The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 83

Monday 28 November 1988

Contents

o Tech Report on the Internet Worm (Gene Spafford, PGN)
o Congress plans hearings on the Internet Worm (Jon Jacky)
o Computer Literacy #3 (Ronni Rosenberg)
o More on misuses of computers (PGN)
o Chain letters = next net disaster ? (Ira Baxter)
o Computerized Parking Meters (James Peterson)
o Data verification (Rob Gross)
o Info on RISKS (comp.risks)

Tech Report on the Internet Worm

Gene Spafford <spaf@purdue.edu>
Mon, 28 Nov 88 19:53:07 EST
My tech report on the Internet Worm is finally finished! You can get a
compressed PostScript version of the formatted report via FTP as follows:

1) ftp to arthur.cs.purdue.edu         (128.10.2.1)
2) login for anonymous ftp             
3) set binary mode on
4) cd pub/reports
5) get TR823.PS.Z
6) quit

Then uncompress the file and print it.  

   [If you cannot uncompress it, you may access the UNCOMPRESSED PostScript
   file directly (280,827 bytes, by the way!):
      OMIT 3) above; it should also work in binary mode, but more slowly;
      REPLACE 5) above with "get TR823.PS", using the name of the
                                 uncompressed PS file.  Also, use a
                                 copying machine if someone you know has
                                 already FTPed it.  Spare the Internet.  PGN]

If you have already ordered a paper copy of the report and you can FTP a copy
to print it yourself, please send me mail and cancel your request for a paper
copy.

If you cannot FTP a copy and you have already ordered a paper copy, have
patience.  As soon as they get printed they will be mailed -- before the end of
this week, I am told.

If you cannot FTP a copy and would like to order a paper copy, send me your
surface mail address and I will add your name to the list.

Cheers,
--spaf


Tech report on the Internet Worm

Peter Neumann <Neumann@csl.sri.com>
28 Nov 1988 18:59:19-PST
Spaf's ``The Internet Worm Program: An Analysis'' is an extremely thoughtful
and comprehensive report.  It will be standard reading for years.  It is
offered by Spaf ``solely for the purposes of instruction and research'' (as
he states in his title-page copyright notice), and is cited in RISKS for
precisely those purposes.  There are many lessons to be learned -- including
needs for better operating systems and network protocols, better quality
programmers with greater social awareness, better ethical teaching, better
laws, and generally better understanding of THE RISKS.  Our thanks to Spaf
for his considerable contribution.  PGN


Congress plans hearings on the Internet Worm

Jon Jacky <jon@june.cs.washington.edu>
Mon, 28 Nov 88 09:35:59 PST
The House Science, Space and Technology Committee and the House Judiciary
Committee are planning hearings on the Internet virus for the upcoming 101st
Congress.

Also, the author of the federal computer crime law says that he believes the 
virus programmer could be prosecuted under that law.  Here is the source,
from a story that appeared in THE SEATTLE TIMES, Sunday Nov 27 1988, p. B2:

CONGRESSMEN PLAN HEARINGS ON VIRUS - Newhouse news service

WASHINGTON - The computer virus that raced through a Pentagon data network
earlier this month is drawing the scrutiny of two congressional committee
chairmen who say they plan hearings on the issue during the 101st Congress.
  Democratic Reps. Robert Roe, chairman of the House Science Space and 
Technology Committee, and William Hughes, chairman of the crime subcommittee
of the House Judiciary Committee, say they want to know more about the 
self-replicating program that invaded thousands of computer systems.
  The two chairmen, both from New Jersey, say they are concerned about how 
existing federal law applies to the Nov. 2 incident in which a 23-year-old
computer prodigy created a program that jammed thousands of computers at
universities, research centers, and the Pentagon.
  Roe said his committee also will be looking at ways to protect vital
federal computers from similar viruses.
  `As we move forward and more and more of our national security is dependent
on computer systems, we have to think more about the security and safety of
those systems,' Roe said.
  Hughes, author of the nation's most far-reaching computer crime law, said
his 1986 measure is applicable in the latest case.  He said the law, which
carries criminal penalties for illegally accessing and damaging `federal
interest' computers, includes language that would cover computer viruses.
  `There is no question but that the legislation we passed in 1986 covers the
computer virus episodes,' Hughes said.
  Hughes noted that the law also includes a section creating a misdemeanor 
offense for illegally entering a government-interest computer.  The network
invaded by the virus, which included Pentagon research computers, would 
certainly meet the definition of a government-interest computer, he said.
  `The 1986 bill attempted to anticipate a whole range of criminal activity
that could involve computers,' he said.


Computer Literacy #3

Ronni Rosenberg <ronni@juicy-juice.lcs.mit.edu>
Mon, 28 Nov 88 12:36:39 EST
Expenditures of time and money on computer-literacy education represent
important tradeoffs for schools.  If you think that computer literacy should
be taught in school, how do you think schools should pay for it (hardware,
software, training, maintenance)?  How should computer-literacy courses be fit
into the school day?

Since school budgets and days are finite, these questions raise the issue of
priorities.  Should computer-literacy education be a high priority for our
education system?  Why or why not?  How do you compare computer literacy with
current education priorities?

     [Respond to Ronni, please.  PGN]


More on misuses of computers

Peter Neumann <Neumann@csl.sri.com>
28 Nov 1988 17:17:10-PST
A flurry of risks relating to antisocial computer uses has been rapidly
developing into a blizzard:

  * Hatred-promoting materials.  Jeff Stout (jstout@boeing.com) alerted me to
    an article in the Seattle Times/Post-Intelligencer, 11/20/88, excerpted
    as follows:

      The rapid spread in recent months of illegally produced floppy disks
      with anti-Semitic and racist content, promoted by the increased use of
      home computers, has alarmed West German teachers and those concerned
      with protecting young people from exposure to military, racist and
      pornographic violence.

      "The neo-Nazi underground has changed tactics", says Gerhard Adams,
      deputy chairman of the government office responsible for monitoring
      "youth-endangering" materials.  "Instead of distributing leaflets,
      they now circulate in schools computer programs which are anti-Semitic
      and racist."  [...]

      While the majority of games glorifying war and Rambo-style episodes of
      self-enforced law are produced in the United States and Great Britain,
      games inciting racial hatred and propagating Nazi ideology are
      believed to have their origin in Germany.

  * A flurry of PC porno programs (including some highly interactive versions).
    For example, a porno program is apparently sweeping through the banking
    community (Lounge-suit Larry ...), some versions of which are Trojan
    horsed and rather destructive.  Many others have also been reported,
    and with pirating and direct propagation seem to be spreading rampantly.

  * Electronic chain letters such as that noted in the following message.

So, what is new?  The subject matter is certainly not new.  But the medium
offers new opportunities -- proliferability, programmability, and privacy.
(Next we will be having subliminal messages on the screen, or even buried
inside the programs?)


Chain letters = next net disaster ?

Ira Baxter <baxter@madeleine.ICS.UCI.EDU>
Fri, 25 Nov 88 23:37:04 -0800
Just received this.  Figured best way to a) satisfy RISKS readers and b)
"prevent breaking the chain" :-} was to submit this rather than victimize 20
more people.  If this sort of thing is turned loose in email, the resulting
exponential explosion could be as bad as the recent net worm (with willing
vectors, anyhow).  Unwilling vectors will just damp them out... but with 3
million PCs out there, how many do we need to keep it alive?

  [RISKS has no difficulty whatever in breaking this chain.  Chain letters
   are bad enough via SnailMail, but electronically they open up horrible
   possibilities.  PGN]


Computerized Parking Meters

James Peterson <peterson@sw.MCC.COM>
Mon, 28 Nov 88 16:40:05 CST
While visiting the University of Oregon last summer, I found a parking space
with no meter, but a sign directing me around the corner.  There was a small
terminal with a map of the adjacent parking area, about 14 spaces along the
side of the street.  The instructions indicated that the money was to be
deposited and the code number for my parking space keyed in.  Out popped a
little printed ticket with my parking space number and the time, date, etc.
when I arrived and how long before my parking expired.  It's the only time
I've seen such a system (instead of the normal mechanical parking meters).

I assume the benefits of the system are that there is a centralized station
for checking what cars are legally parked (the meter maid doesn't have to
check each spot, but one central location), central collection of money,
and if one car pays for an hour but leaves after 10 minutes, there is no
visible record allowing the next car to just use the remaining 50 minutes
without paying for it.


Data verification

Rob Gross <GROSS%BCVMS.BITNET@MITVMA.MIT.EDU>
Mon, 28 Nov 88 20:58 EST
At Boston College, most faculty members are expected to advise between ten
and twenty students.  For various reasons (students requesting new advisors,
faculty members on leave, students changing majors), the students I advise
one semester often are not my responsibility by the time the next semester
rolls around.  So I wasn't too surprised when I received a call from a
student I had advised in September asking for an appointment to see me; I
told her that she was no longer one of my advisees, and suggested that she
call the dean to find out who her advisor was.

She called back an hour later and told me that she had been entered into the
computer as class of 1993, and the computer had duly scheduled her to
register in November of 1989.

And my computer science students worry about why I stress data verification!

Rob Gross    
