The following item was posted on the VMSHARE bulletin board. It describes the origin of the CHRISTMAS EXEC file, and makes valid points about the inability of computer systems to automatically recognize some types of ill-behaved programs quickly enough to prevent damage to a network. (VMSHARE is a closed bulletin board operated for the use of VM installations who are members of SHARE, the large IBM mainframe user group. Shadow copies of the VMSHARE traffic are distributed to many other nets, including VNET and BITNET.) Joe Morris (jcmorris@mitre) Append on 12/19/87 at 20:10 by Melinda Varian <BITNET: MAINT@PUCC>: The following statement, from a member of the EARN Board, answers the queries about the origin of the CHRISTMA EXEC. Clausthal-Zellerfeld is quite a new VM installation. When Heinz Haunhorst, of their staff, was notified that the first appearances of the virus on the networks originated at his node, he pursued the matter vigorously and skillfully. Helmut Woehlbier, of the Technical University of Braunschweig, also did an excellent job in helping to determine the originating node. <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> Date: Wed, 16 Dec 87 18:33:58 GMT Sender: EARN Technical Group <EARNTECH@EB0UB011> From: Michael Hebgen <$02@DHDURZ1> Comments: To: EARN Executive <EARNEXEC@IRLEARN>, EARN Board of Directors <EARN-BOD@IRLEARN> Comments: cc: German EARN Executive <DEARNEX@DHDURZ1>, German EARN node administrators <DEARNADM@DEARN>, Heinz Haunhorst <HENRY@DCZTU1>, "Dr. Gerald Lange" <LANGE@DCZTU1>, Otto Bernd Kirchner <KIRCHNER@DS0IBM1> To: Melinda Varian <MAINT@PUCC> Subject: CHRISTMAS EXEC Dear colleagues, after some very sophisticated detective work it is clear that the origin of the CHRISTMAS EXEC is the EARN node DCZTU1. A student there has writ- ten this EXEC to send christmas greetings to his colleagues and another student has used it without knowing what he is doing (as many of our network users) and started the explosion. The node DCZTU1 has already blocked the Userid of the author and done all necessary steps. Every node in the network can be the next starting point of a similar explosion and distribute virus programms or other bad things. As far as I know the EDP-systems there is no way to prevent users from their own mistakes. The only solution I can think of for this type of behaviour is to observe "EDP-hygiene": If you receive an executable file (EXEC, CLIST, program) from another might be unknown user do N O T execute without control because it can result in gross missdemanour and serious damage. Check all EXECs/CLISTs, what they are doing, before you execute them and check all executable programs, where they come from and what they do. As in normal life uncontrolled behaviour may result in serious consequences (I am not going to mention AIDS). You as a user are responsable for all what you are doing. I propose to include such statements (in better english formulation) into the CODE OF CONDUCT and to start an "enlightenment" process for the end- users Best regards, m[e]rry christmas (without tree) and a happy new year Michael Hebgen EARN director of Germany and General secretary of EARN *** APPENDED 12/19/87 20:10:47 BY PU/MELINDA *** ADDED NOTE FROM JOE MORRIS: Did any contributor suggest how the message jumped from EARN (or BITNET) into VNET? Supposedly the gateways (one at Yorktown, I believe) are monitored closely so that the ability of a message to cross without supervision is quite limited. I'm told that a few years ago there was something of a major flap when a meeting of relatively high IBM brass was shown a message Melinda Varian (the BITNET source of the EARN message I forwarded) had sent to an IBM'er via VNET (WITH the permission of IBM...upper management in IBM just hadn't been aware of the arrangement). My guess would be that it came through an account on a customer machine but assigned to an IBM'er who could pass mail into the IBM network. Thought for the week: was this supposed to be a demonstration of a computerized Christmas distribution TREE? Second thought on the word "tree" (swiped from an undergraduate thesis at MIT from the 60's): Problems are posed by fools like me, but only heuristics can search a tree. Joe Morris
Re the discussion of receiving run-able mail files (sometimes viruses) via BITNET. A few years ago I received 2 pieces of mail, an XMAS EXEC written in EXEC2 and a compiled module of some sort. The module was hard to break into, so no one I knew then knew how to tell what it did without running it. Well, it was a very nice, benign bug: First, it imitated all the usual system messages one gets when logging off, up to the full-screen VM370 logo. Then, slowly, the logo disintegrated into a night time scene of a cottage on a snowy hillside under some pine trees, smoke floating out of the chimney (the "smoke" was made up of phrases; "s..m..o..k..e" and "M..e..r..r..y...C..h..r..i..s..t..m..a..s", etc.), and snow flakes "*" falling from the sky. Elapsed time: about 5 minutes. Then it quit, abruptly leaving you sitting in front of a terminal in some dingy office or terminal room, just as you were before. The clue to this so-called Christmas card's origin was that the usual machine name in the lower right was replaced with, if I remember correctly, PSUVM. Has anyone on the net now got an old copy of that somewhere? I didn't keep mine.
Risks, recently, has been filled with reports of specific virus and how to kill them manually. Has there been any work on "anti-bodies" that attack specific viruses? It seems that contributors have enough knowledge about each virus to build such beasts. Such programs might push the state of the art, reduce the effect of viruses, and keep down the traffic on this list. -brewster [A certain amount can be done contextually, e.g., with specific file names. Paul Karger has suggested something similar for Trojan horses. See his paper in the 1987 IEEE Symposium on Security and Privacy. But such techniques are intrinsically incomplete. PGN]
The following news bulletin appeared on our mail machine this morning: "Recently a flash fire occurred at a Navy lab when an employee attempted to clean his computer screen using an alcohol based cleaner. An investigation revealed that the employee sprayed the cleaner directly at the unit while it was turned on. Static electricity which had built up on the screen then ignited the atomized cleaner. To prevent a similar occurrence here, all PC users are cautioned to turn off their screens before cleaning, and to dampen a cloth with the cleaner before wiping the screen rather than spraying it at the screen." Brian M. Clapper, Naval Air Development Center, Warminster, PA 18976
It seems to me that a large number of problems with product liability arise from a propensity to confuse two issues: _liability_ and _negligence_. If the use of a product carries with it a certain, irreducible risk of injury, then the manufacturer SHOULD be liable for the damages resulting. That liability SHOULD result in increased costs to the users of the product (or to the public in general, in the case of mass vaccines). After all, the damages are part of the cost of the product. Such a liability should be limited to actual damages, meaning such things as medical costs, loss of earning power, and _reasonable_ (capped) compensation for pain and suffering. In particular, _punitive_ damages should be reserved for cases of negligence. Part of the result is that this sort of liability ought to result in predictable costs to the manufacturer, so that it can include those costs in the final price. Finally, most such liability cases should be resolved in administrative courts with low legal costs and short delays. Cases of negligence arise when someone fails to take reasonable and prudent care; for example, the Ford Pinto sort of case. In such cases the present system is perfectly reasonable, with contingency fees and the like. I would not want to see lawyer's fees fixed for such cases, as I believe that would deny legal protection to the poor and would prevent pursuit of cases against the largest and wealthiest defendants. If, as is often asserted, manufacturers are wrongly found negligent because a jury wants to compensate some obviously suffering individual, then the compensation under the liability-no-negligence system should satisfy the jury's desires. Such a system requires specifying a number of special cases; for example, if a corporation buys an expert system, they presumably have access to someone who can explain the risks inherent in using that system. In such cases, sharp limits on non-negligent liability are reasonable. It would not be the author's fault if the company managed the entire pension fund with his financial system. In general, if we were to shift to such a split system of liability, it would take us quite a while and quite a bit of experience to develop the details. Finally, I would like to add that this idea is not original with me; I first saw it advocated in an editorial in Nature. Mark A. Fulk email@example.com P.S. This is not to say that government-imposed fines and the like are not also appropriate. They are simply insufficient, as the government frequently lacks the stomach to take on offenders. The tort system provides a channel for citizen-originated complaints to get a hearing in front of disinterested parties.
> Squirrels, mice, bugs, and Grace Hopper's moth (Mark Mandel) ... > >The word "bug", in the sense we use in the computer world, did NOT >originate with "Amazing" Grace Hopper's moth. ... According to the Oxford English Dictionary (Supplement I), the first recorded use of the term in print is a quote from Edison in the Pall Mall Gazette of 1889 - so it's probably coming up to its centenary now. Peter Mabey (phm@stl ...!mcvax!ukc!stl!phm +44-279-29531 x3596) Standard Technology Ltd., London Road, Harlow, Essex CM17 9NA, U.K.
Has an article about another fire resulting in melted cables, this time a fire at O'Hare that put United Airlines out of operation. And has a special section on computer security. No better than one would expect from Computerworld, but that's it.
You may be interested in a letter I received this morning from American Express; its text is as follows: [the letter is verbatim -- the poor grammar is theirs, not mine] Dear Mr Wales I regret to advise you that a problem has arisen concerning access to our Automated Teller Machine network. As you know a Personal Identification Number (PIN) is needed to use these machines. Due to an internal system error your unique PIN has been deleted. The effect of which, is to deny you access to cash or Travellers Cheque withdrawal. Would you please call London (01) [...] or Brighton [...] where our staff will immediately amend our records with the PIN of your choice. When telephoning, please be prepared to answer two or three questions about your personal details so that we can maintain the necessary security. I am very sorry for the inconvenience this must cause. Yours sincerely (signed by Xerox) N.Colwell Director Customer Services [I have deleted the telephone numbers above, for obvious reasons. PGN] First of all, because the numbers are not normal customer service numbers, I called the 24-hour Emergency number (the normal Customer Service number was busy, as usual), and made sure that the letter was not a scam. I was told, after some rummaging around by the operator, that both were legitimate Amex numbers. I then called the London one, and found that, according to the exchange, it didn't exist. I then called the Brighton one and, after being asked to hold for so long that the operator had to physically go and get her supervisor, sorted out my PIN with them. In the course of this, I asked what had happened: (I'm paraphrasing here -- it was an hour ago) Amex: "A slight computer problem; nothing to worry about." Me: "You mean you've had a security breach?" Amex: "No, no. Nothing like that. That's impossible. Our systems are completely confidential. Someone was just transferring some information onto one of our systems, to make it more efficient, you know, and some information got deleted in the process. We didn't even know until members started calling us up to ask why their cards were being rejected by dispensers." I didn't ask where their backups were -- they obviously didn't have any, or they wouldn't have been reduced to admitting their failure to their customers. Aside from Amex's dubious practice of actually asking customers to write down a PIN and post it to them (or, in this case, tell them over the phone), something which both astonishes and amuses my Bank Manager, what does this episode reveal about American Express's computer systems and procedures, often touted as being among the best in the banking business? [As a side note, I'm also not too convinced that the questions about personal details are good enough to convince them that I am who I say I am; I know that the information I gave wouldn't convince *me*. But that's an issue for another day.] Frank Wales, Development Engineer, [firstname.lastname@example.org<->mcvax!zen.co.uk!frank] Zengrange Ltd., Greenfield Rd., Leeds, ENGLAND, LS9 8DB. (+44) 532 489048 x220
[Last week the New York Times ran a series of articles analyzing the stock market crash. One was on the role of computers in the crash. It's too long to include the whole thing in Risks. These excerpts concentrate on the unplanned and unexpected and omit background information about program trading, etc. I highly recommend the entire article to anyone who is interested in the subject. It also is good holiday reading for any Star Wars fans who believe that computers can be programmed to direct a real-time battle successfully. HP] From The New York Times, Tuesday, December 15, 1987. Page 1. The Computer's Contribution to the Rise and Fall of Stocks by David E. Sanger In the span of a few hours, the stock market's October collapse drove home the fact that new technology has done far more to Wall Street than just accelerate the tempo of trading. Securities firms have always embraced innovations that promised to improve their profits. During this decade... brokerages spent millions of dollars on electronic networks... [and on] complex computerized trading techniques to exploit the flood of information. But in the process, the new generation of hardware and software fundamentally altered the way buying and selling decisions were made. And they subtly magnified the degree of risk that investors and traders routinely accepted. ... [B]ig investors, seeking an advantage measured in seconds, were often led to abandon independent judgement in favor of executing trading strategies programmed into their computers. On Monday, Oct. 19, Wall Street's legendary herd instincts, now embedded in digital code and amplified by hundreds of computers, helped turn a selloff into a panic.... "We are learning that when we compress the time in which things happen, they happen differently," said Robert A. Brusca, the chief economist at Nikko Securities.... [Discussion of how the technology fueled the willingness of big investors to trade for short-term profit instead of investing for long-term returns.] In other words, it helped turn [large, traditionally conservative institutions] from investors into traders. What's more, the computer's enormous appetite for price data helped divorce buy and sell decisions from developments in the business world, focusing them instead on numerical relationships among thousands of fluctuating stock prices.... Technology also gave a false sense of security to investors who deceived themselves into thinking that ballyhooed computer-based trading techniques would somehow protect them in a falling market.... The Allure of Technology [Discussion of how the stock exchanges have built huge computer centers to process enormous daily transaction volumes.] Starting six years ago, a new generation of personal computers and more powerful work stations began playing another, very different role... They were programmed to spot bargains, and to constantly compare the prices of stock index futures contracts... with the prices of the actual stocks.... Without question the new techniques made the markets more efficient... [assuring] that prices reflected pertinent information instantly, and they encouraged investors to trade simultaneously in more than one market, helping to minimize disparities in prices. But the programs also introduced enormous pressure to act and react instantly. "Overnight, the reaction time to market-influencing events dropped from months or days to minutes and seconds," said Allen Sinai, the chief economist of Sherson Lehman Brothers. "Unless you could evaluate all this data instantly, you were out of business." New Tricks for Investors [Description of various "program trading" strategies, including stock index arbitrage, which takes advantage of momentary differences between the prices of stocks and of the corresponding futures contracts (trades must be made instantly before the price difference disappears), and portfolio insurance, which is supposed to reduce the risk of a downturn by selling stock index futures.] [on portfolio insurance:] Advocates of the system were asserting before the collapse that it assured that losses would not exceed 5 percent of the value of the portfolio.... Promotions [of portfolio insurance] worked: By October, between $70 billion and $90 billion was invested in funds using some form of the insurance.... As a result, some [investors] abandoned ordinary prudent techniques, such as selling a portion of their holdings for cash when the market hit new highs, because they were confident the programs would work.... When Facts Became Myths The problems lay in the computerized models of how markets act: They rested on assumptions that proved false. One assumption, for example, was that the markets would be well behaved, meaning that stock prices and futures prices would closely track each other. Another was that whenever the computer commanded a buy or a sell, there would be buyers and sellers. On Oct. 19, neither condition applied. Stocks and futures prices were far out of whack. At times, no buyers could be found. Computers literally froze -- they were not programmed to cope with the unexpected. The role of stock index arbitrage is harder to assess.... ...traders say that it may have begun a wave of selling that was then exaggerated by portfolio insurance programs. In retrospect, the portfolio insurance programs may have helped create much of the turmoil that ultimately defeated them. "The problem was that everyone is working from roughly the same theories," said Peter U. Vinella, a partner at Berkeley Investment Technologies in Berkeley, Calif., which writes many complex trading programs. "They all get the same feedbacks. And that leads everyone to take the same action." A Fear of Defying the Computer Why do people become captive to computers? Programs, of course can easily be overruled by humans, who make the final decision about whether to proceed with a transaction. But amid chaos, when seconds could mean the difference between profit and ruin, traders are deeply reluctant to disregard the neat columns of computer-generated instructions. "People get lulled into thinking, `My program says this will work,'" said Robert H. Mundheim, the dean of the University of Pennsylvania law school.... "And you don't have time to think through the assumptions that went into the programs -- if you understood them in the first place." [Discussion of whether a fully automated trading system might have avoided some of the panic that set in when orders were backed up for hours, causing investors to sell even more.] Slowing of Market Studied Investigators have already discarded as unenforceable one option: stopping the use of computer programs that speed the pace of decision-making. More practical, experts say, would be actions that slow the market, giving participants a chance to absorb new data and adjust accordingly....
Please report problems with the web pages to the maintainer