The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 96

Tuesday 20 December 1988

Contents

o Soviets Claim Computer-Virus Shield
PGN
o UNICEF Belated Greetings
David Andrew Segal and Chris Koenigsberg
o Computer Ethics or just Ethics
David Clayton
o Those Who Do Not Learn From History
F. Baube
o Re: Armed with a keyboard and considered dangerous
F. Baube
o Re: Computer Virus Eradication Act of 1988
David Keegel
o Manslaughter caused by computer error
Herman J. Woltring
o New EMI Shielding Material
Earl Boebert
o Info on RISKS (comp.risks)

Soviets Claim Computer-Virus Shield

Peter Neumann <neumann@csl.sri.com>
Mon, 19 Dec 1988 13:15:45 PST
  The Soviet Union said yesterday that so-called computer viruses have invaded
systems in at least five government-run institutions since August, but Soviet
scientists say they have developed a way to detect known viruses and prevent
serious damage.
  In August 1988, a virus infected 80 computers at the Soviet Academy of
Sciences before it was brought under control 18 hours later.  It was traced to
a group of Soviet and foreign schoolchildren attending the Institute's summer
computer studies program, apparently resulting from the copying of game programs.
  Sergei Abramov of the Soviet Academy of Sciences claims they have developed a
protective system, PC-shield, that protects Soviet computers against known
virus strains.  It has been tested on IBM computers in the Soviet Union.  "This
protective system has no counterpart in the world," he said (although the
details remain a state secret).

[Paraphrase of a UPI item in the San Francisco Chronicle, 19 Dec 88, p. A16]


UNICEF Belated Greetings

David Andrew Segal <dasegal@brokaw.LCS.MIT.EDU>
Sun, 18 Dec 88 13:02:52 EST
From the New York Times, Saturday, December 17, 1988 

A computer problem has brought frustration instead of glad tidings to hundreds
of people who ordered Unicef Christmas cards through the organization's
toll-free telephone number.  Many orders have been delayed or lost.

"We have a little bug in the system," said Colin J. Rainsbury, vice president
of the greeting-card division ....

Unicef's direct-marketing manager, Laura A. Colassano, said the organization
had processed more than 90,000 orders in the United States for the cards, ...
She said almost 1,000 people had called about missing orders.

TMI Inbound Inc., a telemarketing agency in Omaha, receives orders from
customers who call 800-FOR-KIDS and transmits the orders to BSA-Fulfillment
Service Inc. in Lakewood, N.J., which fills the orders.  "There's a problem
with the computers speaking to each other," Ms. Colassano said.

[info about refunds...]

David Andrew Segal, Laboratory for Computer Science, MIT

    [Also contributed by Chris Koenigsberg 

Computer Ethics or just Ethics

David Clayton <LCO101@URIACC.BITNET>
Tue, 20 Dec 88 08:18:38 EST
There is a recent book titled "Everything I Need to Know I Learned in
Kindergarten".  I've only read excerpts and this is not a book review but I
thought of the title as I was reading many contributors' comments regarding
ethics for computer users.  What I find interesting is the implicit assumption
that a different (higher? lower? more stringent?  more lenient?) set of ethics
apply to those who by chance or choice work with computers.  Apparently,
because I use a keyboard and stare at a VDT, the rules of right and wrong, the
definitions of proper -vs- improper behavior that were taught me as a child no
longer apply.  For some reason my choice of a profession has somehow rendered
obsolete those rules I (we?) learned in kindergarten about respecting others
and not taking what isn't ours.

We make attempts to wrap common snooping in terms of honor by making claims of
"respecting data" and "exercising the system" to find bugs and point out
weaknesses in design and implementation.  And we ignore or dismiss acts of
thievery and vandalism by faulting the designers and administrators of pilfered
systems.  There is no doubt that systems must be secure, but we don't tear down
the prisons because we can't build thief-proof banks.  Courses in computer
ethics may be an interesting forum for the discussion of ideas but let's not
kid ourselves that these problems are so unique (and by association, we are so
special) that we must be treated differently and so develop a new ethos.

David Clayton; Academic Computing; University of Rhode Island

    The opinions are my own.  I don't know what, or if, the University
    thinks about these things!


Those Who Do Not Learn From History ..

"F.Baube" <fbaube@note.nsf.gov>
Mon, 19 Dec 88 18:04:34 -0500
Some old mail, from one year ago .. Mr Patterson can hardly be blamed for
not foreseeing what no-one else on the Internet did, either ..

And, what does 1989 have in store for Netland ?

------- Forwarded Message

Date: Mon, 21 Dec 87 15:22:26 EST
From: Ross Patterson <A024012%RUTVM1.BITNET@CUNYVM.CUNY.EDU>
Subject: IBM Christmas Virus

>Subject: IBM Xmas Prank {RISKS 5.79}
>(5) Is the Internet similarly vulnerable ?

    Not to  this one.  It  plays on  several things that  the Internet
doesn't have:

   1) A  large number of IBM  VM/CMS systems.  The program  would only
      run in a CMS environment.  There is no reason one couldn't write
      something similar in any other language, though.

   2) A  suitable file transfer  system.  FTP doesn't apply.   It must
      provide a  way for a user  to receive an unsolicited  file, in a
      runnable form.

   3) A good method of determining  targets.  The CMS NAMES and NETLOG
      files provided an excellent source of information.  I suppose in
      a Unix environment, ".alias" and "/etc/aliases" would be ok, but
      .alias  is  comparatively rare,  while  NAMES  files are  almost
      universal in CMS.

Browsing this message is no fun at all.  Just type Christmas ..

------- End of Forwarded Message


Re: Armed with a keyboard and considered dangerous

"F.Baube" <fbaube@note.nsf.gov>
Mon, 19 Dec 88 12:03:36 -0500
Rodney Hoffman (quoting a news article):
> [..] Federal prosecutors also obtained a court order restricting
> Mitnick's telephone calls from jail, fearing he might gain access
> to a computer over the phone lines....

.. and presumably he would whistle at 1200 bps.


Re: Computer Virus Eradication Act of 1988

David Keegel <munnari!murrumbong.cs.mu.oz.au!djk@uunet.UU.NET>
Tue, 20 Dec 88 17:11:03 EST
In Risks 7.92, Jonathan Sweedler wrote:
] In other words, can I break into any computer I want to and look at
] whatever files I want to, as long as I announce I'm there and don't
] cause any harm?  Why do these laws center on causing harm to computers
] and not just illegal/unauthorized entry?

I think we need to be a bit more careful about what "harm" or "loss" means.
For instance, if someone reads your private files, you can say that you have
lost some of your privacy. If someone infects your computer with a "benign"
worm/virus whose only effect is to use a few kilobytes of disk and some CPU
time, you can still claim loss of processing power (assuming someone was
using the machine).

When taken literally, this could even apply to such things as remote
fingering: information is given to the finger program which causes it to
use CPU time on another system. It seems that this cannot be called "loss"
otherwise by running a non-optimised program I am potentially depriving
others of processing power.

On the other hand, to say that loss means loss of data (files) allows a
{h,cr,sn}acker to run a program that may crash your machine. Is there a
clear dividing line between this and using 100% of the CPU? Where could
we draw such a line?

I believe it _is_ important to avoid making laws which prohibit _all_
unauthorised access. Apart from questions about the fuzziness of the word
"authorised" (eg: who is authorised to use "login"?), the important problem
is that you do not allow people to test your security, without previous
authorisation (try to imagine a one-man, part-time "tiger team" :-).

The possible advantages of "hack attacks" and the like have been covered
before, so consider another facet of this: imagine that Joe User (joe@host)
one day mistypes his login name and discovers, by accident, that jo@host has
no password required. He is dropped into Jo Bloggs' shell, without
authorisation from her. Already he has broken the law.

Now (the interesting part), he is faced with the following dilemma: does he
tell jo@host or root@host of this security problem, and face being charged;
or does he keep his mouth closed about the situation? There is now a
definite DISincentive to informing the sysadmins that jo has no password.

As if this weren't bad enough, imagine the hypothetical law made no
distinction between "unauthorised use" and "harm". Since he has already
broken this law, he may as well play around. For instance, to erase
indications of his presence. Or to see who Jo is, and what she is doing.

Admittedly, this is a contrived situation which is highly unlikely in
practice, but the point is that it is possible to use someone else's
account, with absolutely _no_ malicious intent and yet become a criminal.
A more realistic example is the person who is bored waiting for a print-out,
and tries a few <user,password> combinations, or someone exploring some
outside system to see what they can find out about it.

I contend that any legislation must not only charge the guilty, but also
avoid charging the innocent.

        David Keegel    (djk%munnari.oz.au@uunet)
   "Flattery will get you nowhere, unless someone else does it to you"


Manslaughter caused by computer error

<WWTMHJW@HEITUE5.BITNET>
Mon, 19 Dec 88 18:04 N
* * * Software bugs and copyright -- is the author a (re)liable owner? * * *

Six years ago, the Dutch journal Computable reported a case of manslaughter,
attempted manslaughter, and attempted suicide in Western Germany caused by a
computer error.

A print-out error caused a medical insurer to convince a 54-year old woman
that she suffered from a fatal form of syphilis, and that she had transmitted
the disease to her children; in panick, she strangled her 15-year old daughter
and tried to kill her 13-year old son.  The boy escaped, and succeeded in
preventing his mother's death from a drugs overdose.  The Duesseldorf court
dismissed the accusation of murder, laid all blame with the computer error,
and declared the woman unaccountable for her actions.  It is not known whether
any civil liability action followed this tradegy.

Two years ago, a software bug in a (canadian) radiation therapy machine in
Texas caused a number of fatal accidents due to a radiation overdose (cf.
Datamation, May 1987).

It seems that such (re)liability factors were partly responsible for the recent
withdrawal of all software protection proposals in Dutch Bill 19.921 on Com-
bating Piracy of Copyright Works, after which the Bill was passed by the Dutch
House of Representatives on 8 November 1988.  In effect, the software clauses
proposed to exclude so-called "computer programs" (otherwise undefined in the
Bill) from the Dutch equivalent of Section 107 USC ("Fair Use"), under inclu-
sion of a clause rather similar to Section 117 USC.  Unfortunately, insuffi-
cient attention was given to morally acceptable activities as licenced under
anglo-american Fair Use / Fair Dealing (including "reverse engineering" and
analysis in either a profit or not-for-profit context).  In fact, the Bill
attempted to use copyright law for creating trade-secret protection on soft-
ware, as was the case with the French and West-German Copyright revisions of
1985.

Also, it was proposed that programs should have a sufficient PERSONAL
creativity level under the standard doctrine of Dutch case law for copyright
protection.  This caused quite a debate since legal entities may not qualify
for title to "authorship" under such circumstances unless special agreements
are drafted between employer and employee, in view of the moral (personal)
rights under the Berne Copyright Convention (the Universal Copyright Convention
does not recognize any moral rights).  If software can be viewed as a
"writing", no personal creativity requirements exist under the Dutch
"copijreght" doctrine, and the Minister of Justice seems to have desired to
elicit a fundamental debate on "copyrights" for legal entities versus "author's
rights" for natural persons.

At present, the discussion evolves around the June 1988 Green Paper of the
Commission of the European Communities on "Copyright and the Challenge of
Technology", in which a number of questions are posed on all kinds of copyright
works including software and databases.  Important issues are (a) the relation
between software property rights under the pending European Directive on Soft-
ware Protection versus software (re)liability under the 1985 European Directive
on Product Liability, and (b) to what extent a legal entity may claim "author's
rights" under the Berne Copyright Convention with its strong emphasis on moral
rights for natural persons.  In short: is software an impersonal "product" to
be protected under industrial property law, or a personal "service" to be pro-
tected under intellectual property law?

Unlike the anglo-american "work-for-hire" rule, a legal entity's title to
authorship has been a hotly debated issue in continental-european intellectual
property law, pursuant to section 27(2) of the Universal Declaration of Human
Rights (New York, 1948) and to section 15(1)c of the International Covenant on
Economic, Social and Cultural Rights (New York, 1966).  During last year's
"Tripartite Meeting on Salaried Authors and Inventors" organized by the Inter-
national Labour Office in Geneva, no agreement could be reached on this issue.

If the natural author is the legal author under the Berne Convention, it stands
to reason that he is also liable for any errors caused by "his" work, notwith-
standing his employer's title to (and liability for) the pure information/ideas
underlying "his" work.  Here, the relation between (objective, impersonal)
information/ideas/contents which are NOT protected under traditional copyright
and the form/expression of the work which are protected under copyright is at
stake, and it is of interest that recent publications in the field of intel-
lectual property law attempt to shift the boarderline of copyright into pure
information, despite the USA's First Amendment and various international in-
struments that purport to protect "Freedom of Information".  From a liability
point of view, this makes sense, since each individual is morally (and materi-
ally?) responsible for what he decides to publish, whether it is a highly per-
sonal recipe for making a nuclear device or an objective method fur curing can-
cer.  From a scientific point of view, one may argue just the opposite.  At any
rate, private property rights and public information rights should remain in
balance, as the Dutch events have demonstrated.

A paper "Going Dutch between Copyright and Droit d'Auteur" on some of these
issues will appear in Computer Law & Practice (London) 5(1988)2 [special issue
on the European  Communities' Green Paper].

Herman J. Woltring

Study-committee on Software and Chips Protection, Netherlands Association for
Computers and Law, wwtmhjw@heitue5.bitnet,  na.woltring@na-net.stanford.edu

Biomedical & Health Technology            Software Engineering Department
Eindhoven University of Technology        Philips Medical Systems
The Netherlands                           The Netherlands

[A disclaimer indemnifying an employer or other party is not required under
 the Berne Convention!]

   [The Duesseldorf case is in SIGSOFT Software Engineering Notes (SEN) 10 3
   1985, and the Therac 25 radiation therapy case is discussed in SEN 11 3 and
   12 3, 1986 and 1987, respectively.]


New EMI Shielding Material

<Boebert@DOCKMASTER.ARPA>
Tue, 13 Dec 88 13:56 EST
I just had an opportunity to examine a description and a sample of a new EMI
shielding material called SAFENSHIELD from International Paper.  This is a
nonwoven fabric that looks a lot like the old "silkspan" we used to cover model
airplanes in days of yore ...  also the material teabags are made out of.  The
fabric has an embedded metallic substance which provides the shielding; can be
put up like wallpaper, does not require bonding, and comes in two grades; the
heavy grade is about $2.25 a square foot in small quantities, and is
solderable.  Attenuation specs look impressive.  Brochure states that it is
being used to shield Pontiac Fiero radios from ignition emissions.  It must be
a pretty new material because it is being sold from the corporate research
center instead of a product division of International Paper.  Point of contact
in brochure is David Diermeier, (914) 577 7447.  I don't know anything about
this stuff except what is in the sales literature, but if it lives up to its
specs it sure looks like a cheap and easy countermeasure to a variety of EMI
RISKS.

Please report problems with the web pages to the maintainer

Top