[comp.risks] RISKS DIGEST 8.56

RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (04/14/89)

RISKS-LIST: RISKS-FORUM Digest  Thursday 13 April 1989   Volume 8 : Issue 56

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Student grants debited instead of credited (John Harper)
  Electronic Truant Officers (Mike McNally)
  "Virus" arrest in New Jersey (A. Michael Berman)
  H.D. Thoreau on Risks of Believing Computations (David A Honig)
  Knowledge and Power (David Guaspari)
  "Malicious" computers? (Clifford Johnson)
  Re: Infallible Computers and Mason (Jack Holleran)
  HP MPE V/E Batch Security (Brown)
  More on the Sun 386i security hole (David C. Kovar via Alan Wexelblat)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com.  FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) /
  get stripe:<risks>risks-i.j ... (OR TRY cd stripe:<risks> / get risks-i.j ...
  Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99).

----------------------------------------------------------------------

Date: Thu, 13 Apr 89 16:58:30 NZT
From: John Harper <HARPER@rs1.vuw.ac.nz>
Subject: Student grants debited instead of credited

Student grants in New Zealand are now paid by direct credit from the
university's bank account to the student's. On Tuesday Victoria University sent
a tape with the details to its bank, the Bank of NZ, which passed it on to
Databank, the NZ banks' centralised computer centre. One (human) error meant
the university was apparently asking for debits of a total of about $2,000,000
from some 4700 students instead of credits to their accounts.  Databank did
this although of course the university was not authorised to debit the
students.  According to today's "Dominion" newspaper BNZ may have spotted the
error. On Wednesday a certain amount of chaos ensued, with students' banks
saying all their cheques would be honoured that day and no overdraft fees
applied.  Corrections were made that night. It seems that Databank had no
senior staff on duty on Tuesday night when the wrong transactions occurred, and
guessed wrong on finding conflict between BNZ and Victoria University of
Wellington instructions.
     
John Harper, Mathematics Department, Victoria University, Wellington, NZ

------------------------------

Date: Thu, 13 Apr 89 11:18:43 PDT
From: m5@lynx.uucp (Mike McNally)
Subject: Electronic Truant Officers

During a recent episode of the PBS series "Learning in America", the cameras
were taken through a trade show at which computer and software vendors pitched
high-tech teaching aids to school board purchasing agents.  Aside from possible
(and clearly debatable) RISKs to the brains of American schoolchildren (my
child was taught by a computer; she must always be right!), a more ominous idea
was presented.  A company whose name I cannot recall was demonstrating a
software system to track attendance.  It included a feature whereby parents
would be automatically notified (by mail, I suppose) of their children's
absences:

  "Where were you last week?!?"
  "In school, mom!"
  "Wrongo!  The school computer says you were absent 12 days last week!" 
  (**whack**)

Mike McNally, Lynx Real-Time Systems 

                    [Incorporeal banishment leads to corporal punishment!  PGN]

------------------------------

Date: Thu, 13 Apr 89 10:03:47 EDT
From: berman@pilot.njin.net (A. Michael Berman)
Subject: "Virus" arrest in New Jersey

From the Phila. Inquirer, April 12, 1989.  Page One, New Jersey/Metro section. 

"Ex-worker charged in virus case -- Databases were alleged target",
by Jane M. Von Bergen, Inquirer Staff Writer

A former employee was charged yesterday with infecting his company's computer
database in what is believed to be the first computer-virus arrest in the
Philadelphia area.

"We believe he was doing this as an act of revenge," said Camden County
Assistant Prosecutor Norman Muhlbaier said [sic] yesterday, commenting on a
motive for the employee who allegedly installed a program to erase databases at
his former company, Datacomp Corp. in Voorhees [N.J.].

Chris Young, 21, of the 2000 block of Liberty Street, Trenton, was charged in
Camden County with one count of computer theft by altering a database.
Superior Court Judge E. Stevenson Fluharty released Young on his promise to pay
$10,000 if he failed to appear in court.  If convicted, Young faces a 10-year
prison term and a $100,000 fine.  Young could not be reached for comment.

"No damage was done," Muhlbaier said, because the company discovered the virus
before it could cause harm.  Had the virus gone into effect, it could have
damaged databases worth several hundred thousand dollars, Muhlbaier said.

Datacomp Corp., in the Echelon Mall, is involved in telephone marketing.  The
company, which has between 30 and 35 employees, had a contract with a major
telephone company to verify the contents of its white pages and try to sell
bold-faced or other special listings in the white pages, a Datacomp company
spokeswoman said.  The database Young is accused of trying to destroy is the
list of names from the phone company, she [sic] said.

Muhlbaier said that the day Young resigned from the company, Oct. 7, he used
fictitious passwords to obtain entry into the company computer, programming the
virus to begin its destruction Dec. 7 --- Pearl Harbor Day.  Young, who had
worked for the company on and off for two years --- most recently as a
supervisor --- was disgruntled because he had received some unfavorable
job-performance reviews, the prosecutor said.

Eventually, operators at the company picked up glitches in the computer system.
A programmer, called in to straighten out the mess, noticed that the program
had been altered and discovered the data-destroying virus, Muhlbaier said.
"What Mr. Young did not know was that the computer system has a lot of security
features so they could track it back to a particular date, time and terminal,"
Muhlbaier said.  "We were able to ... prove that he was at that terminal."
Young's virus, Muhlbaier said, is the type known as a "time bomb" because it is
programmed to go off at a specific time.  In this case, the database would have
been sickened the first time someone switched on a computer Dec. 7, he said.

[note -- it makes me kind of sick to see the term "sickened" applied to a
database... sigh]

Norma Kraus, a vice president of Datacomp's parent company, Volt Information
Sciences Inc, said yesterday that the company's potential loss included not
only the databases, but also the time it took to find and cure the virus.  "All
the work has to stop," causing delivery backups on contracts, she said.  "We're
just fortunate that we have employees who can determine what's wrong and then
have the interest to do something.  In this case, the employee didn't stop at
fixing the system, but continued on to determine what the problem was." [hear,
hear!]

The Volt company, based in New York, does $500 million worth of business a year
with such services as telephone marketing, data processing and technical
support.  It also arranges temporary workers, particularly in the
data-processing field, and installs telecommunication services, Kraus said.

  [As usual, everything is now a `virus', even a nonreplicating timebomb.  PGN]

------------------------------

Date: Thu, 13 Apr 89 17:28:16 -0700
From: David A Honig <honig@BONNIE.ICS.UCI.EDU>
Subject: H.D. Thoreau on Risks of Believing Computations

From Walden, Ch. 1 "Economy":

..to keep yourself informed of the state of the markets, prospects of war and 
peace every where, and anticipate the tendencies of trade and civilization,
--taking advantage of the results of all exploring expeditions, using new
passages and all improvements in navigation; ---charts to be studied, the
position of reefs and new lights and buoys to be ascertained, and ever, and
ever, the logarithmic tables to be corrected, for by error of some calculator
the vessel often splits upon a rock that should have reached a friendly pier...

------------------------------

Date: Thu, 13 Apr 89 15:26:23 EDT
From: oravax!nestor.UUCP!davidg@wrath.cs.cornell.edu
Subject: Knowledge and Power

Corrections to some semi-philosophical remarks in a recent posting:
Hugh Miller, Not Secure Agencies, in RISKS-8.55:

> The classical philosophers held that knowledge is power.

If we give "classical" its usual meaning, no such philosopher "held
that power is knowledge" (or, at any rate, none known to me).  The
famous aphorism comes from Bacon, and what he was doing was proposing
a radically new definition: that nothing counts as true knowledge
unless it enables us to intervene in and control the material world.
All the rest was mumbo-jumbo.  This was part of an explicit attack on
(more or less) everybody who preceded him, especially the Schoolmen.

Note: There's a meta-problem with phrases like "the classical
philosophers [believed this or that]" -- for the simple reason that
there were many different ones, and they often disagreed.

> 'Information' in the modern sense is much more structured ...
> than the classical notion of 'knowledge' allowed.

Comparing information and knowledge is like asking whether the fatness of a pig
is more or less green than the designated hitter rule.  Let's take Plato and
Aristotle as exemplars of "classical" views on "knowledge."  For both of them,
knowledge concerns the highest truths about the cosmos and mankind's place in
it, and is aspired to by the very best kind of human being.  Such cannot be
said of lists of social security numbers.
                                                  David Guaspari

------------------------------

Date:      Thu, 13 Apr 89 16:45:19 PDT
From: "Clifford Johnson" <GA.CJJ@Forsythe.Stanford.EDU>
Subject: "Malicious" computers?

From: ficc!peter@uunet.UU.NET
> One thing to bear in mind is that the computer can be mistaken, but
> it can't be malicious. The computer program won't deliberately try to defraud

Hmmm. Depends on your definition of "malicious."  A large bank I worked for was
found in court to have programmed its computers so as to systematically defraud
its customers of their full compound interest. Whether the program into which
the fraud was built was "malicious" is largely a matter of terminology.

Let me turn the issue around somewhat - can a computer recognize "malice" in a
person?  Believe it or not, some computerized psychological tests (that are
regularly admissible in court as evidence) purport to be able to diagnose
malicious tendencies.  I was once compelled by a court to submit to such an
examination, despite my academic protest that such tests were scientifically
invalid (which was established statistically in the 1960s).

The computer reported that I didn't have a sense of humor, which I still find
amusing.  However, the widespread use of such tests is definitely not amusing.

------------------------------

Date:  Thu, 13 Apr 89 10:06 EDT
From: Jack Holleran <Holleran@DOCKMASTER.NCSC.MIL>
Subject:  Re: Infallible Computers and Mason (RISKS-8.54)

  In reference to Dave Curry's response about the guy on the stand.  Mason
doesn't have to prove he was guilty of the crime; he has to prove that his
client is not guilty.  Ergo, it wouldn't matter if the guy on the stand denied
everything and forced Mason to prove anything.  The bottom line is Mason by
discussing the "directory" could introduce some doubt to the District
Attorney's argument.  Normally, if the case is not provable "beyond a
reasonable doubt", a verdict of "not guilty" is usually given.

  Of course, since Mason always does such a good job, the DA doesn't have to
work hard for the next trial.  But then again, Mason might defend the "guilty"
guy successfully since "was the directory acquisition legal"?

  So much for supporting Mason writers...

  I agree strongly with Dave's arguments since many people do accept computer
printouts as infallible facts and gospel.  I wonder how many RISK debates
are accepted because they appear in the RISK forum...  I also wonder how many
people use the RISKS forum discussions/debates to support local opinions...
The computer word/document/listing has become a very powerful tool (just like
statistics) and many people use it to their advantage.

Jack Holleran (This is strictly an opinion not based on anything legal.)

------------------------------

Date: Thu, 13 Apr 89 08:43:46 -0700
From: brown@aerospace.aero.org
Subject: HP MPE V/E Batch Security

I'd like to respond to a posting by Brian McMahon, Administrative Computing,
University of Maryland in which he states:  "May I add to the list of flagrant
security violators the Hewlett Packard Corporation? Under MPE/V (the current OS
for HP/3000 machines), all batch jobs must begin with a JOB card (those of you
living in the late 1980s, substitute "line of text") which contains user and
group passwords in plain text.

  "Interestingly, one of our systems programmers (who shall remain nameless)
spoke of this as a FEATURE, because it allows users to submit batch jobs
for other accounts!"

The C2 evaluated version of MPE V/E, which was announced in October of 1988,
allows the security administrator to configure the system to remove this
vulnerability.  In particular, to quote from the Final Evaluation Report:

  "Prevention of password exposure in batch submissions is effected by
rejecting embedded passwords in job cards, prohibiting cross streaming
[mentioned in the second paragraph above], and allowing System Manager and
Account Manager to stream subordinate's jobs, and a user to stream one's own
jobs, without having to supply passwords.  A privileged interface, STREAMJOB,
is provided which allows privileged mode programs to start jobs without having
to supply passwords."

Obviously, word hasn't gotten out to everyone about how the C2 secure version
of MPE V/E works, but I know it does since I was team leader of the National
Computer Security Center evaluation team.  It is true that a customer must pay
extra to get the Security Configurator software which will turn on the above
features, but the ability to prevent job STREAMing with exposed passwords is
there in all versions of release G.03.04 and later.  You have to have the
Security Configurator to configure it that way; otherwise it will default to
the previous way of handling STREAMing, which requires embedded passwords.
This is known as backward compatibility, and HP is hardly the first company to
worry about that.
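
A small model of the batch-submission policy in the Final Evaluation Report
quote above, added here as an illustration; it is not HP's code and not part
of the original posting.  The JOB card form, the Submitter type and the
reading of "subordinate" (System Manager: any user; Account Manager: users in
the same account) are assumptions, and the sample cards are constructed.

```python
import re
from dataclasses import dataclass

# Assumed card form: !JOB [jobname,]user[/upass].acct[/apass][,group[/gpass]]
CARD = re.compile(
    r"^[!:]JOB\s+(?:(?P<job>\w+),)?"
    r"(?P<user>\w+)(?:/(?P<upass>\w+))?"
    r"\.(?P<acct>\w+)(?:/(?P<apass>\w+))?"
    r"(?:,(?P<group>\w+)(?:/(?P<gpass>\w+))?)?",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Submitter:                      # hypothetical type for this example
    user: str
    account: str
    system_manager: bool = False
    account_manager: bool = False

def check_stream(card: str, who: Submitter) -> tuple[bool, str]:
    """Decide whether `who` may stream the job described by `card`."""
    m = CARD.match(card.strip())
    if not m:
        return False, "not a JOB card"
    # Embedded passwords are rejected for everyone, managers included,
    # so a job file never needs to hold a secret in plain text.
    if any(m[k] for k in ("upass", "apass", "gpass")):
        return False, "embedded password rejected"
    user, acct = m["user"].upper(), m["acct"].upper()
    if (user, acct) == (who.user.upper(), who.account.upper()):
        return True, "own job"
    if who.system_manager:
        return True, "system manager streaming subordinate"
    if who.account_manager and acct == who.account.upper():
        return True, "account manager streaming subordinate"
    # Anyone else naming another user's logon is cross streaming.
    return False, "cross streaming prohibited"

if __name__ == "__main__":
    clerk = Submitter("CLERK", "PAYROLL")
    for card in ("!JOB NIGHTLY,CLERK/SECRET.PAYROLL/HUSH,PUB",
                 "!JOB NIGHTLY,CLERK.PAYROLL,PUB",
                 "!JOB NIGHTLY,MGR.PAYROLL,PUB"):
        print(card, "->", check_stream(card, clerk))
```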

------------------------------

Date: Wed, 12 Apr 89  16:59:41 CDT
From: "Alan Wexelblat" <WEX@dsg.csc.ti.com>
Subject: More on the Sun 386i security hole

Taken from Sun-nets again:

  Date: Wed, 12 Apr 89 15:48:28 -0400
  From: -David C. Kovar <daedalus!corwin@talcott.harvard.edu>
  Subject: Re: Security hole in 386i login 
  Reply-To: daedalus!kovar%husc4@talcott.harvard.edu

    Several phone calls to Sun later ... Someone at Sun claims that it is a
  "known security hole in 4.0.1 and will be patched in the next release due
  out at the end of May." I pointed out that it was more like a known security
  trapdoor feature and there wasn't much argument on the point.  [...]

  -David C. Kovar
	Technical Consultant			ARPA: kovar@husc4.harvard.edu
	Office of Information Technology	BITNET: corwin@harvarda.bitnet
	Harvard University			Ma Bell: 617-495-5947

------------------------------

End of RISKS-FORUM Digest 8.56
************************
-------