RISKS-LIST: RISKS-FORUM Digest  Saturday 7 May 1988  Volume 6 : Issue 79

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Abuse of power by the press: PCs down BBall scoreboard clocks! (Richard Cook)
  Re: Is the Press impressing or depressing? (Les Earnest, Cliff Stoll, LE)
  KAL007 - the deafening silence continues (Clifford Johnson)
  Risks of auditing for risks (Doug Claar)
  Viruses and write-protection (Dennis Director)
  Harrier ejection-seat accident (Henry Spencer)
  Re: Military Aircraft Crashes in Germany (Henry Spencer)
  Risks of Halon to the environment vs. risks of other fire protection
    (Dave Cornutt)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, ftp kl.sri.com, get stripe:risks-i.j ... . Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Fri, 6 May 88 09:45 MDT
From: "Richard Cook, (303)492-2148, Data Analysis Center"
Subject: Abuse of power by the press: PCs down BBall scoreboard clocks!

During the Seattle SuperSonics and Denver Nuggets basketball game last night, 5 May 1988, officials encountered several problems with game clocks. Coverage in the Boulder, Colorado, `Daily Camera' of 6 May included the following item:

"CLOCK TROUBLES: Seattle Coliseum officials were wringing their hands Thursday night when the 24-second clock wasn't working when the game started. They finally got it going with 8:14 to go in the first quarter--but their troubles were far from over. With 8:06 left in the second quarter, the scoreboard clock went out. They got it going again with 6:54 left--but it went out again 30 seconds later and did not work for the rest of the half. The problem?
It seems the scoreboard circuits were on the same electrical line that the entire media corps was using to hook up their portable computers. And, the line finally overloaded and blew out the scoreboard. When Sonics officials discovered the problem, they frantically moved up and down press row, asking reporters to switch to battery power."

This is presumably reliable evidence of increased use of portables by the press since last year's playoffs...

------------------------------

Date: 04 May 88 1900 PDT
From: Les Earnest
Subject: Re: Is the Press impressing or depressing?

In RISKS DIGEST 6.71, Cliff Stoll reviews his experiences in running down a cracker and in dealing with the press. One of Cliff's remarks that caught my eye was the following:

> Instead of closing our doors to this bastard, we monitored and traced him
> for about a year.

I am curious about _why_ this was done. I agree that it is necessary to spend some time watching crackers to be sure that you understand their principal tricks, but once you have that information, I see no point in prolonging the game -- why not start slamming doors and harassing them off your system? You may not catch them, but you are likely to get rid of the problem and the drain on your time a lot quicker that way.

------------------------------

Date: Fri, 6 May 88 15:16:18 PDT
From: cliff@Csa5.LBL.Gov (Cliff Stoll)
Subject: Re: Is the Press impressing or depressing?

Just like Les Earnest, we at LBL take computer security seriously: we wish to keep our data intact, and we don't tolerate break-ins.

Our philosophies differ. Les slams his doors when he finds someone in his system. As outlined on page 490 of this month's CACM, remaining open to an intruder is a toughy.

We decided to go after such bastards intending to prosecute them. If they aren't arrested, we'll do our best to sue them [cf: Cal. Penal Code S. 502].
In this particular case, instead of a sophomoric prankster, we found a mercenary who apparently sold stolen information. He wasn't interested in games or academics -- he sought (and received) military data. Simply locking him out of our system would leave him free to roam around the networks, breaking into many other systems.

I believe we owe a debt to our community of Internet nodes. As in a neighborhood, each of us should report burglaries and breakins, and cooperate in nailing the SOBs. For this reason, we spent a lot of time on this work. Les disagrees, and sees it as a game, rather than a service to a community of networked computer users.

Most of your network partners won't detect a breakin. Most that detect won't follow up. A few will doggedly chase it down, and prosecute. We're in the latter category.

Cliff Stoll

------------------------------

Date: 06 May 88 1724 PDT
From: Les Earnest
Subject: Re: Is the Press impressing or depressing?

Regarding my question about why LBL didn't slam the door on their international cracker, Cliff Stoll says:

> Les disagrees, and sees it as a game, rather than a service to a community
> of networked computer users.

On the contrary, it is precisely because I do _not_ see it as a game that I do not wish to prolong it. Indeed, if Stanford spent as much as a week chasing down each cracker on its systems, it would be necessary to hire more programmers just to do that.

In fact, there _are_ several people around Stanford who spend large amounts of time programming special hacks to monitor crackers and then spending weeks or months observing their activities. For some reason, these people seem to be mostly reformed crackers. Perhaps they are reliving former exploits.

I _am_ sympathetic to Cliff's argument that this was not an ordinary cracker and deserved special treatment, but in general it may take quite a bit of work to distinguish such a person from J. Random Cracker.
Les Earnest

------------------------------

Date: Fri, 6 May 88 20:51:18 PDT
From: Clifford Johnson
Subject: KAL007 - the deafening silence continues

   From: Don Wegeng

   In regards to the continuing debate in RISKS about the KAL007 incident, it appears that one side of the argument is putting all of its faith in the version of the story reported in the book "Shootdown". It seems to me that you are always at RISK when you choose to put all of your faith in a single source, be it a pressure sensor in an engine, the phone company's billing system, an elected official, or a book about an aircraft that was shot down.

      [... and the OTHER side of the story is putting its faith on information that is all derived from one set of interrelated sources??? PGN]

Re Shootdown versus other books on KAL007, I don't think faith comes into it. All the varieties of hypotheses and facts I've seen in other books are discussed in depth (with source references) for all facts in Shootdown. This is not true of the other books, which by comparison cannot be taken anything like as seriously. Shootdown provided some 700 citations (some of which I checked out and found accurately stated) and weighed the facts without reaching a definite conclusion other than that an inquiry was warranted. Hirsh, without citations, and without adding any significant new facts, told a silly story based on a rather small subset of the facts that suited his flagrantly unjustified assertion, delivered as fact, that KAL007 was not a spy flight.

Shootdown covered pretty much every point that Hirsh made, whereas Hirsh made *many glaring* omissions. Hirsh spent ages recounting a route dismissed by Shootdown (Ewing's version), and chose to ignore most of the evidence that pointed to espionage. (Sure Shootdown had a few mistakes, but nothing crucial.)
Hirsh made a huge fanfare of the fact that the administration falsely asserted that it thought the Soviets knew KAL007 was a passenger flight, a deception admitted a couple of years before Hirsh's "revelations."

   From: Nancy Leveson

   "During the first six months of 1978, 16 flights were observed off track by more than 50 miles, while eight were spotted by coastal radars 100 miles or more off track. The three greatest cross track errors were 180, 400, and 700 miles."

   I believe the KAL007 flight was 250 miles off track, which is within the bounds of previous incidents that were assuredly accidental. I have no data to determine whether navigation errors are more or less frequent or have a different average size over the North Pacific as opposed to the North Atlantic.

I think KAL007 was about 365 nautical miles off course. I find it astonishing that the contrived possibility that KAL007 could have been accidentally off course is interpreted as proof that this was the case, and so the espionage possibility is eliminated without even considering its affirmative evidence. I'm sure that the mere fact that other air flights have been off course is not a valid comparison. The other flights seem to have been over the ocean, whereas KAL007 passed over obvious-to-radar mountain-islands (it wasn't supposed to) and made consecutive course changes, all "incorrectly."

How many of the other off-course flights were delayed due to favorable winds shortening the anticipated flight time, yet signed for additional fuel and rejected paying cargo, and then began flying unusually slowly, and then had their false positions relayed by a follow-on flight (KAL015)? Far from being delayed due to the same favorable winds, KAL015 took off six minutes *early* and proceeded so fast that its Mach buzzer would have sounded had it not been switched off.
Facts such as KAL007 being ordered to report directly are suppressed by Hirsh, who simply tells us that no one was concerned at KAL007's not reporting its own position. Hirsh doesn't mention the weird speed patterns of both flights, nor think it worth mentioning that KAL007 and KAL015 were using the wrong transponder codes, nor that the Japanese radar tapes reported KAL007 dived when it requested permission to ascend, nor that this maneuver improbably occurred after hours of radio silence, immediately the Soviet pilot reported having established a lock on KAL007... etc. As I've said, Shootdown should be read for a review of the quite astonishing indications that KAL007 was on a deliberate mission, and for an account of the inadequacy of computer-pilot errors for the actual route.

KAL007 "accidentally" overflew the Soviets' second largest submarine base. I believe the world record for an off-course flight occurred in 1978, when a KAL flight was 1,000 miles off-course, "accidentally" flying over the Soviets' largest submarine base (Murmansk). The alarm was sounded by passengers noting the sun was on the wrong side of the plane.

Hirsh writes of his "one basic finding of the book, that the Korean airliner was not a spy plane... The publication clearly diminished the zeal of those public interest groups that had been insisting Flight 007 was deliberately sent over the Soviet Union." Hirsh's major finding is relegated to a footnote, that dismisses the espionage hypothesis on the ground that his unnamed intelligence sources had not heard of the flight in advance. Not only a slender reed for such a conclusion, but an invisible reed. Hirsh does not address the merits of those like me and R.W.Johnson who admit grave doubts and ask for an inquiry. He seems to think his silly book is gospel. I am left wondering whether he deliberately left out key evidence, or whether he is as bad an investigative journalist as his KAL007 book demonstrates.
Hirsh himself found a conspiracy to cover-up the facts of KAL007's shootdown. I think that PGN's tentative suggestion that the matter might still be incompletely unravelled simply cannot be denied - at least until a public inquiry is instigated.

------------------------------

Date: Fri, 6 May 88 17:09:34 pdt
From: Doug Claar
Subject: risks of auditing for risks...

Our site recently underwent corporate audit. Among the things checked for was pirated PC software. In preparation for this audit, our local EDP folks ran a little program which looks at program files on the hard disk, and attempts to figure out what products they represent. This introduced some risks to the local computing community:

First, the program only checks program names against its database, and not sizes or checksums or... In addition, if any one file of a product is recognized, the user is assumed to have that product. Needless to say, there were lots of false positives. Since EDP had the secretaries running the program, there was lots of "Do you have master floppies for X?" "No, I don't have X on my disk." "Well, you have to get rid of it, because this says you have it."

The second risk was potentially much more devastating--the secretary brought around a floppy, stuck it in 'your' system, and ran the program. Of course, you have relatively little choice in the matter, since it IS the company's PC. The program was designed to dump its output back onto the floppy, so the floppy wasn't write protected! (I didn't even think of this until after my system had been checked). All I could do is hope that, if anyone had a virus on their PC, their system was tested AFTER mine...

Doug Claar, HP Information Software Division
UUCP: { ihnp4 | mcvax!decvax }!hplabs!hpda!dclaar -or- ucbvax!hpda!dclaar

------------------------------

Date: Thu May 5 16:40:20 1988 CDT
From: Dennis Director
Subject: Viruses and write-protection

Enough is Enough!
Regarding the effectiveness of hardware write-protection for protecting the operating system and programs from computer viruses, I offer the following challenge:

I have an XT-compatible computer with DOS 3.2 and all of its utilities and programs in the write-protected portion of the hard disk. I invite both Dr. Fred Cohen of the University of Cincinnati and William Murray to come to my office at the Technology Innovation Center, Northwestern University with the press or any other mutually agreed upon reliable witness. I also invite them to bring along any or all virus infected programs that they have collected or written for the occasion.

I am (100%) sure that none of these programs will modify my boot block, my partition table, the operating system files or any of the DOS programs (.COM or .EXE) stored on my hard disk, which will be hardware write-protected. A scratch area of the hard disk will be writeable at all times. Simply copying a Trojan Horse into the scratch section of the disk, should obviously not be considered "infecting my system".

Since Dr. Cohen has stated that "you cannot write protect lotus, etc because of copy protection" we will also have a copy of Lotus 123 installed and working in the write-protected section, as we have had for almost two years. This will be a fully legitimate copy-protected installed version of 123. It runs perfectly from the write-protected zone and cannot be infected.

Why go on debating that which can be simply demonstrated? Seems like a fair offer to me!

Dennis Director

------------------------------

Date: Fri, 6 May 88 15:49:10 EDT
From: mnetor!utzoo!henry@uunet.UU.NET
Subject: Harrier ejection-seat accident

A while ago I mentioned the incident in which a Harrier pilot was apparently pulled out of his aircraft after the parachute-deployment system on his ejection seat fired through the canopy. Flight International just printed a summary of the final report on the accident.
The problem does indeed appear to have been an accidental firing of the parachute-deployment system, which is powerful enough to punch its way through the canopy. The question is why it fired. The Harrier flew west on autopilot until it ran out of fuel, and went down in deep ocean; the wreckage has not been located despite an extensive search. (The general nature of the accident is known because air traffic control, after being unable to raise the pilot, had another aircraft take a look.)

The inquiry came up with three hypotheses. In the absence of wreckage, there is no way to be sure of the answer. However, two of the hypotheses require multiple errors and/or multiple failures. The third is considered most plausible: if the seat was lowered, and there was a foreign object underneath it in just the right place, a connecting linkage on the seat's underside could have been bent enough to fire the deployment system. The Harrier cockpit equipment includes a utility light on a coiled cable; it is strong enough and large enough to have done the trick, and could have ended up in the right place if it fell off its bracket. Also, there is reason to suspect that the pilot may have lowered the seat at about the right time: he was to perform some tests that required a clear view of the instrument panel, and he was flying into the setting sun, so once he was flying safely on autopilot he might well have lowered the seat for a better view of the panel.

Martin-Baker, manufacturers of the ejection seat (with a generally very high reputation for quality products), are adding a guard over the linkage. (I'm a bit surprised that this wasn't done in the original design; somebody assumed that the cockpit was a controlled environment in which such things couldn't happen.) The utility lights have been removed from the Harriers until this is done.
Henry Spencer @ U of Toronto Zoology
{ihnp4,decvax,uunet!mnetor}!utzoo!henry

------------------------------

Date: Fri, 6 May 88 15:30:26 EDT
From: mnetor!utzoo!henry@uunet.UU.NET
Subject: Re: Military Aircraft Crashes in Germany

> ... The press says that, in each case, a much worse disaster was only
> narrowly avoided ... The crashes occurred just down the flight path from:
> a nuclear generating station, a munitions dump, and an inhabited village.

I can't speak for the munitions dump and the village, but nuclear-reactor containment buildings are deliberately designed to survive a direct hit from a crashing airliner (not as fast as a military jet, in general, but much, much heavier).

> In all, 35 military aircraft have fallen out of the skies here since 1960. I
> have no idea how this compares with other countries.

I don't have regional numbers on such losses, but even peacetime military flying is much more dangerous than most people think. Flight International regularly publishes flight-safety reviews that list all known crashes and related incidents; the annual military safety review, at one line per occurrence, typically covers a couple of pages.

Henry Spencer @ U of Toronto Zoology
{ihnp4,decvax,uunet!mnetor}!utzoo!henry

------------------------------

From: dkc%hotly%ihnp4%mtune@mtunx.att.com
Date: Wed, 4 May 16:09:52 1988
Subject: Risks of Halon to the environment vs. risks of other fire protection

Due to the recent concerns about depletion of the atmosphere's ozone layer, there is a possibility that manufacture and sale of certain fluorocarbons may be banned or severely restricted by international treaty. One of these fluorocarbons is Halon. So, we have to weigh the risks of environmental harm caused by Halon against the risks posed by other types of systems.

What exactly are the environmental risks of using Halon? The questions here are:

1. Does Halon disassociate in the upper atmosphere and produce ozone-destroying free radicals, like Freon does?
(I suspect that it does, as they're chemically similar.)

2. How much Halon is discharged into the atmosphere each year? Of the total amount of fluorocarbons which escape into the atmosphere, what percentage of it is Halon?

3. Does this environmental threat outweigh the risks to property and humans posed by other systems? (Halon does not conduct electricity, interfere with respiration, lower the room temperature, leave a solid residue, or lower the room temperature on discharge. All other systems -- water, CO2, nitrogen, dry chemical, etc. -- have at least one of these undesirable properties.)

If Halon were banned, what fire protection system would you use? Is its use a serious RISK, or is there a greater RISK in not speaking up for it?

Dave Cornutt, AT&T Bell Labs (rm 4A406,x1088), Holmdel, NJ
UUCP:{ihnp4,allegra,cbosgd,moss,genesis}!hotly!dkc
"The opinions expressed herein are not necessarily my employer's, not necessarily mine, and probably not necessary"

[See previous discussions on this subject in RISK-5.27 and 28. PGN]

------------------------------

End of RISKS-FORUM Digest
************************
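
The false-positive problem in Doug Claar's message ("risks of auditing for risks"), as an added example that is not part of the original digest and is not the audit program he describes: name-only matching flags a product from any single file name, while matching on name, size and SHA-256 and requiring all of a product's files does not. The product names, file contents and paths are constructed for illustration.

```python
import hashlib
from collections import defaultdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reference copies of two hypothetical products.
PRODUCT_FILES = {
    "SpreadCalc": {"SC.EXE": b"spreadcalc main binary",
                   "SC.HLP": b"spreadcalc help text",
                   "INSTALL.EXE": b"spreadcalc installer"},
    "WordPro": {"WP.EXE": b"wordpro main binary",
                "SETUP.EXE": b"wordpro setup"},
}

# Signature database: file name -> (size, SHA-256) for every product file.
SIGNATURES = {
    product: {name: (len(data), sha256(data)) for name, data in files.items()}
    for product, files in PRODUCT_FILES.items()
}

# Constructed disk contents: WordPro is really installed; two unrelated files
# merely share names with SpreadCalc files.
DISK = {
    "C:\\TOOLS\\INSTALL.EXE": b"unrelated shareware installer",
    "C:\\UTIL\\SC.HLP": b"notes kept by a different tool",
    "C:\\WP\\WP.EXE": b"wordpro main binary",
    "C:\\WP\\SETUP.EXE": b"wordpro setup",
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].upper()


def audit_by_name(disk: dict) -> set:
    """Behaviour described in the message: one matching file name flags the product."""
    names = {basename(path) for path in disk}
    return {p for p, sigs in SIGNATURES.items() if names & set(sigs)}


def audit_by_content(disk: dict, min_fraction: float = 1.0) -> set:
    """Flag a product only if enough of its files match on name, size and hash."""
    matched = defaultdict(set)
    for path, data in disk.items():
        name = basename(path)
        for product, sigs in SIGNATURES.items():
            if sigs.get(name) == (len(data), sha256(data)):
                matched[product].add(name)
    return {p for p, names in matched.items()
            if len(names) >= min_fraction * len(SIGNATURES[p])}


if __name__ == "__main__":
    print("name-only audit flags:", sorted(audit_by_name(DISK)))
    print("content audit flags:  ", sorted(audit_by_content(DISK)))
```
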