Subject: RISKS DIGEST 17.34

Subject: RISKS DIGEST 17.34
Reply-to: [email protected]

RISKS-LIST: Risks-Forum Digest Tues 12 September 1995 Volume 17 : Issue 34

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents:
Open letter to Geoff Greiveldinger, DoJ [key escrowed, export] (Carl Ellison)
Santa Cruz High gives me all-time low school spirit (Zane Bock via
Michael D. Crawford)
Abandoned oil tank phone harasses MA woman for 6 months (Stephen McCallister)
Man Upset with Computer, Falls Through Window (Matthew Hunt)
Another Phony ATM (David Kennedy)
Initiative for better Usenet discussions (Bertrand Meyer)
"Building Internet Firewalls" by Chapman/Zwicky (Rob Slade)
Re: Voting by Phone in the Netherlands (Robert I. Eachus)
'Tis too a virus! (Rob Slade, A. Padgett Peterson, Kenneth Albanowski)
Re: $95000 withdrawn from bank (W. F. Linke)
Re: Self-disabling software (Bruce Limber)
Re: Password cracking 'improves' security (Bob Blakley III,
Douglas W. Jones, Bear Giles)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 8 Sep 1995 22:11:13 -0700
From: Carl Ellison <[email protected]>
Subject: Open letter to Geoff Greiveldinger, DoJ [key escrowed, export]

NIST (the National Institute of Standards and Technology) held a two-day
public meeting on 6-7 September, 1995 to discuss Software Key Escrow as a
possible means of achieving export of cryptography.

In the morning of 7 Sept, Goeff Greiveldinger of the Department of Justice
gave a description of the kinds of crimes which DoJ wants to use wiretapping
to solve. He closed this litany of lawbreaking with the assertion that
software manufacturers don't want to provide products which allow such
lawbreakers to keep their criminal evidence hidden from law enforcement.

I'm sorry to disillusion you, Geoff, but I *do* want to make such systems.

Would you have Ryder stop renting trucks because some terrorist decided to
fill one with explosives and kill many innocent children? Would you have
Americans stop making automobiles because bank robbers have been known to
use cars for getaways? Would you have all new buildings constructed with
FBI microphones in every wall because some criminals meet in private rooms
in order to plan crimes?

When an American company sweeps its conference room for bugs, finds some and
destroys them, it doesn't matter whether those bugs were planted by industrial
spies or the FBI. The company has a right to eliminate them. When that
company ties two such conference rooms together by video-conference equipment
and encrypts the line between them using strong link encryption, it is
performing the same defensive operation in cyberspace. It is protecting
itself from spies and it doesn't matter that the wiretaps it frustrates might
be illegal ones by industrial spies or legal ones by the FBI. The right to
attempt to achieve privacy is a long-standing one in this country and not one
to allow to be lost.

When I design and build systems for privacy for my customers, I am providing
products for law-abiding, honest people. I am aware of criminals, of
course. Criminals are the threats against whom I protect my customers.
These criminals are usually not in the government but that doesn't mean that
I believe I should offer my honest customers up for a strip-search in
cyberspace. The law enforcement agencies of this free country have no right
to expect blanket access to the ciphertext of citizens. It will take
legislation to get that right and I will do everything in my power to keep
such legislation from passing. Barring such legislation, I will make sure
that honest American citizens have cryptography with which to attempt to
maintain their privacy, even from the government. We have the right to
attempt to keep a secret from government agencies and continuous
demonstration of that right is an important part of this free country.

On the other hand, I am sympathetic to law-enforcement officers. I have
several friends in that business. I have asked my friends and acquaintances
who do surveillance (2 IRS agents investigating organized crime for tax
evasion; 2 undercover cops in Boston's highest drug neighborhood; 1 DEA
agent in the midwest) if they ever encounter encrypted communications or
files. They don't. Neither does anyone in their offices. Of course, even
if they did it would remain so important to preserve our right to attempt to
keep secrets from the government that their frustration would just have to
be accepted. The fact that this isn't a real problem makes my decision that
much easier. I am left with no moral qualms at all.

In summary, criminals are so few that I will not design for them. I will not
treat my vast majority of honest users as if they were criminals just because
some criminal might someday use my product and frustrate you.

ObRisk: We run the risk of losing our fundamental right to attempt to keep a
secret from the government -- a practice we need to preserve in order to
protect ourselves from criminals in cyberspace. There are powerful forces in
the US government attempting to cajole us into giving up that right.

[see http://www.clark.net/pub/cme/html/nist-ske.html for more on this subject]

------------------------------

Date: Sun, 10 Sep 1995 19:56:03 -0700
From: [email protected] (Michael D. Crawford)
Subject: Santa Cruz High gives me all-time low school spirit

The following article by a Santa Cruz High student reports how the high
school was unable to operate on the first day of school because of a
breakdown in the computer system, so that schedules were unavailable.

Mike Crawford [email protected]

[Excerpted starkly and spelcorekted. Sorry, Zane (who ended his
note with ``In every bad speller lies a genius.!'' PGN]

> Date: 10 Sep 1995 04:01:17 GMT
> From: [email protected] (Zane Bock)
> Subject: Santa Cruz High gives me all-time low school spirit
> Newsgroups: misc.education,alt.parents-teens,scruz.general,misc.kids
>
> ... there's a bunch of people on the lawn, and they all look
> shocked, or scared or just out of place. It seems that there has been a
> major breakdown with the new computer system and schedules for the
> students are currently nonexistent. So we are all turned away and given
> another day of summer. I guess that's not so bad, but the complete lack
> of a first day of school is enough to put even the passive students like
> me on the minutely shakey side.

------------------------------

Date: Mon, 11 Sep 1995 19:53:28 -0700
From: [email protected] (Stephen McCallister)
Subject: Abandoned oil tank phone harasses MA woman for 6 months

Certainly not the first such item seen in RISKS (Coke machines...), but
you've got to admit that taking 6 months to identify the source of calls
arriving every 90 minutes has to be some kind of record!

>From CNN Web's "Fringe News - USA" page :

http://www.cnn.com/US/Fringe/09-10/index.html
==========================================================================
The Fringe

September 10, 1995

Persistent oil tank hassles woman

BILLERICA, Massachusetts - For six months, a woman thought she was in
tele-marketing hell. Every 90 minutes, her phone would ring, but the caller
would never say a word.

The phone company eventually traced the calls to an abandoned oil tank in
Maryland. It was rigged to call the oil company when the oil level was low,
but the phone number was scrambled and it called her instead.

Stephen McCallister Bothell, WA [email protected]
http://www.eskimo.com/~stevemc/

------------------------------

Date: Tue, 12 Sep 1995 10:51:29 -0400 (EDT)
From: Matthew Hunt <[email protected]>
Subject: Man Upset with Computer, Falls Through Window

In the Penn State _Daily_Collegian_, Sept. 12, 1995, p. 6:

Computer trouble results in fatal fall

NEWARK, Del. (AP) -- A University of Delaware student fell 13 floors to
his death out of his dormitory window, apparently after he lost his balance
when he put his fist through the glass in anger over computer trouble.

Robert Keepers, 19, of Spotswood, N.J., went through the 5-foot
double-pane window early Saturday.

Keepers "got up and ran around the room in a pique of anger" and struck
the window with his fist, said Tim Brooks, dean of students, citing the
account of two students who were in Keeper's room during the accident.

Well, I had never considered this risk of incorrectly operating equipment
before; however, I have no need to fear. My dormitory window is a scant
four feet above ground.

Matthew Hunt <[email protected]>

------------------------------

Date: 07 Sep 95 00:48:22 EDT
From: David Kennedy <[email protected]>
Subject: Another Phony ATM

Courtesy of Executive News Service on CompuServe, 5 Sept 1995

>> CROOKS NETTED THOUSANDS FROM FAKE CASH MACHINE COURT
>> By Melvyn Howe, PA News
>> A gang of fraudsters chalked up a criminal first when they installed a
>> bogus High Street cash point machine, a court heard today.
>> The highly convincing piece of equipment, set in front of a fake
>> mortgage broking business, "enticed" scores of card holders to vainly
>> try to withdraw money in an enterprise that eventually netted the
>> crooks at least 120,000 pounds.

o Account numbers and PINs were recorded, and transferred by modem to the
gang.

o Hit at least three locations in the London area.

o The ATM's screen apologized, "Please remove your card and try later."
The ATM even had a notice that, if tampered with, an alarm would ring at the
local police station.

o Monthly statements tipped users they had been defrauded.

o The prosecutor said the criminals had manufactured false cash cards,
programmed them with the information from the fake ATM and travelled
throughout the UK withdrawing money.

o One victim lost L1,500. At least 100 victims. Total losses L120,000
over five weeks.

>> He added: "As far as police are aware this is the first time that such a
>> particular kind of fraud has been perpetrated in this country."

o Three arrested. One has cut a plea bargain, two have plead innocent.

>> The court heard an enormous amount of detailed planning went into the
>> fraud. (The prosecutor) claimed a "front" company was used to buy
>> parts for the bogus cashpoint machine.

A shop was then rented and a sign put up outside stating: "Hambro UK.
Mortgages, design mortgages, pensions. Halifax appointed representative".
Office furniture was installed and flowers and pot plants used to provide a
further convincing touch.

>> A genuine Halifax Building Society branch nearby received many
>> complaints that it's other cashpoint machine was not working, and
>> in some cases even keeping the cards. Staff investigated, immediately
>> realised what was going on and called in the police ...

Dave Kennedy [CISSP] Vol SysOp Nat'l Comp Security Assoc Forum on CompuServe

------------------------------

Date: 11 Sep 1995 19:39:18 GMT
From: Bertrand Meyer <[email protected]>
Subject: Initiative for better Usenet discussions

This initiative has been out for a while but it only now occurred to me that
it is in the subject matter for comp.risks. Endless newsgroup discussions
and flame wars are certainly a computer risk; yet the potential of News (as
forums such as this one have demonstrated) is great and it is a pity to see
it wasted.

To see if I can help improve the situation I have started a modest program
called SELF-DISCIPLINE. In keeping with the spirit of the program, which is
to maximize signal and minimize noise, I will not describe SELF-DISCIPLINE
here, but just give the pointer to the Web page that presents it:

http://www.eiffel.com/discipline

Please refer to that document (also available in Postscript at
ftp://ftp.eiffel.com/pub/discipline) if you want to know more. If you
have any comment you may send it to the mailing list <[email protected]>
(a first iteration towards a potential newsgroup mentioned in the document),
although once again the idea is not to generate more meta-noise. Also,
I would appreciate if the moderator could in this case leave the message's
signature as it is actually part of the message. Thanks.

Bertrand Meyer, ISE Inc., Santa Barbara (California)
<[email protected]> - Web home page: http://www.eiffel.com

------------------------------

Date: Sat, 9 Sep 1995 21:56:37 -0700
From: "Rob Slade"@csl.sri.com <[email protected]>
Subject: "Building Internet Firewalls" by Chapman/Zwicky

[I received a draft copy of this, so some details either aren't available
or might have changed. Last word I had from the publisher, this is due for
release on Tuesday - rms]

BKBUINFI.RVW 950712

"Building Internet Firewalls", Chapman/Zwicky, 1995, 1-56592-124-0
%A Brent Chapman
%A Elizabeth Zwicky
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 1995
%G 1-56592-124-0
%I O'Reilly & Associates, Inc.
%O 800-998-9938 707-829-0515 fax: 707-829-0104 [email protected]
%O 519-283-6332 800-528-9994 [email protected]
%T "Building Internet Firewalls"

Cheswick and Bellovin's "Firewalls and Internet Security" (cf. BKFRINSC.RVW)
will continue to be seen as the classic reference with the seriously
technical crowd. Chapman and Zwicky, however, have here created the first
reference for the more normal run of system administrators: those whose
lives do not revolve around hacking the UNIX kernel.

Part one could almost stand as a separate book, itself. It is an
introduction to firewalls. More, it is a very down-to-earth and practical
guide to evaluating security needs and planning for security systems and
practices. The writing is completely clear, and the explanations
first-rate. Chapter four, on firewall architectures, is a perfect
introduction for the manager who, while not having a technical background,
must lead or administer a security project.

Part two gets into more technical details of firewall construction and the
communications needs for Internet services. The writing, though, is still
clear and easily accessible to any intelligent reader. Part three covers
maintenance and administrative work. Appendices list information and
software resources as well as a brief introduction to TCP/IP basics.

This is the first book that truly explains, to the non-specialist, the
various factors and functions involved in firewall choice and construction.
For those building their own and for those evaluating vendor proposals, this
book is a must.

copyright Robert M. Slade, 1995 BKBUINFI.RVW 950712
Vancouver Institute for Research into User Security Canada V7K 2G6
[email protected] [email protected] [email protected]

------------------------------

Date: Mon, 11 Sep 1995 19:37:49 -0400
From: "Robert I. Eachus" <[email protected]>
Subject: Re: Voting by Phone in the Netherlands (PAT, RISKS-17.33)

The TELECOM Digest's Editor wrote:

> They'll hear none of it ... which is odd, [...] PAT

Not odd at all. The editor answered his own question. There are many
people in office today who know they got there due to fraudulent voting
practices. (No reason to name names, but there are still two seats in the
US House of Representatives being contested due to fraud, and one state
governership from last year's elections.) There have been many such
"elected officials" in the past, and there will be more in the future.

So there are two types of voting systems, those that work privately and
without risk of fraud, and those where fraud is impossible to prove in
hindsight, and often impossible to stop on the spot. There are very, very
few of the former in use anywhere in the world, mostly in uncontested
elections to corporate boards of directors. :-(

If we really want trustworthy voting systems, someone other than
the politicians will have to impose them.

And now to relate this to comp.risks. It is getting to be much harder to
cheat. Exit polls and computer based vote projections can show where the
votes were diddled and by how much. There have been many incidents around
the world where the incumbents resorted to force when massive fraud was
revealed by exit polling, international observers, etc. In some cases, like
the Philippines, where Cory Aquino was declared the winner in the exit polls
and the streets, and the official vote tallies ignored, the net effect has
been beneficial. But in many other cases the result has been years of
bloodshed. Some leaders have even started wars to avoid (or win) elections
they couldn't win otherwise. (No, not Maggie, the Argentinian Generals.
Margaret Thatcher just called an immediate election once the war was over
because she was well ahead in the polls.)

If we don't insist that the quality of the actual voting procedures be at
least as trustworthy as the widely available means for predicting the
results, all we will be encouraging is further bloodshed. (And we also need
to insist on a diversity of sources of predictions.) Right now the polls
you see and hear in the news before elections have an expected error of 3 to
6 per cent. The results of exit polls are much more accurate, usually in
the 1/2 to 1 per cent range. This has resulted in a strange marriage of
convenience with a single organization doing almost all the exit polls and
vote tabulations in the US, with the TV networks and the politicians as
customers. (The different networks base their own projections on the same
data. There have been lawsuits by smaller parties because their results
have not been included in the published data.)

Robert I. Eachus

------------------------------

Date: Fri, 08 Sep 1995 19:35:56 EST
From: "Rob Slade" <[email protected]>
Subject: 'Tis too a virus! (PGN comment, RISKS-17.33)

Hey, you're impuning my reputation, puny though it may be! We've been
thrashing this out in some of the private virus discussion groups, and it is
too a virus! Read and infected Word doc, and it infects your Word macro
space. It writes itself (OK, selves, seeing as how it has various parts) to
the NORMAL.DOT file, and gets stored between sessions. Once the macro space
ahs been infected, any files saved with the FileSaveAs function are infected
themselves. Send somebody an E-mail message over the MSN, and in one mouse
click, they download, invoke Word, open the message and infect themselves,
without ever having their fingers leave the rodent.

[Thanks for the correction. At least I was not imPUNing it! PGN]

------------------------------

Date: Fri, 8 Sep 95 21:08:54 -0400
From: [email protected] (A. Padgett Peterson)
Subject: 'Tis too a virus! (PGN comment, RISKS-17.33)

Must disagree. Within its target environment (default WORD 6.0 or better),
it satisfies the difference between a "trojan horse" and a "virus" in that it
is able to propagate. Such an AutoOpen macros could be a trojan, but in this
easy-to-block case (and both of MS's fixes, WD1215 and the later one whose
number I forget seem to target this virus specifically - have looked at 1215
but not the other so caveat y'all).

I would be surprised if this is anything more than a "15 minutes of fame" but
does point out the value of turning the default "do anything you want without
notice" off. ("Prompt to save Normal" & "DisableAutoMacros" are good starting
points - of course if you disable these, the MS "fix" won't work...

BTW, essentially this is traceable to ANSI bombs and programmable PF keys on
the VT-100 (had to put the sequence in a companion .com (DCL) but have seen
it done) so capability dates back at least to the late 1970's. Same thing
would work on a uVax as well as a 780 so guess that made it
"cross-platform". And then there was the VT-103...

Padgett

------------------------------

Date: Fri, 8 Sep 1995 23:35:24 -0400 (EDT)
From: Kenneth Albanowski <[email protected]>
Subject: 'Tis too a virus! (PGN comment, RISKS-17.33)

.. Quoting a bit from Gene Spafford's mention of the "virus"
on VIRUS-L:

> The virus adds several new macros to the global macro pool: "AAAZA0",
> "AAAZFS", "Payload" and one entitled "FileSaveAs". The virus is
> activated in an infected file when you choose the "Save As" feature in
> the "File" menu and the virus macro is run. The altered macros are
> then saved with the file, and may be saved in the global template file
> as well.

If it stores itself in the global template file, then it can be loaded every
time Word starts. Hence, it has "infected" Word, and can cause any documents
saved ("FileSaveAs") to carry the "virus", which will then execute the viral
loader if these documents are loaded in another copy of Word.

This seems to make a good case for being a virus: infection of a host and
the ability to reproduce toward the goal of infecting other hosts.

Kenneth Albanowski ([email protected], CIS: 70705,126)

------------------------------

Date: Sun, 10 Sep 95 23:58:56 EDT
From: [email protected] (W. F. Linke)
Subject: Re: $95000 withdrawn from bank (Alan Wexelblat, RISKS-17.32)

I was quite distressed to read the article in the RISKS-17.32 by Alan
Wexelblat about a man (Combs) who deposited a fake check for $95000 and
withdrew the money. Clearly, the system failures in the case are worth
discussing. But I wonder how many readers were taken aback as I was by the
amoral slant to the article? On the face of it, Combs appears no more than
a common thief, and the only "service" I can imagine the bank owes to him is
to have him arrested for passing bad checks.

Regardless of any legal quirks, or how the bank treated him, the test is
simple: did he knowingly take money not belonging to him, and keep it? If
so, morally he is a thief, regardless of what a lawyer might make of it.

Bill Linke [email protected]

------------------------------

Date: Sat, 09 Sep 95 21:10:00 -0500
From: [email protected] (BRUCE LIMBER)
Subject: Re: Self-disabling software

Concerning the ban on self-disabling software, two questions occur to me:

- I wonder how often such software uses a simplistic, date-driven algorithm
that is triggered if an operator mistypes the system date. And using other
measures (such as total number of invocations) could lead to wildly
differing period-'til-disablement values for different users, according to
their work habits.

- It occurs to me that it might be argued that buggy software is itself a
form of self-disablement. I wonder how hard a good lawyer would have to
work to argue that this law makes software with non-trivial bugs illegal
_per se_.

------------------------------

Date: Mon, 11 Sep 95 13:51:09 EDT
From: [email protected]
Subject: Re: Password cracking 'improves' security (Booth, RISKS-17.33)

While I don't know anything about this particular program, I did hear
recently about a program with similar functions. The following may be
apocryphal, as I have not been able to verify details and did not hear the
story from anyone who claimed to have experienced it firsthand.

The marketers of the alleged program found an interesting problem: it worked
so fast that it destroyed users' confidence in the security of their
passwords, with the result that they just turned them off and didn't buy any
more copies of the password recovery program.

The reported marketing response was ingenious: the program's developer
inserted a no-op loop into the password-recovery process so that instead of
taking about a second, it took several minutes. This made it look like the
program was doing something hard; the users liked the modified program much
better and didn't lose confidence in the built-in "security" of their
applications.

As Laurie Anderson might say, "Hmmmmm".

[Based on the net address and RISKS-15.41, I must presume that the
unidentified author Blakley is G.R. (Bob) Blakley III, not Bob Blakley,
Jr. or Bob Blakley, and not Jim Blakley, who is also a RISKS reader.
But what would Loni Anderson say? And no jokes about Reynolds numbers,
please. PGN]

------------------------------

Date: 11 Sep 1995 02:56:48 GMT
From: [email protected] (Douglas W. Jones)
Subject: Re: Password cracking 'improves' security (Booth, RISKS-17.33)

Duncan Booth <[email protected]> posted a note about a product called WDPass
that claims to crack passwords for a number of products. I suspect that, by
reducing the risk of lost passwords, this would indeed increase the
likelyhood that careless users would use password protection, and the
increased use of passwords would improve security in the face of casual
browsing and similar common but low-level threats. At the same time, the
product clearly exposes the well known (at least in technical circles)
triviality of the password protection schemes used on many common products.

> The program claims to work for a variety of Wordperfect, Microsoft, Lotus
> and Borland file formats.

If the product works against the password protection scheme used by Lotus
Ami Pro, I want to hear about it. That scheme is one I invented, and the
last I heard, it was still pretty strong. Has someone found a better than
brute force attack for it?

Doug Jones [email protected]

------------------------------

Date: Fri, 8 Sep 1995 20:40:59 -0600
From: Bear Giles <[email protected]>
Subject: Re: Password cracking 'improves' security (Booth, RISKS-17.33)

You're assuming that everyone will realize this product exists. A
knowledgeable attacker would not be deterred by the encryption features of
existing software, but it might be enough to deter a casual attacker. But
at the same time management might downplay the encryption features from fear
of a subordinate trying to "hide" crucial information.

>the risk is that out there are some senior executives gullible enough to
>think that this allows them to rely entirely on password protection of
>documents instead of more traditional locks and keys.

Alas, many environments don't even have those "traditional locks and keys."
Oh, the offices will be locked at night and care will be applied when
deciding which employees get keys... but then they'll have minimum wage temp
employees come in to remove the trash.

In this case the _only_ effective protection in place might be the
encryption provided by those packages. A knowledgeable attacker will be
prepared, but it might be enough to stump a compromised custodial staff
member.

Bear Giles [email protected]

------------------------------

Date: 6 September 1995 (LAST-MODIFIED)
From: [email protected]
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you. BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...]
DIRECT REQUESTS to <[email protected]> (majordomo) with one-line,
SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
INFO [for further information]

CONTRIBUTIONS: to [email protected], with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome, but not personal attacks. [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP. [...]
[Back issues are in the subdirectory corresponding to the volume number.]
Individual issues can be accessed using a URL of the form
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
ftp://unix.sri.com/risks [if your browser accepts URLs.]

------------------------------

End of RISKS-FORUM Digest 17.34
************************