The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 48

Thursday 18 April 1991


o US Gov't is not careful with its supplies
Garrett Wollman
o Trap doors and such
Jerry Leichter
o Re: S. 266
Steve Bellovin
Bill Murray [2]
Brint Cooper
o On Toffler
Rob Kling
o Simulation: Minus heart disease, etc...
Gregory G. Woodbury
o Social Engineering
CERT Advisory
o Info on RISKS (comp.risks)

US Gov't is not careful with its supplies

Garrett Wollman <wollman@emily.UVM.EDU>
Wed, 17 Apr 91 7:58:13 GMT-6:40
[Related to me by my father, who works for the Federal Courts.  -GW]

On Monday, April 15, a truck containing thousands of dollars worth of US
Government forms, stationery, and supplies (250 line-items, as it happened) was
delivered to the US District Court in Burlington, Vt.  At about the same time,
five small items ordered by the court were delivered to the US Mint in San
Francisco.  Neither office got what it needed--"did you say *six* paper

How did this happen?  It turned out, on further investigation, that there is a
very large flaw in the computerized ordering system the General Services
Administration uses for Government offices to enter their supply orders.  When
logging in, the user is required to enter a location code and a password.
However, it seems that the program *never bothered to check* whether the
password (which was, of course, valid) corresponded to the location code that
was entered.  Thus, anyone who has access to this system could literally cause
millions of dollars of equipment to be shipped--and billed--to another agency
which doesn't need or want it, without anyone being the wiser until the trucks
pull in.

The cause of our error?  A single letter in the location code was changed from
'c' to 'd'.

Garrett A. Wollman -

Trap doors and such

Jerry Leichter <>
Wed, 17 Apr 91 12:23:34 EDT
Bill Murray dislikes my claim that S. 266 would not require "trap doors", and
goes on to long philosophical discussions of whether one should trust the

Let's try and keep the issues separate.

    a)  The phrase "trap door", as used in computer science, has a
        fairly specific referent:  It is a technique for getting
        around a security provision in a system, inserted into
        that system by its designers, of which the user of the
        system is generally unaware.

        A cryptographic system based on a central authority that
        issues keys does NOT have a trap door.  It is plain to
        every user of the system that the issuing authority has
        access to the key.

        Beyond the difference in knowledge, there is another
        quite significant distinction:  A trap door is a general
        mechanism.  Knowledge of the trap door may leak out, or
        an outside party may discover the trap door on its own.
        Once that knowledge is out, ALL users of the system have
        been compromised.  This makes a trap door an extremely
        dangerous thing to have in a cryptosystem.

        On the other hand, compromise of a given user's key by
        the central authority only compromises that given user's
        security.  Yes, the central authority adds one additional
        place for compromise to occur.  However, there is no analog
        in this setup to a third party finding the trap door:  The
        only thing he can do is find the key, i.e., make a tradi-
        tional attack on the cryptosystem.

    b)  There is a difference between the government HAVING THE CAPA-
        BILITY to decrypt your private mail, and its actually
        choosing to do so.  The government today has the capability
        to tap your phone, intercept your mail, plant bugs in your
        office, and so on.  Your ONLY protection from such actions
        (and it's certainly a protection that has at many times proved
        insufficient) are the legal limitations on what the government
        may do.

    c)  As a result of (b), I'll repeat:  Truly strong widely-available
        cryptosystems would provide a capability that no one in
        history has ever really had:  The ability to shield communi-
        cations and records in a way that the government cannot
        get around, whether or not it is bound by law.

Whether, on balance, we wish to provide a capability as in (c) is worth
debating.  There are strong arguments on both sides.  But a rational debate on
these issues isn't possible unless we begin by being clear about what the
choices actually are.
                     -- Jerry

Re: S. 266

Wed, 17 Apr 91 14:17:17 EDT
I think we should separate any discussion of S. 266 from discussion of the
secure telephone units (STU-III) that NSA is willing to let its friends buy.
Paranoia aside, there are sound technical reasons, or at least justifications,
for some of the decisions made by NSA (there -- I've uttered the Name) in the
design of the new cryptogear.  And there are reasons to doubt that NSA has
quite as much control of the key space as has been portrayed; if there's a
trapdoor, it's more subtle.  I'll try to explain what little I know without
straying into material more suited to sci.crypt.

I should preface my comments with a few disclaimers.  First, I don't really
know that much about what I'm talking about; I've never had (and don't want)
any sort of security clearance.  Second, very little about this system has been
disclosed to the public.  For the most part, those who do know something aren't
talking, even if they are reading this.  (And some probably are reading RISKS,
often quite legitimately.  The parent organization of NCSC is not classified
information....)  For the most part, my information about the secure phones
comes from Diffie's paper ``The First Ten Years of Public Key Cryptography'',
Proc. IEEE 76,5, May, 1988; other information comes from Aviation Week, June 2,
1986 and Feb 27, 1989.

There is little doubt that public-key technology is used for key distribution.
Among other useful properties, this means that the actual session keys are
generated randomly by the STU-IIIs themselves, for each conversation, and no
permanent record of them exists.  NSA's key distribution center is manifestly
not involved in supplying such keys.  Rather, its role appears to be limited to
issuing and renewing the public-key certificates used for authentication, as
opposed to secrecy.  They certainly could issue themselves bogus certificates
to allow them to impersonate any user, but that's a different issue entirely.
(The KDC might be involved in authorizing pairs of individuals to talk; I'm not
sure.  I'd welcome any (public) information on that topic.  A revoked
certificate list is definitely maintained by the KDC; some references indicate
that this list is consulted on every call, though that seems unwieldy.)

Next, it strikes me as highly improbable that the actual encryption algorithm
used contains trap doors.  That's just too big a risk to take.  Those phones,
in some versions, are rated for top-secret traffic; NSA cannot assume that its
opponents (whomever they may be) are incompetent cryptanalysts.  Nor would they
take the risk that one defection could blow the entire secure phone network.
If there is a back door, I'd speculate (note: *speculate*) that it's more along
the lines of the ``key-or'' techniques discussed by Gifford in ``Cryptographic
Sealing for Information Secrecy and Authentication'' (CACM 25,4, April 1982),
or perhaps Shamir's multipart keys (``How to Share a Secret'', CACM 22,11,
November 1979).

Furthermore, there are often valid technical reasons for a restricted key
space.  DES itself has a handful of weak and semi-weak keys.  Historically, the
M-209 cipher machine used by the U.S. Army during World War II had a number of
restrictions on key selection.  (``Cipher Systems'', Beker and Piper.)  These
restrictions are often inherent in the design of an otherwise-excellent
cryptosystem.  Again, I'll use DES as an example.  The first step in employing
DES is to expand the 56-bit key into a ``key schedule'' of 16 48-bit subkeys.
The key schedule only has 56 bits of information; an obvious way to try to
strengthen DES is to let the user specify all 768 bits.  Remarkably enough,
that doesn't work nearly as well as might be expected -- among other things,
Biham and Shamir (Crypto '90, I think) showed that that variant of DES was only
slightly stronger than the standard version.  And you'd likely lose other
valuable properties, such as independence of the key bits.  In DES, if you flip
one key bit, you'll (statistically) invert half of the output bits for a given
plaintext.  I doubt that that's true if you change individual subkey bits.

Incidentally, it also seems apparent now that NSA actually strengthened DES
against outside attacks.  While they may have buried a trap door in the
S-boxes, they also produced one that's very resistant to the Biham-Shamir
attack.  Regardless of whether or not they can now crack DES (and there's some
reason to think that they can, even if they couldn't 15 years ago), they did do
a credible job of helping folks protect their secrets from other opponents.

If the equipment is really as good as I say it is, why do I think NSA runs the
KDC?  Simply because the equipment really is that good, and they want to make
sure that only their friends have that quality of encryption gear.  NSA, as an
organization, has at several different goals: protecting U.S. confidential
information, reading foreign traffic, and -- maybe -- reading as much domestic
traffic as they can.  While deploying weak cryptosystems furthers the latter
two goals, it directly conflicts with the first.  They won't give up that
mission lightly.

To summarize, while there's ample reason to be suspicious of NSA's motives,
either in general or with respect to S.266 or the secure phones, I don't think
the evidence presented supports the conclusions drawn.  (Of course, there's
always Nixon's Law: just because you're paranoid doesn't mean they aren't out
to get you....)
                            --Steve Bellovin

Re: S. 266

Wed, 17 Apr 91 14:44 EDT
>I think we should separate any discussion of S. 266 from discussion of the
>secure telephone units (STU-III) that NSA is willing to let its friends buy.

Steve, okay.  I am not sure that they are not related, but I will agree
to the separation for sake of orderly argument.

However, if you are thinking of Jerry Leichter's posting to RISKS and my
response, we did not have STU-III in mind.  We were talking about a different
proposal; one that was proposed as a replacement for the DES in commercial data
applications.  While it had many of the same properties, and may have shared
some origins, it was different.

William Hugh Murray, Information System Security, Consultant to Deloitte &
Touche Wilton, Connecticut 203-966-4769

Re: S. 266

Wed, 17 Apr 91 14:58 EDT
Steve, my original reply stands.  We were not talking about STU-III and your
new reply, if anything is more restricted to that than the original.  I think
that there may be some small errors in your response, and I think that you
insert some discussion that is not relevant to Jerry's point or my rebuttal.
However, I am not moved to a response.
                                                William Hugh Murray

[WHMurray: Status of S. 266]

Brinton Cooper <abc@BRL.MIL>
Mon, 15 Apr 91 22:44:09 EDT
NO!  NO!  Mr Biden of DELAWARE, Please!!!   [not Maryland]

On Toffler

Rob Kling <>
Thu, 18 Apr 91 09:24:16 -0700
I just saw an enthusiastic posting about Alvin Toffler's books "Future Shock"
and "The Third Wave" on RISKS. Toffler's a provocative and popular journalist.
But I recommend that readers of RISKS read him VERY critically. Toffler's Third
Wave is a technologically utopian treatise whose assumptions undermine the
kinds of social realism which are essential commentaries on RISKS. In Toffler's
Third Wave, there would be no need for a RISKS!

I see some value to utopian and anti-utopian analyses. But technological
utopianism is so seductive to technologists, and dangerous (IMHO), that we
should be aware of how its rhetoric "works."

I've written about the character of technological utopianism, anti-utopianism,
and social realism as genres of analysis which give selective insight into
issues of computerization, but which also have important systematic
limitations, in:

     "Reading 'All About' Computerization: Five Common
     Genres of Social Analysis" in Directions in Advanced
     Computer Systems, 1990 Doug Schuler (Ed.). Norwood,
     NJ:Ablex Pub. Co. (in press) and

my new book,

     "Computerization and Controversy: Value Conflicts and
     Social Choices" (co-edited with Chuck Dunlop).
     (Academic Press, 1991).

I'm attaching a commentary Toffler's "The Third Wave" from "Computerization and
Controversy." The following paragraphs are from the introduction to a section
I, which examines Technological Utopianism and Technological Anti-Utopianism.


Alvin Toffler's best seller, The Third Wave, helped stimulate popular
enthusiasm for computerization. Toffler characterized major social
transformations in terms of large shifts in the organization of society, driven
by technological change.  The "Second Wave" was the shift from agricultural
societies to industrial societies. Toffler contrasts industrial ways of
organizing societies to new social trends that he links to computer and
microelectronic technologies. He is masterful employing succinct breathless
prose to suggest major social changes.  He also invented terminology to help
characterize some of these social changes -- terms like "second wave", "third
wave", "electronic cottage", "infosphere", "technosphere", "prosumer",
"intelligent environment", etc.  Many of Toffler's new terms did not become
commonly accepted.  Even so, they help frame a seductive description of social
change.  These lines from his chapter, "The Intelligent Environment" illustrate
his approach. (Toffler devoted ONLY ONE PARAGRAPH in his chapter to possible
problems of computerization.)

     Today, as we construct a new info-sphere for a Third Wave
     civilization, we are imparting to the "dead" environment
     around us, not life, but intelligence. A key to this
     revolutionary advances, of course, the computer (Toffler,
     1980:168) . . . .

     As miniaturization advanced with lightning rapidity, as
     computer capacity soared and prices per function plunged,
     small cheap powerful minicomputers began to sprout
     everywhere. Every branch factory, laboratory, sales office,
     or engineering department claimed its own . . . .  The
     brainpower of the computer . . . was "distributed." This
     dispersion of computer intelligence is now moving ahead at
     high speed (Toffler, 1980:169).

     The dispersal of computers in the home, not to mention their
     interconnection in ramified networks, represents another
     advance in the construction of an intelligent environment.
     Yet even this is not all.  The spread of machine
     intelligence reaches another level altogether with the
     arrival of microprocessors and microcomputers, those tiny
     chips of congealed intelligence that are about to become a
     part, it seems, of nearly all the things we make and use . .
     . . (Toffler, 1980:170)

     What is inescapably clear, however, whatever we choose to
     believe, is that we are altering our infosphere fundamental-
     ly . . . we are adding  a whole new strata of communication
     to the social system.  The emerging Third Wave infosphere
     makes that of the Second Wave era -- dominated by its mass
     media, the post office, and the telephone -- seem hopelessly
     primitive by contrast. . . . (Toffler, 1980:172)
     In all previous societies, the infosphere provided the means
     for communication between human beings. The Third Wave
     multiplies  these means. But it also provides powerful
     facilities, for the first time in history, for machine-to-
     machine communication, and, even more astonishing, for con-
     versation between humans and the intelligent environment
     around them. When we stand back and look at the larger
     picture, it becomes clear that the revolution in the info-
     sphere is at least as dramatic as that of the technosphere -
     - in the energy system and the technological base of soci-
     ety. The work of constructing a new civilization is racing
     forward on many levels at once. (Toffler, 1980:177--178).
     [(pages from paperback edition of 1980].

Toffler's breathless enthusiasm can be contagious -- but it also stymies
critical thought.  He illustrates changes in the infosphere with The Source --
a large commercial computer-communication and messaging system which has
thousands of individual and corporate subscribers.  (Today, he could multiply
that example with the emergence of competing commercial systems, such as
CompuServe, Genie, and Prodigy, as well as tens of thousands of inexpensive
computerized bulletin boards that people have set up in hundreds of cities and
towns.)  However, there have been a myriad of other changes in the information
environment in the United States which are not quite as exciting to people who
would like to see a more thoughtful culture.

For example, television has become a a major source of information about world
events for many children and adults.  (Many children and adults report that
they watch television for well over 5 hours a day.)  Television news, the most
popular "factual" kind of television programming, slices stories into
salami-thin 30 to 90-second segments.  Moreover, there is some evidence that
functional illiteracy is rising in the United States (Kozol, 1985).  The
problems of literacy in the United States are probably not a byproduct of
television's popularity.  But it is hard to take Toffler's optimistic account
seriously when a large fraction of the population has trouble understanding key
parts of the instruction manuals for automobiles and for commonplace home
appliances, like televisions, VCRs, and microwave ovens.

Toffler opens up important questions about the way that information
technologies alter the ways that people perceive information, the kinds of
information they can get easily, and how they handle the information they get.
Yet his account -- like many popular accounts -- caricatures the answers by
using only illustrations that support his generally buoyant theses.  And he
skillfully sidesteps tough questions while creating excitement (e.g., "The work
of constructing a new civilization is racing forward on many levels at once.").


Utopian images permeate the literatures about computerization in society.
Unfortunately, we have found that many utopian writers distort social
situations to fit their preferences .....  We are not critical of utopian
ideals concerned with a good life for all. The United States was founded on
premises that were utopian premises in the 1700s. The Declaration of
Independence asserts that "all men are created equal" and that they would be
guaranteed the right to "life, liberty, and the pursuit of happiness".

Although utopian visions often serve important roles in stimulating hope and
giving people a positive sense of direction, they can mislead when their
architects exaggerate the likelihood of easy and desirable social changes. We
are particularly interested in what can be learned, and how we can be misled,
by a particular brand of utopian thought -- technological utopianism.  This
line of analysis places the use of some specific technology -- computers,
nuclear energy, or low-energy low-impact technologies -- as the central
enabling element of a utopian vision. Sometimes people will casually refer to
exotic technologies -- like pocket computers that understand spoken language --
as "utopian gadgets." Technological utopianism does not refer to a set of
technologies. It refers to analyses in which the use of specific technologies
plays a key role in shaping a utopian social vision.  In contrast,
technological anti-utopianism examines how certain broad families of technology
facilitate a social order that is relentlessly harsh, destructive, and

[From Introduction to Section I of Computerization and Controversy: Value
Conflicts and Social Choices Charles Dunlop and Rob Kling (Editors). Academic
Press, Boston, 1991.]

Rob Kling, Information & Computer Science, University of California - Irvine

Simulation: Minus heart disease, etc...

Gregory G. Woodbury <ggw@wolves.uucp>
Thu, 18 Apr 1991 02:15:45 GMT
>From: [anonymous]
>New Heart Disease Study Issued
>   BOSTON (AP) [14 Apr 91]
>   Completely eliminating heart disease, the nation's leading killer, would
>increase the average 35-year-old American's life span by just three years, a
>new study concludes.
>   [What are the computer-related risks, you ask?  Here are people using
>   computer models to yield results that could have drastic impact on health
>   care and research funding...]
>     [But the results may be quite sound...  On the other hand, the elimination
>     of heart disease would undoubtably have many concomitant effects, which
>     overall probably could dramatically increase longevity.  PGN]

    As System Programmer for one of the leading competitors to the
program cited in the Circulation article I would like to comment on the
AP article and the problems that the general press has with statistics.

    The readers of RISKS (I am sure) are aware of the difference between
the median and the mean.  The popular press is much less prone to keep the fine
distinction in mind when writing.

    We have a set of programs that allow us to deal with similar public
health interventions and the resulting population shifts (I think that our
population stuff is unique).  Both their program and our program create
actuarial "life tables" which trace a group of individuals over time and
calculate various statistics on the basis of mathematical models.

    Briefly, our results tend to agree with theirs in most categories.  The
main thing to note, though, is that the shift of three years or so is in median
expectation of life!  Not the mean life expectancy at the starting age.  What
this means is that the projections are ONLY useable for populations and mean
nothing applied to individuals.

    It is interesting to note that this "insignificant" gain in median life
expectancy produces a dramatic change in the population pyramid in the future.
For example, in a paper to be published in one of the gerontological journals,
we are showing results that are more than twice as large for males and females
over age 65 in the year 2060 than the census bureau "high" figures.

    All the details (of course) are at the office right now (and I'm at

    The RISKs are even more striking when one knows what use these models
are being put to for future policy making.  Our models are used by NIA(NIH) and
WHO(UN) in providing information about future population structures here and
abroad.  The models get more and more complex and draw on larger and larger
data sets, and (I suspect) that we run on the verge of some kind of chaotic
condition where the results are wildly sensitive to input conditions.  We DO do
some checking for non-chaotic behaviour in the models, but there could be some
places in the function space that are chaotic that we have not seen.

    Other models that I help program and compute on my work network are
used in other fields of medical economics (like HCFA (medicare) and SS) to
project and analyze the results of the Medicare Prospective Payment System and
the Diagnosis Related Groups (DRGs) for budget projections and changes in the

    Certainly, my office is NOT the only think tank that advises HCFA and
NIA and WHO, but ALL of the advising grantees and contractors use computer
modelling with varying degrees of sophistication.  From simple LOTUS-1-2-3 and
Excell spreadsheets on DOS micros, to large scale economic models running on
supercomputers, computing power underlies all of modern economic medical

Gregory G. Woodbury @ The Wolves Den UNIX, Durham NC
           UUCP: ...dukcds!wolves!ggw   ...mcnc!wolves!ggw

CERT Advisory - Social Engineering

CERT Advisory <>
Thu, 18 Apr 91 16:57:35 EDT
CA-91:04                       CERT Advisory
                               April 18, 1991
                 Social Engineering


The Computer Emergency Response Team/Coordination Center (CERT/CC) has received
several incident reports concerning users receiving requests to take an action
that results in the capturing of their password.  The request could come in the
form of an e-mail message, a broadcast, or a telephone call.  The latest ploy
instructs the user to run a "test" program, previously installed by the
intruder, which will prompt the user for his or her password.  When the user
executes the program, the user's name and password are e-mailed to a remote
site.  We are including an example message at the end of this advisory.

These messages can appear to be from a site administrator or root.  In reality,
they may have been sent by an individual at a remote site, who is trying to
gain access or additional access to the local machine via the user's account.

While this advisory may seem very trivial to some experienced users, the fact
remains that MANY users have fallen for these tricks (refer to CERT Advisory


An intruder can gain access to a system through the unauthorized use of the
(possibly privileged) accounts whose passwords have been compromised.  This
problem could affect all systems, not just UNIX systems or systems on the


The CERT/CC recommends the following actions:

    1)  Any users receiving such a request should verify its authenticity
        with their system administrator before acting on the instructions
        within the message.  If a user has received this type of
        request and actually entered a password, he/she should immediately
        change his/her password to a new one and alert the system

    2)  System administrators should check with their user communities
        to ensure that no user has followed the instructions in such
        a message. Further, the system should be carefully examined for
    damage or changes that the intruder may have caused.  We also
    ask that you contact the CERT/CC.

    3)  The CERT/CC urges system administrators to educate their users
    so that they will not fall prey to such tricks.

SAMPLE MESSAGE as received by the CERT (including spelling errors, etc.)

     OmniCore is experimenting in online - high resolution graphics
     display on the UNIX BSD 4.3 system and it's derivitaves [sic]. But, we
     need you're help in testing our new product - TurboTetris.
     So, if you are not to busy, please try out the ttetris game in your
     machine's /tmp directory. just type:


     Because of the graphics handling and screen-reinitialazation [sic], you
     will be prompted to log on again. Please do so, and use your real password.
     Thanks you for your support. You'll be hearing from us soon!



If you believe that your system has been compromised, contact CERT/CC via
telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC), Software
Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890

412-268-7090 24-hour hotline: CERT/CC personnel answer 7:30a.m.-6:00p.m. EST,
on call for emergencies during other hours.     E-mail:

Past advisories and other computer security related information are available
for anonymous ftp from the ( system.

                        [Don't forget Tom Lehrer's "Don't write naughty words
                        on walls that you can't spell.  "sic"s added by PGN]

Please report problems with the web pages to the maintainer