The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 41

Monday 20 March 1989

Contents

o 20+ year, $100+ million Army software project
Jon Jacky
o Formal methods to be applied in Australian railroad switching
Jon Jacky
o Error in updating new specifications for call-routing
Pertti Jarvinen
o Risks of Registering Shareware
A. Lester Buck
o Risks of helpfulness
Jerome H Saltzer
o Remote Smart-Cards
Ian W Moor
o Re: so-called multi-gigabuck theft of information
Mark Brader
o Re: NASA to replace top-level personnel with Expert Systems
Robert English
o Meter Readers an Endangered Species?
David K. Black
o Security of Electronic Mail
Karl Lehenbauer
o Star Trek computer virus
Colin P.
o Info on RISKS (comp.risks)

20+ year, $100+ million Army software project

Jon Jacky <jon@june.cs.washington.edu>
Fri, 17 Mar 89 17:15:06 PST
In view of all the postings a while back about runaway software projects,
I found very interesting these excerpts from GOVERNMENT COMPUTER NEWS, 
Feb. 20, 1989, p. 59:

ARMY TO CONVERT `CENTRAL NERVOUS SYSTEM' TO ADA by Karen D. Schwarz

The Army issued a request for information last month to convert its
All Source Analysis System (ASAS) to Ada code.  ...  ASAS is being 
developed by the Joint Tactical Fusion Program Management Office (JTFPMO)
on behalf of the Army and the Air Force.  It has been in development for more
than 10 years. ...

More than 800,000 lines of code have been written in FORTRAN 77 so far.
The project is expected to begin using Ada code in fiscal 1991.  By that
time, more than 1 million lines of FORTRAN 77 code also will have been 
written.

A document detailing JTFPMO's major programs refers to ASAS as the "central
nervous system" guiding field commanders in battle.  ASAS is a key component
of the Army Command and Control System and will automate command and control
of intelligence/electronic warfare operations.  ASAS will fuse raw battlefield
data into intelligence for analysis on a workstation.  The services can then
distribute resulting information to battlefield commanders, fire support
elements and the Air Force to help control electronic warfare equipment. ...

The project is scheduled to be completed sometime after the year 2000. 
Although he would not estimate the total costs of the program, deputy
for plans and integration at JTFPMO Bennet Hart said software costs alone
might exceed $100 million over the life of the contract. ...

The JTFPMO has received many replies to the request for information, Hart 
said.  "Response from industry has been very good.  No one is conspicuous by
their absence."

The Jet Propulsion Laboratory (JPL) in Pasadena, Calif., currently holds a 
contract for the first phase of the project.

- Jonathan Jacky, University of Washington


Formal methods to be applied in Australian railroad switching

<JON.JACKY@GAFFER.RAD.WASHINGTON.EDU>
17 Mar 1989 16:49:02 EST
Here are excerpts from ELECTRONICS ENGINEERING TIMES, Feb. 20 1989, p. 28:

High-integrity uP wins first big order: Railroad signals go-ahead for Viper
by Roger Woolnough

Worcester, England --- In the first significant order for the chip, the
Australian National Railways Commission has placed a contract for signaling
systems incorporating Viper to control two long-distance rail routes.  ...

Viper is a 32-bit RISC device designed to overcome the shortcomings of
conventional microprocessors, which can be unreliable in safety-critical
applications because they can perform in unpredictable ways.  The design
of Viper was undertaken using formal mathematical methods and was then
subjected to a series of formal proofs to ensure that the implementation
conforms to the design specification. ... 

In Australia, the contract to develop and supply railroad signaling equipment
using Viper was won by Teknis Systems (Australia) Pty. Ltd.  Support was
provided by Charter Technologies Ltd. (the British Viper specialist), and
the two companies believe that proposing Viper as the system processor was
a major factor in Teknis being chosen against strong competition.

The contract is to design and supply signaling for automatic crossing sections
on the Trans Australian and the Central Australian rail routes, operated
by the Australian National Railways Commission, a federal government statutory
authority. ...

The installations will include trackside equipment, systems on board trains,
radio links and a computer-controlled center in Adelaide. ...

Formal methods will be used throughout the development. ... Charter
Technologies is sponsoring a study by the Department of Engineering in the
University of Warwick, England, into the use of formal methods for railroad
signalling. ...

Railroad signalling systems around the world are based on concepts of
interlocking and routing which have developed over the past 150 years.  The
first-class safety record of railroads is due to a large extent to the rigor of
the regulations.

The aim of the joint study by Charter Technologies and Warwick University is to
consider whether the well-established rules can be formulated in a mathematical
way, so as to suit the increasing use of computer-controlled interlocking and
routing.  ... It will consider the application of the specification language
HOL developed at the University of Cambridge, England; programming in subsets
of computer languages such as Pascal; and the use of Viper. ...

- Jonathan Jacky, University of Washington


Error in updating new specifications for call-routing

from Pertti Jarvinen, Finland Mon, 20 Mar 89 08:43:56 +0200
The Finnish Post and Telephone office was on March 6 changing call-routing
specifications in one of three main computer-controlled switches at Helsinki,
the capital of Finland. Some of the necessary changes were forgotten.  As a
result, traffic via the switch was broken for two hours. The error was located
and corrected in six hours. Domestic calls were rerouted via the two correctly
functioning switches. But some international calls, for example to Canada,
Portugal, Iran, Turkey and Cyprus, were completely blocked.

As a remedy to prevent similar errors in the future, systems analysts propose
a programmed check that all the necessary changes have been implemented.
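One way to realize the programmed check the analysts propose, as an added example that is not part of the original report (Python; the routing tables and the change plan are constructed, and the prefix-to-trunk table format is a hypothetical simplification):

```python
"""Verify that a planned routing-specification change was fully applied.

Added example, not from the RISKS report or the Finnish PTT.  A change
plan lists operations against a switch's prefix -> trunk routing table;
after the update, verify_update() names every planned operation that did
not take effect and every unplanned difference, so a forgotten change is
caught before traffic is cut over.  All tables below are constructed.
"""
from copy import deepcopy

# Constructed routing table before the update: dialled prefix -> trunk
BEFORE = {"1": "trunk-na", "351": "trunk-eu", "98": "trunk-me",
          "90": "trunk-me", "357": "trunk-me"}

# Constructed change plan: ("set", prefix, trunk) or ("delete", prefix)
PLAN = [("set", "1", "trunk-na2"), ("set", "351", "trunk-eu2"),
        ("set", "98", "trunk-me2"), ("set", "90", "trunk-me2"),
        ("delete", "357")]

def expected_table(before, plan):
    """Derive the table that a complete application of the plan yields."""
    table = deepcopy(before)
    for op in plan:
        if op[0] == "set":
            table[op[1]] = op[2]
        elif op[0] == "delete":
            table.pop(op[1], None)
        else:
            raise ValueError(f"unknown operation {op[0]!r}")
    return table

def verify_update(before, plan, after):
    """Return (missing, unplanned).

    missing   - planned operations whose effect is absent from `after`
    unplanned - prefixes that differ from the expected table for some
                other reason (a stray edit, or a typo in a prefix)
    """
    want = expected_table(before, plan)
    missing = [op for op in plan
               if (op[0] == "set" and after.get(op[1]) != op[2])
               or (op[0] == "delete" and op[1] in after)]
    touched = {op[1] for op in missing}
    unplanned = sorted(p for p in set(after) | set(want)
                       if p not in touched and after.get(p) != want.get(p))
    return missing, unplanned

# Constructed outcome of a partial update: two planned changes were skipped
# and one prefix was edited that the plan never mentioned.
AFTER_PARTIAL = {"1": "trunk-na2", "351": "trunk-eu2", "98": "trunk-me",
                 "90": "trunk-me2", "357": "trunk-me", "44": "trunk-eu"}

if __name__ == "__main__":
    missing, unplanned = verify_update(BEFORE, PLAN, AFTER_PARTIAL)
    print("missing:", missing)      # the forgotten 98 and 357 changes
    print("unplanned:", unplanned)  # ['44']
```

A non-empty result from either list is the signal to hold the cut-over; the check costs nothing compared with two hours of lost traffic.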


Risks of Registering Shareware

<@sri-unix.UUCP, @rutgers, @texbell, buck%siswat@moray>
Wed, 8 Mar 89 03:38:55 EST
I just sat through a user's group demo of a new shareware package called
BackMail, which is a background electronic mail package for MS-DOS.  It is a
slick program with many fine features for supporting local and long-distance
mail networks.  The authors were leery of the standard shareware registration
procedure.  Quoting from the BackMail Newsletter:

    "The problem was that the whole process of payment
    was so cumbersome.  If only there was a simple way to
    communicate one's payment... Hold it!  Communication is
    just what BackMail was about.  We had the first program
    that could be used to _literally_ pay for itself!
    And so TeleWare was born."

Yes, your copy of BackMail is registered by filling in a screen
with your credit card information and the program automatically
calls an 800 number to deliver the information.  And most users
will register ($30), since BackMail asks you to register on every
fourth access of the program's main functions, and complains for
twenty seconds if you don't register.

The risks of this scheme for freely redistributable shareware are
obvious, from simply patching the stored 800 number to saving the
credit card information and making one "extra call" at the
program's convenience.

A. Lester Buck      ...!texbell!moray!siswat!buck


Risks of helpfulness (RISKS-8.40)

Jerome H Saltzer <jhs%computer-lab.cambridge.ac.uk@NSS.Cs.Ucl.AC.UK>
Mon, 20 Mar 89 11:03:05 gmt
> intruders got into AT&T systems by being talked through the sign-on 
> procedures by AT&T help desks!
>                                     Henry Spencer at U of Toronto Zoology

The specific incident may not have been mentioned in RISKS, but the general
technique is widely enough known that it is casually mentioned in the hacker
periodicals (such as the magazine "2600") when they run an article of tips for
beginners.  If you are having trouble getting into someone's system, call up
their consulting office and act like you are authorized but encountering
unexpected trouble logging in; often someone there will give you just the clues
you need.
                    Jerry Saltzer


Remote Smart-Cards

<iwm@doc.imperial.ac.uk>
Mon, 20 Mar 89 04:17:24 PST
Background:
A bill to require all major football (Soccer) grounds in the UK to require
a valid machine readable membership card before admitting a spectator is
currently going through Parliament. The clubs will be given lists of people who
should not be admitted; the object is to stop violence in the grounds. 

Several objections have been raised - 
Civil Liberties:
 People object to having to carry the cards, and to having football clubs 
 provided with information about them.
Practicalities:
 The card readers, turnstiles, or the computer controlling them may fail,
 leaving thousands of angry fans outside. 

Last month New Scientist carried an item describing a proposed solution, 
remotely readable and writeable smart-cards. (In this case the card has to be 
writeable to prevent it being passed over the fence and used again.) The cards
are made by Plessey and  the read/write range is quoted as about a meter;
power is taken from the signal. 

Consider the risks: the card can be read (AND WRITTEN) without you knowing and
without your control. Obviously the card could check that it was being 
interrogated by a legal reader using some kind of validation (public key 
challenge and response?) but there will be a limit to how much processing
the card can do and as the reader has to broadcast to activate the card, it
may be very easy to record a dialog and spoof either the card or reader.

Ian W Moor,  Department of Computing,  Imperial College, 180 Queensgate,
London SW7 UK   UUCP: uunet!mcvax!ukc!icdoc!iwm  JANET: iwm@uk.ac.ic.doc
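An added example (not from the post, and not Plessey's design) of the challenge-and-response the post sketches. It assumes each card shares a secret with legitimate readers and uses HMAC-SHA256 as a stand-in for the public-key validation the post speculates about; the point is that a fresh nonce from each side leaves a recorded dialog useless against either a new reader session or a newly activated card:

```python
"""Mutual challenge-response between a contactless card and a reader.

Added example, not from the RISKS post or Plessey's design.  It assumes
each card shares a secret key with legitimate readers and uses HMAC-SHA256
as a symmetric stand-in for a public-key exchange.  Both sides contribute
a fresh random nonce, so a recorded dialog verifies for neither party.
"""
import hashlib
import hmac
import os

def mac(key, role, card_id, nonce_a, nonce_b):
    """Bind the prover's role, the card identity and both nonces."""
    return hmac.new(key, role + card_id + nonce_a + nonce_b,
                    hashlib.sha256).digest()

class Card:
    def __init__(self, card_id, key):
        self.card_id, self.key, self.nonce = card_id, key, None
    def hello(self):
        self.nonce = os.urandom(16)            # fresh per activation
        return self.card_id, self.nonce
    def respond(self, reader_nonce, reader_proof):
        # Check the reader is legitimate before answering at all.
        want = mac(self.key, b"reader", self.card_id, self.nonce, reader_nonce)
        if not hmac.compare_digest(want, reader_proof):
            return None
        return mac(self.key, b"card", self.card_id, reader_nonce, self.nonce)

class Reader:
    def __init__(self, keys):
        self.keys, self.nonce = keys, None     # card_id -> shared key
    def challenge(self, card_id, card_nonce):
        self.nonce = os.urandom(16)            # fresh per session
        proof = mac(self.keys[card_id], b"reader", card_id, card_nonce, self.nonce)
        return self.nonce, proof
    def verify(self, card_id, card_nonce, card_proof):
        want = mac(self.keys[card_id], b"card", card_id, self.nonce, card_nonce)
        return card_proof is not None and hmac.compare_digest(want, card_proof)

def run_session(card, reader):
    """Live exchange; returns (accepted, transcript as seen over the air)."""
    cid, cn = card.hello()
    rn, rproof = reader.challenge(cid, cn)
    cproof = card.respond(rn, rproof)
    return reader.verify(cid, cn, cproof), (cid, cn, rn, rproof, cproof)

def replay_to_reader(transcript, reader):
    """Recorded card messages presented to a fresh reader session."""
    cid, cn, _rn, _rproof, cproof = transcript
    reader.challenge(cid, cn)                  # reader picks a new nonce
    return reader.verify(cid, cn, cproof)

def replay_to_card(transcript, card):
    """Recorded reader proof presented to a freshly activated card."""
    _cid, _cn, rn, rproof, _cproof = transcript
    card.hello()                               # card picks a new nonce
    return card.respond(rn, rproof) is not None
```

The processing budget the post worries about is one HMAC per side per session; what this does not address is a live relay of a genuine card's answers, which needs distance bounding or similar rather than freshness alone.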


Re: so-called multi-gigabuck theft of information (RISKS-8.23 ff.)

Mark Brader <msb@sq.sq.com>
Fri, 17 Mar 89 16:43:13 EST
> From msb Fri Feb 24 06:40:01 1989
> To: utzoo!attcan!uunet!csl.sri.com!risks
> Subject: Re: so-called multi-gigabuck theft of information
> Bcc: hcr!mike

There appeared in Risks 8.23 my summary of a newspaper item I'd noticed
about what was said to be a "theft" of highly valuable computer data.
A followup newspaper article, which I summarized in Risks 8.28, provided
a good deal more information and placed a much lower value on the data,
but while it identified the victim (HCR Corp., of Toronto), it did not
identify the "stolen" data.

So I was surprised to see Jeff Makey assert in 8.26, which I read after
submitting my second item, that what was taken was a copy of the UNIX source.
I emailed him and he replied in part:

> I heard it *somewhere* during the last few months (it seems like
> it was before Christmas, which is why I said it wasn't news).

Since the HCR case was much more recent, Jeff had to be talking about
a different one.  In fact, with that hint I remember the one he had in
mind; the confusing thing is that it happened to also have occurred in
the same geographical area.  (Toronto: Canadian computer crime capital?)

The earlier case hasn't been mentioned in Risks before. [???]  What happened,
as I recall, was that someone bought a used computer at auction, found a copy
of the UNIX source on its disks, and claimed all rights (!) to use the source,
thus making the newspapers.  AT&T of course disagreed, and I believe the case
dropped out of the news before it was resolved.

Someone I was chatting about this with conjectured that the $4 billion
(Canadian) valuation that appeared in the first newspaper article might
have resulted from a reporter also confusing the two cases and assuming
that because HCR has UNIX source then that must be the valuable thing in
question, and then taking the highest possible valuation.  Such a speculation
would also explain why the second article suddenly started talking about
AT&T, which had not been mentioned in connection with the case.  Simple
press speculation/sensationalism.

Of course, there's more than one way to value copyable things like computer
programs or data.  It's correct to say that the UNIX source is worth
kilobucks because you can buy a copy for your own use for that much.  It's also
correct to say that it's worth gigabucks, if that's how much money AT&T
earns from it over the lifespan of the system.  In addition, one must
distinguish between theft and illegal copying.  The former, I think, would
be better defined as involving loss to the owner of one or more copies of the
original.  (Of course, the newspapers prefer to use the more dramatic word.)
Anyway, if ALL copies were stolen in this sense, then the value of the
loss to the owner suddenly becomes much greater.

Also since submitting to Risks the second newspaper article, I have spoken
to Mike Tilson, president of HCR, who was quoted in it.  He confirmed
that the first article was "wildly inaccurate" and the second one was
substantially, though not entirely, correct.  (He noted that Risks readers
ought to be aware of the risks of believing what they read in the paper...)
He also confirmed that HCR was not saying what was taken, only that they had
regained complete control of it.

So I think that wraps up this case as far as Risks is concerned.

Mark Brader   utzoo!sq!msb   msb@sq.com 


Re: NASA to replace top-level personnel with Expert Systems

Robert English <renglish%hpda@hp-sde.sde.hp.com>
Mon, 20 Mar 89 11:19:06 pst
An AI friend of mine told me recently that most expert systems have a
relatively short useful lifespan.  It seems that if you assign a human
to operate the system, the human will soon stop using the ES, and do a
better, faster job without it.  The ES makes an excellent training
system, however, and creating it does a good job of recording what the
job entails, information which is often lost when people change jobs.

--bob--                     renglish%hpda@sde.hp.com


Meter Readers an Endangered Species?

<black%par1@cs.umass.edu>
Mon, 20 Mar 89 16:26:03 est
The following appeared in the March 13 Wall Street Journal:

Human Meter Readers Step Toward Extinction

Meter readers' jobs are being threatened by technology.

Boston Gas Co. recently became the first utility in the country to commit
itself to installing a radio-based automated meter-reading system for all its
customers.  It plans to install the AccuRead system, made by Enscan Inc. of
Minneapolis, in some 400,000 homes at a cost of over $20 million.  The system
will eliminate most of the utility's 100 meter readers who make an average of
$28,000 a year.

The AccuRead system ... uses a cigarette-pack-sized radio receiver and
transmitter that is attached to the gas meter.  The device counts the number of
times the dials spin.  Once a month, a computer-equipped van cruises the
streets nearby and sends out a "wake-up" signal to the reader device, which
then transmits the gas consumption.  The devices have 10-year batteries and a
32-year mean time between failures, Enscan says.

Boston Gas says the remote readings have a number of pluses.  Homeowners don't
have to be in for readings; unlike humans, THE DEVICES DON'T MAKE MISTAKES, and
the information can be sent automatically from the van to the billing computer
without retyping.

Moreover, says a spokesman: "It will eliminate estimated bills which
are the biggest complaint we have...."

....no doubt the devices are as reliable as the average garage door opener. 

David K. Black Umass Amherst


Security of Electronic Mail

Karl Lehenbauer <karl@sugar.hackercorp.com>
19 Mar 89 18:08:29 GMT
While "everybody knows" or should know that electronic mail is not secure in
that its contents can be read en route, the reason people generally trust 
their email as being authentic is because it usually is; that is, there has 
been very little email forgery hence it hasn't been much of a problem, thus
people tend to regard their email as being genuine.  When it starts to become 
a problem, people will stop trusting it, at least when it's important.

It seems that faking comments on a grant proposal would be prosecutable as
fraud.

As for security from interception, a DES encryption program that is free of 
U.S. export controls (as it was written and distributed from outside the
country) was recently posted to one of the Usenet source groups.  By using
this and something like uuencode (a common program on Usenet that reversibly 
maps unprintable characters to printable ones) on one's text, one can keep 
their mail private from the prying eyes of most individuals.

The security of one's electronic mail from decryption by the National
Security Agency is a different matter, and one that I hope is merely
academic to most RISKS readers.  As to whether or not they can relatively
easily decrypt DES-encoded material, let me say that I would not expect
such a group to widely promote an encryption scheme that they were incapable
of breaking and that, from a national security standpoint, doing so would
not be such a good idea.

Within the Internet, it is my understanding that the steering committee has
endorsed the RSA encryption scheme for email.  This addresses both the
privacy and forgery issues.  I think we will see further movement toward 
routine encryption of email, and it is high time that we do so.

Cellular phone data encryption is a relatively simple matter as well.  I don't
think we'll see any movement in that area until the users demand it, and the
government isn't likely to push heavily for it, a few strong proponents of
personal privacy in the legislature notwithstanding.


Star Trek computer virus

<microsoft!w-colinp@uunet.UU.NET>
Sun Mar 19 22:05:13 1989
This (including threats to take over the ship) has already happened on
Star Trek: The Next Generation.  Data was playing Sherlock Holmes in a
computer-generated simulacrum, but since he had memorised all existing
Holmes plots, the computer was asked to come up with a new one, involving
an enemy "capable of defeating Data."  Because Data, unlike Holmes, lives
in the "real" world, this one-word slip produced an opponent also capable
of affecting the "real" world, which attempted to take over the ship.

It was portrayed more as a question of sentience (the conclusion was that
the created personality was stored until technically feasible to give it
corporeal existence), but we had a computer program, in this case
inadvertently created (grave RISK indeed!), attempting to control the ship.

I suspect that treating the problem directly, the writers will massacre
the issues.  But I may just be overly pessimistic.

    -Colin (uunet!microsoft!w-colinp)
