RISKS-LIST: RISKS-FORUM Digest Tuesday 24 May 1988 Volume 6 : Issue 90 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: "Man Charged with 'Infecting' Computers" (Steve Smaha) Automobile recall notice (Martin Minow) The Risks of Risks [Second-Order Friday the 13th Effects] (Mike O'Brien) Cash on the Nail (Betty Smith via Brian Randell) "Sciences & Vie Micro": BILLIONS (Franklin Anthes) Who watches the watchers? -- Southern Bell outage (Scott Schwartz) "The Bell System"; aircraft navigation systems (Steve Philipson) Hinsdale File (John Haller) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, ftp kl.sri.com, get stripe:risks-i.j ... . Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85). ---------------------------------------------------------------------- Date: Tue, 24 May 88 09:23 EDT From: Smaha@DOCKMASTER.ARPA Subject: "MAN CHARGED WITH 'INFECTING' COMPUTERS" Fort Worth, Texas (AP) 24 May 1988 A 39-year-old computer progammer is being prosecuted on felony charges of infecting his ex-employer's computers with an electronic "virus", and faces up to 10 years in prison if convicted. Donald Gene Burleson faces a charge of "harmful access to a computer," and is free on a $3,000 bond pending his July 11 trial. Police described the electronic interference as a "massive deletion" of more than 168,000 records of sales commissions for employees. Burleson is thought to be the first person charged under the state law prohibiting computer sabotage, which took effect Sept. 1, 1985, about three weeks before the alleged incident, said Davis McCown, chief of the Tarrant County district attorney's economic crimes division. [From Steve Smaha, Austin, TX] ------------------------------ Date: 24 May 88 19:36 From: minow%thundr.DEC@decwrl.dec.com (Martin Minow THUNDR::MINOW ML3-5/U26 223-9922) Subject: Automobile recall notice Abstracted from a notice that I received yesterday. "Volvo has determined that a defect which relates to motor vehicle safety exists in Volvo installed cruise control systems of 1986 and 1987 Volvo automobiles. "In laboratory tests, we have been able to induce a malfunction in the microprocessor of the cruise control unit. We have found that if the cruise control switch is left in the "on" position and the car's electrical system experiences a voltage drop, the cruise control may unexpectedly engage. We have also found that the application of the brake pedal and the movement of the switch to the "off" position cancels the malfunction. This cannot occur if the cruise control is in the "off" position. "We know of know cases where this has happened in normal driving, but we do not want a malfunction of the cruise control to contribute to an accident. Accordingly, we will replace the microprocessor of your cruise control at no charge to you...." A few observations: -- I'd really like to know how they discovered this -- was it by some programmer staring at the source code, or by testing in a design verification test chamber? The problem itself might make an interesting case study for a "software safety" seminar (assuming you can pry the details out of the manufacturer). -- A law (The National Traffic and Motor Vehicle Safety Act) does wonders for improving the quality of manufacturered goods. Would the problem have been discovered (and the roms replaced) if it weren't for this act? (Note: this is a voluntary recall from a manufacturer who advertises the quality of its cars.) -- "Microprocessor" is now a common English word. Martin Minow ------------------------------ Date: Mon, 23 May 88 09:57:23 -0700 From: obrien@aerospace.aero.org Subject: The Risks of Risks [Second-Order Friday the 13th Effects] We had what is, in retrospect, a fairly humorous occurrence here last Friday 13th. As most readers are no doubt aware by now, there was a rumor to the effect that a disgruntled employee of Sun Microsystems had planted a "logic bomb" (nature unspecified) in Sun's operating system, set to "detonate" on Friday 13th. [RISKS-6.83-84] This rumor hit our site only sometime on Thursday the 12th. As a precaution, and after some considerable thought, one of our chief systems team members decided to set all the clocks back so that the Suns in our network would think that Friday was Thursday. Imagine the surprise some of us got when we arrived at work on Friday morning to discover that the screens on our Suns were blank, dead, kaput, no response, zippola. This made us really wonder if perhaps there were some truth to the rumor. Well, no. Those of us with dead screens were the ones who run a Sun-supplied program called "screenblank" which turns off the video signal to the Sun screen after a certain period of inactivity. This program, after blanking the tube, goes into a sleep loop, waking every 1/4 second by default to check for keyboard and/or mouse activity. What had happened, of course, was that our screenblank programs were asleep when the date was set back by 24 hours. Since in UNIX, time is kept as an absolute quantity, the programs were now waiting for 24 hours plus 1/4 second before checking for activity. They had to be killed off and the video restored manually (running another "screenblank" did the trick). As I say, this is amusing in retrospect: in defending against a non-existent RISK, we created a real one, though minor. Risks don't even have to exist to cause real damage. Mike O'Brien, The Aerospace Corporation ------------------------------ From: Brian Randell Date: Tue, 24 May 88 21:42:26 +0100 Subject: Cash on the Nail >From Betty_Smith@UK.AC.NEWCASTLE Tue May 24 14:39:41 1988 DAEDALUS David Jones For years now, we have been told that the cashless society is just around the corner. Every shop will have a computer terminal; simply enter the transaction, validate it with your personal card, and the central computer will transfer the sum specified from your bank account to that of the shop. Wonderful! The reason why it doesn't happen is that fraud would be so easy. Card fraud is so widespread already that the banks daren't risk anything worse. But Daedalus has the answer. His new cash-card is unstealable: the user's own thumbnail. A nail has a smooth and uniform surface, and is transparent enough to let through the light from a laser. A small laser could bring a brief light pulse to a focus in the body of the nail, burning a tiny white mark that could easily be read, but would be protected from chance abrasion. A dot-matrix pattern of such marks could easily encode a financial transaction. A nail has no nerves so the process would be quite painless. Accordingly, the new Dreadco financial terminal has, besides a keyboard for entering the transaction, a thumb-port to admit the user's thumb. Every day a nail grows about a tenth of a millimetre. With laser dots about the size of those on a compact disc , this would give space for about ten new transactions. Over time the user will accumulate on his thumbnail a running financial statement showing all his transactions for the past few months. Each time he inserts his thumb into a terminal, the sytem will check that statement against its file. If everything matches, his identification is secure; the terminal accepts the new transaction and prints it below the previous ones. But if there is a discrepancy, it sounds an alarm and clamps down on the suspect thumb, trapping the fraudster until the police arrive! But suppose a bent manicurist manages to photograph a client's thumbnail, and uses it to construct a forged thumb? Even then, the fraud is risky. By the time the forged thumb is ready, the victim will probably have used the system again. The forgery will not carry this latest transaction: it will be detected and trapped by the terminal, for the police to study later as evidence. Daedalus' new thumbcard will impose financial prudence on its users. The spendthrift who fills his thumb up with wild transactions will soon be choked off by sheer lack of space. On the other hand, should he go down with mumps or measles (which arrests nail growth) bankruptcy would rapidly threaten. And secrecy is not really assured. Gigolos with magnifiers may shrewdly revive the old gallantry of hand-kissing: gypsy palmists will read both sides with great care; shady financial operators of both sexes may take to wearing opaque nail varnish. And a death in the family will have the sorrowing relatives hastily erasing the deceased's thumbs with a laser-scrambler, before some unscrupuous undertaker or body-snatcher can detach or copy them to filch their encoded legacy. The Guardian 24 May l988 ------------------------------ Date: Mon, 23 May 88 21:15:50 +0200 From: mcvax!geocub!anthes@uunet.UU.NET (Franklin Anthes) Subject: "Sciences & Vie Micro": BILLIONS (Re: RISKS-6.86) Organization: Greco de programmation, Bordeaux France >RISKS DIGEST 6.85 includes a brief excerpt translated from the >French-language "Sciences & Vie Micro" referring to chances of a crash >due to a software error: > "One chance in a million? Wrong! One chance in a billion and that > for each hour of flight!" The original was: "Je prends l'avion, quelle probabilite ai-je de m'ecraser au sol pour une erreur de logiciel? Une chance sur un million? Perdu! Une chance sur un milliard et par heure." So the translation was correct concerning the billion. I Looked in the dictionary and found out that billion actually has two meanings in French: one old and one new (talk about a RISK!). The old meaning is 10**9, and the new is 10**12, like you said. Anyway thank you for pointing out the possible ambiguities. Frank Anthes-Harper ....!ucbvax!decvax!uunet!mcvax!inria!geocub!anthes ------------------------------ Date: Tue, 24 May 88 04:46:11 EDT From: Scott Schwartz Subject: who watches the watchers? -- Southern Bell outage Relying on alarms, even with humans in the loop is sometimes not enough, it seems. The following article is from the Philadelphia Inquirer, 23 May '88, pA10. "Power Surge Knocks Out Telephone Service in N.C" UPI, Charlotte N.C. -- A mysterious power surge that went undetected for six hours knocked out telephone service to about one-fifth of North Carolina Saturday (May 21) night and early yesterday, forcing hospitals and police to rely on radio communications. ... The outage was caused by an apparent power surge of unknown origin that struck the central office of Southern Bell in Charlotte at about 11:30 a.m. Saturday. A skeleton crew at the office failed to notice alarms warning of the problem until the overloaded system failed about six hours later. -- Scott Schwartz schwartz@swarthmore.edu ------------------------------ Date: Mon, 23 May 88 11:44:02 PDT From: Steve Philipson Subject: "The Bell System"; aircraft navigation systems In RISKS 6.89, ihuxz!mfe@moss.att.com (Mike Eastman) writes: >As of Jan 1, 1984 the Bell System was abolished when the Justice Dept had AT&T >officially divest itself of the local operating companies. ... It has been three and a half years since divestiture and a lot of operational changes have occurred in that time. However, that Ill. Bell cable vault has probably been around a long time. Was it put in place and operated by the "Bell System" BEFORE divestiture? Did the Bell System originally place the primary and backup trunks in the same building? These questions have significance to RISKS in that we should find the roots of our technical errors in their design process and not simply lay blame on government decisions that we don't like. Has divestiture increased risk, or is it beginning to serve as a convenient whipping boy when something goes wrong? It's easier to point fingers at the other guy than to accept responsibility. We see this all the time in multi-vendor computer systems. No one want to accept blame when they can say it's someone else's problem. Of course, the users just want the system fixed! (It's not a hardware problem -- it's a wetware bug!) One more point on aircraft navigation systems: The concerns of depending on electrical power for navigation become insignificant for many new aircraft, as some cannot fly at all if there is total electrical system failure. In RISKS we've discussed the new Airbus jets. The opposite end of the spectrum is the new Mooney PFM. This single engine aircraft uses electronic ignition. It does have dual electrical systems and batteries, and a very low failure probability, but if total failure does occur, the pilot will be more concerned with landing his glider than navigating to a distant destination. ------------------------------ Date: Tue, 24 May 88 01:10:16 EDT Received: from tut.cis.ohio-state.edu by KL.SRI.COM with TCP; Mon 23 May 88 22:10:08-PDT From: jhh@ihlpl.uucp Subject: Hinsdale File (Re: RISKS DIGEST 6.89) Last Friday, May 20, there was a Chicago Tonight (1/2 hour show on PBS channel) that described the Hinsdale fire. Apparently, the fire alarms go off whenever there is a power failure. Since there was an AC power alarm at the same time as the fire alarm, it was assumed to be the source of the fire alarm. I personally would not be surprised if that was actually the case, and that the AC power went off as a result a short, which caused the fire. The diesels started automatically, and then failed within 10 minutes, causing another power and fire alarm. At this time, when the alarms were released (a manual operation), they did not re-occur, indicating only a glitch in the alarm circuits. The alarms are detected by a contact closure on the switch itself, and passed to the SCCS (Switching Control Center System) via a data link. Since the alarms were being received, the switch was obviously working, the prime concern of SCC personnel. Since the fire, the other three hub switches in Chicago are being staffed 24 hours a day, because of the vulnerability caused by Hinsdale not being in full operation. I can understand some of the logic behind not staffing offices on off-hours, as there is a large expense involved, particularly if all offices are to be staffed. Even assuming a day shift at all offices, another 3 shifts are required to cover the remainder of the week. At a typical salary of a craft person, that would be ~$120,000 per year per office. To staff 100 offices, at $12,000,000 per year, it is easy to see the decision not to staff compared to the cost of a new switch. Before Hinsdale, public utilities commissions probably would be likely to disallow those charges, as unnecessary. I also suspect that Hinsdale grew more by accident than by design into such an important part of the Chicago network. There has been tremendous growth in development in the western suburbs, along with subsequent growth in telecommunications. I seriously doubt that anyone in Illinois Bell ever did a worst case catastrophe analysis of their network. After all, it could have been a tornado destroying the entire building, rather than a fire destroying merely the contents. I am positive that there has never been a study by Illinois Bell of the effects of two simultaneous failures. John Haller, AT&T Bell Laboratories ------------------------------ End of RISKS-FORUM Digest ************************