The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 27

Tuesday, 16 February 1988

Contents

o Sometimes doing nothing is doing something
Carl via Jerry Leichter
o More info on Compuserve Macinvirus
Max Monningh
o Viruses as copy protection
Eliot
o Re: Trojan horsing around with bank statements
Henry Spencer
o Re: computer pornography
Jonathan Kamens
o Emergency Calls misdirected by Cellular Telephone System
Dave Wortman
o Software Warranties
Robert Kennedy
o Mag-stripe cards
Joel Kirsh
o Interleaving of Early Warning Systems
Herb Lin
o What is the responsibility of Administrators?
Chris McDonald
o Data Physician -- Correction (Re: RISKS-6.25)
Andrew Hastings
o Reporter seeking virus information
John Gilmore
o Info on RISKS (comp.risks)


Sometimes doing nothing is doing something

Jerry Leichter <LEICHTER-JERRY@CS.YALE.EDU> <LEICHTER@VENUS.YCC.YALE.EDU>
Tue, 16 Feb 88 18:04 EST

Forwarded from INFO-VAX.                        -- Jerry

Date: Wed, 10 Feb 88 18:43:53 PST
From: carl@CitHex.Caltech.Edu
Subject: The Chaos Computer Club's Trojan Horse threat was apparently successful
To: info-vax@CitHex.Caltech.Edu

A week or so ago, the Chaos Computer Club of West Berlin announced that they
were going to trigger trojan horses they'd previously planted on various
computers in the Space Physics Analysis Network.  Presumably, the reason for
triggering the trojan horses was to throw the network into disarray; if so,
the threat has, unfortunately, with the help of numerous fifth-columnists
within SPAN, succeeded.  Before anybody within SPAN replies by saying
something to the effect of "Nonsense, they didn't succeed in triggering any
trojan horses", let me emphasize that I said the THREAT succeeded.  That's
right, for the last week SPAN hasn't been functioning very well as a network.
All too many of the machines in it have cut off network communications (or at
least lost much of their connectivity), specifically in order to avoid the
possibility that the trojan horses would be triggered (the fifth-columnists to
whom I referred above are those system and network managers who were thrown
into panic by the threat).  I find this rather amazing (not to mention
appalling) for a number of reasons:
    1)  By reducing networking activities, SPAN demonstrated that the CCC DOES
        have the power to disrupt the network (even if there aren't really any
        trojan horses out there);
    2)  Since the break-ins that would have permitted the installation of
        trojan horses, there has been a VMS release (v4.6) that entails
        replacement of ALL DEC-supplied images (well, not quite: some layered
        products didn't have to be reinstalled; however, there have been new
        versions of many layered products since the break-ins).  Installation
        of the new version of VMS provided a perfect opportunity to purge
        one's system of any trojan horses.
    3)  In addition to giving CCC's claims credibility, SPAN's response to the
        threat seems a bit foolish since it leaves open the question "What
        happens if the CCC activates trojan horses without first holding a
        press conference?".
Hiding from the problem doesn't help in any way that I can see; it merely
makes SPAN (and NASA) look foolish.

Disclaimer:  The opinions expressed above are my own, and not necessarily
         those of my employers.  The opinion of one of my bosses is (at
         least in part) that he'd like to regain access to some of the
         databases that SPAN's managers have isolated in their panic.


More info on Compuserve Macinvirus

Max Monningh <MAXWELL%FNALC.BITNET@CUNYVM.CUNY.EDU>
Sun, 14 Feb 88 23:33 CST
 Here is some more info on the Compuserve Mac-virus (see RISKS-6.22).
 (From the Chicago Tribune, without their permission of course)

          Chicago Tribune, Sunday 14 Feb. 1988, Section 7, Page 8

              "Virus gimmick is 'vandalism, pure and simple'"
                            by Daniel Brogan

"By now you've probably read a thing or two about computer viruses.  Every-
 one seems to be talking about them.  [explanation deleted]

 The matter of computer viruses is a matter of heated debate in computer
 circles. Some fear [the obvious].   Others see [it as an urban legend born
 of science fiction and societal technophobia].

 I was inclined to side with the latter group. [This guy's a reporter??]
 Every virus report I investigated seemed to have taken place in some
 foreign country or was attributed to a friend of a friend.

 Then I ran into a real honest-to-goodness virus. [more stuff we already
 know]

 As it turned out the virus was pretty tame.  On March 2, the user would
 be greeted with the following message:
        "RICHARD BRANDOW, publisher of MacMag, and its entire staff would
         like to take this opportunity to convey their UNIVERSAL MESSAGE
         OF PEACE to all Macintosh users around the world."

 After displaying the message, the virus would quietly delete itself without
 disturbing any other data.  At least 40 subscribers downloaded the virus
 from Compuserve.  The stack was also spotted on SEVERAL other commercial
 databases.

 I called Brandow, who readily accepted responsibility for the virus. [Here
 comes the bilge...] 'Actually, we like to call it a message,' he told me.
 'We look at it as something that's really positive.'  MacMag is a Canadian
 monthly with a circulation of about 40,000.

 Brandow began toying with the idea of his message about 2 years ago, toyed
 with various distribution schemes, settled on a virus and HIRED A PROGRAMMER!!
 (March 2 was chosen to commemorate the 1st birthday of the Mac II.)

 He then infected 2 Macs at MacMag for 2 days in December.  Already, he
 says the virus has been sighted throughout Europe. 'People there are reacting
 to it like a new form of art.  They think it's a nifty form of communication.'

 [Brogan's opinion deleted] Brandow says, 'I really think it's a difference
 of philosophy. People here in Canada and over in Europe see this for what
 it is, a message of peace.  It's you people in the United States who see
 it as something dark and nasty.' [Henry, are we really that paranoid down
 here?]

 Neil Shapiro, Compuserve's Macintosh forum admin worries that 'MacMag has
 opened here a Pandora's Box of problems which will haunt our community
 for years.'"

[beg.flame]
Who the hell does this clown think he is??  How could he possibly get to the
position in life to publish his own magazine and be unable to think through
the logical, INEVITABLE implications of his actions??  Americans are just
paranoid?? Oh sure, there have never been ANY Canadian crackers, the Chaos
Computer Club [Europe], the IBM Christmas card [W.Germany] and the Israeli
virus are just campfire fictions.  And what about the little American
computer geek who at THIS VERY MINUTE is probably altering the DNA inside
Brandow's message to do nasty things?  Mac users ARE particularly bad about
software hygiene (I used to be, until I subscribed to Risks...) and there
ARE a lot of people who use Macs for REAL WORK.  I assert that some of these
people bought Macs because they don't like what IBM stands for, believe in
"the little guy" because they are too, are undercapitalized and could be
seriously screwed if one of their employees loads a sick disc.  Some of
these people are going to learn a painfully expen$ive le$$on because of
Brandow.  I know that someone out west uses Macs for Cray terminals...the
mind boggles.

Since Brandow lives in Canada and not here in Chicago, I can't get Vito,
the alderman's nephew, to break his knees; I don't s'pose he lives in
Toronto ;-> ...

I therefore propose economic response.  The liquidation of Brandow's business
will probably be insufficient to cover the losses which will eventually
be suffered by the Macuser community (and it wouldn't help anyway) but it
might make an impression.

[end.flame]

I also have an opinion about his method of spreading the virus, which may
or may not have been discussed here previously.  Most of my old risks issues
are archived on tape, the robot's slow, and I don't have a quota THAT big
anyway...I'll do my homework and maybe post something on the subject later.

Max Monningh, Fermi National Accelerator Laboratory, Box 500,  MS-355 Batavia,
IL 60510            MAXWELL@FNALB.BITNET          SPAN/HEPnet:  43011MAXWELL


Viruses as copy protection

Eliot <ELIOT%cs.umass.edu@RELAY.CS.NET>
Thu, 11 Feb 88 11:55 EDT
The idea of using a virus as a copy protection mechanism is very
scary.  Here are a couple of ideas for people to try to use to
convince companies not to try this.

(1) Suppose a virus from a stolen system finds its way into someone
else's computer, who had no knowledge or involvement with the piracy.
The person who buys software usually has a contract protecting the
company from liability, but I cannot see the company escaping legal
liability to a third party who is damaged by software doing what
they intended it to do.  If this happened to me I would certainly
sue the company for everything it had.  Consider, for example, that
you are liable for injuries to a burglar who is hurt by
a trap inside your home.

(2) Protection schemes can fire incorrectly.  Consider a *legitimate*
owner of a piece of software who runs it from an *old* disk.  A
little bit of bit-rot and all of a sudden the program thinks it is
stolen...

(3) Another example, that has happened to me.  I am a *legitimate*
owner of a copy-protected Macintosh game program.  I have used
it quite happily on my 512K Macintosh.  My "licence" allows me
to run it on any single machine etc., so I tried using the
original master disk on a Macintosh SE.  This was perfectly
legitimate, but the slight differences in the machines were
enough to set off their copy protection scheme.  Since the game
runs, but cheats, when this happens it took me quite a while to
be sure of what was happening.

The basic point is that software cannot reliably detect that it
has been illegitimately copied.
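An added illustration of points (2) and (3) above, written for this digest and not code from the poster or from any real protection scheme: a naive licence block that binds a copy to a machine model and carries no integrity check fires on a legitimate owner who moves to a different machine, and fires on a single rotten bit on an old disk. A block that carries a CRC-32 over its own contents and is not bound to hardware can at least tell media corruption apart from an altered block, though (as the post says) it still cannot prove that a copy is illegitimate. The owner id, the model codes and the block layout are all constructed for the example.

```python
import struct
import zlib

# Constructed sample values (not from the post): an owner id as a protection
# scheme might stamp it on the master disk, and two hypothetical model codes.
OWNER_ID = b"OWNER001"
MODEL_512K = 0x0001   # hypothetical code for the Macintosh 512K
MODEL_SE = 0x0002     # hypothetical code for the Macintosh SE


def naive_license_block(owner_id: bytes, model: int) -> bytes:
    """Naive layout: 8-byte owner id + 4-byte model code, no integrity check.
    The copy is bound to the machine it was first run on."""
    return owner_id + struct.pack(">I", model)


def naive_is_pirated(block: bytes, running_model: int) -> bool:
    """Naive verdict: any mismatch at all is treated as evidence of theft."""
    owner = block[:8]
    (model,) = struct.unpack(">I", block[8:12])
    return owner != OWNER_ID or model != running_model


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate bit-rot on old media by flipping one bit of the stored block."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def checked_license_block(owner_id: bytes) -> bytes:
    """Hardened layout: owner id followed by a CRC-32 over it.  The block is
    deliberately not bound to a hardware model, so a licence that permits
    "any single machine" does not fire when the owner upgrades."""
    return owner_id + struct.pack(">I", zlib.crc32(owner_id))


def checked_verdict(block: bytes) -> str:
    """Return 'corrupt', 'mismatch' or 'ok'.  Media damage is reported as
    corruption, never as piracy; only an internally consistent block whose
    owner differs is reported as a mismatch."""
    body, tail = block[:-4], block[-4:]
    (stored_crc,) = struct.unpack(">I", tail)
    if zlib.crc32(body) != stored_crc:
        return "corrupt"
    if body != OWNER_ID:
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    good = naive_license_block(OWNER_ID, MODEL_512K)
    print("naive, same machine:", naive_is_pirated(good, MODEL_512K))
    print("naive, legitimate owner on an SE:", naive_is_pirated(good, MODEL_SE))
    print("naive, one rotten bit:", naive_is_pirated(flip_bit(good, 5), MODEL_512K))
    hard = checked_license_block(OWNER_ID)
    print("checked, intact:", checked_verdict(hard))
    print("checked, one rotten bit:", checked_verdict(flip_bit(hard, 5)))
```

The design choice worth noting is that the checked block only separates "the data I wrote is no longer the data I read" from "the data reads as something else"; neither verdict is evidence of copying, which is why the post's conclusion stands.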


Re: Trojan horsing around with bank statements

Henry Spencer <mnetor!utzoo!henry@uunet.UU.NET>
Mon, 15 Feb 88 18:02:58 EST
>  This message was not a legitimate one.  It was developed as part of
>  a test program by a staff member, whose sense of humor was somewhat
>  misplaced, and it was inadvertently inserted in that day's statement...

Note an analogy to the "no jokes please" signs at airport security-screening
stations:  there are times and places which are just too sensitive for
certain types of humor.  Putting an "EXPLOSIVES" sticker on your friend's
suitcase, however appropriate it might be as a joke in the right situation,
is defensible only if you take precautions to be SURE it gets removed before
he tries to go through airport security.  Good intentions are not enough;
redundant precautions are in order, in case something goes wrong.

Henry Spencer @ U of Toronto Zoology {allegra,ihnp4,decvax,pyramid}!utzoo!henry

   [John Markoff told me today that Wells Fargo still does not know who
   is responsible.  By the way, despite my choice of SUBJECT: line, I have no
   inside information that would lead me to believe it was an intentional
   Trojan horse rather than an accidental leakage.  But that is certainly a
   possibility under the circumstances!  PGN]


Re: computer pornography

Jonathan Kamens <jik@ATHENA.MIT.EDU>
Mon, 15 Feb 88 14:27:55 EST
In Risks Digest 6.26, Prentiss Riddle (riddle@woton.UUCP) mentions a
wire service report about computer pornography.  We've had firsthand
experience in the "dangers" of computer pornography here at MIT's
Project Athena computer system in the past few weeks....

About a month ago, an employee of Project Athena (who is also an MIT
student) created a directory entitled "xpix" which contained all kinds
of graphic files, most of which were either digitized or scanned from
pictures.  These files had been circulating around Athena in many
different users' subdirectories for some time, and the student who
organized them all was simply trying to conserve space and make them
easier to access.  Also included in the xpix directory was a program
to place any of the pictures in the directory into the background of a
workstation (Athena workstations are multiple-window environments with
a background which is normally gray).

Included in the xpix directory were two subdirectories entitled "boys"
and "girls"; I am sure you can imagine what kinds of graphics they
contained.  After the xpix directories had existed for about a week,
the director of Project Athena announced that complaints about the
boys and girls directories had been made by a dean; the dean had said
that she had received complaints from students.  The xpix directory
was soon thereafter made totally inaccessible to Athena users.

Approximately a week later, the xpix directory was restored, but the
boys and girls directories are no longer readable.

A few observations: 

First of all, is what Athena did legitimate?  They claimed that since
the xpix directory was an independent filesystem and was not a part of
any user's home directory, Athena was "supporting" it by allowing it
to exist.  Since Athena did not want to "support" pornography, they
could not allow the offensive [to some people] directories to remain
world-readable.  Basically, what they are saying is that if any user
decides to take all of the offensive pictures (if he can get access to
them) and place them into his home directory and make them
world-readable, there is nothing Athena can do to stop him.

Second, the student who created xpix estimates that while the girls
and boys directories were taking up 4 or meg before they were
segregated, the many copies of the pictures which have been obtained
by whatever means since the directories were cut off are now taking up
about 50 meg of system space.  Was it really worth it for Athena to
install the directory protections if there are ways to get around them
and the net result is less efficient use of system resources?

What are the possible implications of Project Athena's decision?  Can
the administration of a supposedly user-privacy-secure system censor
the material that is made accessible on it?  Is the presence of a
filesystem on a machine evidence that the administration "supports"
the contents of the filesystem?

  Jonathan Kamens, MIT '91


Emergency Calls misdirected by Cellular Telephone System

Dave Wortman <dw%csri.toronto.edu@RELAY.CS.NET>
Fri, 12 Feb 88 13:00:22 EST
Several cases have been reported here recently in which calls from cellular
telephones to the 911 emergency number have been seriously misdirected due to
automated load shedding by the cellular nodes.  The problem arises when the
node nearest a caller is overloaded and a call automatically gets switched to
the next nearest node.  For example a person calling 911 in Oakville, Ont. was
redirected to St. Catharines, Ont which is about 85 km away.  There have also
been trans-border problems, a cellular call to 911 in Bowmanville, Ont was
picked up on the other side of lake Ontario in Rochester, N.Y.  I haven't seen
any documented cases of loss of life or property due to this problem but the
potential for such loss is clearly present.  Local telephone officials are
warning cellular telephone users to fully identify their location when they
make a call to the emergency number.

I conjecture that this is a symptom of a much larger problem.  The cellular
phone system is probably incapable in general of always correctly dealing with
"generic" telephone numbers (e.g. 411, 611, 555-1212, etc.) where part of the
effective telephone number is derived from the context of the caller.  Large
trans-border municipalities like Detroit Michigan/Windsor Ontario must be a
real zoo in this regard since the INWATS (800-XXX-XXXX) numbers have different
bindings in the U.S. and Canada.

Dave Wortman, Computer Systems Research Institute, University of Toronto
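The load-shedding failure described in the post, as an added simulation written for this digest (not code from the poster or from any cellular switch): three constructed cells with constructed coordinates and placeholder answering-point names, a nearest-free-node handoff, and two ways of resolving a "generic" number. The naive resolver binds 911 from whichever node ends up carrying the call, so an overflow to a distant node sends the call to the wrong answering point; the context-aware resolver keeps the binding tied to the caller's own cell and lets only the transport move. Cell names, distances, capacities and PSAP names are all assumptions of the example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    name: str
    x: float        # constructed coordinates in km, not real geography
    y: float
    psap: str       # placeholder answering point that "911" binds to here
    capacity: int   # simultaneous calls before the node sheds load


# Constructed sample: two nearby cells sharing an answering point, and a
# third node far away whose 911 binding points somewhere else entirely.
CELLS = (
    Cell("cell-A", 0.0, 0.0, "PSAP-A", 1),
    Cell("cell-B", 6.0, 2.0, "PSAP-A", 1),
    Cell("cell-C", 85.0, -30.0, "PSAP-C", 1),
)

# Numbers whose meaning depends on where the caller is, not on the digits.
GENERIC_NUMBERS = {"911"}


def cells_by_distance(x: float, y: float) -> list:
    """All cells, nearest to the caller first."""
    return sorted(CELLS, key=lambda c: math.hypot(c.x - x, c.y - y))


def serving_cell(x: float, y: float, load: dict) -> Cell:
    """Load shedding: the nearest node with spare capacity takes the call.
    `load` maps cell name to the number of calls it is already carrying."""
    for cell in cells_by_distance(x, y):
        if load.get(cell.name, 0) < cell.capacity:
            return cell
    raise RuntimeError("no cell has capacity")


def route_naive(dialed: str, x: float, y: float, load: dict) -> dict:
    """Resolve a generic number from the node that happens to carry the call."""
    serving = serving_cell(x, y, load)
    dest = serving.psap if dialed in GENERIC_NUMBERS else dialed
    return {"served_by": serving.name, "answered_at": dest}


def route_with_context(dialed: str, x: float, y: float, load: dict) -> dict:
    """Resolve a generic number from the caller's own cell even when another
    node carries the call: the transport moves, the binding does not."""
    origin = cells_by_distance(x, y)[0]
    serving = serving_cell(x, y, load)
    dest = origin.psap if dialed in GENERIC_NUMBERS else dialed
    return {"served_by": serving.name, "answered_at": dest}


if __name__ == "__main__":
    congested = {"cell-A": 1, "cell-B": 1}   # both nearby nodes are full
    print("naive:  ", route_naive("911", 0.0, 0.0, congested))
    print("context:", route_with_context("911", 0.0, 0.0, congested))
```

Both resolvers still hand the call to cell-C when the nearby nodes are full; the difference is only which answering point the digits "911" are expanded to, which is the part of the number that is derived from the caller's context.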


Software Warranties

Robert Kennedy <jrk%computer-lab.cambridge.ac.uk@NSS.Cs.Ucl.AC.UK>
Mon, 15 Feb 88 13:58:31 GMT
Nancy Leveson writes informing us of the ABA's Legal Technology Advisory
Council and their "ABA Mark of Approval" which they grant to software
passing their tests.

I am concerned that any organization which purports to do what the LTAC
does is really sticking its neck out. How can they really be sure they
have uncovered all the "serious errors" in the software they are testing?
Of course the answer is that they can't. Shouldn't they include a disclaimer
to this effect with their mark of approval?

I think it is a very good idea to have an organization like the LTAC doing
this sort of work. Someone should certainly make it their business to evaluate
software and publicize the results. But a user who naively believes approved
software to be "without serious errors" could really get burned. I have
seen software certification people find some really obscure bugs, but never
before have I heard anyone claim to find them ALL.

Of course this problem is not unique to computer software. I am sure that
somewhere out there is a person who believed Underwriters' Labs when they
were wrong (I don't know of a specific instance of their being wrong;
perhaps they never have approved a product that was dangerous...). But
we are much better at understanding the workings of electrical and mechanical
machines than we are at understanding the workings of computer software.
Furthermore, UL, as far as I know, doesn't say whether or not the products
perform as advertised. They only say whether they are safe or not.

Robert Kennedy


Mag-stripe cards

Joel Kirsh <KIRSH@NUACC.ACNS.NWU.Edu>
Sun, 14 Feb 88 13:32 CST
When my bank card "lost its stripes" (and was subsequently munched by the
ATM) I was informed that the blame lay in the fact that I was storing it in
my wallet adjacent to another mag-stripe card.  Perhaps a subtle form of
competition between financial institutions?

Joel Kirsh, kirsh@nuacc.BITNET
                               [That is actually an attractive theory.  PGN]


Interleaving of Early Warning Systems

Herb Lin <LIN@XX.LCS.MIT.EDU>
Fri, 12 Feb 1988 23:19 EST
    From: ronni at CCA.CCA.COM (Ronni Rosenberg)

    In RISKS 6.22, Ronald Wanttaja discusses a scenario in which "The Soviets
    blind most of the US Early Warning satellites..  The U.S. immediately goes
    to high DEFCON. ...  The Soviets do *nothing*."

    I believe that if the U.S. goes to a high DEFCON, the Soviets automatically
    go to a higher state of alert.

This statement is not supported by the historical data.  The US has placed
its strategic forces on DEFCON 3 three times, and DEFCON 2 once.  To my
knowledge, the USSR never changed the alert level of its nuclear forces.

On the other hand, the fact that it is not empirically supported does not mean
that it is not true.  It may mean that the US has never placed its forces at
sufficiently high DEFCON to do this.  DEFCON 1 has never been reached.

The real lesson is that the Sovs might react, and they might not.
You'll never know until it happens.


What is the responsibility of Administrators?

Chris McDonald STEWS-SD 678-2814 <cmcdonal@wsmr10.ARPA>
Fri, 12 Feb 88 13:38:02 MST
The latest edition of RISKS from Keith Peterson on "FLU_SHOT" as a virus
defense raises a question which I have posed to Keith and the administrator of
the simtel20 on which "FLU_SHOT" resides as a public domain program:  namely,
does an administrator of a public domain repository have any responsibility to
examine software for the possibility of a Trojan Horse before he or she posts
that package to their repository?

If there are technical or administrative reasons as to why an administrator
cannot examine packages before posting them, I feel that users should be
advised in advance and up-front that this is the situation.  But I have the
impression that my opinion is a minority one.

The Army C2MUG public domain repository at Fort Leavenworth, which had 14,000
subscribers as of last Friday, apparently has a policy to screen all
software submissions before release.  C2MUG is the Command and Control
Microcomputer Users' Group.  But other well-known repositories on DDN, for
example, do not and have no official policy on notifying users of that fact.

Is there any written policy within the respective DDN, BITNET, CSNET, etc.,
communities which does address this question?

Chris McDonald, White Sands Missile Range


Data Physician -- Correction (Re: RISKS-6.25)

Andrew Hastings <Andrew.Hastings@pogo.camelot.cs.cmu.edu>
<lost>
The phone number for Eric Hansen should have been 612-571-7400.

-Andrew Hastings    abh@cs.cmu.edu      412/268-8734


Reporter seeking virus information

John Gilmore <hoptoad.UUCP!gnu@cgl.ucsf.edu>
Sun, 14 Feb 88 05:28:14 PST
[Relayed from the FidoNews 5-06 of 8 Feb 1988]

                             -- VIRUS QUERY --

Reporter writing an article for the NY Times on the threat of "virus" ("mole",
"worm" and/or trojan horse "attack code") programs seeks reports of real
experiences with these often destructive, sometimes playful, devices.  I'm
interested in any reports about incidents involving PCs, minis or micros.

Please forward replies to Vin McLellan at Fido 101/154, (voice) 617-426-2487,
or Snail: 125 Kingston St., Boston, Ma. 02111.
