Mail-From: NEUMANN created at 12-May-87 00:26:13
Date: Tue 12 May 87 00:26:13-PDT
From: Peter G. (coordinator) Neumann <[email protected]>
Subject: RISKS DIGEST 4.83
Sender: [email protected]
To: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Tuesday, 12 May 1987  Volume 4 : Issue 83

          FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
 Risks of sharing RISKS (Ted Lee)
 Information Commission (Jim Anderson)
 ``How a Computer Hacker Raided the Customs Service'' (Michael Melliar-Smith)
 Computer thefts (Jerry Saltzer)
 Bomb Detection by Nuclear Radiation (Michael Newbery)
 Computer floods summer course registration at U. of Central Florida
   (Mark Becker)
 A password-breaking program (Dean Pentcheff)
 Sidelight on the Marconi Deaths (Lindsay F. Marshall)
 Software Reliability book by Musa, Iannino and Okumoto (Dave Benson)
 "The Whistle Blower" (Jeff Mogul, via Jon Jacky)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to [email protected], Requests to [email protected])
 (Back issues Vol i Issue j available in CSL.SRI.COM:<RISKS>RISKS-i.j.  MAXj:
 Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date:  Mon, 11 May 87 10:39 EDT
From:  [email protected]
Subject:  Risks of sharing RISKS
To:  [email protected]

In the last issue PGN asked if someone had shown previous issues of RISKS to
a couple of senators drafting legislation.  This treads on the boundary of
inappropriate and, in itself, risky use of this medium.  It is generally
understood, I thought, that this kind of forum is private to its readers,
although the larger the subscriber list the harder it is to maintain that
fiction.  Although I don't contribute much here, had I known there was a
likelihood that what I wrote might end up in the Congressional Record I'm
not sure I would have contributed it -- how do others think, or can our
moderator state what he thinks the policy is?
                                                      Ted

  [Interesting question.  We agreed way back in Volume 1 or 2 that
  material in RISKS was open for noncommercial redistribution, as long
  as that did not violate any explicitly stated caveats or copyright
  limitations.  It is important to keep RISKS informal and unencumbered
  by red tape.  Besides, IDEAS HAVE NO BOUNDARIES (except in closed minds).
  One of the main purposes of RISKS is to disseminate ideas and awareness.

  My question to Herb (who is on leave from MIT, deeply embroiled in the
  legislative process) was sort of a bemused wonderment as to whether the
  proposed legislation had in any way been influenced by the existence of
  the RISKS Forum, since some of the goals are quite similar...  PGN]

------------------------------

Date:  Mon, 11 May 87 17:36 EDT
From:  [email protected]
Subject:  Information Commission
To:  [email protected]
ReSent-To: [email protected]      <with permission>

Peter, I am sorely troubled by the prospect of our Congress providing
'oversight' or whatever it is they do down there to our industry.  Even
in areas where they have a clear mission and even one might expect
some expertise, the attention span of the Congress is measured in
Microseconds between headlines.  You will recall that last year, the
Congress created and then jumped on the bandwagon of war on drugs.  To
my local knowledge, there has been no *action* in that war since.  [I
do recall the House passing a bill calling for some $400 Million to be
spent on that war, but was saved from any notion of accountability by
the Gramm-Rudman act or some such.] I really do worry about the
grandstanding that such a commission would engender, and the
sycophantic interaction between the congresspeople and an uninformed,
shoot-from-the-hip press.  Really a bad idea.
                                                 Cheers, Jim

    [I noted in my comments that there are many pitfalls in the proposed
    legislation.  But, an implication of what you say is very depressing:
    the difficulties of government are so great that meaningful oversight
    is almost impossible anyway.  The fox shouldn't watch the chickens;
    the chickens can't watch the chickens; even the computers can't
    be trusted to watch the chickens.  So what do we do -- throw out
    the chickens with the egg water?  PGN]

------------------------------

Date: Tue 12 May 87 00:10:54-PDT
From: Peter G. Neumann <[email protected]>
Subject: ``How a Computer Hacker Raided the Customs Service''
To: [email protected]

Last year two radar-equipped planes that had been promised to Customs were
given to the Coast Guard instead as a result of late-night Senate actions
on the federal budget.  Customs Commissioner William von Raab then promised
Coast Guard Commandant Paul A Yost Jr. that Customs would provide $8M in
reparations to help the CG's airborne drug interdiction problem.  But Senator
Dennis DeConcini (D-AZ) told von Raab not to transfer the money, and to wait
for the appropriations process instead.  The Coast Guard decided to act on its
own.  Somehow acquiring Customs' computer account numbers, they simply caused
$8M to be transferred from the Customs account to the CG account.  To make a
long story short, there were protests from Customs, and just as mysteriously
as the money disappeared, it reappeared (although in two increments).

     [I adapted this from the Washington Post National Weekly, 18 May 87,
     p.34, thanks to Michael Melliar-Smith.  Perhaps the HACKER was really
a Coast Guard CUTTER (or was he a CONS CAR'd CDR (LISPing to starboard?))
     Just think what could be done in reprogramming government funds!  PGN]

------------------------------

Date: Mon, 11 May 87 11:21:38 EDT
To: Peter G. (coordinator) Neumann <[email protected]>
Subject: Computer thefts (re: RISKS-4.82)
From: Jerome H. Saltzer <[email protected]>

At Project Athena for some time we've been trying to convince our
vendors that if they hope to sell personal workstations worth $2K or
more to students they are going to have to include in the physical
design a top-to-bottom hole that penetrates the major box covers and
the mother board, suitable for dropping a bicycle lock through, so
that the machine can be chained to a dorm-room or apartment radiator,
or a desk in an office.  The reaction so far has been uproarious
laughter (and several reports of newly-designed compact workstations
stolen from one of the vendors).
                                               Jerry

------------------------------

From: [email protected] (Michael Newbery)
Subject: Bomb Detection by Nuclear Radiation (RISKS-4.79)
Date: 11 May 87 02:22:08 GMT

Some years ago, the Ariadne column in New Scientist proposed a novel and,
as usual (?), unworkable (??) bomb 'detector'. You zap your 'bomb' with
radiation of a flavour selectively absorbed by Mercury (but not otherwise
strong enough to hurt.) The Mercury gets a little agitated by this and, if
it happens to be part of Fulminate of Mercury, an explosion occurs.
So, you just march your passengers and their luggage, one at a time, down
a bomb-proof tunnel and if they DON'T go boom, let them on board. Even if
they do have explosives/bullets they can't set them off without a detonator.
Unless they use Lead Azide.
Or carry little bottles of nitro-glycerine, or...

Michael Newbery, Comp Sci, Victoria Univ, Wellington, New Zealand
ACSnet: [email protected]  UUCP: {ubc-vision,alberta}!calgary!vuwcomp!newbery

   [All kidding azide, this is another of our classical unsolvable
   problems.  Technology cannot provide 100% guarantees.  It also
   transforms the technology it is trying to protect against.  Heisenberg
   strikes again, with a longer time constant.  PGN]

------------------------------

Date: Mon 11 May 87 22:59:41-EDT
From: "Mark Becker" <Cent.Mbeck%[email protected]>
Subject: Computer floods summer course registration at U. of Central Florida
To: [email protected]

 "SNAFU ENDS HAPPILY AT UCF AS STUDENTS GET EVERY CLASS THEY WANTED"
 by Laura Ost, The Orlando Sentinel, Saturday, May 9, 1987, Page D-3

[Reproduced with permission]

    Thanks to a computer snafu, a nightmare for University of Central
Florida students has turned into a dream.

    UCF's new computer system failed to cut off pre-registration for
summer classes as they filled.  The happy result for students who often
wait years to take required courses: They got everything they wanted.

    At first, the glitch meant that 56 courses overflowed, and 700 of
8,000 spring students who pre-registered were in danger of being tossed
out of classes they planned on.

    But after discovering the problem April 24, officials decided there
was only one answer: Give them what they want.

    "From the student standpoint, it turned out splendiferous," UCF
spokesman Dean McFall said Friday.

    The solution was to add more than 40 class sections in education,
engineering, and arts and sciences, and to extend employment of part-
time and nine-month faculty members who want summer work.

    The worst case was a speech course required for students without
community college degrees.  More than 300 signed up for three sections
with a total capacity of 84.  So, eight sections were added.

    The expanded schedule is a big relief for students; some courses
have had long waiting lists, meaning that students often had to delay
required freshman courses until their senior year.  Solving the
registration problems wiped out the backlog.

    "It showed us the full market for those courses," said Charlie
Micarelli, vice president for undergraduate studies.  "For the first
time we could see the number of courses needed.  It was kind of
overwhelming... So there's nothing bad that doesn't bring out some
good."

    This was UCF's first use of the new computer system and the
software that operates it.  The software was developed by the Florida
Board of Regents technical staff, which uses UCF as a testing ground for
the state university system.

    The malfunctioning software was repaired in time for regular
registration Wednesday, officials said.  Classes began Thursday.

    Provost Richard Astro said the expanded summer schedule won't cost
extra because it eliminates the need for some classes next academic
year.  He said the university usually has enough regular staff members
to cover summer classes.

    "What you don't want to do is put an ad in the paper and say,
'Anybody who can teach, come on in'," Astro said.  "Basically what we're
saying [to regular staff] is 'Hey, do you want to work this summer?'"

------------------------------

Date: Mon, 11 May 87 21:24:45 PDT
From: dean%[email protected] (Dean Pentcheff)
To: [email protected]
Subject:  A password-breaking program
Organization: University of California, Berkeley   Department of Zoology

A few days ago on our university UNIX system (4.3BSD), a friend of mine
received the message reprinted below. Very briefly, someone seems to
have cracked the passwords in the "passwd" file and sent a piece of
warning mail to all the users whose password he cracked.  Note that my
friend's password was a dictionary word, while mine (uncracked) was a
proper name beginning with a capital letter.

> To: xxxxxx
> Subject: A matter of security..
>
> Your password:  zzzzzzz [correctly stated]
>
> As an experiment, and something of an unofficial public service, I
> have been experimenting with a password breaking program that was
> recently released into the public domain. Since anyone can use this
> program now, I thought I'd run it on violet's password file to see
> which passwords could be broken. Yours was one of them. If you're
> security conscious, or just don't like the idea of your password
> being so easily broken, then I would advise that you change it to
> a word not found in the English dictionary, or use a combination of
> upper and lower case letters. Either of these methods will render
> your password fairly invulnerable to attack..
>
>                                       Yyyyyyyyy Yyyyyyyy

   [I thought using the SALT offset was standard by now!  Ho hum,
   another lesson ignored.  So, we run it ONE MORE TIME here.  PGN]
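
As an added example (not part of the digest or of the program the mail describes), the check the quoted mail recommends, applied when a password is set rather than after the fact, together with PGN's point about salting: the same dictionary word hashed under two different salts yields two different stored values, so one pass over the dictionary does not cover every user. SHA-256 stands in for 4.3BSD's crypt(3), and the wordlist and user records are constructed for the example; it goes a step beyond the 1987 program by also flagging capitalised variants of dictionary words.

```python
# Added example, not code from the digest. SHA-256 is a stand-in for the
# crypt(3) hash 4.3BSD stored in the passwd file; the wordlist below is a
# constructed stand-in for the system dictionary the cracking program used.
import hashlib
import os

WORDLIST = {"violet", "secret", "password", "zoology", "berkeley"}


def hash_with_salt(password, salt):
    """Salted one-way hash. The salt is stored beside the hash, as crypt(3)
    kept its two-character salt in front of the hash in the passwd field."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def new_salt():
    # Two random bytes, hex-encoded; crypt(3) used two printable characters.
    return os.urandom(2).hex()


def weakness(password, wordlist=WORDLIST):
    """Return why a password fails the mail's advice, or None if it passes.
    Case variants of dictionary words are treated as dictionary words."""
    if password.lower() in wordlist:
        return "dictionary word (case variants are still guessable)"
    if password.islower() or password.isupper():
        return "single case: use a mix of upper and lower case letters"
    return None


def set_password(users, name, password):
    """Store a salted hash only if the password passes the check.
    Returns True on success, False if the password was rejected."""
    if weakness(password) is not None:
        return False
    salt = new_salt()
    users[name] = (salt, hash_with_salt(password, salt))
    return True


def verify(users, name, attempt):
    """Recompute the hash with the stored salt and compare."""
    salt, stored = users[name]
    return hash_with_salt(attempt, salt) == stored
```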

------------------------------

From: "Lindsay F. Marshall" <lindsay%[email protected]>
Date: Mon, 11 May 87 16:07:33 bst
To: [email protected]
Subject: Sidelight on the Marconi Deaths

According to one of my colleagues who has just returned from a visit
to Italy, the Marconi deaths are in all the papers, and many of his
friends were worried about him returning to the UK as his life must be
at risk because he works in Computer Science research...

------------------------------

Date: Mon, 11 May 87 11:37:09 PDT
From: Dave Benson <benson%[email protected]>
To: risks%[email protected]
Subject:  Software Reliability book

    Software Reliability: Measurement, Prediction, Application,
by J. Musa, A. Iannino and K. Okumoto (McGraw-Hill Book Co., NY, 1987),
is now available.  I cannot contain my enthusiasm for this well-organized,
thoughtful, thought-provoking, well-written, [accolades]* book.  A sample
from 7.4.3 Measuring Ultrahigh Reliability, Case Study 7.1 on Nuclear
Power computer-based monitoring system:
       ...we are 95 percent certain that at least ... 3 more (failures)
       will occur at some time.  The ... failure intensity is 0.895/1000 yr
       (of computer operation) using the logarithmic Poisson model.
Yes, that's less than one software failure per millennium of operation.

The point is that these three AT&T Bell researchers have an excellent
collection of methods for measuring and predicting software reliability,
and have made these techniques easily accessible in this superb book.

------------------------------

Date: 11 May 1987 1113-PDT (Monday)
From: Jeff Mogul <[email protected]>
To: [email protected]  <FORWARDED TO RISKS>
Subject: "The Whistle Blower"

Stanford's on-line library catalog made short work of finding this:

AUTHOR:   Hale, John.
TITLE:    The whistle blower / John Hale.
IMPRINT:  1st American ed.  New York : Atheneum, 1985, c1984. 239 pp.; 23 cm.
LOCATION: PR6058.A438W5 1985: Green Stacks
NOTES:    Item CSUG85-B26608 (Books)   Language: eng   Year: 1985

------------------------------

End of RISKS-FORUM Digest
************************