The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 33

Thursday 2 March 1989

Contents

o Viruses and the comics
Jack Holleran
Hope Munro
o Hacking in the movies -- Working Girl
Martin Minow
o Re: British Computer Society policy statement
Clifford Johnson
o Hacking and Computer Fraud in the U.K.
Brian Foster
o Re: Knowing probability just doesn't make a difference...
Henry Spencer
o Reach Out and Spy on Someone
Pete McVay
Douglas Jones
Emily Lonsford
o New Sprint Card
Will Martin
o US missile-warning radar endangers friendly aircraft
Ken Arnold
o Error free code and ancient systems
Bill Francis
o Info on RISKS (comp.risks)

viruses and the comics

Jack Holleran <Holleran@DOCKMASTER.ARPA>
Wed, 1 Mar 89 13:30 EST
  A comment on Brent Laminack's observation in RISKS-8.32 concerning the
discussion of computer viruses in RISKS-8.31.

  > Is the comics page where most of the population will get most of
  > its information about viruses?

  If our goal is to make sure the population understands the concept of a virus
correctly, AND if we perceive that the population reads comics, why not educate
some of the cartoonists with the correct perceptions and give them some ideas?

  If a person understands the concept, does it matter whether the principle
was learned from school or from the comic strips?
                                                    Jack Holleran
(Disclaimer:  My opinions only!)


viruses and comics

<Hope.Munro@mac.Dartmouth.EDU>
01 Mar 89 21:08:10
>Is the comics page where most of the population will get most of its information
>about viruses?

Apparently so! I clipped a strip out a few weeks ago which was an installment
of Bloom County.  It depicts Oliver coughing and wheezing, with a head swollen
to resemble his Banana 6000 terminal.  Then he remarks "computer virus".  End
of panel.  Has anyone seen any other examples of viruses in the comic pages?  A
possible topic for the next issue of Detective Comics?  Let's see the Dark
Knight battle these dastardly villains!
                                                       - Hope
Hope.Munro@mac.dartmouth.edu


Hacking in the movies -- Working Girl

Repent! Godot is coming soon! Repent! <minow%thundr.DEC@decwrl.dec.com>
2 Mar 89 08:26
The current (and quite popular) movie "Working Girl" shows two instances
of unethical access to computers, both by the heroine, and both praised:

-- after being put-upon by her boss, she turns to her terminal and pounds
   briefly on the keyboard.  Immediately, the stock-ticker display that
   circles the room shows a message describing, in somewhat negative and
   explicit terms, his ability to perform sexually.

-- subsequently, she accesses the "personal and confidential" files of
   her new manager's home computer.

Of course, the bosses are nasty, evil creatures and she is the beautiful
heroine who marries the handsome prince; so they deserve what they get.

Martin Minow


Re: British Computer Society policy statement

"Clifford Johnson" <GA.CJJ@Forsythe.Stanford.EDU>
Thu, 2 Mar 89 11:11:55 PST
> From: Martyn Thomas <mct@praxis.UUCP>
> The BCS recently issued the following policy statement...
> We would welcome constructive criticism of this policy ...
>
> 11 The BCS wishes to emphasise that there is no evidence that
> current SRCS pose a serious threat to the public.  There is
> therefore no cause for alarm, ...

I suggest replacing point 11 with:

  11  The BCS wishes to emphasise that there is some evidence that
  current SRCS pose a serious, growing threat to the public.  There
  is therefore some cause for alarm, ...

In other words, I think the policy statement seriously errs in steering its
course of responsibility with a *political* caution that in the present
social/military context is unfortunately irresponsible.  I think public panic
is a negligible risk (and might in any case be a beneficial one).  Everybody knows
that the world's ecology is headed for disaster at rapid rate, but it's
difficult to get anyone to care enough even to inform themselves further, let
alone to vote to reverse it, let alone to panic.

I think it's not responsible to announce there's "NO evidence" of dangers.
Planes fall out of the sky; in medicine, brains are accidentally fried; the
innocent are jailed; etc.; because of software bugs.  Meanwhile, back at the
ranch, a thousand multi-warheaded ICBMs are poised on a computerized
hair-trigger, ready for instant launch on receipt of a brief, encrypted launch
instruction.  If those who are supposed to sound alarms say there's no evidence
warranting alarm, who will listen closely to the accompanying advice?  If an
alarm is sounded, some people may listen, but panic is most improbable.  In my
opinion, the public needs to be woken up pretty badly.

Could it be that the BCS statement is directed at management and
industrialists, who would be "turned off" by forthright criticism that
threatens an uncomfortable degree of change, rather than at the public, who
would welcome frankness?


Hacking and Computer Fraud in the U.K.

<blf@scol.UUCP>
Wed Mar 1 16:02:53 1989
        Outlaw Computer Hacking -- CBI
        Peter Large, Technology Editor
                (1 March 1989 Guardian newspaper)

  Computer hacking should be made a criminal offence, the CBI said yesterday.

  The employer's organisation said it was vital to secure a stable base for
computer development, since computers played a major part in the nation's
economic competitiveness and "social well-being".  Computer buffs were
increasingly gaining unauthorised access to confidential information held by
banks and other companies in computer databanks, it said.

  Much computer fraud is hidden by firms, but the conservative consensus
estimate is that the cost to British business is at least £30 million a year.

  But computer disasters, caused by software failures, fire and power failures,
are reckoned to cost about ten times that.

  The CBI, in its response to the Law Commission's paper on computer misuse,
made six proposals:

 * Hacking cases should be tried by jury;

 * The concept of "criminal damage" should cover computer programs and data and
attacks by computer viruses (rogue programs that can disrupt or destroy data);

 * Laws should be harmonised internationally so that hackers cannot operate
across country boundaries;

 * The offence of obtaining unauthorised access should include non-physical
access, such as computer eavesdropping;

 * Even unsuccessful attempts to hack should be subject to criminal sanctions;

 * The value of confidential commercial information should be protected by
civil remedies for loss or damage caused by hackers.

  The US, Canada, Sweden, and France have outlawed hacking, but it is not an
offence in Britain unless damage is done, such as fraud or theft.  Last week
the Jack Report on banking law proposed outlawing the hacker.  The Law
Commission has produced a discussion document and is to make firm proposals
later this year.  

Brian Foster, The Santa Cruz Operation, Ltd., London


Re: Knowing probability just doesn't make a difference...

<henry@utzoo.UUCP>
Thu, 2 Mar 89 13:20:33 -0500
  >"... earlier in the year an eagle penetrated the cockpit of an Ethiopian
  >727, breaking the copilot's leg and damaging flight controls...."

It's worth remembering, also, that there's always an unknown risk lurking
around a corner somewhere.  A few months ago, a 747 diverted to Gander after
something hit the nose radome and mashed it in, disabling the weather radar.
This was first thought to be a simple birdstrike, albeit a rather large bird
(possibly a goose :-)).  The trouble is, it happened at 33,000 feet!  In the
absence of major mountains nearby, that is an *extremely* high altitude for any
bird, especially a big one.  Flight International's most recent yearly summary
of commercial flight accidents gives the explanation for that one as "hit
unknown object at 33,000 ft.".
                                     Henry Spencer at U of Toronto Zoology


Comment: Reach Out and Spy on Someone

Pete McVay, VRO3-2/E8, 273-5339 <mcvay%tnt.DEC@decwrl.dec.com>
2 Mar 89 07:24
 Back in the days when terminals were hardwired to mainframes and VMS was very
new, I was a part-time system manager for a VAX/VMS in a course development
group.  I needed to know critical information at times, such as what programs
and tasks were being run, so I could tell if it was safe to reboot the system or
perform other nasty system-management-type tasks.  I wrote an enhancement to
the "SHOW USERS" command which included the user name, image being executed,
amount of logon time, location of the terminal, and other useful tidbits.  By
running this program I could find out what jobs were being done by whom, and
give them phone calls if necessary to see if it was okay to tune the system.

 Some users quickly discovered that the program was useful for spying on each
other.  Two (of about thirty) users were using the program to see what images
were being run, and were reporting users to management by name, claiming they
were abusing the system and hogging valuable resources.  Games were a favorite
target, but major file copy operations and MAIL readings also came under attack.

 My philosophy was (and is) that users are generally responsible persons and
should be consulted in all system policies.  I was also chagrined that my
"innocent" program was now a major police tool.  I removed my program from the
system and deleted all sources.  Unfortunately, backups were religiously done;
these two users convinced management that the program was necessary, so it was
restored.  I resigned my system management duties in protest.  The consequence
was a continuing war on the system, with users hiding the names (or images)
they were running and the new system manager continually trying to ferret out
subterfuge, with stiffer and stiffer penalties...but that is past the scope of
this note.

 Seeing these new spy programs raises the old issues for me.  I can see
their benign intent and usefulness.  Unfortunately, like guns, they become
dangerous and abusive in the wrong hands.


Reach out and spy

Douglas Jones <jones@herky.cs.uiowa.edu>
Tue, 28 Feb 89 11:25:29 CST
We in the computer field forget our past extremely quickly.  The Sunday, 26 Feb
comments of odyssey!gls@att.att.com about the RADIO program on the SDS Sigma
system at Harvard illustrate this, but there are even earlier illustrations.

I used Com-Share's version of the Berkeley Timesharing System on the SDS 940
back in 1968.  This had a talk/monitor facility that was used by Com-Share's
consultants for on-line user assistance.  As highschool students, we weren't
allowed to use it, but I saw our teacher use it once.

In 1973, the University of Illinois had a talk/monitor mechanism on their PLATO
system.  This was a Computer Based Instruction system, and the instructor of a
course was expected to be able to monitor any students under their charge.
When the system was used outside the instructional context, the "reach out and
spy" potential was very real.  The developers of PLATO were careful to make
talk/monitor use between peers secure -- only after two users had established
a conversation through talk could one let the other monitor his or her screen.

Both the Com-Share and PLATO systems had nation-wide user communities, and
unlike odyssey!gls@att.att.com, I don't remember any concern about FCC
regulations limiting the use of talk facilities.


Reach out and spy on someone

Emily Lonsford <m19940@mwvm.mitre.org>
Tuesday, 28 Feb 1989 10:31:50 EST
There are other products that allow the 'monitor' to watch what the terminal
operator is doing - notably CVIEW on VM and a product by Clyde Digital Systems
on the VAX.  CVIEW at least has an internal ID/password scheme, which of course
should be enabled.  And it gives a warning message to the person being watched
but it's not clear enough for the novice "spy-ee."

I once worked for a utility company that had a couple of hundred customer
service operators (using 2260 terminals...it was a long time ago!) and their
supervisors could listen in on their phone conversations to make sure that
they were doing their jobs and being polite, etc.  The operators could also
signal for assistance if the customer became irate.  But the real use was for
performance monitoring.  Either it was a condition of the job, or it didn't
occur to anyone to complain about invasion of privacy, which it surely was.
There are a lot of parallels between this and the 'spy' products.

On the other hand, a case could be made that the "owner" of the system has a
right to know what it's being used for; for example, no fair using your PC at
work to do your resume or run a business on the side.

Clearly there has to be some reasonable middle ground.  For myself, if it's
so sensitive or private, it's encrypted or on a floppy and locked away.
*      EMILY H. LONSFORD,  MITRE - HOUSTON W123  (713) 333-0922
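The consent rule Douglas Jones describes for PLATO (a peer may watch your screen only after the two of you have opened a talk session and you have then explicitly allowed it) and the warning CVIEW gives the watched user, which Emily Lonsford finds too easy for a novice to miss, are both small enough to model in code. The following is an added example written for this digest; it is not PLATO, CVIEW, VMS or Clyde Digital code, and every class, method, user name and message in it is an assumption for illustration. It also shows the two properties Pete McVay's story calls for: consent is one-directional, and it dies with the conversation it was given in.

```python
"""Consent-gated screen monitoring with an unmistakable notice to the watched user.

Added example, not PLATO, CVIEW or VMS code.  Models the PLATO talk/monitor rule
(monitor only after a talk session, and only with the watched user's say-so) plus
a CVIEW-style warning to the person being watched.  All names are assumptions.
"""
from dataclasses import dataclass, field


class MonitorDenied(Exception):
    """Raised when a monitor request lacks the watched user's consent."""


@dataclass
class MonitorBroker:
    # frozenset({a, b}) for every talk session currently open
    talks: set = field(default_factory=set)
    # (watched, watcher) pairs for which consent has been given; one direction only
    grants: set = field(default_factory=set)
    # messages delivered to each user's own screen
    notices: dict = field(default_factory=dict)
    # audit trail of every monitor attempt, granted or denied
    audit: list = field(default_factory=list)

    def open_talk(self, a: str, b: str) -> None:
        self.talks.add(frozenset((a, b)))

    def close_talk(self, a: str, b: str) -> None:
        """Ending the conversation revokes any monitor consent given inside it."""
        pair = frozenset((a, b))
        self.talks.discard(pair)
        self.grants = {g for g in self.grants if frozenset(g) != pair}

    def allow_monitor(self, watched: str, watcher: str) -> None:
        """Consent is accepted only from inside an open talk between the two users."""
        if frozenset((watched, watcher)) not in self.talks:
            raise MonitorDenied(f"{watched} and {watcher} have no open talk session")
        self.grants.add((watched, watcher))

    def is_monitoring_allowed(self, watcher: str, watched: str) -> bool:
        return (watched, watcher) in self.grants

    def start_monitor(self, watcher: str, watched: str) -> str:
        """Begin watching; the watched user is told, in plain words, who is looking."""
        if not self.is_monitoring_allowed(watcher, watched):
            self.audit.append(("denied", watcher, watched))
            raise MonitorDenied(f"{watched} has not allowed {watcher} to monitor")
        notice = f"*** {watcher} IS NOW VIEWING YOUR SCREEN ***"
        self.notices.setdefault(watched, []).append(notice)
        self.audit.append(("monitor", watcher, watched))
        return notice


def demo() -> dict:
    """Walk through the flow with constructed users and report each outcome."""
    broker = MonitorBroker()
    out = {}
    try:                                    # cold request: no talk, no consent
        broker.start_monitor("snoop", "alice")
        out["cold_request"] = "allowed"
    except MonitorDenied:
        out["cold_request"] = "denied"
    try:                                    # consent offered outside a talk
        broker.allow_monitor("alice", "bob")
        out["consent_without_talk"] = "accepted"
    except MonitorDenied:
        out["consent_without_talk"] = "refused"
    broker.open_talk("alice", "bob")         # both users are now in conversation
    broker.allow_monitor("alice", "bob")     # alice lets bob see her screen ...
    out["bob_can_watch_alice"] = broker.is_monitoring_allowed("bob", "alice")
    out["alice_can_watch_bob"] = broker.is_monitoring_allowed("alice", "bob")
    out["notice"] = broker.start_monitor("bob", "alice")
    broker.close_talk("alice", "bob")        # hanging up revokes the grant
    out["after_hangup"] = broker.is_monitoring_allowed("bob", "alice")
    out["audit"] = list(broker.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list is what a system manager in Pete McVay's position would want instead of a silent SHOW USERS clone: every attempt, successful or not, is recorded with who asked to see whom.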


New Sprint Card

Will Martin -- AMXAL-RI <control@ST-LOUIS-EMH2.ARMY.MIL>
Wed, 1 Mar 89 14:54:22 CST
The following is from the "Federal Bytes" column on the last page of Federal
Computer Week, Feb. 13 '89:

  PHONE ID

  US Sprint announced last week at Comnet that it is testing a telephone
  calling card that is activated only by the card holder's voice.

  Fred Lawrence, Sprint's executive vice president for network development,
  said the Voicecard would work a little like the company's Foncard: Callers
  dial the phone number printed on the card, adding a second number such as a
  birthdate, and then give a two-second verbal password. Sprint equipment
  compares the voice print with one that is on record. The call goes through
  only if the voice prints match, Lawrence said.

  Sprint plans to evaluate its test results this spring to determine whether
  there is a market for the card.

What isn't clear, of course, is if you go through all this before you can
actually begin to dial the number you are trying to call. Maybe this is a way
to call an 800 number and then get into a mode so that you can make a series of
calls authenticated by the initial voiceprint signon process. It seems a lot of
overhead for a single short call. If the card has a magstripe and you run it
through a reader on the phone, and then only have to speak your "password"
phrase before dialling the number you want to reach, it won't be too bad.

I wonder how easily the user (or a cracker) can change the voice "password" (if
at all), and the actual degree of matching that is performed on it. How will
noisy environments (airports, etc.) affect the recognition/verification
process? Anybody out there participating in this test? Please post your
comments and evaluation!

Regards, Will Martin   [Will sent this to another list as well.  Please respond
                       to HIM and we'll let him collect the responses in an
                       orderly fashion...  PGN]
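Will's questions about the "degree of matching" and about noisy environments are questions about a threshold on a similarity score, and the tradeoff can be made concrete without knowing Sprint's feature extraction. The following is an added example, not Sprint's Voicecard implementation, whose matching rule the column does not describe: voices are stood in for by constructed 64-element feature vectors, noise by Gaussian perturbation, and the match score is cosine similarity against a template averaged from several enrollment utterances. The dimensions, noise levels and both thresholds are assumptions chosen to make the tradeoff visible.

```python
"""Threshold-based voiceprint verification on constructed feature vectors.

Added example, not Sprint's Voicecard.  Shows why the threshold matters: a
strict one rejects the genuine card holder calling from a noisy airport, a
loose one lets more noise through but still has to keep strangers out.
All vectors, noise levels and thresholds here are assumptions.
"""
import math
import random

DIMS = 64  # assumed size of one voice feature vector


def cosine_similarity(a, b):
    """Cosine of the angle between two equal-length vectors, in [-1, 1]."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


def enroll(utterances):
    """Build the stored template by averaging several enrollment utterances."""
    n = len(utterances)
    return [sum(u[i] for u in utterances) / n for i in range(len(utterances[0]))]


def verify(template, utterance, threshold):
    """Return (accepted, score); accept only if the score reaches the threshold."""
    score = cosine_similarity(template, utterance)
    return score >= threshold, score


def with_noise(vector, sigma, rng):
    """Simulate one utterance captured with Gaussian channel/background noise."""
    return [x + rng.gauss(0.0, sigma) for x in vector]


def simulate(seed=1989):
    """Score three constructed callers against two thresholds (seeded, so repeatable)."""
    rng = random.Random(seed)
    # Constructed "true" voices of the card holder and of an unrelated caller.
    holder = [rng.uniform(-1.0, 1.0) for _ in range(DIMS)]
    stranger = [rng.uniform(-1.0, 1.0) for _ in range(DIMS)]

    # Enrollment: three clean recordings of the holder, averaged.
    template = enroll([with_noise(holder, 0.1, rng) for _ in range(3)])

    samples = {
        "quiet_room": with_noise(holder, 0.1, rng),   # holder, quiet phone booth
        "airport": with_noise(holder, 0.5, rng),      # holder, noisy concourse
        "impostor": with_noise(stranger, 0.1, rng),   # someone else, quiet room
    }
    thresholds = (0.9, 0.5)                           # strict vs. loose matching
    return {
        name: {thr: verify(template, sample, thr) for thr in thresholds}
        for name, sample in samples.items()
    }


if __name__ == "__main__":
    for name, by_threshold in simulate().items():
        for thr, (accepted, score) in by_threshold.items():
            verdict = "ACCEPT" if accepted else "REJECT"
            print(f"{name:11s} threshold={thr:.1f} score={score:.3f} {verdict}")
```

With these numbers the strict threshold falsely rejects the holder at the airport while the loose one admits them; the stranger scores near zero either way, so the loose setting is only safe against unrelated voices, not against a recording of the holder, which this score cannot distinguish from the holder at all.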


US missile-warning radar endangers friendly aircraft (Re: RISKS-8.28)

Ken Arnold <arnold@apollo.com>
Sat, 25 Feb 89 19:54:59 EST
Jon Jacky submits:
>A DEFENSE RADAR MUST TURN OFF AS PLANES LAND - AIR FORCE FEARS SYSTEM
>COULD TRIGGER A BLAST  (no author given)
> ...
>The interruptions are to avoid accidental detonations of tiny explosive 
>charges found in virtually every military weapons system and in the planes 
>and ships that deliver them.

Doesn't one wonder what one's enemy could do with this data?  Imagine -- all
they have to do is build large radar installations, and, at no extra charge,
they can cause incoming weapons to blow themselves up (or otherwise interfere
with their systems).  Once again, the more sophisticated technology is also
vulnerable in unexpected ways.
                                    Ken Arnold


Error free code and ancient systems

"Francis,Bill" <RISKS@GRIN1.BITNET>
Thu, 2 Mar 89 15:58:31 cdt
In a recent issue of RISKS, Bob Wilson cites a Datamation (Feb 15, 1989,
p.53,56) article that reports on "error-free" code developed by IBM for
the space shuttle.  Bob points out several fallacies of the article, let
me add this comment ....

The low error rates cited were achieved largely because the programmers
worked on an ancient, and stable, hardware platform (IBM 360) for years
and years!

How many programmers have the luxury of such stability in the commercial
market and in most of the defense market?

The tradeoffs between error rates and computer power are obvious.

Bill Francis, Noyce Computer Center, Grinnell College, Grinnell, Iowa
