RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (03/21/89)
RISKS-LIST: RISKS-FORUM Digest Monday 20 March 1989 Volume 8 : Issue 41
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
20+ year, $100+ million Army software project (Jon Jacky)
Formal methods to be applied in Australian railroad switching (Jon Jacky)
Error in updating new specifications for call-routing (Pertti Jarvinen)
Risks of Registering Shareware (A. Lester Buck)
Risks of helpfulness (Jerome H Saltzer)
Remote Smart-Cards (Ian W Moor)
Re: so-called multi-gigabuck theft of information (Mark Brader)
Re: NASA to replace top-level personnel with Expert Systems (Robert English)
Meter Readers an Endangered Species? (David K. Black)
Security of Electronic Mail (Karl Lehenbauer)
Star Trek computer virus (Colin P.)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) /
get stripe:<risks>risks-i.j ... (OR TRY cd stripe:<risks> / get risks-i.j ...
Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99).
----------------------------------------------------------------------
Date: Fri, 17 Mar 89 17:15:06 PST
From: jon@june.cs.washington.edu (Jon Jacky)
Subject: 20+ year, $100+ million Army software project
In view of all the postings a while back about runaway software projects,
I found very interesting these excerpts from GOVERNMENT COMPUTER NEWS,
Feb. 20, 1989, p. 59:
ARMY TO CONVERT `CENTRAL NERVOUS SYSTEM' TO ADA by Karen D. Schwarz
The Army issued a request for information last month to convert its
All Source Analysis System (ASAS) to Ada code. ... ASAS is being
developed by the Joint Tactical Fusion Program Management Office (JTFPMO)
on behalf of the Army and the Air Force. It has been in development for more
than 10 years. ...
More than 800,000 lines of code have been written in FORTRAN 77 so far.
The project is expected to begin using Ada code in fiscal 1991. By that
time, more than 1 million lines of FORTRAN 77 code also will have been
written.
A document detailing JTFMPO's major programs refers to ASAS as the "central
nervous system" guiding field commanders in battle. ASAS is a key component
of the Army Command and Control System and will automate command and control
of intelligence/electronic warfare operations. ASAS will fuse raw battlefield
data into intelligence for analysis on a workstation. The services can then
distribute resulting information to battlefield commanders, fire support
elements and the Air Force to help control electronic warfare equipment. ...
The project is scheduled to be completed sometime after the year 2000.
Although he would not estimate the total costs of the program, deputy
for plans and integration at JTFPMO Bennet Hart said software costs alone
might exceed $100 million over the life of the contract. ...
The JTFPMO has received many replies to the request for information, Hart
said. "Response from industry has been very good. No one is conspicuous by
their absence."
The Jet Propulsion Laboratory (JPL) in Pasadena, Calif., currently holds a
contract for the first phase of the project.
- Jonathan Jacky, University of Washington
------------------------------
Date: 17 Mar 1989 16:49:02 EST
From: JON.JACKY@GAFFER.RAD.WASHINGTON.EDU
Subject: Formal methods to be applied in Australian railroad switching
Here are excerpts from ELECTRONICS ENGINEERING TIMES, Feb. 20 1989, p. 28:
High-integrity uP wins first big order: Railroad signals go-ahead for Viper
by Roger Woolnough
Worcester, England --- In the first significant order for the chip, the
Australian National Railways Commission has placed a contract for signaling
systems incorporating Viper to control two long-distance rail routes. ...
Viper is a 32-bit RISC device designed to overcome the shortcomings of
conventional microprocessors, which can be unreliable in safety-critical
applications because they can perform in unpredictable ways. The design
of Viper was undertaken using formal mathematical methods and was then
subjected to a series of formal proofs to ensure that the implementation
conforms to the design specification. ...
In Australia, the contract to develop and supply railroad signaling equipment
using Viper was won by Teknis Systems (Australia) Pty. Ltd. Support was
provided by Charter Technologies Ltd. (the British Viper specialist), and
the two companies believe that proposing Viper as the system processor was
a major factor in Teknis being chosen against strong competition.
The contract is to design and supply signaling for automatic crossing sections
on the Trans Australian and the Central Australian rail routes, operated
by the Australian National Railways Commission, a federal government statutory
authority. ...
The installations will include trackside equipment, systems on board trains,
radio links and a computer-controlled center in Adelaide. ...
Formal methods will be used throughout the development. ... Charter
Technologies is sponsoring a study by the Department of Engineering in the
University of Warwick, England, into the use of formal methods for railroad
signalling. ...
Railroad signalling systems around the world are based on concepts of
interlocking and routing which have developed over the past 150 years. The
first-class safety record of railroads is due to a large extent to the rigor of
the regulations.
The aim of the joint study by Charter Technologies and Warwick University is to
consider whether the well-established rules can be formulated in a mathematical
way, so as to suit the increasing use of computer-controlled interlocking and
routing. ... It will consider the application of the specification language
HOL developed at the University of Cambridge, England; programming in subsets
of computer languages such as Pascal; and the use of Viper. ...
- Jonathan Jacky, University of Washington
------------------------------
Date: Mon, 20 Mar 89 08:43:56 +0200
From: pj@utacs.uta.fi (Pertti J{rvinen) (from Pertti Jarvinen, Finland)
Subject: Error in updating new specifications for call-routing
The Finnish Post and Telepohone office was March 6 changing call-routing
specifications in one of three main computer-controlled switches at Helsinki,
the capital of Finland. Some of necessary changes was forgotten. To this end
traffic via the switch was broken for two hours. The error was located and
corrected in six hours. Domestic calls were turned to go via two correctly
functioning switches. But some international calls, for example, to Canada,
Portugal, Iran, Turkey and Cyprus were totally hindered.
As a remedy to prevent similar errors in the future systems analysts propose a
programmed checking for implementation of all the necessary changes.
------------------------------
Date: Wed, 8 Mar 89 03:38:55 EST
From: @sri-unix.UUCP, @rutgers, @texbell, buck%siswat@moray
Subject: Risks of Registering Shareware
I just sat through a user's group demo of a new shareware package called
BackMail, which is a background electronic mail package for MS-DOS. It is a
slick program with many fine features for supporting local and long-distance
mail networks. The authors were leery of the standard shareware registration
procedure. Quoting from the BackMail Newsletter:
"The problem was that the whole process of payment
was so cumbersome. If only there was a simple way to
communicate one's payment... Hold it! Communication is
just what BackMail was about. We had the first program
that could be used to _literally_ pay for itself!
And so TeleWare was born."
Yes, your copy of BackMail is registered by filling in a screen
with your credit card information and the program automatically
calls an 800 number to deliver the information. And most users
will register ($30), since BackMail asks you to register on every
fourth access of the program's main functions, and complains for
twenty seconds if you don't register.
The risks of this scheme for freely redistributable shareware are
obvious, from simply patching the stored 800 number to saving the
credit card information and making one "extra call" at the
program's convenience.
A. Lester Buck ...!texbell!moray!siswat!buck
------------------------------
Date: Mon, 20 Mar 89 11:03:05 gmt
From: Jerome H Saltzer <jhs%computer-lab.cambridge.ac.uk@NSS.Cs.Ucl.AC.UK>
Subject: Risks of helpfulness (RISKS-8.40)
> intrudesr got into AT&T systems by being talked through the sign-on
> procedures by AT&T help desks!
> Henry Spencer at U of Toronto Zoology
The specific incident may not have been mentioned in RISKS, but the general
technique is widely enough known that it is casually mentioned in the hacker
periodicals (such as the magazine "2600") when they run an article of tips for
beginners. If you are having trouble getting into someone's system, call up
their consulting office and act like you are authorized but encountering
unexpected trouble logging in; often someone there will give you just the clues
you need.
Jerry Saltzer
------------------------------
Date: Mon, 20 Mar 89 04:17:24 PST
From: iwm@doc.imperial.ac.uk
Subject: Remote Smart-Cards
Backround:
A bill to require all major football (Soccer) grounds in the UK to require
a valid machine readable membership card before admitting a spectator is
currently going through Parliament. The clubs will be given lists of people who
should not be admitted; the object is to stop violence in the grounds.
Several objections have been raised -
Civil Liberties:
People object to having to carry the cards, and to having football clubs
provided with information about them.
Practicalities:
The card readers, turnstiles, or the computer controlling them may fail,
leaving thousands of angry fans outside.
Last month New Scientist carried an item describing a proposed solution,
remotely readable and writeable smart-cards. (In this case the card has to be
writeable to prevent it being passed over the fence and used again.) The cards
are made by Plessey and the read/write range is quoted as about a meter;
power is taken from the signal.
Consider the risks: the card can be read (AND WRITTEN) without you knowing and
without your control. Obviously the card could check that it was being
interrogated by a legal reader using some kind of validation (public key
challenge and response?) but there will be a limit to how much processing
the card can do and as the reader has to broadcast to activate the card, it
may be very easy to record a dialog and spoof either the card or reader.
Ian W Moor, Department of Computing, Imperial College, 180 Queensgate,
London SW7 UK UUCP: uunet!mcvax!ukc!icdoc!iwm JANET: iwm@uk.ac.ic.doc
------------------------------
Date: Fri, 17 Mar 89 16:43:13 EST
From: Mark Brader <msb@sq.sq.com>
Subject: Re: so-called multi-gigabuck theft of information (RISKS-8.23 ff.)
> From msb Fri Feb 24 06:40:01 1989
> To: utzoo!attcan!uunet!csl.sri.com!risks
> Subject: Re: so-called multi-gigabuck theft of information
> Bcc: hcr!mike
There appeared in Risks 8.23 my summary of a newspaper item I'd noticed
about what was said to be a "theft" of highly valuable computer data.
A followup newspaper article, which I summarized in Risks 8.28, provided
a good deal more information and placed a much lower value on the data,
but while it identified the victim (HCR Corp., of Toronto), it did not
identify the "stolen" data.
So I was surprised to see Jeff Makey assert in 8.26, which I read after
submitting my second item, that what was taken was a copy of the UNIX source.
I emailed him and he replied in part:
> I heard it *somewhere* during the last few months (it seems like
> it was before Christmas, which is why I said it wasn't news).
Since the HCR case was much more recent, Jeff had to be talking about
a different one. In fact, with that hint I remember the one he had in
mind; the confusing thing is that it happened to also have occurred in
the same geographical area. (Toronto: Canadian computer crime capital?)
The earlier case hasn't been mentioned in Risks before. [???] What happened,
as I recall, was that someone bought a used computer at auction, found a copy
of the UNIX source on its disks, and claimed all rights (!) to use the source,
thus making the newspapers. AT&T of course disagreed, and I believe the case
dropped out of the news before it was resolved.
Someone I was chatting about this with conjectured that the $4 billion
(Canadian) valuation that appeared in the first newspaper article might
have resulted from a reporter also confusing the two cases and assuming
that because HCR has UNIX source then that must be the valuable thing in
question, and then taking the highest possible valuation. Such a speculation
would also explain why the second article suddenly started talking about
AT&T, which had not been mentioned in connection with the case. Simple
press speculation/sensationalism.
Of course, there's more than one way to value copyable things like computer
programs or data. It's correct to say that the UNIX source is worth kilo-
bucks because you can buy a copy for your own use for that much. It's also
correct to say that it's worth gigabucks, if that's how much money AT&T
earns from it over the lifespan of the system. In addition, one must
distinguish between theft and illegal copying. The former, I think, would
be better defined as involving loss to the owner of one or more copies of the
original. (Of course, the newspapers prefer to use the more dramatic word.)
Anyway, if ALL copies were stolen in this sense, then the value of the
loss to the owner suddenly becomes much greater.
Also since submitting to Risks the second newspaper article, I have spoken
to Mike Tilson, president of HCR, who was quoted in it. He confirmed
that the first article was "wildly inaccurate" and the second one was
substantially, though not entirely, correct. (He noted that Risks readers
ought to be aware of the risks of believing what they read in the paper...)
He also confirmed that HCR was not saying what was taken, only that they had
regained complete control of it.
So I think that wraps up this case as far as Risks is concerned.
Mark Brader utzoo!sq!msb msb@sq.com
------------------------------
Date: Mon, 20 Mar 89 11:19:06 pst
From: Robert English <renglish%hpda@hp-sde.sde.hp.com>
Subject: Re: NASA to replace top-level personnel with Expert Systems
An AI friend of mine told me recently that most expert systems have a
relatively short useful lifespan. It seems that if you assign a human
to operate the system, the human will soon stop using the ES, and do a
better, faster job without it. The ES makes an excellent training
system, however, and creating it does a good job of recording what the
job entails, information which is often lost when people change jobs.
--bob-- renglish%hpda@sde.hp.com
------------------------------
Date: Mon, 20 Mar 89 16:26:03 est
From: black%par1@cs.umass.edu
Subject: Meter Readers an Endangered Species?
The following appeared in the March 13 Wall Street Journal:
Human Meter Readers Step Toward Extinction
Meter readers' jobs are being threatened by technology.
Boston Gas Co. recently became the firsr utility in the country to commit
itself to installing a radio-based automated meter-reading system for all its
customers. It plans to install the AccuRead system, made by Enscan Inc. of
Minneapolis, in some 400,000 homes at a cost of over $20 million. The system
will eliminate most of the utility's 100 meter readers who make an average of
$28,000 a year.
The AccuRead system ... uses a cigarette-pack-sized radio receiver and
transmitter that is attached to the gas meter. The device counts the number of
times the dials spin. Once a month, a computer-equipped van cruises the
streets nearby and sends out a "wake-up" signal to the reader device, which
then transmits the gas consumption. the devices have 10-year batteries and a 32
year meantime between failures, Enscan says.
Boston Gas says the remote readings have a number of pluses. Homeowners don't
have to be in for readings; unlike humans, THE DEVICES DON'T MAKE MISTAKES, and
the information can be sent automatically from the van to the billing computer
without retyping.
Moreover, says a spokesman: " It will elimimate estimated bills which
are the biggest complaint we have...."
....no doubt the devices are as reliable as the average garage door opener.
David K. Black Umass Amherst
------------------------------
Date: 19 Mar 89 18:08:29 GMT
From: karl@sugar.hackercorp.com (Karl Lehenbauer)
Subject: Security of Electronic Mail
While "everybody knows" or should know that electronic mail is not secure in
that its contents can be read en route, the reason people generally trust
their email as being authentic is because it usually is; that is, there has
been very little email forgery hence it hasn't been much of a problem, thus
people tend to regard their email as being genuine. When it starts to become
a problem, people will stop trusting it, at least when it's important.
It seems that faking comments on a grant proposal would be prosecutable as
fraud.
As for security from interception, a DES encryption program that is free of
U.S. export controls (as it was written and distributed from outside the
country) was recently posted to one of the Usenet source groups. By using
this and something like uuencode (a common program on Usenet that reversibly
maps unprintable characters to printable ones) on one's text, one can keep
their mail private from the prying eyes of most individuals.
The security of one's electronic mail from decryption by the National
Security Agency is a different matter, and one that I hope is merely
academic to most RISKS readers. As to whether or not they can relatively
easily decrypt DES-encoded material, let me say that I would not expect
such a group to widely promote an encryption scheme that they were incapable
of breaking and that, from a national security standpoint, doing so would
not be such a good idea.
Within the Internet, it is my understanding that the steering committee has
endorsed the RSA encryption scheme for email. This addresses both the
privacy and forgery issues. I think we will see further movement toward
routine encryption of email, and it is high time that we do so.
Cellular phone data encryption is a relatively simple matter as well. I don't
think we'll see any movement in that area until the users demand it, and the
government isn't likely to push heavily for it, a few strong proponents of
personal privacy in the legislature nonwithstanding.
------------------------------
Date: Sun Mar 19 22:05:13 1989
From: microsoft!w-colinp@uunet.UU.NET
Subject: Star Trek computer virus
This (including threats to take over the ship) has already happened on
Star Trek: The Next Generation. Data was playing Sherlock Holmes in a
computer-generated simulacrum, but since he had memorised all existing
Holmes plots, the computer was asked to come up with a new one, involving
an enemy "capable of defeating Data." Because Data, unlike Holmes, lives
in the "real" world, this one-word slip produced an opponent also capable
of affecting the "real" world, which attempted to take over the ship.
It was portrayed more as a question of sentience (the conclusion was that
the created personality was stored until technically feasible to give it
corporeal existence), but we had a computer program, in this case
inadvertantly created (grave RISK indeed!), attempting to control the ship.
I suspect that treating the problem directly, the writres will massacre
the issues. But I may just be overly pessimistic.
-Colin (uunet!microsoft!w-colinp)
------------------------------
End of RISKS-FORUM Digest 8.41
************************
-------