The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 4 Issue 83

Tuesday, 12 May 1987

Contents

o Risks of sharing RISKS
Ted Lee
o Information Commission
Jim Anderson
o ``How a Computer Hacker Raided the Customs Service''
Michael Melliar-Smith
o Computer thefts
Jerry Saltzer
o Bomb Detection by Nuclear Radiation
Michael Newbery
o Computer floods summer course registration at U. of Central Florida
Mark Becker
o A password-breaking program
Dean Pentcheff
o Sidelight on the Marconi Deaths
Lindsay F. Marshall
o Software Reliability book by Musa, Iannino and Okumoto
Dave Benson
o "The Whistle Blower"
Jeff Mogul
via Jon Jacky
o Info on RISKS (comp.risks)

Risks of sharing RISKS

<TMPLee@DOCKMASTER.ARPA>
Mon, 11 May 87 10:39 EDT
In the last issue PGN asked if someone had shown previous issues of RISKS to 
a couple of senators drafting legislation.  This treads on the boundary of 
inappropriate, and in itself risky, use of this medium.  It is generally 
understood, I thought, that this kind of forum is private to its readers, 
although the larger the subscriber list the harder it is to maintain that 
fiction.  Although I don't contribute much here, had I known there was a 
likelihood that what I wrote might end up in the Congressional Record I'm 
not sure I would have contributed it -- how do others think, or can our 
moderator state what he thinks the policy is?
                                                       Ted

   [Interesting question.  We agreed way back in Volume 1 or 2 that
   material in RISKS was open for noncommercial redistribution, as long  
   as that did not violate any explicitly stated caveats or copyright
   limitations.  It is important to keep RISKS informal and unencumbered 
   by red tape.  Besides, IDEAS HAVE NO BOUNDARIES (except in closed minds).
   One of the main purposes of RISKS is to disseminate ideas and awareness.

   My question to Herb (who is on leave from MIT, deeply embroiled in the 
   legislative process) was sort of a bemused wonderment as to whether the
   proposed legislation had in any way been influenced by the existence of 
   the RISKS Forum, since some of the goals are quite similar...  PGN]


Information Commission

<JPAnderson@DOCKMASTER.ARPA>
Mon, 11 May 87 17:36 EDT
Peter, I am sorely troubled by the prospect of our Congress providing
'oversight' or whatever it is they do down there to our industry.  Even
in areas where they have a clear mission and even one might expect
some expertise, the attention span of the Congress is measured in
Microseconds between headlines.  You will recall that last year, the
Congress created and then jumped on the bandwagon of war on drugs.  To
my local knowledge, there has been no *action* in that war since.  [I
do recall the House passing a bill calling for some $400 Million to be
spent on that war, but was saved from any notion of accountability by
the Gramm-Rudman act or some such.] I really do worry about the
grandstanding that such a commission would engender, and the
sycophantic interaction between the congresspeople and an uninformed,
shoot-from-the-hip press.  Really a bad idea.
                                                  Cheers, Jim

     [I noted in my comments that there are many pitfalls in the proposed
     legislation.  But, an implication of what you say is very depressing:
     the difficulties of government are so great that meaningful oversight
     is almost impossible anyway.  The fox shouldn't watch the chickens;
     the chickens can't watch the chickens; even the computers can't
     be trusted to watch the chickens.  So what do we do -- throw out 
     the chickens with the egg water?  PGN]


``How a Computer Hacker Raided the Customs Service''

Peter G. Neumann <NEUMANN@CSL.SRI.COM>
Tue 12 May 87 00:10:54-PDT
Last year two radar-equipped planes that had been promised to Customs were
given to the Coast Guard instead as a result of late-night Senate actions 
on the federal budget.  Customs Commissioner William von Raab then promised
Coast Guard Commandant Paul A Yost Jr. that Customs would provide $8M in
reparations to help the CG's airborne drug interdiction problem.  But Senator
Dennis DeConcini (D-AZ) told von Raab not to transfer the money, and to wait
for the appropriations process instead.  The Coast Guard decided to act on its
own.  Somehow acquiring Customs' computer account numbers, they simply caused
$8M to be transferred from the Customs account to the CG account.  To make a
long story short, there were protests from Customs, and just as mysteriously
as the money disappeared, it reappeared (although in two increments).

      [I adapted this from the Washington Post National Weekly, 18 May 87,
      p.34, thanks to Michael Melliar-Smith.  Perhaps the HACKER was really
      a Coast Guard CUTTER (or was he a CONS CAR'd CDR (LISPing to starboard?))
      Just think what could be done in reprogramming government funds!  PGN]


Computer thefts (re: RISKS-4.82)

Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>
Mon, 11 May 87 11:21:38 EDT
At Project Athena for some time we've been trying to convince our
vendors that if they hope to sell personal workstations worth $2K or
more to students they are going to have to include in the physical
design a top-to-bottom hole that penetrates the major box covers and
the mother board, suitable for dropping a bicycle lock through, so
that the machine can be chained to a dorm-room or apartment radiator,
or a desk in an office.  The reaction so far has been uproarious
laughter (and several reports of newly-designed compact workstations
stolen from one of the vendors).
                        Jerry


Bomb Detection by Nuclear Radiation (RISKS-4.79)

Michael Newbery <ubc-vision!calgary!vuwcomp!newbery@seismo.CSS.GOV>
11 May 87 02:22:08 GMT
Some years ago, the Ariadne column in New Scientist proposed a novel and,
as usual (?), unworkable (??) bomb 'detector'. You zap your 'bomb' with
radiation of a flavour selectively absorbed by Mercury (but not otherwise
strong enough to hurt). The Mercury gets a little agitated by this and, if
it happens to be part of Fulminate of Mercury, an explosion occurs.
So, you just march your passengers and their luggage, one at a time, down
a bomb-proof tunnel and if they DON'T go boom, let them on board. Even if
they do have explosives/bullets they can't set them off without a detonator.
Unless they use Lead Azide.
Or carry little bottles of nitro-glycerine, or...

Michael Newbery, Comp Sci, Victoria Univ, Wellington, New Zealand
ACSnet: newbery@vuwcomp.nz  UUCP: {ubc-vision,alberta}!calgary!vuwcomp!newbery

    [All kidding azide, this is another of our classical unsolvable
    problems.  Technology cannot provide 100% guarantees.  It also
    transforms the technology it is trying to protect against.  Heisenberg
    strikes again, with a longer time constant.  PGN]


Computer floods summer course registration at U. of Central Florida

"Mark Becker" <Cent.Mbeck%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU>
Mon 11 May 87 22:59:41-EDT
  "SNAFU ENDS HAPPILY AT UCF AS STUDENTS GET EVERY CLASS THEY WANTED"
  by Laura Ost, The Orlando Sentinel, Saturday, May 9, 1987, Page D-3

[Reproduced with permission]

     Thanks to a computer snafu, a nightmare for University of Central 
Florida students has turned into a dream.

     UCF's new computer system failed to cut off pre-registration for 
summer classes as they filled.  The happy result for students who often 
wait years to take required courses: They got everything they wanted.

     At first, the glitch meant that 56 courses overflowed, and 700 of 
8,000 spring students who pre-registered were in danger of being tossed 
out of classes they planned on.

     But after discovering the problem April 24, officials decided there 
was only one answer: Give them what they want.

     "From the student standpoint, it turned out splendiferous," UCF 
spokesman Dean McFall said Friday.

     The solution was to add more than 40 class sections in education, 
engineering, and arts and sciences, and to extend employment of part-
time and nine-month faculty members who want summer work.

     The worst case was a speech course required for students without 
community college degrees.  More than 300 signed up for three sections 
with a total capacity of 84.  So, eight sections were added.

     The expanded schedule is a big relief for students; some courses 
have had long waiting lists, meaning that students often had to delay 
required freshman courses until their senior year.  Solving the 
registration problems wiped out the backlog.

     "It showed us the full market for those courses," said Charlie 
Micarelli, vice president for undergraduate studies.  "For the first 
time we could see the number of courses needed.  It was kind of 
overwhelming... So there's nothing bad that doesn't bring out some 
good."

     This was UCF's first use of the new computer system and the 
software that operates it.  The software was developed by the Florida 
Board of Regents technical staff, which uses UCF as a testing ground for 
the state university system.

     The malfunctioning software was repaired in time for regular 
registration Wednesday, officials said.  Classes began Thursday.

     Provost Richard Astro said the expanded summer schedule won't cost 
extra because it eliminates the need for some classes next academic 
year.  He said the university usually has enough regular staff members 
to cover summer classes.

     "What you don't want to do is put an ad in the paper and say, 
'Anybody who can teach, come on in'," Astro said.  "Basically what we're 
saying [to regular staff] is 'Hey, do you want to work this summer?'"


A password-breaking program

Dean Pentcheff <dean%violet.Berkeley.EDU@berkeley.edu>
Mon, 11 May 87 21:24:45 PDT
A few days ago on our university UNIX system (4.3BSD), a friend of mine
received the message reprinted below. Very briefly, someone seems to
have cracked the passwords in the "passwd" file and sent a piece of
warning mail to all the users whose password he cracked.  Note that my
friend's password was a dictionary word, while mine (uncracked) was a
proper name beginning with a capital letter.

> To: xxxxxx
> Subject: A matter of security..
> 
> Your password:  zzzzzzz [correctly stated]
> 
> As an experiment, and something of an unofficial public service, I
> have been experimenting with a password breaking program that was
> recently released into the public domain. Since anyone can use this
> program now, I thought I'd run it on violet's password file to see
> which passwords could be broken. Yours was one of them. If you're
> security conscious, or just don't like the idea of your password
> being so easily broken, then I would advise that you change it to
> a word not found in the english dictionary, or use a combination of
> upper and lower case letters. Either of these methods will render
> your password fairly invulnerable to attack..
> 
>                    Yyyyyyyyy Yyyyyyyy

    [I thought using the SALT offset was standard by now!  Ho hum,
    another lesson ignored.  So, we run it ONE MORE TIME here.  PGN]
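An added example, written for this page and not part of Dean Pentcheff's post or of the program he describes, showing the two points raised here in Python: PGN's salt remark (each user's record gets its own random salt, so one pass over a dictionary no longer covers every account in the file) and the mail's dictionary advice applied as an up-front check before a password is accepted. PBKDF2-HMAC-SHA256 stands in for the crypt(3) of the period, the word list is a constructed stand-in for /usr/dict/words, and the check folds case, which is stricter than the mail's advice that mixed case alone suffices.

```python
import hashlib
import hmac
import os

# Constructed stand-in for /usr/dict/words; a real check would load the system list.
DICTIONARY = {"secret", "violet", "password", "berkeley", "dictionary"}

ITERATIONS = 100_000  # PBKDF2 work factor; crypt(3) had a fixed, small cost


def is_dictionary_word(password: str) -> bool:
    """Case-insensitive lookup, so 'Violet' is rejected along with 'violet'.
    The 1987 mail treated mixed case as sufficient; folding case is the
    stricter rule that later checkers (e.g. cracklib) adopted."""
    return password.lower() in DICTIONARY


def make_record(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest) for storage. A fresh 16-byte random salt is
    drawn unless one is supplied (only useful for deterministic tests).
    PBKDF2-HMAC-SHA256 is a modern stand-in for crypt(3)'s salted DES."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def accept_password(password: str) -> tuple[bytes, bytes]:
    """Policy gate: refuse dictionary words up front, then store salted."""
    if is_dictionary_word(password):
        raise ValueError("password is a dictionary word")
    return make_record(password)


if __name__ == "__main__":
    # Two users choosing the same word get different stored records, so a
    # single dictionary pass cannot be matched against both at once.
    s1, d1 = make_record("violet")
    s2, d2 = make_record("violet")
    print("records differ:", d1 != d2, "| verify:", verify("violet", s1, d1))
```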


Sidelight on the Marconi Deaths

"Lindsay F. Marshall" <lindsay%kelpie.newcastle.ac.uk@Cs.Ucl.AC.UK>
Mon, 11 May 87 16:07:33 bst
According to one of my colleagues who has just returned from a visit
to Italy, the Marconi deaths are in all the papers, and many of his
friends were worried about him returning to the UK as his life must be
at risk because he works in Computer Science research...

Software Reliability book by Musa, Iannino and Okumoto

Dave Benson <benson%cs1.wsu.edu@RELAY.CS.NET>
Mon, 11 May 87 11:37:09 PDT

     Software Reliability: Measurement, Prediction, Application,
by J. Musa, A. Iannino and K. Okumoto (McGraw-Hill Book Co., NY, 1987),
is now available.  I cannot contain my enthusiasm for this well-organized,
thoughtful, thought-provoking, well-written, [accolades]* book.  A sample
from 7.4.3 Measuring Ultrahigh Reliability, Case Study 7.1 on Nuclear
Power computer-based monitoring system:
    ...we are 95 percent certain that at least ... 3 more (failures)
    will occur at some time.  The ... failure intensity is 0.895/1000 yr
    (of computer operation) using the logarithmic Poisson model.
Yes, that's less than one software failure per millennium of operation.

The point is that these three AT&T Bell researchers have an excellent
collection of methods for measuring and predicting software reliability,
and have made these techniques easily accessible in this superb book.


"The Whistle Blower"

Jeff Mogul <mogul@shasta.stanford.edu>
11 May 1987 1113-PDT (Monday)
Stanford's on-line library catalog made short work of finding this:

AUTHOR:   Hale, John.
TITLE:    The whistle blower / John Hale.
IMPRINT:  1st American ed.  New York : Atheneum, 1985, c1984. 239 pp.; 23 cm.
LOCATION: PR6058.A438W5 1985: Green Stacks
NOTES:    Item CSUG85-B26608 (Books)   Language: eng   Year: 1985
