The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 08

Thursday 16 June 1988

Contents

o New Jersey wants computer audit trails disabled
Joe Morris
o Bunkers
C H Longmore
o More on Blackhawk helicopter
Dave Horsfall
o Root typos
Ken Yap
o Costs/risks of impregnable telephone booths
Geoff Goodfellow
o Science, Journalism, and Whistle-Blowing
HENRY SPENCER
o Shrink Wrap
BILL MURRAY
o Hard-disk risks from vendors
Jerry Harper
o An old CTSS virus
Tom Van Vleck
o Info on RISKS (comp.risks)

New Jersey wants computer audit trails disabled

Joe Morris (jcmorris@mitre.arpa) <jcmorris@mitre.arpa>
From _Computerworld_, 13 June 1988, p. 4 (without permission, of course):

   CASINOS FIGHT PLAN FOR COMPUTER ACCESS

   Atlantic City -- In a major dispute over government access to corporate
   computers, 11 Atlantic City casinos are fighting a proposal by the New
   Jersey Division of Gaming Enforcement (DGE) to obtain direct access to
   casino computers for investigations.

   Unfettered computer access is necessary to fully investigate and regulate
   casino operations, DGE officials say.[...]

   The casinos have been joined in their battle by privacy experts, who say the
   proposal would set a dangerous precedent by allowing government agents to
   go on secret "fishing expeditions" through business computers.  Public
   comments on the proposal are due this week.

   [discussion of parallel paper-and-electronic records, due process
   requirements, etc...]

   The proposed regulation, published last month and pending before the state's
   Casino Control commission, would require the licensed casinos to provide DGE
   investigators with inquiry-only access to ALL [emphasis supplied] computer
   records.

   The requirement would have the following conditions:

   * The New Jersey casinos must provide the DGE with an on-site terminal and
     the capability to make printouts.

   * DGE personnel must be given "reasonable privacy in which to conduct such
     inquiries."

   * Casinos may not track or monitor the DGE inquiries, and casino computers
     must be programmed to preclude any such tracking.

   * Casinos may request a log of DGE inquiries that shows the general category
     of information examined and the time of the inquiry.

   * Each casino must train DGE personnel in the use of its computer system.

   [The DGE tried to get this done four years ago but was blocked by a court
   order requiring extensive hearings.  DGE changed the procedures under which
   the demands were made, prompting] an April 7 filing by 11 of the 12 Atlantic
   City casinos [which] raised numerous objections and argued that the new
   proceeding defies the 1985 court order.

   [discussion of the loss of audit trail info for inquiries, which would make
   it impossible for anyone to know if compromised information had been leaked
   by a DGE employee or someone else.]

Wow.  Regardless of one's stand on how deeply the Mob owns the casinos,
you've got to wonder just who if anyone at DGE knows how to spell "Computer
Security".  After we've been careful to build security audit capability into
systems (and screaming about how dumb designers of the older systems were
for not doing so), now comes DGE with orders to shut them down.  Anyone want
to give some odds on some other part of DGE filing charges against the casinos
for failing to maintain an audit trail of access to the detailed profiles they
keep of the high rollers?

Disclaimer: the odds are very high that you won't be able to show any link
between yours truly and any casino or the DGE, mainly because there isn't
any.  Of course, we all know how easily computer records can be changed...


Bunkers

C H Longmore <CCAse7-16%UK.AC.BIRMINGHAM@CUNYVM.CUNY.EDU>
Wed, 15 Jun 88 19:23+0100
The following is from The Independent of 15th June 1988, reproduced without
permission.

                                   * * * *

                 COUNCIL WAR BUNKERS HIT BY COMPUTER PROBLEMS

The Home Office has suspended installation of a critical part of the
Government's wartime communications network, a multi-million pound
computerised link-up for local authority bunkers.

A national programme for the installation of the County Message Switch system
was halted at the end of March because of "Software Problems".

The Home Office confirmed yesterday that the software was still being tested.

One county emergency planning officer has privately described the situation as
"an absolute botch-up".

Bunkers in Lancashire, North Yorkshire, Cornwall and Somerset have been
affected by the delay following extensive teething problems encountered during
a pilot installation in Bedfordshire.

It is understood that the system's memory specifications are so limited that
district computers can only take about eight messages before previous files
are automatically deleted.

One source said yesterday that the Home Office had suggested that punctuation
and spaces should be left out of messages in an attempt to avoid overloading
the system. But there have been complaints that this would make messages more
difficult to decipher.

There are also complaints that because of a lack of back-up batteries, a power
cut would result in the computer system's entire memory being automatically
wiped out. [Note: bunkers have their own generators, but EMP from a nuclear
airburst could easily disrupt the supply]

                                   * * * *

[Note: In the UK, the Civil Defence plans in time of war are to keep the
population in the towns and cities where they live, and devolve power to
Emergency Regional Seats of Government if central Government is
incapacitated.]

One of the thoughts that occurred to me was this:

Why upgrade from teletypes to a new [?] computer system? After all, the
message capacity of a teletype is that of the roll of paper attached, and they
don't need rebooting after a power failure. You can also read them in the dark
by using a torch. If you were getting really technical you could use an
incoming teletype, and outgoing terminal/teletype.

And another one was:

Upgrading this sort of computer system is very dangerous. The more complex the
technology involved (ICs, DRAMS, Magnetic Media etc) the more prone it is to
damage from ElectroMagnetic Pulse from Nuclear Weapons, fluctuations in the
generator supply and other adverse operating conditions. A simple teletype is
less technologically advanced and therefore probably *more reliable* in these
conditions.

And finally:

Is this going to end up as another Nimrod fiasco, where the UK government
spends millions of pounds on a system, and then scraps it and buys from the US
instead?

                                   -- -- --

              C H Longmore: CCAse7-16%bham.ac.uk@cunyvm.cuny.edu


More on Blackhawk helicopter

Dave Horsfall <munnari!stcns3.stc.oz.au!dave@uunet.UU.NET>
Fri, 10 Jun 88 16:42:13 est
From "The Australian" 31st May 1988:

    "German incident sours Blackhawk shield plan

 The United States Army says it will speed up plans to shield the UH-60
 Blackhawk helicopter from radio-wave interference following an incident
 in West Germany earlier this month [May].  On May 11, a Blackhawk flying
 near a large group of powerful antennae banked into a right-hand turn for
 five seconds without any pilot commands.

 [...] An Army spokesman, Major Phil Soucy, said on Friday that tests had
 shown the problem of electromagnetic interference did not jeopardise
 flight safety.  ``We certainly are not going to ground the (Blackhawk)
 fleet because there's no reason to'' Major Soucy said.  He said the Army
 had begun talks with the helicopter's manufacturer, Sikorsky Aircraft,
 on shielding a number of electronic components.

 [Details on Knight-Ridder report of 5 accidents and 22 deaths, since 1982]

 The Army and Sikorsky, a subsidiary of United Technologies Corp of
 Hartford, Connecticut, disputed that report, saying there was no
 evidence that electromagnetic interference had caused any crashes."

-- 
Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz
dave%stcns3.stc.OZ.AU@uunet.UU.NET, ...munnari!stcns3.stc.OZ.AU!dave


root typos

Ken Yap <ken@cs.rochester.edu>
Fri, 10 Jun 88 17:55:24 -0400
You don't even have to be root to wreak havoc. I have the escape
character in rlogin set to ^P because I want to keep ~ for my own use.
One day I was using the console on a Vax to make a backup tape and
logged in to another machine to read my mail while waiting. When I
decided to escape back to the Vax to check how the backup was going, I
got:

    >>>

(For those not familiar with Vaxes, this is the bootstrap prompt.)
Fortunately I realized that I had halted the machine and typed C
<return> immediately.

These days I do one of the following:

(1) Ensure the console switch is on LOCK.
(2) Avoid using the console.

    Ken


costs/risks of impregnable telephone booths.

Geoff Goodfellow <geoff@fernwood.mpk.ca.us>
Mon, 13 Jun 88 11:56:59 PDT
The following was passed to me from David Kucharczyk <ssr@cos.com>:  Taken
from the Sydney Morning Herald and the May 22, 1988 issue of Awake magazine.

In an effort to outwit phonebooth thieves, Telecom, Australia's government-
owned telephone company, has fitted the susceptible booths with Kirk safes.
Named after the worker who invented them, the safe has so far proved 100-
percent effective. As mentioned in the Sydney Morning Herald, it has
withstood 'oxy torches, ramset guns, angle-grinders, hydraulic jacks, pulley
clamps, centre-punches and bricks.' Ironically, the new safes appear to have
led to an increase in vandalism, as thieves frustrated by the tough safes
vent their anger on the booths. Telecom reports that the current rate of
smashed glass and ruined handsets and cords is at a new high of 3,000 cases
per month.

[note by Geoff:  reminds me of the time my car was broken into in an 
unsuccessful attempt to steal the stereo/cassette player.  the shattered glass
everywhere, the mangled radio face plate, storage of the car in a secure
location until i could obtain an appointment at the fix-it shop, the overhead
of taking the car in / pick-up, etc -- all besides the expense/insurance
deductible.  quite a hassle, for which i would have given the radio away to
have avoided!]


Science, Journalism, and Whistle-Blowing

<mnetor!utzoo!henry@uunet.UU.NET>
Fri, 10 Jun 88 18:05:34 EDT
The following is the editorial by Daniel E. Koshland Jr. in the 29 April
1988 issue of Science; it has relevance beyond the scientific community.
[Reprinted (sigh) without permission.]

  "Discussion of fraud in science is becoming a cottage industry in need of an
  environmental impact report.  Fraud is devastating to science; it undermines
  the basic respect for the literature on which the rapidity of scientific
  advance depends.  It must be rooted out wherever and whenever it is
  discovered.  That makes it all the more imperative that charges of fraud be
  made responsibly and that the performance record of whistle-blowers be
  scrutinized as well as those of the scientists they criticize.  In recent
  times we have been exposed to excesses in whistle-blowing and journalism
  that come close to the evils they wish to eradicate.  We see, for example,
  the charge that there is widespread fraud, followed by a text defining fraud
  as a broad concept including "misconduct".  Misconduct is then interpreted
  to include such items as poor proofreading or incomplete references.  In a
  recent congressional hearing, misconduct was further broadened to include
  a difference in interpretation of complex data.  Crying wolf tends to lose
  effectiveness when the wolf is redefined as a vicious mouse and then it is
  further conceded that the viciousness is a matter of opinion.

  "The slowness of institutions in conducting investigations is viewed by some
  as evidence of an "old boy" conspiracy.  But there are good reasons to be
  slow to accuse a colleague.  A student works in close cooperation with a
  professor for months or years and finally solves a problem.  A statement
  by the professor that "we can't publish until the result is checked" might
  eliminate a few cases of fraud, but it would forever damage the relation
  between student and professor.  Institutions that are quick to accuse
  distinguished faculty members of misconduct or worse on the basis of gossip
  or flimsy data will not long have a distinguished faculty.  The fate of
  whistle-blowers who have lost their jobs or failed to continue in science
  is often recounted as evidence of retaliation, but the quality of the
  whistle-blowers' work is relevant to this conclusion.  The idea that
  scientists may cut corners to achieve fame, but whistle-blowers never do,
  is nonsense.  Past track records are not always a guide to future conduct --
  some distinguished scientists err, some erratic whistle-blowers are right
  on occasion -- but scientists, like ordinary citizens, are innocent until
  proven guilty.  Investigation of their integrity should require substance.
  It is not a cover-up for an institution to refuse to initiate an inquiry
  if the only evidence is the accusation by an unreliable source.

  "The scientific apparatus cannot afford to disregard accusations of fraud,
  and competent whistle-blowers help science.  Investigations should be
  pursued meticulously, but the final report should strongly state the
  outcome:  If the accusation is correct the miscreant should be punished
  and the whistle-blower commended.  If, however, the accusation is incorrect,
  in addition to the usual bland announcement of exoneration there should be
  a denunciation of the false charges and a documentation of the time,
  anguish, and delay that has been occasioned.  Science cannot tolerate
  fraud, but it should not be at the mercy of headline-happy journalists
  or incompetent whistle-blowers.

  "Journalists must distinguish between fraud, sloppiness, and differences of
  opinion.  When an accusation of fraud is made, if the evidence appears
  weak or the charge exaggerated a careful journalist should be alerted to
  probe more deeply.  Opinions of noninvolved experts on the likelihood of
  error and the track record of the accuser should be documented early on,
  even in the initial story.  The original story may have to state the facts
  of an accusation before all the background is obtained, but in most cases
  the story can be delayed, and in all cases pertinent doubts should be
  expressed.  The final outcome should be publicized appropriately.  Finally,
  the setting in which a story is reported must be considered by a journalist.
  A story involving a prominent scientist in an inquiry on fraud is bound to
  make headlines, even if the story is only a question of judgement.  The late
  Senator Joseph McCarthy was particularly clever at manipulating journalists
  in this way; the techniques should be familiar by now.

  "Scientists respect integrity, scholarship, and good judgement as much as
  they abhor fraud, sloppiness, and poor judgement, but these are very
  different phenomena.  Those who mix them together in uncritical ways may
  decrease our chances of eliminating true fraud, may damage reputations
  unfairly, and may diminish enthusiasm for healthy differences of opinion at
  the cutting edge of science."

                Henry Spencer @ U of Toronto Zoology
                {ihnp4,decvax,uunet!mnetor}!utzoo!henry


Shrink Wrap

<WHMurray@DOCKMASTER.ARPA>
Wed, 15 Jun 88 09:41 EDT
Yesterday I received an unsolicited package in the mail.  From the
source and the marking "magnetic media," I conclude that the package
contains a program sent to me for evaluation and review.

I am usually cautious about unsolicited mail.  However, this one came
with its own warning.  It was sealed with a sticker with the following
warning:  "The program on the enclosed disk is licensed to the user.  By
opening this package, you indicate your acceptance of the ENCLOSED
(emphasis mine) license agreement."  

Goodness!  What might I be agreeing to?  The fantasies are simply endless.


Hard-disk risks from vendors

Jerry Harper <mcvax!euroies!jharper@uunet.UU.NET>
Wed, 15 Jun 88 15:41:59 GMT
We use a number of 286 machines (American Research Corporation - made in
Taiwan) for some development work before uploading the code to an MVS/XA
environment.  Recently, one of the machines has given considerable trouble
and, indirectly, an insight into the obligations of the vendor we dealt
with.  The system unit emits quite a noticeable vibration which transmits
itself forcibly to the keyboard and desk - that problem has been there
from its purchase.  On several occasions the vendor has checked the unit
to ascertain the source of the vibration but to no avail.  Almost from
the start I mentioned that the vibration was bound to cause some damage
to the hard-disk in the long run (increased oscillation of the heads, etc).
In the last month one of the crimped connections to the hard-disk
controller board fell out with the result that drives C and D were not
recognised and some 30mb, it appeared, were either lost or inaccessible.
I took the shroud off the unit and pushed home the connector - we lost two
recent files (yes, we have floppy backups).  A week later the same occurred, only
this time I couldn't locate any loose connections, so I rang the
vendor.  Firstly, he said he was too "busy" to come out, and then he
told me in a matter of fact manner that the hard-disk was probably corrupt
and all the data was lost.  We have had this machine *four* months.
He then proceeded to give a telephone analysis of what might have
happened.  Eventually, I was tiring and demanded that someone appear
quickly.  Two days later a technician came and once again it turned out
that a power connection to the hard-disk had worked itself loose.
At this point, I decided that we should have a replacement machine.
No dice.  I was assured that the machine was in fine form.  A week later
the CMOS went sick and the hard-disk was inaccessible.  Once again 
a telephone analysis was conducted and I reconfigured the system.
I know this is getting long-winded but the point is that at no stage
in any of the exchanges did the vendor admit any liability, nor did
he seriously offer a replacement. This is of some concern to a number of
companies here in Ireland as quite a number of vendors have suffered
financial difficulties leaving their customers with pitiful after
sales support.  Are too many people getting into the VAR market by
the seat of their pants?
Jerry Harper : Merrion Gates Software (Logic Programming)
             : 89 Booterstown Avenue, Blackrock, Co Dublin, IRELAND.
Phone-net : 353-1-88 52 51
email : jharper@euroies.uucp



An old CTSS virus

<garyt@cup.portal.com>
Mon Jun 13 11:42:06 1988
   SENT: 88-06-11  19:00
   FROM:2 VANVLECK_TOM @PRUNE

This may qualify as one of the oldest viruses: Just before the July 4th
holiday in 1966, two undergraduate CTSS users decided to write a RUNCOM (like
a shell script) which would invoke itself.  They knew that this would create a
new SAVED file on each invocation and eventually use all the disk space on the
Project MAC CTSS system, but they thought this would just lead to a documented
error return.  Unfortunately, there was a bug in the system and CTSS crashed.
Noel Morris and I spent a long time repairing the system disk tables by hand.
Well, was this a virus? The program launched a new copy of itself, and this
proliferation led to the death of the host.

(Note the early fascination with self-reference.  The other well-known way to
crash CTSS was to issue the XEC * instruction, which said "execute the
instruction at the location where this instruction is."  The 7094 CPU looped
taking I cycles only and couldn't be interrupted.  Bill Matthews once did this
deliberately to stop the system when an unwary system administrator
accidentally put the password file in the "message of the day."  Once again,
at 5PM Friday.)

The most important lesson is "don't get clever at 5PM Friday."
