12-May-87 22:33:42-PDT,15794;000000000000 Mail-From: NEUMANN created at 12-May-87 22:32:02 Date: Tue 12 May 87 22:32:02-PDT From: Peter G. (coordinator) Neumann Subject: RISKS DIGEST 4.84 Sender: NEUMANN@CSL.SRI.COM To: RISKS-LIST@CSL.SRI.COM RISKS-LIST: RISKS-FORUM Digest Tuesday, 12 May 1987 Volume 4 : Issue 84 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: [Some redundancy. Exhibits spectrum of responses.] Re: Information Age Commission (Herb Lin, Richard Cowan, Bob Estell, David LaGrone, Michael Wagner) Re: Information Age Commission; Summer Courses at UCF (William Brown III) Re: A password-breaking program (Dean Pentcheff, Jerry Saltzer, Dave Curry) Re: Computer thefts (Michael Wagner) Re: Computer-related Cadillac recall (Jeffrey R Kell) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM) (Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. MAXj: Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.) ---------------------------------------------------------------------- Date: Tue, 12 May 1987 22:45 EDT From: LIN@XX.LCS.MIT.EDU To: "Peter G. Neumann" Cc: RISKS@CSL.SRI.COM Subject: Information Age Commission legislation in the works? [Side note to Herb Lin: Herb, have you ever shown Senators Nunn and Lautenberg copies of OUR RISKS Forum??? Are we retarding (or retarded?) PGN] No. I work on the House side, rather than the Senate. I have suggested various points of contact in the House to people on software related issues, though. In response to another question, In general, I would not have qualms about showing a hard copy of RISKS to anyone, since it is a public forum. In fact, I would bet that Lautenberg probably has access to RISKS himself if he wants it, since he owns a large DP company. [On your first paragraph, I was naively assuming that House and Senate people -- particularly at the staff level -- might actually speak with one another now and then... PGN] ------------------------------ Date: Tue 12 May 87 22:31:37-EDT From: Richard A. Cowan Subject: Re: RISKS information sharing To: TMPLee@DOCKMASTER.ARPA, risks@CSL.SRI.COM Given that the RISKS digest is distributed to hundreds, or even thousands of people on a computer network that is funded, for the most part, with public funds, I think contributors should consider their messages to be public. Certainly, the messages sent on RISKS can be monitored secretly by government intelligence organizations; I would think that it would be less of a concern if those messages were monitored by Congress. As for the prospect that RISKS submissions might appear in the Congressional Record, I would doubt it. Quotes attributed to individuals must be documented, and I would guess that the electronic medium does not provide sufficient proof of the authenticity of a message. This is just a guess from personal experience; I sent a letter to Proxmire's office last year on computers and Star Wars, and I was asked a week later to send a SECOND letter giving them permission to use my letter in congressional testimony. Rich ------------------------------ Date: 12 May 87 08:18:00 GMT+492:48 From: "ESTELL ROBERT G" Subject: Risk of contributing to RISKS To: "risks" I've always assumed that "someone up there" [in DC] was probably reading everything we share on ALL the journals on ARPANET and its cousins [DDN, EDU, COM, etc.]. I think that's a fair condition of use of a resource that's funded by public taxes. Indeed, I've often HOPED that Washington [and other] government leaders in each branch, especially in several agencies of the Executive branch, read some of these journals - and then thought about what they've read. I think Ted Lee's concern is common enough; I know I've often rewritten submissions, trying to "walk on eggs" to share a truth [as I see it] that others [including perhaps my colleagues in DoD] may find unpleasant. That's why so many of my notes end with a caveat: "The opinions herein are mine alone, and may not be shared by any other person or organization, real or imaginary." The other side of this concern is that often some frustration shows through in submissions to RISKS [and Arms-D, et al]; because the writers have tried to share some knowledge or wisdom, and have been ignored. So, just when we think we're only "among friends" is the very time that "big brother" decides to pay attention. Murphy predicted that. I've often said that "The ears have walls, and the walls have ears." Bob ------------------------------ Date: Tue, 12 May 87 08:15 CDT From: David LaGrone Subject: Distribution of RISKS Digest to Congress To: NEUMANN@CSL.SRI.COM ReSent-To: RISKS@CSL.SRI.COM I vote "DO IT!!". God only knows (and s/he isn't sure) who gets copies of computer bulletin board material, anyway. Besides, I think that the purpose and intent of THIS digest is right-hearted enough for distribution to whomever would benefit from its contents. And I would hope the purpose and intent of the contributors is equally right-hearted. ...Regards...David LaGrone [Disclaimer: The opinions expressed by me are mine and not necessarily those of Texas Instruments, Inc., its other employees, their families, relatives, friends, business associates, my relatives, my friends, or anyone else I know or have ever heard of.] ------------------------------ Date: Tue, 12 May 87 17:55 CET To: RISKS@CSL.SRI.COM From: Michael Wagner +49 228 303 245 Subject: Re: Information Commission (RISKS-4.83) In issue 4.83 of RISKS, JPAnderson@DOCKMASTER.ARPA wrote > ... an uniformed, shoot-from-the-hip press. ^^^^^^^^^ This got by the (usually good) editorial pen of the moderator. I assume that the intended word was 'uninformed'. I was long into the next sentence before I realized that I had a parsing problem. While 'uniformed' is a word, I don't really know what a 'uniformed press' would be. The hint I used to correct my misunderstanding of this phrase was a pronunciation clue. If the author had intended to write "uniformed", he probably would have written 'a uniformed ... press' rather than 'an ...'. At least, that's how a Canadian (me) would say it. Now how would you teach a spelling checker that? Michael [Not Canadian, but California English? -- "(me) would say it", "him and her are going", etc. I won't press the point -- or any uniforms, either -- because I know the press is not uniform. PGN] ------------------------------ Date: Tue, 12 May 87 17:56 PDT From: Wm Brown III Subject: Information Age Commission; Summer Courses at UCF To: "Peter G. (coordinator) Neumann" In response to Ted Lee and Jim Anderson, I think it is inevitable that the government will sooner or later promulgate regulations for our industry; it is the basic nature of governments to do so. The more important questions are which branch(es) of government, what kind of regulations, etc. Personally, I'd rather see an open body such as Congress writing the rules, rather than some alphabet soup department (IRS, NSA, FBI) that would be much harder to fight. Congress at least listens to all sorts of inputs, including individuals, companies, PACs, and expert testimony. An agency generally writes rules to suit its own ends, and has lots of ways to discourage inputs that serve other interests. There are some potentially useful things government *could* do for us, such as making net hacking and unauthorized disclosure of personal files criminal offenses or making liability limitations reasonable and predictable. We also need friends to help control the (mis)use of computers by government agencies, particularly in the area of law enforcement. Left to their own, I'm certain that some enforcement types would love to create a big-brother situation by creating huge databases with no controls on their access. The only body which can realistically offer protection against such abuses is a more powerful government agency, such as Congress. If this forum can be used as a vehicle to enlighten our lawmakers, even to the minimal extent of making them aware of that the issues exist, I am all in favor of sending each congressperson a gift subscription to every issue. When topics like computer privacy and liability become the issue of the day (and they will, probably through some scandal or major screw-up), those of us outside of government will need all of the connections and communications channels we can find to make ourselves heard. = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Regarding Mark Becker on summer course registration at U. of Central Florida: When I was attending the same institution (it was then Florida Technological U) about ten years ago, the first night of registration one quarter turned into a fiasco because it took *MINUTES* for the computer system to process each registration form. As it turned out, their new registration software had been brought on line without any live testing whatever. The killer was that the program had been developed using an ordinary job control card with relatively low priority. Nobody thought to bump the priority level up when it came time to run live students (thousands of us) through the system, so the program was still running as a background task. To make matters worse, it turned out that the accounting department was running a massive batch job at that time of the evening, and they *HAD* thought to give their job the highest system priority they could get. ------------------------------ Date: Tue, 12 May 87 13:42:19 PDT To: RISKS@csl.sri.com Subject: A password-breaking program From: dean%violet.Berkeley.EDU@BERKELEY.EDU (Dean Pentcheff) Excerpt of an article I posted to RISKS: >A few days ago on our university UNIX system (4.3BSD), a friend of mine >received the message reprinted below. Very briefly, someone seems to >have cracked the passwords in the "passwd" file ... PGN's reply: > [I thought using the SALT offset was standard by now! Ho hum, > another lesson ignored. So, we run it ONE MORE TIME here. PGN] Bad news, I'm afraid: we _do_ use the salt offset. That's one reason I thought the incident interesting enough to post. ------------------------------ Date: Tue, 12 May 87 10:46:45 EDT To: Peter G. (coordinator) Neumann Subject: Password attacks (RISKS-4.83) From: Jerome H. Saltzer Unless I missed something, the SALT offset doesn't help against the attack this guy was hit with. It just slows things down, but not enough to make it infeasible. The attack consists of taking a copy of the system's one-way password encrypting program, and a dictionary, list of popular first names, list of names of rock groups, or whatever, and encrypting every string in the list, using the SALT of the first user. Then you do it again for the second user. Etc. Depending on the consciousness level of the installation, you typically discover anywhere from 10% to 90% of the passwords that way. We run the program on our staff occasionally, just to keep them on their toes. These days, if you have a MicroVAX II available -- or a VAX 8600 -- and one of the better DES implementations, you can check out an astonishing number of BSD UNIX possibilities overnight. Jerry [The problem is that the SALT for each user is implicitly available to the attacker, so that individualized attacks are still possible -- although the system-wide dictionary attack is no longer available. The conclusion is that this approach is not really worth its SALT. For those of you new to this one, dig up the paper "UNIX Password Security: A Case History", by Bob Morris and Ken Thompson, CACM, November 1979, vol 22, no 11, pp. 594-597. PGN] ------------------------------ Date: Tue, 12 May 87 08:18:27 EST From: davy@ee.ecn.purdue.edu (Dave Curry) To: risks@csl.sri.com Subject: Re: password cracking Before this starts a flurry of speculation about whether or not the UNIX password encryption is secure or not... I seriously doubt that this person has actually *cracked* the algorithm. If you examine the code, you will see how truly difficult that would be, since much of the information you need is discarded and not present in the encrypted result. > As an experiment, and something of an unofficial public service, I > have been experimenting with a password breaking program that was > recently released into the public domain... This sounds very much like a program I wrote a few years ago to check for "stupid" passwords on our machines. My program simply made some educated guesses on passwords - first name forwards, backwards, capitalized, not capitalized... last name the same way... login name the same way. In all a total of 12 guesses per account. In one night's processing time on our Gould PN9080, I got about 480/10,000 a real word. [...] --Dave Curry ------------------------------ Date: Tue, 12 May 87 18:21 CET To: RISKS@CSL.SRI.COM From: Michael Wagner +49 228 303 245 Subject: Re: Computer thefts (Jerome H. Saltzer, RISKS-4.83) At University of Toronto, where I used to work, we convinced our terminal vendor to supply us with special terminals for public terminal clusters. These terminals had bolts, built into the base, that were intended to bolt through the terminal table. Once attached, the bolts could not be removed with standard tools. Neither could the terminal be opened to remove the bolts that way. It helped, although I gather there were still some terminals that walked away. I think that, at least in some cases, the table went too. After all, it was a nice terminal table! Michael ------------------------------ Date: Tue, 12 May 87 10:41:05 EDT From: Jeffrey R Kell Subject: Computer-related Cadillac recall (RISKS-4.81) To: RISKS@CSL.SRI.COM This incident (and many others) represents one excellent reason why some systems are best left 'low-tech'. Headlights can burn out, electrical systems fail, batteries die, alternators short, switches malfunction, and so forth. Adding a computer into the chain only adds another item which can possibly fail WITHOUT providing any greater reliability in the process; in perfect working order it is STILL prone to previous faults PLUS the possibility of hardware/software/RFI/etc. failures. ------------------------------ End of RISKS-FORUM Digest ************************ -------