The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 79

Saturday 7 May 1988


o Abuse of power by the press: PCs down BBall scoreboard clocks!
Richard Cook
o Re: Is the Press impressing or depressing?
Les Earnest
Cliff Stoll
o KAL007 - the defeaning silence continues
Clifford Johnson
o Risks of auditing for risks
Doug Claar
o Viruses and write-protection
Dennis Director
o Harrier ejection-seat accident
Henry Spencer
o Re: Military Aircraft Crashes in Germany
Henry Spencer
o Risks of Halon to the environment vs. risks of other fire protection (Dave Cornutt>
o Info on RISKS (comp.risks)


303 <"Richard Cook,>
Fri, 6 May 88 09:45 MDT
Subject: Abuse of power by the press: PCs down BBall scoreboard clocks!

During the Seattle SuperSonics and Denver Nuggets basketball game last night, 5
May 1988, officials encountered several problems with game clocks. Coverage in
the Boulder, Colorado, `Daily Camera' of 6 May included the following item:

"CLOCK TROUBLES: Seattle Coliseum officials were wringing their hands Thursday
night when the 24-second clock wasn't working when the game started. They
finally got it going with 8:14 to go in the first quarter--but their troubles
were far from over.

With 8:06 left in the second quarter, the scoreboard clock went out. They
got it going again with 6:54 left--but it went out again 30 seconds later
and did not work for the rest of the half.

The problem? It seems the scoreboard circuits were on the same electrical
line that the entire media corps was using to hook up their portable computers.
And, the line finally overloaded and blew out the scoreboard. When Sonics
officials discovered the problem, they frantically moved up and down press
row, asking reporters to switch to battery power."

This is presumably reliable evidence of increased use of portables by the
press since last year's playoffs...

Re: Is the Press impressing or depressing?

Les Earnest <LES@SAIL.Stanford.EDU>
04 May 88 1900 PDT
In RISKS DIGEST 6.71, Cliff Stoll reviews his experiences in running down
a cracker and in dealing with the press.  One of Cliff's remarks that
caught my eye was the following:

> Instead of closing our doors to this bastard, we monitored and traced him
> for about a year.

I am curious about _why_ this was done.  I agree that it is necessary
to spend some time watching crackers to be sure that you understand
their principal tricks, but once you have that information, I see no
point in prolonging the game — why not start slamming doors and harassing
them off your system?  You may not catch them, but you are likely to get
rid of the problem and the drain on your time a lot quicker that way.

Re: Is the Press impressing or depressing?

Cliff Stoll <cliff@Csa5.LBL.Gov>
Fri, 6 May 88 15:16:18 PDT
Just like Les Earnest, we at LBL take computer security seriously:  
we wish to keep our data intact, and we don't tolerate break-ins.  
Our philosophies differ.  Les slams his doors when he finds someone 
in his system. As outlined on page 490 of this month's CACM, 
remaining open to an intruder is a toughy.  We decided to go after 
such bastards intending to prosecute them.  If they aren't arrested, 
we'll do our best to sue them [cf: Cal. Penal  Code S. 502].  

In this particular case, instead of a sophmoric prankster, we found a 
mercenary who apparently sold stolen information.  He wasn't 
interested in games or academics — he sought (and received) 
military data.    Simply locking him out of our system would leave 
him free to roam around the networks, breaking into many other systems. 

I believe we owe a debt to our community of Internet nodes.  As in 
a neighborhood, each of us should report burglaries and breakins, 
and cooperate in nailing the SOBs.  For this reason,  we spent a lot of 
time on this work.   Les disagrees, and sees it as a game, rather 
than a service to a community of networked computer users.  

Most of your network partners won't detect a breakin.  Most that detect 
won't follow up.  A few will doggedly chase it down, and prosecute.  
We're in the latter category.

Cliff Stoll

Re: Is the Press impressing or depressing?

Les Earnest <LES@SAIL.Stanford.EDU>
06 May 88 1724 PDT
Regarding my question about why LBL didn't slam the door on their
international cracker, Cliff Stoll says:
> Les disagrees, and sees it as a game, rather than a service to a community
> of networked computer users.

On the contrary, it is precisely because I do _not_ see it as a game that
I do not wish to prolong it.  Indeed, if Stanford spent as much as a week
chasing down each cracker on its systems, it would be necessary to hire more
programmers just to do that.

In fact, there _are_ several people around Stanford who spend large
amounts of time programming special hacks to monitor crackers and then
spending weeks or months observing their activities.  For some reason,
these people seem to be mostly reformed crackers.  Perhaps they are reliving
former exploits.

I _am_ sympathetic to Cliff's argument that this was not an ordinary cracker
and deserved special treatment, but in general it may take quite a bit of
work to distinguish such a person from J. Random Cracker.

    Les Earnest

KAL007 - the defeaning silence continues

Clifford Johnson <>
Fri, 6 May 88 20:51:18 PDT
    From: Don Wegeng <Wegeng.Henr@Xerox.COM>
    In regards to the continuing debate in RISKS about the
    KAL007 incident, it appears that one side of the argument is
    putting all of its faith in the version of the story
    reported in the book "Shootdown". It seems to me that you
    are always at RISK when you chose to put all of your faith
    in a single source, be it a pressure sensor in an engine,
    the phone company's billing system, an elected official, or
    a book about an aircraft that was shot down.

   [... and the OTHER side of the story is putting its faith on information
   that is all derived from one set of interrelated sources???  PGN]

Re Shootdown versus other books on KAL007, I don't think faith comes into it.
All the varieties of hypotheses and facts I've seen in other books are
discussed in depth (with source references) for all facts in Shootdown.  This
is not true of the other books, which by comparison cannot be taken anything
like as seriously.  Shootdown provided some 700 citations (some of which I
checked out and found accurately stated) and weighed the facts without reaching
a definite conclusion other than that an inquiry was warranted. Hirsh, without
citations, and without adding any significant new facts, told a silly story
based on a rather small subset of the facts that suited his flagrantly
unjustified assertion, delivered as fact, that KAL007 was not a spy flight.
Shootdown covered pretty much every point that Hirsh made, whereas Hirsh made
*many glaring* omissions.  Hirsh spent ages recounting a route dismissed by
Shootdown (Ewing's version), and chose to ignore most of the evidence that
pointed to espionage.  (Sure Shootdown had a few mistakes, but nothing
crucial.)  Hirsh made a huge fanfare of the fact that the administration
falsely asserted that it thought the Soviets knew KAL007 was a passenger
flight, a deception admitted a couple of years before Hirsh's "revelations."

    From: Nancy Leveson <>
       "During the first six months of 1978, 16 flights were observed
       off track by more than 50 miles, while eight were spotted by
       coastal radars 100 miles or more off track.  The three greatest
       cross track errors were 180, 400, and 700 miles."
    I believe the KAL007 flight was 250 miles off track, which
    is within the bounds of previous incidents that were
    assuredly accidental.  I have no data to determine whether
    navigation errors are more or less frequent or have a
    different average size over the North Pacific as opposed to
    the North Atlantic.

I think KAL007 was about 365 nautical miles off course.  I find it astonishing
that the contrived possibility that KAL007 could have been accidentally off
course is interpreted as proof that this was the case, and so the espionage
possibility is eliminated without even considering its affirmative evidence.
I'm sure that the mere fact that other air flights have been off course is not
a valid comparison.  The other flights seem to have been over the ocean,
whereas KAL007 passed over obvious-to-radar mountain-islands (it wasn't
supposed to) and made consecutive course changes, all "incorrectly."  How many
of the other off-course flights were delayed due to favorable winds shortening
the anticipated flight time, yet signed for additional fuel and rejected paying
cargo, and then began flying unusually slowly, and then had their false
positions relayed by a follow-on flight (KAL015)?  Far from being delayed due
to the same favorable winds, KAL015 took off six minutes *early* and proceeded
so fast that its Mach buzzer would have sounded had it not been switched off.
Facts such as KAL007 being ordered to report directly are suppressed by Hirsh,
who simply tells us that no one was concerned at KAL007's not reporting its own
position.  Hirsh doen't mention the weird speed patterns of both flights, nor
think it worth mentioning that KAL007 and KAL015 were using the wrong
transponder codes, nor that the Japanese radar tapes reported KAL007 dived when
it requested permission to ascend, nor that this maneuver improbably occured
after hours of radio silence, immediately the Soviet pilot reported having
established a lock on KAL007... etc.

As I've said, Shootdown should be read for a review of the quite astonishing
indications that KAL007 was on a deliberate mission, and for an account of the
inadequacy of computer-pilot errors for the actual route.

KAL007 "accidentally" overflew the Soviets' second largest submarine base. I
believe the world record for an off-course flight occured in 1978, when a KAL
flight was 1,000 miles off-course, "accidentally" flying over the Soviets
largest submarine base (Murmansk).  The alarm was sounded by passengers noting
the sun was on the wrong side of the plane.

Hirsh writes of his "one basic finding of the book, that the Korean airliner
was not a spy plane... The publication clearly diminished the zeal of those
public interest groups that had been insisting Flight 007 was deliberately sent
over the Soviet Union."  Hirsh's major finding is relegated to a footnote, that
dismisses the espionage hypothesis on the ground that his unnamed intelligence
sources had not heard of the flight in advance.  Not only a slender reed for
such a conclusion, but an invisible reed.  Hirsh does not address the merits of
those like me and R.W.Johnson who admit grave doubts and ask for an inquiry.
He seems to think his silly book is gospel.  I am left wondering whether he
deliberately left out key evidence, or whether he is as bad an investigative
journalist as his KAL007 book demonstrates.  Hirsh himself found a conspiracy
to cover-up the facts of KAL007's shootdown.  I think that PGN's tentative
suggestion that the matter might still be incompletely unravelled simply
cannot be denied - at least until a public inquiry is instigated.

risks of auditing for risks...

Doug Claar <dclaar%hpda@hplabs.HP.COM>
Fri, 6 May 88 17:09:34 pdt
Our site is recently underwent corporate audit. Among the things checked for
was pirated PC software. In preparation for this audit, our local EDP folks
ran a little program which looks at program files on the hard disk, and
attempts to figure out what products they represent. This introduced some
risks to the local computing community: First, the program only checks
program names against its database, and not sizes or checksums or...  In
addition, if any one file of a product is recognized, the user is assumed to
have that product. Needless to say, there were lots of false positives.
Since EDP had the secretaries running the program, there was lots of "Do you
have master floppies for X?" "No, I don't have X on my disk."  "Well, you
have to get rid of it, because this says you have it."

The second risk was potentially much more devastating--the secretary brought
around a floppy, stuck it in 'your' system, and ran the program. Of course,
you have relatively little choice in the matter, since it IS the company's
PC. The program was designed to dump its output back onto the floppy, so the
floppy wasn't write protected! (I didn't even think of this until after my
system had been checked). All I could do is hope that, if anyone had a virus
on their PC, their system was tested AFTER mine...

Doug Claar, HP Information Software Division
UUCP: { ihnp4 | mcvax!decvax }!hplabs!hpda!dclaar -or- ucbvax!hpda!dclaar

Viruses and write-protection

Dennis Director <>
Thu May 5 16:40:20 1988 CDT
Enough is Enough!

Regarding the effectiveness of hardware write-protection for protecting the
operating system and programs from computer viruses, I offer the following

I have an XT-compatible computer with DOS 3.2 and all of its utilities and
programs in the write-protected portion of the hard disk.  I invite both Dr.
Fred Cohen of the University of Cincinnati and William Murray to come to my
office at the Technology Innovation Center, Northwestern University with the
press or any other mutually agreed upon reliable witness.  I also invite them
to bring along any or all virus infected programs that they have collected or
written for the occasion.  I am (100%) sure that none of these programs will
modify my boot block, my partition table, the operating system files or any of
the DOS programs (.COM or .EXE) stored on my hard disk, which will be hardware
write-protected.  A scratch area of the hard disk will be writeable at all
times.  Simply copying a Trojan Horse into the scratch section of the disk,
should obviously not be considered "infecting my system".

Since Dr. Cohen has stated that "you cannot write protect lotus, etc because of
copy protection" we will also have a copy of Lotus 123 installed and working in
the write-protected section, as we have had for almost two years.  This will be
a fully legitimate copy-protected installed version of 123.  It runs perfectly
from the write-protected zone and cannot be infected.

Why go on debating that which can be simply demonstrated?  Seems like a fair
offer to me!                                                   Dennis Director

Harrier ejection-seat accident

Fri, 6 May 88 15:49:10 EDT
A while ago I mentioned the incident in which a Harrier pilot was apparently
pulled out of his aircraft after the parachute-deployment system on his
ejection seat fired through the canopy.  Flight International just printed
a summary of the final report on the accident.

The problem does indeed appear to have been an accidental firing of the
parachute-deployment system, which is powerful enough to punch its way
through the canopy.  The question is why it fired.  The Harrier flew west
on autopilot until it ran out of fuel, and went down in deep ocean; the
wreckage has not been located despite an extensive search.  (The general
nature of the accident is known because air traffic control, after being
unable to raise the pilot, had another aircraft take a look.)

The inquiry came up with three hypotheses.  In the absence of wreckage,
there is no way to be sure of the answer.  However, two of the hypotheses
require multiple errors and/or multiple failures.  The third is considered
most plausible:  if the seat was lowered, and there was a foreign object
underneath it in just the right place, a connecting linkage on the seat's
underside could have been bent enough to fire the deployment system.  The
Harrier cockpit equipment includes a utility light on a coiled cable; it
is strong enough and large enough to have done the trick, and could have
ended up in the right place if it fell off its bracket.  Also, there is
reason to suspect that the pilot may have lowered the seat at about the
right time:  he was to perform some tests that required a clear view of
the instrument panel, and he was flying into the setting sun, so once he
was flying safely on autopilot he might well have lowered the seat for
a better view of the panel.

Martin-Baker, manufacturers of the ejection seat (with a generally very high
reputation for quality products), are adding a guard over the linkage.  (I'm a
bit surprised that this wasn't done in the original design; somebody assumed
that the cockpit was a controlled environment in which such things couldn't
happen.)  The utility lights have been removed from the Harriers until this is

Henry Spencer @ U of Toronto Zoology   {ihnp4,decvax,uunet!mnetor}!utzoo!henry

Re: Military Aircraft Crashes in Germany

Fri, 6 May 88 15:30:26 EDT
> ... The press says that, in each case, a much worse disaster was only
> narrowly avoided ...  The crashes occured just down the flight path from:
> a nuclear generating station, a munitions dump, and an inhabited village.

I can't speak for the munitions dump and the village, but nuclear-reactor
containment buildings are deliberately designed to survive a direct hit
from a crashing airliner (not as fast as a military jet, in general, but
much, much heavier).

> In all, 35 military aircraft have fallen out of the skies here since 1960.  I
> have no idea how this compares with other countries.

I don't have regional numbers on such losses, but even peacetime military
flying is much more dangerous than most people think.  Flight International
regularly publishes flight-safety reviews that list all known crashes and
related incidents; the annual military safety review, at one line per
occurrence, typically covers a couple of pages.

Henry Spencer @ U of Toronto Zoology   {ihnp4,decvax,uunet!mnetor}!utzoo!henry

Risks of Halon to the environment vs. risks of other fire protection

Wed, 4 May 16:09:52 1988
Due to the recent concerns about depletion of the atmosphere's ozone layer,
there is a possibility that manufacture and sale of certain fluorocarbons may
be banned or severely restricted by international treaty.  One of these
fluorocarbons is Halon.

So, we have to weigh the risks of environmental harm caused by Halon against
the risks posed by other types of systems.  What exactly are the
environmental risks of using Halon?  The questions here are:

1. Does Halon disassociate in the upper atmosphere and produce ozone-destroying
free radicals, like Freon does?  (I suspect that it does, as they're chemically

2. How much Halon is discharged into the atmosphere each year?  Of the total
amount of flourocarbons which escape into the atmoshpere, what percentage of it
is Halon?

3. Does this environmental threat outweigh the risks to property and humans
posed by other systems?  (Halon does not conduct electricity, interfere with
respiration, lower the room temperature, leave a solid residue, or lower the
room temperature on discharge.  All other systems — water, CO2, nitrogen, dry
chemical, etc. — have at least one of these undesirable properties.)

If Halon were banned, what fire protection system would you use?  Is its use a
serious RISK, or is there a greater RISK in not speaking up for it?

Dave Cornutt, AT&T Bell Labs (rm 4A406,x1088), Holmdel, NJ
"The opinions expressed herein are not necessarily my employer's, not
necessarily mine, and probably not necessary"

    [See previous discussions on this subject in RISK-5.27 and 28.  PGN]

Please report problems with the web pages to the maintainer