Mail-From: NEUMANN created at 14-Aug-86 21:29:04
Date: Thu 14 Aug 86 21:29:04-PDT
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS-3.37
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Thursday, 14 August 1986 Volume 3 : Issue 37

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Computer Viruses (Robert Stroud)
  On knowing how hard a system is to make work (Bob Estell)
  COMSAT and the Nondelivery of Mail (Rob Austein)
  Exploding Office Chairs (Jonathan Bowen)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

From: Robert Stroud
Date: Wed, 13 Aug 86 20:29:54 bst
To: risks@csl.sri.com
Subject: Computer Viruses

Here is something I found in the Times yesterday. Since it is marked "Reuters" I assume it originated in the States so you may have seen it already.

What is your policy on posting copyrighted articles? This is the entire text and I have not made any excerpts. On the other hand, I have acknowledged the copyright. There has been a fuss about this in net.unix recently, so I am rather concerned not to get myself, the University or you into trouble.

[RISKS is a non-profit educational operation. I believe that it is quite appropriate to quote an article under such circumstances -- with attribution. There is a burden on all of us to use it accordingly.
PGN]

One of the "computer comics" (free journal made up of half news/features and half job adverts) called Datalink has a front page story about the X-ray machine in Texas killing a patient. I remember this coming up in RISKS some time ago, and you are quoted in the article as follows:

"Specialists in the field of software reliability have long been predicting fatalities caused by bugs. Peter Neumann of the US ACM claimed that the ACM's software engineering group had monitored 16 deaths caused by defective programs. "This is just the tip of the iceberg", he said.

[Actually I thought I mentioned to him that there were at least 16 CASES of computer-related deaths (a subsequent closer count by me shows that there are 24 different cases in my files). The total number of deaths in those cases is over 716. There were also three Soviet nuclear sub accidents with unknown tolls. PGN]

Manny Lehman is also quoted as being "not surprised - this is merely the front-runner of a thing we're going to see a lot of".

The same issue of Datalink also contains a story about how a problem with some new software led to rumours that Tetley's brewery had stopped production - while they were installing it, they ran into problems and to save time, tried to contact the programmer who was on holiday in Scotland. Somehow the messages got distorted en-route... It's a nice anecdote but perhaps not really a RISK! However, I'll send it in if you're interested. People can take beer very seriously in the UK...

[Please send it! PGN]

============================================================

Here is an article from yesterday's [London] Times (August 12th, "Computer Horizons"). Although it is couched in somewhat exaggerated tones(!), the consequences of failure are the same, whether induced by sinister bogeymen or simply design faults.

By coincidence, I recently came across a reference to the paper by F.
Cohen of the University of Southern California entitled "Computer Viruses: Theory & Experiments", which apparently suggests that a Unix virus could gain root privileges within an hour, so maybe there is something to be worried about after all!

[A few minutes is well within an hour... PGN]

Perhaps some of the "sources who spoke on condition they would not be identified" will read this and would like to comment further, (anonymously of course...)

Robert Stroud, Computing Laboratory, University of Newcastle upon Tyne.
ARPA robert%cheviot.newcastle@ucl-cs.ARPA, UUCP ...!ukc!cheviot!robert

============================================================

"The 'virus' threat to defence secrets"
(c) Times Newspapers Limited 1986
from Christopher Hanson in Washington

American Scientists are struggling to protect computer networks - vital in areas ranging from national defence to banking and air traffic control - against a potentially devastating weapon called a computer virus.

Computer security experts in the US government say the "virus" is a high technology equivalent of germ warfare: a destructive electronic code that could be inserted into a computer's program, possibly over a telephone line, by a secret agent, terrorist or white collar criminal.

When a computer virus attacks it wipes out crucial memory data or otherwise causes high technology equipment to behave erratically, according to sources who spoke on condition they would not be identified.

They said a computer virus attack might bring a major weapons system to a standstill, throw a computer-guided missile off course, or wipe out computer stored intelligence.

"The government is concerned and we are pursuing solutions," one security official said. Computer security experts have created experimental viruses in a bid to find defences, but there had been no breakthroughs.
Both the military's computer nets and the highly automated US banking system are vulnerable to "catastrophic collapse", according to a recent Georgetown University report by a group of government and private counter-terror experts.

Urging that the pace of defensive research be quickened, it said the computer virus threat was "a matter of great concern...There do not appear to be any quick and easy defences or overall solutions to the problem."

As to the banking system, the report warned: "The four major electronic funds transfer networks alone carry the equivalent of the federal budget every two to four hours. These almost incomprehensible sums of money are processed solely between the memories of computers, using communications systems that are vulnerable to physical disruption and electronic tampering."

Computer viruses are designed to replicate themselves like a living organism, spreading throughout a computer network, government scientists said.

Viruses can spread from one computer system to another during electronic linkups and might lie undetected for months or years before going on the attack at a pre-determined time.

Before it begins to disrupt a system, a computer virus would be inconspicuous, containing only a few hundred "bytes" in a program that might total hundreds of thousands.

Even the most carefully designed computer security barriers can be vulnerable, the Georgetown report said. Another way the viruses could spread was through computer discs which computer users often copy and share.

Scientists say the computer virus idea may have originated in a 1975 science fiction novel, "The Shockwave Rider". Intrigued computer buffs began tinkering and by the early 1980s had turned fiction into fact with experimental viruses.
(Reuter)

------------------------------

Date: 14 Aug 86 11:06:00 PST
From: "SEFE::ESTELL" [or estell@nwc-143b]
Subject: On knowing how hard a system is to make work
To: "risks"

I think there is a risk in solving computing problems too easily. A San Diego friend says that "The trouble with doing a project right the first time is that no one knows how hard it was." Though that happens infrequently, he's got a point.

In most fields, accomplishment can be measured by effort, along with talent, luck, and some other things. The scholar who breezes through school often knows how hard it is, based on the hours spent in the library and the lab; the athlete whose graceful moves seem effortless knows how close to the limit she plays. But lots of "good" computing systems are joint ventures between a hardware designer of generic computer power, and a software designer of some particular algorithm; neither really knows how hard the machine works to solve a particular problem. Often it's only after the system fails that we realize that it was operating at its limit before we increased the load.

That's in part because many programmers just write code, with little attention to thorough analysis & design as urged by Don Knuth's work; and in part because hardware designer and software end-user often never meet; and in part because the field is so broad and demanding that one person can't know it all.

There's another old saying, that an expert is someone who avoids all the minor errors on his way to the colossal blunder. That points up the risk of being so bright (or lucky?) that one never fails (or is even stressed) by routine assignments; and finally assumes a prominent role in a major, high risk program.

Maybe we should give some thought to having major computing projects headed by people who have reached their limits at least once along the way; not that they have failed, but that they have had to try again. [A winner is one who gets up one more time than he goes down.]
With that in mind, does anyone know the "track record" of the leaders of some high risk projects; e.g., SDI? I'm sure these folks have impressive credentials; I just wonder if they've ever explored their own limits.

Bob

------------------------------

Date: Thu, 14 Aug 1986 03:16 EDT
From: Rob Austein
To: RISKS@CSL.SRI.COM
Subject: [Nondelivery of RISKS-2.38 (8 April 1986) and other mail]

    Date: Friday, 8 August 1986 19:43-EDT
    From: Communications Satellite

    "[For the past week or so, I have been getting sequential notices of undeliverable mail from "Communications Satellite" -- four months after the original mailings of RISKS, ... PGN ]"

COMSAT stopped being able to deliver messages of any serious length sometime around last December, and didn't really get fixed until mid-May (changing of the guard, had to scare up a new COMSAT hacker). During that time a couple of Really Dedicated People were faithfully saving all the messages that COMSAT was dropping on the floor. Ever since COMSAT was fixed these messages have been being dribbled back into the mail queue, 10 or 20 at a time (not practical to filter them, given the volume). The fact that it is now August and we still aren't done should give you some idea of the volume of mail that MC handles.

We announced this on Arpanet-BBoards (and other places) when we started dribbling the mail back in. Of course, that was a while ago....

--Rob

------------------------------

Date: Thu, 14 Aug 86 15:16:30 GMT
From: Jonathan Bowen
To: RISKS@csl.sri.com
Subject: Exploding Office Chairs [A Peripheral Risk of Sitting Before a VDT?]

Below are extracts from two reports in the Guardian; the first rather jokey and the second less so, presumably after the journalist realised the seriousness of the problem.

Exploding chairs a pain in the office (Monday, 11th August 1986)

A new hazard at work, the exploding office chair, is facing - or, rather, the reverse - Britain's white collar workers.
The problem is now under investigation so that up to 2 million minds, and a similar number of bottoms, may rest more easily. So far, 11 swivel chairs around the country are known to have gone off with a bang. In three cases the exploding chairs have caused injury, probably because the sitters have been sent sprawling as the bottom drops out of their world.

The problem has cropped up with adjustable office chairs fitted with nitrogen gas cylinders in place of the conventional springs in their height control mechanism. Preliminary findings suggest that metal fatigue cracks can develop in the cylinders, possibly caused by the poor chairs being asked to cope with more than they can bear.

Exploding chairs' two-year history (Tuesday, 12th August 1986)

The danger of office chairs exploding has not previously been made public because of official reluctance to raise an "alarmist scare," it emerged yesterday. The public has not been warned about blasts scattering steel fragments and metal bolts caused by failures in adjustable chairs fitted with nitrogen cylinders instead of conventional springs. Cases of serious injury came to light two years ago. ...

In September 1984, the Consumers' Association passed to the Health and Safety Executive (HSE) details reported by consumer organisations in Europe of incidents involving office chairs. They included accounts of two deaths, one in Belgium and the other in West Germany, where, it was reported, a piece of steel had penetrated a victim's brain through the eye. ....

The HSE has stressed that only 11 incidents, three of which caused injury, are known to have occurred in Britain - where up to 2 million of the chairs are in use.

Has this story broken in the US yet? How many of you are sitting at your VDU on such a chair? This is the time to take a quick peek below you, and take appropriate defensive action if necessary. You have been warned!
Jonathan Bowen, Research Officer, Distributed Computing Software Project
Oxford University Computing Laboratory, Programming Research Group
8-11 Keble Road, Oxford OX1 3QD, England, Tel: +44-865-54141 x293
JANET: bowen@uk.ac.oxford.prg
UUCP: ...seismo!mcvax!ukc!ox-prg!bowen (bowen@ox-prg.uucp)

[Some persons talked into buying this chair were evidently given a bum steer! PGN]

------------------------------

End of RISKS-FORUM Digest
************************
-------