Subject: RISKS DIGEST 12.08
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 25 July 1991  Volume 12 : Issue 08

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Another false apprehension -- erroneous database information (PGN)
Human Error Blamed for Soviet N-Plant Problems (PGN)
Shuttle Atlantis out to launch (PGN)
Risks of getting used to computers (Geoff Kuenning)
Index of Known MsDos Malware: 998 viruses/trojans (Klaus Brunnstein)
Sometimes they even warn you about the pitfalls (self-trapping) (Andrew Koenig)
Smart cockpit with no backup (Henry Spencer)
Black boxes in autos for accident "facts" (Mark Seecof)
Re: Artificial Dissemination (Edward Jung)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 12, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM
SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 25 Jul 91 9:04:40 PDT
From: "Peter G. Neumann"
Subject: Another false apprehension -- erroneous database information

Herb Caen, the San Francisco Chronicle's chronicler of the chronic and (a)cute, starts off the 25 July 91 column with this ad infin-item:

"Dennis Perry, an Oakland truck driver, and his good friend, Yvonne Kendrick -- both are black -- rented a Hertz car to drive to Maryland to visit his family. They took along his 4-yr old dghtr, Danielle, and all went swimmingly until they were stopped in white-bread Williamsburg, Iowa, for no apparent reason. The police ran a check on the car and found it listed by Hertz as stolen. It wasn't, of course, but during the 24 hours it took Hertz to correct the mistake, Dennis and Yvonne were held in jail and Danielle went to a juvenile home. Atty. Dennis Hecht is handling the inevitable suit."

The next item was on Judge Clarence Thomas not being able to get a cab in DC. After that came another item for our series of computer-addressed mail:

Jayne Valdez of Antioch forwards a copy of PG&E's closing bill addressed to her late father, "Bob A. Speake, Deceased," with this neatly boxed encomium printed on it: "Bob Speake, deceased for the last 12 months, you had an excellent payment record. If you need to establish credit at another utility, you may use this message as a credit reference."

------------------------------

Date: Thu, 25 Jul 91 9:08:21 PDT
From: "Peter G. Neumann"
Subject: Human Error Blamed for Soviet N-Plant Problems

Moscow -- Human error caused 20 of the 59 shutdowns at Soviet nuclear power plants in the first six months of 1991, the Trud newspaper reported yesterday. "It is not the first time that we have to admit the obvious lack of elementary safety culture in running reactors," Anatoly Mazlov, the government's head of nuclear safety, said. Mazlov reported that Soviet nuclear power plants worked at only 67 percent capacity in the first six months of 1991.
  [San Francisco Chronicle, 24Jul91, p.A8]

------------------------------

Date: Wed, 24 Jul 91 9:06:22 PDT
From: "Peter G. Neumann"
Subject: Shuttle Atlantis out to launch

The 24Jul91 morning launch was scrubbed. An NPR report indicated a "faulty engine computer".

Postscript: The 25Jul91 San Fran Chronicle paper had a picture of Atlantis mission commander John Blaha and mission specialist Shannon Lucid holding their ears while fellow crew members taxied their T-38 trainers. The caption briefly mentioned the computer problem (with no details), but also noted that Blaha and Lucid's T-38 failed to start for a return to Houston! (T-38s require an external jumpstart.) It is perhaps worth contemplating whether computer failures have now become so commonplace that newspaper folks decided there was no need for coverage of the launch scrub itself!

------------------------------

Date: Sun, 21 Jul 91 16:02:12 PDT
From: desint!geoff@uunet.UU.NET (Geoff Kuenning)
Subject: Risks of getting used to computers

The Sunday, July 21 edition of the Los Angeles Times has a story headlined "LAPD Begins Crackdown on Computer Messages." The story reports that the new program is "aimed partly at finding and punishing" officers who sent offensive personal messages cited in the recent Christopher Commission report (issued in the wake of the Rodney King beating) as evidence of departmental racism and sexism. The program "is also aimed at stopping...even innocuous personal messages."

The story goes on to state that several officers have been assigned to the task of spot-checking daily printouts of messages. "Efforts [will be] made to find out who sent" offending messages. It also reports that "snooping by headquarters has led to a 25% decline in...traffic."

"Creating a context for the messages is...difficult because [of an] inflexible computer program," according to the article. Only chronological printouts are available, making it difficult to extract messages relating to a particular car. Messages from a patrol car are not identified as to which of two officers sent them, although sergeants, who occupy cars alone, can be uniquely identified. "The department is trying to get computer experts to write programs" that will extract messages from one car.

I see two risks here. The first, of course, is to the officers, who became so comfortable with the computer system that they forgot (or perhaps were never aware?) that their messages could be monitored. The second is to the department, which is now unable to extract useful data from their files. (This makes me wonder. Wouldn't it be useful to them in court cases to be able to extract the messages from a particular car over a period of an hour or so?)

I also wonder if the Electronic Communications Privacy Act would apply here. Did the officers have a reasonable expectation of privacy in any of their messages?

Geoff Kuenning   geoff@ITcorp.com   uunet!desint!geoff

------------------------------

Date: 24 Jul 91 12:38 +0100
From: Klaus Brunnstein
Subject: Index of Known Malware: 998 viruses/trojans

After weeks of work and excellent assistance of David Chess, Yisrael Radai, Alan Solomon, Padgett Peterson and some others, I just published the "Index of Known Malicious Software: MsDos systems". It covers most of the viruses and trojans reported in this arena (similar indices for Amiga and Macintosh to follow later this year).

When summing up, I was deeply depressed: the index counts:

   120 virus families ("strains") with 59 more sub-families,
       with 744 viruses, variants and clones plus 7 trojans, and
   228 single (non-strain) viruses plus 19 trojans

   *** totalling 998 pieces of malware ***

Though some people (including Alan Solomon) foresaw 1,000 viruses later this year, the rise in figures has been underestimated. As this development is likely to continue, antivirus experts should cooperate even more strongly than is currently discussed.
At the same time, the July edition of VTC's Computer Virus Catalog describes

   + 8 AMIGA viruses       totalling 54 viruses
   +10 Macintosh viruses   totalling 20 (out of 28 existing)
   +14 PC viruses/trojans  totalling 84

The disparity between "viruses known" and "viruses classified" (with the aim of maintaining quality over quantity of classification) demands other tools and methods for analysis, classification and production of countermeasures. We are working harder on a more up-to-date version of the Virus Catalog; I am glad that Mr. Jahn joined VTC (for doctoral work on secure databanks), and that Vesselin Bonchev will join us next week for a (not yet specified) dissertation. Moreover, I appreciate any cooperation with serious antivirus experts.

VTC documents (Index of Known Malicious Software: IMSDOS.791; Index of Virus Catalog: Index.791; all entries classified up to now) are now available from FTP:

   Our FTP server:  ftp.rz.informatik.uni-hamburg.de
   Login anonymous
   ID as you wish (preferably your name)
   dir:             directory of available information
   cd pub/virus:    VTC's documents

Hoping that this works, I will be absent (with Auto-Reply on) on a sailing trip (with my schooner "Arethusa", which is a small replica of BLUENOSE but with staysails) until August 18, 1991.

Klaus Brunnstein, Hamburg

------------------------------

Date: Wed, 24 Jul 91 22:11:38 EDT
From: ark@research.att.com
Subject: Sometimes they even warn you about the pitfalls (self-trapping alarms)

I have a car with a built-in burglar alarm. The alarm is activated if the last door locked is locked from the outside without a key (by locking it on the INSIDE and then holding onto the door handle while closing the door). That means that it doesn't matter who leaves the car first; the alarm will still be armed at a sensible time.

Once the alarm is armed, any attempt to open a door from the inside (after breaking a window, for example) or to start the car, without first unlocking one of the doors from the outside with a key, will set off the alarm.

Do you see the pitfall? The owner's manual actually warns about it.

Suppose you're sitting in the car with a passenger. You have locked the door from the inside. Your passenger gets out, locking the other door from the outside. That has just armed the alarm. It is now impossible for you to get out of the car or start the engine without setting off the alarm. With luck, you noticed this was going to happen when the "alarm" light on the center console started flashing; if you caught it in time you could unlock your door from the inside and stop it from arming. Once it's been armed, though, all you can do is get out of the car, setting off the alarm, and then turn off the alarm from the outside by unlocking the driver's door with the key. I hope your passenger didn't take the key.

------------------------------

Date: Wed, 24 Jul 91 02:12:19 EDT
From: henry@zoo.toronto.edu
Subject: Smart cockpit with no backup

The May 20 issue of Aviation Week (I'm catching up on old issues) has a short piece on the avionics being planned for the USAF's new fighter, the Lockheed F-22. It's no surprise that flight information will be displayed on computer-driven digital displays. What is a bit surprising is that the usual set of small mechanical backup instruments will not be present. Talk about flight-critical software...

Henry Spencer at U of Toronto Zoology   utzoo!henry

------------------------------

Date: Wed, 24 Jul 91 12:13:14 -0700
From: Mark Seecof
Subject: black boxes in autos for accident "facts"

Excerpts from an article in the Los Angeles Times June 13, 1991; page E8. Edited and submitted to RISKS Digest by Mark Seecof of the L.A. Times Publishing Systems Department. [elisions and bracketed comments mine --Mark S.]
``A Black Box Tells Just the Facts''

LEGAL VIEW column by Jeffrey S. Klein and Louis M. Brown. Klein is an attorney and president of the Times' San Fernando Valley and Ventura County Editions. Brown is professor of law emeritus at USC and chairman of the board for the National Center for Preventive Law.

Most court cases about auto accidents involve disputes about facts, not the law. That means lawyers argue mostly about how fast a car was going, who didn't stop at the red light, whether a driver crossed over the double yellow line, and similar questions. Less time is spent debating legal niceties, such as jury instructions or rules of evidence.

One innovative idea to reduce the time and expense of re-creating the scene of an auto accident in the courtroom was recently suggested by Harold Weston, a Los Angeles lawyer: a ``black box'' for automobiles, just like those in the cockpits of commercial airplanes. Weston offered his proposal in a legal publication, the Los Angeles Daily Journal.

The black box would include a running video camera that would record events just the way the driver sees them. A black box could also record speed, acceleration, braking, turn signals, and even whether the seat belt was fastened. Perhaps the device that triggers the air bag could tell the black box that an accident has occurred, Weston noted.

``If we are going to have dashboards that look like cockpits, shifters that look like throttles, and turbos that sound like turbines, we might as well add the black boxes to complete the whole image,'' he wrote.

In fact, there is such a device, invented by Joseph A. Michetti, who lives in Ventura. A patent for it was issued in 1989 and it is now being developed for marketing, including a five-minute video about the device, called a ``vero-vedi.'' It has not only one video camera but two--one directed forward and one directed rearward.

Of course, a video recording of an accident, even if it captures all the relevant details, will not reduce the number of accidents, but it could cut down the work of lawyers and judges--and give juries a much better factual base upon which to make decisions. It could also settle insurance claims that might otherwise wind up in court. If an insurance company can see who was at fault, there is less likely to be a courtroom battle.

Pictures of ``facts'' can be admissible in the courtroom. We are all accustomed to seeing photographs offered as evidence. And some lawyers now make video recordings of the signing of a will.

A video camera in every car might sound expensive in the short run, but it is also preventive. It could save lots of insurance company, lawyer, and court time.

That's the end of the column. Below are my comments, which of course reflect only my personal opinions and not those of my employer.

There are many unexplored ramifications of implementing such a system. Off the top of my head I think of: self-incrimination problems (especially if police want to review the black boxes from every blue Ford sedan on Oahu after a hit-and-run accident, or what if a tape shows some OTHER crime?), sabotage problems (by guilty drivers), and forgery problems (people buy warranty-voiding replacement PROMS for their car computers to increase performance (with greater smog output as the chief side-effect), so I think a market for black boxes which never record excessive speed or always record seatbelt usage would develop, plus another market for "clean videotapes" to be substituted after an accident).

I read an article in Smithsonian sometime in the last year or two (I've hunted for the issue but I must have discarded it)... about very-long haul trucking in Europe/Asia/Africa. Trucks carry goods from England to the Middle-east across many European countries. The trucks are required to have chart recorders that show speed and distance travelled against time.
These are called tachymeters and the charts (recorded in a circular fashion) are called "tacho discs." Police review the tacho discs to catch drivers who speed or break hours-of-work rules. The drivers abominate the tacho system and I for one feel some sympathy for them as the police can use the tacho records as a basis for punishing even trivial violations, or worse, to "detect" violations which may have happened in extenuating circumstances not recorded by the device (e.g., exceeding speed limit to pass a very slow vehicle during a small window of opportunity).

Moreover, I suggest that electronic monitoring devices encourage a unilateral (by enforcement agencies and people with axes to grind) revision of the social contract on which traffic laws are ultimately based. You see, electronic monitoring helps to enforce the strict numerical or other limits in the laws. But real people tend to expect (a) fuzzy enforcement to match their fuzzy obedience (driving 57 or 58 is "close enough" to 55 for most people), (b) lenient enforcement under "otherwise safe" circumstances to match the general belief that it's not much of a crime to speed a little on a good road in good light when there aren't too many other cars around, and last but perhaps most important: fuzzy, lenient enforcement to allow for the fact that the laws are generally much stricter than the majority of voters really want.

I've read of studies showing that a large majority of drivers think they're "better" or "much better than average" drivers. Obviously this is impossible. I suspect that the same drivers (remember, that's most of 'em... including me!) believe that they're qualified by their skills to exercise more discretion than other folks about bending traffic rules. This self-confidence, coupled with the famous inability of legislators to resist voting for harsh laws (so as to avoid accusations of being "soft on drunk drivers|crime|whatever"), means that the laws on the books are often more restrictive than the consensus on what the "practical" law should be. The public relies on soft enforcement practices to make the system work. Micrometric law enforcement is something for which our culture, not to say our legal system, really isn't prepared.

Indeed, there's reason to believe that "human nature" wants us to set the posted speed limit five or ten MPH below what we want the actual top speeds to remain because that's the amount by which people will routinely exceed the posted limit. If you figure that the posted limit has been pegged 10 MPH low for reasons rooted in human psychology, with the concomitant expectation of fuzzy enforcement, then to introduce strict enforcement would amount to a 10 MPH revision of the "real" speed limit.

I think that police, prosecutors, and insurance adjusters tend to like technical means of detecting and quantifying violations of laws or standards, because these means reduce the amount of discretion exercised by the enforcers of the rules and thus the amount of post-hoc argument over how that discretion was exercised. However, the laws on the books assume the exercise of discretion. Changing the amount of slop in enforcement decisions without changing the standards seems a dangerous business to me. Because it's easier to add a new method than to revise an old standard ("What? You want to have more children run over by speed maniacs?") we might ratchet ourselves into a situation that no one really wants.

The biggest RISK of black-boxes for automobiles is that they'll enable strict enforcement of the wrong set of standards.

Footnote: California has several special rules intended to fuzz traffic enforcement in favor of putative violators. The Highway Patrol (state troopers) mostly don't (can't) use radar. Local cops can use radar only after special formalities to justify the limits they're enforcing. §22351 CVC allows a special defense to charges of breaking a posted speed limit < 55 MPH; which is that the driver's speed was safe even though it was over the limit. Because the limit is presumed on its face to be the safe limit, this defense must be proven by the defendant. People actually do this now and then; the law serves as a check on local jurisdictions which might use unreasonably low speed limits as fine-generating revenue boosters. Lastly, petty violators (including minor speeding tickets but not including reckless or drunk driving) can often avoid trial, conviction, and punishment by going to a court-ordered "traffic school" which costs about $50 and eight hours of excruciating boredom but saves a fine, point count, and what amounts to another (huge) fine in the form of a giant insurance premium increase. Drivers can only do the "traffic school" bit once every 18 months, but the very existence of the dodge (which has been shown to have no effect on accident rates) is an acknowledgement that the official punishment for minor traffic offenses is too harsh.

------------------------------

Date: Fri Jul 19 01:48:33 1991
From: edwardj@microsoft.com
Subject: Re: Artificial Dissemination (See Curtin, RISKS-12.05)

For the edification of the readers of this newsgroup I will repeat what has been said in the press already about the Bill Gates memo: it was not an email message, but a message sent via paper and routed through inter-office mail. Any leaking that occurred would have happened from someone copying the memo and sending it to an external source. There was no forwarding of email involved. It is therefore not an example of comp.risks as much as an example of human-resources.risks!

Edward Jung

------------------------------

End of RISKS-FORUM Digest 12.08
************************