The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 35

Friday 29 March 1991

Contents

o Soviet Space Station
James H. Paul
o Tribe proposes computer freedom/privacy amendment to US Constitution
Paul Eggert
Rodney Hoffman
o Privacy Updates
Peter Marshall via Brint Cooper
o Legion of Doom's "Terminus" sentenced
Rodney Hoffman
o Court allows appeal over computer error
Martyn Thomas
o RISK of being honest ["surplus" FBI data]
Peter Kendell
o USSR BBSList
Serge Terekhov via Frank Topping via Selden E. Ball
Jr.
o A Consciously Chosen Risk
anonymous
o Compass 1991 Program
John Cherniavsky
o Info on RISKS (comp.risks)

Soviet Space Station [PGN Excerpting Service]

"James H. Paul" <0002296540@mcimail.com>
Fri, 29 Mar 91 21:11 GMT
                 REUTERS  03-28-91 05:40 PET
   SOVIET SPACE STATION AVOIDS DOCKING DISASTER BY 40 FEET

   MOSCOW, Reuters - The Soviet space station Mir came within 40 feet of a
collision with a cargo module which would almost certainly have killed the two
cosmonauts on board, Soviet television reported Thursday.  Ground control staff
noticed only seconds before impact that computers which should have been
docking an unmanned Progress-7 cargo module onto Mir were in fact steering it
on a collision course. [...]
   The cargo module was only 65 feet from impact when an alert ground
controller watching television pictures of the docking had to make a snap
decision to override the computers and change Progress-7's course.  Rockets
deflected the module, which had already failed to dock once last week, so that
it passed within 40 feet of the space station and narrowly missed protruding
antennae and solar panels.  [...]
   The space station's next crew will have to make more extensive repairs to a
faulty antenna which was found to be the cause of the near miss.  [...]


Tribe proposes computer freedom/privacy amendment to US Constitution

Paul Eggert <eggert@twinsun.com>
Wed, 27 Mar 91 09:26:05 PST
Here are excerpts from the Los Angeles Times, 1991/03/27, pages A3 and A12.
The issues are familiar to Risks readers, but awareness has spread to the
non-computer legal community, and it's worth noting how their reactions are
reported in the mainstream press.  On page A12 the article runs in parallel
with the continuation of the day's biggest story, whose page one headline
reads ``High Court Allows Forced Confessions in Criminal Trials ...  A key
pillar of constitutional law is upset.''

-- Paul Eggert 

Computer Privacy Amendment Urged

Rodney Hoffman <Hoffman.El_Segundo@Xerox.com>
Wed, 27 Mar 1991 19:44:07 PST
Writing in today's 'Los Angeles Times' (p. A3), Henry Weinstein reports on one
of the keynote addresses from this week's Conference on Computers, Freedom, and
Privacy, sponsored by Computer Professionals for Social Responsibility.

According to the article, renowned constitutional scholar Laurence Tribe called
for a 27th Amendment to the US Constitution "in order to preserve privacy and
other individual rights threatened by the spread of computer technology.... to
cope with the many questions raised by the advent of 'cyberspace,' a place
without physical walls, or even physical dimensions, where an increasing amount
of the world's communication and business -- ranging from ordinary letters to
huge global transfers of money -- is taking place, via computer and telephone
lines."

Further quotes from the article:

"The existence of such a place creates all sorts of potential problems, Tribe
noted, because the nation's constitutional order historically has carved up the
social, legal and political universe along the lines of 'physical places'
which, in many situations, no longer exist.  There is a 'clear and present
danger' that the Constitution's core values of freedom, equality and privacy
will be 'metamorphosed into oblivion' unless policy-makers come to grips with
the ramifications of technological change, Tribe said...."

"The proposed new amendment would provide that the Constitution's protections
for free speech and against unreasonable searches shall be fully applicable,
regardless of the technological method or medium used to transmit, store, alter
or control information.  The point, he said, would be to make it clear that the
Constitution, as a whole, 'protects people, not places.'...  [N]ormally wary
of Constitutional amendments, .... he said the computer revolution has created
'substantial gray areas' that need to be addressed."

"Lance Hoffman, a George Washington University professor of computer science
[And occasional RISKS contributor.  And no relation to me!  -- RH] said, ....
'We're casting about, because we're in a new age in our technological
development, an age where a person can spend $1,000 and buy the computer
equivalent of a Saturday Night Special and take down a large computer system.'"


More on Computers, Freedom, and Privacy

Peter G. Neumann <neumann@csl.sri.com>
Fri, 29 Mar 91 14:47:47 PST
The Conference on Computers, Freedom, and Privacy (Tuesday through Thursday of
this week, sponsored by CPSR and cosponsored by and in-cooperation with
numerous other organizations including ACM groups and committees) at which
Professor Lawrence Tribe spoke (see previous messages) had a broadly based
interdisciplinary audience, including law enforcers, lawyers, developers,
vendors, marketers, computer scientists, (nonpejorative-sense) hackers, as well
as crackers, whackers, and snackers (pejorative-sense hackers), trackers,
backers, flackers (journalists), claquers, EFF-ers Kapor and Barlow, and a
video crew one of whom was fresh from the Academy Awards Monday evening.  Very
few quackers (who duck the hard issues) or slackers.  It was one of the most
enjoyable meetings I have ever attended.  All of my notes on the first two days
seem to have been lost somewhere in the hotel (I was keeping my comments on the
back of a bunch of laser printout pages that I happened to have with me), so my
plans to write a detailed summary for RISKS have been scratched unless someone
found the pages and saved them.  I hope that some other RISKS reader will do
so.  There were a lot of RISKSers there, and a lot of valuable discussion,
including various people arguing -- for DIFFERENT REASONS -- why they did or
did not think the proposed amendment was a good idea.  Also, a formation
meeting was held for a U.S. Privacy Council, hoping to help privacy and privacy
legislation in the U.S. catch up with various other countries.  I hope that the
organizers of that Council will provide details in RISKS.


[Peter Marshall: Re: Privacy Updates]

Brinton Cooper <abc@BRL.MIL>
Mon, 25 Mar 91 22:19:27 EST
Perhaps someone is listening after all!    Brint

----- Forwarded message # 1:

Subject: Re: Privacy Updates
Keywords: CallerID/Privacy/Legislation
From: Peter Marshall <halcyon!peterm@sumax.seattleu.edu>
Date: Thu, 21 Mar 91 11:52:24 PST
Organization: The 23:00 News and Mail Service

In Washington, HB1774, setting up a joint committee on privacy and information
technology, passed the House Tuesday on a 98-0 vote and is now in the Senate
Law & Justice Committee, which has not yet set a hearing date on the bill.
Also in Washington, HB1489, on Caller ID, which had previously passed the
House, will have hearings in the Senate Energy & Utilities Committee at 10 a.m.
next Tuesday and Thursday.  In that other Washington, Sen. Leahy has set up a
task force on CallerID; the Kohl "blocking bill" has been re-introduced, and
Rep. Markey has introduced HR1305, which although it merely requires per-call
blocking of CallerID, also restricts re-use and disclosure of ANI-delivered
information without informed consent.

Peter Marshall
                    halcyon!peterm@seattleu.edu
  The 23:00 News and Mail Service - +1 206 292 9048 - Seattle, WA USA


Legion of Doom's "Terminus" sentenced

Rodney Hoffman <Hoffman.El_Segundo@Xerox.com>
Wed, 27 Mar 1991 10:40:59 PST
According to a story by Henry Weinstein in the 23 March 'Los Angeles Times',
computer consultant Leonard Rose pleaded guilty to federal felony wire fraud
charges for stealing UNIX source code and distributing Trojan horse programs
designed to gain unauthorized access to computer systems.  He will serve a year
in prison.

Rose, known as "Terminus", was alledgedly associated with the Legion of Doom
"hacker group".  In 1990, the Secret Service seized much of his computer
equipment.


Court allows appeal over computer error

Martyn Thomas <mct@praxis.co.uk>
Thu, 28 Mar 91 18:01:35 GMT
A UK computer company was fined #21,000 for misdeclaring #71,000 of VAT
(turnover tax). The misdeclaration occurred because software errors in an
accounts package led to May invoices being included in a tax return which
should have only included invoices up to April.

An appeal tribunal allowed the appeal against the fine, on the basis that
the company had shown reasonable care in preparing the return, and was not
aware of the bugs.

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel:    +44-225-444700.   Email:   mct@praxis.co.uk


RISK of being honest ["surplus" FBI data]

Peter Kendell <pete@tcom.stc.co.uk>
Tue, 26 Mar 91 08:46:01 GMT
>From the Guardian newspaper, London, 26 March 1991

Secret FBI files sold off inside $45 surplus computers

FBI informants given secret identities after testifying against the
Mafia and other criminals may be at risk after the US Justice
Department sold its computers without clearing the data banks.

Last summer, Charles Hayes, of Lexington, Kentucky, paid $45 (about 25
pounds) for a surplus computer from the local Justice Department
office.  When he plugged it in, he found himself reading sealed grand
jury indictments and the confidential report of an FBI investigation
into organised crime.  The computer contained information on FBI
informants and witnesses who had been given new identities.

When Mr Hayes informed the Justice Department, it sued him for return
of the equipment, which came from the US Attorney's office.

The federal government's watchdog office said it knew of many similar
cases and urged the department to recover the rest.

---

Agent Cooper, your secret is out!  Seriously, though, what kind of incentive
for honesty is it when someone points out to a goverment agency that they have
made a serious security breach and they respond by suing him?

It would have been nice if the article had told us whether action had been
taken within the Justice Department to prevent future cock-ups.

Peter

  [It struck me that I'd missed the greatest RISK in the story about the
  surplus computers holding highly confidential information.

  That is, that the Lexington Justice Department thought that, by recovering
  the computers with the sensitive data stored in them, they could also recover
  the data.  I suppose the computers had removable media?   PK]


USSR BBSList

"Selden E. Ball, Jr." <seb@lns61.tn.cornell.edu>
23 Mar 91 09:05:00 EST
Gentle folk,

Many people are doubtless already aware of this, but it came as a bit of a
surprise to me.

It is now possible to direct-dial computer bulletin boards in the USSR and
eastern European countries. Many of them are already on FidoNet.  The following
list of BBSs was recently posted to a widely read news group.

The potential transmission speed for computer viruses is increasing faster than
your favorite comparison.  sigh.

Selden Ball
seb@lns61.tn.cornell.edu
   -----------------------------

From:   LNS61::WINS%"<KIDSNET@vms.cis.pitt.edu>" 22-MAR-1991 18:56:05.24
To: SEB
Subj:   USSR BBSList

Return-Path: <KIDSNET@vms.cis.pitt.edu>
Received: from vms.cis.pitt.edu by lns61.tn.cornell.edu with SMTP ;
          Fri, 22 Mar 91 18:55:52 EST
Date: Fri, 22 Mar 91 17:07 EDT
From: KIDSNET MAILING LIST <KIDSNET@vms.cis.pitt.edu>
Subject: USSR BBSList
To: kids-l@vms.cis.pitt.edu
Message-id: <A00DB88427FF407349@vms.cis.pitt.edu>
X-Envelope-to: seb@lns61.tn.cornell.EDU
X-VMS-To: IN%"kids-l"

Date: 15 Mar 91 23:01:15 EST
From: Frank Topping <76537.1713@CompuServe.COM>
Subject: USSR BBSList

I thought some teachers might be interested in this - they're growing like
wildfire & connectivity opportunities abound!

-frank

.....................
|Area : K12Net Sysops
|From : Serge Terekhov                      15-Mar-91 00:05:00
|To   : All                                 15-Mar-91 17:28:42
|Subj.: Full list of USSR BBSes!

                   Known USSR Bulletin Board Systems
                        Version 10c of 3/13/91
                 Compilation  (C) 1991 Serge Terekhov

 BBS name                     ! Data phone     ! Modem    ! FIDO addr
 -----------------------------!----------------!----------!------------
 PsychodeliQ Hacker Club BBS    +7-351-237-3700  2400      2:5010/2
 Kaunas #7 BBS                  +7-012-720-0274  ?         -
 Villa Metamorph BBS            +7-012-720-0228  ?         -
 WolfBox                        +7-012-773-0134  1200      2:49/10
 Spark System Designs           +7-057-233-9344  1200      2:489/1
 Post Square BBS                +7-044-417-5700  2400      -
 Ozz Land                       +7-017-277-8327  2400      -
 Alan BBS                       +7-095-532-2943  2400/MNP  2:5020/11
 Angel Station BBS              +7-095-939-5977  2400      2:5020/10
 Bargain                        +7-095-383-9171  2400      2:5020/7
 Bowhill                        +7-095-939-0274  2400/MNP  2:5020/9
 JV Dialogue 1st                +7-095-329-2192  2400/MNP  2:5020/6
 Kremlin                        +7-095-205-3554  2400      2:480/100
 Moscow Fair                    +7-095-366-5209  9600/MNP  2:5020/0
 Nightmare                      +7-095-128-4661  2400/MNP  2:5020/1
 MoSTNet 2nd                    +7-095-193-4761  2400/MNP  2:5020/4
 Wild Moon                      +7-095-366-5175  9600/MNP  2:5020/2
 Hall of Guild                  +7-383-235-4457  2400/MNP  2:5000/0
 The Court of Crimson King      +7-383-235-6722  2400/MNP  2:50/0
 Sine Lex BBS                   +7-383-235-4811  19200/PEP 2:5000/30
 The Communication Tube         +7-812-315-1158  2400/MNP  2:50/200
 KREIT BBS                      +7-812-164-5396  2400      2:50/201
 Petersburg's Future            +7-812-310-4864  2400      -
 Eesti #1                       +7-014-242-2583  9600/MNP  -
 Flying Disks BBS               +7-014-268-4911  2400/MNP  2:490/40.401
 Goodwin BBS                    +7-014-269-1872  2400/MNP  2:490/20
 Great White of Kopli           +7-014-247-3943  2400      2:490/90
 Hacker's Night System #1       +7-014-244-2143  9600/HST  2:490/1
 Lion's Cave                    +7-014-253-6246  9600/HST  2:490/70
 Mailbox for citizens of galaxy +7-014-253-2350  1200      2:490/30
 MamBox                         +7-014-244-3360  19200/PEP 2:490/40
 New Age System                 +7-014-260-6319  2400      2:490/12
 Space Island                   +7-014-245-1611  2400      -
 XBase System                   +7-014-249-3091  2400/MNP  2:490/40.403
 LUCIFER                        +7-014-347-7218  2400      2:490/11
 MESO                           +7-014-343-3434  2400/MNP  2:490/60
 PaPer                          +7-014-343-3351  1200      2:490/70
 -----------------------------!----------------!----------!------------


|--- Maximus-CBCS v1.02
| * Origin: The Court of the Crimson King (2:50/0)

..................................................

Frank Topping, sysop
Sacramento Peace Child - NorCal K-12Net Feed (916)451-0225 (1:203/454)

conference moderator:
"The Educational Exchange Conference" - "OERI" BBS  (800)222-4922

operated by: Office of Educational Research and Improvement - (OERI)
U.S. Dept. of Education, Washington, D.C.


A Consciously Chosen Risk

<[anonymous]>
Sat, 23 Mar 91 12:40 xxT
Even in time of personal loss there are lessons learned that might be helpful
to others.  In this case I'm not exactly sure what the lesson is, but the RISK
is readily apparent.  My mother-in-law died recently and my wife and I have the
burden of handling all the financial and legal details.  Among those were
notifying Social Security, two state-run pensions, and two insurance carriers
(Blue Cross and the Medicare carrier.)  All of the details were handled over
the phone -- we did not have to send in any proof of death or even just a
letter.  (It happens that one of the state pensions has someone who reads the
obituary column and had already started the necessary action for that account,
but presumably they don't read every small town newspaper.)  In all cases all
we had to give was her name and social security number.

The RISK is obvious: if one wanted to harass someone who was dependent on
social security and pensions all one would need do is phone in and pose as some
relative and announce their death.  (getting the SSN shouldn't be hard.)

When I realized during my first call (to Social Security) what the situation
was I asked the person I was talking to about it.  He replied that they had
quite consciously decided to place as little extra burden as possible on what
are usually still grieving relatives, even though they knew the risk involved.
He pointed out that had there been survivors' benefits involved (which there
weren't), proof would have had to be supplied.  It should also be noted that in
each case a letter will be sent to the address of record, so if there were a
harassment it would presumably be discovered quickly.  I'm not too sure however
that the way that is handled is not without its flaws: one of the places we
called asked if they had the right address; since in all cases the address had
already been changed to ours I don't know if the others would have asked or
given us an opportunity to change it to prevent the letter from going to the
last known address.  (We also stopped the telephone service the same way,
supplying only the phone number and confirming the name and address.)


Compass 1991 Program [EXCERPT. EMail to jchernia for details.]

<jchernia@NSF.GOV>
Mon, 25 Mar 91 12:38:00 EST
                COMPASS '91
        6th Annual Conference on Computer Assurance
     National Institute of Standards and Technology, Gaithersburg, MD
                 June 24-28, 1991

       Sponsored by IEEE National Capital Area Council &
             IEEE Aerospace and Electronic Systems Society

COMPASS '91 PRE-CONFERENCE TUTORIALS, Monday, June 24th

0900    Registration for Tutorial 1
1000    Tutorial 1:  Safe Systems--A Disciplined Approach
    John McDermid, University of York
    John Cullyer, University of Warwick
1200    Lunch; Registration for Tutorial 2
1300    Tutorial 1:  Safe Systems--A Disciplined Approach (continued)
    Tutorial 2:  Software Safety Analysis--Linking Fault Trees
             and Petri Nets
    Janet Gill, Patuxent River Naval Air Test Center
1700    Close of tutorials

Safe Systems--A Disciplined Approach

Professor John McDermid, University of York, and Professor John Cullyer,
University of Warwick, will discuss the integration of formal methods into
the life cycle development of safety-critical software.  Professor McDermid
will discuss the safety life cycle and the safety analysis of software.
Professor Cullyer will discuss the integration of formal methods during
the requirements and specification phases, design phases (including
hardware), and the verification and validation phase.  Finally, Professor
McDermid will discuss the skills, education and training required to apply
formal methods to safety-critical software.

Software Safety Analysis--Linking Fault Trees and Petri Nets

Independently, fault trees and Petri nets serve limited evaluation purposes
in safety-critical systems.  This tutorial presents a technique for
converting and linking fault tree analysis (FTA) with Petri net modeling
and vice versa.  This technique permits the analyst to determine if a
software fault can be reached be analyzing the software in detail with FTA.


COMPASS '91 PROGRAM, Tuesday, June 25th

0800    Registration
0900    Opening Remarks, General Chair, Lt. Col. Anthony Shumskas,
    Office of the Secretary of Defense, Department of Defense
0915    Honorary Chair Address
0930    Keynote Address, David L. Parnas, Queens University
1030    Break
1100    Conference Topic Panel:  Educating Computer Scientists for the
        Year 2000
    Chair, John Cherniavsky, National Science Foundation
      David L. Parnas, Queens University
      Peter J. Denning, NASA Ames Research Center
      William L. Sherlis, DARPA
      John A. McDermid, University of York/British Computer Society
      Bruce Barnes, National Science Foundation
      Raymond Miller, University of Maryland
1245    Lunch
1345    Panel (continued)
1515    Break
1545    Questions from the audience to panel members
1830    Cocktail Reception/Banquet (Holiday Inn)
    The Accidents of Life--From Conception to Our Last Moments
          John Cullyer, University of Warwick

COMPASS '91 PROGRAM, Wednesday, June 26th

0800    Registration
0830    Computer Related Risk of the Year:  Weak Links and Correlated Events
    Peter G. Neumann, SRI International
0915    SESSION 1:  EUROPEAN ECONOMIC COMMUNITY '92 PERSPECTIVES
    Chair, John Cullyer, University of Warwick

    Computer Software and Aircraft
      J. Peter Potocki de Montalk, Airbus Industrie

    Some Results From DRIVE
      Thomas Buckley, University of Leeds

1015    Break
1045    SESSION 2:  HOW INDUSTRY TRAINING IN COMPUTER ASSURANCE CAN BE
    IMPROVED THROUGH EDUCATION
    Chair, Diane Jachinowski, Nellcor
      Peter G. Neumann, SRI International
      J. Alan Taylor, British Computer Society
      Claire Lohr, Lohr Systems
      William Junk, University of Idaho
1245    Lunch
1345    SESSION 3A:  CERTIFICATION AND SAFETY OF CRITICAL SYSTEMS
    Chair, Michael Brown, Naval Surface Warfare Center

    Certification of Production Representative/Production Software
    Intensive Systems for Dedicated Test and Evaluation
      Lt. Col. Anthony F. Shumskas, Office of the Secretary of Defense

    Interrelationships of Problematic Components of Safety-Related
    Automated Information Systems
      Morey J. Chick, General Accounting Office

    A Case-Study of Security Policy for Manual and Automated Systems
      Edgar H. Sibley, James B. Michael, and Ravi Sandhu
      George Mason University

1515    Break
1545    SESSION 3B:  CERTIFICATION AND SAFETY OF CRITICAL SYSTEMS (CONTINUED)

    Safety Criteria and Model for Mission-Critical Embedded Software
    Systems
      R. A. Gove and Janene Heinzman, Booz Allen, and Hamilton

    A Case-Study on Isolation of Safety-Critical Software
      Edward A. Addy, Logicon, Incorporated

1830    Birds of a Feather Meeting (Holiday Inn)
    Presentation:  Software Development Methods in Practice
    J. V. Hill, Rolls-Royce and Associates Limited


COMPASS '91 PROGRAM, Wednesday, June 26th

0800    Registration
0830    Day's Keynote:  High Assurance Computing
    H. O. Lubbes, Naval Research Laboratory
0900    SESSION 4A:  FORMAL METHODS
    Chair, Andrew Moore, Naval Research Laboratory

    Report on the Formal Specification and Partial Verification of
    the VIPER Microprocessor
      Bishop Brock and Warren A. Hunt, Computational Logic, Incorporated

    Using Correctness Results to Verify Behavioral Properties of
    Microprocessors
      Phillip J. Windley, University of Idaho

    Estella:  A Facility for Specifying Behavorial Constraint Assertions
    in Real-Time Rule-Based Systems
      Albert Mo Kim Cheng, University of Houston; and
      James C. Browne, Aloysius K. Mok, and Rwo-Hsi Wang,
      University of Texas at Austin

1000    Break
1030    SESSION 4B:  FORMAL METHODS (CONTINUED)

    Design Strategy for a Formally Verified Reliable Computing Platform
      Ricky Butler and James L. Caldwell, NASA Langley Research Center;
      and Ben L. De Vito, Vigyan, Inc.

    Specifying and Verifying Real-Time Systems Using Time Petri Nets and
    Real-Time Temporal Logic
      Xudong He, North Dakota State University

    Developing Implementations of Estelle Specifications Using the PEDS
    Toolkit
      William Majurski, NIST

1245    Lunch
1345    SESSION 5:  US AND INTERNATIONAL SPONSORED INITIATIVES
    Chair, H. O. Lubbes, Naval Research Laboratory

    NIST:  Workshop on Assurance of High Integrity Software
      Dolores R. Wallace, D. Richard Kuhn, NIST, and
      John Cherniavsky, National Science Foundation

    NASA Langley:  Research Program in Formal Methods
      Ricky Butler, NASA Langley Research Center

1445    Break
1515    SESSION 6:  RISK CONTAINMENT PLANNING AND QUALITY MEASUREMENTS
    Chair, Michael Brown, Naval Surface Warfare Center

    Planning and Implementing and IV&V Program in a Large Scale DoD
    Software Development Program
      Florence Sippel and Kevin Mello, Naval Underwater Systems Center

    Quality and Security, They Work Together
      Richard Carr, Marie Tynan, NASA Headquarters; and
      Russell Davis, PRC, Inc.

    Data Collection and Descriptive Analysis:  A First Step for
    Developing Quality Software
      Anita Shagnea, Kelly Hayhurst, and B. Edward Withers,
      Research Triangle Park

    Fault Locator and Weighting System
      Jeffrey Bulow, General Electric, Syracuse

1715    Closing Remarks


Friday, June 28th

0830 - 1400 Forum:  US and International Standards for High Integrity
        Systems (DoD, Government, and Industry)
        Chair, Dolores Wallace, National Institute of Standards and
        Technology

     [The packet was very long, including registration and hotel information.
     You may get the complete version from John, or even from me.  PGN]

Please report problems with the web pages to the maintainer