The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 12

Wednesday 8 June 1994

Contents

o RISKS OF RISKS again
PGN
o Hazards of the real-time switchover of a prison system
Ray T. Stevens
o Campaigns and Elections
Phil Agre
o Library fines unstoppable after earthquake
Geoff Kuenning
o Flames and viruses in e-mail - article in the New Yorker
Martin Minow
o Tetris addiction?
Mich Kabay
o Re: Closed Doors in Glasgow - Trapped Guard Dies in Fire
John Vilkaitis
o Re: Risks of too-simple responses (UK ATM Spoof)
Henry J. Cobb
Mathew Lodge
Jerry Leichter
o Re: Clipper
Gene Spafford
Sidney Markowitz [2]
A. Padgett Peterson
Paul Carl Kocher
o Info on RISKS (comp.risks)

RISKS OF RISKS again

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 8 Jun 94 12:00:01 PDT
Sorry for the inconvenience on RISKS-16.11 for those of you who got a
truncated original, and apologies for the duplicate in case any of you
actually got an untruncated original copy.  Our gateway was timing out on even
moderately sized outgoing mail and FTPed files (also preventing me from
updating the CRVAX archive copy).


Hazards of the real-time switchover of a prison system

"Ray T. Stevens" <74074.1746@CompuServe.COM>
04 Jun 94 15:56:30 EDT
Our local newspaper, The Herald Times, had a several page spread on the
problems relating to a switchover of the local prison to a new control system.
Given the length of the spread, and considering that most of it was human
interest and not technical, I summarize it here.

The prison is being switched from a mechanical to a fully automated system,
and this is being done while it contains prisoners.  The jailers are
complaining about huge amounts of overtime, and spending the whole day "on a
dead run".

One incident of a technology breakdown was especially insightful.  The lights
are going to be controlled by this new system, and the wiring for the new
system must be run through some of the old wire traces.  In order to safely
install the new wiring, the existing wiring had to be disconnected, for both
the lights and an intercom system so that inmates can contact the guards for
requests.  To maintain functionality, temporary wiring was used to replace the
existing wiring for the lights.  To save money, no on-off switches were
included.  The prisoners must sleep with the lights on.

One of the prisoners has sued, requesting release because of cruel and unusual
punishment.  This has been rejected.

A more serious incident occurred with another prisoner.  A light had started
to burn out, but since it couldn't be turned off, it couldn't be changed, and
it started blinking rapidly.  One of the prisoners had epilepsy, and the
blinking light triggered a seizure.  The inmate's injuries were exacerbated by
the other prisoners not being able to call for help.  Pounding on the cells
did no good, as this is a common sound in the prison.  A lawsuit is in
progress.

Another prisoner is now using this as grounds for his immediate release.  He
has a heart condition, and is claiming that this situation puts him too much
at risk.  No ruling yet.

I see one more lawsuit from this.  The best defence in a criminal case is
frequently delay.  I can see what may be a very valid comment from a
defendant's lawyer.  "I must request a continuance on the basis of temporary
incompetence of my client.  The county has been illegally depriving my client
of sleep, and he is now too sleepy to competently participate in his own
defence."  Under the right circumstances, I would say this might be worth
about a two-month delay.


Campaigns and Elections

Phil Agre <pagre@weber.ucsd.edu>
Mon, 6 Jun 1994 18:09:55 -0700
I encourage everyone to have a look at an issue of the magazine "Campaigns
and Elections".  It's a monthly, sold at many newsstands (in the US anyway),
for the people who run political campaigns.  Every issue includes numerous
references to the growing role of computers in campaigning.  Now I'm sure that
this trend has its good sides and its neutral sides and its complicated sides.
But inside the back cover of the May 1994 issue is an advertisement from a
political software company whose headline is "The age of individual targeting
is upon us".  In other words, everyone gets their own personalized direct-mail
pitch, based on a detailed database of information relevant to your likely
political leanings.  One use of such databases is basic demographics for
choosing issues to emphasize; another is deciding who should be approached
personally and urged to vote.

But a scarier use of such databases, not mentioned in the ad, is the tailoring
of messages to individual voters.  For example, a group of land developers
in San Diego is promoting an initiative for tomorrow's primary election that
would open up the last parcel of wild land in San Diego to development.  Their
campaign has been incredibly sophisticated, including numerous tactics that
aren't relevant here.  The part that *is* relevant here is a letter I received
over the weekend encouraging me to vote Yes on the initiative.  Along with
the letter were two inserts containing endorsements from the leader of the
local AFL-CIO and a Hispanic city council member from another district.  Did
the guy around the corner with the "Rush is Right" bumper sticker get the
same inserts?  He didn't have to, if the developers had access to a suitably
"enriched" database.  In the future you won't even have to bother putting
together a coherent coalition; just find out what everybody's hot issues are
and make them all whatever promises you need to make, one by one, the Saturday
before the election, so nobody has time to compare notes.

Campaigns and Elections, 1511 K St NW #1020, Washington DC 20005, USA.
Subscriptions $30/year in the US, write for prices elsewhere.

Phil Agre, UCSD


Library fines unstoppable after earthquake

Geoff Kuenning <geoff@FICUS.CS.UCLA.EDU>
Tue, 31 May 94 13:31:29 -0700
From an article by Rebecca Bryant in the Los Angeles Times Valley
Section, Thursday May 19th:

The Los Angeles City library system is sending out overdue notices for books
that had been checked out before the January 17th earthquake.  The only
problem is that readers have been told that they can hang on to their books
until the damaged branches reopen.

"Now wait a minute," writes Bryant.  "Who[m] do you believe?  The library?
Or, uh, the library?"

The problem arose because the computer system used to generate the notices
does not allow notices to be selectively disabled based on the branch at which
the book was originally checked out.  The only way to stop the notices would
be to stop sending notices for all branches.  But many branches remain open,
and of course there are always delinquent readers.  According to Robert
Reagan, a library spokesman, the system is due to be replaced soon.  Although
the article does not state this explicitly, there is an implication that the
new system will support better per-branch control.

This is in many ways not just a computer risk.  The original programmers,
designing an integrated system, can be forgiven for failing to predict the day
when their customers would want to shut down only half of it, based on
unforeseen criteria.  Furthermore, it is easy to imagine an integrated manual
system with the same (if you will excuse the expression) fault.

Nevertheless, readers are confused and the library is embarrassed.  I guess
it's a pretty minor, though amusing, footnote to a major disaster.

    Geoff Kuenning  geoff@ficus.cs.ucla.edu geoff@ITcorp.com


Flames and viruses in e-mail - article in the New Yorker

Martin Minow <minow@apple.com>
Sat, 4 Jun 94 13:42:43 -0700
RISKS readers might find John Seabrook's article in the June 6, 1994
issue of the New Yorker interesting. He had previously written a profile
of Bill Gates, chairman of Microsoft (January 10, 1994) and received
an obscene and obnoxious message from "a technology writer who does a
column about personal computers for a major newspaper."

In true New Yorker tradition, Seabrook used this message as a vehicle to
comment on network etiquette and on the possibility that some strange aspects
of the message might indicate that the message contained a "worm" or "virus."
(My own reading of the evidence presented is that there is nothing to worry
about.)

Of particular interest to Risks readers might be Seabrook's fear that any
strangeness in the message might indicate an attack, and on the general way in
which extending the net to "an estimated twenty-three million users ... ten
million of which have come on-line in the last nine months" has affected the
culture of network communications.

RISKS readers -- at least those of us who have been around since the net was a
self-regulated anarchy -- will find his comments on the way this anarchy is,
or soon will be, dying away very interesting.

Martin Minow  minow@apple.com


Tetris addiction?

"Mich Kabay [NCSA Sys_Op]]" <75300.3232@CompuServe.COM>
28 May 94 21:41:39 EDT
From a Canadian newspaper, _The Globe and Mail_, 28 May 1994, p. D1:

<<Stay out of the laundry room, son, your mother is playing Tetris: Computer
software houses want to know why grown women are transfixed by one particular
video game.  Psychologists have been hired.>>

by Jim Carlton of the Wall Street Journal

<<Nintendo Co., master peddler of cyberpuzzles to young boys, has a riddle of
its own: Why are so many grown women hooked on Tetris, the geometric video
game?  Fourteen-year-old Bobby Meade would certainly like to know.  "Almost 24
hours a day she plays Tetris," the Johnstown, Ohio boy writes of his mother in
a letter to Nintendo.  "I can't hardly play more than one game a day."  Peggy
Rudden's family would also like to know.  "My husband thinks I'm hooked on
it," says 46-year-old mother of six in Englewood, Colo., who plays in her
laundry room, away from the kids.>>

The author continues with the following key points:

<

Re: Closed Doors in Glasgow - Trapped Guard Dies in Fire

John Vilkaitis <javilk@netcom.com>
Sat, 4 Jun 1994 00:37:06 -0700
    Failure to provide a reliable emergency exit is usually a violation of
local fire and other ordinances. The RISK is civil and criminal prosecution,
not MERELY lost sales.

    This, and many other seemingly senseless problems have at their root, a
failure of the analyst to IMAGINE HIMSELF using the system.  Sometimes this is
the fault of the analyst, often it is simply because management refused to
give the analyst (or the programmer) time to calmly "daydream" himself using
the system and encountering typical situations and problems.  If you cannot
imagine in your head what you are building, you RISK building trash, often
dangerous trash.

        "Imagination is more important than facts" - Albert Einstein

   It takes both FACTS and IMAGINATION to build good systems, but no one seems
to teach us to use the broader power of our imagination, insisting we use the
far narrower term "THINKING".

-JVV- (J. Vilkaitis,  javilk@netcom.com, 408-983-0518 voice/fax)

  [John, I guess you have to be THIN-KING to slip through the emergency exit.
  See my article, Psychosocial Implications of Computer System Development
  and Use: Zen and the Art of Computing, in Theory and Practice of Software
  Technology, D. Ferrari, M. Bolognani, and J. Goguen, eds., North-Holland,
  1983, for a discussion of how both left-brain and right-brain activities
  must be used and properly integrated.  PGN]


Re: Risks of too-simple responses (UK ATM Spoof) (RISKS-16.10)

"Henry J. Cobb" <hcobb@fly2.berkeley.edu>
Wed, 1 Jun 1994 19:52:49 -0700
    Jerry Leichter suggests that ATMs be "hardened" to spoofery by reading
the "noise" built into the card during manufacture rather than the digital
signals encoded on them.

    The risk to this is once the scanner that detects the noise is out in
the field in large numbers, it becomes just another fixed system to spoof.

    Before you counter with "We'll just push down to the quantum level!"
consider if you'd want real people in the real world walking around with cards
depending on this. (And please no "Are you displeased to see me, or is that
just a quantum in your pocket?" jokes from the moderator.)

    Digitally secure smartcards are not only the geek thing to do, they're
the right thing to do.  As for the installed base of "dumb" cards, this can be
wiped clean by proper legislation or simple liability.  All that is needed is
to abolish the NSA and go back to being a free nation.


Re: Risks of too-simple responses (UK ATM Spoof) (RISKS-16.10)

Mathew Lodge <lodge@ferndown.ate.slb.com>
Fri, 3 Jun 94 17:22:47 BST
Perhaps Jerry has never been to France. All French credit cards are smart
cards, and have been in mass use for several years now. The French don't
seem to be having any problems with fragility or expense.

As to backward compatibility, this is solved by the extraordinarily simple
measure of allowing the card readers to deal with both smart cards and
ordinary magnetic stripe cards. Thus I can use my Visa card in France with
no problem (the only difference is that there is no immediate validation
using my PIN as there is for smart cards).

> In practice, my bet is that we will *never* see the replacement of magnetic
> stripe cards by smart cards.

I think this is a little too pessimistic.

Mathew Lodge, Software Engineer, Schlumberger Technologies, Ferndown, Dorset,
UK, BH21 7PP    lodge@ferndown.ate.slb.com   +44 (0)202 893535 x404


Re: UK ATM Spoof (Cobb, Lodge, RISKS-16.12)

Jerry Leichter <leichter@lrw.com>
Fri, 3 Jun 94 22:07:00 EDT
On Henry J. Cobb's fixed system to spoof:

We've been using pin-tumbler and mechanical combination locks for many, many
years.  In fact, that's exactly what protects the money actually stored inside
of ATM's - along with fairly simple electrical alarms, which haven't changed
much in many years either.  All "just another fixed system to spoof".

Clearly the only hope is "digitally secure smartcards", a technology that
has seen all of 20 years worth of development and testing in the real world,
against real attackers.  By all means, let's convert everything immediately.
After all, these new systems are based on *digital computers*!  Clearly they
are better, more secure!  Computers never make mistakes, after all!

On Mathew Lodge's response to my statement ("In practice, my bet is that we
will *never* see the replacement of magnetic stripe cards by smart cards."),
saying that he thinks this is "a little too pessimistic":

As Mark Twain said, it's a difference of opinion that gives us horse races.
(Well, he said it better, but I don't recall the exact words.)  We've both
made our predictions.  I'll sharpen mine: Five years from now, smart cards
will represent no more than 5% of the US market for bank and charge/debit
cards; some variation of magnetic stripe technology will make up essentially
all the remaining 95%.  Shall we revisit this in 1999?


Clipper

Gene Spafford <spaf@cs.purdue.edu>
Fri, 03 Jun 94 19:20:45 -0500
In today's mail I got a glossy brochure extolling Clipper.  It
promises to "Expand your creative universe with real-world solutions."

Is it a new ploy by the government to subvert our privacy?  No, it's an
advertisement by a company named Dynamic Graphics for their CD-ROM clip art
magazine.  "Clipper" is their registered trademark.

I wonder if they registered the trademark recently?  I would have pitched the
flier immediately had I not noticed the word "Clipper" in large letters.  I
can't recall hearing about them before, either....  Has "Capstone" been
registered yet, or "Tessera"? :-) On the other hand, it might be they had the
name picked out over a year ago and their business will go south as a result
of recent events.

The risk?  Naming a product something catchy just before a government agency
nicknames something unpopular the same name.  (Alternatively, there's a risk
in trying to avoid this -- naming a product "Fascist Thought Control" is likely
safe from collision, but won't help sales.  :-)


Details of flaw in Clipper

Sidney Markowitz <sidney@taurus.apple.com>
Fri, 3 Jun 1994 20:14:29 -0700
I have seen lots of discussion about the New York Times report on Matt Blaze's
discovery of a flaw in Clipper's key escrow system, with more confusion than
anything else. Here is the best article that I have seen on the net explaining
exactly what Dr. Blaze has found. There's also confusion about the
implications. My understanding is that this method might allow someone with a
Clipper chip device to have a secure communication with another person with a
Clipper device that could not be decrypted by law enforcement *and* it does
not require the cooperation of the second person.  That last part is what
makes this significant, since two people can agree to just encrypt their
messages with, say PGP, if they want to be secure from law enforcement
decryption. But if Blaze's method is practical, the widespread use of Clipper
would make it harder on law enforcement by making it easier than it is now for
someone to have secure communication with people without having to plan with
them to do so.

 -- sidney markowitz <sidney@taurus.apple.com>

[begin quote of Message-ID: <PERRY.94Jun3182655@snark.imsi.com>
 crossposted to sci.crypt, talk.politics.crypto, alt.policy.clipper]

   [Run in RISKS with permission of "Perry E. Metzger" <perry@imsi.com>.  PGN]

Many people have misconceptions about what Matt did.

Based on his paper (no, you can't have a copy since he told me not to
distribute it; I'm sure he'll release it when it's ready for prime time) and
discussions with him, the trick is this.

[The Escrowed Encryption Standard is abbreviated as EES.]

The LEAF acts much as a key to tell the EES unit that it should
function. It contains three elements:

1) the 32 bit unit id of the EES unit generating the LEAF
2) the 80 bit session key, encrypted in the escrowed key for that unit.
3) a 16 bit checksum based on the unencrypted session key and the
   initialization vector (IV) for the session.

All three components are concatenated to form a 128 bit unit, which is
encrypted in the family key in order to produce the LEAF, reportedly using a
unique mode of Skipjack.

The remote unit takes in the LEAF, decrypts it with the family key, and checks
the cleartext session key and IV to see if they produce the proper 16 bit
checksum. If so, it accepts the LEAF and functions properly. Note that the
encrypted key inside the LEAF is useless to the remote EES since it doesn't
have the other EES's escrowed key. It has to rely on the cleartext session key
and IV alone to check that the checksum looks right.

Sadly for the NSA, the checksum is only 16 bits long. Given a session key and
initialization vector, I can fairly quickly generate a large number of fake
LEAFs (chosen at random) and find one that a captive EES unit will accept as
being the right LEAF for a given session key/IV. The contents of the LEAF will
be garbage, but the remote unit will not know that, and will happily go along
with using it. I needn't know the family key, or even the checksum algorithm.

The point here is, of course, that I can freely interoperate with non-rogue
EES units -- I can communicate with non-subverted units without revealing my
privates hidden beneath the LEAF. (sorry for the pun.) [*]

By the way, Matt had to figure out the components of the checksum on his own
-- the mechanism for calculating it and where it came from were not
documented.

BTW, for those who have asked, in case the preceding didn't make it clear,
you can't just reuse an old LEAF or a stolen LEAF because the session key/IV
won't correspond and the checksum won't be right -- you have to generate and
test.

Perry Metzger       perry@imsi.com

[end quoted message]

     [*] [Turning over a new LEAF is better than if you LEAF
         well enough alone, he suggested FIGuratively.  PGN]
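
The LEAF check described in the quoted message above, as an added Python model that is not part of the original posts or of the EES itself. It shows that a genuine LEAF is bound to its session key/IV, and how often a receiver with a t-bit checksum accepts arbitrary 128-bit blocks, which is why 16 bits is too short. Assumptions: the cipher and checksum are stand-ins (an HMAC-SHA256 Feistel permutation and a truncated SHA-256), and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import random

# Stand-ins (assumptions): this model does not use Skipjack or the real LEAF
# checksum. A 4-round HMAC-SHA256 Feistel permutation and a truncated SHA-256
# take their places. Field sizes follow the message: 32 + 80 + 16 = 128 bits.
BLOCK = 16


def _f(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def family_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right


def family_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right


def checksum(session_key: bytes, iv: bytes, tag_bits: int = 16) -> int:
    digest = hashlib.sha256(session_key + iv).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << tag_bits) - 1)


def make_leaf(family_key, unit_id, wrapped_key, session_key, iv) -> bytes:
    """unit id (4 bytes) || escrow-wrapped session key (10) || checksum (2)."""
    tag = checksum(session_key, iv).to_bytes(2, "big")
    return family_encrypt(family_key, unit_id + wrapped_key + tag)


def verify_leaf(family_key, leaf, session_key, iv, tag_bits: int = 16) -> bool:
    """Receiver's check: only the checksum is testable; it lacks the unit key."""
    plain = family_decrypt(family_key, leaf)
    got = int.from_bytes(plain[14:], "big") & ((1 << tag_bits) - 1)
    return got == checksum(session_key, iv, tag_bits)


def false_accept_rate(tag_bits: int, trials: int, seed: int = 1994) -> float:
    """Fraction of random 128-bit blocks a receiver accepts for one session."""
    rng = random.Random(seed)
    rand = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    family_key, session_key, iv = rand(10), rand(10), rand(8)
    hits = sum(verify_leaf(family_key, rand(BLOCK), session_key, iv, tag_bits)
               for _ in range(trials))
    return hits / trials


def expected_trials(tag_bits: int) -> int:
    """Mean number of random blocks tried before one passes a tag_bits check."""
    return 2 ** tag_bits


if __name__ == "__main__":
    fk, sk, iv = b"F" * 10, b"S" * 10, b"I" * 8        # constructed sample values
    leaf = make_leaf(fk, b"\x00\x00\x00\x01", b"W" * 10, sk, iv)
    print("genuine LEAF, same session :", verify_leaf(fk, leaf, sk, iv))
    print("recorded LEAF, new session :", verify_leaf(fk, leaf, b"T" * 10, iv))
    print("8-bit check, measured rate :", false_accept_rate(8, 20000))
    for bits in (16, 32, 64):
        print(f"{bits}-bit check, expected tries: {expected_trials(bits)}")
```

The measured rate is taken at 8 bits only so the run finishes quickly; the acceptance rate scales as 2^-t, so each added checksum bit doubles the expected work.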


Blaze's Clipper paper available via ftp

Sidney Markowitz <sidney@taurus.apple.com>
Mon, 6 Jun 1994 19:29:45 -0700
Matt Blaze is the AT&T researcher who has made the news recently for
discovering a flaw in the Clipper protocol. I saw an announcement from him
that a preliminary draft of his paper "Protocol Failure in the Escrowed
Encryption Standard" is available via anonymous ftp from resarch.att.com in
the file /dist/mab/eesproto.ps in PostScript format. He cautions that there
will be a final version of the paper which will likely include additional
material on the production version of the PCMCIA card, and that this draft is
based on his examination of a prototype card.

 -- sidney markowitz <sidney@apple.com>


Flaw ? in Clipper

A. Padgett Peterson <padgett@tccslr.dnet.mmc.com>
Sat, 4 Jun 94 22:35:29 -0400
This has already gotten out of hand on the Usenet. In simplest terms, what
Matt Blaze found is that it is possible to spoof a CLIPPER LEAF (law
enforcement access field).

IMHO this is almost meaningless since *both* ends will need to do this (AFAIR
each side sends a LEAF. If only one LEAF is spoofed, it will just be
necessary for a legal tapper to use the other one).

Thus to be effective, both ends will need special spoofing equipment and in
that case they might as well use something other than Clipper. Even better use
something different but prefix a valid Clipper LEAF. Right. Remember Occam's
Gillette.

Dr. Blaze also mentioned that it would take about 20 minutes to come up with a
valid checksum. Much easier would simply be to record a valid LEAF from
another chip and use that.

The most important element is that the SKIPJACK algorithm is in no way
affected by this and is as strong as ever, only the government's ability to
use the LEAF may be compromised.

I still expect the government to drop key escrow when the hardware is ready
and that there will still be two means available to defeat Clipper available
to the government - without using any backdoor/trapdoor and without any
weakness in SKIPJACK (see my earlier postings - one is similar to the way GSM
can be tapped now).

Personally, I feel that Clipper is a valuable mid-range low-announced-cost
device that is "good enough for government work". PGP or triple DES used in
combination with Clipper is a viable next step up.

Padgett

P.S. Anyone notice Enigma-Logic's announcement of a one-time-password-token
   emulation for the PC @ US$10/user (maybe less) ? Certainly an answer to
   sniffers.


Re: Flaw in Clipper detected (Huggins, RISKS-16.11)

Paul Carl Kocher <kocherp@leland.Stanford.EDU>
Tue, 7 Jun 1994 03:19:55 -0700
Although I doubt people will modify devices with hard-wired Clipper chips,
this seems to be a very serious blow to Tessera (the government's PCMCIA
card with a Clipper chip).

Tessera has a standard programming interface that passes the programmer's
calls to the encryption card.  Any experienced assembly language programmer
could easily add "support" for Blaze's technique for bypassing the LEAF (Law
Enforcement Access Field) validation check.  This could be done transparently
and without significantly impacting performance.  It could also fix up the
side effects of the attack (e.g. the first block is bad in CBC mode, etc).
Under MSDOS this could be done with a TSR that would intercept calls to the
card directly, so it would work with all Tessera applications.  The same TSR
could also substitute pre-computed and/or brute-forced LEAFs for
interoperability with non-cheating users.

We were told that the reason for having escrowed keys and a secret algorithm
was to keep terrorists from having strong crypto.  Now the bad guys have
full-strength SkipJack, the public has a flawed "standard," and because the
algorithm is classified we can't look for other problems.  I'm also wondering
what's going on inside NSA -- DSS originally had alarmingly-small keys and has
been widely criticized, SHA was defective, and now this...

-- Paul Kocher  kocherp@leland.stanford.edu
