The RISKS Digest
Volume 10 Issue 08

Tuesday, 12th June 1990

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Liz Taylor and ``secret codes''
PGN
EEC `IT Security Evaluation Criteria'
Klaus Brunnstein
Re: A 320 article in Aeronautique
Francois Felix Ingrand
2600 magazine article
Arthur L. Rubin
Self-Replicating Bugs in Floppies
Warren M. McLaughlin
Caller ID neither necessary nor sufficient to prevent crank calls
ark
Whom Caller ID benefits and whom it does not
Peter da Silva
Re: egregious database and `voluntary' data submission
Bill Janssen
Egregious Database Already Exists
William M. Bumgarner
Re: Another egregious database
L.P. Levine
Info on RISKS (comp.risks)

Liz Taylor and ``secret codes''

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 12 Jun 1990 8:41:48 PDT
A woman identifying herself as Lisa Flowers used the secret code for Liz
Taylor's answering service to set herself up as a cryptopublicist, returning
telephone calls and giving out bogus interviews.  She told reporters about a
fabricated relationship with a 23-year Detroit man, Julian Lee Hobbs, and gave
out false medical reports.  The hoax included intercepting requests from UPI
and AP for confirmation of earlier (phony) information, and providing
confirmation!  So much for "secret" codes.  [Source: San Francisco Chronicle,
12 June 1990, p. 2]


EEC `IT Security Evaluation Criteria'

Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.dbp.de>
09 Jun 90 13:27 GMT+0100
This week, EEC sent the draft of the 'harmonized' Information Technology
Security Criteria (ITSEC) to some people (I don't know the address list) for
comment. Based on the German `Green Book', an expert group with French, German,
Dutch and English contribution prepared a (greyly-white covered) booklet of
125 pages covering (after a short introduction: (1) scope) the functionality (2)
and the assurance of correctness (3: 55 pages) as well as the assurance of
effectiveness (4). The functionality chapter (2) refers, among others, to the
Green Book's functionality classes F1..F5 (derived from Orange Book) and
F6..F10 (adding availability and integrity of systems and networks to the
well-known Orange Book functionality). The assurance part (3) elaborates the
Green Book's quality Q0..Q7 into the more detailed `levels' E1..E6 (from
'inadequate assurance'=E0 equivalent to Orange Book 'D', towards E6 where
correctness is formally proven (essentially A1, but not `beyond A1'!);
as in Orange Book and Green Book, each higher level encompasses the lower ones.
For each level, specific features must be evaluated for the (4) 'phases' of the
development process as well as for different `aspects' of the system and user
documentation. Moreover, the effectiveness of the assured features is roughly
described under aspects such as: suitability, binding of functionality,
strength of mechanism, assessment of vulnerability (construction, operation),
or ease of use.

EEC plans a conference in Brussels to happen on September 25-26, 1990. According
to their letter, they welcome critical comments (if received by July 6th)
which might be discussed in this conference.

Klaus Brunnstein    University of Hamburg

PS: based on our analysis of the benefits and shortcomings of `Trusted Computer
Evaluation Criteria' which we contributed to the IFIP SEC'90 conference, recently
in Helsinki, I plan to analyse this new Criteria catalog in more detail.
I would strongly appreciate any critical comments, both on our paper on
'Risk Analysis of Trusted Computer Systems' (which I e-mail upon request) and
on the above draft.

     [The copy I have says that Der Bundesminister des Innern, Bonn, West
     Germany (Minister of the Interior) is der Herausgeber, so presumably
     copies can be obtained from there or from the other three governments.
     The ITSEC is a very deft merging of the earlier German criteria and the
     British claims language.  PGN]


Re: A 320 article in Aeronautique (Atkielski, RISKS-10.05)

Francois Felix INGRAND <felix@AI.sri.com>
8 Jun 90 22:46:13 GMT
>  Minor erratum:  This article actually appears in the "Aeronautique"
>    section of the French science magazine "Science & Vie,"

In France, "Sciences et Vie" is considered as the "National Enquirer" of
"Sciences"...

Most of their articles do not have the scientific seriousness you expect from
a scientific publication.

Francois Felix INGRAND                          SRI International, AIC
"Read my Lisp... No new syntax" (nil)


2600 magazine article

Arthur L. Rubin <arthur@pnet01.cts.com>
Fri, 8 Jun 90 23:17:39 PDT
        I posted the 2600 magazine excerpts on some local BBSs, and I have the
following comment from a user and sysop:

What does the entire 911/Steve Jackson Games escapade tell us?  Well, it's not
all that new that the government (like most such things) requires careful
watching, and I'm not too happy about how the last I'd heard, an agent had told
SJ games they wouldn't get all of their hardware back, even though no charges
had been filed (can you say legalized thievery boys and girls?  I knew you
could.)

But the main thing that moves me to write this missive is the indications from
the published article that the authors, and thus quite likely also the party
responsible for copying that document and circulating it still do not quite
understand what the individual responsible did. Accordingly, and in the hopes
that if this circulates widely enough he or she will see it, the following
message:

OK - all you did was get into Bell South's computer system (mostly proving that
their security sucks rocks) to prove what a hotshot hacker you were, then made
a copy of something harmless to prove it.  Sheer innocence; nothing to get
upset about, right?

Bull****, my friend.  Want to know what you did wrong?  Well, for starters, you
scared the US Government and pointed it in the direction of computer hobbyists.
There are enough control freaks in the government casting wary eyes on free
enterprises like BBS systems without you having to give them ammunition like
that.  Bad move, friend, bad move.  You see, the fact that you didn't damage
anything, and only took a file that would do no harm to Bell South OR the 911
system if it were spread all over the country is beside the point.  What really
counts is what you COULD have done.  You know that you only took one file; Bell
South only knows that one file from their system turned up all over the place.
What else might have been taken from the same system, without their happening
to see it?  You know that you didn't damage their system (you THINK that you
didn't damage their system); all Bell South knows is that somebody got into the
system to swipe that file, and could have done any number of much nastier
things.  Result - the entire computer you took that file from and its contents
are compromised, and possibly anything else that was connected with that
computer (we know it can be dialed into from another computer - that's how you
got on, after all!)  is also compromised.  And all of it has now got to be
checked.  Even if it's just a batch of text files never used on the 911 system
itself, they all have to be investigated for modifications or deletions.  Heck
- just bringing it down and reloading from backup from before you got in (if
they KNOW when you got in) even if no new things were added since would take a
lot of time.  If this is the sort of thing that $79,449 referred to I think they
were underestimating.

You cost somebody a lot of time/money; you almost cost Steve
Jackson Games their existence; you got several folks arrested for
receiving stolen goods (in essence); you endangered a lot of
bulletin boards and maybe even BBS nets in general.  Please find
some other way to prove how great you are, OK?
                                                   --Crystalsword

Arthur L. Rubin, PO Box 9245, Brea, CA  92622  (work) (714)961-3771


Self-Replicating Bugs in Floppies

"Warren M. McLaughlin" <McLaughlin@DOCKMASTER.NCSC.MIL>
Sat, 9 Jun 90 17:12 EDT
This is a personal report, eye-witnesses are available.  On Thursday, 7 June
1990, at about 1500 hrs EDT, it was conclusively demonstrated that it is
possible for self-replicating bugs to replicate themselves in floppies (5-1/4"
DSDD) _outside_ of a computer!

There is a stash of scratch disks, in boxes, on top of a file cabinet next to
my desk.  Mostly, they are old backups awaiting degaussing and reformatting.
At the back of the row of six or seven boxes, I found an open box of disks,
with nine new, never-used disks.  This minor treasure would have come in handy
if I hadn't noticed visible evidence of the self-replication (and defecation)
of the bugs, commonly known as "cockroaches".

A cursory examination, conducted after dropping the box in the trash bag,
revealed at least five live beasties.  Droppings/eggs everywhere in the box.  I
checked each disk envelope, and found spoor in all nine.  Witnesses were drawn
to the scene like flies... er, spectators.  There was a certain amount of noise
associated with the discovery, and the air in my cubicle is reported by some to
have turned blue.  This may be an exaggeration.

The droppings/eggs seemed large enough to have caused a head crash.  I have
enough bits loose in my PCs without adding more.  I checked every other box,
and found no evidence of infestation.  Three of the boxes came from the same
carton as the infested box.

I will not report the name of the manufacturer, as it does not seem important.
TechReps of several computer manufacturers have told me that "tower" style
cases regularly attract cockroaches.  They are thought to come in for warmth,
or to eat the lacquer used on certain components.  Incidentally, _real_ lacquer
is the processed shells of the lac beetle, which is remarkably like a cockroach
in appearance.  (Cannibalistic self-replicating bugs?)

This may be yet another Risk of computing - or another Risk of working in an
old five-sided building on the west side of the Potomac.

[Disclaimer: The views herein are mine of this fleeting moment, and neither
represent my views upon considered reflection, nor those of the Department of
the Navy, nor any component of the Department.]

                             - Mike

W. M. McLaughlin, Computer Security Coordinator, SECNAV/DONIRM(C2)
Washington, DC  20350-1000


Caller ID neither necessary nor sufficient to prevent crank calls

<ark@research.att.com>
Sat, 9 Jun 90 13:20:02 EDT
The people who claim Caller ID is useful for preventing crank calls are
somewhere between misguided and dishonest.  Consider: do you *never* receive a
call from someone you know from a phone number you don't recognize?  Have you
*never* had a friend call you from a pay phone?  Of course not!  So that means
that a general strategy of refusing to answer calls from unknown sources will
cut you off from some calls you would have wanted to receive.

Suppose, then, that you answer all calls.  You are assured of getting a crank
call from time to time.  Why doesn't Caller ID avert that by making it known to
the caller that you will identify the source?

It does, of course, but it's much more than you need for that purpose.  For
example, the following facility has been available in my calling area for some
time: if after receiving a call I hang up, pick up the phone again, and dial
*51, then a copy of the identity of the last call I received will be logged in
the central office and I will be charged $1.00 .  I can then call the police
and tell them that I received a crank call that was recorded in the central
office.  They can find out who called and act appropriately.

So: even if I have Caller ID, I cannot avoid crank calls unless I also cut
myself off from some legitimate calls.  Once I have received a crank call, I
can report the origin to the authorities even without Caller ID.  How, then, is
Caller ID useful for that purpose?


Whom Caller ID benefits and whom it does not

Peter da Silva <peter@ficc.ferranti.com>
Sun Jun 10 10:34:19 1990
> As far as residential phone users are concerned, Caller ID is not much
> better than receiving anonymous calls.  [ the message goes on to bring
  up "member of family at phone booth" considerations. ]

I take it you have never been the target of telephone harassment. I have.
It's not a lot of fun, but unless it goes on for a long time it's just not
possible to get the authorities to do anything about it. I have been called by
my wife's ex-boyfriend (from his place of work!), by some bozo who
three-way-called me to a third party, and by someone who calls and hangs up, we
assume to call-wait my wife off a chat system (not knowing we have another line
for the modem). In all of these cases caller-ID would be a deterrent, a channel
of recourse, or a signal to ignore that call. Even when you know the harasser,
there's not much you can do currently: when I called the ex back at work, he
convinced his boss that *I* was harassing *him* (he'd called dozens of times...
I'd called back once, then again when he hung up). If I'd had Caller-ID I
could have just ignored calls from that number (the numbers handy to his place
of work would have become quickly obvious).

In none of these cases was SWBell at all interested. In all of these cases
Caller-ID would let me stop it in the bud. Calls from pay-phones just wouldn't
have been possible for any of them (pay-phones don't have 3-way calling, and
in the other two cases the opportunity wouldn't arise).

No system is perfect, but I'm not going to leave my door unlocked just because
someone is capable of breaking a window. Making casual harassment less
convenient is by itself a good thing.

Peter da Silva. +1 713 274 5180.


Re: Risks of Laser Printouts (RISKS-9.89,91,92)

12 Jun 90 10:41:39 GMT
(Simson L. Garfinkel) writes:
|  Not very surprising, considering that laser printers pump out gobs of ozone.

This is the first good news that I've heard!!  With more and more laser
printers we will be able to reverse the ozone destruction caused by all those
CFCs floating around.  :-) Can anyone quantify that figure: gobs?
                                                                    Ralph P. Sobek


Re: egregious database — risks of `voluntary' data submission

<janssen@parc.xerox.com>
Fri, 8 Jun 90 16:19:21 PDT
in RISKS DIGEST 10.07, Edwin Wiles comments that the `egregious database' is
less troublesome because of the voluntary nature of data submission.  This
ignores the risks of bureaucratization, in which the fact that one has not
`voluntarily' submitted data to a database is held against one.  (There is also
the risk of inexperience, in that a student may not appreciate the consequences
of putting personal data in such a database, but this should always be
considered.)
                                        Bill


Egregious Database ALREADY EXISTS

"William M. Bumgarner" <wb1j+@andrew.cmu.edu>
Mon, 11 Jun 90 01:51:56 -0400 (EDT)
In the Columbia Public Schools, of Columbia, Missouri, such a system
has been installed in the last few years-- it can keep track of
basically _everything_ that can be recorded textually that has
happened during a student's K-12 academic career.  Not only grades, but
personality profiles, any comments by teachers, and just about
anything that is even remotely associated with 'school' — including
incidences that don't appear on the 'permanent' record and incidences
involving the police.

Apparently, the goal is to be able to track a student through the public
education system and then store that data permanently ... and it is all at the
fingertips (though, at many different security levels, of various random
secretaries, counselors, etc.)...
                                       b.bumgarner, NeXT Campus Consultant


RE: Another egregious database (Wiles, RISKS-10.07)

Prof. L. P. Levine <levine@cvax.cs.uwm.edu>
Sun, 10 Jun 90 12:55:23 CDT
In Risks 10.07 Edwin Wiles, NetExpress, Inc., misses the point entirely.  He
seems pleased that the system is voluntary [...]  But the next part of the
quote is missing.  Reading it from Risks 10.05 we see:

<> The absence of criteria like punctuality might be noticed, however,
<> just as vital information omitted from a resume would be, he adds.

and means that leaving out such information is itself a negative mark on the
potential employee.  I have students RIGHT NOW who are peeing in bottles
(voluntarily) in order to get jobs.  Of course they do not take drugs, of
course they are doing it voluntarily, of course they want the job.  They do it.
Voluntary release of your civil rights is not protection.  The argument that
you have nothing to fear from this abuse of your rights if you are not guilty
never washes.  It is always just plain wrong.  Nobody expects the Spanish
Inquisition, but this is the way it begins.

Leonard P. Levine, Professor, Computer Science, U. of Wisconsin-Milwaukee
Milwaukee, WI 53201 U.S.A.
