Subject: RISKS DIGEST 12.43
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 7 October 1991  Volume 12 : Issue 43

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Full (16 rounds) DES Broken (Li Gong, Dave Roberts)
AT&T "Deeply Distressed" over Outage (Mark Seecof, Michael F Eastman)
Fred Cohen's contest and ``good viruses'' (Gene Spafford, John Markoff excerpt)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM.
For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Fri, 4 Oct 91 14:18:26 EDT
From: li@cambridge.oracorp.com (Li Gong)
Subject: full (16 rounds) DES Broken (reported in NY Times)

John Markoff in The New York Times (03Oct91, p.A18) reported that Adi Shamir and his student Eli Biham had emailed their American colleagues and told them that the full 16-round DES had been broken with chosen-ciphertext attacks (probably the follow-up of what they reported last year at Crypto). The article said that Adi is not willing to comment on anything until the research result is published in a journal later this (yes, this) year.

Li Gong, ORA Corp, 675 Mass Ave, Cambridge, MA 02139

------------------------------

Date: Mon, 7 Oct 91 11:45:14 GMT
From: Dave Roberts
Subject: Demise of DES

From THE DAILY TELEGRAPH, London, Saturday, October 5th 1991
"Secret" bank code cracked warns GCHQ, By Adrian Berry

Banks and financial houses are being warned by GCHQ at Cheltenham to stop sending messages in their most widely used secret code [DES], because it has been cracked. [...] GCHQ, which supervises the security of secret codes, wants banks to use the more advanced code known as Rambutan.

[A known plaintext attack] helped the Americans to win the Battle of Midway in 1942. An American base radioed falsely that its water supplies had broken down. The Japanese then reported the message in a cipher. The Americans simply compared the two texts and learned to read secret enemy traffic.

Bank officials said yesterday that they would probably continue to use the DES code until officially warned against it, or until another Government-approved encryption package was made available.

[Nobody is selling commercial Rambutan chips in the UK so the banks cannot (to the best of my knowledge) get them. D.W. Roberts  dwr@uk.co.datasci]

------------------------------

Date: Tue, 1 Oct 91 09:47:41 -0700
From: Mark Seecof
Subject: AT&T "Deeply Distressed" over Outage

The Wall Street Journal reports on page C18 of the October 1 issue that "AT&T Tells FCC a Lapse In Procedure Led to Outage." [Elisions and bracketed comments from Mark S.]

[Story Begins]

An [AT&T] executive told the FCC that AT&T was ``deeply distressed by the lapses in procedure'' that led to a network failure in New York City last month. Kenneth L. Garrett, a senior vice-president in charge of AT&T's network services, said that the failure of the Manhattan switching center on Sept. 17 could have been averted if ``AT&T's existing procedures'' had been followed by a supervisor. Mr. Garrett made his remarks in a letter to FCC Chairman Alfred C.
Sikes released late yesterday.

While AT&T's report said alarms in the building were not working properly, Mr. Garrett's letter, which accompanied AT&T's report on the outage, noted the failure wasn't a systemic breakdown of the AT&T network.

AT&T said standard procedure calls for the supervisor, whom AT&T didn't name, to assign a technician to inspect each of the Thomas St. facility's power plants when AT&T switched to its own electrical power from the grid operated by New York utility [Con Ed]. Instead, the supervisor took his technicians to a class on a new power alarm system, leaving the plant unsupervised.

The switchover blew rectifiers, which convert Con Ed's AC power to DC current, sending the switching center to emergency batteries, which quickly ran out of juice [sic!]. The switching center gradually lost power, stalling communications traffic, including critical air-traffic control information. It was AT&T's third major network failure in 18 months.

------------------------------

Date: Mon, 7 Oct 91 9:42:00 PDT
From: "Peter G. Neumann"
Subject: from telecom -- att outage

Date: Wed, 2 Oct 91 12:16:44 EDT
From: mfe@ihlpy.att.com (Michael F Eastman)
Subject: Update on 9/17/91 AT&T Outage
Organization: AT&T Bell Laboratories

The following report was posted on our internal news network by Corporate Media Relations. It is a good summary of the events surrounding the outage. I hope that you will find it informative.

Mike Eastman - 4ESS Development - AT&T Bell Laboratories

-----------

FOR THE RECORD ***

Following is a synopsis of the events leading to the service disruption on Sept. 17:

Late in the afternoon on Sept. 17, the AT&T switching center at 33 Thomas St. in lower Manhattan experienced a battery power failure in its 20th floor power room facilities, disrupting service, including voice and data communications for all three New York area airports.

The events leading to the disruption began earlier, between 6-7 a.m., when the Building Operations Group was contacted by Con Edison with a request to take the facility off commercial power during the day. We agreed to do so. At 10:10 a.m., AT&T cut over from commercial power supplied by Con Edison to backup, diesel-generated power. Such a cutover is standard procedure; it is a result of the interruptible power arrangement AT&T has with Con Edison, and was accomplished four times without incident this summer alone, most recently on August 15 and 29.

The interruptible power arrangement with Con Edison has been in effect formally since 1990. It capitalizes on AT&T's ability to generate at 33 Thomas St. sufficient power to cover the building's needs. By having the means on-site to generate the building's electricity, AT&T both protects itself from voltage brownouts that could damage equipment and impair service, and fulfills a corporate citizenship obligation to shed electrical load during power emergencies.

At 10:10 a.m. the AC power supervisor threw a switch, engaging the diesel generator and taking the building off commercial power. Throughout the building, in each of the telecommunications power plants but one, that transfer of power from commercial AC to diesel-generated AC was accomplished smoothly. On the 20th floor, where the power plant for DS3 and other high-capacity transmission facilities is located, there was a problem. A rectifier there sensed a spike in voltage level; to protect the power plant and facilities the plant supported, AC power was removed from the rectifier input and the power plant began operating on battery reserve. Subsequent tests have determined that the overload protection relay was misadjusted during recent plant modernization, making the shutdown circuit overly sensitive to overvoltage. This is the only power plant in the building that did not cut over normally.
From that moment, approximately 10:10 a.m., the batteries supporting all DS3-and-higher-capacity facilities at 33 Thomas St. were removed from their recharging system and were operating on emergency reserve. That emergency reserve power is designed to last six hours.

Standard operating procedure requires the DC power supervisor to dispatch a power technician to walk through each of the building's power plants during a shift from commercial power to diesel power. Had such a walkthrough occurred on Sept. 17, the technician would have seen a "POWER" alarm in the 20th floor power room. A power technician performs such walkthroughs as a matter of standard methods of procedure. However, on the morning of September 17, the DC power supervisor decided not to dispatch a technician to verify the transfer for the following reasons:

 o All six power technicians (and the supervisor) were scheduled for a power alarm training class in another building, about 15 minutes away.
 o 33 Thomas St. had not experienced a power problem in six to eight years.
 o The rectifiers had been refurbished in the last year and the batteries were new with a six (6) hour reserve.
 o Four (4) power transfers had been conducted during the summer without problem.

Additionally, the supervisor did not arrange for a substitute by requesting the use of one of the fifty-two power-qualified technicians -- a technician normally charged with other duties, but capable of responding to a power emergency -- remaining within the building. In the absence of a power technician, if an alarm had been recognized, one of these power-qualified technicians could have handled the problem. Doing so would have enabled the batteries in the 20th floor power room to be recharged by the diesel generator, even as they were being drained by providing power to the high-capacity telecommunications facilities in the building. There was a failure to follow standard operating procedure.
Had a power technician or any power-qualified communications technician been required to perform the power plant walkthrough as methods of procedure mandated, the tripped rectifier would have been discovered and reset, and a service outage would have been avoided. But the power plant walkthrough was not performed. All of the building's six power plant technicians had been dispatched to receive training, ironically, on a new computerized alarm system that will be cut over at 33 Thomas St. in October. The equipment for that new alarm system is functioning already at the building where the training class was being conducted; it is being installed, but has not yet been brought into service at 33 Thomas St.

From 10:10 a.m. until 4:30 p.m., all high-capacity telecommunications facilities in the building were being run on emergency battery reserve power from the 20th floor power room. All other equipment, such as the three 4ESS switching systems in the building, was supplied with electricity from other power plants, and was fully operational and functioning normally.

At 4:30 p.m., a communications technician who was just coming on duty for the evening tour noticed a visual display indicating the emergency battery power condition. This visual alarm is in a location that is normally unstaffed. At this point, the technician, who is power qualified, made an attempt to cut back from batteries to AC power. That attempt was unsuccessful; the batteries had been discharged to a point where they would not physically accept recharging current without being disconnected from the facilities they were supporting. At 4:40 p.m., as battery life expired, those facilities began to go down.

The restoral effort got under way virtually immediately. During the first 30 minutes, 144 non-terminating T3 circuits, carrying traffic passing through but not terminating in the New York area, were restored. This amounted to some 19,200 message circuits and approximately 1,400 private line T1 lines.
By 6:00 p.m., all equipment was disconnected from the 20th floor power plant, and rectifiers were manually reset to force current into the batteries to recharge them. As the rectifiers recharged the power plant, facilities were gradually brought back on line. By 9 p.m., 43% of domestic and 8% of international traffic was restored; by 10 p.m., 51% of domestic and 56% of international traffic was restored; and by midnight, virtually 100% of domestic and 95% of international traffic was restored.

FYI:

1. The 48-volt battery plant at 33 Thomas St. is scheduled to be replaced by the end of the year. The new plant will have restart capability, in contrast to the existing plant.

2. A diversification of load distribution is now planned for both call-handling systems and power systems within the local node. This diversification will mean that any future outages would be limited to a maximum of 50% of an office's high-capacity transmission facilities. Rerouting is expected to be completed at 33 Thomas St. by March, 1992; at all major metropolitan New York offices by the end of 1992, and at all offices in the nation by the end of 1993.

3. A new power alarm system, now being installed at 33 Thomas St., will have built-in redundancy, with alarm connections to both the local building and to a surveillance center in Conyers, Ga. In the event of a failure, alarms will go off in both locations, providing a backup if the local alarms are not functioning.

4. Nationwide, AT&T has stepped up plans to spend $200 million over the next 12 months to improve the reliability and backup of its power systems, which is expected to greatly diminish the risk of similar equipment problems.

Mike Eastman   att!ihlpy!mfe   (708) 979-6569
AT&T Bell Laboratories   Rm. 4F-328   Naperville, IL 60566

------------------------------

Date: Mon, 30 Sep 1991 17:17:13 -0500
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: Fred Cohen's contest

The September/October issue of "The Sciences," published by the New York Academy of Sciences, had an article by Fred Cohen. In it, he tried to make a case for the existence of "good" viruses, and he pulled out a number of supporting examples that really weren't viruses or weren't clearly done well by viruses. He concluded the article with an announcement of a contest. His publishing company, ASP (which may be run by Fred for all I know), will award $1000 for the best "good" virus as per vague rules laid down by Fred in the article.

I was quite upset by the article, and especially the contest, because I think it quite unethical to encourage the writing of viruses as he is doing. I also think there is a very clear and significant conflict of interest for him and/or ASP to be encouraging such a contest.

I wrote a letter of response to the editor a few weeks ago, and I have spent the time since then thinking about it. The toned-down letter that I actually sent is reproduced below, minus some italics and bold-facing. Whether you agree or disagree with my comments, if you wish to make your own comments to the editor, his address is below; his fax number is 212-260-1356. I doubt I am the only person with an opinion on this matter. (Naturally, I could be the lone voice of dissent; I hope not, but it may be the case.)

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Mr. Peter G. Brown, Editor
The Sciences
622 Broadway
New York, NY 10012

Dear Mr. Brown:

I began to read the recent article by Dr. Fred Cohen [1] with considerable interest. Dr. Cohen is a pioneer in the field of computer virus research, and I have found many of his writings quite thought-provoking. Unfortunately, by the time I finished his article, I was quite dismayed. I believe that Dr.
Cohen has failed to adequately consider both the practicality and the ethics of his proposal.

First of all, I believe that there is an obvious conflict of interest involved when the vendor of a computer virus prevention product sponsors a contest soliciting the development of new viruses. I am further troubled by the lack of a list of the judges of the contest and the criteria for winning. I will not discuss these points further, however, as they are minor matters compared with my main concern: I believe that the writing of computer viruses is unethical, [2--3] and to encourage their development in an unsupervised manner is likewise unethical.

Computer viruses spread without the informed consent of the owner of the software (``host'') they ``infect,'' and they are usually not limited in their spread, in time or space. If scientists were to experiment with organic viruses capable of infecting humans and possessing these same properties, we would likely be taking vigilante action against them, contest or no. Encouraging the general populace to develop organic viruses would bring about widespread condemnation; yet, oddly, encouraging the development of computer viruses leads to publication in a journal.

To his credit, Dr. Cohen explicitly prohibits viruses that exhibit the above two dangerous properties from being eligible for his contest. However, many viruses cause damage because of flaws within the code, or unexpected properties of their target computing environment; examples include the ``Stoned'' virus for IBM PCs, and the ``WDEF'' virus for Apple Macintoshes (cf., [3--5]). What will be the attitude of the community as a whole if a new destructive virus appears on the scene because of a bug in the software meant to contain it? What if something similar to Robert T. Morris's Internet Worm were to be discovered and explained as a buggy test version intended for Cohen's contest?

This brings me to another argument with Dr. Cohen's article: we disagree about the definition of the term ``computer virus.'' Cohen describes Morris's Internet program as a ``virus,'' while I (and others) would define it as a ``worm.'' [6--7] Morris's program did not alter existing software to include a copy of itself as do viruses. His program was no more a virus than is a compiler (suggesting an interesting class of potential submissions to the contest). In fact, if we intuit a definition of ``contest-acceptable virus'' from Cohen's article to be something that spreads from system to system, that requires permission to install itself, and has limited potential for spread (like the Worm), it is no longer clear we are speaking about viruses at all!

Harold Thimbleby of Stirling University, Scotland, and Ian Witten of Calgary University, Canada, have done extensive work on software that would meet the above intuited definition of a computer virus. They have developed some very sophisticated self-propagating applications, including self-updating databases with window-based interfaces. [8--9] It is not at all clear that the community recognizes these as viruses. Professor Thimbleby himself has chosen to call them ``liveware'' to make the distinction clear. I am surprised that Dr. Cohen is unfamiliar with their work and did not cite it in his Sciences article; it would be a clear favorite if it were to be entered in the ASP contest. However, it also serves to illustrate how something that might win the contest is not likely to be viewed as a ``virus'' by the community of researchers.

This brings me to the second of my two major objections to Cohen's article and contest. I believe that his underlying thesis is flawed: I do not believe that there are any practical ``good'' viruses. During the Second Conference on Artificial Life, held in Santa Fe in 1990 (cf. [10]), I was on a panel discussing computer viruses.
Russell Brand, another panelist, made the observation that there is nothing that can be done by a computer virus that cannot be done more efficiently and generally by other means. This observation was debated by the panel, and discussed extensively by others since that time. To my knowledge, everyone involved in these discussions now believes that is a true statement.

Consider that a computer virus is nothing other than a program coupled with code to transport and install itself as part of existing software. It will be more difficult (or impossible) than a stand-alone program to update for new releases, customize, and maintain. A virus will also be more difficult to write and test for correctness than will a stand-alone program because of its interaction with its environment. Viruses are simply not the most practical or efficient approach to any particular task. His example in the article of the billing system demonstrates an inadequacy in the data model used and tools available, and not the superiority of using a quasi-virus. Even the example Cohen gave in his PhD dissertation of a compression virus would be better served by a well-written stand-alone program over which the user has more control. I believe that any attempt made to promote ``useful'' viruses involves a contradiction of the word ``useful,'' assuming that ``useful'' does not also imply ``malicious.''

To return to my first fundamental objection (and the one I feel most strongly about) -- the impropriety of encouraging virus authorship. We have been battling computer viruses for five years now, and the indications are that the problem is growing exponentially (cf. [11--12]). Computer viruses --- even those intended to be harmless, and limited in scope and duration --- continue to cause untold amounts of damage to computer systems. For someone of Dr. Cohen's reputation within the field to actually promote the uncontrolled writing of any kind of virus, even with his stated stipulations, is to act irresponsibly and immorally. To act in such a manner is likely to encourage the development of yet more viruses ``in the wild'' by muddling the ethics and dangers involved. It will reinforce the attitude that there may be some benefit to be gained from writing viruses (when there is as yet absolutely no clear indication that such is the case), and may encourage people to begin uncontrolled experiments with viruses they might not otherwise have undertaken. We have seen cases already where well-trained virus researchers have accidentally released experimental computer viruses into the population; to encourage amateurs to also engage in risky behavior that may lead to similar or worse results is quite appalling. It is my fond hope that no one attempts to enter Dr. Cohen's contest, and that he quickly recognizes the dangers and cancels it.

A few decades ago, physicists talked about peaceful uses of atomic weapons, such as blasting out canals and destroying threatening icebergs. They were attempting, in good faith, to put a better moral cast on their research. Thankfully, none of them offered money in a contest for the best demonstration of such an application! Alfred Nobel, horrified at the use to which his invention of stabilized explosives was being put, did not establish a contest for the best peaceful use of dynamite. Instead, he established world-renowned awards for research in peaceful pursuits, funded by the income from his discovery. It is quite unfortunate that ASP and Dr. Cohen could not have taken a similar approach with their $1000 prize. They could have made a powerful statement about responsible behavior, but instead have increased the danger to the community and generated doubts about their own motivations.

Eugene H.
Spafford, PhD

REFERENCES

[1] Friendly Contagion: Harnessing the Subtle Power of Computer Viruses, by Fred Cohen, The Sciences, Sep/Oct 1991, pp. 22--28.
[2] Computer Viruses and Ethics, by Eugene H. Spafford, in Collegiate Microcomputer, special issue on the Rose-Hulman/GTE Computing and Ethics Seminars, to appear, 1992.
[3] Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats, by Eugene H. Spafford, Kathleen A. Heaphy and David J. Ferbrache, ADAPSO, 1989.
[4] Rogue Programs: Viruses, Worms, and Trojan Horses, edited by Lance J. Hoffman, Van Nostrand Reinhold, 1990.
[5] Computers Under Attack: Intruders, Worms and Viruses, edited by Peter J. Denning, ACM Press/Addison-Wesley, 1990.
[6] What is A Computer Virus?, by Eugene H. Spafford, Kathleen A. Heaphy and David J. Ferbrache, Chapter 2 in [4].
[7] An Analysis of the Internet Worm, by Eugene H. Spafford, in Lecture Notes in Computer Science 387, Springer-Verlag, 1989.
[8] Bugs, Viruses and Liveware: Collected Papers by Harold Thimbleby, technical report of the Department of Computer Science, Stirling University, Scotland, 1990.
[9] Liveware: A New Approach to Sharing Data in Social Networks, by I. H. Witten, H. W. Thimbleby, G. F. Coulouris, and S. Greenberg, in International Journal of Man-Machine Studies, 1990.
[10] Artificial Life II, Studies in the Sciences of Complexity, Volume XII, edited by D. Farmer, C. Langton, S. Rasmussen, and C. Taylor, Addison-Wesley, 1992.
[11] Virus Trends: Up, Up, Up, by David Stang, in National Computer Security Association News, 2(2), March/April 1991.
[12] The Kinetics of Computer Virus Replication, by Peter S. Tippett, in Proceedings of the Fourth Annual DPMA Computer Virus Security Conference, New York, March 1991.

------------------------------

Date: Mon, 7 Oct 91 10:07:30 PDT
From: "Peter G. Neumann"
SUBJECT: DESIGNING BENEFICIAL COMPUTER VIRUSES

Excerpt from JOHN MARKOFF, New York Times, News of the Week in Review, 6oct91

Biologists have learned to harness viruses to create vaccines and, in recent years, to reprogram faulty chromosomes by using viruses to smuggle new genes into cells. Now a small but growing group of computer scientists is examining the possibility of designing computer viruses and similar programs called worms to burrow into computer networks and set in motion a whole range of beneficial activities.

Many computer users have been the victims of malicious virus programs propagating through networks and erasing data or causing the whole system to fail. But now some researchers are suggesting that it is possible to harness the subtle power of computer viruses to perform useful tasks.

[The article goes on to quote Cohen, Spafford, and others, and revisits the 1960s Bell Labs Darwin Days of McIlroy and Vyssotsky (Bob Morris was around then, too), Bob Thomas at BBN for ATC software, John Shoch and Jon Hupp's Xerox Worms, and Danny Hillis of Thinking Machines. PGN]

------------------------------

End of RISKS-FORUM Digest 12.43
************************