Subject: RISKS DIGEST 13.34
REPLY-TO:
[email protected]
RISKS-LIST: RISKS-FORUM Digest Friday 3 April 1992 Volume 13 : Issue 34
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Re: SDI (David Parnas)
Re: NSA and cryptographic software (Steve Bellovin, Fred Cohen)
Risks in nuclear bombs to deflect asteroids (Marvin V. Zelkowitz)
The new Simon & Schuster Royalty Accounting System (Lauren Wiener)
Bad data allowed to enter driver database and used as basis for arrest
(Eric Postpischil)
Re: U.S. Dept of Justice Rulings about Keystroke Capturing (Marc Horowitz,
Thomas Zmudzinski)
RISKS of patents on software, ideas, etc. (Bob Estell)
Backup over the phones? (Robert Ebert)
Re: Now why didn't I think of that? (Windows 3.1) (James Barrett)
The Machine That Changed the World -- Public TV Series (Jack B. Rochester)
The RISKS Forum is moderated. Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious. Diversity is
welcome. CONTRIBUTIONS to
[email protected], with relevant, substantive
"Subject:" line. Others may be ignored! Contributions will not be ACKed.
The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
especially .UUCP folks. REQUESTS please to
[email protected].
Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits). Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------
Date: Thu, 2 Apr 92 16:07:28 EST
From:
[email protected] (David Parnas)
Subject: Re: SDI (Newsweek, March 23,1992) (RISKS-13.33)
When I read that
"[The] Pentagon disagrees that deploying a space-
and ground-based defense system poses significant
technical challenges. The complexity of the software
required to coordinate Star Wars, for instance, is no
more daunting than programs that control nuclear
reactors, it says."
I certainly breathed a sigh of relief. Having had a look at both types of
programmes, I am comforted by the impression that the Pentagon employee who
stated that opinion had never seen either type of software.
Dave Parnas
------------------------------
Date: Thu, 02 Apr 92 15:52:42 EST
From:
[email protected]
Subject: NSA and cryptographic software
The NSA and the Software Publishers' Association appear to have
reached an agreement that would allow some exports of cryptographic
software, as long as the keys are constrained to be sufficiently
short. The net effect is a slight but potentially useful
improvement over what was previously exportable.
Umm -- according to the NY Times article on the subject, things are
actually a bit murkier. The details of the algorithm are supposed
to be secret. (How long that will work is debatable, of course.
In fact, it isn't even particularly debatable; I think we know the
answer.) Naturally, a number of folks are quite upset about that
aspect.
Now that NSA and RSA have come a little closer, we need to
bring in BSA (the Boy Scouts of America). Be prepared!
Imagine, a merit badge for cryptography?
Actually, they do have one. Or rather, Way Back When, the Cub Scouts had a
something or other in cryptography. Being innocent of the distinction between
a ``code'' and its key at the time (and for that matter, of the distinction
between a code and a cipher), I persuaded the Powers That Were that I had
fulfilled that requirement *25* times, by coming up with *25* different Caesar
ciphers...
--Steve Bellovin
------------------------------
Date: Thu, 2 Apr 92 21:56 EST
From: fc <
[email protected]>
Subject: Risks of a national policy against good crypto
Just an opinion - I think financial competitiveness is far more important than
not being able to read crypto to the US at this time.
I can purchase an RSA on a smart card from Phillips in the EC, but I cannot
sell a slower RSA for the PC to people in EC. What this seems to say is that
they can have it, but I can't sell it to them - or in other words - they get
the money from our research!!!
And then there is the old wire tapping thing. As far as I am concerned, it is
the FBI's business to find a way to read my mail if they care to, but it is not
my job to help them do it. That's why I use an RSA whenever I want to send
something private.
Which brings me to the newest development at ASP. We have decided to
do all further crypto development oversees. This is because if we do it here,
it's against the law to export it, but if we do it there, we can still import
it and sell it here. Any such policy, if it is to be effective, must also
restrict import - otherwise, the financial motivations will move all crypto
oversees. This is of course happening. Want an example?
At the 5th virus conference, the people from the EC cheered when they
heard that virus defenses are export controlled. In my case, my EC competitors
get a 6 week advantage over me in everything they do, because each new version
has to go through paperwork at the US government that takes this long. As a
result, I have moved my further virus defense development to the EC. They get
the money in stead of the US getting it, but I get a smaller piece of a bigger
pie, which earns me more money in the long run.
How long will it be before we give up the little leadership we have
in information protection? Not long! All over the EC and in the far east and
in Australia, there are research groups forming at universities for computer
security researchers. They get funding and tenure, and even publish articles.
In the US, there is lip service, and a few universities offer a course or two,
but you cannot find more than 2 experts at any US university!
So I think the real risk is that in the name of maintaining national
security, we are giving up our leadership in security!
Have a nice day - FC
------------------------------
Date: Thu, 2 Apr 92 17:13:01 -0500
From:
[email protected] (Marvin V. Zelkowitz)
Subject: Risks in nuclear bombs to deflect asteroids
I just listened to a local radio station talk show concerning proposals
to use nuclear weapons to change the orbit of asteroids heading towards the
earth, and while the discussion was factual, it poses a long term risk on
science in this country. The discussion was by the radio commentator and a
physicist from a local university. The general tone of the show and the
facts presented were:
1. Neither took the threat very seriously and were very flippant about the
whole process.
2. Rationale for such proposals seemed to be the large number of
(unemployed?) nuclear scientists needing a new threat to work against
since the Soviet threat is disappearing.
3. Congress held a hearing on the potential for such a collision with an
asteroid.
4. NASA held two workshops to discuss this problem.
5. There is a non-zero probability of such a collision actually
happening.
6. The last big collision of an asteroid with the earth was about 65
million years ago, anything that large is probably already known, we
will have several near misses first before any collision, giving from
several decades to several centuries advance warning before such a
collision.
The risk here (besides the obvious one of having the earth blow up)?
There is a lack of knowledge by the public on risks,
safety, and the costs and tradeoffs of increasing safety (and decreasing
risk), especially given the flippant tone of both radio commentators.
It was probably reasonable for Congress to hold such a hearing
since the potential damage would be catastrophic. It probably was
reasonable for NASA to hold a workshop to discuss the risks of such a
collision and potential solutions. Given the extremely small probability
of such a collision and the high costs of preventing it, the process
should have probably stopped there. However, it is important for the public
(and scientists and Congress, even) to at least study such issues.
The next time some issue like this comes up, there may be a tendency
to dismiss it before there is any scientific discussion of its reality.
-- Marv Zelkowitz, Computer Science, University of Maryland, College Park
[email protected]
------------------------------
Date: Thu, 02 Apr 92 15:29:18 -0800
From: Lauren Wiener <
[email protected]>
Subject: the new Simon & Schuster Royalty Accounting System
I am writing a book about software bugs. Today I was working on a chapter
featuring development disasters. The royalty statement for a previous book
arrived. It is several days late, in a big envelope with a glossy brochure and
a form letter that begins:
"Dear Author:
"We are very pleased to provide you with your royalty statement for the current
period. This new statement is enhanced in form and content and is the initial
statement generated by the recently implemented Simon & Schuster Royalty
Accounting System."
The letter ends:
"Any major system implementation involves a transition and refinement period.
We anticipate that you may have issues that require attention, and we are
prepared to address your concerns in an expeditious manner.
If you have any questions, please call our Royalty Department toll free
number..."
The check is made out to Lauren Carter. Carter? From Wiener?
How did they do that? It's not even close!
I called the toll-free number. A human -- an agreeable and intelligent one --
is still in the loop at 5:30 P.M. EST. He promises to straighten it out.
But the first thing he says to me is, "You wouldn't believe how much
they spent on this system!"
Sometimes life is too perfect.
[Look for Lauren's Trip Report on the panels and invited talks at
SIGSOFT '91, which is just going to press in the ACM SIGSOFT Software
Engineering Notes vol 17 no 2, April 1992. I probably already noted that
the proceedings of that conference are out as SEN vol 16 no 5, December
1992. PGN]
------------------------------
Date: Thu, 2 Apr 92 05:28:44 PST
From: Eric Postpischil <
[email protected]>
Subject: Bad data allowed to enter driver database and used as basis for arrest
Below is the full version of a letter I have sent to various agencies and
representatives in New Hampshire. In summary, some person was stopped for
traffic violations, and gave a false name and address and no other personal
identification. The violations were unpaid and unchallenged and so were
recorded in the given name without that person's knowledge. License suspension
proceedings were initiated, but notice was sent to the false address since the
Department of Safety had updated their computer records with the erroneous
information. Eventually, the innocent person was stopped and arrested for
driving without a license.
-- edp (Eric Postpischil)
- - - - - - - - - - - - - - - - - -
6 Hamlett Drive, Apt. 17
Nashua, NH 03062
2 April 1992
An open letter to the Department of Safety, police officers, judiciary, and
legislative representatives of New Hampshire
Dear People:
A few months ago, an acquaintance of mine was stopped by a police officer for a
traffic violation. According to a check of their driving record, their license
had been suspended, so the officer arrested them. It turns out this person had
been the victim of a fraud, and the Department of Safety, the police, and the
courts made mistakes which compounded the consequences. The charges have been
dropped and the Department of Safety records partially corrected, but court
records remain in error, and there are lessons to be learned from this
incident. (I will not name the victim here, but appropriate parties, such as
officials who wish to correct records, can get this information by contacting
the author.)
Fraud occurred on three prior occasions, which the Department, the police, and
the courts failed to catch. Some person was stopped for traffic violations.
This person apparently did not present any identification to the police officer
who stopped them, but they gave a misspelling of the victim's name as their own
and gave the address of a relative of the victim as their own address.
(According to New Hampshire statutes, a person stopped for a traffic violation
need not have their license with them but is supposed to present their driver's
license at the peace officer's office within 24 hours.)
On three occasions, this person must have failed to present identification
within the allotted time, yet there was apparently no follow-up investigation
by any of the officers involved. The records of the violations were sent to
the Department of Safety, which accepted them as correct in spite of the fact
that there was no physical evidence at all that the person owning the affected
records was in fact the person at fault. The Department matched the misspelled
name with that of our victim and updated their database with the new, incorrect
address. The violations were placed in the victim's records. Further,
proceedings were begun to suspend the victim's license.
Notices about the violations and the suspension proceedings were sent to the
incorrect address, where it was ignored. It seems to me to have been unwise to
ignore official letters rather than forward or return them. I guess that
because they were arriving at the incorrect address, they might have been
presumed to be spurious and unimportant. Regardless, the fact that they were
ignored is not in any way the fault of the victim.
There are several lessons to be learned. It is improper to place damaging data
in a person's record when there is no supporting evidence -- no record of
violations should have been placed in the victim's record nor should any court
have made a finding of guilt until there were actual physical evidence. There
was no driver's license, no signature, no fingerprint, no match of vehicle
records, no photograph, and no witness who knew the person. Even the police
officers who made the stops could testify only that the person said they were
the victim, not that they actually were. As a society, we must recognize that
if we rely on databases to provide important information, then we are assuming
a great risk if incorrect data enters the database. There must be rigid
controls to allow only accurate information into the database. Without these
controls, the database cannot be considered accurate, and it is wrong to rely
on it. An insecure database is not a proper basis for making arrests or
otherwise penalizing human beings.
Another lesson is that the Department and police officers should be wary of
fraud. When a person fails to present proper identification within the
allotted 24 hours, this must be followed up by investigation. It must not be
followed up by mechanically completing the paperwork to record a violation.
Justice requires evidence and due process, and mechanical processing of
violations provides neither to our citizens. Further, when a person fails to
present identification during a traffic stop, the officer should secure some
other evidence of their identity, perhaps by taking a photograph for later
examination.
Finally, there is a lesson to be learned about database records and privacy.
Although the Department of Safety keeps these records, we should not consider
the Department to be the owner of the records. Each record is owned by the
person whose record it is, and the owner has a right to know what is in the
record and when changes are made. The owner has a right to control their
record to ensure that it is accurate. In this incident, the Department
accepted a change to the records without checking with the owner to verify the
change. This is like a bank allowing anybody to walk in and sign a new
signature card for your account and then letting the person withdraw funds from
your account. That is a serious flaw. Whenever any change is made to a
person's record, the Department should send a complete notice to that person.
When the change includes an address change, the notice should be sent to the
former address.
I would also like to add that I am appalled that any court, magistrate, or
other judiciary official would make a finding of fault against a person not
only without evidence but also without properly serving notice to that person
at their true address. Such administration of traffic laws is a travesty that
subverts basic principles of justice in this country.
There is one good note. After the arrest, a letter was sent to the Department
of Safety requesting correction of the mistakes. The Department responded
extremely quickly -- by phone the day after the letter was placed in the mail.
This is typical of the wonderful service the Department usually provides; they
are to be commended for doing an excellent job on the whole. I only hope the
Department can provide the same quality of service in preventing mistakes like
this from happening in the first place.
On the other hand, the Attorney General's office has not acted so responsibly.
The victim has managed to identify the guilty person and locate a witness to
the fraud, yet the Attorney General's office has refused to become involved.
Recommendations
I call upon the Department of Safety to rectify its record-keeping procedures
so that records cannot be altered without the knowledge of their owner and that
incorrect information is detected.
I call upon police officers to be wary of fraud, to follow up with
investigation when identification is not presented, and to regard their
statements on official documents and to courts as testimony. On this latter
point, observe that a police officer who has not examined identification cannot
truthfully testify that they witnessed a certain person committing a traffic
offense. The most they can testify to is that they witnessed somebody claiming
to be a certain person committing an offense, and this distinction should be
made clear in all official documents and court testimony.
I call upon judiciary officials not to make any finding of fault unless there
is physical evidence and to ensure that the rights of our citizens to due
process and to confront their accusers are fully protected. In particular, no
judiciary official should accept the presentation of a summons to an
unidentified person as proper service of a summons.
I call upon the elected representatives of our citizens to ensure that the
above tasks are accomplished. This state and this country are sorely lacking
in data protection laws. Every day, citizens become further bogged down in a
morass of databases containing information about them they cannot examine,
control, or correct. People are steadily losing the ability to control their
own lives.
You, our representatives, must fix this. You must protect people from
wrongdoing by faceless bureaucratic machinations, and you must ride herd on the
enforcement and judiciary branches of our government to ensure that our rights
to due process and fair trials are protected.
Sincerely,
(signed)
Eric Postpischil
------------------------------
Date: Thu, 02 Apr 92 12:24:18 EST
From: Marc Horowitz <
[email protected]>
Subject: Re: U.S. Dept of Justice Rulings about Keystroke Capturing
>> Unfortunately, correct. The situation is roughly analogous to having
>> to post signs saying that there are TV cameras monitoring your condo.
I must be misunderstanding you. The building I'm in (the student center at
MIT) has a bank branch and a grocery store. Both have cameras, and neither
have signs announcing them, I just checked. Neither conceal their cameras. Is
a condo special?
>> Very true. For example, an "alleged penetrator" (prosecuting attorneys
>> prefer to avoid the H(acker) word as "too warm and fuzzy") was monitored
>> while committing (what I'd consider to be) electronic breaking and entry.
>> He got off because he hadn't been warned that he was being monitored.
So, if someone breaks into my house, and I managed to follow him around, and
watch him steal stuff, is that information not admissible in court because I
never tapped him on the shoulder and said "don't mind me, I'm just watching
you"? Should I have a sign on my apartment announcing that "By entering these
premises, you consent to the possibility that the owner might actually watch
you and file charges if you are breaking and entering."?
Marc
------------------------------
Date: 2 Apr 92 15:22:00 EST
From: "zmudzinski, thomas" <
[email protected]>
Subject: In-Re: Re: U.S. Dept of Justice Rulings about Keystroke Capturing
D E F E N S E I N F O R M A T I O N S Y S T E M S A G E N C Y
Dept: DNSO/DISM
Tel No: 703 285 5459 (DSN) 356
Subject: In-Re: Re: U.S. Dept of Justice Rulings about Keystroke Captu
Apparently my dry wit was a tad too desiccated, sorry. Condos _do_ have some
special laws (a condo fee isn't rent nor is it a mortgage payment), but
surveillance isn't one of them.
I was giving a deliberately absurd, but all too real, example. There _ARE_
legal requirements relative to surveillance; what depends on where you are and
what/who you're "surveillancing" (if "there ain't no word that can't be
verbed", then such verbs can certainly be gerunded, right?).
Here, you may have a vacation-behind-bars-ish requirement to post
such a sign; there, there may be no LEGAL requirement, but you post
a warning to get a better return on your effort and scare off the
badguys; (and everywhere, the Communication Cops want to get into
your knickers?).
> So, if someone breaks into my house, and I managed to follow him ...
If you do as you said, it's your word against his, and assuming he left no
physical evidence, I doubt that you'd even get the case to court. Of course,
if you made the alleged burglar so nervous that he tripped on the throw-rug,
_YOU_ could be prosecuted under the anti-"deathtrap" laws. (You did know that
you can't leave a deadfall inside your doorway, didn't you?) By the way, I
wrote "prosecuted", not "convicted", but the way that juries are "instructed"
these days, I wouldn't rule it out.
> Should I have a sign on my apartment ... >
Given the current crazy state of our laws, it wouldn't hurt. Let me point out
that I didn't write this mess!
------------------------------
Date: 2 Apr 92 16:02:00 PST
From: "FIDLER::ESTELL" <ESTELL%
[email protected]>
Subject: RISKS of patents on software, ideas, etc.
I guess I'm getting cranky in my old age (54). But I grow weary of the
energetic youngsters (regardless of age) who want to patent every new
toy - even if it ain't new! Like "...the first ever machine independent
benchmarks..." hyped in one computer magazine; turned out they were
NOT comparable between PC's and Mac's, nor DOS and UNIX-like hosts;
i.e., one could not compare results, to help in a purchase decision.
NOW *that's* REAL independence! (Not to mention that I was doing
machine independent benchmarks in 1967-68.)
Apple's claims about "look and feel" of the icon/mouse interface should
be faced down, in federal court, by a consortium of IBM, AT&T, H-P, etc.
who graciously concede the icon/mouse interface to Apple - IF (and only
if) Apple will abandon the keyboard and command line interface, on the
ground that the plaintifs (IBM et al) got there first.
Imagine using any computer, without a keyboard, and without command lines,
even short ones - like single characters. Pretty tough.
Now, I'm not picking on Apple. (I use a Mac II.) It's just that their "look
and feel" suit has gotten more press than most others. Squelching it once and
for all might make other frivolous suits more rare.
Bob
------------------------------
Date: Thu, 2 Apr 1992 11:07:48 PST
From:
[email protected]
Subject: Backup over the phones?
Excerpted from TidBITS#114/01-Apr-92, source: BackData,
[email protected]
[Discussion of problems with existing backup systems deleted. People
either don't do them or don't do them well.]
So the BackData guys realized that the best possible option is for
all the data on your hard disk to be backed up automatically at
night to another physical place. Short of hiring elves, the only
way to do this is via modem, but with some of the current high-
speed modems and sophisticated pieces of software out there, they
figured that it would be possible with a bunch of Macs and a lot
of storage devices.
....In terms of software, you just need AppleTalk Remote Access and
Retrospect 1.3, which can back up any volume mounted on its desktop.
I haven't tried this yet, but the theory is that at some point in
the middle of the night one of their backup Macs calls your Mac
(which had better be on). A simple macro ensures that all your
volumes are mounted read-only on their systems, and then
Retrospect goes to work, backing up only the files that have
changed according to specific selectors that you set up
previously. This allows you to avoid backing up your System file
all the time, even though it will almost always be marked as
modified whether or not you've added any fonts or sounds. Once the
backup is done, another macro copies the catalog file to your hard
disk (so you can see what was backed up), dismounts your volumes,
and disconnects the modems to finish the process.
Retrieval is a slightly stickier issue. Essentially, the process
works in reverse, with one important exception. You call them and
make sure your DAT tape is in the drive of a Mac at a certain
phone number. After your Mac calls the storage Mac, you then run
Retrospect over the remote connection....
I expressed some doubt about the reliability of cobbling together
these off-the-shelf programs, and the BackData folks admitted that
they're in the process of writing several dedicated programs that
will automate the process much more cleanly, one for DOS and one
for the Mac. Their programs didn't sound as though they'd be as
flexible as Retrospect, but would work much more cleanly over the
phone lines, especially with restoring data. Interesting concept
this, and one which could eventually go national with an 800
number. It's basically a form of insurance, but one which could
save a lot of important data in the event of disaster.
[Summary of costs deleted. Initial startup fee (includes hardware)
and hourly connect fee during backups.]
The risks are numerous. Among them: granting "late night" dial-in access to
home and office PC file systems, physical and electronic security at the remote
site, authorization for backup restores, and backup data being held by a
commercial company that lives on profits and is vulnerable to bankruptcy or
hostile takeover.
--Bob (
[email protected])
------------------------------
Date: Thu, 2 Apr 1992 06:42:54 GMT
From:
[email protected] (James Barrett)
Subject: Re: Now why didn't I think of that? (Windows 3.1)
Also, Windows 3.1 has been touted as "eliminates UAEs!!!" Of course,
it does this by renaming them to be something else...
James C. Barrett (
[email protected])
Georgia Tech College of Computing
------------------------------
Date: Fri, 3 Apr 92 15:43 GMT
From: "Jack B. Rochester" <
[email protected]>
Subject: Public TV Series
I saw Bob Frankston at the coming-out party for PBS's new series, "The Machine
that Changed the World" that begins next Monday, and we both thought you should
consider posting it to the Risks Forum. Perhaps it is risky not to see how our
industry is being popularized for the mass media. In any event, credit for the
following -- this was passed on to me by my brother, who works at DEC. P.S.
Another risk: the title of the series is the same as that of a recent book
about the _auto_.
PBS COMPUTER SERIES
The Machine That Changed The World
On Monday evening, April 6, 1992 at 9:00 PM EST, and on successive Mondays
until May 4, PBS will present "The Machine that Changed the World," 5 programs
on the history of the electronic computer and its impact on society.
Produced by WGBH Boston (makers of NOVA) and the BBC, and with major funding
provided by ACM and Unisys, the series highlights the fifty year revolution in
computing and information technology -- a revolution that is still going on.
Beginning with World War II research and the ENIAC, which was co-invented by
J. Presper Eckert and the late John Mauchly (a founder of ACM). "The Machine
that Changed the World" follows the unpredictable course of information
technology from the room sized data processing centers of the 1960's to desktop
personal computers of the 1980's to virtual reality of the 1990's, describing
events that have altered society in profound and totally unexpected ways.
Check your local PBS listings for broadcast times on the
following Monday evenings:
o April 6 - "Giant Brains", covers the wartime events that led to the 1946
debut of ENIAC, the world's first general purpose electronic computer.
o April 13 - "Inventing the Future", examines how the computer rose from
obscurity to become the engine that powers business throughout the world.
o April 20 - "The Paperback Computer", explores how computers became small,
affordable and easy to use.
o April 27 - "The Thinking Machine", focuses on the most ambitious goal of all
- creating a computer that will vie with humans in intelligence.
o May 4 - "The World at Your Fingertips" looks at the social revolution wrought
by computers - and the price we pay.
------------------------------
End of RISKS-FORUM Digest 13.34
************************
