Mail-From: NEUMANN created at 21-May-87 22:45:36
Date: Thu 21 May 87 22:45:36-PDT
From: RISKS FORUM    (Peter G. Neumann -- Coordinator) <[email protected]>
Subject: RISKS DIGEST 4.88
Sender: [email protected]
To: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Thursday, 21 May 1987  Volume 4 : Issue 88

          FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
 Re: Phalanx (Phil Ngai)
 Open meeting laws (Dave Parnas)
 Concerning UN*X (in)security (Mike Carlton)
 Ed Joyce, Software Bugs: A Matter of Life and Liability (Eugene Miya)
 Risks and system pre-login banners (PGN)
 Risks of Running RISKS, Cont'd. (PGN)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to [email protected], Requests to [email protected])
 (Back issues Vol i Issue j available in CSL.SRI.COM:<RISKS>RISKS-i.j.  MAXj:
 Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date:  Thu, 21 May 87 09:53:45 PDT
From: [email protected] (Phil Ngai)
To: [email protected]
Subject: Re: Phalanx

The Phalanx is just a radar controlled machine gun which fires 3000
(20 mm? nearly one inch in diameter) depleted uranium slugs per minute
at anything which moves. Would you keep it on all the time? No one
(but you) said it wasn't reliable.

What does appear to be wrong is that there was only one, to cover the
stern of the ship. The bow was not protected by a Phalanx system and
that is where the (two?) Exocet missiles hit.

Then again, we should realize that frigates such as this one are intended
mostly for anti-submarine/mine work; although it did have surface to air
missiles which could have been used to take out the aircraft which fired the
Exocets, frigates are not really expected to provide their own air defense.
And this one was operating under the assumption that Iraqi aircraft were
friendly, so it did not shoot down the aircraft when it could have.

    [Perhaps the object was to shoot down the missiles?  Was
    that the Star Wars analogy to which Chuck was referring?
    Also, there was a report that there might have been TWO
    planes.  (One missile landed undetonated amidship!)  PGN]

------------------------------

Date: Thu, 21 May 87 07:12:23 EDT
From: parnas%[email protected]
To: [email protected]
Subject: Open meeting laws (RISKS 4.87)

Do open meeting laws prevent public representatives from conversing in a bar
or a park or at a theatre?  Do they prevent telephone calls?  If not, why
should they prevent electronic mail conversations?
                                                           Dave

   [Even my home town of Palo Alto is going through the pains of trying
   to make sense of the legal and common-sense implications...  PGN]

------------------------------

Date: Thu, 21 May 87 13:41:45 PDT
From: [email protected] (Mike Carlton)
To: [email protected]
Subject: Concerning UN*X (in)security

I think that most people would agree that UN*X is not a secure system, nor
is it intended to be.  However, a judicious choice of password can
discourage amateur or half-hearted attacks on your account. Several methods
have been proposed for choosing hard-to-break passwords; my favorite is
simply to use the first letter of each word of some phrase, e.g., 'The rain
in Spain falls mainly in the plain' becomes TriSfmitp.  This has the
advantages that it is not likely to appear in any dictionary, it is very
mnemonic, and if the password is long enough and rich enough in case, it will
stand up to a sustained exhaustive search.

There is another risk that I haven't seen mentioned: the use of .rhosts
files (at least it's a risk in the BSD world, I've never been in the System
V world).  Around here, quite a few people have .rhosts entries for several
machines, often including at least one Sun.  Couple this with the fact that,
given physical access, anyone can become root on a Sun and you've got
widespread vulnerability without the need for any password attack.

Mike Carlton ([email protected]), CS Gradual student
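An added example, not part of Mike Carlton's post: a Python sketch that derives a passphrase acronym the way he describes, checks whether the result happens to be a word in a (constructed) wordlist, and estimates the exhaustive-search space from its length and case richness. It also models the fact that the classic DES-based UNIX crypt(3) of the period used only the first eight characters of a password, which caps the benefit of a longer phrase; the WORDLIST and the max_len parameter are assumptions of this example.

```python
import math
import re
import string

# Constructed stand-in for an attacker's dictionary (not from the post).
WORDLIST = ["password", "secret", "spain", "rain", "plain", "welcome"]


def acronym_password(phrase: str) -> str:
    """First letter of each word, keeping each word's own case."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z0-9]+", phrase))


def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet covering every character class used:
    all-lowercase gives 26, mixed case 52, digits and punctuation add more."""
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),
    ]
    return sum(n for test, n in classes if any(test(c) for c in password))


def search_space_bits(password: str, max_len: int = 8) -> float:
    """log2 of the candidates an exhaustive search over this alphabet and
    length must try.  max_len=8 models the DES-based crypt(3), which ignores
    everything after the eighth character (assumption of this example)."""
    size = alphabet_size(password)
    n = min(len(password), max_len)
    return n * math.log2(size) if size else 0.0


def in_wordlist(password: str, wordlist) -> bool:
    """Case-insensitive check: flipping case is a routine dictionary-attack
    variant, so a dictionary word in mixed case is still a dictionary word."""
    return password.lower() in {w.lower() for w in wordlist}


def assess(phrase: str, wordlist=WORDLIST) -> dict:
    """Summarise how the acronym of `phrase` holds up against the two
    attacks the post mentions: dictionary lookup and exhaustive search."""
    pw = acronym_password(phrase)
    return {
        "password": pw,
        "in_wordlist": in_wordlist(pw, wordlist),
        "mixed_case": alphabet_size(pw) >= 52,
        "bits_crypt8": round(search_space_bits(pw), 1),
        "bits_full": round(search_space_bits(pw, max_len=len(pw) or 1), 1),
    }


if __name__ == "__main__":
    for phrase in ("The rain in Spain falls mainly in the plain",
                   "some people always insist nothing"):
        print(assess(phrase))
```

The second phrase shows the method's failure mode: an all-lowercase acronym that spells a word gets caught by a dictionary check and offers only about 23 bits against exhaustive search.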

------------------------------

Date: Thu, 21 May 87 13:47:06 pdt
From: Eugene Miya <[email protected]>
To: [email protected]
Subject: Ed Joyce, Software Bugs: A Matter of Life and Liability

Ed Joyce, Software Bugs: A Matter of Life and Liability, Datamation 33 10,
15 May 1987, pp. 88-92 [Keywords: Malfunction 54, Therac 25, dosimetry,
radiation therapy].
                                 --eugene miya

------------------------------

Date: Thu 21 May 87 20:19:10-PDT
From: Peter G. Neumann <[email protected]>
Subject: Risks and system pre-login banners
To: [email protected]

RISKS recently ran an item about the lawsuit that was thrown out because a
user had been greeted with "Welcome to the system".  The following banner is
given by a net-accessible system (which might as well remain nameless),
and provides a nice example of the other end of the spectrum.

 WARNING ** WARNING ** WARNING ** WARNING ** WARNING ** WARNING

 UNAUTHORIZED ACCESS TO THIS UNITED STATES GOVERNMENT COMPUTER
 SYSTEM AND OR SOFTWARE IS PROHIBITED BY PUBLIC LAW 98-473.
 PUNISHMENT FOR OFFENSE CAN BE UP TO $100,000 FINE OR UP TO 20
 YEARS IN PRISON OR BOTH.  REPORT UNAUTHORIZED USE OR ACCESS TO
 THE SYSTEM SECURITY OFFICER.

 WARNING ** WARNING ** WARNING ** WARNING ** WARNING ** WARNING

------------------------------

Date:     Thu, 21 May 87 12:31:45 CDT
From:     ALMSA-1 Memo Service 750 (MMDF 4/84) <[email protected]>
Subject:  Waiting mail  (msg.a000284)       [Risks of Running RISKS, Cont'd.]
Sender:   [email protected]
To:       [email protected]

           [As I have noted previously, in a list as large as RISKS there is
           an awesome volume of mailer barf messages.  I do try to be patient,
           but sometimes it becomes overbearing.  The implied threat here --
           to keep retrying and send me notifications -- is horrendous!  PGN]
                                                                          |
   After 14 days (326 hours), your message has not yet been               |
fully delivered.  Attempts to deliver the message will continue            |
for 178956963 more days.  No further action is required by you.            V
  [********* = = = = = = = = = = = = = = = = = = = = = = = = = = = = =  !!!!!]

   Delivery attempts are still pending for the following address(es):

       wmartin@almsa-2 (host: almsa-2) (queue: almsab)

   Problems usually are due to service interruptions at the receiving
machine.  Less often, they are caused by the communication system.

------------------------------

End of RISKS-FORUM Digest
************************