The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 62

Monday 6 May 1991

Contents

o 9th Federal Reserve Bank Drowned
Ted Lee
o Changing class grades in Alaska
Dean Gottehrer
o On Tulips, Hacking, and Tequila
Herman J. Woltring
o Fences, bodyguards, and security (of old O/S)
Bob Estell
o Crackers: passwords & "holes" vs locks & combinations
Leonard Erickson
o Fly-by-Wire Glitch
A. Padgett Peterson
o EFFector Online 1.04
Gerard Van der Leun and Mike Godwin via Chris Davis
o Info on RISKS (comp.risks)

9th Federal Reserve Bank Drowned

<TMPLee@DOCKMASTER.NCSC.MIL>
Mon, 6 May 91 01:36 EDT
On Monday April 8 the computer center at the Minneapolis Federal Reserve Bank
was flooded out of commission by a broken air-conditioning cooling water pipe
in the ceiling.  [I'll ignore the RISKs of such a design; the point of this
note is something else.] The Minneapolis Fed covers 1,700 financial
institutions in six states; it moves something like $10 billion daily.  Note
that in addition to the normal check-clearing functions one associates with it,
a Federal Reserve bank handles things like direct-deposit of paychecks in its
region, so cessation of its function for any length of time can cripple a
regional economy.  An article in the April 29th Minneapolis Star Tribune
describes in fair detail how effective the contingency plan was -- all
functions were transferred to a back-up facility in Culpeper, Virginia, using a
not-very-well-described set of "minicomputers" at the U.S.  Postal Data Service
Center near the Minneapolis Airport as an intermediary.  (The article says:
"They would serve as the new intake center for data transmitted by financial
institutions by direct computer hookup, phone line and messenger.  From there
the information would be routed over the postal center's high-speed, secure
phone line to the auxiliary center in Culpeper.") The Culpeper center is the
back-up for 10 of the 12 federal reserve districts -- and this apparently was
the first time it was used.  The back-up was in operation within 12 hours,
although it appears to have taken almost a week before all services were fully
restored, and up to ten days for some transactions to catch up.

The point of my note is the following.  The executive director of the Upper
Midwest Automated Clearing House Association is quoted as saying, "The Fed was
concerned because it was running blind.  They really didn't want the
marketplace to know that they were in disaster recovery ...  and susceptible to
fraud." The Federal Reserve Bank's chief financial officer said there's no
evidence that anybody tried to rip off any banks electronically ...  "Our
systems were not compromised; the security was there and valid."

It sounds to me like there definitely was a window of vulnerability and that
no-one knows in fact if it was exploited.  (The cash management officer for a
large Minneapolis bank is quoted as saying "We had ...  some large dollar
transactions, say $200,000, that were lost for up to 10 days....  When you've
got items in the hopper [and] you haven't had time to back it up, they get
lost.")
                 [Maybe that is what is meant by a Grace Hopper?  PGN]


Changing class grades in Alaska

"Dean Gottehrer" <FFDMG@ALASKA.BITNET>
Sun, 05 May 91 18:37:23 -0900
As a university professor I wondered about the RISK of some programmer
changing a student's grades on the computer.  I never hear much about it
ever happening until the following story appeared in the local papers:

   FAIRBANKS -- The University of Alaska Fairbanks has fired a computer
specialist accused of using his access to electronically change a student's
grades.  Robert Concannon, 38, has pleaded not guilty to the felony tampering
charge and is scheduled to go to trial in July.  He faces up to five years in
jail and a $50,000 fine if convicted of the class-C felony.
   University officials say the incident has not affected the integrity of the
University of Alaska system. "This was a highly isolated incident that was
dealt with very quickly," said David Leone, head of the statewide computer
network.
   Concannon, a database specialist at the university's statewide computer
center was fired after a series of audits confirmed a suspicion in the
admission's office that UAF student Colleen Gallagher's grades were changed
last fall.  University spokeswoman Debra Damron said the audits and an
independent consultant discovered that Concannon, one of a staff of five, had
access to the information.  He is accused of changing Gallagher's grades of two
"F's" and a "D" to two "A's" and a "C."

  [Have others heard of similar cases around the country?  Are the penalties
  as stiff as the ones here in Alaska?  Are they actually applied?
  Dean Gottehrer, Anchorage, Alaska]

                  [Perhaps Concannon might now use his skills to
                  upgrade his class-C felony to a class-A felony?  PGN]


On Tulips, Hacking, and Tequila

"Herman J. Woltring" <UGDIST@nici.kun.nl>
Sat, 4 May 91 23:59 MET
RE: Hacking, Civil, and Criminal Law -- Reply to
    --- J. Giles        (USA) <RISKS 11(60)>
    --- Hugh Cartwright (UK)  <RISKS 11(61)>

Both posters seem to overlook the difference between civil and criminal law:
the former only requires a balance of evidence, with the court quite passive,
the latter requires clear evidence that highly specific acts, defined in the
law books as criminal, have been committed, with the court quite active in
asserting whether the law, indeed, has been broken.  It is one thing to have
private litigation between parties, where the court will take a decision by
(freely) interpreting the evidence put to it, it is something quite different
if the whole Nation is out to fine, jail, hang, or electrocute you.

In essence, most postings on this list make generalisations and comparisons
which are typical of civil law; comparisons abound of physical trespassing
or breaking & entering with unauthorised access to insufficiently secure
information systems (no passwords, known system passwords, or simplistic
passwords).  At this time, various countries including mine have not decided
yet to what extent computer trespassing should be declared a criminal offence.
Therefore, the choice is not, in the words of my UK neighbour,

> The law has to take a stance.  It can protect the interests of legitimate
> users, by making unauthorized access illegal.  Or it can protect unautho-
> rized users by making it legal.

but to decide whether the latter should be declared a criminal offence since
it is currently not  -- while it may be unlawful under civil law, depending
on the parties' arguments in front of a rather passive judge.

The decision involves policy matters of a wider scope than just the alleged
criminality of the behaviour in question: is it `opportune' to widen the
scope of so-called criminal acts?  To what extent is civil law capable of
handling these problems?  Is hacking by external intruders really so serious
as suggested in the (electronic) press?  What about internal `theft' within
institutions and organisations -- is this much more serious?  Should society
as a whole (because of the tax-payer's funding of the public prosecutor's
office) bear the burden for some private interests OR public institutions who
are too lazy to guard their own doorstep?  These are some of the questions
posed or implied in the Preliminary Comments from the Standing Committee on
the Judiciary in the Dutch House of Representatives with respect to Bill 21551
(26 Nov 1990).

I may have been slightly obscure in my Dagobert Duck example; DD is certainly
liable in civil law for solliciting criminal behaviour (in all likelihood, his
insurance will not pay his damages), and I should think that too blatantly
flaunting one's richness might even be sufficiently antisocial to qualify as
`criminal' -- the kind of behaviour that causes revolutions.

Mr Giles' example of the lady who enters a singles' bar is inappropriate: it
is a public place for which different rules exists -- unless DD's behaviour
should be interpreted as turning his vaults into such a public place ... But
even in a public place, you may have to pay for services rendered or products
provided.

I submit that criminal law is not the equivalent of John Wayne riding into your
village and protecting your peaceful and law-abiding community from the nasty
crowd that has been invading you from Mexico or The Netherlands.  Don't cry for
a Strong Man who will wipe out your troubles with a six-gun, but make sure that
you take appropriate measures to guard your own doorstep.  However, do so with
commensurate means, rather than by solliciting crime through overkill: there
are too many guns on the street already.  If you succeed in convincing your
legislators that computer trespassing is tantamount to highjacking a plane --
fine, but do realise the consequences when somebody quite by mistake lands up
in the wrong account or tries to find back his own, accidentally deleted data.

I believe that computer users deserve adequate protection under the law, not
that `unauthorised' users deserve more protection than `authorised' users.
At present, authorisation exists by default under some countries' criminal
law, and the question is simply to what extent this authorisation should be
withdrawn.

The problem reminds me of the current struggle on software copyright.  A new
right is about to be born, namely the exclusion of Fair Dealing under British
Copyright Law which has entitled you up to now to study and review a software
package in object code by decompiling or disassembling it in order to find out
about its functional properties -- whether this information is to be used for
publishing a critical review in a journal or for making a competing, and
hopefully better, software package.  The European Communities are in the
process of accepting a Directive on Software Protection in which such
activities are declared illegal as regards the central core of a software
package.  Interface aspects may be analysed confidentially, and software
`maintenance' may be performed by or on behalf of `legitimate' users.

While the proposed Directive claims that the `central ideas etc.' will remain
free and unprotected, and quite appropriately so under the Copyright Doctrine,
you may not obtain those ideas from the package unless you are licensed to do
so.  The proposed Directive curtails former `Fair Use / Fair Dealing' rights
substantially.  For example, how could Shakespeare lawfully determine under
such a system whether indeed his (way of making) thunder had been stolen ... in
other words, can patent infringement be legitimally assessed under this new
protection scheme, or do we need Anton Pillar orders for that?  If so, how do
we collect the evidence to convince the judge that such an order is
appropriate?

I am not saying that hacking is fair, but I do claim that the criminalising
responses on this Forum are incompatible with the extent of its (un)fairness.
Alas, there are no simple solutions, and that's why my reply has become so
lengthy.
                           Herman J. Woltring, Eindhoven/NL


Fences, bodyguards, and security (of old O/S)

"351M::ESTELL" <estell%351m.decnet@scfb.nwc.navy.mil>
6 May 91 07:51:00 PDT
Mike is right about better security ON THE HOST.  No quarrel there.  And Rick
is right about "no magic bullets."  I assume - wrongly? - that those who
install systems try to use them right.  Rick's cautious approach is safer,
perhaps because it's pessimistic.

However, the issue I addressed was an "old O/S" where some of the several
operational definitions of "old" include (a) poor security in partucular,
and (b) little or no networking in general; e.g., UNIVAC's O/S 1100 c. 1980.
(A far cry from the 1991 version, which I understand is B2 now, thanks to some
pioneering work by TMP Lee et al.)

Clearly, those who, like UniSys get on the ball and improve, reap multiple
benefits.  However, for that "crucial application" running on an old host
with old O/S, a "guard gate" is better than no protection.

To pursue my physical world analogy, should the next President wear a
bullet proof vest, a visored helmet, carry a .357 Magnum, and be a
martial arts expert? Or can we still rely on the Secret Service?

Broader and deeper views of the problem suggest NO ONE SOLUTION is adequate;
i.e., for "classified work" a network should comprise ONLY "multi-level secure"
operating systems (i.e., A1 rated by DoDCSC).  Today, that is not possible -
unless one uses the "guard gate" idea.  Moreover, EVEN IF all modern O/S were
A1 by say the year 2000, I doubt that DoD, NSA et al, would grant network
access to those hosts that run secret work.  No problem, in a way; i.e., some
of those secure hosts have no desire whatsoever to "offer resources" to the
network; BUT they do need to exchange information with colleagues far away -
which today they do via US registered mail, bonded courier, etc. instead of
encrypted e-mail, for example.  There is no reason why today such secret hosts
could not use "encrypted e-mail" by following the "guard gate" scheme, complete
with approved encryption devices at appropriate points; e.g., use software
encryption for the files, on the host; then use a "KG" device to bulk encrypt
that data as it passes from the host to the network server; then use STU-III
phones to connect to a remote site; all these devices and processes to reside
"in the vault" except of course for the "long lines" connecting the two STU-III
phones.  Yes that is s-l-o-w but it is also secure, and much faster than the US
mail and courier alternatives.  The fact that such transmissions cannot be
direct (host to host) does not mean that they cannot occur.  The guard gate
scheme makes a layered, but unbroken connection possible: Users must
consciously login to remote e-mail hosts; but that is better than no e-mail,
etc.
                                    Bob


crackers: passwords & "holes" vs locks & combinations

Leonard Erickson <70524.2603@compuserve.com>
03 May 91 02:22:03 EDT
I agree with Richard O'Keefe's comments in RISKS 11.58. Several of the "well
known" holes are exactly equivalent to "well known" "holes" with locks. For
example, a certain major brand of bicycle lock can be picked with a piece of
bent wire in approximately 5 seconds (as I once demonstrated to an employer who
was going to use one to secure some valuable items!)

Likewise, many OS's have equally bad shortcomings in their security IF YOU ARE
KNOWLEDGABLE. The user should only have limited responsibility for OS "holes".
Especially since, as many have noted, there may be nothing they can do about
it. If (for example) you are running a TRS-80 Model 1, you *cannot* fix the
holes in it's OS, it would cost more than the entire system is worth. And if
you are using such an old item, you either are broke, or have a *very*
compelling reason.

On the other hand, you had better not be counting on it being secure.
Ignorance *may* be forgivable the first time. After that, you have no excuse
for continuing to keep valuables in an "unsafe" environment.

Default passwords and accounts are a bit different. The user *can* change
those. Just as when you buy a briefcase with a combo lock, you either change
the combo from the factory default, or you accept responsibility for any
unauthorized access.

Note, however, that just because I haven't changed the combination on
my briefcase (and thus have some responsibility for any resulting
losses), that in no way affects the underlying fact that it is wrong to
attempt to open my locked briefcase without permission! Unauthorized
use of a password is no different from unauthorized use of a
combination. The password may be stupid, but you *still* have no
business messing with the lock!

Your curiousity regarding the contents of my briefcase, or even merely as to
whether I've changed the combo, does *not* give you the right to try and find
out. Likewise, a cracker's curiousity doesn't give him the right to go where he
isn't wanted.


Fly-by-Wire Glitch (11.55 - Joseph Nathan Hall)

A. Padgett Peterson 407-356-6384 <padgett%tccslr.dnet@uvs1.orl.mmc.com>
Wed, 1 May 91 08:15:54 -0400
This comment on the Northrop YF-23 "early generation flight-control software"
glitch was somewhat humourous since over a decade ago we faced the same
problems on the AFTI-F16 program, a multiple-redundant full-authority digital
system. As Mr. Hall suggested, we used the simple expedient of a weight-on-
wheels switch to control such things. It will be interesting to see when
Northrop starts "pushing the envelope" if they will rediscover some other
"interesting" anomalies we ran into in the "earliest generation".
                                                                     Padgett


EFFector Online 1.04

Chris Davis <ckd@eff.org>
Wed, 1 May 91 21:33:03 -0400
     ************************************************************
     ************************************************************
     ***         EFFector Online #1.04  (May 1, 1991)         ***
     ***                 (Formerly EFF News)                  ***
     ***       The Electronic Frontier Foundation, Inc.       ***
     ***               Net address: eff@eff.org               ***
     ************************************************************
     ************************************************************

Editors:    Gerard Van der Leun  (gerard@eff.org)
        Mike Godwin  (mnemonic@eff.org)

REPRINT PERMISSION GRANTED: Material in EFFector Online may be reprinted if
you cite the source.  Where an individual author has asserted copyright in
an article, please contact her directly for permission to reproduce.

E-mail subscription requests:  eff-request@eff.org
Editorial submissions: eff@eff.org

        AND NOW THE NEWS

The following press release was Faxcast to over 1,500 media
organizations and interested parties this afternoon:

EXTENDING THE CONSTITUTION TO AMERICAN CYBERSPACE:

TO ESTABLISH CONSTITUTIONAL PROTECTION FOR ELECTRONIC MEDIA AND TO OBTAIN
REDRESS FOR AN UNLAWFUL SEARCH, SEIZURE, AND PRIOR RESTRAINT ON PUBLICATION,
STEVE JACKSON GAMES AND THE ELECTRONIC FRONTIER FOUNDATION TODAY FILED A CIVIL
SUIT AGAINST THE UNITED STATES SECRET SERVICE AND OTHERS.


    On March 1, 1990, the United States Secret Service nearly
destroyed Steve Jackson Games (SJG), an award-winning publishing
business in Austin, Texas.
    In an early morning raid with an unlawful and unconstitutional warrant,
agents of the Secret Service conducted a search of the SJG office.  When they
left they took a manuscript being prepared for publication, private electronic
mail, and several computers, including the hardware and software of the SJG
Computer Bulletin Board System.  Yet Jackson and his business were not only
innocent of any crime, but never suspects in the first place.  The raid had
been staged on the unfounded suspicion that somewhere in Jackson's office there
"might be" a document compromising the security of the 911 telephone system.
    In the months that followed, Jackson saw the business he had built up
over many years dragged to the edge of bankruptcy. SJG was a successful and
prestigious publisher of books and other materials used in adventure
role-playing games.  Jackson also operated a computer bulletin board system
(BBS) to communicate with his customers and writers and obtain feedback and
suggestions on new gaming ideas.  The bulletin board was also the repository of
private electronic mail belonging to several of its users.  This private mail
was seized in the raid.  Despite repeated requests for the return of his
manuscripts and equipment, the Secret Service has refused to comply fully.
    Today, more than a year after that raid, The Electronic Frontier
Foundation, acting with SJG owner Steve Jackson, has filed a precedent setting
civil suit against the United States Secret Service, Secret Service Agents
Timothy Foley and Barbara Golden, Assistant United States Attorney William
Cook, and Henry Kluepfel.
    "This is the most important case brought to date," said EFF general
counsel Mike Godwin, "to vindicate the Constitutional rights of the users of
computer-based communications technology.  It will establish the Constitutional
dimension of electronic expression.  It also will be one of the first cases
that invokes the Electronic Communications and Privacy Act as a shield and not
as a sword -- an act that guarantees users of this digital medium the same
privacy protections enjoyed by those who use the telephone and the U.S. Mail."
    Commenting on the overall role of the Electronic Frontier Foundation in
this case and other matters, EFFs president Mitch Kapor said, "We have been
acting as an organization interested in defending the wrongly accused. But the
Electronic Frontier Foundation is also going to be active in establishing
broader principles.  We begin with this case, where the issues are clear.  But
behind this specific action, the EFF also believes that it is vital that
government, private entities, and individuals who have violated the
Constitutional rights of individuals be held accountable for their actions. We
also hope this case will help demystify the world of computer users to the
general public and inform them about the potential of computer communities."

    Representing Steve Jackson and The Electronic Frontier Foundation in
this suit is James George,Jr. of Graves, Dougherty, Hearon & Moody of Austin,
Rabinowitz, Boudin, Standard, Krinsky & Liberman of New York,and Harvey A.
Silverglate and Sharon L. Beckman of Silverglate & Good of Boston .
    Copies of the complaint, the unlawful search warrant, statements by
Steve Jackson and the Electronic Frontier Foundation, a legal fact sheet and
other pertinent materials are available by request from the EFF.

    @+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@


Also made available to members of the press and electronic media on request
were the following statements by Mitchell Kapor and a legal fact sheet prepared
by Sharon Beckman and Harvey Silverglate of Silverglate & Good, the law firm
central to the filing of this lawsuit.


WHY THE ELECTRONIC FRONTIER FOUNDATION IS BRINGING SUIT ON BEHALF OF STEVE
JACKSON.

    With this case, the Electronic Frontier Foundation begins a new phase
of affirmative legal action. We intend to fight for broad Constitutional
protection for operators and users of computer bulletin boards.

    It is essential to establish the principle that computer bulletin
boards and computer conferencing systems are entitled to the same First
Amendment rights enjoyed by other media.  It is also critical to establish that
operators of bulletin boards JQJ whether individuals or businesses JQJ are not
subject to unconstitutional, overbroad searches and seizures of any of the
contents of their systems, including electronic mail.

    The Electronic Frontier Foundation also believes that it is vital to
hold government, private entities, and individuals who have violated the
Constitutional rights of others accountable for their actions.


           Mitchell Kapor,
           President, The Electronic Frontier Foundation

    @+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@+@


LEGAL FACT SHEET: STEVE JACKSON GAMES V. UNITED STATES SECRET SERVICE, ET AL.

This lawsuit seeks to vindicate the rights of a small, successful
entrepreneur/publisher to conduct its entirely lawful business, free of
unjustified governmental interference.  It is also the goal of this litigation
to firmly establish the principle that lawful activities carried out with the
aid of computer technology, including computer communications and publishing,
are entitled to the same constitutional protections that have long been
accorded to the print medium. Computers and modems, no less than printing
presses, typewriters, the mail, and telephones -being the methods selected by
Americans to communicate with one another -- are all protected by our
constitutional rights.


Factual Background and Parties:

Steve Jackson, of Austin, Texas, is a successful small businessman.  His
company, Steve Jackson Games, is an award- winning publisher of adventure games
and related books and magazines.  In addition to its books and magazines, SJG
operates an electronic bulletin board system (the Illuminati BBS) for its
customers and for others interested in adventure games and related literary
genres.

Also named as plaintiffs are various users of the Illuminati BBS.  The
professional interests of these users range from writing to computer
technology.

Although neither Jackson nor his company were suspected of any criminal
activity, the company was rendered a near fatal blow on March 1, 1990, when
agents of the United States Secret Service, aided by other law enforcement
officials, raided its office, seizing computer equipment necessary to the
operation of its publishing business.  The government seized the Illuminati BBS
and all of the communications stored on it, including private electronic mail,
shutting down the BBS for over a month.  The Secret Service also seized
publications protected by the First Amendment, including drafts of the
about-to-be-released role playing game book GURPS Cyberpunk.  The publication
of the book was substantially delayed while SJG employees rewrote it from older
drafts.  This fantasy game book, which one agent preposterously called "a
handbook for computer crime," has since sold over 16,000 copies and been
nominated for a prestigious game industry award.  No evidence of criminal
activity was found.

The warrant application, which remained sealed at the government's request for
seven months, reveals that the agents were investigating an employee of the
company whom they believed to be engaged in activity they found questionable at
his home and on his own time.  The warrant application further reveals not only
that the Secret Service had no reason to think any evidence of criminal
activity would be found at SJG, but also that the government omitted telling
the Magistrate who issued the warrant that SJG was a publisher and that the
contemplated raid would cause a prior restraint on constitutionally protected
speech, publication, and association.

The defendants in this case are the United States Secret Service and the
individuals who, by planning and carrying out this grossly illegal search and
seizure, abused the power conferred upon them by the federal government. Those
individuals include Assistant United States Attorney William J. Cook, Secret
Service Agents Timothy M. Foley and Barbara Golden, as well Henry M. Kluepfel
of Bellcore, who actively participated in the unlawful activities as an agent
of the federal government.

These defendants are the same individuals and entities responsible for the
prosecution last year of electronic publisher Craig Neidorf.  The government in
that case charged that Neidorf's publication of materials concerning the
enhanced 911 system constituted interstate transportation of stolen property.
The prosecution was resolved in Neidorf's favor in July of 1990 when Neidorf
demonstrated that materials he published were generally available to the
public.


Legal Significance:

This case is about the constitutional and statutory rights of
publishers who conduct their activities in electronic media rather
than in the traditional print and hard copy media, as well as the
rights of individuals and companies that use computer technology to
communicate as well as to conduct personal and business affairs
generally.

The government's wholly unjustified raid on SJG, and
seizure of its books, magazines, and BBS, violated clearly
established statutory and constitutional law, including:

.    The Privacy Protection Act of 1980, which generally prohibits
the government from searching the offices of publishers for work
product and other documents, including materials that are
electronically stored;

.    The First Amendment to the U. S. Constitution, which guarantees
freedom of speech, of the press and of association, and which
prohibits the government from censoring publications, whether in
printed or electronic media.

.    The Fourth Amendment, which prohibits unreasonable governmental
searches and seizures, including both general searches and searches
conducted without probable cause to believe that specific evidence of
criminal activity will be found at the location searched.

.    The Electronic Communications Privacy Act and the Federal
Wiretap statute, which together prohibit the government from seizing
electronic communications without justification and proper
authorization.

####

For more information, contact Gerard Van der Leun at 617-864-1550.

END OF EFFECTOR ONLINE 1.04

Please report problems with the web pages to the maintainer