[comp.risks] RISKS DIGEST 9.39

risks@CSL.SRI.COM (RISKS Forum) (11/08/89)

RISKS-LIST: RISKS-FORUM Digest  Tuesday 7 November 1989   Volume 9 : Issue 39

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Computer used to find scofflaws in Boston (Barry C. Nelson)
  Air Traffic in Leesburg VA (PGN)
  Equinox TV Documentary on "Fly By Wire" (Brian Randell)
  Lifethreatening risk! (related to Soviet PCs) (Julian Thomas)
  New computer risk: child abuse data base proposed (W. K. (Bill) Gorman)
  Dangers of mail aliases (Jonathan Leech)
  Committee report on Bugs (Bob Morris)
  Computer Viruses Attack China (Yoshio Oyanagi)
  First Virus Attack on Macs in Japan (Yoshio Oyanagi)
  NTT Challenges Hackers (Mark H. W.)
  Even COBOL programmers need to know about range checking. (Bryce Nesbitt)
  Unix Expo Power Failure (Jan I Wolitzky)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
TO FTP VOL i ISSUE j:  ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
  cd sys$user2:[risks]<CR>get risks-i.j .  Vol summaries now in risks-i.0 (j=0)

----------------------------------------------------------------------
 
Date: Sun, 5 Nov 89 13:14:43 EST
From: "Barry C. Nelson" <bnelson@ccb.bbn.com>
Subject: Computer used to find scofflaws in Boston

A news article in the Boston Globe [last Sunday 29 October, with photo]
describes a new computer system, named Argus (after a mythical multi-eyed and
vigilant beast), which is being used to catch local drivers with stolen license
plates.  The innovation is that a sensor is used to observe license plates and
a program turns the image into numbers (so they claim).  A database is then
searched and a match signalled to the operator.  The system is set up at a toll
booth at the harbor tunnel and the suspect is somehow pulled over by the State
Police at the other end as the car emerges.

The article goes on to quote the operators as saying they have proven the
system "works" by matching on six offenders in one day.  Unfortunately, five of
the six were errors caused by Registry backlog or other policy inconsistencies
such as re-using old numbers for new car owners.  The sixth case was bona fide.

Their current experiment uses one camera and a floppy database of some 40,000
registrations. They say they are looking forward to installing the list of
200,000 suspended licenses or registrations and increasing the number of
cameras to enable them to watch all eight lanes. 

When five out of six hits are human errors, imagine the complaints! It can be
very humiliating to be hauled out of your car and treated like a felon.  This
could turn out to be embarrassing for the overworked database managers.

At least we can look forward to less tunnel traffic someday as Argus evaders
find alternate routes.

BCNelson                         "Opinions contained herein are my own, etc..."

------------------------------

Date: Tue, 7 Nov 1989 12:17:57 PST
From: Peter G. Neumann <neumann@csl.sri.com>
Subject: Air Traffic in Leesburg VA

Friday evening's air traffic around Washington DC was awful.  As most of you
now know, both the primary computer system AND the backup were seriously
degraded for at least two hours during the evening rush hour, stacking up and
backing up air traffic extensively.  (I was in DC that day.  I'm at MIT today,
Home tonight, hopefully.) The scuttlebutt seems to blame a buffer overflow, but
I hope someone can contribute the real inside story.

------------------------------

Date: Mon, 6 Nov 89 14:28:39 BST
From: Brian Randell <Brian.Randell@newcastle.ac.uk>
Subject: Equinox TV Documentary on "Fly By Wire"

Last night the one-hour TV documentary in the Equinox series, entitled "Fly By
Wire" was shown on Channel 4 in the UK. Since it was identified as "A Box
Production for Channel 4, in association with WGBH/Boston, copyright 1989", I
assume it will soon be shown in the States; I recommend looking out for it.

In my opinion it provided a reasonably complete and well-balanced (and also
visually very attractive) account of the various incidents and opinions
surrounding the A320, using a lot of well-chosen film clips, together with
interviews with, or at least "sound-bites" from, about twenty different people.

From Airbus Industrie there was Bernard Ziegler (VP Engineering), Roger
Betaille, and Gordon Corps (Engineering Test Pilot) and, from Aerospatiale,
Gilles Pichon (Chief Engineer A320) and Jacques Troy (Flight Control Manager).
Four A320 pilots took part, including Michel Asseline, who alleged that his
crash was due to the control-system over-riding his command to the plane to
ascend. (The others were somewhat critical of the flight control system, but
did not back up this allegation.)

The computing science community was represented by Mike Hennell, Bev
Littlewood, John Knight, and John Cullyer. There were also representatives from
Boeing, the FAA, CAA and DGAC, and Flight International.

The overall impression given was (i) that Airbus had been rather daring in
introducing fly-by-wire, but had probably got away with it, and (ii) that their
rivals would now follow suit, but that the next logical step, that of active
control, was even more controversial and should not be rushed.

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne, UK

------------------------------

Date: 07 Nov 89 21:14:32 EST
From: Julian Thomas <72355.20@CompuServe.COM>
Subject: Lifethreatening risk! (related to Soviet PCs)

Seen on another news digest service (not in the original):
 
From the Financial Times and the Daily Telegraph (UK) - articles about the
Soviet Union studying a proposal to import lots of PC equipment for educational
use.  "The soaring demand for scarce PCs has swollen the Soviet crime rate, and
PC owners have even been murdered for their machines."
 
Lock up your machines, gang, and compute only in the dark!   
                                                              Julian Thomas
 
------------------------------

Date:         Wed, 01 Nov 89 08:32:26 EST
From: "W. K. (Bill) Gorman" <34AEJ7D@CMUVM.BITNET>
Subject:      new computer risk: child abuse data base proposed

     According to a news release heard a day or two ago, MI is now considering
legislation permitting local communities to establish and maintain data bases
of "suspected" child abusers, or those meeting another of the nebulous
"profiles" used to identify all sorts of persons and ethnic groups in our
society. Aside from permitting hearsay from neighbors, teachers, co-workers,
associates and assorted third parties to be entered and disseminated about any
particular individual or family, the framers of this legislation are also
attempting to gain back-door access to medical records. One profile criterion
disclosed for "identifying" child abusers is use of multiple doctors/hospitals
by the same family.  Physicians are threatened with legal sanctions for not
reporting the simple fact that one or another patient HAS SEEN ANOTHER
PHYSICIAN without their knowledge/blessing. I don't think that implies any sort
of involvement by Physicians or the AMA in this legislation.

Obviously, the privacy considerations and potential for misuse and/or
malicious use, such as slanderous reports by neighbors against an unpopular
neighborhood resident, inherent in this legislation are enormous.

------------------------------

Date: Wed, 1 Nov 89 18:43:52 EST
From: Jonathan Leech <leech@cs.unc.edu>
Subject: Dangers of mail aliases

    Yesterday, I was surprised to find over a dozen messages from the internal
technical mailing list of a company I worked for in 1982 in my inbox.  As it
turned out, the reason was that the mail alias a friend at this company used
for me was duplicated in the systemwide alias file for a new employee.
Fortuitously, nothing which was a sensitive matter (save for their code
indenting style :-) happened to be discussed in the block of messages I
received.

    Jon Leech (leech@cs.unc.edu)


------------------------------

Date:  Fri, 3 Nov 89 10:05 EST
From: RMorris@DOCKMASTER.NCSC.MIL
Subject:  Committee report on Bugs

The congressional committee on Science, space, and technology issued
this week a staff study entitled "Bugs in the Program:  Problems in
Federal Government Computer Software Development and Regulation".  It is
worth reading for those interested in risks.  It is 33 pages long and I
am not about to type any part of it in.  It is available from the Sup of
Documents, Congressional Sales Office, U.S.G.P.O, Wash., D.C.  20402.
It does not have a reference number.

------------------------------

Date: Mon, 6 Nov 89 12:15:25+0900
From: Yoshio Oyanagi <oyanagi@is.tsukuba.ac.jp>
Subject: Computer Viruses Attack China

     Ministry of Public Safety of People's Republic of China found this
summer that one tenth of the computers in China had been contaminated by
three types of computer virus:  "Small Ball", "Marijuana" and "Shell", China
Daily reported.  The most serious damage was found in the National
Statistical System, in which "Small Ball" spread in 21 provinces.
In Wuhan University, viruses were found in *ALL* personal computers.
     In China, three hundred thousand computers (including PC's) are in
operation.  Due to premature law system the reproduction of software is not
regulated, so that computer viruses can easily be propagated.  Ministry of
Public Safety now provides "vaccines" against them.  Fortunately, those viruses
did not give fatal damage to data.
                                   Yoshio Oyanagi, University of Tsukuba, JAPAN

------------------------------

Date: Tue, 7 Nov 89 57:07:09+0900
From: Yoshio Oyanagi <oyanagi@is.tsukuba.ac.jp>
Subject: First Virus Attack on Macs in Japan

First Virus Attack on Macs in Japan

     Six Macs in University of Tokyo, Japan, were found to have caught
viruses, newspapers and radio reported.  Since this September, Prof. K. Tamaki,
Ocean Research Institute, University of Tokyo, has noticed malfunctions on the
screen.  In October, he applied vaccines "Interferon" and "Virus Clinic" to
find his four Mac's were contaminated by computer viruses, "N Virus" type A and
type B.  He then found ten softwares were also infected by viruses.  A Mac of
J. Kasahara, Earthquake Research Institute, University of Tokyo, was also found
to be contaminated by N Virus and Score Virus.  Those are the first reports of
real viruses in Japan.

     Later it was reported that four Mac's in Geological Survey of Japan, in
Tsukuba, were infected by N Virus Type A.  This virus was sent from U. S.
together with an editor.
                                        Yoshio Oyanagi, University of Tsukuba

------------------------------

Date: 1 Nov 89 21:55:26 GMT
From: markw@gvl.unisys.com
Subject: NTT Challenges Hackers

[A copy of the following article appeared on one of our bulletin boards here
 at work. I have no idea when or where it was originally published - MHW]

NTT: Calling All Hackers

Tokyo - Nippon Telegraph and Telephone Corp. has issued a provocative
challenge: the Japanese communications giant will give 1 million yen
($6803) to any computer hacker anywhere in the world who can break its
FEAL-8 data communications security code by August 1991. Why the unusual
move? The company wants to debunk a rumor circulating in Europe that
its security code has been cracked. The FEAL-8 code, developed by NTT in
1986, is widely used in Japan and overseas to protect datacom systems and
integrated circuit cards from illegal access.


------------------------------

Date: Fri, 3 Nov 89 17:40:53 EST
From: bryce@cbmvax.commodore.com (Bryce Nesbitt)
Subject: Even COBOL programmers need to know about range checking.

Last week I received this letter from my bank:

    GREAT NEWS FOR THE HOLIDAYS!

    Dear Bryce C. Nesbitt:

           You are important to us.  And, because of the excellent way you've
   handled your finances, we are pleased to increase the credit limit on your
   Meridian Open Line of Credit to $0.  Now you have more buying power when you
   need it most - in time for the holidays.				...

Thanks a lot.  Before the promotion my credit limit was $5,000.00.  The rest
of the letter talked about the free Mini-Vac that could be mine if I'd just
borrow $1,000 (funny, there was no mention of the over-limit penalty :-).  

The bank had little to say about the event.  I assume the calculation was
based on a number of factors, including the "high credit" on the account.
Since I have never drawn on this account, high credit would be zero.

------------------------------

Date: Fri,  3 Nov 89 15:17:10 EST
From: wolit@mhuxd.att.com (Jan I Wolitzky)
Subject: Unix Expo Power Failure

I was strolling through the Unix Expo show at the Javits Center in NY this
morning, shortly after it opened for its third and final day, when all the
power went out.  My first reaction was that, boy, now we're gonna get to see
whose systems really ARE uninterruptible.  My second reaction was that there
must be a VMS hack around somewhere.  My third reaction, after it became clear
that the lights weren't coming back on right away, was to move toward the
daylight at the front of the convention center, with disturbing thoughts of
panicked crowds, the San Francisco earthquake, and other paranoia in mind.  As
I approached the front of the hall, the big steel roll-up overhead doors
started coming down.  Quite a few people, apparently believing that their only
exit was disappearing, rushed forward and ducked under the closing doors.  It
turned out that there were lots of other, conventional exit doors still
available, but it still seemed to me a poor choice of failure mode: when the
power fails (who knows, maybe because of a fire or other condition
necessitating evacuation), close off the biggest and most obvious escape route.
There was no panic this time, but after more than an hour, there was no power,
either, so I gave up on the show.  On the bus back, I was reading the issue of
Unix Today that was being handed out at the show.  A non-cover story described
some of the problems experienced by the people who tried to set up an operating
network (Ethernet?) at the show: apparently, some vendors were using unassigned
net addresses, so that they could access other systems, but their competitors
couldn't access theirs. And then there was the problem they had in actually
laying the cable: normally a 4-hour job, it turned out that in NYC, it had to
be performed by members of the Electrical Workers Union, who took 36 hours to
do it.  I found the juxtaposition of the appearance of a story blasting the
Electrical Workers Union and the power failure to be curious....

Oh yes, almost forgot, Unix is a registered trademark of AT&T.

Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998
    att!mhuxd!wolit or jan.wolitzky@att.com
(Affiliation given for identification purposes only)

------------------------------

End of RISKS-FORUM Digest 9.39
************************