The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 43

Wednesday 10 April 1991


o U.S. Senate S. 266
Bill Murray
o U.S. Senate 266, Section 2201 (cryptographics)
Bill Murray
o The price of quality
David G. Novick
o Some more data on Len Rose
Jerry Leichter
o "LIVING AGAINST THE ODDS" abuses statistics
Jeremy Grodberg
o Re: Rapid dissemination of half-truths, lies, ...
Robert E. Van Cleef
o Re: Bogus License Upends Life
Steve Elias
o Establish and use clearing houses for sensitive information
Steve Elias
o Re: Computer Ballot Tally
Erik Nilsson
o Security does not come through obscurity
Alan Wexelblat
o Re: Tricky application of Caller ID
Bill Woodcock
o Info on RISKS (comp.risks)

U.S. Senate S. 266

Wed, 10 Apr 91 17:23 EDT
Senate 266 introduced by Mr. Biden (for himself and Mr. DeConcini)
contains the following section:


It is the sense of Congress that providers of electronic communications
services and manufacturers of electronic communications service equipment shall
ensure that communications systems permit the government to obtain the plain
text contents of voice, data, and other communications when appropriately
authorized by law.

U.S. Senate 266, Section 2201 (cryptographics)

Wed, 10 Apr 91 18:20 EDT
The referenced language requires that manufacturers build trap-doors
into all cryptographic equipment and that providers of cconfidential
channels reserve to themselves, their agents, and assigns the ability to
read all traffic.

Are there readers of this list that believe that it is possible for
manufacturers of crypto gear to include such a mechanism and also to reserve
its use to those "appropriately authorized by law" to employ it?

Are there readers of this list who believe that providers of electronic
communications services can reserve to themselves the ability to read all the
traffic and still keep the traffic "confidential" in any meaningful sense?

Is there anybody out there who would buy crypto gear or confidential services
from vendors who were subject to such a law?

David Kahn asserts that the sovereign always attempts to reserve the use of
cryptography to himself.  Nonetheless, if this language were to be enacted into
law, it would represent a major departure.  An earlier Senate went to great
pains to assure itself that there were no trapdoors in the DES. Mr. Biden and
Mr. DeConcini want to mandate them.  The historical justification of such
reservation has been "national security;" just when that justification begins
to wane, Mr. Biden wants to use "law enforcement."  Both justifications rest
upon appeals to fear.

In the United States the people, not the Congress, are sovereign; it should not
be illegal for the people to have access tto communications that the government
cannot read.  We should be free from unreasonable search and seizure; we should
be free from self-incrimination.  The government already has powerful tools of
investigation at its disposal; it has demonstrated precious little restraint in
their use.

Any assertion that all use of any such trap-doors would be only
"when appropriately authorized by law" is absurd on its face.  It is not
humanly possible to construct a mechanism that could meet that
requirement;  any such mechanism would be subject to abuse.

I suggest that you begin to stock up on crypto gear while you can still get it.
Watch the progress of this law carefully.  Begin to identify vendors across the

William Hugh Murray, Executive Consultant, Information System Security 21
Locust Avenue, Suite 2D, New Canaan, Connecticut 06840       203 966 4769

The price of quality

"David G. Novick" <>
Wed, 10 Apr 91 14:53:01 -0700
I noticed an interesting column by Joshua J. Kaufman on computers for lawyers
in the March/April edition of The Washington Lawyer, the official journal of
the District of Columbia Bar.  The column began:

  On Second Thought

  "What do you expect from a $69 program?" were the last words said to
  me by the technical department at Isogon Corporation.  The comment was
  made after its product NewSpace, a data compression utility (which I
  have reviewed favorably in the past), managed to destroy 1,400 files
  and 42 megabytes of my data.  I spent over an hour on the phone with
  technicians trying to find a way to correct the problem--all to no avail.

What happened to Kaufman is that he had been using NewSpace successfully
to compress files on his hard disk.  One night he started up the program,
left work, and came back in the morning to discover that his computer had
"frozen."  When he rebooted, the "file allocation table" was damaged in a
way that could not be recovered.  Thus while his files were almost all
fine, he could not retrieve them, despite the fact that he could list
the files in his directory.

The RISKS I see here are (1) relying on reviewers of software who use
a product casually but who do not systematically test, and (2)
producing software that can, without prior notice, leave your system
in an unrecoverable state.  For $69, perhaps Kaufman was entitled to a
product that, even though possibly buggy, would be designed to fail

David G. Novick, Department of Computer Science and Engineering, Oregon
Graduate Institute of Science and Technology, Beaverton, OR 97006-1999

Some data on Len Rose

Jerry Leichter <>
Mon, 8 Apr 91 22:29:15 EDT
With all the verbiage about whether Len Rose was a "hacker" and why he did
what he in fact did, everyone has had to work on ASSUMPTIONS.  Well, it turns
out there's now some data:  A press release from the US Attorney in Chicago,
posted to the Computer Underground Digest by Gene Spafford.  I've extracted
one interesting portion concerning the famous "modified login.c" program:

    In pleading guilty to the Chicago charges, Rose acknowledged that when
    he distributed his trojan horse program to others he inserted several
    warnings so that the potential users would be alerted to the fact that
    they were in posession of proprietary AT&T information. In the text of
    the program Rose advised that the source code originally came from
    AT&T "so it's definitely not something you wish to get caught with."
    and "Warning: This is AT&T proprietary source code. DO NOT get caught
    with it." The text of the trojan horse program also stated:

        Hacked by Terminus to enable stealing passwords.
        This is obviously not a tool to be used for initial
        system penetration, but instead will allow you to
        collect passwords and accounts once it's been
        installed.  (I)deal for situations where you have a
        one-shot opportunity for super user privileges..
        This source code is not public domain..(so don't get
        caught with it).

    Rose admitted that "Terminus" was a name used by him in communications
    with other computer users.

I can't imagine a clearer statement of an active interest in breaking into
systems, along with a reasonable explanation of how and when such code could
be effective.  (BTW, back in the early 70's, some friends of mine and I dis-
covered that a newly-installed APL system still had no password, or a standard
password, set on its operator account.  Because we had quick access to some
code that would let us to "trap" the resulting privileges, we were able to
continue to play God on that system for years - although the operator password
was changed within a day or two.  "One-shot opportunities" DO occur.)

The only thing that will convince me, after reading this, that Rose was NOT an
active system breaker is a believable claim that either (a) this text was not
quoted correctly from the modified login.c source; or (b) Rose didn't write
the text, but was essentially forced by the admitted duress of his situation
to acknowledge it as his own.
                            -- Jerry

"LIVING AGAINST THE ODDS" abuses statistics (what else is new)

Jeremy Grodberg <>
Mon, 8 Apr 91 13:30:50 PDT
The PBS Special "Living Against the Odds" showed some signs of statistics
abuse which were especially annoying for a special which is supposed to
enlighten the masses about this kind of thing.  It is bad enought that this
king of abuse is the foundation of much of our current public policy
debates, but to see it emphasized like this: isn't there anything we can do?

2 examples:

The statistic they used to judge the risk of an activity was deaths per
100,000 participants.  In other words, they said that 20 out of 100,000
people who climb rocks die while climbing rocks, and 20 out of 100,000
people who drive cars die while driving cars, so the two activities are
equally dangerous.  This conclusion does not follow, for it does not
take into account the very likely possibility that people who climb
rocks spend a significantly different amount of time climbing rocks
than people who drive cars spend driving cars, over the course of a
lifetime.  If the average rock climber spends 1,000 hours of his life
climbing rocks, and the average driver spends 10,000 hours driving,
then the mortality statistics suggest that rock climbing is 10 times as

One of the "experts" was shown saying (I quote from memory) "80% of people
surveyed think they are safer than average drivers. Obviously this can't
be true."  Unfortunately for the expert, it can be true, and it wouldn't
surprise me if it *were* true.  For a very simple example, take the case
where 80% of the people have exactly 1 accident every 2 years, and 20% of
the people have exactly 2 accidents every 2 years.  The "average" driver
therefore has 0.6 accidents per year, and 80% of the drivers are better
than average, since they only have 0.5 accidents per year.

How can we survive as a democracy in a technological age when even the experts
can't understand the complexities of the data they are evaluating?
                                                                Jeremy Grodberg

Re: Rapid dissemination of half-truths, lies, disinformation (11.41)

Robert E. Van Cleef <>
Tue, 9 Apr 91 09:48:42 -0700
Accepting the statements of "those who should know" without question is an old
problem.  If my memory serves, one of the reasons given for the success of the
Communist Revolution in China was a belief on the part of the Chinese
population that written statements were "Truth"; leading them to believe the
propoganda posters without question.

I have seen the same factor at play with individuals who believe everything
they read in the paper, or hear on a TV news programs, or learn from their
friend, neighbor, or pastor. The FCC has been repeatedly hit by unfounded
petition drives of various sorts. Most of these problems have been well
documented as Urban Legends.

The computer related risk, like always, is in the speed and ease of
propagation.  It is too easy to mail a copy of this "important" message to
hundreds of people, where it can sit in someone's mailbox until they decide to
pass it on.

There are two things that we can do as individuals:

    1) Establish and use clearing houses for sensitive information.

       Having the CERT validate and announce security problems will
       help prevent the problem of people ignoring a security bug
       in ftp because of too many previous false messages.

    2) Identify your sources:

       If all you have is hearsay, note it as such! If you have a
       reference, list it. One of the most valuable features of the
       RISKS digest is the fact that most of the posters identify
       the sources of their information.

As long as people believe what they want to believe, be it the National
Enquirerer or alt.rumors, this will be a problem.

Bob Van Cleef, NASA Ames Research Center (415) 604-4366

Re: Bogus License Upends Life

Steve Elias <>
Tue, 09 Apr 91 10:43:47 MDT
I'd like to point out that the woman who had her life upended by someone
stealing her identity probably would have been able to avoid this problem if
she had been a member of TRW Credentials service.  Many of you usenet-folk love
to slam this TRW service, but in a case like this woman's, it may have saved
her all that trouble.

Re: Computer Ballot Tally

09 Apr 91 10:42:24 PDT (Tue)
Oops, I forgot an important point.  A big advantage of precincts is that you
pick precincts to recount at random, then verify the recount numbers against
the original counts for that precinct.  If you start seeing discrepancies, then
you need to recount everything.  Then, the recount actually tells you something
about the original count.

I also didn't say anything about pre- and post-election testing of the system,
yet another BIG AREA.
                                         - Erik          (503)690-8350          690-9292[fax]

Security does not come through obscurity (B.J. Herbison, RISKS-11.42)

Tue, 9 Apr 91 17:29:12 edt
Herbison takes Richard Wexelblat to task for asking if a ballot-verification
method is secure by stating:

> [The method] *might* have been reasonable before you published it, but now
> that you have provided the information needed to cook the vote and avoid
> detection--just modify the electronic vote counter so it is accurate until
> the ballot count is larger than 2% of the expected returns and does
> anything it wants after that point.

This argument is fallacious on two counts.  One, it assumes that if Richard
hadn't publicised the verification method, no one with ill intent would have
known it.  Any system security manager can tell you that those with ill intent
are often the best-informed on system vulnerabilities.  Security through
obscurity just doesn't work.

Two, it implicitly assumes that someone could be in a position to "modify the
electronic vote counter" and yet not know the verification method.  Highly
unlikely, I'd say.

[For the record, Richard Wexelblat is my father.  That doesn't make Herbison's
argument any less unreasonable.]

--Alan Wexelblat, Bull Worldwide Information Systems, phone: (508)294-7485

Re: Tricky application of Caller ID (Davis, RISKS-11.42)

Bill Woodcock <woody@ucscb.UCSC.EDU>
Mon, 8 Apr 91 20:39:56 -0700
> Consider the scenario for a moment and imagine, say, 10,000 kids in the
> audience actually do what they're told.  You've got 10,000 phones dialing the
> same number simultaneously.  How many of those calls do you think will
> actually get through?

In answer to your question, all 10,000 of them will get through.  Sprint has a
service called "Mass Event 900/800" for doing exactly this.  It can handle,
coincidentally, 10,000 calls simultaneously, and is offered to all their larger
800 and 900 customers.  I've heard, but not been able to substantiate, that
AT&T has a similar service.
                                -Bill Woodcock, BMUG NetAdmin

Please report problems with the web pages to the maintainer