The RISKS Digest
Volume 12 Issue 2

Tuesday, 2nd July 1991

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Insecure Superman leads to Superbill
Paul Leyland
Too Many Computer Systems Hurt War on Drugs, study says
PGN
Colombian Constitution Erased
Brian Snow
More phone disruptions
Fernando Pereira
Bell Atlantic 26 June Failure
Robert McClenon
Re: The Risks of Undelete and the Law
Al Donaldson
Searching the RISKS archives via WAIS
Ephraim Vishniac
"On the Danger of Simple Answers"
elnitsky via Rob Slade
Videotape of the pilot discussing the crash of UAL 232
Mary Shafer
Risk of posting to RISKS
Jerry Hollombe
Info on RISKS (comp.risks)

Insecure Superman leads to Superbill.

Paul Leyland <pcl@convex.oxford.ac.uk>
Mon, 1 Jul 91 14:18:30 +0100
Victim of computer hackers fights BT over \pounds 8,000 bill
_The Times_ (London), 1 July 1991

A director of video films is embroiled in a dispute with British Telecom over
an \pounds 8,000 bill after becoming a victim of hackers — people who steal
computer passwords to break into international data bases and use services
illegally.

George Snow says the bill will ruin him.  Experts say the case highlights
increasing concern over one of Britain's most under-reported crimes.  For
several years, Mr Snow has kept abreast of developments in 3-D computer
graphics by using access to an American information service called Compuserve.
To cut costs, he became a customer of BT's Dial Plus service, which allows
customers to connect their office or home computers to international data bases
for the price of a local rather than an international call.

Mr Snow, who has directed programmes for Channel 4 and the Arts Council, and
whose pop video credits include Howard Jones, had found the service useful and
inexpensive until recently.  "My quarterly bill would be around \pounds 30,"
said the director whose company, WKBC TV, is based in west London.  Mr Snow,
aged 42, now faces a big unscheduled bill for calls he never made.  It appears
that hackers illegally obtained Mr Snow's password and BT agrees.  The dispute
is about who pays the \pounds 5,500 and \pounds 2,500 bills which have been
run-up in recent months.

BT says that Mr Snow chose a password that hackers could easily borrow [sic].
He says that the company has a responsibility to ensure its networks are
secure.  "To clock up \pounds 8,000 worth of bills you have to be talking about
someone using the service 24 hours-a-day day in day out," he said.

To break into a data base, hackers will generally first try obvious passwords
such as Christian names.  They also use programmes that run randomly through
words in a dictionary until one opens a data base.

Customers with Dial Plus have to sign a disclaimer stating that they will not
use obvious passwords otherwise they might be liable for hackers' bills.  A BT
spokesman admitted, however, that Mr Snow had joined the service before the
agreement came into force.

Mr Snow also says that it was BT which approved Superman, the password stolen
by the hackers.  The company says that Mr Snow was warned that his account was
running up huge bills in early February but that it was sometime later that the
password was changed.  Mr Snow says that it was changed within days and that by
the time BT contacted him the damage had been done with most of the bill having
been run up.

He believes that he, and possibly others, are being forced to pay the price for
the company's poor security and has called in the Computer Crime Unit at
Scotland Yard to investigate.

David Frost, a computer security expert with accountants Price Waterhouse, said
yesterday that the amount of hacking taking place in Britain was being
seriously undeerplayed by companies.

BT rejects suggestions that it is cavalier with security.  A spokesman said the
company would write to Mr Snow this week.  He says that he willfight BT in
court if it prosecutes him.  "\pounds 8,000 is about 10 per cent of my
turnover," he said.

  [I have a few comments, based solely on the report as printed.  I do not know
  what truly happened. I draw attention to the BT's apparent attitude to
  password security.  They used the term "borrow", rather than "steal" or "use
  illegally".  They vetted the password, implying that Mr Snow was asked to
  reveal his password rather than keep it secret.  Even so, they gave the OK to
  a password which is of dubious security.  It is generally agreed that proper
  names, dictionary words, literay characters and the like are easily guessed.

  More generally, it is interesting how British newspapers, and _The Times_ in
  particular, are beginning to take an informed interest in he subject of
  computer security and, indeed, in computer-related risks in general.  Apart
  from some quaint terminology ("programmes", "data bases") they seem
  reasonably competent at understanding the issues and reporting them clearly
  to a non-expert audience.

  Paul Leyland, pcl@convex.oxford.ac.uk  ]


Too Many Computer Systems Hurt War on Drugs, study says

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 2 Jul 91 20:08:30 PDT
The 2 Jul 91 Washington Post noted that the government's war on drugs is being
seriously impeded by having to rely on more than 100 different computer
systems, according to a report of the General Accounting Office.  Many of the
computers cannot communicate.  Also, "the government has no measures for
ensuring that its information is correct and that its systems are protected
from outsiders."


Columbian Constitution 'lost' due to lack of data backup procedures.

<BSnow@DOCKMASTER.NCSC.MIL>
Sun, 30 Jun 91 10:19 EDT
Excerpted from The Washington Post, 30 Jun 1991, p.A23:

Computer Glitch 'Kills' Constitution;
Columbian Charter Appears in Jeopardy
by Douglas Farah, Special to The Washington Post

   BOGOTA, Columbia, June 29 — The approval of Colombia's new constitution,
which modernizes the nation's judicial, political and economic structures, is
in jeopardy because a computer apparently ate the text. ...
   The committee writing the final version was to turn over the text for final
voting Wednesday.  However, a technician storing the material in a computer,
borrowed from the office of the presidency, erased or lost the final document
-- after many of the papers with the drafts of the articles had been thrown
away. ...  "We literally have people going through trash cans looking for
scraps of paper," said one source close to the process.  "We do not know how
this was allowed to happen, and we have lost an almost vital three days. We
cannot debate or vote on a text we do not have in front of us." ...
   While there are different versions of how the computer foul-up occurred,
sources said a member of the codification committee refused to allow
technicians from the office of the president to have access to the computer,
fearing that some of the material could be pirated or changed.  Instead, he had
a nephew hired to do the computer work.
   It turned out that the nephew had only taken a one-year correspondence
course in computer programming. ...

    [Also noted by Les Earnest, and by "Raleigh F. Romine"
    <romine@cise.nsf.gov>, who added
       "It has all the traditional ingredients — no backups, inexperienced
        operators, etc.  The final quote is the best part."   ]


More phone disruptions

Fernando Pereira <pereira@klee.research.att.com>
Tue, 2 Jul 91 11:17:25 EDT
Associated Press writer Jim Stader reports today (July 2nd) on another
software-induced disruption of phone service affecting over 1 millon customers
(area code 412 around Pittsburgh) of Pennsylvania Bell for over 6 hours. The
problem was probably caused by the same recently installed signalling software
that is under suspicion for earlier disruptions in the Washington DC and Los
Angeles areas.  The bug has not yet been identified, and the possibilities of a
virus or other sabotage have not been ruled out. Pennsylvania Bell's president
stated that the triggering event might have been different in the various
disruptions, but that once the problem is triggered, the symptoms are very
similar. In all cases, lines carrying signaling between switches became jammed.

  [A subsequent revised version of the AP story summarized above reports
  on speculation that the cause of the phone disruptions may be sabotage
  originating in the Middle East. The alleged reason for this is the claim
  that in most cases the network failures followed the appearance of
  animated hieroglyphics on operators's terminals.]

Fernando Pereira, 2D-447, AT&T Bell Laboratories
600 Mountain Ave, Murray Hill, NJ 07974    pereira@research.att.com

   [The San Francisco Chronicle front page this morning recorded the
   Pennsylvania problems, and also noted similar problems in San Francisco,
   although only for five minutes.  It quoted Don Burns, a Bell Atlantic
   VP: "The fact that we've had, in the short period of a month, several
   outages causes us to believe that something has been introduced" into
   the systems.  The complexity of highly distributed systems continues to
   confront us.  PGN]


Bell Atlantic 26 June Failure

Robert McClenon <76476.337@compuserve.com>
01 Jul 91 22:53:08 EDT
     In my opinion, the spreading of the failure of the telephone system on
Wednesday (26 June) from Baltimore to Washington and Northern Virginia was an
example of a risk of a high degree of connectedness in a network.  In
particular, connectedness increases the vulnerability to spreading failures,
unless special provisions are made to limit that spread.  I think a similar
lesson was exhibited (but perhaps not learned) by the failure of the electrical
grid connecting the Northeast in 1965 resulting in the New York blackout.

     It eventually was necessary to C&P (a subsidiary of Bell Atlantic) to
break the links between the four SS7 computers and take each of them down and
bring them up separately.

     The Washington Post says:

>    Bell Atlantic said yesterday that it had probably worsened the scope
>of the failure inadvertently because it had recently linked all four of
>the traffic cop computers [Signaling System 7 computers] temporarily...

     In other words, connecting the four computers was a two-edged sword, and
it cut the wrong way on 26 June 1991.  Also, there had obviously been
inadequate testing of the software.  Something as large as a telephone
switching system is not easy to test adequately, and requires a high level of
thoroughness in planning the tests.
                                                Robert McClenon


Re: The Risks of Undelete and the Law (Dippold, RISKS-12.01)

Al Donaldson <al@escom.com>
Tue, 2 Jul 91 11:33:14 EDT
In RISKS-12.01, Ron Dippold writes about a case in which a murderer
used a computer to plan his crime, and then claimed that when he "deleted"
his files he had an "expectation of privacy" regarding the data:

>The court soundly, and IMO correctly, rejected this claim, analogizing the
>retrieval of the deleted file data (by an FBI agent who was a computer expert)
>to deciphering a coded message in a diary, after the diary was obtained under a
>valid subpoena.

I agree that the information was properly used in the trial, but I think
the analogy given was incorrect or incomplete.  While most people think
of computers simply as electronic filing cabinets, there are some weak
analogies between writing messages to disk and coding data in a diary
(e.g., use of ASCII, way in which bits are written to media).  I suspect
that these analogies were not appreciated by the court.  Instead, they seem
to have concluded that "deleting" a file is analogous to encrypting it.

File deletion (actually, removing links to the data) is more analogous
to shredding or burning the diary, or tearing out pages and throwing them
in the trash (imagine an Apple wastebasket icon.. :-)  The defendant did
have an expectation of privacy based on his (lack of) knowledge of how
file deletion worked, just as someone who sets fire to a stack of papers
may expect them to burn completely all the way through and obliterate all
of the data written on them.  But in the case of burned papers, it may
still be possible to carefully peel them apart and read some information.
If you really want to obliterate the *data*, you burn the paper completely
and then grind the charred paper to small pieces of ash.  Similarly,
if you want to remove *data* from a disk, you overwrite it.  If it is
really important, like national secrets or murder evidence, then you
hacksaw the disk platters into little bitty pieces and throw them into
the Potomac.  Ask Ollie North.

I agree they should fry Mr. Copenhefer, but I don't like the justification.
This will probably establish precedence in future trials, further removing
legal practice from physical reality.  Wouldn't it have been nice if the
court had simply decided to use "un-deleted" data, without any half-baked
analogies?

Al

Incidentally, I seem to remember a similar case in Northern Virginia
recently in which a Marine was accused of murdering his wife (also a
Marine, who disappeared and whose body has not been found).  As I
remember, investigators found plans on how to carry out a murder and
hide the body on a disk belonging to the suspect.  His explanation,
supported by his mother, was that he was working on a book, a murder
mystery, and he has no idea where his wife is.  Murder, he wrote?


Searching the RISKS archives via WAIS (Wollman, RISKS-11.95)

Ephraim Vishniac <ephraim@Think.COM>
Mon, 1 Jul 91 10:55:48 EDT
I'm the database maintainer, and I just want to add a few notes.

1. The public WAIS server is down right now. With last week's record heat and
some inadequate air-conditioning here, we temporarily killed cmns-vax. It's
possible that it will be up sometime tomorrow (July 2nd) after moving to a new
machine room, but it might be another day or two.

2. The database is automatically updated. (I should fix the source
description.) Issues arriving during the night are saved until we start up in
the morning; issues arriving while the system is up are added within ten
minutes.

3. A variety of user interfaces for the WAIS system are available by anonymous
ftp from think.com, in /public/wais. There's a Macintosh interface in
WAIStation-0-62.sit.hqx, and there are gnu emacs and X-Windows interfaces in
wais-8-b1.tar.Z. The latter package also includes code for setting up your own
servers using whatever Unix host you've got handy. (The public WAIS server uses
a Connection Machine.  Code for that server is not generally available.)

4. The public WAIS server contains a variety of other databases, including the
info-mac digest, Sun-Spots digest, Sun Managers mailing list, King James
Version of the Bible, National Institutes of Health Guide to Grants and
Programs, and the CIA World Factbook 1990.

Ephraim Vishniac    ephraim@think.com   ThinkingCorp@applelink.apple.com
 Thinking Machines Corporation / 245 First Street / Cambridge, MA 02142


"On the Danger of Simple Answers"

Rob Slade <p1@arkham.wimsey.bc.ca>
Mon, 01 Jul 91 20:26:12 PDT
The following was posted on rec.humor.funny.  On the one hand, it shows an
apalling naivete.  On the other hand, that isn't funny at all:

  From: elnitsky@math.lsa.umich.edu
  Subject: global warming
  Date: 30 Jun 91 23:30:04 GMT

   "... Perhaps of even greater significance is the continuous and profound
distrust of science and technology that the environmental movement displays.
The environmental movement maintains that science and technology cannot be
relied upon to build a safe atomic power plant, to produce a pesticide that is
safe, or even bake a loaf of bread that is safe, if that loaf of bread contains
chemical preservatives.  When it comes to global warming, however, it turns out
that there is one area in which the environmental movement displays the most
breathtaking confidence in the reliability of science and technology, an area
in which, until recently, no one — even the staunchest supporters of science
and technology — had ever thought to assert very much confidence at all. The
one thing, the environmental movement holds, that science and technology can do
so well that we are entitled to have unlimited confidence in them, is FORECAST
THE WEATHER! — for the next one hundred years..."

            George Reisman, "The Toxicity of Environmentalism"

This kind of thinking is, unfortunately, all too common, even in the scientific
community.  If I disagree with it, it must be wrong.  If it supports what I
believe, it must be right.

True "critical" thinking: that facility which allows us to discriminate between
correct and incorrect information and points of view, is too often lacking in
our society and world.  In additon, all too few people have taken the time to
acquire the technical knowledge which allows one to judge scientific
pronouncements.

(My subject line is the title of the editorial for the Journal of the American
Scientific Affiliation special issue on nuclear power some years back.)

Robert_Slade@mtsg.sfu.ca Vancouver Institute for Research into User Security
              Canada V7K 2G6


Videotape of the pilot discussing the crash of UAL 232

Mary Shafer <shafer@skipper.dfrf.nasa.gov>
Mon, 1 Jul 91 14:01:06 PDT
I wrote:
>There's been a lot of discussion of the safety of fly-by-wire aircraft, so
>here's the discussion of an accident that very possibly would have been
>prevented were the DC-10 fly-by-wire rather than hydraulic.

And Robert Dorsett comments:

   As I'm sure Mary realizes, FBW does not alleviate the necessity for
   multiple- redundant hydraulics, and all the plumbing that comes
   with them.  As currently implemented on most aircraft, it simply
   replaces the means by which the *hydraulic* actuators are operated.
   Instead of cables, there are electrical wires.  These leads to one
   or more computers, which in turn process command inputs from the
   pilot, leading to the possibility of unconventional control laws.
   Most of the controversy of FBW occurs at this stage.  The severity
   of the failure involved would have happened whether the DC-10 were
   FBW or not.

No, Robert, it wouldn't have.  The loss of two of the hydraulic systems was
caused by shrapnel damage to the hydraulic lines.  Had this not happened, the
airplane would have flown along with two working hydraulic systems and have
done just fine.  However, the design of the conventional hydraulic system
dictates hydraulic runs that were vulnerable to the precise damage caused by
this accident.

DC-10s don't use cables, they use nonreversible hydraulic systems.  I don't
believe that any airliner since the DC-4 or so has had cables.

This has nothing to do with the control laws, nothing to do with redundancy,
nothing to do with unconventional systems, it has everything to do with the
physical vulnerability of the hydraulic lines and the fact that the wiring is
better armored and less vulnerable to shrapnel damage and that other hydraulic
runs are better protected from this particular damage.

This is, of course, why battle damage resistance is an important benefit of
fly-by-wire and why the military is so fond of it.  I worked on the Survivable
Flight Conditions Systems F-4 Phantom in the early to mid-70s.  The Air Force
wasn't interested in fancy control systems or lighter weight, they were
interested in surviving battle damage.  That's the easiest payoff to FBW.

   Now, in rebuttal, I'm sure Mary'd point out that the FBW issue
   would only enter in the form of *control* issues subsequent to the
   accident, introducing unconventional control laws to effectively
   duplicate (or improve upon) the differential thrust technique
   Haynes used.  And she has a point.  But there's always the question
   of whether the complexity and cost of such software will ever
   justify its usefulness in the "1:1e-9" catastrophic control failure
   case.  In safety management, there is a point of negative return.

Nope, I wouldn't point this out because it never even occurred to me
until you mentioned it.  My only thought was shrapnel damage.

I think you're quite correct about some sort of thrust-only flight path control
system.  There've only been a very few accidents that resulted in total
hydraulic loss with an otherwise flyable airplane.  (Two pressure vessel
failures--Paris in a DC-10, Japan in a 747--and this one for airliners, the
birdstrike to the B-1B out of Dyess.)  It doesn't seem to me that there's any
reason to develop a system to deal with such a remote possibility.  Sometimes
you just go ahead and accept the risk, when it's an extremely small risk.  Life
isn't completely risk-free.

   Perhaps a more salient observation would have been: this accident
   would not have happened if there was full manual reversion on the
   DC-10, ala the Boeing 707? :-)

This accident wouldn't have happened if the airplane had completely armored
hydraulic lines.  It happened to a DC-10, it happened to a B-1B, but it's
easier to prevent in a fly-by-wire aircraft because you have safer hydraulic
runs available and because fly-by-wire wires are more easily armored.

Mary Shafer  shafer@skipper.dfrf.nasa.gov  ames!skipper.dfrf.nasa.gov!shafer
           NASA Ames Dryden Flight Research Facility, Edwards, CA


Risk of posting to RISKS

The Polymath <hollombe@ttidcb.tti.com>
Tue, 2 Jul 91 16:33:19 -0700
Some years ago, as an apprentice programmer, I learned to craft even my
personal, quick-and-dirty utility programs carefully and thoughtfully.  The
lesson was first driven home as I stood by and watched in horror while one of
my uglier personal "tools" was packaged and shipped as part of a product.

Recently, a similar phenomenon caught me again.  I received an e-mail query
asking permission to include the text of one of my postings to RISKS in a
forthcoming book.  The request came so long after the fact, I had to ask the
publisher to send me a copy of the article in question.  I'd long since
forgotten it.

The article turned out to be a minor diatribe on the nature of censorship and
its relation to Stanford's attempt to ban rec.humor.funny.  It was a bit
embarrassing to read it again and note its flamish style.  All in all, I was
mildly surprised our moderator let it through.

I gave my permission for its publication, but requested a footnote be added
clarifying my position on the matter.  I received a copy of the book in the
mail a few days ago, footnote and all. (It also contains RISKS comments on the
same subject from Les Earnest and John McCarthy.  I'm honored to be found in
such company).

The risk?  The words we exchange here aren't as ephemeral as they may appear on
a VDT screen, so be careful what you say and how you say it.  You never know
who might decide to package and ship it to a customer. (-:

Oh, yes.  The book:

  _Computerization and Controversy:  Value Conflicts and Social Choices_
  Edited by Charles Dunlop and Rob Kling,   Academic Press, Inc.
  Harcourt, Brace, Jovanovich, Publishers     ISBN 0-12-224356-0

(No, I don't get any royalties).

Jerry Hollombe, Citicorp, 3100 Ocean Park Blvd. Santa Monica, CA  90405
 (213) 450-9111, x2483   {rutgers|pyramid|philabs|psivax}!ttidca!hollombe

Please report problems with the web pages to the maintainer

x
Top