The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 44

Wednesday 16 March 1988

Contents

o Terry Dean Rogan, concluded (for now)
Hal Perkins
o RISKS in Bell lawsuit
Alan Wexelblat
o Hackers to Face Jail or Fines
Anne Morrison
o Risk in submarine accident; MAC Virus arrives in Germany; German Hacker arrested in Paris
Klaus Brunnstein
o RISKS in the U.S. Government Archives
sethk
o MacMag virus infects commercial software
Dave Platt
o More on the Brandow virus
Dave Curry
o Info on RISKS (comp.risks)

Terry Dean Rogan, concluded (for now)

Hal Perkins <hal@gvax.cs.cornell.edu>
Tue, 15 Mar 88 13:10:13 EST
[This case has been discussed in Risks in the past, so readers might
be interested in the outcome.]

From the New York Times, Sunday March 6, 1988, section 1, page 30.

Wrong Suspect Settles His Case for $55,000

Saginaw, Mich., March 5 (AP) -- Terry Dean Rogan, who [was] arrested
five times in Michigan and Texas for crimes he did not commit, has
settled a lawsuit against the City of Los Angeles for failing to remove
his name from a crime computer's file.

Mr. Rogan, who is 30 years old, sued Los Angeles, its Police Department
and two detectives, saying his civil rights were violated when the
department neglected to remove his name from a nationwide crime
computer file.  The settlement, approved by the Los Angeles City
Council Friday, calls for Mr. Rogan to receive $55,000.

Last July, a Federal district judge in Los Angeles ruled that Mr. Rogan
should be paid damages.  The murders and robberies he was charged with
were ultimately traced to an Alabama jail inmate, Bernard McKandes.

Mr. McKandes was found to have assumed Mr. Rogan's identity after Mr.
Rogan apparently discarded a copy of his birth certificate.


RISKS in Bell lawsuit

Alan Wexelblat <wex%SW.MCC.COM@MCC.COM>
Tue, 15 Mar 88 15:20:20 CST
I'm sure everyone has, by now, read about Bell Helicopter's settlement
with the government in which they repaid $85.1 million in overcharges.
However, in an article by Mark Thompson (Knight-Ridder News Service),
the following quotes caught my eye:

    "[The settlement] stems from Bell's computerized accounting
    system which government investigators claim shifted costs
    among the contracts..."

[note how the computer is blamed, not the programmer, nor the people who
used it nor the people who ordered it programmed/used in that way!]

    "The $85.1 million settlement is only half the size of the
    government's estimated loss ...  But [government] officials
    said the case was so complex that court action to recoup the
    funds probably would have failed."

It struck me that here we may have a case of someone(s) using a
computer to deliberately complicate/obfuscate what they are doing not
only for profit but to avoid detection.  And, even when detected, the
use of a computer may have complicated things beyond the point where
the average juryperson can understand them.

--Alan Wexelblat
ARPA: WEX@MCC.COM
UUCP: {harvard, gatech, pyramid, &c.}!sally!im4u!milano!wex


Hackers to Face Jail or Fines

Anne Morrison <munnari!murdu.oz.au!anne@uunet.UU.NET>
Tue, 15 Mar 88 11:07:30 EST
From the Age, Melbourne, Monday March 14 1988

  Computer Hackers to Face Jail or Fines

  Convicted computer hackers will face huge fines under new laws being prepared
  for Victoria.  The State Government is planning to create an offence of
  computer trespass, with a maximum fine of $2500, under a bill soon to be
  debated in Parliament. 

  The Attorney-General, Mr McCutcheon, said yesterday that while many computer 
  hackers were no more than technological voyeurs, there was a need for some 
  kind of deterrent.  He said the legislation was the first in Australia to 
  deal specifically with technological crime. 

  The Government had previously thought it sufficient to ensure that computer 
  hackers could be prosecuted if they altered or erased data, Mr McCutcheon 
  said.  But submissions from police, the computer industry and legal experts
  had led to the inclusion of penalties for hackers who simply looked at
  material after breaking into a computer system. 

  People were understandably concerned that hackers could gain access to 
  sensitive data of great commercial value or of a personal and private nature,
  Mr McCutcheon said.

  The new offence of computer trespass was similar to the offence of willful 
  trespass on property or being unlawfully on premises.  The bill before
  Parliament also creates offences of falsifying or altering data held in a
  computer system, punishable by fines of up to $100,000 or 10 years jail. 

  Existing laws applying to criminal damage will be applied to technological 
  crime, enabling prosecution of anyone releasing "viruses" or "bugs" into 
  computer systems to cause damage.  People spreading these "viruses" or "logic
  bombs" -- programming instructions timed to destroy data later -- would face
  up to 10 years jail or a $100,000 fine, or 15 years jail if they acted for
  gain, Mr McCutcheon said. 

This raises an interesting point - does "accidentally" spreading a virus or
logic bomb (i.e. if you don't know it's there) make you liable for prosecution?
Can you prove that you passed on sabotaged software in good faith? This
legislation may prove to be a major deterrent to software piracy - IF it is 
strictly enforced.

Anne Morrison
University of Melbourne Computing Services, Parkville, Victoria, AUSTRALIA
ACSnet: anne@murdu.mu.oz       ARPA: anne%murdu.mu.oz.au@uunet.uu.net


Risk in submarine accident; MAC Virus arrives in Germany; German Hacker arrested in Paris

Klaus Brunnstein <brunnstein%rz.informatik.uni-hamburg.dbp.de@RELAY.CS.NET>
Organisation: University of Hamburg, FRG, Faculty for Informatics

1. Electronic Navigation Aids fail on German Submarine?

According to German newsmedia, the collision of a German submarine (NATO
code:  S 176) on March 6, 1988 with the Norwegian oil-drilling platform
Oseberg B in the North Sea Ekofisk field was caused either by `human
failure' or by undetected malfunctioning of a previously `repaired'
navigation aid.  The submarine had a first collision with one leg of the
platform in 30 m depth; when trying to escape by diving to the 115 m deep
North Sea bottom at that point, several more collisions occurred with legs
and iron chains, which anchor this platform and the neighboring `hotel
platform Polyconfidence', floating 40 m away. The collisions continued for
over 15 minutes and were experienced by the platform's workers as `some kind
of seaquake'. Some reports said that the platform has been checked and is
again operational but workers must leave it when waves become 15 m high
(instead of 30 m before accident). The damage of the platform is reported to
cost `several 10 Mill.DM'.

After the heavily damaged boat returned to its naval base at Kiel, FRG, the
commanding "Captain Lieutenant" (`Kaleu') argued that he had `seen' the
platform, through his periscope, 15 minutes before the collision and he was
sure, that his course would keep him clear of the platform. Probably, no
further 'visual control' of the subsequent course had been undertaken.

Norwegian media reports that German official seacharts don't register the two
platforms are incorrect; the president of the German office responsible for
updating seacharts said that updates show every change in position. Such
updates are stored electronically, but available (today) only in printed
form.  Electronic devices and methods are being prepared, in close
collaboration with IMO (I have close contact to this group and inform them on
risks experienced in electronic air traffic aids).

Since this chart is 1:750.000, German navy vessels use detailed British special
charts on stationary or movable oil-drilling platforms. On the other hand,
navigation is difficult there due to strong tidal flows; every responsible
captain uses therefore as much information and sources as possible, including
computerized device and `eye contact'.

The commander reported that an electronic navigation aid, probably a sonar
detector, had been repaired shortly before.  Details of cross-check procedures
and spare devices have not been reported, but most interestingly, the commander
said in a press conference that usually several persons `independently' steer the
boat, thus `human failure' was extremely improbable to him and navy officials.
An examination has been started (I will report the results to RISK FORUM).

Apart from the risk of overreliance on (badly checked) hardware, the behaviour
of officers and crew presents another risk.  While the commander argued, that
his crew behaved in a calm and controlled manner, the helmsman of a nearby
working Norwegian supply vessel, Mr. Per Rogne, reportedly said:  `the
commander and his officers were totally confused' when they finally came back
to surface. Norwegian newspapers reported on `blockheads of German submarines
which meet the only obstacle in a large area', but they added that a Norwegian
submarine recently had damaging `contact' with a wall of rock.

While the risk to the crew seems `calculable', the public risk accorded to
such officers may be the worse problem. The boat belongs to the NATO fleet
to protect Western Europe from sea invasion from North-East of Norway.

(Maybe, Norwegian workers should be better protected against unforeseen,
illegal visits of friends.)


2. MAC-virus arrived in Germany:

Surprisingly fast, Apple Germany found out about the MacInVirus and informed
its users by email with the following text (cited without permission):

  `A product manager in Apple Germany, Kurt Bierbaum (BIERBAUM1) has found a
  disk in Germany which destroys hard disks and the applications that run on
  them.

  `This program is called VIRUS. I believe that it installs something in the
  CODE resources of the System file. In addition, it installs INIT32 and the
  resource MVIR in the System file.  I think that it installs the MVIR
  resource in the applications as well. I have the disk in my office if you
  would like a copy.  This program can be found on CompuServe in a Hypercard
  stack.  A user named David HM Spector sent this information to all other
  users. ...... This program seems to be widespread.'

With this rather quick information, Apple reacted much faster than DEC did
in 1987 when the missing CLOSE in the password control routine in its VMS
4.4/4.5 versions was detected, with well known results of hackers invading
science and commercial VAX-systems (e.g. Philips France, see 3.). Though DEC
people knew of the severe fault since early 1987 (if not before), a proper
system patch was only available, in Germany, by summer 1987. Moreover, DEC
missed to inform the respective German computer center heads properly.


3. German leading `Computer Chaos Hacker' arrested in Paris

A leading German hacker, Mr. Steffen Wernery of `Computer Chaos Club' of
Hamburg, has been arrested in Paris, on March 14.  He is accused of having
participated in the invasion of a Philips France VAX computer (under a
`buggy' VMS) in 1987; while being a speaker at SECURICOM, Philips officials
had arranged a meeting, but police awaited him before. French police wanted
to arrest Mr. Wernery since some time, but German institutions refused to
deport him due to German law.

After having done some analysis of CCC's respective activities, to me the
arrest seems rather arbitrary; the invaded system evidently lacked any
reasonable protection, and the participation of Mr. Wernery seems
doubtful, at least he has only superficial knowledge of VAX/VMS.

(To be precise: I don't wish to help hackers in cases of criminal actions;
but the analysis of what they do and what they can should be based on facts.
I would hope that police concentrates itself on real damages done by
professional computer criminals; but I admit that is more difficult to
understand their actions than that of hackers.)


Klaus Brunnstein, University of Hamburg, Faculty for Informatics


RISKS in the U.S. Government Archives

<sco!sethk@ucscc.UCSC.EDU>
Tue Mar 15 11:32:03 1988
From The Nation, March 12, 1988, p. 332, "Beltway Bandits" column.

Archive's Black Hole

The government is in danger of losing its memory. That's the message of Don
Wilson, the Federal Archivist. Testifying before a House subcommittee last
month, Wilson emphasized the problems posed by the "increased usage of
electronic records and the expanded use of computers in the Federal
Government." He complained that "data held on computers is frequently
altered or updated" - shades of the deeds done by Oliver North and Fawn Hall
- and that much material never reaches the National Archives. While the
government uses an estimated 13 million reels of computer tape, the archives
now holds only 3,000 reels. All this hinders the National Archives and
Records Administration in preserving the documents generated by each
presidency. Unless Congress and NARA find a way to address these matters,
the bureaucracy's broadening reliance on computer technology will rob the
public of pieces of history as well as information that may be needed by a
future independent counsel or Congressional committee.


MacMag virus infects commercial software

Dave Platt <dplatt@coherent.com>
Tue, 15 Mar 88 09:13:14 PST
According to an article in this morning's San Jose Mercury News, the "DREW"
INIT-virus has been found to have infected a commercial software product.

The virus, which was a "benign" time-bomb designed to display a message of
world peace on March 2nd, is present on disks containing Aldus Freehand.
The virus was inadvertently passed to Aldus by Marc Canter, president of
MacroMind Inc., which makes training disks for Aldus.  Canter visited
Canada some time ago, and was given a disk containing a program called
"Mr. Potato Head", which lets users play with a computerized version of the
toy character.  Canter ran the program only once, and his machine was
apparently infected by the virus at this time.  Subsequently, the virus
infected a disk of training software that Canter then delivered to Aldus;
at Aldus, the virus infected disks that were then sold to customers.

Although this virus was believed to be harmless, Canter reports that it forced
his Macintosh II computer to shut down and caused him to lose some computer
information.  "My system crashed," Canter said, "I was really angry."

    (( Not all that surprising... quite a few popular but nonstandard
           programming tricks used on the classic Mac don't work on the Mac II
           due to its different video card/monitor architecture...  many
           games, etc. don't run on the II for this reason and can cause some
           very impressive system crashes...  dcp ))

Canter fears that more of his customers may have been infected by the virus.
MacroMind's clients include Microsoft Corp., Lotus Development Corp., Apple
Computer Inc. and Ashton-Tate.

Microsoft has determined that none of its software has been infected, a
company spokeswoman said.  Apple and Lotus could not be reached for comment.
Ashton-Tate declined to comment.

Aldus would not comment on how many copies of FreeHand are infected, but
admits that a disk-duplicating machine copied the infected disk for three
days.  Half of the infected disks have been distributed to retail outlets;
the other half are in Aldus' warehouse.

Aldus will replace the infected disks with new, uninfected copies to any
FreeHand buyer who requests it, according to Aldus spokeswoman Laury Bryant.
The company will also replace the infected disks in its warehouse.

    (( As I recall, the DREW virus infects the System file on affected
           disks, but doesn't affect applications directly.  I suppose that
           Aldus could salvage the damaged disks by replacing the System
           folders with copies from a locked, uninfected disk... but it'll
           probably be faster for them to simply erase and reduplicate.

       I have no idea what Canadian liability laws are like these days...
           but I rather suspect that if MacMag were a United States company
           rather than a Canadian one, its publisher would now be extremely
           vulnerable to a liability-and-damages suit of some sort.  This
           escapade will probably cost Aldus a pretty piece of change in
           damage-control expenses and perhaps loss-of-sales or injury-to-
           reputation.

           Kids, don't try this sort of thing at home!      --- dcp ))


More on the Brandow virus [ANOTHER VERSION]

Dave Curry <davy@intrepid.ecn.purdue.edu>
Wed, 16 Mar 88 08:39:15 EST
From the Lafayette (IN) Journal & Courier, 3/16/88, p. A-12:

Publisher blamed for computer virus

  SEATTLE (AP) - Officials at Seattle's Aldus Corp. are blaming the publisher
of a Canadian computer magazine for a rogue computer program virus that has
popped up in commercial software, apparently for the first time.
  Richard Brandow, publisher of *MacMag* in Montreal, acknowledged Tuesday that
he wrote the so-called "March 2 peace message," but said he did so to point out
the dangers of software piracy.
  The relatively benign virus was discovered in FreeHand, a new program Aldus
developed for Apple Macintosh computers, according to spokeswoman Laury Bryant.
It apparently did not harm any computers and only flashed a brief message on
the computer screen.
  Nevertheless, the virus forced Aldus to recall or rework thousands of
packages of the new software and has prompted the company to threaten legal action.
  It also has sent a scare through the computer industry because of the manner
in which the virus apparently spread and because it challenged the previous
belief that off-the-shelf software largely was immune.
  "We feel that Richard Brandow's actions deserve to be condemned by every
member of the Macintosh community," Bryant said.

    [ description of what a virus is and warnings about getting software
      from bulletin boards ]

  The Aldus virus also caused consternation because several of the nation's
largest software companies are clients of a [sic] MacroMind, Inc. of Chicago,
a subcontractor that inadvertently spread the virus to Aldus.
  Brandow said the full message read: "Richard Brandow, the publisher of
MacMag, and its entire staff would like to take this opportunity to convey
their universal message of peace to all Macintosh users around the world."
Beneath that was a graphic of the globe.
  Brandow and Bryant said the virus erased itself after March 2, the
anniversary of the introduction of Apple's Macintosh SE and Macintosh II models.
  MacroMind president Marc Canter said Tuesday that he believed Aldus was the
only customer that received the virus.
  Among Canter's clients are the nation's three largest software producers -
Microsoft Corp. of Redmond, Ashton-Tate, and Lotus Development Corp. - and
Apple.
  Ashton-Tate declined comment, but officials at Microsoft, Apple and Lotus all
said none of their software was infected.

--Dave Curry, Purdue University
