The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 5 Issue 45

Monday, 19 October 1987

Contents

o Stocks into Bondage? Storm prediction? Computer relevance?
PGN
o UNIX Passwords
Dave Curry
o Let the Punishment Fit the Crime...
Mike McLaughlin
o Re: Computers and civil disobedience
James Peterson
Clif Flynt
Fulk
Brent Chapman
o Unemployment Insurance Cheaters
William Smith
o Computer Services as Property
Doug Landauer
o Successor to Sun Spots
K. Richard Magill
o Info on RISKS (comp.risks)

Stocks into Bondage? Storm prediction? Computer relevance?

Peter G. Neumann <Neumann@KL.SRI.Com>
Mon 19 Oct 87 17:47:09-PDT
With the Dow losing 508 points today (down 22.6% from 2247) and 744 points
since the beginning of last week, please be on the lookout for any careful
analyses of the extent to which computers were involved in setting off and
extenuating the crash -- e.g., computer-programmed selling, rapid
responsiveness of the computer systems (despite the delays in the tickers),
trying to optimize locally, etc.  (No speculations, please.)  Certainly, margin
calls and the human tendency toward fear and panic in that kind of a crisis
contributed to an extremely unstable feedback loop.  But let's see if we can
identify precisely what roles the computers played, for better or for worse.

Also, I hope one of our European readers will follow up on any further
reports that computer systems have been partially blamed for the failure of
weather predicters to warn about the once-in-a century hurricane-force storm
that blew through England and Western Europe on 16 October 1987.  Apparently
predicters still did not have a clue even after the winds (which reached up
to 110 mph!) had begun.  But the home secretary said it would be unfair to
blame the forecasters -- the wind shifted suddenly and sped up unexpectedly.


UNIX Passwords

Dave Curry <davy@intrepid.ecn.purdue.edu>
Fri, 16 Oct 87 08:22:19 EST
The truncation of UNIX passwords to 8 characters is not a bug, it's a
feature.  If you have source, examine the code to libc/gen/crypt.c.

Your password is *not* actually encrypted on UNIX.  Rather, it is used
as the *key* to encrypt a standard block of text (a block of zeros,
although this is irrelevant) using a modified version of the DES
algorithm.  The result of this encryption is what is usually called
your "encrypted password".

The keys for DES are 56 bits long.  8 characters, at 7 bits per
character, makes 56 bits.  There's no point in using characters after
that, since you can't put them into the key.

It seems to me this isn't that serious; if I choose a password you're going
to guess easily, chances are the length isn't going to matter -- guesses
made on names, birthdates, etc. are not based on length, but based on other
criteria.  Using a list of about 2000 proper names I have, only 9% of those
names are longer than 8 characters.  Birthdates (mmddyyyy) are eight
characters long.  Phone numbers are 7 digits, unless you add area codes
(although if you use *your* area code, the cracker now has 3 characters of
your password...).

The only thing truncation makes easier is exhaustive search generating
passwords like "aaaa", "aaab", "aaac", etc.  Even with only 8 characters,
that would take a *long* time...  (although you could do it on a Cray, I
guess).  SSNs are 9 characters long, but the number of 9-digit permutations
of 10 digits is still small enough to make exhaustive search reasonably
trivial.
                                     --Dave

  [There were many contributions on this topic.  This was the most cogent. PGN]


Let the Punishment Fit the Crime...

Mike McLaughlin <mikemcl@nrl-csr.arpa>
Sat, 17 Oct 87 12:49:00 edt
Recent issues of Risks have mentioned juvenile hackers who perpetrated com-
puter crimes.  One youth's computer was destroyed, by court order.  A reader
felt that was inappropriate.  I disagree.  It should have a significant 
deterrent effect.  

In the Shenandoah Valley of Virginia there is a judge who orders that con-
victed poachers' guns be destroyed, and that the poachers watch.  When I met
the judge (socially!) I suggested that they be sold as confiscated goods 
rather than being destroyed.  He replied that the poachers were emotionally 
involved with their possessions, and that destruction was far more effective
than mere confiscation.  

After 14 years of hiking and hunting in his jurisdiction, meeting people who
lived in that area, I have to agree with him... and with the judge who 
ordered the computer destroyed.    Perhaps both judges are Gilbert and 
Sullivan fans.  
                     - Mike McLaughlin

                        ["A more humane Mikado ...: 
                          My object all sublime... 
                          To let the punishment fit the crime ..."

                        But G&S had something for the computer buff:
                          "We only suffer to ride on a buffer ..."  PGN]


Re: Computers and civil disobedience

James Peterson <peterson@MCC.COM>
Fri, 16 Oct 87 09:02:44 CDT
Prentiss Riddle raises the possibility of using computers for civil
disobedience or protest.  I remember reading a few months ago about a person
who was really upset at one of the fundamentalist religous organizations
(Falwell's) and programmed his PC to use its auto-dialer to call their
toll-free number, wait 30 seconds, hang up and call again.  The article in
the paper was because he had been arrested and his equipment confiscated,
although it was not clear to me what law he had violated.          jim 


Civil Disobedience

Clif Flynt <ucbcad!ames.UUCP!ihnp4!chinet!clif@ucbvax.Berkeley.EDU>
15 Oct 87 15:39:32 CDT (Thu)
   [... Mention of the Falwell case...]

  As an aside, and not a risk, to my mind, You might be amused to know that
one of the Michigan State Representatives (Perry Bullard) operates a
conference on a large computer bulletin board in his district.  Along with
answering questions from the BBs'ers, he posts the text of various bills he
is introducing, and accepts the comments of the readers.  On a couple of
occasions, I think he modified the bill after reading the reactions of the
folks.
  At this point, he is selecting for a small segment of  the voters he 
represents, but as more and more households acquire modems, this might
make our system more of a democracy than it's been since all the voters
in a town could attend one meeting.  
  Of course, as reading the Net shows, you also get a lot more noise...

Clif Flynt

   [And that is not a risk -- it is a certainty.  We have noted before in
   RISKS the dangers of overly instant reaction to events.  But there are also
   denial of service issues, flooding with bogus computer-generated messages 
   all appearing to come from different constituents, flooding with legitimate 
   computer-generated mass mailings sent by special-interest groups, etc.  PGN]


Civil Disobedience

<fulk@cs.rochester.edu>
Fri, 16 Oct 87 10:47:01 EDT
I think the notion of civil disobedience needs some clarification:

While the term "civil disobedience" is full of ambiguities, I believe the
most common use is to describe _public acts of protest_.  Thus the lunch
counter sit-ins, the Concord Naval Base protest, the Women's Peace Encampment
protests at Romulus, the Berrigan's blood-drenched draft files, draft card
burnings, etc.  Such acts are carried out after much consideration of the
consequences, and are planned to have an impact on public opinion.  This
is not to say that these acts always take place in a glare of publicity;
often it is hoped that a long series of such acts will draw attention and
perhaps convince some of the public of the conviction of the protestors.

Computer break-ins and BBS/800 number flooding are normally private actions.
If they were performed publicly, they would have little effect of the sort
the protestor would like: a hacker pounding away at his computer doesn't
make for high drama.


Civil Disobedience

Brent Chapman <chapman%mica.Berkeley.EDU@violet.berkeley.edu>
Fri, 16 Oct 87 00:32:35 PDT
In RISKS-5.44, Scott Dorsey (kludge@pyr.gatech.edu) writes:
>   I seem to recall a mention that the Berkeley computer center was
>occupied by protesters sometime in the sixties, who claimed that the
>computers were being used for war work.  A sit-in was staged, as well 
>as the damage of some equipment and a large number of tapes.  I don't
>know precisely if any significant damage was done.

I've been here for a little over three years, and I've always found it
curious that, in general, the users here have little or no idea where the
machine rooms are.  They're not really hidden, but their locations aren't
really advertised, either.  I don't know if that's a reaction to what Scott
mentioned, or not.  To my knowledge, there aren't any "showcase" machine
rooms; you know, the "glass cages" we all love to hate...

The EECS building at Berkeley (Cory Hall) has a fancy card-key system to
control access to critical areas (machine rooms, labs, and such), and to the
building itself after hours, apparently installed after a grad student was
injured when he opened a package found lying in a terminal room that turned
out to be a bomb.  Getting around the system is fairly easy; you just stick
your head into the terminal rooms _outside_ the controlled zone and shanghai
someone you know who has a card for a few seconds.

The building in which most of the CS division and the Computer Center are
located (Evans Hall, along with the Math Dept., Stat Dept., and several
others) is also supposedly locked up after hours.  It doesn't have a
card-key system like Cory; they just lock things up.  In theory, you can get
to the terminal and printer rooms in the basement, but not to the rest of
the building.  In practice, once you get to the basement, you can get to the
rest of the building.

At Stanford, on the other hand, in order to get to the comp center staff
offices, you have to go _through_ the machine room -- the door is wide open.

I don't know how much of this is "justified", and how much of it is just 
bureaucratic paranoia.  How "secure" are other academic and commercial
comp centers?  Is Berkeley the only campus to try the "security through 
obscurity" approach, rather than showcasing their toys?  Have there been
any cases of terrorist or political attacks on comp centers?  We're
all used to considering the electronic access considerations of computer
security (networks, dialups, etc.) here; how about the physical 
considerations?  How many of you have no idea where the machines you
use are physically located?  How many of you don't even know exactly
what type of machine you use (for example, is your VAX a 750, a 780, or
a 785?)?  Is the unawareness of the details of the underlying hardware
becoming more or less prevalent, and is that good or bad?

This should give us all some food for thought...

Brent Chapman               Senior Programmer/Analyst
koala!brent@lll-tis.arpa        Capital Market Technology, Inc.
lll-tis!koala!brent         1995 University Ave., Suite 390
Phone: 415/540-6400         Berkeley, CA  94704

     [I remember in the early 70s that the MIT computer center facilities  
     had restricted access to the machine room via a spiral staircase to the
     next higher floor -- except that the emergency exit was unalarmed 
     and sometimes left ajar.  PGN]


Unemployment Insurance Cheaters

William Smith <wsmith@m.cs.uiuc.edu>
Sun, 18 Oct 87 21:29:00 CDT
I heard on a TV news report of a computer matching between employees
of one company in Indianapolis, Indiana and a list of unemployment
check recipients.  A number of overlaps were found last week [Oct 17]
who will be prosecuted.  

<I couldn't find any references in the newspapers I had available this
weekend in Fort Wayne.  Does any one have more definite information?
-- Bill Smith>


Computer Services as Property (Re: RISKS-5.41)

Doug Landauer <landauer@Sun.COM>
Tue, 6 Oct 87 13:07:18 PDT
> From: "Arthur_Axelrod.WBST128"@Xerox.COM
> I think we all agree with the fundamental premise, i.e. that information
> is a form of property and is entitled to the same protection as any
> other form of property.

Absolutely *NOT*!!!  I know of no one who thinks (e.g.) that their
house, their car, their wallet and their Unix files (or their IBM-PC
software) are entitled to *the same* protection.

The significant difference between information and "real" property is
that if you steal real property, your victim is denied access to that
property; whereas if you "steal" information, your victim still has hir
copy of it, and may not even notice the "theft".  That is why the word
"steal" is no longer appropriate in this context.

What *I* think many of us agree on (except R.M.Stallman, of course) is
that information is a form of property and is entitled to *some*
protection.  What our linguistic, ethical and legal systems have not
yet come to cope with is just what sort of protection information is
entitled to, and what sort is feasible.

    Doug Landauer               Sun Microsystems, Inc.
    ARPA Internet:  landauer@sun.com    Software Products Division
    UUCP:  {amdahl, decwrl, hplabs, seismo, ...}!sun!landauer


Successor to Sun Spots

K. Richard Magill <umix!oxtrap!rich@uunet.UU.NET>
Fri, 16 Oct 87 13:10:15 edt
My new explanation why computers sometimes do random unexplicable
things.  (replacing my previous, "sun spots").

[about the first sentient system] ... and she amused herself by
planning, and sometimes carrying out, malicious computer failures and
data losses in order to watch the humans flail about helplessly like
ants around a crumpled hill.

        -- Orson Scott Card from "Speaker for the Dead"

Please report problems with the web pages to the maintainer

Top