Subject: RISKS DIGEST 13.31 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Friday 27 March 1992 Volume 13 : Issue 31 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: New XEROX FAX software (Jeremy Epstein) FYI: Congressional Advisory Board calls for public review (Jim Warren) Re: Microsoft and virus checkers (Alan Wexelblat) Dumbing down new systems (Lance J. Hoffman) The FBI Needs Industry's Help--OpEd in NYT (Kurt F. Sauer) Accidental stock sale: The error crept in when ... (Bob Frankston) U.S. Department of Justice Rulings about Keystroke Capturing (Sanford Sherizen) Test data used for actual operation - once again (Bertrand Meyer) Re: UA 747 Lost Door (Brian Boutel) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Tue, 24 Mar 92 09:48:29 EST From: epstein@trwacs.fp.trw.com (Jeremy Epstein) Subject: New XEROX FAX software Today's Washington Post has an article about a new Xerox software product designed to provide remote access to a PC through a FAX. Basically, you can FAX a message to your PC with instructions on what you want, and it will FAX the file(s) to a number of your choosing. If you don't have the form handy, FAXing a blank sheet of paper will cause it to FAX the blank form back to you. The target market is people who travel but don't carry everything they might possibly need...they call it a 24-hour-a-day assistant. The product (whose name I've forgotten) is software...it works with the hardware FAX boards you can buy. The product sounds really neat, but the first thought that came to my mind was security. If I know that Jane Doe has this software on her PC, how will it prevent me from asking for a copy of anything on her PC? The article didn't mention any security measures to prevent an machine from attack. I don't have any technical product information, so this may be merely an omission from the article, rather than a weakness in the product. Jeremy Epstein, Trusted X Research Group, TRW Systems Division, Fairfax Virginia +1 703/803-4947 uunet!trwacs!epstein epstein@trwacs.fp.trw.com ------------------------------ Date: Wed, 25 Mar 92 17:16:42 PST From: autodesk!highpoint!jwarren@fernwood.mpk.ca.us (Jim Warren) Subject: FYI: Congressional Advisory Board calls for public review COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD RESOLUTION #1 March 18, 1992 The Board has examined the present status of the proposed Digital Signature Standard (DSS) being undertaken by the National Institute of Standards and Technology (NIST). In view of: (1) the significant public policy issues raised during the review of the proposed standard; (2) the increasingly pervasive use of digital technologies; (3) the potential impacts upon the security of the unclassified/sensitive government community; (4) the relationship of the DSS to the existing NIST cryptographic security program; and (5) the posture of the U.S. in international commerce. THE BOARD FINDS THAT: (1) a national level public review of the positive and negative implications of the widespread use of public and private key cryptography is required. This national level review must involve the national security, law enforcement, government unclassified/sensitive, and commercial communities. Representatives from the private sector should include both vendors and users. In the next several months, NIST/NSA should sponsor a workshop on the widespread use of cryptography. This national review should be concluded by June 1993. (2) NIST has made significant progress in resolving the technical issues related to the proposed DSS. The Board recommends that NIST continue to seek resolution of the patent, infrastructure, and other remaining issues raised during the public comment process. The Board recognizes that much of the work, and in particular the infrastructure, are algorithmic independent and must be continued by NIST to assure timely implementation of digital signature technology within the government. FOR: Colvin, Gallagher, Gangemi, Kuyers, Lipner, Philcox, Rand, Walker, Wills and Zeitler AGAINST: None ABSTAIN: None Motion Unanimously Approved. --------------------------------------------------- COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD RESOLUTION #2 March 18, 1992 The Board resolves that: The approval of the Digital Signature Standard (DSS) by the Secretary of Commerce should be considered only upon conclusion of the national review. The Board agrees to continue to monitor the activities involving the DSS and the proposed national review at future meetings. FOR: Colvin, Kuyers, Lipner, Philcox, Rand, Walker, Wills, and Zeitler AGAINST: Gallagher, Gangemi ABSTAIN: None Motion Approved. --------------------------------------------------- COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD RESOLUTION #3 March 18, 1992 The Board resolves that: The Board defers making a recommendation on approval of the Digital Signature Standard (DSS) pending progress on the national review. The Board agrees to continue to monitor the activities involving the DSS and the proposed national review at future meetings. FOR: Colvin, Gallagher, Gangemi, Kuyers, Lipner, Philcox, Rand, Walker, Wills, and Zeitler AGAINST: None ABSTAIN: None Motion Unanimously Approved. ------------------------------ Date: Thu, 26 Mar 92 16:28:41 -0500 From: wex@pws.ma30.bull.com Subject: Re: Microsoft and virus checkers (Martin Minow, RISKS-13.30) Well, having just installed Word 5.0 this week, I can tell you the reason: MSWord 5.0 installs things (fonts, mostly) directly into the System. All virus detectors I know of will at least trap/warn on this. But the Install program can't deal with these trap/warn windows appearing and grabbing control while Install is trying to read from disk. So you have to turn off your virus protection. You may also have to reinstall other things in your system. In my case, the Word installation blew away my Personal Laserwriter print driver. As long as I'm on the subject, MSWord 5.0 represents a significant step BACKWARD for Word, as far as I can tell. I'm seriously thinking of going back to 4.0 because the new interface is *so* bad. Word 5.0 has several instances of the "the computer is doing something but doesn't tell the user" RISK. This, of course, causes users to repeat inputs, thinking nothing happened the first time. These additional inputs are buffered and applied to the next step in the process, potentially causing damage that is hard or impossible to undo. The program is also significantly slower than version 4.0 (at least a factor of two in the tests I've done). This introduces the RISK that long-time Word users like myself will assume that the Mac is hung and begin diagnostic/repair actions which are inappropriate and cause bad effects. There is more functionality than in 4.0, but a lot of it is "stupid" functionality in the sense that the new features duplicate existing features or do flat-out dumb things (we can discuss some other time the hilariously wrong messages their grammar checker spits out). A shame, really. Microsoft does occasionally produce good products (Excel 2.2 has one of the best, most intuitive interfaces I've ever seen), but Word seems to get worse every odd-numbered release and only better with the even numbers. Alan Wexelblat Bull Worldwide Information Systems Billerica, MA : (508)294-6120 wex@pws.bull.com wexelblat.chi@xerox.com ------------------------------ Date: Fri, 27 Mar 92 8:01:39 EST From: Lance J. Hoffman Subject: Dumbing down new systems The debate on (son of) S. 266 and on whether and how to "dumb down" computer technology to satisfy law enforcement needs is joined in The New York Times of Friday, March 27, 1992 with articles by William Sessions, FBI director, and Janlori Goldman, director of the privacy and technology project of the American Civil Liberties Union. RISKS readers with an interest (or stake) should read these articles carefully, and consider responding with letters to the editor of the New York Times of their own if they have anything to add. If the technical community wishes to be heard, it should speak up now. (Letters to their congressional representatives may not hurt either ;-) ). Lance Hoffman Department of Electrical Engineering and Computer Science, The George Washington University, Washington, D. C. 20052 (202) 994-4955 ------------------------------ Date: Fri, 27 Mar 92 07:54:31 CST From: ks@stat.tamu.edu (Kurt F. Sauer) Subject: The FBI Needs Industry's Help--OpEd in NYT FBI Director William Sessions wrote an interesting op-ed piece in today's New York Times (Vol. CXLI, No. 48,918, Fri., Mar. 27, 1992, p. A15) dealing with the problems which federal law enforcement expects to encounter when placing court-ordered wiretaps on data circuits. When I read between the lines, it sounds as if Mr. Sessions doesn't want us to use data security which employs end-to-end encryption; perhaps other RISKS-DIGEST readers will draw different conclusions. [Under the rubric "Dialogue/High-Tech Wiretaps"] Keeping an Ear on Crime: The F.B.I. Needs Industry's Help By William S. Sessions Advances in telecommunications technology promise to deprive Federal, state and local law enforcement officers and the public of the incalculable benefits that can be obtained only by court-authorized wire-tapping. Wiretapping is one of the most effective means of combating drug trafficking, organized crime, kidnapping and corruption in government. The Federal Bureau of Investigation does not want the new digital technology that is spreading across America to impair this crucial law-enforcement technique. Thus, after consulting with the telecommunications industry, members of Congress and executive branch agencies, the Justice Department has proposed legislation that is intended to preserve the ability of law enforcement officers to intercept conversations of people engaged in serious crimes. This bill is consistent with legislation passed in 1968 after Congress debated the constitutional problem posed by the Government's need to address both serious criminal conduct and the individual's right to privacy. Congress struck a balance by passing the Omnibus Crime Control and Safe Streets Act. That law and later amendments created the meticulous procedure by which law enforcement officers obtain judicial authorization for electronic surveillance. Wiretaps can be used to address only the most serious criminal, sometimes violent, threats facing society. Only when a judge is satisfied that all statutory safeguards have been met and all other reasonable investigative steps have failed or will likely fail, are taps permitted. Digital technology makes possible the simultaneous transmission of multiple conversations and other data over the same lines. The problem is that voice transmission will soon be replaced by an endless, inseparable stream of electronic emissions, making it virtually impossible to capture criminal conversations. The Federal Bureau of Investigation is not complaining. As the telecommunications industry develops digital technology, new services such as Caller ID are becoming available to business and private customers. The new technology already has provided benefits for the F.B.I.--for example, it helped solve the bombing of Pan Am Flight 103. But if digital technology is fully introduced with insufficient attention to public safety, the effectiveness of law enforcement officers will be greatly impaired. As society and technology evolve, so do government's needs and responsibilities. And, yes, the burden of helping to safeguard the public often falls on those who make profits from regulated goods and services. It is reasonable for the telecommunications industry to come to the aid of law enforcement. The proposed legislation relies on it to find technical solutions that are cost effective while permitting the developement of its technology. Surely it can do both in a way that insures its competitiveness. Indisputably, there will be financial costs associated with whatever technical solutions the private sector might develop. These costs cannot be measured only in dollars; consider the price society would pay if the ability to solve complex crimes were thwarted by an end to wiretapping. In a recent large-scale military-procurement fraud case-- which was successful because of wiretaps--the fines, restitutions, forfeitures and savings to taxpayers exceeded $500 million. The cost to telecommunications companies would not be so substantial as to outweigh the consequences of an inability of law enforcement to act. But if nothing is done soon, as technology advances and the digital systems become more widespread, the cost of addressing the issue down the road will undoubtedly increase dramatically. The proposed legislation does not expand the authority of the F.B.I. or any other criminal justice agency. It simply preserves what Congress authorized in 1968--nothing more. In recent years, Congress has expanded the Federal criminal activities for which wiretapping may be obtained. As in 1968, it must decide if law enforcement should have this invaluable tool available. I am confident that congress will again support law enforcement by approving the necessary legislation. ------------------------------ Date: Fri 27 Mar 1992 14:47 -0500 From: Subject: Accidental stock sale: The error crept in when ... Speaking of rekeying the following is from the Friday March 27, 1992 in an article about Salomon Brother's accidental sale of a few million dollars of stocks: The error crept in when a clerk at the firm, in translating the order into a format that would be understood by Salomon's computer system, mistakenly put the column showing the total value of the orders into the column showing the number of shares to be traded. ------------------------------ Date: Fri, 27 Mar 92 19:55 GMT From: Sanford Sherizen <0003965782@mcimail.com> Subject: U.S. Department of Justice Rulings about Keystroke Capturing I have had two separate reports from people working for U.S. Government agencies that the Department of Justice has advised them that trapping of keystrokes is a violation of the Electronic Communications Privacy Act and similar privacy-related legislation. Those who mentioned it to me seemed to imply that the keystrokes being discussed were related to access control/audit measures rather than worker monitoring technology. Can anyone clarify and/or verify this information? I would be interested in finding out if this interpretation only applies to the Federal Government or to private sector organizations as well? If my information is correct, this may mean that important information security efforts could be considered as illegal activities. The crunch between old laws and new technology grows daily. Sanford Sherizen, Data Security Systems, Natick, MASS. ------------------------------ Date: Fri, 27 Mar 92 21:09:31 +0100 From: bertrand@eiffel.com (Bertrand Meyer @ SOL) Subject: Test data used for actual operation - once again The following is from Le Canard Enchaine, 25 March 1992. Le Canard Enchaine, a pillar of the French press for 75 years or so, is a satirical and investigative paper, with no known equivalent anywhere else. The translation, or more correctly the feeble attempt at literal adaptation since the Canard style is basically untranslatable, is by Bertrand Meyer, from whom also the comments in square brackets, some of which refer to notes at the end. MAD COMPUTER CONS SUPERMARKET CUSTOMERS --------------------------------------- TAPPING A THOUSAND BANK ACCOUNTS Seeing one's bank account being repeatedly debited over a period of several months, to the credit of a store where you have never set foot - such was the lot of about one thousand customers of a Paris supermarket. Whenever they paid for their expenses using their Visa international card, they were in fact feeding - without their knowledge ... - the coffers of a clothing store, which hadn't asked for it. Overall, because of a computer error, more than 450,000 Francs (US$ 90,000) was drawn from these involuntary customers. On October 14, 1991, the manager of the "Codec" [a food supermarket] on the rue des Amandiers [in Paris] notes that his cash registers, driven by a specialized computer program, systematically rejects all payments made by Visa International cards. He calls the PSI Alcatel ISR company, which installed the system and is responsible for its maintenance. In order to find out the source of the problem, a technician [from PSI Alcatel] makes a copy of the store's customer file into one of his company's programs [sic]. Having apparently corrected the error, he sends the file back to Codec. DEBITS UNLIMITED A few weeks later, a riot or something very close to that erupts at Codec. Dozens of irate customers storm the store's offices: their banking accounts, which were debited normally the previous month [see note 1] after they made some purchases at Codec, are being debited again; but this time it's to the credit of "Gify Center" a clothing store in Nantes [a city in Vendee, on the Atlantic Ocean, several hundred miles from Paris]. Grand total of these double payments: 229,000 F ($40,000). In early January 1992, the manager alerts PSI Alcatel. Answer, given without any trace of emotion: PSI Alcatel has know about these computer blunders for several weeks. This is because Gify Center, wondering about this unexpected manna raining full-baked from the computer, had taken the trouble to inform [PSI Alcatel]. As to the poor manager of Codec, being unable to provide any explanation, he is being called a crook by some of his customers. PSI Alcatel claims to be working hard on the problem - but to no avail since trouble starts again in February. This time it's a store in Vannes [in Brittany, also on the West Coast], also part of the Gify Center chain, which is the beneficiary. Five hudred clients are affected; some of them, according to the Codec manager, are even debited four times for the same amount. [??] At this stage the police, being flooded with complaints, opens an investigation and summons the poor Codec manager. Not hard to understand why: many of the affected customers have had to pay interest penalties to their banks [see note 2], since their accounts have had overdrafts because of these repeated payments. Others have had to pay penalties for returned checks, or have been on the brink of having their bank cards cancelled. COMPUTER HICCUPS By dint of hard work, PSI Alcatel at last discovers the source of all these computer follies. [Perhaps someone should suggest a subscription to RISKS?] The technician, who had copied the Codec's customer file into his own program [sic and resic, to use a favorite Canard expression] for the purpose of debugging it, had forgotten to erase the file. A fateful mistake: every time PSI Alcatel sold their program for managing cash registers, they were also unwittingly selling the Codec's customer file. After that, whenever the program had been inserted into a store's computer, it would direct the banks to debit the accounts of the customers recorded in that file. One piece of good news: PSI Alcatel claims to have sold this over-filled program to no one else than Gify Center. The customers of the rue des Amandiers Codec have avoided the worst: since Gify Center owns about forty stores in France, that's the number of times the mad computers could have emptied their accounts. [End of article] [Notes for foreign readers: [1] The most common use of credit cards in France is as ``debit cards''; i.e. they are tied to a bank account and expenses are automatically debited at the end of the month. [2] Overdraft is less of an abnormal situation in France than in e.g. the US. Most banks will tolerate some overdraft as long as the situation doesn't get too serious. It's actually a fairly juicy situation for them since they charge rather high ``agios'' (translated above by ``interest penalties''.)] [General note: I am surprised by the relatively small amounts of money involved.] ------------------------------ Date: Tue, 24 Mar 1992 16:14:22 +1200 From: Brian Boutel Subject: Re: UA 747 Lost Door It's worth noting that the revision in the official story, that an electrical, not mechanical fault was responsible, is entirely due to the persistance of one man, the father of one of the passengers lost in the accident. He formulated this theory, and persued it with United and Boeing, even, I believe, got permission to be present when the door was recovered from the bottom of the Pacific. The new finding vindicates his stand, and without his efforts, it is unlikely that the truth would have been found. --brian Brian Boutel, Computer Science Dept, Victoria University of Wellington, PO Box 600, Wellington, New Zealand Phone: +64 4 471-5328 Fax: +64 4 495-5232 ------------------------------ End of RISKS-FORUM Digest 13.31 ************************