[comp.risks] RISKS DIGEST 7.64

RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (10/13/88)

RISKS-LIST: RISKS-FORUM Digest  Thursday 1 October 1988   Volume 7 : Issue 64

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  100 digit primes no longer safe in crypto (Dave Curry)
  Risks of computer controlled doors (Piet van Oostrum)
  NSFnet Backbone Shot (Gene Spafford)
  Intersection of ANI and Voice Mail Risks (Gary McClelland)
  New Feynman book (Eugene Miya)
  High `Rev'ing Volvo (Hartel)
  Stevie Wonder gives an Ear-itating Performance (Marshall Jose, PGN)
  OMB "Blacklist"? (Hugh Miller)
  Re: Ethics of Conflict Simulation (Scott Wilde)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
  get stripe:<risks>risks-i.j ... (OR TRY cd stripe:<risks> / get risks-i.j ...
  Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Wed, 12 Oct 88 20:34:01 -0700
From: davy@riacs.edu  <David A. Curry>
Subject: 100 digit primes no longer safe in crypto

Taken from the San Jose Mercury News, Oct. 12, 1988, Page 8A:

Computers able to make light work of cracking code (Los Angeles Times)

  Some secret codes intended to restrict access to military secrets and Swiss
bank accounts may not be as safe as had been presumed, a team of computer
experts demonstrated Tuesday.
  The team succeeded in doing what security experts thought could not be done:
using ordinary computers to break down a 100-digit number into the components
that produce it when multiplied together.
  That process, called factoring, holds the key to many security codes.
  Before Tuesday, experts had believed that if the number was large enough -
up to 100 digits - its factoring would take about 10 months with a Cray
supercomputer, one of the most powerful computers in the world.
  But computer experts across the United States, Europe and Australia solved
the problem more quickly by using 400 processors simultaneously.  They linked
their computers electronically and factored a 100-digit number in just 26 days.
  The number has two factors, one 41 digits long and the other 60 digits long.
  And that, according to Arjen Lenstra, professor of computer science at the
University of Chicago, should be quite sobering to experts who believe they
are secure with codes based on numbers that large.  Lenstra headed the project,
along with Mark S. Manasse of the Digital Equipment Corp.'s Systems Research
Center in Palo Alto.

	[ quotes from experts ]

  Rodney M. Goodman, associate professor of electrical engineering and an
expert on cryptography at the California Institute of Technology in Pasadena,
described the achievement as "significant," because it means that some systems
may not be as secure as had been thought.  But he said it did not mean that
security experts around the world would have to rebuild their systems.
  "All the cryptographers will do is increase the length of the number by a
few more digits," he said, "because the problem gets exponentially worse as
you increase the size of the number."  A larger number is more cumbersome, and
cryptographers had tried to keep the number as small as possible.

	[ explanation of the idea behind using large numbers with
	  prime factors in cryptography ]

  Last year, Lenstra decided to tackle the problem on "a small scale, just to
see if he could do it," according to Larry Arbeiter, spokesman for the
University of Chicago.  "It was a pure science type of effort."
  Several months ago, Lenstra presented his idea to Manasse, a computer
research scientist with Digital.  Manasse became so intrigued with the problem
that his company agreed to fund much of the cost, including the use of more
than 300 computer processors at the Palo Alto company during off-duty hours.
The company manufactures DEC computers.
  "I was interested in the general problem of taking a program and breaking it
up into small pieces" so that many could work simultaneously toward the
solution, Manasse said.
  Other computer enthusiasts from the "factoring community" clamored aboard
and this fall more than 400 computers around the globe were ready to give it a
try.
  The computers ranged in size from microcomputers to a Cray supercomputer,
but even personal computers with large memories could have been used, Lenstra
said.  Each of the participating computers was given a different part of the
problem to solve, and success came early Tuesday morning.
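The article's point that factoring the modulus is what breaks these codes, as an added toy illustration (not from the article or from the Lenstra/Manasse effort): an RSA-style key is built from two constructed small primes, and the private exponent is then recovered from the public key alone by factoring n with Pollard's rho. The primes, message and exponent are all made up for the demonstration; real moduli are hundreds of digits and far beyond this routine, which only shows why the factors must stay secret.

```python
"""Toy demonstration: recovering an RSA-style private key by factoring n.
Constructed example, not the 1988 100-digit factorization."""
import math


def pollard_rho(n, seed=2):
    """Return a non-trivial factor of composite n using Pollard's rho
    with Floyd cycle detection.  Restarts with a new constant c when
    the walk cycles without exposing a factor."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = seed
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                       # genuine factor found
            return d
        c += 1                           # degenerate cycle, try another c


def break_rsa(n, e):
    """Given only the public key (n, e), factor n and derive the private
    exponent d = e^-1 mod (p-1)(q-1).  Requires Python 3.8+ for pow(e, -1, m)."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return min(p, q), max(p, q), d


# Constructed toy key: two small primes (the 10,000th and 100,000th primes).
P, Q = 104729, 1299709
N = P * Q
E = 65537


def demo(message=42):
    """Encrypt with the public key, then decrypt using a private exponent
    obtained purely by factoring N.  Returns (recovered_factors, plaintext)."""
    ciphertext = pow(message, E, N)
    p, q, d = break_rsa(N, E)
    return (p, q), pow(ciphertext, d, N)


if __name__ == "__main__":
    factors, plaintext = demo()
    print("factors of N:", factors, "recovered plaintext:", plaintext)
```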

------------------------------

Date: 12 Oct 88 11:20:12 GMT
From: piet@ruuinf.UUCP (Piet van Oostrum)
Subject: Risks of computer controlled doors

Amsterdam, The Netherlands

The new Amsterdam Stopera (combined town hall - music theater) has to
undergo $1 million of upgrading, although it is only a few years old. One
of the things to be done is redoing the computers controlling the doors, as
several people have had the experience of being locked up.

Piet van Oostrum, Dept of Computer Science, University of Utrecht
Padualaan 14, P.O. Box 80.089, 3508 TB Utrecht, The Netherlands
Telephone: +31-30-531806              UUCP: ...!mcvax!ruuinf!piet

------------------------------

Date: 12 Oct 88 19:14:22 GMT
From: spaf@purdue.edu (Gene Spafford)
Subject: NSFnet Backbone Shot

The following mail was forwarded to me a few minutes ago.  This refers to
the MCI fiber used to carry the NSFnet backbone.  No wonder some of my mail
has disappeared recently!                  [From: field inadvertently deleted?]

=> Date: Wed, 12 Oct 88 12:47:00 EDT
=> To: watchdogs@um.cc.umich.edu, ie@merit.edu
=> Subject: A bit of trivia
=> 
=> The fiber that goes from Houston to Pittsburgh was broken due
=> to a gun blast....that is right, a gun blast.
=> Somewhere in the swamps of the Bayou (between Alabama and New Orleans)
=> the fiber cables are suspended above the swamps and a good ol'
=> boy was apparently target practicing on the cable.
=>  
=> Traffic has been rerouted and when the investigation has taken place
=> and the cable fixed we will be put back on the original circuit.

Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf

------------------------------

Date: Tue, 11 Oct 88 00:14 MDT
From: MCCLELLAND_G%CUBLDR@VAXF.COLORADO.EDU
Subject: Intersection of ANI and Voice Mail Risks

   Recent reports in RISKS of nefarious deeds committed by hackers who
entered a system via voice mail prompted me to inquire about the voice mail
security of my university's system.  A year ago the U bought its own fancy
switch for on-campus communications.  Some of the goodies include voice
mail and ANI.  I tried the voice mail once but since I much prefer e-mail
I long ago forgot my voice mail password (yep, only 4 digits if the
hackers want to start guessing).  I called the telecommunications office
to determine where I needed to go in person and with how many photo ID's
to get my voice mail password.  Even though I hadn't identified myself,
the clerk said, "Oh that won't be necessary, Mr. McClelland, I'll just
change your password back to the default password and you can then change
it to whatever you want."  I said, "But how do you know that I'm
McClelland?"  He replied, "Because it shows on the digital display on my
phone both the phone number and name of the caller."  [Most phones are in
private offices so a unique name can be attached to each number.]  I tried
to explain that all he really knew was that I was someone calling from the
phone in McClelland's office and that I could be the janitor, a grad
student, or almost anyone.  But security wasn't his problem so he wasn't
very concerned.  I was afraid to ask how many folks never bother to change
their default password.  As I was about to hang up, he said, "By the way, if
you check your voice mail from your own extension you don't even need to enter
your password."  I said, "Thanks, that's reassuring" but I don't think he
caught the sarcasm.
  Gary McClelland  

------------------------------

Date: Wed, 12 Oct 88 23:41:09 PDT
From: Eugene Miya <eugene@amelia.nas.nasa.gov>
Subject: New Feynman book

I remembered that many fans of RISKS are also Richard Feynman fans.
I ran into Stacey's briefly today and just happened to see this:

%A Richard P. Feynman
%T "What Do YOU Care What Other People Think?"
%I W. W. Norton
%C New York
%D 1988
%$ 18

Relevance to RISKs readers comes in two forms (his essay on the Value
of Science at the end and the appendix to the Challenger report
which makes up over 50% of the book).  Note that the text is longer
and not verbatim to the articles in Engineering and Science or Physics Today.

--eugene miya,   NASA Ames

------------------------------

Date: Tue, 11 Oct 88 10:10:15 EDT
From: hartel@mitre.arpa
Subject: High `Rev'ing Volvo

I have an old disreputable '82 Volvo which gave me an object lesson in sensor
circuit design recently.  Beginning several months back the car began to
exhibit a mind of its own about engine speed.  The local ace Volvo dealer
couldn't find anything wrong after $400 worth of effort, and since the car's
independence of mind seemed to be limited to brief and infrequent periods, I
let the matter slide.  Poor idea.  I took the car to the wilds of northern
Wisconsin, far from the nearest Volvo fixit shop, where the old car turned on
me.  Previously my problems with engine speed had been limited to surges in
speed at idle, up to no more than 2500 RPM.  There had been no signs of bad
behavior when the car was in gear.  Once up in the great frozen north however,
the car decided it was going to idle at fifty MPH, as in 2700 RPM in fourth
gear up a hill.  Kept doing it too.  Made it hard to drive thru the camp
ground, observe nature, stay alive.

I studied the owner's manual.  It has an elementary schematic of the fuel
system, and one particular element which caught my eye was the constant idle
control, a servo motor that appeared to affect manifold vacuum.  Got inputs
from several sensors and the engine microprocessor.  When I disconnected the
control, idle dropped to nominal, and the car was drivable.

In the end the Volvo dealer found the problem, which was that a spade connector
had come adrift from one of the engine sensors.  The idle control interpreted
lack of signal from the sensor as low engine speed, so it exerted its maximum
effort to raise the idle speed to acceptable levels.  It strikes me as poor
design that an open circuit mimics the operative signal in a sensor system.
Automotive engine compartments are well known as hell on earth for electronics,
and loose connections and broken wires are to be expected.  Lack of signal
should cause the automated system to go off line, not off its head.

------------------------------

Date: Tue, 11 Oct 88 11:06:37 EDT
From: mjj@stda.jhuapl.edu (Marshall Jose) <@aplvax.jhuapl.edu:mjj@ ...>
Subject: Stevie Wonder gives an Ear-itating Performance

     The following is regrettably anecdotal and I wish I had more
firsthand info on it; anyway, here goes:

     For one of his tours, Stevie Wonder contracted with Northwest Sound
to build a set of PA speakers of extraordinary capability -- response
nearly flat out to 45 kHz, etc.  A few weeks into the tour, though,
the performances seemed to be souring.  Everybody -- artists, crew,
even the audience -- seemed irritable and impatient.  Indeed, the
performances started out well enough, but an hour or so into the
show the audience became testy and actually were moved to boo during
pauses, for no apparent reason.

     Finally, during one show, one of the sound guys was examining
the audio spectrum analyzer screen, and mistakenly pushed the 20 kHz -
200 kHz range button instead of the 2 kHz - 20 kHz button.  Imagine
his alarm at the sight of a potent 28 kHz component, the product of
all the synthesizers' DAC update clocks.  It was lying just outside
the (ordinarily) high hearing limit of 20 kHz, so it was never noticed
by the sound crew and their instrumentation.  Cause discovered, the
noxious 28 kHz spike was eliminated with an equalizer, and everybody
went home happy but chastened.

     The person who related this story to me suspects that the event
is not widely known, being of large embarrassment and trivial cause.
Is he right?  Has anyone else heard about this?

------------------------------

Date: Wed, 12 Oct 88 15:00:28 PDT
From: Peter G. Neumann <Neumann@KL.SRI.COM>
Subject: Ear-itation

I am reminded of the not-computer-related experience of the Columbia professor
who noticed that his body went limp in a record store whose speakers were
blaring a particular rock tune.  He took the record back to his lab and
analyzed it -- discovering some sort of an alpha- or beta-wave resonant
frequency with the human brain of his students, for that particular rhythm --
an AN-A-PEST with the accent on the last syllable -- DA-DA-DUM.  It was many
years ago, but still worth relating for the younger folks who like to listen to
hard-beat music...  Beware of the anapest.

------------------------------

From: Hugh Miller <@CORNELLC.CCS.CORNELL.EDU:HUGH@vm.utcs.utoronto.ca>
Subject:      OMB "Blacklist"?
To: RISKS Moderator <RISKS@csl.sri.com>

        The following appeared in the 1987 annual report of Project Censored,
a U.S. group operating out of Sonoma State University.  They compile an annual
list of what they consider to be the 25 most un- or under-reported stories of
the year.  This is #22 on the latest hit parade.  The collection is widely
available on local RCPM's; the one I pulled down was labelled CENSOR.ARC.
[Hugh Miller, University of Toronto, (416)536-4441]

                OMB COMPILING NATION-WIDE BLACKLIST OF GRANT VIOLATORS

                The Office of Management and Budget is compiling a master
         computer list of those debarred or suspended from participating in
         government agency grant programs. Gary Bass, executive director of
         OMB Watch, a public interest group that monitors the budget office,
         said the goal of reducing waste, fraud and abuse is laudable but
         warned that the program "can become a hit list for individuals and
         organizations that the administration does not agree with."
                The controversial program will cover a wide range of
         transactions, including grants, cooperative agreements, scholarships,
         fellowships, loans and subsidies. It would apply to both recipients
         of federal funds and those "doing business" with them.  The system is
         expected to be fully operational by May, 1988.
                Under the new law (Reagan's Executive Order 12549), 20
         agencies which disburse $100 billion in grants will forward their
         debarred lists to the OMB. The master list will be computerized and
         placed on a nation-wide automated telephone system.  Regulations
         published in the Federal Register (5/29/87) say that the master list
         will contain names and "other information" about currently debarred
         or suspended grant recipients, as well as about those whose debarment
         is pending.
                Under the directive, federal, state and local agencies,
         private organizations and individuals handling federal funds must
         check the list before providing anyone a federally-aided service,
         grant, loan or other assistance such as day care.  Any person or
         organization that fails to check the list may also be placed on it.
         In addition, employees of federally-funded agencies and
         organizations, as well as anyone "doing business" with them or
         wishing to do business with them must submit annual certifications
         that neither they nor anyone "associated with" them are on the list,
         or being considered for it.
                Grounds for placement on the list include 1) violating any
         term of a "public agreement," regardless of whether federal funds
         were involved; 2) failure to repay a government-backed or assisted
         loan, such as a home mortgage, student or crop loan; 3) "failure to
         perform" or poor performance on a grant or other "public agreement;"
         4) lack of "business integrity or honesty" or conviction of
         "business" crimes; 5) debarment or suspension by a public agency at
         any level of government, federal, state, or local.
                One can also make the blacklist if one: is a public school
         teacher and goes on strike despite a no-strike clause in one's
         contract; performs poorly on any grant from a public agency,
         regardless of whether federal funds were involved; does business with
         anyone known to be on OMB's new list.
                Various agencies already keep records of those who violate
         rules of grants, using the lists to prevent such recipients from
         getting additional grants from the agency involved. But, under
         current law those same recipients may obtain grants from other
         federal agencies.
                Rep. Jack Brooks (D-TX), chair of the House Government
         Operations Committee warned that the OMB's implementing guidelines
         "endorse guilt by association, reverse the presumption that a person
         is innocent until proven guilty, and define the operative offenses so
         vaguely as to potentially encompass many entirely legitimate
         activities."

                SOURCES: THE NEW YORK TIMES, 12/23/87, "U.S. Plans to Make
         Master List ...", by Martin Tolchin; OMB WATCH 1987 ANNUAL REPORT;
         FOUNDATION NEWS, July/August 1987, page 8.

------------------------------

Date: Mon Sep 26 15:08:41 1988
From: wilde@hor-res.UUCP  <@RELAY.CS.NET:hor-res!wilde@gte.com>
Subject: Re: Ethics of Conflict Simulation

In RISKS-FORUM 7.55, Mike Trout makes several statements regarding the
past and present state of the conflict simulation industry.  While I
do not wish to digress too far from the purpose of this list, I feel that
the picture he presents is somewhat inaccurate.

The main issue confronting game designers doing work for the military
is one of integrity, as Mike pointed out.  The problem is not some nebulous
fear of the Pentagon "poisoning" the industry as a whole, but rather
that they would interfere _with the particular game under consideration_.
The designers want to be free to model a situation as they see it.  The
military, however, gets upset when someone gives them a simulation that
says their high tech weapons have an expected lifetime of 3 minutes in
actual combat.  As a result, most designers will not consider working
for the govt. unless they are assured of complete freedom in doing their
designs.

As for Pentagon influence "subverting" the game industry, I have yet to see 
any indication that anything more than a small fraction of game designers
and publishers' revenues come from military contracts.  Many games have been
produced dealing with hypothetical modern conflicts, but I believe this is
a reflection of the interests of gamers, not the result of some sinister
military infiltration.  I definitely feel there is no justification for
saying these games were developed to find "better ways to slaughter people".
Only a handful of games on the market were originally developed as
simulations for the military.  

Mike's statement about having fun is somewhat puzzling.  These designs
are _GAMES_. Most people play them for the enjoyment of intellectual
competition.  They also play them to more fully understand history (and 
future possibilities).  The two are not incompatible goals.

Scott Wilde            ...bunny!hor-res!wilde  

------------------------------

End of RISKS-FORUM Digest 7.64
************************