RISKS-LIST: RISKS-FORUM Digest  Wednesday 16 March 1988  Volume 6 : Issue 44

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Terry Dean Rogan, concluded (for now) (Hal Perkins)
  RISKS in Bell lawsuit (Alan Wexelblat)
  Hackers to Face Jail or Fines (Anne Morrison)
  Risk in submarine accident; MAC Virus arrives in Germany; German Hacker arrested in Paris (Klaus Brunnstein)
  RISKS in the U.S. Government Archives (sethk)
  MacMag virus infects commercial software (Dave Platt)
  More on the Brandow virus (Dave Curry)

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
NOTE -- AFTER TWO DAYS OF MAILER AND NAME TABLE DISASTERS (one address seems to blow it all -- rpeschke@afit-ab.arpa -- sorry!), RISKS-6.44 BOMBED IN A NEW WAY. THIS IS A RETRY. APOLOGIES TO THE FEW OF YOU WHO HAVE ALREADY RECEIVED A COPY. PGN
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j. Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Tue, 15 Mar 88 13:10:13 EST
From: hal@gvax.cs.cornell.edu (Hal Perkins)
Subject: Terry Dean Rogan, concluded (for now)

[This case has been discussed in Risks in the past, so readers might be interested in the outcome.]

From the New York Times, Sunday March 6, 1988, section 1, page 30.

Wrong Suspect Settles His Case for $55,000

Saginaw, Mich., March 5 (AP) -- Terry Dean Rogan, who [was] arrested five times in Michigan and Texas for crimes he did not commit, has settled a lawsuit against the City of Los Angeles for failing to remove his name from a crime computer's file.

Mr. Rogan, who is 30 years old, sued Los Angeles, its Police Department and two detectives, saying his civil rights were violated when the department neglected to remove his name from a nationwide crime computer file.

The settlement, approved by the Los Angeles City Council Friday, calls for Mr. Rogan to receive $55,000. Last July, a Federal district judge in Los Angeles ruled that Mr. Rogan should be paid damages.

The murders and robberies he was charged with were ultimately traced to an Alabama jail inmate, Bernard McKandes. Mr. McKandes was found to have assumed Mr. Rogan's identity after Mr. Rogan apparently discarded a copy of his birth certificate.

------------------------------

Date: Tue, 15 Mar 88 15:20:20 CST
From: Alan Wexelblat
Subject: RISKS in Bell lawsuit

I'm sure everyone has, by now, read about Bell Helicopter's settlement with the government in which they repaid $85.1 million in overcharges. However, in an article by Mark Thompson (Knight-Ridder News Service), the following quotes caught my eye:

"[The settlement] stems from Bell's computerized accounting system which government investigators claim shifted costs among the contracts..." [note how the computer is blamed, not the programmer, nor the people who used it nor the people who ordered it programmed/used in that way!]

"The $85.1 million settlement is only half the size of the government's estimated loss ... But [government] officials said the case was so complex that court action to recoup the funds probably would have failed."

It struck me that here we may have a case of someone(s) using a computer to deliberately complicate/obfuscate what they are doing not only for profit but to avoid detection.
And, even when detected, the use of a computer may have complicated things beyond the point where the average juryperson can understand them.

--Alan Wexelblat
ARPA: WEX@MCC.COM
UUCP: {harvard, gatech, pyramid, &c.}!sally!im4u!milano!wex

------------------------------

Date: Tue, 15 Mar 88 11:07:30 EST
From: munnari!murdu.oz.au!anne@uunet.UU.NET (Anne Morrison)
Subject: Hackers to Face Jail or Fines

From the Age, Melbourne, Monday March 14 1988

Computer Hackers to Face Jail or Fines

Convicted computer hackers will face huge fines under new laws being prepared for Victoria.

The State Government is planning to create an offence of computer trespass, with a maximum fine of $2500, under a bill soon to be debated in Parliament.

The Attorney-General, Mr McCutcheon, said yesterday that while many computer hackers were no more than technological voyeurs, there was a need for some kind of deterrent. He said the legislation was the first in Australia to deal specifically with technological crime.

The Government had previously thought it sufficient to ensure that computer hackers could be prosecuted if they altered or erased data, Mr McCutcheon said. But submissions from police, the computer industry and legal experts had led to the inclusion of penalties for hackers who simply looked at material after breaking into a computer system.

People were understandably concerned that hackers could gain access to sensitive data of great commercial value or of a personal and private nature, Mr McCutcheon said. The new offence of computer trespass was similar to the offence of willful trespass on property or being unlawfully on premises.

The bill before Parliament also creates offences of falsifying or altering data held in a computer system, punishable by fines of up to $100,000 or 10 years jail.

Existing laws applying to criminal damage will be applied to technological crime, enabling prosecution of anyone releasing "viruses" or "bugs" into computer systems to cause damage.

People spreading these "viruses" or "logic bombs" -- programming instructions timed to destroy data later -- would face up to 10 years jail or a $100,000 fine, or 15 years jail if they acted for gain, Mr McCutcheon said.

This raises an interesting point - does "accidentally" spreading a virus or logic bomb (i.e. if you don't know it's there) make you liable for prosecution? Can you prove that you passed on sabotaged software in good faith? This legislation may prove to be a major deterrent to software piracy - IF it is strictly enforced.

Anne Morrison
University of Melbourne Computing Services, Parkville, Victoria, AUSTRALIA
ACSnet: anne@murdu.mu.oz
ARPA: anne%murdu.mu.oz.au@uunet.uu.net

------------------------------

From: Klaus Brunnstein
Subject: 1. Risk in submarine accident
         2. MAC Virus arrives in Germany
         3. German Hacker arrested in Paris
Organisation: University of Hamburg, FRG, Faculty for Informatics

1. Electronic Navigation Aids fail on German Submarine?

According to German newsmedia, the collision of a German submarine (NATO code: S 176) on March 6, 1988 with the Norwegian oil-drilling platform Oseberg B in the North Sea Ekofisk field was caused either by `human failure' or by undetected malfunctioning of a previously `repaired' navigation aid.

The submarine had a first collision with one leg of the platform in 30 m depth; when trying to escape by diving to the 115 m deep North Sea bottom at that point, several more collisions occurred with legs and iron chains, which anchor this platform and the neighboring `hotel platform Polyconfidence', floating 40 m away. The collisions continued for over 15 minutes and were experienced by the platform's workers as `some kind of seaquake'. Some report said that the platform has been checked and is again operational but workers must leave it when waves become 15 m high (instead of 30 m before accident). The damage of the platform is reported to cost `several 10 Mill.DM'.

After the heavily damaged boat returned to its naval base at Kiel, FRG, the commanding "Captain Lieutenant" (`Kaleu') argued that he had `seen' the platform, through his periscope, 15 minutes before the collision and he was sure, that his course would keep him clear of the platform. Probably, no further 'visual control' of the subsequent course had been undertaken.

Norwegian media reports that German official seacharts don't register the two platforms are incorrect; the president of the German office responsible for updating seacharts said that updates show every change in position. Such updates are stored electronically, but available (today) only in printed form. Electronic devices and methods are being prepared, in close collaboration with IMO (I have close contact to this group and inform them on risks experienced in electronic air traffic aids). Since this chart is 1:750.000, German navy vessels use detailed British special charts on stationary or movable oil-drilling platforms. On the other hand, navigation is difficult there due to strong tidal flows; every responsible captain uses therefore as much information and sources as possible, including computerized device and `eye contact'.

The commander reported that an electronic navigation aid, probably a sonar detector, had been repaired shortly before. Details of cross-check procedures and spare devices have not been reported, but most interestingly, the commander said in a press conference that usually several persons `independently' steer the boat, thus `human failure' was extremely improbable to him and navy officials. An examination has been started (I will report the results to RISK FORUM).

Apart from the risk of overreliance on (badly checked) hardware, the behaviour of officers and crew presents another risk. While the commander argued, that his crew behaved in a calm and controlled manner, the helmsman of a nearby working Norwegian supply vessel, Mr.
Per Rogne, reportedly said: `the commander and his officers were totally confused' when they finally came back to surface. Norwegian newspapers reported on `blockheads of German submarines which meet the only obstacle in a large area', but they added that a Norwegian submarine recently had damaging `contact' with a wall of rock'.

While the risk to the crew seems `calculable', the public risk accorded to such officers may be the worse problem. The boat belongs to the NATO fleet to protect Western Europe from sea invasion from North-East of Norway. (Maybe, Norwegian workers should be better protected against unforeseen, illegal visits of friends.)

2. MAC-virus arrived in Germany:

Surprisingly fast, Apple Germany found out about the MacInVirus and informed its users by email with the following text (cited without permission):

`A product manager in Apple Germany, Kurt Bierbaum (BIERBAUM1) has found a disk in Germany which destroys hard disks and the applications that run on them.

`This program is called VIRUS. I believe that it installs something in the CODE resources of the System file. In addition, it installs INIT32 and the resource MVIR in the System file. I think that it installs the MVIR resource in the applications as well. I have the disk in my office if you would like a copy. This program can be found on CompuServe in a Hypercard stack. A user named David HM Spector sent this information to all other users. ...... This program seems to be widespread.'

With this rather quick information, Apple reacted much faster than DEC did in 1987 when the missing CLOSE in the password control routine in its VMS 4.4/4.5 versions was detected, with well known results of hackers invading science and commercial VAX-systems (e.g. Philips France, see 3.). Though DEC people knew of the severe fault since early 1987 (if not before), a proper system patch was only available, in Germany, by summer 1987.
Moreover, DEC missed to inform the respective German computer center heads properly.

3. German leading `Computer Chaos Hacker' arrested in Paris

A leading German hacker, Mr. Steffen Wernery of `Computer Chaos Club' of Hamburg, has been arrested in Paris, on March 14. He is accused of having participated in the invasion of a Philips France VAX computer (under a `buggy' VMS) in 1987; while being a speaker at SECURICOM, Philips officials had arranged a meeting, but police awaited him before. French police wanted to arrest Mr.Wernery since some time, but German institutions refused to deport him due to German law.

After having done some analysis of CCC's respective activities, to me the arrest seems rather arbitrary; the invaded system evidently lacked any reasonable protection, and the participation of Mr. Wernery seems doubtful, at least he has only superficial knowledge of VAX/VMS. (To be precise: I don't wish to help hackers in cases of criminal actions; but the analysis of what they do and what they can should be based on facts. I would hope that police concentrates itself on real damages done by professional computer criminals; but I admit that is more difficult to understand their actions than that of hackers.)

Klaus Brunnstein, University of Hamburg, Faculty for Informatics

------------------------------

From: sco!sethk@ucscc.UCSC.EDU
Subject: RISKS in the U.S. Government Archives
Date: Tue Mar 15 11:32:03 1988

From The Nation, March 12, 1988, p. 332, "Beltway Bandits" column.

Archive's Black Hole

The government is in danger of losing its memory. That's the message of Don Wilson, the Federal Archivist. Testifying before a House subcommittee last month, Wilson emphasized the problems posed by the "increased usage of electronic records and the expanded use of computers in the Federal Government."
He complained that "data held on computers is frequently altered or updated" - shades of the deeds done by Oliver North and Fawn Hall - and that much material never reaches the National Archives. While the government uses an estimated 13 million reels of computer tape, the archives now holds only 3,000 reels. All this hinders the National Archives and Records Administration in preserving the documents generated by each presidency. Unless Congress and NARA find a way to address these matters, the bureaucracy's broadening reliance on computer technology will rob the public of pieces of history as well as information that may be needed by a future independent counsel or Congressional committee.

------------------------------

Date: Tue, 15 Mar 88 09:13:14 PST
From: dplatt@coherent.com (Dave Platt)
Subject: MacMag virus infects commercial software

According to an article in this morning's San Jose Mercury News, the "DREW" INIT-virus has been found to have infected a commercial software product. The virus, which was a "benign" time-bomb designed to display a message of world peace on March 2nd, is present on disks containing Aldus Freehand.

The virus was inadvertently passed to Aldus by Marc Canter, president of MacroMind Inc., which makes training disks for Aldus. Canter visited Canada some time ago, and was given a disk containing a program called "Mr. Potato Head", which lets users play with a computerized version of the toy character. Canter ran the program only once, and his machine was apparently infected by the virus at this time. Subsequently, the virus infected a disk of training software that Canter then delivered to Aldus; at Aldus, the virus infected disks that were then sold to customers.

Although this virus was believed to be harmless, Canter reports that it forced his Macintosh II computer to shut down and caused him to lose some computer information. "My system crashed," Canter said, "I was really angry."

(( Not all that surprising...
quite a few popular but nonstandard programming tricks used on the classic Mac don't work on the Mac II due to its different video card/monitor architecture... many games, etc. don't run on the II for this reason and can cause some very impressive system crashes... dcp ))

Canter fears that more of his customers may have been infected by the virus. MacroMind's clients include Microsoft Corp., Lotus Development Corp., Apple Computer Inc. and Ashton-Tate. Microsoft has determined that none of its software has been infected, a company spokeswoman said. Apple and Lotus could not be reached for comment. Ashton-Tate declined to comment.

Aldus would not comment on how many copies of FreeHand are infected, but admits that a disk-duplicating machine copied the infected disk for three days. Half of the infected disks have been distributed to retail outlets; the other half are in Aldus' warehouse.

Aldus will replace the infected disks with new, uninfected copies to any FreeHand buyer who requests it, according to Aldus spokeswoman Laury Bryant. The company will also replace the infected disks in its warehouse.

(( As I recall, the DREW virus infects the System file on affected disks, but doesn't affect applications directly. I suppose that Aldus could salvage the damaged disks by replacing the System folders with copies from a locked, uninfected disk... but it'll probably be faster for them to simply erase and reduplicate.

I have no idea what Canadian liability laws are like these days... but I rather suspect that if MacMag were a United States company rather than a Canadian one, its publisher would now be extremely vulnerable to a liability-and-damages suit of some sort. This escapade will probably cost Aldus a pretty piece of change in damage-control expenses and perhaps loss-of-sales or injury-to-reputation. Kids, don't try this sort of thing at home!
--- dcp ))

------------------------------

From: davy@intrepid.ecn.purdue.edu (Dave Curry)
Subject: More on the Brandow virus [ANOTHER VERSION]
Date: Wed, 16 Mar 88 08:39:15 EST

From the Lafayette (IN) Journal & Courier, 3/16/88, p. A-12:

Publisher blamed for computer virus

SEATTLE (AP) - Officials at Seattle's Aldus Corp. are blaming the publisher of a Canadian computer magazine for a rogue computer program virus that has popped up in commercial software, apparently for the first time.

Richard Brandow, publisher of *MacMag* in Montreal, acknowledged Tuesday that he wrote the so-called "March 2 peace message," but said he did so to point out the dangers of software piracy.

The relatively benign virus was discovered in FreeHand, a new program Aldus developed for Apple Macintosh computers, according to spokeswoman Laury Bryant. It apparently did not harm any computers and only flashed a brief message on the computer screen.

Nevertheless, the virus forced Aldus to recall or rework thousands of packages of the new software and has prompted the company to threaten legal action. It also has sent a scare through the computer industry because of the manner in which the virus apparently spread and because it challenged the previous belief that off-the-shelf software largely was immune.

"We feel that Richard Brandow's actions deserve to be condemned by every member of the Macintosh community," Bryant said.

[ description of what a virus is and warnings about getting software from bulletin boards ]

The Aldus virus also caused consternation because several of the nation's largest software companies are clients of a [sic] MacroMind, Inc. of Chicago, a subcontractor that inadvertently spread the virus to Aldus.

Brandow said the full message read: "Richard Brandow, the publisher of MacMag, and its entire staff would like to take this opportunity to convey their universal message of peace to all Macintosh users around the world." Beneath that was a graphic of the globe.

Brandow and Bryant said the virus erased itself after March 2, the anniversary of the introduction of Apple's Macintosh SE and Macintosh II models.

MacroMind president Marc Canter said Tuesday that he believed Aldus was the only customer that received the virus. Among Canter's clients are the nation's three largest software producers - Microsoft Corp. of Redmond, Ashton-Tate, and Lotus Development Corp. - and Apple. Ashton-Tate declined comment, but officials at Microsoft, Apple and Lotus all said none of their software was infected.

--Dave Curry, Purdue University

------------------------------

End of RISKS-FORUM Digest
************************