17-Aug-86 10:31:40-PDT,9007;000000000000
Mail-From: NEUMANN created at 17-Aug-86 10:29:30
Date: Sun 17 Aug 86 10:29:30-PDT
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS-3.38
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Sunday, 17 August 1986 Volume 3 : Issue 38

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Computer gives away California state funds (Rodney Hoffman)
  High-Tech Sex Ring: Beware of Whose Database You Are In! (Peter G. Neumann)
  Computer Viruses (Chris McDonald, Paul Garnet, Matt Bishop)
  Computer Viruses and Air Traffic Control (Dan Melson)
  Re: Traffic lights in Austin (Bill Davidsen)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. Summary
Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

Date: 15 Aug 86 13:51:39 PDT (Friday)
From: Hoffman.es@Xerox.COM
Subject: Computer gives away California state funds
To: RISKS@CSL.SRI.COM

From the Los Angeles Times, August 15 1986, page 2:

A computer error caused California's check-writing system to issue
$4 million in interest-payment checks to bondholders who hold a type
of bond on which no such payments were due. Deputy state Treasurer
Liz Whitney explained that those bonds are of the "zero coupon" type,
which are held for a period of years and redeemed with accumulated
interest at maturity rather than bearing interest on a monthly or
yearly basis. The treasurer's office learned of the error last
Friday, she said, when a recipient inquired about the check's
validity, and stop-payment orders were issued.
By Wednesday, all but a few checks totaling $33,000 had been recovered.

No further details are given about the nature of the computer error.

-- Rodney Hoffman

------------------------------

Date: Fri 15 Aug 86 19:37:38-PDT
From: Peter G. Neumann
Subject: High-Tech Sex Ring: Beware of Whose Database You Are In!
To: RISKS@CSL.SRI.COM

From the San Francisco Chronicle, Friday 15 August 1986:

POLICE SAY ARRESTS IN MARIN SMASHED HIGH-TECH SEX RING
by Torri Minton and Katy Butler

A sophisticated prostitution ring that kept computerized records on more than
12,000 patrons has been broken after a three-month investigation, authorities
in San Jose said yesterday.

The ring, known as EE&L Enterprises, collected $3.5 million a year dispatching
at least 117 prostitutes by electronic beeper to cities all over Northern
California from a computerized command center in San Rafael, according to San
Jose vice Lieutenant Joe Brockman.

``It's a top-class operation -- the largest prostitution ring, to our
knowledge, in Northern California," Brockman said. He said that the business
took in more than $25 million during the eight years it was in business...

Records seized by police ... included customers' names, telephone numbers,
credit card numbers, sexual preferences and comments by the prostitutes...

The office was equipped with four desks, several IBM computers, a photocopier,
a paper shredder and a wall poster announcing that ``Reality is nothing but a
collective hunch.''

On-line SuperCalifornication?

------------------------------

Date: Fri, 15 Aug 86 7:47:01 MDT
From: Chris McDonald SD
Subject: Computer Viruses
To: RISKS FORUM (Peter G. Neumann -- Coordinator)

[This is included because so many of you do not seem to know the
Cohen reference. PGN]

Robert Stroud references a paper by Fred Cohen on "Computer Viruses." The
full text of the paper can be found in several public sources.
The most available for US readers is the minutes of the 7th DoD/NBS Computer
Security Conference, Sept 24-26, 1984, pages 240-263.

The paper is not exclusively concerned with any one particular operating
system. It defines a "virus" as "a program that can infect other programs by
modifying them to include a possibly evolved copy of itself." The paper
references Ken Thompson's acceptance speech on the Turing Award, "Reflections
on Trusting Trust," which was published in the August 1984 "Communications of
the ACM." The reference, however, is only for purposes of illustrating what
Fred proposes is a "limited" virus.

[That paper includes the wonderful C compiler Trojan horse lurking in
wait for the next recompilation of the UNIX LOGIN procedure. PGN]

A close reading of the paper would reveal that very specific factors have to
exist for a "virus" to become "virulent." The most interesting facet of the
paper is really the question it raises as to whether the Bell-LaPadula and the
Biba models on mathematically defining "secure systems" even address the
potential of a "virus" attack.

------------------------------

Date: Fri, 15 Aug 86 12:14:22 edt
From: pgarnet@nswc-wo.ARPA
To: RISKS@CSL.SRI.COM
Subject: Computer Viruses

Another paper by Fred Cohen is "Recent Results in Computer Viruses", written
while at Lehigh University. The copy I have does not have a date on it, but I
believe it was written sometime around the spring of 1985.

Anybody else know of any good, technical papers on the subject?

Paul

------------------------------

From: Matt Bishop
To: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: Re: Computer Viruses
Date: Fri, 15 Aug 86 07:28:27 -0700

If anyone wants to read an interesting science fiction book about computer
viruses (and things of that ilk) try reading John Brunner's "Shockwave Rider."
Briefly, it's about a man who puts computer viruses into the worldwide data
banks, enabling him to do all sorts of illegal things such as change identities.
Quite interesting, at least from the viewpoint of computer security!

Matt Bishop

[I think we included mention of "Shockwave Rider" in RISK long ago.
However, with the interest in viruses and our large number of new readers,
I am not trying to avoid all duplication -- especially with the distant
past. PGN]

------------------------------

Date: Sat, 16 Aug 86 01:13:47 PDT
From: crash!pnet01!dm@nosc.ARPA (Dan Melson)
To: crash!noscvax!RISKS@CSL.SRI.COM
Subject: Computer Viruses and Air Traffic Control

Those who fly regularly will be somewhat relieved to note that all terminals
of the ARTS and NAS systems, except master consoles (and a few others hardwired
straight into the machine and on site) are limited in what they can input, nor
can they escape the ATC program.

Furthermore, I am not aware of any means whereby employees can access any of
the FAA's computers from other than known sites. This also explains why there
are so few ATC's on any net, despite the large amount of computer work
associated with the job today.

DM

[Beware of Trojan horses bearing gifts that look like sound programs,
officially installed through proper channels. There is also the problem
of accidental viruses such as the ARPANET collapse of 27 October 1980.
(See Eric Rosen's fine article in the ACM Software Engineering Notes 6 1
Jan 81, for those of you who have not seen it before.) PGN]

------------------------------

Date: 15 Aug 86 10:57 EST
From: davidsen%kbsvax.tcpip@ge-crd.arpa
Subject: Re: Traffic lights in Austin
To: RISKS@CSL.SRI.COM

[From: Davidsen ]

I would call a 2% clean failure rate a success. If the two intersections had
failed in an unsafe mode, such as green in both directions, it would not have
been acceptable. If the lights had "stuck" showing green one way and red the
other, it could have caused severe delays. For the light to cleanly go out is
probably acceptable. Most drivers seeing a light with no signal showing will
use adequate caution to prevent accidents.

        -bill davidsen

  ihnp4!seismo!rochester!steinmetz!--\
                                       \
                    unirot ------------->---> crdos1!davidsen
                          chinet ------/
         sixhub ---------------------/        (davidsen@ge-crd.ARPA)

"Stupidity, like virtue, is its own reward"

------------------------------

End of RISKS-FORUM Digest
************************
-------