The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 16

Friday 2 June 1995

Contents

o New Yorker Article on Potential Building Collapse: The 59-Story Crisis
Andy Huber
o ``Woodpeckers could delay shuttle''
o Ariane-5 test aborted
o Military (hi-res) GPS to be opened up?
Cris Pedregal Martin
o Bogus PKZIP 3.00 Trojan horse
Sidney Markowitz
o British man convicted as malicious virus writer
George Smith
o Internet Security -- Oxymoron or Actual Fact?
Edupage
o Pay-Phone Price Gouging
Mich Kabay
o Cellular Roaming broken
Bob Frankston
o Re: Microsoft plans corporate espionage
ASaunders
o MS SMS product, others pose risks
Mark Seecof
o Re: Prodigy held liable
Bob Morrell
o Re: "Nautilus foils wiretaps"
Adam Back
o Re: Ahperader
Paul Andrew Olson
o Re: Negative Ions
Winn Schwartau
o ABRIDGED Info on RISKS (comp.risks) [See other issues for full info]

New Yorker Article on Potential Building Collapse: The 59-Story Crisis

Andy Huber <arhuber@SEI.CMU.EDU>
Thu, 01 Jun 95 10:02:50 EDT

"If they built buildings they way we build software...."

There's a fascinating article in the current issue of The New Yorker ("The Fifty-Nine-Story Crisis", Joe Morgenstern, The New Yorker, vol. LXXI, no. 14, May 29, 1995, pp. 45-53) that should be of great interest to all with an interest in software engineering. It's the story of the discovery and patching of a design/implementation flaw in a 59-story building in New York City (the Citicorp Center) that had the potential to cause the building to collapse disastrously under high winds.

The parallels with software are uncanny, because the reasons the problem occurs are exactly the things that occur in so many software projects:

  1. An unusual or novel aspect to the problem. (Building around an existing structure, a church).
  2. A creative, innovative solution that required new design & analysis. (Putting the main support columns in the middle of each side of the building, rather than at the corners.)
  3. Not quite getting all the implications & analysis of the innovation right. (The reviewers of the design treated some special, new diagonal wind braces as trusses rather than columns, thereby disregarding a required standard and exempting them from a safety standard.)
  4. A critical change in the specification made by the contractor during construction to save time & money that was not reflected back to the designers and/or re-analyzed/reviewed for its impact that greatly weakened the design.
  5. A resulting flaw that would only show up in heavy load, and not under normal use/test.
Anyone interested in making software engineering a profession will also find the article of interest. Everyone involved exhibited a high degree of professionalism throughout the discovery, analysis, and fixing of the problem. (Even the lawyers!) Another amazing thing is that there's been little if any publicity of this before (at least to my knowledge; this is the first report I remember seeing). Part of that may be due to the fact there just happened to be a newspaper strike going on in New York City at the crucial time.)

WARNING: Do not start reading this until you have time to finish it; I found it a case of "can't put it down" reading.

[Note: I'm unable to always follow the risks forum closely, but haven't seen anything on this in there, either recently or in the past. It will certainly appeal to risks readers. Apologies if others have submitted this or it's been covered in the past & I just missed it, in which case simply hit the delete key. Might note also that if people find this interesting, an interesting book on similar things that I read a couple of years ago while doing some investigating on operating system reliability is: "Why Buildings Fall Down", by Matthys Levy & Mario Salvador, New York, W.W. Norton, 1992. One of the conclusions is that many buildings fail due to a lack of redundancy, which I find very interesting since very few operating systems (or software of any kind) has any kind of redundancy designed or built into it.]

Andy Huber Data General (919) 248-6072 huber@dg-rtp.dg.com


``Woodpeckers could delay shuttle''

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 2 Jun 95 10:11:54 PDT

Our risks-to-technology annals have another case of animal-kingdom behavior. For the past several days, yellow-shafted flicker woodpeckers have been chipping away at the insulating foam on the space shuttle Discovery's external fuel tank, causing at least 71 holes, from half-inch to four inches in diameter. [Source: AP item, San Francisco Chronicle, 1 June 1995, p. C2] [Poly(styrene?), wanna crack 'er? Oh for the old days of silent flickers.]


Ariane-5 test aborted

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 2 Jun 95 10:02:08 PDT

After the failure of the main cryogenic motor earlier in May resulted in the death of two technicians, another test on 30 May (in Cayenne, French Guiana) was aborted by the computer control system several seconds after ignition of the new European rocket. I suppose this case counts as a success story for computers, but a failure for the rocket motor. PGN [Source: A Reuters item, San Francisco Chronicle, 1 Jun 1995, p. A10.]


Military (hi-res) GPS to be opened up?

Cris Pedregal Martin <pedregal@ocean.cs.umass.edu>
Thu, 1 Jun 1995 11:48:21 -0400 (EDT)

On 31 May 1995, I heard a story about GPS on NPR-All Things Considered of interest to RISKS readers. Apologies for any omissions, I didn't take notes so the following is from memory.

A "blue-ribbon" panel just issued a report on whether to open all of the satellite-based Global Positioning System (GPS) to civilian use. As it works now, GPS transmits a low-resolution signal for civilian use, which has random errors added to it (resolution: about 100m), and an encrypted signal for military use that's much more precise. The civilian capability was made available worldwide after the KAL 007 downing over Soviet Airspace during the Reagan administration, and it is now widely used not just by ships and planes, but also by hikers and tourists (a palmtop GPS locator sells for about $300 in the US).

The panel concluded that the hi-res signal had to be opened to use by all. The military's objection is that enemies could use it to e.g. guide missiles (one of their own applications) to US targets. They're proposing that the error may be increased, or the system turned off altogether, at the discretion of the US President, in "time of war". Civilian aviation authorities aren't thrilled about using a system on which they don't have their "hand on the switch," as an official from the British aviation authority said.

The cat may already be out of the bag. FAA is testing a system that uses the civilian GPS on an aircraft in concert with a ground-based civilian GPS, through a radio link. Since the ground based GPS knows its coordinates, it can listen to the signal from satellites, figure the error, and inform its airborne partner. Precision is in the 1 meter range now, enough to put a plane on a glide path and land it in dense fog.

The various RISKs are left as an exercise to the reader.

Cris Pedregal Martin pedregal@cs.umass.edu
Computer Science Department UMass / Amherst, MA 01003-4610

[Also reported by Fred Ballard <72400.1525@compuserve.com>, who added ``As our dependence on GPS increases, so do the risks. It might be wise to check the international scene as well as the weather before flying or boating when GPS is being relied on.'' PGN]


Bogus PKZIP 3.00 Trojan horse

Sidney Markowitz <sidney@apple.com>
Fri, 2 Jun 1995 11:50:44 -0700

I saw the following notice on PKWARE's support forum on CompuServe and have more recently seen it forwarded via the COOL mailing list. The RISK involved is obvious, but I'm forwarding it in case any of RISK's readers still use DOS :-). For those who don't: PKZIP is a widely used file compression/archiving program that is sold as shareware. It's been at version 2.04G for quite a long time, so people would be quite likely to grab up a new version quickly.

sidney markowitz <sidney@apple.com>

Some joker out there is distributing a file called PKZ300B.EXE and PKZ300B.ZIP. This is NOT a version of PKZIP and will try to erase your harddrive if you use it. The most recent version is 2.04G. Please tell all your friends and favorite BBS stops about this hack.

Thank You.

Patrick Weeks Product Support PKWARE, Inc.


British man convicted as malicious virus writer

Crypt Newsletter <crypt@sun.soci.niu.edu>
Thu, 1 Jun 1995 18:38:49 -0500 (CDT)

Finally, after months of delay and postponement, a 26 year old unemployed computer programmer, Chris Pile, pleaded guilty Friday, May 26, to eleven charges related to computer virus writing. The case at Plymouth Crown Court was the first of its kind in British legal history since passage of the Computer Misuse Act in 1990.

Pile, known as the Black Baron, pleaded guilty to hacking into business computers and planting the computer viruses known as SMEG/Pathogen and SMEG/Queeg. The case followed an investigation by fraud squad officers and experts from Scotland Yard. The eleven charges stemmed from a period between October 1993 and April 1994 when the Black Baron obtained unauthorized access to computer programs and seeded them with viruses he'd written. He also pleaded guilty to one charge of inciting others to plant his viruses. Authorities state that tracing the viruses and repairing damage caused by them cost "well in excess of half a million pounds." Pile was released on bail and the trial adjourned for two months to allow the defence to prepare a pre-sentencing report.

Pile, a Devon man, wrote the SMEG viruses which quickly gained the attention of anti-virus developers worldwide in mid-1994. Due to publicity on the nets and in the computer underground, they were rapidly distributed around the Internet at approximated the same time Pile was arrested in connection with the charges on which he was tried.

Sentencing will probably depend upon the interpretation of Pile's intent to incite others to write viruses using his "SMEG" encryption kernel which was distributed internationally to virus exchange underground bulletin board systems in mid-1994. It is an arcane issue which calls for the examination and tracking of a computer archive containing a detailed technical "how-to" on installing Pile's "SMEG" virus encryption kernel into new viruses, the encryption software and a sample demonstration virus.

In 1993, another English virus writer, Stephen Kapp, was arrested in connection with telephone fraud charges. Kapp was known as the "President of ARCV," or ARCV virus writing group which stood for Association of Really Cruel Viruses.

It is worth noting that in 1992 at the height of the Michelangelo virus scare, few virus writers were easily identified. This is no longer the case. Due to the growth in computer networks and an increasing desire for underground network celebrity, many of the most prominent virus writers in the world live in plain sight.

Australia's Clinton Haines, a student at the University of Queensland, is responsible for writing and putting the Dudley and NoFrills computer viruses into the wild in his country. At various times since 1992, these viruses have infected SunCorp, a large Australian insurance firm; Australian Telecom and the Australian Taxation Office, which is similar to the IRS. Haines has been interviewed at length by the Australian newsmedia.

In America, James Gentile, a teenager living in San Diego, has written a number of viruses, all of which have emerged in the wild. His Satan Bug crashed US Secret Service networks in 1993. Since then another of his creations, known as Natas - Satan spelled backwards - has become one of the most common computer viruses in North America. It has been reported as far south in the hemisphere as Argentina.

George Smith crypt@sun.soci.niu.edu
On the World Wide Web: URL: http://www.soci.niu.edu:80/~crypt


Internet Security -- Oxymoron or Actual Fact? (Edupage 1 June 1995)

Edupage <info@ivory.educom.edu>
Thu, 1 Jun 1995 21:09:03 -0400

William Cheswick, a senior researcher at Bell Labs, thinks the Internet is risky business and "a bad neighborhood," in which "hackers can eavesdrop on the packet flow... It is past time for the deployment of encrypted sessions." But investment banker and consultant Ted Prince says: "What we have is a tiny number of hacker incidents that have been blown out of proportion by the tabloid technoliterati... You have more chance of getting your credit-card number stolen in a restaurant or on a phone in Grand Central Station than you do of having it stolen on the Internet." (Computerworld 5/29/95 p.96)

[Perhaps Prince is correct at the moment, but Cheswick seems to be thinking further ahead. Someday <your> Prince will come <around>. PGN]


Pay-Phone Price Gouging

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
30 May 95 14:47:14 EDT

From the Associated Press news wire via CompuServe's Executive News Service:

Pricey Pay Phones,, By JEANNINE AVERSA, Associated Press Writer

WASHINGTON (AP, 29 May 1995) -- Between appointments, Mary Viar dashed to a pay phone in Hagerstown, Md., to wish her daughter in Pittsburgh a happy birthday. A week later, she got the bill: $21.39 for her 22-minute call. For the same amount, she could have called Paris and talked for half an hour.

Key points:

In a related article, the author included the following information:

If you believe you have been unfairly charged for a long-distance call, you can file a complaint to the FCC, which oversees interstate service. For local calls, contact the state's public utility commission, which oversees local phone service. You may also want to send a letter to the state attorney general, many of whom have raised concerns about rate gouging.

Complaints may be sent to the Federal Communications Commission, Enforcement Division, 2025 M Street, N.W., Washington, D.C., 20554. Additional information also can be obtained by calling the FCC at 202-418-0190.

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)


Cellular Roaming broken

<Bob_Frankston@frankston.com>
Tue, 23 May 1995 22:50 -0400

Last week I was trying to use my cellular phone in Seattle. I couldn't get it to work because it is a Boston based phone and the Boston database was being upgraded last week and, basically, got screwed up. I didn't now about this till Thursday evening but apparently it was a week long problem according to the Boston Cellular One. The Seattle people said that they couldn't do anything about it. The first time I called customer support the suggested solution was to power off and try again in a little while since they were clueless as to the cause of the problem. Later I spoke to someone who was more familiar yet was still unable to help.

Perhaps no one really roams on these phones, but one would think a major outage like this would get more attention and be taken more seriously. But then, the reality of the cellular network is that it is not a reliable service. Before automatic roaming you'd have to register locally but that was only available on a 9 to 5 basis.

Perhaps this is a nonrisk. By not providing a really reliable service, people are not going to be overly dependent upon the network. Actually, they will be dependent upon it for emergency services until the first emergency ...


re: Microsoft plans corporate espionage

<ASaunders@aol.com>
Wed, 24 May 1995 15:02:16 -0400

cnorloff@tecnet1.jcte.jcs.mil writes:

" Microsoft officials confirm that beta versions of Windows 95 include a small viral routine called Registration Wizard. ...

Unfortunately Information Week got it wrong. The registration wizard is nothing more than an electronic version of the ordinary reg card that ships with every software product today. Its use is optional, it does not interrogate every PC on a network, and the user chooses what information will be transmitted.

I have enclosed a copy of a response we wrote on this, which you can get from ftp.microsoft.com/peropsys/win_news/regwiz.txt if you wish.

Alec Saunders, Microsoft Corporation, alecs@microsoft.com

--

A recent trade publication article contained inaccuracies regarding the purpose and operation of the Registration Wizard, the on-line registration application in Windows 95. The purpose of the Registration Wizard is to offer an electronic version of the paper-based Registration Card that traditionally comes with all Microsoft products. The Registration Wizard asks for similar information to that listed in the paper-based registration card, such as your hardware configuration and applications usage. Just like with a traditional registration card, providing this information is optional. A customer using the Registration Wizard receives dialog prompts asking them whether they would like to send this information. They must actively click 'send' for any information to be sent.

There are lots of benefits to customers that provide this information - such as product update mailings and improved product support because the product support engineer can refer to your exact system configuration information on-line. In the end, though, sending this information is optional and a conscious decision by the user.

Microsoft traditionally does not make information gathered during the registration process available to third-parties. If the customer chooses to send system and software information to Microsoft with the Registration Wizard, it is a one-way, one-time occurrence and takes place at the time the customer selects 'send.'


MS SMS product, others pose risks

Mark Seecof <marks@news.latimes.com>
Fri, 26 May 1995 16:45:33 -0700

The June 5 Information Week has a big product review story about network- distributed PC management products which using software on PC's and on servers to let administrators inventory PC contents, update PC files, distribute software, monitor usage, and so-on and so-forth. Two of the products, including most notably Microsoft's SMS, will put any PC into promiscuous mode to sniff packets from the LAN's to which it may be attached and forward the data to another machine for analysis.

I feel disappointed that the story doesn't even mention the possibility that these products may pose security risks. Three such occur to me instantly: that people can place bad data onto PC's using the distribution facilities; that people can retrieve confidential data from PC's using the inspection and monitoring facilities; and that people can steal confidential data from the network using the remote packet sniffing facilities. I'm sure there are many more problems. Not only does the story ignore risks, but consequently it does not mention or rate any product features which might mitigate such risks (e.g., schemes by which PC's could authenticate purported management server commands before responding to them).

Doesn't anyone out there in the software business give a hoot about these issues?

Mark Seecof <marks@latimes.com>


Re: Prodigy held liable

Bob Morrell <bmorrell@isnet.is.wfu.edu>
Fri, 2 Jun 1995 11:25:32 -0400 (EDT)

So, let me get this straight: Prodigy, by exercising even a modicum of control is completely liable for whatever appears, while other forums, which allow anything, no matter how vile, outrageous and slanderous, get off scott free.

I know I should never be surprised at stupidity, but it does appear they are encouraging exactly the behavior that the laws are meant to discourage.

Bob Morrell bmorrell@isnet.is.wfu.edu

[It also bodes ill for even the most carefully moderated newsgroups! PGN]


Re: "Nautilus foils wiretaps" (Vincent, RISKS-17.13)

<aba@atlas.ex.ac.uk>
Sun, 21 May 95 17:53:44 +0100

Malcolm Vincent from a UK email address writes:
> [...] but I do have an account on a FreeNet site in the US which for
> the moment will remain nameless. Now really, what is to prevent me
> downloading nautilus to my free-net and from thence to home.

It may not even be necessary to have a US based account. The mechanism used is to do a DNS name lookup on your IP number. However there are plenty of non-US sites with DNS names which look American (end in .com for instance). Some of the sites have weaker checks, merely requiring you to agree by virtue of downloading that you are a US citizen.

There are plenty of routes whereby crypto software can leave the US with very low risk of detection. Consider, for instance, that the software could be encrypted with PGP, and mailed through a chain of encrypting anonymous remailers. In fact something of this nature must already have happened for it is available for ftp in the UK from Oxford University:

ftp://ftp.ox.ac.uk/pub/crypto/misc/nautilus-0.9.0.tar.gz

Also, ITAR only clearly holds if you are a US citizen, currently living in the US. I don't believe this situation (ftp from outside the US of US export controlled software) has ever been explored in court, but it is not immediately obvious that a US law which makes an action illegal in the US could be held to apply outside the US. Particularly as the physical jurisdiction in question does not have a similar law.

The whole question rests on the legal interpretation of the action of ftping a file, which jurisdiction is ftp initiator considered to be in. A non-computer based example which could be used as a metaphor: obtaining information from a foreigner on the phone. Say that a US citizen had made a phone call to the former Soviet Union and had requested KGB classified information, information which was freely available in the US, would the US person have committed an offense on Russian soil and hence expect to be extradited? The telephone example is very similar to the modern computerised example, ftp is merely an automated information retrieval system.

Another somewhat related risk, is people outside the US posting crypto code to USENET, for instance my sig file below implements RSA encryption in 3 lines of perl. If you are not familiar with encryption schemes, RSA is one of the most secure public key encryption schemes, and is the one used in PGP. It is also very firmly on the ITAR export control list.

Information on the sig is at:

http://dcs.ex.ac.uk/~aba/rsa/

Some US folks are printing a T-shirt with this code on it, in honour of ITAR, to produce an export controlled "munitions" T-shirt. Also on the web page is postscript for a 1x4" mailing label with the code as handed out by New York lawyer Duncan Frissell at Computers, Freedom and Privacy '95 - for an export-controlled mailing label. A picture of one of these labels was printed on the front page of the business section of the New York Times (April 10th).

[As I recall, the left margins were (intentionally?) fuzzied. PGN]

In using this sig, there is the risk that news distribution paths cross the US borders a few times on the way, does this constitute "export"? What about a mailing list, members will receive copies via the US list server. Some unsuspecting US usenet reader might quote the sig by accident.

Living in the UK, I feel fairly confident of the safety, and legality of using my sig, but what about larger programs posted by those outside the US. I mean if a non-US citizen living outside the US were to fetch nautilus from the Oxford ftp site and post it (speaking hypothetically here of course) uuencoded to sci.crypt, would that person be in trouble? I am not sure that this would be a good idea, but it is an interesting question from a legal point of view. But the perl rsa implementation is okay at 3 lines? The question arises about where the cut off point is: 10 lines, 1000?

Adam Back >aba@dcs.ex.ac.uk>

HAVE *YOU* EXPORTED A CRYPTO SYSTEM TODAY? --> http://dcs.ex.ac.uk/~aba/rsa/ --rsa--------------------------------8<------------------------------------- #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXX **CENSORED** - export controlled software XXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


re: Ahperader

Paul Andrew Olson <PAOlson@DOCKMASTER.NCSC.MIL>
Thu, 1 Jun 95 13:25 EDT

This reminds me of something a colleague told me a few years ago, when her employer first installed voice mail. Mysteriously, the system would often prevent her from leaving messages. After the beep, she would start leaving a message, and then at some point (usually near when she was almost finished) it would cut her off, saying "That is not a valid code, please re-enter your message", for no apparent reason. Naturally, this drove her up the wall. It did not behave this way for anyone else.

It turns out that since her voice is pitched relatively high, the voice mail system mistook her voice for one of the phone number tones. I guess it wasn't zero or one, or she would have gotten further instructions. Last I heard, she started leaving messages with her best James Earl Jones-impression, and that worked. I don't know if the problem was ever fixed. Again, the RISK is assuming certain things about the human voice.


Re: Negative Ions

<winn@Infowar.Com>
Thu, 1 Jun 1995 14:04:41 -0400

This talk about positive and negative ions is really nothing new. If you go through the literature, especially the medical literature of the 60's and 70's on the subject, early research suggested (perhaps empirically in some cases) that negatively ionized environment promote health, accelerated healing, and an overall sense of well being.

I have had negative ion generators at home for years, but never too near computers because `crashes' became too common. In the late 70's and early 80's, companies were attempting to market humongous negative ion generators for use in the air conditioning systems of new buildings to neutralize the `positive ion effects of computer equipment.'

I've not yet seen a study of whether wholesale ionization of air-conditioned buildings with no ventilation is a justified investment or not; some have claimed that increased worker productivity and fewer sick days were an immediate benefit.

But that assumes the computers still work.

I'd like to see more of the recent work on the subject, as my file cabinets full of these files are `antique' - more than 15 years old.

Winn Schwartau Interpact, Inc., Information Security & Warfare
V:813.393.6600 F:813.393.6361 Winn@Infowar.Com

Please report problems with the web pages to the maintainer

Top