Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
<LEICHTER@VENUS.YCC.YALE.EDU>
Subject: Sometimes doing nothing is doing something
Forwarded from INFO-VAX. — Jerry
Date: Wed, 10 Feb 88 18:43:53 PST
From: carl@CitHex.Caltech.Edu
Subject: The Chaos Computer Club's Trojan Horse threat was apparently successful
To: info-vax@CitHex.Caltech.Edu
A week or so ago, the Chaos Computer Club of West Berlin announced that they
were going to trigger trojan horses they'd previously planted on various
computers in the Space Physics Analysis Network. Presumably, the reason for
triggering the trojan horses was to throw the network into disarray; if so,
the threat has, unfortunately, with the help of numerous fifth-columnists
within SPAN, succeeded. Before anybody within SPAN replies by saying
something to the effect of "Nonsense, they didn't succeed in triggering any
trojan horses", let me emphasize that I said the THREAT succeeded. That's
right, for the last week SPAN hasn't been functioning very well as a network.
All to many of the machines in it have cut off network communications (or at
least lost much of their connectivity), specifically in order to avoid the
possibility that the trojan horses would be triggered (the fifth-columnists to
whom I referred above are those system and network managers who were thrown
into panic by the threat). I find this rather amazing (not to mention
appalling) for a number of reasons:
1) By reducing networking activities, SPAN demonstrated that the CCC DOES
have the power to disrupt the network (even if there aren't really any
trojan horses out there);
2) Since the break-ins that would have permitted the installation of
trojan horses, there have been a VMS release (v4.6) that entails
replacement of ALL DEC-supplied images (well, not quite: some layered
products didn't have to be reinstalled; however, there have been new
versions of many layered products since the break-ins). Installation
of the new version of VMS provided a perfect opportunity to purge
one's system of any trojan horses.
3) In addition to giving CCC's claims credibility, SPAN's response to the
threat seems a bit foolish since it leaves open the question "What
happens if the CCC activates trojan horses without first holding a
press conference?".
Hiding from the problem doesn't help in any way that I can see; it merely
makes SPAN (and NASA) look foolish.
Disclaimer: The opinions expressed above are my own, and not necessarily
those of my employers. The opinion of one of my bosses is (at
least in part) that he'd like to regain access to some of the
databases that SPAN's managers have isolated in their panic.
Here is some more info on the Compuserve Mac-virus (see RISKS-6.22).
(From the Chicago Tribune, without their permission of course)
Chicago Tribune, Sunday 14 Feb. 1988, Section 7, Page 8
"Virus gimmick is 'vandalism, pure and simple'"
by Daniel Brogan
"By now you've probably read a thing or two about computer viruses. Every-
one seems to be talking about them. [explanation deleted]
The matter of computer viruses is a matter of heated debate in computer
circles. Some fear [the obvious]. Others see [it as an urban legend born
of science fiction and societal technophobia].
I was inclined to side with the latter group. [This guy's a reporter??]
Every virus report I investigated seemed to have taken place in some
foreign country or was attributed to a friend of a friend.
Then I ran into a real honest-to-goodness virus. [more stuff we already
know]
As it turned out the virus was pretty tame. On March 2, the user would
be greeted with the following message:
"RICHARD BRANDOW, publisher of MacMag, and its entire staff would
like to take this opportunity to convey their UNIVERSAL MESSAGE
OF PEACE to all Macintosh users around the world."
After displaying the message, the virus would quietly delete itself without
disturbing any other data. At least 40 subscribers downloaded the virus
from Compuserve. The stack was also spotted on SEVERAL other commercial
databases.
I called Brandow, who readily accepted responsibility for the virus. [Here
comes the bilge...] 'Actually, we like to call it a message,' he told me.
'We look at is a something that's really positive.' MacMag is a Canadian
monthly with a circulation of about 40,000.
Brandow began toying with the idea of his message about 2 years ago, toyed
with various distribution schemes, settled on a virus and HIRED A PROGRAMMER!!
(March 2 was chosen to commemorate the 1st birthday of the Mac II.
He then infected 2 Macs at MacMag for 2 days in December. Already, he
says the virus has been sighted throughout Europe. 'People there are reacting
to it like a new form of art. They think it's a nifty form of communication.'
[Brogan's opinion deleted] Brandow says, 'I really think it's a difference
of philosophy. People here in Canada and over in Europe see this for what
it is, a message of peace. It's you people in the United States who see
it as something dark and nasty.' [Henry, are we really that paranoid down
here?]
Neil Shapiro, Compuserve's Macintosh forum admin worries that 'MacMag has
opened here a Pandora's Box of problems which will haunt our community
for years.'"
[beg.flame]
Who the hell does this clown think he is?? How could he possibly get to the
position in life to publish his own magazine and be unable to think through
the logical, INEVITABLE implications of his actions?? American's are just
paranoid?? Oh sure, there have never been ANY Canadian crackers, the Chaos
Computer Club [Europe], the IBM Christmas card [W.Germany] and the Israeli
virus are just campfire fictions. And what about the little American
computer geek who at THIS VERY MINUTE is probably altering the DNA inside
Brandow's message to do nasty things? Mac users ARE particularly bad about
software hygiene,(I used to be, untill I subscribed to Risks...) and there
ARE a lot of people who use Macs for REAL WORK. I assert that some of these
people bought Macs because they don't like what IBM stands for, believe in
"the little guy" because they are too, are undercapitalized and could be
seriously screwed if one of their employees loads a sick disc. Some of
these people are going to learn a painfully expen$ive le$$on because of
Brandow. I know that someone out west uses Macs for Cray terminals...the
mind boggles.
Since Brandow lives in Canada and not here in Chicago, I can't get Vito,
the alderman's nephew, to break his knees; I don't s'pose he lives in
Toronto ;-> ...
I therefore propose economic response. The liquidation of Brandow's business
will probably be insufficient to cover the losses which will eventually
be suffered by the Macuser community (and it wouldn't help anyway) but it
might make an impression.
[end.flame]
I also have an opinion about his method of spreading the virus, which may
or may not have been discussed here previously. Most of my old risks issues
are archived on tape, the robot's slow, and I don't have a quota THAT big
anyway...I'll do my homework and maybe post something on the subject later.
Max Monningh, Fermi National Accelerator Laboratory, Box 500, MS-355 Batavia,
IL 60510 MAXWELL@FNALB.BITNET SPAN/HEPnet: 43011MAXWELL
The idea of using a virus as a copy protection mechanism is very scary. Here are a couple of ideas for people to try to use to convince companies not to try this. (1) Suppose a virus from a stolen system finds its way into someone else's computer, who had no knowledge or involvement with the piracy. The person who buys software ussually has a contract protecting the company from liability, but I cannot see the company escaping legal liability to a third party who is damaged by software doing what they intended it to do. If this happened to me I would certainly sue the company for everything it had. Consider, for example, that you are liable for injuries to a burgler who is hurt by a trap inside your home. (2) Protection schemes can fire incorrectly. Consider a *legitimate* owner of a piece of software who runs it from an *old* disk. A little bit of bit-rot and all of a sudded the program thinks it is stolen... (3) Another example, that has happened to me. I am a *legitimate* owner of a copy-protected macintosh game program. I have used it quite happily on my 512K Macintosh. My "licence" allows me to run it on any single machine etc., so I tried using the original master disk on a Macintosh SE. This wa perfectly legitimate, but the slightly differences in the machines was enough to set off their copy protection scheme. Since the game runs, but cheats, when this happens it took me quite a while to be sure of what was happening. The basic point is that software cannot reliably detect that is has been illegitimately copied.
> This message was not a legitimate one. It was developed as part of
> a test program by a staff member, whose sense of humor was somewhat
> misplaced, and it was inadvertently inserted in that day's statement...
Note an analogy to the "no jokes please" signs at airport security-screening
stations: there are times and places which are just too sensitive for
certain types of humor. Putting an "EXPLOSIVES" sticker on your friend's
suitcase, however appropriate it might be as a joke in the right situation,
is defensible only if you take precautions to be SURE it gets removed before
he tries to go through airport security. Good intentions are not enough;
redundant precautions are in order, in case something goes wrong.
Henry Spencer @ U of Toronto Zoology {allegra,ihnp4,decvax,pyramid}!utzoo!henry
[John Markoff told me today that Wells Fargo still does not know who
is responsible. By the way, despite my choice of SUBJECT: line, I have no
inside information that would lead me to believe it was an intentional
Trojan horse rather than an accidental leakage. But that is certainly a
possibility under th circumstances! PGN]
In Risks Digest 6.26, Prentiss Riddle (riddle@woton.UUCP) mentions a wire service report about computer pornography. We've had firsthand experience in the "dangers" of computer pornography here at MIT's Project Athena computer system in the past few weeks.... About a month ago, an employee of Project Athena (who is also an MIT student) created a directory entitled "xpix" which contained all kind of graphic files, most of which were either digitized or scanned from pictures. These files had been circulating around Athena in many different users' subdirectories for some time, and the student who organized them all was simply trying to conserve space and make them easier to access. Also included in the xpix directory was a program to place any of the pictures in the directory into the background of a workstation (Athena workstations are multiple-window environments with a background which is normally gray.). Included in the xpix directory were two subdirectories entitled "boys" and "girls;" I am sure you can imagine what kinds of graphics they contained. After the xpix directories had existed for about a week, the director of Project Athena announced that complaints about the boys and girls directories had been made by a dean; the dean had said that she had received complaints from students. The xpix directory was soon thereafter made totally inaccessible to Athena users. Approximately a week later, the xpix directory was restored, but the boys and girls directories are no longer readable. A few observations: First of all, is what Athena did legitimate? They claimed that since the xpix directory was an independent filesystem and was not a part of any user's home directory, Athena was "supporting" it by allowing it to exist. Since Athena did not want to "support" pornography, they could not allow the offensive [to some people] directories to remain world-readable. Basically, what they are saying is that if any user decides to take all of the offensive pictures (if he can get access to them) and place them into his home directory and make them world-readable, there is nothing Athena can do to stop him. Second, the student who created xpix estimates that while the girls and boys directories were taking up 4 or meg before they were segregated, the many copies of the pictures which have been obtained by whatever means since the directories were cut off are now taking up about 50 meg of system space. Was it really worth it for Athena to install the directory protections if there are ways to get around them and the net result is less efficient use of system resources? What are the possible implications of Project Athena's decision? Can the administration of a supposedly user-privacy-secure system censor the material that is made accessible on it? Is the presence of a filesystem on a machine evidence that the administration "supports" the contents of the filesystem? Jonathan Kamens, MIT '91
Several cases have been reported here recently in which calls from cellular telephones to the 911 emergency number have been seriously misdirected due to automated load shedding by the cellular nodes. The problem arises when the node nearest a caller is overloaded and a call automatically gets switched to the next nearest node. For example a person calling 911 in Oakville, Ont. was redirected to St. Catharines, Ont which is about 85 km away. There have also been trans-border problems, a cellular call to 911 in Bowmanville, Ont was picked up on the other side of lake Ontario in Rochester, N.Y. I haven't seen any documented cases of loss of life or property due to this problem but the potential for such loss is clearly present. Local telephone officials are warning cellular telephone users to fully identify their location when they make a call to the emergency number. I conjecture that this is a symptom of a much larger problem. The cellular phone system is probably incapable in general of always correctly dealing with "generic" telephone numbers (e.g. 411, 611, 555-1212, etc.) where part of the effective telephone number is derived from the context of the caller. Large trans-border municipalities like Detroit Michigan/Windsor Ontario must be a real zoo in this regard since the INWATS (800-XXX-XXXX) numbers have different bindings in the U.S. and Canada Dave Wortman, Computer Systems Research Institute, University of Toronto
Nancy Leveson writes informing us of the ABA's Legal Technology Advisory Council and their "ABA Mark of Approval" which they grant to software passing their tests. I am concerned that any organization which purports to do what the LTAC does is really sticking its neck out. How can they really be sure they have uncovered all the "serious errors" in the software they are testing? Of course the answer is that they can't. Shouldn't they include a disclaimer to this effect with their mark of approval? I think it is a very good idea to have an organization like the LTAC doing this sort of work. Someone should certainly make it their business to evaluate software and publicize the results. But a user who naively believes approved software to be "without serious errors" could really get burned. I have seen software certification people find some really obscure bugs, but never before have I heard anyone claim to find them ALL. Of course this problem is not unique to computer software. I am sure that somewhere out there is a person who believed Underwriters' Labs when they were wrong (I don't know of a specific instance of their being wrong; perhaps they never have approved a product that was dangerous...). But we are much better at understanding the workings of electrical and mechanical machines than we are at understanding the workings of computer software. Furthermore, UL, as far as I know, doesn't say whether or not the products perform as advertised. They only say whether they are safe or not. Robert Kennedy
When my bank card "lost its stripes" (and was subsequently munched by the
ATM) I was informed that the blame lay in the fact that I was storing it in
my wallet adjacent to another mag-stripe card. Perhaps a subtle form of
competition between financial institutions?
Joel Kirsh, kirsh@nuacc.BITNET
[That is actually an attractive theory. PGN]
From: ronni at CCA.CCA.COM (Ronni Rosenberg)
In RISKS 6.22, Ronald Wanttaja discusses a scenario in which "The Soviets
blind most of the US Early Warning satellites.. The U.S. immediately goes
to high DEFCON. ... The Soviets do *nothing*."
I believe that if the U.S. goes to a high DEFCON, the Soviets automatically
go to a higher state of alert.
This statement is not supported by the historical data. The US has placed
its strategic forces on DEFCON 3 three times, and DEFCON 2 once. To my
knowledge, the USSR never changed the alert level of its nuclear forces.
On the other hand, the fact that it is not empirically supported does not mean
that it is not true. It may mean that the US has never placed its forces at
sufficiently high DEFCON to do this. DEFCON 1 has never been reached.
The real lesson is that the Sovs might react, and they might not.
You'll never know until it happens.
The latest edition of RISKS from Keith Peterson on "FLU_SHOT" as a virus defense raises a question which I have posed to Keith and the administrator of the simtel20 on which "FLU_SHOT" resides as a public domain program: namely, does an administrator of a public domain repository have any responsiblity to examine software for the possiblity of a Trojan Horse before he or she posts that package to their repository? If there are technical or administrative reasons as to why an administrator cannot examine packages before posting them, I feel that users should be advised in advance and up-front that this is the situation. But I have the impression that my opinion is a minority one. The Army C2MUG public domain repository at Fort Leavenworth, which had 14,000 subscribers as of last Friday, apparently has a policy to screen all software submissions before release. C2MUG is the Command and Control Microcomputer Users' Group. But other well-known repositories on DDN, for example, do not and have no official policy on notifying users of that fact. Is there any written policy within the respective DDN, BITNET, CSNET, etc., communities which does address this question? Chris McDonald, White Sands Missile Range
The phone number for Eric Hansen should have been 612-571-7400. -Andrew Hastings abh@cs.cmu.edu 412/268-8734
[Relayed from the FidoNews 5-06 of 8 Feb 1988]
— VIRUS QUERY --
Reporter writing an article for the NY Times on the threat of "virus' ("mole,)
"worm" and/or trojan horse "attack code" programs seeks reports of real
experiences with these often destructive, sometimes playful, devices. I'm
interested in any reports about incidents involving PCs, minis or micros.
Please forward replies to Vin McLellan at Fido 101/154, (voice) 617-426-2487,
or Snail: 125 Kingston St., Boston, Ma. 02111.
Please report problems with the web pages to the maintainer