Subject: RISKS DIGEST 12.02
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 2 July 1991  Volume 12 : Issue 02

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Insecure Superman leads to Superbill (Paul Leyland)
Too Many Computer Systems Hurt War on Drugs, study says (PGN)
Colombian Constitution Erased (Brian Snow)
More phone disruptions (Fernando Pereira)
Bell Atlantic 26 June Failure (Robert McClenon)
Re: The Risks of Undelete and the Law (Al Donaldson)
Searching the RISKS archives via WAIS (Ephraim Vishniac)
"On the Danger of Simple Answers" (elnitsky via Rob Slade)
Videotape of the pilot discussing the crash of UAL 232 (Mary Shafer)
Risk of posting to RISKS (Jerry Hollombe)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM
SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 1 Jul 91 14:18:30 +0100
From: Paul Leyland
Subject: Insecure Superman leads to Superbill.
Victim of computer hackers fights BT over \pounds 8,000 bill
_The Times_ (London), 1 July 1991

A director of video films is embroiled in a dispute with British Telecom over
an \pounds 8,000 bill after becoming a victim of hackers -- people who steal
computer passwords to break into international data bases and use services
illegally.  George Snow says the bill will ruin him.  Experts say the case
highlights increasing concern over one of Britain's most under-reported crimes.

For several years, Mr Snow has kept abreast of developments in 3-D computer
graphics by using access to an American information service called Compuserve.
To cut costs, he became a customer of BT's Dial Plus service, which allows
customers to connect their office or home computers to international data bases
for the price of a local rather than an international call.

Mr Snow, who has directed programmes for Channel 4 and the Arts Council, and
whose pop video credits include Howard Jones, had found the service useful and
inexpensive until recently.  "My quarterly bill would be around \pounds 30,"
said the director whose company, WKBC TV, is based in west London.

Mr Snow, aged 42, now faces a big unscheduled bill for calls he never made.
It appears that hackers illegally obtained Mr Snow's password and BT agrees.
The dispute is about who pays the \pounds 5,500 and \pounds 2,500 bills which
have been run up in recent months.

BT says that Mr Snow chose a password that hackers could easily borrow [sic].
He says that the company has a responsibility to ensure its networks are
secure.  "To clock up \pounds 8,000 worth of bills you have to be talking
about someone using the service 24 hours-a-day day in day out," he said.

To break into a data base, hackers will generally first try obvious passwords
such as Christian names.  They also use programmes that run randomly through
words in a dictionary until one opens a data base.
Customers with Dial Plus have to sign a disclaimer stating that they will not
use obvious passwords otherwise they might be liable for hackers' bills.  A BT
spokesman admitted, however, that Mr Snow had joined the service before the
agreement came into force.  Mr Snow also says that it was BT which approved
Superman, the password stolen by the hackers.

The company says that Mr Snow was warned that his account was running up huge
bills in early February but that it was sometime later that the password was
changed.  Mr Snow says that it was changed within days and that by the time BT
contacted him the damage had been done with most of the bill having been run
up.  He believes that he, and possibly others, are being forced to pay the
price for the company's poor security and has called in the Computer Crime
Unit at Scotland Yard to investigate.

David Frost, a computer security expert with accountants Price Waterhouse, said
yesterday that the amount of hacking taking place in Britain was being
seriously underplayed by companies.

BT rejects suggestions that it is cavalier with security.  A spokesman said the
company would write to Mr Snow this week.  He says that he will fight BT in
court if it prosecutes him.  "\pounds 8,000 is about 10 per cent of my
turnover," he said.

[I have a few comments, based solely on the report as printed.  I do not know
what truly happened.

I draw attention to BT's apparent attitude to password security.  They used
the term "borrow", rather than "steal" or "use illegally".  They vetted the
password, implying that Mr Snow was asked to reveal his password rather than
keep it secret.  Even so, they gave the OK to a password which is of dubious
security.  It is generally agreed that proper names, dictionary words,
literary characters and the like are easily guessed.
More generally, it is interesting how British newspapers, and _The Times_ in
particular, are beginning to take an informed interest in the subject of
computer security and, indeed, in computer-related risks in general.  Apart
from some quaint terminology ("programmes", "data bases") they seem reasonably
competent at understanding the issues and reporting them clearly to a
non-expert audience.

Paul Leyland, pcl@convex.oxford.ac.uk ]

------------------------------

Date: Tue, 2 Jul 91 20:08:30 PDT
From: "Peter G. Neumann"
Subject: Too Many Computer Systems Hurt War on Drugs, study says

The 2 Jul 91 Washington Post noted that the government's war on drugs is being
seriously impeded by having to rely on more than 100 different computer
systems, according to a report of the General Accounting Office.  Many of the
computers cannot communicate.  Also, "the government has no measures for
ensuring that its information is correct and that its systems are protected
from outsiders."

------------------------------

Date: Sun, 30 Jun 91 10:19 EDT
From: BSnow@DOCKMASTER.NCSC.MIL
Subject: Colombian Constitution 'lost' due to lack of data backup procedures.

Excerpted from The Washington Post, 30 Jun 1991, p.A23:

  Computer Glitch 'Kills' Constitution; Colombian Charter Appears in Jeopardy
  by Douglas Farah, Special to The Washington Post

BOGOTA, Colombia, June 29 -- The approval of Colombia's new constitution, which
modernizes the nation's judicial, political and economic structures, is in
jeopardy because a computer apparently ate the text.  ...

The committee writing the final version was to turn over the text for final
voting Wednesday.  However, a technician storing the material in a computer,
borrowed from the office of the presidency, erased or lost the final document
-- after many of the papers with the drafts of the articles had been thrown
away.  ...

"We literally have people going through trash cans looking for scraps of
paper," said one source close to the process.
"We do not know how this was allowed to happen, and we have lost an almost
vital three days.  We cannot debate or vote on a text we do not have in front
of us."  ...

While there are different versions of how the computer foul-up occurred,
sources said a member of the codification committee refused to allow
technicians from the office of the president to have access to the computer,
fearing that some of the material could be pirated or changed.  Instead, he
had a nephew hired to do the computer work.  It turned out that the nephew had
only taken a one-year correspondence course in computer programming.  ...

   [Also noted by Les Earnest, and by "Raleigh F. Romine", who added "It has
   all the traditional ingredients -- no backups, inexperienced operators,
   etc.  The final quote is the best part."]

------------------------------

Date: Tue, 2 Jul 91 11:17:25 EDT
From: pereira@klee.research.att.com (Fernando Pereira)
Subject: More phone disruptions

Associated Press writer Jim Stader reports today (July 2nd) on another
software-induced disruption of phone service affecting over 1 million
customers (area code 412 around Pittsburgh) of Pennsylvania Bell for over 6
hours.  The problem was probably caused by the same recently installed
signalling software that is under suspicion for earlier disruptions in the
Washington DC and Los Angeles areas.  The bug has not yet been identified, and
the possibilities of a virus or other sabotage have not been ruled out.
Pennsylvania Bell's president stated that the triggering event might have been
different in the various disruptions, but that once the problem is triggered,
the symptoms are very similar.  In all cases, lines carrying signaling between
switches became jammed.

[A subsequent revised version of the AP story summarized above reports on
speculation that the cause of the phone disruptions may be sabotage originating
in the Middle East.
The alleged reason for this is the claim that in most cases the network
failures followed the appearance of animated hieroglyphics on operators'
terminals.]

Fernando Pereira, 2D-447, AT&T Bell Laboratories, 600 Mountain Ave,
Murray Hill, NJ 07974    pereira@research.att.com

   [The San Francisco Chronicle front page this morning recorded the
   Pennsylvania problems, and also noted similar problems in San Francisco,
   although only for five minutes.  It quoted Don Burns, a Bell Atlantic VP:
   "The fact that we've had, in the short period of a month, several outages
   causes us to believe that something has been introduced" into the systems.
   The complexity of highly distributed systems continues to confront us.  PGN]

------------------------------

Date: 01 Jul 91 22:53:08 EDT
From: Robert McClenon <76476.337@compuserve.com>
Subject: Bell Atlantic 26 June Failure

In my opinion, the spreading of the failure of the telephone system on
Wednesday (26 June) from Baltimore to Washington and Northern Virginia was an
example of a risk of a high degree of connectedness in a network.  In
particular, connectedness increases the vulnerability to spreading failures,
unless special provisions are made to limit that spread.  I think a similar
lesson was exhibited (but perhaps not learned) by the failure of the electrical
grid connecting the Northeast in 1965 resulting in the New York blackout.

It eventually was necessary for C&P (a subsidiary of Bell Atlantic) to break
the links between the four SS7 computers and take each of them down and bring
them up separately.  The Washington Post says:

> Bell Atlantic said yesterday that it had probably worsened the scope
>of the failure inadvertently because it had recently linked all four of
>the traffic cop computers [Signaling System 7 computers] temporarily...

In other words, connecting the four computers was a two-edged sword, and it cut
the wrong way on 26 June 1991.  Also, there had obviously been inadequate
testing of the software.
Something as large as a telephone switching system is not easy to test
adequately, and requires a high level of thoroughness in planning the tests.

Robert McClenon

------------------------------

Date: Tue, 2 Jul 91 11:33:14 EDT
From: al@escom.com (Al Donaldson)
Subject: Re: The Risks of Undelete and the Law (Dippold, RISKS-12.01)

In RISKS-12.01, Ron Dippold writes about a case in which a murderer used a
computer to plan his crime, and then claimed that when he "deleted" his files
he had an "expectation of privacy" regarding the data:

>The court soundly, and IMO correctly, rejected this claim, analogizing the
>retrieval of the deleted file data (by an FBI agent who was a computer expert)
>to deciphering a coded message in a diary, after the diary was obtained under a
>valid subpoena.

I agree that the information was properly used in the trial, but I think the
analogy given was incorrect or incomplete.  While most people think of
computers simply as electronic filing cabinets, there are some weak analogies
between writing messages to disk and coding data in a diary (e.g., use of
ASCII, way in which bits are written to media).  I suspect that these analogies
were not appreciated by the court.  Instead, they seem to have concluded that
"deleting" a file is analogous to encrypting it.

File deletion (actually, removing links to the data) is more analogous to
shredding or burning the diary, or tearing out pages and throwing them in the
trash (imagine an Apple wastebasket icon.. :-)  The defendant did have an
expectation of privacy based on his (lack of) knowledge of how file deletion
worked, just as someone who sets fire to a stack of papers may expect them to
burn completely all the way through and obliterate all of the data written on
them.  But in the case of burned papers, it may still be possible to carefully
peel them apart and read some information.
If you really want to obliterate the *data*, you burn the paper completely and
then grind the charred paper to small pieces of ash.  Similarly, if you want to
remove *data* from a disk, you overwrite it.  If it is really important, like
national secrets or murder evidence, then you hacksaw the disk platters into
little bitty pieces and throw them into the Potomac.  Ask Ollie North.

I agree they should fry Mr. Copenhefer, but I don't like the justification.
This will probably establish precedence in future trials, further removing
legal practice from physical reality.  Wouldn't it have been nice if the court
had simply decided to use "un-deleted" data, without any half-baked analogies?

Al

Incidentally, I seem to remember a similar case in Northern Virginia recently
in which a Marine was accused of murdering his wife (also a Marine, who
disappeared and whose body has not been found).  As I remember, investigators
found plans on how to carry out a murder and hide the body on a disk belonging
to the suspect.  His explanation, supported by his mother, was that he was
working on a book, a murder mystery, and he has no idea where his wife is.
Murder, he wrote?

------------------------------

Date: Mon, 1 Jul 91 10:55:48 EDT
From: Ephraim Vishniac
Subject: Searching the RISKS archives via WAIS (Wollman, RISKS-11.95)

I'm the database maintainer, and I just want to add a few notes.

1. The public WAIS server is down right now.  With last week's record heat and
some inadequate air-conditioning here, we temporarily killed cmns-vax.  It's
possible that it will be up sometime tomorrow (July 2nd) after moving to a new
machine room, but it might be another day or two.

2. The database is automatically updated.  (I should fix the source
description.)  Issues arriving during the night are saved until we start up in
the morning; issues arriving while the system is up are added within ten
minutes.

3.
A variety of user interfaces for the WAIS system are available by anonymous
ftp from think.com, in /public/wais.  There's a Macintosh interface in
WAIStation-0-62.sit.hqx, and there are gnu emacs and X-Windows interfaces in
wais-8-b1.tar.Z.  The latter package also includes code for setting up your
own servers using whatever Unix host you've got handy.  (The public WAIS server
uses a Connection Machine.  Code for that server is not generally available.)

4. The public WAIS server contains a variety of other databases, including the
info-mac digest, Sun-Spots digest, Sun Managers mailing list, King James
Version of the Bible, National Institutes of Health Guide to Grants and
Programs, and the CIA World Factbook 1990.

Ephraim Vishniac    ephraim@think.com    ThinkingCorp@applelink.apple.com
Thinking Machines Corporation / 245 First Street / Cambridge, MA 02142

------------------------------

Date: Mon, 01 Jul 91 20:26:12 PDT
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: "On the Danger of Simple Answers"

The following was posted on rec.humor.funny.  On the one hand, it shows an
appalling naivete.  On the other hand, that isn't funny at all:

From: elnitsky@math.lsa.umich.edu
Subject: global warming
Date: 30 Jun 91 23:30:04 GMT

"... Perhaps of even greater significance is the continuous and profound
distrust of science and technology that the environmental movement displays.
The environmental movement maintains that science and technology cannot be
relied upon to build a safe atomic power plant, to produce a pesticide that is
safe, or even bake a loaf of bread that is safe, if that loaf of bread contains
chemical preservatives.
When it comes to global warming, however, it turns out that there is one area
in which the environmental movement displays the most breathtaking confidence
in the reliability of science and technology, an area in which, until
recently, no one -- even the staunchest supporters of science and technology --
had ever thought to assert very much confidence at all.  The one thing, the
environmental movement holds, that science and technology can do so well that
we are entitled to have unlimited confidence in them, is FORECAST THE WEATHER!
-- for the next one hundred years..."

George Reisman, "The Toxicity of Environmentalism"

This kind of thinking is, unfortunately, all too common, even in the scientific
community.  If I disagree with it, it must be wrong.  If it supports what I
believe, it must be right.  True "critical" thinking: that facility which
allows us to discriminate between correct and incorrect information and points
of view, is too often lacking in our society and world.  In addition, all too
few people have taken the time to acquire the technical knowledge which allows
one to judge scientific pronouncements.

(My subject line is the title of the editorial for the Journal of the American
Scientific Affiliation special issue on nuclear power some years back.)

Robert_Slade@mtsg.sfu.ca   Vancouver Institute for Research into User Security
Canada V7K 2G6

------------------------------

Date: Mon, 1 Jul 91 14:01:06 PDT
From: Mary Shafer
Subject: Videotape of the pilot discussing the crash of UAL 232

I wrote:

>There's been a lot of discussion of the safety of fly-by-wire aircraft, so
>here's the discussion of an accident that very possibly would have been
>prevented were the DC-10 fly-by-wire rather than hydraulic.

And Robert Dorsett comments:

  As I'm sure Mary realizes, FBW does not alleviate the necessity for
  multiple-redundant hydraulics, and all the plumbing that comes with them.
  As currently implemented on most aircraft, it simply replaces the means by
  which the *hydraulic* actuators are operated.  Instead of cables, there are
  electrical wires.  These lead to one or more computers, which in turn process
  command inputs from the pilot, leading to the possibility of unconventional
  control laws.  Most of the controversy of FBW occurs at this stage.  The
  severity of the failure involved would have happened whether the DC-10 were
  FBW or not.

No, Robert, it wouldn't have.  The loss of two of the hydraulic systems was
caused by shrapnel damage to the hydraulic lines.  Had this not happened, the
airplane would have flown along with two working hydraulic systems and have
done just fine.  However, the design of the conventional hydraulic system
dictates hydraulic runs that were vulnerable to the precise damage caused by
this accident.  DC-10s don't use cables, they use nonreversible hydraulic
systems.  I don't believe that any airliner since the DC-4 or so has had
cables.

This has nothing to do with the control laws, nothing to do with redundancy,
nothing to do with unconventional systems, it has everything to do with the
physical vulnerability of the hydraulic lines and the fact that the wiring is
better armored and less vulnerable to shrapnel damage and that other hydraulic
runs are better protected from this particular damage.

This is, of course, why battle damage resistance is an important benefit of
fly-by-wire and why the military is so fond of it.  I worked on the Survivable
Flight Conditions Systems F-4 Phantom in the early to mid-70s.  The Air Force
wasn't interested in fancy control systems or lighter weight, they were
interested in surviving battle damage.  That's the easiest payoff to FBW.
  Now, in rebuttal, I'm sure Mary'd point out that the FBW issue would only
  enter in the form of *control* issues subsequent to the accident, introducing
  unconventional control laws to effectively duplicate (or improve upon) the
  differential thrust technique Haynes used.  And she has a point.  But there's
  always the question of whether the complexity and cost of such software will
  ever justify its usefulness in the "1:1e-9" catastrophic control failure
  case.  In safety management, there is a point of negative return.

Nope, I wouldn't point this out because it never even occurred to me until you
mentioned it.  My only thought was shrapnel damage.  I think you're quite
correct about some sort of thrust-only flight path control system.  There've
only been a very few accidents that resulted in total hydraulic loss with an
otherwise flyable airplane.  (Two pressure vessel failures--Paris in a DC-10,
Japan in a 747--and this one for airliners, the birdstrike to the B-1B out of
Dyess.)  It doesn't seem to me that there's any reason to develop a system to
deal with such a remote possibility.  Sometimes you just go ahead and accept
the risk, when it's an extremely small risk.  Life isn't completely risk-free.

  Perhaps a more salient observation would have been: this accident would not
  have happened if there was full manual reversion on the DC-10, a la the
  Boeing 707?  :-)

This accident wouldn't have happened if the airplane had completely armored
hydraulic lines.  It happened to a DC-10, it happened to a B-1B, but it's
easier to prevent in a fly-by-wire aircraft because you have safer hydraulic
runs available and because fly-by-wire wires are more easily armored.
Mary Shafer   shafer@skipper.dfrf.nasa.gov   ames!skipper.dfrf.nasa.gov!shafer
NASA Ames Dryden Flight Research Facility, Edwards, CA

------------------------------

Date: Tue, 2 Jul 91 16:33:19 -0700
From: The Polymath
Subject: Risk of posting to RISKS

Some years ago, as an apprentice programmer, I learned to craft even my
personal, quick-and-dirty utility programs carefully and thoughtfully.  The
lesson was first driven home as I stood by and watched in horror while one of
my uglier personal "tools" was packaged and shipped as part of a product.

Recently, a similar phenomenon caught me again.  I received an e-mail query
asking permission to include the text of one of my postings to RISKS in a
forthcoming book.  The request came so long after the fact, I had to ask the
publisher to send me a copy of the article in question.  I'd long since
forgotten it.

The article turned out to be a minor diatribe on the nature of censorship and
its relation to Stanford's attempt to ban rec.humor.funny.  It was a bit
embarrassing to read it again and note its flamish style.  All in all, I was
mildly surprised our moderator let it through.  I gave my permission for its
publication, but requested a footnote be added clarifying my position on the
matter.

I received a copy of the book in the mail a few days ago, footnote and all.
(It also contains RISKS comments on the same subject from Les Earnest and John
McCarthy.  I'm honored to be found in such company).

The risk?  The words we exchange here aren't as ephemeral as they may appear on
a VDT screen, so be careful what you say and how you say it.  You never know
who might decide to package and ship it to a customer.  (-:

Oh, yes.  The book:

  _Computerization and Controversy: Value Conflicts and Social Choices_
  Edited by Charles Dunlop and Rob Kling, Academic Press, Inc.
  Harcourt, Brace, Jovanovich, Publishers
  ISBN 0-12-224356-0

(No, I don't get any royalties).

Jerry Hollombe, Citicorp, 3100 Ocean Park Blvd.
Santa Monica, CA 90405    (213) 450-9111, x2483
{rutgers|pyramid|philabs|psivax}!ttidca!hollombe

------------------------------

End of RISKS-FORUM Digest 12.02
************************
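The Dial Plus dispute in Paul Leyland's item above turns on a vetted password, "Superman", that the guessing programs the article describes would reach almost at once. The Python check below is an editor's example added to this issue, not code from the digest, The Times or BT; it rejects the classes the article and Leyland name (Christian names, dictionary words, literary characters), even when disguised by case, digit-for-letter substitution, appended digits or reversal. The wordlists are constructed stand-ins for the full dictionaries a real vetting step would load.

```python
"""Password vetting check for the kind of service described in the Dial Plus item.

Editor's example; not code from RISKS, The Times or BT.  The wordlists below
are tiny constructed stand-ins for the name lists, dictionaries and lists of
literary characters that a guessing program would try first.
"""
import re

# Constructed stand-ins for real wordlists (a deployment would load full
# dictionary files and name lists instead).
FIRST_NAMES = {"george", "david", "paul", "mary", "robert", "peter"}
DICTIONARY_WORDS = {"password", "secret", "computer", "telecom", "video", "graphics"}
LITERARY_NAMES = {"superman", "batman", "sherlock", "gandalf", "dracula"}
GUESSABLE = FIRST_NAMES | DICTIONARY_WORDS | LITERARY_NAMES

# Digit/symbol-for-letter substitutions a guessing program would also try.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def guessable_forms(candidate):
    """Return the plain forms a guessing program would derive from a candidate:
    lower-cased, with leet substitutions undone, with leading and trailing
    digits or punctuation stripped, and each of those also reversed."""
    low = candidate.lower()
    forms = set()
    for variant in (low, low.translate(LEET)):
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", variant)
        forms.add(core)
        forms.add(core[::-1])
    forms.discard("")
    return forms


def check_password(candidate, min_length=8):
    """Return (accepted, reason).  Rejects what the article calls obvious
    passwords: names, dictionary words and literary characters, including
    trivially disguised ones, plus anything short or of one character class."""
    if len(candidate) < min_length:
        return False, "shorter than %d characters" % min_length
    for form in guessable_forms(candidate):
        if form in GUESSABLE:
            return False, "'%s' is a name, dictionary word or character" % form
        # A guessable word padded with at most three more letters still falls
        # to a dictionary run that appends short suffixes.
        for word in GUESSABLE:
            if len(word) >= 5 and word in form and len(form) - len(word) <= 3:
                return False, "built from '%s' with too little else" % word
    classes = sum(1 for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
                  if re.search(pat, candidate))
    if classes < 3:
        return False, "uses fewer than three character classes"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates, including the one from the article.
    for pw in ("Superman", "Superman1", "Sup3rm@n!", "n4mrepu5",
               "georgesnow", "Tv-Cr3dits#1991"):
        print("%-16s %s" % (pw, check_password(pw)))
```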