Subject: RISKS DIGEST 14.55
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 27 April 1993  Volume 14 : Issue 55

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Computer criminal executed in China (Jani Pekkanen)
New Disclosures in 2600 Case (Dave Banisar)
Hacker Accused of Rigging Radio Contests (Don Clark via Peter Shipley)
Photocopier operation monitored totally by computer (Ian Staines)
Risk of using too much electricity (Phil Miller)
Incidents in civil airliners (Martyn Thomas)
CLIPPER CHIP (Jim Bidzos, Bill Campbell, Robert Firth, Padgett Peterson,
  John A. Pershing Jr., Magnus Kempe)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 27 Apr 93 19:51 +1000
From: ITB234PEKKAN@qut.edu.au
Subject: Computer criminal executed in China

RISKS readers might be interested to note a short snippet that appeared in the Courier Mail, the daily newspaper here in Queensland, Tuesday, 27 April 1993.

  BEIJING: The first person in China to be convicted of embezzling bank funds by computer has been executed.

Mr Jani PEKKANEN, Queensland University of Technology, Brisbane, AUSTRALIA
AARnet: itb234pekkan@qut.edu.au

------------------------------

Date: Sun, 25 Apr 1993 9:43:32 EST
From: Dave Banisar
Subject: New Disclosures in 2600 Case

As you may recall, last November at a shopping mall outside of Washington, DC, a group of people affiliated with the computer magazine "2600" was confronted by mall security personnel, local police officers and several unidentified individuals. The group members were ordered to identify themselves and to submit to searches of their personal property. Their names were recorded by mall security personnel and some of their property was confiscated. However, no charges were ever brought against any of the individuals at the meeting.

Computer Professionals for Social Responsibility ("CPSR") filed suit under the Freedom of Information Act and today received the Secret Service's response to the FOIA lawsuit, in which we are seeking agency records concerning the break-up of the meeting. I think it's safe to say that our suspicions have now been confirmed -- the Secret Service *did* obtain a list of names from mall security identifying the people in attendance at the meeting.
There are three main points contained in the Secret Service's court papers that are significant:

1) The agency states that the information it possesses concerning the incident was obtained "in the course of a criminal investigation that is being conducted pursuant to the Secret Service's authority to investigate access device and computer fraud."

2) The agency possesses two relevant documents and the information in those documents "consists solely of information identifying individuals."

3) The information was obtained from a "confidential source," and the agency emphasizes that the FOIA's definition of such a source includes "any private institution which provided information on a confidential basis."

Taken together, these facts seem to prove that the Secret Service wanted names, they had the mall security people collect them, and they came away from the incident with the list they wanted.

The agency asserts that "[t]he premature release of the identities of the individual(s) at issue could easily result in interference to the Secret Service's investigation by alerting these individual(s) that they are under investigation and thus allowing the individual(s) to alter their behavior and/or evidence."

CPSR, in conjunction with EFF and the ACLU, is planning to challenge the actions of the mall security personnel, the local police and the Secret Service on the ground that the incident amounted to a warrantless search and seizure conducted at the behest of the Secret Service.
David Sobel, CPSR Legal Counsel
dsobel@washofc.cpsr.org

------------------------------

Date: Fri, 23 Apr 1993 13:25:21 -0700
From: Peter Shipley
Subject: Hacker Accused of Rigging Radio Contests

Hacker Accused of Rigging Radio Contests
[By Don Clark, Chronicle staff writer]
[San Francisco Chronicle, 22 Apr 1993]

A notorious hacker was charged yesterday with using computers to rig promotional contests at three Los Angeles radio stations, in a scheme that allegedly netted two Porsches, $20,000 in cash and at least two trips to Hawaii.

Kevin Lee Poulsen, now awaiting trial on earlier federal charges, is accused of conspiring with two other hackers to seize control of incoming phone lines at the radio stations. By making sure that only their calls got through, the conspirators were assured of winning the contests, federal prosecutors said.

A new 19-count federal indictment filed in Los Angeles charges that Poulsen also set up his own wire taps and hacked into computers owned by the California Department of Motor Vehicles and Pacific Bell. Through the latter, he obtained information about the undercover businesses and wiretaps run by the FBI, the indictment states.

Poulsen, 27, is accused of committing the crimes during 17 months on the lam from earlier charges of telecommunications and computer fraud filed in San Jose. He was arrested in April 1991 and is now in the Federal Correctional Institution in Dublin. In December, prosecutors added an espionage charge against him for his alleged theft of a classified military document.

The indictment announced yesterday adds additional charges of computer and mail fraud, money laundering, interception of wire communications and obstruction of justice.

Ronald Mark Austin and Justin Tanner Peterson have pleaded guilty to conspiracy and violating computer crime laws and have agreed to help against Poulsen. Both are Los Angeles residents.

Poulsen and Austin have made headlines together before.
As teenagers in Los Angeles, the two computer prodigies allegedly broke into a Pentagon-organized computer network that links researchers and defense contractors around the country.

Between 1985 and 1988, after taking a job at Menlo Park-based SRI International, Poulsen allegedly burglarized or used phony identification to sneak into several Pacific Bell offices to steal equipment and confidential access codes that helped him change records and monitor calls. After being indicted on these charges in 1989, Poulsen skipped bail and fled to Los Angeles where he was eventually arrested at a suburban grocery store.

One of the unanswered mysteries about the case is how he supported himself as a fugitive. The new indictment suggests that radio stations KIIS-FM, KRTH-FM and KPWR-FM unwittingly helped out.

Poulsen and his conspirators are accused of hacking into Pacific Bell computers to block out other callers seeking to respond to contests at the stations. The conspirators allegedly used the scheme to let Poulsen and Austin win Porsches from KIIS and let a confederate win $20,000 from KPWR. Poulsen created aliases and phony identification to retrieve and sell one of his Porsches and launder the proceeds of the sale, the indictment states. In February 1989, they arranged for Poulsen's sister to win a trip to Hawaii and $1,000 from KRTH, the indictment states.

[Included in RISKS with permission of the author]

------------------------------

Date: Fri, 23 Apr 93 18:28 PDT
From: Ian_Staines@mindlink.bc.ca (Ian Staines)
Subject: Photocopier operation monitored totally by computer

Our office recently acquired a new photocopier. A sophisticated onboard computer constantly monitors and controls all aspects of the photocopier's operation and maintenance. The sorter trays on this machine are driven up and down by servo motors to collate the output.
Under normal operation the tray would never be directed by the computer to rise beyond a certain height; however, should there be a problem, two sensors were placed at both limits of the tray's movement to detect a possible over-run. In keeping with the integrated nature of this copier, the sensors were of course not wired directly into the servo-motors, but instead were monitored by the main computer.

Today I watched the copier attempt to recover from an interrupted print job: in error, it failed to note the starting position of the sorter tray, and directed the servo-motors to move the tray upwards. Unfortunately, there did not appear to be a software check in the 'recover' routine to check the over-run sensors. The tray crashed upwards off its rails, damaging several components.

Ian_Staines@mindlink.bc.ca

------------------------------

Date: Thu, 22 Apr 1993 11:57:46 -0500 (CDT)
From: phil@wubios.wustl.edu (J. Philip Miller)
Subject: Risk of using too much electricity

In today's St. Louis Post Dispatch there was an article about a local man who had been convicted of growing marijuana for resale. His defense was primarily related to using it to treat his asthma, but what was far more interesting was the way that he was originally arrested.

According to the story, he first came to the attention of the authorities because he was using substantially more electricity than his neighbors. They then utilized an airborne infrared detector to infer that he had a substantial number of growlamps in his attic. Based on this they were able to obtain a search warrant and discovered his crop of 150 plants.

It would be interesting to know if the utilities actually have routines that identify "unusual" customers and routinely report this to the authorities or if there was some other reason that this man came to the attention of the authorities.

-phil

J. Philip Miller, Professor, Division of Biostatistics, Box 8067, Washington Univ. Medical School, St.
Louis MO 63110  (314) 362-3617  phil@wubios.WUstl.edu

------------------------------

Date: Mon, 26 Apr 93 15:16:50 BST
From: Martyn Thomas
Subject: Incidents in civil airliners

The latest "Feedback" (the newsletter of the confidential human factors incident reporting programme, run by the RAF Institute of Aviation Medicine for the UK civil aviation community) contains two reports relevant to this forum. I copy them without editing - I can't translate the abbreviations. [Comments in square brackets are mine]

[First report]

A Question: It is now accepted practice to "clear" the many spurious (?) messages which seem to occur for random reasons ("tyre pressure indicators" when the Reversers were locked out AD wise) by pulling and resetting the breaker, often after speaking to Tech. Control. These are "non events" and few are reported, but ought not each one to be MOR/ASR'd with full details so that the software engineers can at least attempt to trace the bugs?

[Feedback replies:]

The question is really: "When does "just a bug" in the software constitute a broken bit of equipment?" With automatic recording and testing of faults this information should not be lost to the software engineers. There is currently no way of knowing what interrelated combinations of switching have been built up. These could be waiting for one further critical selection to provide a major problem.

[... and the power reset presumably clears these latent problems back to a known state - but it all seems rather arbitrary for important systems. I wonder if the incidents are really logged by the software. If so, someone must know how common they are. Second report:]

Foreign airline look-alike Boeing twin (glass cockpit) lined up on westerly runway. 2+ aircraft positioning downwind, right hand, for duty runway. Subject aircraft instructed "When airborne, disregard standard instrument departure (which turns right) after noise, turn left, radar heading 190 degrees climbing to flight level 60".
Expected readback was verbatim, in fairly un-accented English. When aircraft observed to turn right the pilot was reminded of previous instruction and responded - "We want to turn left and you want us to turn left but the aeroplane, she wants to turn right, so we are turning right. I sorry (sic)". At the time, the humour was lost on us. Is the Flight Management System really the boss, or is there the rumoured cut-out/override switch?

[Feedback replied:]

Even if this pilot had taken the autopilot out the flight director was going to take him the same way, which shows how much re-programming skill is needed in the Glass Cockpit.

[... and the accident report would say "pilot error", but surely the system is deficient in design if it is so hard to obey a simple ATC instruction].

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel: +44-225-444700.  Email: mct@praxis.co.uk  Fax: +44-225-465205

------------------------------

Date: Mon, 26 Apr 93 23:25:44 PDT
From: jim@RSA.COM (Jim Bidzos)
Subject: Clipper questions

Much has been said about Clipper and Capstone (the term Clipper will be used to describe both) recently. Essentially, Clipper is a government-sponsored tamper-resistant chip that employs a classified algorithm and a key escrow facility that allows law enforcement, with the cooperation of two other parties, to decipher Clipper-encrypted traffic. The stated purpose of the program is to offer telecommunications privacy to individuals, businesses, and government, while protecting the ability of law enforcement to conduct court-authorized wiretapping.

The announcement said, among other things, that there is currently no plan to attempt to legislate Clipper as the only legal means to protect telecommunications. Many have speculated that Clipper, since it is only effective in achieving its stated objectives if everyone uses it, will be followed by legislative attempts to make it the only legal telecommunications protection allowed.
This remains to be seen. The proposal, taken at face value, still raises a number of serious questions.

What is the smallest number of people who are in a position to compromise the security of the system? This would include people employed at a number of places such as Mykotronx, VLSI, NSA, FBI, and at the trustee facilities. Is there an available study on the cost and security risks of the escrow process?

How were the vendors participating in the program chosen? Was the process open?

A significant percentage of US companies are or have been the subject of an investigation by the FBI, IRS, SEC, EPA, FTC, and other government agencies. Since records are routinely subpoenaed, shouldn't these companies now assume that all their communications are likely compromised if they find themselves the subject of an investigation by a government agency? If not, why not?

What companies or individuals in industry were consulted (as stated in the announcement) on this program prior to its announcement? (This question seeks to identify those who may have been involved at the policy level; certainly ATT, Mykotronx and VLSI are part of industry, and surely they were involved in some way.)

Is there a study available that estimates the cost to the US government of the Clipper program?

There are a number of companies that employ non-escrowed cryptography in their products today. These products range from secure voice, data, and fax to secure email, electronic forms, and software distribution, to name but a few. With over a million such products in use today, what does the Clipper program envision for the future of these products and the many corporations and individuals that have invested in and use them? Will the investment made by the vendors in encryption-enhanced products be protected? If so, how?

Since Clipper, as currently defined, cannot be implemented in software, what options are available to those who can benefit from cryptography in software?
Was a study of the impact on these vendors or of the potential cost to the software industry conducted? (Much of the use of cryptography by software companies, particularly those in the entertainment industry, is for the protection of their intellectual property. Using hardware is not economically feasible for most of them.)

Banking and finance (as well as general commerce) are truly global today. Most European financial institutions use technology described in standards such as ISO 9796. Many innovative new financial products and services will employ the reversible cryptography described in these standards. Clipper does not comply with these standards. Will US financial institutions be able to export Clipper? If so, will their overseas customers find Clipper acceptable? Was a study of the potential impact of Clipper on US competitiveness conducted? If so, is it available? If not, why not? I realize they are probably still trying to assess the impact of Clipper, but it would be interesting to hear from some major US financial institutions on this issue.

Did the administration ask these questions (and get acceptable answers) before supporting this program? If so, can they share the answers with us? If not, can we seek answers before the program is launched?

------------------------------

Date: Mon, 26 Apr 93 15:39:13 PDT
From: billc@glacier.sierra.com (Bill Campbell)
Subject: The Real Risk of Clipper

I've been browsing through as much as I could this morning on comp.risks and comp.security.misc about the Cripple Chip. Personally, I will boycott any products that incorporate this insidious device, as well as encouraging any within my own circle of influence to do the same.

Unfortunately, these newsgroups are read primarily by individuals who understand well the risks of the chip and its attendant policy. We are "preaching to the choir". After a brief discussion, I offer an idea for how to address a broader audience.
======== The Real Risk of the Clipper Chip ========

Proponents/apologists for the chip make, as I see it, one (and only one) valid point: use of the chip will protect me against the casual eavesdropper better than no encryption at all.

I fear, however, that unless something high-profile is done (and done quickly) the real risk associated with this technology-policy will be borne to fruition. To wit, the American public is by and large profoundly ignorant of technical "stuff", and often very indifferent about protecting their own Constitutional rights. This same gullible public may very easily be convinced by the government that not only is their privacy protected from their nosy neighbor, but also from unlawful invasion by law enforcement and/or other more determined individuals and organizations. This is what I see as the real risk of Clipper.

There are dozens, perhaps hundreds, of commercial, criminal and governmental entities with access to government resources who would not hesitate for a moment to violate my rights if they found it expedient to do so. These individuals and organizations have demonstrated beyond question that they are not constrained by legal or ethical considerations, and as has been suggested in a number of other postings, the technology employed by Clipper (including the dual escrow sham) will probably not even pose so much as an inconvenience to a determined adversary. To suggest otherwise is, at best, profoundly naive.

I believe that as a society we have at least two challenges with respect to addressing this public gullibility/naivete:

1) we need to find some way to dispel the assumption held by many that the government ultimately acts with the best interests of the public in mind. This is unmitigated hogwash. Government by its very nature is a consumer, not a producer.
Left to its own, government will progressively consume more and more of a nation's productivity until the nation finally collapses under the weight of its inevitably oppressive and corrupt government, as in the Soviet Union. This can only be prevented by an informed and active citizenry.

2) we need to find a way to effectively educate the public about _specific_ threats to our freedom and prosperity from government action (such as the Cripple Chip) as they arise.

==========

The average person's capacity for self-delusion makes #1 an unlikely candidate for solution, but I have an idea for #2: does anyone out there have a personal acquaintance with, say, Tom "Red October" Clancy, or Michael "Jurassic Park" Crichton? It occurs to me that a best-selling techno-thriller about a government "sponsored" cryptology initiative gone awry might be a very effective method for raising the awareness of the general public. There have already been a number of highly plausible scenarios suggested in both comp.risks and comp.security.misc that could probably be developed into a story line.

Bill Campbell, Software Engineer, Sierra Geophysics, Inc.  billc@sierra.com

------------------------------

Date: Tue, 27 Apr 93 08:08:58 -0400
From: firth@SEI.CMU.EDU
Subject: Worries over the Clipper Chip

Cui bono? Who stands to gain from the Clipper Chip encryption system, and what do they stand to gain?

From the reports, it seems pretty clear that the users gain very little - the government is providing them with a less secure system at marginally less cost than a more secure one. So, why would the government go to all this trouble to do badly what the market is already doing quite well?

As others have pointed out, one obvious motive is to maintain, and indeed extend, the supposed "right" of the authorities to snoop on private conversations. However, that won't work. Why should anyone worried about snoopers use an encryption scheme designed to allow snooping?
In this, as in much else, Gresham's Law will drive the Clipper from the market.

The answer, of course, is indeed that all other encryption schemes must be outlawed. Given the intense devotion to freedom and individual rights in this country, it is very doubtful whether this could be done directly, by legislative fiat. Hence what I believe to be a deliberate ruse by the government to finesse away this freedom.

You see, friends, if the Clipper becomes the normal, standard, or accepted means of encryption, then *the use of any other encryption scheme can of itself be considered "probable cause" for search and seizure*. And thereby could be lost in the courts what was won at such great cost.

For which reason, I believe the Clipper proposal warrants our united, vocal, and implacable opposition.

Robert Firth

------------------------------

Date: Tue, 27 Apr 93 08:08:35 -0400
From: padgett@tccslr.dnet.mmc.com (A. PADGETT PETERSON, (407)826-1101)
Subject: Baltimore Clipper LXVIII

Amazing how diversified the discussion has become with people deciding just what Clipper will do and taking stands against it. I'm taking the opposite approach. The people who designed it are talented and dedicated. The criteria for design may not be exactly what we might like but it must be *Good Enough* (C). Therefore a few postulates are submitted for consideration. (Haven't been briefed so am free to think out loud 8*).

1) There will be many family keys. There may be only one *right now* but a single key makes no sense. I expect that corporations may be able to buy groups of Clipper chips with a single family key just as I expect corporations to be able to monitor their chips (owner's rights have nothing to do with wiretaps). See the court cases in California concerning monitoring if you doubt this.

2) Once a key is released for a wiretap, there is no way to protect the key and the future use of the chip would be invalidated. Therefore, keys will not be released.
When a tap is authorized, the requesting authority will receive a duplicate Clipper chip. A physical device is much easier to account for and a duplicate can process anything the original can. If the plaintext is available, who cares what the key was?

3) There will be several varieties of Clipper chips; some will allow key programming (Master Clippers?) but the ones for the general public will be fixed.

4) (Stretching a bit) The algorithm will be kept secret simply because there is no one true algorithm. Reverse engineer two chips and they will not be alike. There are many different ways to say the same thing (and confuse engineers, e.g. polymorphic viruses). If so, can lay claim to prior art c.a. 1984, 1981 nee IBM 1957 8*).

5) Further suspect there might be some *traps* in the Clipper that will render the chip useless if given the wrong inputs ("China Clippers"?) - see #4.

Like I said, both the government and corporate America *need* Clipper, the designers are some of the best in the world, and the administration has more to lose than we do. Given that, Clipper will work as advertised.

Again, pure conjecture but phun ;*)

Padgett
[Usual disclaimers apply]

------------------------------

Date: Tue, 27 Apr 93 09:37:01 EDT
From: "John A. Pershing Jr."
Subject: Clipper Chip, et al.

I'm wondering how the Clipper Chip (actually, the entire genre of encrypted telephone technology) impacts the rules of evidence presented in a court of law. I believe that current rules of evidence require that, when a phone is being tapped, a person be listening in on the phone at the time that it is being recorded (tapped). A tape recording by itself is not admissible; there must be a person who will testify that he (she), indeed, listened in on the phone line and that the tape recording is an accurate representation of what was said.
With encrypted (digital) telephony and POST-HOC decryption, it is not possible to have a human listen in on the live conversation in order to testify to the authenticity of the tape. The only way for this to work is to get the keys in advance and decrypt the conversation in real time.

(Of course, this assumes that federal agents will not perjure themselves regarding evidence. It also does not rule out "fishing expeditions" in which phones are tapped to gather information (never intended to be used as evidence), perhaps as a "pointer" to other hard evidence... ...naww -- it can't happen here!)

jp

------------------------------

Date: Tue, 27 Apr 93 17:14:51 +0200
From: Magnus.Kempe@di.epfl.ch (Magnus Kempe)
Subject: Re: Responses to Clipper Chip Discussion (Denning, RISKS-14.54)

The RISKS, weaknesses and anti-constitutional aspects of the Clipper scheme are becoming more and more apparent. For instance, Dorothy Denning writes:

: Only law enforcement will have a decoder box that allows the law
: enforcement field to be decrypted. Initially, there will be just one
                                                              ^^^^^^^^^
: box, and it will be operated by the FBI.

Who else is going to receive/develop such boxes? I see many possibilities: the IRS/EPA/DEA, criminals, enemy dictatorships, etc.

: After a tap has been completed [...] the subjects are certainly free
: to purchase a new device with a new chip [...]

Wonderful. The feudal "subjects" are _free_ to spend their own money to purchase a new device. It is quite interesting that the protection offered by the Constitution (no taking without compensation) is simply disregarded.

A reminder seems in order: We are not subjects--we are freemen. Even a suspect is under the protection of the Bill of Rights. In particular, property that is taken away must be compensated (the disclosure of the secret key destroys the value of the chip), especially when _no_evidence_of_crime_ is found.
I would have thought it was an essential aspect of the government's proposal: respect and uphold the U.S. Constitution--including the Bill of Rights.

: With the new technologies, law enforcers will be incapable of executing
: a tap without the assistance of the service provider.

This is an irresponsible promise, not a fact. The new technologies increasingly rely on radio transmissions. Listening (i.e. tapping) radio transmissions is the easiest thing in the world, whether the listener is a bureaucrat, a criminal, a spook, or a competitor.

: The NSA has a long record of success with crypto, far better than any
: individual or organization in the public community.

The question is: what _kind_ of success? Universal _de_cryption?

Clearly, the prime mover of the Clipper scheme is not to protect the people, but to make it easier for the government (and any government in the future) to monitor the people. The highest RISK is that the government should some day take advantage of the new power it could acquire given the precedent established by this proposal.

I can't wait for government mandated holes in our doors and walls in order to make it possible for the FBI to listen to and watch "criminal activities at home". Where is the difference?

Magnus Kempe, Magnus.Kempe@di.epfl.ch

------------------------------

End of RISKS-FORUM Digest 14.55
************************