The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 1 Issue 28

Sunday, 8 Dec 1985


oViruses and Worms
Mark S. Day
Aaron M. Ellison
Ted Lee
Dave Parnas
o Electromagnetic Interference
Chuq Von Rospach
o Crackers
Peter Reiher
Matt Bishop
Dave Dyer

Viruses and Worms

Mon 9 Dec 85 14:57:40-EST

Hysterical panic about viruses in programs is at least as annoying as
the more common complacent stupor about risks from computers.  The
author of RISKS-1.27 seems to be dead set on Software Apocalypse Now.
We swing from viruses in software to unencrypted data links on bank
machines to teen-aged kids cracking systems.  Also, the usual screams
of "mad genius hackers playing sick games" can be heard... sigh,
programmers are so misunderstood...

The discussion about viruses is actually sort of interesting, the
others fall into the category of "there are fixes which have a certain
cost; you have to decide whether it's worthwhile."  Encryption and
tighter security systems raise the cost of the system and also raise
the cost of breaking the system.  The question is, for the data and
functions being provided, what is an appropriate level of protection?  
I'm not going to panic because many bicycles have cheap locks or no locks;
some bikes aren't worth stealing, and in some areas there's relatively little
theft of bicycles.  If I have data worth protecting, I should be prepared to
protect it.  I will agree that far too few people are aware of the hazards
or of what they can do to protect themselves, but that is far from saying 
that I want to pay for security I don't need.

On viruses, etc.: it is certainly the case that you only want software
which is written by people you trust (and ENTIRELY by people you trust
-- see Ken Thompson's Turing Award Lecture for a further discussion of
this).  But is that different from needing to have bookkeepers
and treasurers that you trust in order to avoid embezzlement?  If
bankers and national security types don't take steps to ensure that
they have good software, then they certainly have a problem, but not a
hopeless one.  There have been previous proposals to have independent
"software certification agencies" to ensure software quality, but I
don't know if they would really be able to solve this problem.

The "solitary programmer" mentality is at least partly to blame for
things like "unauthorized worms" — if people expect to have their
code read by others, who may question the reasons for doing certain
things, it becomes enormously harder to conceal unauthorized features
(unless the programmer can convince the inspector(s) to join in a
conspiracy).  I am still surprised at how many companies do not ask
programmers to read each other's code.  Quite apart from security
worries, having inspections or walkthroughs seems to sharply improve
maintainability and finds a number of bugs and design flaws.

I have little or no sympathy for people who illegally copy a program
and then find one day that it's trashed their data.  Serves 'em right.


P.S. The term "worm" was not coined in a Scientific American column.  I
believe John Brunner used it in his novel The Shockwave Rider and 
Shoch and Hupp picked up the term for a paper in Communications of the ACM.
It may have been used earlier than that; I don't know.

viruses, worms and history

Mon, 09 Dec 85 08:56:27 EST
Regarding Neal Macklin's "expose" of virus technology, I would only
add that the idea is not at all new. John Brunner, a well-known
speculative fiction writer, wrote a novel called "Shockwave Rider"
over 10 years ago(!) predicting the blackmailing of a then corrupt
U.S. government by a morally-upright computer hacker. Although I share
Neal's concerns, I am not at all convinced (even as a credit-card and
ATM-card-carrying young and aspiring academic) that under certain
circumstances, the collapse of the fractional reserve system, the
banking system, and the credit markets would be an awful event. Sure
there would be chaos, but who knows what could arise from the rubble.
...I would add that reading Shockwave Rider when I was in high school
prompted me to learn about computers, and although I have not the
competence to develop tapeworms and viruses, if it's just now getting
out to the "hacker world" that viruses exist, you can bet that the
NSA may already have developed one (pardon the paranoia).

Aaron Ellison
Graduate Program in Ecology & Evolutionary Biology
Brown University
Providence, Rhode Island 02912

[The Worm Turns in His Gravy?]

Sat, 7 Dec 85 22:25 EST
To:  Neumann@SRI-CSL.ARPA [adapted for RISKS]

I suppose it would be nice to tell the original author of the long issue
about viruses, etc., that there ARE technical solutions, although not
necessarily within his lifetime if he's using IBM systems, which most
financial institutions do ...  Ted Lee

Re: RISKS-1.27

Dave Parnas <vax-populi! >
Mon, 9 Dec 85 07:23:03 pst
Cc: nrl-css!neumann@SRI-CSL.ARPA

    Risks is supposed to be a digest.  The huge article that just
ate up my time like worm could have been digested and the summary
put in a few lines.  Worms have their place.  Eating up stories
like that one is one of their good uses.  Worms digest waste.

Dave          [and I got THREE copies of Dave's message.  Oh, well.  PGN]

Electromagnetic Interference

Chuq Von Rospach <sun!plaid! >
Thu, 5 Dec 85 08:29:09 pst
I was listening to a radio station the other day whose studio is on the San
Francisco Bay. In the early afternoon, the station started getting a
re-occuring noise over the air that sounded vaguely like a burp, which
distracted the DJ no end. It turned out after investigation by their
engineers that it was being caused by a Navy Aircraft Carrier that had just
entered the bay on the way to Alameda. Every time the radar pointed at the
studio, it caused the stations electronics to go bonkers (that's a powerful
radar...). I wonder what other electronics those things would interfere


      [Perhaps the squawks were emitted by a carrier pitch-in?  PGN]


Peter Reiher <reiher@LOCUS.UCLA.EDU>
Wed, 4 Dec 85 22:30:33 PST
I imagine you will have numerous postings making the following point, but,
if you don't, someone should say it.  

> Thomas Cox writes:

>1. no password-protected system is EVER likely to be broken into by so-called
>     hackers.  They can sit and guess, just like they can try and guess the 
>     combination to my bike lock.  I'm not worried about it.

This all depends on how loosely you define "stealing a password".  Does
a person who hangs around your printer room, picking up loose header
sheets with people's account names and real-world names on them stealing 
passwords?  Someone who does so can break into many systems, as many people
will choose passwords equal to their login ids or first or last names.
If the person communicated with people via email at your site, or was able
to guess what their login id is (not a hard job in many places), then the
same vulnerability exists.  The problem is exacerbated if the cracker can get
access to a list of your users.  On most UNIX systems, once he is in at all,
this is trivial.

     [Not to mention the fact that passwords are usually transmitted 
      unencrypted within local nets and externally as well...  PGN]

In fact, barring fairly stringent rules on password choices, and/or physical
security preventing intruders from accessing terminals (and, possibly,
modem features to discourage brute force guessing), most computer systems
can be broken into once a few user ids are known, provided the cracker has
the modicum of expertise and equipment necessary to write a program to
test all dictionary words against the user ids' passwords.   The recent
Bell Systems Technical Journal issue on UNIX had a discouraging article
on how easy it is to break into the majority of UNIX systems, given a list
of user ids, testing only twenty or forty possible passwords per user id.

Perhaps you don't consider a lax password system a password system at all,
but, barring that, your statement is demonstrably false.
                    Peter Reiher

       [Unfortunately, discussions of the risks of relying on passwords
        need to held over and over again.  If you have not thought deeply
        or been burned, it is too easy to be naive.  The sophisticated
        crackers — as opposed to the simplistic ones — find very few
        boundaries they cannot get through (or go around).  PGN]

Re: Hackers (aka "Head in the Sand")

Matt Bishop <mab@riacs.ARPA>
5 Dec 1985 0959-PST (Thursday)
   I think Thomas Cox's article ("Hackers", Risks V1N26) is optimistic
in the extreme:

> 1. no password-protected system is EVER likely to be broken into by so-called
>      hackers.  They can sit and guess, just like they can try and guess the 
>      combination to my bike lock.  I'm not worried about it.

Sorry, but I am.  When you say "password-protected", I interpret that
to mean the user setting his or her password to anything other than the
site/manufacturer default.  Turns out a lot of people set it to their
name, login, spouse's name, etc.  (See Morris and Thompson, "Password
Security: A Case History", CACM 22(11), pp.594-597 (Nov. 1979) for more
information about this claim.)  If you know anything about the system
you're attacking, such as whose account you're trying to get into,
this makes the account rather a sitting duck.  So I'd disagree with
your statement above.
   Of course, if you mean something else by "password-protected", could
you be more explicit?  My opinion could very well be inapplicable ...
   (Incidentally, bear in mind the "bike" is worth maybe a half million,
considering the information stored on it, so if you just trust the
"lock", and don't take off a wheel, you're inviting trouble ...)


Hackers' guessing passwords

8 Dec 1985 14:21:50 PST
From: Dave Dyer       <DDYER@USC-ISIB.ARPA>
To: risks@SRI-CSL.ARPA

In Response to Thomas Cox in Risks 1.26:
  "1. no password-protected system is EVER likely to be broken into by 
     so-called hackers.  They can sit and guess, just like they can try 
     and guess the combination to my bike lock.  I'm not worried about it."

This is patently untrue.   I have personally guessed passwords on
several occasions;  It isn't even hard unless you want some particular 
password.   One of the recent, widely publicised "hacker" cases
involved exactly what you say is impossible;  the perpetrator
was merely making a sport of guessing passwords, and changing them
as a warning to the account owner.  In addition to guessing,
there are multitudes of ruses to obtain passwords, some technical,
but many simply exploiting human weaknesses.    

It is certainly true that "unguessable" passwords exist, but any 
enforced mechanism for assuring unguessable passwords will also
be regarded as "unrememberable", and therefore more vulnerable
to non-guessing methods.

Hackers, Crackers, and Snackers

Peter G. Neumann <Neumann@SRI-CSL.ARPA>
Mon 9 Dec 85 15:52:42-PST

I received an anonymous phone call this morning from someone who felt
inspired by the last two issues of RISKS to relate some experiences he/she
had had while working for the Texas Commerce bank.  Apparently the computer
maintenance staff had fun with the wire-transfer programs, using passwords
that had been taped under a desk.  They would randomly transfer various
amounts ($100,000 was mentioned as typical) from one account to anothe, just
for kicks.  They were astounded that no one every caught on, and the
passwords were never changed.  When I asked whether all such transactions
had been reversed, the answer was probably yes.

Please report problems with the web pages to the maintainer