The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 84

Monday 16 May 1988

Contents

o Friday the 13th, Part N
PGN
o 'Jerusalem Virus' Bet Ends in a Draw; May 13th...
Amos Shapir
o Re: Risks in timestamps ...
Ken Barr
o Re: Lost homework due to the computer
David Sherman
o Chicago Phone Fire
PGN
James M. Boyle quoting Christine Winter
Paul Czarnecki
Patrick A. Townson
o Info on RISKS (comp.risks)

Friday the 13th, Part N

Peter G. Neumann <NEUMANN@csl.sri.com>
Mon 16 May 88 13:34:05-PDT
A few comments are in order on Friday the 13th, Part One and Only for 1988.

That this incident was a rumor rather than a real threat is not important.  It
did have some basis in truth -- even if only a faint glimmer.  The rumor might
have had its roots in an actual bug discovered in a test version of a test
version of Sun 4.0 on the Sun 4/110.  That bug had nothing in particular to do
with a time-bomb, and was just a garden-variety bug.  As the rumor spread, the
bug was transmogrified into a virus on all 4.0 machines, and later into a virus
in all releases back to 1.4.  But throughout, it seems there never were was any
real theat of Friday the 13th Sun spot activity, and that there never was a
time bomb.  All in all, it is my impression that Sun behaved admirably
throughout the incident, and took the entire incident with great seriousness.

There are some important lessons to be learned.

 * In our electronic age it is possible for rumors to span the networld
   within an incredibly short time.

 * The risks of such a rumor are enormous.  Entire companies could be
   threatened by a well-placed and partially founded but credible rumor.

 * Computer-network security problems (e.g., Trojan horses and viruses) 
   are intrinsic.  They are not going to go away, although better computer
   systems and networks will help a little.  

 * Simplistic solutions are vulnerable.  They may be even more dangerous
   than NO solutions if they lull people into a false sense of security.

 * Although it was probably very painful for Sun, this was in retrospect a
   valuable exercise, a little like a fire-drill but sufficiently
   indistinguishable from the real thing that people had to react as if it were
   real.  How many times have you heard people saying that they were going to
   keep backups (perhaps even off-site) of everything, but had not yet gotten
   around to it because nothing had ever happened before...  But don't get me
   wrong -- I'm not recommending this kind of fire-drill.

[By the way, recall that the ORIGINAL Friday the 13th ("Jerusalem") virus was
NOT a rumor.  See the next message.]


'Jerusalem Virus' Bet Ends in a Draw [See RISKS-6.62]; May 13th...

Amos Shapir <nsc!taux01!taux01.UUCP!amos@Sun.COM>
13 May 88 12:02:03 GMT
A 10,000 shekel (about $6000) bet between Israeli virus hunters ended in a
draw this week. The bet, started during a live TV interview, was between Yuval
Rekhavi of the Hebrew U. of Jerusalem (discoverer of the first
'jerusalem Virus'), and Ofer Akhituv of Iris Software Ltd. (which sells an
innoculation program to that virus).  Mr. Rekhavi claimed to have written a
program that can alert against the presence of any virus on a PC (IBM or
clone), while Mr. Akhituv had bet that such a program is impossible.

The bet was decided this week by two arbitrators, Dr. Israel Spiegler and Mr.
Ran Giladi, of Tel-Aviv University. While it was evident that none of the
viruses provided by Iris Software could evade detection by Mr. Rekhavi's
program, the arbitrators stated that the cycle of improvments in viruses and
detection program is infinite, so detection of all viruses, present and
future, is impossible; therefore they concluded that the bet is a draw.

The original 'Jerusalem Virus' is due to set off today, May 13. I doubt it'll
cause much damage, since it has a bug that causes each infected program to
grow by about 1000 bytes each time it is run. Any disk that has not been
sanitized by now, has probably run out of space.

Amos Shapir, National Semiconductor (Israel)
6 Maskit st. P.O.B. 3007, Herzlia 46104, Israel  Tel. +972 52 522261
amos%taux01@nsc.com  34 48 E / 32 10 N


Re: Risks in timestamps ...

Ken Barr <calma!barr@ucbvax.Berkeley.EDU>
Fri, 13 May 88 10:05:33 pdt
In RISKS DIGEST 6.81, 
Subject: Risks in timestamps (postmarks)

>At 

Re: lost homework due to the computer

David Sherman <lsuc!dave@unix.SRI.COM>
15 May 88 02:03:35 EDT (Sun)
I had to use that excuse back in 1976-77, when I was an undergraduate taking
language courses at U of Toronto.  Being a UNIX hacker, I used to typeset my
assignments on a Versatec plotter, using nroff (this was v6, before troff)
and various fonts for French, German and Hebrew.  When the Sanford Fleming
building caught fire in February 1977, I had two assignments due that day
that I hadn't yet run off.  The professors involved accepted my explanation,
and in fact the CRF lab housng the PDP-11/45 wasn't damaged, so I was able
to get the assignments out a few days later.

I'm sure others remember that fire.  My textbooks smelled of smoke for months.

David Sherman


Chicago Phone Mess Disrupts Businesses Across the Country [RISKS-6.82]

Peter G. Neumann <NEUMANN@csl.sri.com>
Mon 16 May 88 13:27:30-PDT
  Chicago (L.A. Times)
    All day last Friday, bankers trooped to an unmarked car inn a secret
  location in the western suburbs of Chicago to transfer millions of dollars
  over a car phone.  The car contained officials from the Federal Reserve
  Bank of Chicago, and the operation, carried out under the watchful eye of
  local police at the undisclosed suburban city, was just one of the
  resourceful ways people here are coping with a telephone disaster of
  unprecedented proportions.

  ... the impact on businesses has been devastating.  And the scope of the
  problems raises questions about the emergency plans in place in other
  major business centers to handle similar disasters.

  One business that had prepared for disaster was Bekins, the household moving
  company that is based in Glendale, Calif., but has its dispatch operations in
  Hillside, Ill.  [They set up temporary dispatch headquarters in Glendale.]...

  For the 80 to 100 banks located in the affected area, ... 300 automated
  teller machines were out of commission...

[FS Chron, 16 May 1988.]

There are important implications of this case for the RISKS community.  Thus
we also include the following messages, despite some duplication...


More on Chicago Telephone Fire

<boyle%antares@anl-mcs.arpa>
Wed, 11 May 88 13:20:38 CDT
The problem with telephone service in the Chicago area was much more serious
than I was aware of at the time of my original posting.  Non-local telephone
service was cut off for customers in an approximately 500 square mile area from
the Wisconsin border to Kankakee, and from Aurora to the Chicago city limits.
Among these was the FAA Air Traffic Control Center in Aurora, which lost all
its land lines to O'Hare and Midway airports [no redundancy there!], causing
delays of an hour or more.  Directory assistance was unavailable over most of
the state.  [James M. Boyle]

    [James sent in a lengthy article, "WHEN HUB IS HIT, EVERYONE IS HURT", 
    by Christine Winter, Chicago Tribune, 11 May 1988, from which I have 
    excerpted even more heavily than he did.  PGN]

"The goal behind running lines from a large number of Illinois Bell central
offices through one major superoffice, called a "hub," is to provide security
and flexibility, especially in times of emergency.  [Well, perhaps they need to
evaluate whether the goal is served by the means! JMB]

"But when an emergency occurs at the hub itself, the repercussions are more
like tidal waves than ripples.  On Sunday night, when a major fire struck
Bell's hub in Hinsdale [Ill.], those tidal waves hit the western suburbs [of
Chicago].

[...Explanation of the "hub" concept.]

"A diagram of the concept would look like a wagon wheel, with the hub office in
the cnter.  Of course, customers know nothing of all this--until the hub burns
down.  [I'll say amen! to that.  From my experience with computer networks, I
had assumed that there were all sorts of alternate paths.  JMB]

"'Normally, we feel really secure with the hub concept, because most of the
problems occur out in the field when somebody digs up a fiber-optic cable,'
said Neal Cox, director of engineering for Ametitech Mobile Communications.
Ameritech Mobile used Hinsdale as its major `link to the world' for its
cellular telephone network.

[...  Explanation of fiber-optic cables.]

"`Under a centralized setup like this, when a fiber-optic cable is damaged,
there is an enormous amount of flexibility, because so many cables come into
the hub that they can just reroute all the traffic,' Cox said.  "But who whould
have guessed the hub would burn down?"  [Ahh..., who indeed! I'm sure a
terrorist would never think of such a thing.  JMB]

[... Paragraphs about the fire damage to equipment.]

"The central processor suffered only minimal damage Sunday, and its software
was largely undamaged, so its computer operations are largely unaffected.
[You've gotta watch that software! It goes quickly in a fire...  JMB]

[... Paragraphs about a second switch in La Grange doing 98% of its operations
through the Hinsdale office, and attempts to reconnect them by microwave.]

"`This is about the worst place a disaster like this could have happened,
except for the downtown [Chicago] office.' Richards said.

"He said it would be `possible, but not practical' to have backup capabilities.
"`It would mean a duplication of all our cabling and all this equipment,' he
said, pointing to the rows and rows of metal frames, many of the first floor
singed and blackened, which hold the electronic circuitry.  [This reasoning
seems specious.  There would be some duplication, but not complete duplication.
Wouldn't distributed function, stealing cycles in many switches, be much, much
more reliable?  Perhaps he means that the economics of high-bandwidth
fiber-optic cables weigh against duplication.  JMB]

"Illinois Bell spokeswoman Pat Montgomery said only that the costs of getting
service restored, while substantial, would not be recovered through rate
increases.  [Hmmm, that's a relief! But I wonder about the lawsuits...  JMB]


Re: The Great Fire

Paul Czarnecki <ames!ll-xn!munsell!pz@spam.istc.sri.com>
Fri, 13 May 88 10:52:45 EDT
> and a few began a process known as an emergency telephone tree,
> calling other employees and company management at home to notify
> them of the circumstances.  Each employee thus notified was
> responsible for calling a few more employees. 

Does anyone else find it suprising that a telephone company's emergency
handling policy includes use of the telephone?  It sounds like you are just
asking for trouble.
                               pZ

Paul Czarnecki {{harvard,ll-xn}!adelie,{decvax,allegra}!encore}!munsell!pz

    [Telephone systems work fine on batteries during power failures.
    That is a more commonplace "emergency".  PGN]


Questions We Aren't Supposed To Ask About Hinsdale

<portal!cup.portal.com!Patrick_A_Townson@Sun.COM>
Sat May 14 16:20:12 1988
First, an update: On Friday, Jim Eibel, Vice President of Operations for
Illinois Bell announced the company was abandoning efforts to save the
water/fire damaged switch at Hinsdale. The old switch was a #1 ESS; the new
one will be a #5 ESS. They estimate 14 days of round the clock work will be
required to bring it up.

For about 21,000 of the 35,000 customers effected, limited service will resume
on May 15, gradually phased in during the evening and overnight hours. Most
network services for the Chicago area have been resumed in part, and will be
largely restored by May 15. The network will remain somewhat crippled for
another 2-3 weeks, pending complete installation of the new switch. Several
more emergency communication centers have been set up in the west suburban
area, bringing the total to eight locations where the public can go to make
calls. Complete rehabilitation is expected by mid-June.

The grim news though, is that Illinois Bell is avoiding discussion of the
'40 to 60 minute delay' in calling the Fire Department, which probably
caused the loss of the switch, and contributed to what is now openly being
called 'the worst disaster in telephone history'.

We now have this timetable of events for Sunday, May 8 --

At 3:50 PM, a technician in a Bell central office in Springfield, IL got a
fire alarm trip signal from Hinsdale. *HE CHOSE TO IGNORE THE ALARM TRIP*.
Within a period of 10 minutes, several more alarms from Hinsdale tripped,
including one for a loss of power.

Shortly after 4:00 PM, the technician called the weekend duty supervisor for
the area to ask what was going on. The duty supervisor agreed to check it
out, and drove to 120 North Lincoln Street in Hinsdale. When asked why a
technician in Springfield had to notify a supervisor for Hinsdale, Jim Eibel
responded that *THE HINSDALE OFFICE IS TOTALLY UNATTENDED ON WEEKENDS*.

This was in direct contradiction to earlier reports from Bell saying that
personnel 'on duty' discovered the fire and tried to extinguish it. *There
were no personnel on duty.*

The duty supervisor checked the building and found the fire. It is unclear
at this point if the supervisor attempted to fight the fire or returned to
a safe area of the building to call the Fire Department. In any event, the
supervisor found all the phones dead. There was no way to call the Fire
Department. Community residents we have talked to believe the phone circuits
in town had *ALREADY CEASED TO OPERATE 10-15 MINUTES EARLIER*.

At this point, now about 4:15 PM, being unable to call the Fire Department
on the phone, the supervisor leaned outside the front door of the building
and asked a passer by to please call the Fire Department. Apparently the
passer by did not call; but let us be generous and assume the person tried
to call from the payphone down the block on Lincoln. Finding that phone dead
also -- and why not? -- the person probably dismissed the matter, was
bewildered and went on about their business. Let's be that generous, anyway.

After about ten minutes, nearing 4:30 PM, when no Fire Department had
arrived, the supervisor flagged a motorist driving past, and urged that
person to go for help. Apparently that person went to the police nearby and
got help on the way. A little past 4:30 PM, the first firefighters were on
the scene. *Earlier reports, for which the media is probably to blame and
not Illinois Bell, say the fire started 'about 5:30 PM'.

So a fire starts sometime in the afternoon, maybe 3:30-3:45. By 3:50 the fire
has becoming sufficiently severe that heat/smoke sensors go off. We don't
really know the *exact minute* it started -- just that depending on the
sensitivity of the alarms, either a minute or two or several minutes passed
before a technician downstate got the message.

There were *NO SPRINKLERS OR OTHER AUTOMATIC FIRE FIGHTING DEVICES IN THE
BUILDING*. According to Jim Eibel, they don't use sprinklers for the same
reason they don't like firemen with water: the switch can be, and was
damaged.

So a fire burns at some degree of intensity or another for around an hour
before firemen even start working on it -- and this comes to light only
when Illinois Bell is pressured by the [Chicago Sun Times] to explain how
the matter could have gotten so far out of control.

Here are some questions for Jim Eibel and others in the hierarchy at Illinois
Bell to answer. I doubt you will hear them discussed or the answers given on
the Illinois Bell Communicator for obvious reasons --

1. Why did the technician in Springfield at first ignore the fire alarm?
   What does a fire alarm mean, if it does not mean a fire is going on?

2. When the person in Springfield finally was moved to call a supervisor
   in the area to see what it was all about, why were no emergency authorites
   notified at that time?

   Why didn't s/he call the Hinsdale Fire Department -- the phones may have
   still been working then! -- or the police, or *some authority in the
   the community * and tell them, 'we [may] have a serious problem. Please
   send the fire department to 120 N. Lincoln. I have a supervisor on the
   way to meet them and let them in the building.' Why? Had the weekend duty
   supervisor and the fire department and their police escorts all landed on
   location somewhere around 4:00 PM, the damage would have been greatly
   minimized.

3. Why no personnel on duty on weekends? Not even a watchman or a single
   clerk? Here sits a multi-million dollar hunk of electronic equipment,
   very sophisticated in nature, and not one person to brouse around from
   time to time in the course of the afternoon?

   It didn't have to be a fire! It could have been vandals. It could have
   been a dissident employee. It could have been a broken water pipe. It
   seems incredible Bell would essentially abandon its property in this
   way, out of some false sense of economy.

4. Was the lack of personnel -- even one person -- part of the same school
   of thought called 'economics in running a central office' which says to
   put all your eggs in one basket? Why was Hinsdale doing all these jobs
   for the area? Anyone should have the foresight to see that now and then
   the bottom falls out of the basket and all the eggs get broken.

    Is it really 'too expensive' to distribute the traffic over a few more
    offices instead of stacking everything in one big center? I'm not
    suggesting a full complement of services/features in every office, but
    a little more judicious distribution in the future. And if nothing else,
    a watchman, technician, clerk *or someone* to be on the premises at all
    times day and night.

    Many's the time such a person would sit and do nothing. Last Sunday I
    dare say they'd have earned their salary many times over. Can you imagine
    the difference it would have made if someone on site around 3:30-3:45 PM
    or whenever it was all that hell came down had been able to grab some
    halon, a celluar phone, walk into the switch and start spraying? And on
    the phone, getting people into the office immediatly?

    I guess that doesn't fit into the economics of running a switch!

5.  Finally, why no fire protection system in place? Admittedly, automatic
    water sprinklers are *not* the thing to use overhead in a central office
    switch. But why not halon piped in?

    Halon *can* be disseminated through overhead plumbing the same as water.
    When the firefighters went in the building, they took halon because they
    knew what they were dealing with. They only gave up on using the halon
    when the fire got so far out of control that halon was no longer effective.

    When that fire alarm tripped in Springfield, why didn't overhead halon
    jets start releasing their gas? It would have made short work of a fire
    at that point in time! And had there been halon extinquishers about the
    premises, a weekend duty *clerk* -- note please! on premises person! --
    could have used them also. But what did Jim Eibel say? Well...it just
    didn't fit into that sacrosanct economy. Neither does the forced purchase
    of a new switch, Mr. Eibel.
6.  Finally, a question for the duty supervisor last Sunday --
    When you found the phones were all dead, why didn't YOU immediatly go
    and get help? Why not jump in your car, drive 90 miles an hour if you
    could, flash your lights, honk your horn, scream and holler at the top
    of your lungs or otherwise find a policeman somewhere, and tell him
    'we need help now, and we need it bad.'

    Admittedly you wanted to stay there and protect the system and do what
    you could on your own, but trained firefighters could have made very
    good use of the ten minutes or so you wasted trying to find someone to
    turn in the alarm.

I began this report thinking I would conclude it by calling for the resignation
or firing of James Eibel and the two or three people directly reporting to him
who could have prevented last Sunday's disaster by proper planning. Now I am
not so sure. Perhaps Mr. Eibel has a very good explanation for how one of
the main switchers for northern Illinois could be left unattended; and a
worker in Springfield could ignore a fire alarm; and an employee responding
locally could have been not properly trained -- all at the same time.

Maybe Mr. Eibel has very good answers, and hopefully it will not take a
bit of arm twisting by the Illinois Commerce Commission and the newspapers
to get his reponse. But if Illinois Bell *even considers* the notion of
recouping their loss on this fire through the rate base -- as opposed to
the stock holders -- then my feeling is Eibel and employees reporting to
him *HAVE GOT TO GO*.

Its not as though a check for twenty five million dollars could be written
today and all would be well tomorrow. And twenty five million is a *very
low estimate* of the cost of the fiasco. The new switch alone is estimated
to cost about sixteen million dollars. Although Eibel refused to discuss
the cost of the switch, purchased on an emergency basis from American
Telephone and Telegraph, we've done some comparative shopping, if you will,
with other vendors/suppliers making similar equipment. The best we could
find was about sixteen million dollars -- for the switch alone. That does
not of course include peripheral equipment, overtime salaries to workers,
the cost of repairing the building or the month of lost revenue from the
thousands of subscribers without service.

And what of hardship to residents and businesses? What of restitution to the
community? Eibel pointed out that the affected subscribers would recieve
'a credit on their bill for the time service was out....but it is not our
corporate policy to go further...'

I have to agree with him there. There is no constitutional right to phone
service. No one should become dependent on it. Still, the fact remains that
eight telemarketing firms are closed for the duration; their employees told
to stay home. Spiegel's Catalog is closed with many employees laid off. A
major insurance claims processing center is without phone service. Numerous
travel agencies are shut. Bank ATM systems are down. Restaurants and
theatres cannot accept reservations. Credit approvals for purchases made
with plastic are jeopardized.

No, we should not have ever come to the place we are *this dependent* on a
pair of wires attached to a microphone and earpiece. But likewise, Bell must
share some of the blame. The 'economy of running a central office' espoused
by Mr. Eibel and associates caused a needless delay in resolving a serious
problem. That 40 minute delay probably cost them their switch and has caused
considerable economic hardship to west suburban Chicago.

If Eibel and his associates have an answer, perhaps they will share it with
us. Many, many dedicated people are working their hearts out to bring back
the service from a disruption that might well have been avoided. Fires cannot
be avoided. 40 minute delays *can be*.

I've been a supporter of Bell and most of its corporate policy for many, many
years. Right now, I am disgusted to think of how slipshod some of its
operations have become.
                                        Patrick Townson

Please report problems with the web pages to the maintainer

Top