Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 14: Issue 87
Wednesday 25 August 1993
Contents
Mars Observer- PGN
Chronicle of a bug foretold- Paul Eggert
Quote for the Day- Brinton Cooper
RISKS of elaborating on exploitation of known RISKS- David P. Reed, PGN
Cisco routers- Al Whaley
Phone Number Gridlock Looms- Sanford Sherizen
Digital markets- Phil Agre
Re: Everyone gets an 'A' for Welsh exam- Lars-Henrik Eriksson
InfoTech Security and Control, Conference Report- Klaus Brunnstein
Info on RISKS (comp.risks)
Mars Observer
"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 26 Aug 93 9:48:10 PDT
I've been holding off on running anything on the Mars Observer, hoping for either a miraculous recovery or further details on what actually happened. In this case, no news is bad news; hopes for restoring communications with the $1B spaceprobe are dwindling rapidly, and details on what happened may never be known. Communications were interrupted at 6 p.m. on Saturday, August 21, just after the Observer had pressurized its propulsion-system fuel tanks, preparatory to the rocket firings that would slow it down and allow it to be captured by Martian gravity --- placing it in orbit around Mars. The subsequent request to switch on its antenna received no response. Up until that point the mission had been relatively trouble free --- except that on two occasions the spacecraft's instructions had to be revised to overcome temporary problems. Even if command communications from the ground failed, the mission had been programmed to attain orbit anyway, if a few assumptions were satisfied --- such as that the backup programs worked and the antenna was functioning properly. On Monday (August 23), Glenn Cunningham, project manager at the Jet Propulsion Laboratory, speculated on several possible scenarios that might have caused the failure: the Observer's onboard clock may have stopped; the radio could have overheated; its antenna could have gone askew. On Wednesday, John Pike of the Federation of American Scientists noted that, because the disruption of communications coincided with the precise moment that the spacecraft was programmed to pressurize its helium tank (which in turn pressurizes the hydrazine-oxygen fuel system), the increased pressure might have caused a leak in one of the helium lines or a *virtual explosion*. He added that if the leak were pinhole-sized, the spacecraft would now be spinning. If it were larger, the spacecraft would be completely out of control.
Cunningham disclosed that, while the spacecraft was being built, a slow leak had been discovered in the original helium tank, which was replaced. Meanwhile, silence persists. The $1.4B Galileo spacecraft en route to Jupiter is also experiencing difficulties. Its main antenna jammed, and it can transmit only very slowly with its low-gain antenna. It is supposed to photograph an asteroid named Ida, beginning on Saturday. [Gilbert and Sullivan wrote an operetta on that subject about one hundred years ago -- Prints Is Ida.] These problems come on the heels of the continued launch delays on the latest Discovery mission, a weather satellite that died in orbit last week after an electronic malfunction, and the Navy communications satellite that was launched into an unusable orbit from Vandenberg last March ($138M). Shuttle launches are seriously delayed, which is likely to affect the planned space walk to repair the Hubble Telescope, currently scheduled for December. [This summary report is based on articles in the *San Francisco Chronicle*, August 23 by John Noble Wilford of *The New York Times*, August 24 from the *Los Angeles Times*, and August 25-26 by David Perlman, Chronicle Science Editor.]
Chronicle of a bug foretold
Paul Eggert <eggert@twinsun.com>
25 Aug 1993 20:05:14 -0700
I've often wanted something like a National Weather Service for software
failures -- an early warning system that would let us know a few days or hours
before trouble strikes. Well, sometimes daydreams can become true, at least
in special domains. Here are two forecasts:
On August 28, 1993, at 2 AM local time, workstations and PCs in Israel
that are running Sun's Solaris 2.2 will suddenly lose an hour.
On October 24, 1993, at 2 AM local time, Solaris 2.2 workstations and
PCs in the British Isles will _not_ lose an hour. Unfortunately,
everyone else there will be turning back their clocks that morning.
These failures will occur because of errors in Solaris 2.2's time zone tables,
which seem to stem from a configuration management problem. When going from
Solaris 1 to Solaris 2, Sun's software developers somehow reverted to an early
1989 version of Arthur David Olson's public domain time zone tables, thus
discarding all time zone changes due to laws passed by parliaments since then.
Given the AT&T/Sun proprietary notices that are plastered over the Solaris 2
tables, I would guess that AT&T bears some blame for this bug and that other
SVR4 Unix hosts may have similar problems.
If you're technically inclined and have a Solaris 2 host handy, you can
confirm the bug by running the command `/usr/sbin/zdump -v Israel | grep 1993'
(similarly for `GB-Eire'). To fix the bug, apply the `zic' command to Olson's
latest tables, which you can FTP from elsie.nci.nih.gov:pub/tzdata93d.tar.Z.
[I wonder what happened in Kwajalein, where there was NO Friday,
August 20, 1993. Thursday night at midnight Kwajalein switched sides with
respect to the International Date Line, to rejoin its fellow islands,
going from 11:59 p.m. Thursday to 12:00 m. Saturday in a blink. Are there
any RISKS readers out there who have anything to report? PGN]
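As an added example (not part of Eggert's post or of Sun's software), a small Python check that diffs the transitions reported by `zdump -v` on two hosts, so a stale time zone table of the kind described above can be spotted before the forecast date arrives. The zdump lines below are constructed to mirror the two forecasts, not captured from a Solaris 2.2 host, and the exact instants are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line of classic `zdump -v` output:
#   ZONE  <UTC instant> GMT = <local time> <abbrev> isdst=<0|1>
LINE_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<utc>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) (?:GMT|UTC)"
    r" = (?P<local>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) (?P<abbr>\S+) isdst=(?P<isdst>[01])"
)
ZDUMP_FMT = "%a %b %d %H:%M:%S %Y"


def parse_transitions(zdump_text):
    """Return {zone: set of UTC datetimes at which the local clock changes}.

    zdump -v prints each transition as two lines one second apart: the last
    second under the old rule and the first under the new. The instant of the
    second line is recorded when the abbreviation or DST flag differs.
    """
    rows = []
    for line in zdump_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["zone"], datetime.strptime(m["utc"], ZDUMP_FMT),
                         m["abbr"], m["isdst"]))
    transitions = defaultdict(set)
    for (z1, t1, a1, d1), (z2, t2, a2, d2) in zip(rows, rows[1:]):
        if z1 == z2 and t2 - t1 == timedelta(seconds=1) and (a1, d1) != (a2, d2):
            transitions[z2].add(t2)
    return transitions


def compare_tables(stale_text, current_text):
    """Diff two zdump outputs per zone: transitions the stale table lacks
    ('missing') and transitions it reports that the current table does not
    ('spurious'). Either kind means the host will disagree with local law."""
    stale = parse_transitions(stale_text)
    current = parse_transitions(current_text)
    report = {}
    for zone in sorted(set(stale) | set(current)):
        report[zone] = {
            "missing": sorted(current[zone] - stale[zone]),
            "spurious": sorted(stale[zone] - current[zone]),
        }
    return report


# Constructed sample output (not from a real host) of `zdump -v Israel | grep 1993`
# and `zdump -v GB-Eire | grep 1993`. STALE mimics a table that ends Israeli
# summer time on 28 Aug 1993 and knows no autumn change for GB-Eire; CURRENT
# mimics a table with the 1993 rules in force (instants are illustrative).
STALE_1993 = """\
Israel  Fri Aug 27 22:59:59 1993 GMT = Sat Aug 28 01:59:59 1993 IDT isdst=1
Israel  Fri Aug 27 23:00:00 1993 GMT = Sat Aug 28 01:00:00 1993 IST isdst=0
GB-Eire  Sun Mar 28 00:59:59 1993 GMT = Sun Mar 28 00:59:59 1993 GMT isdst=0
GB-Eire  Sun Mar 28 01:00:00 1993 GMT = Sun Mar 28 02:00:00 1993 BST isdst=1
"""
CURRENT_1993 = """\
Israel  Sat Sep  4 20:59:59 1993 GMT = Sat Sep  4 23:59:59 1993 IDT isdst=1
Israel  Sat Sep  4 21:00:00 1993 GMT = Sat Sep  4 23:00:00 1993 IST isdst=0
GB-Eire  Sun Mar 28 00:59:59 1993 GMT = Sun Mar 28 00:59:59 1993 GMT isdst=0
GB-Eire  Sun Mar 28 01:00:00 1993 GMT = Sun Mar 28 02:00:00 1993 BST isdst=1
GB-Eire  Sun Oct 24 00:59:59 1993 GMT = Sun Oct 24 01:59:59 1993 BST isdst=1
GB-Eire  Sun Oct 24 01:00:00 1993 GMT = Sun Oct 24 01:00:00 1993 GMT isdst=0
"""

if __name__ == "__main__":
    for zone, diff in compare_tables(STALE_1993, CURRENT_1993).items():
        for kind in ("missing", "spurious"):
            for t in diff[kind]:
                print(f"{zone}: {kind} transition at {t:%Y-%m-%d %H:%M} UTC")
```

On a live system, feed the function the real output of `zdump -v <zone>` from the suspect host and from a host with freshly compiled tables.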
Quote for the Day
Brinton Cooper <abc@ARL.ARMY.MIL>
Wed, 25 Aug 93 20:11:10 EDT
...out of context, of course.
>From "Computer Organization and Design--the Hardware Interface" by David
Patterson and John Hennessy:
"...minimizing the logic is both complex and error-prone
and, thus, is better left to a program."
_Brint
RISKS of elaborating on exploitation of known RISKS
David P. Reed <reed@interval.com>
Tue, 24 Aug 93 09:45:29 PDT
The posting on RISKS or any other mailing list of novel ways to exploit defects in systems to commit crimes is itself a RISK of the technology that makes RISKS possible. The inclusion of "smart answering machine" hacks as a new subtopic is a little disturbing to me personally. In the early '70's I devoted a reasonable amount of time to "tiger team" activities (sponsored by ARPA) to learn how secure typical computer systems were (TENEX, Unix, and Multics, e.g.). As such, I had a lot of time to think about what to do with what I learned. I offer the following suggested social ethic around mitigating the risk-amplification RISK associated with publishing RISKS, while preserving the benefit of identifying risks. There is a big difference between discovering and publishing a generic weakness such as "programming a smart answering machine with weak security to carry out tasks on your behalf", and the second level of inventing the cleverest or most profitable scenario for use, and publishing a detailed cookbook approach to using the weakness for committing various crimes. This doesn't illuminate the weakness further, unless you posit that your audience is stupid. RISKS readers are not. A reasonable rule, then, is to identify and publish broad categorizations of weaknesses, but it probably amplifies the risk for all of us to then broadcast to everyone the cleverest exploitations of those risks you can think of. I carry to my grave some wonderfully clever ways to make myself rich, destroy my enemies, and earn the perverse fame and glory associated with destructive or prankish hacking. But my conscience would hurt if others were hurt by my dissemination of these ideas.
Re: RISKS of elaborating on exploitation of known RISKS
"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 26 Aug 93 10:34:12 PDT
David Reed discusses a very sticky wicket that has been discussed repeatedly in RISKS. The biggest problem with not having the flaws publicly discussed is that supposedly unknown flaws tend NEVER to get fixed. The general compromise strategy seems to be to inform people who might actually do something about discovered flaws, and then if those folks do nothing, let the flaws be known. There is a pervasive need for knowledge that particular schemes are intrinsically unsafe/unreliable/unsecure. Many people are living with blinders on, as is evidenced by the recurrence of the same types of problems, over and over. Almost every remotely controllable answering-machine system is vulnerable today. Cellular phones are intrinsically vulnerable today. How many installations run with the sendmail debug option enabled? How many .rhosts files permit file systems to be accessible remotely? Does anyone care?
Cisco routers
Al Whaley <Al.Whaley@sunnyside.com>
Wed, 25 Aug 1993 12:56:54 -0700 (PDT)
Rumors abound that Cisco routers have a back door; that is when a TCP port is
disabled, it can still be accessed from Cisco's IP number.
I have personally verified this with the sendmail port.
Al Whaley al@sunnyside.com +1-415 322-5411(Tel), -6481 (Fax)
Sunnyside Computing, Inc., PO Box 60, Palo Alto, CA 94302
[Private trapdoors for developers and maintenance folks are remarkably
common, and in many other cases represent more serious risks than this
one. WarGames was not pulling your leg. PGN]
[***** NOTE ADDED ON 2 SEP 1993 TO THE ARCHIVE COPY: Subsequent
discussion has indicated that the above noted rumours are UNFOUNDED.
PLEASE SEE RISKS-15.01 FOR CLARIFICATION. PGN *****]
Phone Number Gridlock Looms
Sanford Sherizen <0003965782@mcimail.com>
Wed, 25 Aug 93 12:31 GMT
A *Los Angeles Times* article by Jube Shiver Jr. printed in the Sunday *New Hampshire News* (Aug. 22, 1993) states that Bellcore will phase out oversight of number allocation in the next 12-18 months. Bellcore's decision will affect the rate at which new communication technologies can be put into service, and the complex task of allocating numbers will have to be administered by some other organization. Number allocation includes area codes, five-digit long distance carrier identification codes, some local phone numbers and codes for toll-free and 900-prefix information services. According to the article, Bellcore was abandoning this free role in response to what its president called unfounded complaints by its rivals that it might discriminate in favor of its owners in the distribution of new phone numbers. This change occurs at a time when federal regulators are preparing to authorize the first of a host of new communications services. Bellcore's announcement followed a surprise FCC decision earlier this month to halt the company's planned assignment of 500 service-access codes to personal communications services (PCS). The FCC cited industry concern that several of Bellcore's owners were among those vying for the new codes. Sanford Sherizen, Data Security Systems, Natick, MA
Digital markets
Phil Agre <pagre@weber.ucsd.edu>
Wed, 25 Aug 1993 17:11:21 -0700
The following article provides an exceptionally clear account of computerized high finance centered on so-called "derivative products". These are (among other things) ways of buying and selling debt streams with given properties. For example, a company in need of short-term cash might exchange a bundle of 30-year home mortgages (which provide money with high reliability but at low rates of return and over a long period) in favor of a bundle of junk bonds (which provide money with lower reliability but at higher rates of return and on a variety of schedules). Robert Lenzner and William Heuslein, How derivatives are transforming Wall Street, Forbes 151(7), 29 March 1993, pages 62-72. This is Forbes, though, so the critical perspective is pretty much missing. For that you might turn to a new book by a New York Times reporter: Joel Kurtzman, The Death of Money, New York: Simon and Schuster, 1993. This is a wide-eyed account of how the truly gigantic international flows of cash, greatly facilitated by computers and telecommunications, are changing economic institutions and theories. For example, he interviews mathematicians and physicists who engage in high-powered zaitech (financial engineering) for Wall Street companies. I'm not entirely comfortable with the book. I don't think it's successful in its argument that a radical change in the very nature of money is making neoclassical economics obsolete. (Neoclassical economics may be obsolete anyway, of course, but that's another topic.) For example, he places an awful lot of weight on the end of the gold standard. And regular economists will argue that most fancy zaitech is just arbitrage, which (they say) simply makes markets function more efficiently. His main arguments for a computer-based risk to society are based on observations about market volatility and a critique of "speculation". On the topic of market volatility, you'll have to read his argument about the 1987 stock market crash and see for yourself. 
And he really doesn't give us enough information to form any very novel opinions on the common view that rapid, quantitative investment decisions, by focusing on short-term fluctuations, ignore and thus undermine market "fundamentals". Nonetheless, I do recommend the book as an introduction to the people and numbers. He also cites some of the more technical literature. On a related topic, I cannot recommend highly enough the following book: Stanley M. Davis, Future Perfect, Reading, MA: Addison-Wesley, 1987. Davis is a management consultant who sees an amazing future in which computer and telecommunications technology, among other things, changes the nature of many products and markets through dramatically more rapid and specific responses to changing customer needs. The book is hard going and downright weird in places, but it's full of remarkable speculations. For example, he suggests that businesses try as much as possible to separate the "material" and "information" dimensions of a product, combining them as close to the customer as possible. The idea is that information (a) can be moved much faster than physical materials and (b) is much more amenable to rapid and highly specific customization, and so therefore should be processed in a centralized way, whereas physical materials should be distributed as widely as possible to minimize delivery times. What does this mean in practice? You'll have to hire a management consultant to help you figure that out. Phil Agre, UCSD
Re: Everyone gets an 'A' for Welsh exam
<lhe@sics.se>
Tue, 24 Aug 93 09:29:01 +0200
A similar thing happened in Sweden last week. Due to a programming error, some positions for studying dentistry in Gothenburg were given to applicants with the poorest grades! According to Swedish law, a formal decision to enroll someone in a university program can't be revoked, so the University of Gothenburg has no choice but to accept these students. Lars-Henrik Eriksson, Swedish Institute of Computer Science, Box 1263 S-164 28 KISTA, SWEDEN lhe@sics.se +46 8 752 15 09 Fax: +46 8 751 72 30
InfoTech Security and Control, Conference Report
Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.d400.de>
Mon, 23 Aug 1993 18:52:59 +0200
Report on an International IFIP Working Conference on
"Security and Control of Information Technology"
(Stockholm - St. Petersburg, August 12-17, 1993)
From: Klaus Brunnstein, University of Hamburg (August 21, 1993)
Under the auspices of the International Federation for Information Processing
(IFIP) WG 9.6 "IT Misuse and the Law" (chairman: R.Sizer/UK), an International
Working Conference on "Security and Control of IT in Society" was held on a
ship plying between Stockholm and St.Petersburg, prepared by University of
Stockholm (Ann Marie Bodor, Louise Yngstroem). Attended by about 60 active
participants, this event included one day in St. Petersburg's Russian Academy
of Science's Steklov Mathematical Institute, packed with information on the
status of IT Security and Legislation in Russia, prepared by Eldar Musaev (St.
Petersburg) and Simone Fischer-Huebner (Hamburg).
Following the dominant professional interests of participants, almost equally
divided into technical and legal aspects, the program onboard the ship was
dominated by often rather controversial discussions about legal versus
technical aspects. This biased approach was even stimulated by an introductory
panel discussing the thesis that "Law cannot help to Control IT Security",
intending to argue in traditional (Oxfordian) debate style about the pros and
cons of legal IT regulations. Though well-intended, this debate may have
set an unhappy start of an otherwise stimulating event (the thesis was
rejected in a voting process with majority).
The onboard program's first part was devoted to legal aspects, esp. dealing
with privacy. Here, a paper presented by Norwegian anthropologist Rolf Lunheim
in cooperation with computer scientist Guttorm Sindre gave several examples
that privacy is rather inconsistently understood in different cultures. Such
different views even between Western participants became evident in the
presentations of some leading privacy and law experts, which used the term in
their resp. cultural understanding. Here, Bieke Spruyt and Bart de Schutter
(University of Brussels) discussed whether an International Law on Security of
Information Systems is emerging; they saw needs for such standardisation and
pointed to few emerging building stones of future regulations, such as the
OECD guidelines, which were presented in good detail later by Richard
Hackworth (Berkhamsted), UK member of the OECD expert panel which developed
these guidelines.
Within the legal stream, Margaret Jackson (Royal Melbourne Institute of
Technology) contributed significant details in describing the status of
Australian IT-related legislation, including such diverse areas as
intellectual property protection, civil and criminal law. She also described
proactive contributions by Australian courts and commissions. Moreover, she
gave interesting details about developments in selected countries in the
Asia-Pacific region (e.g. Korea) in related legal fields.
Completing the critical survey of state-of-law, Lawrence F. Young (University
of Cincinnati, Ohio) presented his analysis of "Utopians, Cyberpunks, Players,
and other Criminals: Deterrence and the Law" with special emphasis on the
contemporary US situation. After describing shortcomings of US federal and
state laws, he analysed diverse forms of computer crimes, including violations
of privacy and intellectual property, interruption and theft of services,
larceny, espionage etc. He concluded that even recent US laws need serious
revision, including extension in scope and more uniform formulations to make
them comparable and applicable over US federal states' boundaries.
In some contrast with the analysis concentrating on the legal situation, Ruud
Ketelaar (Amsterdam) and Simone Fischer-Huebner (University Hamburg) addressed
both legal and technical aspects by arguing that some IT security mechanisms
(e.g. collecting audit trails) further invade privacy and protection of
personal data, thus even enlarging the legal problems. Besides some rather
controversial discussion whether the term "confidentiality" as used in IT
security discussions may be understood as somehow equivalent to "privacy" in
legal fields, Ketelaar's and Fischer-Huebner's contributions were the only ones
to transgress the evident gap between lawyers and technicians.
The "Russian Day" held Saturday on solid ground in St. Peterburg unvealed
surprising insights into implications which the recent dramatic political
changes (known as "perestroyka") produce in Russian society, esp. such ones
related to IT Security. In his introduction into "IT versus Security in
Russia", Eldar Musaev (Steklov Mathematical Institute, Russian Academy of
Sciences, St.Petersburg) presented examples of major incidents in Russia in
recent years. Probably the most shocking one was the theft of a computer
including a database of Chernobyl victims and related statistics; as no
backup was done due to lack of magnetic media, this database was definitely
lost. Until now, it is unclear whether the thieves were merely interested in
the computer (which is the likely assumption) or were interested in the
database.
Most interesting contributions concerned the constructive approaches to
improve technical and legal instruments for preventing or fighting IT misuse.
Here, Yuri Andreevich Timofeef, chairman of Russia's National Subcommittee
(127) on methods and means of information protection, reported about the
systematic approach which is undertaken by several cooperating institutions to
establish a basic concept (including definition of terms) as well as national
IT security criteria for both IT products and systems, for government,
commercial and private applications. These "Russian IT Security Evaluation
Criteria" published in late 1992 (in Russian) in 5 volumes adapt other
criteria (esp. US-TCSEC and Europe-ITSEC) to Russia's national needs. Related
to these developments of concepts, a Russian IT security industry (with yet
more than 50 enterprises in Moscow) has yet developed as experts from former
military IT security fields are seeking for commercial jobs, and with several
new products and ideas, accompanied by a National conference and a new Russian
Journal on IT Security.
Closely related to Russian IT Security concepts as well as to the present
development of a new constitution including principles on both the right for
information and the right for private life and private mail, Andrey Petrovich
Kurilo (Moscow), head of department of information technologies security
branch in the State Technical Commission of Russia described the structure of
the emerging Russian IT related legislation. Here, the Russian Draft InfoSEC
Act aims at covering almost all fields, including:
1) Administrative and Physical Protection,
2) Protection against unauthorized access to information
in single systems (somehow comparable to COMPSEC),
3) Protection of information and availability in networks
(comparable to COMSEC),
4) Protection of Electronic Document Interchange, including
regulation of digital signatures,
5) Protection from compromising secrecy by detection of
signals and electromagnetic radiation (TEMPEST-like),
6) Protection from malicious software (viruses etc), and
7) Protection against threats to Intellectual Property,
illegal copying etc.
In the legislation process, several "secrets" shall be legally protected
(addressing operations of state and military, commerce, banks, as well as
concerning personal data, microcircuits and digital signatures). Here,
appropriate criminal, civil and labour laws are being developed.
As examples of Russian ITSEC legal approaches, a paper on "Legal aspects of
digital signature standardisation" was presented by Viktor V. Markelov
(Federal Agency of Government Communication and Information, Moscow), which
was later nicely complemented by a survey about work, problems and
developments in Germany by Kathrin Dippel (Darmstadt/Germany). Moreover, an
example of a new Russian product was the description of an AntiVirus product
(AIDSTEST), which was said to protect the user against over 95% of present and
future viruses. Mixed in between the Russian papers to exchange also
information from West to East, overviews of Western developments presented
OECD Guidelines (Hackworth), US Federal Criteria (Abrams) and IT Security
Policies (White).
Back onboard, the last day centered on technical discussions concerning IT
security classification, education and esp. problems of electronic signatures.
This was somehow "interrupted" by Larry Young's contribution and by an
overview of IFIP's present activities in formulating a "Framework for Codes of
Ethics and Professional Conduct", presented by Conference Chairman Richard
Sizer (UK).
An overview of "Recent Development in IT Security Evaluation" was presented by
Kai Rannenberg (Freiburg/Germany), who overviewed and compared approaches from
Orange Book to Europe's IT Security Evaluation Criteria (ITSEC), the Canadian
approach (CTCPEC) and the recent US Federal Criteria (FC-ITS) with concepts
discussed in ISO working groups. While Rannenberg suggests "facets of security
and services" as new ordering scheme, Marshall Abrams (MITRE, McLean/Virginia)
in his distinguished way described a "Symbiosis among IT Security Standards,
Policies, and Criteria" where he presented both progresses and demands for
research in miscellaneous fields. He esp. mentioned "assurance" as
ill-understood, and he suggested that multiple policy models be analysed to
select the most adequate one for an economic or governmental organisation's
demand. Both presentations reviewed the IT Security with critical view towards
shortcomings in the technical concepts but the papers as well as related
discussions did not explicitly analyse basic paradigms inherent in InfoSEC
concepts nor did they describe implied social risks.
One of Marshall Abrams's conclusions about IT security policies was that "If
security is everybody's obligation, it is nobody's obligation". This seemed to
be in contradiction with a position which Peter White, security consultant
from Ipswich/UK presented in his paper on "Preparing System Security
Policies". Based on a formal framework, he described results of a survey about
evaluations of experienced threats and countermeasures against theft,
infiltration and loss of confidence. To enforce general System Security
Policies in organisations, every person must behave according to her/his
responsibility, rather than projecting security demands on "secure and safe"
systems including security managers.
In two final workshops, potential impact of the OECD Guidelines (chaired by
Richard Hackworth) and relations between legal paradigms and InfoSEC (chaired
by Peter White) were discussed. With some suggestions for future work and some
clarification of terms which before may have been differently understood, the
conference at this stage may have overcome some gaps in understanding between
the InfoSEC and the Law parties as observed before. Apart from the rather
general notion that both Law and InfoSEC act within society and affect it, it
remained open what the specific social implications of InfoSEC might be which
the parent committee IFIP TC-9 "Relationship between Computers and Society" is
concerned with.
Summarizing and assessing the value of this event, two essential steps were
taken which may produce future insights. First, the start of an information
exchange between Russia and other countries alone was worth the trip to St.
Petersburg. Second, besides many interesting contributions, the onboard
conference may be regarded as an initial step in bridging the evident gap
between ITSEC professionals, law experts and other fields (like sociology and
anthropology) presently less active. In this sense, the Conference Proceedings
(to be published by Elsevier/North Holland in fall 1993) will surely form an
interesting basis for future work.