RISKS-LIST: RISKS-FORUM Digest Monday, 19 October 1987 Volume 5 : Issue 45 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Stocks into Bondage? Storm prediction? Computer relevance? (PGN) UNIX Passwords (Dave Curry) Let the Punishment Fit the Crime... (Mike McLaughlin) Re: Computers and civil disobedience (James Peterson, Clif Flynt, Fulk, Brent Chapman) Unemployment Insurance Cheaters (William Smith) Computer Services as Property (Doug Landauer) Successor to Sun Spots (K. Richard Magill) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j. Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97). ---------------------------------------------------------------------- Date: Mon 19 Oct 87 17:47:09-PDT From: Peter G. Neumann Subject: Stocks into Bondage? Storm prediction? Computer relevance? To: RISKS@KL.SRI.Com With the Dow losing 508 points today (down 22.6% from 2247) and 744 points since the beginning of last week, please be on the lookout for any careful analyses of the extent to which computers were involved in setting off and extenuating the crash -- e.g., computer-programmed selling, rapid responsiveness of the computer systems (despite the delays in the tickers), trying to optimize locally, etc. (No speculations, please.) Certainly, margin calls and the human tendency toward fear and panic in that kind of a crisis contributed to an extremely unstable feedback loop. But let's see if we can identify precisely what roles the computers played, for better or for worse. Also, I hope one of our European readers will follow up on any further reports that computer systems have been partially blamed for the failure of weather predicters to warn about the once-in-a century hurricane-force storm that blew through England and Western Europe on 16 October 1987. Apparently predicters still did not have a clue even after the winds (which reached up to 110 mph!) had begun. But the home secretary said it would be unfair to blame the forecasters -- the wind shifted suddenly and sped up unexpectedly. ------------------------------ Date: Fri, 16 Oct 87 08:22:19 EST From: davy@intrepid.ecn.purdue.edu (Dave Curry) To: risks@kl.sri.com Subject: UNIX Passwords The truncation of UNIX passwords to 8 characters is not a bug, it's a feature. If you have source, examine the code to libc/gen/crypt.c. Your password is *not* actually encrypted on UNIX. Rather, it is used as the *key* to encrypt a standard block of text (a block of zeros, although this is irrelevant) using a modified version of the DES algorithm. The result of this encryption is what is usually called your "encrypted password". The keys for DES are 56 bits long. 8 characters, at 7 bits per character, makes 56 bits. There's no point in using characters after that, since you can't put them into the key. It seems to me this isn't that serious; if I choose a password you're going to guess easily, chances are the length isn't going to matter -- guesses made on names, birthdates, etc. are not based on length, but based on other criteria. Using a list of about 2000 proper names I have, only 9% of those names are longer than 8 characters. Birthdates (mmddyyyy) are eight characters long. Phone numbers are 7 digits, unless you add area codes (although if you use *your* area code, the cracker now has 3 characters of your password...). The only thing truncation makes easier is exhaustive search generating passwords like "aaaa", "aaab", "aaac", etc. Even with only 8 characters, that would take a *long* time... (although you could do it on a Cray, I guess). SSNs are 9 characters long, but the number of 9-digit permutations of 10 digits is still small enough to make exhaustive search reasonably trivial. --Dave [There were many contributions on this topic. This was the most cogent. PGN] ------------------------------ Date: Sat, 17 Oct 87 12:49:00 edt From: mikemcl@nrl-csr.arpa (Mike McLaughlin) To: RISKS@csl.sri.com Subject: Let the Punishment Fit the Crime... Recent issues of Risks have mentioned juvenile hackers who perpetrated com- puter crimes. One youth's computer was destroyed, by court order. A reader felt that was inappropriate. I disagree. It should have a significant deterrent effect. In the Shenandoah Valley of Virginia there is a judge who orders that con- victed poachers' guns be destroyed, and that the poachers watch. When I met the judge (socially!) I suggested that they be sold as confiscated goods rather than being destroyed. He replied that the poachers were emotionally involved with their possessions, and that destruction was far more effective than mere confiscation. After 14 years of hiking and hunting in his jurisdiction, meeting people who lived in that area, I have to agree with him... and with the judge who ordered the computer destroyed. Perhaps both judges are Gilbert and Sullivan fans. - Mike McLaughlin ["A more humane Mikado ...: My object all sublime... To let the punishment fit the crime ..." But G&S had something for the computer buff: "We only suffer to ride on a buffer ..." PGN] ------------------------------ Date: Fri, 16 Oct 87 09:02:44 CDT From: James Peterson To: RISKS@KL.SRI.COM Subject: Re: Computers and civil disobedience Prentiss Riddle raises the possibility of using computers for civil disobedience or protest. I remember reading a few months ago about a person who was really upset at one of the fundamentalist religous organizations (Falwell's) and programmed his PC to use its auto-dialer to call their toll-free number, wait 30 seconds, hang up and call again. The article in the paper was because he had been arrested and his equipment confiscated, although it was not clear to me what law he had violated. jim ------------------------------ To: ptsfa!KL.SRI.COM!RISKS Subject: Civil Disobedience Organization: Chinet - Public Access Unix Date: 15 Oct 87 15:39:32 CDT (Thu) From: ucbcad!ames.UUCP!ihnp4!chinet!clif@ucbvax.Berkeley.EDU (Clif Flynt) [... Mention of the Falwell case...] As an aside, and not a risk, to my mind, You might be amused to know that one of the Michigan State Representatives (Perry Bullard) operates a conference on a large computer bulletin board in his district. Along with answering questions from the BBs'ers, he posts the text of various bills he is introducing, and accepts the comments of the readers. On a couple of occasions, I think he modified the bill after reading the reactions of the folks. At this point, he is selecting for a small segment of the voters he represents, but as more and more households acquire modems, this might make our system more of a democracy than it's been since all the voters in a town could attend one meeting. Of course, as reading the Net shows, you also get a lot more noise... Clif Flynt [And that is not a risk -- it is a certainty. We have noted before in RISKS the dangers of overly instant reaction to events. But there are also denial of service issues, flooding with bogus computer-generated messages all appearing to come from different constituents, flooding with legitimate computer-generated mass mailings sent by special-interest groups, etc. PGN] ------------------------------ Date: Fri, 16 Oct 87 10:47:01 EDT From: fulk@cs.rochester.edu To: RISKS@csl.sri.com Subject: Civil Disobedience I think the notion of civil disobedience needs some clarification: While the term "civil disobedience" is full of ambiguities, I believe the most common use is to describe _public acts of protest_. Thus the lunch counter sit-ins, the Concord Naval Base protest, the Women's Peace Encampment protests at Romulus, the Berrigan's blood-drenched draft files, draft card burnings, etc. Such acts are carried out after much consideration of the consequences, and are planned to have an impact on public opinion. This is not to say that these acts always take place in a glare of publicity; often it is hoped that a long series of such acts will draw attention and perhaps convince some of the public of the conviction of the protestors. Computer break-ins and BBS/800 number flooding are normally private actions. If they were performed publicly, they would have little effect of the sort the protestor would like: a hacker pounding away at his computer doesn't make for high drama. ------------------------------ To: risks@kl.sri.com Subject: Civil Disobedience Date: Fri, 16 Oct 87 00:32:35 PDT From: Brent Chapman In RISKS-5.44, Scott Dorsey (kludge@pyr.gatech.edu) writes: > I seem to recall a mention that the Berkeley computer center was >occupied by protesters sometime in the sixties, who claimed that the >computers were being used for war work. A sit-in was staged, as well >as the damage of some equipment and a large number of tapes. I don't >know precisely if any significant damage was done. I've been here for a little over three years, and I've always found it curious that, in general, the users here have little or no idea where the machine rooms are. They're not really hidden, but their locations aren't really advertised, either. I don't know if that's a reaction to what Scott mentioned, or not. To my knowledge, there aren't any "showcase" machine rooms; you know, the "glass cages" we all love to hate... The EECS building at Berkeley (Cory Hall) has a fancy card-key system to control access to critical areas (machine rooms, labs, and such), and to the building itself after hours, apparently installed after a grad student was injured when he opened a package found lying in a terminal room that turned out to be a bomb. Getting around the system is fairly easy; you just stick your head into the terminal rooms _outside_ the controlled zone and shanghai someone you know who has a card for a few seconds. The building in which most of the CS division and the Computer Center are located (Evans Hall, along with the Math Dept., Stat Dept., and several others) is also supposedly locked up after hours. It doesn't have a card-key system like Cory; they just lock things up. In theory, you can get to the terminal and printer rooms in the basement, but not to the rest of the building. In practice, once you get to the basement, you can get to the rest of the building. At Stanford, on the other hand, in order to get to the comp center staff offices, you have to go _through_ the machine room -- the door is wide open. I don't know how much of this is "justified", and how much of it is just bureaucratic paranoia. How "secure" are other academic and commercial comp centers? Is Berkeley the only campus to try the "security through obscurity" approach, rather than showcasing their toys? Have there been any cases of terrorist or political attacks on comp centers? We're all used to considering the electronic access considerations of computer security (networks, dialups, etc.) here; how about the physical considerations? How many of you have no idea where the machines you use are physically located? How many of you don't even know exactly what type of machine you use (for example, is your VAX a 750, a 780, or a 785?)? Is the unawareness of the details of the underlying hardware becoming more or less prevalent, and is that good or bad? This should give us all some food for thought... Brent Chapman Senior Programmer/Analyst koala!brent@lll-tis.arpa Capital Market Technology, Inc. lll-tis!koala!brent 1995 University Ave., Suite 390 Phone: 415/540-6400 Berkeley, CA 94704 [I remember in the early 70s that the MIT computer center facilities had restricted access to the machine room via a spiral staircase to the next higher floor -- except that the emergency exit was unalarmed and sometimes left ajar. PGN] ------------------------------ Date: Sun, 18 Oct 87 21:29:00 CDT From: wsmith@m.cs.uiuc.edu (William Smith) To: RISKS@csl.sri.com Subject: Unemployment Insurance Cheaters I heard on a TV news report of a computer matching between employees of one company in Indianapolis, Indiana and a list of unemployment check recipients. A number of overlaps were found last week [Oct 17] who will be prosecuted. ------------------------------ Date: Tue, 6 Oct 87 13:07:18 PDT From: landauer@Sun.COM (Doug Landauer) To: RISKS@SRI.COM Subject: Computer Services as Property (Re: RISKS-5.41) > From: "Arthur_Axelrod.WBST128"@Xerox.COM > I think we all agree with the fundamental premise, i.e. that information > is a form of property and is entitled to the same protection as any > other form of property. Absolutely *NOT*!!! I know of no one who thinks (e.g.) that their house, their car, their wallet and their Unix files (or their IBM-PC software) are entitled to *the same* protection. The significant difference between information and "real" property is that if you steal real property, your victim is denied access to that property; whereas if you "steal" information, your victim still has hir copy of it, and may not even notice the "theft". That is why the word "steal" is no longer appropriate in this context. What *I* think many of us agree on (except R.M.Stallman, of course) is that information is a form of property and is entitled to *some* protection. What our linguistic, ethical and legal systems have not yet come to cope with is just what sort of protection information is entitled to, and what sort is feasible. Doug Landauer Sun Microsystems, Inc. ARPA Internet: landauer@sun.com Software Products Division UUCP: {amdahl, decwrl, hplabs, seismo, ...}!sun!landauer ------------------------------ Date: Fri, 16 Oct 87 13:10:15 edt From: umix!oxtrap!rich@uunet.UU.NET (K. Richard Magill) To: umix!csl.sri!risks@uunet.UU.NET Subject: Successor to Sun Spots My new explanation why computers sometimes do random unexplicable things. (replacing my previous, "sun spots"). [about the first sentient system] ... and she amused herself by planning, and sometimes carrying out, malicious computer failures and data losses in order to watch the humans flail about helplessly like ants around a crumpled hill. -- Orson Scott Card from "Speaker for the Dead" ------------------------------ End of RISKS-FORUM Digest ************************