The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 15

Tuesday 19 October 1993

Contents

o Confirmed reservation ... for non-existent flight
Mathai Joseph
o Physical Security of ATM Password
Jeff Schultz
o Re: RISKs of trusting e-mail
Lars-Henrik Eriksson
Frederick M Avolio
o Re: Porn, Wiretapping, DES, HERF
Phil Karn
o Re: The FAA and HERF
Ted Wong
Jack Boatman
o Re: Digital Signatures
Robert J Woodhead
o Re: Risks of Virtual Reality
Robert Carolina
o Re: Wiretap Laws and Procedures
Steve Bellovin
o Re: Australian government to replace DES
Steve Bellovin
o Re: Software safety on UK national news
Pete Mellor
o Re: Libraries and Imagined Communities
Bruce Hamilton
o Re: Separating parts in privileged applications
Bob Frankston
Tom Thomson
o Info on RISKS (comp.risks)

Confirmed reservation ... for non-existent flight

Mathai Joseph <mathai@dcs.warwick.ac.uk>
Tue, 19 Oct 1993 09:42:15 +0100
One Sunday in August this year I was booked on a scheduled flight from Buffalo
to Ithaca. The ticket was issued in the UK and the reservation was confirmed.

It was a little surprising therefore to be told at Buffalo airport that I had
been booked on a non-existent flight: there just is no such flight on a Sunday
and the printed timetable confirms this.

How was I issued with such a ticket? The airline informs me that "it is rare
for a problem of this nature to occur". Apparently, "when your agency made
reservations for the two flights in question, our system accepted the
reservation as confirmed even though the flights did not operate". They are
"unable to determine where an error may have occurred" but "it is generally
thought to be due to a software or message switching malfunction".

That it is "rare" does not really help much. Must I (and everyone else
travelling by the airline) now check *every* ticket to ensure both that the
reservation status is OK and that there is actually such a flight? Or just
some tickets? Which ones?

(For information, this is a large international airline, not a small
operator.)
        Mathai Joseph

Department of Computer Science, University of Warwick, Coventry CV4 7AL
+44 (203) 523987  mathai@dcs.warwick.ac.uk


Physical Security of ATM Password

Jeff Schultz <jws@cs.mu.oz.au>
Tue, 19 Oct 93 11:30:43 +1200
From The Age, Melbourne, 18 October, p. 2:

    "I'm not happy," said the bloke on the phone to his bank's head
    office.  "What did you have to go and paint it for?"

    . . . "My local branch . . . you've just painted the outside of it."

    "Um," said the nonplussed executive at the other end, . . . .

    "You're missing the point.  I'd scratched my PIN number into the
    paint work.  Now you've covered it over and I can't use my bloody
    card!"

A new meaning for "bricks and mortar security."

    Jeff Schultz (jws@cs.mu.oz.au)


Re: Corrigenda: RISKs of trusting e-mail (Lee, RISKS-15.13)

Lars-Henrik Eriksson <lhe@hume.Informatik.Uni-Tuebingen.De>
Fri, 15 Oct 93 10:27:57 +0100
  ...The incident itself has "undermined the confidence" of the clients of the
  University's computer systems.

Given the poor security of the e-mail system, perhaps one could say that the
incident has given the clients an appropriate level of confidence for the
computer systems involved!

Lars-Henrik Eriksson, Wilhelm-Schickard-Institut, Tuebingen University
On leave from the Swedish Institute of Computer Science until Oct. 20, 1993.


Re: Corrigenda: RISKs of trusting e-mail (Lee, RISKS-15.13)

Frederick M Avolio <avolio@TIS.COM>
Fri, 15 Oct 93 10:57:54 -0400
The *real* problem is the perceptions casual users of computers and
computer networks have.  A few, but not all, are:

    - If you are reading it on a computer, it must be true
    (similar to people believing photos, television, newspapers, etc.)

    - Electronic mail is private and untamperable

    - Falsification of e-mail indicates that the security of the
    system, network, or user account has been compromised.

We know that it is easier to falsify e-mail than p-mail, but not *much*
easier.  It is very easy in every organization I have been associated with
(high school, 2 universities, a no such agency in the government, a large
computer firm, and now, TIS) to get official stationery.  Now, with PostScript
and PCs, it is trivial to create your own stationery.

The wet signature on p-mail sets it apart from most (sans digital signatures
with or without certificates) e-mail.  But, this is significant, in this
instance, only if the recipient recognizes the wet signature.

> 2. The FBI was not called in and the students (three, not five) were not
> expelled, but reprimanded and (temporarily, according to another source)
> denied their e-mail privileges. I suspect here my sources were telling me
> actions that were being contemplated but upon which a final decision had
> not yet been made.

What organizations need to do is set policy on such rude behaviour.  E.g., a
statement indicating that misrepresenting yourself as, or impersonating,
someone else -- whether in e-mail, p-mail, or on the telephone -- is against
the rules and will result in certain sanctions.  Faking p-mail is less common
because there are a bunch of steps to go through along the way, allowing
multiple decision points for the person's conscience to kick in (getting
paper, typing, putting in envelope, sealing, addressing, stamping, taking to
mail drop, and mailing).  E-mail is typed up and gone in less than a minute.
Most e-mail systems treat that like p-mail dropped into a postal box: from
that point on it is the "property" of the recipient.

Fred


Re: Porn, Wiretapping, DES, HERF (RISKS-15.14)

Phil Karn <karn@unix.ka9q.ampr.org>
Mon, 18 Oct 93 23:56:28 -0700
Several items in this digest struck my interest.

First was John Gray's comments on "porn" accidentally making it onto a
CATV "children's channel".

>Have you ever wondered how much trust you place on what you see on television?
>Not only that broadcasters will show "appropriate" programs but that the
>service will provide information when you need it.

Very little. And I do not expect this to change. I really do wish the
population at large would discover the "end to end principle" for
itself. They should stop demanding that the CATV companies, satellite
uplinkers, broadcasters, video store owners, the government, i.e.,
anyone and everyone but themselves, be responsible for controlling
what they and their children watch.

I have this product idea that should make me millions once I patent and sell it
to all those easily offended households: it's called an "off switch".

From firth@sei.cmu.edu's comment on Denning's wiretap article:
>In other words, these wiretapping capabilities are not being used against real
>crimes, but against actions that are defined as criminal for no better reason
>than that Leviathan has a boot with which to stamp, and we have faces to be
>stamped on.

Bingo! This was one of the things that convinced me that the
widespread use of strong cryptography to defeat wiretapping will on
balance be a Good Thing.  But to be honest, when this happens (and it
will, whether the government likes it or not) it will admittedly
become more difficult, though not impossible, to prosecute a few
crimes that actually ought to *be* crimes. Foremost among them is
influence peddling and bribery among government officials.

I had resigned myself to this as an unfortunate consequence of an
otherwise positive development. But then it occurred to me: the only
reason crimes like influence peddling and bribery are possible is
because the public has granted government officials so much trust and
power in the first place! Who knows? Perhaps one of the consequences
of universal cryptography will be a lessening of the power of
centralized government and the delegation of much less personal
authority to those within it.

Re Kevin Burfitt's note on a new Australian cipher to replace DES,
does anyone know if the algorithm will be publicly available?

|> Isn't part of the security with DES its slowness, which implies that this
|> new encryption method will be inherently risky because of its speed ?

Not necessarily. DES was originally designed for hardware
implementation, and many of its operations are inherently slow in
software. A good example is the initial and final permutations, which
consist simply of renumbering the input and output bits. This is
trivial in hardware but a real pain in software. Some even suspect
that these permutations were added solely to sabotage efficient
software implementation, as they contribute nothing to the strength of
the algorithm. Certainly not to a brute-force keysearch attack, which
can be conducted after the permutations have been "factored out".

A new encryption algorithm designed specifically for efficient
software implementation could run much faster than software DES
without necessarily being less secure. It would use the native
operations and native data sizes found on most modern computers.
Examples include IDEA and MD5 (although MD5 is not, strictly speaking,
a cipher, it does have a cipher-like structure).

|> Subject: The FAA and HERF

Winn Schwartau's article on "The FAA and HERF" is exactly the kind of article
we've been seeing far too many of in the media lately. Not because the subject
isn't worth investigating, but because the article is long on scary anecdotes,
impressive sounding jargon and calls for action, and short on cold,
quantitative information and logical reasoning.

The term "High Energy RF" is something I'd associate with broadcast
transmitters, long range radars and microwave ovens, not your average laptop
computer. Exactly what constitutes "high energy"?  A few orders of magnitude
would be good enough.

And there are quite a few radionavigation systems in use by commercial
aviation, each with its own uses, strengths and weaknesses, including
vulnerability to interference. Which ones are we talking about?  Over land,
VOR and DME are the most common. And they work by two very different
principles on widely separated radio frequencies. DME is inherently much more
resistant to interference than VOR.  ILS (instrument landing system), is a
cousin to VOR.  It probably has about the same susceptibility to interference,
but in a situation with a much smaller margin for error -- which is why many
airlines now ban electronics during landing, even though it may not be
strictly necessary.  And over the oceans you have Omega, operating at VLF
frequencies, usually combined with an Inertial Navigation System (INS). (GPS
is not yet permitted as a primary navigation reference, and LORAN-C is common
in US private planes and helicopters but rare in commercial aircraft.)

So exactly which system was in use by the 747-400 in question? Chances are it
was an INS, found on almost all commercial transoceanic aircraft. And INS's
main feature is that it lacks a radio receiver, making it virtually immune to
radio interference! This makes the anecdote just a *little* less credible.

Again, I'm not trying to belittle those concerned about interference to
aviation navigation. I myself fly frequently with a laptop. If there really
were a hazard, believe me, I'd want to know about it. But what we need are
some carefully controlled tests producing reliable, quantitative information.
The closest I've seen to this appears in the October 1993 issue of PC
Computing magazine. They actually measured the RF emissions from a variety of
personal electronic devices, including cellular phones, AM/FM broadcast
radios, walkmans, laptop computers, CD players and handheld games. Their
conclusion:

"...it was highly unlikely for laptops and most PEDs [portable electronic
devices] to cause navigational interference. Of the devices tested, nearly
half produced signals so weak they couldn't be measured above the baseline
noise present on all radio frequencies... In general, we were unable to
produce any real VOR interference except when we used FM receivers and
cellular phones, and when we placed other devices unrealistically close --
within 6 to 12 inches of the VOR receiver antenna."

Phil


Re: The FAA and HERF (Schwartau, RISKS-15.14)

Ted Wong <tmw5@cornell.edu>
Tue, 19 Oct 1993 00:50:15
>"We're descending below 10,000 feet for our approach into (safe major
>metropolitan airport).  Please turn off all laptop computers, CD and cassette
>players.  Thank you for flying US Scare."

A recent issue of PC Magazine conducted a series of tests using an HERF
detector to determine the amount of leakage generated by portable computing
equipment. They found that common equipment did NOT generate HERF
interference above the background noise level. In other words, apart from
widespread anecdotes, there is yet no evidence to back up claims that
portable computers are responsible for interfering with in-flight equipment.
I accept that the author's experience with corrupt FCC certification labs
means that some very badly made portables could be exceptions.

However, PC Magazine did find that most common non-computing devices, such
as Discmans or Walkmans, DID cause measurable levels of HERF interference.
It is conceivable that if such a device is used close to a control board,
interference will occur.

[Incident involving possible HERF interference due to a laptop.]
>Investigating the incident, Boeing engineers bought the same model
>laptop and tried to replicate the glitch in another 747.  They couldn't."

This demonstrates the point of the first paragraph. All that is available
are anecdotes, which show only a weak cause/effect link, and which in many
cases aren't reproducible.

>There are plenty of crazies out there; and with terrorist concerns on the
>rise, who knows what they might pull.  Well, here are a couple of
>possibilities.

>Suppose I'm a real crazy bad guy, and I bring a specially modified laptop onto
>an airplane.  The airport security is dismal and you can get just about any
>electronic device through with no trouble.  But this laptop is modified to
>emit very high levels of radiation; either automatically or upon command.  If
>I'm real nuts, and am totally committed to my cause celebre, I might be
>willing to bring the plane down with me on board.  More than a few people meet
>that criteria.  It might take a little tinkering and get on the right
>fly-by-wire plane to do it, but with the number of events already on the
>books, it's doable.

>Or, if my survival is important, I might check my luggage through with a HERF
>device, timed to 'go-off' at some point during the flight.  Without me on
>board, of course.  Luggage scanning can't tell the difference between a 'good'
>electronic device and a 'bad' one.  If the FAA has something to worry about in
>this realm, this certainly qualifies.

While the possibility of HERF interference does suggest the possibility of
new devices for carrying out terrorist acts, consider the following:

1. Most airlines require you to declare whether you have any electrical
items in your baggage, and will ask you to remove the batteries (e.g.
British Airways, Cathay Pacific)

2. Some airlines will not carry unaccompanied baggage (El Al is a pretty
good example).

3. Some airports require you to turn on electrical devices at the security
check to demonstrate that they work normally. At the levels of radiation
output suggested, the X-ray/metal detector equipment would probably
malfunction, which ought to make the security personnel suspicious.

The ability to circumvent these procedures and successfully smuggle a 'HERF
bomb' onto a plane does NOT make HERF interference any more RISKy than
other devices which could destroy a plane. Instead, it points to poor
execution of security procedures. If an airport's security is really bad,
then one could probably smuggle a real bomb on board.

As for a HERF gun aimed at planes taking off - why is this a serious risk
beyond that posed by more conventional weapons? A guy standing off the end
of the runway with a rifle could probably put enough holes in the fuel tank
to cause trouble, and it's easier than building a HERF gun.

>Cyberspace has indeed come of age, and modern airplanes are as much a part
>of it as computer networks.

>It's just that the FAA doesn't know what to do about it yet.

>Let's hope they get up to speed quickly.  Very quickly.

Current research (of which there is admittedly little) indicates that
portable computers are extremely unlikely to be the cause of HERF
interference; the FAA would be wise to do a study on the effects of
electrical devices on in-flight control systems. The security threat posed
by malicious HERF bombs or guns seems no more (or no less) serious than the
threat posed by conventional terrorist devices, and certainly does not
justify the shock-horror writing style of the original article. There are as
many RISKS in creating unnecessary panic as there are in overlooking
hazards.

Ted Wong, Cornell University <tmw5@cornell.edu>


HERF Danger to JQ Public

Jack Boatman <c23jrb@kocrsv01.delcoelect.com>
Tue, 19 Oct 93 09:06:21 EST
HERF is *high energy*. It doesn't come from laptops, CD players, or FM radios.

My understanding is that HERF comes from the government's testing of directed
energy weapons. The characteristics of the directed energy are classified.

Design and test for electromagnetic compatibility is not easy; especially when
the electromagnetic environment is not defined. And that is the root of the
HERF risk.

BTW: I don't deny that there are risks associated with radio frequency
interference from laptops, mobile transmitters, and other electronic devices.
I just don't want HERF to be put in the same risk category.


Re: Digital Signatures (Smith, RISKS-15.14)

Robert J Woodhead <trebor@foretune.co.jp>
Tue, 19 Oct 93 15:02:02 JST
In Risks 15.14, Karl Smith writes (regarding Digital Signatures):

> Well, now the businesses have our number. Our public key identifies us,
>uniquely. Nobody else will have the same public key. This means that
>businesses no longer have to try to track us down via our SSN or Driver's
>license number - they've got a much better number to use to refer to us in
>their database - our signature.

Using the same technology, it is possible to create digital pseudonyms that
can both assure a retailer of the purchaser's credentials while protecting his
or her (or its) identity.  It is even possible to create "digital cash" that
can be anonymously handed from person to person, copied ad infinitum, yet
spent only once.

A simple example: you register several pseudonyms with a credentials agency;
the retailer can present your pseudo to the agency and be told "it's ok, he's
on the up and up."  Yet you can give each retailer different pseudos if you so
desire.

Of course, this requires you to trust the credentials agency; there are other
protocols that eliminate this need, but they are more complicated.

| Robert J. Woodhead, Biar Games / AnimEigo, Incs.    trebor@forEtune.co.jp |
| AnimEigo US Office Email (for general questions): 72447.37@compuserve.com |
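The pseudonym-and-agency arrangement sketched in the post above, worked through as an added example (not code from the poster); the class and method names, the random-hex pseudonym format and the plain yes/no query are this example's own choices. It also shows the caveat in the last paragraph: two retailers cannot link one customer's pseudonyms, but the agency can.

```python
"""Pseudonyms vouched for by a credentials agency, as sketched in the post
above.  Added example for this digest, not code from the poster; class and
method names and the yes/no query format are this example's own choices."""
import secrets


class CredentialsAgency:
    """Holds the only mapping from pseudonym to real identity.  Retailers get
    a yes/no answer about a pseudonym and never the identity behind it."""

    def __init__(self):
        self._owner = {}        # pseudonym -> identity: the one linking point
        self._vouched = set()   # identities whose credentials were checked

    def vouch_for(self, identity):
        """The out-of-band credential check (credit, age, ...) happens here."""
        self._vouched.add(identity)

    def register_pseudonym(self, identity):
        """A fresh random pseudonym.  A customer may hold several, one per
        retailer if they wish; nothing in the string ties them together."""
        if identity not in self._vouched:
            raise PermissionError("identity has not been vouched for")
        pseudo = secrets.token_hex(16)
        self._owner[pseudo] = identity
        return pseudo

    def on_the_up_and_up(self, pseudo):
        """The retailer's query: 'it's ok' or not, and nothing more."""
        return pseudo in self._owner

    def can_link(self, pseudo_a, pseudo_b):
        """The trust caveat from the post: the agency itself can link all of
        one customer's pseudonyms, so it must be trusted not to."""
        owner = self._owner.get(pseudo_a)
        return owner is not None and owner == self._owner.get(pseudo_b)


class Retailer:
    def __init__(self, name, agency):
        self.name = name
        self._agency = agency
        self.customers = set()   # pseudonyms seen; never real identities

    def accept_order(self, pseudo):
        ok = self._agency.on_the_up_and_up(pseudo)
        if ok:
            self.customers.add(pseudo)
        return ok


def shared_customers(retailer_a, retailer_b):
    """Retailers pooling their records can only match identical pseudonyms,
    so a customer who used a different pseudonym at each shop stays unlinked."""
    return retailer_a.customers & retailer_b.customers
```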


Re: Risks of Virtual Reality

"Carolina, Robert" <Robert.Carolina@cchance.co.uk>
Tue, 19 Oct 93 10:05:40
The newspaper article you mentioned was published in the *Independent on
Sunday* of 4 September 1993. It is probably only fair to point out that on 3
October 1993, the *Independent* printed a clarification. In the first
paragraph, they state:

  In fact, although Sega is developing virtual reality games for both arcade
  and home use, the company does not yet have any such games on the market. We
  accept that any suggestion in our heading that Sega is selling a game which
  has been found to be potentially damaging to eyesight is misleading. We
  apologise for any embarrassment caused.

In the second (and last) paragraph:

  The company [Sega] also claims that the research [cited in the article] used
  a prototype with very high powered lenses, designed for a different
  application, and that the technology is so different that a comparison is
  not valid.

Robert.Carolina@cchance.co.uk  Clifford Chance  200 Aldersgate Street
London   EC1A  4JJ        +44 71 600 1000 (work)


Re: Wiretap Laws and Procedures (Leigh, RISKS-15.14)

<smb@research.att.com>
Tue, 19 Oct 93 10:46:56 EDT
    This implies that applying a DNR to a suspect's line does _not_
    require a court order and is not considered wiretapping.  In
    other words, the list of numbers called by a suspect is not
    protected as rigorously as the content of those calls.  I'd
    like to hear more about how this data is protected or made
    available to investigators and others.

Use of ``pen registers'', which record the numbers you dial, or ``trap and
trace'' devices, which record who has called you, is regulated by 18 USC
3121-3126.  The requirements for court orders are somewhat similar, though at
first glance, they're somewhat easier to obtain; as I recall, the wiretap laws
restrict the use of wiretaps to serious crimes, while there's no such
provision in the pen register law.

Steve Bellovin


Re: Australian government to replace DES (Burfitt, RISKS-15.14)

<smb@research.att.com>
Tue, 19 Oct 93 10:56:43 EDT
Burfitt describes a new Australian encryption algorithm, notes that
it runs at 20 Mbps, and asks:

     Isn't part of the security with DES its slowness, which
     implies that this new encryption method will be inherently
     risky because of its speed ?

No, DES was never designed to be slow, though there are some aspects of
its design which are inherently quite slow if done in software.  You
may be thinking of the UNIX system password hashing algorithm, which is
based on DES, and which was indeed intended to be slow.

Not that 20 Mbps is particularly fast today.  Eberle and Thacker have
described a 1 Gbps DES chip (Proceedings of the IEEE 1992 Custom Integrated
Circuits Conference), and 40 Mbps chips are readily available.

There is some slight risk in an encryptor being able to run too quickly, in
that it makes exhaustive search somewhat more feasible.  But key size is a
much more important variable.  DES's 56 bits are too few; see Wiener's design
(CRYPTO '93) for a US$1 million DES-cracking machine, or for that matter the
Diffie-Hellman critique of DES in 1977 on just those grounds.

In evaluating this new algorithm, I'd look at the key size, whether or not the
algorithm is open to public scrutiny, and whether or not the Australian
government is fond of things like key escrow.

Steve Bellovin
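Karn's point about the DES initial and final permutations being factored out of a key search, and Bellovin's point that key size matters far more than encryptor speed, worked through as one added example (not code from either poster). The IP and FP tables are the standard DES ones; the keyed `core` function is a constructed stand-in for the 16 DES rounds, since only the outer structure E = FP(core_k(IP(p))) matters here.

```python
"""DES initial/final permutations as software bit renumbering, and why they
drop out of an exhaustive key search.  Added example for this digest; the
keyed core below is a placeholder, NOT the real DES round function."""

# Standard DES initial permutation (IP) and its inverse (FP).  Entries are
# 1-based source bit positions, bit 1 being the most significant of 64.
IP = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]
FP = [40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31,
      38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29,
      36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27,
      34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25]


def permute(block, table):
    """Software bit renumbering: one mask-and-shift per output bit, 64 steps
    per block.  In hardware the same thing is just wiring and costs nothing."""
    out = 0
    for pos in table:
        out = (out << 1) | ((block >> (64 - pos)) & 1)
    return out


def core(key, block):
    """Constructed keyed bijection standing in for the DES rounds (NOT DES):
    XOR the key, rotate left by 13, add the key again.  Each step is
    invertible, so the whole thing is a permutation of 64-bit blocks."""
    mask = (1 << 64) - 1
    x = (block ^ key) & mask
    return (((x << 13) | (x >> 51)) + key) & mask


def encrypt(key, block):
    """Outer structure shared with DES: FP(core_k(IP(p)))."""
    return permute(core(key, permute(block, IP)), FP)


def search_plain(keys, plaintext, ciphertext):
    """Naive search: both permutations are recomputed on every trial key."""
    for k in keys:
        if encrypt(k, plaintext) == ciphertext:
            return k
    return None


def search_factored(keys, plaintext, ciphertext):
    """Permutations 'factored out': because FP is the inverse of IP,
    E_k(p) == c is equivalent to core_k(IP(p)) == IP(c).  IP is applied once
    to each side up front, and each trial costs only core_k."""
    inner_p = permute(plaintext, IP)
    inner_c = permute(ciphertext, IP)
    for k in keys:
        if core(k, inner_p) == inner_c:
            return k
    return None


def exhaustive_search_years(key_bits, bits_per_second, block_bits=64):
    """Years for ONE encryptor at the given throughput to try every key.
    A 1 Gbps chip performs 1e9 / 64 trial encryptions per second; the
    answer shows why Wiener's design needs many chips, and why the key
    size exponent dominates the throughput."""
    trials_per_second = bits_per_second / block_bits
    return (2 ** key_bits) / trials_per_second / (365.25 * 24 * 3600)
```

The search functions are run over a tiny constructed key range only to check that the factored form finds the same key; the timing function makes the size-versus-speed comparison explicit.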


Re: Software safety on UK national news (RISKS DIGEST 15.13)

Pete Mellor <pm@csr.city.ac.uk>
Fri, 15 Oct 93 10:43:55 BST
In RISKS DIGEST 15.13, Jonathan.Bowen <Jonathan.Bowen@prg.ox.ac.uk> writes:

> The Wednesday 13th October 9 o'clock evening news on BBC1 TV in the UK
> featured a new report from the UK HSE (Health and Safety Executive) ...
> ... Does any RISKS reader have a full reference for the report?

From a telephone call to the HSE information centre just now, I gather that
the news report probably referred to the latest issue of "Statement of Nuclear
Incidents at Nuclear Installations", which is a regular quarterly report.

It can be obtained free by post (at least in the UK) by telephoning the
London Information Office of HSE on: +44 (71) 243 6385

Other useful numbers:

Main HSE Information Office:  Tel.: +44 (742) 892345
                              Fax.: +44 (742) 892333

Main HSE Publications Orders: Tel.: +44 (787) 881165

I should warn readers that none of the people to whom I spoke were sure
exactly to which report the news item referred.

Although they are not relevant to the original topic, readers may also be
interested in the following publications of HSE:

Guidance leaflet on safety of Visual Display Units (free from London office).

"Display Screen Equipment Work: Guidance on Regulations", ISBN 0 11 886331 2,
available also from any Dillon's bookshop, price: 5 pounds sterling.
This is a guide to the EEC regulations which came into force in Jan. 93.

"Programmable Electronic Systems in Safety Related Applications", in two parts:
1. An Introductory Guide, ISBN 0 11 883913 6

2. General Technical Guidelines, ISBN 0 11 883906 3

Peter Mellor, Centre for Software Reliability, City University, Northampton
Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@csr.city.ac.uk


Re: Libraries and Imagined Communities

<Bruce_Hamilton.LAX1B@xerox.com>
Fri, 8 Oct 1993 16:52:38 PDT
I think that far too much is made of the supposed "imagined communities" of
readers that exist today.  I never read the LA Times sports section; other
readers probably read ONLY the sports section.  Even specialized journals
contain very few articles which are of interest to *all* readers.

We associate with people we like and who already tend to share common mindsets.
By word-of-mouth we refine our knowledge and opinions.  I believe that the
shattering, enabled by Internet, of age- and geography-based ghettos, is far
more important than whatever new limitations might be imposed by a-priori
electronic information filtering.

I welcome the day when both source and destination filters are so refined that
I open with pleasure all of my "junk" mail, and I no longer have bookshelves
full of magazines and journals where 80% of the content is of no interest to
me.  I'm confident that personal contacts plus "news flash" features, "best of"
anthologies, and the ramblings of a few favorite columnists (Jerry Pournelle,
Dave Barry, P.J. O'Rourke, Ann Landers,...) are quite sufficient to bring any
truly important items past any electronic filters.

--Bruce  BHamilton.LAX1B@Xerox.COM  310/333-3538


Re: Separating parts in privileged applications

<Bob_Frankston@frankston.com>
Sat, 9 Oct 1993 01:06 -0400
There was a good discussion of the Multics ring structure in the new (this
year) ALT.OS.MULTICS discussion (we don't give up easily!). What was
interesting was that the revisionist view is that rings were not all that
useful. Rings were useful internally to provide a supervisor and
supersupervisor (kernel) mode and a user mode, though they were overkill for
that purpose. Nontrivial attempts to use rings ran up against the mutually
suspicious subsystem problem. Similarly the hardware pointer validation was
insufficient for real applications.

Basically, protecting the operating system is a minor problem as systems
become more complex and the focus shifts from operating system as master of
the universe to the operating system as a nice utility that helps keep the
local system intact but the real action is in the interactions between
subsystems and physically separate systems.


Separating privileged parts - Ring structures

Tom Thomson <tom@fiveg.icl.co.uk>
Wed, 13 Oct 93 16:23:02 BST
Yves_Royer in risks 15.08 only knows one OS that uses privilege rings for
protection.  When I was young everyone expected that all OS would in future be
like that.  It's amusing to note that the only manufacturer currently making a
substantial profit out of "conventional" mainframes is also the only manufacturer
offering this style of protection in the system.  Maybe the loss of this 30
year old technology from the mainstream of OS development indicates a strange
risk: if it was developed in academia so that you can't patent it most of
industry will go for a patentable alternative even if that's patently
inferior.

Tom Thomson tom@fiveg.icl.com

P.S. For anyone interested, the manufacturer, mainframe series, and OS referred
to above are ICL, Series 39, and VME respectively; 16 ring hardware protection
fully exploited by the software, with an OS that's been around for 20 years.
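The "mutually suspicious subsystem problem" raised by Frankston, and the ring protection Thomson describes, worked through as one added example (not code from either poster). The ring rule is a simplification of Multics-style brackets rather than a description of Multics or VME, and the access-list model at the end is this example's own contrast to show what a strictly hierarchical scheme cannot express.

```python
"""Why a hierarchical ring structure cannot express mutual suspicion.
Added example for this digest (not code from either poster); the ring rule is
a simplification, and the access-list model at the end is a contrast only."""

N_RINGS = 16   # the post above mentions 16-ring hardware protection


def ring_allows(caller_ring, segment_ring):
    """Simplified ring rule: ring 0 is most privileged; a caller may touch any
    segment at its own ring or at a less privileged (higher-numbered) one."""
    return caller_ring <= segment_ring


def mutually_protected(ring_a, ring_b):
    """True only if neither subsystem can reach the other's segments."""
    return not ring_allows(ring_a, ring_b) and not ring_allows(ring_b, ring_a)


def mutual_protection_assignments(n_rings=N_RINGS):
    """All (ring_a, ring_b) pairs under which two mutually suspicious
    subsystems keep their data from each other.  Rings are totally ordered,
    so one of the two is always inner to the other: the list is empty."""
    return [(a, b) for a in range(n_rings) for b in range(n_rings)
            if mutually_protected(a, b)]


def kernel_protected_from_user(kernel_ring=0, user_ring=N_RINGS - 1):
    """What rings do handle well: a kernel inside and users outside.  The
    kernel can reach user segments, the user cannot reach kernel segments."""
    return (ring_allows(kernel_ring, user_ring)
            and not ring_allows(user_ring, kernel_ring))


class Segment:
    """Non-hierarchical contrast: each subsystem names exactly who may touch
    each of its segments, so two suspicious peers can each protect their own
    data while still sharing one agreed segment."""

    def __init__(self, owner, shared_with=()):
        self.owner = owner
        self.allowed = {owner, *shared_with}

    def allows(self, subsystem):
        return subsystem in self.allowed


def acl_mutual_suspicion_demo():
    """Constructed scenario: subsystems A and B each keep a private segment
    and share one mailbox segment.  Returns (can B read A's private data,
    can A read B's private data, can both use the mailbox)."""
    a_private = Segment("A")
    b_private = Segment("B")
    mailbox = Segment("A", shared_with=("B",))
    return (a_private.allows("B"), b_private.allows("A"),
            mailbox.allows("A") and mailbox.allows("B"))
```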
