The RISKS Digest
Volume 7 Issue 30

Friday, 29th July 1988

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

NASTRAN and ship steel
Lindsay F. Marshall
Is vibration a known A300 problem?
Eric Roskos
Business Week article on computer security
Woody Weaver
Computers can increase privacy, too!
Robert Weiss
Viruses - a medical view
John Pettitt
Apple viruses — don't go through the ZLINK
Practor Fime
Dr. Logic
The Byter — via Greg Prevost via Eric Haines
On IRS direct computer access
Steven C. Den Beste
Re: doing away with privileged users
Alan Silverstein
Info on RISKS (comp.risks)

NASTRAN and ship steel

"Lindsay F. Marshall" <Lindsay_Marshall%newcastle.ac.uk@NSS.Cs.Ucl.AC.UK>
Thu, 28 Jul 88 10:03:46 WET DST
Talking of NASTRAN reminds me of something that happened when I worked for a
company involved in shipbuilding. The steel ordered for a ship that was almost
completed turned out to be too thin so some extra reinforcement was needed. In
order to find the best places for this they ran the whole ship through NASTRAN.
This job ran for 17 hours and filled several Gbytes of disc with temporary
files. The machine crashed when there was no more available disc space. It
turned out that the run involved 32000 degrees of freedom, but nobody had done
the back-of-an-envelope calculations to see if it was practical...
                                                                      Lindsay
JANET: Lindsay_Marshall@uk.ac.newcastle 
UUCP:  ...!ukc!newcastle.ac.uk!Lindsay_Marshall


Is vibration a known A300 problem?

Eric Roskos <csed-1!csed-47!roskos@daitc.ARPA>
Thu, 28 Jul 88 13:13:34 EDT
> Pilots on France's domestic airline, Air Inter, began a new strike last
> night as part of a three-year campaign over Airbus safety. 

Are there safety concerns other than fly-by-wire involving the Airbus?
Or is this "three-year campaign" just about fly-by-wire?  The above
suggests there may be other safety issues; due to 3 experiences with
A300s, I have suspected for several years that there might be some
problem with resonance of the body to engine vibrations during takeoff.
However, I have no evidence other than firsthand observation as a
passenger on A300s to back this up.

Eric Roskos (csed-1!roskos)


Business Week article on computer security

Woody <WWEAVER%DREW.BITNET@CUNYVM.CUNY.EDU>
Fri, 29 Jul 88 16:21 EDT
  The August 1, 1988 issue of BusinessWeek contained as cover article, "Is
Your Computer Secure?  Hackers, Viruses, and Other Threats".  The article,
pages 64-72, is reasonably well written, without inflammatory text, and has
few errors or misleading statements.  The article is in essence examining
the risk to the public and private sectors of computer usage and loss; and
covers employee attacks (Gene Burleson's assault on the Fort Worth security
firm USPA & IRA Co., and arrest for "harmful access to a computer"), physical
security in light of accident (the Hinsdale disaster), child 'phrackers' and
Ma Bell, adult hackers (the Chaos Computer Club and the Deutsche Bundespost)
viruses, and the like.

  It's a glossy article, but is filled with interesting bits of data, such as
US expenditures on computer systems over the last four years versus estimated
sales of computer protection goods and services.  They have photographs of
Richard Brandow and the programmer who created the McMag virus, Pierre Zovile'
(err — if I ever meet them in a dark alley...) and so on.  It's nice to see
some responsible journalism coverage in a general purpose magazine.  Or
perhaps this is just a measure of how important the private sector rates
computer security...


Computers can increase privacy, too!

"Robert Weiss" <weiss@umnstat.stat.umn.edu>
Thu, 28 Jul 88 20:26:10 CDT
I regularly get reports from my congressperson on his activities, and a comment
in one of the articles grabbed my attention before I could toss the mailing:

    "Technology provides the students with privacy ..."

A different sentiment than we usually read about in RISKS.  This is from an
article on a computer-aided adult literacy teaching project in St. Paul.  PC's
placed in individual booths provide both privacy and flexibility.  If I was 30
years old and unable to read at a 4th grade level, the privacy issue would be
important to me.

This made me realize that while large computers and networks may in general be
detrimental to privacy, there _are_ possibilities for computers to increase
privacy.

Robert Weiss 

    [But probably not if untrustworthy people have authorized access to the
    system or to the data, or if people without authorized access masquerade.
    The biggest problem with putting really sensitive data about an individual
    that might be of interest to someone else (for revenge, blackmail,
    curiosity, leaking, etc.) may be that the temptation level has escalated.
    PGN]


Viruses - a medical view

John Pettitt <jpp@slxsys.specialix.co.uk>
Wed Jul 27 19:00:35 1988
Taken without permission from the Independent (which seems to have
gotten it from the British Medical Journal):

VIRUSES could invade hospitals through their computer systems,
so new software used by doctors is being quarantined before it is
allowed contact with patients' data, Oliver Gillie writes.

The Royal Infirmary in Glasgow isolated a computer virus in its
laboratory among software destined for the cardiac intensive care
unit.  The virus was found by a technician who destroyed it before it
was able to multiply.

Dr Gavin Kenny, an anaesthetist at the Royal Infirmary, said the virus
was not malignant, but "as soon as it was found, we made a complete sweep
to look for others and now we do regular checks".

"A virus can wipe out the memory on an entire disk - that would 
cause a lot of trouble although it would not put patients' lives
in danger," he added. "But some viruses are benign. There is one which
just comes out on Tuesdays.  It says it is Tuesday and then it goes away
again."

[ stuff about what a virus is and the christmas tree deleted - jpp]

Dr John Asbury, another Glasgow anaesthetist, says a virus got
into an intensive care unit in the city where it corrupted data
and caused files to be lost.  Dr Asbury writes about computer
virus disease in the latest issue of the British Medical Journal.

John Pettitt, Specialix, Giggs Hill Rd, Thames Ditton, Surrey, U.K., KT7 0TR
{backbone}!mcvax!ukc!pyrltd!slxsys!jpp            jpp@slxsys.specialix.co.uk


Apple viruses

John Saponara <saponara@tcgould.tn.cornell.edu>
Fri, 29 Jul 88 13:06:44 EDT
From batcomputer!cornell!mailrus!uwmcsd1!ig!agate!ucbvax!pro-carolina.cts.COM!gregp Fri Jul 29 11:52:17 EDT 1988
Article 7320 of comp.sys.apple:
Path: batcomputer!cornell!mailrus!uwmcsd1!ig!agate!ucbvax!pro-carolina.cts.COM!gregp
From: gregp@pro-carolina.cts.COM (Greg Prevost)
Newsgroups: comp.sys.apple
Subject: Virus Information
Date: 26 Jul 88 21:54:43 GMT
Reply-To: pnet01!pro-simasd!pro-carolina!gregp@nosc.mil
Organization: The Internet

Ok folks, in the past few days I have seen some major stuff going on.  There
are at least two different viruses running around.  One is called Cyberaids
and the other is made by some group called Festering Hate.  Here is some of
the info I have picked up on it in the last few days.

 - = - = - = - = - = - =

50/50: Warning Apple users
Name: Practor Fime #13 @4
Date: Sat Jul 16 17:16:14 1988

CAUTION:

        ZLink+, ZLink.PBH, ZLink are all viruses, if you run ZLink then you
now are the happy parent to a rodent virus. It seems Zlink has some sort of
virus that attaches to files and stuff.  My friend has it on his HD and it
creates some file entry in the ROOT directory that is hidden from every utility
EXCEPT APW or ORCA.  Every time you boot the prodos with the virus it will do
an ON-LINE vol check (even if you specify the exact pathname) and install the
virus on systems files such as, Mr Fixit, Basic.system,Copy II+ etc....

 - = - = - = - = - = - =

(92 of 100)
Titled : <*** W A R N I N G ***>
Author : Dr. Logic/Bill of [None]
Stamped: July 13, 1988 at 12:07 AM

There is a file going around (currently on the Hard Drive) called Z.LINK.PLUS.
It is supposed to be a terminal program somewhat like ProTERM.  It is a decent
program but the main reason I posted this is when you boot it up, it GOES TO
EVERY ON-LINE DRIVE AND MODIFIES >BASIC.SYSTEM

On IRS direct computer access

<denbeste@OAKLAND.BBN.COM>
Fri, 29 Jul 88 09:09:58 -0400
I think this is going to fail. High school students all over the state will
spend their evenings making up social security numbers and entering phony
returns. Perhaps one time in thirty or so they'll hit pay dirt (a real social
security number!).

The only way to prevent this is to have the machine know the names of the
people who own the SSN - and reject any return which isn't right.

Only, having done that, what happens if the legitimate owner of the SSN doesn't
enter their own name in quite the same way it is held in the database?

Perhaps the right answer is for the computer to categorize the returns into one
of two groups: "Those where the name was correct" and "those which a human
being will check for validity".

Steven C. Den Beste,   Bolt Beranek & Newman, Cambridge MA
denbeste@bbn.com(ARPA/CSNET/UUCP)    harvard!bbn.com!denbeste(UUCP)
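
The two-group sorting proposed above, as an added example that is not part of the original post: entered names are normalized before comparison so that a legitimate filer who writes their name differently is not pushed into the review pile, and everything else goes to a human. The records, the function names and the rule that an abbreviated or omitted middle name still counts as correct are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed sample records (SSN -> name as held on file); not real data.
ON_FILE = {
    "000-00-0001": "O'Brien, Mary Ann",
    "000-00-0002": "José Q. Public Jr.",
}
SUFFIXES = {"jr", "sr", "ii", "iii", "iv"}


def normalize(name):
    """Reduce a name to ordered lowercase tokens, ignoring layout differences."""
    if "," in name:                       # "Last, First Middle" -> "First Middle Last"
        last, _, first = name.partition(",")
        name = f"{first} {last}"
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))  # drop accents
    name = name.lower().replace("'", "").replace("\u2019", "")       # O'Brien -> obrien
    return [t for t in re.findall(r"[a-z]+", name) if t not in SUFFIXES]


def middles_compatible(x, y):
    """Middle names agree if one side omits them or each pair shares a prefix."""
    if not x or not y:
        return True
    return len(x) == len(y) and all(
        p.startswith(q) or q.startswith(p) for p, q in zip(x, y)
    )


def triage(ssn, entered_name):
    """Return (group, reason); group is 'name_correct' or 'human_check'."""
    on_file = ON_FILE.get(ssn)
    if on_file is None:
        return ("human_check", "ssn not on file")
    a, b = normalize(entered_name), normalize(on_file)
    if a == b:
        return ("name_correct", "exact after normalization")
    if (a and b and a[0] == b[0] and a[-1] == b[-1]
            and middles_compatible(a[1:-1], b[1:-1])):
        return ("name_correct", "middle name abbreviated or omitted")
    return ("human_check", "name differs from record")
```
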


Re: doing away with privileged users

Alan Silverstein <ajs%hpfcajs@hplabs.HP.COM>
Thu, 28 Jul 88 18:31:41 mdt
In 7.29, Allan Pratt said:

> If there is NO SUCH THING as privileged access, where can you go wrong?

Alas, there is NO SUCH THING as "NO SUCH THING as privileged access".

Why?  Because computers aren't as smart as people and as trustworthy as
their administrators.  Situations inevitably arise which require ad hoc
human intervention — by privileged users.

What if there were no distinction of "privilege"?  If any user could
handle the interventions?  There'd also be precious little protection of
users' data from other users.  Even cooperating users need protection
from each other's mistakes.

Alan Silverstein, Hewlett-Packard HP-UX DCE Lab, Fort Collins, Colorado
