Subject: RISKS DIGEST 10.22
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Wednesday 22 August 1990   Volume 10 : Issue 22

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
 Re: NYC Parking Violations Computer ... "Rogue" (Christopher Jewell)
 Debt collector proposes "total knowledge" credit database (PH)
 More on Computerized Monitoring of "House Arrest" Detainees (Li Gong)
 Thailand computer system (Simson L. Garfinkel)
 A backup that worked (Steve Bellovin)
 NCSC to be shut down (Dave Curry)
 How to Lie with Statistics (N H. Cole)
 Something good about Automatic Bank Tellers (Pete Mellor)
 13th National Computer Security Conference, October 1-4, 1990, Washington DC
   (Jack Holleran)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to [email protected], with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to [email protected].
TO FTP VOL i ISSUE j:  ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
cd sys$user2:[risks]<CR>GET RISKS-i.j <CR>; j is TWO digits.  Vol summaries in
risks-i.00 (j=0); "dir risks-*.*<CR>" gives directory listing of back issues.
ALL CONTRIBUTIONS ARE CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.

----------------------------------------------------------------------

Date: Wed, 15 Aug 90 16:09:21 PDT
From: [email protected] (Christopher Jewell)
Subject: Re: NYC Parking Violations Computer ... "Rogue" (Davis, RISKS-10.20)

1.  I'm glad that the New York Times headline put quotes around `Rogue
Computer': it's surely a matter of lousy software design or persistent
operational errors, rather than some real-life HAL from the movie _2001_, and
the Times seems to know that.  (I _hope_ that the readers caught the
implication.)

2.  The Times quotes PVB spokescritter Stephanie Pinto, as saying that if you
divide 42,000 (errors) by 12 million (tickets) you get 0.003, (0.0035 actually)
and asking ``Is three-tenths of one percent reckless?''.  If my bank posted 3
out of every thousand transactions to the wrong account, I'd certainly take my
money elsewhere.  You'd better believe that the bank's CEO would transfer the
operations VP to the mailroom in short order, too.

3.  Stein's rhetoric (``... rogue computer ... terrorizing ...'') is overblown
headline-grabbing, but the problem is real, and both bringing in an outside
auditor and installing safeguards sound like good, albeit sadly overdue, ideas.

American Management Systems of Arlington, VA was hired in 1984 to design the
new system.  A document written by the bureau's computer managers in 1985
outlined ``critical structural deficiencies'' and warned of ``profound and
far-reaching implications.''

4.  The contractor was not competent to do the job.  They have delivered trash
in return for their $11 million so far.  (That is for developing the software
*and* running the system for the PVB.)  Would a grep of the RISKS archives find
other stories about lousy work by American Management Systems?  That name rings
a bell.                   [No bell prizes that I could find since Vol 7.  PGN]

5.  If PVB management permitted the contractor to implement the design after
their own computer folks pointed out serious deficiencies, it's hard to avoid a
choice between the hypotheses of stupidity and bribery.  If, on the other hand,
the contractor was required to correct the errors in the design, then the same
choice of hypotheses applies to those responsible for monitoring contract
compliance.

6.  Once the system had been implemented, it is possible that management
decided to install the system, not due to either stupidity or corruption, but
rather on the basis that 42,000 errors/year is better than 85,000.

Note that #6 does not contradict #5: the ``lesser evil'' hypothesis may apply
to the decision to install the new piece of @#$%, but it cannot excuse a
decision to permit the contractor to implement a known bad design in the first
place.

7.  Speaking now as a former New Yorker, the PVB has been one of the more
obvious centers of corruption in that corrupt city gov't for decades.  This is
not `whisper behind the hand' stuff: during the Koch administration, a county
leader of the Democratic Party committed suicide when his part in PVB
corruption came to light in an investigation that was making headlines even
without the suicide.  If #5 turns out to be a matter of corruption, rather than
mere stupidity, few New Yorkers will be surprised.

On the other hand, stupidity about computing is *also* a tradition in the NYC
gov't: the NYC Human Resources Administration used to pay tens of thousands of
employees with a payroll system written in OS/360 Fortran, using type REAL*8
for money, and wonder why the pennies never seemed to balance.  :-( (No, they
were not smart enough to avoid fractional parts by storing amounts in pennies
rather than dollars.)

Chris   (Christopher T. Jewell)   [email protected]   apple!netcom!chrisj

------------------------------

Date: Tue, 21 Aug 90 11:56:59 EST
From: [email protected] (Rev Phil Skinque, DD (Ret.))
Subject: Debt collector proposes "total knowledge" credit database

From the Sydney [Australia] Morning Herald, August 20th, 1990

"Sorry, you can't afford it"

CANBERRA: Debt collectors believe that in the not too distant future there will
be "total knowledge" about all individuals and envisage the Government allowing
financiers to build enormous data banks which would include confidential tax
file number information.  In fact, they believe banks and other lenders will
have so much information that debt collectors will be made redundant.

The Orwellian vision is contained in an article "Back to the Future for
Commercial Agents", published in the Institute of Mercantile Agents' journal,
The Mercantile Agent.  Its author, Mr Norman Owens, a former president of the
institute and owner of a debt-collecting agency, told the Herald that
governments would one day see it as "desirable" to link together and make
public all the enormous data bases containing highly sensitive personal
information.

"Tomorrow's credit grantor will be extending credit in a perfect market with
total knowledge of the debtor," Mr Owens asserted.  "The credit grantor in the
future will have access to all the debtor information. This will be made
available through linked data bases in the manner of George Orwell's 1984."

Credit cards will be of the "smart card" variety which will be
"genetically engineered implants" that capture all transactions from
cradle to grave. (In fact, Westpac [a major Australian bank] is
working on a smart card which has a small computer chip that records
all transactions and makes credit cards more secure.)

Credit files, like those held by the Credit Reference Association,
will be linked to the Government's tax file number data base.
"Some time in the future," he told the Herald, "mercantile agents
won't exist. This is because there would be total knowledge about
every individual including assets, income, credit history, and any
future liabilities. The debt collector exists to catch those debtors
that escape the creditor's receivable system. For the most part the holes
in that system will disappear in a business society armed with
perfect knowledge about all transactions," he said.

Mr Owens conceded that this may sound like science fiction, but insisted that
it was "science possible".  He acknowledged that the community was horrified by
such Orwellian plans and said the Government was adamantly opposed to it, but
he was confident that one day people and governments would realise that such
measures were of benefit to society.

[The thing I personally found most frightening about Norman Owens' comments -
aside from the total lack of concern about possible risks - was his choice of
words. Words like "perfect market", "total knowledge", "genetically engineered
implants", and - of course - "benefit to society". I also must add that the
basis for his Orwellian vision is the inclusion of tax file number information
currently retained by the federal government. Under current laws, this
information is confidential, so his proposed scheme would be illegal. -- PH]

------------------------------

Date: Thu, 16 Aug 90 17:22:38 EDT
From: [email protected] (Li Gong)
Subject: More on Computerized Monitoring of "House Arrest" Detainees

Monitoring "house arrest" detainees is equivalent to a common issue in computer
security.  It is known as user authentication -- determining that a
particular person is at a particular location at a particular time.

Reading the research literature on the subject of user authentication shows
that the current solutions depend on co-operation of a typical user.  For
example, he won't reveal passwords to others, and won't compromise physical
security in case he uses auxiliary devices such as smart cards or credit cards.
And maybe more important, he stands to lose something if someone else can
successfully masquerade as him.

In the case of detainees, none of these assumptions holds.  Plus the easy and
wide availability of such devices as master remote control units, which can
learn signals generated by other devices of a similar type, it seems that no
cheap (and thus practical) solution is in sight, unless one can assume that no
one would attempt to grasp the potential forgery market.

Li GONG,        Odyssey Research Associates, Inc.

------------------------------

Date: Fri, 17 Aug 90 10:18:23 EDT
From: [email protected] (Simson L. Garfinkel)
Subject: Thailand computer system

(From July 1990 Privacy Journal, Vol. XVI, No 9, Page 1)

                            TRUE COLORS

Thailand -- a constitutional monarchy with a parliament largely dominated by
the military -- has taken the Orwellian step that most Western democracies have
been afraid to take.  The Thai government this month inaugurated a centralized
database system to track and to cross-reference vital information on each of
its 55 million citizens.

The system includes a Population Identification Number (PIN) with a required
computer-readable ID card with photo, thumbprint, and imbedded personal data.
The system will store date of birth, ancestral history, and family make-up and
was designed to track voting patterns, domestic and foreign travel, and social
welfare.  Eventually 12,000 users, including law enforcement, will have access
by network terminals.  It is the largest governmental relational database
system in the world.  In the private sector, only the Church of Jesus Christ of
Latter-day Saints, the Mormon Church, has a larger one.  "The people feel that
the system will protect them," says the director of the Central Population
Database Center in Bangkok.

*What is more curious than the ambitious system itself is the fact that the
federally-sponsored Smithsonian Institute chose -- on behalf of all Americans
-- to honor the Thais for their efforts*.  The second annual Computerworld
Smithsonian Award for innovative information technology in the governmental
sector went last month to the Thailand Ministry of Interior for its oppressive
system for keeping tabs on its citizens.  Something to ponder: Two of the three
judges making the award have major computer responsibility in the U.S.
government.

[The Privacy Journal, an independent monthly on privacy in a computer
age, is a wonderful source for this stuff.  Individual subscriptions
are $35/year; Privacy Journal, P.O. Box 28577, Providence RI, 02908.]

------------------------------

Date: Fri, 17 Aug 90 09:34:50 EDT
From: [email protected]
Subject: A backup that worked

Amidst all our stories of systems that have screwed up, it's worth noting one
that did work as planned.  The New York Federal Reserve bank's Fedwire EFT
system was in the area blacked out by the New York power outage.  Its backup
diesel generators kept things running for several days.  When one showed signs
of faltering, they moved operations to a backup site outside of the city.  That
backup site had been established 3 years ago for exactly such contingencies.

               --Steve Bellovin

------------------------------

Date: Sun, 19 Aug 90 12:13:42 -0700
From: [email protected]
Subject: NCSC to be shut down

By John Markoff, New York Times
Reprinted in the San Jose Mercury News, 8/19/90
                                                [Starkly excerpted by PGN.]

COMPUTER SECURITY CAMPAIGN SHUT DOWN
Reagan-era drive targeted espionage

 President Bush has ordered a quiet dismantling of an aggressive effort to
restrict sources of computerized information, including data bases, collections
of commercial satellite photographs and information compiled by university
researchers.  [...]

Agency being disbanded

 This month the security agency began disbanding its National Computer
Security Center, moving most of its 300 employees into new jobs in the more
secret communications security section inside the agency.  [...]

    [Most of the functions of NCSC are intended to remain, however.  PGN]

------------------------------

Date: Mon, 20 Aug 90 13:28:24 BST
From: "N H. Cole" <[email protected]>
Subject: How to Lie with Statistics [once again]

With regard to the unreliability of statistics, the only solution is to make
Darrell Huff's book "How to lie with statistics" a compulsory text at all
schools. It is, I believe, the source of the quote "97.43% of all statistics
are made up."

Nigel Cole

------------------------------

Date: Tue, 21 Aug 90 11:03:20 PDT
From: Pete Mellor <[email protected]>
Subject: Something good about Automatic Bank Tellers

Despite the danger of severe shock to RISKS readers who see this, I thought
that someone should give due credit to the designers of a particular ABT which
is run by the National Westminster Bank, and an example of which is installed
at City University.

Last week I drew some money on my way to lunch. As usual, I requested a
receipt.  When my service card popped out, I put it back in my wallet, but
(being a bit more preoccupied than usual) walked away without collecting the
money or the receipt. I realised my mistake one minute later when I reached
into my pocket to pay for a beer, and sprinted back to the machine, only to
find the receipt dangling out of the slot, but no cash. I had no option but to
draw some more money and make the best of it.

I was puzzled that there had been nobody around at the time who would have been
likely to have seen my mistake, and made off with the cash, so I rang the bank.
They explained that this type of till, in which the money comes out through
rollers, gobbles the money back if it is not pulled out of the rollers within
ten seconds. Sure enough, when they 'agreed' the till the next day, they found
it in credit by the amount I had forgotten, and a record of a 'customer
time-out'. So they promptly credited my account with that amount.

Now, *that's* what I call user-friendly! :-)

Peter Mellor, Centre for Software Reliability, City University,
Northampton Square, London EC1V 0HB

------------------------------

Date:  Thu, 16 Aug 90 23:58 EDT
From: Jack Holleran <[email protected]>
Subject:  13th National Computer Security Conference, October 1-4, 1990

 [Jack sent me the entire registration packet for the conference on-line.
 It is much longer than just about any previous RISKS issue, so I
 have highlighted the program here.  This is generally the definitive
 get-together for security developers and practitioners.
 For those of you wishing the packet, please send him mail or FTP
 it from CRVAX.SRI.COM in the usual directory as RISKS-10.NCS90 .
 Registrations before 1 Sept 90 save $25; otherwise $250.  PGN]

Omni Shoreham Hotel, 2500 Calvert Street, NW, Washington, DC  20008
  (100 yards from Woodley Park Metro Station)

SPECIAL EVENTS:
October 2, 1990

Opening Plenary Session
0900     Welcoming Remarks
  Keynote Address, Robert G. Torricelli, U.S. Representative (D - NJ)
1830     Conference Reception
         Smithsonian American History Museum

October 3, 1990
1800     Conference Banquet (Omni Shoreham Regency Ballroom)
         Speaker:  Ms. Michelle K. VanCleave
         Assistant Director for National Security Affairs
         Office of Science and Technology Policy
         Executive Office of the President

October 4, 1990

1100     Closing Plenary Session

Panel:  Towards Harmonized International Security Criteria

1225     Closing Remarks

TRACK A - Research & Development

MONDAY, OCTOBER 1

1600     Panel:  Commercial Development & Evaluation of Trusted
            Systems:  An Open Discussion -- Our Success to Date

TUESDAY, OCTOBER 2

Verification
1030     PAPERS
  Covert Storage Channel Analysis:  A Worked Example
  Verification of the C/30 Microcode Using the State Delta Verification System
  UNIX System V with B2 Security

1400     PANEL:     Access Control:  Time for A Retrospective

Electronic Authentication & Biometrics
1600     PAPERS
  Key Management Systems Combining X9.17 and Public Key Techniques
  Electronic Document Authorization
  The Place of Biometrics in a User Authentication Taxonomy
  Non-Forgeable Personal Identification System Using Cryptography and
    Biometrics

WEDNESDAY, OCTOBER 3

Intelligent Tools I: Auditing
0900 PAPERS
  An Audit Trail Reduction Paradigm Based on Trusted Processes
  The Computerwatch Data Reduction Tool
  Analysis of Audit and Protocol Data Using Methods from AI

Intelligent Tools II:  Intrusion Detection
1100 PAPERS
  A UNIX Prototype for Intrusion and Anomaly Detection in Secure Networks
  A Neural Network Approach Towards Intrusion Detection
    PANEL:  Data Categorization and Labeling

1600     Panel:  R&D Activities

THURSDAY, OCTOBER 4

Modeling
0900 PAPERS
  A Generalized Framework for  Access Control:  An Informal Description
  Automated Extensibility in THETA
  Controlling Security Overrides
  Lattices, Policies, and Implementations

TRACK B - Systems

MONDAY, OCTOBER 1

0900 PAPER NIST/NSA Services & Publications

1400 PANEL: Computer Security Standards

Embedded Systems
1600 PAPERS
  The Role of "System Build" in Trusted Embedded Systems
  Combining Security, Embedded Systems and Ada Puts the Emphasis on the RTE

TUESDAY, OCTOBER 2

1030 PANEL:  Disclosure Protection of Sensitive Information

Network Security I
1400 PAPERS
  Considerations for VSLAN(TM) Integrators and DAAs
  Introduction to the Gemini Trusted Network Processor
  An Overview of the USAFE Guard System

Network Security II
1600 PAPERS
  Mutual Suspicion for Network Security
  A Security Policy for Trusted Client-Server Distributed Networks
  Network Security and the Graphical Representation Model

WEDNESDAY, OCTOBER 3

System Test & Integration
0900 PAPERS
  Testing a Secure Operating System
  An Assertion-Mapping Approach to Software Test Design
  Security Testing:  The Albatross of Secure System Integration?

Network Standards
1100 PAPERS
  Low Cost Outboard Cryptographic Support for SILS and SP4
  Layer 2  Security Services for Local Area Networks

Operating Systems
1400 PAPERS
  Trusted MINIX:  A Worked Example
  Security for Real-Time Systems
  Trusted XENIX(TM) Interpretation: Phase  I
1600 PANEL:  Vendors' Activities

THURSDAY, OCTOBER 4

Viruses
0900 PAPERS
  PACL's:  An Access Control List Approach to Anti-Viral Security
  Static Analysis Virus Detection Tools for UNIX Systems
  The Virus Intervention and Control Experiment
  Classification of Computer Anomalies

TRACK C-I - Management & Administration

MONDAY, OCTOBER 1

Contingency Planning & Disaster Recovery   (Part I)
0900 PAPER
  Disaster Recovery / Contingency Planning
1100 PANEL:  Professional Development

Contingency Planning & Disaster Recovery   (Part II)
1400 PAPER
  Disaster Recovery from $138 Million Fire
1600 PANEL:  Plans and Assistance

TUESDAY, OCTOBER 2

Criteria:  National & International
1030 PAPERS
  Harmonised Criteria for the Security Evaluation of IT Systems and Products
  The VME High Security Option
  Rainbows and Arrows:  How the Security Criteria Address Computer Misuse
  Civil and Military Application of Trusted Systems Criteria

1400 PANEL:  Implementation of the Computer Security Act of 1987

Approaches to Trust
1600 PAPERS
  The CSO's Role in Computer Security
  Implementation and Usage of Mandatory Access Controls in an Operational
    Environment
  Building Trust into a Multilevel File System

WEDNESDAY, OCTOBER 3

Risk Management
0900 PANEL:  Risk Management
1000 PAPERS
  LAVA/CIS Version 2.0: A Software System for Vulnerability and Risk
    Assessment
  WORKFLOW:  A Methodology for Performing a Qualitative Risk Assessment
  Critical Risk Certification Methodology

Acquisition
1400 PAPERS
  Factors Effecting the Availability of Security Measures in Data Processing
    Components
  Integrating Computer Security and Software Safety in the Life Cycle of Air
    Force Systems
1500 PANEL:  Acquisition Discussion

Integrity
1600 PAPERS
  Integrity Mechanisms in Database Management Systems
  A Taxonomy of Integrity Models, Implementations and Mechanisms

THURSDAY, OCTOBER 4
0900 PANEL:  National Computer Security Policy

TRACK C-II - Management & Administration

MONDAY, OCTOBER 1

DATABASE MANAGEMENT

0900 TUTORIAL: Database Management Systems and Secure Database Management
                Systems
1100 PANEL:  A Year of Progress in Trusted Database Systems
1400 PANEL: Trusted Database Systems: The Tough Issues
1600 PANEL:  Multilevel Object Oriented Database Systems

TUESDAY, OCTOBER 2

C2 Microcomputer Security
1030 PAPERS
  C2 Security and Microcomputers
  Functional Implementation of C2 by 92 for Microcomputers
1400 PANEL: Electronic Certification: Has Its Time Come?
1600 PANEL:  Defense Message System (DMS) Security

WEDNESDAY, OCTOBER 3

0900 PANEL: IEEE Computer Society
          Limited Access to Knowledge and Information
1100 PANEL: Computer Emergency Response Team: Lessons Learned

Ethics
1400 PAPERS
  Discerning an Ethos for the INFOSEC Community:  What Ought We Do?
  VIRUS ETHICS:  Concerns and Responsibilities of Individuals and Institutions
  Concerning Hackers Who Break into Computer Systems
1600 PANEL: National Institute of Standards and Technology Activities

THURSDAY, OCTOBER 4

0900 PANEL: Hackers: "Who are They?"

Track D - The Computer Security Tutorial Track

MONDAY, October 1

0900 PAPERS
  Automated Information Security:  Overview of the Tutorial
  Security Overview and Threat
  Information Security
  Life Cycle Management Requirements
  Risk Management

TUESDAY, October 2, 1990

1030 PAPERS
  Data Security
  Physical, Personnel and Administrative Security
  Office Automation Security

WEDNESDAY, October 3, 1990

0900 PAPERS
  Telecommunications Security
  Software Controls
  Trusted Systems Concepts
  Trusted Network Concepts

THURSDAY, October 4, 1990

0900     Tutorial Panel

Also a collection of Educator Sessions:

Tuesday, October 2, 1990
1400     Should Computer Security Awareness Replace Training?
        A Reassessment of Computer Security Training Needs
1600     Components of an Effective Training Program
        Information Security:  The Development of Training Modules
        Determining Your Training Needs
        Panel:  Lauresa Stillwell, Adele Suchinsky, Corey Schou, Roger Quane

Wednesday, October 3, 1990
0900    Training Vehicles:  Cost Versus Effectiveness
       Computer Based Training:  The Right Choice?
1100    Training on a Shoe-String Budget
       Awareness and Training in a World of Reduced Resources

------------------------------

End of RISKS-FORUM Digest 10.22
************************