12-May-87 22:33:42-PDT,15794;000000000000

12-May-87 22:33:42-PDT,15794;000000000000
Mail-From: NEUMANN created at 12-May-87 22:32:02
Date: Tue 12 May 87 22:32:02-PDT
From: Peter G. (coordinator) Neumann <[email protected]>
Subject: RISKS DIGEST 4.84
Sender: [email protected]
To: [email protected]

RISKS-LIST: RISKS-FORUM Digest Tuesday, 12 May 1987 Volume 4 : Issue 84

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents: [Some redundancy. Exhibits spectrum of responses.]
Re: Information Age Commission
(Herb Lin, Richard Cowan, Bob Estell, David LaGrone, Michael Wagner)
Re: Information Age Commission; Summer Courses at UCF (William Brown III)
Re: A password-breaking program (Dean Pentcheff, Jerry Saltzer, Dave Curry)
Re: Computer thefts (Michael Wagner)
Re: Computer-related Cadillac recall (Jeffrey R Kell)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to [email protected], Requests to [email protected])
(Back issues Vol i Issue j available in CSL.SRI.COM:<RISKS>RISKS-i.j. MAXj:
Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date: Tue, 12 May 1987 22:45 EDT
From: [email protected]
To: "Peter G. Neumann" <[email protected]>
Cc: [email protected]
Subject: Information Age Commission legislation in the works?

[Side note to Herb Lin: Herb, have you ever shown
Senators Nunn and Lautenberg copies of OUR RISKS
Forum??? Are we retarding (or retarded?) PGN]

No. I work on the House side, rather than the Senate. I have
suggested various points of contact in the House to people on software
related issues, though.

In response to another question, In general, I would not have qualms
about showing a hard copy of RISKS to anyone, since it is a public
forum. In fact, I would bet that Lautenberg probably has access to
RISKS himself if he wants it, since he owns a large DP company.

[On your first paragraph, I was naively assuming that House and
Senate people -- particularly at the staff level -- might actually
speak with one another now and then... PGN]

------------------------------

Date: Tue 12 May 87 22:31:37-EDT
From: Richard A. Cowan <[email protected]>
Subject: Re: RISKS information sharing
To: [email protected], [email protected]

Given that the RISKS digest is distributed to hundreds, or even thousands of
people on a computer network that is funded, for the most part, with public
funds, I think contributors should consider their messages to be public.
Certainly, the messages sent on RISKS can be monitored secretly by government
intelligence organizations; I would think that it would be less of a concern
if those messages were monitored by Congress.

As for the prospect that RISKS submissions might appear in the Congressional
Record, I would doubt it. Quotes attributed to individuals must be documented,
and I would guess that the electronic medium does not provide sufficient proof
of the authenticity of a message. This is just a guess from personal
experience; I sent a letter to Proxmire's office last year on computers and
Star Wars, and I was asked a week later to send a SECOND letter giving them
permission to use my letter in congressional testimony.
Rich

------------------------------

Date: 12 May 87 08:18:00 GMT+492:48
From: "ESTELL ROBERT G" <[email protected]>
Subject: Risk of contributing to RISKS
To: "risks" <[email protected]>

I've always assumed that "someone up there" [in DC] was probably reading
everything we share on ALL the journals on ARPANET and its cousins [DDN,
EDU, COM, etc.]. I think that's a fair condition of use of a resource
that's funded by public taxes.

Indeed, I've often HOPED that Washington [and other] government leaders
in each branch, especially in several agencies of the Executive branch,
read some of these journals - and then thought about what they've read.

I think Ted Lee's concern is common enough; I know I've often rewritten
submissions, trying to "walk on eggs" to share a truth [as I see it] that
others [including perhaps my colleagues in DoD] may find unpleasant.
That's why so many of my notes end with a caveat: "The opinions herein
are mine alone, and may not be shared by any other person or organization,
real or imaginary."

The other side of this concern is that often some frustration shows through in
submissions to RISKS [and Arms-D, et al]; because the writers have tried to
share some knowledge or wisdom, and have been ignored. So, just when we think
we're only "among friends" is the very time that "big brother" decides to
pay attention. Murphy predicted that. I've often said that "The ears have
walls, and the walls have ears."
Bob

------------------------------

Date: Tue, 12 May 87 08:15 CDT
From: David LaGrone <LAGRONE%[email protected]>
Subject: Distribution of RISKS Digest to Congress
To: [email protected]
ReSent-To: [email protected]

I vote "DO IT!!". God only knows (and s/he isn't sure) who gets copies of
computer bulletin board material, anyway. Besides, I think that the purpose
and intent of THIS digest is right-hearted enough for distribution to whomever
would benefit from its contents. And I would hope the purpose and intent of
the contributors is equally right-hearted.
...Regards...David LaGrone

[Disclaimer: The opinions expressed by me are mine and not necessarily those
of Texas Instruments, Inc., its other employees, their families, relatives,
friends, business associates, my relatives, my friends, or anyone else I
know or have ever heard of.]

------------------------------

Date: Tue, 12 May 87 17:55 CET
To: [email protected]
From: Michael Wagner +49 228 303 245
<WAGNER%[email protected]>
Subject: Re: Information Commission (RISKS-4.83)

In issue 4.83 of RISKS, [email protected] wrote

> ... an uniformed, shoot-from-the-hip press.
^^^^^^^^^

This got by the (usually good) editorial pen of the moderator. I assume that
the intended word was 'uninformed'. I was long into the next sentence before
I realized that I had a parsing problem. While 'uniformed' is a word, I don't
really know what a 'uniformed press' would be.

The hint I used to correct my misunderstanding of this phrase was a
pronunciation clue. If the author had intended to write "uniformed", he
probably would have written 'a uniformed ... press' rather than 'an
..'. At least, that's how a Canadian (me) would say it.

Now how would you teach a spelling checker that? Michael

[Not Canadian, but California English? -- "(me) would say it",
"him and her are going", etc. I won't press the point -- or
any uniforms, either -- because I know the press is not uniform. PGN]

------------------------------

Date: Tue, 12 May 87 17:56 PDT
From: Wm Brown III <[email protected]>
Subject: Information Age Commission; Summer Courses at UCF
To: "Peter G. (coordinator) Neumann" <[email protected]>

In response to Ted Lee and Jim Anderson, I think it is inevitable that the
government will sooner or later promulgate regulations for our industry; it
is the basic nature of governments to do so. The more important questions
are which branch(es) of government, what kind of regulations, etc.
Personally, I'd rather see an open body such as Congress writing the rules,
rather than some alphabet soup department (IRS, NSA, FBI) that would be much
harder to fight. Congress at least listens to all sorts of inputs, including
individuals, companies, PACs, and expert testimony. An agency generally writes
rules to suit its own ends, and has lots of ways to discourage inputs that
serve other interests.

There are some potentially useful things government *could* do for us, such
as making net hacking and unauthorized disclosure of personal files criminal
offenses or making liability limitations reasonable and predictable. We also
need friends to help control the (mis)use of computers by government agencies,
particularly in the area of law enforcement. Left to their own, I'm certain
that some enforcement types would love to create a big-brother situation by
creating huge databases with no controls on their access. The only body which
can realistically offer protection against such abuses is a more powerful
government agency, such as Congress.

If this forum can be used as a vehicle to enlighten our lawmakers, even to
the minimal extent of making them aware of that the issues exist, I am all in
favor of sending each congressperson a gift subscription to every issue. When
topics like computer privacy and liability become the issue of the day (and
they will, probably through some scandal or major screw-up), those of us
outside of government will need all of the connections and communications
channels we can find to make ourselves heard.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Regarding Mark Becker on summer course registration at U. of Central Florida:

When I was attending the same institution (it was then Florida Technological
U) about ten years ago, the first night of registration one quarter turned
into a fiasco because it took *MINUTES* for the computer system to process
each registration form. As it turned out, their new registration software
had been brought on line without any live testing whatever.

The killer was that the program had been developed using an ordinary job
control card with relatively low priority. Nobody thought to bump the
priority level up when it came time to run live students (thousands of us)
through the system, so the program was still running as a background task.
To make matters worse, it turned out that the accounting department was
running a massive batch job at that time of the evening, and they *HAD*
thought to give their job the highest system priority they could get.

------------------------------

Date: Tue, 12 May 87 13:42:19 PDT
To: [email protected]
Subject: A password-breaking program
From: dean%[email protected] (Dean Pentcheff)

Excerpt of an article I posted to RISKS:
>A few days ago on our university UNIX system (4.3BSD), a friend of mine
>received the message reprinted below. Very briefly, someone seems to
>have cracked the passwords in the "passwd" file ...
PGN's reply:
> [I thought using the SALT offset was standard by now! Ho hum,
> another lesson ignored. So, we run it ONE MORE TIME here. PGN]

Bad news, I'm afraid: we _do_ use the salt offset. That's one reason I
thought the incident interesting enough to post.

------------------------------

Date: Tue, 12 May 87 10:46:45 EDT
To: Peter G. (coordinator) Neumann <[email protected]>
Subject: Password attacks (RISKS-4.83)
From: Jerome H. Saltzer <[email protected]>

Unless I missed something, the SALT offset doesn't help against
the attack this guy was hit with. It just slows things down, but not
enough to make it infeasible. The attack consists of taking a copy
of the system's one-way password encrypting program, and a
dictionary, list of popular first names, list of names of rock
groups, or whatever, and encrypting every string in the list, using
the SALT of the first user. Then you do it again for the second
user. Etc. Depending on the consciousness level of the
installation, you typically discover anywhere from 10% to 90% of the
passwords that way. We run the program on our staff occasionally,
just to keep them on their toes.

These days, if you have a MicroVAX II available -- or a VAX 8600 -- and one
of the better DES implementations, you can check out an astonishing number
of BSD UNIX possibilities overnight.
Jerry

[The problem is that the SALT for each user is implicitly available
to the attacker, so that individualized attacks are still possible --
although the system-wide dictionary attack is no longer available.
The conclusion is that this approach is not really worth its SALT.
For those of you new to this one, dig up the paper "UNIX Password
Security: A Case History", by Bob Morris and Ken Thompson, CACM,
November 1979, vol 22, no 11, pp. 594-597. PGN]

------------------------------

Date: Tue, 12 May 87 08:18:27 EST
From: [email protected] (Dave Curry)
To: [email protected]
Subject: Re: password cracking

Before this starts a flurry of speculation about whether or not the UNIX
password encryption is secure or not... I seriously doubt that this person
has actually *cracked* the algorithm. If you examine the code, you will
see how truly difficult that would be, since much of the information you
need is discarded and not present in the encrypted result.

> As an experiment, and something of an unofficial public service, I
> have been experimenting with a password breaking program that was
> recently released into the public domain...

This sounds very much like a program I wrote a few years ago to check
for "stupid" passwords on our machines. My program simply made some
educated guesses on passwords - first name forwards, backwards,
capitalized, not capitalized... last name the same way... login name
the same way. In all a total of 12 guesses per account. In one
night's processing time on our Gould PN9080, I got about 480/10,000
a real word. [...]

--Dave Curry

------------------------------

Date: Tue, 12 May 87 18:21 CET
To: [email protected]
From: Michael Wagner +49 228 303 245 <WAGNER%[email protected]>
Subject: Re: Computer thefts (Jerome H. Saltzer, RISKS-4.83)

At University of Toronto, where I used to work, we convinced our terminal
vendor to supply us with special terminals for public terminal clusters.
These terminals had bolts, built into the base, that were intended to bolt
through the terminal table. Once attached, the bolts could not be removed
with standard tools. Neither could the terminal be opened to remove the
bolts that way. It helped, although I gather there were still some terminals
that walked away. I think that, at least in some cases, the table went too.
After all, it was a nice terminal table!
Michael

------------------------------

Date: Tue, 12 May 87 10:41:05 EDT
From: Jeffrey R Kell <JEFF%[email protected]>
Subject: Computer-related Cadillac recall (RISKS-4.81)
To: [email protected]

This incident (and many others) represents one excellent reason why some
systems are best left 'low-tech'. Headlights can burn out, electrical
systems fail, batteries die, alternators short, switches malfunction,
and so forth. Adding a computer into the chain only adds another item
which can possibly fail WITHOUT providing any greater reliability in the
process; in perfect working order it is STILL prone to previous faults
PLUS the possibility of hardware/software/RFI/etc. failures.

------------------------------

End of RISKS-FORUM Digest
************************
-------