The RISKS Digest
Volume 5 Issue 40

Monday, 28th September 1987

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Yet another "hackers break MILNET" story
Jon Jacky
Military role for software sabotage cited ...
Jon Jacky
$80,000 bank computing error reported in 'Ann Landers'
Jon Jacky
Add Vice to the Loveworn
Scot Wilcoxon
Concorde tires burst: RISKS without the automatic system
Henry Spencer
Risks of hot computers
Mark Brader
Re: Risks in the Misuse of Databases?
Ross Patterson
[SDI] Simulation
Jerry Freedman, Jr
Re: An Aporkriffle Tail
William R. Somsky
Info on RISKS (comp.risks)

Yet another "hackers break MILNET" story, some interesting twists

Jon Jacky <jon@june.cs.washington.edu>
Mon, 28 Sep 87 10:53:17 PDT
The following story appeared in the paper almost two months ago. Since it
hasn't been reported in RISKS before, I thought I would pass it along.  It
is interesting mainly because of comments by DDN spokesmen and consultants.
While taking pains to assure reporters that classified data is not kept on
the network, they also made the point that information on MILNET might be
useful "in aggregate" - foreign intelligence agencies could piece together
information from diverse sources to infer some classified information.  This
same argument has been used to justify restrictions on presentations of
non-classified material judged "sensitive."  I find it interesting that this
doctrine is invoked in this case; it mitigates against the usual attempt of
the breakin victims to assure the press that the breakin was really no big
deal.  I think usually it is the press that exaggerates the importance of
these incidents, but clearly the blame must be shared here.  Incidentally,
it appears that the breakins were accomplished by taking advantage of
well-known holes in typical Unix security practices that have been explained
at length in RISKS, in articles in CACM and lots of other places, probably
including THE WEEKLY READER by now.

Here are some excerpts from the August 3, 1987, story in THE SEATTLE TIMES,
p. A5.  It is attributed to NEWSDAY:

  'HACKERS MAY HAVE CRACKED PENTAGON COMPUTER SYSTEM'

  NEW YORK - Young computer users under investigation in connection with
  recent seizures of equipment and records in Brooklyn and elsewhere have
  penetrated ... a network of computers used by military researchers and bases
  - MILNET - that the Pentagon said in 1983 it overhauled to prevent casual
  breakins and data vandalism.

  A Pentagon computer specialist, Lt. Col. Taylor Landrum of the architecture
  and planning group of the Defense Department's Defense Data Network ...
  said the methods the youths described were plausible ... 

  He and other security experts emphasized that the Pentagon does not keep
  classified data on the network.  But he agreed that some data on the network
  was sensitive and could be useful "in aggregate" - by piecing together the
  work product of many people - to foreign intelligence agencies. ...

  A 15-year-old West Coast youth who calls himself "Solid State" (said) "They
  (the Secret Service) told me I was a national security problem.  They said I
  could have committed treason and stuff."  The Secret Service will not
  comment on the case.

  (End of excerpts.  There was a lot more largely accurate information on
  the difficulties of network security.  - Jon Jacky )


Military role for software sabotage cited in big CHICAGO TRIBUNE story

Jon Jacky <jon@june.cs.washington.edu>
Mon, 28 Sep 87 11:16:21 PDT
The following story got a full page, with artwork, inside the front section
of the Sunday, Sept. 20 1987 SEATTLE TIMES:

  A NEW BATTLEFIELD: SOFTWARE WARFARE - RISING FORM OF COMPUTER SABOTAGE MAY
  BE NEXT GREAT MILITARY EQUALIZER

  by Scott A. Boorman and Paul R. Levitt - Chicago Tribune

  If members of the John Walker spy ring could betray their positions of trust
  to the Soviets for nearly 20 years, what could US adversaries do to sabotage -
  quietly, from the inside - the complex computer programs on which US weapons
  vitally depend? ...

  Software warfare - attacking the software that controls or operates such
  weapons - may be the cheapest, simplest, and most effective way to cripple
  US defenses.  Such sabotage is coming of age as a new type of systematic
  warfare, which can be waged far removed from space and time from any
  battlefield to influence not only combat outcomes but also peacetime
  balances of power ...

  Given a host of recent US spy scandals, it is easy to envision a computer
  programmer offering, if the price is right, to add or modify critical lines
  of software to benefit a hostile country...

  Given its scale and mission ... it is SDI that merits special scrutiny in
  light of software concerns. ... The effort to develop and coordinate all the
  necessary SDI software seems destined to involve several thousand software
  professionals working alone, working over many years. ... The extreme
  complexity of SDI software also suggests that significant bugs may be nearly 
  impossible to trace - even after some future software saboteur is caught...

  Software warfare's relative cheapness ... may make it the next great military
  equalizer. ... (It) certainly lies well within the grasp of any number of
  aggressive lesser military powers with the means to buy insiders to plant
  crippling bugs ...

  It is vital to bring software warfare into focus in broad arenas of US
  national security planning.

  (End of excerpts)

The story cited an article by the late Rear Adm. Henry Eccles in the June 1986 
Naval War College Review.  It did not cite other sources who have mentioned
this idea, including David Parnas and the French authors of a thriller
titled SOFTWAR that appeared in translation in the USA a few years ago.

The article also claims "American teenagers using home computers have
developed the capability to alter orbits of commercial satellites, as
demonstrated by a recent incident in New Jersey."  Surely this must be an
exaggeration?
                                        - Jon Jacky


$80,000 bank computing error reported in 'Ann Landers'

Jon Jacky <jon@june.cs.washington.edu>
Mon, 28 Sep 87 10:24:34 PDT
The following appeared in the "Dear Ann Landers" advice column in the Seattle
Post Intelligencer, Saturday Sept. 26 1987, under the headline, "HERE'S
PROOF THAT COMPUTERS CAN GOOF UP."  It is interesting for several reasons:
the correspondent's apparent prior unfamiliarity with computer bug stories, 
and the antics of the service people.  I pass it along without permission
from the newspaper or from Ann Landers:

  Dear Ann Landers:

  I've read one too many articles that proclaim "computers don't make
  mistakes."

  Five of us would like to challenge that statement.  We made an audit of one
  month's business and found that accounts were out of balance by more than
  $80,000.  Everything was on the computer.  We worked far into the night and
  finally discovered that 21 bank deposits were on the printout but the total
  was dropping one.

  A programmer was called in.  He worked seven days and called another from the
  home office.  They worked another two weeks.

  They had the original entries re-entered 50 times.  More than 150 reprintouts
  were made, but the same error kept occurring.  They admitted it was not a 
  human error.   

  The machine was crated and sent back to the factory.  A replacement arrived
  within days.  We were asked not to discuss this matter with anyone.

  - It Happened in Texas

  (End of excerpt from 'Ann Landers'   - Jon Jacky)


Add Vice to the Loveworn

Scot Wilcoxon <umn-cs!sewilco@datapg.MN.ORG>
26 Sep 87 15:50:15 CDT (Sat)
Three men in Rochester, Minnesota, have been arrested after they telephoned
the police for a prostitute.  After a family complained that men were calling
their new phone number and asking for women, Northwestern Bell agreed to
give the number to the Rochester Law Enforcement Center.  If a call comes in
and a vice team is available, a female officer wired for sound is sent out.

Lt. Barry Fritz, supervisor of the vice unit in Richfield, MN, says they have
not used abandoned outcall service numbers because of the difficulty of
finding such numbers and possible data privacy violations.

The above information is from a well-balanced article by Bill McAuliffe in the
9/25 Minneapolis Star Tribune, pg 14B.

Scot E. Wilcoxon, Data Progress   sewilco@DataPg.MN.ORG   +1 612-825-2607


Concorde tires burst: RISKS without the automatic system

Henry Spencer <mnetor!utzoo!henry@uunet.UU.NET>
Mon, 28 Sep 87 18:17:33 EDT
Flight International for Aug. 29 reports that a British Airways Concorde
burst five tires on landing at JFK on Aug. 11.  Nobody was hurt and no
emergency evacuation was necessary, but two engines were later replaced
as a precaution because they had ingested debris.  (If the Concorde was
being designed over again, in hindsight one definitely would not put the
landing gear directly in front of the engine intakes!)  The interesting
part is the reason for the tirebursts:  the main hydraulic system was
down due to a "minor fault", leaving the brakes on the standby hydraulic
system... which has no antiskid control.  The disturbing aspect here is
that the crew evidently had come to rely completely on the antiskid
braking system.  Unless, perhaps, the pilots were unaware that they were
back to "dumb" brakes — seems unlikely — it's disturbing that they made
such a drastic error in braking procedure.  These were not second-rate
pilots, by the way; my understanding is that the Concorde is the most
sought-after assignment in BA, and it is likely to have BA's best crews.

                Henry Spencer @ U of Toronto Zoology
                {allegra,ihnp4,decvax,pyramid}!utzoo!henry


Risks of hot computers [sic!]

Mark Brader <msb@sq.com>
Sun, 27 Sep 87 05:40:49 EDT
I wouldn't ever pay for a copy of the Toronto Sun, but if I find one
abandoned on the subway, I flip through it.  In this morning's Sun, I found
this rendering of a UPI article:

  U.S. Computers Snatched

  Stockholm (UPI) — Swedish police issued a national alert for two stolen
  U.S. microcomputers classified as strategic materials, fearing a thief would
  sell them to Soviet-bloc countries.  The two Micro-Wax 2 computers were
  stolen Saturday from Uppsala University.

Mark Brader   utzoo!sq!msb  
                                  [If only Icarus had had one of them!  PGN]


Re: Risks in the Misuse of Databases? [RISKS-5.38]

Ross Patterson <A024012%RUTVM1.BITNET@wiscvm.wisc.edu>
Mon, 28 Sep 1987 13:41:11 EDT
  >From: Brint Cooper <abc@BRL.ARPA>
  >Correct me if I'm wrong but isn't this info used merely for the enforcement
  >authorities to decide where to search for unlicensed TV receivers?  They
  >won't arrest you solely because you're not in the database, will they?

    I can't speak about the UK, but here in New Jersey, any evidence
obtained through such a database cross-match would probably be ruled
inadmissible in court.  The N.J. Supreme Court has held on several
occasions that a search warrant (as would be needed to actually enter a
house to find a TV set) cannot be issued on the basis of such "fishing
expeditions".  Rather, the Court expects the person requesting the warrant
to show "probable cause" that a crime has been committed, thus justifying
the search.  The legal requirements to demonstrate probable cause do not
allow generalizations, such as "No persons without a TV License may own a TV
set, therefore all persons not owning TV Licenses should be searched." The
preferred form is to limit the request to those suspected of committing a
crime, as in "No persons without a TV License may own a TV set, therefore
all persons whose homes openly sport a TV antenna and who do not own a TV
License should be searched."  This, of course, means that the database
cross-match provides the police with no additional homes to be searched,
since they still must identify the homes in question by some criminal criteria.

  >What's the alternative?  When we uncover risks or abuses in the use of
  >computer systems, we are obliged to compare these with the risks or abuses
  >in accomplishing the same job without computer systems.  The only effect of
  >the automated databases is to help find unlicenced TV sets more quickly than
  >by searching manually.  In either case, some number of such sets will be
  >found.  Only the numbers differ.

    More important is the ability to derive a new datum from the conjoining
of existing data.  Specifically, the cross-matching of a list of all
addresses in Berlin with a list of all Christians in Berlin would yield a
list which would contain all Jews in Berlin.  This is a far more efficient
method of locating groups of people than Hitler had at his disposal, and as
you say, provides quicker results than by searching manually.  Only the
numbers differ.

    Before the flamers start complaining about the use of loaded terms, my
point is that ethics and social responsibility, while largely ignored in
computing to date, are rapidly becoming critical to our continued survival
as a planet and a race.

Ross Patterson, Rutgers University


[SDI] Simulation (RISKS-5.39)

Freedman <jfjr@mitre-bedford.ARPA>
Mon, 28 Sep 87 13:57:38 EDT
   I was/am quite offended by the use of my letter out of context to
advertise the uncertainty of star wars.  I said nothing about SDI itself nor
about my beliefs.  All I was talking about were detailed problems in a
distributed simulation.  That letter was part of a larger discussion.  Taking
what I said out of context, and making assumptions about my perceptions,
judgements and opinions on the real thing and then indicating surprise and
indignance over the result is intellectually dishonest and unfair.  I think
the issues raised by SDI are important enough not to need this sort of
puerile potboiling.
                                           Jerry Freedman, Jr


Re: An Aporkriffle Tail [On the detection of bogus mail site names]

William R. Somsky <wrs%pupthy2@princeton.edu>
29 Sep 87 01:38:54 GMT
Of course the site "IPFRCVM" must be fictitious!
There might be an "Iowa HOG Farm Research Center"
but never an "Iowa PIG Farm Research Center"! :-)

            "Billy Bob" Somsky - A transplanted Iowan

William R. Somsky                          Physics Dept ; Princeton Univ
wrs@pupthy.Princeton.EDU                 PO Box 708 ; Princeton NJ 08544
