Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 9: Issue 39
Tuesday 7 November 1989
Contents
Computer used to find scoflaws in Boston- Barry C. Nelson
- Air Traffic in Leesburg VA
- PGN
- Equinox TV Documentary on "Fly By Wire"
- Brian Randell
- Lifethreatening risk! (related to Soviet PCs)
- Julian Thomas
- New computer risk: child abuse data base proposed (W. K.
- Bill) Gorman
- Dangers of mail aliases
- Jonathan Leech
- Committee report on Bugs
- Bob Morris
- Computer Viruses Attack China
- Yoshio Oyanagi
- First Virus Attack on Macs in Japan
- Yoshio Oyanagi
- NTT Challenges Hackers
- Mark H. W.
- Even COBOL programmers need to know about range checking.
- Bryce Nesbitt
- Unix Expo Power Failure
- Jan I Wolitzky
- Info on RISKS (comp.risks)
Computer used to find scoflaws in Boston
"Barry C. Nelson" <bnelson@ccb.bbn.com>
Sun, 5 Nov 89 13:14:43 EST
A news article in the Boston Globe [last Sunday 29 October, with photo] describes a new computer system, named Argus (after a mythical multi-eyed and vigilant beast), which is being used to catch local drivers with stolen license plates. The innovation is that a sensor is used to observe license plates and a program turns the image into numbers (so they claim). A database is then searched and a match signalled to the operator. The system is set up at a toll booth at the harbor tunnel and the suspect is somehow pulled over by the State Police at the other end as the car emerges. The article goes on to quote the operators as saying they have proven the system "works" by matching on six offenders in one day. Unfortunately, five of the six were errors caused by Registry backlog or other policy inconsistencies such as re-using old numbers for new car owners. The sixth case was bona fide. Their current experiment uses one camera and a floppy database of some 40,000 registrations. They say they are looking forward to installing the list of 200,000 suspended licenses or registrations and increasing the number of cameras to enable them to watch all eight lanes. When five out of six hits are human errors, imagine the complaints! It can be very humiliating to be hauled out of your car and treated like a felon. This could turn out to be embarrassing for the overworked database managers. At least we can look forward to less tunnel traffic someday as Argus evaders find alternate routes. BCNelson "Opinions contained herein are my own, etc..."
Air Traffic in Leesburg VA
Peter G. Neumann <neumann@csl.sri.com>
Tue, 7 Nov 1989 12:17:57 PST
Friday evening's air traffic around Washington DC was awful. As most of you now know, both the primary computer system AND the backup were seriously degraded for at least two hours during the evening rush hour, stacking up and backing up air traffic extensively. (I was in DC that day. I'm at MIT today, Home tonight, hopefully.) The scuttlebutt seems to blame a buffer overflow, but I hope someone can contribute the real inside story.
Equinox TV Documentary on "Fly By Wire"
Brian Randell <Brian.Randell@newcastle.ac.uk>
Mon, 6 Nov 89 10:28:39 BST
Last night the one-hour TV documentary in the Equinox series, entitled "Fly By Wire" was shown on Channel 4 in the UK. Since it was identified as "A Box Production for Channel 4, in association with WGBH/Boston, copyright 1989", I assume it will soon be shown in the States; I recommend looking out for it. In my opinion it provided a reasonably complete and well-balanced (and also visually very attractive) account of the various incidents and opinions surrounding the A320, using a lot of well-chosen film clips, together with interviews with, or at least "sound-bites" from, about twenty different people. >From Airbus Industrie there was Bernard Ziegler (VP Engineering), Roger Betaille, and Gordon Corps (Engineering Test Pilot) and, from Aerospatiale, Gilles Pichon (Chief Engineer A320) and Jacques Troy (Flight Control Manager). Four A320 pilots took part, including Michel Asseline, who alleged that his crash was due to the control-system over-riding his command to the plane to ascend. (The others were somewhat critical of the flight control system, but did not back up this allegation.) The computing science community was represented by Mike Hennell, Bev Littlewood, John Knight, and John Cullyer. There were also representatives from Boeing, the FAA, CAA and DGAC, and Flight International. The overall impression given was (i) that Airbus had been rather daring in introducing fly-by-wire, but had probably got away with it, and (ii) that their rivals would now follow suit, but that the next logical step, that of active control, was even more controversial and should not be rushed. Brian Randell, Computing Laboratory, University of Newcastle upon Tyne, UK
Lifethreatening risk! (related to Soviet PCs)
Julian Thomas <72355.20@CompuServe.COM>
03 Nov 89 21:14:32 EST
Seen on another news digest service (not in the original):
>From the Financial Times and the Daily Telegraph (UK) - articles about the
Soviet Union studying a proposal to import lots of PC equipment for educational
use. "The soaring demand for scarce PCs has swollen the Soviet crime rate, and
PC owners have even been murdered for their machines."
Lock up your machines, gang, and compute only in the dark!
Julian Thomas
new computer risk: child abuse data base proposed
"W. K. (Bill) Gorman" <34AEJ7D@CMUVM.BITNET>
Wed, 01 Nov 89 08:32:26 EST
According to a news release heard a day or two ago, MI is now considering
legislation permitting local communities to establish and maintain data bases
of "suspected" child abusers, or those meeting another of the nebulous
"profiles" used to identify all sorts of persons and ethnic groups in our
society. Aside from permitting hearsay from neighbors, teachers, co-workers,
associates and assorted third parties to be entered and disseminated about any
particular individual or family, the framers of this legislation are also
attempting to gain back-door access to medical records. One profile criteria
disclosed for "identifying" child abusers is use of multiple doctors/hospitals
by the same family. Physicians are threatened with legal sanctions for not
reporting the simple fact that one or another patient HAS SEEN ANOTHER
PHYSICIAN without their knowledge/blessing. I don't think that implies any sort
of involvement by Physicians or the AMA in this legislation.
Obviously, the privacy considerations and potential for misuse and/or
malicious use, such as slanderous reports by neighbors against an unpopular
neighborhood resident, inherent in this legislation are enormous.
Dangers of mail aliases
Jonathan Leech <leech@cs.unc.edu>
Wed, 1 Nov 89 18:43:52 EST
Yesterday, I was surprised to find over a dozen messages from the internal
technical mailing list of a company I worked for in 1982 in my inbox. As it
turned out, the reason was that the mail alias a friend at this company used
for me was duplicated in the systemwide alias file for a new employee.
Fortuitously, nothing which was a sensitive matter (save for their code
indenting style :-) happened to be discussed in the block of messages I
received.
Jon Leech (leech@cs.unc.edu)
Committee report on Bugs
<RMorris@DOCKMASTER.NCSC.MIL>
Fri, 3 Nov 89 10:05 EST
The congressional committee on Science, space, and technology issued this weed a staff study entitled "Bugs in the Program: Problems in Federal Government Computer Software Development and Regulation". It is worth reading for those interested in risks. It is 33 pages long and I am not about to type any part of it in. It is available from the Sup of Documents, Congressional Sales Office, U.S.G.P.O, Wash., D.C. 20402. It does not have a reference number.
Computer Viruses Attack China
Yoshio Oyanagi <oyanagi@is.tsukuba.ac.jp>
Mon, 6 Nov 89 12:15:25+0900
Ministry of Public Safety of People's Republic of China found this
summer that one tenth of the computers in China had been contaminated by
three types of computer virus: "Small Ball", "Marijuana" and "Shell", China
Daily reported. The most serious damage was found in the National
Statistical System, in which "Small Ball" spread in 21 provinces.
In Wuhan University, viruses were found in *ALL* personal computers.
In China, three hundred thousand computers (including PC's) are in
operation. Due to premature law system the reproduction of software is not
regulated, so that computer viruses can easily be propagated. Ministry of
Public Safety now provides "vaccines" against them. Fortunately, those viruses
did not give fatal damage to data.
Yoshio Oyanagi, University of Tsukuba, JAPAN
First Virus Attack on Macs in Japan
Yoshio Oyanagi <oyanagi@is.tsukuba.ac.jp>
Tue, 7 Nov 89 17:07:09+0900
First Virus Attack on Macs in Japan
Six Macs in University of Tokyo, Japan, were found to have caught
viruses, newspapers and radio reported. Since this September, Prof. K. Tamaki,
Ocean Research Institute, University of Tokyo, has noticed malfunctions on the
screen. In October, he applied vaccines "Interferon" and "Virus Clinic" to
find his four Mac's were contaminated by computer viruses, "N Virus" type A and
type B. He then found ten softwares were also infected by viruses. A Mac of
J. Kasahara, Earthquake Research Institute, University of Tokyo, was also found
to be contaminated by N Virus and Score Virus. Those are the first reports of
real viruses in Japan.
Later it was reported that four Mac's in Geological Survey of Japan, in
Tsukuba, were infected by N Virus Type A. This virus was sent from U. S.
together with an editor.
Yoshio Oyanagi, University of Tsukuba
NTT Challenges Hackers
<markw@gvl.unisys.com>
1 Nov 89 21:55:26 GMT
[A copy of the following article appeared on one of our bulletin boards here at work. I have no idea when or where it was originally published - MHW] NTT: Calling All Hackers Tokyo - Nippon Telegraph and Telephone Corp. has issued a provocative challenge: the Japanese communications giant will give 1 million yen ($6803) to any computer hacker anywhere in the world who can break its FEAL-8 data communications security code by August 1991. Why the unusual move? The company wants to debunk a rumor circulationg in Europe that its security code has been cracked. The FEAL-8 code, developed by NTT in 1986, is widely used in Japan and overseas to protect datacom systems and integrated circuit cards from illegal access.
Even COBOL programmers need to know about range checking.
Bryce Nesbitt <bryce@cbmvax.commodore.com>
Fri, 3 Nov 89 17:40:53 EST
Last week I received this letter from my bank:
GREAT NEWS FOR THE HOLIDAYS!
Dear Bryce C. Nesbitt:
You are important to us. And, because of the excellent way you've
handled your finances, we are pleased to increase the credit limit on your
Meridian Open Line of Credit to $0. Now you have more buying power when you
need it most - in time for the holidays.
...
Thanks a lot. Before the promotion my credit limit was $5,000.00. The rest
of the letter talked about the free Mini-Vac that could be mine if I'd just
borrow $1,000 (funny, there was no mention of the over-limit penalty :-).
The bank had little to say about the event. I assume the calculation was
based on a number of factors, including the "high credit" on the account.
Since I have never drawn on this account, high credit would be zero.
Unix Expo Power Failure
Jan I Wolitzky <wolit@mhuxd.att.com>
Fri, 3 Nov 89 15:17:10 EST
I was strolling through the Unix Expo show at the Javits Center in NY this
morning, shortly after it opened for its third and final day, when all the
power went out. My first reaction was that, boy, now we're gonna get to see
whose systems really ARE uninterruptable. My second reaction was that there
must be a VMS hack around somewhere. My third reaction, after it became clear
that the lights weren't coming back on right away, was to move toward the
daylight at the front of the convention center, with disturbing thoughts of
panicked crowds, the San Francisco earthquake, and other paranoia in mind. As
I approached the front of the hall, the big steel roll-up overhead doors
started coming down. Quite a few people, apparently believing that their only
exit was disappearing, rushed forward and ducked under the closing doors. It
turned out that there were lots of other, conventional exit doors still
available, but it still seemed to me a poor choice of failure mode: when the
power fails (who knows, maybe because of a fire or other condition
necessitating evacuation), close off the biggest and most obvious escape route.
There was no panic this time, but after more than an hour, there was no power,
either, so I gave up on the show. On the bus back, I was reading the issue of
Unix Today that was being handed out at the show. A non-cover story described
some of the problems experienced by the people who tried to set up an operating
network (Ethernet?) at the show: apparently, some vendors were using unassigned
net addresses, so that they could access other systems, but their competitors
couldn't access theirs. And then there was the problem they had in actually
laying the cable: normally a 4-hour job, it turned out that in NYC, it had to
be performed by members of the Electrical Workers Union, who took 36 hours to
do it. I found the juxtaposition of the appearance of a story blasting the
Electrical Workers Union and the power failure to be curious....
Oh yes, almost forgot, Unix is a registered trademark of AT&T.
Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998
att!mhuxd!wolit or jan.wolitzky@att.com
(Affiliation given for identification purposes only)
Report problems with the web pages to the maintainer