The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 30

Tuesday 2 August 1994

Contents

o Squirrels again bring down Nasdaq
PGN
o MCI inbound internet gateways choked
Mich Kabay
o RISKs of electrical wiring
Robert Rose
o How to clean out a checking account
Paul Dineen
o FBI hunting for Agent Steal, flashy computer hacker
Mich Kabay
o PCMCIA cards
Mich Kabay
o Progress on RFI in aircraft
Mich Kabay
o Porn Peddlers Convicted in Memphis
Mich Kabay
o Re: Video Cameras
Nap van Zuuren
o Computer telephony
Phil Agre
o Re: Crashed bank teller
Ted Lemon
Patrick O'Callaghan
o The Cult of Information by Ted Roszak
WN Peters
o Report Released on Public Key Law and Policy
Michael S Baum
o Info on RISKS (comp.risks)

Squirrels again bring down Nasdaq

"Peter G. Neumann" <neumann@chiron.csl.sri.com>
Tue, 2 Aug 94 7:55:36 PDT
Nasdaq once again was shut down by an energetic squirrel who apparently
chomped on a power line near the stock market's computer center in Trumbull,
Connecticut, yesterday.  The system failed to perform the automatic
switchover to the temporary backup power supply (designed to last until the
backup system in Rockville, Maryland, could be brought up), and consequently
the market was down for 34 minutes.  A similar problem occurred in December
1987.  (A 2.5-hour outage on 15 July was reported in RISKS-16.25, due to
risky software upgrades.)


MCI inbound internet gateways choked

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
01 Aug 94 10:47:51 EDT
According to the Washington Post newswire (94.08.01 via CompuServe's Executive
News Service), MCI's inbound Internet gateways were saturated last month,
resulting in days of delay in delivery to MCI customers.

M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn


RISKs of electrical wiring

<robert_rose@VNET.IBM.COM>
Mon, 1 Aug 94 17:47:37 EDT
I had a really interesting experience in one of our labs today, an
electrician was adding a new outlet into an office and tied the outlet into a
junction point in the dropped ceiling.  While tying in the neutral line he
let the 'home-run' neutral line (the one going back to the main 3-phase
distribution I assume) come loose from the junction.  After a minute he
discovered this at reconnected it... he didn't notice a thing.  All of us in
our offices however were really charged up....  There was smoke, sparks and
crackling belching from numerous PCs, X terminals, surge protectors and
fluorescent lamps.

One of our programmers who is an EE figured that when he dropped the main
neutral the current instead started to flow between two branches of the three
phase and that one office had very little equipment turned on and the other
had great gobs of stuff powered up so that the office with everything turned
on had almost the full 220V across its outlets.  Total body count: 2 surge
protectors, a fan, and one Gateway 2000 (which was spewing sparks out of the
fan opening!) [I'm not a EE-minded person so hopefully I haven't botched this
description too bad]

Lessons:
1. Don't trust your surge protectors blindly, the Gateway that got fried
   was plugged into one.
2. Its worth the money to buy an autoswitching 110/220 power supply, the
   Gateway was right next to an RS/6000 that has an autoswitching supply.
   We figure the RS/6000 was running until the breakers blew... it just thought
   it had made a quick trip to Europe.  Another IBM machine with an auto
   supply made it too.

I would have thought that some type of automatic device could prevent these
type of overvoltages, but given the electrician's actions I guess not.  (This
electrical contractor was *real* happy when we discovered the RS/6000 wasn't
toast!)

--Rob Rose   OS/2 Development  IBM Boca Raton


How to clean out a checking account

Paul Dineen <pld@swttools.fc.hp.com>
Fri, 29 Jul 1994 18:01:45 -0600
I lost my checkbook a couple of weeks ago.  Despite turning the house inside
out that evening, I couldn't find it.  So, I called the bank and had them put
a watch on the account.  Yesterday, I found the checkbook.  (Wedged behind the
seat of the lawn mower, must have fallen when I was cleaning the garage.)  I
called the bank to cancel the watch, needing to tell them only the account
number and my name (printed on the check, naturally).  They didn't ask me my
mother's maiden name or anything.  Obviously, what's to stop a finder or thief
from making the same call?  I didn't raise this question then because I didn't
want to raise suspicion and have to go through some trouble to get the watch
lifted, but I will raise it with them on the next working day.

Paul Dineen, pld@fc.hp.com


FBI hunting for Agent Steal, flashy computer hacker

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
01 Aug 94 10:47:38 EDT
>From the Reuter newswire (94.07.31 @ 21:10 EDST) via CompuServe's Executive
News Service:

"FBI HUNTING FOR AGENT STEAL, FLASHY COMPUTER HACKER.

    "LOS ANGELES, July 31 (Reuter) - The FBI is searching for a computer
hacker suspected of committing high-tech crimes at the same time he allegedly
worked undercover for the bureau catching other computer hackers, the Los
Angeles Times reported Sunday.
     The hacker, who goes by the moniker "Agent Steal" and whose real name is
Justin Tanner Petersen, vanished last October and is on the run from the very
federal agency -- the Federal Bureau of Investigation -- he told friends was
paying his rent and flying him to computer conferences to spy on other
hackers, the paper said."

Key points from the article:

o   Petersen admitted having committed computer crimes even while working
with federal prosecutors.

o   He is alleged to have cracked federal computers and stolen information
from a credit card information bureau.

o   He was involved in Kevin Poulson's fraudulent successes in radio
phone-in contests in L.A.

o   Petersen claimed to have been responsible for "nailing" Kevin Mitnick,
the infamous criminal hacker who is sought by authorities for breaking into
police computers and impersonating a police officer.

o   J. Michael Gibbons, an FBI computer crime specialist, is sceptical
that his agency ever hired Petersen: "It's not safe. Across the board, hackers
cannot be trusted to work -- they play both sides against the middle."

o   "Petersen was arrested in Texas in 1991, where a grand jury returned
an eight-count indictment accusing him of assuming false names, accessing a
computer without authorisation, possessing stolen mail and fraudulently
obtaining and using credit cards."

o   Convicted of six counts after pleading guilty, Petersen faces
imprisonment for up to 40 years plus a fine of $1.5 million.

o   "...[O]n Oct. 18, 1993, 15 months after entering his first guilty
plea, Petersen was confronted outside federal court by Assistant U.S. Attorney
David Schindler, who asked if Agent Steal had committed any crimes while free
on bail.
     "Petersen said he had, according to the federal prosecutor. Petersen fled
immediately after that meeting."

M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn


PCMCIA Cards

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
01 Aug 94 10:47:47 EDT
The Washington Post newswire (94.08.01; via CompuServe's Executive News
Service) provides an analysis of PCMCIA card problems:

"Add-In Card Standard: Good Plan, Bad Execution," by Brit Hume.

Hume summarizes the situation when the Personal Computer Memory Card
International Association (PCMCIA) was founded in 1990: lack of slot standards
made it difficult for manufacturers and users to have economical add-in
devices.  The new association devised three standards, but unfortunately the
bugs are not quite out yet.

The author describes the problems trying to work with a new PCMCIA fax/modem
card.  It worked OK with PC-DOS 6.1 but the drivers failed with DOS 6.2.

Even on 6.1, after resuming from both the "suspend" and "hibernate"
operations, the operating system had lost track of its PCMCIA port.  After
extensive discussion with IBM support, the writer got function back after
resuming from "suspend" but still lost the I/O port after "hibernate."

M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn


Progress on RFI in aircraft

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
01 Aug 94 11:51:35 EDT
>From the NIST UPDATE for 94.08.01:

ELECTROMAGNETIC FIELDS

   Paper Details EMF Shielding Theory

   In work supported by the Federal Aviation Administration, NIST
   researchers have developed a mathematical model and theory for
   predicting the electromagnetic field shielding effectiveness of large
   metal enclosures with apertures and interior loading. The model also
   should allow for estimations of the average field strength inside
   enclosures such as electronic equipment cases and aircraft bodies. It
   can be used for any enclosure regardless of size, shape, type of
   material and number of apertures, as well as for any frequency above
   a lower limit related to the dimensions of the enclosure. The model
   was experimentally evaluated using a rectangular aluminum cavity of
   about 0.57 cubic meter (approximately 20 cubic feet), with one
   aperture, and for a microwave frequency range from 1 gigahertz to 18
   gigahertz. The agreement between model and actual measurement was
   within 20 percent after a number of additional sources of loss were
   incorporated into the original model. A report, "Aperture Excitation
   of Electrically Large, Lossy Cavities" (NIST Technical Note 1361), is
   available from the National Technical Information Service,
   Springfield, Va. 22161, (703) 487-4650, for $19.50 prepaid. Order by
   PB 94-145711.
   Media Contact: Collier Smith (Boulder), (303) 497-3198
                  smithcn@micf.nist.gov

M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn


Porn Peddlers Convicted in Memphis

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
31 Jul 94 19:54:57 EDT
The Associated Press newswire (94.07.28 and 29) via CompuServe's Executive News
Service) reported on the recent conviction of Internet porn peddlers

The following summary is based on reports by WOODY BAIRD and ELIZABETH WEISE,
Associated Press Writers.  The first, by Baird, deals with the legal issues.

 "MEMPHIS, Tenn. (AP) -- A husband and wife were convicted of distributing
pornography via computer Thursday in a case that raised questions about how to
apply federal obscenity law to the information superhighway.
   Robert and Carleen Thomas, both 38, of Milpitas, Calif., were each
convicted of 11 counts of transmitting obscenity through interstate phone
lines via their members-only computer bulletin board. Each count carries up to
five years in prison and $250,000 fine."

Apparently the Thomases sold pornographic graphics files on their BBS.  A
Memphis postal inspector deliberately joined the BBS under an assumed name,
downloaded some of the pics to his system and then complained to law
enforcement authorities.

There's discussion of just what it means to try someone on the Internet under
local pornography laws which refer to "community standards."  "The opinion was
designed to let local citizens say whether they want X-rated bookstores or
movie theaters in their communities and get judges out of the business of
deciding what is obscene, said Stephen Bates, a senior fellow with the
Annenberg Washington Program, a communications think tank."

However, if this approach is applied to the Internet, "federal juries in the
most conservative parts of the country could decide what sexually explicit
images and words get on the information superhighway, Bates said."

Weise's article covers reactions on the Internet:

   "SAN FRANCISCO (AP) -- Hours after a couple were convicted of sending images
of bestiality and sexual fetishes over a computer bulletin board, the Internet
was humming with warnings and protests.
   "`If this case stands, you can bet there will be a hell of a lot more
prosecutions on the same basis in extremely short order," Karl Denninger of
Chicago wrote Friday on the computer network.'"

The EFF's Mike Godwin is reported as saying, "This case ... has one community
attempting to dictate standards for the whole country."

At least one BBS operator has stated that he'll quit as a result of the ruling,
although he didn't explain what kind of files his BBS stocks....

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn


Re: Video Cameras (RISKS-16.20)

Nap & Erik van Zuuren <100042.3164@compuserve.com>
29 Jul 94 05:44:02 EDT
Assume, that we need a 'balance' in the RISK Digest, the balance between
"benefits" of certain techniques against their "risks"

I have to react, as we are in a limbo on this issue.  As a Dutchman, living in
Belgium, I follow the outcome of a weekly T.V. program, called "Opsporing
verzocht" (Help sought on Criminal Investigation), a program in which the
Police Forces try to get necessary input for solving serious crimes.  In that
program, the presence of video-material from shopping malls and within shops
has proven to be a big help in getting required input, and so we have to
accept that we are "video-ed" when we are, for example, shopping; also for our
"own" protection.

- Would not you feel better, with a camera 'at your shoulder',
  as e.g. a cashier in a petrol station at a highway ?

So: Benefits appear to outweigh risk !

Note: Apparently the Dutch Police Forces, and related Forces,
      are still considered -- in general -- to be the "friends" of
      the population by the Dutch population.
      I thought that the same attitude towards the Police Forces
      was true for the U.K.; the relation to the "Bobbie".
      (As the original "risks message" originated in the U.K.,
      I also refer to the "Bobbie")

          I wish, this would be the case in other countries as
          well; but the requirements for reaching such a
          relation with the 'public' are:

         - to be "of assistance to the public"
         - to be trustworthy, accompanied by a free press
           and political will
         - to be supported by the judicial apparatus, for
           the Forces to stay motivated
         - a "quality of life" worth defending it

      We will need a lot of "trustworthy" energy to protect us --
      and our children -- against the "criminal" energy.

Do NOT get me wrong:
- I also fell victim to injustice (in my opinion) in a case
  versus an 'official'
- I even have been insulted in writing by a member of the Council
  of Ministers

But, we have to trust (and at the same time: control) the forces which
should protect the "law-abiding" (or = sullen ?) citizen, and are paid by
that same citizen to do so !  Might the price of "democracy".

Nap van Zuuren, CompuServe 100042,3164


Computer telephony

Phil Agre <pagre@weber.ucsd.edu>
Sun, 24 Jul 1994 14:09:10 -0700
The July issue of Byte has a good technical review of systems for integrating
PC's and telephones.  The full reference is:

  Jon Udell, Computer telephony, Byte 19(7), 1994, pages 80-96.

The applications are still pretty primitive, since the necessary capabilities
within the phone system itself don't quite exist yet, are just coming on-line,
or are just receiving regulatory approval.  Still, enough stuff is just over
the horizon that non-trivial architectures are being built.  Many of them
use Caller-ID, for which the FCC just set US national standards over the dead
bodies of several state utilities commissions; and despite the strange idea
that Caller-ID is mostly for residential use, the article makes clear that
developers see a world of commercial applications.  In general, as the article
points out in the case of sales and collections systems,

  "As these tools find their way into the hands of smaller, more mainstream
   businesses, you can expect better service in some cases and more efficient
   harassment in others."

Indeed.

Phil Agre, UCSD


Re: Crashed bank teller (Murray, RISKS-16.27)

Ted Lemon <mellon@ncd.com>
Thu, 21 Jul 94 18:03:51 PDT
> [...] Setuid has hurt instead of helped. [...]  While it is
> appropriate for my program to fail by returning ME to the operating
> system, my program should not fail by returning YOU to the operating
> system prompt with privileges that are different from those that you
> have on your own.

Mr. Murray's article on the behaviour of various historical systems is
interesting, but makes a rather bizarre claim about the behaviour of setuid
under Unix.  In fact, a setuid program only has privileges in the process in
which it is running and any child processes that it creates without first
disabling the setuid privilege.

The problems we've seen on the Internet with setuid programs generally are the
result of poor coding which leaves loopholes in the executing setuid program
that a clever cracker can exploit.  I don't see any reason to believe that
OS/400 setuid-like programs are any safer from this sort of exploitation.  The
proper solution to this problem is probably either to program more carefully,
or to set up an environment in which it's harder to make mistakes like this.

      _MelloN_


Re: Crashed bank teller (Murray, RISKS-16.27)

"Patrick O'Callaghan" <poc@usb.ve>
Fri, 22 Jul 1994 08:14:13 -0400
From his description, Mr. Murray appears to think that setuid was introduced
in order to restrict access rights, and has been abused by lazy programmers.
Quite the contrary. The purpose of the `setuid' bit is to allow a program to
run with the permissions afforded to the program's owner, rather than those of
the user. To say that `setuid has hurt rather than helped' is like saying
`electricity has hurt rather than helped'. Setuid is *fundamental* to how Unix
operates and its invention by Dennis Ritchie has been described as the only
genuinely original idea in the Unix design (which is not to say it doesn't
have problems).

  William> ...  However, they do not permit the user to retain
  William> those privileges across the failure of the application.

Neither does Unix. If my setuid program fails, I fall back to whatever
invoked it, usually a Shell. I do *not* retain setuid privileges.

Prof. Patrick O'Callaghan, Departamento de Computacion, Universidad Simon
Bolivar, Caracas, Venezuela   poc@usb.ve    +058 (2) 906-{3241,3242,3254}


The Cult of Information

<WN_PETERS@wmich.edu>
Fri, 29 Jul 1994 11:17:37 -0400 (EDT)
I highly recommend a book entitled The Cult of Information: a Neo-Luddite
Treatise on High-Tech, Artificial intelligence, and the True Art of Thinking,
by Theodore Roszak (second edition, c1994).  Roszak, in this book, is not
attacking the idea of computerization, but he is warning our society against
equating information with knowledge (the idea that if one can access
information one, therefore, has knowledge on that given subject) and against
over-computerization of our society. I found it to be a very readable book and
quite illuminating.

University of California Press, ISBN: 0-520-08584-1


Report Released on Public Key Law and Policy

Michael S Baum <baum@world.std.com>
Sun, 31 Jul 1994 08:51:33 -0400 (EDT)
**NEW INFO. SECURITY BOOK ON PUBLIC KEY LAW & POLICY**

TITLE:   FEDERAL CERTIFICATION AUTHORITY LIABILITY AND POLICY --
 Law and Policy of Certificate-Based Public Key and Digital Signatures

AUTHOR:   MICHAEL S. BAUM, J.D., M.B.A.
      Independent Monitoring

Report No. NIST-GCR-94-654
450+ pages, highly annotated; multiple appendices; indexed.

   U.S. DEPARTMENT OF COMMERCE
   National Institute of Standards and Technology

Produced in support of the Federal Government's public key infrastructure
study, this book identifies diverse technical, legal and policy issues
affecting a certificate-based public key cryptographic infrastructure
utilizing digital signatures supported by "trusted entities." It examines
potential legal implications, surveys existing legal paradigms and the
structures and roles of relevant governmental agencies and presents various
institutional approaches to controlling liability. It considers the
underpinnings of a legal and policy framework which might serve as a
foundation for security policies and their implementation and concludes with
a series of recommendations, both general and specific concerning
certificate-based public key. Both public and private sector issues are
addressed.

This publication is the result of legal, business and security management
research, as well as interviews and analysis predominantly with public- and
private-sector lawyers, policy makers, managers and management information
system and security professionals in the United States and abroad.

SUMMARY OF CONTENTS:
-   PREFACE
-   ACKNOWLEDGMENTS
-   TABLE OF CONTENTS
I.  INTRODUCTION
II. SCOPE
III.    DEFINITIONS
IV. ASSUMPTIONS
V.  SURVEY OF FCA ACTIVITIES CREATING LIABILITY EXPOSURE
VI. LEGAL CONSIDERATIONS
VII.    FCA INFRASTRUCTURE - PROPOSALS AND PARADIGMS
VIII.   SURVEY OF, AND APPROACHES TO, TRUSTED ENTITY LIABILITY
IX. OTHER APPROACHES TO MITIGATE LIABILITY
X.  CONCLUSIONS AND RECOMMENDATIONS
XI. APPENDICES
XII.    GLOSSARY
XIII.   INDEX

OBTAINING COPIES: Copies may be purchased through the National Technical
Information Service, Springfield, Virginia 22161, U.S.A., Phone +1 (703)
487-4650 or 1-800-553-6847.  Request NTIS Document No: PB94-191-202.  Cost:
$61.00

ABOUT THE AUTHOR: Michael S. Baum is Principal of Independent Monitoring, a
consultancy focused on electronic commerce and information security law. He
serves as a Delegate from the International Chamber of Commerce (ICC) to the
United Nations Commission on International Trade Law (UNCITRAL); Chair of the
EDI and Information Technology Division, Section of Science and Technology,
American Bar Association (ABA) and its Information Security Committee; and
Chairman of the ICC Working Party on Legal Aspects of Electronic Commerce.

Michael S. Baum, Independent Monitoring, Cambridge, Massachusetts  baum@im.com

   [RISKS normally does not run advertising for books.  However, this is
   a NIST/NTIS report.  (Yes, NITS, ISN'T, SNIT are also anagrams.)  It is
   also fair game for a review, in case someone wants to submit one.    PGN]

Please report problems with the web pages to the maintainer

Top