RISKS-LIST: RISKS-FORUM Digest  Sunday 1 May 1988  Volume 6 : Issue 74

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  KAL007 and Bourland's Electronic Warfare Theorem (Clifford Johnson)
  Prestel Hacking (Brian Randell)
  Uncritical acceptance of computer results (Paul L. Schauble)
  Supermarket buying habits databases (Richard Wiggins)
  Virus protection (Phil Goetz)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, ftp kl.sri.com, get stripe:risks-i.j ... . Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Sat, 30 Apr 88 10:43:57 PDT
From: Clifford Johnson
Subject: KAL007 and Bourland's Electronic Warfare Theorem

From: Steve Philipson
The article in RISKS 6.70 by Clifford Johnson sent me reeling.

The evidence in R.W.Johnson's Shootdown sent me reeling too.

To quote NTSB Part 830.1 Applicability: This part contains rules pertaining to: (a) Notification and reporting aircraft accidents and incidents and certain other occurrences in the operation of aircraft when they involve CIVIL AIRCRAFT OF THE UNITED STATES wherever they occur, or FOREIGN CIVIL AIRCRAFT WHEN SUCH EVENTS OCCUR IN THE UNITED STATES, ITS TERRITORIES OR POSSESSIONS. [emphasis added]

Besides the careful rebuttals in Shootdown, and besides the fact that the NTSB automatically began an investigation in recognition of its plain duty, the statutory definition indisputably applies. KAL007 was off course RIGHT FROM TAKEOFF - the cause of the accident happened in the U.S.A., maybe in Washington, D.C. The error was major by the time the flight left the guiding auspices of U.S.A. controllers.
I know the wording you quote was the official excuse for squelching the inquiry, but that's all it was, a lame excuse. Do you seriously contend that the NTSB has no duty to investigate why American-made planes with navigational systems that are standard might take off in the wrong direction from U.S. airfields?

Johnson refers to _Shootdown_ by R.W. Johnson, who provides "astonishing" evidence that KAL007 was on an espionage mission. This certainly is astonishing, as all other available information leads away from this conclusion.

One of the astonishing things about the evidence in Shootdown is the fact that it shows amazing failures to report key evidence in the United States press. I doubt if you can find any potentially important piece of information not covered in Shootdown, and books like Hersh's are a joke by comparison.

I understand your incredulity, because the U.S. media has all but successfully stamped out proper consideration of the evidence. There is a sort of presumption that the press would report and evaluate key evidence, and that it has kept quiet is interpreted as a sort of proof that the evidence does not exist. Indeed, you make this very argument, citing the reliability of the NYT. But the New York Times is not reliable in reporting such matters. For example, after the U-2 shootdown, it parroted Eisenhower's lying denial, although it was later learned that the editor had known about the illegal spy flights for months, without informing the readership. The disinformative disregard of KAL007 facts by the American press is noted in detail as appropriate throughout Shootdown.

What has all this to do with RISKS? If we classify a massive error as a deliberate act, we dismiss the need for investigation as to why the error occurred, and remove all possibility of discovering and/or correcting any problems. The "deliberate act" explanation is a variation on "pilot error".
If an accident is simply hand-waved away as "pilot error", we lose the opportunity to understand what in the system allowed that error to occur, and we do nothing to decrease risk and the possibility that the error will occur again.

So you think that the NTSB should have investigated the cause of KAL007's taking off in the wrong direction? Hear, hear!

The really interesting things that have come up in the investigation of this incident are the multiplicity of ways designing systems that are more safe.

No one designed a safer navigation computer because of all these theories. All of the multiplicity of theories of errors have been demonstrated to be fatally inconsistent with KAL007's course, unless one chooses to believe that the radars were all wrong. It's the inability to devise even one not incredible sequence of errors to fit the route that is of interest. And that is why my submission belonged on RISKS. There are instances in which we should point to the inadequacy of "computer/operator error" explanations, i.e. excuses, and in my opinion this is one of those instances.

Since virtually all my information is from Shootdown, I will simply refer readers to this book for further facts, and not respond further myself re KAL007. But setting this aside, I'd be interested in any other applications of Bourland's Electronic Warfare Theorem.

------------------------------

Date: Sun, 1 May 88 13:33:11 +0100
From: Brian Randell
Subject: Prestel Hacking

The most celebrated "telephone hacking" court case in Britain so far involved penetration of British Telecom's Prestel viewdata service. Legal history seemed to have been made when the perpetrators were convicted of having committed forgery! However the Appeal Court threw out the conviction, and this decision has just been finally confirmed by the House of Lords. Thus in Britain, at any rate, it seems that new laws will be needed to cope with such activities.
On April 28, the Guardian carried a lengthy article, written by one of the hackers. It is given here, in its entirety (without permission), for the editor to hack out those parts which are most likely to be of interest to the RISKS readership. [Why should PGN have a British Telecom-like monopoly on bad puns!]

Brian Randell

HACKERS LET OFF THE HOOK

Steve Gold explains what really happened in the Prestel case, resolved by the Lords last week:

"The first inkling I had that there was a world ready to be dialled up was when British Telecom installed international direct dialling in my home town, Sheffield, back in 1971. I soon discovered that you could dial certain codes and, subject to a slight deterioration in call quality, not incur any charges.

This cost me dear. In May 1975, along with several other Sheffield students, I was fined (pounds)100 for placing national and international telephone calls without payment.

Several years later, in 1983, I bought a computer. And while I was fiddling away with my Sinclair Spectrum, East Midlands Allied Press was busy negotiating with British Telecom to launch a microcomputing service on Prestel: Micronet 800. Initially the service was available to users of the Acorn BBC micro, but soon Micronet and Prestel launched a Sinclair Spectrum hard-wired modem, the Prism VTX5000. In August 1984 I bought one for (pounds) 74.95.

I was equipped to use Prestel, but Prestel was boring. While waiting to be admitted to Micronet 800, I discovered that, if you sounded plausible enough, you could gain editing rights to unrouted pages on the Prestel database. These pages were known as the Prestel Scratchpad.

A friend and I joined forces and developed a software editor for the Spectrum/VTX5000 combination and, much to Prestel's incredulity, began to use it to edit Prestel pages offline and upload them to the database. Before long, Micronet 800 hired us to edit pages on their database.
In the summer of 1984, an electronic acquaintance (we had never met) told me that he'd discovered a simple ID of ten 2s and a password (1234) which gained admission to Prestel without paying. That was Robert Schifreen, and the ID was a Mr G. Reynolds, whose profile on Prestel identified him as a member of BT staff. He was entitled to look at areas on the database not normally accessible to members of the general public.

Those pages contained the nucleus of how Prestel worked, right down to the telephone numbers of Prestel computers we'd never even heard of. One of these "development computers" had an unusual log-on frame: it welcomed modem users with, and prompted them to enter, their ID and password. It had a series of numbers on its log-on frame which both Robert and myself recognised as a Prestel ID and password. Keying in these numbers resulted in the user logging on (that is, gaining admission to the database) as the system manager.

The system manager could do things with Prestel that no other user could do. This included interrogating the user files to obtain IDs and passwords by the cartload. Thus, at the press of a few keys, the system manager could obtain information that enabled him or her to log on as any other subscriber on the system. Also, using information-provider IDs and passwords, it was possible to alter or amend pages. We had hacked Prestel at the highest level.

However, power brings responsibility, and since we were both active contributors to the Micronet database, we approached Micronet's staff to show them. Micronet duly contacted Prestel, who were made aware of the incredible loophole in their security.

Prestel strove to protect the integrity of their database. Changing everyone's ID on the database was not worthwhile, in its opinion.
Information providers - high-ranking subscribers who rented their own pages - were seen as a high risk, since anyone using their IDs and passwords (obtained using the system manager ID) could alter or delete pages at will. So within a matter of days, Prestel changed the information-provider passwords.

But they made a mistake. Instead of changing them completely, they merely transposed the access and editing passwords! Since Robert and I were editors on the system (using Micronet-supplied IDs) we were notified that our original passwords of (say) ABCD and 1234 had turned into 1234 and ABCD. After a phenomenal process of deduction, we applied the same transposition to a selection of information-provider passwords in our possession. They worked.

Fortunately for BT, information providers realised the crassness of Prestel's attempt to plug its security and changed their own passwords, thereby barring normal (but unauthorised) access to Prestel editing facilities to Robert and myself.

But amazingly, Prestel had left a trapdoor for us to use. The high-speed update ports, by which information providers could edit their pages in bulk, required only an editing password. Most information providers kept their own editing password, believing that their access passwords had been changed.

After noting a little judicious editing, Prestel was faced with the awful truth: its security division had said that the hacker problem had been resolved, yet pages were being changed again under their noses. Prestel finally changed its information-provider IDs and passwords, thereby plugging the gap.

And that seemed to be that. We had told Prestel (via Micronet) about the security lapse. We'd also had a little fun at Prestel's expense. Prestel recognised what we had done, and that we hadn't done anything stupid such as altering or deleting pages on the database. The incident passed into history, or so we thought.
During October and November, Prestel placed a telephone tap on Robert's north London home telephone line. After monitoring his activities they found he was frequently calling a Sheffield number (he was comparing notes with me). By January 1985, they thought they had enough information to prosecute us both.

Had we known about it, we would have expected a prosecution under the Theft Act - for theft of (minute amounts of) electricity. But Prestel and BT were worried about computer-hacking. IDs and passwords were being exchanged at an alarming rate. Prestel IDs (as passwords) were assuming the same level of security as train numbers. ID spotters (apprentice hackers) were hanging around on Prestel, using the message boards (chatlines) to exchange passwords.

BT logged Robert sending me an electronic mail message (using someone else's ID and password). The message contained the ID and password of that account. BT later produced that message in court as confirmation of our hacking activities. Unknown to BT (and Robert) however, I had already obtained this particular ID and password from the Prestel chatlines. I already knew that these particular details were passing around dozens of users.

Prestel had problems. Hordes of youthful users were staging multiple log-ons. One particular group even boasted of its intention to "clock" an account one weekend. Like car mileometers, Prestel accounts had a rolling tally of the charges on an account. These went up to (pounds) 9,999.99, at which point the meter would roll over to zero and start again. The chatline boasters intended continually to access chargeable areas of the database until the (pounds) 10,000 mark was broached. Such pointless activities took place often in 1985.

Prestel thought they had tracked two major hackers in Robert and myself. In fact they had latched onto two journalists who were compiling a dossier of online security breaches. The real hackers were - and are - still at large.
On Tuesday March 26, two groups of police officers and BT staff simultaneously raided my house in Sheffield and Robert's house in north London. We were both driven to Holborn police station in London and held overnight and throughout most of the following day.

It was with some amazement that I discovered in the course of my interview with Detective Inspector John Austin and BT security chief Ron Aston, that I had been arrested for hacking. Up to that point I had suspected that someone - probably an online acquaintance - had committed a major bank robbery.

We were subsequently charged with committing a number of offences contrary to the Forgery Act 1981. Forgery is, we were told, a serious offence and can carry a prison sentence of ten years. Ten years - just for breaking into Prestel, and telling them what we had done!

Rather than printing dud fivers in our kitchens we had "forged" an area of Ram (random access memory) in the Prestel computer - using our modems over the telephone line - which existed for about one fortieth of a second before being wiped clean. Could BT provide the instrument (the area of Ram) in court, the judge asked. No, since the area of Ram was ethereal. It was, in fact, an area of the program known as the user segment. Our guilt or innocence hinged on how an electronic signal was interpreted by the court.

We were convicted and fined, but the case came up for appeal in July last year. The three Appeal Court judges - presided over by Lord Justice Lane - mulled over the arguments. Several weeks later, Lord Lane announced he was quashing the conviction, calling the case a blatant attempt to mould the facts of the case to fit the scope of the Forgery Act.

I was dismayed to discover that BT had applied to take the case further, to the House of Lords. But the highest court in the land concurred with Lord Lane's decision from the Appeal Courts that, if hacking was to be considered a crime, then a change in the law was required.
We are free, but the issue remains unresolved."

------------------------------

Date: Sat Apr 30 17:04:33 1988
From: portal!cup.portal.com!Paul_L_Schauble@Sun.COM
Subject: Uncritical acceptance of computer results

My mental library of computer system risks contains an item about an experiment involving electronic calculators. The researchers assembled a group of engineering undergraduate students and gave them gimmicked calculators. These calculators would give answers that were related to the numbers entered, but which were wrong by various amounts. They then gave the students problems from their lab work to calculate. They were looking to see how far wrong the calculators could be before the students noticed problems.

As I recall the results of the experiments, they effectively never did notice. It seems that the fine art of estimating reasonable answers as a check went out with slide rules.

Now, I need a specific reference to this study. A friend is considering doing something similar to update the work to computers. I recall reading about the original sometime in the mid seventies. Can anyone help out?

------------------------------

Date: Fri, 29 Apr 88 23:22:40 EDT
From: Richard_Wiggins@um.cc.umich.edu
Subject: Supermarket buying habits databases

Stanley Quayle's report of supermarkets using Social Security Numbers to keep up with buying habits is a matter for concern, but it's probably not uniquely nefarious.

In Michigan we have driver licenses that are not based on SSN. Instead, they are a hash function on the person's name. (In fact, the same function is used by some other states; I once knew someone who moved to Michigan and was surprised to learn his driver license number remained the same.) Supermarkets that I use also perform online validation of checks.

A department store that I shop at also allows credit card customers to cash checks. When you do so, they key in the driver license number as well.
Once I noticed the clerk make a typo as she typed mine in. Before I could speak up, the register said "Approved" and she'd finished the transaction.

It seems clear that in fact the check approval process is simply querying a list of hot numbers. If your driver license number has not been added to the list, you are approved, and the transaction continues. This is a read-only transaction.

Now, clearly down the road there is cause for concern. As storage capacity gets cheaper and cheaper it might become economical for stores to keep up with this information. I've read claims that stores would like to send personalized brochures based on your buying habits. In fact, I've wondered if stores like Sears don't already do so. I assume Sears keeps mailing me its Big and Tall catalog because I occasionally order their products.

So, although I think the supermarkets have too much traffic to keep up with how many avocados each of us buys, it may only be a matter of time until they can. When they do, I don't think those of us in states that don't use SSN have any greater privacy than Ohioans.

------------------------------

Date: Sat, 30 Apr 88 16:04 EST
From:
Subject: Virus protection

Somebody (I forget who) said,

>To suggest that [write-protection] is 100% effective against a virus is to
>overstate. Studies in biology suggest that a virus can thrive even in a
>population in which a large percentage of the members are immune, if there
>is sufficient commerce among the non-immune members...
>Depending upon design of the virus, the target system and population, and the
>chosen distribution vector, the effectiveness of this mechanism against the
>spread of the virus might vary from high to none at all.

Now, think about that for 2 or 3 seconds. If you turn on your machine, write-protect all the drives, run a virus unknowingly, and turn off your machine, you will NOT be infected by any possible virus. It is IMPOSSIBLE unless you have bubble memory or FRAMs or something like that.
When you turn the machine on next, it is in the same startup configuration as before. The biology analogy is unapplicable.

Of course, if you are using your computer as a terminal, you might move a virus between accounts on a mainframe, or between different computers you dial up. But your computer is protected.

Conclusion: Write-protecting the hard drive can offer 100% protection.

Phil Goetz

[But you are assuming that between the time you "turn on your machine" and the time you write-protect all the drives that you have not already been done in. How do you know the operating system has not already been compromised? How about workstations on which files must be downloaded from a file server? How about workstations with no hard disk? In general there is no such thing as 100% protection (despite Fred Cohen saying he can detect all viruses). There are far too many vulnerabilities in most systems, with lots of security flaws and opportunities for Trojan horses that run with all of your normal privileges... "Anything you can do, I can do better," said the Trojan horse. PGN]

------------------------------

End of RISKS-FORUM Digest
************************