RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (01/12/88)
RISKS-LIST: RISKS-FORUM Digest Monday, 11 January 1988 Volume 6 : Issue 7
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
You don't need a computer to have a technical RISK. (Joe Morris)
Leap second leaps seconds (Alan Wexelblat)
Plan to automate Federal tax collection system? (John Gilmore)
Creative quality control in missile systems? (Dave Curry)
Re: getting into ATM rooms (Eric Skinner)
Re: PCs die of New Year Cerebration (Scot E. Wilcoxon)
Computer asks you your SSI number as ID (Hank Roberts)
Computer Virus.... sources(!) (David HM Spector)
Reagan Signs Bill Governing Computer Data (Hugh Pritchard)
Indianapolis Air Force jet crash (Dave Curry)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
> > > > > > > > > PLEASE LIST SUBJECT in SUBJECT: LINE. < < < < < < < < <
For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).
----------------------------------------------------------------------
Date: Sat, 09 Jan 88 12:22:20 EST
From: Joe Morris (jcmorris@mitre.arpa) <jcmorris@mitre.arpa>
Organization: The MITRE Corp., Washington, D.C.
Subject: You don't need a computer to have a technical RISK. (Jackson Post-ing)
With the frequent (and valid) complaints about how the computer is fostering
an impersonal society, it was with some interest that I read an article in
the Washington Post last week in which the Post reported that Jesse Jackson's
campaign headquarters had sent him a telex message which suggested some
approaches which he could use in the upcoming primary campaigns.
The telex didn't go to Jackson; instead, it was delivered to the Washington
Post's telex machine. The Post, of course, printed excerpts from it in the
article. (There weren't any smoking pistols in the material.)
Jackson's campaign manager told the Post that it wasn't a staff error and
must have been the machine, since he (the manager) was the person who
operated the machine when the text was sent. The article didn't say just
how the machine could have been at fault.
Even if this turns out to be a case in which the operator dialed the wrong
number, it does illustrate the problem of systems in which the routing system
uses non-obvious addressing. An envelope addressed to "The Washington Post"
would have been easily seen as not appropriate for an internal political memo,
but an E-mail address of (202)-334-6100 isn't obviously an inappropriate one
unless you notice that 202 is not equal to 319 (D.C. vs. Iowa)... and that
assumes that you aren't using a computer-driven telex system in which you
might not see the conversion from a nickname to a phone number.
What feedback mechanisms are (should) there be to prevent this kind of
misdelivery for electronic mail? We've all seen the occasional red-faced
apologies on the net from sites which let test messages escape.
(I don't have the article in front of me, and may have some minor details
wrong, so no flames, please...) Joe Morris
------------------------------
Date: Wed, 6 Jan 88 15:39:46 CST
From: Alan Wexelblat <wex%SW.MCC.COM@MCC.COM>
Subject: Leap second leaps seconds
[Excerpted from the AP wire]
DETROIT - Michigan Bell Telephone Company took about 3 1/2 days to make up
one second. The company's computer-operated telephone time service wasn't
adjusted at [...] midnight New Year's Eve, Greenwich Mean Time to account
for the "leap second" between 1987 and 1988. The adjustment is needed to
synchronize the world's steadily running atomic clocks with the ever-slowing
rotation of the Earth. But people who set watches or synchronized
activities by Michigan Bell's time signal were one second off during the
weekend. We thought the change was automatically in the (computer's)
program. We manually added the second" Monday morning, said a Michigan Bell
spokeswoman.
--Alan Wexelblat UUCP: {harvard, gatech, pyramid, &c.}!sally!im4u!milano!wex
Information deteriorates upward through bureaucracies.
------------------------------
Date: Fri, 8 Jan 88 22:06:40 PST
From: hoptoad.UUCP!gnu@cgl.ucsf.edu (John Gilmore)
Subject: Plan to automate Federal tax collection system?
I found this in the CPA Client Bulletin, July 1987, copyright 1987 by the
American Institute of Certified Public Accountants, reproduced without
perdition.
Deposit Taxes by Phone: How Easy Can It Get?
Tax practitioners are warily watching the development of a government plan to
automate the federal tax deposit system. They're mostly in favor of getting
rid of glitches in the present system but worry that a new, computerized
method could cause added work and expense for very small businesses, some of
which would be unable to participate at all because of lack of sophistication
or even lack of such basic resources as a computer or touch telephone.
Under the present system, taxpayers remit payroll taxes, corporate taxes,
excise taxes and the like into Treasury accounts at authorized financial
depositories. Nearly 70 percent of all government revenues are received in
this manner.
Under the new system, a taxpayer might feed the information directly into one
of Uncle Sam's computers, which would debit the taxpayer's bank account
directly. This is another source of uneasiness among some tax practitioners
queried about preliminary plans for the new system -- IRS access to bank
accounts.
------------------------------
From: davy@intrepid.ecn.purdue.edu (Dave Curry)
Subject: Creative quality control in missile systems?
Date: Mon, 11 Jan 88 14:45:16 EST
From O'Malley & Gratteau INC. column, Chicago Tribune, Jan. 11, 1988:
Just in case you were gaining confidence in the U.S. Military: A barely
noticed July 31, 1987, report by the U.S. House Armed Services Committee on
the sale of military equipment to the Islamic Republic of Iran included this
passage: "As a result of other errors within the Army, the entire last
shipment of 500 missiles had a faulty battery that has caused a dangerous
fly-back problem." What's a fly-back? It means the rockets had a tendency
to dribble out of the tube, fall on the ground and then ignite. We presume
there was a no-return policy.
Dave Curry, Purdue University
[They returned all by themselves! PGN]
------------------------------
Date: Wed, 06 Jan 88 21:53:38 EST
From: Eric Skinner <ERS2F%UOTTAWA.BITNET@CUNYVM.CUNY.EDU>
Subject: Re: getting into ATM rooms
In RISKS 6.4, mar@ATHENA.MIT.EDU writes:
>Yesterday I tried an experiment, and discovered that my AT&T calling
>card, and even a rapid transit pass would open the door...
Even worse, many of these locks will open if you simply stick something
thick into them. One of those handy wallet-sized plastic calendars
does the trick on many doors.
It seems like the locks are there to inspire confidence instead of
actually protecting; perhaps the banks feel that decent locks are
too expensive?
Eric Skinner, University of Ottawa
------------------------------
From: umn-cs!datapg.MN.ORG!sewilco@cs-gw.D.UMN.EDU (Scot E. Wilcoxon)
Date: Mon, 11 Jan 88 0:50:45 CST
Subject: Re: PCs die of New Year Cerebration
I found more details about my previous report. At least some Stearns brand
PC compatibles fail at boot up in 1988. A message "bad or missing command
interpreter" is issued, perhaps due to something in the config.sys file.
A problem on Sun machines was mentioned here, and there are reports on USENET
of another PC compatible with problems due to 1988. Three unrelated
sensitivities to 1988 may seem like a lot, except there are now hundreds of
computer manufacturers able to cause errors. With specialty chips in wide use,
a date-sensitive error in millions of appliances is only a matter of time.
Scot E. Wilcoxon sewilco@DataPg.MN.ORG ihnp4!meccts!datapg!sewilco
Data Progress C and UNIX consulting +1 612-825-2607
------------------------------
From: well!hank@lll-crg.llnl.gov (Hank Roberts)
Subject: computer asks you your SSI number as ID (Wang ad)
Date: 7 Jan 88 22:43:20 GMT
From the 1-6-88 Wall Street Journal, ad on page 8:
"Employee Pension fund. A guy wants to check his pension. What he's got.
What he can borrow against. How his fund's performing. Calls the State office
A Wang VS computer answers. Speaks. Asks for social security number. Dials
it in. It leads him through a menu...status, equity, performance or human
interface...you know...a real person. They handle a thousand calls a day."
-- one hopes the machine can do voice recognition ....
------------------------------
Date: Sun, 10 Jan 88 22:27:46 EST
From: David HM Spector <spector@vx2.GBA.NYU.EDU>
Subject: Computer Virus.... sources(!)
Just when you thought its was safe to play with computers...
With all of the traffic in Risks digest dealing with Computer Viruses,
letter bombs et al, I though I'd pass this one on. A programmer in West
Germany has posted to Compu$erve the _source_ to a simple virus that will
run on a Macintosh computer.
I normally wouldn't even dare to mention that such a thing exists in a
"public" forum, but it's on Compuserve, so it might as well be painted on
walls coast to coast.
The author insists that it's is a very simple virus, easily defeated,
(which it is, having looked at and understood the sources), and is posted for
educational uses with the intent of making people aware that such things exist
and to inspire them to write defenses against them.
In terms of a program, it's very small, a few pages of Pascal, and maybe
50 lines of assembly code. The installation code has a bunch of flags to
control whether or not the virus replicates, whether it gets installed into
the current running application, or just the system software, etc, etc.
The actual virus is a small piece of code disguised as a resource that
inserts itself in a system trap handler...it's alarmingly straight forward.
The author goes on to mention, in the documentation, that this virus was
inspired by a number of viruses he has encountered that did damage to his
systems, so he wrote a virus that won't let "unknown" programs run on any of
his company's machines. (i.e., if the program(s) to be run aren't already
infected with HIS virus, they won't be allowed to run at all.)
This is the first time I have ever seen sources to something like this, and it
scares me a lot. If this code is any indication, viruses in general are a snap
to write -- an could be placed _anywhere_; even in innocent looking HyperCard
Stacks (Apple's HyperText software...) that thousands of people and User's
Groups download and give out all over the place (and most Mac users aren't
computer professionals -- they'll never know what hit'em).
[Come to think of it, this is right out of the story _True Names_ by
Vernor Vinge...]
Now, let's see, first thing is to unplug my MacintoshII's modem, then...
David HM Spector New York University
Senior Systems Programmer Graduate School of Business
Arpa: SPECTOR@GBA.NYU.EDU Academic Computing Center
UUCP:...!{allegra,rocky,harvard}!cmcl2!spector 90 Trinity Place, Rm C-4
MCIMail: DSpector/Compu$erve: 71260,1410 New York, New York 10006
[There are 10 more messages on viruses pending, but with
considerable overlap. I'll get to them soon! PGN]
------------------------------
Date: Sat, 9 Jan 88 14:08 EST
From: <PRITCHAR%CUA.BITNET@CUNYVM.CUNY.EDU> (Hugh Pritchard)
Subject: Reagan Signs Bill Governing Computer Data
[Repeated without permission from the business section of
_The_Washington_Post_ of Saturday, Jan 9, 1988]
[headlined] Reagan Signs Bill Governing Computer Data
President Reagan yesterday signed a bill intended to tighten security of
computer systems that store nonclassified data such as census, tax and
business records. The National Bureau of Standards is to develop programs to
protect the machines from being illegally tapped by outsiders.
The law overrides a national security directive that Reagan issued in 1984
giving the Pentagon's National Security Agency responsibility for safe-
guarding the data. Later, the White House created a new classification of
data for protection -- "sensitive but unclassified."
The measures led to criticism in Congress that the government was tightening
the flow of information and expanding military authority. The new law places
responsibility for civilian computer security in civilian hands, but provides
for the NSA to give technical advice to the bureau. The law also specifies
that nothing in it will be used to restrict disclosures under the Freedom of
Information Act.
[end of article]
/Hugh Pritchard, Systems Programming PRITCHARD@CUA.BITNET
The Catholic University of America Computer Center (202) 635-5373
Washington, DC 20064 USA
Disclaimer: My views aren't necessarily those of the Pope.
[Sounds like HR 145, but none of the articles said so! PGN]
------------------------------
From: davy@intrepid.ecn.purdue.edu (Dave Curry)
Subject: Indianapolis Air Force jet crash
Date: Sat, 09 Jan 88 23:08:46 EST
From The Lafayette (Indiana) Journal & Courier, Jan. 9th, 1988.
INDIANAPOLIS - A failed gearbox was blamed Friday for causing the engine to
fail in the Air Force fighter jet that crashed Oct. 29 into a hotel, killing
10 people, a published report said.
The military jet, piloted by Maj. Bruce L. Teagarden, lost its ignition
and air-fuel mixture systems when a gearbox part failed, _The Indianapolis
Star_ reported in today's editions, quoting an unreleased Air Force report
due to be released next week.
--Dave Curry, Purdue University
------------------------------
End of RISKS-FORUM Digest
************************
-------