7-Dec-85 14:04:49-PST,59048;000000000001
Mail-From: NEUMANN created at 7-Dec-85 13:58:41
Date: Sat 7 Dec 85 13:58:41-PST
From: RISKS FORUM (Peter G. Neumann, Coordinator)
Subject: RISKS-1.27
Sender: NEUMANN@SRI-CSL.ARPA
To: RISKS-LIST@SRI-CSL.ARPA

RISKS-LIST: RISKS-FORUM Digest Saturday, 7 Dec 1985 Volume 1 : Issue 27

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
Peter G. Neumann, moderator

Contents: SPECIAL ISSUE

Summary of Groundrules: The RISKS Forum is a moderated digest. To be distributed, submissions should be relevant to the topic, technically sound, objective, in good taste, and coherent. Others will be rejected. Diversity of viewpoints is welcome. Please try to avoid repetition of earlier discussions.
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA)
(FTP Vol 1 : Issue n from SRI-CSL:RISKS-1.n)

----------------------------------------------------------------------

Date: Fri, 6 Dec 85 11:49:54 PST
From: hplabs!amdahl!esf00@ucbvax.berkeley.edu (Elliott S. Frank)
To: hplabs!risks
Subject: Re: RISKS digests

I'm attaching a cross posting from one of our other internal BBS systems. You may have seen it before, and it may well be worth excerpting (or, even posting) to the net. [Elliott]

[Although there is some old stuff here, it is interesting to have it all in one place. Thus, I am sending this out intact. Besides, it would take me longer than I have to try to edit it. PGN]

===============================================================================
From nzm10 Thu Dec 5 15:26:10 1985
Relay-Version: version B 2.10.2 9/18/84; site amdahl.UUCP
Posting-Version: version B 2.10.2 9/18/84; site amdahl.UUCP
Path: amdahl!nzm10
From: nzm10@amdahl.UUCP (Neal Macklin)
Newsgroups: amdahl.general
Subject: worms and viruses (long)
Date: 5 Dec 85 23:26:10 GMT
Date-Received: 5 Dec 85 23:26:10 GMT
Distribution: amdahl
Organization: Amdahl Corp, Sunnyvale CA

This came off the VM conf system, and I thought it was interesting.
The first part is posted outside my office, so those of you that have read that should go to line 530 (approx). (I hate people who say "enjoy".....Neal)

------------------------------------------------------------------
* TOPIC: RUMOR - "RUMOR Interesting tidbits about the company"
--> Item 15 from AJP30 on 12/02/85 at 16:22:58

This is part one of a two part series written by Gary North about software worms and viruses. Gary North is an investment newsletter publisher and presents an interesting perspective of the problem from a non-technical point of view. Enjoy.

Andrew J. Piziali, x8584.

---------------------------------------------------------------------------
Gary North's Remnant Review Matt. 6:33-34
---------------------------------------------------------------------------
Vol. 12, No. 20 379 November 1, 1985

What you are about to read will shock you. It shocked me as I did the research on the project. It so completely shocked me that I am lifting the copyright on this issue and the one to follow. Reprint them in any form you choose.

Second, I am sufficiently scared about what I've uncovered that I am going to make this request. I will pay $1,000 to the first person who blows what I regard as significant holes in my thesis, and who consents to a 90-minute taped interview for FIRESTORM CHATS. If you can't do this, but you can put me in contact with anyone who can refute me or show an effective way out of the problems I raise, I WILL GIVE YOU A ONE YEAR RENEWAL TO REMNANT REVIEW FOR LOCATING THE FIRST SUCH PERSON FOR ME, AND I WILL PAY THE INDIVIDUAL $1,000 TO DO THE 90-MINUTE TAPED INTERVIEW WITH ME, plus provide supporting evidence. And let me say, it will be the happiest check-writing session of my life. I DESPERATELY WANT TO BE PROVED WRONG. Mail me your (his) outline.

I am going public with this story because it is unlikely that any conventional news source will touch it, unless pressure is brought to bear.
The reason is this: the problems are too horrendous even to be discussed by appropriate officials, unless they have specific answers. But they don't. What I present here cannot be smoothed over by a press release about having set up a blue-ribbon study panel.

I literally stumbled into this information. I had read about one tiny aspect of it. I made a few extrapolations. Then I got worried. The problem looked as though it would have major implications. Little did I know!

Every dark cloud has a silver lining, they say. Well, every silver lining has its dark cloud. This is a "dark cloud" report about the high tech silver lining. I am not trying to be deliberately gloomy, but this problem can only get worse, unless someone (and I don't know who) can figure out an answer. I don't like to present problems in REMNANT REVIEW for which I have no answers. This time I have to do what I don't like to do. If you've got some answer, WRITE! I am hoping that by going to my reader I may locate one or more people who can provide decent counsel.

Congress hasn't the foggiest idea of the threat that is now developing to the whole Western world. When I began this research project, neither did I. Those who know the facts are so close to the problem that they may have grown jaundiced -- or else they are people who are the source of the problem, and they don't want it solved. The technicians remain silent, or discuss it only in "the inner circles" where the issues are understood. Policy-makers need to know.

ELECTRONIC AIDS (Part I)

Scenario: Paul Volcker is handed a telegram as he enters the monthly meeting of the Federal Open Market Committee. Every other member of the FOMC, which sets monetary policy for the U.S., is also handed an identical telegram.
The telegram reads as follows:

THIS MORNING (a rural bank is named) SUFFERED A MAJOR FAILURE IN ITS COMPUTER SYSTEM STOP ALL DATA IN THAT COMPUTER HAS BEEN SCRAMBLED BEYOND RECOGNITION STOP WHEN BANK OFFICIALS ATTEMPT TO CALL UP THE RECORDS FROM ITS BACK UP COMPUTER TAPES THEY WILL FIND THAT THESE BACK UP TAPES ARE ALSO SCRAMBLED STOP ON MONDAY AFTERNOON THREE OTHER SMALL BANKS WILL SUFFER THE SAME FATE STOP ONE WILL BE IN NEW YORK CITY STOP ONE WILL BE IN LOS ANGELES STOP ONE WILL BE IN CHICAGO STOP PLEASE MEET AGAIN ON TUESDAY AFTERNOON STOP WE WILL GIVE YOU INSTRUCTIONS AT THAT TIME

Volcker calls the appropriate bureaucrat at the Federal Reserve System's headquarters, and he asks if there are any reports from the named bank. A few minutes later, the official calls back. The bank's management confirms the breakdown. The bank is attempting to install the back-up tapes. Volcker orders him to call back and stop the tapes from being installed. The bank complies. The tapes are then shipped to the Federal Reserve Bank under armed guard. When the FED's computer specialists acquire the same operating system and try to bring up the data, the system crashes. No usable data.

Tuesday morning, one by one three banks call the FED, the FDIC, and the Comptroller of the Currency's office, each with the same frantic tale. They have been working all night, but their computer records are scrambled. They cannot open at 10 a.m. They have only an hour to make a decision. What should they do? The FED instructs them to remain closed. They are also instructed to keep their mouths equally closed.

The T.V. networks are tipped off, but no one at any bank says anything. Lines appear in front of each bank. Governors in all three states call frantically to Washington. They all remember Ohio and Maryland. What is the FED going to do?

The FOMC, the Board of Governors of the FED, each regional president, and a team of computer experts meet at the New York FED's offices.
At three in the afternoon, a telegram is delivered to Volcker. It is brief. It says:

WORMS

"What the @%* is this?" he yells to no one in particular. The computer men turn white. They do their best to tell him what it means. They are finished answering his questions in about 45 minutes. Another telegram arrives. It says:

ON FRIDAY AFTERNOON THE CHASE MANHATTAN BANK WILL EXPERIENCE A SIMILAR COMPUTER FAILURE STOP ITS BACK UP TAPES WILL BE EQUALLY USELESS STOP IT WILL NOT BE ABLE TO REOPEN ON MONDAY MORNING STOP ON TUESDAY MORNING CITICORP WILL SUFFER A SIMILAR FAILURE STOP ON WEDNESDAY MORNING BANK OF AMERICA AND THREE OTHER MAJOR BANKS WILL ALSO SUFFER A BREAKDOWN STOP WE CAN PROVIDE YOU WITH THE CORRECTION FOR EACH COMPUTER STOP THE PRICE WILL BE THE REMOVAL OF DIPLOMATIC RECOGNITION OF THE ILLEGITIMATE STATE OF ISRAEL BY THE UNITED STATES AND AN END TO ALL ECONOMIC AID TO ISRAEL STOP TO PROVE THAT WE CAN DO THIS WE WILL SCRAMBLE ALL THE RECORDS OF CHASE MANHATTAN BRANCH BANK XYZ TOMORROW MORNING STOP

The next morning, all of the records of Chase Manhattan's branch bank are turned into random numbers. That afternoon, the President of the United States breaks off diplomatic relations with the state of Israel.

The banks stay open. No crash of the data occurs. This time.

This is a hypothetical scenario. It is NOT hypothetical technologically. This is the terrifying message of this issue of the REMNANT REVIEW. What I have described here is conceivable technologically. On a small scale, it has already been threatened. Let's start with the historical and then go to the possible.

WORMS

Earlier this year, I read a very interesting article on a major problem facing computer software (programs) development companies. A program comes on one or more 5.25-inch plastic discs. It takes only a few seconds to copy a program on one disc to a blank disc which costs $3. Yet these programs normally run at least $250, and usually sell at $495, and sometimes cost thousands.
Very few are less than $100. So you have a major temptation: make a $500 asset out of a $3 asset. Insert the $500 program into drive A, write "COPY A:*.* B:" and hit the "enter key"; sixty seconds later, you have a $500 program in drive B.

There are ways to make this copying more difficult. The companies code the programs, and force you to have a control disc in drive A at all times. These "copy protected" programs are a hassle for users. We cannot put them on a "hard (big) disc" easily, and sometimes the control disc dies for some reason. Then what? Your data are locked in your hard disc or on a floppy disc, but you can't get to the data because the control disc is not functioning. You order a replacement. Weeks go by.

Last year, several firms came up with a solution. It is called a WORM. A worm is a command which is built deep into the complex code which creates the program itself. These are incredibly complex codes, and it is easy to bury a command in them. They cannot be traced. What does the worm do? It "eats" things.

Say that you are a software thief. You make a copy of a non-copy-protected disc, either to use on a second computer, or to give (or sell) to a friend. The program works just fine. But when the program is copied to a new disc, the worm is "awakened." It bides its time, maybe for many months, maybe for years. The program's user is blissfully unaware that a monster lurks inside his pirated program. He continues to enter data, make correlations, etc. HE BECOMES COMPLETELY DEPENDENT ON THE PROGRAM.

Then, without warning, the worm strikes. Whole sections of the data disappear. Maybe the data storage disc is erased. Maybe it is just scrambled. Even his back-up data discs have worms in them. Everything he entered on those discs is gone. Forever.

Can you imagine the consternation of the user? He has become dependent on a booby-trapped program. His business could simply disappear.
For the savings of $500 (stolen program), he could lose everything he has.

Several firms threatened to insert worms into their programs. But then they backed off. They are afraid that lawsuits initiated against them might go against them in court. They could be hit for damages suffered by the thieving victims. Juries might decide that the punishment (a bankruptcy) was too much for the crime (a $500 theft). So far, no worms are lurking in any commercial software programs -- as far as I know and the industry knows, anyway.

But what if a disgruntled programmer were to hide one in a master copy of, say, Lotus 1-2-3, the most popular business program on the market? What if ten thousand copies a month go out for, say, three years? Then, without warning, every company that has started using them loses three years of data? They sue Lotus. Lotus goes bankrupt paying lawyers. NO COMPANY IN THE INDUSTRY IS WILLING TO TALK ABOUT THIS SABOTAGE THREAT PUBLICLY. Obviously.

LARCENISTS

I just happened to stumble across an article on worms in a computer magazine. It occurred to me that it might be possible to use the worm technique as a form of deliberate sabotage rather than just as a copy protection device. But what did I know? I'm not a computer expert.

I know a computer expert, however. I mean, a REAL expert -- one of those people you occasionally read about. In the world of business, they're called "space cadets." They operate somewhere in between the asteroid belt and Jupiter. But this one is different. He's a businessman, too.

I got him to sit down with me to discuss the problem of worms. It turned out that he has a real fascination for the topic. He tells me that there are advanced design worms, called 'viruses' by 'hackers' -- computer freak programming geniuses. "The software virus is the most terrifying thing I've ever come across," he told me. And then he showed me why. My initial scenario is based on only a portion of his estimation of the threat. It gets a lot worse.
He gave me a 90-minute FIRESTORM CHAT interview. He must remain anonymous. He used to be a software developer for programs that were used in the U.S. banking system, but is now employed in a highly sensitive job in a related industry. Therein lies his problem. IF HE WERE TO TELL THE STORY OF WHAT HE IS CAPABLE OF DOING TO THESE BANKS, HIS FIRM MIGHT LOSE A LOT OF SALES. He can't "go public." Let's call him Tom.

Let me summarize briefly some of the details he gave to me. They floored me. They're going to floor you.

1. JACKPOTTING

The rush is on in the banking world to get automated teller machines (ATM's) into shopping malls, supermarkets, and in front of every bank. We've all seen them. Just walk up, punch in your card number, ask for cash, and you get it. In a busy location, one of these machines can hold as much as $250,000 in cash, mostly small bills.

These machines are controlled by computer. They are hooked up to the bank's computer system, usually by phone lines. This local line, Tom tells me, is what computer freaks call THE LOOP. The loop is wide open to tampering. He says that what computer thieves are doing is to hook up a cheap Apple II computer, tie into the phone lines, break into the ATM, and get it to empty itself. This is "jackpotting."

He tells me that banks are getting hit by ATM thieves continually, but nothing is getting to the press. The banks have yet to show a profit with the ATM's so far, which is understandable. They are hoping to get their machines placed in key locations, so "market share" is crucial to their plans. They are suffering horrendous losses in the short run in the hope that long-run profits will pay off, if and when a defense is developed.

The banks are saying nothing because of their fear that if the extent of the losses gets into the press, they will be forced by pressure from depositors -- bank runs -- to cancel the ATM's. The losses are horrendous, he says.
At present, there is no known defense, given the communications technology.

2. ROUNDING OFF

This is the "preferred" computer bank theft system. Someone on the inside who has access to the software, takes advantage of the banks' need to round off numbers. The programs carry numbers out to 13 places. Banks can't use all that space. So when they balance the books (interest rates at, say, 9.873), they just don't count every tenth of a cent. The program is assumed to round off the numbers randomly. What does the bank care?

But the thief has set up bank accounts that absorb those random tenths or hundredths of a cent. In millions of dollars worth of transactions (federal funds, etc.), programmers in some cases have stashed away hundreds of thousands of dollars -- maybe millions -- over a few years. No one knows how much of this goes on.

How could a bank spot this? The books would always balance to the penny. How would the accountants ever know?

I think of a story that Adam Osborne tells in his paperback book, RUNNING WILD. The president of a large firm was looking out his window one day, and he noticed two Rolls Royce cars parked next to each other. He enquired as to the owners. They were two men in the data processing department. He called in investigators, and the cars and the men disappeared. They fled to Brazil and took their cars with them; Brazil has no extradition treaty with the U.S. Years later, as Osborne was writing the story, the firm still hadn't figured out what they had done.

ARSONISTS

These are the fearful ones, far more than the larcenists. These are the practical jokers who get into a major data bank and trash things. It's a kind of multimillion dollar "Kilroy was here" graffiti.

How easy is it to get in? Incredibly easy. The boy in "War Games" really could have broken into most firms' telephone-connected computers.
Computer programs exist that allow the user to hook up his computer to a phone line and randomly dial numbers until they hear the tell-tale whine of a computer line. It then notes the phone number and goes on its way, searching out more lines.

They can do it by long distance, free of charge. The phone company has a tough time tracing those who use various sorts of electronic black boxes to call anywhere on earth at no charge. Some people get caught, of course. "The tip of the iceberg," says Tom.

How do they get in? Easy; few systems are protected, once you locate the line. If one is, he says, you create a deliberate error. Most programs then collapse the protective shell, and the hacker finds himself inside the heart of the system. Tom has designed a program which keeps this from happening to his company's programs, but few companies have anything like it.

It's very easy to get in if someone has "logged on" -- opened his terminal's connection to the main computer -- if the system is connected to phone lines. Or anyone in the company can just tap in, if someone has left his desk and left the computer on. It's common to forget and leave an open terminal. He showed me. He says anyone can get fired for leaving a computer on. He demonstrated his point. With 40 computers on line, he ran a quick search and found two of them "logged on," despite the fact that it was after hours. "All the security in the world can't do anything if a computer line is open. It's like a burglar alarm; it's worthless if you leave the door unlocked or leave the keys lying around."

That janitor you hired. Is he a computer illiterate? Or a plant?

Once inside, what can you do? Steal a fortune? Yes, if you really know the system. He told me he could easily steal $3 million from a local bank, even as an outsider. He would then offer to give it back AND KEEP HIS MOUTH SHUT ABOUT HOW EASY IT WAS if the bank would pay him 10% of the take. He thinks most banks would capitulate for fear of the publicity.
In any case, he knows that he probably wouldn't get caught.

How about creating a new identity? The grade-changing scene in "War Games" is true. You could even create a new identity, give yourself high grades in any academic discipline, just by breaking into a university's data base. There is very little security here, he says.

But for sheer vindictiveness, for sheer envy, consider the possibilities of a virus-implanter. He gets inside the computer for a major communication link: telephones, large information data base, bank wire transfer, or whatever. Then he lays the egg: a tiny, untraceable brief instruction. Inside a huge data base are just a few characters. These float inside a system, seeking to devour certain kinds of data, or executing certain routines.

There is a game played by computer freaks called "Core War." They try to implant these killer messages, which seek out each other and battle one another. If you find one morning that yours has been consumed, you lost the battle. That was probably the origin of worms and viruses.

TERRORISM

Say that a revolutionary terrorist group, or some anti-Zionist group gets a "ringer" into the system. He might be a computer genius type. Everyone knows they are either orientals, dark-skinned people with accents, or teenagers. The firms don't hire teenagers, but they hire a lot of foreigners. They may even check the guy's credentials. Electronic credentials. (Ha!). Then they turn the guy loose in the system.

The virus is implanted deep inside the system. It can then be transferred to any other bank's computer by means of EFT (electronic funds transfer). Maybe it is triggered when someone with a peculiar and and address opens a bank account. Three days later: bam. The data disappear. They haul out the back-up tapes. Bam. The virus is on them, too.

It is a process of INFECTION, CONTAMINATION, AND INCUBATION. There is no known defense. Not yet. This is the bottom line.
ANTIBODIES

The designer of a virus can also design an "antibody". The antibody is a counter-virus agent which seeks it out and destroys it. But like other antibodies, it must be specific. The only way today that an antibody system can be created is to know what kind of a virus is involved beforehand.

Tom says that people are now selling antibodies at very high prices. Who is paying? Big companies that suspect that there is a virus present in their computers. In all probability, THE GUY SELLING THE ANTIBODY CREATED AND INJECTED THE VIRUS. But how can any businessman prove it? So he pays the blackmail.

NATIONAL DEFENSE

A Soviet agent or American spy working for the Soviets penetrates any of a dozen computers used by the military. He plants a virus. The computers talk to each other, and the virus spreads to all of them. It tells them to execute a certain routine when a certain command is entered at a missile-controlling terminal. That command might interfere with a routine which activates a missile or launches it. Upon reading that command, the virus shuts down the computer, or scrambles the executing program, or scrambles the data. No more "launch on warning." No more launch at all. Dead metal.

Scenario: The President of the United States receives a telephone call on the "red phone" -- the direct link to Moscow. He lifts the receiver and says "Hello."

"Mr. President, this is Michael Gorbachev. You must recognize my voice. I have very little time. I will come directly to the point. You have refused to back down on your threat to implement your Strategic Defense Initiative. You intend to go ahead with space-based weapons. My military staff informs me that they think that the United States has the technology to implement it, and that it would place my nation's military strategy in jeopardy. We cannot allow you to do this."

"If we allow you to deploy the SDI, it will be too late for us to respond effectively. Therefore, we are taking the initiative today.
I issued orders this morning to put Soviet military units on immediate alert. We are abiding by your biblical rule to announce the initiation of hostilities before striking. Neither the Japanese nor the Germans gave us this courtesy. If you do not come to terms with us, we will launch a first strike against your nation in three hours. We will delay for one day, if you agree to follow a precise procedure that I will outline shortly."

"At one time we feared nuclear retaliation. We no longer do. Within two hours, you will know why not. I suggest that you instruct your ballistic missile team to prepare your missiles for a strike. Then, to prove to yourself that we no longer are concerned about retaliation, launch one or two of them. As far as I am concerned, launch all of them. But please instruct your senior military commanders to report back to you concerning the effects of their instruction. I suggest that you try launching three or four as a test. We don't care which ones."

"Mr. President, let me tell you what is going to happen. As soon as anyone attempts to launch a missile, that missile's computer guidance system will shut down. It will lock up tight, and you will not be able to unlock it within the time you need to respond to our attack. Two hours and thirty minutes from now, you finally unlock your frozen computers."

"I suggest that you contact your senior officers now. You will have to mobilize them within 60 minutes. The test should take about 30 minutes. I will telephone you again in 90 minutes to present our terms of surrender."

Click.

The President calls the Joint Chiefs. If he is lucky, he will be able to locate two of the three in time. They will be paralyzed. Who wouldn't be? But in all likelihood, they will at least test Gorbachev's theory. They will order one or two missiles launched. The computer guidance system on both will shut down the system. They will try two or three more, with the same result.
They will attempt to launch one from a submarine, with the same result.

The President brings in senior Congressional officials and the remaining Joint Chiefs member to the White House. Exactly 90 minutes after he had hung up, Gorbachev telephones back. He presents his list of demands. First, the immediate removal of U.S. troops from Europe. Second, the withdrawal of personnel from Diego Garcia Island in the Indian Ocean. Third, the breaking of diplomatic relations with Red China and Taiwan. Fourth, the removal of all troops from Korea. Fifth, a moratorium on all debts owed to U.S. banks by the Soviet Union and its client states. Sixth, the removal of all Minuteman III missiles from their silos. Seventh, the return of all U.S. submarines to port. If he agrees, and the orders are delivered within two hours, the Soviet Union will delay launching a first strike.

The President complies.

They might do it with our communications satellites, Tom says. You might do it with any aspect of U.S. data transmission. The virus could sit dormant in a system for years, and no one would know. Triggered, it would then strike.

THE WEST'S VULNERABILITY

The West has become increasingly dependent on computers. We can no longer function without them. The Third World hasn't. Neither has the U.S.S.R. Their technology is still pre-computer. They are inefficient, but they are far less vulnerable.

Tom says that the world of computers presumes that almost everyone is essentially honest, and that all the brightest programmers must be honest. They aren't. Thus, the entire system -- banks, national defense, large and small businesses, public utilities -- have opened themselves to attack. The attackers are invisible.

"Nothing I have seen in all my years of computers scares me as much as this does," he says. "The system has been designed in terms of a far older set of standards, especially with respect to security. It is totally vulnerable." He compares it to plague, or venereal disease.
People copy each other's software to save a few bucks. They use public access data bases. They use "loops"-- the phone lines. Yet these transmission belts of information can become transmission belts of collapse.

This is what I have harped on for twenty years: the potential for a collapse of the division of labor. We become rich by means of a brilliant technology, yet we become dependent on it to an extent that no previous society ever has. Centralized institutions are most vulnerable, but because we use public transmission lines, from microwave transmissions to cables in the ground, each local unit is vulnerable. Those who would choose to bring down the system need only plant electronic viruses in a handful of major common-use data bases or transmission sources, and five years or ten years later, the disease hits. It could bring down the system if technological defenses are not developed.

Nothing on the immediate horizon points to a solution, he says. The silence of those who should know what to do indicates that they don't know what to do, but they don't want panic to spread.

* TOPIC: SUGGEST - "CCC Open Suggestion Box"
--> Item 64 from AJP30 on 12/05/85 at 06:49:47

This is part two of a two part series written by Gary North about software worms and viruses. Gary North is an investment newsletter publisher and presents an interesting perspective of the problem from a non-technical point of view. Enjoy.

Andrew J. Piziali, x8584.

-------------------------------------------------------------------------------
Gary North's Remnant Review Matt. 6:33-34
-------------------------------------------------------------------------------
Vol. 12, No. 20 380 November 15, 1985

ELECTRONIC AIDS (PART 2)

(Again, note that this issue of REMNANT REVIEW is not copyrighted. Reproduce it in any form you choose. This information needs wide dispersal.)

Maybe you saw the article buried somewhere in your newspaper. I saw it in the New York Times (Oct.
19):

A group of at least 23 teen-age computer users broke into a Chase Manhattan Bank computer installation by telephone in July and August and "significantly damaged" bank records, the Federal Bureau of Investigation said yesterday.

And where were these teenagers located? In San Diego, ACROSS THE CONTINENT! It gets even more ludicrous:

Federal officials said that most of the offenders were probably too young to be prosecuted. Robert D. Rose, the Asst. United States Attorney handling the case, said: "We're not yet sure what we are going to do. But these things can get out of hand -- it did get out of hand -- and we have to treat them seriously."

Treat WHAT seriously. "These THINGS?" What things? If they can't legally treat the electronic trespassers seriously, just what is the man talking about? He is talking about the topic, above all other topics, that bank and government officials don't want to face: THE VULNERABILITY OF THEIR COMPUTER RECORDS.

I have seen no follow-up on this story in the conventional press. A brief article did appear in the computer-oriented tabloid, INFOWORLD (Oct. 28). It turns out that the students had broken into the files of Interactive Data Corp. of Waltham, Massachusetts, which maintains the bank's financial records. The break-ins were discovered in late July. They had obtained the toll-free 800 number which was restricted (ha!) to Interactive Data subscribers. As late as October 9, an illegal entry was observed. In short, IT TOOK TEN WEEKS AFTER THE BREAK-INS WERE DISCOVERED TO PUT A STOP TO THEM.

The response of the bank's bureaucracy was predictable. It will ever be thus: "Bank officials are claiming that the FBI exaggerated the nature of the activities of the suspected individuals. A spokesperson for Chase Manhattan said that Interactive's customers were not prevented from accessing their accounts and that none of Interactive's data was altered or manipulated in any way."
In response, FBI supervisory agent John Kelso said that the FBI has sworn affidavits from bank officials that say data has been manipulated or damaged. "That sounds pretty serious to me," he volunteered.

Here is the capper: Interactive Data has 25,000 subscribers who are tied into that toll-free phone line. Try keeping tight security on a system with 25,000 users. Chase Manhattan couldn't. If they can't, who can?

And if Chase Manhattan Bank was vulnerable to 23 teenagers who are too young to prosecute, consider its vulnerability to JUST ONE ENVY-DRIVEN GENIUS who knows all about electronic viruses. The students who did this were apparently just goofing around. But what if just one malevolent computer freak decided to "get even" with Chase Manhattan? What if he had phoned in just once or twice, implanted a long-dormant data-killing virus, and quit? What if he had tied its detonation to, say, a calendar clock in the Interactive computer? If it took security forces from July until early October 15 to raid the 23 students' homes, they would never have spotted one break-in. They could not have traced it, either.

Conclusion: we have a risk-free opportunity for electronic arson. We face a potential electronic epidemic. AND WHEN I SAY "WE," I MEAN THE ENTIRE FINANCIAL SYSTEM OF THE WEST. Sure, all the bank "spokespersons" in the world will tell you, "no problem." But there is a problem. A horrendous problem.

At this point, it REALLY gets interesting. Chase Manhattan Bank has just announced that we will be able to set up our own personal electronic banking facilities with them by buying an expanded version of Managing Your Money, Andrew Tobias' home financial management program. Citicorp and Bank of America have opted for Dollars and Sense, a rival program. You will be able to pay monthly bills electronically, balance your "checkbook," monitor your net worth, buy and sell stocks, etc., etc., etc., just by dialing Citicorp or Chase Manhattan. Fantastic!
But despite all the assurances, I get nervous. Yes, I know no one will be able to break in and tamper with the numbers. But 23 teenagers shouldn't have been able to do it, either. And now we're talking about a lot more subscribers than 25,000. Obviously, the master program used by the banks will prohibit easy entry. Unfortunately, someone has to write the program. Can you imagine the blackmail possibilities? Some hot-shot programmer could build in a bomb, and then threaten to detonate it. In fact, he could merely pretend to have inserted a virus. Who would want to call his bluff? Not Chase Manhattan, I would bet.

CORE WARS REVISITED

In May of 1984, A.K. Dewdney published an article in Scientific American's "Computer Recreations" column. It was a light-hearted piece on how computer experts can get involved in playing this exciting game of "blow up your opponent's defenses." You know: RECREATION! In the March 1985 issue, he wrote a follow-up. It begins: When the column about Core War appeared last May, it had not occurred to me how serious a topic I was raising. My descriptions of machine-language programs, moving about in memory and trying to destroy each other, struck a resonant chord. According to many readers, whose stories I shall tell, there are abundant examples of worms, viruses and other software creatures living in every conceivable computing environment. SOME OF THE POSSIBILITIES ARE SO HORRIFYING THAT I HESITATE TO SET THEM DOWN AT ALL (emphasis added.) It turns out that the French have been enjoying a novel on the international implications, SOFTWAR: LA GUERRE DOUCE, by Breton and Beneich. A translation is scheduled for publication here by Holt, Rinehart & Winston. The study revolves around the sale of a high-power computer to the Soviet Union. The U.S. allows its export because it has a "software bomb" in it. When the U.S. Weather Service announces a certain temperature at St.
Thomas in the Virgin Islands, the program proceeds to subvert every piece of software in the Soviet Union. A pair of Italian programmers were "inspired" by the translation of Dewdney's original article to dream up a virus (a virus is a computer-to-computer killer, whereas a worm is resident in one man's computer). They figured out that by infecting a disk operating system disk (these start computers and tell them what to do with programs and electronics), and then installing it on disks used by the biggest computer shop in the city, they could create an epidemic. They decided not to do it. In short, the only restraint is SELF-RESTRAINT. A high school student in Pittsburgh wrote a virus which was more subtle than a data-destroying virus, which at least tells us that we have a problem. His virus created a plague of very subtle errors in the disk operating system. "All of this seems pretty juvenile," he wrote, but "Oh woe to me! I have never been able to get rid of my electronic plague. It infested all of my disks, and all of my friends' disks. It even managed to get onto my math teacher's graphing disks." He wrote a program to destroy the virus (an "antidote") but it is not anywhere near as effective as the virus is. Warning: do not copy disks from your friends' copies. This act of piracy could cost you plenty.

A COMMERCIAL WORM

Just a few days after I wrote "Electronic AIDS, Part I," I read a column in the WASHINGTON TIMES, the conservative (Moonie-owned) daily newspaper. One of the reporters has a computer. He had purchased a newly released program from Microsoft Co., called "Access." Understand that Microsoft supplies the disk operating system which is used by the IBM PC, the most popular microcomputer. In other words, this is no backyard company. It is one of the two or three software giants in the U.S. (Its owner is under age 30, which tells you something about who is pioneering the microcomputer revolution.)
As he was setting up his computer to take advantage of this telecommunications program, a warning flashed on his screen: "The weed of crime bears bitter fruit. Now trashing your program disk." Wham! He lost all his files -- probably a couple of years' worth of work. Sure, he was probably smart enough to have made back-up copies, but think of the risk. And what if it had been a worm that kept silent for a few years, infecting all of his back-up disks? He called Microsoft, and they gave him the runaround. They told him that they were not responsible. Some programmer had put in the worm in order to zap program pirates, but the journalist insisted that he was an original buyer. Tough luck, they told him. Obviously, they didn't know that he was a reporter. Then he published his article. All of a sudden, the victim was not some average buyer. He was big trouble. Things started moving. INFOWORLD (Oct. 28) reports that Microsoft has admitted that a programmer put in the worm, but without permission. The offending text has now been removed, we are assured. But what if it had sat in the master for three years? HERE IS THE PREMIER FIRM IN THE SOFTWARE BUSINESS, AND IT HAD AN UNAUTHORIZED PROGRAMMER INSERT A WORM. This is not idle speculation. It has already happened, verifying my hypothetical scenario within a few days after I published it. Can you imagine the absolute havoc that a dormant worm or virus could create if it were imbedded in all updates of Microsoft's masters of PC DOS and MS DOS, the operating systems for all IBM microcomputers and IBM compatible microcomputers? It could cost the U.S. economy billions, and some microcomputer-dependent firms wouldn't survive. Any Microsoft spokesman who says, "it's impossible; it could never happen" has to explain how it already did happen to "Access."

ADAM OSBORNE'S WARNING

You may know the name Adam Osborne. He invented the revolutionary portable computer, the Osborne 1.
Before there was an Osborne 2, the company went bankrupt. Compaq, the most successful first-year firm in U.S. history (over $100 million in sales in its 12 months of operations) and others built imitations that were far superior. That isn't my point, however. Adam Osborne was "present at the creation" of the microcomputer industry. He created Osborne publications, and then sold out to McGraw Hill. He knows what is going on. In his delightful paperback book, RUNNING WILD, which is a history of the microcomputer (desk top) revolution, 1975-82, he offers this warning. He says that three areas should not be allowed to be computerized: 1) bank money transfers; 2) the stock market; and 3) elections. All three are just about fully computerized. Another ten years, or maybe five, and they will be 100% computerized. Several firms allow microcomputer buying and selling of stock (e.g., Charles Schwab), and New York Stock Exchange floor transactions eventually will be fully computerized, at which time it will be pressured to get rid of the "specialists" who make (and sometimes manipulate) the market, short-term -- Richard Ney's hated "Wall Street Gang" -- but the price of getting rid of them may turn out to be horrendously high. "The great fortunes of the 21st century," Osborne predicts, "will be the legacies of the great computer thieves of the 20th." Three years ago, I used a firm to supply computer services I needed. The head of it was a former businessman, quite young, and a true "space cadet." I've quoted him in the last issue. I call him Tom. He operated in a world far removed mentally from the rest of us. He is a nice fellow, a Christian, and a moral philosopher of sorts. He ran the operations of the local elections. He did it fairly inexpensively. He told me why: "I want to keep these elections honest. It would be incredibly simple to rig the program to produce whatever outcome I wanted in close races. 
If I can do it, anyone with enough skill to set up the system could do it." I asked him if he thought Osborne was correct in his predictions about bank theft. "It would be a piece of cake for me to steal three or four million from any local bank. I could go in the next week, offer to give 90% of the money back, keep 10% as a finder's fee, and promise not to tell the press how easy it was to steal. They would probably pay me my 10% just to keep me quiet." Look, these people are geniuses. Worse, they are geniuses in a very narrow field technically, which is now being used to control darned near everything. This unique intellectual-technical skill is the possession of literally a handful of people, mostly under 35 years of age. They are "fooling around" with Chase Manhattan Bank's computers. What happens when a few of them stop fooling around and get deadly serious? Computer program designers keep telling us that there is no 100% secure way to defend data banks. Maybe there will be a 98% secure system someday, but not now. THE SYSTEM RELIES ON THE INTEGRITY OF YOUTH TO DEFEND ITSELF. In short, SELF-GOVERNMENT is the major defense. And where have they learned self-discipline? In the public schools?

"NOW YOU'VE DONE IT!"

About four years ago, I read an article in the ROLLING STONE, the tabloid aimed at rock music fans. It was the only article I ever read in that periodical. It was a gem. It described a subculture of students at Stanford University, "hackers." These people are computer freaks. The mainframe computer at Stanford was cheaper to use after midnight, so from midnight to 6 a.m., the hackers gathered at their terminals. They lived on candy bars, junk food, and high-technology dreams. One of the games they played was breaking into each other's programs. It was considered the mark of a master hacker to be able to crack another hacker's defenses. They would spend hours trying. They were "hacker-crackers." One bright fellow then designed a classic booby trap.
He wrote a program which warned trespassers not to tamper with it. This, of course, alerted every would-be electronic safe-cracker to the challenge. It was a complex program, and it took days to crack it. Then, after repeated warnings, the successful trespasser got a surprise. Japanese letters appeared on his screen. Roughly translated, the words proclaimed, "Now you've done it!" At that point, the victim's computer screen went blank. Then the names of all his own computer files appeared on the screen -- files that may have taken years to assemble. One by one, they blipped off the screen. In horror, the victim would stare at the screen, unable to stop the process. As it turned out, the booby trap was only a practical joke. It really didn't erase all the victim's files. It only listed the NAMES, and then erased them. But for a horrifying few minutes, the victim wouldn't know this. Hackers play games. Very interesting games. The kind of people who spend six hours, midnight to 6 a.m., trying to break into each other's programs are different from the rest of us. Among their ranks are some highly individualistic people. Some of them are libertarians. I mean anarchists. They are electronic "don't tread on me" sorts of people. They do not appreciate bureaucracy. They appreciate being pushed around even less. The folks at Chase Manhattan really do have a problem. Do you attempt to prosecute a legally unprosecutable kid? A kid who has already cracked your computer system? I don't think you do. You play the role of stern but appreciative banker. "Son, I am impressed by your ability to break in. But understand, we are honest people. There is a code of honor here. You wouldn't want to break that code -- of honor, I mean -- would you?" Because if this kid gets angry, he can do it again. Quietly. And next time, he deposits a virus. Of course, Chase may hire a programming team to create an unbreakable system. Sure. "Hire fox A. Give him chain link fence B.
Hire him to build fence B around chicken coop C."

TEEN CHALLENGE

Suppose that the public gets wind of the threat to the whole banking system which is posed by viruses? What do the bankers (or anyone else) announce to the public? "We want to assure you that our computer program is impenetrable. No one can break in. It is foolproof." Here is a challenge -- rather like the Stanford program that announced: "Do not trespass." These kids see breaking in as a challenge, a kind of sport. They do not regard it as vandalism, even if it costs a company millions of dollars to unscramble. They may be ethical in other respects, but they think of "core wars" as a game. How would you like to be the 60-year-old banker who doesn't know a byte from usury, but whose public relations department tells him to inform the public that nobody can crack his bank's code? To cite Mr. T in "Rocky III," that bank is dead meat. So are its depositors. But if he keeps quiet, and the story still gets out about the vulnerability of the system, one or two small "virus-demolished" banks could trigger a collapse of the system, as people do the only smart thing: run for CASH. The whole fractional reserve banking system would deflate; only the FED's printing presses could "save the day," in a wave of fiat money. What I am saying is this: I THINK THAT WE WILL SEE THE END OF FRACTIONAL RESERVE BANKING IN OUR DAY. At the very least, I think we will see it subjected to tremendous shocks. People will lose faith in electronic promises made by bureaucrats who do not know anything about the monsters that their efficient computers can be turned into.

ATTACK ON MARTINSBURG

Now, let's take it a step farther. Some day some state or Federal bureaucrat is going to step on the toes of some genius entrepreneur who has created a software development firm. The bureaucrat will try to wrap this entrepreneur in red tape. Or maybe -- just maybe -- he will try to sock him with a tax bill that the entrepreneur regards as unfair.
In Martinsburg, West Virginia, there is a large computer. It is owned and operated by the Internal Revenue Service. Into it, over the next five years, the IRS apparently intends to deposit all the records it can assemble on every US taxpayer. This computer data base will be the biggest in the world. It is the tool by which the IRS hopes to increase taxpayer compliance. And it may succeed. For a while. This is one reason for saving all letters to and from the IRS. If the IRS becomes dependent on its computer system, which is likely, then any short-circuiting of its data base could create havoc for tax collecting. If word gets out that a major failure has hit the IRS, the tax revolt could multiply overnight. You would see the deficit become astronomical. If the IRS continues to tie its "voluntary" compliance program to the myth of "the all-seeing computer," then news of the computer's scrambling could backfire. It is possible that the story of the IRS data base is a myth. Maybe they aren't going to build it. But if the public believes that such computer power is at the disposal of the IRS, and taxpayers then learn either that the system has been blown, or that it was mythical from the start, the tax revolt could spread like an epidemic. The electronic epidemic could trigger a tax revolt epidemic. He who lives on the cutting edge of technology eventually dies on the cutting edge of technology.

"PEOPLE ARE BASICALLY GOOD"

Let's return to my taped interview with "Tom." In a 90-minute interview, we covered a lot of ground. But one topic which stands out in my mind is our discussion of the presupposition which goes into the creation of a computer-based society. The computer people have all adopted the assumption which undergirds modern science, namely, that participants are well-meaning, that they will not fake their experiments, and that they will play fair. If scientists had to check every aspect of every article, science could not advance very fast.
What about the computer industry? The whole system rests on faith: "Men are not malevolent. They are not envy-driven. They will not deliberately seek to destroy the work of some random victim." Tom says categorically that this assumption is false. There are bad people with tremendous computer skills, and that modern society has not restructured its economic institutions to protect itself. Here is one example of a break-in technique. Someone phones into a computer which has been left open temporarily by some user. The lock is unlatched; he needs no key to get in. He then seeks to penetrate the inner core of the program, such as a bank's program. He creates a deliberate error, which all too often triggers a kind of electronic explosion. The protective shell self-destructs, and the invader now finds himself inside the system, where far fewer defense mechanisms exist. Tom designed his own firm's defense against this tactic. His program automatically records the source of the error, and throws the user out of the program. The program has protection against deliberate errors, but most of them don't, he says. A major error simply collapses the program's outer shell. In my previous issue, I speculated that a Soviet spy or agent could penetrate U.S. computers. Note: I did not assume that he would simply phone in; I assumed that a disloyal programmer, or a team, could plant the virus as insiders. From there, the virus would spread through the system through normal telecommunications. Several people have written in to tell me that a wrecker cannot destroy the system by penetrating it from the outside. They may be correct. But when informed that I am assuming an INSIDE JOB by someone with access to a major computer, the critics have admitted that this might be possible. The weed of crime bears bitter fruit: FOR HONEST, COMPUTER-DEPENDENT PEOPLE.

FEDERAL FUNDS

The Federal Funds bank transfer lines allow banks to borrow money overnight.
Hundreds of billions of dollars go across these lines every working day. The bank's computers communicate with each other by means of this telecommunications hook-up. What if someone were to plant a long-delay virus in the software which operates these transfers? And what banker has even thought about this problem? What if this scenario were to take place: A virus triggers the disruption of bank records -- not a total breakdown initially, but disruptions in the data? It might be weeks or months before auditors recognized the extent of the problem. As rumors begin to leak out about complex accounting or other data-management problems of major banks all over the U.S. (including off-shore branches), the various banking regulatory agencies would be swamped with crises and outside rumors. Then, all at once, bank computers begin breaking down. The rumors then explode. The lines appear in front of banks. The only answer at this point is to print up paper money. It would be printed by the hundreds of billions in order to offset the deflationary effects of bank runs (paper money which is pulled out but redeposited in another bank). YOU COULD TOPPLE THE FRACTIONAL RESERVE BANKING SYSTEM ALL OVER THE WORLD. The entire payments system could easily become engulfed in chaos. Debits and credits would no longer be meaningful. A pure paper money inflation would replace the manipulated "fine-tuned" monetary inflation of modern central banking. All of a sudden, market-created alternative currencies would be revived. It would then be METALLIC CASH that talks loudest. Silver dimes are not electronic. They can't be infected electronically. They still circulate when banks are "temporarily closed, due to circumstance beyond our control." The loss of efficiency would be initially horrendous, I would guess. The division of labor would break down. You could then have the crash that lurks in the minds and suspicions of average depositors. Who says it cannot happen?
A lot of public relations firms hired by the banks -- computer illiterates in high places? What we have is AN INTERNATIONAL BANK MONEY WIRE SYSTEM which is TOTALLY VULNERABLE to some vindictive programmer. There is little doubt in my mind that the bankers are desperately fearful of this sort of vandalism. It could topple people's confidence in the fractional reserve banking system, and confidence is the only thing which keeps it going.

CONCLUSION

Technologically, there is no solution at this point. I have no heartening message. Maybe later; not now. Keep precious metal coins. Don't assume that it can't happen here. It can. The only thing holding it back is the restraining hand of God, through the temporary self-restraint of a technological priesthood.

Neal Macklin (408) 737-5214
...{hplabs,ihnp4}!amdahl!nzm10
[There are no opinions expressed in this article].

=========================================================================
Elliott S Frank ...!{ihnp4,hplabs,amd,nsc}!amdahl!esf00 (408) 746-6384
[the above opinions are strictly mine, if anyone's]

------------------------------

End of RISKS-FORUM Digest
************************
-------