The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 07

Monday, 11 January 1988

Contents

o You don't need a computer to have a technical RISK.
Joe Morris
o Leap second leaps seconds
Alan Wexelblat
o Plan to automate Federal tax collection system?
John Gilmore
o Creative quality control in missile systems?
Dave Curry
o Re: getting into ATM rooms
Eric Skinner
o Re: PCs die of New Year Cerebration
Scot E. Wilcoxon
o Computer asks you your SSI number as ID
Hank Roberts
o Computer Virus.... sources(!)
David HM Spector
o Reagan Signs Bill Governing Computer Data
Hugh Pritchard
o Indianapolis Air Force jet crash
Dave Curry
o Info on RISKS (comp.risks)

You don't need a computer to have a technical RISK. (Jackson Post-ing)

Joe Morris (jcmorris@mitre.arpa) <jcmorris@mitre.arpa>
Sat, 09 Jan 88 12:22:20 EST
With the frequent (and valid) complaints about how the computer is fostering
an impersonal society, it was with some interest that I read an article in
the Washington Post last week in which the Post reported that Jesse Jackson's
campaign headquarters had sent him a telex message which suggested some 
approaches which he could use in the upcoming primary campaigns.

The telex didn't go to Jackson; instead, it was delivered to the Washington
Post's telex machine.  The Post, of course, printed excerpts from it in the
article.  (There weren't any smoking pistols in the material.)

Jackson's campaign manager told the Post that it wasn't a staff error and
must have been the machine, since he (the manager) was the person who
operated the machine when the text was sent.  The article didn't say just
how the machine could have been at fault.

Even if this turns out to be a case in which the operator dialed the wrong
number, it does illustrate the problem of systems in which the routing system
uses non-obvious addressing.  An envelope addressed to "The Washington Post"
would have been easily seen as not appropriate for an internal political memo,
but an E-mail address of (202)-334-6100 isn't obviously an inappropriate one
unless you notice that 202 is not equal to 319 (D.C. vs. Iowa)...  and that
assumes that you aren't using a computer-driven telex system in which you
might not see the conversion from a nickname to a phone number.

What feedback mechanisms are (should) there be to prevent this kind of
misdelivery for electronic mail?  We've all seen the occasional red-faced
apologies on the net from sites which let test messages escape.

(I don't have the article in front of me, and may have some minor details
wrong, so no flames, please...)      Joe Morris


Leap second leaps seconds

Alan Wexelblat <wex%SW.MCC.COM@MCC.COM>
Wed, 6 Jan 88 15:39:46 CST
[Excerpted from the AP wire]

DETROIT - Michigan Bell Telephone Company took about 3 1/2 days to make up
one second.  The company's computer-operated telephone time service wasn't
adjusted at [...] midnight New Year's Eve, Greenwich Mean Time to account
for the "leap second" between 1987 and 1988.  The adjustment is needed to
synchronize the world's steadily running atomic clocks with the ever-slowing
rotation of the Earth.  But people who set watches or synchronized
activities by Michigan Bell's time signal were one second off during the
weekend.  We thought the change was automatically in the (computer's)
program.  We manually added the second" Monday morning, said a Michigan Bell
spokeswoman.

--Alan Wexelblat  UUCP: {harvard, gatech, pyramid, &c.}!sally!im4u!milano!wex
Information deteriorates upward through bureaucracies.


Plan to automate Federal tax collection system?

John Gilmore <hoptoad.UUCP!gnu@cgl.ucsf.edu>
Fri, 8 Jan 88 22:06:40 PST
I found this in the CPA Client Bulletin, July 1987, copyright 1987 by the
American Institute of Certified Public Accountants, reproduced without
perdition.

           Deposit Taxes by Phone:  How Easy Can It Get?

Tax practitioners are warily watching the development of a government plan to
automate the federal tax deposit system.  They're mostly in favor of getting
rid of glitches in the present system but worry that a new, computerized
method could cause added work and expense for very small businesses, some of
which would be unable to participate at all because of lack of sophistication
or even lack of such basic resources as a computer or touch telephone.

Under the present system, taxpayers remit payroll taxes, corporate taxes,
excise taxes and the like into Treasury accounts at authorized financial
depositories.  Nearly 70 percent of all government revenues are received in
this manner.

Under the new system, a taxpayer might feed the information directly into one
of Uncle Sam's computers, which would debit the taxpayer's bank account
directly.  This is another source of uneasiness among some tax practitioners
queried about preliminary plans for the new system -- IRS access to bank
accounts.


Creative quality control in missile systems?

Dave Curry <davy@intrepid.ecn.purdue.edu>
Mon, 11 Jan 88 14:45:16 EST
From O'Malley & Gratteau INC. column, Chicago Tribune, Jan. 11, 1988:

  Just in case you were gaining confidence in the U.S. Military:  A barely
noticed July 31, 1987, report by the U.S. House Armed Services Committee on
the sale of military equipment to the Islamic Republic of Iran included this
passage: "As a result of other errors within the Army, the entire last
shipment of 500 missiles had a faulty battery that has caused a dangerous
fly-back problem."  What's a fly-back?  It means the rockets had a tendency
to dribble out of the tube, fall on the ground and then ignite.  We presume
there was a no-return policy.
                                               Dave Curry, Purdue University

                                    [They returned all by themselves!  PGN]


Re: getting into ATM rooms

Eric Skinner <ERS2F%UOTTAWA.BITNET@CUNYVM.CUNY.EDU>
Wed, 06 Jan 88 21:53:38 EST
  In RISKS 6.4, mar@ATHENA.MIT.EDU writes:
  >Yesterday I tried an experiment, and discovered that my AT&T calling
  >card, and even a rapid transit pass would open the door...

Even worse, many of these locks will open if you simply stick something
thick into them.  One of those handy wallet-sized plastic calendars
does the trick on many doors.

It seems like the locks are there to inspire confidence instead of
actually protecting;  perhaps the banks feel that decent locks are
too expensive?

Eric Skinner, University of Ottawa


Re: PCs die of New Year Cerebration

Scot E. Wilcoxon <umn-cs!datapg.MN.ORG!sewilco@cs-gw.D.UMN.EDU>
Mon, 11 Jan 88 0:50:45 CST
I found more details about my previous report.  At least some Stearns brand
PC compatibles fail at boot up in 1988.  A message "bad or missing command
interpreter" is issued, perhaps due to something in the config.sys file.

A problem on Sun machines was mentioned here, and there are reports on USENET
of another PC compatible with problems due to 1988.  Three unrelated
sensitivities to 1988 may seem like a lot, except there are now hundreds of
computer manufacturers able to cause errors.  With specialty chips in wide use,
a date-sensitive error in millions of appliances is only a matter of time.

Scot E. Wilcoxon    sewilco@DataPg.MN.ORG   ihnp4!meccts!datapg!sewilco
Data Progress       C and UNIX consulting   +1 612-825-2607


computer asks you your SSI number as ID (Wang ad)

Hank Roberts <well!hank@lll-crg.llnl.gov>
7 Jan 88 22:43:20 GMT
From the 1-6-88 Wall Street Journal, ad on page 8:

"Employee Pension fund.  A guy wants to check his pension.  What he's got.
What he can borrow against.  How his fund's performing.  Calls the State office
A Wang VS computer answers.  Speaks.  Asks for social security number.  Dials
it in.  It leads him through a menu...status, equity, performance or human
interface...you know...a real person.  They handle a thousand calls a day."

 -- one hopes the machine can do voice recognition ....


Computer Virus.... sources(!)

David HM Spector <spector@vx2.GBA.NYU.EDU>
Sun, 10 Jan 88 22:27:46 EST
Just when you thought its was safe to play with computers...

With all of the traffic in Risks digest dealing with Computer Viruses,
letter bombs et al, I though I'd pass this one on.  A programmer in West
Germany has posted to Compu$erve the _source_ to a simple virus that will 
run on a Macintosh computer.

I normally wouldn't even dare to mention that such a thing exists in a
"public" forum, but it's on Compuserve, so it might as well be painted on
walls coast to coast.

The author insists that it's is a very simple virus, easily defeated, 
(which it is, having looked at and understood the sources), and is posted for 
educational uses with the intent of making people aware that such things exist 
and to inspire them to write defenses against them.  

In terms of a program, it's very small, a few pages of Pascal, and maybe
50 lines of assembly code.  The installation code has a bunch of flags to 
control whether or not the virus replicates, whether it gets installed into 
the current running application, or just the system software, etc, etc. 
The actual virus is a small piece of code disguised as a resource that 
inserts itself in a system trap handler...it's alarmingly straight forward.

The author goes on to mention, in the documentation, that this virus was
inspired by a number of viruses he has encountered that did damage to his 
systems, so he wrote a virus that won't let "unknown" programs run on any of 
his company's machines.  (i.e., if the program(s) to be run aren't already 
infected with HIS virus, they won't be allowed to run at all.)

This is the first time I have ever seen sources to something like this, and it
scares me a lot. If this code is any indication, viruses in general are a snap 
to write -- an could be placed _anywhere_; even in innocent looking HyperCard
Stacks (Apple's HyperText software...) that thousands of people and User's
Groups download and give out all over the place (and most Mac users aren't 
computer professionals -- they'll never know what hit'em).

[Come to think of it, this is right out of the story _True Names_ by 
Vernor Vinge...]

Now, let's see, first thing is to unplug my MacintoshII's modem, then...  

David HM Spector                New York University
Senior Systems Programmer           Graduate School of Business
Arpa: SPECTOR@GBA.NYU.EDU           Academic Computing Center
UUCP:...!{allegra,rocky,harvard}!cmcl2!spector  90 Trinity Place, Rm C-4
MCIMail: DSpector/Compu$erve: 71260,1410    New York, New York 10006

            [There are 10 more messages on viruses pending, but with
            considerable overlap.  I'll get to them soon!  PGN]


Reagan Signs Bill Governing Computer Data

Hugh Pritchard <<PRITCHAR%CUA.BITNET@CUNYVM.CUNY.EDU<>
Sat, 9 Jan 88 14:08 EST
[Repeated without permission from the business section of
_The_Washington_Post_ of Saturday, Jan 9, 1988]

[headlined] Reagan Signs Bill Governing Computer Data

President Reagan yesterday signed a bill intended to tighten security of
computer systems that store nonclassified data such as census, tax and
business records.  The National Bureau of Standards is to develop programs to
protect the machines from being illegally tapped by outsiders.

The law overrides a national security directive that Reagan issued in 1984
giving the Pentagon's National Security Agency responsibility for safe-
guarding the data.  Later, the White House created a new classification of
data for protection -- "sensitive but unclassified."

The measures led to criticism in Congress that the government was tightening
the flow of information and expanding military authority.  The new law places
responsibility for civilian computer security in civilian hands, but provides
for the NSA to give technical advice to the bureau.  The law also specifies
that nothing in it will be used to restrict disclosures under the Freedom of
Information Act.

[end of article]

/Hugh Pritchard,        Systems Programming             PRITCHARD@CUA.BITNET

The Catholic University of America Computer Center      (202) 635-5373
Washington, DC  20064  USA

Disclaimer:  My views aren't necessarily those of the Pope.

               [Sounds like HR 145, but none of the articles said so!  PGN]


Indianapolis Air Force jet crash

Dave Curry <davy@intrepid.ecn.purdue.edu>
Sat, 09 Jan 88 23:08:46 EST
From The Lafayette (Indiana) Journal & Courier, Jan. 9th, 1988.

  INDIANAPOLIS - A failed gearbox was blamed Friday for causing the engine to
fail in the Air Force fighter jet that crashed Oct. 29 into a hotel, killing
10 people, a published report said.
  The military jet, piloted by Maj. Bruce L. Teagarden, lost its ignition
and air-fuel mixture systems when a gearbox part failed, _The Indianapolis
Star_ reported in today's editions, quoting an unreleased Air Force report
due to be released next week.

--Dave Curry, Purdue University

Please report problems with the web pages to the maintainer

Top