RISKS-LIST: RISKS-FORUM Digest  Monday 28 March 1988  Volume 6 : Issue 50

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Short stories of old computer risks (Les Earnest)
  NY TIMES on risks of cockpit automation (Jon Jacky)
  Credit-limit handling found overly restrictive (Wayne H. Badger)
  Decomposing checks (David Rogers)
  Notifying users of security problems (Andy Goldstein)
  Entrepreneurial Viruses (Chuck Weinstock)
  Early viruses (Sayed A. Banawan)
  Person-in-the-Loop Amendment Signed into Law (Fred Baube)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j. Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: 28 Mar 88 1641 PST
From: Les Earnest
Subject: Short stories of old computer risks

Tired of viruses? I was just purging some old files and ran across a trilogy of true short stories that I posted on the Stanford bboards two years ago. The incidents described span a period of twenty years ending 25 years ago, but I think they are still amusingly relevant.

Kick the Mongrel

In a previous account I told how reading a book on cryptography led to my getting an F.B.I. record at the age of 12 and about subsequent awkwardness in obtaining a security clearance. I will now describe how I learned that putting provocative information on a security clearance form can accelerate the clearance process. First let me describe the environment that gave rise to this occurrence.

White Faces in New Places

In 1963, after living in Lexington, Massachusetts for 7 years, my wife and I moved to the Washington D.C. area to help set up a new office for Mitre Corporation.
After three days of searching, we bought a house then under construction in a pleasant new suburb called Mantua Hills, near Fairfax, Virginia. I hadn't noticed it during our search, but it soon became evident that there were nothing but white faces in this area. In fact, there were nothing but white faces for miles around.

We expected to find some cultural differences and did. For example, people drove much less aggressively than in Boston. The first time that I did a Boston-style bluff at a traffic circle, the other cars yielded! This took all the fun out of it and I was embarrassed into driving more conservatively.

When I applied for a Virginia driver's license, I noticed that the second question on the application, just after "Name," was "Race." When filling out forms, I have always made it a practice to omit information that I think is irrelevant. It seemed to me that my race had nothing to do with driving a car, so I left it blank. When I handed the application to the clerk along with the fee, he just looked at me, marked "W" in the blank field and threw it on a stack. I guess that he had learned that this was the easiest way to deal with outlanders.

Our contractor was a bit slow in finishing the house. We knew that there was mail headed our way that was probably accumulating in the post office, so we put up the mailbox even before the house was finished. The first day we got just two letters -- from the American Civil Liberties Union and Martin Luther King's organization. We figured that this was the Post Office staff's way of letting us know that they were on to us. Sure enough, the next day we got the rest of our accumulated mail, a large stack.

It shortly became apparent that on all forms in Virginia, the second question was "Race." Someone informed me that as far as the Commonwealth of Virginia was concerned, there were just two races: "white" and "colored."
When our kids brought forms home from school, I started putting a "C" after the second question, leaving it to the authorities to figure out whether that meant "Colored" or "Caucasian."

Racing Clearance

About this time, my boss and I and another colleague applied for a special security clearance that we needed. There are certain clearances that can't be named in public -- it was one of those. I had held an ordinary Top Secret clearance for a number of years and had held the un-namable clearance a short time before, so I did not anticipate any problems.

When I filled out the security form, I noticed that question #5 was "Race." In the past I had not paid attention to this question; I had always thoughtlessly written "Caucasian." Having been sensitized by my new environment, I re-examined the question.

All of my known forebears came from Europe, mostly from Southern Germany with a few from England, Ireland, and Scotland. A glance in the mirror, however, indicated that there was Middle Eastern blood in my veins. I have a semitic nose and skin that tans so easily that I am often darker than many people who pass for black. Did I inherit this from a Hebrew, an Arab, a Gypsy or perhaps one of the Turks who periodically pillaged Central Europe? Maybe it was from a Blackfoot Indian that an imaginative aunt thinks was in our family tree. I will probably never know.

As an arrogant young computer scientist, I believed that if there is any decision that you can't figure out how to program, the question is wrong. I couldn't figure out how to program racial classification, so I concluded that there isn't such a thing. I subsequently reviewed some scientific literature that confirmed this belief. "Race" is, at best, a fuzzy concept about typical physical properties of certain populations. At worst, of course, it is used to justify more contemptible behavior than any concept other than religion.

In answer to the race question on the security form, I decided to put "mongrel."
This seemed like an appropriate answer to a meaningless question.

Shortly after I handed in the form, I received a call from a secretary in the security office of the Defense Communications Agency. She said that she had noticed a typographical error in the fifth question where it said "mongrel." She asked if I didn't mean "Mongol." "No thanks," I said, "I really meant `mongrel.'" She ended the conversation rather quickly.

A few hours later I received a call from the chief security officer of D.C.A., who I happened to know. "Hey, Les," he said in a friendly way, "I'd like to talk to you the next time you're over here." I agreed to meet him the following week.

When I got there, he tried to talk me out of answering the race question "incorrectly." I asked him what he thought was the right answer. "You know, Caucasian," he replied. "Oh, you mean someone from the Caucasus Mountains of the U.S.S.R.?" I asked pointedly. "No, you know, `white.'" "Actually, I don't know," I said.

We got into a lengthy discussion in which he informed me that as far as the Defense Department was concerned there were five races: Caucasian, Negro, Oriental, American Indian, and something else that I don't remember. I asked him how he would classify someone who was, by his definition, 7/8 Caucasian and 1/8 Negro. He said he wasn't sure. I asked how he classified Egyptians and Ethiopians. He wasn't sure.

I said that I wasn't sure either and that "mongrel" seemed like the best answer for me. He finally agreed to forward my form to the security authorities but warned that I was asking for trouble.

A Question of Stability

I knew what to expect from a security background investigation: neighbors and former acquaintances let you know it is going on by asking "What are they trying to get you for?" and kidding you about what they told the investigators.
Within a week after my application for the new clearance was submitted, it became apparent that the investigation was already underway and that the agents were hammering everyone they talked to about my "mental stability."

The personnel manager where I worked was interviewed quite early and came to me saying "My God! They think you're crazy! What did you do, rape a polo pony?" He also remarked that they had asked him if he knew me socially and that he had answered "Yes, we just celebrated Guy Fawkes Day together." When the investigator wanted to know "What is Guy Fawkes Day?" he started to explain the gunpowder plot but thought better of it. He settled for the explanation that "It's a British holiday."

An artist friend named Linda, who lived two houses away from us, said that she had no trouble answering the investigator's questions about my stability. She said that she recalled our party the week before when we had formed two teams to "Walk the plank." In this game, participants take turns walking the length of a 2 x 4 set on edge and drinking a small amount of beer. Anyone who steps off is eliminated and the team with the most total crossings after some number of rounds wins. Linda said that she remembered I was one of the most stable participants.

I was glad that she had not remembered my instability at an earlier party of hers when I had fallen off a skateboard, broken my watch and bruised my ribs. The embarrassing cause of the accident was that I had run over the bottom of my own toga!

The investigation continued full tilt everywhere I had lived. After about three months it stopped and a month later I was suddenly informed that the clearance had been granted. The other two people whose investigations were begun at the same time did not receive their clearances until several months later. In comparing notes, it appeared that the investigators did the background checks on my colleagues in a much more leisurely manner.
We concluded that my application had received priority treatment. The investigators had done their best to pin something on me and, having failed, gave me the clearance.

The lesson was clear: if you want a clearance in a hurry, put something on your history form that will make the investigators suspicious but that is not damning. They get so many dull backgrounds to check that they relish the possibility of actually nailing someone. By being a bit provocative, you draw priority attention and quicker service.

After I received the clearance, I expected no further effects from my provocative answer. As it turned out, there was an unexpected repercussion a year later and an unexpected victory the year after that. But that is another story.

Les Earnest

- - - - - - - - - - - - - - - - - - - - - - - - -

The Missed Punch

An earlier account described how I came to list my race as "mongrel" on a security clearance application and how the clearance was granted in an unusually short time. I will now describe a subsequent repercussion that was a byproduct of a new computer application.

Mongrel in a Star-chamber

In early 1965, about a year after I had been granted a supplementary security clearance, I received a certified letter directing me to report to the Air Force Office of Special Investigations at Suitland, Maryland very early in the morning on a certain day four weeks later. To one whose brain seldom functions before 10am, this was a singularly unappealing trip request.

My wife somehow got me up early on the appointed day and I drove off in my TR-3 with the top down, as usual, even though it was a cold winter morning. I hoped that the air would stimulate my transition to an awakened state.

When I arrived and identified myself, I was immediately ushered into a long narrow room with venetian blinds on one side turned to block the meager morning light. I was seated on one side of a table on which there were two goose-neck lamps directed into my eyes.
There was no other light in the room, so I could barely see the three inquisitors who took positions on the opposite side of the table.

Someone punched on a tape recorder and the trio began taking turns at poking into my past. They appeared to be trying to convince me that I was in deep trouble. While the pace and tone of their questions were clearly aimed at intimidation, they showed surprisingly little interest in my answers. I managed to stay relaxed, partly because I was not yet fully awake.

They asked whether I had any association with a certain professor at San Diego State College, which I had attended for one year. I recognized his name as being one who was harassed as an alleged Communist sympathizer by the House Un-American Activities Committee during the McCarthy Era. Responding to the interrogator's question, I answered that I did not know him but that I might have met him socially since he and my mother were on the faculty concurrently. They wanted to know with certainty whether I had taken any classes from him. I said that I had not.

They next wanted to know how well I knew Linus Pauling, who they knew was a professor at Caltech when I was a student there. I acknowledged that he was my freshman chemistry professor and that I had visited his home once.

(I did not mention that Pauling's lectures had so inspired me that I decided to become a chemist. It was not until I took a sophomore course in physical chemistry that I realized that chemistry wasn't as much fun as I had thought. After that, I switched majors in rapid succession to Geology, Civil Engineering, then Electrical Engineering. I ended up working in a still different field.)

I recalled that Pauling had been regularly harassed by certain government agencies during the McCarthy Era because of his leftist "peacenik" views. He was barred from overseas travel on occasion and the harassment continued even after he won his first Nobel Prize but seemed to diminish after the second one, the peace prize.
The inquisitors next wanted to know how often I got together with one of my uncles. I acknowledged that we met occasionally, the last time being a few months earlier when our families dined together. It sounded as though they thought they had something on him. I knew him to be a very able person with a distinguished career in public service. He had been City Manager of Ft. Lauderdale and several other cities and had held a number of diplomatic posts with the State Department. It occurred to me that they might be planning to nail him for associating with a known mongrel.

The questions continued in this vein for hours without a break. I kept waiting for them to bring up a Caltech acquaintance named Bernon Mitchell, who had lived in the same student house as me. Mitchell had later taken a position at the National Security Agency, working in cryptography, then defected to the Soviet Union with a fellow employee. They were apparently closet gays.

In fact, the inquisitors never mentioned Mitchell. This suggested that they may not have done a very thorough investigation. A more likely explanation was that Mitchell and his boyfriend represented a serious failure of the security clearance establishment -- one that they would rather not talk about.

After about three and a half hours of nonstop questioning I was beginning to wake up. I was also beginning to get pissed off over their seemingly endless fishing expedition. At this point there was a short pause and a rustling of papers. I sensed that they were finally getting around to the main course.

"We note that on your history form you claim to be a mongrel," said the man in the middle. "What makes you think you are a mongrel?"

"That seems to be the best available answer to an ill-defined question," I responded.

We began an exchange that was very much like my earlier discussion with the security officer in the Defense Communications Agency.
As before, I asked how they identified various racial groups and how they classified people who were mixtures of these "races." The interrogators seemed to be taken aback at my asking them questions. They asked why I was trying to make trouble. I asked them why they would not answer my questions.

When no answers were forthcoming, I finally pointed out that "It is clear that you do not know how to determine the race of any given person, so it is unreasonable for you to expect me to. I would now like to know what you want from me."

The interrogators began whispering among themselves. They had apparently planned to force me to admit my true race and were not prepared for an alternative outcome. Finally, the man in the center spoke up saying, "Are you willing to sign a sworn statement about your race?"

"Certainly," I said.

They then turned up the lights and called for a secretary. She appeared with notebook in hand and I dictated a statement: "I declare that to the best of my knowledge I am a mongrel."

"Don't you think you should say more than that," said the chief interrogator.

"I think that covers it," I replied. The secretary shrugged and went off to type the statement.

Punch Line

With the main business out of the way, things lightened up -- literally. They opened the venetian blinds to let in some sunlight and offered me a cup of coffee, which I accepted. We had some friendly conversation, then I signed the typed statement, which was duly notarized.

My former tormentors now seemed slightly apologetic about the whole affair. I asked them what had prompted this investigation. After some glances back and forth, one of them admitted that "We were putting our clearance data base on punched cards and found that there was no punch for `mongrel'."

I thought about this for a moment, then asked "Why didn't you add a new punch?"

"We don't have any programmers here" was the answer. "We got the program from another agency."
I said, "Surely I am not the only person to give a non-standard answer. With all the civil rights activists now in government service, some of them must have at least refused to answer the race question."

The atmosphere became noticeably chillier as one of them answered, with clenched teeth, "You're the only one. The rest of those people seem to know their race."

It was clear that they believed I had caused this problem, but it appeared to me that the entire thrash was triggered by the combination of a stupid question and the common programmer's blunder of creating a categorization that does not include "Other" as an option.

The security people apparently found it impractical to obtain the hour or two of a programmer's time that would have been needed to fix the code to deal with my case, so they chose instead to work with their standard tools. This led to an expenditure of hundreds of man-hours of effort in gathering information to try to intimidate me into changing my answer.

I was surprised to learn that nearly everyone believed in the mythical concept of racial classification. It appeared that even people who were victims of discrimination acknowledged their classification as part of their identity.

I never did find out how the security investigators coped with the fact that I remained a mongrel, but in 1966 I discovered that something very good had happened: the "race" question had disappeared from the security clearance form. I liked to think that I helped that change along.

Unfortunately, almost the same question reappeared on that form and most other personnel forms a few years later, under the guise of "ethnic" classification. I believe that that question is just as meaningless as the race question and I have consistently answered it the same way during the intervening 20 years.
I now invite others to join me in this self-declassification, with the hope and expectation that one day the bureaucrats and politicians will be forced to quit playing with this issue and will come to realize that the United States of America is a nation of egalitarian mongrels. I believe that we will all be better off.

In any case, whenever you design a database, please don't forget the "other" category.

Les Earnest

[A Shaggy Database Story, for a change. PGN]

------------------------------

Date: Mon, 28 Mar 88 09:45:52 PST
From: jon@june.cs.washington.edu (Jon Jacky)
Subject: NY TIMES on risks of cockpit automation

The cover story of the March 27, 1988 NEW YORK TIMES MAGAZINE is "Trouble in the Cockpit: The Airlines Tackle Pilot Error," by William Stockton. The story relates several incidents in which over-reliance on autopilots is thought to have contributed to accidents or near-accidents:

"Last July 8, the crew in a Delta Airlines L-1011 en route to the US from Europe strayed 60 miles off course and came within 100 feet of colliding with a Continental Airlines 747. The consensus among safety experts is that the Delta pilots entered the wrong data in a computer navigation system and then failed to frequently verify their position by other means."

"(Three years ago) a China Airlines 747 ... went out of control and fell 30,000 feet in less than two minutes, upside down much of the time ... (First) the outboard engine on the right wing ... quit. The loss of the engine caused the airplane to try to turn to the right. (The autopilot tried to compensate, turning the plane to the left). With his attention focused, inappropriately, almost exclusively on the engine problem, the captain failed... to realize that the airplane and the autopilot had become engaged in a tug-of-war ... The captain was entirely oblivious to it because he was letting the autopilot fly and did not actually have his hands on the control wheel ...
Finally, he disconnected the autopilot and took hold of the control wheel to fly the plane himself. In that instant, the plane immediately won the tug of war with the autopilot .. The 747 rolled dramatically to the right (The pilot apparently did not immediately understand what was happening and did not compensate appropriately) and within a few seconds the 747 was on its back, plummeting earthward. "If he had just turned the autopilot off when the engine problem first developed, none of it would have happened," says (a human factors expert).

"In 1972, an Eastern Airlines L-1011 crashed in the Florida Everglades killing 100 people. When a light that indicates whether the landing gear are up or down did not illuminate, all three pilots in the cockpit became engrossed in the problem, which turned out to be a faulty light bulb. The tape recording of the cockpit conversation revealed that no one had noticed that the autopilot had been inadvertently disengaged and the airplane had begun a gradual descent which finally led to its crashing"

The article cites recent human factors research that reveals crews often handle sudden catastrophes better than a series of small nuisance incidents which gradually builds into a disaster.

- Jon Jacky, University of Washington

------------------------------

Date: Mon, 28 Mar 1988 19:06 EST
From: LENOIL@XX.LCS.MIT.EDU
To: badger%fang@XENURUS.GOULD.COM (Wayne H. Badger)
Subject: Credit-limit handling found overly restrictive

I called my Mastercard bank and they informed me that authorizations remain in effect for 10 days if not removed. Authorizations can be removed in two ways:

1. If a bill comes in for the exact amount of the authorization on the same day, the authorization will be replaced with the bill.
2. A company can remove the authorization by arrangements through their bank in what is apparently a difficult procedure.

This sounds totally bogus.
Whenever a merchant calls for authorization, (s)he is given an authorization number and writes that number on the charge slip. I assume that the number is used to remove the associated hold, which is then replaced with the actual charge. If your bank doesn't work this way, you should switch to one that does. (I've never had a problem with my Citibank MasterCard, so I don't think the problem is endemic to MasterCards.)

------------------------------

Date: Mon, 28 Mar 88 13:16:42 PST
From: David Rogers
Subject: Decomposing checks

Actually, the reason the scheme worked is more subtle than PGN mentioned (the national news got this wrong, also). When you deposit a check, the money is automatically deposited in your account, but a `hold' for that amount is also placed on your account. If the bank does *not* receive a notice that the check bounced in 5 days, the hold expires, and the money can be removed. There is no rush to get the money out, since the decomposed check cannot be traced back to the original account.

Because this scheme requires a knowledge of bank's procedures for depositing checks, they think this was an inside job, done by someone who works or worked at a bank.

David Rogers

------------------------------

Date: Mon, 28 Mar 88 08:28:40 PST
From: goldstein%star.DEC@decwrl.dec.com (Andy Goldstein)
Subject: Notifying users of security problems

Klaus Brunnstein, University of Hamburg, Faculty for Informatics writes:

> Surprisingly fast, Apple Germany found out about the MacInVirus and informed
> its users by email with the following text (cited without permission):
> `A product manager in Apple Germany, Kurt Bierbaum (BIERBAUM1) has found a
> disk in Germany which destroys hard disks and the applications that run on
> them. [...]
> With this rather quick information, Apple reacted much faster than DEC did
> in 1987 when the missing CLOSE in the password control routine in its VMS
> 4.4/4.5 versions was detected, [...]

I would be more impressed with this comparison if Apple had (1) Notified all Mac users worldwide of this problem, and (2) included with the notification machine readable copy an anti-virus which one could install to defeat the virus. This would be more equivalent to what DEC did regarding the V4.4/V4.5 bug.

I do not know exactly what form of "email" Mr. Brunnstein refers to in his message, but for the sake of argument I will presume it to mean the various networks that join most academic and research institutions. For DEC, at least, such networks reach only a small percentage of its customer base. Sending out notice of a security problem to a subset of one's user base, even if the notice includes a correction for the problem, does a great disservice to the remaining users. (Sending out notice of the presence of a bug without a correction or workaround is of course even more irresponsible.)

A virus is most harmful when users are unaware of it (and thus take no precautions to prevent its spread). The seriousness of a security bug, on the other hand, is directly proportional to how far knowledge of the bug has propagated, because knowledge of the bug is what permits an attacker to exploit it. By informing a subset of one's user community, one spreads knowledge of the bug and thus raises the exposure to attack of the remaining users who are not yet so informed. For example, circumstantial evidence suggests that publication of the patch for the V4.4/V4.5 bug in INFO-VAX may have been the means by which the CCC learned of the bug's existence.

Only when all computer installations in the world are offered access at reasonable terms to ARPAnet, Bitnet, or their siblings will I be convinced that such electronic distribution is a fair and viable means of informing users about security problems. In the meantime, DEC must use its own means to reach all its users.

I do not for a moment mean to imply that DEC's response in 1987 is the best that we can do.
A number of mishaps of the sort that tend to befall large corporations conspired to delay getting the fix into all users' hands. Additional delays occurred with some customers in the form of the fix sitting on the wrong person's desk or other confusion. The difficulties in dealing with the V4.5 bug have gotten the corporation's attention in a serious way, and I think it's fair to say that should the need for a repeat performance occur, we will do a lot better.

- Andy Goldstein, VMS Development

------------------------------

Date: Mon, 28 Mar 88 11:11:32 EST
From: Chuck Weinstock
Subject: Entrepreneurial Viruses

An obvious next step in the virus business is to develop a virus, watch it spread, and then sell a vaccination and/or a cure at a high price.

------------------------------

Date: Thu, 24 Mar 88 11:54 CST
From: BANAWAN%houston.csnet@RELAY.CS.NET
Subject: Early viruses (RE: RISKS-6.48)

Commenting on Kevin Driscoll, if the first virus was:

    Move(program counter) program counter+1

I used a similar instruction all the time when my school was using IBM 1620. The instruction set of this machine operates on fields of arbitrary length. For those readers who do not know, there was no operating system. Furthermore, it was used exclusively by a single user. To have a fresh start, each time a new program is to run the memory is fully cleared by a statement that moves the field that starts in byte 2 to the field that starts at byte 3. This instruction was entered and executed by the operator from the console. The result can be seen at the panel: the memory is filled by zeros continuously. It was a quite legitimate (and highly recommended) thing to do before you run a new program.

Sayed A.
Banawan, University of Houston

------------------------------

Date: Thu, 24 Mar 88 13:20:39 -0500
From: fbaube@note.nsf.gov
Subject: Person-in-the-Loop Amendment Signed into Law

This from the Winter 1988 CPSR Newsletter:

The 1988 Defense Authorization Act, signed into law, had this amendment, sponsored by Dale Bumpers:

"No agency of the Federal government may pay for, fund, or otherwise support the development of command and control systems for strategic defense in the boost or post-boost phase against ballistic missile threats that would permit such strategic defense to initiate the directing of damaging or lethal fire except by affirmative human discretion at an appropriate level of authority."

For bureaucracy-watchers, the full citation is:

  National Defense Authorization Act for FY 1988-89 H.R. 1748
  Division A (Dept. of Defense Authorizations)
  Title II (Research, Development, Test, and Evaluation)
  Part C (Strategic Defense Initiative)
  Subpart 1 (SDI Funding and Program Limitations and Req'ts)
  Section 224 (SDI Architecture to Require Human Decisionmaking)

Not that a loophole mentality would be slowed a bit by this ..

#include

------------------------------

End of RISKS-FORUM Digest
************************