RISKS-LIST: RISKS-FORUM Digest Monday, 11 January 1988 Volume 6 : Issue 7 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: You don't need a computer to have a technical RISK. (Joe Morris) Leap second leaps seconds (Alan Wexelblat) Plan to automate Federal tax collection system? (John Gilmore) Creative quality control in missile systems? (Dave Curry) Re: getting into ATM rooms (Eric Skinner) Re: PCs die of New Year Cerebration (Scot E. Wilcoxon) Computer asks you your SSI number as ID (Hank Roberts) Computer Virus.... sources(!) (David HM Spector) Reagan Signs Bill Governing Computer Data (Hugh Pritchard) Indianapolis Air Force jet crash (Dave Curry) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. > > > > > > > > > PLEASE LIST SUBJECT in SUBJECT: LINE. < < < < < < < < < For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j. Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85). ---------------------------------------------------------------------- Date: Sat, 09 Jan 88 12:22:20 EST From: Joe Morris (jcmorris@mitre.arpa) Organization: The MITRE Corp., Washington, D.C. Subject: You don't need a computer to have a technical RISK. (Jackson Post-ing) With the frequent (and valid) complaints about how the computer is fostering an impersonal society, it was with some interest that I read an article in the Washington Post last week in which the Post reported that Jesse Jackson's campaign headquarters had sent him a telex message which suggested some approaches which he could use in the upcoming primary campaigns. The telex didn't go to Jackson; instead, it was delivered to the Washington Post's telex machine. The Post, of course, printed excerpts from it in the article. (There weren't any smoking pistols in the material.) Jackson's campaign manager told the Post that it wasn't a staff error and must have been the machine, since he (the manager) was the person who operated the machine when the text was sent. The article didn't say just how the machine could have been at fault. Even if this turns out to be a case in which the operator dialed the wrong number, it does illustrate the problem of systems in which the routing system uses non-obvious addressing. An envelope addressed to "The Washington Post" would have been easily seen as not appropriate for an internal political memo, but an E-mail address of (202)-334-6100 isn't obviously an inappropriate one unless you notice that 202 is not equal to 319 (D.C. vs. Iowa)... and that assumes that you aren't using a computer-driven telex system in which you might not see the conversion from a nickname to a phone number. What feedback mechanisms are (should) there be to prevent this kind of misdelivery for electronic mail? We've all seen the occasional red-faced apologies on the net from sites which let test messages escape. (I don't have the article in front of me, and may have some minor details wrong, so no flames, please...) Joe Morris ------------------------------ Date: Wed, 6 Jan 88 15:39:46 CST From: Alan Wexelblat Subject: Leap second leaps seconds [Excerpted from the AP wire] DETROIT - Michigan Bell Telephone Company took about 3 1/2 days to make up one second. The company's computer-operated telephone time service wasn't adjusted at [...] midnight New Year's Eve, Greenwich Mean Time to account for the "leap second" between 1987 and 1988. The adjustment is needed to synchronize the world's steadily running atomic clocks with the ever-slowing rotation of the Earth. But people who set watches or synchronized activities by Michigan Bell's time signal were one second off during the weekend. We thought the change was automatically in the (computer's) program. We manually added the second" Monday morning, said a Michigan Bell spokeswoman. --Alan Wexelblat UUCP: {harvard, gatech, pyramid, &c.}!sally!im4u!milano!wex Information deteriorates upward through bureaucracies. ------------------------------ Date: Fri, 8 Jan 88 22:06:40 PST From: hoptoad.UUCP!gnu@cgl.ucsf.edu (John Gilmore) Subject: Plan to automate Federal tax collection system? I found this in the CPA Client Bulletin, July 1987, copyright 1987 by the American Institute of Certified Public Accountants, reproduced without perdition. Deposit Taxes by Phone: How Easy Can It Get? Tax practitioners are warily watching the development of a government plan to automate the federal tax deposit system. They're mostly in favor of getting rid of glitches in the present system but worry that a new, computerized method could cause added work and expense for very small businesses, some of which would be unable to participate at all because of lack of sophistication or even lack of such basic resources as a computer or touch telephone. Under the present system, taxpayers remit payroll taxes, corporate taxes, excise taxes and the like into Treasury accounts at authorized financial depositories. Nearly 70 percent of all government revenues are received in this manner. Under the new system, a taxpayer might feed the information directly into one of Uncle Sam's computers, which would debit the taxpayer's bank account directly. This is another source of uneasiness among some tax practitioners queried about preliminary plans for the new system -- IRS access to bank accounts. ------------------------------ From: davy@intrepid.ecn.purdue.edu (Dave Curry) Subject: Creative quality control in missile systems? Date: Mon, 11 Jan 88 14:45:16 EST From O'Malley & Gratteau INC. column, Chicago Tribune, Jan. 11, 1988: Just in case you were gaining confidence in the U.S. Military: A barely noticed July 31, 1987, report by the U.S. House Armed Services Committee on the sale of military equipment to the Islamic Republic of Iran included this passage: "As a result of other errors within the Army, the entire last shipment of 500 missiles had a faulty battery that has caused a dangerous fly-back problem." What's a fly-back? It means the rockets had a tendency to dribble out of the tube, fall on the ground and then ignite. We presume there was a no-return policy. Dave Curry, Purdue University [They returned all by themselves! PGN] ------------------------------ Date: Wed, 06 Jan 88 21:53:38 EST From: Eric Skinner Subject: Re: getting into ATM rooms In RISKS 6.4, mar@ATHENA.MIT.EDU writes: >Yesterday I tried an experiment, and discovered that my AT&T calling >card, and even a rapid transit pass would open the door... Even worse, many of these locks will open if you simply stick something thick into them. One of those handy wallet-sized plastic calendars does the trick on many doors. It seems like the locks are there to inspire confidence instead of actually protecting; perhaps the banks feel that decent locks are too expensive? Eric Skinner, University of Ottawa ------------------------------ From: umn-cs!datapg.MN.ORG!sewilco@cs-gw.D.UMN.EDU (Scot E. Wilcoxon) Date: Mon, 11 Jan 88 0:50:45 CST Subject: Re: PCs die of New Year Cerebration I found more details about my previous report. At least some Stearns brand PC compatibles fail at boot up in 1988. A message "bad or missing command interpreter" is issued, perhaps due to something in the config.sys file. A problem on Sun machines was mentioned here, and there are reports on USENET of another PC compatible with problems due to 1988. Three unrelated sensitivities to 1988 may seem like a lot, except there are now hundreds of computer manufacturers able to cause errors. With specialty chips in wide use, a date-sensitive error in millions of appliances is only a matter of time. Scot E. Wilcoxon sewilco@DataPg.MN.ORG ihnp4!meccts!datapg!sewilco Data Progress C and UNIX consulting +1 612-825-2607 ------------------------------ From: well!hank@lll-crg.llnl.gov (Hank Roberts) Subject: computer asks you your SSI number as ID (Wang ad) Date: 7 Jan 88 22:43:20 GMT From the 1-6-88 Wall Street Journal, ad on page 8: "Employee Pension fund. A guy wants to check his pension. What he's got. What he can borrow against. How his fund's performing. Calls the State office A Wang VS computer answers. Speaks. Asks for social security number. Dials it in. It leads him through a menu...status, equity, performance or human interface...you know...a real person. They handle a thousand calls a day." -- one hopes the machine can do voice recognition .... ------------------------------ Date: Sun, 10 Jan 88 22:27:46 EST From: David HM Spector Subject: Computer Virus.... sources(!) Just when you thought its was safe to play with computers... With all of the traffic in Risks digest dealing with Computer Viruses, letter bombs et al, I though I'd pass this one on. A programmer in West Germany has posted to Compu$erve the _source_ to a simple virus that will run on a Macintosh computer. I normally wouldn't even dare to mention that such a thing exists in a "public" forum, but it's on Compuserve, so it might as well be painted on walls coast to coast. The author insists that it's is a very simple virus, easily defeated, (which it is, having looked at and understood the sources), and is posted for educational uses with the intent of making people aware that such things exist and to inspire them to write defenses against them. In terms of a program, it's very small, a few pages of Pascal, and maybe 50 lines of assembly code. The installation code has a bunch of flags to control whether or not the virus replicates, whether it gets installed into the current running application, or just the system software, etc, etc. The actual virus is a small piece of code disguised as a resource that inserts itself in a system trap handler...it's alarmingly straight forward. The author goes on to mention, in the documentation, that this virus was inspired by a number of viruses he has encountered that did damage to his systems, so he wrote a virus that won't let "unknown" programs run on any of his company's machines. (i.e., if the program(s) to be run aren't already infected with HIS virus, they won't be allowed to run at all.) This is the first time I have ever seen sources to something like this, and it scares me a lot. If this code is any indication, viruses in general are a snap to write -- an could be placed _anywhere_; even in innocent looking HyperCard Stacks (Apple's HyperText software...) that thousands of people and User's Groups download and give out all over the place (and most Mac users aren't computer professionals -- they'll never know what hit'em). [Come to think of it, this is right out of the story _True Names_ by Vernor Vinge...] Now, let's see, first thing is to unplug my MacintoshII's modem, then... David HM Spector New York University Senior Systems Programmer Graduate School of Business Arpa: SPECTOR@GBA.NYU.EDU Academic Computing Center UUCP:...!{allegra,rocky,harvard}!cmcl2!spector 90 Trinity Place, Rm C-4 MCIMail: DSpector/Compu$erve: 71260,1410 New York, New York 10006 [There are 10 more messages on viruses pending, but with considerable overlap. I'll get to them soon! PGN] ------------------------------ Date: Sat, 9 Jan 88 14:08 EST From: (Hugh Pritchard) Subject: Reagan Signs Bill Governing Computer Data [Repeated without permission from the business section of _The_Washington_Post_ of Saturday, Jan 9, 1988] [headlined] Reagan Signs Bill Governing Computer Data President Reagan yesterday signed a bill intended to tighten security of computer systems that store nonclassified data such as census, tax and business records. The National Bureau of Standards is to develop programs to protect the machines from being illegally tapped by outsiders. The law overrides a national security directive that Reagan issued in 1984 giving the Pentagon's National Security Agency responsibility for safe- guarding the data. Later, the White House created a new classification of data for protection -- "sensitive but unclassified." The measures led to criticism in Congress that the government was tightening the flow of information and expanding military authority. The new law places responsibility for civilian computer security in civilian hands, but provides for the NSA to give technical advice to the bureau. The law also specifies that nothing in it will be used to restrict disclosures under the Freedom of Information Act. [end of article] /Hugh Pritchard, Systems Programming PRITCHARD@CUA.BITNET The Catholic University of America Computer Center (202) 635-5373 Washington, DC 20064 USA Disclaimer: My views aren't necessarily those of the Pope. [Sounds like HR 145, but none of the articles said so! PGN] ------------------------------ From: davy@intrepid.ecn.purdue.edu (Dave Curry) Subject: Indianapolis Air Force jet crash Date: Sat, 09 Jan 88 23:08:46 EST From The Lafayette (Indiana) Journal & Courier, Jan. 9th, 1988. INDIANAPOLIS - A failed gearbox was blamed Friday for causing the engine to fail in the Air Force fighter jet that crashed Oct. 29 into a hotel, killing 10 people, a published report said. The military jet, piloted by Maj. Bruce L. Teagarden, lost its ignition and air-fuel mixture systems when a gearbox part failed, _The Indianapolis Star_ reported in today's editions, quoting an unreleased Air Force report due to be released next week. --Dave Curry, Purdue University ------------------------------ End of RISKS-FORUM Digest ************************