RISKS-LIST: RISKS-FORUM Digest  Friday 16 December 1988   Volume 7 : Issue 95

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
 Armed with a keyboard and considered dangerous (Rodney Hoffman)
 Re: Computer Virus Eradication Act of 1988 (Les Earnest)
 Value for money? (Part 2) (Jerry Harper)
 USAF software contractors score poorly (Henry Spencer)
 Reasoning about software (Nancy Leveson)
 Hacking the etymology (Nigel Roberts)
 [Shattering revelations] (Shatter)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to [email protected], with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to [email protected].
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
 get stripe:<risks>risks-i.j ... (OR TRY cd stripe:<risks> / get risks-i.j ...
 Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: 16 Dec 88 08:13:25 PST (Friday)
From: Rodney Hoffman <[email protected]>
Subject: Armed with a keyboard and considered dangerous

The 16 Dec 88 'Los Angeles Times' contains this story (excerpts only):

        EX-COMPUTER WHIZ KID HELD ON NEW FRAUD COUNTS
                        By Kim Murphy

 Kevin Mitnick was 17 when he first cracked Pacific Bell's computer
 system, secretly channeling his computer through a pay phone to
 alter telephone bills, penetrate other computers and steal $200,000
 worth of data from a San Francisco corporation.  A Juvenile Court
 judge at the time sentenced Mitnick to six months in a youth facility....

 [After his release,] his probation officer found that her phone had
 been disconnected and the phone company had no record of it.  A
 judge's credit record at TRW Inc. was inexplicably altered.  Police
 computer files on the case were accessed from outside.... Mitnick
 fled to Israel.  Upon his return, there were new charges filed in
 Santa Cruz, accusing Mitnick of stealing software under development
 by Microport Systems, and federal prosecutors have a judgment showing
 Mitnick was convicted on the charge.  There is, however, no record
 of the conviction in Santa Cruz's computer files.

 On Thursday, Mitnick, now 25, was charged in two new criminal complaints
 accusing him of causing $4 million damage to a DEC computer, stealing
 a highly secret computer security system and gaining access to
 unauthorized MCI long-distance codes through university computers
 in L.A. and England.

 U.S. Magistrate ...took the unusual step of ordering [Mitnick] held
 without bail, ruling that when armed with a keyboard he posed a danger
 to the community.  "This thing is so massive, we're just running around
 trying to figure out what he did," said the prosecutor, an Asst. U.S.
 Atty.  "This person, we believe, is very, very dangerous, and he needs
 to be detained and kept away from a computer."  LA and FBI Investigators
 say they are only now beginning to put together a picture of Mitnick
 and his alleged high-tech escapades.  "He's several levels above what
 you would characterize as a computer hacker," said Detective James K.
 Black, head of the LA Police Dept's computer crime unit.  "He started
 out with a real driving curiosity for computers that went beyond personal
 computers.... He grew with the technology."

 Mitnick is to be arraigned on two counts of computer fraud.  The case
 is believed to be the first in the nation under a federal law that makes
 it a crime to gain access to an interstate computer network for criminal
 purposes.... Federal prosecutors also obtained a court order restricting
 Mitnick's telephone calls from jail, fearing he might gain access to a
 computer over the phone lines....

------------------------------

Date: 16 Dec 88  0103 PST
From: Les Earnest <[email protected]>
Subject: Re: Computer Virus Eradication Act of 1988

The note from Don Alvarez <[email protected]> in RISKS-7.91 gives the
text of proposed legislation that is intended to inhibit certain kinds of
computer crime.  If you look at it only as a protection against skulduggery
then it looks reasonable, but it also seems to prohibit certain plausible
defensive tactics against software piracy.

Suppose that a software developer wishes to protect his program against
theft and happens to know with certainty that the computing environments
of all customers will have a certain property and that those of thieves
may not have that property.  It would be reasonable to have the program
check for the property and, if it is missing, either self-destruct or
malfunction in subtle ways.  (Admittedly there is some risk in doing this,
given all the crazy things that customers do, but with suitable admonitions
this could be a reasonable defensive tactic.  In fact it has been used
in the past.)

The proposed legislation reportedly says:
"(a) Whoever knowingly-
 "(1) inserts into a program for a computer information or commands,
 knowing or having reason to believe that such information or commands
 will cause loss to users of a computer on which such program is run
 or to those who rely on information processed on such computer; and
 "(2) provides such a program to others in circumstances in which those
 others do not know of the insertion or its effects; or attempts to do so,
 shall if any such conduct affects interstate or foreign commerce, be fined
 under this title or imprisoned not more than 10 years, or both."

This wording, as it stands, would appear to make defensive programming of the
type described above illegal.  The problem is that it fails to distinguish
between the interests of legitimate users of programs and those who steal them.

       -Les Earnest

------------------------------

Date:     Tue, 13 Dec 88 20:43:11 GMT
From: Jerry Harper <[email protected]>
Subject:  Value for money? (Part 2)

Just a week back a note appeared from me citing an Irish Times report of
how our Department of Health spent approximately $67 million on a medical
informatics system which was substandard in many respects.  A lamentable fact
of the debacle is the Dept's dogged refusal to accept the advice of a range
of academics concerning inadequacies in the system.  This little anecdote
will impress RISKS readers, I hope.

Shortly after the contract had been agreed, one of the management
consultants favouring the system because of its advanced features
had the temerity to ring one of the opposed academics and ask if they
could recommend a good introduction to medical information systems!

------------------------------

Date: Wed, 14 Dec 88 01:39:45 EST
From: [email protected]
Subject: USAF software contractors score poorly

From the Nov 14 Aviation Week & Space Technology (page 103):

       The [USAF] Electronic Systems Div. has developed a new system
       for Air Force source selection boards to use to evaluate
       contractors' software capabilities.  Using a questionnaire,
       companies are ranked from one to five.  Some 84% of the 178
       contractors checked so far rank at the lowest level, with
       chaotic or unpredictable, poorly controlled processes.  Only
       14% ranked at the second level, meaning they could repeat
       previously mastered tasks.  Two percent met the third level
       with well-understood processes.  The processes for the fourth
       level are defined as well-measured and controlled, and for
       the fifth as optimized.  So far no contractor has ranked
       above the third level.

------------------------------

Date: Fri, 16 Dec 88 11:55:44 -0800
From: Nancy Leveson <[email protected]>
Subject: Reasoning about software

I have a somewhat different interpretation of the draft ICAO standard
than Steve.

I originally quoted from a draft standard that included the following:
 > "... [Software] must be developed systematically in such a way that its
 > behavior, under all possible conditions, can be established by logical
 > reasoning (to a level of formality appropriate to the application).

Steve responded with:
>> It's my opinion that strict enforcement of the above requirement simply
>> makes the developer liable for errors, but doesn't do much for actually
>> improving software reliability.  It is unlikely that "all possible
>> conditions" can be for[e]seen, let alone provided for.  The problem becomes
>> bigger as the complexity of the system increases, to the point where
>> exhaustive analysis of a system could take centuries to perform.

One of the most effective ways to increase reliability is to decrease
complexity.  I have seen safety-critical systems where the developers purposely
simplified their systems to make the above reasoning possible.  The results
were highly reliable.  I believe (and have heard those in the field of formal
verification confirm) that one of the advantages of formally verifying software
is that it encourages simplicity in the software design in order to perform the
necessary logical reasoning.

Reasoning about all conditions is currently required for hardware.  System
safety engineers use techniques such as FMECA (Failure Modes, Effects, and
Criticality Analysis, as mentioned in the standard) to accomplish this.  Should
regulatory agencies relax their standards for the software used to replace this
hardware?  Such hardware analyses currently do find many problems that are
fixed before they can cause an accident.

Microwave landing systems are used when visibility does not allow the pilot to
land the plane alone.  Current systems allow landing only when visibility is at
least 200 feet, so the pilot has a chance to abort and go around.  However,
they are now talking about allowing landings where the visibility is zero.
Perhaps we should not be putting trust in these systems if we cannot build them
in such a way that we CAN reason logically about their behavior under all
conditions.

>> The requirement is essentially that systems be perfect.  That goal has
>> proven elusive (unattainable?) in all areas of human endeavor.  Extensive
>> formalism and verification should be required of critical systems, but
>> requirements for perfect function are inane.

I don't read the requirement as requiring perfection.  It says that we must
build the software in such a way that we can reason about it under all
conditions, including presumably what happens when there are software errors.
The standards certainly should not imply that failures in such systems are
acceptable.  Would you want a standard involving the safety of commercial
aircraft to require less than perfection?  Extremely high reliability
requirements (e.g., 10^-9 probability of failure over a fixed period of time)
are merely attempts to provide virtual perfection in hardware systems where
failures are random. In fact, it has been written that the FAA 10^-9 figure is
meant to be equivalent to: "is not expected to occur within the total life span
of the whole fleet of the model." [Waterman, "FAA's certification position on
advanced avionics," AIAA Astro. and Aero., May 1978, pp. 49-51]

>> A better approach would be to require independent performance monitoring
>> and evaluation as part of the complete system.

I agree, but I don't think the standard precludes this; in fact, I read
it as implying the necessity for it.  However, independent performance
monitoring and evaluation can be flawed and implemented imperfectly also;
error detection can be quite difficult in many applications.  I would
feel most comfortable if companies do everything they can to make
such safety-critical software as good as possible and then provide
safeguards in case they had not been completely successful;  both of
these things need to be done in order for us to have the maximum confidence
in our software at our current level of technology.

------------------------------

Date: Tue, 13 Dec 88 07:00:26 PST
From: roberts%[email protected] (Nigel Roberts, D-8043 Unterfoehring)
Subject: Hacking the etymology

The recent discussions of the etymology of the terms "hacker", "cracker",
_et al_ & the recent spirited defence of the activity by one or two
contributors (at least one of them being a self-confessed "hacker") has
set me to thinking.

In RISKS & elsewhere, I see a "generation gap" between what, for want of a
better term, I would describe as the "old-time hackers", who were experimenters,
and the current cyberpunks, the "hackers" of popular mediaspeak, the
eponymous "shatterers".

I think this apparent generation gap is fundamental to the discussion.

The "old-style hackers" (of whom I am vain enough to claim I belong) learned
their computing in the 60s and 70s, often in a university or similar
multi-user environment, where, as often as not, hacking involved programming.

Today's stainless steel rats are much more likely to have discovered
computers in the home, courtesy of Apple, Commodore or IBM, and started their
"network tourist" activities by purchasing a modem.

The old school (& I include myself here) resents the way the term "hacker"
has been hi-jacked and is today being used to connote anti-social activity.
This is despite the ambiguous roots of the term (described by Weizenbaum
in _Computer Power & Human Reason_).

Today's cyberpunks are computer burglars, who are attempting to justify their
activities by claiming a common motivation with their arguably less anti-social
predecessors.

Like any story of generation conflict, there are elements of truth in the claims
of both sides.

It is going to be impossible to prevent the media from using the word "hacker"
in a way that the "old school" dislike. It would almost be easier to claim that
the word "gay" meant "happy, carefree".

But maybe the media and the collective unconscious understand the evolution
of hackerism better than we do.

For just as there is at least a tiny thread of commonality with the hackers
of old in the network rats of the 80s, so I would say that there was some small
element of today's network rats in the hackers of old.

But of course, there IS a distinction between hacking around a system whose
sole reason for being is to teach people about computers, and hacking into
systems which are being used for serious business purposes and where outsiders
have no right to be.

That difference is ethical, and has been well expounded here in RISKS already.

Seeing as we can't get rid of "hackers" in the popular media, I would like
to coin the term "punk hackers" (an abbreviation of 'cyberpunk hackers')
to describe their anti-social activities.

It seems to fit only too well, just like "punk rock" is rock music with
swearing & spitting at the audience.

And using it would let us "old hackers" keep our self-respect!

       Nigel Roberts,          Munich, W. Germany.

------------------------------

Date: 15 Dec 88 04:58:42 MEZ (Thu)
From: [email protected] (Shatter)
Subject: [Shattering revelations]

First of all I would like to thank all the ppl who gave me feedback on my
previous contribution to RISKS; it has on the whole been quite positive :-)
[You will now have gathered that I have gone legit as I am now too well known
to continue with active hacking and will have to make do with the odd foray
into the net on highdays and holidays]. But there has been at least one recent
contributor who does not seem to get the point that I was trying to make, and
as my last effort was knocked up in 10 mins I have decided to put a bit more
effort into this one.

My previous article [if you can call it that] was not trying to justify anything
but was written to try to point out a major flaw that exists in the IT community,
and it is one that should at least show some signs of being rectified in the
near future or more serious attacks on networks such as the Internet will no
doubt occur.

The contributor who compared modern day hackers to the punk rock musicians
of the 70's obviously has not spent time within the hacker community
in the last 10 to 20 years, as if he had he would realise that the sense of
ethics and morality is as strong if not stronger than in his day,
and his assumption is like saying all black male teenagers are muggers,
rapists and murderers. [but I wander yet again]
And I would like to say to him: am I any less of a caring, moral and intelligent
human being becoz I learned my craft on a home micro, a network of Tandy Model
80's and a modem I made myself? Wot I think we have witnessed in recent issues
of RISKS is a kind of computer snobbery that does little to promote the spirit
of goodwill and intellectual exchange that should exist within our community
[for all our sakes]. Comments have been made that hackers of today do not
inform the owners of the systems of the holes that exist, and in some instances
that is true, but I ask you "When those of you who claim to be 'old-time
hackers' found a possible security breach on a machine did you immediately go
running printout in hand to the owner of the system?????" I think not; the
temptation to explore just that little bit further is too great.
And in some cases the administrator is rude and often downright abusive
when a security hole is brought to his attention [sorry, I am not sexist: the
masculine gender is used to mean mankind in general, not just the male sex],
which is often the case on commercial sites [an experience I myself have
experienced].

To finish this "article" off I will just make the following points:-
1. Can we please have less of this snobbery that exists
2. Work with the hacking community as much as possible. We will both gain
from the experience [offer an incentive if necessary [an account that is open to
all but only usable at nite and has say a MUD on it or even MONEY :-) ]]
3. Work with each other

and finally if anyone has a need for any help with any thing that you
think I can help with then mail me at ...!unido!alter!Shatter and
I will see if I can help.
                                       Shatter

------------------------------

End of RISKS-FORUM Digest 7.95
************************