The RISKS Digest
Volume 4 Issue 89

Sunday, 24th May 1987

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Factory Robots Killing Humans, Japan Reports
o Mysterious BART power outage
o More on the Master Password attack
o Measures, countermeasures, and under-the-countermeasures
o Phalanx
Scott Dorsey
Henry Spencer
o rhosts
Anthony A. Datri
o Computer Bill of Rights
Eugene Miya
o Credit Information Access
Ron Heiby
o Open meeting laws
Jonathan Handel
o Privacy and Email - The Law Takes Notice
Jerry Leichter
o Info on RISKS (comp.risks)

Factory Robots Killing Humans, Japan Reports

Peter G. Neumann <Neumann@CSL.SRI.COM>
Fri 22 May 87 17:18:46-PDT
A series of mysterious deaths in which industrial robots suddenly attacked
and killed humans is being investigated in Japan, news reports said
yesterday.  Ten people have been killed by robots in the last eight years.
In four cases, operating errors were blamed.  In the other accidents, the
robots suddenly started working for unexplained reasons, according to
reports.  Witnesses listed a number of cases in which the robot suddenly
stretched out its mechanical arms, killing its victim.  Experts plan to test
a theory that electromagnetic waves in factories have been responsible for
setting off the sensitive computer mechanisms in the robots.

SF Chronicle 22 May 87, from Deutsche Presse-Agentur.

         [We had previously documented the 1981 Kawasaki case, and noted
         reports of at least four more (and possibly as many as 19) 
         robot-related deaths.  If we have any readers in the far East who
         can tell us what is really happening, please ...  PGN]

Mysterious BART power outage

Peter G. Neumann <Neumann@CSL.SRI.COM>
Sun 24 May 87 11:24:24-PDT
The San Francisco Bay Area Rapid Transit had an unexplained power failure on
17 May 1987, unprecedented in their 15-year history.  17 switches (which act
like breakers and shut off power when a short circuit or overload occurs)
kicked open in the rush to get runners to the Bay-to-Breakers race (no pun
intended), with still no cause having been identified.  A train stalled in a
tunnel beneath 7th Street in Oakland, and 150 passengers had to walk for 20
minutes to get out.  Engineers were unable to restore power in the
computer-controlled system.  5 hours later the switches suddenly closed
again, just as mysteriously as they had opened.

More on the Master Password attack

Peter G. Neumann <Neumann@CSL.SRI.COM>
Fri 22 May 87 09:56:13-PDT
I received a message questioning my apparent coyness in not divulging the
name of a system that had a reported serious flaw.  In general I always try
to opt for openness, except when I am explicitly not at liberty to divulge
something.  In the case of the master password bug, it was found long ago in
UNIX Version 6 by some colleagues who never disclosed it.  The published
version that just appeared, and to which I referred, chose not to associate
the name of the system with the story.  Here are the details.

[Following is my own adaptation of Young and McHugh's presentation, with
notation changed to avoid an amazing quadruple overloading of the letter
"c"..., and triple overloading of "a" and "b".  PGN]

     "Constructive" Password Attack: Master-password-generation algorithm 
 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = 
Young and McHugh (Coding for a Believable Specification to Implementation
Mapping), pp. 141-142, Proc. IEEE Symp. Security and  Privacy, April 1987.

      Data structure
 = = = = = = = = = = = = = = =
a. User login name
b. User typed password
c. Stored encrypted password
d. Encrypted typed password

The Password Checking Algorithm
 = = = = = = = = = = = = = = = = 
1. User typed login name --> a.
2. Stored encrypted PW --> c. 
3. User typed password --> b.
4. Encrypt user typed PW --> d.
5. Compare c and d.

Step 1.     3.       2.       4.

  Login | Typed | Stored | Encryp
  Name  | PW    | Encryp | Typed 
        |       | PW     | PW    
= = = = = = = = = = = = = = = = =
| a     | b     | c      | d    |
= = = = = = = = = = = = = = = = =
Step 5 compares c and d.    

The Master Password Attack
= = = = = = = = = = = = = = = = =
Choose any string, "rst"
Encrypt it, obtaining "xyz"
Enter ANY legitimate user name.
Type password "rstxyz"

The Password Algorithm Overwhelmed
      |  a   | b | c | d |
    1.|Name  |   |   |   |
    2.|Name  |   |uvw|   |
    3.|Name  |rst|xyz|   |
    4.|Name  |rst|xyz|xyz|

    5.            xyz=xyz

The design was more or less sound sound (apart from the intrinsic password
problems that we have been discussing in RISKS).  However, the
implementation was seriously flawed by the absence of bounds checking.
Thanks to Young and McHugh for publishing this one.

Measures, countermeasures, and under-the-counter-measures

Peter G. Neumann <Neumann@CSL.SRI.COM>
Sat 23 May 87 11:50:31-PDT
On page 9 of the SF Chron, 23 May 87, there is a small item on the Speaker
of the Iranian Parliament.  He claimed that the Iranians electronically
countermanded the missiles (an Exocet [which did not explode] and the other
still unidentified missile, possibly an AS-30 laser-guided missile) AWAY
FROM one of their tankers.  If that is true, would the Iraqis have realized
what happened? (Were any countermeasure devices included in the arms sales
to the Iranis?)

Reports persist (with an official denial) that computer systems on the Stark
had not been working, and that they were waiting for spare parts.
Investigation continues.

Phalanx (RISKS 4.88)

Scott Dorsey <kludge@gitpyr>
Fri, 22 May 87 13:07:50 edt
  >What does appear to be wrong is that there was only one, to cover the
  >stern of the ship. The bow was not protected by a Phalanx system and
  >that is where the (two?) Exocet missiles hit. 

   The standard configuration on guided missile carriers (I regret to say
that I have not seen a frigate with the things yet), is to have one port,
one starboard, about 2/3 of the way from the stern.  This way, the bow
is well protected.  The Phalanx is a very short-range system, which is to
be used only if everything else fails and the long-range defenses are
penetrated.  The system was not designed to be rapidly armed.  It is expected
that the long-range defenses will be able to hold off fire until the
Phalanx is available.

  >... frigates are not really expected to provide their own air defense.
  >And this one was operating under the assumption that Iraq aircraft were
  >friendly, so it did not shoot down the aircraft when it could have.

    If you shoot at friendly aircraft, they will cease to be friendly.
If you don't shoot them, you have to trust them.  And sometimes trust is
not always justified.  The risks involved here are not if you can trust
your own systems, but if you can trust your allies' systems.

Scott Dorsey   Kaptain_Kludge
ICS Programming Lab (Where old terminals go to die),  Rich 110,
    Georgia Institute of Technology, Box 36681, Atlanta, Georgia 30332

     [Once again, you can't shoot down everything that flies near you.
     But you can try to shoot down missiles.  One report in this morning's
     paper noted that the Phalanx gets aout 8 out of 10...  PGN]

Re: Phalanx

Sat, 23 May 87 22:18:25 edt
> If the defense weapons were not reliable enough to keep on all of the time...

There are actually a couple of issues here.  One is the question of wear and
tear on continuously-operating mechanical hardware (the Phalanx radar is
mechanically scanned, I believe).  More significantly, though, *any* such
defensive system has some small probability of shooting down a friendly
aircraft.  Note that this problem is *not* restricted to automated systems!
Experienced combat pilots tend to consider "friendly" gunners to be almost as
big a threat as "hostile" ones, with good reason.  "Own goal" hits are common 
in real fighting; there were several in the Falklands War, on both sides.

One reason for having different levels of alert is simply to minimize the
chances of shooting down the wrong thing at a time when there is little real
danger.  The problem is particularly touchy when operating in a known war zone
with the intent of remaining uninvolved.
                              Henry Spencer @ U of Toronto Zoology

Computer Bill of Rights

Eugene Miya <>
Fri, 22 May 87 11:26:20 PDT
I recall 20 years ago (not that I was doing computers then) someone wrote a
computer Bill of Rights (for people).  Could anyone send me a copy of that?
If need be, I will make the document ftp'able on one of our machines here.

--eugene miya, NASA Ames

Credit Information Access

22 May 87 14:51:32 CDT (Fri)
The following appeared on page 48 of the May 18, 1987 issue of Insight
magazine.  It seems relevant to many issues discussed recently.

            Credit Report Access

Car loans, mortgages and credit card applications are approved based on
information found in an individual's credit history, but most consumers have
never seen their computerized credit profile.  Now consumers can get the
same easy access to their credit report that banks and other lenders have
had for years.

TRW Inc., one of the nation's largest credit reporting agencies with files
on some 140 million people, is launching Credentials, the first credit and
financial information service sold directly to consumers.  For an annual fee
of $35, a member gets unlimited access to the credit report supplied to
lenders, notification when any lender reads the file and a credit
application that is kept on file and can be electronically sent to lenders
with the member's consent.

More than 250,000 became members last year during a pilot program in
California.  The service is now expanding nationwide.

"Credentials offers consumers greater control over their credit profiles
by ensuring their accuracy." says Mel Wellerstein, a vice president at TRW.
"Furthermore, with full knowledge of their credit history, consumers are
less likely to be taken advantage of or be intimidated by lenders."

Ron Heiby, heiby@mcdchg.UUCP    Moderator: comp.newprod & comp.unix
Motorola Microcomputer Division (MCD), Schaumburg, IL

Open meeting laws

Fri, 22 May 87 20:01 EST
    Subject: Open meeting laws (RISKS 4.87)

    Do open meeting laws prevent public representatives from
    conversing in a bar or a park or at a theatre?  Do they
    prevent telephone calls?  If not, why should they prevent
    electronic mail conversations?         Dave

I'm the chair of the Cambridge Human Rights Commission, a local agency that
is covered by the Massachusetts open meeting law.  That law applies to
deliberate meetings of a quorum of members for the purpose of taking actions, 
or discussing actions that the board or commission might take.  Any such
meetings must be public and announced in advance, minutes must be taken, etc.

With such a law, a phone call or meeting in a bar is okay, so long as
there's not a quorum present, or if the meeting was by chance, or serves a
social function (rather than the discussion of business).

On the other hand, a computer conferencing system or e-mail, like a
conference telephone call or meeting in a bar, is not okay if used for
discussions and negotiations among the members of the commission or board,
at least not if a quorum of members participate.  So the legal advice given
by the Gresham City Attorney seems sound to me, assuming the Oregon law is
similar to ours.

Roughly speaking, it might be okay to use e-mail or computer conferencing
the way you'd use a postal (USPS) mailing list:  to send out information
unidirectionally.  But using it for two-way, back-and-forth interaction is
using it as a substitute for a meeting, and that's precisely what's
disallowed, because the public doesn't have access.  (Even if the computer
system were open to the public, you'd be on shaky ground, because most
people don't own modems or know how to use e-mail.  They'd have as much
"access" as if the meeting were held a thousand miles away.)

From a techno standpoint, that's too bad; computer conferencing has some
advantages over meetings (among them, potentially, the existence of a
written record).  But it's good public policy.  As it is, people have
difficulty understanding and participating in their government; apathy,
bureaucracy, bad public transportation, and the grinding difficulty of
9-to-5 existence are among the culprits.  Let's not add computers to the
list until we have systems that are truly accessible to lay people from all
walks of life.
                                -Jonathan Handel

PS:  I'm not an attorney, so my reasoning is certainly far from definitive.
Also, I don't have a copy of the Mass. law in front of me, so this is based
on my best recollections.  And of course, open meeting laws vary by state,
so the issues will vary by state as well.

                 [Bruce Baker wondered how I could have avoided making a pun
                 on Gresham's Law in RISKS-4.88.  I thought this issue was
                 more like Gresham Slaw, carrying Coles to New Facile.  In
                 this case, the bad votes drive out the good?  PGN]

Privacy and Email - The Law Takes Notice

22 MAY 1987 12:52:33 EST
(Forwarded (ultimately) from a UDEL NEWS bboard.)           Jerry

    This is a copy of a letter published in MIT Tech Talk. Anyone who
did not read that memo should look read it. Be sure to note that
operators of electronic communication systems now have legal
responsibilities for the privacy of data. 


To:         The MIT Community
From:       James D.Bruce, Vice President for Information Systems
Re:         The Electronic Communications Privacy Act

    The Electronic Communications Privacy Act of 1986 was enacted by
the United States Congress in October of last year to protect the
privacy of users of wire and electronic communications.

    Legal counsel has advised MIT that its computer network and the
files stored on its computers are covered by the law's provisions.
Specifically, individuals who access electronic files without
appropriate authorization could find themselves subject to criminal
penalties under this new law.

    At this time, we can only make broad generalizations about the
impact of the Act on MIT's computing environment.  Its actual scope
will develop as federal actions are brought against individuals who
are charged with inappropriate access to electronic mail and other
electronic files.

    It is clear, however, that under the Act, an individual who,
without authorization, accesses an electronic mail queue is liable and
may be subject to a fine of $5,000 and up to six months in prison, if
charged and convicted.  Penalties are higher if the objective is
malicious destruction or damage of information, or private gain.

    The law also bars unauthorized disclosure of information within an
electronic mail system by the provider of the service.  This bars MIT
(and other providers) from disclosing information from an individual's
electronic data files without authorization from the individual.

    MIT students and staff should be aware that it is against
Institute policy and federal law to access the private files of others
without authorization.  MIT employees should also note that they are
personally liable under the Act if they exceed their authorization to
access electronic files.


Anthony A. Datri <>
Fri, 22 May 87 10:33:05 edt
I believe that a year or two ago someone did indeed use rhosts files to cause
a lot of trouble at berkeley.  Here at CMU we're in the middle of developing
a terribly trendy distributed system of sun2/3's, uvaxes, and ibm rt's (ugh).
The problems of console access have been causing major headaches, to the
point where there now exists an authentication scheme that I admit that I
don't understand.   
                        anthony a datri, carnegie-mellon univer$ity

Please report problems with the web pages to the maintainer