[comp.risks] RISKS DIGEST 7.74

RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (11/11/88)

RISKS-LIST: RISKS-FORUM Digest  Thursday 10 November 1988   Volume 7 : Issue 74

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Air traffic control and safety margins (Steve Philipson)
  UK vehicle-identification systems (Chaz Heritage)
  Re: The Computer Jam -- How it came about (Mark W. Eichin)
  The worm and the debug option (Steven Bellovin)
  Risks of unchecked input in C programs (Geoff Collyer)
  Worms/viruses/moles/etc. and the risks (Scott E. Preece)
  Nonsecure passwords/computer ethics (Christine Piatko, PGN)
  Phone-answerer/ voicemail security & voice-encryption (David A. Honig)
  University computing (James A. Schweitzer)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
  get stripe:<risks>risks-i.j ... (OR TRY cd stripe:<risks> / get risks-i.j ...
  Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Wed, 9 Nov 88 12:19:13 PST
From: Steve Philipson <steve@aurora.arc.nasa.gov>
Subject: Air traffic control and safety margins

In RISKS-7.72, Jeffrey Mogul ("Computer science unencumbered by fears about
cutting safety margins") submitted some quotes from "Airport" magazine:

>    Aviation Scientists in Britain, the US, France and West Germany are
>    now working on a data-exchange system which would reduce or even
>    eliminate the human element in air traffic control and in airport
>    approach, landing and take-off-slot technique.

   I'm not sure what "approach, landing and take-off-slot technique" means
(this is not an expression in use in the field), but I can tell you that many
of us in the field do not see terminal area control being handled by computer
control in the foreseeable future.  The "human element" provides levels of
redundancy, error checking, and distributed reasonableness checks that would
likely be lost in a computer controlled system.

>    Machine-talking-to-machine would enable the system to improve
>    perhaps five-fold, because the precise nature of computer science
>    is unencumbered by fears about cutting safety margins too finely.  A
>    cold dish of comfort, perhaps; one which will not be available until
>    well after 2005.  And anyway, nobody knows yet how much such a system
>    will cost.  But we all know who's going to pay for it, don't we?

   One of the most significant losses in such a system is the loss of the
"party line".  Each flight crew hears the ATC instructions issued to other
aircraft on the frequency (and in their general area), and can recognize
instructions that put two aircraft in conflict.  We may never have a system
where an aircraft is cleared for takeoff by computer, where other aircraft
would not be aware of the issuance of that clearance.  A ground computer to
single aircraft computer system would DECREASE safety, as flight crews would
lose the knowledge of the "big picture", i.e., what other aircraft are being
told to do, and what the general flow of traffic is.  (It is of tremendous
import to know that another aircraft has been cleared for takeoff while you are
taxiing on the same runway.)  There are also substantial questions on the
viability of text-based (as opposed to human voice based) communications with
the attendant transfer from auditory to visual task loads and its impact on
visual traffic scan duties.

   The author of the article seems to believe that computer systems are
inherently more reliable and efficient than human systems, so we can solve our
congestion and safety problems in one fell swoop just by using computer
systems.  RISKS readers recognize the fallacy of that position, as do aviation
safety researchers.  On the other hand, he also seems to believe that the
computer system will be terribly expensive, and that we'll be paying more even
though we see a "five-fold" improvement in capacity.  Sounds like a technically
naive writer to me.

						Steve Philipson

------------------------------

Date: 9 Nov 88 11:21:15 PST (Wednesday)
From: "chaz_heritage.WGC1RX"@Xerox.COM
Subject: UK vehicle-identification systems

In his Fri, 4 Nov 88 01:43:49 PST RISKS-7.72 contribution Dave Robinson writes:

> Last night, on BBC's TOP GEAR programme, a device deliberately designed
> to locate cars was described.  Essentially, it is a navigational aid
> designed to take into account traffic congestion.

What Mr. Robinson did not mention (though it has been given scant treatment
by the UK media) was the scheme for 'privatising' roads. This is part of
the general policy of the UK Government that as little as possible of the
national infrastructure should be publicly owned.

Though not necessarily all roads would immediately be sold off to
speculators, the majority of tunnels, bridges and newly-constructed roads
would, were the necessary legislation to be passed, become, or remain,
privately owned.

The Government feel that the present method of collecting tolls is
antiquated and causes congestion at vital points such as the Dartford
Tunnel. They therefore have conceived an automatic toll-collection method,
based, they say, on Japanese practice.

Every vehicle in the country would have to be fitted with what is described
as an 'electronic number-plate'. Descriptions of this equipment are few,
vague and couched in the usual patronising
'you-couldn't-possibly-understand-this' terms. However, its principle
appears to be that of IFF (Identification: Friend or Foe?).

When the IFF-equipped vehicle is driven through a toll point, its IFF is
interrogated by devices installed in the road surface. It then transmits,
by some means, the vehicle's registration number to the interrogation
devices. These communicate directly with the road owner's computer system.
Clearly this computer system must either be connected to, or share a common
database with, the Driver and Vehicle Licensing Centre at Swansea, which
holds all records of registered vehicles. This would allow the road owner
to bill drivers automatically. The Government claim (as they are wont to do
in such cases) that this is 'what the majority of people want'. There has,
of course, been no suggestion that the interrogation devices might also be
connected to the Police National Computer, since such a suggestion would be
either what the Government call 'irresponsible journalism' (if it were not
demonstrably true) or a breach of the Official Secrets Acts (if it were).
However, were I a senior Police Officer, I would find it difficult to
refuse such an opportunity for what is fashionably described as
'pre-emptive policing'.

It would, of course, have to be made a crime to drive without an IFF
device, or with a faulty one (how one is supposed to establish that one's
IFF is working correctly - when its principle of operation is apparently a
secret -  is not clear).   

It is curious that the Government, ostensibly anxious to allow maximum
commercial freedom, should on the one hand declare their intention of
selling off the roads to private investors, and on the other hand prepare
to prescribe for those investors a national system of automatic vehicle
identification. Were I the owner of a road or bridge I should resent being
told by the Government that I had to use a particular,
Government-prescribed toll system (tollbooths still work, and they're
cheap!). One could almost draw the conclusion that something other than
commercial efficiency had prompted the Government's decisions in this
respect.

However, there cannot possibly be RISKS in this system, since, on the few
occasions when it is publicly mentioned, there is always a qualifying assurance
to the effect that 'the innocent have nothing to fear'. Why such assurances
should have to be made in connection with an automatic toll system - totally
unconnected, of course, with the security forces - is not clear.
                                                                      Chaz

------------------------------

Date: Wed, 9 Nov 88 19:58:41 EST
From: Mark W. Eichin <eichin@ATHENA.MIT.EDU>
Subject: re: NYT/Markoff: The Computer Jam -- How it came about

The following paragraph from Markoff's article comes from a telephone
conversation he had with me at the airport leaving the Nov. 8 "virus
conference": 

>   But Morris reasoned that another expert could defeat his program by sending
>the correct answering signal back to the rogue. To parry this, Morris
>programmed his invader so that once every 10 times it sent the query signal it
>would copy itself into the new machine regardless of the answer.
>   The choice of 1 in 10 proved disastrous because it was far too frequent. It
>should have been one in 1,000 or even one in 10,000 for the invader to escape
>detection.

	However, it is incorrect (I did think Markoff had grasped my
comments, perhaps not.) The virus design seems to have been to reinfect with
a 1 in 15 chance a machine already infected.
	The code was BACKWARD, so it reinfected with a *14* in 15
chance. Changing the denominator would have had no effect.

Mark Eichin <eichin@athena.mit.edu> SIPB Member & Project Athena "Watchmaker"
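The inverted test Eichin describes, as an added illustration that is not the worm's source and not part of the original message: a "1 in n" decision is normally written as a remainder test that succeeds only when the remainder is zero, so negating the comparison turns it into "n-1 in n", and raising n then makes the wrong branch more frequent rather than less. The random generator and the trial counts below are assumptions chosen so the simulation runs offline and reproducibly.

```c
/* Constructed illustration of an inverted "1 in N" test (not the worm's code).
   reinfect_intended() is the decision as described; reinfect_backward() is the
   same test with the comparison negated.  reinfect_rate() measures how often
   each one says "reinfect" over many trials. */
#include <stdint.h>
#include <stdio.h>

/* Intended: reinfect an already-infected host only 1 time in n. */
int reinfect_intended(uint64_t r, uint64_t n)
{
    return (r % n) == 0;
}

/* "Backward": the comparison is negated, so it reinfects n-1 times in n. */
int reinfect_backward(uint64_t r, uint64_t n)
{
    return (r % n) != 0;
}

/* Deterministic 64-bit LCG (assumed generator, chosen only so the simulation
   is reproducible offline); the high bits are returned. */
static uint64_t next_rand(uint64_t *state)
{
    *state = *state * 6364136223846793005ULL + 1442695040888963407ULL;
    return *state >> 33;
}

/* Fraction of trials in which decide() says "reinfect". */
double reinfect_rate(int (*decide)(uint64_t, uint64_t), uint64_t n,
                     uint64_t trials)
{
    uint64_t state = 1, hits = 0;
    for (uint64_t i = 0; i < trials; i++)
        hits += decide(next_rand(&state), n) ? 1 : 0;
    return (double)hits / (double)trials;
}

double intended_rate(uint64_t n, uint64_t trials)
{
    return reinfect_rate(reinfect_intended, n, trials);
}

double backward_rate(uint64_t n, uint64_t trials)
{
    return reinfect_rate(reinfect_backward, n, trials);
}

int main(void)
{
    /* With the negated test, a larger denominator makes things worse. */
    const uint64_t denominators[] = { 15, 1000, 10000 };
    for (int i = 0; i < 3; i++)
        printf("1 in %5llu  intended %.4f  backward %.4f\n",
               (unsigned long long)denominators[i],
               intended_rate(denominators[i], 100000),
               backward_rate(denominators[i], 100000));
    return 0;
}
```

The point of running it for 15, 1000 and 10000 is Eichin's last sentence: once the comparison is negated, "fixing" the denominator only moves the backward rate closer to 1.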
						
------------------------------

Date: Wed, 9 Nov 88 23:01:29 EST
From: smb@research.att.com <Steven Bellovin> <hector!smb>
Subject: The worm and the debug option
Cc: manis@grads.cs.ubc.ca

Sorry -- in both Berkeley's and Sun's standard distribution, debugging comes
enabled.  That's perhaps defensible from Berkeley; they're distributing a
research system, to customers prone to tinker, and sendmail is certainly
complex enough to need lots of debugging.  Nor can I necessarily criticize
it from Sun; it's often useful to be able to trace such a program.  The flaw
is not that debug mode was possible; rather, that sendmail's debug mode (a)
was accessible remotely; and (b) expanded the range of inputs accepted by
the program, rather than just providing extra trace data.  What's even more
amazing is the statement Eric Allman (the author of sendmail) was quoted in
the N.Y. Times as making:  that he added that code to get around restrictive
management policies.  That is, it was a deliberate back door, albeit one
with a nominally-limited intended scope.  10-Nov-88

------------------------------

Date: Thu 10 Nov EST 1988 03:13:37
From: geoff@utstat.UUCP
Subject: Risks of unchecked input in C programs

A security bug in the 4.2BSD Unix finger daemon, which permitted its
invoker to obtain a shell with super-user privileges, was exposed during
the recent Internet worm discussion.  The bug was caused by use of the C
standard I/O routine "gets" which is a bug waiting to happen and which
should be stamped out.  (I have deleted gets from my standard I/O
implementation, and the folks at Bell Labs Research have deleted gets
from their C library.)  The bug was that the finger daemon used gets to
read a line of input from its network connection, and gets is unable to
check that the input line fits within the buffer handed to gets, so a
suitably-constructed line of input to the finger daemon steps on other
variables, confusing the finger daemon.

gets, as part of standard I/O, is a decade-old backward-compatibility
hack for compatibility with the Sixth Edition UNIX Portable I/O Library,
which was utterly replaced by standard I/O no later than 1979.  gets
takes one parameter, the input buffer into which a line of input from
the standard input stream is to be stored, and deletes any trailing
newline from the buffer.  Standard I/O contains an alternative to gets,
called fgets, which takes three parameters: an input buffer, its size in
bytes, and the stream to be read.  fgets does not strip trailing
newlines.  Converting programs from using gets to fgets is largely
mechanical, and stripping trailing newlines is trivial to code
yourself.  gets is inherently unsafe due to its inability to check for
overrun of the buffer provided to it.  There is no reason to use gets,
and there are good reasons to avoid gets.

Geoff Collyer	utzoo!utstat!geoff, geoff@utstat.toronto.edu
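The gets-to-fgets conversion Collyer describes, as an added example written for this digest (it is not code from fingerd or from any C library). unsafe_gets() writes out what gets() does so the missing bound is visible; read_line() is the bounded replacement, with the two details the conversion needs: the trailing newline is stripped as gets() did, and a line that does not fit is drained and reported as truncated, so the next read starts on the next line rather than on the tail of an attacker-supplied one. The enum names, read_two() and the sample inputs are assumptions made for the demonstration.

```c
/* Constructed example: what gets() does, and a bounded replacement on fgets().
   Not code from fingerd or any C library. */
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* gets() written out: it has no idea how big buf is, so a line longer than the
   buffer is written past its end.  Defined only to show the pattern; it is
   never called here with input that would overflow. */
char *unsafe_gets(FILE *fp, char *buf)
{
    int c; char *p = buf;
    while ((c = getc(fp)) != EOF && c != '\n')
        *p++ = (char)c;                 /* no bound check: the bug */
    *p = '\0';
    return (c == EOF && p == buf) ? NULL : buf;
}

/* Bounded replacement.  fgets() writes at most size-1 characters plus the NUL.
   The newline is stripped as gets() did.  If the line did not fit, the rest
   is discarded and LINE_TRUNCATED is returned so the caller can reject the
   request.  (An embedded NUL byte still stops strlen() early; a server that
   cares should count bytes with read() instead.) */
enum line_status read_line(FILE *fp, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, fp) == NULL)
        return LINE_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    int c = getc(fp);
    if (c == EOF || c == '\n')
        return LINE_OK;     /* line fit exactly, or final line without newline */
    while (c != '\n' && c != EOF)
        c = getc(fp);                   /* discard the overlong remainder */
    return LINE_TRUNCATED;
}

/* Push a constructed input through read_line() twice with a small buffer and
   return the first line's status; first/second receive the two lines. */
int read_two(const char *input, char *first, char *second, size_t size)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -2;
    fputs(input, fp);
    rewind(fp);
    int status = read_line(fp, first, size);
    if (read_line(fp, second, size) == LINE_EOF)
        second[0] = '\0';
    fclose(fp);
    return status;
}

int main(void)
{
    char a[8], b[8];                    /* deliberately tiny request buffer */
    int s = read_two("this request line is far too long\nnext\n",
                     a, b, sizeof a);
    printf("status %d, first \"%s\", second \"%s\"\n", s, a, b);
    return 0;
}
```

The draining step is the part most conversions forget: without it, an overlong line is silently split into several "requests", which is its own way of confusing a daemon.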

------------------------------

Date: Thu, 10 Nov 88 09:38:49 CST
From: preece@xenurus.gould.com (Scott E. Preece)
Subject: Worms/viruses/moles/etc. and the risks

  From: "Clifford Johnson" <GA.CJJ@Forsythe.Stanford.EDU>
> As for the trends, despite first appearances, the "Star Wars" system
> would greatly add to U.S. vulnerability rather than to security by
> resting U.S.  strategic execution (as well as warning) upon a huge
> network of systems, much harder to secure than the present execution
> system.  The warning system also becomes much more complex.  The funded
> National Test Bed is in essence the
> development of such vulnerable networks for strategic warning and execution.

It's also interesting to note that many of the people defending the security of
the "really" secure systems pointed to their reliance on physical security --
the lack of network or remote access.  SDI, on the other hand, is going to
depend on space-based components which CANNOT be isolated from remote access.

scott preece, motorola urbana design center
uucp:	uunet!uiucuxc!mcdurb!preece

------------------------------

Date: Wed, 9 Nov 88 15:56:43 EST
From: piatko@svax.cs.cornell.edu (Christine Piatko)
Subject: Nonsecure passwords/computer ethics

I would like to point out that the users themselves can make their passwords
more secure by not using `obvious' (i.e. English word, easily available in the
dictionary) passwords.  At the moment it is too easy to encrypt dictionary
entries and compare them to password files.  People are told this all the time,
but there are many people who use words that can be found in the dictionary.
I'm sure the situation is similar at other sites (even for root passwords).
People pick WORDS because they are easy to remember.  A better technique, to
come up with safer password, is to pick a phrase and use the initial letters
and numbers:

  'A stitch in time saves nine' for the password asits9.

Perhaps a program should be run every so often to check if people have obvious
passwords and remind them to change them.  If the message is ignored the user
could be inconvenienced by having the administrator change the password for him.

Of course this does not address other issues, like the 'bug' in sendmail (which
seemed more like a door that someone left open for himself) or other issues of
system security.  But this is one measure that users can take to protect
themselves a bit.

In defense of the alleged culprit R. Morris, I would like to say that I know of
people at several universities who have had similar escapades, although on a
smaller scale.  In this case I agree that the 'prank' got out of hand, but
there are many such pranks going on all the time at any system site.  For some
reason these kinds of holes are fascinating to some pretty intelligent people.
I think their fascination should be put to good use tracking down such holes.
I don't hold out much hope for completely secure systems (I don't believe there
are break-in proof safes or unsinkable ships either).  However this should
emphasize the fact that we are a community that has to work together, and
sometimes that means learning some very hard lessons together.  If just one
site had been affected, would the sendmail bug have been fixed nationwide?
Evidently not, since from what I've seen on the net this bug was known about
for at least 2 years.

As a community we have a lot to learn about how to work together.  It is
interesting to see so many different perspectives on how 'secure' computers and
networks should be.  I have been amused by people saying that we should require
CS students to take an ethics course.  Is it really so clear in the entire
community what is and isn't ethical behavior?  Obviously not, since some people
think this 'worm' incident was merely stupid, while others think it was
unethical.  We in the computer science community need to figure out a code of
ethics dealing with breaking into systems, just as we as a society are still
figuring out how to deal with people who break into our homes.

Christine Piatko 
usual disclaimers here, and no, I didn't know rtm very well.
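The dictionary comparison and the phrase-initials trick from Piatko's message, as an added example written for this digest (not code from any Unix password utility). crack() is the offline attack she describes: hash every wordlist entry under each account's salt and compare against the stored hash. is_dictionary_word() is the proactive check she suggests running over chosen passwords, and phrase_initials() derives "asits9" from "A stitch in time saves nine". fnv_hash() is an assumed stand-in for crypt(3) so the block runs without a crypt library; the wordlist, salts and accounts are constructed.

```c
/* Constructed example (not from any Unix password utility).  fnv_hash() stands
   in for crypt(3); the attack loop is the same for any salted one-way function. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pw_entry { const char *user; char salt[3]; uint64_t hash; };

/* Constructed wordlist; a real attack would use /usr/dict/words or larger. */
static const char *DICT[] = { "apple", "password", "secret", "stitch", "summer", "unix" };
#define DICT_LEN (sizeof DICT / sizeof DICT[0])

/* Stand-in one-way function: FNV-1a over salt || password. */
uint64_t fnv_hash(const char *salt, const char *password)
{
    uint64_t h = 1469598103934665603ULL;
    const char *parts[2] = { salt, password };
    for (int p = 0; p < 2; p++)
        for (const char *s = parts[p]; *s; s++) {
            h ^= (unsigned char)*s;
            h *= 1099511628211ULL;
        }
    return h;
}

/* A password-file entry: only user, salt and hash are stored, and that is all
   the attack below needs. */
struct pw_entry make_entry(const char *user, const char *salt, const char *plaintext)
{
    struct pw_entry e;
    e.user = user;
    e.salt[0] = salt[0]; e.salt[1] = salt[1]; e.salt[2] = '\0';
    e.hash = fnv_hash(e.salt, plaintext);
    return e;
}

/* Case-insensitive equality of the first len bytes of a against all of b. */
static int ieq(const char *a, size_t len, const char *b)
{
    if (strlen(b) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Offline dictionary attack.  The salt only forces the hashing to be repeated
   per entry; it does not help a password that is in the list.  Returns the
   number of accounts recovered; cracked[i] is the matching word or NULL. */
int crack(const struct pw_entry *pw, int n, const char **cracked)
{
    int found = 0;
    for (int i = 0; i < n; i++) {
        cracked[i] = NULL;
        for (size_t w = 0; w < DICT_LEN; w++)
            if (fnv_hash(pw[i].salt, DICT[w]) == pw[i].hash) {
                cracked[i] = DICT[w];
                found++;
                break;
            }
    }
    return found;
}

/* Proactive check: would the attack above find this password?  Trailing
   digits are ignored, so "secret1" still counts as a dictionary word. */
int is_dictionary_word(const char *candidate)
{
    size_t len = strlen(candidate);
    while (len > 0 && isdigit((unsigned char)candidate[len - 1])) len--;
    for (size_t w = 0; w < DICT_LEN; w++)
        if (ieq(candidate, len, DICT[w])) return 1;
    return 0;
}

/* "A stitch in time saves nine" -> "asits9": first letter of each word,
   lower-cased, with number words replaced by their digit. */
void phrase_initials(const char *phrase, char *out, size_t size)
{
    static const char *numbers[] = { "zero", "one", "two", "three", "four",
                                     "five", "six", "seven", "eight", "nine" };
    if (size == 0) return;
    size_t n = 0;
    const char *p = phrase;
    while (n + 1 < size) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        char ch = (char)tolower((unsigned char)*start);
        for (int d = 0; d < 10; d++)
            if (ieq(start, (size_t)(p - start), numbers[d])) ch = (char)('0' + d);
        out[n++] = ch;
    }
    out[n] = '\0';
}

int main(void)
{
    struct pw_entry pw[3] = { make_entry("alice", "ab", "secret"),
                              make_entry("bob",   "cd", "asits9"),
                              make_entry("root",  "ef", "password") };
    const char *cracked[3];
    int found = crack(pw, 3, cracked);
    for (int i = 0; i < 3; i++)
        printf("%-6s %s\n", pw[i].user, cracked[i] ? cracked[i] : "(not found)");
    char derived[16];
    phrase_initials("A stitch in time saves nine", derived, sizeof derived);
    printf("%d of 3 recovered; %s is dictionary word: %d\n",
           found, derived, is_dictionary_word(derived));
    return 0;
}
```

The same loop is what an administrator's periodic check would run against the site's own password file, which is why running it before an intruder does is cheap insurance.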

------------------------------

Date: Wed, 9 Nov 88 13:09:18 PST
From: Peter G. Neumann <Neumann@KL.SRI.COM>
Subject: Re: Nonsecure passwords/computer ethics

But don't forget that passwords traversing Ethernets and Arpanets are
vulnerable even if they are difficult to guess.  The net communications are
unencrypted and capturable.  Many years ago someone wrote a simple
ID-and-password capture program on the Ethernet.  It still works.  In UNIX,
the /dev/mem vulnerability (a "feature" to some) can be used to capture
passwords in unencrypted form.  Even the Gould UTX/32S C2 version of Unix
still has that vulnerability.  The bottom line is this: beware of relying on
passwords.  By the way, for Unix folks, the AT&T and Sun announcements of
vastly improved security (including multilevel security) should be of
considerable interest.  But they still don't solve all the problems.

     [Ironically, perhaps, it is the classical paper by Bob Morris (Sr.)
     and Ken Thompson, "UNIX Password Security: A Case History", Comm.
     ACM 22, 11 (November 1979), pp. 594-597, that really started the
     increased awareness about password vulnerabilities!]

------------------------------

Date: Wed, 09 Nov 88 13:42:33 -0800
From: "David A. Honig" <honig@bonnie.ICS.UCI.EDU>
Subject: Phone-answerer/ voicemail security & voice-encryption

Unauthorized phone-answering-machine playback and unauthorized
centralized-voicemail message playback could be made more difficult by
encrypting the stored messages.  This could be done at the same time as data
compression preprocessing on digital systems.  (There are analog "encryption"
methods but these days everything's cheaper digitally...)

Of course, the original message could be bugged when recorded, and for
a central-voicemail system the encryption key would have to be sent
over the (unsecure) phone lines, so this is not a total solution.  But
it makes it harder for nosy voicemail sysops, including those with
warrants, to playback stored messages.  And it makes unauthorized
home-answering machine playback useless.

Encrypted voicemail and a more secure home answering machine most likely *are*
good selling points, so I will not be too surprised when they become
commercial.  Some of the (e.g., black) market desires these features now, and
when it becomes cheap, everyone will expect it.

------------------------------

Date: Thu, 10 Nov 88 10:23:19 PST
From: "James_A._Schweitzer.STHQ"@Xerox.COM
Subject: University computing (Re: RISKS-7.71)

Peter, re: your comment that "But to assume that university computing should be
relatively wide open would be a serious mistake.  Unethical and other abuses
are not uncommon."(Sun, 6 Nov 88 22:01:17 PST).

At a professional meeting last week, we had a presentation by a university data
center manager on a Trojan Horse attack which had shut down his operation. The
last part of his talk was titled "Lessons Learned".  I was dumbfounded that
these "lessons" included only technical conclusions concerning security
controls. There was no thought of teaching the student users about computer
ethics and proper behavior once you are granted computer use privileges.

I told him I thought it was similar to teaching a fifteen-year-old to drive a
car while neglecting to say anything about rules of the road, traffic signals,
and so forth.

Until the universities start telling people about proper behavior, they (and I
guess we) deserve what we get.

Jim Schweitzer

------------------------------

End of RISKS-FORUM Digest 7.74
************************