of the COST privacy enhanced mail system - Prof. Sead Muftic, Nada Kapidzic, Alan Davidson (Sweden)
The need for a new approach to information security - Dr. Jean Hitchings (UK)
A Practical database encryption system - Prof. C. Chang/Prof. D. Buehrer (Taiwan, ROC)
Security analysis and strategy of computer networks - Jie Feng et al. (P.R. of China)
Information Security: legal threats and opportunities - Dr. Ian Lloyd (Scotland)
Secure communication in LAN's using a hybrid encryption scheme - Prof. Mahmoud El-Hadidi, Dr. Nadia Hegazi, Heba Aslan (Egypt)
Secure Network Management - Bruno Studer (Switzerland)
Ramex: a prototype expert system for computer security risk analysis and management - Prof. Peter Jarratt, Muninder Kailay (UK)
The need for decentralization and privacy in mobile communications networks - D.I. Frank Stoll (Germany)
Is lack of quality software a password to information security problems? - Dr. Peter Fillery, Nicholas Chantler (Western Australia)
Smart: Structured, multidimensional approach to risk taking for operational information systems - Ing. Paul van Dam, et al. (Netherlands)
IT Audit: the scope, relevance and the impact in developing countries - Dr. K. Subramanian (India)
Program structure for secure information flow - Dr. Jingsha He (US)
Security, authentication and policy management in open distributed systems - Ralf Hauser, Stefano Zatti (Switzerland/Italy)
A cost model for managing information security hazards - Love Ekenberg, Subhash Oberoi, Istvan Orci (Sweden)
Corporate computer crime management: a research perspective - Dr. James Backhouse (UK)
A high level security policy for health care establishments - Prof. Sokratis Katsikas, Ass. Prof. Dimitris Gritzalis, et al. (Greece)
Moss: a model for open system security - Prof. S.H. von Solms, Dr. P van Zyl, Dr. M. Olivier (South Africa)
The risk-based information system design paradigm - Dr. Sharon Fletcher (US)
Evaluation of policies, state of the art and future research directions in database security - Dr. Guenther Pernul, Dr. A.M. Tjoa (Austria)
Exploring minimal BAN logic proofs of authentication protocols - Anish Maturia, et al. (Australia)
Security concepts for corporate networks - Prof. Rolf Oppliger, Prof. Dieter Hogrefe (Switzerland)
The security process - Jeanette Ohlsson (Sweden)
On the security of Lucas function - Dr. C.S. Laih (Taiwan RoC)
Security considerations of content and context based access controls - Donald Marks, Leonard Binns, Peter Sell, John Campbell (US)
Anonymous and verifiable databases: towards a practical solution - Prof. Jennifer Seberry, Dr. Yuliang Zheng, Thomas Hardjono (Australia)
A decentralized approach for authorization - Prof. Waltraud Gerhardt, Burkhard Lau (Netherlands)
Applying security criteria to a distributed database example - Dr. Marshall Abrams, Michael Joyce (US)
A comparison of international information security standards based on documentary microanalysis - Prof. William Caelli, Em. Prof. John Carroll (Australia/Canada)
Security in EDI between bank and its client - Pauli Vahtera, Heli Salmi (Finland)
Secure information exchange in organizations - D.I. Ralph Holbein (Switzerland)
A framework for information system security management - Helen James, Patrick Forde (Australia)
The security of computer system management - Xia Ling et al. (P.R. of China)
Development of security policies - Jon Olnes (Norway)
Factors affecting the decision to report occurrences of computer abuse - John Palmer (Western Australia)
Secure manageable remote access for network and mobile users in an open on-line transaction processing environment - Dr. James Clark (Singapore)

------------------------------

Date: 15 April 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA) with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military and Government machines should contact (Dennis Rears). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, send requests to (not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR>cd risks:<CR>
Issue j of volume 15 is in that directory: "get risks-15.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 14, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00. "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. WAIS and bitftp@pucc.Princeton.EDU are alternative repositories; risks-15.75 gives WAIS info.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 15.77
************************