From: CRDGW2::CRDGW2::MRGATE::"SMTP::ELIOT.CSL.SRI.COM::RISKS" 1-APR-1991 17:03:41.76 To: ARISIA::EVERHART CC: Subj: RISKS DIGEST 11.35 From: risks@eliot.csl.sri.com@SMTP@CRDGW2 To: EVERHART@ARISIA@MRGATE Received: by crdgw1.ge.com (5.57/GE 1.92) id AA15067; Fri, 29 Mar 91 19:23:29 EST Received: by eliot.csl.sri.com at Fri, 29 Mar 91 16:07:18 -0800. (5.61.14/XIDA-1.2.8.27) id AA27310 for From: RISKS Forum Sender: RISKS Forum Date: Fri, 29 Mar 1991 16:07:10 PST Subject: RISKS DIGEST 11.35 Reply-To: risks@csl.sri.com To: RISKS-LIST:;@eliot.csl.sri.com Message-Id: RISKS-LIST: RISKS-FORUM Digest Friday 29 March 1991 Volume 11 : Issue 35 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Soviet Space Station (James H. Paul) Tribe proposes computer freedom/privacy amendment to US Constitution (Paul Eggert, Rodney Hoffman) Privacy Updates (Peter Marshall via Brint Cooper) Legion of Doom's "Terminus" sentenced (Rodney Hoffman) Court allows appeal over computer error (Martyn Thomas) RISK of being honest ["surplus" FBI data] (Peter Kendell) USSR BBSList (Serge Terekhov via Frank Topping via Selden E. Ball, Jr.) A Consciously Chosen Risk [anonymous] Compass 1991 Program (John Cherniavsky) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Fri, 29 Mar 91 21:11 GMT From: "James H. Paul" <0002296540@mcimail.com> Subject: Soviet Space Station [PGN Excerpting Service] REUTERS 03-28-91 05:40 PET SOVIET SPACE STATION AVOIDS DOCKING DISASTER BY 40 FEET MOSCOW, Reuters - The Soviet space station Mir came within 40 feet of a collision with a cargo module which would almost certainly have killed the two cosmonauts on board, Soviet television reported Thursday. Ground control staff noticed only seconds before impact that computers which should have been docking an unmanned Progress-7 cargo module onto Mir were in fact steering it on a collision course. [...] The cargo module was only 65 feet from impact when an alert ground controller watching television pictures of the docking had to make a snap decision to override the computers and change Progress-7's course. Rockets deflected the module, which had already failed to dock once last week, so that it passed within 40 feet of the space station and narrowly missed protruding antennae and solar panels. [...] The space station's next crew will have to make more extensive repairs to a faulty antenna which was found to be the cause of the near miss. [...] ------------------------------ Date: Wed, 27 Mar 91 09:26:05 PST From: eggert@twinsun.com (Paul Eggert) Subject: Tribe proposes computer freedom/privacy amendment to US Constitution Here are excerpts from the Los Angeles Times, 1991/03/27, pages A3 and A12. The issues are familiar to Risks readers, but awareness has spread to the non-computer legal community, and it's worth noting how their reactions are reported in the mainstream press. On page A12 the article runs in parallel with the continuation of the day's biggest story, whose page one headline reads ``High Court Allows Forced Confessions in Criminal Trials ... A key pillar of constitutional law is upset.'' -- Paul Eggert Subject: Computer Privacy Amendment Urged Writing in today's 'Los Angeles Times' (p. A3), Henry Weinstein reports on one of the keynote addresses from this week's Conference on Computers, Freedom, and Privacy, sponsored by Computer Professionals for Social Responsibility. According to the article, renowned constitutional scholar Laurence Tribe called for a 27th Amendment to the US Constitution "in order to preserve privacy and other individual rights threatened by the spread of computer technology.... to cope with the many questions raised by the advent of 'cyberspace,' a place without physical walls, or even physical dimensions, where an increasing amount of the world's communication and business -- ranging from ordinary letters to huge global transfers of money -- is taking place, via computer and telephone lines." Further quotes from the article: "The existence of such a place creates all sorts of potential problems, Tribe noted, because the nation's constitutional order historically has carved up the social, legal and political universe along the lines of 'physical places' which, in many situations, no longer exist. There is a 'clear and present danger' that the Constitution's core values of freedom, equality and privacy will be 'metamorphosed into oblivion' unless policy-makers come to grips with the ramifications of technological change, Tribe said...." "The proposed new amendment would provide that the Constitution's protections for free speech and against unreasonable searches shall be fully applicable, regardless of the technological method or medium used to transmit, store, alter or control information. The point, he said, would be to make it clear that the Constitution, as a whole, 'protects people, not places.'... [N]ormally wary of Constitutional amendments, .... he said the computer revolution has created 'substantial gray areas' that need to be addressed." "Lance Hoffman, a George Washington University professor of computer science [And occasional RISKS contributor. And no relation to me! -- RH] said, .... 'We're casting about, because we're in a new age in our technological development, an age where a person can spend $1,000 and buy the computer equivalent of a Saturday Night Special and take down a large computer system.'" ------------------------------ Date: Fri, 29 Mar 91 14:47:47 PST From: Peter G. Neumann Subject: More on Computers, Freedom, and Privacy The Conference on Computers, Freedom, and Privacy (Tuesday through Thursday of this week, sponsored by CPSR and cosponsored by and in-cooperation with numerous other organizations including ACM groups and committees) at which Professor Lawrence Tribe spoke (see previous messages) had a broadly based interdisciplinary audience, including law enforcers, lawyers, developers, vendors, marketers, computer scientists, (nonpejorative-sense) hackers, as well as crackers, whackers, and snackers (pejorative-sense hackers), trackers, backers, flackers (journalists), claquers, EFF-ers Kapor and Barlow, and a video crew one of whom was fresh from the Academy Awards Monday evening. Very few quackers (who duck the hard issues) or slackers. It was one of the most enjoyable meetings I have ever attended. All of my notes on the first two days seem to have been lost somewhere in the hotel (I was keeping my comments on the back of a bunch of laser printout pages that I happened to have with me), so my plans to write a detailed summary for RISKS have been scratched unless someone found the pages and saved them. I hope that some other RISKS reader will do so. There were a lot of RISKSers there, and a lot of valuable discussion, including various people arguing -- for DIFFERENT REASONS -- why they did or did not think the proposed amendment was a good idea. Also, a formation meeting was held for a U.S. Privacy Council, hoping to help privacy and privacy legislation in the U.S. catch up with various other countries. I hope that the organizers of that Council will provide details in RISKS. ------------------------------ Date: Mon, 25 Mar 91 22:19:27 EST From: Brinton Cooper Subject: [Peter Marshall: Re: Privacy Updates] Perhaps someone is listening after all! Brint ----- Forwarded message # 1: Subject: Re: Privacy Updates Keywords: CallerID/Privacy/Legislation From: Peter Marshall Date: Thu, 21 Mar 91 11:52:24 PST Organization: The 23:00 News and Mail Service In Washington, HB1774, setting up a joint committee on privacy and information technology, passed the House Tuesday on a 98-0 vote and is now in the Senate Law & Justice Committee, which has not yet set a hearing date on the bill. Also in Washington, HB1489, on Caller ID, which had previously passed the House, will have hearings in the Senate Energy & Utilities Committee at 10 a.m. next Tuesday and Thursday. In that other Washington, Sen. Leahy has set up a task force on CallerID; the Kohl "blocking bill" has been re-introduced, and Rep. Markey has introduced HR1305, which although it merely requires per-call blocking of CallerID, also restricts re-use and disclosure of ANI-delivered information without informed consent. Peter Marshall halcyon!peterm@seattleu.edu The 23:00 News and Mail Service - +1 206 292 9048 - Seattle, WA USA ------------------------------ Date: Wed, 27 Mar 1991 10:40:59 PST From: Rodney Hoffman Subject: Legion of Doom's "Terminus" sentenced According to a story by Henry Weinstein in the 23 March 'Los Angeles Times', computer consultant Leonard Rose pleaded guilty to federal felony wire fraud charges for stealing UNIX source code and distributing Trojan horse programs designed to gain unauthorized access to computer systems. He will serve a year in prison. Rose, known as "Terminus", was alledgedly associated with the Legion of Doom "hacker group". In 1990, the Secret Service seized much of his computer equipment. ------------------------------ Date: Thu, 28 Mar 91 18:01:35 GMT From: Martyn Thomas Subject: Court allows appeal over computer error A UK computer company was fined #21,000 for misdeclaring #71,000 of VAT (turnover tax). The misdeclaration occurred because software errors in an accounts package led to May invoices being included in a tax return which should have only included invoices up to April. An appeal tribunal allowed the appeal against the fine, on the basis that the company had shown reasonable care in preparing the return, and was not aware of the bugs. Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK. Tel: +44-225-444700. Email: mct@praxis.co.uk ------------------------------ Date: Tue, 26 Mar 91 08:46:01 GMT From: Peter Kendell Subject: RISK of being honest ["surplus" FBI data] >From the Guardian newspaper, London, 26 March 1991 Secret FBI files sold off inside $45 surplus computers FBI informants given secret identities after testifying against the Mafia and other criminals may be at risk after the US Justice Department sold its computers without clearing the data banks. Last summer, Charles Hayes, of Lexington, Kentucky, paid $45 (about 25 pounds) for a surplus computer from the local Justice Department office. When he plugged it in, he found himself reading sealed grand jury indictments and the confidential report of an FBI investigation into organised crime. The computer contained information on FBI informants and witnesses who had been given new identities. When Mr Hayes informed the Justice Department, it sued him for return of the equipment, which came from the US Attorney's office. The federal government's watchdog office said it knew of many similar cases and urged the department to recover the rest. --- Agent Cooper, your secret is out! Seriously, though, what kind of incentive for honesty is it when someone points out to a goverment agency that they have made a serious security breach and they respond by suing him? It would have been nice if the article had told us whether action had been taken within the Justice Department to prevent future cock-ups. Peter [It struck me that I'd missed the greatest RISK in the story about the surplus computers holding highly confidential information. That is, that the Lexington Justice Department thought that, by recovering the computers with the sensitive data stored in them, they could also recover the data. I suppose the computers had removable media? PK] ------------------------------ Date: 23 Mar 91 09:05:00 EST From: "Selden E. Ball, Jr." Subject: USSR BBSList To: "virus-l" Cc: "risks" Gentle folk, Many people are doubtless already aware of this, but it came as a bit of a surprise to me. It is now possible to direct-dial computer bulletin boards in the USSR and eastern European countries. Many of them are already on FidoNet. The following list of BBSs was recently posted to a widely read news group. The potential transmission speed for computer viruses is increasing faster than your favorite comparison. sigh. Selden Ball seb@lns61.tn.cornell.edu ----------------------------- From: LNS61::WINS%"" 22-MAR-1991 18:56:05.24 To: SEB Subj: USSR BBSList Return-Path: Received: from vms.cis.pitt.edu by lns61.tn.cornell.edu with SMTP ; Fri, 22 Mar 91 18:55:52 EST Date: Fri, 22 Mar 91 17:07 EDT From: KIDSNET MAILING LIST Subject: USSR BBSList To: kids-l@vms.cis.pitt.edu Message-id: X-Envelope-to: seb@lns61.tn.cornell.EDU X-VMS-To: IN%"kids-l" Date: 15 Mar 91 23:01:15 EST From: Frank Topping <76537.1713@CompuServe.COM> Subject: USSR BBSList I thought some teachers might be interested in this - they're growing like wildfire & connectivity opportunities abound! -frank ..................... |Area : K12Net Sysops |From : Serge Terekhov 15-Mar-91 00:05:00 |To : All 15-Mar-91 17:28:42 |Subj.: Full list of USSR BBSes! Known USSR Bulletin Board Systems Version 10c of 3/13/91 Compilation (C) 1991 Serge Terekhov BBS name ! Data phone ! Modem ! FIDO addr -----------------------------!----------------!----------!------------ PsychodeliQ Hacker Club BBS +7-351-237-3700 2400 2:5010/2 Kaunas #7 BBS +7-012-720-0274 ? - Villa Metamorph BBS +7-012-720-0228 ? - WolfBox +7-012-773-0134 1200 2:49/10 Spark System Designs +7-057-233-9344 1200 2:489/1 Post Square BBS +7-044-417-5700 2400 - Ozz Land +7-017-277-8327 2400 - Alan BBS +7-095-532-2943 2400/MNP 2:5020/11 Angel Station BBS +7-095-939-5977 2400 2:5020/10 Bargain +7-095-383-9171 2400 2:5020/7 Bowhill +7-095-939-0274 2400/MNP 2:5020/9 JV Dialogue 1st +7-095-329-2192 2400/MNP 2:5020/6 Kremlin +7-095-205-3554 2400 2:480/100 Moscow Fair +7-095-366-5209 9600/MNP 2:5020/0 Nightmare +7-095-128-4661 2400/MNP 2:5020/1 MoSTNet 2nd +7-095-193-4761 2400/MNP 2:5020/4 Wild Moon +7-095-366-5175 9600/MNP 2:5020/2 Hall of Guild +7-383-235-4457 2400/MNP 2:5000/0 The Court of Crimson King +7-383-235-6722 2400/MNP 2:50/0 Sine Lex BBS +7-383-235-4811 19200/PEP 2:5000/30 The Communication Tube +7-812-315-1158 2400/MNP 2:50/200 KREIT BBS +7-812-164-5396 2400 2:50/201 Petersburg's Future +7-812-310-4864 2400 - Eesti #1 +7-014-242-2583 9600/MNP - Flying Disks BBS +7-014-268-4911 2400/MNP 2:490/40.401 Goodwin BBS +7-014-269-1872 2400/MNP 2:490/20 Great White of Kopli +7-014-247-3943 2400 2:490/90 Hacker's Night System #1 +7-014-244-2143 9600/HST 2:490/1 Lion's Cave +7-014-253-6246 9600/HST 2:490/70 Mailbox for citizens of galaxy +7-014-253-2350 1200 2:490/30 MamBox +7-014-244-3360 19200/PEP 2:490/40 New Age System +7-014-260-6319 2400 2:490/12 Space Island +7-014-245-1611 2400 - XBase System +7-014-249-3091 2400/MNP 2:490/40.403 LUCIFER +7-014-347-7218 2400 2:490/11 MESO +7-014-343-3434 2400/MNP 2:490/60 PaPer +7-014-343-3351 1200 2:490/70 -----------------------------!----------------!----------!------------ |--- Maximus-CBCS v1.02 | * Origin: The Court of the Crimson King (2:50/0) .................................................. Frank Topping, sysop Sacramento Peace Child - NorCal K-12Net Feed (916)451-0225 (1:203/454) conference moderator: "The Educational Exchange Conference" - "OERI" BBS (800)222-4922 operated by: Office of Educational Research and Improvement - (OERI) U.S. Dept. of Education, Washington, D.C. ------------------------------ Date: Sat, 23 Mar 91 12:40 xxT From: [anonymous] Subject: A Consciously Chosen Risk Even in time of personal loss there are lessons learned that might be helpful to others. In this case I'm not exactly sure what the lesson is, but the RISK is readily apparent. My mother-in-law died recently and my wife and I have the burden of handling all the financial and legal details. Among those were notifying Social Security, two state-run pensions, and two insurance carriers (Blue Cross and the Medicare carrier.) All of the details were handled over the phone -- we did not have to send in any proof of death or even just a letter. (It happens that one of the state pensions has someone who reads the obituary column and had already started the necessary action for that account, but presumably they don't read every small town newspaper.) In all cases all we had to give was her name and social security number. The RISK is obvious: if one wanted to harass someone who was dependent on social security and pensions all one would need do is phone in and pose as some relative and announce their death. (getting the SSN shouldn't be hard.) When I realized during my first call (to Social Security) what the situation was I asked the person I was talking to about it. He replied that they had quite consciously decided to place as little extra burden as possible on what are usually still grieving relatives, even though they knew the risk involved. He pointed out that had there been survivors' benefits involved (which there weren't), proof would have had to be supplied. It should also be noted that in each case a letter will be sent to the address of record, so if there were a harassment it would presumably be discovered quickly. I'm not too sure however that the way that is handled is not without its flaws: one of the places we called asked if they had the right address; since in all cases the address had already been changed to ours I don't know if the others would have asked or given us an opportunity to change it to prevent the letter from going to the last known address. (We also stopped the telephone service the same way, supplying only the phone number and confirming the name and address.) ------------------------------ Date: Mon, 25 Mar 91 12:38:00 EST From: jchernia@NSF.GOV Subject: Compass 1991 Program [EXCERPT. EMail to jchernia for details.] COMPASS '91 6th Annual Conference on Computer Assurance National Institute of Standards and Technology, Gaithersburg, MD June 24-28, 1991 Sponsored by IEEE National Capital Area Council & IEEE Aerospace and Electronic Systems Society COMPASS '91 PRE-CONFERENCE TUTORIALS, Monday, June 24th 0900 Registration for Tutorial 1 1000 Tutorial 1: Safe Systems--A Disciplined Approach John McDermid, University of York John Cullyer, University of Warwick 1200 Lunch; Registration for Tutorial 2 1300 Tutorial 1: Safe Systems--A Disciplined Approach (continued) Tutorial 2: Software Safety Analysis--Linking Fault Trees and Petri Nets Janet Gill, Patuxent River Naval Air Test Center 1700 Close of tutorials Safe Systems--A Disciplined Approach Professor John McDermid, University of York, and Professor John Cullyer, University of Warwick, will discuss the integration of formal methods into the life cycle development of safety-critical software. Professor McDermid will discuss the safety life cycle and the safety analysis of software. Professor Cullyer will discuss the integration of formal methods during the requirements and specification phases, design phases (including hardware), and the verification and validation phase. Finally, Professor McDermid will discuss the skills, education and training required to apply formal methods to safety-critical software. Software Safety Analysis--Linking Fault Trees and Petri Nets Independently, fault trees and Petri nets serve limited evaluation purposes in safety-critical systems. This tutorial presents a technique for converting and linking fault tree analysis (FTA) with Petri net modeling and vice versa. This technique permits the analyst to determine if a software fault can be reached be analyzing the software in detail with FTA. COMPASS '91 PROGRAM, Tuesday, June 25th 0800 Registration 0900 Opening Remarks, General Chair, Lt. Col. Anthony Shumskas, Office of the Secretary of Defense, Department of Defense 0915 Honorary Chair Address 0930 Keynote Address, David L. Parnas, Queens University 1030 Break 1100 Conference Topic Panel: Educating Computer Scientists for the Year 2000 Chair, John Cherniavsky, National Science Foundation David L. Parnas, Queens University Peter J. Denning, NASA Ames Research Center William L. Sherlis, DARPA John A. McDermid, University of York/British Computer Society Bruce Barnes, National Science Foundation Raymond Miller, University of Maryland 1245 Lunch 1345 Panel (continued) 1515 Break 1545 Questions from the audience to panel members 1830 Cocktail Reception/Banquet (Holiday Inn) The Accidents of Life--From Conception to Our Last Moments John Cullyer, University of Warwick COMPASS '91 PROGRAM, Wednesday, June 26th 0800 Registration 0830 Computer Related Risk of the Year: Weak Links and Correlated Events Peter G. Neumann, SRI International 0915 SESSION 1: EUROPEAN ECONOMIC COMMUNITY '92 PERSPECTIVES Chair, John Cullyer, University of Warwick Computer Software and Aircraft J. Peter Potocki de Montalk, Airbus Industrie Some Results From DRIVE Thomas Buckley, University of Leeds 1015 Break 1045 SESSION 2: HOW INDUSTRY TRAINING IN COMPUTER ASSURANCE CAN BE IMPROVED THROUGH EDUCATION Chair, Diane Jachinowski, Nellcor Peter G. Neumann, SRI International J. Alan Taylor, British Computer Society Claire Lohr, Lohr Systems William Junk, University of Idaho 1245 Lunch 1345 SESSION 3A: CERTIFICATION AND SAFETY OF CRITICAL SYSTEMS Chair, Michael Brown, Naval Surface Warfare Center Certification of Production Representative/Production Software Intensive Systems for Dedicated Test and Evaluation Lt. Col. Anthony F. Shumskas, Office of the Secretary of Defense Interrelationships of Problematic Components of Safety-Related Automated Information Systems Morey J. Chick, General Accounting Office A Case-Study of Security Policy for Manual and Automated Systems Edgar H. Sibley, James B. Michael, and Ravi Sandhu George Mason University 1515 Break 1545 SESSION 3B: CERTIFICATION AND SAFETY OF CRITICAL SYSTEMS (CONTINUED) Safety Criteria and Model for Mission-Critical Embedded Software Systems R. A. Gove and Janene Heinzman, Booz Allen, and Hamilton A Case-Study on Isolation of Safety-Critical Software Edward A. Addy, Logicon, Incorporated 1830 Birds of a Feather Meeting (Holiday Inn) Presentation: Software Development Methods in Practice J. V. Hill, Rolls-Royce and Associates Limited COMPASS '91 PROGRAM, Wednesday, June 26th 0800 Registration 0830 Day's Keynote: High Assurance Computing H. O. Lubbes, Naval Research Laboratory 0900 SESSION 4A: FORMAL METHODS Chair, Andrew Moore, Naval Research Laboratory Report on the Formal Specification and Partial Verification of the VIPER Microprocessor Bishop Brock and Warren A. Hunt, Computational Logic, Incorporated Using Correctness Results to Verify Behavioral Properties of Microprocessors Phillip J. Windley, University of Idaho Estella: A Facility for Specifying Behavorial Constraint Assertions in Real-Time Rule-Based Systems Albert Mo Kim Cheng, University of Houston; and James C. Browne, Aloysius K. Mok, and Rwo-Hsi Wang, University of Texas at Austin 1000 Break 1030 SESSION 4B: FORMAL METHODS (CONTINUED) Design Strategy for a Formally Verified Reliable Computing Platform Ricky Butler and James L. Caldwell, NASA Langley Research Center; and Ben L. De Vito, Vigyan, Inc. Specifying and Verifying Real-Time Systems Using Time Petri Nets and Real-Time Temporal Logic Xudong He, North Dakota State University Developing Implementations of Estelle Specifications Using the PEDS Toolkit William Majurski, NIST 1245 Lunch 1345 SESSION 5: US AND INTERNATIONAL SPONSORED INITIATIVES Chair, H. O. Lubbes, Naval Research Laboratory NIST: Workshop on Assurance of High Integrity Software Dolores R. Wallace, D. Richard Kuhn, NIST, and John Cherniavsky, National Science Foundation NASA Langley: Research Program in Formal Methods Ricky Butler, NASA Langley Research Center 1445 Break 1515 SESSION 6: RISK CONTAINMENT PLANNING AND QUALITY MEASUREMENTS Chair, Michael Brown, Naval Surface Warfare Center Planning and Implementing and IV&V Program in a Large Scale DoD Software Development Program Florence Sippel and Kevin Mello, Naval Underwater Systems Center Quality and Security, They Work Together Richard Carr, Marie Tynan, NASA Headquarters; and Russell Davis, PRC, Inc. Data Collection and Descriptive Analysis: A First Step for Developing Quality Software Anita Shagnea, Kelly Hayhurst, and B. Edward Withers, Research Triangle Park Fault Locator and Weighting System Jeffrey Bulow, General Electric, Syracuse 1715 Closing Remarks Friday, June 28th 0830 - 1400 Forum: US and International Standards for High Integrity Systems (DoD, Government, and Industry) Chair, Dolores Wallace, National Institute of Standards and Technology [The packet was very long, including registration and hotel information. You may get the complete version from John, or even from me. PGN] ------------------------------ End of RISKS-FORUM Digest 11.35 ************************