The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 31

Friday 5 February 1993

Contents

o "Computer Blamed For Phone Jam" [Ohio Bell]
Joe Brownlee
o BNFL prosecuted for unauthorised software changes
Martyn Thomas
o Residues in a surplus bank computer
Fred Cohen
o Re: Educational computer game banned
Guy K. Haas
o Re: Clever Tactics Against Piracy
Gerd Meissner
o Anecdotes Wanted on the Risks of Information Security
Dorothy Denning
o Re: The FBI and Lotus cc:Mail
Isaac Rabinovitch
Roger D Binns
Bill Stewart
Dorothy Denning
Dorothy Denning
Dorothy Denning
Dick Joltes
Dick Joltes
Ray Ozzie via Peter Wayner
o Anyone can get your U. of Illinois transcript
Carl M. Kadie
o Phone Company Cleverness
Jon Leech
o Info on RISKS (comp.risks)

"Computer Blamed For Phone Jam"

<joe@cbcosmos.att.com>
Fri, 29 Jan 93 7:42:40 EST
  from the 1/28/93 Columbus (Ohio) "Dispatch"
  by Ron Lietzke and Bruce Cadwallader

  A three-minute computer failure at an Ohio Bell central office disrupted
  phone service for 42,000 telephone lines in the Downtown business district
  for about 45 minutes yesterday morning.  The computer problem cleared after
  a few minutes, but the disruption snowballed when a surge of callers seeking
  dial tones caused a telephone traffic jam of sorts, Ohio Bell spokesman
  David Kandel said.

  Outgoing and incoming calls on 15 Downtown prefixes were disrupted by the
  problem, which started at 9:42 AM.  The Columbus police, the Franklin County
  Sherrif's Department, Columbus Public Schools, and state offices were among
  those disrupted by the outage, Kandel said.

  Callers in the affected prefix areas who dialed 911 could not reach Columbus
  police or the Franklin County Sherrif's office for at least 3 minutes.
  However, those agencies reported that they did not receive any complaints
  after the dial tones returned.  "It was starting to clear itself within
  minutes, but because you're looking at such a huge volume of calls Downtown,
  it took the system time to recover," Kandel said.  "The system was
  delivering a very, very slow dial tone."

  Problems started when one of two computer processors failed.  The other took
  over, but it took about three minutes for it to retrieve the information
  from the failed processor, Kandel said.  Ohio Bell technicians were working
  with the equipment manufacturer yesterday to determine what caused the
  processor to fail.  It still was not working late yesterday.  [...]

  Columbus police dispatchers reported having problems for about 30 minutes.
  Chief Deputy Robert Taylor of the sheriff's department said this radio room
  used cellular phones until the problem cleared.  Neither department knew of
  any emergencies missed because of the computer problem.  Columbus
  firefighters said they were receiving 911 calls throughout the period of
  disruption.

Two items of interest I note.  One is that even a brief delay in grabbing data
from the failed computer resulted in a large backlog.  Perhaps the system was
not designed to account for the large number of lines in downtown Columbus,
which boomed during the 1980's.  Phone systems tend to use less than state-of-
the-art technology (to avoid many of the "bleeding edge" problems often noted
here), but in this case, perhaps a faster processor or live mirroring of the
data in question would have helped.

As to my second point, twice the article points out that nobody knew of any
emergency calls that were missed, with the implication that no harm was done.
Dead men tell no tales?

Joe Brownlee, Analysts International Corp. @ AT&T Network Systems 471 E Broad
St, Suite 2001, Columbus, Ohio 43215 (614) 860-7461 joe@cbcosmos.att.com


BNFL prosecuted for unauthorised software changes

Martyn Thomas <mct@praxis.co.uk>
Thu, 4 Feb 93 15:48:16 GMT
According to Computing (4 Feb), British Nuclear Fuels Ltd is being
prosecuted for making alleged unauthorised software changes to a safety
mechanism on a shield door at Sellafield.

      Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel:    +44-225-444700.   Email:   mct@praxis.co.uk     Fax: +44-225-465205


Residues in a surplus bank computer

Fred Cohen <fc@turing.duq.edu>
Wed, 3 Feb 93 18:35:52 -0500
This one goes in the `When will they ever learn?' category:

    I just got a call from a person who recently purchased a Unix based PC
as junk from a bank, and low and behold, the computer was not cleaned before
sale.  How hard is it to break in?  Not too!  All you have to do is boot from
a DOS floppy, run Norton Utilities or any similar tool, search for the `root:'
part of the password file, and change that line to look like `root::0:1::/:'.
Then you reboot from Unix and login as root with no password!

    So that's too simple to be believed, but of course it works, and now
comes the real problem.  I am not sure it's illegal to use that data however
you want! That's right, the computer crime laws don't cover computers that are
not attached to any networks, aren't part of the banking system, etc.  This
system is no longer a banking computer, the data was sold along with the
system to the new owner by the bank with no stipulations or warnings (as-is),
and the new owner, as far as I can tell, has the right to use anything on the
computer as their own.

    It's a little upsetting that the bank didn't bother to do a secure
deletion before giving all this data away (only about 120Mbytes worth of
information on customers, etc.).  How about the privacy of the customers of
the bank? How about the EFT codes stored on-line! How about all the passwords
that can now be guessed and exploited to enter the bank as if you were an
employee? Oh well, anyone want to buy a used computer - no longer so cheap?

            [Expletives deleted if there were expletives UNDELETED.
               By the way, remember that the C2 Orange Book requirement is
               for deletion prior to initial assignment and reallocation.
               Somewhere there should be a requirement for deletion prior
               to permanent deallocation as well.  PGN]


Re: Educational computer game banned (Shaun, RISKS-14.30)

<ghaas@informix.com>
Thu, 4 Feb 93 07:43:33 PST
With all due respect to Christina Kirby, the "Wizards" game is NOT a computer
game.  It is a pencil-and-paper game, like other adventure simulations.  The
students gain points by achieving goals in spelling (and perhaps other
language-related tasks), and translate these points into progress around a
game board.  It bears a superficial resemblance to "Dungeons and Dragons,"
with magicians, wizards, a winged dragon, a pit -- symbols that some
(fundamentalist) Christians equate with Satanism and/or disregard for Biblical
symbolism.  The symbols were the basis of the argument made against the game.

The teachers had two objections -- the issue of choice of instructional
materials, and that of the way the District imposed the ban.  One result of
the uproar was a rewrite of the "Challenged Instructional Materials" policy.
making the evaluation process much more accessible to the concerned public.
Another was the motivation of a parent in the district who fought the ban to
mount a (successful) run for a School Board seat last election, unseating an
incumbent.

--Guy K. Haas     (active in the MUSD since 1987)


Re: Clever Tactics Against Piracy (RISKS-14.30)

Gerd Meissner <100064.3164@compuserve.com>
03 Feb 93 04:28:01 EST
It might be interesting for readers who want to know more about the "Clever
Tactics Against Piracy" (RISKS 14.30) that the story, including some technical
details, was first published in the German news magazine DER SPIEGEL (#36,
1992, August 31st), titled "Trojanisches Pferd" (Trojan Horse). The company
used a 12-digit key that looked like the serial number of the
"free-demonstration coupon", which had to be printed out and sent back, to
identify the pirated copies found on the "customers" machine and some details
about the computer it was found on.

                 [Mark Brader just reminded me in a different context
                 of always looking a Trojan horse in the mouth.  PGN]


Anecdotes Wanted on the Risks of Information Security

Dorothy Denning <denning@cs.cosc.georgetown.edu>
Thu, 4 Feb 93 13:26:04 EST
I am seeking anecdotes of incidents where information security mechanisms or
practices led to a problem (e.g., lost work or data, wasted time, down time,
being locked out because of lost crypto keys or access tokens).  I am also
interested in descriptions of security features that are difficult to use and
lead to problems.  If you send me something, please indicate whether I can
attribute it to you or you wish to remain anonymous.

Thanks,

Dorothy Denning   denning@cs.georgetown.edu


Re: The FBI and Lotus cc:Mail (Joltes, RISKS-14.29)

Isaac Rabinovitch <ergo@netcom.com>
Sun, 31 Jan 1993 18:49:01 GMT
>Happily, the presenter said that Lotus refused to honor the FBI's request.
>Bravo!

Do not relax.  So what if an official back door doesn't exist?  Other federal
agencies are more discreet than the FBI, and would consider "their" back door
useless if any notice were taken of its existence.  Furthermore, somebody is
bound to see the profit in covertly adding a back door to a product and
quietly selling it to individuals with a commercial interest in violation of
privacy.

I checked with Lt. Colonel North, Admiral Yamamoto, and especially Captain
Murphy, and they all agree: never assume a publically-accessible medium is
secure just because it's encrypted!

    ergo@netcom.com             Isaac Rabinovitch
        {apple,amdahl,claris}!netcom!ergo   Santa Cruz, CA


The FBI and Lotus cc:Mail (Joltes, RISKS-14.29)

Roger D Binns <cs89rdb@brunel.ac.uk>
Mon, 1 Feb 93 11:47:57 GMT
: Happily, the presenter said that Lotus refused to honor the FBI's request.

Are you sure?  Lotus could quite easily have honoured their request, and
merely tell everyone they haven't.  The FBI is happy, the consumer is happy.
This brings to a mind a phrase 'ignorance is bliss'.

Roger

cs89rdb@brunel.ac.uk     Roger Binns    Brunel University - UK              |


The FBI and Lotus cc:Mail

Bill Stewart +1-908-949-0705 <wcs@anchor.ho.att.com>
Tue, 2 Feb 93 12:52:36 EST
In RISKS 14.29, joltes@husc.harvard.edu reports that Lotus says that the FBI
had asked them to place backdoors into Notes and cc:Mail, and they refused.
Assuming that they told the truth, I'll second Dick's "Bravo!".

But one RISK here is that, without *sources*, it's hard to tell -
does Lotus provide sufficient documentation on file formats and encryption
algorithms that users can verify that the program does what it claims?

Bill Stewart, AT&T Bell Labs, Holmdel, NJ, wcs@anchor.att.com

     [Even WITH sources it can be hard to tell.  Recall Ken Thompson's
     C-compiler Trojan horse in which there were no changes to the
     source code of either the C compiler or the UNIX login routine.  PGN]


Re: The FBI and Lotus cc:Mail (Joltes, RISKS-14.29)

Dorothy Denning <denning@cs.cosc.georgetown.edu>
Fri, 29 Jan 93 13:34:41 EST
In RISKS-14.29, Dick Joltes said the following about a presentation he
attended on Lotus Notes and the response of the Lotus representative to a
question about how the encryption was done:

    The presenter said that the data was considered very secure, so
    much so that the FBI had approached Lotus to ask that a "back
    door" be left in the software in order to give the Bureau a
    method for infiltrating suspects' filesystems.  She said they
    were specifically targeting "drug dealers and other bad
    people."

    Given this backdoor, what was to stop the Bureau from
    inspecting confidential materials on any system?  The risks
    seem obvious. ...

There are, in fact, very good controls to stop the FBI or any other law
enforcement agency from doing this.  They're called warrants.  In order to
execute a search and seizure on any system, the government needs to have a
court order.  To get a court order, they have to demonstrate that there is
probable cause that a crime has been commited.  Neither the FBI nor any other
law enforcement agency is allowed to "infiltrate" someone's system and poke
around to see what's there.

The "obvious" risk here is not from the government.  If the government is
unable to break through the crypto or get the key, they may be unable to
obtain evidence needed to prosecute someone who has commited a crime.  This is
potentially a very serious problem, especially as records become more heavily
computerized.

    Happily, the presenter said that Lotus refused to honor the
    FBI's request.  Bravo!

Encryption of files and communications is going to make it much more
difficult, and in some cases impossible, for law enforcers to get evidence
needed for conviction.  Unless we want a society with greater crime, we need
to find some way of meeting both our needs for information security and our
needs for law enforcement.  Then we can cheer.

Dorothy Denning
Professor & Chair, Computer Science, Georgetown University


Re: The FBI and Lotus cc:Mail

<joltes@husc.harvard.edu>
Mon, 1 Feb 93 14:16:33 EST
Dorothy Denning, responding to my posting regarding cc:Mail, says:

> There are, in fact, very good controls to stop the FBI or any other law
> enforcement agency from doing this.  They're called warrants.  In order
...
> the FBI nor any other law enforcement agency is allowed to "infiltrate"
> someone's system and poke around to see what's there.

The key word here is "allowed."  As we've seen with such scandals as Watergate
and Iran-Contra, what is allowed by law and what is actually done sometimes
are two different things.  What is to stop an agency from conducting an
initial covert search of a person or corporation's records, then requesting
the warrant after they find questionable or illegal material?

Dorothy's comments presuppose that all operatives within all governmental
bodies are completely honest.  While I would say that a majority of these
workers are honest, the risk that some are not makes the presence of known
back doors in supposedly "secure" software a highly questionable situation.

> The "obvious" risk here is not from the government.  If the government
> is unable to break through the crypto or get the key, they may be
> unable to obtain evidence needed to prosecute someone who has commited
> a crime.  This is potentially a very serious problem, especially as
> records become more heavily computerized.

Certainly it is.  However, we must evaluate whether the risks to the public
at large outweigh the advantage of having such back doors available to
legitimate authorities.  What if the codekey sequence used to activate the
alternative access method became known due to a security leak (disgruntled
Lotus employee or government agent, espionage, etc)?  Lotus would then need
to issue a binary patch to change the codekey (at their expense, no doubt).
Customer confidence in the product would sag and businesses would begin to
question the security of their own supposedly encrypted software.

If I were running a business and knew that a product I was evaluating had a
built-in back door, it would end my interest in the product.

> Encryption of files and communications is going to make it much more
> difficult, and in some cases impossible, for law enforcers to get
> evidence needed for conviction.  Unless we want a society with greater
> crime, we need to find some way of meeting both our needs for
> information security and our needs for law enforcement.  Then we can
> cheer.

My cheer was in regard to Lotus' refusal (well, they *said* they refused) to
blindly install a security hole in their most successful product simply
because a government agency said "please do it."  Knowing that acquiescence
to such a demand was a violation of the trust placed in Lotus products by
their customers, they did the "right thing" and said "no."

I agree that some balance needs to be stuck, but the scales must not be tilted
to the needs of law enforcement at the expense of the public.  Given some
recent incidents (such as "Operation Sun Devil," which nearly put a legitimate
business into bankruptcy due to the actions of paranoid and uninformed agents)
it seems obvious to me that few Federal agencies currently possess the basic
skills needed to differentiate between criminals and "fringe groups" such as
gamers and hackers whose participation in society is outside the "norm" of
American experience.

The subject of "Computing and the Law" is one that is just beginning to make
an impact on society, and both the public and the government need to feel
through the tangle of issues that surround it.  We must not make the mistake
of infringing on privacy simply to deter crime, since this will establish
legal precedents that could easily become Draconian in their use if unchecked.

Dick Joltes, Harvard University Science Center      joltes@husc.harvard.edu
Hardware & Networking Manager, Computer Services    joltes@husc.bitnet


Re: The FBI and Lotus cc:Mail

Dorothy Denning <denning@cs.cosc.georgetown.edu>
Wed, 3 Feb 93 12:03:53 EST
Dick Jotes, responding to my response to his post on cc:Mail, says:

    The key word here is "allowed."  As we've seen with such
    scandals as Watergate and Iran-Contra, what is allowed by law
    and what is actually done sometimes are two different things.
    What is to stop an agency from conducting an initial covert
    search of a person or corporation's records, then requesting
    the warrant after they find questionable or illegal material?

    Dorothy's comments presuppose that all operatives within all
    governmental bodies are completely honest.  While I would say

I do not assume that everyone in government is totally honest.  Rather,
I acknowledge that the American system of government has extensive
mechanisms to protect against abuses, including the illegality of
breaking into someone's system or conducting a search without a
warrant, Congressional oversight committees and hearings, and the use
of the media to expose abuses.

    What if the codekey sequence used to activate the alternative
    access method became known due to a security leak (disgruntled
    Lotus employee or government agent, espionage, etc)?  Lotus
    would then need to issue a binary patch to change the codekey
    (at their expense, no doubt).  Customer confidence in the
    product would sag and businesses would begin to question the
    security of their own supposedly encrypted software.

Customer confidence is an important concern, but since we don't know
exactly what the FBI requested of Lotus, we don't know what
vulnerabilities might exist and whether businesses would accept
whatever risks might be present.

    I agree that some balance needs to be stuck, but the scales
    must not be tilted to the needs of law enforcement at the
    expense of the public.  Given some recent incidents (such as

The public needs law enforcement.  This is not the public vs. law enforcement.

    "Operation Sun Devil," which nearly put a legitimate business
    into bankruptcy due to the actions of paranoid and uninformed

If you're referring to Steve Jackson Games, it was not part of the Sun Devil
investigation (which was about toll fraud and credit card fraud).

    agents) it seems obvious to me that few Federal agencies
    currently possess the basic skills needed to differentiate
    between criminals and "fringe groups" such as gamers and
    hackers whose participation in society is outside the "norm" of
    American experience.

Please don't make such sweeping generalizations based on one case or
even a few.  There have been hundreds (probably thousands) of cases
that have been handled extremely well.

    The subject of "Computing and the Law" is one that is just
    beginning to make an impact on society, and both the public and
    the government need to feel through the tangle of issues that
    surround it.  We must not make the mistake of infringing on
    privacy simply to deter crime, since this will establish legal
    precedents that could easily become Draconian in their use if
    unchecked.

I agree that this is a difficult issue that needs to be sorted out.  I also
argue that we need to find ways to satisfy both our need to control crime and
our need for privacy & security.  None of these needs will be or indeed can be
satisfied in an absolute way.  The challenge is to find ways that keep the
risks at acceptable levels.

Dorothy Denning


Re: The FBI and Lotus cc:Mail

Dorothy Denning <denning@cs.cosc.georgetown.edu>
Thu, 4 Feb 93 16:39:43 EST
I talked with a knowledgeable person in FBI Headquarters whom I know and
trust about the claim that they asked Lotus to put a "back door" into
the encryption system of Notes.  He was confident that Headquarters had
not made any such request of Lotus and was surprised to hear about it.
He did not know if someone in one of the field offices might have asked
Lotus for help in conjunction with a specific investigation.

Dorothy Denning


Re: The FBI and Lotus cc:Mail

<joltes@husc.harvard.edu>
Fri, 5 Feb 93 9:16:39 EST
There should be additional information on its way to RISKS about this
subject (from another source).  Employees of Lotus were involved in meetings
with the FBI held under the auspices of the EFF over the past 18 months.
Several proposed bills were discussed and tabled.  We have it from one of
the employees who was actually involved.

It is not surprising that Dorothy's source knew nothing (if true) of the
contacts.  Stratification and compartmentalization within federal organizations
is not uncommon, with the result that groups within the same agency do not
know of the activities of others.

Dick Joltes   joltes@husc.harvard.edu


With Regard to Lotus Notes and the FBI...

Peter Wayner <pcw@access.digex.com>
Tue, 2 Feb 1993 23:36:50 -0500
{This is the text of a letter to me from Ray Ozzie, one of the developers of
Lotus Notes.  He said it was okay to forward this to comp.risks to clarify the
recent posting about the FBI's involvement with Lotus.  I believe that the
details of the interaction are much less ominous in this rendition and more
importantly it comes from the head developer's mouth.  -PCW}

 The message entitled "The FBI and Lotus cc:Mail"  is not entirely correct,
 although it is correct "in spirit".

 As one of the developers of Notes, I have represented Lotus twice regarding
 FBI proposals.  In the first (about 18 months ago), the FBI was trying to
 persuade Congress to pass a law requiring communication service providers to
 deliver the original plain text of messages entering their systems, in
 essence requiring us to install a back door.  Lotus was not approached by the
 FBI - rather, the EFF learned of the bill and asked me to participate in a
 round-table discussion with lawmakers and others from the telecommunications
 and computer industries.  The bill was tabled shortly thereafter.

 Last year, we again participated in several discussions with the FBI related
 to a new proposal that would have required manufacturers of communication
 equipment and services to modify their products (in this case, Lotus Notes)
 to be able to, on demand and in a timely fashion and from a single access
 point, grant the FBI access to communications.  This new law would not
 require us to install a backdoor, that is, they took the issue of encryption
 off the table, but would instead require us to install logic into our message
 routers to disable dynamic adaptive least-cost path routing and also to
 disable code that breaks messages into packets for transmission on different
 virtual circuits.  It would also require us to put logic into the message
 routers to deliver copies of messages to a central monitoring point from
 anywhere in the network.  This FBI plan has also been tabled.

 If it weren't for the Electronic Frontier Foundation, we never would have had
 a chance to participate.  EFF and the CPSR are providing a great service for
 our industry, which has a pitifully small lobbying presence in Washington.
 Neither Lotus nor Lotus Notes was singled out by the FBI, rather, I
 represented Lotus voluntarily in order to defend Lotus' commercial
 interests.  Additionally, I was compelled to attend because I believe very,
 very strongly in my right to privacy as a US citizen.

 On the other hand, the FBI has a very difficult job to do, and with the
 onslaught of technology, it fears that it may soon lose its longstanding
 authority to carry out court-ordered wiretaps.  Valid wiretaps - ones that
 you would probably agree with.  From their perspective, why can't a technical
 solution be found to what appears to be a technical problem?

 From my perspective, though, the cat's out of the bag.  It's already very
 easy for the average joe to do effectively unbreakable end-to-end encryption
 of messages on standard PC hardware.  Passing laws won't stop bad guys from
 using encryption, so these laws will just have the effect of increasing the
 cost of every mail system, every PBX, every LAN router, every cellular phone,
 and so on.  Not to say what the laws will do to your privacy.

 Think about it.  And then call the EFF.


Anyone can get your U. of Illinois transcript

Carl M. Kadie <kadie@cs.uiuc.edu>
Sun, 24 Jan 1993 17:47:45 GMT
If you are a student at U. of Illinois, you should know that anyone who knows
your social security number and birthday can now see your official transcript.
To add insult to injury, if someone does looks at your transcript, *you* will
be charged a $5 transcript fee.

The administration building, room 100, now has three computer
terminals. Anyone can walk up to one and type
  1) a social security number
  2) a birthday
  3) an address

If the social security number and birthday match a current student, that
student's transcript will be send to the address and that student's account
will be charged $5.

At the very least, check your university bill. It seems that your only
protection is your ability to track down the destination address of an
improperly send transcript (assuming the university keeps a record of these
addresses).

- Carl Kadie   = kadie@cs.uiuc.edu =


Phone Company Cleverness

Jon Leech <leech@cs.unc.edu>
25 Jan 1993 21:00:58 GMT
    Seen on page 2 (e.g. the part most people throw out) of this month's bill
from Southern Bell:

   "Call RightTouch(R) service [to do various things such as
    disconnecting your phone or ordering extra-cost services]
    ....
    Please protect your access code: ####"
                     ^ actual 4-digit code printed here

Please report problems with the web pages to the maintainer

Top