The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 32

Wednesday 1 April 1992

Contents

o Pentagon homes in on Patriot critic
Lord John Wodehouse
o Overly clever failsafe system
Mark Bartelt
o Now why didn't I think of that? (Windows 3.1)
J Chapman Flack
o Re: U.S. Dept of Justice Rulings about Keystroke Capturing
Tom Zmudzinski
o Re: Dumbing down the FBI
Janlori Goldman via Daniel B. Dobkin
Brian Kantor
Dave Banisar via Lance Hoffman
Heather Hinton
o Conference Announcement: DIAC-92
Pavel Curtis
o Info on RISKS (comp.risks)

Pentagon homes in on Patriot critic

Lord Wodehouse <w0400@uk0x08.ggr.co.uk>
30 Mar 92 11:36:00 GMT
>From the New Scientist 28 March 1992 - a follow up to "Patriot missiles misled
by `accidental' decoys" (RISKS-13.19).

The Pentagon is accusing one of its scientific critics of publishing secret
data on the Patriot missile. The scientist, Ted Postol of MIT, says that all
his information came from published sources and his own calculations.

The row began after Postol published a 50-page article on the Patriot's
performance in the Gulf War in the journal "International Security". The
article presents evidence that the Patriot missed most, and perhaps all, the
Iraqi warheads it was fired at. (New Scientist 15 Feb 1992)

Postol has worked for the US Navy and consulted nuclear weapon laboratories in
the past. He has a security clearance that allows him access to classified
information. But he says he purposely stayed away form all classified briefings
on the Patriot so that he could make his conclusions public.

On 13 March, Postol was visited by an investigator from the Defense
Investigative Service. The DIS officer wanted Postol to attend a classified
meeting to discuss where he had obtained the information for his article.
Postol refused, saying that if he did, he would really learn secret information
about the Patriot, which would prevent him from talking about it.

The investigator then informed Postol that he would have to stop discussing the
article in public anyway, because the US Army had decided that it contained
secret data. If Postol refused, he would be in violation of his secrecy
agreement with the government and could lose his security clearance.

Postol says he found his order incredible, and asked to have it in writing.
More than a week later, on 19 March, he was told that a letter was waiting for
him at the Mitre Corporation, a nearby military contractor. In a Kafkaesque
twist. the letter itself was classified, so Postol is refusing to read it.

Last week, the Pentagon disclosed that the Raytheon Corporation, which
manufacturers the Patriot, had started the entire affair. Raytheon executives
had sent a copy of Postol's article to the Army. suggesting that it might
contain secret information.

Pete Williams, the Pentagon spokesman, tried to play down the affair last week.
He told reporters that the DIS was carrying out a routine investigation and "no
final determination has been made" on whether Postol's article contained
secrets.

A Congressional committee has taken up Postol's cause, and is investigating
whether the Pentagon is abusing its classification system to silence a critic.

  [I feel that Postol must have a point, given the rather backdoor methods
  being used to stop him blowing the whistle any more.]

Lord John - the programming peer


overly clever failsafe system

Mark Bartelt <sysmark@orca.cita.utoronto.ca>
Mon, 30 Mar 92 13:27:00 EST
The following appeared in my mailbox.  (Don't know the name
of the person who originally sent it; I was at the end of a
moderate-sized forwarding chain.)

   On Peter Ross's ABC-TV arts show on Sunday Afternoon,
   the avant garde composer John Cage was featured
   performing his 4'33".  It consists of the performer(s),
   armed with a stopwatch, sitting silently on stage for
   four minutes 33 seconds, with the music consisting of
   whatever noises come from the audience or outside the
   auditorium.  The TV performance went well, but the ABC
   was caught out by technology - a fail-safe device turns
   off studio transmission if there's more than 90 seconds
   of silence, and puts up a test pattern.  It went into
   operation three times during the performance.

Mark Bartelt, Canadian Institute for Theoretical Astrophysics 416/978-5619


Now why didn't I think of that? (Windows 3.1)

j chapman flack <chap@art-sy.detroit.mi.us>
Sun, 22 Mar 92 18:13:46 GMT
Just read in a direct-mail promotional piece for Microsoft Windows 3.1:

  You may be wondering _how_ Windows version 3.1 reduces application
  errors and system crashes.  One of the most powerful additions to
  Windows 3.1 is "parameter validation."  Parameter validation means
  that when information is passed from an application to the Windows
  operating system, Windows checks the information to make sure it is valid.

"Focus on Windows," page 8.
                                   Chap Flack     chap@art-sy.detroit.mi.us


Re: U.S. Dept of Justice Rulings about Keystroke Capturing

"zmudzinski, thomas" <ZMUDZINSKIT@imo-uvax6.dca.mil>
30 Mar 92 10:45:00 EST
      D E F E N S E   I N F O R M A T I O N   S Y S T E M S   A G E N C Y
                                        Dept:     DNSO/DISM
                                        Tel No:   703 285 5459  (DSN) 356

In RISKS-13.31, Sanford Sherizen wrote:

<> I have had two separate reports from people working for U.S. Government
 agencies that the Department of Justice has advised them that trapping
 of keystrokes is a violation of the Electronic Communications Privacy
 Act and similar privacy-related legislation.  Those who mentioned it to
 me seemed to imply that the keystrokes being discussed were related to
 access control/audit measures rather than worker monitoring technology.

    Unfortunately, correct.  The situation is roughly analogous to having
to post signs saying that there are TV cameras monitoring your condo.

<> Can anyone clarify and/or verify this information?  I would be
 interested in finding out if this interpretation only applies to
 the Federal Government or to private sector organizations as well?

    I don't know about the Electronic Communications Privacy Act, but
National Telecommunications and Information Systems Security Directive
(NTISSD) NO. 600, "Communications Security (COMSEC) Monitoring," 10 Apr 90
(FOUO), makes it a requirement that users of Government telecommunications
systems be notified in advance that their use of these systems constitutes
consent to monitoring for COMSEC purposes.  (No, I don't have a copy.)

    I'm not a lawyer (my parents are married), but I've been given to
understand that "Government telecommunications systems" means ANY computer
or network whether OWNED or merely FUNDED by the Government.  (Can you
say "nearly every system in the U.S."?  I knew you could!)  If you have
any question as to the applicability to your own situation, I suggest
you hire a member of the Legal Guild who can spell "telecommunications".

    F.Y.I., DISA (via DDN Security Bulletin 9123)* strongly "recommended"
that all DDN hosts insert one or the other of the following in their
"WELCOME" messages, either:

    "GOVERNMENT TELECOMMUNICATIONS SYSTEMS AND AUTOMATED INFORMATION
    SYSTEMS ARE SUBJECT TO A PERIODIC SECURITY TESTING AND MONITORING TO
    ENSURE PROPER COMMUNICATIONS SECURITY (COMSEC) PROCEDURES ARE BEING
    OBSERVED.  USE OF THESE SYSTEMS CONSTITUTES CONSENT TO SECURITY
    TESTING AND COMSEC MONITORING."

         -- or, for those sites with limited bandwidth, --

    "USE CONSTITUTES CONSENT TO SECURITY TESTING AND MONITORING."

    It's my understanding that the wording of these "un-WELCOME" messages
was worked out with no little blood on the rug.

<> If my information is correct, this may mean that important information
 security efforts could be considered as illegal activities.

    Very true.  For example, an "alleged penetrator" (prosecuting attorneys
prefer to avoid the H(acker) word as "too warm and fuzzy") was monitored
while committing (what I'd consider to be) electronic breaking and entry.
He got off because he hadn't been warned that he was being monitored.
(This may be hearsay, but it is NOT apocryphal; I know some of the parties
involved and have suppressed the names to protect those found Not Guilty.)

<> The crunch between old laws and new technology grows daily.

    This is news?  (Rhetorical question)

                Tom Zmudzinski,
                Non-Specializing Specialist in AIS Security
                for the Defense Information Systems Agency

* DDN Security Bulletin 9123, 5 November 1991, may be obtained via FTP
(or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and
password="guest".  The bulletin pathname is SCC:DDN-SECURITY-9123.


Dumbing down the FBI

"Daniel B. Dobkin" <dbd@ans.net>
Mon, 30 Mar 92 20:40:26 EST
Lance Hoffman's posting on Friday mentioned the New York Times Op-Ed dialogue
between FBI Director William Sessions and Janlori Goldman, director of the ACLU
Privacy and Technology Project.  Kurt Sauer posted Director Session's article;
at the risk of preaching to the choir, herewith is Ms. Goldman's reply.


Keeping an Ear on Crime: Why Cater To Luddites?

By Janlori Goldman

The Federal Bureau of Investigation says advances in the telecommunications
industry are likely to make it difficult to use its old-fashioned wiretapping
techniques to listen in on telephone conversations.  The F.B.I.'s solution, in
legislation the Justice Department is asking Congress to pass, is to force the
telecommunications and computer industries to redesign their modernized systems
to accommodate the bureau's needs.  Unfairly, the F.B.I. wants consumers to pay
for it through rate increases and higher equipment costs. The
telecommunications and computer industries both oppose a bill that would
mandate such sweeping regulations.

The proposal makes the bureau look like Luddites, the 19th century English
weavers who smashed new machines that they claimed put them out of work.
Instead of keeping up with new developments, the F.B.I. wants to freeze
progress.

It is wrongheaded and dangerous to require the industry to put surveillance
first by slowing innovation and retarding efficiency. How can the F.B.I.
justify this policy at home while the White House is wringing its hands over
U.S. competitiveness in the international market?

The F.B.I. fears that new digital technology will make it difficult, even
impossible, to listen in on conversations by using traditional wiretapping
equipment. The new technology converts voices and data into electronic
blips and reconverts the blips into voices and data near the receiving end
on high-speed fiberoptic lines.

The bureau overstates its concern. The telecommunications industry says it is
not aware of a single instance in which the F.B.I. has been unable to tap a
line because of the widespread new technology. Even the Director, William S.
Sessions, admitted in a Congressional hearing last week that no warrant has
been issued that could not be executed.

At issue is the F.B.I.'s ability to wiretap in the future. But the answer is
not a legislative fix that freezes technology. The F.B.I. is not only asking
the industry to dumb down existing software, it wants to prohibit it from
developing new technologies that might interfere with the Government's ability
to intercept various oral and electronic communications. The proposed
restrictions not only cover phone companies but also on-line computer services
(such as as Prodigy and Compuserve), electronic mail systems and bulletin
boards, and switchboards.

The F.B.I. says its proposal only seeks to preserve its legal authority to
wiretap. Actually, it wants to expand the power of the Federal Communications
Commission, which regulates the telecommunications industry, to make the
F.B.I.'s needs a priority in designing new technologies. In its legislation,
the Government threatens to impose a $10,000-a-day fine on companies that
develop technologies that exceed the F.B.I.'s technical competence.  The F.B.I.
has it backward.  If the Government wants to engage in surveillance, it must
bear the burden of keeping pace with new developments.  Last year, Congress
appropriated $80 million for a five-year F.B.I. research effort focused on
telecommunications advances.

There is a serious risk that rollbacks in advances may make telecommunications
networks more vulnerable to unauthorized intrusion. One of the industry's main
goals is to design secure systems that thwart illegal interception of
electronic funds transfers, proprietary information and other sensitive data.

The F.B.I. is not the only agency trying to block progress. The National
Security Agency has tried to put a cap on the private development of technology
in encryption, the electronic encoding of data to guard against unauthorized
use.

As the private sector develops more effective encryption codes to protect
information in its data bases, the N.S.A. worries that it may have trouble
breaking such codes in its intelligence gathering overseas. The agency is
denying export licenses for certain encryption codes, thus inhibiting the
private sector's development and use of the technology.  Congress should defeat
the proposal. Otherwise, we may be prohibited from erecting sturdy buildings if
the thick walls prevent an F.B.I. agent from eavesdropping on a conversation
through a cup pressed to a wall.


Re: dumbing down new systems (FBI vs digital phones)

Brian Kantor <brian@UCSD.EDU>
Fri, 27 Mar 92 21:00:18 -0800
Every telephone switch I have ever encountered had the capability of monitoring
individual conversations, even when those conversations are multiplexed
together with other connections in the switch.  While my experience is not as
wide as others in the telephone field, it would seem to me that such a
monitoring capability is an essential switch design element for diagnostic
purposes, if nothing else.

Thus I do not believe that the FBI has any need for this law; they need only
take their court order to the telephone company and they will be provided with
the tap they have been authorized.

No, it seems to me that the ONLY purpose the FBI has in proposing such a law
would be so that it can make telephone taps WITHOUT the cooperation of the
telephone company.  Presumably, the only reason for not wanting the cooperation
of the telephone company is that the FBI in such cases might well not have the
cooperation of the court either - in other words, what they are asking for is
the ability to make warrantless taps.

End-to-end encryption, of course, would NOT fit this model.  Nor would it be
prevented by this law, since encryptors can be fitted to any phone without the
cooperation of the phone company.
                                                - Brian


Washington Post editorial on dumbing down new systems (fwd)

Dave Banisar, CPSR Washington <banisar@washofc.cpsr.org>
Fri, 27 Mar 1992 14:15:25 EDT
     [Forwarded to RISKS by Lance J. Hoffman <hoffman@seas.gwu.edu>

The Washington Post
March 26, 1992
Back to Smoke Signals?

 The Justice Department spent years in court breaking up the nation's
telecommunications monopoly in order to foster competition and technological
advances. Now the same department has gone to Congress asking that improvements
in telecommunications technology be halted, and in some cases even reversed, in
the name of law enforcement. The problems facing the FBI are real, but the
proposed solution is extreme and unacceptable on a number of grounds.

    Wiretaps are an important tool in fighting crime, especially the kind of
large-scale, complicated crime -- such as drug conspiracies, terrorism and
racketeering -- that is the responsibility of the FBI.  When they are installed
pursuant to court order, taps are perfectly legal and usually most productive.
But advances in phone technology have been so rapid that the government can't
keep up. Agents can no longer just put a tap on phone company equipment a few
blocks from the target and expect to monitor calls. Communications occur now
through regular and cellular phones via satellite and microwave, on fax
machines and computers.  Information is transmitted in the form of computer
digits and pulses of light through strands of glass, and none of this is easily
intercepted or understood.

   The Justice Department wants to deal with these complications by forbidding
them. The department's proposal is to require the Federal Communications
Commission to establish such standards for the industry "as may be necessary to
maintain the ability of the government to lawfully intercept communications."
Any technology now in use would have to be modified within 180 days, with the
costs passed on to the rate payers. Any new technology must meet the
suitable-for- wiretap standard, and violators could be punished by fines of $
10,000 a day. As a final insult, commission proceedings concerning these
regulations could be ordered closed by the attorney general.

   The civil liberties problems here are obvious, for the purposeful designing
of telecommunications systems that can be intercepted will certainly lead to
invasions of privacy by all sorts of individuals and organizations operating
without court authorization. Further, it is an assault on progress, on
scientific endeavor and on the competitive position of American industry. It's
comparable to requiring Detroit to produce only automobiles that can be
overtaken by faster police cars. And it smacks of repressive government.

   The proposal has been drafted as an amendment rather than a separate bill,
and there is some concern that it will be slipped into a bill that has already
passed one house and be sent quietly to conference. That would be
unconscionable. We believe, as the industry suggests, that the kind of informal
cooperation between law enforcement agencies and telecommunications companies
that has always characterized efforts in the past, is preferable to this
stifling legislation. But certainly no proposal should be considered by
Congress without open and extensive hearings and considerable debate.


Re: The FBI Needs Industry's Help--OpEd in NYT

Heather Hinton <heather@hub.toronto.edu>
Mon, 30 Mar 1992 10:22:20 -0500
>...  When I read between the lines, it
>sounds as if Mr. Sessions doesn't want us to use data security which employs
>end-to-end encryption; perhaps other RISKS-DIGEST readers will draw different
>conclusions.

I agree with your conclusions.  What I want to know, is wire-tapping really the
best way of catching criminals?  Sounds like this fellow is belly-aching
because his comfy method of listening to other peoples private lives may be in
jeopardy!

Just wait till the FBI demands that all encryption keys and routines be
registered with the FBI for 'security' reasons!

Heather M Hinton    (mail: heather @ hub.toronto.edu)
Dept of Electrical Engineering, 10 King's College Road, University of Toronto


Conference Announcement: DIAC-92

Pavel Curtis <Pavel@parc.xerox.com>
Sat, 21 Mar 1992 21:26:11 PST
Are computers part of the problem or ...  ?

     DIRECTIONS AND IMPLICATIONS OF ADVANCED COMPUTING
     DIAC-92 Symposium   Berkeley, California   U.S.A
    Sponsored by Computer Professionals for Social Responsibility
           May 2 - 3, 1992   8:30 AM - 5:30 PM

The DIAC Symposia are biannual explorations of the social implications
of computing.  In previous symposia such topics as virtual reality, high
tech weaponry, computers and education, affectionate technology,
computing and the disabled, and many others have been highlighted.  Our
fourth DIAC Symposium, DIAC-92, offers insights on computer networks,
computers in the workplace, national R&D priorities and many other
topics.

      DIAC-92 will be an invigorating experience for anyone
        with an interest in computers and society.


May 2, 1992

Morris E. Cox Auditorium
100 Genetics and Plant Biology Building (NW Corner of Campus)
University of California at Berkeley


8:30 - 9:00 Registration and Continental Breakfast
9:00 - 9:15 Welcome to DIAC-92, Doug Schuler, DIAC-92 Chair
9:15 - 10:15 Opening Address

Building Communities with Online Tools
 - John Coate, Director of Interactive Services, 101 OnLIne

When people log into online communication systems, they use new tools to engage
in an ancient activity - talking to each other.  Systems become a kind of
virtual village.  At the personal level they help people find their kindred
spirits.  At the social level, they serve as an important conduit of
information, and become an essential element in a democratic society.

John was known as a Community Builder at the WELL (Whole Earth 'Lectronic Link)
where he worked tirelessly to build the WELL into a place with clearly
recognizable social cohesion.

10:15 - 10:45 Break
10:45 - 11:15 Presentation

Computer Networks in the Workplace: Factors Affecting the Use of
Electronic Communications
 - Linda Parry and Robert Wharton, University of Minnesota

11:15 - 11:45 Presentation

Computer Workstations: The Occupational Hazard of the 21st Century
 - Hal Sackman, California State University at Los Angeles

11:45 - 12:15 Presentation

MUDDING: Social Phenomena in Text-Based Virtual Realities
 - Pavel Curtis, Xerox PARC

12:15 - 1:30 Lunch in Berkeley
1:30 - 2:00 Presentation

Community Memory: a Case Study in Community Communication
 - Carl Farrington and Evelyn Pine, Community Memory

2:00 - 3:15 Panel Discussion

Funding Computer Science R&D

What is the current state of computer science funding in the U.S.?  What policy
issues relate to funding?  Should there be a civilian DARPA?  How does funding
policy affect the universities? industry?  Organized by Barbara Simons, IBM
Almaden Research Center.  Moderated by Mike Ubell, Digital Equipment
Corporation.

Panelists include
  Mike Harrison, Computer Science Division, U.C. Berkeley
  Gary Chapman, 21st Century Project Director, CPSR, Cambridge Office
  Joel Yudken, Project on Regional and Industrial Economics, Rutgers University

3:15 - 3:45 Break
3:45 - 5:00 Panel Discussion

Virtual Society and Virtual Community

This panel looks at the phenomenon of virtual sociality.  What are the
implications for society at large, and for network and interactive
system design in general?  Moderated by Michael Travers, MIT Media Lab.

Panelists include:
   Pavel Curtis, Xerox PARC
   Allucquere Rosanne Stone, University of California at San Diego

5:00 - 5:15 Closing Remarks, Eric Roberts, CPSR President


May 3, 1992 Tolman Hall and Genetics and Plant Biology Building (NW
Corner of Campus) University of California at Berkeley

8:30 - 9:00   Registration and Continental Breakfast

Workshops in Tolman Hall

The second day will consist of a wide variety of interactive workshops.
Many of the workshops will be working sessions.

9:00 - 10:40 Parallel Workshops I

Toward a Truly Global Network
 - Larry Press, California State University, Dominguez Hills

Integration of an Ethics MetaFramework into the New CS Curriculum
 - Dianne Martin, George Washington University

A Computer & Information Technologies Platform
 - The Peace and Justice Working Group, CPSR/Berkeley

Hacking in the 90's: Toward a Hacker's League
 - Steve Sawyer, CJS Systems
 - Lee Felsenstein, Golemics, Incorporated, Berkeley CA

10:40 - 11:00 Break
11:00 - 12:40 Parallel Workshops II

Designing Computer Systems for Human (and Humane) Use
 - Batya Friedman, Colby College

Examining Different Approaches to Community Access to Telecommunications
Systems
 - Evelyn Pine

Third World Computing: Appropriate Technology for the Developed World?
 - Philip Machanick, University of the Witwatersrand, South Africa

Can We Talk?  Engineers, Machinists, and the Barriers to a Skill-Based
Approach to Production
 - Sarah Kuhn, University of Massachusetts --Lowell

12:40 - 1:40 Lunch in Berkeley

1:40 - 3:20 Parallel Workshops III

Defining the Community Computing Movement: Some projects in and around
Boston
 - Peter Miller, Somerville Community Computing Center

Future Directions in Developing Social Virtual Realities
 - Pavel Curtis, Xerox PARC

Work Power, and Computers
 - Viborg Andersen, University of California at Irvine

Designing Local Civic Networks:  Principles and Policies
 - Richard Civille, CPSR, Washington Office

3:20 - 3:40 Break
3:40 - 5:00 Plenary Panel Discussion

Work in the Computer Industry

     ---  This panel discussion is free to the public. --

Morris E. Cox Auditorium 100 Genetics and Plant Biology Building (NW
Corner of UCB Campus)

Is work in the computer industry different from work in other
industries?  What is the nature of the work we do?  In what ways is our
situation similar to other workers in relation to job security, layoffs,
and unions?  Moderated by Denise Caruso, editor of Digital Media.

Panelists include
  Dennis Hayes, writer and author of "Behind the Silicon Curtain"
  John Markoff, New York Times  (tentative)

5:00 - 5:15 Closing remarks, Coralee Whitcomb, CPSR Board


There will also be demonstrations of a variety of community networking and
MUDDING systems during the symposium.

Sponsored by Computer Professionals for Social Responsibility
             P.O. Box 717
             Palo Alto, CA  94301

DIAC-92 is co-sponsored by the American Association for Artificial
Intelligence, the IEEE Society for Social Implications of Technology,
and the Boston Computer Society Social Impact Group, in cooperation with
ACM SIGCHI and ACM SIGCAS.  DIAC-92 is partially supported by the
National Science Foundation under Grant No. DIR-9112572, Ethics and
Values Studies Office.

CPSR is a non-profit, national organization of computer professionals
concerned about the social implications of computing technologies in the
modern world.  Since its founding in 1983, CPSR has achieved a strong
international reputation.  CPSR has over 2500 members nationwide with
chapters in over 20 cities.

If you need additional information please contact Doug Schuler,
206-865-3832 (work) or 206-632-1659 (home), or Internet
dschuler@cs.washington.edu.

   - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =

        --- DIAC-92 Registration ---

Registration includes proceedings, continental breakfasts, and refreshments
during breaks.  Proceedings and are also available by mail.

Send completed form with check or money order to:
    DIAC-92 Registration
    P.O. Box 2648
    Sausalito, CA, 94966
    USA

Name  _______________________________________________________________

Address: ____________________________________________________________

City: ____________________  State: _______ Zip: _____________________

Electronic mail: ____________________________________________________

Symposium registration:
    CPSR Member (or AAAI, BCS, IEEE SSIT, ACM SIGCAS, ACM SIGCHI)   $40 __
    Non-member                              $50 __
    Student                             $25 __
    Proceedings Only                            $20 __
    Proceedings Only (foreign)                      $25 __
    New CPSR Membership (includes DIAC-92 Registration)         $80 __

One day registration:
    CPSR Member (or AAAI, BCS, IEEE SSIT, ACM SIGCAS, ACM SIGCHI)   $25 __
    Non-member                              $30 __
    Student                             $15 __

    Additional Donation                      $ _______

Total enclosed                                                   $ _______

   - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =

There are TWO buildings called Genetics and Plant Biology at UCB.  We
are using the smaller, southern one of the two.  There are UC parking
lots near the NW side of the campus for $3.00 a day.  Parking meters use
quarters ($.25).

Please report problems with the web pages to the maintainer

Top