[comp.risks] RISKS DIGEST 11.67

risks@CSL.SRI.COM (RISKS Forum) (05/14/91)

RISKS-LIST: RISKS-FORUM Digest  Tuesday 14 May 1991  Volume 11 : Issue 67

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

  Contents:
The UK Data Protection Act and email/net and university users (Chris Reynolds)
DEC copies system software, charges pirates (Bremner)
Re: Free speech & government control of information (Larry Hunter)
Re: Case of the Replicated Errors: An Internet Postmaster's Horror Story
    (Neil Rickert, Erik E. Fair, Dan Boyd)
Re: Netware LOGIN problems (Leonard Erickson)
Re: Emergency off switch - IBM 1620 (R.I. Cook)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in 
 good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive 
 "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.  For
 vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 11, j always TWO digits).  Vol i
 summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
 The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
 <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues
 of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 14 May 1991 09:37:14 +1000
From: reynolds@syd.dit.CSIRO.AU
Subject: The UK Data Protection Act and email/net and university users

One of the problems of the UK Data Protection Act is that it is only concerned
with the use of the data and not the contents. An author writing a biography is
not covered by the Act because he is word-processing - but if he searches the
text ONCE for the occurrence of a personal name, or creates a name index, the
Act immediately applies.

This applies to all UK users of email and usenet. If they just read their mail
and discard it the Act does not apply. If they keep a copy of the text for
later reference by name (or scan their mailbox to select mail) the Act applies.
(If you have a personal name in a usenet kill file this could well be
processing under the Act!)

The matter gets worse. If you have ANY data under the Act you have to register
(or be covered by an employer's registration) with only a few exceptions. In
addition the usenet postmaster acts as a bureau under the Act so that if any of
his users process personal information from usenet he should register as a
bureau....

Registration is a complex, time consuming and expensive process in which you
have to detail the kinds of personal information you hold, where you get it
from, and what you use it for. There are NO minimum levels. I produced some
schools software, including a dozen teaching examples. One of these used a list
of the English monarchs, and included the personal information that Queen
Elizabeth II came to the throne in 1952. Technically speaking, whenever I sold
a copy of the software to Hong Kong (or the Isle of Man!) I would need to be
registered as an overseas dealer in personal information, and any UK school
using the package should be careful not to reveal the information about the
Queen to a passing adult on an open day display unless their registration
included disclosure to members of the general public.

As far as examination marks are concerned, the Act contains specific provisions
which most UK Universities have chosen to ignore. They escape by using the 40
day maximum period allowed to execute disclosure, by saying they will always
take 40 days to disclose, and because exam marks are never in the computer for
more than 39 days they will never be disclosed. The Data Protection Registrar
(effectively the relevant ombudsman) has commented that this is probably legal
but violates the spirit of the Act.  If universities keep exam data (including
continuing assessment results) on the computer, or use print-out/OCR techniques
to "cheat", they are definitely in breach of the Act. If they manually re-input
a previous year's data, they have deliberately chosen a risky route with an
obviously increased possibility of error, and they may end up violating the
measures shall be taken ... against accidental loss or destruction of personal
data".

Needless to say, these aspects of the Act are totally unworkable, and only serve
to encourage people to ignore it, even when it matters, which has a serious
"risks" component. An Act which failed to distinguish between automated and
manual methods, and which avoided the need for registration by allowing anyone
to ask anyone for data (if they have any) would be far less risky.

For further information see my paper "Computer Conferencing and Data
Protection" in The Computer Law and Security Report, March/April 1990, or the
more popular "Letter of the Law" in the (UK) Personal Computer World for May
1990. (If anyone knows of any relevant UK court case developments in the last
year, please let me know.)

Chris Reynolds    CSIRO, Division of Information Technology, PO Box 1599, 
NORTH RYDE, NSW 2113, AUSTRALIA                            +61-2-887-9480

------------------------------

Date: 13 May 91 12:16 -0700
From: bremner@cs.sfu.ca
Subject: DEC copies system software, charges pirates [ Digital Forgery ]

RISKS readers will recall the story of a DEC UK employee who attended a seminar
and copied the system software off the machine the seminar was taught on.  The
firm that gave the seminar was subsequently charged with pirating the software.

My concern is not with the cloak and dagger aspect or the actual copying, but
with the admissibility of digital media as evidence.  Audio recordings are not
admissible as evidence in any jurisdiction that I am familiar with; compared
with the tricky job of splicing together an audio tape, forging a copy of a mag
tape with system software on it is trivial.

My conclusion ( as a legal layman ) would be that the presentation of a tape
with an incriminating serial number on it would have exactly the same weight
as the presentation of a piece of paper with the same serial number scribbled
on it: none ( actually, I guess it might convince me that the witness was not
misremembering ).  What counts here is the word of the DEC employee who says:
yes, I copied this ( to tape or paper ) off of the system in question.

                               bremner@cs.sfu.ca     ubc-cs!fornax!bremner

------------------------------

Date: Mon, 13 May 91 11:41:45 EDT
From: owner-cpsr-dc@nlm.nih.gov (Larry Hunter)
Subject: Re: Free speech & government control of information (RISKS-11.60)

I feel compelled to continue the debate that Jerry Leichter and I have been
having on government control of information, particularly as it applies to the
current attempts to regulate effective encryption.  In RISKS-11.60 Leichter
says:

     There are two basic areas in which we differ.  First, Hunter
     believes I'm attempting to prescribe appropriate actions.  If I
     gave this impression, let me correct it: I'm trying to PREDICT.
     My claim is not that stricter controls are a good idea.  Rather,
     I suggest that they are an inevitable result of the direction in
     which our technologies are headed.

If Leichter thought stricter controls on the flow of information were a bad
idea, he certainly fooled me.  And the way I read the rest of his message, he
doesn't seem to object that strongly.

     (There's certainly room for a good deal of debate about
     "technological determinism" here.  It's not that I don't believe
     that alternative paths are POSSIBLE; I'm just projecting what I
     think is by far the most likely path.)

I agree that the government is very likely to attempt to dramatically extend
its already quite intrusive control over the flow of information.  Major
corporations and other socially powerful entities will also attempt to control
the flow of information that affects them.  I further agree that alternative
paths are possible.  Does it not seem to follow from those stipulations and
implication above that this control is not good, that we, as sophisticated
and privileged (i.e. well educated, financially secure) computer scientists,
OUGHT to be working to PREVENT new controls on the flow of information,
especially something as nasty and unnecessary as the prohibition of effective
encryption??!!

     The second issue grows from the first, and Hunter's view of how
     the fundamental laws of our society are determined.  To state it
     starkly: If "society" comes to believe that government controls
     on information are necessary, will constitutional limitations
     still prevent them from coming into being?  Hunter believes so; I
     think he's being naive.

I believe that I (and others) OUGHT to work hard to keep the government from
imposing the controls that it has proposed, and others like them.  The
constitution is a very powerful tool that can be used in this battle to
preserve rights that lawmakers (and even political majorities) may wish to
curtail.  I think it is one of our best tools in this battle.  It may be naive,
but it seems to me that you have a very cynical view of the role of the
constitution in this society.  (To my mind, it is America's most positive
contribution to political history.)

     The Constitution protects "speech", "religion", "the press".  It
     never defines any of these terms; case law does.  We think we
     know what they mean, and that the "clear meaning" will not
     change, but history makes it clear that these terms are quite
     malleable. ....  Note that we don't need a constitutional
     amendment to effectively change the definitions of crucial terms
     in the Constitution - all we need is a majority of the Supreme
     Court.  ... I see little reason to suppose that the courts will
     blindly accept that all computerized information is "speech", if
     society decides that some limitations on it are necessary.

True, and somewhat cynical, but recall that I am not arguing for reliance on
the supreme court to protect the ability of Americans to use effective
encryption.  I think that we ought to be educating, lobbying, FIGHTING to
preserve this aspect of the right to free speech, and that the constitution is
an important tool in this fight.  "Society" is not an entity that believes and
decides; people do.  People who, these days, are being called upon to have
opinions about many issues that were recently obscure technical minutiae.  I
suggest that we as responsible computer scientists have an obligation to
communicate, educate and act as concerned experts in the political process.

     In the past, we've generally been able to draw the line between
     things or acts and information - "mere speech"....  In the
     information age, this line becomes fuzzy.  For export, a
     description of DES is OK, a chip implementing it is not.  How
     about a good software implementation?  Should a computer virus -
     simultaneously speech (pure information) and a potentially
     dangerous "thing" - be freely publishable?

These are important questions that can (and will) be settled in the
political process, as is the question of whether the government should be able
to break all encryption schemes sold to American citizens.  Some of these
questions are easier than others.  For example, letting loose a virus or any
other kind of destructive program seems clearly action.  E.g. Robert Morris, Jr.
didn't even try a free speech defense at his trial.  Free speech is not an
international guarantee (there are many people who are denied visas to visit
the US because of their opinions or comments), so the export issue seems moot,
although someone from DEC ought to know that export restrictions can include
software...

     Let me give a non-computer example of the kind of problem we will
     face: Mr. M is a numerologist and conspiracy theorist.  He
     believes that he can track down conspiracies in the world by
     examining various numerical data related to people.  He starts a
     magazine, OutNumber, in which he regularly publishes any numbers
     he can find concerning (mainly) the rich and powerful.  Mr. M has
     a following, and he has money to pay for tips, so he has no
     problem finding all sorts of interesting numbers concerning
     people.  Soon he is publishing people's charge account numbers,
     checking account numbers, PIN's, private telephone numbers,
     cellular phone numbers, and so on.  At no time is there any
     question of Mr. M's involvement in any attempt to use this data
     for fraudulent purposes - he is sincerely interested only in his
     numerological research.

     OutNumber, and Mr. M, are probably protected under the
     Constitution as we currently construe it.  My question is, should
     they be?  Do you think there's really a social consensus that
     it's essential to protect the ravings of a Mr.  M, even in the
     face of (let us imagine) clear evidence of massive fraud by
     OutNumber readers against those "profiled" in the magazine?  How
     long do you think the courts will stand up in the face of a new
     consensus that says, hey, get rid of this guy?

I leave this intact because I think it is a good example.  I would say
that Mr. M should indeed be allowed to publish his magazine.  I for
one would suspect that anything that shut him down would also be used
to close down David Burnham's Transactional Records Analysis Center
(TRAC) which has made some remarkable inferences about the IRS and
other government activities on the basis of analysis of public
records.  I'm sure there are lots of people in the government who
would like to shut him down, and that such a law would be applied to
TRAC long before it would be applied to Mr. M's hypothetical gossip
rag.  And I suspect that existing law would adequately protect the
celebrities defrauded by readers - that's what fraud laws are for.  As
for social consensus, I recognize that the content of the Bill of
Rights is consistently supported by less than half of the population
in polls, but that does not mean it ought to be overturned or ignored.
It means that we have to act to preserve it.

     Finally, Hunter responds to my suggestion of some fiction stories
     with readings on political theory.  I have no problem with this.
     The reason I suggest fiction is that social consensus, and
     ultimately law, grow as much out of the gut as out of the head.
     Good fiction lets you explore your own gut feelings.

Emerson's book is not political theory; it is a history and explication of free
speech rights.  Read whatever you like. After all, that is the whole point of
this argument, isn't it?

Lawrence Hunter, National Library of Medicine.  Please note that I am not
speaking as a representative of the government.

------------------------------

Date: Mon, 13 May 91 13:36:50 -0500
From: Neil Rickert <rickert@cs.niu.edu>
Subject: Re: Case of the Replicated Errors: An Internet Postmaster's Horror Story

In RISKS DIGEST 11.66, Erik Fair <fair@APPLE.COM> reports on a mail problem
encountered at Apple.COM, at relay.cs.net, and at uunet.uu.net

 Erik's report made interesting reading, and does raise some issues of concern.

 However, in pointing the finger at the culprit, I believe he has pointed it
fairly and squarely in the wrong place.

>The important part is that the "To:" field contained exactly one "<" character,
>without a matching ">" character. This minor point caused the massive
>devastation, because it interacted with a bug in sendmail.

 This "minor point", as Erik calls it, is a violation of the standard for
Internet addresses (RFC822).  Many would say that this is a MAJOR point.

>Sendmail, arguably the standard SMTP daemon and mailer for UNIX, doesn't like
>"To:" fields which are constructed as described. What it does about this is the
>real problem: it sends an error message back to the sender of the message, AND
>delivers the original message onward to whatever specified destinations are
>listed in the recipient list.
>This is deadly.

  Excuse me, but this by itself is not deadly.

  Let's look at the exact set of conditions which were involved:

  1.  Mail was sent with an invalid "To:" header.

  2.  The mail was completely deliverable, in spite of the syntax error, so
      sendmail proceeded to deliver it.

  3.  Sendmail reported the error to the message originator.

  4.  Sendmail did not "repair" the syntax error.

  5.  The message was destined for a mailing list with many recipients,
      implying that the error would be rediscovered at each of a large
      number of relay points.

 The combination of all of these was involved in the error.

 Erik points his finger only at items 2 and 3.  This, I believe, is incorrect.

 In spite of the syntax error, it is correct to attempt to deliver the mail
if this is still possible.  Robustness requires this.

 Once a serious error has been discovered, it is correct to report this.
Reliability of systems depends on reporting of errors.

 Items 2 and 3, then, are just plain good programming practice.  They cannot
be blamed for this problem.

 Look now at item 4.  There is no question that had 'sendmail' repaired the
problem header this would have avoided the problem.  Unfortunately there are
no standards as to how this should be done.  The RFCs recommend against
modifying headers.  Perhaps some provision should be included that where
an invalid header causes an error to be reported, that header must be
"repaired" in some way before the message is sent on.  Perhaps the best way
to repair the header would have been to relabel it as say "Invalid-To:"
or something equivalent, which hopefully would prevent a further syntax
analysis at future sites.  But, to implement something like this requires
a standard.

 Certainly sendmail can be indicted for item 4.  But its guilt is secondary
to that of the originating mailer which emitted the erroneous header in the
first place.  Thus the finger here should be pointed back fairly and squarely
to Apple.COM, with only contributory negligence on the part of sendmail.

 The primary problem, however, is in item 5.  For a normal mail message
with a handful of recipients, each relayed through a modest number of hosts,
the number of messages would have been quite small.  It is because this
message is to a mailing list that so many problems arose.

 The conclusion is clear.  Administrators of mailing lists have a special
responsibility.  It is not enough to use an aliases entry to replicate the
original message.  The mailing list must be considered to be creating a new
message based on the contents of the original message.  As such it must
take care to meet the various standards for mail (such as RFC822).  This
should involve validation and repair, if necessary, of any required headers.

Neil W. Rickert, Computer Science, Northern Illinois Univ., DeKalb, IL 60115
                                   +1-815-753-6940

------------------------------

Date: Mon, 13 May 91 17:16:06 -0700
From: "Erik E. Fair" (Your Friendly Postmaster) <fair@apple.com>
Subject: Re: Case of the Replicated Errors: An Internet Postmaster's Horror Story 
To: Neil Rickert <rickert@cs.niu.edu>

I disagree [with Neil].  I would have no problem with sendmail logging that a
syntax error was found. What I object to is that it BOTH reported the error
back in a separate message to the sender, AND forwarded the message onward to
other waiting sendmail which would do the same thing. This is a recipe for
disaster, as I saw.

Sendmail should either bounce the letter, or deliver it with no further
comment than a log entry. It should NEVER report an error in a return
message when it is not the MTA doing final delivery, unless it is
actually bouncing the letter, and will not forward it further.

And this has nothing to do with mailing lists - it can (and will)
happen if a user just sends out to a list of 100 people, with no
formally set up mailing list involved.

	Erik E. Fair	apple!fair	fair@apple.com
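The two positions in this thread (Rickert: a mailing list re-emitting a message must validate and, if necessary, relabel a bad header; Fair: a relaying MTA should either bounce or forward with nothing more than a log entry, never forward AND mail an error report) can be set side by side in a small model. This is an added example written for this digest, not sendmail's code and not from either poster; the relay hop counts and the 100-recipient list are constructed, and the "Invalid-To:" relabeling follows Rickert's suggested convention.

```python
# Added example (not sendmail's code, not from the RISKS posts): a toy model
# of the "Replicated Errors" thread. Hop counts and recipient counts are
# constructed; the "Invalid-To:" relabeling is Rickert's suggested convention.
from dataclasses import dataclass
from typing import Dict, List, Optional


def angle_brackets_balanced(value: str) -> bool:
    """True when every '<' in an address header has a matching '>'.
    A lone '<' (the header that triggered the Apple incident) fails here."""
    depth = 0
    for ch in value:
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
            if depth < 0:          # a '>' before any '<'
                return False
    return depth == 0


def bad_address_headers(headers: Dict[str, str]) -> List[str]:
    """Names of the address headers that fail the bracket check."""
    return [name for name, value in headers.items()
            if name.lower() in ("to", "cc") and not angle_brackets_balanced(value)]


def repair_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Rickert's repair: relabel the bad header (e.g. To: -> Invalid-To:) so that
    later relays no longer parse it as an address list and re-report the error."""
    fixed = dict(headers)
    for name in bad_address_headers(headers):
        fixed["Invalid-" + name] = fixed.pop(name)
    return fixed


@dataclass
class Outcome:
    delivered: int = 0       # copies reaching a final recipient
    error_reports: int = 0   # separate error messages mailed back to the sender
    log_entries: int = 0     # local log lines (nobody is mailed)


def relay(headers: Dict[str, str], policy: str, out: Outcome) -> Optional[Dict[str, str]]:
    """One MTA hop under a given policy. Returns the headers to forward,
    or None when the hop bounces the message and forwards nothing."""
    if not bad_address_headers(headers):
        return headers                       # clean message, just relay it
    if policy == "report_and_forward":       # the behaviour Fair described
        out.error_reports += 1
        return headers
    if policy == "log_and_forward":          # Fair's first alternative
        out.log_entries += 1
        return headers
    if policy == "bounce":                   # Fair's second alternative
        out.error_reports += 1
        return None
    if policy == "report_repair_forward":    # Rickert's suggestion
        out.error_reports += 1
        return repair_headers(headers)
    raise ValueError(f"unknown policy {policy!r}")


def simulate(headers: Dict[str, str], policy: str,
             pre_hops: int, recipients: int, post_hops: int) -> Outcome:
    """Sender -> pre_hops relays -> list exploder -> `recipients` paths of
    post_hops relays each. Counts what the sender and recipients experience."""
    out = Outcome()
    msg: Optional[Dict[str, str]] = dict(headers)
    for _ in range(pre_hops):
        msg = relay(msg, policy, out)
        if msg is None:
            return out                       # bounced before the exploder
    for _ in range(recipients):
        copy: Optional[Dict[str, str]] = dict(msg)
        for _ in range(post_hops):
            copy = relay(copy, policy, out)
            if copy is None:
                break
        else:
            out.delivered += 1
    return out


# Constructed message: one '<' with no matching '>' in the To: field.
BAD_MESSAGE = {
    "From": "sender@example.invalid",
    "To": "<list@example.invalid, other@example.invalid",
    "Subject": "constructed sample",
}

if __name__ == "__main__":
    for policy in ("report_and_forward", "log_and_forward",
                   "bounce", "report_repair_forward"):
        print(policy, simulate(BAD_MESSAGE, policy, 1, 100, 2))
```

With one relay before a 100-member list and two relays after it, the reported behaviour mails the sender 201 error reports while still delivering all 100 copies; logging only, bouncing at the first hop, or reporting once and relabeling the header each produce at most one message back to the sender. The point Fair makes about plain 100-recipient messages holds in the model too: the multiplier is the number of recipient paths times the hops on each, whether or not a formal list is involved.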

------------------------------

Date: 13 May 91 14:43:39
From: consp04@bingsunp.bingsuns.cc.binghamton.edu (Dan Boyd)
Subject: Re: Case of the Replicated Errors: An Internet Postmaster's Horror Story
Sender: usenet@bingvaxu.cc.binghamton.edu (Mr UseNet)

Just goes to show you how hairy sendmail is -- a single misplaced open-bracket,
and suddenly your site switches into Craig-Shergold mode...
                                                          -- Dan
Daniel F. Boyd

------------------------------

Date: 14 May 91 01:39:24 EDT
From: Leonard Erickson <70524.2603@compuserve.com>
Subject: Re: Netware LOGIN problems (John Graham-Cumming, RISKS-11.65)

>I'm managing (at least for the moment) a Novell network running Netware
>286. I've recently realised that it is possible to pipe a file into the LOGIN
>command.  This has the rather unfortunate effect that it is possible to
>write a Trojan horse which simulates login

Well, under Netware 2.11 (the oldest version that I've worked with), piping
does *not* work. The password must be entered from the keyboard (or stuffed
into the keyboard buffer).

So the first solution would be to update your software. Stuffing the
keyboard buffer is still a loophole, but vulnerability is very limited if
proper security is used. For instance, not allowing users to write files
in the LOGIN directory on the network. This requires the trojan to be
installed on a particular machine. And requires the "owner" of the program
to visit that machine to get the info.

For statistical purposes, we wrote a program that is run as part of the system
login script that saves whatever strings are passed to it to a globally
*writable* file. We save the Physical-ID, the login name, the date, time and a
few other things.

This turned out to be *very* useful the one time someone submitted a "fake"
request for a user account. Once the fake user was called to our attention (he
wrote some objectionable email), it was a matter of a few minutes to grep through
the log and find which stations he'd used and when... from there, it was easy
to find him.

We also limit most users to *one* connection at a time. This makes it very
obvious if anybody tries to use someone else's account at the same time as they
are on line.

As others have noted, it is users ignoring good security practices that is
the biggest problem. I've come in early on a Monday morning and discovered
that users in an open area (office cubicles), had not only left their
machine logged in all weekend, but that they had left them inside the mail
program. I wandered over and sent them a letter "from themselves" warning
them that I could have sent *anything* to *anyone*. Didn't faze them. 
<sigh>
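The login-script audit file Erickson describes supports the two checks he mentions: finding which stations an account was used from, and noticing the same account in use from two places at once. Below is an added example of those checks, not Erickson's program; the record layout (Physical-ID, login name, date, time separated by "|") and every line of the sample log are constructed, and the junk line stands in for what a globally writable file will eventually contain.

```python
# Added example (not Erickson's program): parse a login-audit file of the kind
# he describes and answer the two questions he used it for. The record format
# (Physical-ID|user|date|time) and every line of SAMPLE_LOG are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class LoginRecord(NamedTuple):
    station: str        # Physical-ID: the workstation's network adapter address
    user: str           # login name presented to LOGIN
    when: datetime


SAMPLE_LOG = """\
00001B2A3C4D|jsmith|1991-05-10|08:42:17
0000C0FFEE01|ahall|1991-05-10|09:03:55
00001B2A3C4D|jsmith|1991-05-10|13:15:02
0000C0FFEE02|qwerty|1991-05-11|22:47:30
0000C0FFEE03|qwerty|1991-05-11|22:51:09
0000C0FFEE02|qwerty|1991-05-12|23:02:44
this line is junk written by someone else into the world-writable file
"""


def parse_log(text: str) -> List[LoginRecord]:
    """Parse one record per line, skipping anything malformed: the file is
    globally writable, so junk (accidental or deliberate) must be expected."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        station, user, date, time = parts
        try:
            when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        records.append(LoginRecord(station, user, when))
    return records


def stations_for_user(records: List[LoginRecord], user: str) -> List[Tuple[str, datetime]]:
    """The 'grep through the log' step: which stations did this account use, and when?"""
    return sorted((r.station, r.when) for r in records if r.user == user)


def near_simultaneous_logins(records: List[LoginRecord],
                             window: timedelta = timedelta(minutes=10)
                             ) -> List[Tuple[str, str, str, datetime, datetime]]:
    """Same account, two different stations, within `window` of each other.
    With a one-connection-per-user limit the second login would have been
    refused; here it is surfaced from the audit trail as an account-sharing
    (or borrowed-account) candidate. Login-only records cannot prove overlap,
    so this is a lead to check, not a verdict."""
    by_user: Dict[str, List[LoginRecord]] = defaultdict(list)
    for r in records:
        by_user[r.user].append(r)
    hits = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r.when)
        for a, b in zip(recs, recs[1:]):
            if a.station != b.station and b.when - a.when <= window:
                hits.append((user, a.station, b.station, a.when, b.when))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for station, when in stations_for_user(recs, "qwerty"):
        print(f"qwerty logged in at {station} on {when}")
    for hit in near_simultaneous_logins(recs):
        print("check:", hit)
```

Because the file is writable by everyone who runs the login script, the parser treats it as untrusted input and drops anything it cannot read rather than failing; the same property means a record's presence is evidence to follow up at the station, as Erickson did, not proof on its own.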

------------------------------

Date: Mon, 13 May 91 15:57:53 EDT
From: cook@csel4.eng.ohio-state.edu
Subject: Emergency off switch - IBM 1620

There was real concern in the days of the IBM-1620 and early 360's that the
need to destroy the link to power would arise.  In some versions, pulling the
switch caused a sort of knife blade to sever the cables.

These precautions were seldom needed.  Most centers, including the one in which
I operated the 1620 and 360, had an elaborate power control system which shut
off power to the computer, the lights, the terminals, and the air conditioning.
R.I.Cook, M.D.

------------------------------

End of RISKS-FORUM Digest 11.67
************************