RISKS-LIST: RISKS-FORUM Digest  Wednesday 16 November 1988  Volume 7 : Issue 79

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Vote Count Error (Kenneth R Jongsma)
  Computer Ethics Class (Leslie Chalmers)
  Teaching "Ethics" (Eric Roskos)
  Re: NSA attempts to restrict virus information (Theodore Ts'o)
  The FBI Wants You (if you were virus-ized) (Tom Zmudzinski via Dave Curry)
  Access and authorization (Joe Morris)
  Laws of computer evidence (Barry C. Nelson)
  Call for comments on uniformity legislation for software (Conleth S. O'Connell via Alan Kaminsky)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

From: portal!cup.portal.com!Kenneth_R_Jongsma@unix.SRI.COM
Return-Path:
Subject: Vote Count Error
Date: Tue, 15-Nov-88 15:07:56 PST

The following article appeared in the local paper. I'm sure it will be the first of many to appear after the recent elections. I will try to refrain from commenting. There are so many obvious issues raised here!

Tally Error Gives Logan Clear Win
---------------------------------
(Excerpted Without Permission)

Attorney Benjamin Logan won the write-in race for Grand Rapids District Judge by 461 votes - not just 20, the Grand Rapids city clerk's office announced today after finding the error.
The computer processing system designed to handle the write-in race did not pick up the vote tallies from five precincts on the city's southeast side - Logan's strongest area. Those votes make it virtually certain that the Board of Canvassers' rulings on name variations will not change the outcome.

City Clerk Sandra Wright said no other races were affected by the computer problem. A separate computer program counted ballot cards for the other races. The system used for the write-in election was a Lotus 1-2-3 computer program developed by local staff, she said.

Tom McQuillan, director of management information systems for Grand Rapids, said the error apparently stemmed from a problem with the computer program, which ordered the computer to tally 3rd Ward votes starting with the sixth precinct, rather than the first. "It's not what we call a computer error," he said. "It's a human error."

Wright said she discovered the problem Saturday night while adding up the figures from the race manually. "I found the 3rd Ward was inconsistent," she said. "I was further able to isolate that we were not picking up tallies in Precincts 1,2,3,4 and 5."

(Explanation of Judges duties, salary, and reason for write-in contest deleted)

McQuillan said the error may have been inserted in the program after the city staff ran it through a test run. The program was (then) modified so subtotals could be released while the votes were being tallied and the original computer formulas may not have been rechecked.

("But Boss, I just need to make this minor change. It can't possibly hurt anything!")

Voters in the five precincts that had not been counted cast 604 votes for Logan and 163 votes for Christensen.

(Enough to change what was a virtual dead heat that would have had to have been decided by the Board deciding what a voter's "intent" was when they misspelled a name on the ballot, into a solid victory for Logan.)

------------------------------

Date: Tue, 15 Nov 88 15:48 EST
From: Chalmers@DOCKMASTER.ARPA
Subject: Computer Ethics Class

Regarding Bob Barger's entry, "Comments sought on proposed computer ethics course" (RISKS 7.75), I was frankly shocked at the statement "There will be no class meetings, except for the first and last sessions. Students will instead utilize electronic bulletin boards on the university's mainframe computer network to research and discuss issues."

It has been a long time since my college days and I may be hopelessly out of date on these matters, but why on earth would one conduct any class, and particularly one on ethics, without any class time? One of the problems with the computer 'hackers' of today is their isolation from others in society who might disagree with their point of view. Allowing students to 'participate' in a course via a terminal only encourages this isolation. While a majority of students might agree on what we would consider ethical behavior, some will not. It is important that such students be subjected to the direct challenge of their classmates. Group interaction is critical for this purpose.

I would further suggest that Barger make a point of including in his class, lectures by people who have suffered negative consequences from the activities of individuals who do not believe that other computer users have any rights other than those they grant themselves by building secure systems. Just as a judge recently ordered a notorious slumlord to spend time in his own buildings, people who have a belief system that condones computer hacking should be forced to face the victims of such activities.

In the case of computer ethics, there is very little that even those of us in computer security can say is *unambiguously* "right" or "wrong". There are activities which we could agree are inconvenient or destructive for other users of computer systems such as denial of service or erasure of files.
We could even come up with some empirical evidence of the consequences of these activities to prove that they are inconvenient or damaging (deadlines missed because report was erased, man-hours, excuse me, person-hours spent locating unauthorized code and purging system, etc.) But I have read quotes from 'hackers' and even some participants in this forum suggesting their firm belief that anyone who does not protect himself from hacking *deserves* what he gets. It would seem to me that one of the objectives of an ethics class should be to modify that point of view.

There are things which may be unambiguously "illegal" (though precious few), but this is not the same thing at all. As one who came of age in the '60s, I can attest to the irrelevance of the legal system to people who believe in their heart of hearts that the laws are wrong. If we '60s students had blindly accepted the notion that whatever is "illegal" is ipso facto "wrong", life would be very different today. Clearly, ethics has only a casual relationship to legality.

The purpose of an ethics course should be to convince students of the importance of a code of behavior and a social context is essential for getting that message across.

Leslie

The standard disclaimers apply.

------------------------------

Date: Wed, 16 Nov 88 16:01:14 EST
From: roskos@ida.org (Eric Roskos)
Subject: Teaching "Ethics"

> Perhaps if everyone were exposed to ethics courses, beginning in the
> early grades and continuing through computer ethics courses and business
> ethics courses, etc, then it would be clear `in the entire community
> what is and what isn't ethical behavior.'

Unfortunately, this is much more complex than it first appears; I wonder how many people who recommend "ethics courses" have ever taken an ethics course.

Henry Thoreau once observed that whenever he tried to argue rationally with someone, the person would agree with him repeatedly up until the time his final conclusion became evident, at which point the person would vehemently refuse to accept the conclusion, even though he had accepted all the premises leading to it.

This is the case with ethics. People all agree that everyone should behave "ethically," yet they refuse to agree on what precisely is ethical behavior. In an Ethics course, the most you can do is discuss ethical paradigms, which include systems of ethics in which it is entirely acceptable to engage in any activity that benefits you ("situation ethics" are an example of this). "Ethics" differs from "a specific set of ethical principles"; after all, "there is honor among thieves".

This is not to say that I advocate irresponsible behavior; and, in fact, I attended a college which had a working "honor system" and a working "code of responsibility," and think they were successful in teaching ethical behavior to the students. I just don't think that calling for "ethics classes" is going to accomplish the desired end. And I don't think there is enough agreement on what should be taught to do so.

Note, however, that the ACM has a code of ethics. Perhaps we should focus on more effectively conveying it, as I fairly often see people violate it in the RISKS digest.

Eric Roskos, IDA (roskos@CS.IDA.ORG or Roskos@DOCKMASTER.ARPA)

------------------------------

Date: Tue, 15 Nov 88 02:45:16 EST
From: Theodore Ts'o
Subject: Re: NSA attempts to restrict virus information

Steve Bellovin noted that the NSA was "exerting a great deal of pressure to have disassembler output from the virus (to say nothing of C source) available to as few people as possible...." He then went on to say that they were leaning on contacts, such as the president of the university, etc.

Before people raise their hackles and get up to call the ACLU, I'd like to make a few points:

First of all, the only incident that I know of where this happened was at Purdue, where the NCSC (the public arm of the NSA) leaned on the president to remove a copy of the disassembler output from an anonymous ftp directory. They went into hysterics when they thought that a copy of C source code of the virus had been posted to phage, a mailing list which has several hundreds of people on it, but they didn't (couldn't) do anything about it. (In actual fact, it was only a partial decompilation of the virus --- about 15-20%.) In fairness, they were probably over-reacting after the initial shock/aftermath of the virus.

If the NCSC has tried suppressing it elsewhere, I'd like to know about it --- but it seems that Steve was generalizing from only one data point. Or perhaps he got the information from the Markoff column in the NYT recently. I really think that column was badly written or perhaps badly edited --- someone apparently did not understand all of the issues involved.

Secondly, trying to limit the source code to the decompiled virus is a good thing. If it were publicly distributed, there's a chance that some person will find another security hole and just drop it into the virus ``body'' that the source code would provide. In addition, they might add some malicious code so that after 12 hours or so, would try to destroy as many files as possible. Someone might just disable the fingerd and sendmail hack; the virus might still be able to propagate far just cracking stupid password choices.

There are also legal issues: if someone releases the code, and someone uses the code to make a really damaging virus, is the person who released the code liable? Does someone want to take that risk and find out the hard way?

In addition, one of my colleagues is currently writing a paper that will describe, in detail, all of the algorithms used by the virus.
The paper will be published for general reading, and should be infinitely more useful than the actual source code. That is, there is no legitimate purpose that would require the source code over the algorithms. The only purpose for obtaining the source code itself would be to build another virus.

If a determined cracker wanted to make another virus, yes, he could use the algorithms. But as the paper will demonstrate, those algorithms weren't the best anyway, and very little will stop someone that determined. It appears that it took RTM at least a few weeks to write it from scratch --- and he knew Unix fairly well. Not releasing the source code is intended to stop the ``Freshman Twit'' who knows how to type `system("rm -rf /");` and `cc`. Unfortunately, many universities (including MIT) are connecting to the Internet, and we get a constant stream of new-comers to the Internet community --- most of them have only PC programming as their background, and no concept as to the ethics involved. Who knows what they might do?

According to a colleague who was at the ``Virus Conference'' at Washington called by the NCSC, they had agreed with our decision (which we had made before talking to them) of only distributing the algorithms and not the source code to the virus.

- Ted

------------------------------

Date: Tue, 15 Nov 88 08:12:57 -0800
From: davy@riacs.edu
Subject: The FBI Wants You (to call if you were virus-ized)

The enclosed message was sent to the TCP-IP list. As per its request to give it maximum distribution, I am forwarding it to RISKS. What with all the speculation on how the FBI is going to (try to) prosecute, it is useful for its information content as well.

I would strongly urge everyone who wasted their time cleaning up after this mess to respond.
Regardless of whether you feel Morris (or whoever) is a hero or a scumbag, it is important to note the last line of the message - if we want the FBI to help us when something truly serious happens (and you know it will...), then we had better show them we're willing to help them now. Otherwise, they may just ignore us next time since we were unwilling to cooperate.

--Dave Curry

From: TomZ@DDN1.ARPA
Subject: FBI Contact re: November Internet Virus
Date: 14 Nov 88 05:03:00 GMT

Were YOU hit by the November Internet Virus? The FBI wants to hear from you!

The Federal Bureau of Investigation is attempting to gather critical information necessary to pursue this case under the Computer Fraud and Abuse Act of 1986. (This is the statute that makes it a federal crime to penetrate a computer owned by or run on the behalf of the Government.)

The FBI Case Agent has asked the Defense Data Network Project Management Office to collect the names of organizations and Points of Contact (names and phone numbers) that were hit by the Virus. The Defense Communications Agency has established an E-Mail address for this collection at:

    INFO-VACC [at] BEAST.DDN.MIL

Points of Contact should expect to be contacted by their local FBI agents for dispositions due to the wide geographical area involved.

    I * M * P * O * R * T * A * N * T

The FBI needs this information to pursue the case. If we expect their aid in the future, we need to help them now.

PLEASE GIVE THIS MESSAGE MAXIMUM DISTRIBUTION; NOT EVERYONE IS ON "TCP-IP"!

/s/ Tom Zmudzinski, DDN Security Officer
(703) 285-5206

------------------------------

Date: Tue, 15 Nov 88 17:34:04 EST
From: Joe Morris (jcmorris@mitre.arpa)
Subject: access and authorization

In Risks 7:77 Debbus Rears comments:

> The main problem with making worms/viruses illegal is drafting the laws.
> What is authorized access? If a friend of mine on Computer "A" gives me his
> password; does that in itself give me authorized access?
> Since I am on the
> milnet I can fing, ftp anonymously, send mail to lots of computers. All of
> these actions I have implied authorization.

There seems to be a problem here in distinguishing between authority to access a facility and the authority to perform some action once the access has been successful. For example, if I am allowed to go into the stacks of a library, that does not imply that I have authorization to tear out pages from books I find there.

Most computer facilities prohibit the use of an account by anyone other than the individual to whom it was assigned. Your friend probably had no authority to give you the password, and you have no authority to use it. The fact that you can masquerade as your friend by supplying his userid and password in no way implies legality of the action.

The TAC access cards from DDN have a section which reads:

    Authorized use of the DDN is limited to the conduct of or support of government business.

So if you start a chain of events which you know will involve DDN facilities (even if you aren't directly connected to it) then your authorization is limited to activities on behalf of Uncle.

The fact that you're on MILNET means only that you (supposedly) have authority to be on MILNET. What you do once you're there is a different question.

------------------------------

Date: Tue, 15 Nov 88 20:13:55 EST
From: "Barry C. Nelson"
Subject: laws of computer evidence

How fascinating is this collision of the mathematical with the societal -- where the common law meets the computer (user)! Two recent cases in point...

Does the UK Vehicle Ident system differ much from the already-admissible credit transaction records? "By the records, something you control (car, credit/ATM card) was used at that location, so is there any proof it wasn't used by YOU?"

On another topic, the problem facing the FBI may not be so much one of finding a statute that Morris violated as being able to construct the necessary case based on acceptable (and attributable) EVIDENCE that he actually broke that law.

Rules of Evidence indicate that "any printout or other computer output readable by sight, shown to reflect the data accurately, is an 'original'" for purposes of demonstrating existence of "writings and recordings" as evidence. This implies that copying a program to another computer creates the source of another "original". If the creation and use of the first original was a crime, was creation and use of subsequent "originals" also a crime? Only some? Which?

If someone could point me to a good text on the topic, I'd appreciate it.

Barry C. Nelson

------------------------------

Date: Tue, 15 Nov 88 09:51:10 EST
From: ark%hoder@CS.RIT.EDU
Subject: Call for comments on uniformity legislation for software

[The message below recently appeared in the Usenet comp.software-eng newsgroup. Since I think it will be interesting to RISKS participants I have submitted it verbatim. -Alan Kaminsky, Rochester Institute of Technology]

[Please respond directly to Conleth O'Connell and ask that the results be made available to RISKS. PGN]

Conleth S. O'Connell at Ohio State University writes:

I have been asked to get opinions (both positive and negative) on the feasibility of drafting "uniformity legislation" for software.

Uniformity legislation affects everyone in the U.S. and its territories equally. While there may be variances in the law of a particular state, the fundamental law will be the same everywhere. For example, uniformity legislation in the U.S. requires that cars meet certain minimum pollution standards, but individual states are free to mandate higher standards.

A government committee is now considering if uniformity legislation for software is necessary, warranted, or desirable.
For example, should software suppliers be required to warranty their products? should suppliers be required to inform users of known bugs? should bug-fixes be distributed at cost? who should be responsible for viruses in object code? etc.

If you have an opinion on software uniformity legislation, please express it publicly, and I will forward your thoughts to one of the committee members. If you feel moved to "second" an opinion already expressed, please send me e-mail.

Thank you,

Conleth S. O'Connell
Department of Computer and Information Science
The Ohio State University
2036 Neil Ave.
Columbus, OH USA 43210-1277
cso@cis.ohio-state.edu

------------------------------

End of RISKS-FORUM Digest 7.79
************************