The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 45

Friday the 13 Sep 1996

Contents

o Cracker Attack Paralyzes PANIX
Edupage
o Re: PANIX SYN denial-of-service attack
Simona Nass
o 100,000 DM offer to hack GSM phones
Klaus Brunnstein
o Linguistic RISKS
Aahz
o Civilian GPS navigation errors
Jim Easton
o Ariane 5 report in Aviation Week
Alan Frisbie
o Re: Accidental shootdown of F15 plane revisited
Dick Mills
o Re: Discussing aircraft accidents
Clive D.W. Feather
Mark Jackson
o Re: Windows 95 passwords
Jack Rochester
o Re: Passwords in files
James W. Birdsall
o Re: Fax machines that tell too much
Robert Sargent
Keiji Kanazawa
o Re: Unsolicited Unsolitude
Mark Eckenwiler
o Simple solution to AOL's legal woes
Andrew Marc Greene
o Sometimes junk e-mail is already a fax, legally speaking
Dan Franklin
o Re: Removal from Lexis' Ptrax database
Jim Walters
o Info on RISKS (comp.risks)

Cracker Attack Paralyzes PANIX (Edupage, 12 Sep 1996)

Edupage Editors <educom@elanor.oit.unc.edu>
Thu, 12 Sep 1996 17:18:14 -0400 (EDT)
Repeated attacks by a computer cracker have virtually shut down New York's
Public Access Networks Corp., better known as Panix.  The attacks have
overwhelmed the computers' capacity to respond to requests for an
``electronic handshake'' by sending as many as 150 bogus requests a second.
``This is the first major attack of a kind that I believe to be the final
Internet security problem,'' says a Lucent Technologies Internet security
expert, who says he "has been waiting" for just such an event.  Internet
computers have no quick way of distinguishing these bogus requests from real
ones, and even when security software is upgraded to ease the problem, the
crackers could respond with even more intense assaults.  ``There's going to
be the usual arms race,'' predicts the Lucent security expert, between
improved security measures and crackers' ability to disable them.  (*Wall
Street Journal*, 12 Sep 1996, B1)

  [RISKS received various messages on this item, including from
     Fernando Pereira <pereira@research.att.com>.  PGN]


Re: PANIX SYN denial-of-service attack

"Simona Nass" <sn@PANIX.COM>
Fri, 13 Sep 1996 11:10:37 -0400 (EDT)
*The Washington Post* [also] did an excellent story about it on 12 Sep 1996.
AP and others also picked it up.  There's a statement on PANIX's web page,
http://www.panix.com.  We don't have the resources to answer a lot of
technical questions right now because we've got our hands full, but if
anyone who is familiar with the attack has ideas for possible defenses, we
can be reached at staff@panix.com. -S.

Simona Nass  staff@panix.com  PANIX Public Access Internet

  [At its heart, this is an unsolvable problem in general.  There are
  some useful things you can do against very specific types of attacks,
  but there are too many types of attacks for a comprehensive defense.
  The best you can do in the near future might be to have some
  early-detection capabilities to detect emerging attacks and then
  reconfigure dynamically accordingly.  In the long run, it might be
  desirable to have more secure systems overall, which would require
  (among other things) nontrivial authentication (i.e., NOT fixed passwords)
  for any resource that might be abused.  However, without draconian
  measures, denials of service will always be possible, whether they
  occur accidentally or intentionally.  De RISKibus non disputandum est?
  PGN]


100,000 DM offer to hack GSM phones

Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.d400.de>
Fri, 13 Sep 1996 11:37:55 +0200
MobilCom, a subsidiary of German TeleKom (since 100 years monopolist onn
telephone communication in Germany, with its monopoly ending in 1998)
publicly offers 100,000 DM to a telephone hacker who is able to communicate
at the expense of the (national) number 0171-3289966. The related chipcard
is said to be safely stored in lawyer`s office. In an attempt to paint this
dubious offer somewhat "politically correct", the successful hacker will
have to donate his earnings to a social institution of his(her) choice.

Background of this offer is a recent magazine report informing the public
that German hackers know relevant details of the encryption algorithm (A5)
implemented in GSM mobile phones; this algorithm was always quoted to be
"secure" by GSM producers and service providers. According to the magazine`s
informant (a 22 year old male), he had informed German Telekom (provider of
D1 mobile phone services) with details in May 1995. TV reports next week may
"demonstrate" of how such knowledge may be used.

The story is "old vine in new bottles". Since GSM was specified in a joint
European (essentially UK/French/German) exercise, material (though
restricted to producers of GSM hardware and service personnel) were
"available" in early 1990s, including the PSL code on which the encryption
hardware is based. GSM methods implement an authentication process with
which the caller`s chipcard-based key is compared with the database of
applicable keys; after successful authentication, a session key is generated
which is used by the encryption algorithm (A5) to "unbreakably" encrypt the
communication. (Btw: for export to non-European countries, a weaker
algorithm A5x is available; this approach is similar to NSAs policy of
exporting US crypto methods :-)

"Security" of A5 and, more interestingly, A3/A8 (the algorithms for
authentication and generation of session key) are "secure because they are
not publicly known" (well-known principle of "Security by Obscurity"). This
assumption was wrong as independent experts got copies of GSM algorithms
(written in PSL) and could determine the effective length. Among others,
Ross Anderson reported (on Internet) in 1994 about insecurity of A5 (he even
published a C version of this algorithm which could have been used in
determining weaknesses). In 1993, an expert group in a UK university had
easily cracked about 75% of the 114-bit key protecting communication.

GSM technology is used in 3 different German mobile phone services (D1, D2
and E-Plus) with more than 4,5 mio users. On the background of the media
reports, users should look at details (when telephone with which number how
long) more regularly, as falsification of individual chip cards may now
become a new hacker sport, with the generous offer of Mobil Com.

Klaus Brunnstein (September Friday 13,1996)


Linguistic RISKS

Mean Green Dancing Machine <aahz@netcom.com>
Fri, 13 Sep 1996 06:16:36 -0700 (PDT)
I've recently been reading Donald Norman's latest book, _Things That
Make Us Smart_ (ISBN 0-201-62695-0 pbk).  Instead of reviewing it,
though, I'm going to illustrate how it has changed my thinking by
criticizing a portion of an article I read last night in my partner's
Wesleyan alumni magazine (Vol. LXXIX No. 1, Summer 1996).

"Which Way?" (author unclear) talks about the work of Scott Plous
(Associate Professor of Psychology) and specifically his book _The
Psychology of Judgement and Decision-Making_ (McGraw-Hill, 1993).
Here's a quote from the article:

  Plous indicates how easily decision-making can go awry with an example
  drawn from a thirty-nine question survey at the beginning of his book:
  "Linda is 31 years old, single, outspoken, and very bright.  She
  majored in philosophy.  As a student, she was deeply concerned with
  issues of discrimination and social justice, and also participated in
  antinuclear demonstrations."

  "Which is more likely," he asks, "That Linda is a back teller, or that
  Linda is a bank teller and is active in the feminist movement?"  Most
  people guess that Linda is more likely to be a bank teller *and* a
  feminist; that choice seems to be intuitively correct.  Yet adding
  detail to a scenario does not increase its likelihood.  The more
  general statement -- that Linda is a bank teller -- poses the fewest
  restrictions and is the probable.  Plous's point: Mathematical
  probability, not intuition, should guide this choice.  To do otherwise
  is to use a flawed decision-making process that increases the
  likelihood of error.

Before reading Norman's _Things That Make Us Smart_ (TTMUS), I would
have simply nodded at the quote and continued reading.  This time,
though, my immediate (almost experiential ;-) reaction was, "This is
wrong!"

TTMUS contains a large section on the fallacy of confusing formal logic
with "logic of language".  The six pages starting at 227 point this out
particularly clearly.  In the quote above, much is made of Linda's
activism; when choosing an answer, "bank teller" is almost certainly
dismissed by most people as being irrelevant to the story -- this would
be made much clearer by asking whether Linda is more likely to be a bank
teller or a computer programmer.

Which bring us back to RISKS: in user interface design, we must be
careful which information we present to the user and how we present it,
because the user will *not* interpret the information according to the
rules of formal logic.  I strongly recommend that everyone here pick up
a copy of TTMUS; with any luck, it will change the way you think, too.

Aahz (@netcom.com)


Civilian GPS navigation errors

Jim Easton <jeaston@johannsen.com>
Thu, 12 Sep 1996 22:54:59 -0700
[Background:] I am a pilot who flys a small airplane equipped with a GPS
satellite navigation system approved by the Federal Aviation Administration
for use in clouds (IFR). I have been experiencing in flight warnings that
the system has been (flagged) unusable somewhere around 1% of the time it is
used. Lest you think this is trivial, you can consider driving a car whose
windshield went opaque 1% of the time you were driving.

So far I have been told the following:

1) Some early GPS's were shipped with a defective Digital Signal Processing
chip. This was corrected in later units.

2) Several different models have substantially similar computational
algorithms.

3) When sufficient satellites are received, some units discard barometric
altitude information for purposes of position calculations. A satellite
declaring itself "healthy" is NEVER discarded automatically in these units.
Erroneous computed GPS altitude is a good warning indication of a bad
position fix. Usually barometric altitude is more accurate than the altitude
civilian GPS units compute from satellites (because of SA/AS).

4) US DOD mandates testing GPS units in its inventory against jamming. This
testing has resulted in interference to civilian units to a radius of some
100 miles.

5) Commercial GPS satellite simulators are widely available.

6) Were one to hook up a GPS satellite simulator to an amplifier and
antenna, one could disable many civilian GPS's at will. IFR certified units
would give RAIM warnings, but would not give usable navigation information.
(RAIM is a consistency check of computed positions found generally only in
IFR certified GPS units)

7) All GPS units lacking automatic satellite elimination capability are
likely to be similarly vulnerable. Presently, automatic satellite
elimination is mostly on GPS intended for sole means of navigation
overwater.

8) VFR (not certified by the FAA for use in clouds) only GPS units are not
required to indicate that their computed positions are erroneous.

9) Because GPS is extremely accurate almost all the time, many pilots have
fallen into the habit of trusting GPS positions without cross checking
against other means of navigation, or even against the computed errors
displayable by the GPS unit itself.

I would greatly appreciate knowing of any errors in this information and/or
additional information relevant to civilian GPS navigation use.

I think one can assume that a pilot getting a wrong position at night in the
mountains, or no position in clouds in the mountains could have a problem.

Jim Easton  4364 Bonita Rd., No. 166  Bonita, CA, 91902-1421
Tel: (619) 548-0138  FAX: (619) 470-8616


Ariane 5 report in Aviation Week

"Alan Frisbie" <frisbie@Flying-Disk.Com>
Fri, 13 Sep 96 09:05:47 PDT
The 9 Sep 1996 issue of *Aviation Week* contains the first section of the
inquiry board's report on the Ariane 5 failure.  The title is "Ariane 5
Report Details Software Design Errors", and is on pages 79-81.

I particularly liked the board's comment in the final paragraph: "The board
is in favor of the opposite view, that software should be assumed to be
faulty until applying the currently accepted best practice methods can
demonstrate that it is correct."

Alan E. Frisbie, Flying Disk Systems, Inc., 4759 Round Top Drive
Los Angeles, CA 90065     1-213-256-2575   Frisbie@Flying-Disk.Com


Re: Accidental shootdown of F15 plane revisited

Dick Mills <dmills@albany.net>
Thu, 12 Sep 1996 22:51:20 -0400
Mr. Dorsett, in RISKS-18.43, and Mr. Ladkin, in RISKS-18.44, disagree with
my call for discretion in public speculation about airline disasters, in
RISKS 18.42.

Both argue that open and lively dissuasion of the issues can have real
value.  True, but neither man offers substantial reasons why such
discussions aren't equally valuable if conducted more discretely. I also
think their arguments also show single-mindedness in that airline safety and
finding the correct conclusion are the only factors to consider.

Publicity about airline accidents makes people fear flying. Some fraction of
those people will choose to drive to their destination, using a much more
dangerous mode of transportation.  Public discussions could increase airline
safety but result in a net decline in total public safety. I can't prove
that the net change is positive or negative, nor do I believe anyone else
can prove it. Nevertheless, neglecting the secondary consequences of public
debates is shallow.

I may also have overstated my call for discretion in my original message.  I
have no wish to stifle serious discussion among technically oriented
interested parties.  I merely object to it being done in such a public
forum.  Surely we can arrange more closed forums or e-mail list servers.
Total secrecy and security aren't necessary, but a little more discretion
is.  If the NTSB is indiscreet, it too should be censured.  It should not be
interpreted as a signal that it is OK for us to be indiscreet too.

The Internet, Usenet in particular, is one of the most public forums ever
invented.  This is a particularly inappropriate place for sensitive
subjects.

American daytime TV has been filled with talk programs that show people
discussing the most sensitive and sensational subjects imaginable. The
public seems to enjoy the voyeurism.  I expect that nearly all of us detest
this development.  Is it surprising to realize that we may be unwittingly
engaging in analogous activities?

Finally, I must take strong exception to one part of what Mr. Dorsett
wrote:

   - The author of _Unheeded Warning_ notes his concerns (as a pilot)
   of the safety of the ATR-72 in icing conditions long prior to the
   eventual October 1994 crash.  His book notes explicit steps taken to
   keep the issue alive in the media and thereby bringing political
   pressure to bear on the NTSB and FAA to maintain appropriate
   perspective in both the investigation and regulation of the
   aircraft.  This pressure arguably resulted in FAA mandates to adjust
   the design of the anti-ice system on the airplane.  Similar pressure
   was absent after a similar crash in 1988 in the Italian Alps.

If the facts were as Mr. Dorsett states, I think this is deplorable.  Just
think what it means to "keep the issue alive in the media and thereby
bringing political pressure to bear".  This subjects questions of
engineering safety to the same kind of handling as the O.J. Simpson trial.
It stirs up fear among the general public to give the issue emotional
strength and appeal. The word that describes precisely that set of
circumstances is demagoguery.  Demagoguery is never praiseworthy.

(My apologies to non-native English speakers.  I understand that demagoguery
is one of the least translatable words in the entire English language, but
in this case, it is the only word that fits.)

Mr. Dorsett expands on that theme when he says "It's a political world, not
a technical one."  I say no, never.  Mixing demagoguery and science is
irresponsible.  It must never be tolerated.

Dick Mills  http://www.albany.net/~dmills


Re: Discussing aircraft accidents (Mills, RISKS-18.41)

"Clive D.W. Feather" <clive@demon.net>
Fri, 13 Sep 1996 14:42:10 +0100 (BST)
> No doubt there are other risks that also deserve sensitive treatment, but to
> me airplane disasters stand out most clearly.

Funny, but I read that item, and it struck me that it applied almost exactly
to railway accidents.

Clive D.W. Feather Associate Director, Demon Internet Ltd. <clive@demon.net>
Director CityScape Internet Services Ltd. <cdwf@cityscape.co.uk> +441813711138

  [Well, when I read that item, it struck me that it applies rather
  broadly to almost everything that RISKS has tried to do for the past
  11+ years.  Your humble and obedient *Designated Holist*, PGN]


Re: Discussing aircraft accidents (Mills, RISKS-18.41)

Mark Jackson <mjackson@wc.eso.mc.xerox.com>
Fri, 13 Sep 1996 05:14:48 PDT
As it happens, the *Columbia Journalism Review* web site is currently
carrying a 1990 feature on the difficulties of reporting on aircraft
accidents before all the facts are in.  See

  http://www.cjr.org/boot_reprint/boot.html

Mark Jackson - http://www.alumni.caltech.edu/~mjackson


Re: Windows 95 passwords (RISKS 18.41)

Jack Rochester <jrochester@endor.com>
Sat, 07 Sep 1996 09:45:36 -0500
Bear Giles points out that Win95's handling of passwords is annoying. What's
more, it points out the poor system design because there is no correlation
between system, screen saver, or on-line login passwords. As has been
pointed out by many, Win95 is an unsecure operating system.

I learned this in a most amusing way recently, when I was setting up my new
Hitachi notebook computer. The first task was to install Windows 95 and
select a password. After rebooting, I decided to see just how secure it was
and typed the password incorrectly several times. Each was rejected, but
then I clicked on "Cancel" in the dialog box and -- lo and behold! I was
granted access.


Jack B. Rochester, Joshua Tree Communications, Cherry Hill Farm, Cherry Hill
Road, Grafton, New Hampshire 03240  jrochester@endor.com  1-603 523 8350
                                 [*Which Is Of Endor?*  PGN]


Re: Passwords in files

"James W. Birdsall" <jwbirdsa@picarefy.picarefy.com>
Thu, 12 Sep 1996 14:32:23 -0700
   RISKS-18.42 and 18.43 discussed the possibility of passwords being found
in core files. While it is certainly a risk, there are mitigating
factors: 1) a program has to crash at a time when it still has a password
in memory, 2) an attacker must have access to the resulting core file, and
3) the attacker must inspect or copy the core file before the user (or
possibly the system) gets rid of it.

   A much worse risk, and one which is unbelievably still with us, is the
storage of cleartext passwords in "password-protected" files. There is no
need for a program to take an unusual action (crash) at a particular time,
nor is there usually any time limit, since the resulting file is usually
desired by the user and kept around for some time, if not permanently.

   This risk was brought to mind recently when I had a need to break into a
password-protected file that is part of a product made by the company I
work for. The file is used to install certain macros in another company's
product and the macros are password-protected to prevent accidental changes
by end users. We (the development team) knew what the password was supposed
to be, but it wasn't working. On an off-chance, I opened the file in a text
editor and started scrolling through the mostly binary contents. Toward the
end of the file, I found a string which matched the supposed password but
differed in case, which both turned out to be the password and explained
the problem. Bad enough that the password was stored in cleartext, but it
caught my eye because it was preceded by the cleartext string "Password:"!

   For us, this lack of security doesn't matter, since the password
protection is intended only to discourage accidents and our support group
will give the password to any user who needs it. Others may not be so
lucky, and of course who knows what other currently-shipping products may
suffer from the same risk?

--James


Re: Fax machines that tell too much (Bell, RISKS-18.44)

Robert Sargent <RSargent@Cisco.COM>
Fri, 13 Sep 1996 10:40:24 -0400
This is a known bug in the older (3.4 ??) versions of Delrina's WinFAX.

Robert Sargent   423-671-0273  Pager: 800-365-4578   cisco Systems, Inc.


Re: Fax machines that tell too much (Bell, RISKS-18.44)

"Keiji Kanazawa" <keijik@microsoft.com>
Thu, 12 Sep 1996 16:12:27 -0700
Not only does the receiver see the credit card number, a lot of fax machines
store those credit numbers as part of the record of what numbers were dialed
when.


Unsolicited Unsolitude (Re: RISKS-18.44)

Mark Eckenwiler <eck@panix.com>
13 Sep 1996 11:32:38 -0400
>From: Edward N Kittlitz <kittlitz@world.std.com>
>According to my rusty memory and 2 minutes of Altavista searching, ...

This is correct.  See 47 USC 227(d) (requiring footprint) and 227(b)
(barring unsolicited commercial faxes).   [>...]

The federal appeals court in California, the Ninth Circuit, upheld the
fax-ban provision of the TCPA in _Destination Ventures_ (1995) on
precisely this cost-shifting rationale.  For an article of mine
discussing TCPA (and concluding that while it does not now apply to
junk e-mail, it could constitutionally be expanded to do so), see

  http://techweb.cmp.com/net/issues/036issue/036law.htm

>From: David Allen <dallen@nr.infi.net>
>... I think the court erred in its comparison in a critical
>way when it cited First Amendment protection for spam.

I think it's crucial to point out that the court *did not* base the TRO on
free speech law, contrary to the suggestion of some RISKS readers.  Even
Cyberpromo's lawyer has stated that their argument was based on theories
like tortious interference with contract, and not on any supposed First
Amendment right.

I agree that the TRO was improperly issued, but I think too much has been
read into it.  It's simply the judge's way of preserving the status quo so
he doesn't have to think hard about the issues until trial.  (It's crucial
in this respect to remember that the TRO was issued in the context of an
ongoing lawsuit between the parties.)

Mark Eckenwiler eck@panix.com


Simple solution to AOL's legal woes

"Andrew Marc Greene" <amgreene@mit.edu>
Thu, 12 Sep 1996 15:55:06 -0400
Perhaps AOL should offer its users a special "spam-free" service.
Certainly, if users request that AOL filter their incoming e-mail, then the
purveyors of [ugly]-mail spams would have no leg[alism] to stand on.

- Andrew Greene


Sometimes junk e-mail is already a fax, legally speaking

Dan Franklin <dan@copernicus.bbn.com>
Thu, 12 Sep 1996 19:46:42 -0400
I've been using the following legal information, which I picked up from
another mailing list (Keith Bostic's /dev/null list), in my responses to
junk e-mail these days.  So far I haven't yet received junk e-mail on my
home computer while it had a printer attached, but one of these days...

Under US Code Title 47, Sec.227(b)(1)(C):

        "It shall be unlawful for any person within the United States to
         use any telephone facsimile machine, computer, or other device
         to send an unsolicited advertisement to a telephone facsimile
         machine"

A "telephone facsimile machine" is defined in Sec.227(a)(2)(B) as:

        "equipment which has the capacity to transcribe text or images
         (or both) from an electronic signal received over a regular
         telephone line onto paper."

Under this definition, an e-mail account, modem, computer and printer
together constitute a fax machine.

The rights of action are as follows.  Under Sec.227(b)(3)(B):

        "A person or entity may, if otherwise permitted by the laws or
         rules of court of a State, bring in an appropriate court of
         that State --

          (A) an action based on a violation of this subsection or the
              regulations prescribed under this subsection to enjoin
              such violation,
          (B) an action to recover for actual monetary loss from such a
              violation, or to receive $500 in damages for each such
              violation, whichever is greater, or
          (C) both such actions. If the court finds that the defendant
              willfully or knowingly violated this subsection or the
              regulations prescribed under this subsection, the court
              may, in its discretion, increase the amount of the award
              to an amount equal to not more than 3 times the amount
              available under subparagraph (B) of this paragraph."

For the full legal text USC Title 47, Section 227, see:
http://www.law.cornell.edu/uscode/47/227.html

Dan Franklin  dfranklin@bbn.com


Re: Removal from Lexis' Ptrax database (Re: RISKS-18.43 and 18.44)

Jim Walters <jwalters@spock.resd.honeywell.com>
Fri, 13 Sep 96 08:12:32 CDT
I was motivated (as I'm sure others were) by the RISKS-18.43 blurb about
Lexis-Nexis and their "legal community" serving database (the tiny quote is
from their pleasant-sounding recording of the day).  I first called in to
their 800 line on the afternoon of 12 Aug, 96.  I sat and listened to their
recording for about half an hour while I was working on something else.  I
had to get up, so I decided to take the nice recording-lady up on her offer
of leaving a message.  When I tried, the voice mail system declared that the
voice mailbox was full and no further messages were being taken.  The nice
recording-lady promptly hung up on me.  I tried again this morning (13 Aug
1996), and the recordings have all changed and are now instructing those
concerned with removal of names from the database to make all requests "in
writing".  They give instructions to mail to their address (given in
RISKS-18.43) or to fax them the request at (513) 865-1930 (different from
RISKS-18.43).  Just wanted to let people know that the procedure appears to
have changed, due no doubt to the overwhelming responses they have most
likely received.

Jim Walters  jwalters@spock.resd.honeywell.com

  ["Kevin Johnsrude" <kevinj@roguewave.com> reported that
      he gave up after being on hold for half an hour, finally
      voicemailing (as requested) only his full name and address --
      before the voicemailboxoverflowedwithtoomanyrequests.
   Peter.J.Scott@jpl.nasa.gov also noted the change to fax/snailmail.  PGN]

Please report problems with the web pages to the maintainer

Top