Subject: RISKS DIGEST 16.30
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 2 August 1994  Volume 16 : Issue 30

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

Contents:
  Squirrels again bring down Nasdaq (PGN)
  MCI inbound internet gateways choked (Mich Kabay)
  RISKs of electrical wiring (Robert Rose)
  How to clean out a checking account (Paul Dineen)
  FBI hunting for Agent Steal, flashy computer hacker (Mich Kabay)
  PCMCIA cards (Mich Kabay)
  Progress on RFI in aircraft (Mich Kabay)
  Porn Peddlers Convicted in Memphis (Mich Kabay)
  Re: Video Cameras (Nap van Zuuren)
  Computer telephony (Phil Agre)
  Re: Crashed bank teller (Ted Lemon, Patrick O'Callaghan)
  The Cult of Information by Ted Roszak (WN Peters)
  Report Released on Public Key Law and Policy (Michael S Baum)
  Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Tue, 2 Aug 94 7:55:36 PDT
From: "Peter G. Neumann"
Subject: Squirrels again bring down Nasdaq

Nasdaq once again was shut down by an energetic squirrel who apparently chomped on a power line near the stock market's computer center in Trumbull, Connecticut, yesterday. The system failed to perform the automatic switchover to the temporary backup power supply (designed to last until the backup system in Rockville, Maryland, could be brought up), and consequently the market was down for 34 minutes. A similar problem occurred in December 1987. (A 2.5-hour outage on 15 July was reported in RISKS-16.25, due to risky software upgrades.)
------------------------------

Date: 01 Aug 94 10:47:51 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: MCI inbound internet gateways choked

According to the Washington Post newswire (94.08.01 via CompuServe's Executive News Service), MCI's inbound Internet gateways were saturated last month, resulting in days of delay in delivery to MCI customers.

M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn

------------------------------

Date: Mon, 1 Aug 94 17:47:37 EDT
From: robert_rose@VNET.IBM.COM
Subject: RISKs of electrical wiring

I had a really interesting experience in one of our labs today, an electrician was adding a new outlet into an office and tied the outlet into a junction point in the dropped ceiling. While tying in the neutral line he let the 'home-run' neutral line (the one going back to the main 3-phase distribution I assume) come loose from the junction. After a minute he discovered this and reconnected it... he didn't notice a thing.

All of us in our offices however were really charged up.... There was smoke, sparks and crackling belching from numerous PCs, X terminals, surge protectors and fluorescent lamps.

One of our programmers who is an EE figured that when he dropped the main neutral the current instead started to flow between two branches of the three phase and that one office had very little equipment turned on and the other had great gobs of stuff powered up so that the office with everything turned on had almost the full 220V across its outlets.

Total body count: 2 surge protectors, a fan, and one Gateway 2000 (which was spewing sparks out of the fan opening!)

[I'm not an EE-minded person so hopefully I haven't botched this description too bad]

Lessons:

1. Don't trust your surge protectors blindly, the Gateway that got fried was plugged into one.

2. It's worth the money to buy an autoswitching 110/220 power supply, the Gateway was right next to an RS/6000 that has an autoswitching supply.
We figure the RS/6000 was running until the breakers blew... it just thought it had made a quick trip to Europe. Another IBM machine with an auto supply made it too.

I would have thought that some type of automatic device could prevent these types of overvoltages, but given the electrician's actions I guess not.

(This electrical contractor was *real* happy when we discovered the RS/6000 wasn't toast!)

--Rob Rose OS/2 Development IBM Boca Raton

------------------------------

Date: Fri, 29 Jul 1994 18:01:45 -0600
From: Paul Dineen
Subject: How to clean out a checking account

I lost my checkbook a couple of weeks ago. Despite turning the house inside out that evening, I couldn't find it. So, I called the bank and had them put a watch on the account.

Yesterday, I found the checkbook. (Wedged behind the seat of the lawn mower, must have fallen when I was cleaning the garage.) I called the bank to cancel the watch, needing to tell them only the account number and my name (printed on the check, naturally). They didn't ask me my mother's maiden name or anything.

Obviously, what's to stop a finder or thief from making the same call? I didn't raise this question then because I didn't want to raise suspicion and have to go through some trouble to get the watch lifted, but I will raise it with them on the next working day.

Paul Dineen, pld@fc.hp.com

------------------------------

Date: 01 Aug 94 10:47:38 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: FBI hunting for Agent Steal, flashy computer hacker

From the Reuter newswire (94.07.31 @ 21:10 EDST) via CompuServe's Executive News Service:

"FBI HUNTING FOR AGENT STEAL, FLASHY COMPUTER HACKER.

"LOS ANGELES, July 31 (Reuter) - The FBI is searching for a computer hacker suspected of committing high-tech crimes at the same time he allegedly worked undercover for the bureau catching other computer hackers, the Los Angeles Times reported Sunday.
The hacker, who goes by the moniker "Agent Steal" and whose real name is Justin Tanner Petersen, vanished last October and is on the run from the very federal agency -- the Federal Bureau of Investigation -- he told friends was paying his rent and flying him to computer conferences to spy on other hackers, the paper said."

Key points from the article:

o Petersen admitted having committed computer crimes even while working with federal prosecutors.

o He is alleged to have cracked federal computers and stolen information from a credit card information bureau.

o He was involved in Kevin Poulsen's fraudulent successes in radio phone-in contests in L.A.

o Petersen claimed to have been responsible for "nailing" Kevin Mitnick, the infamous criminal hacker who is sought by authorities for breaking into police computers and impersonating a police officer.

o J. Michael Gibbons, an FBI computer crime specialist, is sceptical that his agency ever hired Petersen: "It's not safe. Across the board, hackers cannot be trusted to work -- they play both sides against the middle."

o "Petersen was arrested in Texas in 1991, where a grand jury returned an eight-count indictment accusing him of assuming false names, accessing a computer without authorisation, possessing stolen mail and fraudulently obtaining and using credit cards."

o Convicted of six counts after pleading guilty, Petersen faces imprisonment for up to 40 years plus a fine of $1.5 million.

o "...[O]n Oct. 18, 1993, 15 months after entering his first guilty plea, Petersen was confronted outside federal court by Assistant U.S. Attorney David Schindler, who asked if Agent Steal had committed any crimes while free on bail.

  "Petersen said he had, according to the federal prosecutor. Petersen fled immediately after that meeting."

M. E. Kabay, Ph.D.
/ Dir Education / Natl Computer Security Assn

------------------------------

Date: 01 Aug 94 10:47:47 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: PCMCIA Cards

The Washington Post newswire (94.08.01; via CompuServe's Executive News Service) provides an analysis of PCMCIA card problems: "Add-In Card Standard: Good Plan, Bad Execution," by Brit Hume.

Hume summarizes the situation when the Personal Computer Memory Card International Association (PCMCIA) was founded in 1990: lack of slot standards made it difficult for manufacturers and users to have economical add-in devices. The new association devised three standards, but unfortunately the bugs are not quite out yet.

The author describes the problems trying to work with a new PCMCIA fax/modem card. It worked OK with PC-DOS 6.1 but the drivers failed with DOS 6.2. Even on 6.1, after resuming from both the "suspend" and "hibernate" operations, the operating system had lost track of its PCMCIA port. After extensive discussion with IBM support, the writer got function back after resuming from "suspend" but still lost the I/O port after "hibernate."

M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn

------------------------------

Date: 01 Aug 94 11:51:35 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: Progress on RFI in aircraft

From the NIST UPDATE for 94.08.01:

ELECTROMAGNETIC FIELDS
Paper Details EMF Shielding Theory

In work supported by the Federal Aviation Administration, NIST researchers have developed a mathematical model and theory for predicting the electromagnetic field shielding effectiveness of large metal enclosures with apertures and interior loading. The model also should allow for estimations of the average field strength inside enclosures such as electronic equipment cases and aircraft bodies.
It can be used for any enclosure regardless of size, shape, type of material and number of apertures, as well as for any frequency above a lower limit related to the dimensions of the enclosure. The model was experimentally evaluated using a rectangular aluminum cavity of about 0.57 cubic meter (approximately 20 cubic feet), with one aperture, and for a microwave frequency range from 1 gigahertz to 18 gigahertz. The agreement between model and actual measurement was within 20 percent after a number of additional sources of loss were incorporated into the original model.

A report, "Aperture Excitation of Electrically Large, Lossy Cavities" (NIST Technical Note 1361), is available from the National Technical Information Service, Springfield, Va. 22161, (703) 487-4650, for $19.50 prepaid. Order by PB 94-145711.

Media Contact: Collier Smith (Boulder), (303) 497-3198 smithcn@micf.nist.gov

M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn

------------------------------

Date: 31 Jul 94 19:54:57 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: Porn Peddlers Convicted in Memphis

The Associated Press newswire (94.07.28 and 29; via CompuServe's Executive News Service) reported on the recent conviction of Internet porn peddlers. The following summary is based on reports by WOODY BAIRD and ELIZABETH WEISE, Associated Press Writers.

The first, by Baird, deals with the legal issues.

"MEMPHIS, Tenn. (AP) -- A husband and wife were convicted of distributing pornography via computer Thursday in a case that raised questions about how to apply federal obscenity law to the information superhighway. Robert and Carleen Thomas, both 38, of Milpitas, Calif., were each convicted of 11 counts of transmitting obscenity through interstate phone lines via their members-only computer bulletin board. Each count carries up to five years in prison and $250,000 fine."

Apparently the Thomases sold pornographic graphics files on their BBS.
A Memphis postal inspector deliberately joined the BBS under an assumed name, downloaded some of the pics to his system and then complained to law enforcement authorities.

There's discussion of just what it means to try someone on the Internet under local pornography laws which refer to "community standards."

"The opinion was designed to let local citizens say whether they want X-rated bookstores or movie theaters in their communities and get judges out of the business of deciding what is obscene, said Stephen Bates, a senior fellow with the Annenberg Washington Program, a communications think tank."

However, if this approach is applied to the Internet, "federal juries in the most conservative parts of the country could decide what sexually explicit images and words get on the information superhighway, Bates said."

Weise's article covers reactions on the Internet:

"SAN FRANCISCO (AP) -- Hours after a couple were convicted of sending images of bestiality and sexual fetishes over a computer bulletin board, the Internet was humming with warnings and protests.

"`If this case stands, you can bet there will be a hell of a lot more prosecutions on the same basis in extremely short order," Karl Denninger of Chicago wrote Friday on the computer network.'"

The EFF's Mike Godwin is reported as saying, "This case ... has one community attempting to dictate standards for the whole country."

At least one BBS operator has stated that he'll quit as a result of the ruling, although he didn't explain what kind of files his BBS stocks....

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn

------------------------------

Date: 29 Jul 94 05:44:02 EDT
From: Nap & Erik van Zuuren <100042.3164@compuserve.com>
Subject: Re: Video Cameras (RISKS-16.20)

Assume, that we need a 'balance' in the RISK Digest, the balance between "benefits" of certain techniques against their "risks" I have to react, as we are in a limbo on this issue.
As a Dutchman, living in Belgium, I follow the outcome of a weekly T.V. program, called "Opsporing verzocht" (Help sought on Criminal Investigation), a program in which the Police Forces try to get necessary input for solving serious crimes. In that program, the presence of video-material from shopping malls and within shops has proven to be a big help in getting required input, and so we have to accept that we are "video-ed" when we are, for example, shopping; also for our "own" protection.

- Would not you feel better, with a camera 'at your shoulder', as e.g. a cashier in a petrol station at a highway ?

So: Benefits appear to outweigh risk !

Note: Apparently the Dutch Police Forces, and related Forces, are still considered -- in general -- to be the "friends" of the population by the Dutch population. I thought that the same attitude towards the Police Forces was true for the U.K.; the relation to the "Bobbie". (As the original "risks message" originated in the U.K., I also refer to the "Bobbie")

I wish, this would be the case in other countries as well; but the requirements for reaching such a relation with the 'public' are:
- to be "of assistance to the public"
- to be trustworthy, accompanied by a free press and political will
- to be supported by the judicial apparatus, for the Forces to stay motivated
- a "quality of life" worth defending it

We will need a lot of "trustworthy" energy to protect us -- and our children -- against the "criminal" energy.

Do NOT get me wrong:
- I also fell victim to injustice (in my opinion) in a case versus an 'official'
- I even have been insulted in writing by a member of the Council of Ministers

But, we have to trust (and at the same time: control) the forces which should protect the "law-abiding" (or = sullen ?) citizen, and are paid by that same citizen to do so ! Might the price of "democracy".
Nap van Zuuren, CompuServe 100042,3164

------------------------------

Date: Sun, 24 Jul 1994 14:09:10 -0700
From: Phil Agre
Subject: Computer telephony

The July issue of Byte has a good technical review of systems for integrating PC's and telephones. The full reference is:

  Jon Udell, Computer telephony, Byte 19(7), 1994, pages 80-96.

The applications are still pretty primitive, since the necessary capabilities within the phone system itself don't quite exist yet, are just coming on-line, or are just receiving regulatory approval. Still, enough stuff is just over the horizon that non-trivial architectures are being built. Many of them use Caller-ID, for which the FCC just set US national standards over the dead bodies of several state utilities commissions; and despite the strange idea that Caller-ID is mostly for residential use, the article makes clear that developers see a world of commercial applications. In general, as the article points out in the case of sales and collections systems, "As these tools find their way into the hands of smaller, more mainstream businesses, you can expect better service in some cases and more efficient harassment in others." Indeed.

Phil Agre, UCSD

------------------------------

Date: Thu, 21 Jul 94 18:03:51 PDT
From: Ted Lemon
Subject: Re: Crashed bank teller (Murray, RISKS-16.27)

> [...] Setuid has hurt instead of helped. [...] While it is
> appropriate for my program to fail by returning ME to the operating
> system, my program should not fail by returning YOU to the operating
> system prompt with privileges that are different from those that you
> have on your own.

Mr. Murray's article on the behaviour of various historical systems is interesting, but makes a rather bizarre claim about the behaviour of setuid under Unix. In fact, a setuid program only has privileges in the process in which it is running and any child processes that it creates without first disabling the setuid privilege.
The problems we've seen on the Internet with setuid programs generally are the result of poor coding which leaves loopholes in the executing setuid program that a clever cracker can exploit. I don't see any reason to believe that OS/400 setuid-like programs are any safer from this sort of exploitation. The proper solution to this problem is probably either to program more carefully, or to set up an environment in which it's harder to make mistakes like this.

_MelloN_

------------------------------

Date: Fri, 22 Jul 1994 08:14:13 -0400
From: "Patrick O'Callaghan"
Subject: Re: Crashed bank teller (Murray, RISKS-16.27)

From his description, Mr. Murray appears to think that setuid was introduced in order to restrict access rights, and has been abused by lazy programmers. Quite the contrary. The purpose of the `setuid' bit is to allow a program to run with the permissions afforded to the program's owner, rather than those of the user.

To say that `setuid has hurt rather than helped' is like saying `electricity has hurt rather than helped'. Setuid is *fundamental* to how Unix operates and its invention by Dennis Ritchie has been described as the only genuinely original idea in the Unix design (which is not to say it doesn't have problems).

William> ... However, they do not permit the user to retain
William> those privileges across the failure of the application.

Neither does Unix. If my setuid program fails, I fall back to whatever invoked it, usually a Shell. I do *not* retain setuid privileges.

Prof. Patrick O'Callaghan, Departamento de Computacion, Universidad Simon Bolivar, Caracas, Venezuela poc@usb.ve +058 (2) 906-{3241,3242,3254}

------------------------------

Date: Fri, 29 Jul 1994 11:17:37 -0400 (EDT)
From: WN_PETERS@wmich.edu
Subject: The Cult of Information

I highly recommend a book entitled The Cult of Information: a Neo-Luddite Treatise on High-Tech, Artificial intelligence, and the True Art of Thinking, by Theodore Roszak (second edition, c1994).
Roszak, in this book, is not attacking the idea of computerization, but he is warning our society against equating information with knowledge (the idea that if one can access information one, therefore, has knowledge on that given subject) and against over-computerization of our society. I found it to be a very readable book and quite illuminating.

University of California Press, ISBN: 0-520-08584-1

------------------------------

Date: Sun, 31 Jul 1994 08:51:33 -0400 (EDT)
From: Michael S Baum
Subject: Report Released on Public Key Law and Policy

**NEW INFO. SECURITY BOOK ON PUBLIC KEY LAW & POLICY**

TITLE: FEDERAL CERTIFICATION AUTHORITY LIABILITY AND POLICY -- Law and Policy of Certificate-Based Public Key and Digital Signatures

AUTHOR: MICHAEL S. BAUM, J.D., M.B.A. Independent Monitoring

Report No. NIST-GCR-94-654
450+ pages, highly annotated; multiple appendices; indexed.

U.S. DEPARTMENT OF COMMERCE
National Institute of Standards and Technology

Produced in support of the Federal Government's public key infrastructure study, this book identifies diverse technical, legal and policy issues affecting a certificate-based public key cryptographic infrastructure utilizing digital signatures supported by "trusted entities." It examines potential legal implications, surveys existing legal paradigms and the structures and roles of relevant governmental agencies and presents various institutional approaches to controlling liability. It considers the underpinnings of a legal and policy framework which might serve as a foundation for security policies and their implementation and concludes with a series of recommendations, both general and specific concerning certificate-based public key. Both public and private sector issues are addressed.
This publication is the result of legal, business and security management research, as well as interviews and analysis predominantly with public- and private-sector lawyers, policy makers, managers and management information system and security professionals in the United States and abroad.

SUMMARY OF CONTENTS:
  - PREFACE
  - ACKNOWLEDGMENTS
  - TABLE OF CONTENTS
  I. INTRODUCTION
  II. SCOPE
  III. DEFINITIONS
  IV. ASSUMPTIONS
  V. SURVEY OF FCA ACTIVITIES CREATING LIABILITY EXPOSURE
  VI. LEGAL CONSIDERATIONS
  VII. FCA INFRASTRUCTURE - PROPOSALS AND PARADIGMS
  VIII. SURVEY OF, AND APPROACHES TO, TRUSTED ENTITY LIABILITY
  IX. OTHER APPROACHES TO MITIGATE LIABILITY
  X. CONCLUSIONS AND RECOMMENDATIONS
  XI. APPENDICES
  XII. GLOSSARY
  XIII. INDEX

OBTAINING COPIES: Copies may be purchased through the National Technical Information Service, Springfield, Virginia 22161, U.S.A., Phone +1 (703) 487-4650 or 1-800-553-6847. Request NTIS Document No: PB94-191-202. Cost: $61.00

ABOUT THE AUTHOR: Michael S. Baum is Principal of Independent Monitoring, a consultancy focused on electronic commerce and information security law. He serves as a Delegate from the International Chamber of Commerce (ICC) to the United Nations Commission on International Trade Law (UNCITRAL); Chair of the EDI and Information Technology Division, Section of Science and Technology, American Bar Association (ABA) and its Information Security Committee; and Chairman of the ICC Working Party on Legal Aspects of Electronic Commerce.

Michael S. Baum, Independent Monitoring, Cambridge, Massachusetts baum@im.com

[RISKS normally does not run advertising for books. However, this is a NIST/NTIS report. (Yes, NITS, ISN'T, SNIT are also anagrams.) It is also fair game for a review, in case someone wants to submit one. PGN]

------------------------------

Date: 31 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest.
Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "ftp crvax.sri.comlogin anonymousYourName cd risks: Issue j of volume 16 is in that directory: "get risks-16.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; =CarriageReturn; FTPs may differ; UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories. See risks-15.75 for WAIS info. To search back issues with WAIS, use risks-digest.src.
With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 16.30
************************