The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 11

Friday 27 November 1992

Contents

o Re: Computer Security Act and Computerized Voting Systems
Roy G. Saltman
Rebecca Mercuri
o How Is Technology Used for Crime in the Post-Hacker Era?
Sanford Sherizen
o Re: Nuclear plant risks
Brad Dolan
o Re: Installer Programs
John Bennett
Mathew
o Re: How to tell people about risks?
Sanford Sherizen
Mark Day
o Change in the Maximum Length of International Telephone Numbers
Nigel Allen
o Humorous submissions for a book
Andrew Davison
o Info on RISKS (comp.risks)

Re: Computer Security Act and Computerized Voting Systems

Roy G. Saltman <SALTMAN@ECF.NCSL.NIST.GOV>
Fri, 27 Nov 1992 15:39:01 -0500 (EST)
This is in response to Rebecca Mercuri [RISKS-14.09] and Bill Murray
[RISKS-14.10] on the subject of the applicability of the Computer Security Act
of 1987 (P.L. 100-235) to computerized voting systems.

The purpose of the Computer Security Act was to create, according to Section 2
(a) of that act, "a means for establishing minimum acceptable security
practices" for "improving the security and privacy of sensitive information in
Federal computer systems."  Systems containing national security, i.e.,
classified, information are excluded from the purview of the act.  In Section
2 (b), the act assigned to the National Bureau of Standards (now the National
Institute of Standards and Technology, NIST) "responsibility for developing
standards and guidelines needed to assure the cost-effective security and
privacy of sensitive information in Federal computer systems..."  By assigning
primary responsibility to NIST for providing the necessary guidance, the act
limited the influence of DoD, as Mr. Murray states, although that was only one
of the purposes, not "the" explicit purpose.

The Computer Security Act of 1987 applies to "Federal computer systems," where
such a system, in the language of the act "means a computer system operated by
a Federal agency or by a contractor of a Federal agency or other organization
that processes information (using a computer system) on behalf of the Federal
Government to accomplish a Federal function."

Now, Mr. Murray is incorrect when he states that "control over voting
procedures is reserved to the states."  That is specifically untrue in the
case of Federal elections.  Federal elections are elections for President,
Vice-President, U.S. Senators, and U.S.  Representatives.  The U.S.
Constitution provides, in Article I, section 4 that the Congress may "at any
time by law alter such regulations" that the State Legislatures impose for
determining the time, places, and manner of holding [Federal] elections.  In
addition, in Article I, section 5, the Constitution states that "each House
[of Congress] shall be the judge of the elections, returns and qualifications
of its own members."

A number of Constitutional Amendments and Federal laws have changed (expanded)
voting rights.  In the most recent Congress, a bill was passed mandating very
specific procedures for voter registration.  The bill would have become law if
not vetoed successfully by President Bush.  While such laws affect only
Federal elections, the states invariably apply them to their own state
elections, because they cannot afford two sets of procedures.  This was
specifically true for the amendment granting voting rights to 18-year-olds, as
well as for the Voting Rights Act of 1965.

As the President, Vice-President, and members of Congress are Federal
officials remunerated through appropriations of the Federal budget, the votes
cast for them on a state or local government computer system is a "system
operated by ... [an] other organization that processes information ... on
behalf of the Federal Government to accomplish a Federal function."

Clearly, votes in Federal elections are sensitive information, under the
Computer Security Act.  The reason that vote-tallying in Federal elections is
not covered is that the act mandates actions by Federal agencies to implement
the act.  However, the definition given to "Federal agency" given in the act
specifically omits the U.S. Senate and the U.S. House of Representatives.
These are the agencies ultimately responsible for Federal election data, and
they have excluded themselves from coverage of the act.  Thus, the only
sensitive Federal data omitted from coverage is the most important for
continuation of our democratic government.


Re: Computer Security Act and Computerized Voting Systems

Rebecca Mercuri <mercuri@gradient.cis.upenn.edu>
Fri, 27 Nov 92 18:28:39 EST
In response to William Hugh Murray's posting in RISKS Forum 14.10:

First of all, let me state that I agree with much of what was said.  Some of
which has even appeared in my earlier writings on this subject, most notably
the observation that DREs are similar to ATMs (which I comment on extensively
in my March 1992 paper published in the Proceedings for the Fifth
International Computer Virus & Security Conference), the statement that
"control over voting procedures is reserved to the states" (which also appears
in that same paper), and I had also alluded to the insufficiency of security
standards and theory applicable to this problem in my recent (November 92
CACM) Inside Risks column. So it appears that we are in agreement here (with
sufficient citations in evidence of this fact).

Readers should note that my use of the phrase "Orange Book" was intended more
generically (as is common) than to the specific book itself. The primary
intent of my posting was to make the public aware of the fact that the FEC and
NASED have not made sufficient use of the ongoing work by NCSC in their
establishment of guidelines and controls for voting equipment. I was not
suggesting that the NCSC documents would BE SUFFICIENT for voting
applications, only that they should be consulted as it is the largest body of
standards work to date regarding computer security and MUCH (not all) of the
rainbow series material IS applicable to the voting area (as well as in
banking, where it is certainly considered), regardless of the original
intention of the Act.

Where Murray and I are not in agreement is in his assertion that the shared
resource problem is not applicable to vote recording, reporting and tallying.
He may have conceived of computerized voting as taking place on independent,
stand-alone systems, but in actuality this is often not the case. Many
computer systems used for voting purposes are networked and time-shared. The
RISKS implications of this should be obvious, now that I have pointed this
out.

A recent voting machine security document that I was asked to review contained
the following statement:

    "The proposed DEC computer operating system (VMS) is one
     of the most secure systems available today. Security
     features that comply with the National Computer Security
     System (NCSC) C2 classification have been built in as an
     integral part of the operating system."

I include these sentences not for their merit (with which I have considerable
difficulty), but to point out that the operating system problem is ALSO highly
applicable to the voting problem.

Both Peter Neumann and I are well aware of the ramifications of getting what
is asked for. We have each publically called for greater care in developing
voting systems with, as Murray said, "extraordinary, not standard, rigor and
... in the light of independent scrutiny." But I must bring to light the fact
that this is not presently the case. I also agree that the laws which affect
voting machines should be specific to their manufacture, and have personally
lobbied to improve these laws, but as some states have failed to adopt even
weak regulations, there must be some place to start, and an existing Computer
Security Act might be a good place to at least look. Note that Congress IS
responsible for overseeing FEDERAL (Presidential and Congressional) elections,
and such SHOULD be considered a matter of national security. Congress did,
though, exempt itself from the CSA and hence it does not apply to elections at
present.

Due to time constraints I am not at liberty to iterate at length on this
subject, but numerous documents and publications are available that will
confirm the fact that electronic voting systems are not being administered
with the care that should be given, that current laws are inadequate,
standards are lacking, and rigorous theories are needed in this area.  CPSR is
a good place to contact if one would like to become more fully aware of this
problem, and then I hope that more individuals will join the effort to ensure
that accurate, anonymous voting is guaranteed.

Rebecca Mercuri.


How Is Technology Used for Crime in the Post-Hacker Era?

Sanford Sherizen <0003965782@mcimail.com>
Fri, 27 Nov 92 14:38 GMT
I am working on a research project and book involving the process by which
some people have been able to "invent" computer and other high tech crimes.
The issue that I am trying to understand is how people adopt new technologies
for purposes other than those envisaged by the developers.  Specifically, some
people are very skilled in what I call thinking like a thief.  They see
technology from a particular perspective, based on how it can be used for
anti-social, deviant, and/or criminal acts.  A counterpart to this are those
who come up with new applications for technology, which may also be viewed as
negative by developers but can often lead to new applications (and even new
industries).

It could be quite important to establish how other technologies have been used
for "inventing" crimes.  How do technologies get expanded and changed,
especially by "non-official" people, i.e., they do not work for the original
technology developers or owners? These "non-official people" see new
possibilities, whether for a positive or negative use.  I know that the terms
positive and negative raise many definitional and value difficulties.  Yet, I
am interested in how people view technology, how they are able to frame
questions about other uses, how this information gets spread to others, and
the positive as well as negative consequences of this process.

Drawing on my background in criminology, sociology, and information security,
I have collected examples on how other crimes have developed and been
responded to by technologists and law enforcement. Some examples that come to
mind include how the car was relatively quickly adopted by bank robbers to
improve their chances of getting away from the crime scene.  This led to
police forces having to become motorized, which had many other consequences
for command and control of police deployment and changes in how the police had
involvements with citizens.  The Xerox or photocopying machine certainly led
to better protection of documents by allowing the making of file copies but
was quickly understood by some that it could also be used to steal copies as
well as to leak documents to unauthorized sources, e.g. the Pentagon Papers.
The automatic dial system was invented to Strowger to prevent Kansas City
telephone operators from depriving him of business by giving busy signals or
wrong numbers to potential customers.  Ithiel de Sola Pool, in his book on the
telephone, discusses how the telephone was portrayed as both the promoter and
the conquerer of crime.  "Call girls" and obscene callers were at least two of
the ways that telephones were viewed as contributing to moral decay while the
first electric police-communication system of record was installed in 1867.

Answering these questions could help establish some clues as to how computer
crime is developing and areas that require particular security attention.  We
have not been very prepared for the "Post-Hacker Era" and we have not been
raising questions about the crime potential of new technologies.

Any ideas, reactions to these comments, and suggestions of any social
historical studies about these issues are welcomed.  I will post a summary of
responses.

Sanford Sherizen, Data Security Systems, Inc., Natick, MA MCI Mail: 3965782


Re: Nuclear plant risks (RISKS-14.09, 14.10)

Brad Dolan <71431.2564@compuserve.com>
27 Nov 92 15:36:59 EST
Mr. Wexelblat points out that recent legislation (mostly) eliminates
post-construction hearings from the nuclear plant licensing process.

I believe the second stage review was often used as a platform by intervenor
groups to delay plant licensing; adding millions, even billions to plant
costs.  Utilities pass these costs along to ratepayers, who must either reduce
their consumption of electrical energy or reduce spending on other things to
pay increased electrical bills.  In the southeastern U.S., many people have
begun heating their homes with wood or (unvented!) kerosene heaters, which
expose them to potentially substantial risks.

I would like to see a comparison of safety benefits (in terms of expected
lives saved, property saved, or whatever) resulting from intervenors'
interventions with the safety detriments which have resulted from increased
electrical bills.

Brad Dolan 71431.2564@compuserve.com 10288-700-NUCLEAR N4VHH


Re: Installer Programs (Thorson alias mmm, RISKS-14.08)

John Bennett, Defence Science & Technology <BENNETT@dstos3.dsto.gov.au>
Thu, 26 Nov 1992 9:58:23 +1030 (CST)
Unfortunately, a de-installer is likely to introduce its own risks if it is
written by the writer of a buggy installer, e.g.,
  a. It might not deinstall everything which should be deinstalled
  b. It might deinstall something which should not be deinstalled
  c. Something else might go wrong.

Sometimes I think Macs are too smart, there are times when I would like some
manual intervention in automatic processes such as Mak describes.

John Bennett, DEFENCE SCIENCE AND TECHNOLOGY ORGANISATION PO Box 1500
Salisbury, South Australia 5108 Phone : +61 8 259 5292 FAX : +61 8 259 5537


Risks of Believing Install Programs

mathew <mathew@mantis.co.uk>
Thu, 26 Nov 92 12:33:59 GMT
I recently installed Microsoft Windows for Workgroups on a Toshiba T5200
"portable" computer.  (I say "portable" because the machine is a few years
old, and hence measures 37x10x40cm and weighs nearly 9kg.)

The machine is connected to our Novell Netware network, and so the process
included installation of Netware and Ethernet drivers.

Windows for Workgroups detected the Ethernet card automatically, and
presented a dialogue box suggesting that it was a Novell NE2000 Anthem card.
This was absolutely correct, so I confirmed it.  The installer then presented
another dialogue, this time with the DMA address and IRQ interrupt number.
The DMA address was correct, and I reasoned that since the machine had worked
everything else out it probably had the IRQ number correct also.  I hit the
OK button.

A warning box appeared stating that the IRQ number on my Ethernet card would
clash with the machine's second serial port, and would have to be changed if
I wanted to use that port.  I'd never used it before, but I did want to now.
I abandoned the installation.

Twenty minutes, three technical reference manuals, twelve fixing screws and
three removable covers later, I had the Ethernet card in my hands.  I
peered at the card.  It was set to address 320, IRQ 2.  Windows had reported
this as address 320, IRQ 3.  I left it exactly as it was, put the machine
back together again, and went through the install once more.

The risk, of course, is that because the install program seemed to know
exactly what sort of Ethernet card I had and what DMA address it used, I
automatically assumed it knew what it was talking about when it told me the
IRQ number.  In my defence, I must say that Windows had been spot-on at
working out the IRQ number for the card in my Elonex machine.

The message for authors of install programs is that perhaps they should avoid
making their programs supply default values using guesswork if the software
can't actually read the value.  If the program makes a couple of lucky
guesses, the user might be tempted to believe that the program knows
something he doesn't.

The message for users is: even if an install program tells you exactly what
hardware you have attached to your machine, never trust it to pick correct
settings based on that information.
                                                mathew


Re: How to tell people about risks?

Sanford Sherizen <0003965782@mcimail.com>
Fri, 27 Nov 92 14:24 GMT
Several years ago, public safety messages would appear prior to major holidays
warning drivers in the U.S. about accidents.  The messages said (paraphrase)
"350 people will die this Thanksgiving holiday.  Don't be one of these
fatalities.  Drive carefully."  Researchers from the Safety Council found that
these risk messages were not helpful at all.  Drivers thought that an accident
would not happen to them.  The risks became someone else's problem.

The Safety Council then decided to personalize risk.  They ran ads directed at
kids suggesting that the kids ask their parents to drive safely and to use
seatbelts.  This approach to risk was much more successful and may have been
one of the many reasons why traffic fatalities have declined over the years.

Sanford Sherizen, Data Security Systems, MCI MAIL: SSHERIZEN  (396-5782)


Telling people about risks (ingredient labels)

Mark Day <mday@jukebox.lcs.mit.edu>
Fri, 27 Nov 92 11:40:25 -0500
One contributor to the discussion about describing risks made two alarming
comments.  I read both comments as arguing (basically) "since ingredient
labels pose certain problems, we should eliminate them and thereby eliminate
the problems".  The comments struck me as a good example of creating a major
risk to correct a minor one, perhaps because I'm more interested in this issue
as a consumer of food than as a producer of food.

Here's the first comment:

  I do not believe that there is any point in attempting to
  convey numerical, let alone statistical, information to a 'general
  public' increasingly deskilled, de-educated, aggressive and litigious.

In essence, since the 'general public' can't be trusted to interpret
facts properly, better not to tell them.

The writer would presumably not include himself in the 'general public' that
he characterizes as so unpleasant; no doubt he could interpret the facts
properly.  But unless the information is on the carton of whatever he's
buying, he won't have access to that information either.  Realistically, the
choice is between making the information available to everyone or making it
available to no-one.  The writer will not be able to go to a special store
(reserved for those who pass a test of numerical skills) to buy goods with
labels describing their contents.

On to the second alarming comment:

  An example of the perceptions of the general public: European food
  manufacturers, who are subject to labelling requirements, find it
  expensive to produce a different label for each country, translating
  the complex chemical names of food additives for each language group.

  Solution: give each additive - they are more or less standardised - a
  European code number (e.g. "E123"). This can then be looked up in a
  language-specific list to provide the chemical name in the required
  language, if anyone is really that interested.

  [goes on to describe that consumers didn't like this]

This is a dreadful solution, and I can understand why consumers would be less
than thrilled about it.  The purpose of ingredient labels on goods is to
convey information to potential purchasers, and this code-word scheme
definitely conveys less information in the real world.

An analogous argument would eliminate ingredient labels altogether, and
require only that the manufacturers provide a telephone number to call for the
ingredients.  After all, the information is still "available", just much less
convenient to check when you actually need it.

If I've learned that I must avoid products containing monosodium glutamate
because of an allergy, I'm going to be unhappy when I need to learn a new code
name for it.  The convenience for the manufacturer is balanced by an
inconvenience for me.

And frankly, the whole business seems like a fraud to me.  It's not just
chemicals that have different names in different European languages, it's also
simple things like water, sugar, salt.  Either all of those get code numbers
(at which point the ingredient labels become utterly useless) or else the
manufacturers still have to produce multiple labels for an identical product.

--Mark Day


Change in the Maximum Length of International Telephone Numbers

Nigel Allen <nigel.allen@canrem.com>
Wed, 25 Nov 1992 19:00:00 -0500
Any application that does not allow for fifteen-digit international telephone
numbers is a potential risk today, and will become a real risk on January 1,
1997.

The following information from Stentor Canadian Network Management, the
consortium of major Canadian telephone companies, was distributed through the
Canadian Department of Communications' Terminal Attachment Program Advisory
Committee as TAPAC bulletin 92-13.

Advance Notice of Change in the Maximum Length of International Telephone
Numbers

Beginning midnight December 31, 1996, CCITT Recommendation E.164 will be
implemented.  This recommendation allows the expansion of international
telephone numbers from 12 to 15 digits.  Although the North American Numbering
Plan will not change, some foreign administrations may assign numbers up to 15
digits long to subscribers. Therefore, terminal equipment originating calls to
these subscribers must be able to handle the additional digits.

For more information on this change, please contact:
 Marion Norman
 Stentor Canadian Network Management
 410 Laurier Ave. West, 8th Floor
 P.O. Box 2410, Station D
 Ottawa, Ontario
 Canada  K1P 6H5
 telephone (613) 560-3420
 fax (613) 560-3226

Note from NDA: I think the "international telephone number" in this context
includes the country code but excludes the access prefix, such as 011 in
Canada and the United States.

Readers in the United States should presumably contact the North American
Numbering Plan Administration at Bellcore rather than Stentor.

 Nigel Allen              nigel.allen@canrem.com

Canada Remote Systems  - Toronto, Ontario
World's Largest PCBOARD System - 416-629-7000/629-7044

             [And so, dear RISKS readers, beginning 1 Jan 1997 we
             can expect various strange reports to appear...   PGN


Humorous Submissions

Andrew Davison <ad@munta.cs.mu.OZ.AU>
Fri, 27 Nov 1992 11:53:46 +1100
CALL FOR SUBMISSIONS FOR A NEW BOOK Tentatively titled:
        "Humour the Computer:
    Humorous Writings concerning Computing"

We seek contributions of a humorous nature for a new book called `Humour the
Computer', an anthology of the comic, amusing and laughable aspects of
Computing. It is scheduled to be published by MIT Press early in 1994.

Topics of interest include:

* computing experiences: e.g. `a day in the life',
  computing jobs - industry, commerce, teaching, research, etc;
  getting funded in the 90's, getting a job in the 90's,
  home computing, how computer people relax, exam marking stories,
  getting published, office politics

* the history of computing: e.g. the mistakes, the disasters, the egos
  gone mad (with names changed to prevent law suits), folklore (not
  necessarily true)

* the future of computing

* computing in the Real World: e.g. in the media, computer salesmen,
  misconceptions about computing, the misuse (abuse) of computing, faulty
  software/hardware, the `training' course

* fake journal articles: e.g. AI, expert systems, machine architectures
  software engineering, new programming languages, semantics;
  surveys of `important' fields: Virtual Reality, neural nets,
  OO, what-ever, etcl

* jokes and cartoons (these will only occupy a small portion of
  the book)

* suggestions for a better name for the collection

Contributions will be judged on clarity, insignificance, irrelevance,
incorrectness, originality, but most of all for their ability to make the
editor laugh. Authors should make their papers understandable to a broad
audience - not too many `in-jokes' please.

Authors should submit three (3) copies (preferably double-sided) of the
prospective article to the editor; people without access to a photocopier may
submit a single copy. Electronic submissions are *not* encouraged.

Each manuscript should have a title page with the title of the essay, full
name(s) and affiliation(s) of author(s), complete postal and electronic
addresses, telephone number(s), and a 150 word summary.

Contributions must *not* exceed 4000 words (approximately 8 A4 pages typeset
10-point on 16-point spacing, or 12 pages if typewritten double-spaced).
Shorter articles will be viewed more favourably than longer ones.

Previously unpublished material is preferred. Contributors of published
material must have copyright to it. All contributors will be asked to sign a
permission letter giving MIT Press the right to print the material but NOT
transferring copyright.

Submissions must be received by April 3rd, 1993. Authors will
be notified of acceptance or rejection by July 1st, 1993. Full
versions of the accepted articles must be formatted according to MIT Press
conventions, and camera-ready copy must be received by the editor
by August 24th, 1993.

For further information, contact the editor:

Dr. Andrew Davison, Department of Computer Science
University of Melbourne, Parkville, Victoria 3052, Australia
Email: ad@cs.mu.oz.au  Fax: +61 3 348 1184  Tel: +61 3 344 7207 / 5230
Telex: AA 35185

Summary of Important Dates:

April 3rd, 1993:    Due date for 3 copies of submission
July 1st, 1993:     Notification of acceptance
August 24th, 1993:  Due date for final manuscript
Early 1994:     Publication

    [If you submit something that you saw in RISKS, which even I shall
    probably do, you might be very careful to indicate all of the
    indicated sources -- including RISKS...  Good luck!  PGN]

Please report problems with the web pages to the maintainer

Top