Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
To: RISKS@SRI-CSL.ARPA Hysterical panic about viruses in programs is at least as annoying as the more common complacent stupor about risks from computers. The author of RISKS-1.27 seems to be dead set on Software Apocalypse Now. We swing from viruses in software to unencrypted data links on bank machines to teen-aged kids cracking systems. Also, the usual screams of "mad genius hackers playing sick games" can be heard... sigh, programmers are so misunderstood... The discussion about viruses is actually sort of interesting, the others fall into the category of "there are fixes which have a certain cost; you have to decide whether it's worthwhile." Encryption and tighter security systems raise the cost of the system and also raise the cost of breaking the system. The question is, for the data and functions being provided, what is an appropriate level of protection? I'm not going to panic because many bicycles have cheap locks or no locks; some bikes aren't worth stealing, and in some areas there's relatively little theft of bicycles. If I have data worth protecting, I should be prepared to protect it. I will agree that far too few people are aware of the hazards or of what they can do to protect themselves, but that is far from saying that I want to pay for security I don't need. On viruses, etc.: it is certainly the case that you only want software which is written by people you trust (and ENTIRELY by people you trust -- see Ken Thompson's Turing Award Lecture for a further discussion of this). But is that different from needing to have bookkeepers and treasurers that you trust in order to avoid embezzlement? If bankers and national security types don't take steps to ensure that they have good software, then they certainly have a problem, but not a hopeless one. There have been previous proposals to have independent "software certification agencies" to ensure software quality, but I don't know if they would really be able to solve this problem. The "solitary programmer" mentality is at least partly to blame for things like "unauthorized worms" — if people expect to have their code read by others, who may question the reasons for doing certain things, it becomes enormously harder to conceal unauthorized features (unless the programmer can convince the inspector(s) to join in a conspiracy). I am still surprised at how many companies do not ask programmers to read each other's code. Quite apart from security worries, having inspections or walkthroughs seems to sharply improve maintainability and finds a number of bugs and design flaws. I have little or no sympathy for people who illegally copy a program and then find one day that it's trashed their data. Serves 'em right. --Mark P.S. The term "worm" was not coined in a Scientific American column. I believe John Brunner used it in his novel The Shockwave Rider and Shoch and Hupp picked up the term for a paper in Communications of the ACM. It may have been used earlier than that; I don't know.
Regarding Neal Macklin's "expose" of virus technology, I would only add that the idea is not at all new. John Brunner, a well-known speculative fiction writer, wrote a novel called "Shockwave Rider" over 10 years ago(!) predicting the blackmailing of a then corrupt U.S. government by a morally-upright computer hacker. Although I share Neal's concerns, I am not at all convinced (even as a credit-card and ATM-card-carrying young and aspiring academic) that under certain circumstances, the collapse of the fractional reserve system, the banking system, and the credit markets would be an awful event. Sure there would be chaos, but who knows what could arise from the rubble. ...I would add that reading Shockwave Rider when I was in high school prompted me to learn about computers, and although I have not the competence to develop tapeworms and viruses, if it's just now getting out to the "hacker world" that viruses exist, you can bet that the NSA may already have developed one (pardon the paranoia). Aaron Ellison Graduate Program in Ecology & Evolutionary Biology Brown University Providence, Rhode Island 02912
To: Neumann@SRI-CSL.ARPA [adapted for RISKS] I suppose it would be nice to tell the original author of the long issue about viruses, etc., that there ARE technical solutions, although not necessarily within his lifetime if he's using IBM systems, which most financial institutions do ... Ted Lee
Cc: nrl-css!neumann@SRI-CSL.ARPA
Peter,
Risks is supposed to be a digest. The huge article that just
ate up my time like worm could have been digested and the summary
put in a few lines. Worms have their place. Eating up stories
like that one is one of their good uses. Worms digest waste.
Dave [and I got THREE copies of Dave's message. Oh, well. PGN]
I was listening to a radio station the other day whose studio is on the San
Francisco Bay. In the early afternoon, the station started getting a
re-occuring noise over the air that sounded vaguely like a burp, which
distracted the DJ no end. It turned out after investigation by their
engineers that it was being caused by a Navy Aircraft Carrier that had just
entered the bay on the way to Alameda. Every time the radar pointed at the
studio, it caused the stations electronics to go bonkers (that's a powerful
radar...). I wonder what other electronics those things would interfere
with?
chuq
[Perhaps the squawks were emitted by a carrier pitch-in? PGN]
I imagine you will have numerous postings making the following point, but,
if you don't, someone should say it.
> Thomas Cox writes:
>1. no password-protected system is EVER likely to be broken into by so-called
> hackers. They can sit and guess, just like they can try and guess the
> combination to my bike lock. I'm not worried about it.
This all depends on how loosely you define "stealing a password". Does
a person who hangs around your printer room, picking up loose header
sheets with people's account names and real-world names on them stealing
passwords? Someone who does so can break into many systems, as many people
will choose passwords equal to their login ids or first or last names.
If the person communicated with people via email at your site, or was able
to guess what their login id is (not a hard job in many places), then the
same vulnerability exists. The problem is exacerbated if the cracker can get
access to a list of your users. On most UNIX systems, once he is in at all,
this is trivial.
[Not to mention the fact that passwords are usually transmitted
unencrypted within local nets and externally as well... PGN]
In fact, barring fairly stringent rules on password choices, and/or physical
security preventing intruders from accessing terminals (and, possibly,
modem features to discourage brute force guessing), most computer systems
can be broken into once a few user ids are known, provided the cracker has
the modicum of expertise and equipment necessary to write a program to
test all dictionary words against the user ids' passwords. The recent
Bell Systems Technical Journal issue on UNIX had a discouraging article
on how easy it is to break into the majority of UNIX systems, given a list
of user ids, testing only twenty or forty possible passwords per user id.
Perhaps you don't consider a lax password system a password system at all,
but, barring that, your statement is demonstrably false.
Peter Reiher
reiher@LOCUS.UCLA.EDU
{...ihnp4,ucbvax,sdcrdcf}!ucla-cs!reiher
[Unfortunately, discussions of the risks of relying on passwords
need to held over and over again. If you have not thought deeply
or been burned, it is too easy to be naive. The sophisticated
crackers — as opposed to the simplistic ones — find very few
boundaries they cannot get through (or go around). PGN]
I think Thomas Cox's article ("Hackers", Risks V1N26) is optimistic
in the extreme:
> 1. no password-protected system is EVER likely to be broken into by so-called
> hackers. They can sit and guess, just like they can try and guess the
> combination to my bike lock. I'm not worried about it.
Sorry, but I am. When you say "password-protected", I interpret that
to mean the user setting his or her password to anything other than the
site/manufacturer default. Turns out a lot of people set it to their
name, login, spouse's name, etc. (See Morris and Thompson, "Password
Security: A Case History", CACM 22(11), pp.594-597 (Nov. 1979) for more
information about this claim.) If you know anything about the system
you're attacking, such as whose account you're trying to get into,
this makes the account rather a sitting duck. So I'd disagree with
your statement above.
Of course, if you mean something else by "password-protected", could
you be more explicit? My opinion could very well be inapplicable ...
(Incidentally, bear in mind the "bike" is worth maybe a half million,
considering the information stored on it, so if you just trust the
"lock", and don't take off a wheel, you're inviting trouble ...)
Matt
From: Dave Dyer <DDYER@USC-ISIB.ARPA>
To: risks@SRI-CSL.ARPA
In Response to Thomas Cox in Risks 1.26:
"1. no password-protected system is EVER likely to be broken into by
so-called hackers. They can sit and guess, just like they can try
and guess the combination to my bike lock. I'm not worried about it."
This is patently untrue. I have personally guessed passwords on
several occasions; It isn't even hard unless you want some particular
password. One of the recent, widely publicised "hacker" cases
involved exactly what you say is impossible; the perpetrator
was merely making a sport of guessing passwords, and changing them
as a warning to the account owner. In addition to guessing,
there are multitudes of ruses to obtain passwords, some technical,
but many simply exploiting human weaknesses.
It is certainly true that "unguessable" passwords exist, but any
enforced mechanism for assuring unguessable passwords will also
be regarded as "unrememberable", and therefore more vulnerable
to non-guessing methods.
To: RISKS@SRI-CSL.ARPA I received an anonymous phone call this morning from someone who felt inspired by the last two issues of RISKS to relate some experiences he/she had had while working for the Texas Commerce bank. Apparently the computer maintenance staff had fun with the wire-transfer programs, using passwords that had been taped under a desk. They would randomly transfer various amounts ($100,000 was mentioned as typical) from one account to anothe, just for kicks. They were astounded that no one every caught on, and the passwords were never changed. When I asked whether all such transactions had been reversed, the answer was probably yes.
Please report problems with the web pages to the maintainer