12-May-87 00:27:30-PDT,15012;000000000000
Mail-From: NEUMANN created at 12-May-87 00:26:13
Date: Tue 12 May 87 00:26:13-PDT
From: Peter G. (coordinator) Neumann
Subject: RISKS DIGEST 4.83
Sender: NEUMANN@CSL.SRI.COM
To: risks-list@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest   Tuesday, 12 May 1987   Volume 4 : Issue 83

        FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Risks of sharing RISKS (Ted Lee)
  Information Commission (Jim Anderson)
  ``How a Computer Hacker Raided the Customs Service'' (Michael Melliar-Smith)
  Computer thefts (Jerry Saltzer)
  Bomb Detection by Nuclear Radiation (Michael Newbery)
  Computer floods summer course registration at U. of Central Florida
    (Mark Becker)
  A password-breaking program (Dean Pentcheff)
  Sidelight on the Marconi Deaths (Lindsay F. Marshall)
  Software Reliability book by Musa, Iannino and Okumoto (Dave Benson)
  "The Whistle Blower" (Jeff Mogul, via Jon Jacky)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.
MAXj: Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date: Mon, 11 May 87 10:39 EDT
From: TMPLee@DOCKMASTER.ARPA
Subject: Risks of sharing RISKS
To: Risks@CSL.SRI.COM

In the last issue PGN asked if someone had shown previous issues of RISKS to
a couple of senators drafting legislation.  This treads on the boundary of
inappropriate and risky in itself use of this medium.  It is generally
understood, I thought, that this kind of forum is private to its readers,
although the larger the subscriber list the harder it is to maintain that
fiction.
Although I don't contribute much here, had I known there was a likelihood that
what I wrote might end up in the Congressional Record I'm not sure I would
have contributed it -- how do others think, or can our moderator state what
he thinks the policy is?

Ted

   [Interesting question.  We agreed way back in Volume 1 or 2 that material
   in RISKS was open for noncommercial redistribution, as long as that did
   not violate any explicitly stated caveats or copyright limitations.  It is
   important to keep RISKS informal and unencumbered by red tape.  Besides,
   IDEAS HAVE NO BOUNDARIES (except in closed minds).  One of the main
   purposes of RISKS is to disseminate ideas and awareness.  My question to
   Herb (who is on leave from MIT, deeply embroiled in the legislative
   process) was sort of a bemused wonderment as to whether the proposed
   legislation had in any way been influenced by the existence of the RISKS
   Forum, since some of the goals are quite similar...  PGN]

------------------------------

Date: Mon, 11 May 87 17:36 EDT
From: JPAnderson@DOCKMASTER.ARPA
Subject: Information Commission
To: Neumann@CSL.SRI.COM
ReSent-To: RISKS@CSL.SRI.COM

Peter,

I am sorely troubled by the prospect of our Congress providing 'oversight' or
whatever it is they do down there to our industry.  Even in areas where they
have a clear mission and even one might expect some expertise, the attention
span of the Congress is measured in microseconds between headlines.

You will recall that last year, the Congress created and then jumped on the
bandwagon of war on drugs.  To my local knowledge, there has been no *action*
in that war since.  [I do recall the House passing a bill calling for some
$400 Million to be spent on that war, but was saved from any notion of
accountability by the Gramm-Rudman act or some such.]

I really do worry about the grandstanding that such a commission would
engender, and the sycophantic interaction between the congresspeople and an
uninformed, shoot-from-the-hip press.  Really a bad idea.
Cheers, Jim

   [I noted in my comments that there are many pitfalls in the proposed
   legislation.  But, an implication of what you say is very depressing: the
   difficulties of government are so great that meaningful oversight is
   almost impossible anyway.  The fox shouldn't watch the chickens; the
   chickens can't watch the chickens; even the computers can't be trusted to
   watch the chickens.  So what do we do -- throw out the chickens with the
   egg water?  PGN]

------------------------------

Date: Tue 12 May 87 00:10:54-PDT
From: Peter G. Neumann
Subject: ``How a Computer Hacker Raided the Customs Service''
To: RISKS@CSL.SRI.COM

Last year two radar-equipped planes that had been promised to Customs were
given to the Coast Guard instead as a result of late-night Senate actions on
the federal budget.  Customs Commissioner William von Raab then promised
Coast Guard Commandant Paul A. Yost Jr. that Customs would provide $8M in
reparations to help the CG's airborne drug interdiction problem.  But Senator
Dennis DeConcini (D-AZ) told von Raab not to transfer the money, and to wait
for the appropriations process instead.  The Coast Guard decided to act on
its own.  Somehow acquiring Customs' computer account numbers, they simply
caused $8M to be transferred from the Customs account to the CG account.  To
make a long story short, there were protests from Customs, and just as
mysteriously as the money disappeared, it reappeared (although in two
increments).

   [I adapted this from the Washington Post National Weekly, 18 May 87, p.34,
   thanks to Michael Melliar-Smith.  Perhaps the HACKER was really a Coast
   Guard CUTTER (or was he a CONS CAR'd CDR (LISPing to starboard?)  Just
   think what could be done in reprogramming government funds!  PGN]

------------------------------

Date: Mon, 11 May 87 11:21:38 EDT
To: Peter G. (coordinator) Neumann
Subject: Computer thefts (re: RISKS-4.82)
From: Jerome H. Saltzer

At Project Athena for some time we've been trying to convince our vendors
that if they hope to sell personal workstations worth $2K or more to students
they are going to have to include in the physical design a top-to-bottom hole
that penetrates the major box covers and the mother board, suitable for
dropping a bicycle lock through, so that the machine can be chained to a
dorm-room or apartment radiator, or a desk in an office.  The reaction so far
has been uproarious laughter (and several reports of newly-designed compact
workstations stolen from one of the vendors).

Jerry

------------------------------

From: ubc-vision!calgary!vuwcomp!newbery@seismo.CSS.GOV (Michael Newbery)
Subject: Bomb Detection by Nuclear Radiation (RISKS-4.79)
Date: 11 May 87 02:22:08 GMT

Some years ago, the Ariadne column in New Scientist proposed a novel and, as
usual (?), unworkable (??) bomb 'detector'.  You zap your 'bomb' with
radiation of a flavour selectively absorbed by Mercury (but not otherwise
strong enough to hurt).  The Mercury gets a little agitated by this and, if
it happens to be part of Fulminate of Mercury, an explosion occurs.  So, you
just march your passengers and their luggage, one at a time, down a
bomb-proof tunnel and if they DON'T go boom, let them on board.  Even if they
do have explosives/bullets they can't set them off without a detonator.
Unless they use Lead Azide.  Or carry little bottles of nitro-glycerine,
or...

Michael Newbery, Comp Sci, Victoria Univ, Wellington, New Zealand
ACSnet: newbery@vuwcomp.nz   UUCP: {ubc-vision,alberta}!calgary!vuwcomp!newbery

   [All kidding azide, this is another of our classical unsolvable problems.
   Technology cannot provide 100% guarantees.  It also transforms the
   technology it is trying to protect against.  Heisenberg strikes again,
   with a longer time constant.  PGN]

------------------------------

Date: Mon 11 May 87 22:59:41-EDT
From: "Mark Becker"
Subject: Computer floods summer course registration at U. of Central Florida
To: RISKS@CSL.SRI.COM

"SNAFU ENDS HAPPILY AT UCF AS STUDENTS GET EVERY CLASS THEY WANTED"
by Laura Ost, The Orlando Sentinel, Saturday, May 9, 1987, Page D-3
[Reproduced with permission]

Thanks to a computer snafu, a nightmare for University of Central Florida
students has turned into a dream.  UCF's new computer system failed to cut
off pre-registration for summer classes as they filled.  The happy result for
students who often wait years to take required courses: They got everything
they wanted.

At first, the glitch meant that 56 courses overflowed, and 700 of 8,000
spring students who pre-registered were in danger of being tossed out of
classes they planned on.  But after discovering the problem April 24,
officials decided there was only one answer: Give them what they want.

"From the student standpoint, it turned out splendiferous," UCF spokesman
Dean McFall said Friday.

The solution was to add more than 40 class sections in education,
engineering, and arts and sciences, and to extend employment of part-time and
nine-month faculty members who want summer work.

The worst case was a speech course required for students without community
college degrees.  More than 300 signed up for three sections with a total
capacity of 84.  So, eight sections were added.

The expanded schedule is a big relief for students; some courses have had
long waiting lists, meaning that students often had to delay required
freshman courses until their senior year.  Solving the registration problems
wiped out the backlog.

"It showed us the full market for those courses," said Charlie Micarelli,
vice president for undergraduate studies.  "For the first time we could see
the number of courses needed.  It was kind of overwhelming...  So there's
nothing bad that doesn't bring out some good."

This was UCF's first use of the new computer system and the software that
operates it.
The software was developed by the Florida Board of Regents technical staff,
which uses UCF as a testing ground for the state university system.  The
malfunctioning software was repaired in time for regular registration
Wednesday, officials said.  Classes began Thursday.

Provost Richard Astro said the expanded summer schedule won't cost extra
because it eliminates the need for some classes next academic year.  He said
the university usually has enough regular staff members to cover summer
classes.

"What you don't want to do is put an ad in the paper and say, 'Anybody who
can teach, come on in'," Astro said.  "Basically what we're saying [to
regular staff] is 'Hey, do you want to work this summer?'"

------------------------------

Date: Mon, 11 May 87 21:24:45 PDT
From: dean%violet.Berkeley.EDU@berkeley.edu (Dean Pentcheff)
To: RISKS@csl.sri.com
Subject: A password-breaking program
Organization: University of California, Berkeley Department of Zoology

A few days ago on our university UNIX system (4.3BSD), a friend of mine
received the message reprinted below.  Very briefly, someone seems to have
cracked the passwords in the "passwd" file and sent a piece of warning mail
to all the users whose password he cracked.  Note that my friend's password
was a dictionary word, while mine (uncracked) was a proper name beginning
with a capital letter.

> To: xxxxxx
> Subject: A matter of security..
>
> Your password: zzzzzzz      [correctly stated]
>
> As an experiment, and something of an unofficial public service, I
> have been experimenting with a password breaking program that was
> recently released into the public domain.  Since anyone can use this
> program now, I thought I'd run it on violet's password file to see
> which passwords could be broken.  Yours was one of them.  If you're
> security conscious, or just don't like the idea of your password
> being so easily broken, then I would advise that you change it to
> a word not found in the English dictionary, or use a combination of
> upper and lower case letters.  Either of these methods will render
> your password fairly invulnerable to attack..
>
> Yyyyyyyyy Yyyyyyyy

   [I thought using the SALT offset was standard by now!  Ho hum, another
   lesson ignored.  So, we run it ONE MORE TIME here.  PGN]

------------------------------

From: "Lindsay F. Marshall"
Date: Mon, 11 May 87 16:07:33 bst
To: risks@csl.sri.com
Subject: Sidelight on the Marconi Deaths

According to one of my colleagues who has just returned from a visit to
Italy, the Marconi deaths are in all the papers, and many of his friends
were worried about him returning to the UK as his life must be at risk
because he works in Computer Science research...

------------------------------

Date: Mon, 11 May 87 11:37:09 PDT
From: Dave Benson
To: risks%csl.sri.com@RELAY.CS.NET
Subject: Software Reliability book

Software Reliability: Measurement, Prediction, Application, by J. Musa,
A. Iannino and K. Okumoto (McGraw-Hill Book Co., NY, 1987), is now available.
I cannot contain my enthusiasm for this well-organized, thoughtful,
thought-provoking, well-written, [accolades]* book.

A sample from 7.4.3 Measuring Ultrahigh Reliability, Case Study 7.1 on
Nuclear Power computer-based monitoring system:

   ...we are 95 percent certain that at least ... 3 more (failures) will
   occur at some time.  The ... failure intensity is 0.895/1000 yr (of
   computer operation) using the logarithmic Poisson model.

Yes, that's less than one software failure per millennium of operation.

The point is that these three AT&T Bell researchers have an excellent
collection of methods for measuring and predicting software reliability, and
have made these techniques easily accessible in this superb book.
------------------------------

Date: 11 May 1987 1113-PDT (Monday)
From: Jeff Mogul
To: jon@june.cs.washington.edu
Subject: "The Whistle Blower"

Stanford's on-line library catalog made short work of finding this:

   AUTHOR:    Hale, John.
   TITLE:     The whistle blower / John Hale.
   IMPRINT:   1st American ed.  New York : Atheneum, 1985, c1984.
              239 pp.; 23 cm.
   LOCATION:  PR6058.A438W5 1985: Green Stacks
   NOTES:     Item CSUG85-B26608 (Books)   Language: eng   Year: 1985

------------------------------

End of RISKS-FORUM Digest
************************