Subject: RISKS DIGEST 16.26 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Wednesday 20 July 1994 Volume 16 : Issue 26 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for information on RISKS (comp.risks) ***** Contents: IRS (Phil Agre) Crashed bank teller (Kees Goossens) HERF Vindication II (Winn Schwartau) The digital individual (Phil Agre) Victim on the infobahn (Bill Donahue) Benefits Agency Smart Payment Card (Shaggy) Risks of confusing "headlines" with "in depth news" (Bob Estell) Re: Aircraft Avionic Vulnerabilities (A. Padgett Peterson) Re: Inmates con jail computer (Amos Shapir) "Firewalls and Internet Security" by Cheswick/Bellovin (review by Rob Slade) "The Fool's Run" by Camp (review by Rob Slade) InfoWar II--First Call for Participation (Mich Kabay) Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. ---------------------------------------------------------------------- Date: Wed, 20 Jul 1994 15:36:55 -0700 From: Phil Agre Subject: IRS The 19 August 1994 New York Times carries a long article about hundreds of IRS (Internal Revenue Service, the American tax collection people) employees being disciplined for peeking at tax returns that they shouldn't have been. The IRS's investigations concluded that the employees' suspicious behavior ranged from out-and-out fraud to simple curiosity. The discovered the need for guidelines about which degrees of wrongdoing merited which punishments. The full reference is: Robert D. Hershey, Jr., IRS staff is cited in snoopings, New York Times, 19 July 1994, pages C1, C12. It's one of those stories that can be invoked as evidence for either of two contradictory positions: that employees' illicit use of personal files is a serious problem, or that it's not a real problem since the wrongdoers are getting caught. It's clear that private businesses have the same problems with illicit peeking at personal information. We might ask whether public or private organizations have a greater incentive to prevent this kind of thing. Since information can be copied readily, it's not like pilfering in a warehouse, where the organization loses capital in a straightforward sense and thus has a straightforward interest in preventing it. An exception would be information that is leaked to customers who would otherwise purchase the information from the organization, as opposed to being leaked to people whose status or purposes would not otherwise permit them to buy the information through the front door. Instead, the organization's interest is generally more indirect, having primarily to do with its reputation and the reputations of its leaders. In a society without privacy activists or a free press serving a public that is aware that its privacy is threatened, I think organizations would have little incentive to do anything about leaks of personal information. In the society we have right now, I would suggest that the IRS has a greater incentive to prevent leaks of personal information than does a credit bureau or other private information holder, since it is politically much more practical for the legislature to make the IRS bureaucrats miserable than to make the officers of private firms miserable. Others may disagree, but the important thing is to understand the mechanisms which create, or *could* create, organizational interests in genuinely protecting private information. Fear of legislation is a good one, but others exist as well. Phil Agre, UCSD ------------------------------ Date: Tue, 19 Jul 94 10:55:35 +0100 From: Kees Goossens Subject: Crashed bank teller [I presume you call a cash till that does not give cash a TELLER? KGG] [Well, we might as well for the purposes of this message. It is certainly not an ASKER! PGN] Today, in my local branch of Banca di Roma, in central Rome, Italy I encountered a bank teller which had crashed. These machines allow you to obtain bank statements but do not dispense cash. The display I encountered contained a number of error messages (file not found, could not create file, etc) followed by the prompt (A>). Feeling somewhat guilty, I typed DIR, which worked and listed a number of executables and some documents. I looked at one called "fine", meaning "end" in Italian, which contained instructions for the shutdown of the system. At this point I alerted the lady at the counter: "Are you aware that your system has crashed and that I can modify whatever I want in the system?". The latter to emphasise the gravity of the situation; I'm not sure how much I could have done in practice. This did indeed produce some alarm, and I was told that there was a systems person who'd take of the situation. I did not see this person arrive during my subsequent wait in the queue (which this teller is supposed to diminish btw). As for the cause of the crash, the computer terminals at the counters were dead at roughly the same time, perhaps due to a common cause. Kees Goossens http://www.dcs.ed.ac.uk/staff/kgg Dip. di Scienze dell'Informazione, Universita di Roma "La Sapienza", Italy [A considerable risks would exist if there is a way to crash the system intentionally in order to reach that prompt... Knowing what we know about risks, we might suspect that to be the case. PGN] ------------------------------ Date: Mon, 18 Jul 94 11:58:19 -0500 From: "Winn Schwartau" Subject: HERF Vindication II As RISKS readers know, I have ruffled more than a few feathers here in the US and with foreign governments over the issue of HERF (High Energy Radio Frequency) interference as a potential weapon system. Recently, RISKS readers have seen mounting evidenced of anomalous electrical interference behavior at 37,000 feet. Boeing and Apple and others companies have tried to quantify the phenomenon but EMI and RFI interference is highly elusive. Maybe the July 18, 1994 issue of the New York Times will shed additional light. The FBI mounted a whistle blower sting operation against General Electric with the assistance of one of their engineers who alleged that the company was improperly grounding its jet engines to the detriment of safety to both commercial and military aircraft. So alarmed was the Air Force One pilot that he refused to take off from Rome's airport with President Clinton until he was assured it was safe to do so. The GE engineer and whistle blower Ian Johnson, said he discovered the problems with improper engine grounding in 1989 but was subsequently brushed aside by his concerns. Engine grounding is critical to proper electrical performance in the air, and the technique GE uses to insure a quality connection is called electrical bonding. Is it any coincidence that laptop EMI stories began about a year later when protable digital electronics became popular? As any electrical engineer knows, any connection will introduce a given amount of electrical resistance (measured in ohms . . . Ohm's law, remember?) into a circuit. The goal is to approach zero resistance in any connection. Period. Poor connections not only change the values in the circuit thus changing the circuit performance, but can also become diode-like and act like unpredictable rectifiers. Not good. According to the article, GE engine's electrical bonding should result in an added impedance (resistance) of 2.5 milliohms (.0025 ohms) but were found to in some cases exceed 60,000 milliohms (60 ohms) and that is a lot: off by a factor of 24,000! In my former life as a circuit/systems designer, such an intolerable error would GUARANTEE a failure. The need for adequate bonding is clear: make sure that stray electrical signals such as from lightening bolts or from laptop computers or other consumer electronic devices do not interfere with the safe and reliable operation of a 100 tons of metal hurtling through the atmosphere. GE denies it (what else is new!) and there is bound to be a debate as to whether there really was an intentional cover-up as stated by Mr. Johnson. In an interesting side note, the FBI had Mr. Johnson wear a wire (a tap recorder on his person) over a period of 6 months to get the goods on GE. I guess this case will take over our minds and souls soon enough, on the "All O.J. Network." ------------------------------ Date: Sat, 16 Jul 1994 14:09:31 -0700 From: Phil Agre Subject: The digital individual An academic journal called _The Information Society_ has just published a special issue (volume 10, number 2, April-June 1994) entitled "The Digital Individual". (I'm the issue's guest editor.) It includes five articles whose general theme is that people's activities increasingly cast "shadows" onto the insides of computers. As a result, the whole notion of a human individual is beginning to change. Everyone has their physical self and surroundings and possessions, but they also have an elaborate digital aspect to their selves which follows them around through life. People use their digital shadows in a variety of beneficial ways, for example in sending messages to mailing lists like Risks, but they are often managed and controlled through their digital shadows as well. Since the outcome of this ambivalent situation is neither all-good or all-bad, it helps to make distinctions and put things in contexts, and that's what the articles in this special issue try to do. If you would like to see the full contents and abstracts for the special issue, send a message that looks like this: To: rre-request@weber.ucsd.edu Subject: archive send tis-digital Phil Agre, UCSD [Remember to sniff it out. The shadow nose! PGN] ------------------------------ Date: 18 Jul 94 21:08:20 EDT From: Bill Donahue <74562.3064@compuserve.com> Subject: Victim on the infobahn I learned the other day that I am a victim on the information superhighway. It's a long story; I'll relate it in hopes that there are folks out there who have had similar experiences and can tell me about them. My wife and I had been getting about 15 anonymous calls a day for the past three weeks. The caller would contact us at all hours, and would never say anything at all. We were quite rattled because, as it happened, the calls began coming just as I, a freelance journalist, began work on a murder story and just as we prepared for the birth of our first child. The unknown man on the other end of the line was, in our haunted imagination, a crazed murderer after our new child. We tried to invoke "Caller ID" to catch our harasser, but this did not work. Next, we called our phone carrier, US West, and our local sheriff to get them to look into the matter. We kept a log of all the "harassing" calls, and asked ourselves who so hated us that they would spend the money to call us via long distance 15 times a day and hang up each time. Finally, the other day we got an answer: A computer software firm had inadvertently entered our number into a database and prompted one of its modems to keep trying our number, over and over. The lawyer for the company called me today to apologize for the disturbance his firm had caused us. He said, "I guess you were just a victim on the information highway. I'm sorry," but I was quite struck how minimal this whole thing was on his end (a few misstrokes on the keyboard) and how massive the disturbance was on our end--getting woken in the middle of the night, etc. I'm thinking now of writing a magazine article on our experience, and am posting for two reasons. First, I'd like to hear from people who, like me, have become "victims on the infobahn," and second, I'd like to get some broader perspective. Do people know of any groups which monitor modem-caused problems? Are you aware of any laws covering such matters, and do you know how frequently mishaps like mine occur? Any imput would be greatly appreciated. Thank you, Bill Donahue 74562,3064@CompuServe.com ------------------------------ Date: Thu, 14 Jul 94 23:07:36 GMT From: Shaggy@moose.demon.co.uk (Shag the Moose) Subject: Benefits Agency Smart Payment Card The Benefits Agency (the 65,000 strong government agency responsible for the administration and payment of welfare benefits in the UK) has announced a new method of payment system, to be introduced over the next three years throughout the UK. Customers will present their personalised smart card to the Post Office, who will swipe it, do an (as yet unspecified) id check from info held electronically on the card, and check on-line to the BA office to find out how much money the person is due. This will replace Girocheques and order books; a system of 'valuable paper' which has been essentially unchanged since 1948. The prototype uses a digitised photo and pressure-pad signature. As the cards will have no inherent value, rough estimates are that payment- related benefit fraud will be reduced by approximately 90%. The BA has some 23,000,000 customers at any given time; approximately half the adult population of the UK. Customers will have an alternative to the smart card, in the form of ACT payments to their bank. Shaggy ------------------------------ Date: Tue, 19 Jul 1994 09:30:26 PDT From: Bob Estell - The Ancient Mariner Subject: Risks of confusing "headlines" with "in depth news" One of the several RISKS of using computers is that ordinary people (i.e., NOT computer gurus) may tend to listen TOO much to computer gurus. Why? Probably for reasons akin to why we listen to our doctors or our auto mechanics: if they are good they know more than we do about something that is important to us. OK so far. But we (too many of us) are spoiled to getting news in "sound bytes" (or their e-mail or paper memo or slide presentation equivalents). Too many of us do not appreciate the difference between CNN's Headline News and PBS's McNeil-Lehrer Report; or their computing equivalents, for example INFORMATIONWEEK and IEEE COMPUTER. Both valuable, but very different. So we hear one week that ISDN (or some other recent technology) has been revised and is now thriving; and within a month we hear from some other guru that the same technology has not lived up to its promise. Promise? or just hype? not only that, but hype by those same gurus, perhaps a bit too eager for more clients? or just not reading each other's stuff? OK, gurus have only 24 hours a day, and can't keep up either. In early Aug 94, I retire from 34 years of federal service; and will thus for a while at least be off the InterNet. I'll especially miss RISKS because it is one of the very few forums that is both current and thorough which is a tribute to its clients and especially its Moderator. According to some of these same gurus I am an old dog not able to learn new tricks; but others say that people like me are a valuable resource. I believe the latter opinion, not only because it is flattering, but also because the former may misunderstand the difference between 30 years experience and 3 years repeated 10 times. Bob Estell (542 Mary Ann Ave., Ridgecrest, CA 93555) ------------------------------ Date: Wed, 20 Jul 94 10:17:20 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Re: Aircraft Avionic Vulnerabilities (RISKS-16.25) I have been wearing hearing aids for over twenty years and on numerous occasions have allowed me to listen to things most people are "deaf" to. This is made possible by the inductive pickups in my hearing aids, throwing a switch turns off the microphone and on the inductive pickup & a whole new world appears. Just as an example, once upon a time, many people in a particular section of the building I worked in began complaining of headaches though no reason could be found. I happened to walk through the area in inductive mode & began to hear a beeping. Turned out that a RADAR unit at the nearby airbase had become misaligned and was sweeping the corner of the building. Realignment cured the headaches. Through the years I have had many such incidents of being able to identify electrical problems this way by characteristic "sounds". The point is that the interior of a commercial aircraft is one of the "noisiest" environments I have ever encountered with the 400 hz being almost "deafening" and a myriad of other jingles, jangles, and hums also apparent. One cannot but think that there must be almost no shielding of any signals in a modern aircraft and to me the amazing part is not that instruments are affected by laptops (low amplitude but I can "hear" them) but that they manage to operate at all in such an electronic bedlam. Padgett ps I have no idea what the spectrum of my hearing aids is, just that they have enabled the detection of too many diverse things to be very limited. Once they determined that a "haunted" corner in a house was nothing more than a power box on the other side of the wall. [Ah, Padgett is an auditory canary, similar to the canary the miners used to take down with them to provide an early warning on toxic gases! Think of it as a *gift*. PGN] ------------------------------ Date: 17 Jul 1994 13:29:47 +0300 From: amos@cs.huji.ac.il (Amos Shapir) Subject: Re: Inmates con jail computer (Ilieve, RISKS-16.23) Peter Ilieve writes: >`The sophisticated computerised security system was designed to end slopping >out by allowing one prisoner at a time from each landing to go to the toilet >during the night. [Sanitation is not the UK prison system's strong point, >prisoners usually have to make do with a bucket in the corner of the >cell (...) This incident demonstrates a far more important RISK than just subverting the computerized system; the real RISK is that such a system was installed to solve a problem which should have been solved by a better sewage system! Amos Shapir, The Hebrew Univ. of Jerusalem, Dept. of Comp. Science. Givat-Ram, Jerusalem 91904, Israel +972 2 585706,586950 amos@cs.huji.ac.il ------------------------------ Date: Mon, 18 Jul 1994 01:37:32 -0600 (MDT) From: "Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067" Subject: "Firewalls and Internet Security" by Cheswick/Bellovin BKFRINSC.RVW 940502 Addison-Wesley Publishing Company P.O. Box 520 26 Prince Andrew Place Don Mills, Ontario M3C 2T8 416-447-5101 fax: 416-443-0948 Heather Rignanesi, Marketing, x340, 73171.657@Compuserve.com or Tiffany Moore, Publicity tiffanym@aw.com Bob Donegon bobd@aw.com John Wait, Editor, Corporate and Professional Publishing johnw@aw.com Tom Stone, Editor, Higher Education Division tomsto@aw.com Philip Sutherland, Schulman Series 74640.2405@compuserve.com Keith Wollman, Trade Computer Group keithw@aw.com Lisa Roth Blackman, Trade Computer Group lisaro@aw.com 1 Jacob Way Reading, MA 01867-9984 800-822-6339 617-944-3700 Fax: (617) 944-7273 5851 Guion Road Indianapolis, IN 46254 800-447-2226 "Firewalls and Internet Security", Cheswick/Bellovin, 1994, 0-201-63357-4, U$26.95. firewall-book@research.att.com ches@research.att.com smb@research.att.com The Internet has a reputation for a lack of security. Those books which mention security on the Internet generally suggest setting up a firewall machine in order to protect yourself, but stop short of giving anything resembling details of how to do such a thing. Cheswick and Bellovin not only give practical suggestions for firewall construction, they also address other aspects of Internet security, as well. Part one gives a basic background, both of security, and of TCP/IP. If you didn't think you needed security before, you will after reading chapter two. Part two details the construction of firewall gateways, as well as authentication, tools, traps, and cracking tools for use in testing the integrity of your system. Part three discusses attacks, and the logging and analysis, thereof. The book also looks at legal aspects, secure communication over insecure links, resources and various helpful information. Although the book deals specifically with TCP/IP, the concepts, which are the parts stressed, are applicable to any network-connected systems. This is probably destined to become one of the security classics within its specialized field. copyright Robert M. Slade, 1994 BKFRINSC.RVW 940502 ============== Vancouver Institute for Research into User Security Canada V7K 2G6 ROBERTS@decus.ca Robert_Slade@sfu.ca rslade@cue.bc.ca p1@CyberStore.ca ------------------------------ Date: Wed, 20 Jul 1994 13:05:39 -0600 (MDT) From: "Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067" Subject: "The Fool's Run" by Camp BKFLSRUN.RVW 940428 %A Camp, John %C 2801 John Street, Markham, Ontario, Canada L3R 1B4 %D 1989 %G 0-451-16712-0 %I Penguin/Signet %O U$4.95/C$5.95 %T "The Fool's Run" I very strongly suspect that whoever wrote the screenplay for "Sneakers" read this first. There is a mob connected corporation. They wish to do some espionage. They hire a tiger team to do it for them. They try to betray, and possibly destroy, the tiger team. The team is then forced to "crack" their former client. There is the same paranoia about the National Security Agency. I don't know who the technical consultant was for this book, but he, she or it did an even better job here than Captain Crunch did for the movie. We have insider information, phone phreaking, database surfing, social engineering and overconfident systems managers. Chapter thirteen introduces computer viral programs, and I had to go back and check the copyright date. At a time when the supposedly technical books were printing absolute garbage, this novel had the concepts down pat (although slightly shaky on the details). Probably it won't become a classic in either literature or data security, but a reasonably fun read, and refreshingly accurate technical details. copyright Robert M. Slade, 1994 BKFLSRUN.RVW 940428 ============== Vancouver Institute for Research into User Security Canada V7K 2G6 ROBERTS@decus.ca Robert_Slade@sfu.ca rslade@cue.bc.ca p1@CyberStore.ca ------------------------------ Date: 19 Jul 94 12:22:13 EDT From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Subject: InfoWar II--First Call for Participation [For further information, contact Mich at 75300.3232@compuserve.com. PGN] FIRST CALL FOR PARTICIPATION Second International Conference on Information Warfare: "Chaos on the Electronic Superhighway" Conference Date: Wed 18 January 1995 Conference Locale: Dorval Airport Hilton Hotel Montreal, Canada 1. INTRODUCTION Cultures that depend on information systems are vulnerable to Information Warfare. Attacks on data confidentiality, data integrity and data availability will damage individuals, corporations and other private organizations, government departments and agencies, nation-states and supranational bodies. It is essential to erect legal, organizational, and cultural defences against information warfare. The Second International Conference on Information Warfare will focus on panel discussions of Winn Schwartau's new book, _Information Warfare: Chaos on the Electronic Superhighway_, published in 1994 by Thunder's Mouth Press (ISBN 1-56025-080-1). This announcement serves as a request for participation by those wishing to appear on panels, those wishing to suggest speakers, and others wishing to be added to a mailing list (electronic and snailmail) for further details as they develop. Panelists will be asked to analyze selected portions of _Information Warfare_ and to present refutations or support for the author's statements, assertions, predictions, warnings and recommendations. The Conference will serve the interests of information security specialists and strategic planners from the corporate world, military and government circles, and academia. The Press will be permitted to cover the event, providing opportunities for increased public awareness of vulnerabilities of the information infrastructure. The Conference Proceedings will contribute to the national and international debates about information warfare and the need for careful planning to avoid disruption by hostile forces as national and international information highways develop worldwide. Following recommendations from last year's participants in the First International Conference on Information Warfare, we have scheduled more free time for the animated discussion among participants. Informal discussions will be aided by Special Interest Group signs allowing people with specific interests to congregate. The organizers are making a special effort to reach members of the defence establishments of Canada and the United States. In order to foster the greatest degree of serious and productive discussion, room has been reserved for no more than 100 participants. 2. PROGRAM: 07:30-08:30 Registration and Continental Breakfast 08:30-09:00 Keynote Address:Warfare and InfoSec 09:00-10:15 Class I InfoWar: Attacks on Personal Information 10:15-10:45 Break for informal discussions by topic: Privacy, Cryptography, Laws, Law Enforcement 10:45-12:00 Class II InfoWar: Corporate InfoSec 12:00-13:30 Buffet lunch and informal discussions by sector: Corporate, Government, Military, Academic 13:30-14:45 Class III InfoWar: Global InfoSec 14:45-15:30 Informal discussions by network technology: PCs, LANs, WANs, Internet 15:30-16:15 General discussions among panelists and other participants 16:15-16:30 Closing comments The official language of the Conference is English. 3. SUBMISSIONS The Program Committee will select a suitable number of participants for the panel discussions. Selection will be based on subjective judgements of who is likely to offer the most thoughtful and stimulating expositions and analyses of the topics. Once panelists have been selected, the Program Committee requests that they submit a brief written analysis of the topic they agreed to speak on. This one- to ten-page document will be published in the Conference Handbook and will then appear in the Conference Proceedings along with additional materials added during the Conference. Deadline for consideration as a panelist: 30 Sep 1994. Confirmation of panel participation: 15 Oct 1994. Deadline for submissions for inclusion in Conference Handbook: 15 Nov 94. [Rest deleted. Write Mich for full text. PGN] ------------------------------ Date: 31 May 1994 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not automated). CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ARCHIVES: "ftp crvax.sri.comlogin anonymousYourName cd risks: Issue j of volume 16 is in that directory: "get risks-16.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; =CarriageReturn; FTPs may differ; UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories. See risks-15.75 for WAIS info. To search back issues with WAIS, use risks-digest.src. With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html. FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM . ------------------------------ End of RISKS-FORUM Digest 16.26 ************************