Subject: RISKS DIGEST 10.08
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Tuesday 12 June 1990   Volume 10 : Issue 08

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
 Liz Taylor and ``secret codes'' (PGN)
 EEC `IT Security Evaluation Criteria' (Klaus Brunnstein)
 Re: A 320 article in Aeronautique (Francois Felix Ingrand)
 2600 magazine article (Arthur L. Rubin)
 Self-Replicating Bugs in Floppies (Warren M. McLaughlin)
 Caller ID neither necessary nor sufficient to prevent crank calls (ark)
 Whom Caller ID benefits and whom it does not (Peter da Silva)
 Re: egregious database and `voluntary' data submission (Bill Janssen)
 Egregious Database Already Exists (William M. Bumgarner)
 Re: Another egregious database (L.P. Levine)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to [email protected], with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to [email protected].
TO FTP VOL i ISSUE j:  ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
cd sys$user2:[risks]<CR>GET RISKS-i.j <CR>; j is TWO digits.  Vol summaries in
risks-i.00 (j=0); "dir risks-*.*<CR>" gets you directory listing of back issues.
ALL CONTRIBUTIONS ARE CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.

----------------------------------------------------------------------

Date: Tue, 12 Jun 1990 8:41:48 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Liz Taylor and ``secret codes''

A woman identifying herself as Lisa Flowers used the secret code for Liz
Taylor's answering service to set herself up as a cryptopublicist, returning
telephone calls and giving out bogus interviews.  She told reporters about a
fabricated relationship with a 23-year-old Detroit man, Julian Lee Hobbs, and gave
out false medical reports.  The hoax included intercepting requests from UPI
and AP for confirmation of earlier (phony) information, and providing
confirmation!  So much for "secret" codes.  [Source: San Francisco Chronicle,
12 June 1990, p. 2]

------------------------------

Date: 09 Jun 90 13:27 GMT+0100
From: Klaus Brunnstein <[email protected]>
Subject: EEC `IT Security Evaluation Criteria'

This week, EEC sent the draft of the 'harmonized' Information Technology
Security Criteria (ITSEC) to some people (I don't know the address list) for
comment. Based on the German `Green Book', an expert group with French, German,
Dutch and English contribution prepared a (greyly-white covered) booklet of
125 pages covering (after a short introduction: (1)scope) the functionality (2)
and the assurance of correctness (3: 55 pages) as well as the assurance of
effectiveness (4). The functionality chapter (2) refers, among others, to the
Green Book's functionality classes F1..F5 (derived from Orange Book) and
F6..F10 (adding availability and integrity of systems and networks to the
well-known Orange Book functionality). The assurance part (3) elaborates the
Green Books' quality Q0..Q7 into the more detailed `levels' E1..E6 (from
'inadequate assurance'=E0 equivalent to Orange Book 'D', towards E6 where
correctness is formally proven (essentially A1, but not `beyond A1'!));
as in Orange Book and Green Book, each higher level encompasses the lower ones.
For each level, specific features must be evaluated for the (4) 'phases' of the
development process as well as for different `aspects' of the system and user
documentation. Moreover, the effectiveness of the assured features is roughly
described under aspects such as: suitability, binding of functionality,
strength of mechanism, assessment of vulnerability (construction, operation),
or ease of use.

EEC plans a conference in Brussels to happen on September 25-26, 1990. According
to their letter, they welcome critical comments (if received by July 6th)
which might be discussed in this conference.

Klaus Brunnstein    University of Hamburg

PS: based on our analysis of the benefits and shortcomings of `Trusted Computer
Evaluation Criteria' which we contributed to the IFIP SEC'90 conference,
recently in Helsinki, I plan to analyse this new Criteria catalog in more detail.
I would strongly appreciate any critical comments, as well on our paper on
'Risk Analysis of Trusted Computer Systems' (which I e-mail upon request) as
well as on the above draft.

    [The copy I have says that Der Bundesminister des Innern, Bonn, West
    Germany (Minister of the Interior) is der Herausgeber, so presumably
    copies can be obtained from there or from the other three governments.
    The ITSEC is a very deft merging of the earlier German criteria and the
    British claims language.  PGN]

------------------------------

Date: 8 Jun 90 22:46:13 GMT
From: [email protected] (Francois Felix INGRAND)
Subject: Re: A 320 article in Aeronautique (Atkielski, RISKS-10.05)

>  Minor erratum:  This article actually appears in the "Aeronautique"
>    section of the French science magazine "Science & Vie,"

In France, "Sciences et Vie" is considered as the "National Enquirer" of
"Sciences"...

Most of their articles do not have the scientific seriousness you expect from
a scientific publication.

Francois Felix INGRAND                          SRI International, AIC
"Read my Lisp... No new syntax" (nil)

------------------------------

Date: Fri, 8 Jun 90 23:17:39 PDT
From: [email protected] (Arthur L. Rubin)
Subject: 2600 magazine article

       I posted the 2600 magazine excerpts on some local BBSs, and I have the
following comment from a user and sysop:

What does the entire 911/Steve Jackson Games escapade tell us?  Well, it's not
all that new that the government (like most such things) requires careful
watching, and I'm not too happy about how the last I'd heard, an agent had told
SJ games they wouldn't get all of their hardware back, even though no charges
had been filed (can you say legalized thievery boys and girls?  I knew you
could.)

But the main thing that moves me to write this missive is the indications from
the published article that the authors, and thus quite likely also the party
responsible for copying that document and circulating it still do not quite
understand what the individual responsible did. Accordingly, and in the hopes
that if this circulates widely enough he or she will see it, the following
message:

OK - all you did was get into Bell South's computer system (mostly proving that
their security sucks rocks) to prove what a hotshot hacker you were, then made
a copy of something harmless to prove it.  Sheer innocence; nothing to get
upset about, right?

Bull****, my friend.  Want to know what you did wrong?  Well, for starters, you
scared the US Government and pointed it in the direction of computer hobbyists.
There are enough control freaks in the government casting wary eyes on free
enterprises like BBS systems without you having to give them ammunition like
that.  Bad move, friend, bad move.  You see, the fact that you didn't damage
anything, and only took a file that would do no harm to Bell South OR the 911
system if it were spread all over the country is beside the point.  What really
counts is what you COULD have done.  You know that you only took one file; Bell
South only knows that one file from their system turned up all over the place.
What else might have been taken from the same system, without their happening
to see it?  You know that you didn't damage their system (you THINK that you
didn't damage their system); all Bell South knows is that somebody got into the
system to swipe that file, and could have done any number of much nastier
things.  Result - the entire computer you took that file from and its contents
are compromised, and possibly anything else that was connected with that
computer (we know it can be dialed into from another computer - that's how you
got on, after all!)  is also compromised.  And all of it has now got to be
checked.  Even if it's just a batch of text files never used on the 911 system
itself, they all have to be investigated for modifications or deletions.  Heck
- just bringing it down and reloading from backup from before you got in (if
they KNOW when you got in) even if no new things were added since would take a
lot of time.  If this is the sort of thing that $79,449 referred to I think they
were underestimating.

You cost somebody a lot of time/money; you almost cost Steve
Jackson Games their existence; you got several folks arrested for
receiving stolen goods (in essence); you endangered a lot of
bulletin boards and maybe even BBS nets in general.  Please find
some other way to prove how great you are, OK?
                                                  --Crystalsword

Arthur L. Rubin, PO Box 9245, Brea, CA  92622  (work) (714)961-3771

------------------------------

Date:  Sat, 9 Jun 90 17:12 EDT
From: "Warren M. McLaughlin" <[email protected]>
Subject:  Self-Replicating Bugs in Floppies

This is a personal report, eye-witnesses are available.  On Thursday, 7 June
1990, at about 1500 hrs EDT, it was conclusively demonstrated that it is
possible for self-replicating bugs to replicate themselves in floppies (5-1/4"
DSDD) _outside_ of a computer!

There is a stash of scratch disks, in boxes, on top of a file cabinet next to
my desk.  Mostly, they are old backups awaiting degaussing and reformatting.
At the back of the row of six or seven boxes, I found an open box of disks,
with nine new, never-used disks.  This minor treasure would have come in handy
if I hadn't noticed visible evidence of the self-replication (and defecation)
of the bugs, commonly known as "cockroaches".

A cursory examination, conducted after dropping the box in the trash bag,
revealed at least five live beasties.  Droppings/eggs everywhere in the box.  I
checked each disk envelope, and found spoor in all nine.  Witnesses were drawn
to the scene like flies... er, spectators.  There was a certain amount of noise
associated with the discovery, and the air in my cubicle is reported by some to
have turned blue.  This may be an exaggeration.

The droppings/eggs seemed large enough to have caused a head crash.  I have
enough bits loose in my PCs without adding more.  I checked every other box,
and found no evidence of infestation.  Three of the boxes came from the same
carton as the infested box.

I will not report the name of the manufacturer, as it does not seem important.
TechReps of several computer manufacturers have told me that "tower" style
cases regularly attract cockroaches.  They are thought to come in for warmth,
or to eat the lacquer used on certain components.  Incidentally, _real_ lacquer
is the processed shells of the lac beetle, which is remarkably like a cockroach
in appearance.  (_Cannibalistic_ self-replicating bugs?)

This may be yet another Risk of computing - or another Risk of working in an
old five-sided building on the west side of the Potomac.

[Disclaimer: The views herein are mine of this fleeting moment, and neither
represent my views upon considered reflection, nor those of the Department of
the Navy, nor any component of the Department.]

                            - Mike

W. M. McLaughlin, Computer Security Coordinator, SECNAV/DONIRM(C2)
Washington, DC  20350-1000

------------------------------

Date: Sat, 9 Jun 90 13:20:02 EDT
From: [email protected]
Subject: Caller ID neither necessary nor sufficient to prevent crank calls

The people who claim Caller ID is useful for preventing crank calls are
somewhere between misguided and dishonest.  Consider: do you *never* receive a
call from someone you know from a phone number you don't recognize?  Have you
*never* had a friend call you from a pay phone?  Of course not!  So that means
that a general strategy of refusing to answer calls from unknown sources will
cut you off from some calls you would have wanted to receive.

Suppose, then, that you answer all calls.  You are assured of getting a crank
call from time to time.  Why doesn't Caller ID avert that by making it known to
the caller that you will identify the source?

It does, of course, but it's much more than you need for that purpose.  For
example, the following facility has been available in my calling area for some
time: if after receiving a call I hang up, pick up the phone again, and dial
*51, then a copy of the identity of the last call I received will be logged in
the central office and I will be charged $1.00 .  I can then call the police
and tell them that I received a crank call that was recorded in the central
office.  They can find out who called and act appropriately.

So: even if I have Caller ID, I cannot avoid crank calls unless I also cut
myself off from some legitimate calls.  Once I have received a crank call, I
can report the origin to the authorities even without Caller ID.  How, then, is
Caller ID useful for that purpose?

------------------------------

Date: Sun Jun 10 10:34:19 1990
From: [email protected]
From: [email protected] (Peter da Silva)
Subject: Re: Whom Caller ID benefits and whom it does not

> As far as residential phone users are concerned, Caller ID is not much
> better than receiving anonymous calls.  [ the message goes on to bring
> up "member of family at phone booth" considerations. ]

I take it you have never been the target of telephone harassment. I have.
It's not a lot of fun, but unless it goes on for a long time it's just not
possible to get the authorities to do anything about it. I have been called by
my wife's ex-boyfriend (from his place of work!), by some bozo who
three-way-called me to a third party, and by someone who calls and hangs up, we
assume to call-wait my wife off a chat system (not knowing we have another line
for the modem). In all of these cases caller-ID would be a deterrent, a channel
of recourse, or a signal to ignore that call. Even when you know the harasser,
there's not much you can do currently: when I called the ex back at work, he
convinced his boss that *I* was harassing *him* (he'd called dozens of times...
I'd called back once, then again when he hung up). If I'd had Caller-ID I
could have just ignored calls from that number (the numbers handy to his place
of work would have become quickly obvious).

In none of these cases was SWBell at all interested. In all of these cases
Caller-ID would let me stop it in the bud. Calls from pay-phones just wouldn't
have been possible for any of them (pay-phones don't have 3-way calling, and
in the other two cases the opportunity wouldn't arise).

No system is perfect, but I'm not going to leave my door unlocked just because
someone is capable of breaking a window. Making casual harassment less
convenient is by itself a good thing.

Peter da Silva. +1 713 274 5180.

------------------------------

Date: 12 Jun 90 10:41:39 GMT
Sender: [email protected]
Reply-To: [email protected] (Ralph P. Sobek)
Subject: Re: Risks of Laser Printouts (RISKS-9.89,91,92)

(Simson L. Garfinkel) writes:
|  Not very surprising, considering that laser printers pump out gobs of ozone.

This is the first good news that I've heard!!  With more and more laser
printers we will be able to reverse the ozone destruction caused by all those
CFCs floating around.  :-) Can anyone quantify that figure: gobs?
                                                                   Ralph P. Sobek

------------------------------

Date: Fri, 8 Jun 90 16:19:21 PDT
From: <[email protected]>
Subject: Re: egregious database -- risks of `voluntary' data submission

In RISKS DIGEST 10.07, Edwin Wiles comments that the `egregious database' is
less troublesome because of the voluntary nature of data submission.  This
ignores the risks of bureaucratization, in which the fact that one has not
`voluntarily' submitted data to a database is held against one.  (There is also
the risk of inexperience, in that a student may not appreciate the consequences
of putting personal data in such a database, but this should always be
considered.)
                                       Bill

------------------------------

Date: Mon, 11 Jun 90 01:51:56 -0400 (EDT)
From: "William M. Bumgarner" <[email protected]>
Subject: Egregious Database ALREADY EXISTS

In the Columbia Public Schools, of Columbia, Missouri, such a system
has been installed in the last few years-- it can keep track of
basically _everything_ that can be recorded textually that has
happened during a student's K-12 academic career.  Not only grades, but
personality profiles, any comments by teachers, and just about
anything that is even remotely associated with 'school' -- including
incidences that don't appear on the 'permanent' record and incidences
involving the police.

Apparently, the goal is to be able to track a student through the public
education system and then store that data permanently ... and it is all at the
fingertips (though, at many different security levels, of various random
secretaries, counselors, etc.)...
                                      b.bumgarner, NeXT Campus Consultant

------------------------------

Date: Sun, 10 Jun 90 12:55:23 CDT
From: Prof. L. P. Levine <[email protected]>
Subject: RE: Another egregious database (Wiles, RISKS-10.07)

In Risks 10.07 Edwin Wiles, NetExpress, Inc., misses the point entirely.  He
seems pleased that the system is voluntary [...]  But the next part of the
quote is missing.  Reading it from Risks 10.05 we see:

>> The absence of criteria like punctuality might be noticed, however,
>> just as vital information omitted from a resume would be, he adds.

and means that leaving out such information is itself a negative mark on the
potential employee.  I have students RIGHT NOW who are peeing in bottles
(voluntarily) in order to get jobs.  Of course they do not take drugs, of
course they are doing it voluntarily, of course they want the job.  They do it.
Voluntary release of your civil rights is not protection.  The argument that
you have nothing to fear from this abuse of your rights if you are not guilty
never washes.  It is always just plain wrong.  Nobody expects the Spanish
Inquisition, but this is the way it begins.

Leonard P. Levine, Professor, Computer Science, U. of Wisconsin-Milwaukee
Milwaukee, WI 53201 U.S.A.

------------------------------

End of RISKS-FORUM Digest 10.08
************************