Subject: RISKS DIGEST 17.34
Reply-to: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Tues 12 September 1995 Volume 17 : Issue 34

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents:
Open letter to Geoff Greiveldinger, DoJ [key escrowed, export] (Carl Ellison)
Santa Cruz High gives me all-time low school spirit (Zane Bock via Michael D. Crawford)
Abandoned oil tank phone harasses MA woman for 6 months (Stephen McCallister)
Man Upset with Computer, Falls Through Window (Matthew Hunt)
Another Phony ATM (David Kennedy)
Initiative for better Usenet discussions (Bertrand Meyer)
"Building Internet Firewalls" by Chapman/Zwicky (Rob Slade)
Re: Voting by Phone in the Netherlands (Robert I. Eachus)
'Tis too a virus! (Rob Slade, A. Padgett Peterson, Kenneth Albanowski)
Re: $95000 withdrawn from bank (W. F. Linke)
Re: Self-disabling software (Bruce Limber)
Re: Password cracking 'improves' security (Bob Blakley III, Douglas W. Jones, Bear Giles)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 8 Sep 1995 22:11:13 -0700
From: Carl Ellison
Subject: Open letter to Geoff Greiveldinger, DoJ [key escrowed, export]

NIST (the National Institute of Standards and Technology) held a two-day public meeting on 6-7 September, 1995 to discuss Software Key Escrow as a possible means of achieving export of cryptography.

In the morning of 7 Sept, Geoff Greiveldinger of the Department of Justice gave a description of the kinds of crimes which DoJ wants to use wiretapping to solve. He closed this litany of lawbreaking with the assertion that software manufacturers don't want to provide products which allow such lawbreakers to keep their criminal evidence hidden from law enforcement.

I'm sorry to disillusion you, Geoff, but I *do* want to make such systems.
Would you have Ryder stop renting trucks because some terrorist decided to fill one with explosives and kill many innocent children? Would you have Americans stop making automobiles because bank robbers have been known to use cars for getaways? Would you have all new buildings constructed with FBI microphones in every wall because some criminals meet in private rooms in order to plan crimes?

When an American company sweeps its conference room for bugs, finds some and destroys them, it doesn't matter whether those bugs were planted by industrial spies or the FBI. The company has a right to eliminate them.

When that company ties two such conference rooms together by video-conference equipment and encrypts the line between them using strong link encryption, it is performing the same defensive operation in cyberspace. It is protecting itself from spies and it doesn't matter that the wiretaps it frustrates might be illegal ones by industrial spies or legal ones by the FBI. The right to attempt to achieve privacy is a long-standing one in this country and not one to allow to be lost.

When I design and build systems for privacy for my customers, I am providing products for law-abiding, honest people. I am aware of criminals, of course. Criminals are the threats against whom I protect my customers. These criminals are usually not in the government but that doesn't mean that I believe I should offer my honest customers up for a strip-search in cyberspace.

The law enforcement agencies of this free country have no right to expect blanket access to the ciphertext of citizens. It will take legislation to get that right and I will do everything in my power to keep such legislation from passing. Barring such legislation, I will make sure that honest American citizens have cryptography with which to attempt to maintain their privacy, even from the government.
We have the right to attempt to keep a secret from government agencies and continuous demonstration of that right is an important part of this free country.

On the other hand, I am sympathetic to law-enforcement officers. I have several friends in that business. I have asked my friends and acquaintances who do surveillance (2 IRS agents investigating organized crime for tax evasion; 2 undercover cops in Boston's highest drug neighborhood; 1 DEA agent in the midwest) if they ever encounter encrypted communications or files. They don't. Neither does anyone in their offices.

Of course, even if they did it would remain so important to preserve our right to attempt to keep secrets from the government that their frustration would just have to be accepted. The fact that this isn't a real problem makes my decision that much easier. I am left with no moral qualms at all.

In summary, criminals are so few that I will not design for them. I will not treat my vast majority of honest users as if they were criminals just because some criminal might someday use my product and frustrate you.

ObRisk: We run the risk of losing our fundamental right to attempt to keep a secret from the government -- a practice we need to preserve in order to protect ourselves from criminals in cyberspace. There are powerful forces in the US government attempting to cajole us into giving up that right.

[see http://www.clark.net/pub/cme/html/nist-ske.html for more on this subject]

------------------------------

Date: Sun, 10 Sep 1995 19:56:03 -0700
From: crawford@scruznet.com (Michael D. Crawford)
Subject: Santa Cruz High gives me all-time low school spirit

The following article by a Santa Cruz High student reports how the high school was unable to operate on the first day of school because of a breakdown in the computer system, so that schedules were unavailable.

Mike Crawford crawford@scruznet.com

[Excerpted starkly and spelcorekted.
Sorry, Zane (who ended his note with ``In every bad speller lies a genius.!'') PGN]

> Date: 10 Sep 1995 04:01:17 GMT
> From: zane@ns.sasquatch.com (Zane Bock)
> Subject: Santa Cruz High gives me all-time low school spirit
> Newsgroups: misc.education,alt.parents-teens,scruz.general,misc.kids
>
> ... there's a bunch of people on the lawn, and they all look
> shocked, or scared or just out of place. It seems that there has been a
> major breakdown with the new computer system and schedules for the
> students are currently nonexistent. So we are all turned away and given
> another day of summer. I guess that's not so bad, but the complete lack
> of a first day of school is enough to put even the passive students like
> me on the minutely shakey side.

------------------------------

Date: Mon, 11 Sep 1995 19:53:28 -0700
From: stevemc@eskimo.com (Stephen McCallister)
Subject: Abandoned oil tank phone harasses MA woman for 6 months

Certainly not the first such item seen in RISKS (Coke machines...), but you've got to admit that taking 6 months to identify the source of calls arriving every 90 minutes has to be some kind of record!

From CNN Web's "Fringe News - USA" page : http://www.cnn.com/US/Fringe/09-10/index.html

==========================================================================
The Fringe
September 10, 1995

Persistent oil tank hassles woman

BILLERICA, Massachusetts - For six months, a woman thought she was in tele-marketing hell. Every 90 minutes, her phone would ring, but the caller would never say a word.

The phone company eventually traced the calls to an abandoned oil tank in Maryland. It was rigged to call the oil company when the oil level was low, but the phone number was scrambled and it called her instead.
Stephen McCallister
Bothell, WA
stevemc@eskimo.com
http://www.eskimo.com/~stevemc/

------------------------------

Date: Tue, 12 Sep 1995 10:51:29 -0400 (EDT)
From: Matthew Hunt
Subject: Man Upset with Computer, Falls Through Window

In the Penn State _Daily_Collegian_, Sept. 12, 1995, p. 6:

Computer trouble results in fatal fall

NEWARK, Del. (AP) -- A University of Delaware student fell 13 floors to his death out of his dormitory window, apparently after he lost his balance when he put his fist through the glass in anger over computer trouble.

Robert Keepers, 19, of Spotswood, N.J., went through the 5-foot double-pane window early Saturday.

Keepers "got up and ran around the room in a pique of anger" and struck the window with his fist, said Tim Brooks, dean of students, citing the account of two students who were in Keeper's room during the accident.

Well, I had never considered this risk of incorrectly operating equipment before; however, I have no need to fear. My dormitory window is a scant four feet above ground.

Matthew Hunt

------------------------------

Date: 07 Sep 95 00:48:22 EDT
From: David Kennedy <76702.3557@compuserve.com>
Subject: Another Phony ATM

Courtesy of Executive News Service on CompuServe, 5 Sept 1995

>> CROOKS NETTED THOUSANDS FROM FAKE CASH MACHINE COURT
>> By Melvyn Howe, PA News
>> A gang of fraudsters chalked up a criminal first when they installed a
>> bogus High Street cash point machine, a court heard today.
>> The highly convincing piece of equipment, set in front of a fake
>> mortgage broking business, "enticed" scores of card holders to vainly
>> try to withdraw money in an enterprise that eventually netted the
>> crooks at least 120,000 pounds.

o Account numbers and PINs were recorded, and transferred by modem to the gang.
o Hit at least three locations in the London area.
o The ATM's screen apologized, "Please remove your card and try later."
  The ATM even had a notice that, if tampered with, an alarm would ring at the local police station.
o Monthly statements tipped users they had been defrauded.
o The prosecutor said the criminals had manufactured false cash cards, programmed them with the information from the fake ATM and travelled throughout the UK withdrawing money.
o One victim lost L1,500. At least 100 victims. Total losses L120,000 over five weeks.

>> He added: "As far as police are aware this is the first time that such a
>> particular kind of fraud has been perpetrated in this country."

o Three arrested. One has cut a plea bargain, two have plead innocent.

>> The court heard an enormous amount of detailed planning went into the
>> fraud. (The prosecutor) claimed a "front" company was used to buy
>> parts for the bogus cashpoint machine.

A shop was then rented and a sign put up outside stating: "Hambro UK. Mortgages, design mortgages, pensions. Halifax appointed representative". Office furniture was installed and flowers and pot plants used to provide a further convincing touch.

>> A genuine Halifax Building Society branch nearby received many
>> complaints that its other cashpoint machine was not working, and
>> in some cases even keeping the cards. Staff investigated, immediately
>> realised what was going on and called in the police ...

Dave Kennedy [CISSP] Vol SysOp Nat'l Comp Security Assoc Forum on CompuServe

------------------------------

Date: 11 Sep 1995 19:39:18 GMT
From: Bertrand Meyer
Subject: Initiative for better Usenet discussions

This initiative has been out for a while but it only now occurred to me that it is in the subject matter for comp.risks. Endless newsgroup discussions and flame wars are certainly a computer risk; yet the potential of News (as forums such as this one have demonstrated) is great and it is a pity to see it wasted.

To see if I can help improve the situation I have started a modest program called SELF-DISCIPLINE.
In keeping with the spirit of the program, which is to maximize signal and minimize noise, I will not describe SELF-DISCIPLINE here, but just give the pointer to the Web page that presents it:

  http://www.eiffel.com/discipline

Please refer to that document (also available in Postscript at ftp://ftp.eiffel.com/pub/discipline) if you want to know more. If you have any comment you may send it to the mailing list (a first iteration towards a potential newsgroup mentioned in the document), although once again the idea is not to generate more meta-noise.

Also, I would appreciate if the moderator could in this case leave the message's signature as it is actually part of the message. Thanks.

Bertrand Meyer, ISE Inc., Santa Barbara (California) - Web home page: http://www.eiffel.com

------------------------------

Date: Sat, 9 Sep 1995 21:56:37 -0700
From: "Rob Slade"@csl.sri.com
Subject: "Building Internet Firewalls" by Chapman/Zwicky

[I received a draft copy of this, so some details either aren't available or might have changed. Last word I had from the publisher, this is due for release on Tuesday - rms]

BKBUINFI.RVW 950712

"Building Internet Firewalls", Chapman/Zwicky, 1995, 1-56592-124-0
%A Brent Chapman
%A Elizabeth Zwicky
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 1995
%G 1-56592-124-0
%I O'Reilly & Associates, Inc.
%O 800-998-9938 707-829-0515 fax: 707-829-0104 nuts@ora.com
%O 519-283-6332 800-528-9994 rick.brown@onlinesys.com
%T "Building Internet Firewalls"

Cheswick and Bellovin's "Firewalls and Internet Security" (cf. BKFRINSC.RVW) will continue to be seen as the classic reference with the seriously technical crowd. Chapman and Zwicky, however, have here created the first reference for the more normal run of system administrators: those whose lives do not revolve around hacking the UNIX kernel.

Part one could almost stand as a separate book, itself. It is an introduction to firewalls.
More, it is a very down-to-earth and practical guide to evaluating security needs and planning for security systems and practices. The writing is completely clear, and the explanations first-rate. Chapter four, on firewall architectures, is a perfect introduction for the manager who, while not having a technical background, must lead or administer a security project.

Part two gets into more technical details of firewall construction and the communications needs for Internet services. The writing, though, is still clear and easily accessible to any intelligent reader.

Part three covers maintenance and administrative work. Appendices list information and software resources as well as a brief introduction to TCP/IP basics.

This is the first book that truly explains, to the non-specialist, the various factors and functions involved in firewall choice and construction. For those building their own and for those evaluating vendor proposals, this book is a must.

copyright Robert M. Slade, 1995 BKBUINFI.RVW 950712

Vancouver Institute for Research into User Security Canada V7K 2G6
ROBERTS@decus.ca Robert_Slade@sfu.ca Rob_Slade@mindlink.bc.ca

------------------------------

Date: Mon, 11 Sep 1995 19:37:49 -0400
From: "Robert I. Eachus"
Subject: Re: Voting by Phone in the Netherlands (PAT, RISKS-17.33)

The TELECOM Digest's Editor wrote:

> They'll hear none of it ... which is odd, [...] PAT

Not odd at all. The editor answered his own question. There are many people in office today who know they got there due to fraudulent voting practices. (No reason to name names, but there are still two seats in the US House of Representatives being contested due to fraud, and one state governorship from last year's elections.) There have been many such "elected officials" in the past, and there will be more in the future.
So there are two types of voting systems, those that work privately and without risk of fraud, and those where fraud is impossible to prove in hindsight, and often impossible to stop on the spot. There are very, very few of the former in use anywhere in the world, mostly in uncontested elections to corporate boards of directors. :-( If we really want trustworthy voting systems, someone other than the politicians will have to impose them.

And now to relate this to comp.risks. It is getting to be much harder to cheat. Exit polls and computer based vote projections can show where the votes were diddled and by how much. There have been many incidents around the world where the incumbents resorted to force when massive fraud was revealed by exit polling, international observers, etc.

In some cases, like the Philippines, where Cory Aquino was declared the winner in the exit polls and the streets, and the official vote tallies ignored, the net effect has been beneficial. But in many other cases the result has been years of bloodshed. Some leaders have even started wars to avoid (or win) elections they couldn't win otherwise. (No, not Maggie, the Argentinian Generals. Margaret Thatcher just called an immediate election once the war was over because she was well ahead in the polls.)

If we don't insist that the quality of the actual voting procedures be at least as trustworthy as the widely available means for predicting the results, all we will be encouraging is further bloodshed. (And we also need to insist on a diversity of sources of predictions.)

Right now the polls you see and hear in the news before elections have an expected error of 3 to 6 per cent. The results of exit polls are much more accurate, usually in the 1/2 to 1 per cent range. This has resulted in a strange marriage of convenience with a single organization doing almost all the exit polls and vote tabulations in the US, with the TV networks and the politicians as customers.
(The different networks base their own projections on the same data. There have been lawsuits by smaller parties because their results have not been included in the published data.)

Robert I. Eachus

------------------------------

Date: Fri, 08 Sep 1995 19:35:56 EST
From: "Rob Slade"
Subject: 'Tis too a virus! (PGN comment, RISKS-17.33)

Hey, you're impuning my reputation, puny though it may be!

We've been thrashing this out in some of the private virus discussion groups, and it is too a virus! Read an infected Word doc, and it infects your Word macro space. It writes itself (OK, selves, seeing as how it has various parts) to the NORMAL.DOT file, and gets stored between sessions. Once the macro space has been infected, any files saved with the FileSaveAs function are infected themselves.

Send somebody an E-mail message over the MSN, and in one mouse click, they download, invoke Word, open the message and infect themselves, without ever having their fingers leave the rodent.

[Thanks for the correction. At least I was not imPUNing it! PGN]

------------------------------

Date: Fri, 8 Sep 95 21:08:54 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: 'Tis too a virus! (PGN comment, RISKS-17.33)

Must disagree. Within its target environment (default WORD 6.0 or better), it satisfies the difference between a "trojan horse" and a "virus" in that it is able to propagate.

Such an AutoOpen macro could be a trojan, but in this easy-to-block case (and both of MS's fixes, WD1215 and the later one whose number I forget seem to target this virus specifically - have looked at 1215 but not the other so caveat y'all).

I would be surprised if this is anything more than a "15 minutes of fame" but does point out the value of turning the default "do anything you want without notice" off. ("Prompt to save Normal" & "DisableAutoMacros" are good starting points - of course if you disable these, the MS "fix" won't work...
BTW, essentially this is traceable to ANSI bombs and programmable PF keys on the VT-100 (had to put the sequence in a companion .com (DCL) but have seen it done) so capability dates back at least to the late 1970's. Same thing would work on a uVax as well as a 780 so guess that made it "cross-platform". And then there was the VT-103...

Padgett

------------------------------

Date: Fri, 8 Sep 1995 23:35:24 -0400 (EDT)
From: Kenneth Albanowski
Subject: 'Tis too a virus! (PGN comment, RISKS-17.33)

...

Quoting a bit from Gene Spafford's mention of the "virus" on VIRUS-L:

> The virus adds several new macros to the global macro pool: "AAAZA0",
> "AAAZFS", "Payload" and one entitled "FileSaveAs". The virus is
> activated in an infected file when you choose the "Save As" feature in
> the "File" menu and the virus macro is run. The altered macros are
> then saved with the file, and may be saved in the global template file
> as well.

If it stores itself in the global template file, then it can be loaded every time Word starts. Hence, it has "infected" Word, and can cause any documents saved ("FileSaveAs") to carry the "virus", which will then execute the viral loader if these documents are loaded in another copy of Word.

This seems to make a good case for being a virus: infection of a host and the ability to reproduce toward the goal of infecting other hosts.

Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Sun, 10 Sep 95 23:58:56 EDT
From: carrot!wfl@uu2.psi.com (W. F. Linke)
Subject: Re: $95000 withdrawn from bank (Alan Wexelblat, RISKS-17.32)

I was quite distressed to read the article in the RISKS-17.32 by Alan Wexelblat about a man (Combs) who deposited a fake check for $95000 and withdrew the money. Clearly, the system failures in the case are worth discussing. But I wonder how many readers were taken aback as I was by the amoral slant to the article?
On the face of it, Combs appears no more than a common thief, and the only "service" I can imagine the bank owes to him is to have him arrested for passing bad checks. Regardless of any legal quirks, or how the bank treated him, the test is simple: did he knowingly take money not belonging to him, and keep it? If so, morally he is a thief, regardless of what a lawyer might make of it.

Bill Linke bill@wflco.com

------------------------------

Date: Sat, 09 Sep 95 21:10:00 -0500
From: bruce.limber@rime.com (BRUCE LIMBER)
Subject: Re: Self-disabling software

Concerning the ban on self-disabling software, two questions occur to me:

- I wonder how often such software uses a simplistic, date-driven algorithm that is triggered if an operator mistypes the system date. And using other measures (such as total number of invocations) could lead to wildly differing period-'til-disablement values for different users, according to their work habits.

- It occurs to me that it might be argued that buggy software is itself a form of self-disablement. I wonder how hard a good lawyer would have to work to argue that this law makes software with non-trivial bugs illegal _per se_.

------------------------------

Date: Mon, 11 Sep 95 13:51:09 EDT
From: blakley@VNET.IBM.COM
Subject: Re: Password cracking 'improves' security (Booth, RISKS-17.33)

While I don't know anything about this particular program, I did hear recently about a program with similar functions. The following may be apocryphal, as I have not been able to verify details and did not hear the story from anyone who claimed to have experienced it firsthand.

The marketers of the alleged program found an interesting problem: it worked so fast that it destroyed users' confidence in the security of their passwords, with the result that they just turned them off and didn't buy any more copies of the password recovery program.
The reported marketing response was ingenious: the program's developer inserted a no-op loop into the password-recovery process so that instead of taking about a second, it took several minutes. This made it look like the program was doing something hard; the users liked the modified program much better and didn't lose confidence in the built-in "security" of their applications.

As Laurie Anderson might say, "Hmmmmm".

[Based on the net address and RISKS-15.41, I must presume that the unidentified author Blakley is G.R. (Bob) Blakley III, not Bob Blakley, Jr. or Bob Blakley, and not Jim Blakley, who is also a RISKS reader. But what would Loni Anderson say? And no jokes about Reynolds numbers, please. PGN]

------------------------------

Date: 11 Sep 1995 02:56:48 GMT
From: jones@pyrite.cs.uiowa.edu (Douglas W. Jones)
Subject: Re: Password cracking 'improves' security (Booth, RISKS-17.33)

Duncan Booth posted a note about a product called WDPass that claims to crack passwords for a number of products.

I suspect that, by reducing the risk of lost passwords, this would indeed increase the likelihood that careless users would use password protection, and the increased use of passwords would improve security in the face of casual browsing and similar common but low-level threats.

At the same time, the product clearly exposes the well known (at least in technical circles) triviality of the password protection schemes used on many common products.

> The program claims to work for a variety of Wordperfect, Microsoft, Lotus
> and Borland file formats.

If the product works against the password protection scheme used by Lotus Ami Pro, I want to hear about it. That scheme is one I invented, and the last I heard, it was still pretty strong. Has someone found a better than brute force attack for it?
Doug Jones jones@cs.uiowa.edu

------------------------------

Date: Fri, 8 Sep 1995 20:40:59 -0600
From: Bear Giles
Subject: Re: Password cracking 'improves' security (Booth, RISKS-17.33)

You're assuming that everyone will realize this product exists. A knowledgeable attacker would not be deterred by the encryption features of existing software, but it might be enough to deter a casual attacker. But at the same time management might downplay the encryption features from fear of a subordinate trying to "hide" crucial information.

>the risk is that out there are some senior executives gullible enough to
>think that this allows them to rely entirely on password protection of
>documents instead of more traditional locks and keys.

Alas, many environments don't even have those "traditional locks and keys." Oh, the offices will be locked at night and care will be applied when deciding which employees get keys... but then they'll have minimum wage temp employees come in to remove the trash.

In this case the _only_ effective protection in place might be the encryption provided by those packages. A knowledgeable attacker will be prepared, but it might be enough to stump a compromised custodial staff member.

Bear Giles bear@cs.colorado.edu

------------------------------

Date: 6 September 1995 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...]
DIRECT REQUESTS to (majordomo) with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
  INFO [for further information]

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored.
Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks

RISKS ARCHIVES: "ftp unix.sri.com login anonymous [YourNetAddress] cd risks or cwd risks, depending on your particular FTP. [...]
[Back issues are in the subdirectory corresponding to the volume number.]
Individual issues can be accessed using a URL of the form
  http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
  ftp://unix.sri.com/risks [if your browser accepts URLs.]

------------------------------

End of RISKS-FORUM Digest 17.34
************************