risks@CSL.SRI.COM (RISKS Forum) (11/15/90)
RISKS-LIST: RISKS-FORUM Digest Wednesday 14 November 1990 Volume 10 : Issue 60 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Computer Mishap Forces shift in Election Coverage (bahn_pr) Voting electronically from home (revisited) (John Roe) Barclays' security: apologies! (Pete Mellor) Juicy 911 RISKS (Steve Smaha) Re: UK Software Engineer Certification (Brian Tompsett) Software Protection Tool (Dave Erstad) Sprint's voice-card system (Steve Elias, Jerry Glomph Black) Re: Carbons (Douglas W. Jones) Your Flood Stories, Please (Lindsay F. Marshall) Corrected version of Virus Conf announcement (Gene Spafford) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j<CR>; j is TWO digits. Vol summaries in risks-i.00 (j=0); "dir risks-*.*<CR>" gives directory; bye logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Fri, 9 Nov 90 16:04:31 -0500 From: bahn_pr%ncsd.dnet@gte.com Subject: Computer Mishap Forces shift in Election Coverage The Washington Post, New York Times and USA Today had ordered national vote trend analyses from Voter Research and Surveys, a company set up to do exit poll surveys and have the results analyzed by 3:30pm on Election Day, 6 Nov 90. A computer glitch prevented the results from being available at all on that day. VRS had the data, but the weighting program did not work. [Abstracted by PGN from `Computer Mishap Forces shift in election coverage, Major Newspapers faced with delays in polling data', by Lynn Duke, staff writer Washington Post, 7 Nov 90] Now what i found interesting was the idea of Sam Donaldson screaming into some programmers ear while a camera is pointed on him. "Fix the program or we'll do a story on you buddy." :-) There are some interesting risks. First that unclean data was used and second that the big news agencies now all use the same polling source. What a risk if someone hacked them to create false trends. [bahn_pr] ------------------------------ Date: Mon, 12 Nov 90 13:27:39 MST From: John Roe <johnr@hpltbg.fc.hp.com> Subject: Voting electronically from home (revisited) A Boulder CO group has rediscovered Bucky Fuller's 50-year-old suggestion that everyone should be able to vote telephonically from home or wherever. "The system is based on a personal computer hooked into [the] telephone line. [Local activist Evan Ravitz] also loaded a list of registered Boulder County voters into the computer's memory, and the system checks names against a six-digit code based on date of birth. Callers enter their selections for the ballot by entering numbers on a Touch-Tone telephone. [...] "Boulder County Clerk and Recorder Charlotte Houston ... placed a call to the system on Monday and found that could could have voted for her son and daughter by providing their birth dates or Social Security numbers." [Abstracted by PGN from `Phone voting? Boulder group says it's time', an AP story from the Loveland, Colorado, Reporter-Herald, 6 Nov 1990.] I found this article alarming for a number of reasons: First, the possibilities for massive fraud are probably obvious to all RISKs readers. For example, if (as implied by the article) one can vote for another by simply knowing either the birth date or their Social Security number, with the hardware already in my own basement plus an appropriate database (which shouldn't be too hard to come by) I could have easily changed the outcome of a number of races and constitutional amendments here in Colorado during the November 6th election. With a concerted effort I could have chosen any candidate I wished. If I knew which registered voters had not voted recently, I could even make a reasonable effort at making my fraud somewhat less detectable. Second, I was disturbed (but not surprised) that the article emphasized the "gee-wiz" aspect of the idea, but mentioned the RISKs only in passing, and ended with a statement that implied that concern over fraud were irrelevant and paranoid. The token assurances of Mr. Pelton only serve to support this perception. I have come to expect that the popular press is ill-equipped to understand, evaluate, and explain the risks of technology to their readers (or viewers, in the case of television). This latest example only reinforces my expectations. Finally, and perhaps most significant, was the cavalier attitude of Mr. Ravitz toward the possibility of fraud, and his obvious lack of understanding of the problem. The current system is NOT based on honesty: it is based on physical security. If it is sufficiently hard for the same person to vote multiple times, voter fraud can be reduced to acceptable levels (but not eliminated, of course). In my precinct, I could conceivably vote two or three times before the election officials would start getting suspicious. If I spent the entire day driving around to various polling places in northern Colorado, I could perhaps vote a few dozen times. But to influence the outcome of the election would require a large number of cohorts; a task I could accomplish by myself from the comfort of my own home if Mr. Ravitz's proposal becomes law. I wonder if we would be permitted to vote on changing Colorado's election laws to permit voting by phone, by voting by phone? The outcome of such a vote could be enlightening ... John Roe, Hewlett-Packard, Colorado Integrated Circuits Division, 3404 East Harmony Road, Fort Collins, Colorado 80525-9599 (303) 229-4554 ------------------------------ Date: Tue, 13 Nov 90 11:30:57 PST From: Pete Mellor <pm@cs.city.ac.uk> Subject: Barclays' security: apologies! In RISKS-10.50, in an item entitled "Hackers blackmail five banks (UK)", I gave excerpts from a newspaper report about the breach. I followed this with an anecdote told by the manager of the local branch of a chain of off-licences, who found that, after sending in his completed order to the main warehouse, what appeared to be credit card transactions from Barclays' Bank were displayed on his screen. Shortly thereafter, I received a phone call from the head of Information Security at Barclays, who was puzzled by the incident, and requested further information. Barclays' investigation revealed that the credit card transactions were in fact records of purchases made using the particular card at that off-licence, and others of the chain in the area. There was therefore no breach of security, since, of course, the manager had the right of access to that information. The incident was *not*, as I first thought, due to unencrypted transactions being transmitted over the public telephone lines being received by the wrong terminal. The only problem appears to have been a minor glitch which caused a file of credit transactions on the local machine to be displayed when my friend was not expecting it. So apologies to Barclays Bank! I hope that Barclays' security department are happy to let me set the record straight via RISKS, which they obviously monitor, and perhaps they would care to add some comments of their own. Moral: Check your facts before passing on anecdotes which you hear in pubs! Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB +44(0)71-253-4399 Ext. 4162/3/1 p.mellor@uk.ac.city (JANET) ------------------------------ Date: Sun, 11 Nov 90 13:51 EST From: Steve Smaha <Smaha@DOCKMASTER.NCSC.MIL> Subject: Juicy 911 RISKS "911 calls are ripe for trouble" 11 Nov 90 Austin American-Statesman, BLACKSBURG, VA (AP) These are hardly salad days for Montgomery county law officials. Last week, police were testing the county's 911 system, scheduled to begin operating next month, when the dispatcher received 10 calls that were traced to the home of Linda and Danny Hurst. She tried to call the line, but it was busy. When she hung up, she received another call from the same line. And another. Deputy sheriff tracked down Linda Hurst. "I told them I'd locked my house and there shouldn't be anyone in there," she said. Police, concerned that someone had broken in, asked Hurst to meet them at her house. She parked in front of the house, and walked up to the front door. "But they said, 'Ma'am, step back please.' I looked back and they had their guns drawn. They were serious," Linda Hurst said. "They went through the house, but they couldn't find anybody, so I went inside." Finally, Linda Hurst's brother spotted the culprit - an overripe tomato. The tomato was hanging over the telephone in a wire basket, dripping juice into the couple's answering machine. Chief Deputy Milton Graham said the tomato juice apparently got into the telephone's dialing system and caused it to dial the sheriff's office. "We're not sure how. Maybe they had speed dialing and it shorted out," he said. "I didn't know the answering machine could even dial out," Linda Hurst said. "It's just supposed to take messages." ------------------------------ Date: Mon, 12 Nov 90 12:24:00 GMT From: Brian Tompsett <bct@cs.hull.ac.uk> Subject: Re: UK Software Engineer Certification This note supplies greater detail about the steps involved in the certification of Software Engineers in the UK. It is in response to several inquiries requesting more detail after my last contribution to RISKS (Sept 21, 1990). In answering the questions let me point out that the UK does not have Software Engineering *specific* certification. Nor does it have *certification* in the strict sense that is being discussed in the US at present. When I have detailed the routes available in the UK you can decide for yourself how this relates to what does/will exist in the US. Let me start by describing the qualification route from High School through the maze of qualifications and certifications. I can deal with how existing Engineers fit into the picture later. .------------------ Government --------------. | Approves Charters | | Curriculum Body | v | High School | | v | University Engineering | Entrance Council | Exams | Accredits | | Society v v University <-------Accredits Degree Course--- Professional | Society | Accredited | | | Engineering .---------' | Join Society | Degree | | v | v Graduate | Student member Employment <--Approves training-----' | | | Get experience | Certified | | Engineering | | training and experience | v v Chartered Corporate Member Engineer-------------------. | Status | | More | | | Experience | Outstanding | | | Achievement | | v v v Fellowship European Fellowship of Society of Engineering Engineer The route illustrated in the above diagram is not specific to Software Engineers, but is the generic model for all Engineers in the UK. The student starts by taking a degree course at a University; this may be a B.Eng, M.Eng or B.Sc. degree. In order for this degree to be considered a suitable education for an Engineer the course must be accredited by the appropriate professional body. The accreditation examines the curriculum, the facilities, the teaching department and the institution itself. After graduating the student is expected to take a position that will provide practical engineering training and real experience. The training and experience is logged in the graduates own engineers logbook and signed-off by qualified engineers and trainers. The professional society provides the employer with the basic structure for this. When the Graduate Engineer has gained sufficient experience (minimum 4 years) he may apply to be a Chartered Engineer. Admission to Chartered Engineer can only be made through a professional society and normally corporate membership of the society requires the same entry qualifications as Chartered Engineership. On joining the society the member is required to follow professional code of conduct and code of practice. The admission procedure involves vetting the applicants qualifications, receiving references from the applicant's sponsors who are normally two other professional members and an interview. The Professional Society itself is accredited by the Engineering Council. The accreditation examines the Societies methods and procedures for admission, course accreditation and so on. The Engineering Council needs to ensure that Engineers from all the different disciplines are equally qualified to be Chartered Engineers. The area represented by the Society must also be one that is considered as Engineering. This was a major hurdle for the British Computer Society to show that "Information Systems Engineering" is Engineering and qualified practitioners are worthy to be Chartered Engineers. This process took four years. The Pan-European Engineering element should also be noted. Someone qualified as a Chartered Engineer may also apply for the title "European Engineer". This is a title that is recognised across Europe. It also has its own code of conduct in addition to the one applied by the professional society. A fully qualified Software Engineer in the UK would therefore be attributed as: Eur.Ing John Doe B.Sc, C.Eng, MBCS (or similar.) Others may qualify as Chartered Engineers who do not follow the above route. They may have become Software Engineers before the terms Computer Science or Software Engineering existed, or have switched disciplines and previously qualified in something else. They may have no formal qualifications at all and have come into the profession through experience alone or they may have overseas qualifications and experience. These groups of people are admitted after having their qualifications and experience verified in a similar manner to other applicants. Their education and training is compared to the standard curricula. This sometimes involves examination of the students class transcripts and the details of the course syllabus. In the absence of a contemporaneous experience and training record a detailed Curriculum Vitae needs to be validated. This usually involves finding other Engineers who can act as referees and certify that the actual work experience claimed actually took place and was of sufficient quality. This is usually done by initialing copies of the curriculum vitae item by item. Just to confuse the issue, the UK has a Software Engineering Examination Board who issue certificates of competence in Software Engineering. These are not related to the kind of Software Engineer certification we have been discussing. The SEAB is involved in the training of people in the SSADM method that has been mandated for use on UK Government work. Brian Tompsett, Computer Science, Hull University. ------------------------------ Date: 9 Nov 90 17:06:00 CST From: "DAVE ERSTAD" <derstad@cim-vax.honeywell.com> Subject: Software Protection Tool In the October 18th issue of Electronic Design News there's a blurb about a new product which obfuscates source code by changing variable names, removing comments, etc. The intent is to allow software to be distributed in source form while still protecting proprietary knowledge. The RISKy part is what some people believe (either the company or the reviewer, I'm not sure which). The last statement in the article is "Distribution also ensure that the producer receives virus-free code, because VIRUSES CANNOT OPERATE IN SOURCE CODE" (emphasis added). Dave Erstad, Honeywell SSEC DERSTAD@cim-vax.honeywell.com ------------------------------ Date: Sat, 10 Nov 90 14:17:36 -0500 From: Steve Elias <eli@PWS.BULL.COM> Subject: complaints about Sprint's voice-card system These complaints about Sprint's voice-card system are a bit silly! Where do yall get the idea that Sprint insists that one use their SSN as their ID number? A friend at US Sprint confirms that their internal literature makes no mention of forcing people to use their SSN. Until you get some evidence that Sprint will not allow people to use numbers other than their SSN, please refrain from flaming! /eli ------------------------------ Date: Fri, 9 Nov 90 16:49:14 EST From: black@ll-null.ll.mit.edu (Jerry Glomph Black) Subject: Sprint's New Calling Card Obviously using the Social Security number as the basis of your FONCARD security number is pretty dumb. However, WHO tells Sprint this number? Presumably YOU, the customer. So, just feed them a number sequence which has high mnemonic value for you. Like maybe your phone number, or a slightly modified version of same. I've memorized my 14-digit `random' FONCARD number, but I use it a lot. Sometimes it's annoying to dial 11 digits of access code(1-800-877-8000), then the 11 digits of the destination number, then the bloody 14-digit number. My wife refuses to do this, so we got an AT&T card, where all you have to remember is FOUR DIGITS (tacked on to your 10-digit home number, which you presumably know). Anybody know why Sprint didn't just adopt this method? Chauvinism? Even the police-state People's Republic of Massachusetts allows you to specify a bogus SS No. for your driver's license, instead of your real one, so long as your bogus no. doesn't duplicate somebody else's license no. I recently took out a Hawaii driver's license, and they DEMANDED (over my vociferous objection) the SS No. or else! I'm not mega-paranoid, so I complied. Any Federal privacy laws involved here? Jerry Glomph Black, black@MICRO.LL.MIT.EDU ------------------------------ Date: 9 Nov 90 21:31:15 GMT From: jones@pyrite.cs.uiowa.edu (Douglas W. Jones,201H MLH,3193350740,3193382879) Subject: Re: Carbons (RISKS-10.59) > I saw that all messages printed on the FAX, are also 'burned' in the carbon > paper ... This means that even if I stand next to the machine to receive > a private message, people can later just open the FAX machine and read the > message. This is not a new risk! For years, typewriters that use a carbon film ribbon have recorded every word typed on their ribbon. All you have to do to find out what was typed on a typewriter is to take out the ribbon cartridge, pull out the used ribbon and read it. The more errors and corrections made during tye typing, the more garbled the ribbon will be. The risk is at least as old as the IBM Selectric typewriter, and is well-enough known that it has appeared in many cheap detective stories. Doug Jones ------------------------------ Date: Mon, 12 Nov 90 16:16:05 GMT From: "Lindsay F. Marshall" <Lindsay.Marshall@newcastle.ac.uk> Subject: Your Flood Stories Please. Can anyone who has suffered a problem at their installation caused by water in *any* form (or in fact any other liquids....) or who has heard of such events please send me a summary of your experience. Information will of course be treated in confidence if you should so desire. Lindsay MAIL : Lindsay.Marshall@newcastle.ac.uk (UUCP: s/\(.*\)/...!ukc!\1/) POST : Computing Laboratory, The University, Newcastle upon Tyne, UK NE1 7RU VOICE: +44-91-222-8267 FAX: +44-91-222-8232 ------------------------------ Date: Fri, 09 Nov 90 21:04:16 EST From: Gene Spafford <spaf@cs.purdue.edu> Subject: Re: Corrected version of Virus Conf announcement (Re: RISKS-10.59) The following address was missing from the announcement of the 4th Annual Computer Virus & Security Conference, in RISKS-10.59: Dr. Richard Lefkon Virus Conference Program Chair 609 West 114th Street New York, NY 10025 (212) 663-2315 ------------------------------ End of RISKS-FORUM Digest 10.60 ************************