The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 12 Issue 32

Thursday 12 September 1991


o Security in software distribution
Joe Morris
o Re: Crackers for hire
Joan Eslinger
James Deibele
o Re: Helpful Viruses?
Stan Kurzban
Bob Johnson
Chuck Royalty
o Re: Cheap air tix
Mark Seecof
o Re: EMP
Phil Agre
Tom Faller
o Re: The seriousness of statistics mistakes ...
Mark Fulk
Ronald A. Thisted
Eric Florack
Mark Seecof
o Info on RISKS (comp.risks)

Security in software distribution

Joe Morris <>
Thu, 12 Sep 91 13:48:16 -0400
Although the (in)famous technique of shrink-wrapping personal computer
software has been around for a long time, mainframe software has generally
been shipped with no seals other than those on the shipping box.  A
frequently-proposed trojan horse technique (never used, as far as I know)
has been to send a computer center a box with media and documentation which
appears to have come from the operating system vendor, but in reality is
a trojan horse.  A modification of that procedure involves intercepting
a legitimate shipment and changing the contents.

This may be changing.  I recently received a shipment of IBM's RS/6000 AIX
system on tape cartridges.  Each cartridge is enclosed in a heat-sealed
heavy plastic bag on which the IBM logo is printed, along with the legend:

  This tamper evident bag ensures the integrity of your software.  If
  tamper is evident, please call the IBM software distribution center
  (1-800-879-2755) to report problem and have center replace the
  questioned software.

(Incidentally, the bad grammar in the above paragraph is correctly copied
from the text on the bag.)

The fact that I don't have an RS/6000 is irrelevant.  Maybe one of these days
IBM will figure out how to fix the data base systems used to generate mailing
addresses for software shipments...although in this case I suspect that the
problem was bad data entry, unlike the dozen or so other RS/6000 packages I've
received over the past year which were addressed to me by name.
                                                                  Joe Morris

Re: Crackers for hire

Joan Eslinger <>
Thu, 12 Sep 91 10:31:03 PDT
A few press releases from IBM yesterday make the cracker-for-hire
business a little more serious. More interesting data will be available
in local offices soon, so instead of spying on co-workers in the same
office, the opportunity will exist to spy on vice-presidents. The
announcements cover products that will be available sometime next year.

* "Information Warehouse," intended to allow easy access to all data
owned by a large corporation from any desktop computer within the
company, in most popular formats (Lotus, DB/2, SQL, ...).

* a partnership with Aristacom, a company which makes telephone switch /
computer interfaces:

    "With Aristacom's [earlier] applications a call is automatically
    routed to the targeted service agent with the information
    required to permit immediate service to the customer. This
    eliminates the frustrating interaction between customer and agent
    about the nature of the call and the identity of the customer."

* operating system enhancements and applications to assist in the development
of client/server applications between IBM mainframes and pc's running OS/2,
DOS, and Windows. They are also starting to support more interactions with Suns
and Macintoshes. Two of the new applications are described as follows:

  -- IBM SAA ImagePlus(a)/2, a new LAN-based application for
  tracking and distributing image applications such as
  insurance claims, loan applications and legal contracts.

  --  Financial Branch Systems Services, a client/server
  software package that supports financial applications
  such as those used in a banking branch office.  Also
  announced is support for DOS Windows users, which
  supplements the OS/2 and DOS support already available.

Joan Eslinger /

Re: Crackers for hire (Linda Edwards via Seecof, RISKS-12.29)

James Deibele <>
Thu, 12 Sep 1991 21:38:29 GMT
>In the September 19th Rolling Stone at page 67 an article titled "Samurai
>Hackers" by Lynda Edwards tells us that a: "new breed of hacker has been
>finding a niche in the corporate world in the last two years.  ...

Having read this article, _The Cuckoo's Egg_, and _Cyberpunk_, I was struck by
the "samurai hackers" referring to their customers and victims as "stupids".
True, those people may not know a whole lot about computers, but these hackers
don't seem to know that much more.  What they do have is the persistence to sit
in front of a machine for hours, trying passwords until they finally get one.
The fact that they do seem to often guess a password is certainly a
risks-related matter.

But having someone sitting for hours in front of the console entering names
should be picked up by almost anybody.  "Hmmmm, Joe complained about the
phone line being busy all weekend, but nobody logged in.  I wonder if there's
something wrong ..." would seem an unavoidable concern in such cases.

These "hackers" seem the equivalent of the smash-and-grab bandit: they throw a
brick through the window, grab what they can, then run.  They're limited in
effectiveness by the crudeness of their methods, but they can be effective
nonetheless.  Almost all of the sophisticated computer types seem more
attracted to the "good side," but given a large enough dislocation in the
economy, as we might see in a serious recession, the temptation to invade other
computers might seem attractive to computer professionals.

Another item was how willing people were to give out information over the
phone.  In _Cyberpunk_, the hackers in California were repeatedly able to
impersonate someone at the phone company or in the military well enough to get
information that they had no business having.  "I'm General Shotfoot's aide,
and he wants to know what his password is ..." seems to work fairly well.
Elementary security would be to get the number of the person calling, and call
them back.  But as long as there are humans in the loop, computers will be
vulnerable to this type of attack.

One last thing that was interesting was how abusive most of the people using
e-mail were of others.  As shown by other articles on electronics
communications, people have no hesitation saying things in e-mail that they
wouldn't dream of doing face-to-face or on paper.  One article I read talked
about how two groups were assigned tasks; the group that met only in the flesh
conducted their meetings without incident.  The one that was conducted partly
using electronic communications had people who had to be separated and sent out
through different exits to keep them apart.  Might one of the increasing risks
of electronic communications be getting attacked by someone outraged by what
you said about them electronically?

Public Access UNIX at +1 503 644-8135 (1200/2400) Voice: +1 503 646-8257
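Deibele's point that hours of password guessing on a dial-up port "should be picked up by almost anybody" is easy to turn into a mechanical check. The following is an added example, not code from the posting: it assumes a login log with one record per attempt in the form `date time port result user` (a constructed format), and it flags any port that accumulates a run of failures inside a short window with no successful login to reset the run. The sample log below is constructed for the example.

```python
"""Spot password-guessing sessions in a login log.

Added example, not from the RISKS posting.  Assumptions: each record is
'YYYY-MM-DD HH:MM:SS port FAIL|OK user'; the failure threshold and the
window length are arbitrary starting values for an operator to tune.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a modem port (tty03) hammered with guesses late on a
# Saturday night and never logged in, plus a normal user who mistypes once.
SAMPLE_LOG = """\
1991-09-07 23:58:12 tty03 FAIL root
1991-09-07 23:58:40 tty03 FAIL root
1991-09-07 23:59:05 tty03 FAIL sysadm
1991-09-07 23:59:31 tty03 FAIL guest
1991-09-08 00:00:02 tty03 FAIL field
1991-09-08 00:00:29 tty03 FAIL root
1991-09-08 08:15:00 tty01 FAIL joe
1991-09-08 08:15:20 tty01 OK joe
"""


def parse(log_text):
    """Yield (timestamp, port, result, user) for each non-blank record."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, port, result, user = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, port, result, user


def guessing_sessions(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {port: {"failures": n, "users": [...]}} for every port that saw
    at least `threshold` failed logins inside `window` with no success
    in between.  A successful login on the port resets the run, so a user
    who fumbles a password and then gets in is not reported."""
    recent = defaultdict(deque)   # port -> timestamps of recent failures
    tried = defaultdict(set)      # port -> user names attempted in the run
    alerts = {}
    for ts, port, result, user in parse(log_text):
        q = recent[port]
        if result == "OK":
            q.clear()
            tried[port].clear()
            continue
        q.append(ts)
        tried[port].add(user)
        while q and ts - q[0] > window:      # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(port, {}).get("failures", 0)
            alerts[port] = {"failures": max(prev, len(q)),
                            "users": sorted(tried[port])}
    return alerts
```

The number of distinct account names tried is reported alongside the count because a guesser cycling through `root`, `sysadm`, `guest` and `field` looks quite different from one person repeatedly mistyping their own password, and that distinction is what an operator reading the report wants to see.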

Helpful Virus?

Stan Kurzban
Wed, 11 Sep 91 15:38:31 EDT
  Fred Cohen says in a number of his papers that (quoting from Computers &
Security, Vol. 6, # 1, PP. 22-23) "The term virus has also been used in
conjunction with an augmentation to APL in which the author places a generic
call at the beginning of each function which in turn invokes a preprocessor to
augment the default APL interpreter." (Although Fred always attributes the idea
to a paper by Gunn in "ACM" in 1974, the paper actually appeared in ACM Quote
Quad in 1984, in the Proceedings of a Helsinki conference.)  What Gunn
described does not fit Fred's definition of a virus, but something that does
could serve the purpose Gunn described, as best I can remember.  Note that APL
is a logical place to expect a useful virus because APL users may leave
functions vulnerable to modification in the hope of benefiting from
improvements that others make.

Re: Prize for Most Useful Computer Virus (Rice, RISKS-12.30)

Contractor Bob Johnson;SCSS <>
Wed, 11 Sep 91 16:59:01 -0600
Brian Rice writes:
> ...all viruses are bad, because they take
> me out of control of my system and make me afraid to do things with it.

Novice users feel this same fear, until they learn how to get along with
the computer.  Viruses, however, tend to make their computers unpredictable.
When something drastic happens because the user isn't knowledgeable, they
"chalk it up to experience" and go on.  The damage done by a virus, though,
is entirely out of their control.  The user feels violated because someone
came into their "territory" and damaged them in some way, even if the
"damage" was just to their confidence.  (Administrators of large systems
have to be very careful during system maintenance to avoid invoking the
same territorial feelings in their "users" ;-).

Configuration management within a community of PCs presents many of the same
problems as system maintenance on large systems, and invokes the territorial
tendencies of most users ("Whaddaya mean, I can't use PD software on my
machine!?!?!").  It gets more important when all of these PCs are connected
through local area networks.  In a previous job, we experimented with having
each PC automatically log into a central server, compare its binaries with
the "distribution version", and automatically download anything new.  We
discussed having this routine remove "unauthorized" software, but figured it
would be too easy to mess up and remove something valid by mistake.

More recently, I have learned of a product which loads a TSR when you boot each
workstation, which can give control of that machine to a central administrator
via the LAN.  The administrator can then "poll" the workstation and perform
maintenance over the LAN - including making filesystem maintenance and even
copying new executables onto the PC.  This sort of maintenance can happen
"in the background", invisible to the user (who has no idea his/her system
is being "maintained").

If you extend the idea, you could create a "configuration checker" virus that
wandered thru the network, reporting system configurations back to a central
authority.  Is this a good idea?  Depends on whether you're the user or the
administrator.  It wouldn't be hard to add other "useful" features.  Perhaps
it could find files that haven't been used in six months, archive them to tape,
and then delete them from the user's system.  Where do you stop?

IMHO, any time "my" computer is changed without my knowledge, I have the right
to become upset - even if somebody else actually owns it.  This includes
viruses, configuration management, maintenance, or whatever.  The underlying
risk (the one which would lead to "good viruses") is what I call the "God
Syndrome" -- "I know what's best for you because I'm [your_title_here]".
That risk is prevalent EVERYWHERE, not just in computers.  We see the risk
more readily in other fields (such as government).  Because most people don't
understand computers well (yet), the risk is not so clearly seen.

Bob Johnson, Control Data Corp (contractor to...) Tinker Air Force Base,
Oklahoma DSN: 339-5038, (405) 739-5038

'beneficial virus' is an oxymoron

Chuck Royalty <>
Thu, 12 Sep 91 13:06:30 PDT
No one has addressed the question of a 'beneficial' virus in terms of the
growing concern in business over the amount of trust that can be placed in the
results produced by computer systems.  That concern is manifesting itself in
several ways:

    1.  An increasing amount of attention is being paid to configuration
        control of support (engineering, manufacturing, etc.) systems.  We
        can't test everything and we can't test anything exhaustively, but we
        want to know that what we're relying on has been tested to the extent
        possible and necessary so we have an idea where we're at risk.  This
        breaks down if we can't pin software configurations down to the bit
        level -- any virus, beneficial or not, clearly compromises this effort.

    2.  We are seeking reasonable ways to hold vendors responsible for the
        results produced by the software they deliver.  As the public begins
        to demand warranties (beyond the usefulness of media) for software,
        vendors will increasingly have to protect themselves by carefully
        specifying the system configurations for which warranties apply.
        Modification of underlying software by viruses, no matter what their
        intent, would also be contrary to a vendor's ability to guarantee

It seems apparent to me that we have to work towards the ability to completely
specify and audit the configuration of systems on demand in order to have a
chance of dealing with the legal and safety implications surrounding general
use of computer based systems by lay people.  Much as a piece of digital
hardware refuses to be functional if it fails its own self test, software must
be able to identify its configuration and respond appropriately prior to
providing service in critical situations.  We take this for granted in
ROM-based embedded systems, but their safety is due solely to their isolation
and resistance to alteration.  Both of these conditions are rapidly

Chuck Royalty          (206) 957-5197   
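Johnson describes PCs that log into a server and compare their binaries with the "distribution version", and Royalty wants configurations pinned "to the bit level" and auditable on demand. The following added example (not code from either posting) does the comparison side of that: it builds a digest manifest from a distribution tree and audits a workstation tree against it, reporting modified, missing and unauthorized files without deleting anything, which is the mistake Johnson's team decided not to risk. The directory layout and file names are constructed for the example.

```python
"""Bit-level audit of a workstation's files against a distribution manifest.

Added example, not code from the RISKS postings.  Assumptions: the
'distribution version' is a directory tree, the manifest is a map of
relative path -> SHA-256 digest, and the demo trees below are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> digest for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def audit(root, manifest):
    """Compare a workstation tree with the manifest.  Report only; the
    decision to replace or remove anything is left to a human."""
    local = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in local and local[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in local),
        "unauthorized": sorted(p for p in local if p not in manifest),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: one binary patched, one removed, one PD program added."""
    with tempfile.TemporaryDirectory() as dist, tempfile.TemporaryDirectory() as pc:
        for rel, data in [("bin/edit.exe", b"EDIT v1"),
                          ("bin/mail.exe", b"MAIL v1"),
                          ("sys/config.sys", b"FILES=20")]:
            _write(dist, rel, data)
        manifest = build_manifest(dist)

        _write(pc, "bin/edit.exe", b"EDIT v1 patched")   # modified on the PC
        _write(pc, "sys/config.sys", b"FILES=20")         # unchanged
        _write(pc, "games/tetris.exe", b"PD")             # not in the distribution
        # bin/mail.exe is deliberately absent from the PC
        return audit(pc, manifest)
```

The manifest is only as trustworthy as its own distribution channel: it has to reach the workstation by a path the audited machine cannot rewrite, which is the same problem Morris's tamper-evident bags address for tapes. A manifest fetched from a server that an intruder can alter just makes the intruder's configuration the "distribution version".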

Cheap air tix (re: RISKS 11.60)

Mark Seecof <>
Wed, 11 Sep 91 14:05:10 -0700
In RISKS-11.60, Jerry Leichter told us about the new struggle between airlines'
load-management software and travel agents' computer programs which search for
elusive low fare offerings.  (I cannot do justice to Mr. Leichter's fine piece

He pointed out a risk to consumers:

> The computers battle it out--and anyone without computer
> assistance is likely to be left on the ground.

The next chapter in the saga is discussed in an L.A. Times article by Denise
Gellene titled "Airlines Discourage Bargain Hunts" (9-10-'91, page D1).
[Bracketed interjections and elisions mine -MS] The article:

[...] Only a handful of travel agents use this new technology [automatic
fare-finding software which "electronically scan[s] thousands of fares listed
in an airline reservation system"], which can potentially save [individual]
consumers hundreds of dollars.  [...] Santa Ana-based Associated Travel
Management says its computer program saves an average of $150 for one customer
in four.

But the new computer programs have drawn a strong reaction from the airlines.
Sabre and Apollo, the reservation systems controlled by American Airlines and
United Airlines, have socked the agencies with new fees to discourage extensive
fare searches.  Associated Travel said the new charges could cost it $300,000 a

The conflict over the new software has important implications for travel
agencies, airlines, and consumers.  Travel agents need an edge to draw
customers, but airlines make most of their profits from higher-priced tickets.
Consumers are caught in the middle.

The software helps travel agencies keep up with the thousands of fare changes
airlines make daily.  Working 30 times faster than a travel agent, the software
can scan through a reservation system and snare customer-pleasing bargains that
an agent might never spot.

[...] The reservation systems say the new fees are justified because the new
programs cause reservation networks to work harder.  But agents and other
industry experts say that the airlines are also concerned that the new
technology finds low fares for business travellers [...] who normally pay full

``I think the main intent is to limit the user of these programs,'' said Steve
Ballinger, editor of Travel Management Daily, an industry newsletter.  ``It
seems the airlines are saying that just because there is a cheap fare out there
doesn't mean you have an unlimited right to find it.''

The controversy comes at a time when both airlines and travel agents are doing
poorly.  Airline traffic fell in July and was expected to decline overall in
August as recession-battered consumers cut back on travel. [...]

[stuff about airlines trying to avoid selling low-priced tickets; and agents
looking for ways to improve customer service by saving clients' money]

[the reservation systems are imposing fees designed to penalize automated
searching.  Searches which appear to be manual based on pattern of keystrokes
and number of records retrieved aren't surcharged.]

The fees are likely to discourage small agencies from investing in the new
[searching] software, which costs up to $150,000.  ``There is no way a small
agency can afford it,'' said USTravel's Nugent.

[some more details]

Not every agent finds the new limits easy to live with.  Boston-based Woodside
Travel said some agents in highly competitive markets, such as Los Angeles,
exceed the new keystroke-thresholds manually because there are so many airlines
to check.

[various back and forth about the new fees]

Travel agencies say they've taken steps to avoid hefty fees.

Associated Travel developed what it calls a "stealth" version of its original
software that is capable of taking an electronic picture of the information in
the airline reservation system.  Associated's computer then scans the
electronic copy for bargains.  By using this technique, the agency immediately
reduced the [usual] number of hits [per fare query] to 112 from 200.  Though it
may still pay a fee, it is less than the $300,000 it stood to pay without the
revised software.

Other agencies have taken different approaches.  Woodside travel said it now
looks for aisle or window seats less often.  USTravel says it now conducts most
of its searches at night, when fees are lower and most fare changes are made.

``We don't think American's Sabre is out to destroy our program,'' Woodside's
Barros said.  ``We think they would like to control how we use it.'' [-30-]

[Begin Mark S.'s comments.]

The tactic of caching replies from reservation systems to avoid repeating
costly queries seems wise, but cache-consistency problems must come up.

The reservation systems' argument--that a high query load is costly for
them--is valid so far as it goes, but the reservation systems are deliberately
organized so as to preclude direct searching for low fares.  If they maintained
methods (and indices) to permit searching for fares, then the number of queries
necessary to find low ones would drop dramatically.  Of course, this gets back
to the "antitrust" problems with reservation systems owned by airlines.
You-all know all about that stuff, but I'll remind you that the government is
in the middle of hassling a bunch of airlines for allegedly conspiring to fix
fares using the O.A.G. as a signalling channel, so an "independent" system for
such flight/fare info may not be a total fix.

The airline vs. agency computer wars would not be necessary if the airline
systems supported the sorts of queries the agents want to process.  The high
price of fare-search software means that ordinary consumers are left at the
mercy of the battling giants.  One sure fix for all of this would be to force
the airlines to provide low-fare searching.  One big cost to that would be the
blow it would surely deal to airline profits, and, I suggest, to the
availability of low fares.  The airlines have been amazingly successful at
flying everyone for exactly the (maximum, it's true) price s/he can or will
pay.  If it looks like they'll have to let some people travel for less (than
they can/will pay), the airlines'll just eliminate the lowest fares, leaving
some impecunious would-be travellers on the ground.

Is computer reservation system low-fare searching compatible with reasonable
"load management" by airlines?  Who should take the risks in reservation-system
design, consumers looking for low fares or airlines looking for efficiency?

Mark Seecof <>, Publishing Systems Dept., Los Angeles Times

EMP (Faller, RISKS-12.31)

Phil Agre <>
Thu, 12 Sep 91 13:31:09 pdt
    [...] There are estimates that one good nuke, exploded in near-space over
    Kansas could fry most of the missile controls, computers, radios, phone
    switches, smart weapons, late-model automobile engine electronics, ...

I think this logic might be a little backwards.  If the first shot really does
neutralize everything larger than a rifle, then (as many have pointed out in
other contexts) this is a strong motive for a first strike.  This fact is in
turn a strong motive for a policy of launch-on-warning.  The destabilizing
results, though, are proportionate to the state of knowledge about EMP, or
rather to our perception of the other folks' perception of ... .  With any luck
the darn things will be scrapped soon.
                                                  Phil Agre, UCSD


Tom Faller <>
Thu, 12 Sep 91 16:07:35 CDT
Actually, I agree with Phil Agre that the initial reaction of the military mind
would be to go to a launch on warning policy, and that the military leader's
usual scenario is that he rides it out in the bunker while we take damage, but
manage to pound the enemy into the stone age. I didn't mention that most of our
subs would still be around to throw some weight in after the initial salvo,
making it potentially a long war.

What I think really scares the brass is the possibility that each side would
try a strike, fry a few missile sites, but also 95% of each other's consumer
electronics and military CCC (Command, Control, and Communication) circuits,
and face a completely hostile home population with a relatively impotent
military force, and a few subs capable of nuclear war only. I can see the
entire population of Denver, relatively unscathed but for their cars, TV's,
Walkmans and PCs walking out to "The Mountain" with shovels in hand, and a
couple of hemp ropes.

This is not the kind of scenario you can model on a wargame computer, but I'm
sure it's run through the generals minds at least once. The Soviets are getting
a version of this right now, except substitute "economic planning" for "nukes"
as the catalyst.

Phil's right though; the more we learn about nuclear war, it seems the less we
know; that realization is probably the biggest deterrent.
                                                               Tom Faller

Re: The seriousness of statistics mistakes and MSAFP

Thu, 12 Sep 91 15:30:10 -0400
Jeremy Grodberg may be correct in assailing my article, but he assails the
wrong thing.  I may have misused the term ``False positive rate.''

Roughly 10% of MSAFP tests are positive; very few of those tests are
true positives.  My source is the pamphlet on MSAFP passed out by our
obstetrician, which does not use the phrase "false positive rate."
I don't have it immediately to hand, but a paraphrase would go: ``1 in
10 MSAFP tests are positive.  In the vast majority of cases, this means
nothing.  If you have a positive MSAFP, your doctor will recommend
amniocentesis to make sure that your baby is healthy.''

Other phrases: MSAFP detects about 2/3 of neural tube defects and about
1/3 of cases of Down's syndrome.

By the way, I also had my figures confirmed by my friendly genetic counsellor
at Strong Hospital.

Am I alone in feeling that phrases like ``False positive rate,'' although they
may have unambiguous technical definitions, are misleading in normal use?

Mark Fulk

  [You are not alone.  There are some people who prefer TYPE ONE ERRORS and
  TYPE TWO ERRORS to False Positives and False Negatives.  PGN]

Re: The seriousness of statistics mistakes (Grodberg, RISKS-12.31)

Ronald A. Thisted <>
Thu, 12 Sep 1991 23:17:57 GMT
First, if we consider only the risk of Down Syndrome and not other conditions
which alter MSAFP, approximately 1 in 800 term deliveries have the disease.
The age-specific risk (=incidence) at birth ranges from 1:1700 at age 20 to
about 1:30 at age 45.  The risk of spontaneous abortion with amniocentesis is
generally estimated between 0.5% and 1%.

Second, MSAFP is used as a screening test, not a diagnostic test.  Roughly
speaking, a screening test is used to obtain a more accurate person-specific
risk estimate.  The MSAFP results can affect the risk estimate by a factor of
four in either direction.

Third, Mr Grodberg takes Mr Fulk to task for incorrectly interpreting
the term "False positive rate".  Unfortunately, the term has *no*
unambiguous meaning, and is routinely used to refer to either of two
rates, depending on which is more appropriate to the setting.  I have
seen standard books in epidemiology define the term differently, and
the only safe course is to avoid the term altogether or to be careful
in defining it.

"False positives" (N+) are people without the disease (N) with a positive test
(+).  As such, they are a subset of people without the disease.  They are also
a subset of the people who will have a positive test result.  If we are
interested in the effect of screening on a population, we are interested in
FPR1 = (N+)/(N), the fraction of normals who will falsely be screened positive.
On the other hand, if we are interested in how much credence to give to a
positive result, we are interested in the FPR2 = (N+)/(+) = 1 - Positive
Predictive Value.  The second formulation concerns the diagnostic value of the
test, when applied in a particular population.  The greater the prevalence of
the disease in this population, the greater the fraction of positive testers
who actually have the disease.

In the case of MSAFP, a "positive" result occurs when the risk, adjusted
for age and MSAFP level, exceeds some threshold (1:250 is often used).
Individual physicians and patients may well select other thresholds.  Using the
typical value for the threshold, about 5% of normals will screen positive, and
about 30% of Down cases would be detected.

In point of fact, then, Mr Fulk's assumption was closer to the truth
than Mr Grodberg's.  But the point is similar:
  (1) Bad data may result in less than optimal decisions
  (2) Bad statistics may result in less than optimal decisions
  (3) It helps to make damn certain that the other guy is actually
saying what you think he is.

Ron Thisted     Department of Statistics/The University of Chicago
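Fulk's and Thisted's exchange turns on which of two quantities "false positive rate" names. The following added example (not part of either posting) computes both, FPR1 = (N+)/(N) and FPR2 = (N+)/(+) = 1 - PPV, from a prevalence, a sensitivity and a specificity, and checks them against the odds formulation that underlies the 1:250 decision threshold Thisted mentions. The inputs below are the figures quoted in the thread (1:800 prevalence, 30% detection, 5% of normals screening positive); the function names are this example's own.

```python
"""Two 'false positive rates' for a screening test, using the MSAFP figures
quoted in the thread.

Added example, not part of the RISKS postings.  Inputs: prevalence of the
condition in the population screened, sensitivity (fraction of cases
detected) and specificity (fraction of normals who screen negative).
"""


def screen(prevalence, sensitivity, specificity):
    """Counting formulation: split the population into TP / FP / TN."""
    tp = prevalence * sensitivity                 # cases correctly flagged
    fp = (1 - prevalence) * (1 - specificity)     # normals falsely flagged (N+)
    tn = (1 - prevalence) * specificity           # normals correctly cleared
    ppv = tp / (tp + fp)                          # positive predictive value
    return {
        "FPR1": fp / (fp + tn),      # (N+)/(N): fraction of normals screened positive
        "FPR2": fp / (tp + fp),      # (N+)/(+): fraction of positives who are normal
        "PPV": ppv,                  # 1 - FPR2
        "positive_rate": tp + fp,    # fraction of all tests that come back positive
    }


def posterior_risk(prior, sensitivity, specificity, positive=True):
    """Odds formulation: prior odds times the likelihood ratio of the result,
    converted back to a probability.  For a positive result this equals the
    PPV from screen() when `prior` is the prevalence."""
    if positive:
        lr = sensitivity / (1 - specificity)
    else:
        lr = (1 - sensitivity) / specificity
    odds = prior / (1 - prior) * lr
    return odds / (1 + odds)


def recommend_amnio(prior, sensitivity, specificity, threshold=1 / 250):
    """Apply the 1:250 threshold Thisted cites to the post-test risk."""
    return posterior_risk(prior, sensitivity, specificity) >= threshold


def age_table(sensitivity=0.30, specificity=0.95):
    """Post-test risk after a positive screen for the age-specific priors quoted
    in the thread.  Returns (label, prior, posterior, amnio_recommended)."""
    rows = []
    for label, prior in [("age 20", 1 / 1700), ("all term deliveries", 1 / 800),
                         ("age 45", 1 / 30)]:
        post = posterior_risk(prior, sensitivity, specificity)
        rows.append((label, prior, post,
                     recommend_amnio(prior, sensitivity, specificity)))
    return rows
```

With these inputs FPR1 is 5% while FPR2 is above 99%: a positive screen raises a 1:800 prior to roughly 1:134, enough to cross 1:250, but the same positive result leaves a 20-year-old's risk at about 1:284, below the threshold, while a 45-year-old's is already above it before testing. Fulk's "1 in 10 tests are positive" corresponds to a specificity near 0.90 rather than 0.95; changing that one input shows how little FPR2 moves for a rare condition, which is why the two rates are so easily confused.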

Re: ASCII (RISKS-12.31)

Eric Florack
Thu, 12 Sep 1991 12:46:35 PDT
>>Incidentally, the designers of ASCII wrought better than we might think. The
ESCAPE character is supposedly intended to allow a system to insert non-ASCII
characters (to "escape" from the ASCII set). Pity it's never used that way.<<

What, you've never heard of ANSI? What of the attempt at international chrs in
THAT set? Does this count for nothing? I know of damn few DOS systems that do
not have an ANSI driver mounted at all times....

Poor ASCII (RISKS 12.29-31)

Mark Seecof <>
Thu, 12 Sep 91 15:52:15 -0700
The moldy political odor rising from some of the remarks about ASCII and
limited character sets recently published in RISKS bothers me a lot.  ASCII is
not some poison forced down non-English speakers' throats at gunpoint.  It is
not an evil scheme to enforce American cultural hegemony on long-suffering
Europeans, or Asians, or anybody.  Dammit, people did and do buy all that
ASCII-based software and firmware of their own free will.  When it doesn't suit
them, they buy something else or roll their own.

We're lucky we've got 8-bit 8859 and 7-bit ASCII instead of a 6-bit code like
CDC used to use (ever look at Jensen+Wirth, the "Pascal User Manual and
Report"?).  Soon we'll have wider codes.  The falling price of computer
storage, both core and secondary (e.g., disk), alleviates the pressure to keep
character representations small (in terms of bits).  It would not have been
rational to use 16- or 32-bit chars on a machine like the 1401 or PDP-8; so how
many of those fancy latin-characters-with-diacriticals (of little use in the
States) would you have expected U.S. developers to support on yesterday's
hardware?  And you can forget other alphabets or ideographic systems.

The risk here lies in imputing political meaning to technical decisions taken
long ago which were quite rationally based upon the technical constraints felt
at the time.  People tend to think of a computer as some magic thing; if it
doesn't do what they want they suppose that the system developers were wicked
or subject to sinister influences.  It just isn't so...

As customers demand and are willing to PAY FOR computer stuff which works with
more characters, various writing directions, context-dependent writing schemes,
etc., the world's vendors are making it available.  Don't dismiss the cost
factor--a developer in the U.S. might have to demand a lot of money from a
client in Yemen to make it worthwhile diverting his scarce manpower and short
time into making an Arabic version of some software.

Some people whine about the fact that one package or another which they want to
use isn't "internationalized" but those people are rarely willing to pay the
cost of "internationalizing" (or merely "other-nationalizing") the stuff just
for them.  Vendors looking to do well in markets outside the U.S. and the
British Commonwealth do make efforts to accommodate their customers.  As the
problem of data interchange across linguistic or orthographic boundaries grows
with improved data communications, people work on schemes like DPIS10646 for
characters and other, fancier schemes for non-English orthographies and to
support message translation.

Mark Seecof <>
