The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 12 Issue 72

Tuesday 31 December 1991


o Airbus Fuel monitoring; tanks shown full when they were not
John Van Voorhis
o Recent Novell Software Contains a Hidden Virus
John Markoff
o Has anybody ever been spoofed on the wide network?
George Michaelson
o Re: Whole Earth Review Questions Technology
Tom White
o The Whole Earth is greater than the sum of its parts (Re: Jerry Mander)

Airbus Fuel monitoring; tanks shown full when they were not

John Van Voorhis <>
Fri, 27 Dec 1991 15:53:18 GMT
A few weeks ago I flew on an A320 for the first time.  Overall the flight was
fine; however, we were delayed at the gate while the ground crew tried to fuel
the plane.  It seems that the computer that ran the the fuel pump onboard the
aircraft would not pump in any more fuel, even though the tanks were not full.
I do not know how they managed to do it, but eventually they did load on enough
fuel to get us from Chicago to Phoenix.  Does anyone know how this system
works?  What happens if the flight or ground crews are careless and just let
the computers tell them what is going on?  It did not make me feel very safe.

John Van Voorhis, Chapin Hall Center, 1155 E 60th St  Chicago, IL 60637
                  (312) 753-5983 

Recent Novell Software Contains a Hidden Virus

"John Markoff" <>
Mon, 30 Dec 91 13:16:29 PST
By JOHN MARKOFF  (from the New York Times, 20 Dec 1991)

  The nation's largest supplier of office-network software for
personal computers has sent a letter to approximately 3,800 customers
warning that it inadvertently allowed a software virus to invade
copies of a disk shipped earlier this month.
  The letter, sent on Wednesday to customers of Novell Inc., a Provo,
Utah, software publisher, said the diskette, which was mailed on Dec.
11, had been accidentally infected with a virus known by computer
experts as "Stoned 111."
  A company official said yesterday that Novell had received a number
of reports from customers that the virus had invaded their systems,
although there had been no reports of damage.
  But a California-based computer virus expert said that the potential
for damage was significant and that the virus on the Novell diskette
frequently disabled computers that it infected.

 'Massive Potential Liabilities'

  "If this was to get into an organization and spread to 1,500 to
2,000 machines, you are looking at millions of dollars of cleanup
costs," said John McAfee, president of McAfee & Associates, a Santa
Clara, Calif. antivirus consulting firm. "It doesn't matter that only
a few are infected," he said.  "You can't tell. You have to take the
network down and there are massive potential liabilities."
  Mr. McAfee said he had received several dozen calls from Novell
users, some of whom were outraged.

  The Novell incident is the second such case this month. On Dec. 6,
Konami Inc., a software game manufacturer based in Buffalo Grove, 111.
wrote customers that disks of its Spacewrecked game had also become
infected with an earlier version of the Stoned virus. The company said
in the letter that it had identified the virus before a large volume
of disks had been shipped to dealers.

Source of Virus Unknown

  Novell officials said that after the company began getting calls
earlier this week, they traced the source of the infection to a
particular part of their manufacturing process. But the officials said
they had not been able to determine how the virus had infected their
software initially.

  Novell's customers include some of nation's largest corporations.
The software, called Netware, controls office networks ranging from
just two or three machines to a thousand systems.
  "Viruses are a challenge for the marketplace," said John Edwards,
director of marketing for Netware systems at Novell. "But we'll keep
up our vigilance. He said the virus had attacked a disk that contained
a help encyclopedia that the company had distributed to its customers.

Servers Said to Be Unaffected

  Computer viruses are small programs that are passed from computer to
computer by secretly attaching themselves to data files that are then
copied either by diskette or via a computer network. The programs can
be written to perform malicious tasks after infecting a new computer,
or do no more than copy themselves from machine to machine.
  In its letter to customers the company said that the Stoned 111
virus would not spread over computer networks to infect the file
servers that are the foundation of networks. File servers are special
computers with large disks that store and distribute data to a network
of desktop computers.
  The Stoned 111 virus works by attaching itself to a special area on
a floppy diskette and then copying itself into the computer's memory
to infect other diskettes.
  But Mr. McAfee said the program also copied itself to the hard disk
of a computer where it could occasionally disable a system. In this
case it is possible to lose data if the virus writes information over
the area where a special directory is stored.

  Mr. McAfee said that the Stoned 111 virus had first been reported in
Europe just three months ago. The new virus is representative of a
class of programs known as "stealth" viruses, because they mask their
location and are difficult to identify. Mr. McAfee speculated that
this was why the program had escaped detection by the company.

Steps Toward Detection

  Novell has been moving toward adding new technology to its software
to make it more difficult for viruses to invade it, Mr. Edwards said.
Recently, the company licensed special digital-signature software that
makes it difficult for viruses to spread undetected. Novell plans to
add this new technology to the next major release of its software, due
out at the end of 1992.

  In the past, courts have generally not held companies liable for damages in
cases where a third party is responsible, said Susan Nycum, a Palo Alto,
Calif., lawyer who is an expert on computer issues.  "If they have been prudent
it wouldn't be fair to hold them liable," she said. "But ultimately it may be a
question for a jury."

[Also noted by Werner Uhrig <>]

Has anybody ever been spoofed on the wide network?

George Michaelson <>
Fri, 20 Dec 91 11:16:44 +1100
In a mailing list for some X.400 s/w development, the `trustedness' of callers
into mail has been raised. There certainly seems to be a feeling that SMTP, in
not performing any 'application-level' checks like a password, or some of the
3rd party verification thingies like kerberos is left only with reverse-address
lookup to verify who and where the sender system really is.

X.400 provides for a password exchange between the communicating systems,
and also includes a 'turn around' mechanism that permits an inbound caller
to switch to being fed outbound queued material. SMTP provides an analogous
'TURN' command, but few of the current implementations support it. Thus X.400
developers are choosing to see this 'two way alternate' mode as a potential
security hole, and thus do not implement it.

I don't disagree that a potential hole does exist, but I am interested if
anybody in the wider community, especially the Internet and members of PTT
provided communities over X.25, is aware of EVER having been hit in
this way operationally, by somebody 'spoofing' another machines address
and thus forging (in some sense) who they are. I say operationally
since many of us at one time or another may have deliberately set a
machine to forge somebody elses IP or X.25 address, eg during an
extended downtime to provide coverage.

    X.25 switches are certainly capable of changing both sender and
    recipient addresses in processing packets

    IP routers can also do this sort of thing.

I do not belive that the 'wider community' has ever yet been hit by an
attack where a PTT provided service like X.25, let alone a distributed
and self-administered network like the Internet, permitted the sender to
mis-represent their network address. end-user identity, doubtless has been
compromised countless times. machine-address or network address, I am not
so sure has been abused in the wider network.

The holes are pretty obvious. On campus, nobody can really be trusted.
Off campus the best you know is the major network-number must be being
routed validly, and hence you know a general 'pool' of addresses the
real machine could be from.

In X.25, subaddressing can provide similar levels of networking, so you can
really only know who is sending the packets to a resolution that matches
the PTT billing policy!

I also believe the security risk is identical inbound and outbound:
classically people discussing this issue seem to assume 'you' opening a
call to 'them' is more trustworthy. I deny this, and say both are
equally risky.

I would love to see a general discussion of this, perhaps headers in
news need to be re-worked to a more appropriate newsgroup. However I
would also like to try and find out if on an operational network,
providing a service like e-mail using SMTP and related protocols, if
ANYBODY has been knowingly compromised in this way.

I will collate any replies e-mailed to me direct, respecting any
request for privacy. Simply being told such an attack HAS taken place
will be sufficient if you don't want to go into details.

George Michaelson, The Prentice Centre, University of Queensland
QLD Australia 4072                                +61 7 365 4079

Whole Earth Review Questions Technology

Tom White <well!>
Fri, 27 Dec 91 21:17:17 pst
Thanks for the invitation to let readers in the RISKS Forum learn about the
unique gathering of writers that Whole Earth Review has brought together to
question technology.

Avid online readers can access selected articles from Mead, Dialog and BRS.

            WHOLE EARTH REVIEW to Readers:
        Question Technology (while we still have the chance)

Sausalito, CA -- The Winter 1991 issue of WHOLE EARTH REVIEW, the "Access to
Tools" quarterly suppplement to the WHOLE EARTH CATALOG, questions the
political, economic, social and physical effects technology has on our lives.
WHOLE EARTH REVIEW also questions its fundamental assumption that providing
access to tools is a good and noble enterprise.

    Is technological innovation invariably beneficial?  Do we control new
technologies or do they control us?  Will books and libraries become obsolete?
These are some of the questions that authors in this special issue attempt to
answer.  Editor-in-Chief Howard Rheingold writes in the introduction: "Perhaps
our readers will be inspired to create new tools for thinking about tools."

    Among the authors showcased are Jerry Mander, whose book "In the
Absence of the Sacred" is excerpted at length in the lead article; Howard
Levine, former director of the National Science Foundation's Public
Understanding of Science Program; Langdon Winner, a political theorist and
author; Patricia Glass Schuman, president of the American Library Association
and of Neal-Schuman Publishers; Linda Garcia, a project director and senior
analyst at the Office of Technology Assessment; Gary T. Marx; Ivan Illich;
Amory and Hunter Lovins of the Rocky Mountain Institute.

    For the past two decades WHOLE EARTH REVIEW has provided its readers
"access to tools" -- practical information about technologies ranging from
manual post-hole diggers to virtual-computer systems.  Subscription price is
$27 for four issues, add $6 foreign.  No advertising accepted.

Copyright 1991, POINT.  Permission granted to redistribute freely.
Whole Earth Review, PO Box 38, Sausalito, CA 94966

CONTACT:  Tom White (415) 332-1716:

The Whole Earth is greater than the sum of its parts (Re: Jerry Mander)

"Peter G. Neumann" <>
Mon, 30 Dec 91 13:16:29 PST
Long ago I read an earlier counter-culture book by Jerry Mander, Four Arguments
for the Elimination of Television (Wm Morrow, NY 1978).  In PGN's book chapter
"Psychosocial Implications of Computer Software Development and Use: Zen and
the Art of Computing" (in Theory and Practice of Software Technology, D.
Ferrari, M. Bolognani, and J. Goguen (eds), North-Holland, 1983), I included
and discussed the following quote from that Mander book, which in retrospect
seems highly relevant to RISKS:

       Human beings no longer trust personal observation, even of the
       self-evident, until it is confirmed by scientific or technological
       institutions; human beings have lost insight into natural processes
       that are now exceedingly difficult to observe.

I also summarized Mander's enumeration of eight conditions for the flowering of
autocracy and the degeneration of human individuality (loc.cit.), which also
seem relevant here...

By the way, HAPPY NEW YEAR to all RISKS READERS.  I presume that in the coming
year we will see lots more of the same stuff that has concerned RISKS for the
past 6.5 years!  PGN

Please report problems with the web pages to the maintainer