Subject: RISKS DIGEST 16.12
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 8 June 1994  Volume 16 : Issue 12

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

Contents:
RISKS OF RISKS again (PGN)
Hazards of the real-time switchover of a prison system (Ray T. Stevens)
Campaigns and Elections (Phil Agre)
Library fines unstoppable after earthquake (Geoff Kuenning)
Flames and viruses in e-mail - article in the New Yorker (Martin Minow)
Tetris addiction? (Mich Kabay)
Re: Closed Doors in Glasgow - Trapped Guard Dies in Fire (John Vilkaitis)
Re: Risks of too-simple responses (UK ATM Spoof) (Henry J. Cobb,
    Mathew Lodge, Jerry Leichter)
Re: Clipper (Gene Spafford, Sidney Markowitz [2], A. Padgett Peterson,
    Paul Carl Kocher)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Wed, 8 Jun 94 12:00:01 PDT
From: "Peter G. Neumann"
Subject: RISKS OF RISKS again

Sorry for the inconvenience on RISKS-16.11 for those of you who got a truncated original, and apologies for the duplicate in case any of you actually got an untruncated original copy. Our gateway was timing out on even moderately sized outgoing mail and FTPed files (also preventing me from updating the CRVAX archive copy).

------------------------------

Date: 04 Jun 94 15:56:30 EDT
From: "Ray T. Stevens" <74074.1746@CompuServe.COM>
Subject: Hazards of the real-time switchover of a prison system

Our local newspaper, The Herald Times, had a several page spread on the problems relating to a switchover of the local prison to a new control system. Given the length of the spread, and considering that most of it was human interest and not technical, I summarize it here.

The prison is being switched from a mechanical to a fully automated system, and this is being done while it contains prisoners. The jailers are complaining about huge amounts of overtime, and spending the whole day "on a dead run".

One incident of a technology breakdown was especially insightful. The lights are going to be controlled by this new system, and the wiring for the new system must be run through some of the old wire traces. In order to safely install the new wiring, the existing wiring had to be disconnected, for both the lights and an intercom system so that inmates can contact the guards for requests. To maintain functionality, temporary wiring was used to replace the existing wiring for the lights. To save money, no on-off switches were included. The prisoners must sleep with the lights on. One of the prisoners has sued, requesting release because of cruel and unusual punishment. This has been rejected.

A more serious incident occurred with another prisoner. A light had started to burn out, but since it couldn't be turned off, it couldn't be changed, and it started blinking rapidly. One of the prisoners had epilepsy, and the blinking light triggered a seizure. The inmate's injuries were exacerbated by the other prisoners not being able to call for help. Pounding on the cells did no good, as this is a common sound in the prison. A lawsuit is in progress.

Another prisoner is now using this as grounds for his immediate release. He has a heart condition, and is claiming that this situation puts him too much at risk. No ruling yet.

I see one more lawsuit from this. The best defence in a criminal case is frequently delay. I can see what may be a very valid comment from a defendant's lawyer. "I must request a continuance on the basis of temporary incompetence of my client. The county has been illegally depriving my client of sleep, and he is now too sleepy to competently participate in his own defence."
Under the right circumstances, I would say this might be worth about a two-month delay.

------------------------------

Date: Mon, 6 Jun 1994 18:09:55 -0700
From: Phil Agre
Subject: Campaigns and Elections

I encourage everyone to have a look at an issue of the magazine "Campaigns and Elections". It's a monthly, sold at many newsstands (in the US anyway), for the people who run political campaigns. Every issue includes numerous references to the growing role of computers in campaigning. Now I'm sure that this trend has its good sides and its neutral sides and its complicated sides. But inside the back cover of the May 1994 issue is an advertisement from a political software company whose headline is "The age of individual targeting is upon us". In other words, everyone gets their own personalized direct-mail pitch, based on a detailed database of information relevant to your likely political leanings.

One use of such databases is basic demographics for choosing issues to emphasize; another is deciding who should be approached personally and urged to vote. But a scarier use of such databases, not mentioned in the ad, is the tailoring of messages to individual voters. For example, a group of land developers in San Diego is promoting an initiative for tomorrow's primary election that would open up the last parcel of wild land in San Diego to development. Their campaign has been incredibly sophisticated, including numerous tactics that aren't relevant here. The part that *is* relevant here is a letter I received over the weekend encouraging me to vote Yes on the initiative. Along with the letter were two inserts containing endorsements from the leader of the local AFL-CIO and a Hispanic city council member from another district. Did the guy around the corner with the "Rush is Right" bumper sticker get the same inserts? He didn't have to, if the developers had access to a suitably "enriched" database.
In the future you won't even have to bother putting together a coherent coalition; just find out what everybody's hot issues are and make them all whatever promises you need to make, one by one, the Saturday before the election, so nobody has time to compare notes.

Campaigns and Elections, 1511 K St NW #1020, Washington DC 20005, USA. Subscriptions $30/year in the US, write for prices elsewhere.

Phil Agre, UCSD

------------------------------

Date: Tue, 31 May 94 13:31:29 -0700
From: geoff@FICUS.CS.UCLA.EDU (Geoff Kuenning)
Subject: Library fines unstoppable after earthquake

From an article by Rebecca Bryant in the Los Angeles Times Valley Section, Thursday May 19th:

The Los Angeles City library system is sending out overdue notices for books that had been checked out before the January 17th earthquake. The only problem is that readers have been told that they can hang on to their books until the damaged branches reopen. "Now wait a minute," writes Bryant. "Who[m] do you believe? The library? Or, uh, the library?"

The problem arose because the computer system used to generate the notices does not allow notices to be selectively disabled based on the branch at which the book was originally checked out. The only way to stop the notices would be to stop sending notices for all branches. But many branches remain open, and of course there are always delinquent readers.

According to Robert Reagan, a library spokesman, the system is due to be replaced soon. Although the article does not state this explicitly, there is an implication that the new system will support better per-branch control.

This is in many ways not just a computer risk. The original programmers, designing an integrated system, can be forgiven for failing to predict the day when their customers would want to shut down only half of it, based on unforeseen criteria. Furthermore, it is easy to imagine an integrated manual system with the same (if you will excuse the expression) fault.
Nevertheless, readers are confused and the library is embarrassed. I guess it's a pretty minor, though amusing, footnote to a major disaster.

Geoff Kuenning geoff@ficus.cs.ucla.edu geoff@ITcorp.com

------------------------------

Date: Sat, 4 Jun 94 13:42:43 -0700
From: Martin Minow
Subject: Flames and viruses in e-mail - article in the New Yorker

RISKS readers might find John Seabrook's article in the June 6, 1994 issue of the New Yorker interesting. He had previously written a profile of Bill Gates, chairman of Microsoft (January 10, 1994) and received an obscene and obnoxious message from "a technology writer who does a column about personal computers for a major newspaper."

In true New Yorker tradition, Seabrook used this message as a vehicle to comment on network etiquette and on the possibility that some strange aspects of the message might indicate that the message contained a "worm" or "virus." (My own reading of the evidence presented is that there is nothing to worry about.)

Of particular interest to Risks readers might be Seabrook's fear that any strangeness in the message might indicate an attack, and on the general way in which extending the net to "an estimate twenty-three million users ... ten million of which have come on-line in the last nine months" has affected the culture of network communications.

RISKS readers -- at least those of us who have been around since the net was a self-regulated anarchy -- will find his comments on the way this anarchy is, or soon will be, dying away very interesting.

Martin Minow minow@apple.com

------------------------------

Date: 28 May 94 21:41:39 EDT
From: "Mich Kabay [NCSA Sys_Op]]" <75300.3232@CompuServe.COM>
Subject: Tetris addiction?

From a Canadian newspaper, _The Globe and Mail_, 28 May 1994, p.
D1: <> by Jim Carlton of the Wall Street Journal <>

The author continues with the following key points: <>

o Nintendo estimates that 40% of the purchasers of its handheld video game, Game Boy, are women--twice the percentage of woman buyers of other game machines. Nintendo guesses that the difference may be due to the Tetris game bundled into the Game Boy.

o Several anecdotes are presented about women who enter trance-like states as they play the game.

o Seattle psychologist Barbara Mackoff works for Nintendo; she thinks that busy women see Tetris as "a mind-soothing break."

o Gini Graham Scott is a sociologist from Oakland, CA who also works for Nintendo. She wonders if "neatly aligning Tetris' falling clusters" is peculiarly satisfying to women because of their "craving for order."

o Dr Scott also wonders if Tetris appeals to women's "holistic way of seeing things."

o Dr Mackoff warns that playing compulsively with Game Boy can lead to "driven, pleasureless participation that excludes socializing and other creative forms of relaxation."

o One woman wrote to Nintendo in alarm because her mother, a 66-year-old retired teacher, now spends an average of five hours a day playing Tetris. Her reading has fallen from two books a week to two books a month. Her mother doesn't think there's anything wrong.

<>

[MK comments:

1) There is no convincing evidence provided in this article about the supposedly different rates of addiction or compulsion to Tetris by men and by women. The article simply relates anecdotes and speculation.

2) Professor Mihaly Csikszentmihalyi of the University of Chicago has been studying what he terms "autotelic" behaviour for many years. Examples include computer programming, rock-climbing, many competitive sports, running, making models and so on. The essential attributes of an autotelic activity are that it is repetitive, is at the limits of one's skill, and provides many opportunities for measuring progress or achievement.
When in the midst of an autotelic activity, Prof. Csikszentmihalyi explains, one loses track of time and even of normal body responses such as hunger or tiredness. Programmers who have said to themselves (or their spouses), "Just one more compile and then I'll come home" and then found themselves fourteen compiles and three hours later have experienced what Csikszentmihalyi calls "Flow" (the title of one of his recent books*).

Participating in this Forum, for example, is an autotelic activity. I have to consciously govern how often I log on to check on new messages. Left to uncontrolled impulse, I might end up online all the time--to the detriment of the rest of my life and with severe consequences for my marriage (here my wife concurs vigorously).

Computer games are analogous to any other kind of game. However--and this is sheer speculation--the combination of speed, colour, sounds and control may make the games even more likely to cause Flow than mechanical games do. Consider, for example, the attraction of mechanical pinball vs games with marbles; or of a mechanical shooting gallery compared with a video gun game.

Another factor may increase addictiveness: computer-controlled games often increase their difficulty as a function of the player's skill; this tendency puts them in line with Csikszentmihalyi's ideas about Flow.

I wonder if the propensity for flaming is an expression of Flow? Do people provide a positive feedback loop simply by seeing their own expressions of anger or dislike? Devoid of other people's reactions while they write, perhaps flamers reach a paroxysmal state of rage and bliss all by themselves.

Finally, the same phenomena may be part of the attraction of role playing games, discussed in RISKS some months ago in connection with a young man who became addicted to his fantasy world.]

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn

*Csikszentmihalyi, M. (1990). _Flow: The Psychology of Optimal Experience_.
Harper and Row (New York). ISBN 0-06-016253-8. xii + 303 pp.

------------------------------

Date: Sat, 4 Jun 1994 00:37:06 -0700
From: javilk@netcom.com (John Vilkaitis)
Subject: Re: Closed Doors in Glasgow - Trapped Guard Dies in Fire

Failure to provide a reliable emergency exit is usually a violation of local fire and other ordinances. The RISK is civil and criminal prosecution, not MERELY lost sales.

This, and many other seemingly senseless problems have at their root, a failure of the analyst to IMAGINE HIMSELF using the system. Sometimes this is the fault of the analyst, often it is simply because management refused to give the analyst (or the programmer) time to calmly "daydream" himself using the system and encountering typical situations and problems.

If you cannot imagine in your head what you are building, you RISK building trash, often dangerous trash.

"Imagination is more important than facts" - Albert Einstein

It takes both FACTS and IMAGINATION to build good systems, but no one seems to teach us to use the broader power of our imagination, insisting we use the far narrower term "THINKING".

-JVV- (J. Vilkaitis, javilk@netcom.com, 408-983-0518 voice/fax)

[John, I guess you have to be THIN-KING to slip through the emergency exit. See my article, Psychosocial Implications of Computer System Development and Use: Zen and the Art of Computing, in Theory and Practice of Software Technology, D. Ferrari, M. Bolognani, and J. Goguen, eds., North-Holland, 1983, for a discussion of how both left-brain and right-brain activities must be used and properly integrated. PGN]

------------------------------

Date: Wed, 1 Jun 1994 19:52:49 -0700
From: "Henry J. Cobb"
Subject: Re: Risks of too-simple responses (UK ATM Spoof) (RISKS-16.10)

Jerry Leichter suggests that ATMs be "hardened" to spoofery by reading the "noise" built into the card during manufacture rather than the digital signals encoded on them.

The risk to this is once the scanner that detects the noise is out in the field in large numbers, it becomes just another fixed system to spoof.

Before you counter with "We'll just push down to the quantum level!" consider if you'd want real people in the real world walking around with cards depending on this. (And please no "Are you displeased to see me, or is that just a quantum in your pocket?" jokes from the moderator.)

Digitally secure smartcards are not only the geek thing to do, they're the right thing to do.

As for the installed base of "dumb" cards, this can be wiped clean by proper legislation or simple liability. All that is needed is to abolish the NSA and go back to being a free nation.

------------------------------

Date: Fri, 3 Jun 94 17:22:47 BST
From: Mathew Lodge
Subject: Re: Risks of too-simple responses (UK ATM Spoof) (RISKS-16.10)

Perhaps Jerry has never been to France. All French credit cards are smart cards, and have been in mass use for several years now. The French don't seem to be having any problems with fragility or expense.

As to backward compatibility, this is solved by the extraordinarily simple measure of allowing the card readers to deal with both smart cards and ordinary magnetic stripe cards. Thus I can use my Visa card in France with no problem (the only difference is that there is no immediate validation using my PIN as there is for smart cards).

> In practice, my bet is that we will *never* see the replacement of magnetic
> stripe cards by smart cards.

I think this is a little too pessimistic.

Mathew Lodge, Software Engineer, Schlumberger Technologies, Ferndown, Dorset, UK, BH21 7PP lodge@ferndown.ate.slb.com) +44 (0)202 893535 x404

------------------------------

Date: Fri, 3 Jun 94 22:07:00 EDT
From: Jerry Leichter
Subject: Re: UK ATM Spoof (Cobb, Lodge, RISKS-16.12)

On Henry J. Cobb's fixed system to spoof:

We've been using pin-tumbler and mechanical combination locks for many, many years.
In fact, that's exactly what protects the money actually stored inside of ATM's - along with fairly simple electrical alarms, which haven't changed much in many years either. All "just another fixed system to spoof".

Clearly the only hope is "digitally secure smartcards", a technology that has seen all of 20 years worth of development and testing in the real world, against real attackers. By all means, let's convert everything immediately. After all, these new systems are based on *digital computers*! Clearly they are better, more secure! Computers never make mistakes, after all!

On Mathew Lodge's response to my statement ("In practice, my bet is that we will *never* see the replacement of magnetic stripe cards by smart cards."), saying that he thinks this is "a little too pessimistic":

As Mark Twain said, it's a difference of opinion that gives us horse races. (Well, he said it better, but I don't recall the exact words.) We've both made our predictions. I'll sharpen mine: Five years from now, smart cards will represent no more than 5% of the US market for bank and charge/debit cards; some variation of magnetic stripe technology will make up essentially all the remaining 95%. Shall we revisit this in 1999?

------------------------------

Date: Fri, 03 Jun 94 19:20:45 -0500
From: Gene Spafford
Subject: Clipper

In today's mail I got a glossy brochure extolling Clipper. It promises to "Expand your creative universe with real-world solutions."

Is it a new ploy by the government to subvert our privacy? No, it's an advertisement by a company named Dynamic Graphics for their CD-ROM clip art magazine. "Clipper" is their registered trademark.

I wonder if they registered the trademark recently? I would have pitched the flier immediately had I not noticed the word "Clipper" in large letters. I can't recall hearing about them before, either.... Has "Capstone" been registered yet, or "Tessera"?
:-)

On the other hand, it might be they had the name picked out over a year ago and their business will go south as a result of recent events.

The risk? Naming a product something catchy just before a government agency nicknames something unpopular the same name. (Alternatively, there's a risk in trying to avoid this -- naming a product "Fascist Thought Control" is likely safe from collision, but won't help sales. :-)

------------------------------

Date: Fri, 3 Jun 1994 20:14:29 -0700
From: sidney@taurus.apple.com (Sidney Markowitz)
Subject: Details of flaw in Clipper

I have seen lots of discussion about the New York Times report on Matt Blaze's discovery of a flaw in Clipper's key escrow system, with more confusion than anything else. Here is the best article that I have seen on the net explaining exactly what Dr. Blaze has found.

There's also confusion about the implications. My understanding is that this method might allow someone with a Clipper chip device to have a secure communication with another person with a Clipper device that could not be decrypted by law enforcement *and* it does not require the cooperation of the second person. That last part is what makes this significant, since two people can agree to just encrypt their messages with, say PGP, if they want to be secure from law enforcement decryption. But if Blaze's method is practical, the widespread use of Clipper would make it harder on law enforcement by making it easier than it is now for someone to have secure communication with people without having to plan with them to do so.

-- sidney markowitz

[begin quote of Message-ID: crossposted to sci.crypt, talk.politics.crypto, alt.policy.clipper]

[Run in RISKS with permission of "Perry E. Metzger" . PGN]

Many people have misconceptions about what Matt did. Based on his paper (no, you can't have a copy since he told me not to distribute it; I'm sure he'll release it when it's ready for prime time) and discussions with him, the trick is this.
[The Escrowed Encryption Standard is abbreviated as EES.]

The LEAF acts much as a key to tell the EES unit that it should function. It contains three elements:

1) the 32 bit unit id of the EES unit generating the LEAF
2) the 80 bit session key, encrypted in the escrowed key for that unit.
3) a 16 bit checksum based on the unencrypted session key and the initialization vector (IV) for the session.

All three components are concatenated to form a 128 bit unit, which is encrypted in the family key in order to produce the LEAF, reportedly using a unique mode of Skipjack.

The remote unit takes in the LEAF, decrypts it with the family key, and checks the cleartext session key and IV to see if they produce the proper 16 bit checksum. If so, it accepts the LEAF and functions properly. Note that the encrypted key inside the LEAF is useless to the remote EES since it doesn't have the other EES's escrowed key. It has to rely on the cleartext session key and IV alone to check that the checksum looks right.

Sadly for the NSA, the checksum is only 16 bits long. Given a session key and initialization vector, I can fairly quickly generate a large number of fake LEAFs (chosen at random) and find one that a captive EES unit will accept as being the right LEAF for a given session key/IV. The contents of the LEAF will be garbage, but the remote unit will not know that, and will happily go along with using it. I needn't know the family key, or even the checksum algorithm.

The point here is, of course, that I can freely interoperate with non-rogue EES units -- I can communicate with non-subverted units without revealing my privates hidden beneath the LEAF. (sorry for the pun.) [*]

By the way, Matt had to figure out the components of the checksum on his own -- the mechanism for calculating it and where it came from were not documented.

BTW, for those who have asked, in case the preceding didn't make it clear, can't you just reuse an old LEAF or a stolen LEAF because the session key/IV won't correspond and the checksum won't be right -- you have to generate and test.

Perry Metzger perry@imsi.com

[end quoted message]

[*] [Turning over a new LEAF is better than if you LEAF well enough alone, he suggested FIGuratively. PGN]

------------------------------

Date: Mon, 6 Jun 1994 19:29:45 -0700
From: sidney@taurus.apple.com (Sidney Markowitz)
Subject: Blaze's Clipper paper available via ftp

Matt Blaze is the AT&T researcher who has made the news recently for discovering a flaw in the Clipper protocol. I saw an announcement from him that a preliminary draft of his paper "Protocol Failure in the Escrowed Encryption Standard" is available via anonymous ftp from resarch.att.com in the file /dist/mab/eesproto.ps in PostScript format. He cautions that there will be a final version of the paper which will likely include additional material on the production version of the PCMCIA card, and that this draft is based on his examination of a prototype card.

-- sidney markowitz

------------------------------

Date: Sat, 4 Jun 94 22:35:29 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Flaw ? in Clipper

This has already gotten out of hand on the Usenet. In simplest terms, what Matt Blaze found is that it is possible to spoof a CLIPPER LEAF (law enforcement access field). IMHO this is almost meaningless since *both* ends will need to do this (AFAIR each side sends a LEAF. If only one LEAF is spoofed, it will just be necessary for a legal tapper to use the other one). Thus to be effective, both ends will need special spoofing equipment and in that case they might as well use something other than Clipper.

Even better use something different but prefix a valid Clipper LEAF. Right. Remember Occam's Gillette.

Dr. Blaze also mentioned that it would take about 20 minutes to come up with a valid checksum.
Much easier would simply be to record a valid LEAF from another chip and use that.

The most important element is that the SKIPJACK algorithm is in no way affected by this and is as strong as ever, only the government's ability to use the LEAF may be compromised.

I still expect the government to drop key escrow when the hardware is ready and that there will still be two means available to defeat Clipper available to the government - without using any backdoor/trapdoor and without any weakness in SKIPJACK (see my earlier postings - one is similar to the way GSM can be tapped now).

Personally, I feel that Clipper is a valuable mid-range low-announced-cost device that is "good enough for government work". PGP or triple DES used in combination with Clipper is a viable next step up.

Padgett

P.S. Anyone notice Enigma-Logic's announcement of a one-time-password-token emulation for the PC @ US$10/user (maybe less) ? Certainly an answer to sniffers.

------------------------------

Date: Tue, 7 Jun 1994 03:19:55 -0700
From: Paul Carl Kocher
Subject: Re: Flaw in Clipper detected (Huggins, RISKS-16.11)

Although I doubt people will modify devices with hard-wired Clipper chips, this seems to be a very serious blow to Tessera (the government's PCMCIA card with a Clipper chip).

Tessera has a standard programming interface that passes the programmer's calls to the encryption card. Any experienced assembly language programmer could easily add "support" for Blaze's technique for bypassing the LEAF (Law Enforcement Access Field) validation check. This could be done transparently and without significantly impacting performance. It could also fix up the side effects of the attack (e.g. the first block is bad in CBC mode, etc).

Under MSDOS this could be done with a TSR that would intercept calls to the card directly, so it would work with all Tessera applications. The same TSR could also substitute pre-computed and/or brute-forced LEAFs for interoperability with non-cheating users.

We were told that the reason for having escrowed keys and a secret algorithm was to keep terrorists from having strong crypto. Now the bad guys have full-strength SkipJack, the public has a flawed "standard," and because the algorithm is classified we can't look for other problems.

I'm also wondering what's going on inside NSA -- DSS originally had alarmingly-small keys and has been widely criticized, SHA was defective, and now this...

-- Paul Kocher kocherp@leland.stanford.edu

------------------------------

Date: 31 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

EXCERPT. SEE OTHER ISSUES FOR FULL STATEMENT.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. [...]

ARCHIVES: "ftp crvax.sri.comlogin anonymousYourName cd risks: Issue j of volume 16 is in that directory: "get risks-16.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j.
Vol i summaries in j=00, in both main directory and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; =CarriageReturn; FTPs may differ; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories.

------------------------------

End of RISKS-FORUM Digest 16.12
************************
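
An added illustration, not part of the digest and not code from Blaze, Metzger or the EES: a toy Python model of the LEAF check described in Perry Metzger's quoted message, showing that a receiver able to verify only the 16 bit checksum accepts about one random 128 bit block in 2^16, and rejects a LEAF made for a different session. Assumptions: keyed BLAKE2b in a Feistel construction stands in for Skipjack, the escrow encryption and the undocumented checksum; all keys, ids and the IV size are constructed; `check_bits` is an added knob so the rate can be measured quickly at 8 bits.

```python
import hashlib
import random

# Constructed keys; the real family key and algorithms were not public.
FAMILY_KEY = b"constructed family key"
CHECKSUM_KEY = b"constructed checksum key"


def prf(key, data, nbytes):
    """Keyed BLAKE2b, the stand-in primitive for every secret function here."""
    return hashlib.blake2b(data, key=key, digest_size=nbytes).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def family_encrypt(block):
    """Toy 128-bit block cipher (4-round Feistel) standing in for Skipjack."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, prf(FAMILY_KEY, bytes([rnd]) + right, 8))
    return left + right


def family_decrypt(block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, prf(FAMILY_KEY, bytes([rnd]) + left, 8)), left
    return left + right


def checksum16(session_key, iv):
    """16-bit checksum over the cleartext session key and IV (stand-in)."""
    return prf(CHECKSUM_KEY, session_key + iv, 2)


def make_leaf(unit_id, unit_key, session_key, iv):
    """Sender: unit id (32 bits) || escrowed session key (80) || checksum (16)."""
    escrowed = xor(session_key, prf(unit_key, b"escrow" + iv, 10))
    body = unit_id.to_bytes(4, "big") + escrowed + checksum16(session_key, iv)
    return family_encrypt(body)


def receiver_accepts(leaf, session_key, iv, check_bits=16):
    """Receiver: decrypt with the family key and verify only the checksum.
    It lacks the sender's unit key, so the escrowed key field goes unchecked."""
    field = int.from_bytes(family_decrypt(leaf)[14:], "big")
    expected = int.from_bytes(checksum16(session_key, iv), "big")
    shift = 16 - check_bits          # 0 for the 16-bit check in the text
    return field >> shift == expected >> shift


def acceptance_rate(check_bits, trials, seed=1994):
    """Fraction of uniformly random 128-bit blocks that pass the check."""
    rng = random.Random(seed)
    session_key = rng.getrandbits(80).to_bytes(10, "big")
    iv = rng.getrandbits(64).to_bytes(8, "big")
    hits = 0
    for _ in range(trials):
        candidate = rng.getrandbits(128).to_bytes(16, "big")
        hits += receiver_accepts(candidate, session_key, iv, check_bits)
    return hits / trials


def expected_candidates(check_bits):
    """Mean number of random blocks examined before one passes the check."""
    return 2 ** check_bits


if __name__ == "__main__":
    key, iv = bytes(range(10)), bytes(8)
    leaf = make_leaf(0x1234ABCD, b"constructed unit key", key, iv)
    print("genuine LEAF accepted:", receiver_accepts(leaf, key, iv))
    print("same LEAF, other session:", receiver_accepts(leaf, bytes(10), iv))
    print("measured rate at 8 bits:", acceptance_rate(8, 20000), "vs", 1 / 256)
    for bits in (16, 32, 64):
        print(bits, "bit check -> about", expected_candidates(bits), "candidates")
```

The work needed to pass the check doubles with every added checksum bit, which is why a 16 bit field gives the receiver so little assurance about the rest of the LEAF.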