The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 70

Tuesday 18 December 1990

Contents

o Telephone Voting
Bill Murray
o Voting Technology
William W. Plummer
o Re: Hacked NASA phones
Barton Christopher Massey
o Re: "Legion of Doom"
Irving Wolfe
Mike Black
o Computer Virus as Military/Political Weapon?
Sanford Sherizen
o Request for Info on Undergraduate Computer Security Classes
Al Arsenault
o Info on RISKS (comp.risks)

Telephone Voting

<HMurray.Catwalk@DOCKMASTER.NCSC.MIL>
Sat, 8 Dec 90 16:23 EST
>One risk that I don't think I saw mentioned in the discussion of
>"Dial-A-Vote" systems relates to the identity of voters.

To the contrary, it has been dealt with ad nauseam, usually erroneously.

>Such a system, by definition,  would need to know the identity of each caller
>to check registration and avoid duplications.

This statement is patently false.  While an identity-based system would be
one way to accomplish these objectives, a voucher system would serve just as
well.  Such voucher systems are well described in the literature, but the
same issue of RISKS which carried the above assertion, contained two
descriptions of such systems for voting by mail.

The problem of disassociating the vote from its origin, i.e. location of the
phone, is much more resistant to solution.

All voting systems are subject to abuse, not the least are those systems
currently in use.  All voting systems have some problems of equity.  In
many of our current systems, these problems were deliberately engineered
in for political motives.  These problems resist solution precisely
because any change will shift the political balance, however slightly.

To the extent that we can move to systems that are more secure, more
equitable, and more economic, we should do so.  Such systems clearly
exist.  My personal preference is for more equity.  While I have
difficulty in believing that any new system can be any more subject to
abuse than most of those in use, I would be prepared to sacrifice some
security for more equity, as long as the lower security would not result
in a loss of confidence in the results.

Any new systems and the move to them will be fraught with problems.
Much dialogue will have to precede any such moves.  However, over-stating the
problems of the new systems, preferring the faults of the old ones, and
pandering to the fears of the ignorant are not productive.

William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840   203 966 4769


Voting Technology

"William W. Plummer" <plummer@altacoma.wang.com>
Mon, 17 Dec 1990 14:09:59 EST
I would like to propose a new voting system that will benefit from electronic
and/or cryptographic techniques.  Before going too public with this, I hope to
get additional suggestions and pitfall information from you readers.

The voting system that I would like to see simply weights your vote by the
number of tax dollars that you pay.  We have often heard that the super wealthy
use tax loopholes to lower their tax to zero while manipulating laws to make
this possible.  On the other end of the scale, the poor are accused of using
tax supported services far in excess of their tax payments; the poor tend to
vote for candidates that promise to keep up the handouts.  Of course, it is the
middle income people that support all of this.  So, my scheme has the
appropriate negative feedback built into it.

A major problem with the system is that it require a constitutional amendment.
In other words we would no longer have "One man, one vote."  But I argue that
the Constitution was written before income tax and local taxes etc.  In a sense
everybody was taxed equally back then.  All this new system does is to restore
the equality of the voting power.

Implementing this system is tricky unless you want to trust "the government" to
correctly credit your voting power.  I think the ability to check one's own
account is desired, but you really don't want it to become public knowledge;
worse than busybodies and neighbors would the the targeted marketing concerns
and the politicians spending their resources where the voting power is.  So, a
secret ballot is still a must.   The ballot must be unforgeable and not
modifiable.

One idea that is almost right is to use public key crypto technology.  The IRS
would issue voting stickers which have the number of votes encrypted such that
only the vote counters could read them.  I would use my stickers by sticking
them to a paper ballot; they could not be removed without destroying them.
This fails because I cannot check that the sticker is worth the number of votes
that I think it should be.

Making the stickers have duplicate information, one that the vote counters can
read and one that I can read, is also almost right.  It's a little impractical
since it requires that I keep a decryption key around so that I can decode my
half of the sticker.  So, everybody has to be assigned a key and everybody has
to avoid losing it.

Does anybody out there know how to do this?  Thanks.

William W. Plummer   Work: 508-967-4870
plummer@wang.com     Home: 508-256-9570


Re: Hacked NASA phones (RISKS-10.65)

Barton Christopher Massey <bart@cs.uoregon.edu>
Mon, 10 Dec 90 23:51:56 GMT
> [...] computer intruders have stolen some $12 million in free telephone
> service through Johnson Space Center...  That figure was calculated from costs
> of similar break-ins described by law enforcement agents specializing in
> computer crime.

There *must* be some kind of mistake or error here, right?  Imagine this
principle applied to better-understood areas of criminal jurisprudence: "Little
Johnny Nogood has stolen some $2000 worth of goods from the corner store
today...  That figure was calculated from costs of similar thefts described by
law enforcement agents specializing in shoplifting."  Right.  The whole thing
is especially ludicrous in light of NASA's recent report that their whole
yearly phone bill is only on the order of $12 million...

The computer-related risk, IMHO, is that because the law-enforcement community
doesn't understand computer crime, it may be made to seem much more harmful to
its victims and to society than it actually is, and resources that would be
better spent elsewhere will be devoted to stopping it.  This risk is especially
severe in light of the "computer crime experts" who have made a name for
themselves because of the imputed significance of these kinds of cases, and
thus have a vested interest in exaggerating their significance.
                                                    Bart Massey


Re: Response to article on "Legion of Doom" sentencing (RISKS-10.65)

Irving Wolfe <irv@happym.wa.com>
9 Dec 90 18:26:16 GMT
I, too, am opposed to uninvited access to others' computers.

In RISKS-10.65, we have

>Sorry.  I don't buy it.  If I leave my keys in my car with the windows open,
>and you get in and drive off, you're still just as guilty of stealing the car

That is true.  But it is also a crime in some states for you to have left the
keys in the car.  It is written in many insurance contracts, too, that the
insurer will not have to pay you if you have encouraged the theft in this way.

Thus, in this other area of life that you drew an analogy to, your "asking for
trouble" by making it easy and attractive does indeed reduce or eliminate your
protection under the law or constitute a punishable minor crime itself.

> [several posters drew analogies to the crime of "breaking and entering"]

Breaking and entering is a crime that has two parts: "breaking" and
"entering."  If you leave your front door ajar, one need not "break" to
"enter."  If a company leaves the door to its office ajar, it cannot accuse an
outsider found walking down its hallway (doing no harm) of any crime, it can
only tell him to leave.  Since people here seem so fond of analogies, I'll
suggest that to the extent that a company leaves the door to its computer
system ajar, the breaking and entering analogy fails, and the mere entry of
an outsider would not constitute a crime.

These analogies are silly.

If we are to have a law in this area, it should be simple:  Attempting to log
into a computer system or otherwise access it without having been explicitly
invited should be a crime whether or not the attempt succeeds and whether or
not any damage was done.  Probably using a normally-public area like an ftp
or anonymous uucp directory should be explicitly excepted, as should a small
number of attempts to log into a system accidentally, provided no hacker-type
activities (systematically guessing passwords, taking advantage of system
defects to gain privileged access, etc.) were involved.

But if this is to be a crime, it is fundamentally unrelated to old-time crimes
like breaking and entering or car theft.  We are making it a crime because
we'd like to discourage it, not because there's a clear moral issue or any
harm being done.  There may or may not be.  The law is for our convenience,
and has no moral side, and the violator is not to be punished for his evil
character, but merely for having violated a well-known law carrying a
well-known penalty.

 irv@happym.wa.com (Irving_Wolfe)    Happy Man Corp.    206/463-9399 ext.101
 4410 SW Point Robinson Road,  Vashon Island, WA  98070-7399     fax ext.116
 SOLID VALUE, the investment letter for Benj. Graham's intelligent investors
Information free (sample $20 check or credit card): email patty@happym.wa.com


Re: Legion of Doom (RISKS-10.67)

Mike Black <black@seismo.CSS.GOV>
9 Dec 90 13:18:40 GMT
In the discussions of the Legion of Doom a few points are raised but
not taken to fruition seeing as how we are talking about a new
technology (relatively new that is).  Allow me to paraphrase:

1.  "The company left its' doors open and that was a criminal act...".
Response: "Leaving your garage door unlocked isn't".
    Having a phone line into your company is definitely not a criminal
act.  However, if you leave a pile of money on the street and someone steals
it, there isn't a judge in the world who would convict because you did
something a reasonable person wouldn't have done.  The problem crops up when
you come with a new technology that has inherent risks.  What the heck is
a reasonable person...the two guys that invented it?  On hacking, we have
a case where technology allows extremely easy access to computers over phone
lines.  The fact that a company uses this technology does not relieve it of
responsibility to behave as reasonable persons.  The problem is that the
hackers are perceived as a bunch of teenage hoods and they do not suffer from
this technology.  If every time one of them called they got electrocuted, I
assure you that the company would be held liable.

2.  "Leaving my keys in my car is not...".  In most states, leaving the keys
in your car is definitely considered criminal as you are inviting a crime.
Doesn't then hooking an easy access phone line also invite a crime?

3.  "We are in business to do business...".  True, but businesses have a
responsibility to society to ensure their business does not invite criminal
behaviour.

4.  "We shouldn't have to spend time closing known holes...".  If I talked to
your security department they might disagree.  If there are known holes, is
management adequately apprised of the potential for business loss and have they
made a knowledgeable decision to not close them, or do the system managers just
say, "The boss wouldn't understand so I'm not going to tell him"?  Companies
devote massive resources to security and this hacking thing is a new threat.
So is the idea that your competitor could get in and muck about too.  It would
seem that a business shouldn't have to spend a lot of time closing security
holes opened by a product they bought, so me thinks I would complain LOUDLY to
whomever supplied this product to close up the holes.

5.  Finally, let's try and define a reasonable person on this matter:

    1.  When you hook-up a phone line to your computer, a reasonable person
    would expect to get calls from unauthorized users.

    2.  A reasonable person would not expect the simple userid/passwd to
    foil everyone, however the same person should expect that a concerted
    effort not be made to overcome it.  i.e.  If you have userid "root"
    with no password, that's unreasonable, most anything else migrates
    toward reasonableness.

    3.  A reasonable person would assume that one who finally got in would
    do most anything.

    I propose the following:

    1.  All dial-up's contain a warning about the penalties of unauthorized
    entry. (virtually none do, how 'bout a trespass warning people?)

    2.  Entry into such a system would be a misdemeanor.  Retrieval of
    info would be the same.

    3.  Damage caused would upgrade eventually to a felony depending on
    lost business, time to recover, etc.  The trick here is the need to
    prove the hacker was proximate cause to the damage beyond reasonable
    doubt.

P.S.  I personally do not support "hacking".

: usenet: black@beno.CSS.GOV   :  land line: 407-494-5853  : I want a computer:
: real home: Melbourne, FL     :  home line: 407-242-8619  : that does it all!:


Computer Virus as Military/Political Weapon?

Sanford Sherizen <0003965782@mcimail.com>
Mon, 17 Dec 90 22:11 GMT
I would like to gather any *hard* evidence that viruses have been used for
political/military purposes.  It is possible that the Jerusalem virus was first
set off to commemorate a Palestinian event but has there been any way to verify
this?  Are there other viruses that have been specifically distributed or
directed to harm a political foe?  It is important to differentiate this type
of attack from someone setting off a virus that contains a political statement
but which is not directed against a particular target. I know that this
differentiation is soft but I am trying to develop an appropriate
categorization.  Any help on this is appreciated.

What got me thinking about this is my work on developing a model of computer
crime trends and development stages.  The current situation in the Persian Gulf
made me wonder about the use of the virus as a political weapon.  Is the virus
a potential "small nation's weapon"?  Can viruses become terrorist surrogates,
disrupting an enemy nation without leaving direct fingerprints (strings?)
traceable back to the ultimate sponsor?  What roles could viruses play in
future small scale intensive conflicts as well as major wars?  Have viruses
been considered in war scenarios that military commands have developed?  The
flap earlier this year about the availability of a small business contract to
develop a virus for the U.S. military may well be part of a larger picture of
computerized warfare joining other threats such as biological and chemical
warfare.

Comments can be posted to me on Risks or sent directly to me at MCI MAIL:
SSHERIZEN  (396-5782).  This message has also been posted to Virus-L.

Thanks, Sandy


Request for Information about Undergraduate Computer Security Classes

Al Arsenault <arsenaul@usafa.af.mil>
Thu, 13 Dec 90 13:47:46 MST
We are requesting information from any and all colleges about Computer
Security courses offered as part of the undergraduate Computer Science
program.  This information is needed as part of a research project on
teaching Computer Security.  The goal is to produce a summary of available
courses, to be included in a paper we are writing.

The researchers involved are:

    Alfred Arsenault, Visiting Professor of Computer Science,
and
    Captain Gregory White, Instructor of Computer Science,

both at the U. S. Air Force Academy.

Specifically, we are seeking answers to the following questions:

    (1) Does your school offer a course in Computer Security as part
of its undergraduate Computer Science curriculum?  If so, what is the
title of that course?

    (2) If so, is the course required or an elective for Computer
Science majors?

    (3) What textbook is being used, if any?

    (4) What are the prerequisites for the Computer Security course?
(Please use descriptive titles, e.g., Operating Systems, rather than
course numbers or designators.)

    (5) Is the course offered once a year, or every semester?

    (6)  Approximately how many students typically enroll in the course?

    (7) If your institution does not offer an undergraduate Computer
Security course, is there a particular reason?  (e.g., no faculty interest
in teaching such a course; not enough students interested in taking such
a course; no room in the undergraduate Computer Science curriculum for
another course)

    (8) Who is a point of contact that we can get in touch with if
we need further information?

As previously stated, we are requesting this information to assist us with
a research effort on "Teaching Computer Security in an Undergraduate Computer
Science Curriculum."  The short-term goal is to develop reasonably accurate
statistics about how many institutions offer Computer Security courses.
Negative responses (i.e., 'my college does not offer a Computer Security
course') are welcome.

We would be happy to send summaries of the responses we receive to anyone
who requests one.

    Please send responses to either:

    Alfred Arsenault:  arsenaul@usafa.af.mil  or
               AArsenault@Dockmaster.ncsc.mil

    Greg White:  white@usafa.af.mil
             GWhite@Dockmaster.ncsc.mil

If you have questions, or want more information, we can be reached on the net
at the above addresses; by telephone at (719) 472-3590; or by U. S. Mail at

    Department of Computer Science
    HQ USAFA/DFCS
    U. S. A. F. Academy, CO  80840

Please report problems with the web pages to the maintainer

Top