The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 50

Monday 28 March 1988

Contents

o Short stories of old computer risks
Les Earnest
o NY TIMES on risks of cockpit automation
Jon Jacky
o Credit-limit handling found overly restrictive
Wayne H. Badger
o Decomposing checks
David Rogers
o Notifying users of security problems
Andy Goldstein
o Entrepreneurial Viruses
Chuck Weinstock
o Early viruses
Sayed A. Banawan
o Person-in-the-Loop Amendment Signed into Law
Fred Baube
o Info on RISKS (comp.risks)

Short stories of old computer risks

Les Earnest <LES@SAIL.Stanford.EDU>
28 Mar 88 1641 PST
Tired of viruses?  I was just purging some old files and ran across a
trilogy of true short stories that I posted on the Stanford bboards two
years ago.  The incidents described span a period of twenty years ending 25
years ago, but I think they are still amusingly relevant.  


Kick the Mongrel   

In a previous account I told how reading a book on cryptography led to my
getting an F.B.I. record at the age of 12 and about subsequent awkwardness in
obtaining a security clearance.  I will now describe how I learned that putting
provocative information on a security clearance form can accelerate the
clearance process.  First let me describe the environment that gave rise to
this occurrence.

            White Faces in New Places

In 1963, after living in Lexington, Massachusetts for 7 years, my wife and I
moved to the Washington D.C. area to help set up a new office for Mitre
Corporation.  After three days of searching, we bought a house then under
construction in a pleasant new suburb called Mantua Hills, near Fairfax,
Virginia.  I hadn't noticed it during our search, but it soon became evident
that there were nothing but white faces in this area.  In fact, there were
nothing but white faces for miles around.

We expected to find some cultural differences and did.  For example, people
drove much less aggressively than in Boston.  The first time that I did a
Boston-style bluff at a traffic circle, the other cars yielded! This took all
the fun out of it and I was embarrassed into driving more conservatively.

When I applied for a Virginia driver's license, I noticed that the second
question on the application, just after "Name," was "Race."  When filling out
forms, I have always made it a practice to omit information that I think is
irrelevant.  It seemed to me that my race had nothing to do with driving a car,
so I left it blank.

When I handed the application to the clerk along with the fee, he just looked
at me, marked "W" in the blank field and threw it on a stack.  I guess that he
had learned that this was the easiest way to deal with outlanders.

Our contractor was a bit slow in finishing the house.  We knew that there was
mail headed our way that was probably accumulating in the post office, so we
put up the mailbox even before the house was finished.  The first day we got
just two letters -- from the American Civil Liberties Union and Martin Luther
King's organization.  We figured that this was the Post Office staff's way of
letting us know that they were on to us.  Sure enough, the next day we got the
rest of our accumulated mail, a large stack.

It shortly became apparent that on all forms in Virginia, the second question
was "Race."  Someone informed me that as far as the Commonwealth of Virginia
was concerned, there were just two races: "white" and "colored."  When our kids
brought forms home from school, I started putting a "C" after the second
question, leaving it to the authorities to figure out whether that meant
"Colored" or "Caucasian."

            Racing Clearance

About this time, my boss and I and another colleague applied for a special
security clearance that we needed.  There are certain clearances that can't be
named in public -- it was one of those.  I had held an ordinary Top Secret
clearance for a number of years and had held the un-namable clearance a short
time before, so I did not anticipate any problems.

When I filled out the security form, I noticed that question #5 was "Race."  In
the past I had not paid attention to this question; I had always thoughtlessly
written "Caucasian."  Having been sensitized by my new environment, I
re-examined the question.

All of my known forebears came from Europe, mostly from Southern Germany with a
few from England, Ireland, and Scotland.  A glance in the mirror, however,
indicated that there was Middle Eastern blood in my veins.  I have a semitic
nose and skin that tans so easily that I am often darker than many people who
pass for black.  Did I inherit this from a Hebrew, an Arab, a Gypsy or perhaps
one of the Turks who periodically pillaged Central Europe?  Maybe it was from a
Blackfoot Indian that an imaginative aunt thinks was in our family tree.  I
will probably never know.

As an arrogant young computer scientist, I believed that if there is any
decision that you can't figure out how to program, the question is wrong.  I
couldn't figure out how to program racial classification, so I concluded that
there isn't such a thing.  I subsequently reviewed some scientific literature
that confirmed this belief.  "Race" is, at best, a fuzzy concept about typical
physical properties of certain populations.  At worst, of course, it is used to
justify more contemptible behavior than any concept other than religion.

In answer to the race question on the security form, I decided to put
"mongrel."  This seemed like an appropriate answer to a meaningless question.

Shortly after I handed in the form, I received a call from a secretary in the
security office of the Defense Communications Agency.  She said that she had
noticed a typographical error in the fifth question where it said "mongrel."
She asked if I didn't mean "Mongol."  "No thanks," I said, "I really meant
`mongrel.'"  She ended the conversation rather quickly.

A few hours later I received a call from the chief security officer of D.C.A.,
who I happened to know.  "Hey, Les," he said in a friendly way, "I'd like to
talk to you the next time you're over here."  I agreed to meet him the
following week.

When I got there, he tried to talk me out of answering the race question
"incorrectly."  I asked him what he thought was the right answer.  "You know,
Caucasian," he replied.  "Oh, you mean someone from the Caucusus Mountains of
the U.S.S.R.?" I asked pointedly.  "No, you know, `white.'"  "Actually, I don't
know," I said.

We got into a lengthy discussion in which he informed me that as far as the
Defense Department was concerned there were five races:  Caucasian, Negro,
Oriental, American Indian, and something else that I don't remember.  I asked
him how he would classify someone who was, by his definition, 7/8 Caucasian and
1/8 Negro.  He said he wasn't sure.  I asked how he classified Egyptians and
Ethiopians.  He wasn't sure.

I said that I wasn't sure either and that "mongrel" seemed like the best answer
for me.  He finally agreed to forward my form to the security authorities but
warned that I was asking for trouble.

            A Question of Stability

I knew what to expect from a security background investigation: neighbors and
former acquaintances let you know it is going on by asking "What are they
trying to get you for?" and kidding you about what they told the investigators.
Within a week after my application for the new clearance was submitted, it
became apparent that the investigation was already underway and that the agents
were hammering everyone they talked to about my "mental stability."

The personnel manager where I worked was interviewed quite early and came to me
saying "My God! They think you're crazy! What did you do, rape a polo pony?"
He also remarked that they had asked him if he knew me socially and that he had
answered "Yes, we just celebrated Guy Fawkes Day together."  When the
investigator wanted to know "What is Guy Fawkes Day?"  he started to explain
the gunpowder plot but thought better of it.  He settled for the explanation
that "It's a British holiday."

An artist friend named Linda, who lived two houses away from us, said that she
had no trouble answering the investigator's questions about my stability.  She
said that she recalled our party the week before when we had formed two teams
to "Walk the plank."  In this game, participants take turns walking the length
of a 2 x 4 set on edge and drinking a small amount of beer.  Anyone who steps
off is eliminated and the team with the most total crossings after some number
of rounds wins.  Linda said that she remembered I was one of the most stable
participants.

I was glad that she had not remembered my instability at an earlier party of
hers when I had fallen off a skateboard, broken my watch and bruised my ribs.
The embarrassing cause of the accident was that I had run over the bottom of my
own toga!

The investigation continued full tilt everywhere I had lived.  After about
three months it stopped and a month later I was suddenly informed that the
clearance had been granted.  The other two people whose investigations were
begun at the same time did not receive their clearances until several months
later.

In comparing notes, it appeared that the investigators did the background
checks on my colleagues in a much more leisurely manner.  We concluded that my
application had received priority treatment.  The investigators had done their
best to pin something on me and, having failed, gave me the clearance.

The lesson was clear:  if you want a clearance in a hurry, put something on
your history form that will make the investigators suspicious but that is not
damning.  They get so many dull backgrounds to check that they relish the
possibility of actually nailing someone.  By being a bit provocative, you draw
priority attention and quicker service.

After I received the clearance, I expected no further effects from my
provocative answer.  As it turned out, there was an unexpected repercussion a
year later and an unexpected victory the year after that.  But that is another
story.
                                   Les Earnest

  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

The Missed Punch   

An earlier account described how I came to list my race as "mongrel" on a
security clearance application and how the clearance was granted in an
unusually short time.  I will now describe a subsequent repercussion
that was a byproduct of a new computer application.

            Mongrel in a Star-chamber

In early 1965, about a year after I had been granted a supplementary security
clearance, I received a certified letter directing me to report to the Air
Force Office of Special Investigations at Suitland, Maryland very early in the
morning on a certain day four weeks later.  To one whose brain seldom functions
before 10am, this was a singularly unappealing trip request.

My wife somehow got me up early on the appointed day and I drove off in my TR-3
with the top down, as usual, even though it was a cold winter morning.  I hoped
that the air would stimulate my transition to an awakened state.

When I arrived and identified myself, I was immediately ushered into a long
narrow room with venetian blinds on one side turned to block the meager morning
light.  I was seated on one side of a table on which there were two goose-neck
lamps directed into my eyes.  There was no other light in the room, so I could
barely see the three inquisitors who took positions on the opposite side of the
table.

Someone punched on a tape recorder and the trio began taking turns at poking
into my past.  They appeared to be trying to convince me that I was in deep
trouble.  While the pace and tone of their questions were clearly aimed at
intimidation, they showed surprisingly little interest in my answers.  I
managed to stay relaxed, partly because I was not yet fully awake.

They asked whether I had any association with a certain professor at San Diego
State College, which I had attended for one year.  I recognized his name as
being one who was harassed as an alleged Communist sympathizer by the House
Un-American Activities Committee during the McCarthy Era.

Responding to the interrogator's question, I answered that I did not know him
but that I might have met him socially since he and my mother were on the
faculty concurrently.  They wanted to know with certainty whether I had taken
any classes from him.  I said that I had not.

They next wanted to know how well I knew Linus Pauling, who they knew was a
professor at Caltech when I was a student there.  I acknowledged that he was my
freshman chemistry professor and that I had visited his home once.  (I did not
mention that Pauling's lectures had so inspired me that I decided to become a
chemist.  It was not until I took a sophomore course in physical chemistry that
I realized that chemistry wasn't as much fun as I had thought.  After that, I
switched majors in rapid succession to Geology, Civil Engineering, then
Electrical Engineering.  I ended up working in a still different field.)

I recalled that Pauling had been regularly harassed by certain government
agencies during the McCarthy Era because of his leftist "peacenik" views.  He
was barred from overseas travel on occasion and the harassment continued even
after he won his first Nobel Prize but seemed to diminish after the second one,
the peace prize.

The inquisitors next wanted to know how often I got together with one of my
uncles.  I acknowledged that we met occasionally, the last time being a few
months earlier when our families dined together.  It sounded as though they
thought they had something on him.  I knew him to be a very able person with a
distinguished career in public service.  He had been City Manager of Ft.
Lauderdale and several other cities and had held a number of diplomatic posts
with the State Department.  It occurred to me that they might be planning to
nail him for associating with a known mongrel.

The questions continued in this vein for hours without a break.  I kept waiting
for them to bring up a Caltech acquaintance named Bernon Mitchell, who had
lived in the same student house as me.  Mitchell had later taken a position at
the National Security Agency, working in cryptography, then defected to the
Soviet Union with a fellow employee.  They were apparently closet gays.

In fact, the inquisitors never mentioned Mitchell.  This suggested that they
may not have done a very thorough investigation.  A more likely explanation was
that Mitchell and his boyfriend represented a serious failure of the security
clearance establishment -- one that they would rather not talk about.

After about three and a half hours of nonstop questioning I was beginning to
wake up.  I was also beginning to get pissed off over their seemingly endless
fishing expedition.  At this point there was a short pause and a rustling of
papers.  I sensed that they were finally getting around to the main course.

"We note that on your history form you claim to be a mongrel," said the man in
the middle.  "What makes you think you are a mongrel?"  "That seems to be the
best available answer to an ill-defined question," I responded.  We began an
exchange that was very much like my earlier discussion with the security
officer in the Defense Communications Agency.  As before, I asked how they
identified various racial groups and how they classified people who were
mixtures of these "races."

The interrogators seemed to be taken aback at my asking them questions.  They
asked why I was trying to make trouble.  I asked them why they would not answer
my questions.  When no answers were forthcoming, I finally pointed out that "It
is clear that you do not know how to determine the race of any given person, so
it is unreasonable for you to expect me to.  I would now like to know what you
want from me."

The interrogators began whispering among themselves.  They had apparently
planned to force me to admit my true race and were not prepared for an
alternative outcome.  Finally, the man in the center spoke up saying, "Are you
willing to sign a sworn statement about your race?"  "Certainly," I said.  They
then turned up the lights and called for a secretary.

She appeared with notebook in hand and I dictated a statement: "I declare that
to the best of my knowledge I am a mongrel."  "Don't you think you should say
more than that," said the chief interrogator.  "I think that covers it," I
replied.  The secretary shrugged and went off to type the statement.

            Punch Line

With the main business out of the way, things lightened up -- literally.  They
opened the venetian blinds to let in some sunlight and offered me a cup of
coffee, which I accepted.  We had some friendly conversation, then I signed the
typed statement, which was duly notarized.

My former tormentors now seemed slightly apologetic about the whole affair.  I
asked them what had prompted this investigation.  After some glances back and
forth, one of them admitted that "We were putting our clearance data base on
punched cards and found that there was no punch for `mongrel'."

I thought about this for a moment, then asked "Why didn't you add a new punch?"
"We don't have any programmers here" was the answer.  "We got the program from
another agency."

I said, "Surely I am not the only person to give a non-standard answer.  With
all the civil rights activists now in government service, some of them must
have at least refused to answer the race question."  The atmosphere became
noticeably chillier as one of them answered, with clinched teeth, "You're the
only one.  The rest of those people seem to know their race."

It was clear that they believed I had caused this problem, but it appeared to
me that the entire thrash was triggered by the combination of a stupid question
and the common programmer's blunder of creating a categorization that does not
include "Other" as an option.

The security people apparently found it impractical to obtain the hour or two
of a programmer's time that would have been needed to fix the code to deal with
my case, so they chose instead to work with their standard tools.  This led to
an expenditure of hundreds of man-hours of effort in gathering information to
try to intimidate me into changing my answer.

I was surprised to learn that nearly everyone believed in the mythical concept
of racial classification.  It appeared that even people who were victims of
discrimination acknowledged their classification as part of their identity.

I never did find out how the security investigators coped with the fact that I
remained a mongrel, but in 1966 I discovered that something very good had
happened: the "race" question had disappeared from the security clearance form.
I liked to think that I helped that change along.

Unfortunately, almost the same question reappeared on that form and most other
personnel forms a few years later, under the guise of "ethnic" classification.
I believe that that question is just as meaningless as the race question and I
have consistently answered it the same way during the intervening 20 years.

I now invite others to join me in this self-declassification, with the hope and
expectation that one day the bureaucrats and politicians will be forced to quit
playing with this issue and will come to realize that the United States of
America is a nation of egalitarian mongrels.  I believe that we will all be
better off.

In any case, whenever you design a database, please don't forget the "other"
category.
                                Les Earnest

     [A Shaggy Database Story, for a change.  PGN]


NY TIMES on risks of cockpit automation

Jon Jacky <jon@june.cs.washington.edu>
Mon, 28 Mar 88 09:45:52 PST
The cover story of the March 27, 1988 NEW YORK TIMES MAGAZINE is "Trouble in
the Cockpit: The Airlines Tackle Pilot Error," by William Stockton.  The 
story relates several incidents in which over-reliance on autopilots is
thought to have contributed to accidents or near-accidents:

"Last July 8, the crew in a Delta Airlines L-1011 en route to the US from
Europe strayed 60 miles off course and came within 100 feet of colliding
with a Continental Airlines 747.  The consensus among safety experts
is that the Delta pilots entered the wrong data in a computer navigation
system and then failed to frequently verify their position by other means."

"(Three years ago) a China Airlines 747 ... went out of control and fell
30,000 feet in less than two minutes,  upside down much of the time ...
(First) the outboard engine on the right wing ... quit.  The loss of the
engine cause the airplane to try to turn to the right. (The autopilot
tried to compensate, turning the plane to the left).  With his attention
focused, inappropriately, almost exclusively on the engine problem, the
captain failed... to realize that the airplane and the autopilot had become
engaged in a tug-of-war ... The captain was entirely oblivious to it because
he was letting the autopilot fly and did not actually have his hands on the
control wheel ... Finally, he disconnected the autopilot and took hold of the
control wheel to fly the plane himself.  In that instant, the plane
immediately won the tug of war with the autopilot .. The 747 rolled 
dramatically to the right (The pilot apparently did not immediately 
understand what was happening and did not compensate appropriately) and 
within a few seconds the 747 was on its back, plummeting earthward.
"If he had just turned the autopilot off when the engine problem first
developed, none of it would have happened," says (a human factors expert).

"In 1972, an Eastern Airlines L-1011 crashed in the Florida Everglades
killing 100 people.  When a light that indicates whether the landing gear
are up or down did not illuminate, all three pilots in the cockpit became
engrossed in the problem, which turned out to be a faulty light bulb.  The
tape recording of the cockpit conversation revealed that no one had noticed
that the autopilot had been inadvertantly disengaged and the airplane had
begun a gradual descent which finally led to its crashing"

The article cites recent human factors research that reveals crews often
handle sudden catastrophes better than a series of small nuisance incidents
which gradually builds into a disaster.

- Jon Jacky, University of Washington


Credit-limit handling found overly restrictive

<LENOIL@XX.LCS.MIT.EDU>
Mon, 28 Mar 1988 19:06 EST
I called my Mastercard bank and they informed me that authorizations remain in
effect for 10 days if not removed.  Authorizations can be removed in two ways:

    1.  If a bill comes in for the exact amount of the authorization
    on the same day, the authorization will be replaced with the bill.

    2.  A company can remove the authorization by arrangements through
    their bank in what is apparently a difficult procedure.

This sounds totally bogus.  Whenever a merchant calls for authorization, (s)he
is given an authorization number and writes that number on the charge slip.  I
assume that the number is used to remove the associated hold, which is then
replaced with the actual charge.  If your bank doesn't work this way, you
should switch to one that does. (I've never had a problem with my Citibank
MasterCard, so I don't think the problem is endemic to MasterCards.)


Decomposing checks

David Rogers <drogers@riacs.edu>
Mon, 28 Mar 88 13:16:42 PST
Actually, the reason the scheme worked is more subtle that PGN mentioned (the
national news got this wrong, also).  When you deposit a check, the money is
automatically deposited in your account, but a `hold' for that amount is also
placed on your account.  If the bank does *not* receive a notice that the check
bounced in 5 days, the hold expires, and the money can be removed.  There is no
rush to get the money out, since the decomposed check cannot be traced back to
the original account.

Because this scheme requires a knowledge of bank's procedures for depositing
checks, they think this was an inside job, done by someone who works or worked
at a bank.

David Rogers     <Also noted by Bob Frankston>


Notifying users of security problems

Andy Goldstein <goldstein%star.DEC@decwrl.dec.com>
Mon, 28 Mar 88 08:28:40 PST
Klaus Brunnstein, University of Hamburg, Faculty for Informatics writes:
> Surprisingly fast, Apple Germany found out about the MacInVirus and informed
> it's users by email with the following text (cited without permission):
>   `A product manager in Apple Germany, Kurt Bierbaum (BIERBAUM1) has found a
>   disk in Germany which destroys hard disks and the applications that run on
>   them. [...]
> With this rather quick information, Apple reacted much faster than DEC did
> in 1987 when the missing CLOSE in the password control routine in it's VMS
> 4.4/4.5 versions was detected, [...]

I would be more impressed with this comparison if Apple had

(1) Notified all Mac users worldwide of this problem, and

(2) included with the notification machine readable copy an anti-virus
    which one could install to defeat the virus.

This would be more equivalent to what DEC did regarding the V4.4/V4/5 bug. I do
not know exactly what form of "email" Mr. Brunnstein refers to in his message,
but for the sake of argument I will presume it to mean the various networks
that join most academic and research institutions. For DEC, at least, such
networks reach only a small percentage of its customer base. Sending out notice
of a security problem to a subset of one's user base, even if the notice
includes a correction for the problem, does a great disservice to the remaining
users. (Sending out notice of the presence of a bug without a correction or
workaround is of course even more irresponsible.)

A virus is most harmful when users are unaware of it (and thus take no
precautions to prevent its spread). The seriousness of a security bug, on the
other hand, is directly proportional to how far knowledge of the bug has
propagated, because knowledge of the bug is what permits an attacker to exploit
it. By informing a subset of one's user community, one spreads knowledge of the
bug and thus raises the exposure to attack of the remaining users who are not
yet so informed.  For example, circumstantial evidence suggests that
publication of the patch for the V4.4/V4.5 bug in INFO-VAX may have been the
means by which the CCC learned of the bug's existence. Only when all computer
installations in the world are offered access at reasonable terms to ARPAnet,
Bitnet, or their siblings will I be convinced that such electronic distribution
is a fair and viable means of informing users about security problems. In the
meantime, DEC must use its own means to reach all its users.

I do not for a moment mean to imply that DEC's response in 1987 is the best
that we can do. A number of mishaps of the sort that tend to befall large
corporations conspired to delay getting the fix into all users hands.
Additional delays occurred with some customers in the form of the fix sitting
on the wrong person's desk or other confusion.  The difficulties in dealing
with the V4.5 bug have gotten the corporation's attention in a serious way, and
I think it's fair to say that should the need for a repeat performance occur,
we will do a lot better.
                    - Andy Goldstein, VMS Development


Entrepreneurial Viruses

Chuck Weinstock <weinstoc@SEI.CMU.EDU>
Mon, 28 Mar 88 11:11:32 EST
An obvious next step in the virus business is to develop a virus, watch it
spread, and then sell a vaccination and/or a cure at a high price.


Early viruses (RE: RISKS-6.48)

<BANAWAN%houston.csnet@RELAY.CS.NET>
Thu, 24 Mar 88 11:54 CST
Commenting on Kevin Driscoll, if the first virus was: 
       Move(program counter) program counter+1

I used a similar instruction all the time when my school was using IBM 1620.
The instruction set of this machine operates on fields of arbitrary length.
For those readers who do not know, there was no operating system. Furthmore,
it was used exclusively by a single user. To have a fresh start, each time a
new program is to run the memory is fully cleared by a statement that move
the field that starts in byte 2 to the field that starts at byte 3.  This
instruction was entered and executed by the operator from the console.  The
result can be seen at the panel: the memory is filled by zeros continutously
It was quite legitimate (and highly recommended) thing to do before you run
a new program.
                       Sayed A. Banawan, University of Houston


Person-in-the-Loop Amendment Signed into Law

<fbaube@note.nsf.gov>
Thu, 24 Mar 88 13:20:39 -0500
This from the Winter 1988 CPSR Newsletter:  The 1988 Defense Authorization
Act, signed into law, had this amendment, sponsored by Dale Bumpers:

  "No agency of the Federal government may pay for, fund, or otherwise
  support the development of command and control systems for strategic defense
  in the boost or post-boost phase against ballistic missile threats that
  would permit such strategic defense to initiate the directing of damaging or
  lethal fire except by affirmative human discretion at an appropriate level
  of authority."

For bureaucracy-watchers, the full citation is:

  National Defense Authorization Act for FY 1988-89
  H.R. 1748
  Division A  (Dept. of Defense Authorizations)
  Title II    (Research, Development, Test, and Evaluation)
  Part C      (Strategic Defense Initiative)
  Subpart 1   (SDI Funding and Program Limitations and Req'ts)
  Section 224 (SDI Architecture to Require Human Decisionmaking)

Not that a loophole mentality would be slowed a bit by this ..

#include <disclaimer.h>

Please report problems with the web pages to the maintainer

Top