[mod.risks] RISKS-1.28

RISKS@SRI-CSL.ARPA (RISKS FORUM, Peter G. Neumann, Coordinator) (12/10/85)

RISKS-LIST: RISKS-FORUM Digest  Sunday, 8 Dec 1985  Volume 1 : Issue 28

        FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS 
                 Peter G. Neumann, moderator

Contents:
  Viruses and Worms (Mark S. Day, Aaron M. Ellison, Ted Lee, Dave Parnas)
  Electromagnetic Interference (Chuq Von Rospach)
  Crackers (Peter Reiher, Matt Bishop, Dave Dyer)

     [Note: There is some duplication among these contributions.  
            Read lightly if that bothers you.  I also note that we
            are in danger of degenerating into just a Security Forum,
            although clearly that is an important part of RISKS.  PGN]

Summary of Groundrules:
  The RISKS Forum is a moderated digest.  To be distributed, submissions should
  be relevant to the topic, technically sound, objective, in good taste, and 
  coherent.  Others will be rejected.  Diversity of viewpoints is welcome.  
  Please try to avoid repetition of earlier discussions.

(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA)
(FTP Vol 1 : Issue n from SRI-CSL:<RISKS>RISKS-1.n)      

----------------------------------------------------------------------

Date: Mon 9 Dec 85 14:57:40-EST
From: Mark S. Day <MDAY@MIT-XX.ARPA>
Subject: Viruses and Worms
To: RISKS@SRI-CSL.ARPA

Hysterical panic about viruses in programs is at least as annoying as
the more common complacent stupor about risks from computers.  The
author of RISKS-1.27 seems to be dead set on Software Apocalypse Now.
We swing from viruses in software to unencrypted data links on bank
machines to teen-aged kids cracking systems.  Also, the usual screams
of "mad genius hackers playing sick games" can be heard... sigh,
programmers are so misunderstood...

The discussion about viruses is actually sort of interesting; the
others fall into the category of "there are fixes which have a certain
cost; you have to decide whether it's worthwhile."  Encryption and
tighter security systems raise the cost of the system and also raise
the cost of breaking the system.  The question is, for the data and
functions being provided, what is an appropriate level of protection?  
I'm not going to panic because many bicycles have cheap locks or no locks;
some bikes aren't worth stealing, and in some areas there's relatively little
theft of bicycles.  If I have data worth protecting, I should be prepared to
protect it.  I will agree that far too few people are aware of the hazards
or of what they can do to protect themselves, but that is far from saying 
that I want to pay for security I don't need.

On viruses, etc.: it is certainly the case that you only want software
which is written by people you trust (and ENTIRELY by people you trust
-- see Ken Thompson's Turing Award Lecture for a further discussion of
this).  But is that different from needing to have bookkeepers
and treasurers that you trust in order to avoid embezzlement?  If
bankers and national security types don't take steps to ensure that
they have good software, then they certainly have a problem, but not a
hopeless one.  There have been previous proposals to have independent
"software certification agencies" to ensure software quality, but I
don't know if they would really be able to solve this problem.

The "solitary programmer" mentality is at least partly to blame for
things like "unauthorized worms" -- if people expect to have their
code read by others, who may question the reasons for doing certain
things, it becomes enormously harder to conceal unauthorized features
(unless the programmer can convince the inspector(s) to join in a
conspiracy).  I am still surprised at how many companies do not ask
programmers to read each other's code.  Quite apart from security
worries, having inspections or walkthroughs seems to sharply improve
maintainability and finds a number of bugs and design flaws.

I have little or no sympathy for people who illegally copy a program
and then find one day that it's trashed their data.  Serves 'em right.

--Mark

P.S. The term "worm" was not coined in a Scientific American column.  I
believe John Brunner used it in his novel The Shockwave Rider and 
Shoch and Hupp picked up the term for a paper in Communications of the ACM.
It may have been used earlier than that; I don't know.

------------------------------

Date:         Mon, 09 Dec 85 08:56:27 EST
From:           Aaron M. Ellison  <BI467000%BROWNVM.BITNET@WISCVM.ARPA>
To:  risks@sri-csl.ARPA
Subject:      viruses, worms and history

Regarding Neal Macklin's "expose" of virus technology, I would only
add that the idea is not at all new. John Brunner, a well-known
speculative fiction writer, wrote a novel called "Shockwave Rider"
over 10 years ago(!) predicting the blackmailing of a then corrupt
U.S. government by a morally-upright computer hacker. Although I share
Neal's concerns, I am not at all convinced (even as a credit-card and
ATM-card-carrying young and aspiring academic) that under certain
circumstances, the collapse of the fractional reserve system, the
banking system, and the credit markets would be an awful event. Sure
there would be chaos, but who knows what could arise from the rubble.
...I would add that reading Shockwave Rider when I was in high school
prompted me to learn about computers, and although I have not the
competence to develop tapeworms and viruses, if it's just now getting
out to the "hacker world" that viruses exist, you can bet that the
NSA may already have developed one (pardon the paranoia).

Aaron Ellison
Graduate Program in Ecology & Evolutionary Biology
Brown University
Providence, Rhode Island 02912

------------------------------

Date:  Sat, 7 Dec 85 22:25 EST
From:  TMPLee@DOCKMASTER.ARPA
Subject: [The Worm Turns in His Gravy?]
To:  Neumann@SRI-CSL.ARPA [adapted for RISKS]

I suppose it would be nice to tell the original author of the long issue
about viruses, etc., that there ARE technical solutions, although not
necessarily within his lifetime if he's using IBM systems, which most
financial institutions do ...  Ted Lee

------------------------------

Date: Mon, 9 Dec 85 07:23:03 pst
From: vax-populi!dparnas@nrl-css.arpa (Dave Parnas)
To: nrl-css!RISKS@SRI-CSL.ARPA
Subject: Re:  RISKS-1.27
Cc: nrl-css!neumann@SRI-CSL.ARPA

Peter,
	Risks is supposed to be a digest.  The huge article that just
ate up my time like a worm could have been digested and the summary
put in a few lines.  Worms have their place.  Eating up stories
like that one is one of their good uses.  Worms digest waste.

Dave          [and I got THREE copies of Dave's message.  Oh, well.  PGN]

------------------------------

Date: Thu, 5 Dec 85 08:29:09 pst
From: sun!plaid!chuq@ucbvax.berkeley.edu (Chuq Von Rospach)
To: risks@sri-csl.arpa
Subject: Electromagnetic Interference

I was listening to a radio station the other day whose studio is on the San
Francisco Bay. In the early afternoon, the station started getting a
re-occurring noise over the air that sounded vaguely like a burp, which
distracted the DJ no end. It turned out after investigation by their
engineers that it was being caused by a Navy Aircraft Carrier that had just
entered the bay on the way to Alameda. Every time the radar pointed at the
studio, it caused the station's electronics to go bonkers (that's a powerful
radar...). I wonder what other electronics those things would interfere
with?

chuq

      [Perhaps the squawks were emitted by a carrier pitch-in?  PGN]

------------------------------

Date:           Wed, 4 Dec 85 22:30:33 PST
From:           Peter Reiher <reiher@LOCUS.UCLA.EDU>
To:             risks@sri-csl.arpa
Subject:        crackers

I imagine you will have numerous postings making the following point, but,
if you don't, someone should say it.  

> Thomas Cox writes:

>1. no password-protected system is EVER likely to be broken into by so-called
>     hackers.  They can sit and guess, just like they can try and guess the 
>     combination to my bike lock.  I'm not worried about it.

This all depends on how loosely you define "stealing a password".  Is
a person who hangs around your printer room, picking up loose header
sheets with people's account names and real-world names on them stealing 
passwords?  Someone who does so can break into many systems, as many people
will choose passwords equal to their login ids or first or last names.
If the person communicated with people via email at your site, or was able
to guess what their login id is (not a hard job in many places), then the
same vulnerability exists.  The problem is exacerbated if the cracker can get
access to a list of your users.  On most UNIX systems, once he is in at all,
this is trivial.

     [Not to mention the fact that passwords are usually transmitted 
      unencrypted within local nets and externally as well...  PGN]

In fact, barring fairly stringent rules on password choices, and/or physical
security preventing intruders from accessing terminals (and, possibly,
modem features to discourage brute force guessing), most computer systems
can be broken into once a few user ids are known, provided the cracker has
the modicum of expertise and equipment necessary to write a program to
test all dictionary words against the user ids' passwords.   The recent
Bell Systems Technical Journal issue on UNIX had a discouraging article
on how easy it is to break into the majority of UNIX systems, given a list
of user ids, testing only twenty or forty possible passwords per user id.

Perhaps you don't consider a lax password system a password system at all,
but, barring that, your statement is demonstrably false.
 
        			Peter Reiher
				reiher@LOCUS.UCLA.EDU
        			{...ihnp4,ucbvax,sdcrdcf}!ucla-cs!reiher

       [Unfortunately, discussions of the risks of relying on passwords
        need to be held over and over again.  If you have not thought deeply
        or been burned, it is too easy to be naive.  The sophisticated
        crackers -- as opposed to the simplistic ones -- find very few
        boundaries they cannot get through (or go around).  PGN]

------------------------------

Date:  5 Dec 1985 0959-PST (Thursday)
From: Matt Bishop <mab@riacs.ARPA>
To: risks@sri-csl.ARPA
Subject: Re: Hackers (aka "Head in the Sand")

   I think Thomas Cox's article ("Hackers", Risks V1N26) is optimistic
in the extreme:

> 1. no password-protected system is EVER likely to be broken into by so-called
>      hackers.  They can sit and guess, just like they can try and guess the 
>      combination to my bike lock.  I'm not worried about it.

Sorry, but I am.  When you say "password-protected", I interpret that
to mean the user setting his or her password to anything other than the
site/manufacturer default.  Turns out a lot of people set it to their
name, login, spouse's name, etc.  (See Morris and Thompson, "Password
Security: A Case History", CACM 22(11), pp.594-597 (Nov. 1979) for more
information about this claim.)  If you know anything about the system
you're attacking, such as whose account you're trying to get into,
this makes the account rather a sitting duck.  So I'd disagree with
your statement above.
   Of course, if you mean something else by "password-protected", could
you be more explicit?  My opinion could very well be inapplicable ...
   (Incidentally, bear in mind the "bike" is worth maybe a half million,
considering the information stored on it, so if you just trust the
"lock", and don't take off a wheel, you're inviting trouble ...)

Matt
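
The weakness Peter Reiher and Matt Bishop describe above (passwords equal to the login id, a first or last name, or a spouse's name) can be screened for at the moment a password is set. The following is an added example, not part of the original digest; the function names, the word list and the sample accounts are constructed for illustration.

```python
import re

# Constructed sample word list; a real filter would load a full dictionary.
COMMON_WORDS = {"password", "secret", "wizard", "guest", "system"}

def _variants(token):
    """Forms a guesser tries first: as-is, reversed, doubled."""
    t = token.lower()
    return {t, t[::-1], t + t}

def _core(password):
    """Strip leading/trailing digits and punctuation: 'Doe85!' -> 'doe'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())

def weak_password_reasons(password, login, real_name, related=()):
    """Return why a proposed password is guessable from account facts.

    login, real_name and related (e.g. a spouse's name) are what a printer
    header sheet, a mail address or a user list gives away.
    """
    core = _core(password)
    if not core:
        return ["digits and punctuation only"]
    reasons = []
    sources = [("login id", [login]),
               ("real name", re.split(r"[\s\-]+", real_name)),
               ("related name", list(related))]
    for label, tokens in sources:
        for tok in filter(None, tokens):
            if core in _variants(tok):
                reasons.append(f"derived from {label} '{tok}'")
    if core in COMMON_WORDS:
        reasons.append("dictionary word")
    return reasons

def screen(requests):
    """Map login -> reasons for each password-change request that is refused."""
    refused = {}
    for r in requests:
        why = weak_password_reasons(r["password"], r["login"],
                                    r["real_name"], r.get("related", ()))
        if why:
            refused[r["login"]] = why
    return refused

# Constructed password-change requests, checked before anything is stored.
SAMPLE = [
    {"login": "jdoe", "real_name": "Jane Doe", "password": "enaJ85"},
    {"login": "rroe", "real_name": "Richard Roe", "password": "rroe"},
    {"login": "asmith", "real_name": "Ann Smith", "password": "kV9#mude-Lorp"},
]
```

Calling screen(SAMPLE) refuses the first two requests and accepts the third.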

------------------------------

Date:  8 Dec 1985 14:21:50 PST
Subject: Hackers' guessing passwords
From: Dave Dyer       <DDYER@USC-ISIB.ARPA>
To: risks@SRI-CSL.ARPA

In Response to Thomas Cox in Risks 1.26:
	
  "1. no password-protected system is EVER likely to be broken into by 
     so-called hackers.  They can sit and guess, just like they can try 
     and guess the combination to my bike lock.  I'm not worried about it."

This is patently untrue.   I have personally guessed passwords on
several occasions;  It isn't even hard unless you want some particular 
password.   One of the recent, widely publicised "hacker" cases
involved exactly what you say is impossible;  the perpetrator
was merely making a sport of guessing passwords, and changing them
as a warning to the account owner.  In addition to guessing,
there are multitudes of ruses to obtain passwords, some technical,
but many simply exploiting human weaknesses.    

It is certainly true that "unguessable" passwords exist, but any 
enforced mechanism for assuring unguessable passwords will also
be regarded as "unrememberable", and therefore more vulnerable
to non-guessing methods.

------------------------------

Date: Mon 9 Dec 85 15:52:42-PST
From: Peter G. Neumann <Neumann@SRI-CSL.ARPA>
Subject: Hackers, Crackers, and Snackers
To: RISKS@SRI-CSL.ARPA

I received an anonymous phone call this morning from someone who felt
inspired by the last two issues of RISKS to relate some experiences he/she
had had while working for the Texas Commerce bank.  Apparently the computer
maintenance staff had fun with the wire-transfer programs, using passwords
that had been taped under a desk.  They would randomly transfer various
amounts ($100,000 was mentioned as typical) from one account to another, just
for kicks.  They were astounded that no one ever caught on, and the
passwords were never changed.  When I asked whether all such transactions
had been reversed, the answer was probably yes.

------------------------------

End of RISKS-FORUM Digest
************************

-------