The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 23

Saturday 16 July 1988


o Policy Chief Indicted in Computer Misuse
Owen Blevins
o Data for Iran airliner discussion
Dave Fiske
o Re: Data "viruses"
Peter J. Denning
o Invitation to visit Disaster Research Center
o Passwords on networked systems
Steve Oualline
o Other ways to manage risks
Dave Fiske
o Colwich Junction, England, 1986
Blair P. Houghton
o Oops -- risks of writing -- SI prefixes
Richard S D'Ippolito
o Info on RISKS (comp.risks)

Policy Chief Indicted in Computer Misuse

owen blevins <>
Fri, 15 Jul 88 20:25:50 est
From New York Times Friday., July 15, 1988:

Metro-North Police Chief Indicted in Computer Misuse

The police chief of the Metro-North Commuter Railroad was indicted yesterday on
charges that he improperly used a New York State polic computer system to
investigate job applicants, their relatives and people who were suing the

The indictment against the chief, John V. Esposito, includes allegations of
"computer trespass."  Authorities said he is believed to be the first police
official to be prosecuted under a 1986 law restricting the use of confidential
criminal justice records compiled in computers.

After pleading not guilty in a courtroom in Manhattan, Mr. Esposito, who was
released without bail, said his use of the computer system "is standard
operating procedure" by police chiefs throughout the state as part of routine
background examinations of prospective employees.

Data for Iran airliner discussion

Dave Fiske <>
14 Jul 88 21:28:21 GMT
I know this is the net, but I hope I can be forgiven for doing a bit of actual
research! Here are a few excerpts from some books I happen to have at home.
Shows that with just a little effort, we could be having discussions based
loosely on fact, rather than vague memories and opinions.

First of all, despite Reagan's statement, the AEGIS system is a bit more than
your average radar unit.  The following excerpt indicates that it does some
interpretation of the data it obtains, and even performs limited

  "The AEGIS Combat System was developed to counter the saturation missile
  attacks which could be expected to form the basis of Soviet anti-carrier
  tactics during the 1980s.  Conventional rotating radars are limited both in
  data rate and in number of target tracks they can handle, whereas saturation
  missile attacks require sensors which can react immediately and have a
  virtually unlimited tracking capacity.  The solution adopted in the AEGIS
  system is to mount four fixed planar antennae each covering a sector of 45
  degrees on the superstructures of the ship.  Each SPY-1 array has more than
  4000 radiating elements that shape and direct multiple beams.  Targets
  satisfying predetermined criteria are evaluated, arranged in sequence of
  threat and engaged, either automatically or with manual override, by a
  variety of defensive systems."

  John Jordan, "An Illustrated Guide to the Modern U.S. Navy", 1986,
  Prentice Hall.

Several people have maintained in comp.risks that the F-14 would not be
much of a threat to surface ships.  However:

  "The twin-jet F-14 is indeed some airplane.  It was designed to range
  farther, fly faster, climb higher and pack more wallop than any interceptor
  ever built.  While it possesses some of the features of a fighter, fighter
  pilots certainly would prefer to call it an interceptor.  Its long suit is
  its fire control system and its missiles.  With his AWG-9 radar and
  infrared-sensor-computer system, the backseat Missile Control Officer (MCO)
  of the Tomcat can track twenty-four separate targets, from sea level to one
  hundred thousand feet, up to one hundred miles distant."

  James W. Canan, "The Superwarriors", 1975, Weybright and Talley.

  "Possibly the most complete fighter in the world today, the Grumman F-14
  Tomcat first entered service in 1975.  Armament consists of M61A1 20-mm
  rotary cannon plus AIM-9 Sidewinder short-range, AIM-7 Sparrow medium-range
  and AIM-54 Phoenix long-range air-to-air missiles.  A combination of all
  these missiles can be carried at one time, making the F-14 capable of
  shooting down any flying intruder at any range up to 200 km (125 miles).  The
  Phoenix missiles are operated in conjunction with the Tomcat's AWG-9 radar,
  and can hit targets at any altitude from ground level to over 2400 m (78,740

  "Modern Combat Aircraft", Crescent Books

According to The Military Balance, 1984-85, published by the International
Institute for Strategic Studies, Iran still has 10 F-14As (in 1975 they had
15--some undoubtedly have become inoperative since then), and does have
Sidewinders, Sparrows, and Phoenixes. 
                                        Dave Fiske  (davef@brspyr1.BRS.COM) 

Re: Data "viruses" (RISKS-7.11)

Peter J. Denning <>
Fri, 15 Jul 88 14:47:45 pdt
Dave Horstall inquired about whether the propagation of corrupted data through
a system can be considered a new form of virus.  No.

The propagation of corrupted data is an old problem that systems designers
interested in fault tolerance must face.  It is a difficult problem and many
systems do not include appropriate data consistency checks to prevent or
mitigate it.

The virus is a program designed to infect other programs with copies of itself
and to perform unwanted actions in the manner of a Trojan horse.

Peter Denning

Program viruses vs "data viruses"

Peter G. Neumann <Neumann@KL.SRI.COM>
Sat, 16 Jul 88 10:29:19 PDT
On viruses versus data propagated effects of contaminated data:

Yes, the propagation of corrupted data is an old problem, although it is
generally considered within the scope of a single program or a single process.
My favorite example of more global propagation is provided by the ARPANET
collapse (mentioned in RISKS occasionally, but newer readers should dig up Eric
Rosen's enlightening article, "Vulnerabilities of network control protocols",
in ACM Software Engineering Notes, vol 6 no 1, January 1981).  This was caused
by a status word being propagated along with two corrupted versions of itself
-- as a result of hardware malfunctions.  The consequence was that those two
corrupted versions (yes, propagated by the normal node programs, which were
unaltered) contaminated every node in the network -- because the flawed garbage
collection algorithm broke down.  True, there was no program virus.  However,
the two bogus status words effectively contaminated the entire network! This
case is interesting not because a piece of data was altered, but because three
different versions of the SAME piece of data were able to bring the entire
network to its knees -- despite the belief that distributed control was safe.
That kind of contamination deserves some sort of explicit identity such as
"data bacterium" or "data microbe" or whatever, although it has some of the
characteristics of a (data or nonprogram) virus...  PGN

Invitation to visit Disaster Research Center (DRC)

Disaster Research Center <ACJ00984%UDACSVM.BITNET@CUNYVM.CUNY.EDU>
Fri, 15 Jul 88 20:24:21 EDT
An Introduction to the Disaster Research Center for RISKS
Readers.    Come to our open house in August !

The Disaster Research Center, the first of its kind and the only one in the
United States, was established at the Ohio State University in 1963 and moved
to the University of Delaware in 1985.  The Center engages in a variety of
sociological and social science research on group and organizational
preparations for, responses to, and recovery from community-wide emergencies,
particularly natural and technological disasters.  Since the Center's
inception, there have been over 496 different field studies.  Teams have gone
to earthquakes in Japan, Chile, Yugoslavia, Italy, Iran, El Salvador, Greece,
California, and Alaska; hurricanes in the southern and eastern United States,
as well as Japan; floods in Italy, Canada, and more than a dozen states; and
tornadoes and hazardous chemical incidents in Canada, Mexico, and the United
States.  A dozen cities struck by major disasters have been restudied several
years after the initial research.  For purposes of comparison, Center personnel
have also examined organizational responses to civil disturbances and riots.

The Center has a number of professionals on its staff plus supporting clerical
and secretarial personnel.  It is directed by Professor E.L. Quarantelli, with
the assistance of Professors Dennis E. Wenger and Russell R. Dynes, all of the
Department of Sociology at the University.

Recent studies have focused on:  Social and organizational aspects of the
delivery of mental health services and of emergency medical services in mass
emergencies; and socio-behavioral responses to acute chemical hazards and the
problems involved in mass evacuation and sheltering.  Research underway
includes the ways in which information relating to disaster is processed
through news organizations, the organizational and public response to the
Mexico City earthquake, and the role of local emergency response agencies.
Center personnel have examined legal aspects of governmental responses in
disasters, the emergence and operation of rumor control centers, mass media
reporting of community crises, the functioning of relief and welfare groups in
stress situations, and the handling of the dead in catastrophes.

The research provides basic knowledge about group behavior and social life in
large scale community crises as well as information which can be applied to
develop more effective plans for future disasters.  Besides storing its own
data collected through in-depth interviewing, participant observations, and
document gathering, the Center serves as a repository for materials collected
by other agencies and researchers.  The Center's specialized library, which
contains the world's most complete collection --over 20,000 items-- on the
social and behavioral aspects of disasters, is open to all interested scholars
and public and private agencies involved in emergency planning.  With over 400
publications, the Center has its own book, monograph, and report series.  There
are close relations with Canadian, Mexican, Australian, Swedish, Japanese, and
West German disaster researchers, a number of whom have been visiting research
associates at the Center for periods of up to a year, and collaborative field
research is currently underway with groups in Japan and Mexico.  An exchange
program and very close ties with Italian researchers, especially the Mass
Emergency Program of the Institute of International Sociology in Gorizia,

Center activities have been supported by diverse sources including the Health
Resources Administration; the Center for Applied Social Problems, National
Institute of Mental Health; the Defense Civil Preparedness Agency; the Water
Resource Research Program, Department of the Interior; the State of Ohio
Department of Mental Health; but major funding has been from the National
Science Foundation, and the Federal Emergency Management Agency.

If you would like more information concerning the Disaster Research Center or
desire an updated Publications List, write to Margie Simmons, Office
Coordinator, Disaster Research Center, University of Delaware, Newark,
Delaware, 19716, United States of America.

** Special note to Risks Digest Readers **

     Anniversary Celebration Announcement

The Disaster Research Center was formed in August, 1963.
Thus, it will be 25 years old next month.

To mark the occasion, an open house will be held at the Center's
present location on the third floor of 102 East Main St., Newark,
Delaware (U.S.A.).

Time: Monday, August 22, 1988
               1 - 5 p.m.

We hope you can take some time to visit us.

    - E.L. Quarantelli, Director
    - Russell R. Dynes
    - Dennis E. Wenger

(Information forwarded by Bruce D. Crawford, Computer Services
   Coordinator, Disaster Research Center).

Passwords on networked systems

Steve Oualline <horizon!sdo@seismo.CSS.GOV>
15 Jul 88 22:31:51 GMT
Although RISKs seems to be primarily oriented toward major problems with the
cutting edge of technology, I wish to offer an example of a small problem that
can be solved by a little common sense.

At our site we have several UNIX systems running on a network.  For convenience
of the administrator, me, all the root passwords are the same.  I discovered
the hard way that this is not a good idea.  I wanted to reboot "zabbar" a small
system that no one was using, so I walked over to its console and type su root,

This shut down the system -- the problem was that I had done rlogin horizon
(horizon is our main system), and had shut it down by mistake.  If the root
passwords had been different for each machine, then horizon would have rejected
the root password for zabbar causing me to discover which system I was really

Other ways to manage risks (Re: RISKS-7.20)

Dave Fiske <>
15 Jul 88 18:58:58 GMT
> From: Doug Faunt (phone (415) 496-4727) <>
> Subject: re: lockpicking and burglars
> I would like to point out that it might be worthwhile to improve your
> locks to some degree, ...
> ...  You may not be able to keep them out, but you can make sure there's a
> record.

I'm surprised that comp.risks readers are primarily fixating only on PREVENTION
for managing risks.  Prevention is only one way to deal with them.

Nearly all homeowners therefore have insurance to cover the theft of
contents, as well as locks on the doors.  Some have burglar alarms as
well.  The prevalence of insurance and burglar alarms is an indication
that unwanted entries cannot be 100% eradicated.  Locks are only one
aspect in the management of the risk of theft.

The existence of law enforcement agencies is another deterrent--a
burglar has to (well, at least he should) consider the possibility that
he will get caught.  The consequences of entering a locked home
("burglary", or "breaking and entering") are more severe than entering
one which is not locked ("illegal entry"), and is also more easily
proved due to physical evidence.

In addition to helping to deter entry, locks help to provide evidence
to facilitate getting an insurance settlement, or to capture the
culprit and achieve return of the goods.

Similarly, a computer system can probably never be made totally secure,
since it's always possible (granted, very unlikely) that an
unauthorized user could happen to guess a correct password on the very
first try, etc.  However, log files are kept and checked, means of
disciplining system abusers are maintained, backup tapes are made, etc.
as further means of reducing the consequences of tampering.

Dave Fiske  (davef@brspyr1.BRS.COM) 

    [But don't forget that in many systems it is easy to turn off auditing
     altogether, or to bypass it, or to modify the audit trail later.  PGN]

Colwich Junction, England, 1986 (Re: Mark Brader, RISKS-7.22)

Blair P. Houghton <>
Fri, 15 Jul 88 17:50:38 edt
Mark's message points out a common misconception: that skidding provides more
stopping force than does rolling with the brakes on.

The truth is that the coefficient of friction is lowered drastically once the
surfaces involved begin to slide.  That is, the kinetic coefficient of friction
is lower than the static coefficient of friction.

Hence, a rolling wheel, which indeed has a nonsliding portion of its surface in
contact with the rail, can apply more force to the rail, thus slowing the train
faster; once the wheel locks up and begins to slide, the force decreases in a
virtual discontinuity, and the train slows slower, meaning that the stopping
distance is larger (usually much larger).

If the wheelslip protection overcompensated for impending slippage by lowering
the braking force below even the skidding-friction force, then it is utterly at
fault for an extended stopping distance, and the above mentioned report's
conclusion is correct.

However, if the wheelslip protection was properly designed, it should have
operated in the region between skidding-friction force (kinetic coefficient in
effect) and onset-of-skidding force (static coefficient in effect), then the
report is dangerously wrong and has made a suggestion that will aggravate
future accident situations.

While the "flattening" argument for wheelslip protection is good economy, the
increased stopping power is the primary reason that antilock braking was
invented, since saving lives is the best economy.
                                                       Blair P. Houghton

Oops -- risks of writing -- SI prefixes

Friday, 15 July 1988 09:29:09 EDT
I blew it. The SI prefixes for kilo (10^3), hecto (10^2), and deca (10^1)
are abbreviated with lower case letters. Those above kilo are abbreviated
with capital letters. All those below (10^-1 to 10^-18) are lowercase.  I've
seen too many KVs and KWs in the electrical industry.  I'm sorry -- next
time I'll look it up first.

Please report problems with the web pages to the maintainer