Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
From Sat 24 Oct 1992 `Guardian', no author given. It is perhaps not too
surprising that this has not received the attention that it deserves, given the
political situation in the UK at the moment. The British Government is
currently in the process of lurching from one crisis to the next. [See Brian
Randell's contribution in RISKS-13.44 for background. PGN]
Computer software blamed as RAF pilot bombs Ark Royal.
An RAF Harrier jump-jet pilot on exchange with the Royal Navy bombed the
carrier Ark Royal, injuring five crew, because of a computer software
anomaly, it was disclosed yesterday. Four of the injured have returned to
work following the [20 April 1992] incident when the 28lb practice bomb tore
through the flight deck and exploded in one of the mess decks. The fifth ...
is still receiving medical treatment.
The incident happened when four Sea Harriers were practicing dropping bombs
on a target towed 600 yards behind Ark Royal during training .... The RAF
Flight Lieutenant, described as highly experienced, lost radar contact twice
with the ship. He `locked on' for a third time just seconds before going
into the loft manoeuvre. He did not know that the automatic aim-off was not
programmed to cut in within such a short period of time because of an anomaly
in the computer software. The bomb was aimed at the ship and not the target.
The pilot will receive a formal warning and training using loft-mode attacks
has been `put into abeyance'.''
What interested me in particular was that, in a roundabout way, the pilot is
being faulted, even though the software is blamed. It is worrying that the
evaluation of the software (which I assume took place) did not pick this up.
Of course, it could well be that the real problem was much more complicated
than the article suggests. It would not be the first time the press has
simplified a story involving modern technology. Does anyone know more on this?
It does, however, bring home the reality that computers control life and death
situations.
Simon Marshall, Dept. of Computer Science, University of Hull, Hull HU6 7RX, UK
Email: S.Marshall@Hull.ac.uk Phone: +44 482 465181 Fax: 466666
In the investigation of the process against the Brazilian President (Fernando Collor de Mello), the Federal Police found (and confiscated) an IBM-PC clone in the enterprises of Paulo Cesar Farias. In the hard disk of this computer were found dozens of indications of the corruption of Collor de Mello and P.C. Farias. The "folklore" that runs in Brazil now is that the disks were actually erased, but the FP bought in USA a software that allowed the examination of the disk and the recovery of the files. It seems that this tale is true. I would like to know which software was used, and what kind of work the FP did. Jerry / Xexeo Geraldo Xexeo, CERN - PPE Division, 1211 Geneve 23, Switzerland FAX: (41)(22)785-0207 xexeo@dxcern.cern.ch gxexeo@cernvm.bitnet
Date: Mon, 19 Oct 92 23:49:18 -0400
From: Doug Humphrey <digex@ACCESS.DIGEX.COM>
Subject: .0045 mbits/sec
Article <7610172337.AA19083@nisc.jnvc.net> Oct 17 23:37
Subject: T3 Cable Cut
From: martin@NISC.JNVC.NET (Steve Martin)
This is to inform you that Merit (NSF) has experienced a fiber cut in
East Orange, New Jersey. As a result of this, JNvCnet's T3 access to the NSF
net is temporarily out of service till repairs can be made.
All traffic to the NSF net is now being routed through the
9.6k backbone node and will be returned to the T3 as soon as possible.
[The following message came from Pandora Berman at MIT via Jerry Leichter <leichter@lrw.com>, John Robinson <jr@ksr.com>, Clark M. Baker) <cmb>, and originally from Paul M. Wexelblat <wex@cs.ulowell.edu>, who noted the original CACM item ... PGN] I stumbled across this little item in the current (October 1992) CACM: BANKS UNDERDRAWN... The banking industry spent over a billion dollars on technology last year, yet they are not even close to employing leading-edge tools. A new survey ... indicates that over 75% of bank computer programs are still written in Cobol and 84% of banking software is designed for mainframes, not PCs. Moreover, 80% of the software used by banks is over six years old and only 37% of their locations are networked. The report reveals most banks are simply not investigating new advances in computer applications. [Communications of the ACM, Vol 35, No 10, NEWSTRACK, p.9] Here is a rough translation: BANKS CONSERVATIVE... The banking industry spent over a billion dollars on technology that works, rather than the latest glitzy play toy. A new survey ... indicates that over 75% of bank computer programs are written in a language appropriate to the task as opposed to trying to force their models into the latest Object Oriented fad and 84% of banking software is designed to run on systems that have low mean time between failures, juggle hundreds of users, handle huge databases, and push megabytes at high rates, not tiny little machines that crash with great regularity, are designed for a single user, if even that, have minuscule disks, and have bandwidth the approximating that of a sclerotic soda straw. Moreover, 80% of the software used by banks has been fairly well debugged and only 37% of their locations are open to attack by thirteen year olds with modems and a lot of time on their hands. The report reveals most banks are simply not chasing the latest fad in confuser science and piddling their money away on recoding working applications unnecessarily. Paul Wexelblat
David Willcox said
Dorothy Denning suggested that anyone using high-level encryption over a public
network be required to register their encryption keys with some agency. This
agency would then distribute the keys when an appropriate court order was
presented. The risks of this are fairly obvious.
I believe this risk can be reduced to about zero. For example, using a
public-key system, your key could be encrypted under the public key belonging
to, say, the Justice Dept. The encrypted key would be given to and held by an
independent agency. But, the key could be decrypted only by Justice. Thus, if
somone gains access to a key held by the key agency, they wouldn't be able to
decrypt it.
To use a key, law enforcers would have to go through these steps:
1. Get a court order.
2. Submit the court order to the key agency and get the encrypted key.
3. Deliver the encrypted key to Justice with the court order; get back
the plaintext key.
4. Take the court order to the service provider in order to activate the tap
and get the bits.
5. Listen in and decrypt the communications.
I believe this scheme is pretty tight. Silvio Micali has evidently invented
another method of safeguarding the keys in a registry, called "fair
cryptography", but I don't know the details.
Dorothy Denning
>It took the action of citizens banding together to file a civil lawsuit to halt >the abuses after their complaints were rebuffed by the Colorado secretary of >state's office and the local district attorney. There is an interesting point related to this particular story. The Colorado Secretary of State does not have criminal powers. So in the case of vote fraud like that in Costillo County, the Secretary of State may have to turn the case over to the District Attorney. The District Attorney may have been elected with the aid of the vote fraud (s)he is supposed to prosecute. The other choice of prosecuting authority would be the Attorney General (depending on who had jurisdiction), another elected official. It is difficult to see how telephone voting will do anything but further exploit existing problems in authenticating voters and prosecuting vote fraud. Louis B. Moore, Systems Programmer, The Children's Hospital of Denver Denver, Colorado USA 80218 lbmoore@tchden.org +1 303 837 2513
"Anonymous" mentions in RISKS DIGEST 13.84 that the Department of Defense
conducted an investigation when an message marked "T*p S*cr*t" was found on an
unclassified computer system. (The asterisks are a way of ensuring that the
investigation is not triggered by the words in *his* message, I guess.)
I don't think merely putting the words "Top Secret" in a message is the
problem; putting it in in such a way that it appears to be classified data
*is*.
I have, in the past, held both Department of Energy and Department of Defense
clearances, and if I learned anything it is that the security personnel of both
agencies take their jobs very seriously and do not have much of a sense of
humor where security violations are concerned.
In my initial briefings for these clearances it was emphasized that classified
information must be strictly controlled, and in fact we were given specific
procedures for what to do if we found unattended classified documents lying
around.
It appears that [the author] thinks that the "system wide disclaimers that said
systems are not to be used for classified work" should have been sufficient to
prevent action. I feel that the exact reverse is true — the appearance of an
APPARENTLY classified message on an insecure* computer is exactly the kind of
security violation that needs to be investigated immediately.
In fact, I can remember one company that sent out "Top Secret" press releases
to their customers — which included some DoE and DoD sites — getting an
unpleasant visit from men with dark suits and sunglasses that didn't smile
much. (The gist was "Don't *do* that".)
--berry
"The Hacker Crackdown: Law and Disorder on the Electronic Frontier", Bruce Sterling, Bantam Books, November 1992, ISBN 0-553-08058-X, 328pp, US$23. Book Review by Dave Barker-Plummer (plummer@cs.swarthmore.edu) "The Hacker Crackdown" is Bruce Sterling's term for a series of seizures of computer equipment which took place during the summer of 1990. The circumstances surrounding these raids, the individuals and communities affected by them, and the consequences for the computing community and society at large, are the subjects of this book. Sterling, a cyberpunk author, is at his best when he is telling stories. He adopts a revelatory style and writes in a tone of wonder and bemusement as events take one unexpected turn after another. Particularly intriguing is his telling of the Craig Neidorf/Knight Lightning story. Neidorf was prosecuted for electronically distributing an edited version of a document copied without permission from a BellSouth computer. Sterling documents the history of the document as it was sent across the Internet many times, its publication in the "Phrack" newsletter, the arrest of Neidorf, the charges against him and the eventual collapse of the trial. As the story unfolds, one realises that truth is indeed stranger than even Sterling's bleak cyberpunk fiction. There are many other stories in the book: the story of Steve Jackson, whose legitimate games company was raided under sealed warrant, and all of his computers seized; the story of The Legion of Doom, a group of hackers who assemble in cyberspace to brag about breaking into computers and sharing stolen access codes and credit card numbers; the story of the founding of the Electronic Frontier Foundation by Mitch Kapor, author of Lotus 1-2-3, and John Perry Barlow, sometime lyricist for The Grateful Dead; and closing the book, the story of the Computers, Privacy and Freedom conference of 1992, in which hackers, law enforcement, and civil libertarian groups met to talk about these issues with unprecedented openness. Sterling attempts to make these stories take second place to the culture, or more correctly cultures, of cyberspace. He chooses to structure his book in four main parts, each dealing with one of these subcultures. While hacker stories have been told before, this examination of cultures has been neglected, and Sterling is to be praised for attempting it. However, Sterling does not seem to comfortable in his self-appointed role. Try as he might, the events keep overtaking the people, and the book ends up feeling somewhat confused --- but then the whole subject is rife with confusion: cultural, technical and ethical. Although Sterling fails to give it the emphasis it deserves, the main theme of this book is power. In the first part of the book "Crashing the System", Sterling describes the power of the telephone companies. From the fledgling technology of the telephone, through the rise of AT&T, and the significant role that it played in government and industry, to the break up of the Baby Bells. The picture that Sterling paints of the contemporary telcos is that of a power base that is under threat, and which is struggling to preserve its grip on the power that is being threatened by the more widespread availability of technology, not to mention the breaking of the economic monopoly. Lest this sounds like dull reading --- there's not a sentence in this book that can be described as dull --- I should mention that Sterling brings this history to life by taking us in detail through the duties of a switchboard operator, and observing that in the early days of the telephone teenage boys often played this role until they were found to be "hacking", when they were ejected from the system. There are intriguing parallels between the time just after the introduction of the telephone --- which Sterling identifies as the creation of cyberspace --- and the contemporary era, which represents the settling of that "place". The second section of the book, "The Digital Underground", documents the hacker subculture. Sterling steers a journalistic middle course: on the one hand stressing the illegality of hacking and debunking the myth of the talented genius, while at the same time pointing out that the typical hacker is not a hardened criminal but a teenage boy. Sterling explains the feeling of technical power for a hacker when he uses a computer to break into a voice mail PBX, or to break into a password protected system, to gain access to hitherto inaccessible regions of cyberspace. Sterling makes much of the isolation and cultural powerlessness of hackers: they are typically teenage boys who grew up in the Reagan era and have come to believe that all institutions are corrupt, and who see their computer and modem as weapons against those institutions, even if it is only to steal insignificant documents, or do no more than irritate those institutions. He also describes the material available on "underground" BBSs, illustrating the anarchistic stances adopted by these elite children of elite families, and debunks the myth that there are "gangs" of hackers working in concerted effort to bring about the downfall of the technocracy as we know it, but asserts that their's is typically a solitary "game". This isolation leads to their need to brag of their exploits to other hackers, in order to build a reputation, and often thereby to their swift arrest. Isolation also accounts for the fact that almost every hacker arrested cooperated fully and informed on his contacts in cyberspace. There is no hacker community, Sterling implies, and no honour among hackers. In the third section, "Law and Order", Sterling describes the world of the law enforcement officers. If one thing comes through from this picture it is that the law enforcement agencies in this country were/are ill-prepared to investigate and prosecute computer crime. Sterling remarks that he, a not particularly computer-literate, author has more computer power in his home than the typical computer law enforcement officer (of 1990). Sterling describes the modus operandi of a typical hacker bust, the seizure of everything that looks like it might be relevant including CDs (that might store data and be disguised as music CDs), and Sony Walkmen (because they are electronics, I guess). In his article "Crime and Puzzlement", John Perry Barlow writes "In fairness, one can imagine the government's problem. This is all pretty magical stuff to them. If I were trying to terminate the operations of a witch coven, I'd probably seize everything in sight. How would I tell the ordinary household brooms from the getaway vehicles?". While Sterling's description of the problems facing the under-funded, under-equipped and under-skilled government agencies is sympathetic, he does not seek to justify the excesses in the events of 1990. He carefully makes and maintains the distinction between hackers from legitimate computer users, and describes how members of both of these groups were equally punished by the Hacker Crackdown. Finally, in "The Civil Libertarians" Sterling describes the response of the Silicon Valley and Austin computer culture to the strange events of the hacker crackdown, which culminated in the formation of the Electronic Frontier Foundation. In this very upbeat section, Sterling describes how the computer elite used their technological power to network and organize, to seize the public relations advantage, to file suit in defense of Steve Jackson and Craig Niedorf and to set themselves up to defend civil liberties in cyberspace. In the view of the civil libertarians, the hacker crackdown was the first skirmish in the battle for control of cyberspace. The Electronic Frontier is a new "place" that is currently being populated and the rules that will govern this place are up for grabs. The civil libertarians are concerned to guarantee important rights for the citizenry of cyberspace, in particular: freedom of expression, freedom of association and privacy: in effect a constitution for cyberspace. "The Hacker Crackdown" taught me much about the events of the early 90s and it is entertaining and provoking by turns. I recommend it highly, for its discussion of the contemporary struggle for technological power, illustrated by unbelievable, but true, stories of law and disorder on the electronic frontier.
Today I bought gasoline and discovered that the station had some fancy new
pumps with credit card readers built right in. You can drive up, insert your
card, pump gas, and drive away, without even dealing with a clerk. The pump
prints a little receipt when you're finished.
The problem is the receipt. It comes out behind a small clear plastic door
(presumably the door is to protect the printer from the weather); you have to
slide it open so that you can fish the receipt out, slightly awkwardly, with
your finger. If you don't notice the receipt at all, or if you're in a hurry,
or if you aren't in the habit of saving receipts anyway, you could easily leave
it behind.
On the receipt is printed not only your credit card number and type of card
(VISA, MC, etc.), but also your full name, as retrieved from the magstripe.
If Bonnie S. Thomason happens to read this, you forgot your receipt after
buying 13.855 gallons of unleaded at 7:59 this morning, but I promise I won't
use or disclose your credit card number.
Wandering around checking these receipt slots would be reminiscent of wandering
around checking pay telephone coin return slots, but potentially much more
lucrative.
Besides RISKS, I'm writing a letter to the oil company in question today.
[This is of course an old problem for RISKS readers, but it is perhaps
worth including here as a reminder that it recurs continually. PGN]
Abstract Submission : NOVEMBER 2, 1992
Deadline Approaching : ****************
Call for Participation
International Workshop on
Fault and Error Models of Failures in Computer Systems
January 25 - 26, 1993 o Palm Beach o Florida
------------------------------------------------------------------
Sponsor The IEEE Computer Society and
IEEE Technical Committee on Fault-Tolerant Computing
Dates
Abstract Deadline: November 2, 1992
Acceptance Notification: December 15, 1992
Session Foils/Agenda: January 8, 1993
------------------------------------------------------------------
Scope
The importance of understanding Computer System failures, in terms of their
fault and error models, failure patterns, and characteristics cannot be over
emphasized. This understanding is critical in influencing the research and
practice of fault-tolerant computing. It is the kernel upon which evaluation
methods, experimental verification, modeling, algorithms and techniques are
developed. In recent years the relative mix in the causes of outage has
shifted from what it was a decade ago. Studies indicate the dominance of
software as a cause of outage, closely followed by maintenance and environment.
However, the industry lacks data and understanding of faults, errors and
failures in these dimensions - severely impacting the progress of
fault-tolerant computing as a research discipline and a practice.
This workshop is intended to bring together experts from industry, academia,
and government. The goal is to develop the needed insight, define and
calibrate models, and gain knowledge to guide research and practice in
fault-tolerant computing. This workshop will be highly interactive. It will
be run as a workshop, and will not have a conference flavor. It is intended
that at the end of the two day meeting, there will evolve a substantial
accomplishment towards these goals. These results are intended to be the
starting point of a sequel to this workshop, on fault-injection. The
fault-injection workshop, also sponsored by the Technical Committee on
Fault-Tolerant Computing, is planned to be held in Sweden in June 1993.
Submission
To participate in this workshop, submit seven copies (or use email) of a two
page abstract describing the contribution you will make to the workshop. The
program committee will review the abstracts and notify you of your acceptance.
To enhance interaction the attendance at the workshop will be limited to a
maximum of fifty.
Workshop Chair
Ram Chillarege, IBM Research, USA
Program Committee
Bob Horst - Tandem Computers, USA
Ravi Iyer - University of Illinois, USA
Karama Kanoun - LAAS-CNRS, France
Dan Siewiorek - Carnegie Mellon, USA
Yoshihiro Tohma - Tokyo Institute, Japan
Jan Torin - Chalmers University, Sweden
Submit Abstracts to
Ram Chillarege
IBM T. J. Watson Research Center
30 Saw Mill River Road
Hawthorne, NY 10532, USA
(914) 784-7375 Fax: (914) 784-6201
email: ramchill@watson.ibm.com
Important Dates
Submission Deadline: November 2, 1992
Acceptance Notification: December 15, 1992
Session Foils/Agenda: January 8, 1993
Ex Officio
Jacob Abraham, FTC-TC Chair,
University of Texas, Austin, USA
CALL FOR PAPERS
COMPUTER SECURITY FOUNDATIONS WORKSHOP VI
June 15-17, 1993
Franconia, New Hampshire
Sponsored by the IEEE Computer Society
The purpose of this workshop is to bring together researchers in computer
science to examine foundational issues in computer security, with emphasis on
formal models that provide a framework for theories of security and techniques
for verifying security as defined by these theories.
We are interested both in papers that describe new results in the theory of
computer security and in papers, panels, and working group exercises that
explore open questions and raise fundamental concerns about current theories of
security. Possible topics include access control, covert channels, information
flow, database security, secure protocols, verification techniques, integrity
and availability models, interactions of computer security requirements with
other system requirements such as dependability and timing, and the role of
formal methods in computer security.
The proceedings are published by the IEEE Computer Society and will be
available at the workshop. Selected papers will be invited for publication in a
special issue of the Journal of Computer Security.
Instructions for Participants: Workshop attendance will be limited to
thirty-five participants. Prospective participants should send four copies
of a paper (limit 7500 words), panel proposal, or working group exercise to
Catherine Meadows, Program Chair, at the address below. Please provide email
addresses and telephone numbers (voice and fax) for all authors.
The contact author should be clearly identified.
IMPORTANT DATES: Author's submission: January 29, 1993
Notification of acceptance: March 10, 1993
Camera-ready final papers: April 9, 1993
Program Committee
Marshall Abrams, MITRE John Mclean, NRL
Simon Foley, University College, Cork Jonathan Millen, MITRE
Li Gong, ORA Robert Morris, DoD
James Gray, NRL Ravi Sandhu, GMU
Jeremy Jacob, Oxford Marv Schaefer, CTA
For further information contact:
General Chair
Ravi S. Sandhu
ISSE Department
George Mason University
Fairfax, VA 22030-4444
+1 703-993-1659
sandhu@sitevax.gmu.edu
Program Chair
Catherine Meadows
Code 5543
Naval Research Laboratory
Washington, DC 20375
+1 202-767-3490
meadows@itd.nrl.navy.mil
Publications Chair
Joshua Guttman
The MITRE Corporation
Burlington Road
Bedford, MA 01730
+1 617-271-2654
guttman@linus.mitre.org
Please report problems with the web pages to the maintainer