RISKS-LIST: RISKS-FORUM Digest  Thursday 12 May 1988  Volume 6 : Issue 83

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Time-bomb warning: SunOS may have one set to go off TOMORROW! (Dave Platt [2], PGN)
  A reminder on listening to the boy who cried wolf! (PGN)
  Report on the Northwest crash in Detroit (PGN)
  CCC informs on `Virus Jerusalem'; valid threat? (Klaus Brunnstein)
  `Virus Epidemic Center' at Hamburg University (Klaus Brunnstein)
  Risks and Risk Reporting (Elizabeth D. Zwicky)
  Hawaiian Tel and HISS -- the Hawaiian Islands SysOp Society (Todd South)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, ftp kl.sri.com, get stripe:risks-i.j ... .
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Thu, 12 May 88 14:36:05 PDT
From: dplatt@coherent.com (Dave Platt)
Subject: Time-bomb warning: SunOS may have one set to go off TOMORROW!

Our site administrator has just received notice of what's said to be a "confirmed rumor" that there is a time-bomb buried in some current versions of SunOS (the Sun variant of Unix). This time-bomb is reported to be set to trigger tomorrow (Friday the 13th).

It was suggested that we should either shut down our Sun systems tomorrow, or alter the date so that the time-bomb doesn't go off. As we don't know whether the bomb is of the "go off on the 13th" or "go off on or after the 13th" variety, it would seem safest to set the system clocks back rather than forwards.

We have no details at this time about the content of the time-bomb.
The call to our administrator did not come from Sun, but from one of her contacts at another Sun customer's site; it was of the "We thought you should know... more details soon" variety.

It is possible that this rumor, although "confirmed", is actually mistaken or is a hoax. So, I apologize in advance to everyone everywhere if this alert turns out to be a false alarm.

I'll mail updates when and as I receive them.

Dave Platt  VOICE: (415) 493-8805

------------------------------

Date: Thu, 12 May 88 15:25:28 PDT
From: dplatt@coherent.com (Dave Platt)
Subject: Followup to SunOS time-bomb alert

Within the past 20 minutes, I've spoken to two people in Sun's tech-support department. They report the following:

- They have been running extensive experiments on their in-house machines, attempting to detect any signs of a "Friday the 13th" time-bomb. So far, there has been "absolutely no sign" of any such time-bomb.

- They have no information that leads them to believe that any such time-bomb exists in the code.

- They're not sure where the rumor of the time-bomb originated. It appears to have first "broken" at about noon PDT (3 PM EDT), and has spread with extreme rapidity. One of the people to whom I spoke indicated that he has spoken with "at least 30" contacts across the country.

- There have been no reports from Australia or Japan (where it's already Friday the 13th) that would indicate the triggering of any time-bombs.

So... at this point, it appears likely that the "Friday the 13th time-bomb" rumor is just that... a rumor with no facts behind it.

Dave Platt  VOICE: (415) 493-8805
USNAIL: Coherent Thought Inc.
3350 West Bayshore #205 Palo Alto CA 94303
UUCP: ...!{ames,sun,uunet}!coherent!dplatt  DOMAIN: dplatt@coherent.com
INTERNET: coherent!dplatt@ames.arpa, ...@sun.com, ...@uunet.uu.net

------------------------------

Date: Thu 12 May 88 17:28:34-PDT
From: Peter G. Neumann
Subject: Re: Followup to SunOS time-bomb alert

Private net communications from Werner Uhrig and chuq@Sun.COM (Chuq Von Rospach) and spaff@purdue (Gene Spafford) confirm that as far as any one can tell, the rumor is totally unfounded, but that Sun is taking this very seriously. (By the way, I know that several computer companies routinely run their systems with the clock advanced in an effort to detect time-bombs in the official products.) Serious concern about the rumor is reported within the U.S. government.

No one has yet been able to identify the source of the rumor, although it could have easily been someone's confusion with the alleged Israeli time bomb, also scheduled for 13 May but presumably defused by now. (Rumors sometimes do have a thread of reality behind them.) And, after all, as Werner noted, it is Friday the 13th -- which is sort of an imitation April Fool's Day.

Starting rumors is a commonly used technique to attempt to damage the competition, or to test public reaction. It also provides a mask for the perpetrator of the real thing to hide behind. [See the next item!]

------------------------------

Date: Thu 12 May 88 13:38:13-PDT
From: Peter G. Neumann
Subject: A reminder on hearing the boy who cried wolf!

Security personnel in the First Interstate Bank tower in Los Angeles apparently reset the smoke alarms that went off at the beginning of last Wednesday's fire, believing that this was another in a recent string of false alarms. They also sent maintenance engineer Alexander John Handy to investigate the alarms. (He died in the elevator.) At least seven minutes were lost until three phone calls came in to 911 from outside the bank.
Although this is not computer related, the lesson is clear: mere presence of false alarms must always be considered as a potentially serious system problem. [SF Chron, 11 May 88, p.A8]

------------------------------

Date: Thu 12 May 88 13:35:41-PDT
From: Peter G. Neumann
Subject: Report on the Northwest crash in Detroit

The National Transportation Safety Board officially blamed the crash last August (killing 156) on pilot error. They also acknowledged the contribution of the audible warning system, which did not go off because power to it had been cut, and which should have alerted the pilots that the flaps were not set properly. They were unable to determine whether a circuit had been pulled by the pilots or maintenance workers, or if the alarm had simply failed. [SF Chron, 11 May 1988, p.A5]

------------------------------

Received: from RELAY.CS.NET by KL.SRI.COM with TCP; Tue 10 May 88 09:08:14-PDT
From: Klaus Brunnstein
Subject: CCC informs on `Virus Jerusalem'; valid threat? (Re: RISKS-6.80)

Members of Computer Chaos Club have informed German public authorities that a version of `Jerusalem Virus' has invaded public PCs. These authorities have asked some Computer Security experts, but up to now, there is no evidence of such an epidemic. Can anybody else help to verify or falsify this?

In this context, the following information from a CCC insider may become interesting: the arrest of CCC leader, Mr. Wernery, who is the virus expert of his organisation, has heavily upset CCC's members; some younger guys evidently plan a `revenge action'. Since the chances to invade German public computers are rather restricted, due to missing links to publicly accessible networks, they may try to distribute `interesting' programs (games, text processors, DTP, databanks) infected with a virus with `retarded activation'. According to good information sources, such activities are discussed but I have no insight that they have decided and begun action!

------------------------------

Received: from RELAY.CS.NET by KL.SRI.COM with TCP; Tue 10 May 88 09:08:14-PDT
From: Klaus Brunnstein
Subject: `Virus Epidemic Center' at Hamburg University (Re: RISKS-6.80)

As a consequence of growing concern of economic and public organisations in Fed.Rep.Germany, we are establishing in Hamburg, together with scientific staff and some 20 students, a `Virus Epidemic Center' aimed at testing any new virus as well as producing and testing `hygienic software' to detect and eliminate `infections'. We focus our work on PC (DOS) and PS (OS-2), Amiga, ATARI and MacIntosh.

We plan to establish a formatted description distributed electronically (and available to RISK FORUM directly or by reference, depending on PGN's moderation), and to publish a (German) book on "Viruses, and how to fight them" covering our tests. We are interested in any exchange of information and experiences.

Klaus Brunnstein
University of Hamburg
FRG

------------------------------

Date: Wed, 11 May 88 17:14:27 EDT
From: zwicky@pterodactyl.cis.ohio-state.edu (Elizabeth D. Zwicky)
Subject: Risks and Risk Reporting

Risks have been on our minds a lot here recently. We're in a bad security position as a heavily networked educational site. This quarter we have some 500 students (all in Computer and Information Science) using Sun workstations. Probably 400 of them know barely enough about UNIX to do the work. Another 90 know enough to fool around, but are basically harmless. Those last 10 students are a real problem, though.

We implement a little more security every quarter. We started by making the client Suns unable to touch any of the disk as root. Then we modified the boot sequence so that it will not simply dump you into single-user mode if interrupted, but will ask for the password first. This quarter we modified the programs that allow you to become the superuser so that they only work for users in specific groups and also log extra attempts.

While we were doing all this, we were of course merrily creating other security holes we didn't know about. The one that just came to our attention had to do with a screen saver. The students here run the X window system, and there is a program that is not advertised to them but is available called "xsecure" which blanks the screen to black and bounces a little lock around it until you type your password at it. Earlier, in one of our less security-minded moments, we added to xsecure a feature we had come to know and love in the SunView version of the program, where you can type the root password as well as the user password to clear the lock. This allowed us to easily and non-destructively clear locks. Students are not supposed to lock screens for more than a few minutes, since we are rather short of Suns.

As a stick-in-the-mud, I stuck to my old violent method of just rebooting the Sun. Turns out that this was a good thing, as a clever student trojan-horsed xsecure. His program looked just like xsecure, but stored the password. He just set it running and left, sure that an operator would come by and unlock it eventually - and one did. Everybody now uses my method.

Then, the CACM got here. Several people asked, on a public newsgroup, whether we had the mentioned Gnu Emacs bugs. Fact is, we don't. I can't imagine what possessed them to ask on cis.general, however. Did they think we were going to say that we did have the bugs? Some security improvement that would be!

Elizabeth Zwicky

[I presume you are referring to Cliff Stoll's article in the May 88 CACM? PGN]

------------------------------

Date: Mon, 9 May 88 06:00:26 HST
From: tsouth@pro-pac.cts.com (Todd South)
Subject: Hawaiian Tel and HISS -- the Hawaiian Islands SysOp Society

Recently, Hawaiian Tel has gone on the local news and stated that they want to change the laws so that ALL computer BBS's will have to have business lines and become actual businesses!
This is the result of a recent person in the community deciding that he would become a universal watchdog for the Hawaiian area BBS's. After sending intimidating letters to Hawaiian Tel, the Star Bulletin newspaper, all local military commanders, and to the sysops of a large number of local systems, this person finally sparked Hawaiian Tel into action.

The telephone company has been badgering people with claims of false service and threatening them with federal prosecution if they do not change their lines to business service RETROACTIVELY to the first day the phone line was installed! Their (HTel) basic claim is that even if you have a BBS listing on your system that does nothing but list the phone numbers of other local area BBS's you are advertising. If someone on your system says, "hey I want to sell this extra CP/M board I have", you (as a sysop) are running a business. To this effect there have also been claims of tax evasion and other illicit activities with no founded proof.

But, it is all a bad situation that has caused a number of us to band together into an association of sysops in Hawaii so that we may have a large base of people and financial backing in case this thing comes down to lawyers. The following is the official notice that is being published around Hawaiian systems.

--------------------------------------

First off, my name is Toni Hinton (aka "avatar") and my husband Stan and I run The Restaurant... BBS.
I'm not sure how much of the garbage going on you're aware of -- the letters "reporting" SysOps to HawTel for running "businesses" on residential lines; letters supposedly sent to local TV stations and newspapers; letters to the Provost Marshals of military bases and military SysOps' commanding officers suggesting they be reprimanded for their "illegal and fraudulent activities"; the anonymous letters of some months ago suggesting that it was impossible and risky to run a BBS no matter how responsible the SysOp might be; and other actions whose apparent aim is to cause difficulty (both personal and legal) and strife in the BBS community here. I say it has to stop!

I've been approached by several local SysOps who have been told by others that I have the "straight dope" on the situation. I don't; but from each person I've spoken to I've learned more, and I know enough now to have a pretty good grasp of the situation. I also have my suspicions as to who has been waging this campaign, but nothing I can prove as yet. It's a safe bet (I think) that it's someone within the BBS community, either a current or former SysOp.

A lot of ill will, misinformation, and fear has been spread by this person or persons, and outside forces are also coming into play. You're probably aware that in many cases the "outside world" considers us all unprincipled, lawless "hackers" -- stories in the Star-Bulletin recently have only confirmed this view with their emphasis on BBSes used to further "kiddie porn" and unlawful access to credit companies, banks, telephone companies, and classified government information.

It's time for Hawaiian SysOps to band together to communicate with each other and to begin policing our ranks from internally before someone from the outside, with little understanding of what it is to be a SysOp, does it for us. To this end, the two of us and some other SysOps we are friendly with are working to organize "HISS" -- the Hawaiian Islands SysOp Society.

Membership in HISS will be open to any Hawaiian SysOp with a BBS currently active; whether commercial or hobby, public or private. HISS will give a chance to meet fellow SysOps, talk, get to know each other and hopefully be able to be prepared if another troublemaker tries his/her tricks. Our best weapon is our strength as a group and communication in that group, and we haven't made much of an effort to utilize that weapon. Ironic, isn't it, when the purpose of BBSes is to facilitate communication?

Right now, HISS is just a handful of us working as a sort of "board of directors" to get it off the ground. As such, I haven't much to report on our progress. Our first board meeting will be early this week, and we'll try to hammer out a few rough guidelines -- meeting dates, times, location, all the niggling details of getting a large group of people together. We will do our best to keep you informed of our progress.

To this end, I would appreciate it if you could set up an account on your system for us to communicate with you. It needs to only have email or feedback privileges so that we may leave messages to you. Use the account name of HISS (if a last name is necessary, as it is on our TBBS system, use a period) with the password of "grumpy".

You may also contact us via The Restaurant at (808) 499-1101 (24 hours, 3-2400 baud), where we have set up an account for visiting Sysops under the name of "Visiting SysOp", password "howdy" (all lower case, TBBS considers lower case different from upper case). Look under the Bulletin Board menu for "The Lounge" which is our visiting SysOp message base. All updates and details will be posted there. We may also be contacted voice at (808) 499-3158 between 10am and 10pm.

Thanks for your attention and we hope to see you at the first meeting of HISS in the very near future.

Toni

------------------------------------------

To this end, an account has been set up on my site, Pro-pac, to facilitate mail from the 'net' at large on this subject. If you have any comments on this, or would like to learn more about the results of this situation as they develop, please send mail to hiss@pro-pac.CTS.COM and it will be forwarded to the appropriate people.

Thanks for the soapbox, and any support you may provide.

Todd South

UUCP: {nosc, ihnp4, cacilj, sdcsvax, hplabs!hp-sdd, sun!ihnp4} ...!crash!pnet01!pro-simasd!pro-pac!tsouth
ARPA: crash!pnet01!pro-simasd!pro-pac!tsouth@nosc.MIL
INET: tsouth@pro-pac.CTS.COM - BITNET: pro-pac.UUCP!tsouth@PSUVAX1

------------------------------

End of RISKS-FORUM Digest
************************