The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 4: Issue 88

Thursday, 21 May 1987

Contents

o Re: Phalanx
Phil Ngai
o Open meeting laws
Dave Parnas
o Concerning UN*X (in)security
Mike Carlton
o Ed Joyce, Software Bugs: A Matter of Life and Liability
Eugene Miya
o Risks and system pre-login banners
PGN
o Risks of Running RISKS, Cont'd.
PGN
o Info on RISKS (comp.risks)
---------------------------------------------

Re: Phalanx

Phil Ngai <amdcad!phil@decwrl.DEC.COM>
Thu, 21 May 87 09:53:45 PDT
The Phalanx is just a radar controlled machine gun which fires 3000
(20 mm? nearly one inch in diameter) depleted uranium slugs per minute
at anything which moves. Would you keep it on all the time? No one
(but you) said it wasn't reliable. 

What does appear to be wrong is that there was only one, to cover the
stern of the ship. The bow was not protected by a Phalanx system and
that is where the (two?) Exocet missiles hit. 

Then again, we should realize that frigates such as this one are intended
mostly for anti-submarine/mine work; although it did have surface to air
missiles which could have been used to take out the aircraft which fired the
Exocets, frigates are not really expected to provide their own air defense.
And this one was operating under the assumption that Iraqi aircraft were
friendly, so it did not shoot down the aircraft when it could have.

     [Perhaps the object was to shoot down the missiles?  Was 
     that the Star Wars analogy to which Chuck was referring?  
     Also, there was a report that there might have been TWO
     planes.  (One missile landed undetonated amidship!)  PGN]

---------------------------------------------

Open meeting laws (RISKS 4.87)

Dave Parnas <parnas%QUCIS.BITNET@wiscvm.wisc.edu>
Thu, 21 May 87 07:12:23 EDT
Do open meeting laws prevent public representatives from conversing in a bar
or a park or at a theatre?  Do they prevent telephone calls?  If not, why
should they prevent electronic mail conversations?
                                                            Dave

    [Even my home town of Palo Alto is going through the pains of trying
    to make sense of the legal and common-sense implications...  PGN]

---------------------------------------------

Concerning UN*X (in)security

Mike Carlton <carlton@ji.Berkeley.EDU>
Thu, 21 May 87 13:41:45 PDT
I think that most people would agree that UN*X is not a secure system, nor
is it intended to be.  However, a judicious choice of password can
discourage amateur or half-hearted attacks on your account. Several methods
have been proposed for choosing hard-to-break passwords; my favorite is
simply to use the first letter of each word of some phrase, e.g., 'The rain
in Spain falls mainly in the plain' becomes TriSfmitp.  This has the
advantages that it is not likely to appear in any dictionary, it is very
mnemonic, and, if the password is long enough and rich enough in case, it will
stand up to a sustained exhaustive search.

There is another risk that I haven't seen mentioned: the use of .rhosts
files (at least it's a risk in the BSD world, I've never been in the System
V world).  Around here, quite a few people have .rhosts entries for several
machines, often including at least one Sun.  Couple this with the fact that,
given physical access, anyone can become root on a Sun and you've got
widespread vulnerability without the need for any password attack.

Mike Carlton (carlton@ji.Berkeley.EDU), CS Gradual student
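The following is an added illustration of the phrase-initials method described
above; it is not code from the original post. It derives the password from the
phrase, checks it against a small constructed word list standing in for
/usr/dict/words (a real check would load the system word list), and estimates
the size of the exhaustive search an attacker faces, so the effect of "rich
enough in case" can be seen as a number rather than an adjective. The guess
rate used for the time estimate is an assumption, not a figure from the page.

```python
import math
import string

# Constructed stand-in for a dictionary attacker's word list (assumption).
DICTIONARY = {"the", "rain", "in", "spain", "falls", "mainly", "plain",
              "password", "secret", "welcome"}

# Assumed attacker guess rate (guesses per second); adjust to taste.
GUESSES_PER_SECOND = 1000.0


def phrase_initials(phrase: str) -> str:
    """First letter of each word of the phrase, keeping each word's own case."""
    return "".join(w[0] for w in phrase.split() if w[0].isalpha())


def dictionary_hit(password: str, words: set) -> bool:
    """True if the password, or a trivial variant of it, is in the word list.
    Case-folding and reversal are the first things a dictionary attacker tries."""
    candidates = {password.lower(), password.lower()[::-1]}
    return any(c in words for c in candidates)


def alphabet_size(password: str) -> int:
    """Size of the smallest character set an attacker must enumerate."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the number of strings of this length over this alphabet."""
    return len(password) * math.log2(alphabet_size(password))


def expected_search_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password by exhaustive search: half the keyspace."""
    return (2 ** keyspace_bits(password) / 2) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = phrase_initials("The rain in Spain falls mainly in the plain")
    for candidate in (pw, pw.lower()):
        print(f"{candidate:12s} dictionary={dictionary_hit(candidate, DICTIONARY)!s:5s} "
              f"alphabet={alphabet_size(candidate):3d} "
              f"bits={keyspace_bits(candidate):5.1f} "
              f"years={expected_search_years(candidate):.3g}")
```

Comparing the mixed-case result with its lowercased twin shows what the case
richness buys: nine extra bits, i.e. roughly a 500-fold longer exhaustive search
at the same guess rate, while the phrase itself stays just as easy to remember.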
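The .rhosts risk above is easy to underestimate because each file looks
harmless on its own; the damage comes from chaining them. The following is an
added example, not code from the original post, that parses a handful of
constructed .rhosts files (hostnames and usernames are invented) and walks the
trust graph from a single machine on which an attacker has root, in the way the
post describes for a physically accessible Sun. It assumes classic BSD .rhosts
semantics: one "hostname [username]" entry per line, a missing username meaning
"same name as the local account", and a bare "+" hostname trusting every host.
Denial entries (a leading "-") are skipped rather than modelled.

```python
from collections import defaultdict, deque

# Constructed ~/.rhosts contents, keyed by the (host, user) that owns the file.
# None of these hosts or users exist; they only serve the illustration.
RHOSTS = {
    ("vax", "alice"):  "sun1 alice\nsun2 alice\n",
    ("vax", "bob"):    "# my workstation\nsun1 bob\n",
    ("ji", "carol"):   "vax alice\n",
    ("ji", "dave"):    "+ dave\n",          # any host at all, as long as it says "dave"
    ("sun2", "erin"):  "ji carol\n",
    ("sun2", "frank"): "-sun1\nvax\n",      # "vax" alone means vax's user frank
}


def parse_rhosts(text):
    """Return the (host, user) entries of one .rhosts file; user None means
    'same username as the local account'. Comments and denial entries are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def build_trust(rhosts):
    """Map each remote (host, user) to the local accounts that accept it without a
    password; wildcard maps a username to accounts accepting it from any host."""
    trusted_by = defaultdict(set)
    wildcard = defaultdict(set)
    for (lhost, luser), text in rhosts.items():
        for rhost, ruser in parse_rhosts(text):
            ruser = ruser or luser
            if rhost == "+":
                wildcard[ruser].add((lhost, luser))
            else:
                trusted_by[(rhost, ruser)].add((lhost, luser))
    return trusted_by, wildcard


def reachable_from_root(compromised_host, rhosts):
    """Accounts an attacker who is root on compromised_host can log into with no
    password, including those reached by hopping through already-owned accounts."""
    trusted_by, wildcard = build_trust(rhosts)
    owned, queue = set(), deque()

    def own(acct):
        if acct not in owned:
            owned.add(acct)
            queue.append(acct)

    # root can originate a connection as any local username, so every entry that
    # names the compromised host is usable, and so is every "+" entry.
    for (rhost, _), locals_ in trusted_by.items():
        if rhost == compromised_host:
            for acct in locals_:
                own(acct)
    for locals_ in wildcard.values():
        for acct in locals_:
            own(acct)

    # from each owned (non-root) account, follow whatever trusts it in turn
    while queue:
        acct = queue.popleft()
        for nxt in trusted_by.get(acct, ()):
            own(nxt)
        for nxt in wildcard.get(acct[1], ()):
            own(nxt)
    return owned


if __name__ == "__main__":
    for start in ("sun1", "ji"):
        print(f"root on {start} reaches:", sorted(reachable_from_root(start, RHOSTS)))
```

Run against the constructed files, root on sun1 reaches five accounts on three
other machines, two of them (carol and erin) through hosts that never trusted
sun1 directly; no account password is guessed at any point. Auditing this on a
real network means collecting every .rhosts and hosts.equiv and asking the same
question for each machine that cannot be physically secured.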

---------------------------------------------

Ed Joyce, Software Bugs: A Matter of Life and Liability

Eugene Miya <eugene@ames-pioneer.arpa>
Thu, 21 May 87 13:47:06 pdt
Ed Joyce, Software Bugs: A Matter of Life and Liability, Datamation 33(10),
15 May 1987, pp. 88-92 [Keywords: Malfunction 54, Therac 25, dosimetry,
radiation therapy].
                                  --eugene miya

---------------------------------------------

Risks and system pre-login banners

Peter G. Neumann <Neumann@CSL.SRI.COM>
Thu 21 May 87 20:19:10-PDT
RISKS recently ran an item about the lawsuit that was thrown out because a
user had been greeted with "Welcome to the system".  The following banner is
given by a net-accessible system (which might as well remain nameless),
and provides a nice example of the other end of the spectrum.

  WARNING ** WARNING ** WARNING ** WARNING ** WARNING ** WARNING 

  UNAUTHORIZED ACCESS TO THIS UNITED STATES GOVERNMENT COMPUTER
  SYSTEM AND OR SOFTWARE IS PROHIBITED BY PUBLIC LAW 98-473.
  PUNISHMENT FOR OFFENSE CAN BE UP TO $100,000 FINE OR UP TO 20
  YEARS IN PRISON OR BOTH.  REPORT UNAUTHORIZED USE OR ACCESS TO
  THE SYSTEM SECURITY OFFICER.

  WARNING ** WARNING ** WARNING ** WARNING ** WARNING ** WARNING 

---------------------------------------------

Waiting mail (msg.a000284) [Risks of Running RISKS, Cont'd.]

ALMSA-1 Memo Service 750 (MMDF 4/84) <mmdf@ALMSA-1.ARPA>
Thu, 21 May 87 12:31:45 CDT
            [As I have noted previously, in a list as large as RISKS there is
            an awesome volume of mailer barf messages.  I do try to be patient,
            but sometimes it becomes overbearing.  The implied threat here -- 
            to keep retrying and send me notifications -- is horrendous!  PGN]
                                                                           |
    After 14 days (326 hours), your message has not yet been               |
fully delivered.  Attempts to deliver the message will continue            |
for 178956963 more days.  No further action is required by you.            V
   [********* = = = = = = = = = = = = = = = = = = = = = = = = = = = = =  !!!!!]

    Delivery attempts are still pending for the following address(es):

    wmartin@almsa-2 (host: almsa-2) (queue: almsab)

    Problems usually are due to service interruptions at the receiving
machine.  Less often, they are caused by the communication system.

