The RISKS Digest
Volume 12 Issue 43

Monday, 7th October 1991

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Full (16 rounds) DES Broken
Li Gong
Dave Roberts
AT&T "Deeply Distressed" over Outage
Mark Seecof
Michael F Eastman
Fred Cohen's contest and ``good viruses''
Gene Spafford
John Markoff excerpt
Info on RISKS (comp.risks)

Full (16 rounds) DES Broken (reported in NY Times)

Li Gong <li@cambridge.oracorp.com>
Fri, 4 Oct 91 14:18:26 EDT
John Markoff in The New York Times (03Oct91, p.A18) reported that Adi Shamir
and his student Eli Biham had emailed their American colleagues and told them
that the full 16-round DES had been broken with chosen-ciphertext attacks
(probably the follow-up of what they reported last year at Crypto).  The
article said that Adi is not willing to comment on anything until the research
result is published in a journal later this (yes, this) year.

Li Gong,  ORA Corp, 675 Mass Ave, Cambridge, MA 02139


Demise of DES

Dave Roberts <dwr@datasci.co.uk>
Mon, 7 Oct 91 11:45:14 GMT
From THE DAILY TELEGRAPH, London, Saturday, October 5th 1991

"Secret" bank code cracked warns GCHQ, By Adrian Berry

Banks and financial houses are being warned by GCHQ at Cheltenham to stop
sending messages in their most widely used secret code [DES], because it has
been cracked. [...]  GCHQ, which supervises the security of secret codes, wants
banks to use the more advanced code known as Rambutan.

[A known plaintext attack] helped the Americans to win the Battle of Midway in
1942.  An American base radioed falsely that its water supplies had broken
down.  The Japanese then reported the message in a cipher.  The Americans
simply compared the two texts and learned to read secret enemy traffic.

Bank officials said yesterday that they would probably continue to use
the DES code until officially warned against it, or until another
Government-approved encryption package was made available.

   [Nobody is selling commercial Rambutan chips in the UK so the banks cannot
   (to the best of my knowledge) get them.  D.W. Roberts  dwr@uk.co.datasci]


AT&T "Deeply Distressed" over Outage

Mark Seecof <marks@capnet.latimes.com>
Tue, 1 Oct 91 09:47:41 -0700
The Wall Street Journal reports on page C18 of the October 1 issue that "AT&T
Tells FCC a Lapse In Procedure Led to Outage."  [Elisions and bracketed
comments from Mark S.]

[Story Begins]

An [AT&T] executive told the FCC that AT&T was ``deeply distressed by the
lapses in procedure'' that led to a network failure in New York City last
month.  Kenneth L. Garrett, a senior vice-president in charge of AT&T's network
services, said that the failure of the Manhattan switching center on Sept. 17
could have been averted if ``AT&T's existing procedures'' had been followed by
a supervisor.  Mr. Garrett made his remarks in a letter to FCC Chairman Alfred
C. Sikes released late yesterday.  While AT&T's report said alarms in the
building were not working properly, Mr. Garrett's letter, which accompanied
AT&T's report on the outage, noted the failure wasn't a systemic breakdown of
the AT&T network.

AT&T said standard procedure calls for the supervisor, whom AT&T didn't name,
to assign a technician to inspect each of the Thomas St. facility's power
plants when AT&T switched to its own electrical power from the grid operated by
New York utility [Con Ed].  Instead, the supervisor took his technicians to a
class on a new power alarm system, leaving the plant unsupervised.

The switchover blew rectifiers, which convert Con Ed's AC power to DC current,
sending the switching center to emergency batteries, which quickly ran out of
juice [sic!].  The switching center gradually lost power, stalling
communications traffic, including critical air-traffic control information.  It
was AT&T's third major network failure in 18 months.


from telecom — att outage

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 7 Oct 91 9:42:00 PDT
Date: Wed,  2 Oct 91 12:16:44 EDT
From: mfe@ihlpy.att.com (Michael F Eastman)
Subject: Update on 9/17/91 AT&T Outage
Organization: AT&T Bell Laboratories

The following report was posted on our internal news network by Corporate Media
Relations. It is a good summary of the events surrounding the outage. I hope
that you will find it informative.

Mike Eastman - 4ESS Development - AT&T Bell Laboratories

                       -----------

FOR THE RECORD *** Following is a synopsis of the events leading to the service
disruption on Sept. 17:

    Late in the afternoon on Sept. 17, the AT&T switching center at 33
Thomas St. in lower Manhattan experienced a battery power failure in its 20th
floor power room facilities, disrupting service, including voice and data
communications for all three New York area airports.  The events leading to the
disruption began earlier, between 6-7 a.m., when the Building Operations Group
was contacted by Con Edison with a request to take the facility off commercial
power during the day.  We agreed to do so.

    At 10:10 a.m., AT&T cut over from commercial power supplied by Con
Edison to backup, diesel-generated power.  Such a cutover is standard
procedure; it is a result of the interruptible power arrangement AT&T has with
Con Edison, and was accomplished four times without incident this summer alone,
most recently on August 15 and 29.  The interruptible power arrangement with
Con Edison has been in effect formally since 1990.  It capitalizes on AT&T's
ability to generate at 33 Thomas St. sufficient power to cover the building's
needs.  By having the means on-site to generate the building's electricity,
AT&T both protects itself from voltage brown outs that could damage equipment
and impair service, and fulfills a corporate citizenship obligation to shed
electrical load during power emergencies.

    At 10:10 a.m. the AC power supervisor threw a switch, engaging the
diesel generator and taking the building off commercial power.  Throughout the
building, in each of the telecommunications power plants but one, that transfer
of power from commercial AC to diesel-generated AC, was accomplished smoothly.
On the 20th floor, where the power plant for DS3 and other high-capacity
transmission facilities is located, there was a problem.  A rectifier there
sensed a spike in voltage level; to protect the power plant and facilities the
plant supported, AC power was removed from the rectifier input and the power
plant began operating on battery reserve.  Subsequent tests have determined
that the overload protection relay was misadjusted during recent plant
modernization, making the shutdown circuit overly sensitive to overvoltage.
This is the only power plant in the building that did not cut over normally.

    From that moment, approximately 10:10 a.m., the batteries supporting
all DS3-and-higher-capacity facilities at 33 Thomas St. were removed from their
recharging system and were operating on emergency reserve.  That emergency
reserve power is designed to last six hours.  Standard operating procedure
requires the DC power supervisor to dispatch a power technician to walk through
each of the building's power plants during a shift from commercial power to
diesel power.  Had such a walkthrough occurred on Sept. 17, the technician
would have seen a "POWER" alarm in the 20th floor power room.  A power
technician performs such walkthroughs as a matter of standard methods of
procedure.  However, on the morning of September 17, the DC power supervisor
decided not to dispatch a technician to verify the transfer for the following
reasons:

     o  All six power technicians (and the supervisor) were scheduled
    for a power alarm training class in another building, about
    15 minutes away.

     o  33 Thomas St. had not experienced a power problem in six to
    eight years.

     o  The rectifiers had been refurbished in the last year and the
    batteries were new with a six (6) hour reserve.

     o  Four (4) power transfers had been conducted during the summer
    without problem.

Additionally, the supervisor did not arrange for a substitute by
requesting the use of one of the fifty-two power-qualified technicians
 — a technician normally charged with other duties, but capable of responding
to a power emergency — remaining within the building.

    In the absence of a power technician, if an alarm had been recognized,
one of these power-qualified technicians could have handled the problem.  Doing
so would have enabled the batteries in the 20th floor power room to be
recharged by the diesel generator, even as they were being drained by providing
power to the high-capacity telecommunications facilities in the building.
There was a failure to follow standard operating procedure.  Had a power
technician or any power-qualified communications technician been required to
perform the power plant walkthrough as methods of procedure mandated, the
tripped rectifier would have been discovered and reset, and a service outage
would have been avoided.

    But the power plant walkthrough was not performed.  All of the
building's six power plant technicians had been dispatched to receive training,
ironically, on a new computerized alarm system that will be cut over at 33
Thomas St. in October.  The equipment for that new alarm system is functioning
already at the building where the training class was being conducted; it is
being installed, but has not yet been brought into service at 33 Thomas St.

        From 10:10 a.m. until 4:30 p.m., all high-capacity telecommunications
facilities in the building were being run on emergency battery reserve power
from the 20th floor power room.  All other equipment, such as the three 4ESS
switching systems in the building, was supplied with electricity from other
power plants, and was fully operational and functioning normally.

    At 4:30 p.m., a communications technician who was just coming on duty
for the evening tour, noticed a visual display indicating the emergency battery
power condition.  This visual alarm is in a location that is normally
unstaffed.  At this point, the technician, who is power qualified, made an
attempt to cut back from batteries to AC power.  That attempt was unsuccessful;
the batteries had been discharged to a point where they would not physically
accept recharging current without being disconnected from the facilities they
were supporting.  At 4:40 p.m., as battery life expired, those facilities began
to go down.

    The restoral effort got under way virtually immediately.  During the
first 30 minutes, 144 non-terminating T3 circuits, carrying traffic passing
through but not terminating in the New York area, were restored.  This amounted
to some 19,200 message circuits and approximately 1,400 private line T1 lines.
By 6:00 p.m., all equipment was disconnected from the 20th floor power plant,
and rectifiers were manually reset to force current into the batteries to
recharge them.  As the rectifiers recharged the power plant, facilities were
gradually brought back on line.  By 9 p.m., 43% of domestic and 8% of
international traffic was restored, by 10 p.m., 51% of domestic and 56% of
international traffic was restored, and by midnight, virtually 100% of domestic
and 95% of international traffic was restored.

FYI:

1. The 48-volt battery plant at 33 Thomas St. is scheduled to be replaced by
the end of the year.  The new plant will have restart capability, in contrast
to the existing plant.

2. A diversification of load distribution is now planned for both call-handling
systems and power systems within the local node.  This diversification will
mean that any future outages would be limited to a maximum of 50% of an
office's high-capacity transmission facilities.  Rerouting is expected to be
completed at 33 Thomas St. by March, 1992; at all major metropolitan New York
offices by the end of 1992, and at all offices in the nation by the end of
1993.

3. A new power alarm system, now being installed at 33 Thomas St., will have
built-in redundancy, with alarm connections to both the local building and to a
surveillance center in Conyers, Ga.  In the event of a failure, alarms will go
off in both locations, providing a backup if the local alarms are not
functioning.

4. Nationwide, AT&T has stepped up plans to spend $200 million over the next 12
months to improve the reliability and backup of its power systems, which is
expected to greatly diminish the risk of similar equipment problems.

Mike Eastman    att!ihlpy!mfe    (708) 979-6569
AT&T Bell Laboratories  Rm. 4F-328  Naperville, IL 60566


Fred Cohen's contest

Gene Spafford <spaf@cs.purdue.edu>
Mon, 30 Sep 1991 17:17:13 -0500
The September/October issue of "The Sciences," published by the New York
Academy of Sciences, had an article by Fred Cohen.  In it, he tried to make a
case for the existence of "good" viruses, and he pulled out a number of
supporting examples that really weren't viruses or weren't clearly done well by
viruses.  He concluded the article with an announcement of a contest.  His
publishing company, ASP (which may be run by Fred for all I know) will award
$1000 for the best "good" virus as per vague rules laid down by Fred in the
article.

I was quite upset by the article, and especially the contest, because I think
it quite unethical to encourage the writing of viruses as he is doing.  I also
think there is a very clear and significant conflict of interest for him and/or
ASP to be encouraging such a contest.

I wrote a letter of response to the editor a few weeks ago, and I have spent
the time since then thinking about it.  The toned-down letter that I actually
sent is reproduced below, minus some italics and bold-facing.

Whether you agree or disagree with my comments, if you wish to make your own
comments to the editor, his address is below; his fax number is
212-260-1356.    I doubt I am the only person with an opinion on this matter.
(Naturally, I could be the lone voice of dissent; I hope not, but it may be the
case.)

    = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Mr. Peter G. Brown, Editor
The Sciences
622 Broadway
New York, NY  10012

Dear Mr. Brown:

I began to read the recent article by Dr. Fred Cohen [1] with considerable
interest.  Dr. Cohen is a pioneer in the field of computer virus research, and
I have found many of his writings quite thought-provoking.  Unfortunately, by
the time I finished his article, I was quite dismayed.  I believe that Dr.
Cohen has failed to adequately consider both the practicality and the ethics of
his proposal.

First of all, I believe that there is an obvious conflict of interest involved
when the vendor of a computer virus prevention product sponsors a contest
soliciting the development of new viruses.  I am further troubled by the lack
of a list of the judges of the contest and the criteria for winning.  I will
not discuss these points further, however, as they are minor matters compared
with my main concern: I believe that the writing of computer viruses is
unethical, [2--3] and to encourage their development in an unsupervised manner
is likewise unethical.

Computer viruses spread without the informed consent of the owner of the
software (``host'') they ``infect,'' and they are usually not limited in their
spread, in time or space.  If scientists were to experiment with organic
viruses capable of infecting humans and possessing these same properties, we
would likely be taking vigilante action against them, contest or no.
Encouraging the general populace to develop organic viruses would bring about
widespread condemnation; yet, oddly, encouraging the development of computer
viruses leads to publication in a journal.

To his credit, Dr. Cohen explicitly prohibits viruses that exhibit the above
two dangerous properties from being eligible for his contest.  However, many
viruses cause damage because of flaws within the code, or unexpected properties
of their target computing environment; examples include the ``Stoned'' virus
for IBM PCs, and the ``WDEF'' virus for Apple Macintoshes (cf., [3--5]).  What
will be the attitude of the community as a whole if a new destructive virus
appears on the scene because of a bug in the software meant to contain it?
What if something similar to Robert T. Morris's Internet Worm were to be
discovered and explained as a buggy test version intended for Cohen's contest?

This brings me to another argument with Dr. Cohen's article: we disagree about
the definition of the term ``computer virus.''  Cohen describes Morris's
Internet program as a ``virus,'' while I (and others) would define it as a
``worm.'' [6--7] Morris's program did not alter existing software to include a
copy of itself as do viruses.  His program was no more a virus than is a
compiler (suggesting an interesting class of potential submissions to the
contest).  In fact, if we intuit a definition of ``contest-acceptable virus''
from Cohen's article to be something that spreads from system to system, that
requires permission to install itself, and has limited potential for spread
(like the Worm), it is no longer clear we are speaking about viruses at all!

Harold Thimbleby of Stirling University, Scotland and Ian Witten of Calgary
University, Canada have done extensive work on software that would meet the
above intuited definition of a computer virus.  They have developed some very
sophisticated self-propagating applications, including self-updating databases
with window-based interfaces.  [8--9] It is not at all clear that the community
recognizes these as viruses. Professor Thimbleby himself has chosen to call
them ``liveware'' to make the distinction clear.  I am surprised that Dr. Cohen
is unfamiliar with their work and did not cite it in his Sciences article; it
would be a clear favorite if it were to be entered in the ASP contest.
However, it also serves to illustrate how something that might win the contest
is not likely to be viewed as a ``virus'' by the community of researchers.

This brings me to the second of my two major objections to Cohen's article and
contest.  I believe that his underlying thesis is flawed: I do not believe that
there are any practical ``good'' viruses.  During the Second Conference on
Artificial Life, held in Santa Fe in 1990 (cf. [10]), I was on a panel
discussing computer viruses.  Russell Brand, another panelist, made the
observation that there is nothing that can be done by a computer virus that
cannot be done more efficiently and generally by other means.  This observation
was debated by the panel, and discussed extensively by others since that time.
To my knowledge, everyone involved in these discussions now believes that is a
true statement.

Consider that a computer virus is nothing other than a program coupled with
code to transport and install itself as part of existing software.  It will be
more difficult (or impossible) than a stand-alone program to update for new
releases, customize, and maintain.  A virus will also be more difficult to
write and test for correctness than will a stand-alone program because of its
interaction with its environment.  Viruses are simply not the most practical or
efficient approach to any particular task.  His example in the article of the
billing system demonstrates an inadequacy in the data model used and tools
available, and not the superiority of using a quasi-virus.  Even the example
Cohen gave in his PhD dissertation of a compression virus would be better
served by a well-written stand-alone program over which the user has more
control.  I believe that any attempt made to promote ``useful'' viruses
involves a contradiction of the word ``useful,'' assuming that ``useful'' does
not also imply ``malicious.''

To return to my first fundamental objection (and the one I feel most strongly
about) — the impropriety of encouraging virus authorship.  We have been
battling computer viruses for five years now, and the indications are that the
problem is growing exponentially (cf. [11--12]).  Computer viruses --- even
those intended to be harmless, and limited in scope and duration --- continue
to cause untold amounts of damage to computer systems.  For someone of Dr.
Cohen's reputation within the field to actually promote the uncontrolled
writing of any kind of virus, even with his stated stipulations, is to act
irresponsibly and immorally.  To act in such a manner is likely to encourage
the development of yet more viruses ``in the wild'' by muddling the ethics and
dangers involved.  It will reinforce the attitude that there may be some
benefit to be gained from writing viruses (when there is as yet absolutely no
clear indication that such is the case), and may encourage people to begin
uncontrolled experiments with viruses they might not otherwise have undertaken.
We have seen cases already where well-trained virus researchers have
accidentally released experimental computer viruses into the population; to
encourage amateurs to also engage in risky behavior that may lead to similar or
worse results is quite appalling.  It is my fond hope that no one attempts to
enter Dr. Cohen's contest, and that he quickly recognizes the dangers and
cancels it.

A few decades ago, physicists talked about peaceful uses of atomic weapons,
such as blasting out canals and destroying threatening icebergs.  They were
attempting, in good faith, to put a better moral cast on their research.
Thankfully, none of them offered money in a contest for the best demonstration
of such an application!  Alfred Nobel, horrified at the use to which his
invention of stabilized explosives was being put, did not establish a contest
for the best peaceful use of dynamite.  Instead, he established world-renowned
awards for research in peaceful pursuits, funded by the income from his
discovery.  It is quite unfortunate that ASP and Dr. Cohen could not have taken
a similar approach with their $1000 prize.  They could have made a powerful
statement about responsible behavior, but instead have increased the danger to
the community and generated doubts about their own motivations.

Eugene H. Spafford, PhD

REFERENCES

[1] Friendly Contagion: Harnessing the Subtle Power of Computer
Viruses, by Fred Cohen, The Sciences, Sep/Oct 1991, pp. 22--28.

[2] Computer Viruses and Ethics, by Eugene H. Spafford, in Collegiate
Microcomputer, special issue on the Rose-Hullman/GTE Computing and
Ethics Seminars, to appear, 1992.

[3] Computer Viruses: Dealing with Electronic Vandalism and
Programmed Threats, by Eugene H. Spafford, Kathleen A. Heaphy and
David J. Ferbrache, ADAPSO, 1989.

[4] Rogue Programs: Viruses, Worms, and Trojan Horses, edited
by Lance J. Hoffman, Van Nostrand Reinhold, 1990.

[5] Computers Under Attack: Intruders, Worms and Viruses, edited
by Peter J. Denning, ACM Press/Addison-Wesley, 1990.

[6] What is A Computer Virus?, by Eugene H. Spafford, Kathleen A.
Heaphy and David J. Ferbrache, Chapter 2 in [4].

[7] An Analysis of the Internet Worm, by Eugene H. Spafford, in
Lecture Notes in Computer Science 387, Springer-Verlag,
1989.

[8] Bugs, Viruses and Liveware: Collected Papers by Harold Thimbleby,
technical report of the Department of Computer Science, Stirling
University, Scotland, 1990.

[9] Liveware: A New Approach to Sharing Data in Social Networks, by I.
H. Witten, H. W. Thimbleby, G. F. Coulouris, and S.  Greenberg, in
International Journal of Man-Machine Studies, 1990.

[10] Artificial Life II, Studies in the Sciences of Complexity, Volume
XII, edited by D. Farmer, C. Langton, S. Rasmussen, and C. Taylor,
Addison-Wesley, 1992.

[11] Virus Trends: Up, Up, Up by David Stang in National Computer
Security Association News, 2(2), March/April 1991.

[12] The Kinetics of Computer Virus Replication by Peter S. Tippet in
Proceedings of the Fourth Annual DPMA Computer Virus Security
Conference, New York, March 1991.


"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 7 Oct 91 10:07:30 PDT
Excerpt from JOHN MARKOFF, New York Times, News of the Week in Review, 6oct91

   Biologists have learned to harness viruses to create vaccines
and, in recent years, to reprogram faulty chromosomes by using
viruses to smuggle new genes into cells.
   Now a small but growing group of computer scientists is
examining the possibility of designing computer viruses and similar
programs called worms to burrow into computer networks and set in
motion a whole range of beneficial activities
   Many computer users have been the victims of malicious virus
programs propagating through networks and erasing data or causing
the whole system to fail. But now some researchers are suggesting
that it is possible to harness the subtle power of computer viruses
to perform useful tasks.

   [The article goes on to quote Cohen, Spafford, and others, and revisits
   the 1960s Bell Labs Darwin Days of McIlroy and Vyssotsky (Bob Morris was
   around then, too), Bob Thomas at BBN for ATC software, John Shoch and
   Jon Hepp's Xerox Worms, and Danny Hillis of Thinking Machines.  PGN]
