Subject: RISKS DIGEST 13.49 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Saturday 16 May 1992 Volume 13 : Issue 49 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Shuttle computer miscomputes rendezvous (John Sullivan) The computer made me do it! [Brain enchipment] (Bear Giles) NY Times Columnist Protests Efforts to Prevent Secure Communications (Peter D. Junger) New York Times Computer Typesetting (Craig Partridge) Lack of FTP warning "destroys" hard drive (Taed Nelson) Ankle bracelet; a busy phone ==> scott-free (McGrew) No access to exchange via Cellnet (Lord Wodehouse) OTA has issued a report re "software property" (Jim Warren) Pentagon taps hackers to write viruses (John Mello) Re: Microsoft advocates killing of Jews (Mathew) Two privacy newsgroups [Don't confuse them.] (PGN) Announcing the PRIVACY Forum digest! (Lauren Weinstein) Computer Privacy Digest/comp.society.privacy (Dennis G. Rears) MDC, the C-17 and the F-15E (John Karabaic) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Thu, 14 May 92 16:32:19 CDT From: sullivan@geom.umn.edu Subject: Shuttle computer miscomputes rendezvous Buried in a lead article ("from News Services") about the space shuttle in this morning's (Minneapolis) Star Tribune is the sentence: The spacewalk was [...] delayed for 1 1/2 hours because Endeavour's on-board computer made a mistake in plotting the route needed to rendezvous with the satellite. I hope someone will have more information on this. -John Sullivan@Geom.UMN.Edu ------------------------------ Date: Fri, 15 May 1992 11:46:17 -0600 From: Bear Giles Subject: The computer made me do it! [Brain enchipment] _Rocky Mountain News_, 15 May 1992, page 211 Computer Chip Get Blame A woman who went on trial Wednesday in the shooting of three people at a Denver homeless shelter three years ago blamed the rampage on a computer chip she said her ex-husband planted in her brain. Juanita Whitaker, 42, pleaded innocent by reason of insanity in the Dec. 7, 1988, attack at the Brandon Center for homeless and battered women. One victim, a maid at the center, died in the attack. Bear Giles, bear@fsl.noaa.gov ------------------------------ Date: Thu, 14 May 92 13:04:41 EDT From: junger@samsara.law.cwru.edu (Peter D. Junger) Subject: NY Times Columnist Protests Efforts to Prevent Secure Communications William Safire's column in the New York Times for May 11, 1992 (Page A15, Column 1) contains a sharp attack upon the Bush Administration's efforts to prevent the use of technology designed to allow secure communications. The essay is called: "Foiling the Compu-Tappers". Here are some quotes: [...] You might think, with foreign economic spies intercepting our global data transmissions, faxes and phone calls, the Bush Justice Department and National Security Agency would be helping American businesses defend communications from prying eyes and ears of overseas competitors eager to steal our scientific advantage. The opposite is the case. In a policy blunder ranking with the adoption of the Smoot-Hawley tariff as depression loomed, the Bush Administration sent F.B.I. Director William Sessions to Congress to argue for a weakening of the devices U.S. citizens use to encode and keep confidential the information our competition would love to see. [...] This is a classic case of falling off the pace of change. In the name of law enforcement, we are making ourselves technologically vulnerable to international criminality. To preserve the huge investment in our old eavesdropping facilities, we are abandoning the field to modern organized crime. Does anyone seriously think that state terrorism cannot afford the best encryption and penetration software, or that drug cartels cannot buy the latest encryption devices for their money movements? [...] The trouble with both our Federal law enforcement and intelligence services is that they have become hooked on yesterday's technology. Electronic surveillance for cops and satellite photography for spooks have become central to their lives; their reaction to the inexorable improvement in encryption is to say to the world of science: slow down. It won't. In trying to sweep back the tide of change, King Canute-style, the F.B.I. is the front for the intelligence community, which hates to be forced to go back to the difficult days of running human spies. The N.S.A. (No Such Agency) is obsolescent because its expensive eavesdropping is an offensive weapon in the coming age of digital defense. [...] Mr. Bush is on the wrong side of this issue (and Ross Perot will take him apart on it in debate) because his mindset is toward old-fashioned spookery and against personal privacy. In the end, that's what this futile scramble to stop the scrambling will come down to: not to stop the march of progress, not to take tools from counterspies, but to preserve business and personal privacy. The coming Information Age threatens to be intrusive; the individual will be watched, examined, crowded. At the same time, to the happy tune of "I got algorithm," the computer-telephone complex brings us defenses against its own intrusion. Peter D. Junger, Case Western Reserve University Law School, Cleveland, OH Internet: JUNGER@SAMSARA.LAW.CWRU.Edu -- Bitnet: JUNGER@CWRU ------------------------------ Date: Tue, 12 May 92 12:34:26 -0700 From: Craig Partridge Subject: New York Times Computer Typesetting Has anyone else noticed that the New York Times (at least the west coast edition) seems to have lots of trouble with computer typesetting? Yesterday they had a notice on the front page that due to computer problems, some articles were not complete. The issue also had a lot of articles with headlines in the wrong fonts. It looked rather like someone had put the paper together by cut and paste. Today, the pull-out quotes in Science Times were scrambled so that the article on jury behavior had pull-out quotes from the article on crystals in the human brain. Made for an amusing, if accidental, editorial. Craig Partridge E-mail: craig@aland.bbn.com or craig@bbn.com ------------------------------ Date: Fri, 15 May 92 16:50:40 PDT From: nelson@berlioz.nsc.com (Taed Nelson) Subject: Lack of FTP warning "destroys" hard drive About a year back, a co-worker asked me how to re-partition his hard drive. I told him that this was a silly idea, considering that he had lots of space and the partitions didn't get into anyone's way. He just wanted to do it because it was "better". Anyway, after explaining that he would have to save all of the old data some place (and suggesting that he not use millions of floppies, but instead FTP it up to our Unix system), he went away. About an hour later, he came back asking for PKzipFix. I asked him why, and he told me that PKunzip was complaining that he had a bad ZIP file. I went over to his desk, and after about 15 minutes of questioning, I realized what had happened. He had PKzip-ed each of his partitions and FTP-ed them up to the system. Unfortunately, he did not specify BINARY mode, and so it only transferred ASCII characters and converted CRLFs to LFs. Since he had reformatted his drive, all of that data was lost... The RISK was that FTP had no warning message of the following sort: WARNING: Non-ASCII characters found while in ASCII mode. I suppose that some further argument could be made that BINARY mode should be the default (instead of the data-modifying ASCII mode)... ------------------------------ Date: Wed, 13 May 92 15:08:32 EDT From: mcgrew@cs.rutgers.edu Subject: Ankle bracelet; a busy phone ==> scott-free `Busy signal' aided an `anklet' escapee (Newark "Star Ledger", 13 May 1992, By Robert Schwaneberg) A Paterson man charged with committing a murder while he should have been under house arrest was able to beat the electronic system monitoring his where-abouts because a computer got a busy signal - and never called back. That was the explanation members of the Senate Law and Public Safety Committee were given yesterday as to how Tony Palmer was able to remove the rivets from his electronic anklet and have the tampering go undetected for four months. In fact, the computer at the Corrections Department headquarters in Trenton detected the tampering on Dec. 16 and printed the information out, according to Steven Adams, supervisor of the electronic monitoring-home confinement program. But when the computer tried to relay the information to computer monitors sitting just a few feet away, it got "a busy signal," Adams said. "It did not call back," he added. As a result, senior parole officers manning the monitors 24 hours a day, seven days a week never knew what the computer knew - that Palmer had tampered with his anklet and that the computerized phone calls assuring that he was at home were worthless. Sen. Louis Kosco (R-Bergen), the committee chairman, was incredulous at first. "I don't accept the answers that I've gotten," Kosco said. "How could this have happened for four months - time after time after time?" Corrections Commissioner William Fauver and other staffers explained that once the computer detected the tampering, any additional tampering would not set off new warnings. Adams explained that the device remained in "tamper status" until it was reset. When Kosco realized the implications of that, he was even more appalled. "If someone could get away with it one time, then he had carte blanche," Kosco said. "If you can get away with it one time, you're free." "That's what happened in the Palmer case," conceded Loretta O'Sullivan, the Corrections Department's egislative liaison, "but it will not happen again." Adams said parole officers in Trenton now scrutinize the computer printouts for information about tampering, disconnected phone service or an inmate on home detention failing to answer when called. Anv such incident would trigger an immediate visit from a parole officer, he said. Other staffers said that when parole officers visit home jail inmates once a week, they no longer rely on a visual inspection of their anklets but insert them into a verifier, which would show if the anklets are in "tamper" mode. By the end of the month, Adams added, the state should begin receiving new anklets that attach with interlocking metal bands rather than rivets. Adams, displaying one of the new anklets, said, "The only way this can be removed is by cutting it off." Sen. Bradford Smith (R-Burlington) said a "major fault" of the current system is that even when an anklet is in tamper mode, the inmate can still use it to check in when the computer calls to see if he is home. Smith said that if the device has been tampered with, that should trigger an alarm each time a call is made to the inmate. "The technology has got to be up-graded in some fashion," Smith said. "This is just not acceptable." The anklets and monitoring equipment were manufactured by Digital Products of Florida, which did not have a representative at yesterday's committee meeting at Corrections Department headquarters. "I think we ought to look at some other systems and see what other companies are doing," Smith said. Despite their apparent distress at the technical limitations of the system, the lawmakers said the home confinement program must continue but should be improved and become more selective about the kinds of inmates it takes. State and county jails face severe crowding problems. It costs $12.80 a day to keep an inmate on home confinement vs. $67 a day to keep him in prison. "We all believe this is a very worthwhile program," Kosco said. "We want it to continue in the state of New Jersey, but we want it to work as close to perfect as we can make it." Kosco said the program should be put "on hold" as Fauver had announced last month, but added, "We don't mean stopped." Kosco said the program should not be expanded but that as inmates come out of home detention, new inmates should enter. As of yesterday, 642 state inmates - all within six months of parole - had been released to home confinement with electronic monitoring. Some counties also use electronic bracelet programs. Kosco and Sen. John Girgenti (D-Passaic) said the state should be more selective about the kinds of inmates it releases into the program. "I have problems when I read about people who were armed robbers who are now part of the program," Girgenti said. He said drug dealers and persons with ties to organized crime should also be ineligible for home detention. Girgenti and Kosco have introduced bills to restrict eligibility for home detention. Fauver said he had canceled plans to expand the state's electronic anklet program in the next budget year. He added that he was "still confident" about the program but said it is better suited to county jail inmates than state prison inmates convicted of more serious crimes. Fauver said he was awaiting a consultant's report on the technical as pects of the home detention program and the procedures used in other states with similar programs. ------------------------------ Date: 15 May 92 11:53:00 BST From: Lord Wodehouse Subject: No access to exchange via Cellnet Recently an old friend tried to call me at work, in response to a call from me. He discovered that his moble phone on the Cellnet network would not reach an 081-966-nnnn number, while he could do so from a standard BT phone. Being a comms specialist, he called Cellnet, after a discussion with me. The end result was that Cellnet had in fact left this exchange out of their routing tables. It is now in! The reason behind this is that Cellnet (although partly owned by VBT) has to pay for any access to the BT phone network. To prevent calls being made to exchanges that do not exist and thus return a number unobtainable, but still raise a charge on Cellnet, but nothing that can be charged to the customer, Cellnet blocks such calls. When 966 came into being, no one added the route to make it available. Lord John - The First Programming Peer on INTERNET! ------------------------------ Date: Thu, 14 May 92 14:55:13 PDT From: jwarren@autodesk.com (Jim Warren) Subject: OTA has issued a report re "software property" Hi, all. I just received this and tho't you'd be interested. --jim >From autodesk!megalon!wsgr Thu May 14 08:31:36 1992 To: megalon!jwarren Subject: Software Patent Report Jim - Just in case you hadn't heard, Congress' Office of Technology Assessment has released a new report on the state of protection for computer software. According to an article in the Daily Journal, the report entitled "Finding a Balance: Computer Software, Intellectual Property and the Challenge of Technology Change" has drawn praise for its sophisticated look at the unique problems in safeguarding technology rights. The report is available through the U.S. Government Printing Office ($11). - MarkB ------------------------------ Date: Fri, 15 May 92 05:32:15 PDT From: John Mello Subject: Pentagon taps hackers to write viruses The following item is in the latest issue of Mother Jones. Cybervirus warfare anyone? The Pentagon has a dream: An enemy soldier is attempting to pull up vital information on his computer screen. Suddenly, a peace sign flashes, along with the message, "You are STONED!'' A virus has destroyed his files. If you can make this dream a reality, Secretary of Defense Dick Cheney wants you<>! His department's Innovative Research program is enlisting an unlikely group--computer hackers--to create strategic computer viruses that can attack enemy systems via radio signals. According to an official at the Army's Center for Signal Warfare, one hacker has already been awarded a $500,000 contract for the program's production phase. The exact nature of the work is classified, but the Signal Warfare official told Mother Jones<> magazine that the virus project is based at Fort Monmouth, New Jersey, and described the work as "serious stuff.... Some believe these [viruses] exhibit lifelike tendencies, reproducing themselves like animals or plants.'' Critics fear that the Pentagon's viruses pose a greater threat to computer networks at home than do any potential enemies overseas. Last year, for example, the "STONED!'' virus and several others somehow found their way into nearly five thousand battlefield computers awaiting shipment to the Persian Gulf. ------------------------------ Date: Thu, 14 May 92 15:21:11 BST From: mathew Subject: Re: Microsoft advocates killing of Jews (RISKS-13.48) I decided to see what other sinister secret messages were lurking in Windows 3.1's "WingDings" font. If you type "IBM", you get a waving hand, a hand making an "OK" symbol, then a bomb. Obviously a reference to OS/2. If you type "GOD", you get a hand pointing to heaven, a white flag, and a thumbs down symbol. Clearly Microsoft are a bunch of atheists. If you type "MAC", you get a bomb, a V for victory sign, and a thumbs up. Plainly inspired by the recent legal bombshell in the look-and-feel lawsuit. If you type "UN", you get a crucifix followed by a skull and crossbones. Obviously Microsoft knows something about the United Nations that we don't. Another potentially interesting bit of information: In the beta-test versions of Windows 3.1, three "dingbats" fonts were supplied -- Lucida arrows, Lucida stars and Lucida icons. WingDings seems to have been formed by condensing the three into one single font. It's interesting to note that whereas Lucida icons had both black and white coloured hand symbols, WingDings has only the white-skinned variety. mathew [Clever disclaimer omitted, as usual] ------------------------------ Date: Sat, 16 May 92 14:33:46 PDT From: "Peter G. Neumann" Subject: Two privacy newsgroups [Don't confuse them.] Following are items relating to two different newsgroups on PRIVACY. Dennis Rears' DIGEST is purposefully on the permissive side, less stringently moderated than RISKS; it is ideal for people who want relatively open newsgroups. Lauren Weinstein's FORUM will be on the selective side, substantially more closely moderated than RISKS; it is suitable for people who have little time, but have a vital interest in privacy. Both gentlemen are serious in their efforts. I think there are many reasons for both groups to coexist. Perhaps one or the other will satisfy those people interested in privacy issues who complain to RISKS that they want LESS MODERATION or MORE MODERATION, respectively. I hope that general discussions on privacy issues will continue to appear in RISKS, because those issues represent serious risks. Perhaps both moderators will submit summaries of key discussions to RISKS for our wider audience. ------------------------------ Date: Wed, 13 May 92 00:08:14 PDT From: privacy@cv.vortex.com Subject: Announcing the PRIVACY Forum digest! Announcing the global Internet PRIVACY Forum! The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. Topics include a wide range of telecommunications, information/database collection and sharing, and related issues, as pertains to the privacy concerns of individuals, groups, businesses, government, and society at large. The manners in which both the legitimate and the controversial concerns of business and government interact with privacy considerations are also topics for the digest. Except when unusual events warrant exceptions, digest publication will be limited to no more than one or two reasonably-sized digests per week. Given the size of the Internet, this may often necessitate that only a small percentage of overall submissions may ultimately be presented in the digest. Submission volume also makes it impossible for unpublished submissions to be routinely acknowledged. Other mailing lists, with less stringent submission policies, may be more appropriate for readers who prefer a higher volume of messages regarding these issues. The goal of PRIVACY Forum is to present a high quality electronic publication which can act as a significant resource to both individuals and organizations who are interested in these issues. The digest is best viewed as similar in focus to a journal or specialized technical publication. The moderator will choose submissions for inclusion based on their relevance and content. The PRIVACY Forum is moderated by Lauren Weinstein of Vortex Technology. He has been active regarding a wide range of issues involving technology and society in the ARPANET/Internet community since the early 1970's. The Forum also has an "advisory committee" consisting of three individuals who have offered to act as a "sounding board" to help with any questions of policy which might arise in the course of the Forum's operations. These persons are Peter Neumann of SRI International (the moderator of the excellent and renowned Internet RISKS Forum digest), Marc Rotenburg of Computer Professionals for Social Responsibility (a most clear and articulate spokesman for sanity in technology), and Willis Ware of RAND (one of the U.S.A.'s most distinguished champions of privacy issues). Feel free to distribute this announcement message to any interested individuals or groups, but please keep this entire message intact when doing so. Thanks! How to subscribe to PRIVACY Forum ================================= Individual subscriptions for the PRIVACY Forum are controlled through an automated list server ("listserv") system. To subscribe, send a message to: privacy-request@cv.vortex.com or: listserv@cv.vortex.com with a line in the BODY of the message of the form: subscribe privacy where is your actual name, not your e-mail address (your e-mail address is determined automatically by listserv). Also please note that the subscribe command must be in the BODY of your message, not in the "Subject:" field; the "Subject:" field of all messages to listserv is ignored. Example: subscribe privacy Dr. Sidney Schaffer Please note that the "subscribe" command is used to create your own individual subscription to the PRIVACY Forum mailing list. Site managers who wish to establish site-wide local redistribution mailing lists for PRIVACY Forum should contact a human at: list-maint@cv.vortex.com and provide the requested local redistribution mailing list address and any other details. Individuals who wish to subscribe directly to PRIVACY Forum (not to a local redistribution mailing list) should *not* contact "list-maint@cv.vortex.com" unless they are having problems with the automatic listserv "subscribe" command. For more information regarding the listserv system, follow the same command procedure described above, but send to: privacy-request@cv.vortex.com or: listserv@cv.vortex.com the command: help in the BODY of your message instead of "subscribe". ------------------------------ Date: Wed, 13 May 92 13:59:53 EDT From: "Dennis G. Rears " Subject: Computer Privacy Digest/comp.society.privacy I am the moderator of the Computer Privacy Digest. The computer Privacy Digest is an Internet mailing list that is dedicated to the discussion of how technology impacts privacy. This list is gatewayed into the moderated USENET newsgroup comp.society.privacy. In lot of ways it is a subsection on the risks digest but it concentrates on the risks of technology on privacy. The charter is: comp.society.privacy Effects of technology on privacy (Moderated) This newsgroup is to provide a forum for discussion on the effect of technology on privacy. All too often technology is way ahead of the law and society as it presents us with new devices and applications. Technology can enhance and detract from privacy. This newsgroup will be gatewayed to an internet mailing list. Submissions go to: comp-privacy@pica.army.mil and administrative requests go to comp-privacy-request@pica.army.mil. dennis Dennis G. Rears MILNET: drears@pica.army.mil UUCP: ...!uunet!cor5.pica.army.mil!drears INTERNET: drears@pilot.njin.net USPS: Box 210, Wharton, NJ 07885 Phone(home): 201.927.8757 Phone(work): 201.724.2683/(DSN) 880.2683 USPS: SMCAR-FSS-E, Bldg 94, Picatinny Ars, NJ 07806 ------------------------------ Date: Fri, 15 May 92 10:57:17 EDT From: John_Karabaic@NeXT.COM Subject: MDC, the C-17 and the F-15E >END OF STORY. Mark Seecof asks: has anyone seen the report itself? >I'd like to know in what way it was a mistake to give McDonnell-Douglas >control over software development for a plane it was building? ---flame on Well, since I was the Software Manager on the F-15E I can give you lots of reasons from personal experience about why any Government agency should think long and hard before giving McDonnell Douglas control over any software project: 1. Their insistence that flight-control software is not flight-safety critical, since there was a hydraulic backup in the F-15E aircraft. 2. Refusal to perform software Formal Qualification Tests prior to first flight, stating that the FQT is required only on production aircraft, and F-15E-1 was not a production aircraft. FQT should be an iterative testing process, but according to MCAIR, it was an acceptance test. 3. Refusal to define software stored in ROM as software, defining it instead as "firmware", and thus not subject to formal review and testing. These are just a few off the top of my head, five years after the fact. Don't get me wrong; I think MCAIR did a fantastic job on the F-15E. It's one great weapon system. But McDonnell Douglas's biggest problem on the F-15 project was, even though they could build excellent aircraft and systems, they wouldn't tell us government types (including this pitiful second lieutenant) anything unless we pried it out of them with a crowbar. And sometimes not even then, parroting the tired line, "Out of scope [of the contract]!" This makes it extremely difficult to get enough information to enable "organic support" (support by US Government personnel) or second-sourcing of software after the systems are delivered. Since the Advanced Tactical Fighter Program Office was right across the hall at that time, every time I had a problem, I would go tell the people writing the contracts for that program how responsive my contractor was being. (In Air Force talk: "Check six!") --flame off But there may be another, more simple reason for the GAO's finding: I believe that the US Government, not the prime contractor (MDC, in this case) has "total system performance responsibility" for the C-17. That is, a program office residing at Wright-Patterson AFB has the responsibility for integrating and testing every aspect of the aircraft, not the contractor who is building it. Since software is the glue that holds a modern military aircraft together, this may be why the GAO is faulting the C-17 SPO for not "controlling" the software. John S. Karabaic, Systems Engineer, jkarab@NeXT.com, 513 792 5904 NeXT Computer, Inc.; 4434 Carver Woods Dr.; Cincinnati, OH 45242 cellular: 513 532 0224; fax: 513 792 5913; territory: OH, IN & KY ------------------------------ End of RISKS-FORUM Digest 13.49 ************************