The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 9 Issue 39

Tuesday 7 November 1989

Contents

o Computer used to find scoflaws in Boston
Barry C. Nelson
o Air Traffic in Leesburg VA
PGN
o Equinox TV Documentary on "Fly By Wire"
Brian Randell
o Lifethreatening risk! (related to Soviet PCs)
Julian Thomas
o New computer risk: child abuse data base proposed (W. K.
Bill) Gorman
o Dangers of mail aliases
Jonathan Leech
o Committee report on Bugs
Bob Morris
o Computer Viruses Attack China
Yoshio Oyanagi
o First Virus Attack on Macs in Japan
Yoshio Oyanagi
o NTT Challenges Hackers
Mark H. W.
o Even COBOL programmers need to know about range checking.
Bryce Nesbitt
o Unix Expo Power Failure
Jan I Wolitzky
o Info on RISKS (comp.risks)

Computer used to find scoflaws in Boston

"Barry C. Nelson" <bnelson@ccb.bbn.com>
Sun, 5 Nov 89 13:14:43 EST
A news article in the Boston Globe [last Sunday 29 October, with photo]
describes a new computer system, named Argus (after a mythical multi-eyed and
vigilant beast), which is being used to catch local drivers with stolen license
plates.  The innovation is that a sensor is used to observe license plates and
a program turns the image into numbers (so they claim).  A database is then
searched and a match signalled to the operator.  The system is set up at a toll
booth at the harbor tunnel and the suspect is somehow pulled over by the State
Police at the other end as the car emerges.

The article goes on to quote the operators as saying they have proven the
system "works" by matching on six offenders in one day.  Unfortunately, five of
the six were errors caused by Registry backlog or other policy inconsistencies
such as re-using old numbers for new car owners.  The sixth case was bona fide.

Their current experiment uses one camera and a floppy database of some 40,000
registrations. They say they are looking forward to installing the list of
200,000 suspended licenses or registrations and increasing the number of
cameras to enable them to watch all eight lanes.

When five out of six hits are human errors, imagine the complaints! It can be
very humiliating to be hauled out of your car and treated like a felon.  This
could turn out to be embarrassing for the overworked database managers.

At least we can look forward to less tunnel traffic someday as Argus evaders
find alternate routes.

BCNelson                         "Opinions contained herein are my own, etc..."


Air Traffic in Leesburg VA

Peter G. Neumann <neumann@csl.sri.com>
Tue, 7 Nov 1989 12:17:57 PST
Friday evening's air traffic around Washington DC was awful.  As most of you
now know, both the primary computer system AND the backup were seriously
degraded for at least two hours during the evening rush hour, stacking up and
backing up air traffic extensively.  (I was in DC that day.  I'm at MIT today,
Home tonight, hopefully.) The scuttlebutt seems to blame a buffer overflow, but
I hope someone can contribute the real inside story.


Equinox TV Documentary on "Fly By Wire"

Brian Randell <Brian.Randell@newcastle.ac.uk>
Mon, 6 Nov 89 10:28:39 BST
Last night the one-hour TV documentary in the Equinox series, entitled "Fly By
Wire" was shown on Channel 4 in the UK. Since it was identified as "A Box
Production for Channel 4, in association with WGBH/Boston, copyright 1989", I
assume it will soon be shown in the States; I recommend looking out for it.

In my opinion it provided a reasonably complete and well-balanced (and also
visually very attractive) account of the various incidents and opinions
surrounding the A320, using a lot of well-chosen film clips, together with
interviews with, or at least "sound-bites" from, about twenty different people.

>From Airbus Industrie there was Bernard Ziegler (VP Engineering), Roger
Betaille, and Gordon Corps (Engineering Test Pilot) and, from Aerospatiale,
Gilles Pichon (Chief Engineer A320) and Jacques Troy (Flight Control Manager).
Four A320 pilots took part, including Michel Asseline, who alleged that his
crash was due to the control-system over-riding his command to the plane to
ascend. (The others were somewhat critical of the flight control system, but
did not back up this allegation.)

The computing science community was represented by Mike Hennell, Bev
Littlewood, John Knight, and John Cullyer. There were also representatives from
Boeing, the FAA, CAA and DGAC, and Flight International.

The overall impression given was (i) that Airbus had been rather daring in
introducing fly-by-wire, but had probably got away with it, and (ii) that their
rivals would now follow suit, but that the next logical step, that of active
control, was even more controversial and should not be rushed.

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne, UK


Lifethreatening risk! (related to Soviet PCs)

Julian Thomas <72355.20@CompuServe.COM>
03 Nov 89 21:14:32 EST
Seen on another news digest service (not in the original):

>From the Financial Times and the Daily Telegraph (UK) - articles about the
Soviet Union studying a proposal to import lots of PC equipment for educational
use.  "The soaring demand for scarce PCs has swollen the Soviet crime rate, and
PC owners have even been murdered for their machines."

Lock up your machines, gang, and compute only in the dark!
                                                              Julian Thomas


new computer risk: child abuse data base proposed

"W. K. (Bill) Gorman" <34AEJ7D@CMUVM.BITNET>
Wed, 01 Nov 89 08:32:26 EST
     According to a news release heard a day or two ago, MI is now considering
legislation permitting local communities to establish and maintain data bases
of "suspected" child abusers, or those meeting another of the nebulous
"profiles" used to identify all sorts of persons and ethnic groups in our
society. Aside from permitting hearsay from neighbors, teachers, co-workers,
associates and assorted third parties to be entered and disseminated about any
particular individual or family, the framers of this legislation are also
attempting to gain back-door access to medical records. One profile criteria
disclosed for "identifying" child abusers is use of multiple doctors/hospitals
by the same family.  Physicians are threatened with legal sanctions for not
reporting the simple fact that one or another patient HAS SEEN ANOTHER
PHYSICIAN without their knowledge/blessing. I don't think that implies any sort
of involvement by Physicians or the AMA in this legislation.

Obviously, the privacy considerations and potential for misuse and/or
malicious use, such as slanderous reports by neighbors against an unpopular
neighborhood resident, inherent in this legislation are enormous.


Dangers of mail aliases

Jonathan Leech <leech@cs.unc.edu>
Wed, 1 Nov 89 18:43:52 EST
    Yesterday, I was surprised to find over a dozen messages from the internal
technical mailing list of a company I worked for in 1982 in my inbox.  As it
turned out, the reason was that the mail alias a friend at this company used
for me was duplicated in the systemwide alias file for a new employee.
Fortuitously, nothing which was a sensitive matter (save for their code
indenting style :-) happened to be discussed in the block of messages I
received.

    Jon Leech (leech@cs.unc.edu)



Committee report on Bugs

<RMorris@DOCKMASTER.NCSC.MIL>
Fri, 3 Nov 89 10:05 EST
The congressional committee on Science, space, and technology issued
this weed a staff study entitled "Bugs in the Program:  Problems in
Federal Government Computer Software Development and Regulation".  It is
worth reading for those interested in risks.  It is 33 pages long and I
am not about to type any part of it in.  It is available from the Sup of
Documents, Congressional Sales Office, U.S.G.P.O, Wash., D.C.  20402.
It does not have a reference number.


Computer Viruses Attack China

Yoshio Oyanagi <oyanagi@is.tsukuba.ac.jp>
Mon, 6 Nov 89 12:15:25+0900
     Ministry of Public Safety of People's Republic of China found this
summer that one tenth of the computers in China had been contaminated by
three types of computer virus:  "Small Ball", "Marijuana" and "Shell", China
Daily reported.  The most serious damage was found in the National
Statistical System, in which "Small Ball" spread in 21 provinces.
In Wuhan University, viruses were found in *ALL* personal computers.
     In China, three hundred thousand computers (including PC's) are in
operation.  Due to premature law system the reproduction of software is not
regulated, so that computer viruses can easily be propagated.  Ministry of
Public Safety now provides "vaccines" against them.  Fortunately, those viruses
did not give fatal damage to data.
                                   Yoshio Oyanagi, University of Tsukuba, JAPAN


First Virus Attack on Macs in Japan

Yoshio Oyanagi <oyanagi@is.tsukuba.ac.jp>
Tue, 7 Nov 89 17:07:09+0900
First Virus Attack on Macs in Japan

     Six Macs in University of Tokyo, Japan, were found to have caught
viruses, newspapers and radio reported.  Since this September, Prof. K. Tamaki,
Ocean Research Institute, University of Tokyo, has noticed malfunctions on the
screen.  In October, he applied vaccines "Interferon" and "Virus Clinic" to
find his four Mac's were contaminated by computer viruses, "N Virus" type A and
type B.  He then found ten softwares were also infected by viruses.  A Mac of
J. Kasahara, Earthquake Research Institute, University of Tokyo, was also found
to be contaminated by N Virus and Score Virus.  Those are the first reports of
real viruses in Japan.

     Later it was reported that four Mac's in Geological Survey of Japan, in
Tsukuba, were infected by N Virus Type A.  This virus was sent from U. S.
together with an editor.
                                        Yoshio Oyanagi, University of Tsukuba


NTT Challenges Hackers

<markw@gvl.unisys.com>
1 Nov 89 21:55:26 GMT
[A copy of the following article appeared on one of our bulletin boards here
 at work. I have no idea when or where it was originally published - MHW]

NTT: Calling All Hackers

Tokyo - Nippon Telegraph and Telephone Corp. has issued a provocative
challenge: the Japanese communications giant will give 1 million yen
($6803) to any computer hacker anywhere in the world who can break its
FEAL-8 data communications security code by August 1991. Why the unusual
move? The company wants to debunk a rumor circulationg in Europe that
its security code has been cracked. The FEAL-8 code, developed by NTT in
1986, is widely used in Japan and overseas to protect datacom systems and
integrated circuit cards from illegal access.



Even COBOL programmers need to know about range checking.

Bryce Nesbitt <bryce@cbmvax.commodore.com>
Fri, 3 Nov 89 17:40:53 EST
Last week I received this letter from my bank:

    GREAT NEWS FOR THE HOLIDAYS!

    Dear Bryce C. Nesbitt:

           You are important to us.  And, because of the excellent way you've
   handled your finances, we are pleased to increase the credit limit on your
   Meridian Open Line of Credit to $0.  Now you have more buying power when you
   need it most - in time for the holidays.
                ...

Thanks a lot.  Before the promotion my credit limit was $5,000.00.  The rest
of the letter talked about the free Mini-Vac that could be mine if I'd just
borrow $1,000 (funny, there was no mention of the over-limit penalty :-).

The bank had little to say about the event.  I assume the calculation was
based on a number of factors, including the "high credit" on the account.
Since I have never drawn on this account, high credit would be zero.


Unix Expo Power Failure

Jan I Wolitzky <wolit@mhuxd.att.com>
Fri, 3 Nov 89 15:17:10 EST
I was strolling through the Unix Expo show at the Javits Center in NY this
morning, shortly after it opened for its third and final day, when all the
power went out.  My first reaction was that, boy, now we're gonna get to see
whose systems really ARE uninterruptable.  My second reaction was that there
must be a VMS hack around somewhere.  My third reaction, after it became clear
that the lights weren't coming back on right away, was to move toward the
daylight at the front of the convention center, with disturbing thoughts of
panicked crowds, the San Francisco earthquake, and other paranoia in mind.  As
I approached the front of the hall, the big steel roll-up overhead doors
started coming down.  Quite a few people, apparently believing that their only
exit was disappearing, rushed forward and ducked under the closing doors.  It
turned out that there were lots of other, conventional exit doors still
available, but it still seemed to me a poor choice of failure mode: when the
power fails (who knows, maybe because of a fire or other condition
necessitating evacuation), close off the biggest and most obvious escape route.
There was no panic this time, but after more than an hour, there was no power,
either, so I gave up on the show.  On the bus back, I was reading the issue of
Unix Today that was being handed out at the show.  A non-cover story described
some of the problems experienced by the people who tried to set up an operating
network (Ethernet?) at the show: apparently, some vendors were using unassigned
net addresses, so that they could access other systems, but their competitors
couldn't access theirs. And then there was the problem they had in actually
laying the cable: normally a 4-hour job, it turned out that in NYC, it had to
be performed by members of the Electrical Workers Union, who took 36 hours to
do it.  I found the juxtaposition of the appearance of a story blasting the
Electrical Workers Union and the power failure to be curious....

Oh yes, almost forgot, Unix is a registered trademark of AT&T.

Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998
    att!mhuxd!wolit or jan.wolitzky@att.com
(Affiliation given for identification purposes only)

Please report problems with the web pages to the maintainer

Top