The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 11

Monday 11 October 1993

Contents

o Yet another spacecraft vanishes
Landsat 6
o Auto-response missile system
Brian Kenney
Andrew W. Hagen
o ITAR issues in PGP & Moby Crypto subpoenas
L. Detweiler
o Wiretap Laws and Procedures
Mark Day
David HM Spector
o Risks of using phone bill payment systems
Peter A. Grant
o Draft Swiss AntiVirus regulation
Klaus Brunnstein
o Risks of "security" on Apple Newton
Berry Kercheval
o Re: Disrupting Air Traffic Control
Peter B Ladkin
Peter Wayner
o Give us all your passwords
Steve VanDevender
o Politics is private property in the panopticon society
Jeffrey S. Sorensen
o Re: Control Faults cause train crash
Clive Feather
o Re: RISKS of unverified driving records
Geoff Kuenning
o Libel and Liability for incorrect databases
Terry Gerritsen via Sarah Elkins
o Info on RISKS (comp.risks)

Yet another spacecraft vanishes

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 11 Oct 93 17:34:21 PDT
Landsat 6 was launched on 5 Oct 1993, and had been variously reported as (1)
having gotten into an improper orbit, or (2) being in the correct orbit but
unable to communicate.  The $228M Landsat 6 has now been declared MISSING.
``The object being tracked turned out to be a piece of space junk, officials
said.''  [Source: The San Francisco Chronicle wire services, 9 Oct 1993]


auto-response missile system

Brian Kenney <kenney@hsi.com>
Sat, 9 Oct 1993 07:54:45 -0400
The Soviet military constructed a surefire system for retaliating against a
U.S. nuclear strike without direct human involvement, and it could still be
activated today, a private U.S. expert on nuclear command systems said Friday.

The expert, Bruce Blair, said that once the system is activated by senior
Russian military officials, it could automatically send hundreds of
nuclear-tipped missiles hurtling towards the United States.

The system would be triggered if automatic sensors - which Blair said may be
subject to error - detected a disruption of key military communication links,
as well as seismic disturbances, and flashes caused by nuclear detonations
inside Russia.

The possibility that Soviet missiles could be launched without specific
instruction from nearby military personnel was raised several years ago by
Gennadi Pavlov, a retired colonel in the Soviet Strategic Rocket Forces who
has spoken at length with Blair.

(Excerpted from The Hartford Courant, 9 Oct 1993.)

The risks are obvious, and horrific.


Russian doomsday machine

"Andrew W. Hagen" <ANDREWH@YANG.EARLHAM.EDU>
Sat, 9 Oct 1993 14:49 EST
  [Commenting on a variant of the same article, in the Cincinnati Enquirer]

Well, this sure scares me. It's enough that everyone has taken for granted
that the danger of massive nuclear war has passed, while nuclear missiles in
the former Soviet Union remain pointed at U.S. and Western targets. But now if
the software has a few bugs in the code that decides when all Russian military
leaders are dead, and it is triggered by some anomaly, then a very serious,
huge disaster would follow.

Maybe it's time to start faxing RISKS to the Kremlin.

Andrew W. Hagen  andrewh@yang.earlham.edu  voice: 317 973-2528  (U.S.)

  [All Things Considered covered the same story, as noted by Ken Hoyme,
  Honeywell Technology Center, Minneapolis, MN,  hoyme@src.honeywell.com  PGN]


ITAR issues in PGP & Moby Crypto subpoenas

"L. Detweiler" <ld231782@longs.lance.colostate.edu>
Wed, 22 Sep 93 21:19:41 -0600
As reported in many places, such as Current Underground Digest, New York Times
(Sept 21) and on AP, subpoenas were served on representatives from the
companies ViaCrypt and Austin Code Works for materials related to a grand jury
investigation in California associated with the U.S. Customs Office. Both
warrants are dated 9 Sept., but were served and received two days apart
(contrary to the NYT account), with the ViaCrypt on Tues 14 Sept and ACW on
Thur 16 Sept:

Austin Code Works:
>Any and all correspondence, contracts, payments, and record,
>including those stored as computer data, relating to the
>international distribution of the commercial product "Moby
>Crypto" and any other commercial product related to PGP and RSA
>Source Code for the time period June 1, 1991 to the present.

ViaCrypt:
>"Any and all
>correspondence, contracts, payments, and records, including those
>stored as computer data, involving international distribution related
>to ViaCrypt, PGP, Philip Zimmermann, and anyone or any entity acting
>on behalf of Philip Zimmermann for the time period June 1, 1991 to the
>present."

ViaCrypt just announced publicly a few weeks ago its intent to market a
commercial version of PGP. G. Ward, author of Moby Crypto, has been very vocal
on various newsgroups (sci.crypt, et. al.) indicating that an NSA agent had
previously contacted him over the book, essentially a cryptography tutorial
intended to be bundled with disks. Nevertheless the investigation appears at
this point to be primarily PGP-oriented based on subpoena wording, and my
following comments will focus on that aspect.

If the case progresses beyond this initial inquiry, the issues related to the
ITAR code (International Traffic and Arms Regulations) restricting the flow of
cryptographic software and documentation long debated in RISKS are likely to
receive intense scrutiny and perhaps the first significant judicial test. Many
aspects are related to the possibility of ITAR infringement in international
PGP distribution, involving highly complex import and export issues, some of
which follow.

PGP 1.0 was developed in the U.S. and soon spread internationally after its
official release in the month of June 1 1991 (the significance of the subpoena
date). Various sections of the ITAR govern the legal export of cryptographic
software and technical documentation, one critical clause defines technical
data as follows:

   $120.21 Technical data.

        Technical data means, for purposes of this subchapter:
            (a)     Classified information relating to defense articles
                    and defense services;
            (b)     Information covered by an invention secrecy order;
            (c)     Information, in any form, which is directly related
                    to the design, engineering, development, production,
                    processing, manufacture, use, operation, overhaul,
                    repair, maintenance, modification, or reconstruction
                    of defense articles. This includes, for example,
                    information in the form of blueprints, drawings,
1                   photographs, plans, instructions, computer software,
1                   and documentation. This also includes information
                    which advances the state of the art of articles on
2                   the U.S. Munitions List. This definition does not
2                   include information concerning general scientific,
2                   mathematical, or engineering principles commonly
2                   taught in academia. It also does not include basic
                    marketing information or general system descriptions
                    of defense articles.

The critical question: Is PGP (1) `computer software related to defense' or
(2) `technical documentation encompassing general scientific & engineering
principles'? Other sections of the ITAR definitely classify cryptographic
software as a defense article. In a hypothetical legal case against PGP
distribution, the defense might argue that the interpretation of PGP as (2)
takes priority over, or is more relevant and applicable, than (1).  A wide
variety of respondents on the the `cypherpunks' list have indicated that the
RSA *algorithm* embodied in PGP is unequivocally public domain knowledge in
the U.S. and regularly `taught in academia'.

As a peripheral issue to *export* of PGP above, some sources point out that
the IDEA algorithm was implemented outside the U.S. and apparently *imported*
into the US in PGP. The legality of this may be affected by sections of the
ITAR that bar import of material not legally exportable:

"123.2 Imports.

No defense article may be imported into the United States unless (a) it was
previously exported temporarily under a license issued by the Office of
Munitions Control; or (b) it constitutes a temporary import/in-transit
shipment licensed under Section 123.3; or (c) its import is authorized by the
Department of the Treasury (see 27 CFR parts 47, 178, and 179)."

Many armchair-ITAR-experts have noted that the act does not appear to
specifically address distribution mechanisms intrinsic to an Internet PGP
distribution, specifically either via newsgroups ([x].sources etc.)  or FTP.
It refers to traditional outlets associated with the "public domain" such as
libraries but has questionable, ambiguous, and debatable interpretation on
what might be termed `cyberspatial distributions' including BBSes.

Finally, If the case reaches a court, the actual outcome may also hinge on the
apparent court precedent that *willful* violation of the ITAR ("criminal
intent") must be demonstrated to exist for valid convictions under the law,
seen for example in U.S. v Lizarraga-Lizarraga (in 541 F2d 826).

I thank the following people for accounts, information, and analysis which
particularly influenced my post (which should in no way be considered
representative of their own opinions):

   J. Bidzos, G. Broiles, H. Finney, J. Markoff, G. Ward, P. Zimmermann

Note: complete ITAR text can be found via anonymous FTP at
ripem.msu.edu:/pub/crypt/docs/itar-july-93.txt.

thanks to M. Riordan and D. Bernstein.


Wiretap Laws and Procedures (Denning, RISKS-15.10)

Mark Day <mday@jukebox.lcs.mit.edu>
Fri, 8 Oct 93 23:03:16 -0400
The article by Dorothy Denning et al. reminds me a little of a civics class
summary of "How a bill becomes law."  Like such a presentation, it was
interesting and useful as an introduction to the subject; but I couldn't help
feeling that there were probably important "real-world" aspects being omitted.
Here are some of my concerns.

1. I was struck by the following statistic about wiretaps in 1992:

       number of interceptions authorized (919), denied (0), and
       installed (846)

No judge saw fit to deny *any* wiretap request that year.  I find it
difficult to reconcile this statistic with the protections that are
enumerated in the report.  I think I would feel better if there had
been at least a couple of denials out of more than 900 requests.  As
it is, it seems as though either the judges aren't really filtering
requests carefully, or the agencies aren't presenting any cases that
are marginal.

2.  I am unconvinced by the rationale for having only a select set of
judges hearing wiretap requests.  I would worry that having one judge
hear multiple wiretap requests probably encourages the review process
to become routine: "this request is just like the one you approved
last week, so just issue the court order, please."

3. Knowing that "the entire process can take as long as a month" is not
nearly as interesting as knowing how *fast* the entire process can
happen.

4. Being at least vaguely aware of some cases when people in law
enforcement agencies have placed unauthorized wiretaps, I would be
interested in knowing how often people have actually been tried and
convicted of those offenses.  Simply knowing what the law says is
useful, but one also needs a sense of how well the law is enforced.

--Mark Day
mday@lcs.mit.edu


Wiretap practices and procedures (Denning, RISKS-15.10)

<spector@jpmorgan.com>
Sun, 10 Oct 1993 19:57:06 -0400 (EDT)
Although the article by Dr. Denning et al. is very interesting and
enlightening on the subject of _legal_ wiretaps, it would seem however that
she and others continue to miss the most important issue involved in the
key-escrow/cryptography debate.  That being the fact that the citizenry has
absolutely NO ASSURANCE that the ability to monitor communications will not be
used in an extra-legal fashion.

The last 30 years of history (for starters) are rife with de-facto,
documentable, pervasive violations of the rights of individuals by a
government that has used the ability to tap/monitor/intercept or otherwise spy
on individuals outside of the bounds of what-ever wiretap laws are in effect
with impunity.

Some small examples perhaps?  Watergate, Dr. Martin Luther King and other
members of the Civil Rights Movement, Groups opposed to the wars in Viet Nam,
Central America, and elsewhere, Anti-nuclear activists...  Need I go on?

Arguments that "good choices" for the escrow agents will end this
problem border on insulting.

Perhaps Dr. Denning could explain how we can be assured this power will not be
abused in this fashion?  Perhaps a guide to "What happens then the US
Government ILLEGALLY taps a line?"

David HM Spector                                Spector_David@JPMORGAN.COM

These opinions are my own, and do not in any way represent my employer...


Risks of using phone bill payment systems

"Peter A. Grant" <grant@erich.triumf.ca>
Fri, 08 Oct 1993 23:54:52 PST
Well, I've finally been bitten by a banking system, other than the standard
ATM problems.  Our local credit union just started a phone-based bill
payment system to add to their system which allows one to check balances,
transfer funds, list cleared entries, etc.

I signed up and thought it was wonderful for the first month.  This month all
seemed to go well, but a couple of days after paying all three phone bills and
a MasterCard bill, I found a message on our answering machine from VanCity
asking one of us to give them a call.  I was positive that I hadn't bounced a
cheque, so I phoned.

It turns out that when I paid on of my phone bills, the confirmation number
that I was given by the automated system wasn't unique after all and when the
batch processing took place later that day only the first transaction with
that identifier was actually carried out.  I got to hear about it three days
later - two days after the due date.  "A work request has been filled in to
look into this problem" was what I was told.  I phoned in another transaction
as soon as I hung up, and am hoping that one went through and that some magic
will prevent me from finding a late payment charge on next month's bill.

Just when you thought it was safe to use sequence numbers, eh?

Peter Grant  Database and Systems Administration, Controls Section, TRIUMF
"Canada's National Meson Facility"  grant@triumf.ca


Draft Swiss AntiVirus regulation

Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.d400.de>
Sat, 9 Oct 1993 13:49:29 +0100
To whom it may concern:

The Swiss Federal Agency for Informatics (Bundesamt fuer Informatik, Bern) is
preparing a legislative act against distribution of malicious code, such
as viruses, via VxBBS etc. You may know that there have been several attempts
to regulate the development and distribution of malicious software, in UK, USA
and other countries, but so far, Virus Exchange BBS seem to survive even in
countries with regulations and (some) knowledgeable crime investigators.

In order to optimize the input into the Swiss legal discussion, I suggested
that their draft be internationally distributed,  for comments and suggestions
from technical and legal experts in this area. Mr. Claudio G. Frigerio from
Bern kindly translated the (Swiss) text into English (see appended text, both
in German and English); in case of any misunderstanding, the German text is the
legally relevant one! Any discussion on this forum is helpful; please send
your comments (Cc:) also to Mr. Claudio G. Frigerio (as he's not on this list).

"The Messenger" (Klaus Brunnstein: October 9, 1993)

###############################################################
Appendix 1:
Entwurf zu Art. 144 Abs. 2 des Schweizerischen Strafgesetzbuches

"Wer unbefugt elektronisch oder in vergleichbarer Weise gespeicherte oder
uebermittelte Daten loescht, veraendert oder unbrauchbar macht, oder Mittel,
die zum unbefugten Loeschen, Aendern oder Unbrauchbarmachen solcher Daten
bestimmt sind, herstellt oder anpreist, anbietet, zugaenglich macht oder
sonstwie in Verkehr bringt, wird, auf Antrag, mit der gleichen Strafe belegt."

P.S.: gleiche Strafe =JBusse oder Gefaengnis bis zu 3 Jahren;
      bei grossem Schaden, bis zu 5 Jahren Gefaengnis sowie Verfolgung
      von Amtes wegen (Offizialdelikt)

###############################################################
Draft of article 144 paragraph 2 of the Swiss Penal Code
(English translation)

 Anyone, who, without authorization
   - erases, modifies, or destructs electronically or similarly saved or data,
 or anyone who,
   - creates, promotes, offers, makes available, or circulates in any way
     means destined for unauthorized deletion, modification, or destruction
     of such data,
 will, if a complaint is filed, receive the same punishment.

P.S.: same punishment = fine or imprisonment for a term of up to three years;
   in cases of a considerable dam-age, five years with prosecution ex officio.

Author: Claudio G. Frigerio, Attorney-At-Law, Swiss Federal Office of
Information Technology and System, e-mail: bfi@ezinfo.vmsmail.ethz.ch


Risks of "security" on Apple Newton (Siebert, RISKS-15.09)

Berry Kercheval <kerch@parc.xerox.com>
Mon, 11 Oct 1993 13:34:45 PDT
It's even worse: apparently the password must be stored in the
Newton's in-memory dictionary, or the handwriting recognizer will
refuse to recognize the password!

To be fair, you *can* instruct the Newton to recognize words not in
its dictionary, but then there is another set of problems getting it
to accept what you write.

  --berry


Re: Disrupting Air Traffic Control (Marshall, RISKS-15.09)

Dr Peter B Ladkin <pbl@compsci.stirling.ac.uk>
9 Oct 93 00:28:39 BST (Sat)
The report misstates what must have happened.

> [The couple in the Cessa 150] forgot to turn off their transmitter and
> broadcast their moments of passion  to air traffic controllers

To talk on a radio frequency, it is necessary to depress, and to maintain
depressed, the `talk' button either on a microphone or on the horn of the
control column. The condition reported in the note above is a `stuck mike', in
which release of the button does not terminate the transmission as it should.
Stuck mikes happen infrequently, although all moderately experienced pilots
have heard them. The Cessna pilot was not the cause of this abnormal condition,
neither can he be held particularly responsible for not detecting it. He *may*
be held responsible for not flying with due care and attention, under the
presumption that one cannot effectively make love and fly at the same time,
but proving that would be hard (how does the CAA know that it wasn't just a
tape on his stereo?).

If one is alert, then one might notice that radio traffic was abnormal,
and use the radio to query ATC (`Edinburgh Control, how do you read?'),
thereby (usually) `unsticking' the mike. This happens less frequently in my
experience than the case in which the mike just unsticks itself (I've never
had a stuck mike myself that I've noticed).

I don't see what any of this has to do with the subject matter of RISKS.
It's another example of amusing but misleading journalism.

Peter Ladkin


Re: Risks of disrupting air traffic control ("Mile High Club")

Peter Wayner <pcw@access.digex.net>
Sat, 9 Oct 1993 22:55:20 -0400
>The couple, flying in a private Cessna 150 plane near the Scottish city of
>Edinburgh, began by debating whether they should have sex 5,000 feet (1,500
>metres) above ground and join the "Mile High Club."  Their conversation grew
>more and more passionate and then ceased.

Of course, the real RISK here relates to a mile being 5280 feet, which is
about three or four feet more than *1600* meters.

If another plane was at 5000 feet, a near Miss would not be as good as a
smile.

-Peter Wayner


give us all your passwords

Steve VanDevender <stevev@miser.uoregon.edu>
Sun, 10 Oct 93 00:59:16 PDT
Last week, many of us at the company where I work were astonished to receive
an e-mail message from our parent company's legal department asking everyone
to send them all the passwords everyone had used on our LAN servers since
January, 1991, except for current passwords.  Fortunately, it was shortly
revealed that this did not apply to our division, but not before I had sent
back a reply telling the person in the legal department how dangerous I
thought this was.

Later we found out at a company meeting that another division in our family of
companies is being sued because of some possibly suspicious stock trading, and
our legal department wants to make sure that it can get at any records on
their network servers.  I, of course, suspect that they are being
spectacularly ignorant of how little use the password lists would be to them
and the security risks involved with having lists of individual passwords
laying around in plaintext form.  Even though none of the passwords should be
current, my experience suggests that many people stick to certain themes and
patterns for passwords, especially when password aging is used, as it is on
our servers.  Our passwords expire every 40 days, which means that everyone
working at our company since January 1991 has gone through 25 passwords by
now, giving any crackers a sizable database to extrapolate from.  And of
course, everyone will probably send their password lists by e-mail, giving
crackers an easy opportunity to intercept such lists.


politics is private property in the panopticon society

Jeffrey S. Sorensen <sorenjs@pb.com>
Mon, 11 Oct 93 10:38:53 -0400
The _New Haven Register_ had an AP story about the probe into the industrial
spying performed by a group of cable system operators.  This spying included
surveilance, tracking down license plates and investigating long-distance call
records.  According to the cable companies all of this was done using publicly
obtainable information.

The money involved in the deals between cable and television has
driven the cable companies to use such tactics because they are afraid
that regulators are fraternizing with telephone company executives.
I can almost see William Gibson's vision of the future unfolding before
my eyes.  I also see democracy being ground between the gears of industry
and government.  (Perhaps I should also mention the three part series of
articles in _In These Times_ on the new pseudo-grass roots lobbying firms
that sell the line "How many angry constituents do you want calling your
legislators each day?  Name your price.")

According to the article, a company called _Scanners_ out of Denver will "fax
a list of toll calls made by anyone, anywhere, for up to $125."  (No doubt the
company takes their name from the movie about people who make your blood boil
and your veins pop out on your head.)  It seems that while the content of
calls is private and cannot be monitored without a court order, the billing
information is not protected.

The larger problem is that our law currently only provides us with a
modicum of protection when we have a "reasonable expectation of privacy."
At the same time, it is becoming increasingly clear that no reasonable
person can ever expect to have any privacy.  I wish that someone in the
news media would get our legislators to WAKE UP by publishing a complete
list of the legislators' calls.  It worked in the Bork/Video-tape rental
records case (or at the very least, a law addressing this was put on the
books; I'm not sure it's enforced.)

Jeffrey Sorensen  sorenjs@pb.com


Re: Control Faults cause train crash (Winter, RISKS-15.09)

Clive Feather <clive@x.co.uk>
Mon, 11 Oct 93 16:55:09 BST
> Moreover, he has to take control on the station (Canary Wharf) the software
> is not yet able to deal with after all those years of operation.

The conductor does not have to take control at Canary Wharf. What is
happening is that the section from West India Quay to Canary Wharf is
under reconstruction, and the control software, rather than being
edited once a week, is set to be *extremely* conservative in its driving
habits over this section. Most conductors would rather use the manual
controls for this short section rather than delay the train.

Clive D.W. Feather, Santa Cruz Operation, Croxley Centre, Hatters Lane,
Watford, WD1 8YN, United Kingdom   clive@sco.com    Phone: +44 923 816 344


Re: RISKS of unverified driving records (Hudson, RISKS-15.09)

Geoff Kuenning <geoff@FICUS.CS.UCLA.EDU>
Mon, 11 Oct 93 11:04:42 -0700
Jim Hudson writes:

> The credit-card company readily admits that their customer-service agent
> should NEVER have changed the mailing address of the card based on only the
> magic three pieces of information.  However, their security system clearly
> failed in this case.

I recently moved, and took the "easy way out" in several cases by
filing my change of address by telephone.  I was pleased to note that
several companies sent me a followup letter of the form "we recently
processed your address change;  please contact us if this is
incorrect."  Unfortunately, in every case they sent the letter only to
the *NEW* address!  Duuuuhh.  How about sending it to both the old and
new locations, guys?  Oh no, we wouldn't want to spend that extra 29
cents on postage.
--
    Geoff Kuenning  geoff@maui.cs.ucla.edu  geoff@ITcorp.com


Libel and Liability for incorrect databases

<Sarah_M._Elkins.Wbst139@xerox.com>
Mon, 11 Oct 1993 12:27:15 PDT
I got the following extract, supposedly from the "Lawyers Weekly", a UK
publication I guess (can anyone with more information access verify this, or
better, verify the account below?), on a jokes distribution a few weeks back.
I know some aspects of libel laws are stricter there than in the U.S., but
still wonder if some variant might be used to force information distributors
(credit agencies, etc.) to correct their databases sooner, or even hold them
liable for incorrect information in the first place.

    Sarah (elkins.wbst139@xerox.com)

>From: ember!vicuna@math.uwaterloo.ca
>From: terry@gtm-inc.com (Terry Gerritsen)

SPALDING, England - -In what is being hailed as a landmark decision, a bank
that mistakenly bounced a client's cheques will pay more than 50,000 pounds in
libel damages, a British court has ruled.  The July decision from the High
Court concluded a nine-year legal battle between Brian and Margaret Allen,
operators of a Lincolnshire meat firm, and Llyods Bank.
   The conflict began in 1983 when several cheques from the Allen's company
were returned by the bank unpaid and marked "Refer to drawer, please
re-present," even though there were sufficient funds in the account to cover
them.  The Allen's counsel, Micheal Tugendhat, said that the couple took the
bank to court because they wanted to "eradicate publicly any doubt about their
financial soundness and credit worthiness" created by the error.
  The libel case is believed to be the first of its kind to reach British
courts in this century. Expert Mark Stephens commented that the problem is
common but "very few people, including lawyers, are aware that it amounts to
libel.  The suggestion is that someone issued a cheque knowing he had
insufficient funds to meet it, and that can be a very serious libel.
           (The Lawyers Weekly)

Please report problems with the web pages to the maintainer

Top