[comp.risks] RISKS DIGEST 11.37

risks@CSL.SRI.COM (RISKS Forum) (04/04/91)

RISKS-LIST: RISKS-FORUM Digest  Wednesday 2 April 1991  Volume 11 : Issue 37

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

  Contents:
An ancient method for assuring software quality (Martin Minow)
Risks of using your telephone Calling Card in a COCOT (John R. Covert)
Computers and evidence (Steve Bellovin)
E-mail role in LA cop probe (Sean Eric Fagan, PGN)
Sierra Club and Electronic Voting (Ed Ravin)
Leonard Rose and UNIX root access (Steve Bellovin)
Justice Department's One Big File (Clifford Johnson)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in 
 good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive 
 "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.  For
 vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 11, j always TWO digits).  Vol i
 summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues
 of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Sun, 31 Mar 91 21:03:08 PST
From: Martin Minow  01-Apr-1991 0000 <minow@ranger.enet.dec.com>
Subject: An ancient method for assuring software quality

Is it possible that the solution to the software quality crisis was discovered
in Korea in the 15th century?  The following is from Daniel J. Boorstin, "The
Discoverers" quoting, apparently, Kim Won-Yong, "Early Movable Type in Korea"
(1954):

    "The supervisor and compositor shall be flogged thirty times for an error
    per chapter; the printer shall be flogged thirty times for bad impression,
    either too dark or too light, of one character per chapter."

Boorstin continues, "This helps explain both the reputation for accuracy earned
by the earliest Korean imprints and the difficulty that Koreans found in
recruiting printers."

Martin Minow		minow@ranger.enet.dec.com
[The date of submission of this is a coincidence, of course.]

        [This gives a new meaning to the concept of making a good impression.
        Both the Imprints of Darkness and Imprints of Lightness are evil!
        Kiss either one and he (distractedly) turns into a Flog.
        But if they succeed, they can have a moveable type feast.  
        Strongly typed, at that.  PGN]

------------------------------

Date: 2 Apr 91 16:21:37 GMT
From: covert@covert.enet.dec.com (John R. Covert)
Subject: Risks of using your telephone Calling Card in a COCOT
Newsgroups: comp.risks,comp.dcom.telecom,alt.drugs

I cannot vouch for the accuracy of the following story, which I heard
yesterday.  There does seem to be substantial risk here:

According to the story, a company which leased COCOTs (Customer Owned Coin
Operated Telephones) to businesses in New York, Chicago, and Los Angeles was
discovered to have turned all 1000 of their phones into Calling Card thieves.

The scheme was simple: The phones, like most COCOTs, are located inside or
outside small businesses.  The business contracts with the leasing company for
maintenance of the phones; as part of the contract the leasing company obtains
a percentage of all money collected by the phone, paid by the small business
out of the receipts in the coin box.  In addition, the leasing company pays the
business a percentage of the money collected by Alternate Operator Services
(AOSs) for calls billed to Calling Cards.

The COCOTs include a modem used by the COCOT operator to call into the phone in
order to set rate tables and to collect usage data for accounting purposes.
This COCOT operator had modified the accounting program to collect and report
the calling card numbers used by people placing calls from the phone.  The
calling card numbers (AT&T, Sprint, and MCI) were then sold to drug dealers and
resulted in over ten million dollars in fraudulent calling before the pattern
was discovered and the owners of the COCOT service company were arrested.

Police recommended using cash, not calling cards, from all telephones not
bearing the identification of the local phone company.
                                                                /john

------------------------------

Date: Mon, 01 Apr 91 22:15:07 EST
From: smb@ulysses.att.com
Subject: Computers and evidence

There's a fairly sensational murder trial going on now in New York that may be
of interest to RISKS readers.  Of course, I'm not referring to the more mundane
attractions of the trial -- plenty of sex, a seedy private eye, and all manner
of fascinating behavior -- but rather to some conflicting pieces of evidence
that the prosecution and defense have introduced.

The entire case is circumstantial, so every item counts.  To demonstrate that
the defendant called a particular gun store the day of the murder, the district
attorney introduced a printout made from MCI's microfiche copies of phone
bills.  Sure enough, the call was listed.  The defense countered with what it
claimed was the original of the phone bill.  That call wasn't shown, but a call
to the defendant's mother was shown, at a time that would provide an alibi for
the time of the killing.

The prosecution countered with a billing systems expert who claimed that MCI
bills for the month in question should include a particular slogan; this one
lacked it.  Another MCI employee said that he had reviewed the original tapes
in question, and the gunshop call was there, but not the alibi call.  The
defense attorney was astute enough to ask what proof there was that no one had
tampered with the tape, and how good the access controls were on the tape
library.  The next go-round featured an FBI computer type who said that he,
too, had reviewed the tapes, and found the prosecutor's call; however, he
apparently couldn't explain why other calls shown on the microfiche were not on
the tape.  (I may have some details wrong; local media coverage has been less
than stellar.  One radio station has been doing things like calling defense
questions ``desperation tactics''.  And the New York Times referred to the
tapes as the ``Volser tapes'', as if that were the name of the billing system.
I suppose it might be, though given IBM's JCL nomenclature I find that notion a
bit improbable...)

I won't even say that the jury is still out on this case, since it hasn't
progressed that far yet.  Stay tuned for the next episode of ``As the Disk
Turns''....
                    		--Steve Bellovin

------------------------------

Date: Mon, 1 Apr 91 13:00:04 PST
From: Sean Eric Fagan <seanf@sco.com>
Subject: E-mail role in LA cop probe

Taken from the March 25 Computerworld

Electronic messages transmitted between computers assigned to three Los
Angeles police officers suspected in the beating of a black motorist could
be used as evidence to show "intent to harm," according to legal experts.
[...]  [Dialogue omitted]
Legal experts say they know of no previous case in which electronic messages
have been used as evidence in a criminal case.  Most agreed that such
communications are likely to be treated as recorded voice transmissions.
[end excerpts]

Obvious RISKS spring to mind, such as: how secure is the identification (or,
put another way, how easy is it to forge messages)?  Giving electronic messages
the same validity as recorded voice is a bad move, it seems to me.  
                                                                      Sean.

------------------------------

Date: Tue, 2 Apr 91 9:13:40 PST
From: RISKS Forum <risks@csl.sri.com>
Subject: Re: E-mail role in LA cop probe

We have been around on this one numerous times before in RISKS.  Even with
elaborate techniques (e.g., multikey encryption facilities), essentially any
message can be spoofed, tampered with, or destroyed altogether, given suitable
system access.  Therefore, essentially any evidence provided by a system COULD
have been tampered with, even though it may be unlikely in a particular case.

------------------------------

Date: Wed, 3 Apr 91 16:41:41 GMT
From: eravin@panix.UUCP (Ed Ravin)
Subject: Sierra Club and Electronic Voting

The Sierra Club, in their board elections, have sent paper ballots to all
their members, who are asked to return the ballot with the appropriate
votes checked in.  There is no name or other identification on the ballot,
except for a computer-printed number and the caption "This random number
tells the computer that the voter is a member in good standing...  It is
not related to the membership number".

Anonymous verification of ballots?  If their scheme is sound, then it
shouldn't matter if the ballots are mailed in or keyed in over the phone
or some other computer-assisted device.  Does anyone out there know
what system Sierra Club is using or is able to comment on similar systems?

Ed Ravin,  cmcl2!panix!eravin    philabs!trintex!elr 
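The scheme Ed describes (a random number that proves membership but is not
derived from the membership number) can be sketched in a few lines.  The
following is an added illustration, not Sierra Club's system, whose details
the digest does not have; the member IDs are constructed and the registry
layout is an assumption.  It shows where the scheme's anonymity actually rests:
the tallying side keeps only hashes of issued numbers, so it can check "issued,
not yet used" without learning who voted, but the printing step is the one
place where number and member meet, and the link is only as private as that
step's discipline in not retaining it.

```python
import hashlib
import random
import secrets


def issue_ballots(member_ids, rng=None):
    """Issue one random ballot number per member in good standing.

    Returns (registry, envelopes).  The registry, which is all the tallying
    computer keeps, holds only SHA-256 hashes of the issued numbers, so it
    cannot be joined back to a membership number.  The envelopes list models
    the single step where number and member must meet (printing and mailing);
    it is shuffled and must not be retained once the ballots are in the post.
    """
    rng = rng if rng is not None else random.SystemRandom()
    registry = {"valid": set(), "used": set()}  # assumed layout
    envelopes = []
    for member_id in member_ids:
        number = secrets.token_hex(8)  # 64 random bits, unrelated to member_id
        registry["valid"].add(hashlib.sha256(number.encode()).hexdigest())
        envelopes.append((member_id, number))
    rng.shuffle(envelopes)
    return registry, envelopes


def count_ballot(registry, number, choice, tally):
    """Accept a returned ballot if its number was issued and not yet used.

    Returns "accepted", "invalid" (number never issued) or "duplicate"
    (number already counted).  Only the choice enters the tally; the number
    itself is consumed and never associated with a member.
    """
    digest = hashlib.sha256(number.encode()).hexdigest()
    if digest not in registry["valid"]:
        return "invalid"
    if digest in registry["used"]:
        return "duplicate"
    registry["used"].add(digest)
    tally[choice] = tally.get(choice, 0) + 1
    return "accepted"


if __name__ == "__main__":
    # Constructed membership list standing in for the real roll.
    registry, envelopes = issue_ballots(["M-1001", "M-1002", "M-1003"])
    tally = {}
    first = envelopes[0][1]
    print(count_ballot(registry, first, "Candidate A", tally))   # accepted
    print(count_ballot(registry, first, "Candidate A", tally))   # duplicate
    print(count_ballot(registry, "not-a-ballot", "B", tally))    # invalid
    print(tally)
```

Whether returns arrive by mail or by phone makes no difference to this logic,
as Ed suggests; what changes is who can observe the number in transit, since
anyone who sees a ballot number before it is counted can vote with it.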

------------------------------

Date: Mon, 01 Apr 91 21:31:23 EST
From: smb@ulysses.att.com
Subject: Leonard Rose

	If one had root access, there was no need to hack into a system
	because one was already there.
	... [text deleted and reordered]
	I have yet to hear even a marginally literate Unix type claim
	that login.c is a realistic "hacking device."

OK, I'll byte [sic].  I consider myself more than ``marginally literate'' on
both subjects, UNIX and system security, and I'll make the blatant assertion
that login.c is a very realistic ``hacking device''.  Why?  Because many people
tend to use the same password on different machines.  If I can get your
password on some machine I've already penetrated, the odds are quite good that
I can then log in to some other machine you use.  And even if you follow proper
practice, and don't reuse passwords in different security domains, the
probability is near unity that someone on your machine isn't so careful.

Possession of a hacked login.c is the electronic equivalent of being caught
with burglar's tools or a ``deadly weapon'' (which may be as innocuous in other
contexts as a baseball bat).  The prosecutor must demonstrate intent to misuse
in such cases.  If possession of ``hacking tools'' were against the law (as far
as I know, it's not, and given how loosely many such statutes are drawn, that's
probably just as well), there would be a considerable burden of proof.  Maybe
such evidence could be produced in this case, maybe not.  But it's far from
unreasonable to claim that hacking is at issue.

	At least one computer security consultant indicated that he
	used login.c to log passwords as a way of protecting security,
	not subverting it.

Maybe so.  In that case, the charge should be extreme negligence.  I don't care
what your motives are; no responsible system administrator should ever store
cleartext user passwords online.  If you really want to analyze them, do the
analysis immediately, and dispose of the input text as soon as possible.  A
list of passwords, no matter how well protected, is an open invitation to
trouble.  The classic Morris-Thompson paper on password security gives several
lovely examples of this.
                                          --Steve Bellovin
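Steve's rule (analyze the password the instant it is presented, keep the
verdict, dispose of the cleartext) is easy to state and easy to get wrong.  The
following is an added example, not code from the digest or from any login.c; the
wordlist is a constructed stand-in for the dictionary Morris and Thompson used,
and the record layout is an assumption.  The logging login.c at issue appended
the cleartext to a file; here the only things that outlive the call are the
findings and a salted PBKDF2 hash, and the caller's buffer is zeroed on the way
out.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real dictionary; a serious check would use a
# large wordlist plus the variations Morris and Thompson describe.
WEAK_WORDS = {b"password", b"secret", b"unix", b"login", b"welcome"}


def analyze_and_discard(username, password, salt=None, iterations=100_000):
    """Inspect a password at the moment it is presented, then let it go.

    `password` is a bytearray so the caller's buffer can be zeroed before
    returning.  (CPython may still hold short-lived temporaries; the point
    shown is that nothing durable, file or record, retains the cleartext.)
    The returned record holds only the findings and a salted PBKDF2 hash.
    """
    salt = salt if salt is not None else os.urandom(16)
    try:
        lowered = bytes(password).lower()
        findings = []
        if len(password) < 8:
            findings.append("short")
        if lowered in WEAK_WORDS:
            findings.append("dictionary")
        if username.encode().lower() in lowered:
            findings.append("contains-username")
        if password.isdigit():
            findings.append("digits-only")
        digest = hashlib.pbkdf2_hmac("sha256", bytes(password), salt, iterations)
        return {  # assumed record layout: verdict plus verifier, no cleartext
            "user": username,
            "findings": findings,
            "salt": salt.hex(),
            "hash": digest.hex(),
            "iterations": iterations,
        }
    finally:
        for i in range(len(password)):
            password[i] = 0


def verify(record, password):
    """Check a later login attempt against the stored record; zeroes the buffer."""
    try:
        digest = hashlib.pbkdf2_hmac(
            "sha256", bytes(password), bytes.fromhex(record["salt"]), record["iterations"]
        )
        return hmac.compare_digest(digest.hex(), record["hash"])
    finally:
        for i in range(len(password)):
            password[i] = 0


if __name__ == "__main__":
    buf = bytearray(b"unix")  # constructed sample input
    rec = analyze_and_discard("ken", buf)
    print(rec["findings"], bytes(buf))    # ['short', 'dictionary'] b'\x00\x00\x00\x00'
    print(verify(rec, bytearray(b"unix")))  # True
```

The hash that remains is still password-equivalent against offline guessing,
which is exactly the exposure the Morris-Thompson paper catalogues; that is a
reason to run the dictionary check at the moment of entry, as above, rather
than to keep anything guessable lying around.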

------------------------------

Date:      Mon, 25 Mar 91 14:24:18 PST
From: "Clifford Johnson" <GA.CJJ@Forsythe.Stanford.EDU>
Subject: Justice Department's One Big File

The Privacy Act was supposed to prohibit file-matching across government
databases.  It contained a broad EXCEPTION to this rule, if matching was
required in order for an agency to perform a special duty.  This was supposed
to permit only individual case exceptions, but it turned out to be such a big
loophole that in no cases is matching prohibited, and automatic bulk file
matching is now routine.  What privacy advocates often fail to address in their
conceptual attacks on matching is the simple fact that the critical government
databases on people sit on the same mainframes, managed by people who report to
the same person. Fighting file-matching is at best Quixotic -- because there's
de facto One Big File.  I.e.:

Harry H. Flickinger is Assistant attorney general for administration in the
Justice Department.  Under him are officers responsible for databases that
support the FBI, the DEA, the INS, the Bureau of Prisons, civil/tax and other
divisions.  There is a new vacant post under him, for Deputy Assistant Attorney
General, Information Resources Management.  This single position is to be
responsible for ALL the Justice Department's computational needs, as reported
in Gov't Computer Week, March 18:

Q: What is your IRM philosophy?

Flickinger: [It's] unitary. Although it is diversified in what it does, the
components tend to impact one another.  Investigators go out and conduct
investigations that lead to prosecution. We have lawyers that handle that.
Prosecution may lead to incarceration.  We have the Bureau of Prisons. This
attorney general and others have said we have to look at the department as a
single entity -- to provide as much uniformity and standardization of support
as we possibly can...  The theory is, we ought to have one system that lets
virtually anybody in this department regardless of location talk to anybody
else. We're trying to promote that uniformity right across all the
administrative activities... We're going to have...  theoretically one data
center. WE THINK IT'S SMARTER TO PUT IT IN ONE LOCATION.

The article continues:

"The Justice Department's two data centers [each has 4 Amdahl 5870s, one has
another 4 IBM 3090-400Es] ... keep humming about 99 percent of the time
'sometimes 100,' [!] according to Lee Brown...  The 56 major customers include
the Drug Enforcement Administration, Immigration and Naturalization Service,
U.S. Marshals Service, Bureau of Prisons, and Interpol..."

------------------------------

End of RISKS-FORUM Digest 11.37
************************