Mail-From: NEUMANN created at 21-May-87 22:45:36
Date: Thu 21 May 87 22:45:36-PDT
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS DIGEST 4.88
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest  Thursday, 21 May 1987  Volume 4 : Issue 88

   FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Re: Phalanx (Phil Ngai)
  Open meeting laws (Dave Parnas)
  Concerning UN*X (in)security (Mike Carlton)
  Ed Joyce, Software Bugs: A Matter of Life and Liability (Eugene Miya)
  Risks and system pre-login banners (PGN)
  Risks of Running RISKS, Cont'd. (PGN)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, nonrepetitious.  Diversity is
welcome.  (Contributions to RISKS@CSL.SRI.COM, Requests to
RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.
MAXj: Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date: Thu, 21 May 87 09:53:45 PDT
From: amdcad!phil@decwrl.DEC.COM (Phil Ngai)
To: RISKS@CSL.SRI.COM
Subject: Re: Phalanx

The Phalanx is just a radar-controlled machine gun which fires 3000 (20 mm?
nearly one inch in diameter) depleted uranium slugs per minute at anything
which moves.  Would you keep it on all the time?  No one (but you) said it
wasn't reliable.  What does appear to be wrong is that there was only one,
to cover the stern of the ship.  The bow was not protected by a Phalanx
system and that is where the (two?) Exocet missiles hit.

Then again, we should realize that frigates such as this one are intended
mostly for anti-submarine/mine work; although it did have surface-to-air
missiles which could have been used to take out the aircraft which fired the
Exocets, frigates are not really expected to provide their own air defense.
And this one was operating under the assumption that Iraqi aircraft were
friendly, so it did not shoot down the aircraft when it could have.

    [Perhaps the object was to shoot down the missiles?  Was that the
    Star Wars analogy to which Chuck was referring?  Also, there was a
    report that there might have been TWO planes.  (One missile landed
    undetonated amidship!)  PGN]

------------------------------

Date: Thu, 21 May 87 07:12:23 EDT
From: parnas%QUCIS.BITNET@wiscvm.wisc.edu
To: RISKS@CSL.SRI.COM
Subject: Open meeting laws (RISKS 4.87)

Do open meeting laws prevent public representatives from conversing in a bar
or a park or at a theatre?  Do they prevent telephone calls?  If not, why
should they prevent electronic mail conversations?

Dave

    [Even my home town of Palo Alto is going through the pains of trying
    to make sense of the legal and common-sense implications...  PGN]

------------------------------

Date: Thu, 21 May 87 13:41:45 PDT
From: carlton@ji.Berkeley.EDU (Mike Carlton)
To: risks@csl.sri.com
Subject: Concerning UN*X (in)security

I think that most people would agree that UN*X is not a secure system, nor
is it intended to be.  However, a judicious choice of password can discourage
amateur or half-hearted attacks on your account.  Several methods have been
proposed for choosing hard-to-break passwords; my favorite is simply to use
the first letter of each word of some phrase, e.g., 'The rain in Spain falls
mainly in the plain' becomes TriSfmitp.  This has the advantages that it is
not likely to appear in any dictionary, it is very mnemonic and, if the
password is long enough and rich enough in case, it will stand up to a
sustained exhaustive search.

There is another risk that I haven't seen mentioned: the use of .rhosts
files (at least it's a risk in the BSD world; I've never been in the System V
world).  Around here, quite a few people have .rhosts entries for several
machines, often including at least one Sun.  Couple this with the fact that,
given physical access, anyone can become root on a Sun and you've got
widespread vulnerability without the need for any password attack.

Mike Carlton (carlton@ji.Berkeley.EDU), CS Gradual student

------------------------------

Date: Thu, 21 May 87 13:47:06 pdt
From: Eugene Miya
To: risks@csl.sri.com
Subject: Ed Joyce, Software Bugs: A Matter of Life and Liability

Ed Joyce, Software Bugs: A Matter of Life and Liability, Datamation 33 10,
15 May 1987, pp. 88-92
[Keywords: Malfunction 54, Therac 25, dosimetry, radiation therapy].

--eugene miya

------------------------------

Date: Thu 21 May 87 20:19:10-PDT
From: Peter G. Neumann
Subject: Risks and system pre-login banners
To: RISKS@CSL.SRI.COM

RISKS recently ran an item about the lawsuit that was thrown out because a
user had been greeted with "Welcome to the system".  The following banner is
given by a net-accessible system (which might as well remain nameless), and
provides a nice example of the other end of the spectrum.

   WARNING ** WARNING ** WARNING ** WARNING ** WARNING ** WARNING

   UNAUTHORIZED ACCESS TO THIS UNITED STATES GOVERNMENT COMPUTER SYSTEM
   AND OR SOFTWARE IS PROHIBITED BY PUBLIC LAW 98-473.  PUNISHMENT FOR
   OFFENSE CAN BE UP TO $100,000 FINE OR UP TO 20 YEARS IN PRISON OR BOTH.
   REPORT UNAUTHORIZED USE OR ACCESS TO THE SYSTEM SECURITY OFFICER.

   WARNING ** WARNING ** WARNING ** WARNING ** WARNING ** WARNING

------------------------------

Date: Thu, 21 May 87 12:31:45 CDT
From: ALMSA-1 Memo Service 750 (MMDF 4/84)
Subject: Waiting mail (msg.a000284)  [Risks of Running RISKS, Cont'd.]
Sender: root@ALMSA-1.ARPA
To: NEUMANN@CSL.SRI.COM

    [As I have noted previously, in a list as large as RISKS there is an
    awesome volume of mailer barf messages.  I do try to be patient, but
    sometimes it becomes overbearing.  The implied threat here -- to keep
    retrying and send me notifications -- is horrendous!  PGN]

| After 14 days (326 hours), your message has not yet been
| fully delivered.  Attempts to deliver the message will continue
| for 178956963 more days.  No further action is required by you.
V
[********* = = = = = = = = = = = = = = = = = = = = = = = = = = = = = !!!!!]

Delivery attempts are still pending for the following address(es):

    wmartin@almsa-2 (host: almsa-2) (queue: almsab)

Problems usually are due to service interruptions at the receiving machine.
Less often, they are caused by the communication system.

------------------------------

End of RISKS-FORUM Digest
************************
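Editor's added example (not part of the digest, and not Mike Carlton's code): the phrase-initials method from the UN*X (in)security item above, written as a small script that derives the password, checks it against a word list, and estimates how many candidates an exhaustive search over the password's character classes would have to cover. The word list and the guess rate are constructed values; the 8-character cap reflects the traditional DES-based crypt(3) of the period, which only used the first eight characters of a password.

```python
"""Mnemonic passwords built from the first letter of each word of a phrase,
with a rough exhaustive-search estimate.  Added example; the dictionary and
the guess rate below are constructed, not taken from the digest."""
import math
import string

# Constructed stand-in for a password cracker's word list.
SAMPLE_DICTIONARY = {"spain", "rain", "plain", "password", "secret"}


def mnemonic_password(phrase: str) -> str:
    """First letter of each word in the phrase, case preserved."""
    return "".join(word[0] for word in phrase.split())


def in_dictionary(password: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True if the candidate, case-folded, is a plain word in the list."""
    return password.lower() in dictionary


def alphabet_size(password: str) -> int:
    """Size of the union of standard character classes the password draws on."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def search_space_bits(password: str, effective_length=None) -> float:
    """log2 of the candidates an exhaustive search must cover.

    effective_length caps the characters that count: the DES-based crypt(3)
    of the period hashed only the first 8, so a 9th character adds nothing."""
    n = len(password)
    if effective_length is not None:
        n = min(n, effective_length)
    return n * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, guesses_per_second: float,
                     effective_length=None) -> float:
    """Years to try every candidate at a given (constructed) guess rate."""
    seconds = 2 ** search_space_bits(password, effective_length) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = mnemonic_password("The rain in Spain falls mainly in the plain")
    print(pw, "in dictionary:", in_dictionary(pw))
    print("bits (full):", round(search_space_bits(pw), 1),
          "bits (crypt, 8 chars):", round(search_space_bits(pw, 8), 1))
    # 1e6 guesses/s is a constructed rate for illustration only.
    print("years at 1e6/s (8 chars):", round(years_to_exhaust(pw, 1e6, 8), 1))
```

The "rich enough in case" point in the post shows up directly in `alphabet_size`: mixing upper and lower case doubles the alphabet and adds one bit per character, while the 8-character cap shows why "long enough" had a hard ceiling on systems of that era.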
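Editor's added example (not part of the digest, and not Mike Carlton's code): an audit of the .rhosts exposure he describes. For each local account it parses the account's .rhosts file and builds the reverse map, trusted host to the set of local accounts that trust it; that set is exactly what becomes reachable without a password if someone obtains root on that host. Account names, host names and file contents below are constructed and embedded as strings so the script runs offline instead of reading home directories.

```python
"""Reverse map of .rhosts trust: which local accounts does each remote host
unlock?  Added example; the accounts, hosts and file contents are constructed."""
from collections import defaultdict

# Constructed sample: local account -> contents of ~account/.rhosts.
# A .rhosts line is "host [remote_user]"; an omitted remote_user means the
# same name as the local account.
SAMPLE_RHOSTS = {
    "alice": "sun-a.example.edu\nvax1.example.edu alice\n",
    "bob":   "sun-a.example.edu bob\n\nsun-b.example.edu\n",
    "carol": "SUN-A.example.edu\nvax1.example.edu carol\n",
    "dave":  "",  # no trust entries at all
}


def parse_rhosts(local_user, text):
    """Return [(host, remote_user), ...] for one .rhosts file.

    Blank lines are skipped; host names are case-folded because DNS
    names are case-insensitive and the same host may be spelled
    differently in different files."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        host = fields[0].lower()
        remote_user = fields[1] if len(fields) > 1 else local_user
        entries.append((host, remote_user))
    return entries


def accounts_trusting(rhosts_by_user):
    """Map each trusted host to the set of local accounts whose .rhosts
    names it.  Root on that host can become any of its users and so can
    rlogin to each of these accounts with no password."""
    trusting = defaultdict(set)
    for local_user, text in rhosts_by_user.items():
        for host, _remote_user in parse_rhosts(local_user, text):
            trusting[host].add(local_user)
    return dict(trusting)


def widely_trusted_hosts(rhosts_by_user, min_accounts):
    """Hosts whose compromise would expose at least min_accounts accounts,
    sorted by name; these are the machines to harden or to stop trusting."""
    trusting = accounts_trusting(rhosts_by_user)
    return sorted(h for h, users in trusting.items() if len(users) >= min_accounts)


if __name__ == "__main__":
    for host, users in sorted(accounts_trusting(SAMPLE_RHOSTS).items()):
        print(f"{host}: trusted by {len(users)} account(s): {', '.join(sorted(users))}")
    print("exposes 3 or more accounts:", widely_trusted_hosts(SAMPLE_RHOSTS, 3))
```

In the constructed sample, one Sun is trusted by three of four accounts, which is the situation the post describes: physical access to that single workstation, not any password guessing, is what yields the widespread exposure. On a real system the same map is built by reading each home directory's .rhosts file instead of the embedded strings.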