Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Taken from the San Jose Mercury News, Oct. 12, 1988, Page 8A:
Computers able to make light work of cracking code (Los Angeles Times)
Some secret codes intended to restrict access to military secrets and Swiss
bank accounts may not be as safe as had been presumed, a team of computer
experts demonstrated Tuesday.
The team succeeded in doing what security experts thought could not be done:
using ordinary computers to break down a 100-digit number into the components
that produce it when multiplied together.
That process, called factoring, holds the key to many security codes.
Before Tuesday, experts had believed that if the number was large enough -
up to 100 digits - its factoring would take about 10 months with a Cray super-
computer, one of the most powerful computers in the world.
But computer experts across the United States, Europe and Australia solved
the problem more quickly by using 400 processors simultaneously. They linked
their computers electronically and factored a 100-digit number in just 26 days.
The number has two factors, one 41 digits long and the other 60 digits long.
And that, according to Arjen Lenstra, professor of computer science at the
University of Chicago, should be quite sobering to experts who believe they
are secure with codes based on numbers that large. Lenstra headed the project,
along with Mark S. Manasse of the Digital Equipment Corp.'s Systems Research
Center in Palo Alto.
[ quotes from experts ]
Rodney M. Goodman, associate professor of electrical engineering and an
expert on cryptography at the California Institute of Technology in Pasadena,
described the achievement as "significant," because it means that some systems
may not be as secure as had been thought. But he said it did not mean that
security experts around the world would have to rebuild their systems.
"All the cryptographers will do is increase the length of the number by a
few more digits," he said, "because the problem gets exponentially worse as
you increase the size of the number." A larger number is more cumbersome, and
cryptographers had tried to kep the number as small as possible.
[ explanation of the idea behind using large numbers with
prime factors in cryptography ]
Last year, Lenstra decided to tackle the problem on "a small scale, just to
see if he could do it," according to Larry Arbeiter, spokesman for the Univ-
ersity of Chicago. "It was a pure science type of effort."
Several months ago, Lenstra presented his idea to Manasse, a computer re-
search scientist with Digital. Manasse became so intrigued with the problem
that his company agreed to fund much of the cost, including the use of more
than 300 computer processors at the Palo Alto company during off-duty hours.
The company manufactures DEC computers.
"I was interested in the general problem of taking a program and breaking it
up into small pieces" so that many could work simultaneously toward the sol-
ution, Manasse said.
Other computer enthusiasts from the "factoring community" clamored aboard
and this fall more than 400 computers around the globe were ready to give it a
try.
The computers ranged in size from microcomputers to a Cray supercomputer,
but even personal computers with large memories could have been used, Lenstra
said. Each of the participating computers was given a different part of the
problem to solve, and success came early Tuesday morning.
Amsterdam, The Netherlands The new Amsterdam Stopera (combined town hall - music theater) has to undergo $1 million of upgrading, although it is only a few years old. One of the things to be done is redoing the computers controlling the doors, as several people have had the experience of being locked up. Piet van Oostrum, Dept of Computer Science, University of Utrecht Padualaan 14, P.O. Box 80.089, 3508 TB Utrecht, The Netherlands Telephone: +31-30-531806 UUCP: ...!mcvax!ruuinf!piet
The following mail was forwarded to me a few minutes ago. This refers to
the MCI fiber used to carry the NSFnet backbone. No wonder some of my mail
has disappeared recently! [From: field inadvertently deleted?]
=> Date: Wed, 12 Oct 88 12:47:00 EDT
=> To: watchdogs@um.cc.umich.edu, ie@merit.edu
=> Subject: A bit of trivia
=>
=> The fiber that goes from Houston to Pittsburgh was broken due
=> to a gun blast....that is right, a gun blast.
=> Somewhere in the swamps of the Bayou (between Alabama and New Orleans)
=> the fiber cables are suspended above the swamps and a good ol'
=> boy was apparently target practicing on the cable.
=>
=> Traffic has been rerouted and when the investigation has taken place
=> and the cable fixed we will be put back on the original circuit.
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf
Recent reports in RISKS of nefarious deeds committed by hackers who entered a system via voice mail prompted me to inquire about the voice mail security of my university's system. A year ago the U bought its own fancy switch for on-campus communications. Some of the goodies include voice mail and ANI. I tried the voice mail once but since I much prefer e-mail I long ago forgot my voice mail password (yep, only 4 digits if the hackers want to start guessing). I called the telecommunications office to determine where I needed to go in person and with how many photo ID's to get my voice mail password. Even though I hadn't identified myself, the clerk said, "Oh that won't be necessary, Mr. McClelland, I'll just change your password back to the default password and you can then change it to whatever you want." I said, "But how do you know that I'm McClelland?" He replies, "Because it shows on the digital display on my phone both the phone number and name of the caller." [Most phones are in private offices so a unique name can be attached to each number.] I tried to explain that all he really knew was that I was someone calling from the phone in McClelland's office and that I could be the janitor, a grad student, or almost anyone. But security wasn't his problem so he wasn't very concerned. I was afraid to ask how many folks never bother to change their default password. As I was about to hang up, he said, "By the way, if you check your voice mail from your own extension you don't even need to enter your password." I said , "Thanks, that's reassuring" but I don't think he caught the sarcasm. Gary McClelland
I remembered that many fans of RISKS are also Richard Feynman fans. I ran into Stacey's briefly today and just happened to see this: %A Richard P. Feynman %T "What Do YOU Care What Other People Think?" %I W. W. Norton %C New York %D 1988 %$ 18 Relevance to RISKs readers comes in two forms (his essay on the Value of Science at the end and the appendix to the Challenger report which makes up over 50% of the book). Note that the text is longer and not verbaum to the articles in Engineering and Science or Physics Today. --eugene miya, NASA Ames
I have an old disreputable '82 Volvo which gave me an object lesson in sensor circuit design recently. Beginning several months back the car began to exhibit a mind of its own about engine speed. The local ace Volvo dealer couldn't find anything wrong after $400 worth of effort, and since the car's independence of mind seemed to be limited to brief and infrequent periods, I let the matter slide. Poor idea. I took the car to the wilds of northern Wisconsin, far from the nearest Volvo fixit shop, where the old car turned on me. Previously my problems with engine speed had been limited to surges in speed at idle, up to no more than 2500 RPM. There had been no signs of bad behavior when the car was in gear. Once up in the great frozen north however, the car decided it was going to idle at fifty MPH, as in 2700 RPM in fourth gear up a hill. Kept doing it too. Made it hard to drive thru the camp ground, observe nature, stay alive. I studied the owner's manual. It has an elementary schematic of the fuel system, and one particular element which caught my eye was the constant idle control, a servo motor that appeared to affect manifold vacuum. Got inputs from several sensors and the engine microprocessor. When I disconnected the control, idle dropped to nominal, and the car was drivable. In the end the Volvo dealer found the problem, which was that a spade connector had come adrift from one of the engine sensors. The idle control interpreted lack of signal from the sensor as low engine speed, so it exerted its maximum effort to raise the idle speed to acceptable levels. It strikes me as poor design that an open circuit mimics the operative signal in a sensor system. Automotive engine compartments are well knows as hell on earth for electronics, and loose connections and broken wires are to be expected. Lack of signal should cause the automated system to go off line, not off its head.
The following is regrettably anecdotal and I wish I had more
firsthand info on it; anyway, here goes:
For one of his tours, Stevie Wonder contracted with Northwest Sound
to build a set of PA speakers of extraordinary capability — response
nearly flat out to 45 kHz, etc. A few weeks into the tour, though,
the performances seemed to be souring. Everybody — artists, crew,
even the audience — seemed irritable and impatient. Indeed, the
performances started out well enough, but an hour or so into the
show the audience became testy and actually were moved to boo during
pauses, for no apparent reason.
Finally, during one show, one of the sound guys was examining
the audio spectrum analyzer screen, and mistakenly pushed the 20 kHz -
200 kHz range button instead of the 2 kHz - 20 kHz button. Imagine
his alarm at the sight of a potent 28 kHz component, the product of
all the synthesizers' DAC update clocks. It was lying just outside
the (ordinarily) high hearing limit of 20 kHz, so it was never noticed
by the sound crew and their instrumentation. Cause discovered, the
noxious 28 kHz spike was eliminated with an equalizer, and everybody
went home happy but chastened.
The person who related this story to me suspects that the event
is not widely known, being of large embarrassment and trivial cause.
Is he right? Has anyone else heard about this?
I am reminded of the not-computer-related experience of the Columbia professor who noticed that his body went limp in a record store whose speakers were blaring a particular rock tune. He took the record back to his lab and analyzed it — discovering some sort of a alpha- or beta-wave resonant frequency with the human brain of his students, for that particular rhythm -- an AN-A-PEST with the accent on the last syllable — DA-DA-DUM. It was many years ago, but still worth relating for the younger folks who like to listen to hard-beat music... Beware of the anapest.
The following appeared in the 1987 annual report of Project Censored,
a U.S. group operating out of Sonoma State University. They compile an annual
list of what they consider to be the 25 most un- or under-reported stories of
the year. This is #22 on the latest hit parade. The collection is widely
available on local RCPM's; the one I pulled down was labelled CENSOR.ARC.
[Hugh Miller, University of Toronto, (416)536-4441]
OMB COMPILING NATION-WIDE BLACKLIST OF GRANT VIOLATORS
The Office of Management and Budget is compiling a master
computer list of those debarred or suspended from participating in
government agency grant programs. Gary Bass, executive director of
OMB Watch, a public interest group that monitors the budget office,
said the goal of reducing waste, fraud and abuse is laudable but
warned that the program "can become a hit list for individuals and
organizations that the administration does not agree with."
The controversial program will cover a wide range of
transactions, including grants, cooperative agreements, scholarships,
fellowships, loans and subsidies. It would apply to both recipients
of federal funds and those "doing business" with them. The system is
expected to be fully operational by May, 1988.
Under the new law (Reagan's Executive Order 12549), 20
agencies which disburse $100 billion in grants will forward their
debarred lists to the OMB. The master list will be computerized and
placed on a nation-wide automated telephone system. Regulations
published in the Federal Register (5/29/87) say that the master list
will contain names and "other information" about currently debarred
or suspended grant recipients, as well as about those whose debarment
is pending.
Under the directive, federal, state and local agencies,
private organizations and individuals handling federal funds must
check the list before providing anyone a federally-aided service,
grant, loan or other assistance such as day care. Any person or
organization that fails to check the list may also be placed on it.
In addition, employees of federally-funded agencies and
organizations, as well as anyone "doing business" with them or
wishing to do business with them must submit annual certifications
that neither they nor anyone "associated with" them are on the list,
or being considered for it.
Grounds for placement on the list include 1) violating any
term of a "public agreement," regardless of whether federal funds
were involved; 2) failure to repay a government-backed or assisted
loan, such as a home mortgage, student or crop loan; 3) "failure to
perform" or poor performance on a grant or other "public agreement;"
4) lack of "business integrity or honesty" or conviction of
"business" crimes; 5) debarment or suspension by a public agency at
any level of government, federal, state, or local.
One can also make the blacklist if one: is a public school
teacher and goes on strike despite a no-strike clause in one's
contract; performs poorly on any grant from a public agency,
regardless of whether federal funds were involved; does business with
anyone known to be on OMB's new list.
Various agencies already keep records of those who violate
rules of grants, using the lists to prevent such recipients from
getting additional grants from the agency involved. But, under
current law those same recipients may obtain grants from other
federal agencies.
Rep. Jack Brooks (D-TX), chair of the House Government
Operations Committee warned that the OMB's implementing guidelines
"endorse guilt by association, reverse the presumption that a person
is innocent until proven guilty, and define the operative offenses so
vaguely as to potentially encompass many entirely legitimate
activities."
SOURCES: THE NEW YORK TIMES, 12/23/87, "U.S. Plans to Make
Master List ...", by Martin Tolchin; OMB WATCH 1987 ANNUAL REPORT;
FOUNDATION NEWS, July/August 1987, page 8.
In RISKS-FORUM 7.55, Mike Trout makes several statements regarding the past and present state of the conflict simulation industry. While I do not wish to digress too far from the purpose of this list, I feel that the picture he presents is somewhat inaccurate. The main issue confronting game designers doing work for the military is one of integrity, as Mike pointed out. The problem is not some nebulous fear of the Pentagon "poisoning" the industry as a whole, but rather that they would interfere _with the particular game under consideration_. The designers want to be free to model a situation as they see it. The military, however, gets upset when someone gives them a simulation that says their high tech weapons have an expected lifetime of 3 minutes in actual combat. As a result, most designers will not consider working for the govt. unless they are assured of complete freedom in doing their designs. As for Pentagon influence "subverting" the game industry, I have yet to see any indication that anything more than a small fraction of game designers and publishers revenues come from military contracts. Many games have been produced dealing with hypothetical modern conflicts, but I believe this is a reflection of the interests of gamers , not the result of some sinister military infiltration. I definitely feel there is no justification for saying these games were developed to find "better ways to slaughter people". Only a handful of games on the market were originally developed as simulations for the military. Mike's statement about having fun is somewhat puzzling. These designs are _GAMES_. Most people play them for the enjoyment of intellectual competition. They also play them to more fully understand history (and future possibilities). The two are not incompatible goals. Scott Wilde ...bunny!hor-res!wilde
Please report problems with the web pages to the maintainer