The RISKS Digest
Volume 13 Issue 31

Friday, 27th March 1992

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

New XEROX FAX software
Jeremy Epstein
FYI: Congressional Advisory Board calls for public review
Jim Warren
Re: Microsoft and virus checkers
Alan Wexelblat
Dumbing down new systems
Lance J. Hoffman
The FBI Needs Industry's Help--OpEd in NYT
Kurt F. Sauer
Accidental stock sale: The error crept in when ...
Bob Frankston
U.S. Department of Justice Rulings about Keystroke Capturing
Sanford Sherizen
Test data used for actual operation - once again
Bertrand Meyer
Re: UA 747 Lost Door
Brian Boutel
Info on RISKS (comp.risks)

New XEROX FAX software

Jeremy Epstein <epstein@trwacs.fp.trw.com>
Tue, 24 Mar 92 09:48:29 EST
Today's Washington Post has an article about a new Xerox software product
designed to provide remote access to a PC through a FAX.  Basically, you can
FAX a message to your PC with instructions on what you want, and it will FAX
the file(s) to a number of your choosing.  If you don't have the form handy,
FAXing a blank sheet of paper will cause it to FAX the blank form back to you.
The target market is people who travel but don't carry everything they might
possibly need...they call it a 24-hour-a-day assistant.

The product (whose name I've forgotten) is software...it works with
the hardware FAX boards you can buy.

The product sounds really neat, but the first thought that came to my mind was
security.  If I know that Jane Doe has this software on her PC, how will it
prevent me from asking for a copy of anything on her PC?  The article didn't
mention any security measures to prevent an machine from attack.

I don't have any technical product information, so this may be merely
an omission from the article, rather than a weakness in the product.

Jeremy Epstein, Trusted X Research Group, TRW Systems Division, Fairfax
Virginia +1 703/803-4947 uunet!trwacs!epstein epstein@trwacs.fp.trw.com


FYI: Congressional Advisory Board calls for public review

Jim Warren <autodesk!highpoint!jwarren@fernwood.mpk.ca.us>
Wed, 25 Mar 92 17:16:42 PST
       COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
                          RESOLUTION #1
                         March 18, 1992

The Board has examined the present status of the proposed Digital
Signature Standard (DSS) being undertaken by the National
Institute of Standards and Technology (NIST).  In view of:

(1)  the significant public policy issues raised during the
     review of the proposed standard;

(2)  the increasingly pervasive use of digital technologies;

(3)  the potential impacts upon the security of the
     unclassified/sensitive government community;

(4)  the relationship of the DSS to the existing NIST
     cryptographic security program; and

(5)  the posture of the U.S. in international commerce.

THE BOARD FINDS THAT:

(1)  a national level public review of the positive and negative
     implications of the widespread use of public and private key
     cryptography is required.  This national level review must
     involve the national security, law enforcement, government
     unclassified/sensitive, and commercial communities.
     Representatives from the private sector should include both
     vendors and users.  In the next several months, NIST/NSA
     should sponsor a workshop on the widespread use of
     cryptography.  This national review should be concluded by
     June 1993.

(2)  NIST has made significant progress in resolving the
     technical issues related to the proposed DSS.  The Board
     recommends that NIST continue to seek resolution of the
     patent, infrastructure, and other remaining issues raised
     during the public comment process.  The Board recognizes
     that much of the work, and in particular the infrastructure,
     are algorithmic independent and must be continued by NIST to
     assure timely implementation of digital signature technology
     within the government.

FOR:  Colvin, Gallagher, Gangemi, Kuyers, Lipner, Philcox, Rand,
Walker, Wills  and Zeitler
AGAINST: None
ABSTAIN: None

Motion Unanimously Approved.

       ---------------------------------------------------

       COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
                          RESOLUTION #2
                         March 18, 1992

The Board resolves that:

     The approval of the Digital Signature Standard (DSS) by the
     Secretary of Commerce should be considered only upon
     conclusion of the national review.

The Board agrees to continue to monitor the activities involving
the DSS and the proposed national review at future meetings.


FOR: Colvin, Kuyers, Lipner, Philcox, Rand, Walker, Wills, and
Zeitler
AGAINST: Gallagher, Gangemi
ABSTAIN: None

Motion Approved.

       ---------------------------------------------------

       COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
                          RESOLUTION #3
                         March 18, 1992

The Board resolves that:

     The Board defers making a recommendation on approval of the
     Digital Signature Standard (DSS) pending progress on the
     national review.

The Board agrees to continue to monitor the activities involving
the DSS and the proposed national review at future meetings.

FOR: Colvin, Gallagher, Gangemi, Kuyers, Lipner, Philcox, Rand,
     Walker, Wills, and Zeitler
AGAINST: None
ABSTAIN: None

Motion Unanimously Approved.


Re: Microsoft and virus checkers (Martin Minow, RISKS-13.30)

<wex@pws.ma30.bull.com>
Thu, 26 Mar 92 16:28:41 -0500
Well, having just installed Word 5.0 this week, I can tell you the reason:
MSWord 5.0 installs things (fonts, mostly) directly into the System.  All
virus detectors I know of will at least trap/warn on this.  But the Install
program can't deal with these trap/warn windows appearing and grabbing
control while Install is trying to read from disk.

So you have to turn off your virus protection.  You may also have to
reinstall other things in your system.  In my case, the Word installation
blew away my Personal Laserwriter print driver.

As long as I'm on the subject, MSWord 5.0 represents a significant step
BACKWARD for Word, as far as I can tell.  I'm seriously thinking of going
back to 4.0 because the new interface is *so* bad.

Word 5.0 has several instances of the "the computer is doing something but
doesn't tell the user" RISK.  This, of course, causes users to repeat
inputs, thinking nothing happened the first time.  These additional inputs
are buffered and applied to the next step in the process, potentially
causing damage that is hard or impossible to undo.

The program is also significantly slower than version 4.0 (at least a factor
of two in the tests I've done).  This introduces the RISK that long-time
Word users like myself will assume that the Mac is hung and begin
diagnostic/repair actions which are inappropriate and cause bad effects.

There is more functionality than in 4.0, but a lot of it is "stupid"
functionality in the sense that the new features duplicate existing features
or do flat-out dumb things (we can discuss some other time the hilariously
wrong messages their grammar checker spits out).

A shame, really.  Microsoft does occasionally produce good products (Excel
2.2 has one of the best, most intuitive interfaces I've ever seen), but Word
seems to get worse every odd-numbered release and only better with the even
numbers.

Alan Wexelblat Bull Worldwide Information Systems Billerica, MA : (508)294-6120
     wex@pws.bull.com       wexelblat.chi@xerox.com


Dumbing down new systems

Lance J. Hoffman <hoffman@seas.gwu.edu>
Fri, 27 Mar 92 8:01:39 EST
The debate on (son of) S. 266 and on whether and how to "dumb down" computer
technology to satisfy law enforcement needs is joined in The New York Times of
Friday, March 27, 1992 with articles by William Sessions, FBI director, and
Janlori Goldman, director of the privacy and technology project of the American
Civil Liberties Union. RISKS readers with an interest (or stake) should read
these articles carefully, and consider responding with letters to the editor of
the New York Times of their own if they have anything to add.  If the technical
community wishes to be heard, it should speak up now.  (Letters to their
congressional representatives may not hurt either ;-) ).
                                                            Lance Hoffman

Department of Electrical Engineering and Computer Science, The George
Washington University, Washington, D. C. 20052  (202) 994-4955


The FBI Needs Industry's Help--OpEd in NYT

Kurt F. Sauer <ks@stat.tamu.edu>
Fri, 27 Mar 92 07:54:31 CST
FBI Director William Sessions wrote an interesting op-ed piece in today's New
York Times (Vol. CXLI, No. 48,918, Fri., Mar. 27, 1992, p. A15) dealing with
the problems which federal law enforcement expects to encounter when placing
court-ordered wiretaps on data circuits.  When I read between the lines, it
sounds as if Mr. Sessions doesn't want us to use data security which employs
end-to-end encryption; perhaps other RISKS-DIGEST readers will draw different
conclusions.

[Under the rubric "Dialogue/High-Tech Wiretaps"]

                Keeping an Ear on Crime:
            The F.B.I. Needs Industry's Help

By William S. Sessions

     Advances in telecommunications technology promise to deprive Federal,
state and local law enforcement officers and the public of the incalculable
benefits that can be obtained only by court-authorized wire-tapping.
     Wiretapping is one of the most effective means of combating drug
trafficking, organized crime, kidnapping and corruption in government.  The
Federal Bureau of Investigation does not want the new digital technology that
is spreading across America to impair this crucial law-enforcement technique.
Thus, after consulting with the telecommunications industry, members of
Congress and executive branch agencies, the Justice Department has proposed
legislation that is intended to preserve the ability of law enforcement
officers to intercept conversations of people engaged in serious crimes.
     This bill is consistent with legislation passed in 1968 after Congress
debated the constitutional problem posed by the Government's need to address
both serious criminal conduct and the individual's right to privacy.  Congress
struck a balance by passing the Omnibus Crime Control and Safe Streets Act.
     That law and later amendments created the meticulous procedure by which
law enforcement officers obtain judicial authorization for electronic
surveillance.  Wiretaps can be used to address only the most serious criminal,
sometimes violent, threats facing society.  Only when a judge is satisfied that
all statutory safeguards have been met and all other reasonable investigative
steps have failed or will likely fail, are taps permitted.
     Digital technology makes possible the simultaneous transmission of
multiple conversations and other data over the same lines.  The problem is that
voice transmission will soon be replaced by an endless, inseparable stream of
electronic emissions, making it virtually impossible to capture criminal
conversations.
     The Federal Bureau of Investigation is not complaining.  As the
telecommunications industry develops digital technology, new services such as
Caller ID are becoming available to business and private customers.  The new
technology already has provided benefits for the F.B.I.--for example, it helped
solve the bombing of Pan Am Flight 103.
     But if digital technology is fully introduced with insufficient attention
to public safety, the effectiveness of law enforcement officers will be greatly
impaired.
     As society and technology evolve, so do government's needs and
responsibilities.  And, yes, the burden of helping to safeguard the public
often falls on those who make profits from regulated goods and services.  It is
reasonable for the telecommunications industry to come to the aid of law
enforcement.  The proposed legislation relies on it to find technical solutions
that are cost effective while permitting the developement of its technology.
Surely it can do both in a way that insures its competitiveness.
     Indisputably, there will be financial costs associated with whatever
technical solutions the private sector might develop.  These costs cannot be
measured only in dollars; consider the price society would pay if the ability
to solve complex crimes were thwarted by an end to wiretapping.  In a recent
large-scale military-procurement fraud case-- which was successful because of
wiretaps--the fines, restitutions, forfeitures and savings to taxpayers
exceeded $500 million.
     The cost to telecommunications companies would not be so substantial as to
outweigh the consequences of an inability of law enforcement to act.  But if
nothing is done soon, as technology advances and the digital systems become
more widespread, the cost of addressing the issue down the road will
undoubtedly increase dramatically.
     The proposed legislation does not expand the authority of the F.B.I.  or
any other criminal justice agency.  It simply preserves what Congress
authorized in 1968--nothing more.
     In recent years, Congress has expanded the Federal criminal activities for
which wiretapping may be obtained.  As in 1968, it must decide if law
enforcement should have this invaluable tool available.  I am confident that
congress will again support law enforcement by approving the necessary
legislation.


Accidental stock sale: The error crept in when ...

<Bob_Frankston@frankston.std.com>
Fri 27 Mar 1992 14:47 -0500
Speaking of rekeying the following is from the Friday March 27, 1992 in an
article about Salomon Brother's accidental sale of a few million dollars of
stocks:

The error crept in when a clerk at the firm, in translating the order into a
format that would be understood by Salomon's computer system, mistakenly put
the column showing the total value of the orders into the column showing the
number of shares to be traded.


U.S. Department of Justice Rulings about Keystroke Capturing

Sanford Sherizen <0003965782@mcimail.com>
Fri, 27 Mar 92 19:55 GMT
I have had two separate reports from people working for U.S. Government
agencies that the Department of Justice has advised them that trapping of
keystrokes is a violation of the Electronic Communications Privacy Act and
similar privacy-related legislation.  Those who mentioned it to me seemed to
imply that the keystrokes being discussed were related to access control/audit
measures rather than worker monitoring technology.

Can anyone clarify and/or verify this information?  I would be interested in
finding out if this interpretation only applies to the Federal Government or to
private sector organizations as well?  If my information is correct, this may
mean that important information security efforts could be considered as illegal
activities.  The crunch between old laws and new technology grows daily.

Sanford Sherizen, Data Security Systems, Natick, MASS.


Test data used for actual operation - once again

Bertrand Meyer @ SOL <bertrand@eiffel.com>
Fri, 27 Mar 92 21:09:31 +0100
The following is from Le Canard Enchaine, 25 March 1992. Le Canard Enchaine, a
pillar of the French press for 75 years or so, is a satirical and investigative
paper, with no known equivalent anywhere else.

The translation, or more correctly the feeble attempt at literal adaptation
since the Canard style is basically untranslatable, is by Bertrand Meyer, from
whom also the comments in square brackets, some of which refer to notes at the
end.

         MAD COMPUTER CONS SUPERMARKET CUSTOMERS
             ---------------------------------------

TAPPING A THOUSAND BANK ACCOUNTS

Seeing one's bank account being repeatedly debited over a period of several
months, to the credit of a store where you have never set foot - such was the
lot of about one thousand customers of a Paris supermarket. Whenever they paid
for their expenses using their Visa international card, they were in fact
feeding - without their knowledge ... - the coffers of a clothing store, which
hadn't asked for it.  Overall, because of a computer error, more than 450,000
Francs (US$ 90,000) was drawn from these involuntary customers.

On October 14, 1991, the manager of the "Codec" [a food supermarket] on the rue
des Amandiers [in Paris] notes that his cash registers, driven by a specialized
computer program, systematically rejects all payments made by Visa
International cards. He calls the PSI Alcatel ISR company, which installed the
system and is responsible for its maintenance. In order to find out the source
of the problem, a technician [from PSI Alcatel] makes a copy of the store's
customer file into one of his company's programs [sic]. Having apparently
corrected the error, he sends the file back to Codec.

DEBITS UNLIMITED

A few weeks later, a riot or something very close to that erupts at Codec.
Dozens of irate customers storm the store's offices: their banking accounts,
which were debited normally the previous month [see note 1] after they made
some purchases at Codec, are being debited again; but this time it's to the
credit of "Gify Center" a clothing store in Nantes [a city in Vendee, on the
Atlantic Ocean, several hundred miles from Paris]. Grand total of these double
payments: 229,000 F ($40,000).

In early January 1992, the manager alerts PSI Alcatel. Answer, given without
any trace of emotion: PSI Alcatel has know about these computer blunders for
several weeks. This is because Gify Center, wondering about this unexpected
manna raining full-baked from the computer, had taken the trouble to inform
[PSI Alcatel]. As to the poor manager of Codec, being unable to provide any
explanation, he is being called a crook by some of his customers.

PSI Alcatel claims to be working hard on the problem - but to no avail since
trouble starts again in February. This time it's a store in Vannes [in
Brittany, also on the West Coast], also part of the Gify Center chain, which is
the beneficiary. Five hudred clients are affected; some of them, according to
the Codec manager, are even debited four times for the same amount. [??]

At this stage the police, being flooded with complaints, opens an investigation
and summons the poor Codec manager. Not hard to understand why: many of the
affected customers have had to pay interest penalties to their banks [see note
2], since their accounts have had overdrafts because of these repeated
payments. Others have had to pay penalties for returned checks, or have been on
the brink of having their bank cards cancelled.

COMPUTER HICCUPS

By dint of hard work, PSI Alcatel at last discovers the source of all these
computer follies. [Perhaps someone should suggest a subscription to RISKS?] The
technician, who had copied the Codec's customer file into his own program [sic
and resic, to use a favorite Canard expression] for the purpose of debugging
it, had forgotten to erase the file. A fateful mistake: every time PSI Alcatel
sold their program for managing cash registers, they were also unwittingly
selling the Codec's customer file. After that, whenever the program had been
inserted into a store's computer, it would direct the banks to debit the
accounts of the customers recorded in that file.

One piece of good news: PSI Alcatel claims to have sold this over-filled
program to no one else than Gify Center. The customers of the rue des Amandiers
Codec have avoided the worst: since Gify Center owns about forty stores in
France, that's the number of times the mad computers could have emptied their
accounts.

[End of article]


[Notes for foreign readers:

[1] The most common use of credit cards in France is as ``debit cards''; i.e.
they are tied to a bank account and expenses are automatically debited at the
end of the month.

[2] Overdraft is less of an abnormal situation in France than in e.g.  the US.
Most banks will tolerate some overdraft as long as the situation doesn't get
too serious. It's actually a fairly juicy situation for them since they charge
rather high ``agios'' (translated above by ``interest penalties''.)]

[General note: I am surprised by the relatively small amounts of money
involved.]


Re: UA 747 Lost Door

Brian Boutel <brian@comp.vuw.ac.nz>
Tue, 24 Mar 1992 16:14:22 +1200
It's worth noting that the revision in the official story, that an electrical,
not mechanical fault was responsible, is entirely due to the persistance of one
man, the father of one of the passengers lost in the accident.  He formulated
this theory, and persued it with United and Boeing, even, I believe, got
permission to be present when the door was recovered from the bottom of the
Pacific. The new finding vindicates his stand, and without his efforts, it is
unlikely that the truth would have been found.
                                                        --brian

Brian Boutel, Computer Science Dept, Victoria University of Wellington, PO Box
600, Wellington, New Zealand  Phone: +64 4 471-5328 Fax: +64 4 495-5232

Please report problems with the web pages to the maintainer

x
Top