[comp.risks] RISKS DIGEST 10.78

risks@CSL.SRI.COM (RISKS Forum) (01/23/91)

RISKS-LIST: RISKS-FORUM Digest  Tuesday 22 January 1991 Volume 10 : Issue 78

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***NOTE: SOME MAIL TO RISKS WAS APPARENTLY LOST OVER THE WEEKEND. PLS RSND.***
  Contents:
(No) Viruses in Iraq's EXOCET? (Klaus Brunnstein)
Risks of NOT believing war game models (Bob Estell)
Re: MoD computer stolen in UK (Olivier M.J. Crepin-Leblond)
Re: Computer program gives police a bum rap (William H. Glass)
Voting by Phone (Evan Ravitz, PGN)
(More) word processor atrocities (Pete Mellor)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in 
 good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive 
 "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
 FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR> (where i=1 to 10, j is always TWO digits. Vol i
 summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye" logs out.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues
 of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: 15 Jan 91 11:10 GMT+0100
From: Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.dbp.de>
Subject: (No) Viruses in Iraq's EXOCET?  (Misguided Missiles)

French press (La Liberation) and media reported (Jan.10) in some detail that
computer viruses could be planted, either in advance or afterwards, in French
EXOCET rockets to influence their performance such as to misguide them.
Following a report of the German Press Agency (dpa), German media (on Jan.11)
were full of reports about "viruses in Hussein's rockets".  According to dpa,
(unnamed) French computer scientists said:

   - manufacturers of war material usually implant, "for mere commercial
     reasons", viruses in exported war electronics to provoke, after some time,
     faults and "profitable repair work";

   - though Iraqi weapon computers are "hermetically cut-off from the outside
     world", computer viruses could be implanted e.g. via "weather data";

   - moreover, the built-in computers contain programs which may be triggered
     remotely; the control system of (French-built) EXOCET rockets could be
     switched off from French ships; the only problem would be the mass of
     weapon computers to be switched off simultaneously.

As usual in events related to malicious code, truth is mixed up with
misunderstandings, errors and impossibilities:

   - the implementation of weapon software makes self-reproducing programs
     (=viruses) impossible; moreover, it is very improbable that such systems
     may be (re-)programmed remotely; French "experts" with such arguments are
     not to be trusted;

   - on the other hand, other aspects of "malicious code" may well be present
     in weapon computers; at least in the test phase, rockets can be destroyed
     by triggering a self-destruction system remotely; following the
     well-established principle "never change a running program", such
     "backdoors" (the proper name for this type of malicious code) could
     survive the test version;

   - moreover, French system analysis might well have foreseen scenarios in
     which to defend against French-made rockets (e.g. EXOCETS); French
     warships might remotely influence the EXOCET control systems if this
     remains unchanged by the (Iraqi) users of such technology; with
     equivalent probability, other Western weapon control systems could contain
     similar self-protection mechanisms (e.g., US Hawk missiles having been
     captured in Kuwait);

   - finally, it is well-published (even in non-military periodicals) that and
     how electronic countermeasures (ECM) may mislead weapon electronics.

Some interesting questions following from such "possibilities":

   - May Iraq detect, influence or adapt such weapon software? As software
     technology is not well enough developed in Iraq (and most of the Arab
     world), they probably must rely on foreign experts (as they evidently do
     in other Hi-Tech areas).

   - If French EXOCET rockets are remotely controllable: why did the French not
     warn their "friends" who suffered severe losses through their weaponry
     (e.g., UK in the Falklands crisis, or US in the Iran crisis, see accident
     of USS STARK)?  Do they at least now warn and properly equip their allies
     in the Arabian desert?
 
For "RISK experienced" experts, it is not surprising that misinformation lives
best in threatening situations (such as at the Gulf); apart from general
attitudes of newsmedia, computer scientists who nominate their technological
constructs (e.g., "self-reproducing programs") in such inadequate terms as
"viruses" (see also: "intelligence", etc.) are highly responsible for
misinterpretation and misunderstanding by less well informed media people and
the public!  On the other side, authorities and the public only in such
threatening circumstances become aware of riskful assumptions inherent in
contemporary computer systems.  Such unfortunate experience may lead to the
cynical assumption that risks may best be conceived by (hopefully: moderately)
"ex post" experiencing them, rather than analysing and avoiding them "ex ante".

Postscriptum: computer "viruses" may nevertheless play a role in "Operation
Desert Shield".  There are (yet unconfirmed) news items that several thousand
PCs (5000?) have been infected by ordinary "computer viruses".  This would not
be a surprising experience, as the soldiers had to "waste" ample time waiting
for Jan.15; in the absence of other possibilities for spending free time,
computer games (usually a source of "virus" infections) may have played a major
psychological role, maybe with some impact on their "ordinary functional
behaviour".

------------------------------

Date: 14 Jan 91 17:34:00 PDT
From: "FIDLER::ESTELL" <estell%fidler.decnet@scfb.nwc.navy.mil>
Subject: risks of NOT believing war game models

The risk of NOT believing war gaming models should be revisited, in view
of the Congress' vote this past weekend.

In all such "contests" (sports games, wars ...) there is always a chance,
regardless of how low the probability, that some rare event may occur; e.g.,
"mighty Casey may strike out."  This is particularly true when one side (or
both) have some players with particularly LOW vulnerability, and/or some
weapons with particularly HIGH lethality.  The outcome of the "game" will vary
drastically, depending on what happens to these "superior" players/weapons -
and WHEN it happens.

To take a hypothetical case, based on history, SUPPOSE that Gen. Custer had
gone into his last stand with a hundred Gatling guns; and suppose that those
operating these guns had plenty of ammo, and were lucky enough not to be
wounded -- at least, until they had done their (dirty) work.  One might imagine
that it would have been Custer's greatest victory.

IF the Congressional debaters were right, Iraq has some "unusual" weapons; IF
these weapons survive long enough to be used, who knows what the outcome might
be?  The lesson of the Spanish Armada's defeat suggests that Gen. Eisenhower
and others were right: After the war starts, no one knows ...
                                                                   Bob

------------------------------

Date: Thu, 17 Jan 91 16:20 BST
From: "Olivier M.J. Crepin-Leblond" <UMEEB37@vaxa.cc.imperial.ac.uk>
Subject: Re: MoD computer stolen in UK

	Just a quick word to advise RISKS readers that the MOD laptop computer
stolen in UK has been recovered by the MOD. The information was in the press
last week. There was no mention of any arrest. Understandably, since the Gulf
hostilities have just started, the MOD is keeping full secrecy about the
outcome of the story.
	The fact that classified military information was present on the hard
disk of a laptop computer would certainly seem to be a risk in itself. It is
even more unbelievable that the laptop was left unattended in a car in Acton
(West London), which is not the safest of areas in London. I certainly would
not leave a laptop (if I had one) in my car in that area!
	When computers were as large as a bus, there was no risk of one being
"lost" in nature. Now they are so small that one can carry them all around the
place. And since a small plastic box looks less important than 20Mb worth of
printed paper (with red ink warning notices), it is worrying that the holder of
this box becomes that negligent.

Olivier M.J. Crepin-Leblond, Elec.Eng. Dept, Imperial College London, UK.

   [The computer's return was also noted by Steve Bellovin
   (smb@ulysses.att.com), Margaret Fleck <fleck@robots.oxford.ac.uk>,
   Tim Steele <tjfs@tadtec.uucp> (who added that although the MoD refused
   to reveal the contents of the note, they said that it convinced them that 
   the data is secure), and Charles Bryant <ch@dce.ie>.  THANKS!  PGN]

------------------------------

Date: Tue, 15 Jan 1991 00:00:11 CST
From: glass@vixvax.mgi.com (William H. Glass)
Subject: Re: Computer program gives police a bum rap (Smallberg, RISKS-10.77)

In RISKS-10.77, David A Smallberg writes about the problems of a police
department determining its crime solving record.  This reminds me of a problem
I observed years ago while working on a research project studying crime
statistics.  The city of Philadelphia had one of the lowest auto theft rates of
any major city in the US.  One of the principal reasons for this was that if
the car was recovered within 24 hours (as many are), the crime was reclassified
as "joy riding".  The Philadelphia police liked this system because it looked
like good publicity to have a low auto theft rate.  Then, a new federal program
was started that among other things gave funding to local police departments
based on the number of auto thefts.  As you might guess, suddenly Philadelphia
suffered a major increase in auto thefts.

William H. Glass, Management Graphics, Inc., 1401 E. 79th Street, Minneapolis,
MN 55425              Phone: +1 (612) 854-1220         Internet: glass@mgi.com

------------------------------

Date: Mon, 14 Jan 91 23:39:46 MST
From: eravitz@isis.cs.du.edu (Evan Ravitz)
Subject: Voting by Phone

SECURITY & PRIVACY OF VOTING BY PHONE

The ultimate demonstration that Voting by Phone is reliable is this: we intend
to publish not only the election totals, but how each and every Voter ID number
voted, so you can check that your vote got through correctly.  Since the ID
numbers would be assigned anonymously (drawn randomly from a hat, say) nobody
could possibly know how you personally voted.  Since the "password" part of the
number would not be published, nobody could steal your vote at the next
election, having seen your ID number in the results.

Most usefully, the results could be published on a computer diskette (and be
available for inspection at election offices and libraries) so anyone could
check that the individual anonymous votes indeed added up to the all-important
totals.

This is in keeping with our desire to publish the program that controls the
computer that runs the phone election.  Currently, all the programs (computers
already count most votes in the US) are proprietary software and not open to
our inspection and rarely that of the election officials.

The use of "Caller ID" (also called Automatic Number Identification) to
identify voters by the phone numbers they call from can be easily defeated by
simply voting from any phone other than your own.  Eventually special
solid-state 'smart cards' used with your phone could encrypt your voting so
that you could vote totally anonymously from your own phone as well.

Responding to November's comments:

Voting by phone does not disenfranchise the phoneless!  Phone booths are far
more common than voting booths and of course the call should be free.  Some are
always further from the polls than others -- think of rural dwellers, and how
this would help them.

In Colorado as well, no ID is needed to vote.  They take your signature, but it
is not compared to anything unless you are challenged, which would only occur
if the judges happened to know you personally.  The system is archaic and
relies on the judges knowing us by sight.

The problem of the use of caller ID to prevent 'hackers' from constantly
calling, disenfranchising poor neighborhoods with only 1 phone, can be solved
thusly: register these phones so the system expects many calls from them.  But
this is likely unnecessary as most attempts to 'guess' ID numbers will fail --
the system needs to lock out only phones that repeatedly try and fail.

Proxy voting should be criminalized and a reward offered for turning in anyone
offering to buy votes.  If one expects coercion, 'prevoting' would preempt
anyone forcing their choice on you.  And since reporting coercion (by phone)
would bring a reward this problem would be minimized.

The 'California problem' of voting on so many issues at once is actually
another benefit of voting by phone -- why struggle with 40 at once when each
could get its own week-long 'slot'?  This also makes voting more timely and
your ID easier to remember. Phone voting makes this economically practical.

Telephone service bureaus are prepared now with 1000s of lines for just such
applications as phone elections.  By opening the lines for several days (voting
by mail and absentee are precedents for this) and educating people to spread
out their voting, busy signals should be a very small problem indeed.

The main problem of getting the ID numbers to the right people is solved by
having them come in to register for the new system, once.  This would also
prevent them from voting in person as well, just like voting by mail (formerly
'absentee') does.

'Writing in' candidates can be replaced with 'speaking in' their names, along
with the spelling.  The infrequency of write-ins will prevent the transcription
from becoming a major expense.

No system is perfect.  But phone voting is more secure, inexpensive,
convenient, and ecological than our archaic system.  That's why most modern
business is done by phone-polling, international banking, e-mail, etc.  The
reason this wasn't done long ago is because it is also the tool for a more
direct democracy -- voting on more referenda and initiatives more often -- and
this threatens the hegemony of our 'representatives', who now rule with the
approval of a diminishing minority of Americans.

The Voting by Phone Foundation can be reached at 774 19th St, #5, Boulder CO
80302 or (303) 444-3596 or eravitz@nyx.cs.du.edu.  We'd be happy to send you
our brochure, or the E-mail version.

Evan Ravitz, Director

------------------------------

Date: Tue, 22 Jan 1991 15:51:51 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Voting by Phone

Evan Ravitz' contribution makes an interesting case, although it fails to
adequately address some of our classic vulnerabilities, such as bogus votes
inserted by insiders (or outsider/insider collusions).  (Insiders could also
juggle the expected total number as well.)  No one would complain that HIS or
HER vote was missing, and yet no one would be able to notice the bogus votes!
Another problem is that people would tend to write down their ID/password, and
either forget it or lose it between elections.  Insiders could also wait until
the last minute before closing time and instantaneously vote for those who
hadn't yet gotten around to it.  But there is much merit to the idea.  PGN
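A small model of the published-results check Ravitz describes and of the insider-stuffing gap Neumann raises, added here as an illustration; it is not code from either post or from the Voting by Phone Foundation. The records, ID numbers and totals are constructed, and IDS_ISSUED with record_count_matches_roll are an assumed extra check (an independently held count of registration IDs) that neither post mentions.

```python
import collections

# Constructed sample: published (anonymous voter ID, choice) records as the
# Foundation proposes; the unpublished "password" half of each number is absent.
PUBLISHED_RECORDS = [
    ("4817", "yes"), ("0923", "no"), ("7730", "yes"),
    ("2266", "yes"), ("5102", "no"),
]
PUBLISHED_TOTALS = {"yes": 3, "no": 2}
# Assumption not in either post: a count of IDs handed out at in-person
# registration, held independently of the tally computer.
IDS_ISSUED = 5


def recount(records):
    """Tally the published records, as anyone with the diskette could."""
    return dict(collections.Counter(choice for _, choice in records))


def totals_match(records, totals):
    """Ravitz's check: do the anonymous votes add up to the published totals?"""
    return recount(records) == totals


def my_vote_recorded(records, my_id, my_choice):
    """A voter's own check: exactly one record for my ID, with my choice."""
    return [c for vid, c in records if vid == my_id] == [my_choice]


def stuff_ballots(records, totals, n, choice):
    """Model of Neumann's insider: append n records under unused IDs and
    bump the published totals to match. Returns new copies."""
    used = {vid for vid, _ in records}
    new = list(records)
    i = 0
    while len(new) < len(records) + n:
        cand = f"{9000 + i:04d}"
        i += 1
        if cand not in used:
            new.append((cand, choice))
            used.add(cand)
    new_totals = dict(totals)
    new_totals[choice] = new_totals.get(choice, 0) + n
    return new, new_totals


def record_count_matches_roll(records, ids_issued):
    """Caveat: stuffed records show up only against the independent roll."""
    return len(records) == ids_issued
```

Both published checks still pass on the stuffed list and every genuine voter still finds their own vote, which is exactly the gap Neumann points at; only the count against the independently held roll detects the extra records.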

------------------------------

Date: Mon, 14 Jan 91 09:49:20 PST
From: Pete Mellor <pm@cs.city.ac.uk>
Subject: Word processor atrocities

On the general theme that a word processor does for words what a food processor
does for food, in his column in the Observer on the Sunday before last, Simon
Hoggart recounted the tale of a novelist who decided at the last minute to
change her main character's name from David to Jeff, with the result that a
piece of dialogue about sculpture referred to the previously unknown work
"Michelangelo's Jeff".

He followed it up last Sunday with a medical study which was originally written
with the family name of the subject of the research given only as "B", to
preserve confidentiality. For some reason, it was decided that the full name
could, after all, be used, which led to the discovery of the new disease
"Hepatitis Blenkinsop".

Peter Mellor, Centre for Software Reliability, City University, Northampton Sq.,
London EC1V 0HB +44(0)71-253-4399 Ext. 4162/3/1 p.mellor@uk.ac.city (JANET)

    [Also noted by smith@canon-research-europe.co.uk (Mark Smith).]

------------------------------

End of RISKS-FORUM Digest 10.78
************************