The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 79

Wednesday 16 November 1988

Contents

o Vote Count Error
Kenneth R Jongsma
o Computer Ethics Class
Leslie Chalmers
o Teaching "Ethics"
Eric Roskos
o Re: NSA attempts to restrict virus information
Theodore Ts'o
o The FBI Wants You (if you were virus-ized)
Tom Zmudzinski via Dave Curry
o Access and authorization
Joe Morris
o Laws of computer evidence
Barry C. Nelson
o Call for comments on uniformity legislation for software
Conleth S. O'Connell via Alan Kaminsky
o Info on RISKS (comp.risks)

Vote Count Error

<portal!cup.portal.com!Kenneth_R_Jongsma@unix.SRI.COM>
Tue, 15-Nov-88 15:07:56 PST
The following article appeared in the local paper. I'm sure it will be
the first of many to appear after the recent elections. I will try to
refrain from commenting. There are so many obvious issues raised here!

                Tally Error Gives Logan Clear Win
                ---------------------------------
                  (Excerpted Without Permission)

Attorney Benjamin Logan won the write-in race for Grand Rapids District
Judge by 461 votes - not just 20, the Grand Rapids city clerk's office
announced today after finding the error.

The computer processing system designed to handle the write-in race did not
pick up the vote tallies from five precincts on the city's southeast side -
Logan's strongest area.

Those votes make it virtually certain that the Board of Canvassers' rulings
on name variations will not change the outcome.

City Clerk Sandra Wright said no other races were affected by the computer 
problem. A separate computer program counted ballot cards for the other races.
The system used for the write-in election was a Lotus 1-2-3 computer program
developed by local staff, she said.

Tom McQuillan, director of management information systems for Grand Rapids, said
the error apparently stemmed from a problem with the computer program, which
ordered the computer to tally 3rd Ward votes starting with the sixth precinct,
rather than the first. "It's not what we call a computer error," he said. "It's
a human error."

Wright said she discovered the problem Saturday night while adding up the 
figures from the race manually. "I found the 3rd Ward was inconsistent," she
said. "I was further able to isolate that we were not picking up tallies
in Precincts 1,2,3,4 and 5."

(Explanation of Judges duties, salary, and reason for write-in contest deleted)

McQuillan said the error may have been inserted in the program after the city
staff ran it through a test run. The program was (then) modified so subtotals
could be released while the votes were being tallied and the original computer
formulas may not have been rechecked. ("But Boss, I just need to make this
minor change. It can't possibly hurt anything!")

Voters in the five precincts that had not been counted cast 604 votes for Logan
and 163 votes for Christensen. (Enough to change what was a virtual dead heat
that would have had to have been decided by the Board deciding what a voter's
"intent" was when they misspelled a name on the ballot, into a solid victory
for Logan.)


Computer Ethics Class

<Chalmers@DOCKMASTER.ARPA>
Tue, 15 Nov 88 15:48 EST
Regarding Bob Barger's entry, "Comments sought on proposed computer ethics
course" (RISKS 7.75), I was frankly shocked at the statement "There will be no
class meetings, except for the first and last sessions.  Students will instead
utilize electronic bulletin boards on the university's mainframe computer
network to research and discuss issues."

It has been a long time since my college days and I may be hopelessly out of
date on these matters, but why on earth would one conduct any class, and
particularly one on ethics, without any class time?

One of the problems with the computer 'hackers' of today is their isolation
from others in society who might disagree with their point of view.  Allowing
students to 'participate' in a course via a terminal only encourages this
isolation.  While a majority of students might agree on what we would consider
ethical behavior, some will not.  It is important that such students be
subjected to the direct challenge of their classmates.  Group interaction is
critical for this purpose.

I would further suggest that Barger make a point of including in his class,
lectures by people who have suffered negative consequences from the activities
of individuals who do not believe that other computer users have any rights
other than those they grant themselves by building secure systems.  Just as a
judge recently ordered a notorious slumlord to spend time in his own buildings,
people who have a belief system that condones computer hacking should be forced
to face the victims of such activities.

In the case of computer ethics, there is very little that even those of us in
computer security can say is *unambiguously* "right" or "wrong".  There are
activities which we could agree are inconvenient or destructive for other users
of computer systems such as denial of service or erasure of files.  We could
even come up with some empirical evidence of the consequences of these
activities to prove that they are inconvenient or damaging (deadlines missed
because report was erased, man-hours, excuse me, person-hours spent locating
unauthorized code and purging system, etc.)  But I have read quotes from
'hackers' and even some participants in this forum suggesting their firm belief
that anyone who does not protect himself from hacking *deserves* what he gets.
It would seem to me that one of the objectives of an ethics class should be to
modify that point of view.

There are things which may be unambiguously "illegal" (though precious few),
but this is not the same thing at all.  As one who came of age in the '60s, I
can attest to the irrelevance of the legal system to people who believe in
their heart of hearts that the laws are wrong.  If we '60s students had blindly
accepted the notion that whatever is "illegal" is ipso facto "wrong", life
would be very different today.  Clearly, ethics has only a casual relationship
to legality.  The purpose of an ethics course should be to convince students of
the importance of a code of behavior and a social context is essential for
getting that message across.
                                                                      Leslie

The standard disclaimers apply.


Teaching "Ethics"

Eric Roskos <roskos@ida.org>
Wed, 16 Nov 88 16:01:14 EST
> Perhaps if everyone were exposed to ethics courses, beginning in the
> early grades and continuing through computer ethics courses and business
> ethics courses, etc, then it would be clear `in the entire community
> what is and what isn't ethical behavior.'

Unfortunately, this is much more complex than it first appears; I wonder how
many people who recommend "ethics courses" have ever taken an ethics course.

Henry Thoreau once observed that whenever he tried to argue rationally with
someone, the person would agree with him repeatedly up until the time his final
conclusion became evident, at which point the person would vehemently refuse to
accept the conclusion, even though he had accepted all the premises leading to
it.

This is the case with ethics.  People all agree that everyone should behave
"ethically," yet they refuse to agree on what precisely is ethical behavior.
In an Ethics course, the most you can do is discuss ethical paradigms, which
include systems of ethics in which it is entirely acceptable to engage in any
activity that benefits you ("situation ethics" are an example of this).
"Ethics" differs from "a specific set of ethical principles"; after all, "there
is honor among thieves".

This is not to say that I advocate irresponsible behavior; and, in fact, I
attended a college which had a working "honor system" and a working "code of
responsibility," and think they were successful in teaching ethical behavior to
the students.  I just don't think that calling for "ethics classes" is going to
accomplish the desired end.  And I don't think there is enough agreement on
what should be taught to do so.

Note, however, that the ACM has a code of ethics.  Perhaps we should focus on
more effectively conveying it, as I fairly often see people violate it in the
RISKS digest.

Eric Roskos, IDA (roskos@CS.IDA.ORG or Roskos@DOCKMASTER.ARPA)


Re: NSA attempts to restrict virus information

Theodore Ts'o <tytso@ATHENA.MIT.EDU>
Tue, 15 Nov 88 02:45:16 EST
Steve Bellovin noted that the NSA was "exerting a great deal of pressure
to have disassembler output from the virus (to say nothing of C source)
available to as few people as possible...."  He then went on to say that
they were leaning on contacts, such as the president of the university,
etc.  Before people raise their hackles and get up to call the ACLU, I'd
like to make a few points:

First of all, the only incident that I know of where this happened was
at Purdue, where the NCSC (the public arm of the NSA) leaned on the
president to remove a copy of the disassembler output from an anonymous
ftp directory.  They went into hysterics when they thought that a copy
of C source code of the virus had been posted to phage, a mailing list
which has several hundreds of people on it, but they didn't (couldn't)
do anything about it.  (In actual fact, it was only a partial
decompilation of the virus --- about 15-20%.)  In fairness, they were
probably over-reacting after the initial shock/aftermath of the virus.  

If the NCSC has tried suppressing it elsewhere, I'd like to know about
it --- but it seems that Steve was generalizing from only one data
point.  Or perhaps he got the information from the Markoff column in
the NYT recently.  I really think that column was badly written or
perhaps badly edited --- someone apparently did not understand all of
the issues involved.

Secondly, trying to limit the source code to the decompiled virus is a
good thing.  If it were publicly distributed, there's a chance that some
person will find another security hole and just drop it into the virus
``body'' that the source code would provide.  In addition, they might
add some malicious code so that, after 12 hours or so, it would try to
destroy as many files as possible.  Someone might just disable the
fingerd and sendmail hack; the virus might still be able to propagate
far just cracking stupid password choices. 

There are also legal issues: if someone releases the code, and someone 
uses the code to make a really damaging virus, is the person who
released the code liable?  Does someone want to take that risk and find
out the hard way?

In addition, one of my colleagues is currently writing a paper that will 
describe, in detail, all of the algorithms used by the virus.  The paper
will be published for general reading, and should be infinitely more
useful than the actual source code.  That is, there is no legitimate
purpose that would require the source code over the algorithms.   The
only purpose for obtaining the source code itself would be to build
another virus. 

If a determined cracker wanted to make another virus, yes, he could use the
algorithms.  But as the paper will demonstrate, those algorithms weren't the
best anyway, and very little will stop someone that determined.  It appears
that it took RTM at least a few weeks to write it from scratch --- and he knew
Unix fairly well.

Not releasing the source code is intended to stop the ``Freshman Twit''
who knows how to type  `system("rm -rf /");` and `cc`.  Unfortunately,
many universities (including MIT) are connecting to the Internet, and we
get a constant stream of new-comers to the Internet community --- most
of them have only PC programming as their background, and no concept as
to the ethics involved.  Who knows what they might do?

According to a colleague who was at the ``Virus Conference'' at
Washington called by the NCSC, they had agreed with our decision (which
we had made before talking to them) of only distributing the algorithms
and not the source code to the virus. 
                        - Ted


The FBI Wants You (to call if you were virus-ized)

<davy@riacs.edu>
Tue, 15 Nov 88 08:12:57 -0800
The enclosed message was sent to the TCP-IP list.  As per its request
to give it maximum distribution, I am forwarding it to RISKS.  What
with all the speculation on how the FBI is going to (try to)
prosecute, it is useful for its information content as well.

I would strongly urge everyone who wasted their time cleaning up after
this mess to respond.  Regardless of whether you feel Morris (or
whoever) is a hero or a scumbag, it is important to note the last line
of the message - if we want the FBI to help us when something truly
serious happens (and you know it will...), then we had better show
them we're willing to help them now.  Otherwise, they may just ignore
us next time since we were unwilling to cooperate.

--Dave Curry

From: TomZ@DDN1.ARPA
Subject: FBI Contact re: November Internet Virus
Date: 14 Nov 88 05:03:00 GMT

         Were YOU hit by the November Internet Virus?

                      The FBI wants to hear from you!

The Federal Bureau of Investigation is attempting to gather critical
information necessary to pursue this case under the Computer Fraud and
Abuse Act of 1986.  (This is the statute that makes it a federal crime
to penetrate a computer owned by or run on the behalf of the Government.)

The FBI Case Agent has asked the Defense Data Network Project Management
Office to collect the names of organizations and Points of Contact (names
and phone numbers) that were hit by the Virus.  The Defense Communications
Agency has established an E-Mail address for this collection at:

                       INFO-VACC [at] BEAST.DDN.MIL

    Points of Contact should expect to be contacted by their local FBI
    agents for dispositions due to the wide geographical area involved.


                     I * M * P * O * R * T * A * N * T

            The FBI needs this information to pursue the case.

      If we expect their aid in the future, we need to help them now.

PLEASE GIVE THIS MESSAGE MAXIMUM DISTRIBUTION; NOT EVERYONE IS ON "TCP-IP"!

/s/  Tom Zmudzinski, DDN Security Officer    (703) 285-5206


access and authorization

Joe Morris (jcmorris@mitre.arpa) <jcmorris@mitre.arpa>
Tue, 15 Nov 88 17:34:04 EST
In Risks 7:77 Debbus Rears comments:

>   The main problem with making worms/viruses illegal is drafting the laws.
> What is authorized access?  If a friend of mine on Computer "A" gives me his
> password; does that in itself give me authorized access?  Since I am on the
> milnet I can fing, ftp anonymously, send mail to lots of computers.  All of
> these actions I have implied authorization.

There seems to be a problem here in distinguishing between authority to 
access a facility and the authority to perform some action once the access
has been successful.  For example, if I am allowed to go into the stacks of
a library, that does not imply that I have authorization to tear out pages
from books I find there.

Most computer facilities prohibit the use of an account by anyone other than
the individual to whom it was assigned.  Your friend probably had no 
authority to give you the password, and you have no authority to use it.
The fact that you can masquerade as your friend by supplying his userid
and password in no way implies legality of the action.

The TAC access cards from DDN have a section which reads:

   Authorized use of the DDN is limited to the conduct of or support
   of government business.

So if you start a chain of events which you know will involve DDN facilities
(even if you aren't directly connected to it) then your authorization is
limited to activities on behalf of Uncle.  The fact that you're on MILNET
means only that you (supposedly) have authority to be on MILNET.  What
you do once you're there is a different question.


laws of computer evidence

"Barry C. Nelson" <bnelson@ccb.bbn.com>
Tue, 15 Nov 88 20:13:55 EST
How fascinating is this collision of the mathematical with the societal --
where the common law meets the computer (user)! Two recent cases in point...

Does the UK Vehicle Ident system differ much from the already-admissible credit
transaction records? "By the records, something you control (car, credit/ATM
card) was used at that location, so is there any proof it wasn't used by YOU?"

On another topic, the problem facing the FBI may not be so much one of finding
a statute that Morris violated as being able to construct the necessary case
based on acceptable (and attributable) EVIDENCE that he actually broke that law. 

Rules of Evidence indicate that "any printout or other computer output readable
by sight, shown to reflect the data accurately, is an 'original'" for purposes
of demonstrating existence of "writings and recordings" as evidence. 

This implies that copying a program to another computer creates the source of
another "original". If the creation and use of the first original was a crime,
was creation and use of subsequent "originals" also a crime? Only some? Which?

If someone could point me to a good text on the topic, I'd appreciate it.

Barry C. Nelson


Call for comments on uniformity legislation for software

<ark%hoder@CS.RIT.EDU>
Tue, 15 Nov 88 09:51:10 EST
[The message below recently appeared in the Usenet comp.software-eng newsgroup.
Since I think it will be interesting to RISKS participants I have submitted it
verbatim.  -Alan Kaminsky, Rochester Institute of Technology]

    [Please respond directly to Conleth O'Connell and ask that the results
    be made available to RISKS.  PGN]

Conleth S. O'Connell at Ohio State University writes:

I have been asked to get opinions (both positive and negative) on the
feasibility of drafting "uniformity legislation" for software.

Uniformity legislation affects everyone in the U.S. and its
territories equally.  While there may be variances in the law of a
particular state, the fundamental law will be the same everywhere.
For example, uniformity legislation in the U.S. requires that cars
meet certain minimum pollution standards, but individual states are
free to mandate higher standards.

A government committee is now considering if uniformity legislation
for software is necessary, warranted, or desirable.  For example,
should software suppliers be required to warranty their products?
should suppliers be required to inform users of known bugs?  should
bug-fixes be distributed at cost? who should be responsible for
viruses in object code? etc.

If you have an opinion on software uniformity legislation, please
express it publicly, and I will forward your thoughts to one of the
committee members.  If you feel moved to "second" an opinion already
expressed, please send me e-mail.

Thank you,
Conleth S. O'Connell    Department of Computer and Information Science
cso@cis.ohio-state.edu      The Ohio State University
                      2036 Neil Ave. 
                   Columbus, OH USA 43210-1277
