RISKS-LIST: RISKS-FORUM Digest  Thursday 16 June 1988  Volume 7 : Issue 8

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  New Jersey wants computer audit trails disabled (Joe Morris)
  Bunkers (C H Longmore)
  More on Blackhawk helicopter (Dave Horsfall)
  Root typos (Ken Yap)
  Costs/risks of impregnable telephone booths (Geoff Goodfellow)
  Science, Journalism, and Whistle-Blowing (HENRY SPENCER)
  Shrink Wrap (BILL MURRAY)
  Hard-disk risks from vendors (Jerry Harper)
  An old CTSS virus (Tom Van Vleck)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
PLEASE use a relevant "Subject:" line, not just "RISKS DIGEST i.j...".  THANKS.
For Vol i issue j / ftp kl.sri.com / get stripe:risks-i.j ... .
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Wed, 15 Jun 88 15:08:42 EDT
From: Joe Morris (jcmorris@mitre.arpa)
Subject: New Jersey wants computer audit trails disabled

From _Computerworld_, 13 June 1988, p. 4 (without permission, of course):

   CASINOS FIGHT PLAN FOR COMPUTER ACCESS

   Atlantic City -- In a major dispute over government access to corporate
   computers, 11 Atlantic City casinos are fighting a proposal by the New
   Jersey Division of Gaming Enforcement (DGE) to obtain direct access to
   casino computers for investigations.

   Unfettered computer access is necessary to fully investigate and regulate
   casino operations, DGE officials say. [...]

   The casinos have been joined in their battle by privacy experts, who say
   the proposal would set a dangerous precedent by allowing government agents
   to go on secret "fishing expeditions" through business computers.

   Public comments on the proposal are due this week.
   [discussion of parallel paper-and-electronic records, due process
   requirements, etc...]

   The proposed regulation, published last month and pending before the
   state's Casino Control commission, would require the licensed casinos to
   provide DGE investigators with inquiry-only access to ALL [emphasis
   supplied] computer records.  The requirement would have the following
   conditions:

   * The New Jersey casinos must provide the DGE with an on-site terminal and
     the capability to make printouts.

   * DGE personnel must be given "reasonable privacy in which to conduct such
     inquiries."

   * Casinos may not track or monitor the DGE inquiries, and casino computers
     must be programmed to preclude any such tracking.

   * Casinos may request a log of DGE inquiries that shows the general
     category of information examined and the time of the inquiry.

   * Each casino must train DGE personnel in the use of its computer system.

   [The DGE tried to get this done four years ago but was blocked by a court
   order requiring extensive hearings.  DGE changed the procedures under which
   the demands were made, prompting] an April 7 filing by 11 of the 12
   Atlantic City casinos [which] raised numerous objections and argued that
   the new proceeding defies the 1985 court order.

   [discussion of the loss of audit trail info for inquiries, which would make
   it impossible for anyone to know if compromised information had been leaked
   by a DGE employee or someone else.]

Wow.  Regardless of one's stand on how deeply the Mob owns the casinos, you've
got to wonder just who if anyone at DGE knows how to spell "Computer
Security".  After we've been careful to build security audit capability into
systems (and screaming about how dumb designers of the older systems were for
not doing so), now comes DGE with orders to shut them down.

Anyone want to give some odds on some other part of DGE filing charges against
the casinos for failing to maintain an audit trail of access to the detailed
profiles they keep of the high rollers?
Disclaimer: the odds are very high that you won't be able to show any link
between yours truly and any casino or the DGE, mainly because there isn't any.
Of course, we all know how easily computer records can be changed...

------------------------------

Date: Wed, 15 Jun 88 19:23+0100
From: C H Longmore
Subject: Bunkers

The following is from The Independent of 15th June 1988, reproduced without
permission.

* * * *

COUNCIL WAR BUNKERS HIT BY COMPUTER PROBLEMS

The Home Office has suspended installation of a critical part of the
Government's wartime communications network, a multi-million pound
computerised link-up for local authority bunkers.

A national programme for the installation of the County Message Switch system
was halted at the end of March because of "Software Problems".  The Home
Office confirmed yesterday that the software was still being tested.

One county emergency planning officer has privately described the situation as
"an absolute botch-up".

Bunkers in Lancashire, North Yorkshire, Cornwall and Somerset have been
affected by the delay following extensive teething problems encountered during
a pilot installation in Bedfordshire.

It is understood that the system's memory specifications are so limited that
district computers can only take about eight messages before previous files
are automatically deleted.

One source said yesterday that the Home Office had suggested that punctuation
and spaces should be left out of messages in an attempt to avoid overloading
the system.  But there have been complaints that this would make messages more
difficult to decipher.

There are also complaints that because of a lack of back-up batteries, a power
cut would result in the computer system's entire memory being automatically
wiped out.
[Note: bunkers have their own generators, but EMP from a nuclear airburst could
easily disrupt the supply]

* * * *

[Note: In the UK, the Civil Defence plans in time of war are to keep the
population in the towns and cities where they live, and devolve power to
Emergency Regional Seats of Government if central Government is
incapacitated.]

One of the thoughts that occurred to me was this:

Why upgrade from teletypes to a new [?] computer system?  After all, the
message capacity of a teletype is that of the roll of paper attached, and they
don't need rebooting after a power failure.  You can also read them in the
dark by using a torch.  If you were getting really technical you could use an
incoming teletype, and outgoing terminal/teletype.

And another one was:

Upgrading this sort of computer system is very dangerous.  The more complex
the technology involved (ICs, DRAMS, Magnetic Media etc) the more prone it is
to damage from ElectroMagnetic Pulse from Nuclear Weapons, fluctuations in the
generator supply and other adverse operating conditions.  A simple teletype is
less technologically advanced and therefore probably *more reliable* in these
conditions.

And finally:

Is this going to end up as another Nimrod fiasco, where the UK government
spends millions of pounds on a system, and then scraps it and buys from the US
instead?

-- -- --
C H Longmore: CCAse7-16%bham.ac.uk@cunyvm.cuny.edu

------------------------------

Date: Fri, 10 Jun 88 16:42:13 est
From: Dave Horsfall
Subject: More on Blackhawk helicopter

From "The Australian" 31st May 1988:

"German incident sours Blackhawk shield plan

The United States Army says it will speed up plans to shield the UH-60
Blackhawk helicopter from radio-wave interference following an incident in
West Germany earlier this month [May].

On May 11, a Blackhawk flying near a large group of powerful antennae banked
into a right-hand turn for five seconds without any pilot commands.  [...]
An Army spokesman, Major Phil Soucy, said on Friday that tests had shown the
problem of electromagnetic interference did not jeopardise flight safety.

``We certainly are not going to ground the (Blackhawk) fleet because there's
no reason to'' Major Soucy said.

He said the Army had begun talks with the helicopter's manufacturer, Sikorsky
Aircraft, on shielding a number of electronic components.

[Details on Knight-Ridder report of 5 accidents and 22 deaths, since 1982]

The Army and Sikorsky, a subsidiary of United Technologies Corp of Hartford,
Connecticut, disputed that report, saying there was no evidence that
electromagnetic interference had caused any crashes."

-- 
Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz
dave%stcns3.stc.OZ.AU@uunet.UU.NET, ...munnari!stcns3.stc.OZ.AU!dave

------------------------------

Date: Fri, 10 Jun 88 17:55:24 -0400
From: Ken Yap
Subject: root typos
X-Uucp: ..!rochester!ken
Internet: ken@cs.rochester.edu

You don't even have to be root to wreak havoc.  I have the escape character
in rlogin set to ^P because I want to keep ~ for my own use.  One day I was
using the console on a Vax to make a backup tape and logged in to another
machine to read my mail while waiting.  When I decided to escape back to the
Vax to check how the backup was going, I got:

>>>

(For those not familiar with Vaxes, this is the bootstrap prompt.)

Fortunately I realized that I had halted the machine and typed C immediately.
These days I do one of the following:

(1) Ensure the console switch is on LOCK.
(2) Avoid using the console.

	Ken

------------------------------

Date: Mon, 13 Jun 88 11:56:59 PDT
From: geoff@fernwood.mpk.ca.us (Geoff Goodfellow)
Subject: costs/risks of impregnable telephone booths.

The following was passed to me from David Kucharczyk :

Taken from the Sydney Morning Herald and the May 22, 1988 issue of Awake
magazine.
In an effort to outwit phonebooth thieves, Telecom, Australia's
government-owned telephone company, has fitted the susceptible booths with
Kirk safes.  Named after the worker who invented them, the safe has so far
proved 100-percent effective.  As mentioned in the Sydney Morning Herald, it
has withstood 'oxy torches, ramset guns, angle-grinders, hydraulic jacks,
pulley clamps, centre-punches and bricks.'  Ironically, the new safes appear
to have led to an increase in vandalism, as thieves frustrated by the tough
safes vent their anger on the booths.  Telecom reports that the current rate
of smashed glass and ruined handsets and cords is at a new high of 3,000 cases
per month.

[note by Geoff: reminds me of the time my car was broken into in an
unsuccessful attempt to steal the stereo/cassette player.  the shattered
glass everywhere, the mangled radio face plate, storage of the car in a secure
location until i could obtain an appointment at the fix-it shop, the overhead
of taking the car in / pick-up, etc -- all besides the expense/insurance
deductible.  quite a hassle, for which i would have given the radio away to
have avoided!]

------------------------------

Date: Fri, 10 Jun 88 18:05:34 EDT
From: mnetor!utzoo!henry@uunet.UU.NET
Subject: Science, Journalism, and Whistle-Blowing

The following is the editorial by Daniel E. Koshland Jr. in the 29 April 1988
issue of Science; it has relevance beyond the scientific community.
[Reprinted (sigh) without permission.]

"Discussion of fraud in science is becoming a cottage industry in need of an
environmental impact report.  Fraud is devastating to science; it undermines
the basic respect for the literature on which the rapidity of scientific
advance depends.  It must be rooted out wherever and whenever it is
discovered.  That makes it all the more imperative that charges of fraud be
made responsibly and that the performance record of whistle-blowers be
scrutinized as well as those of the scientists they criticize.
In recent times we have been exposed to excesses in whistle-blowing and
journalism that come close to the evils they wish to eradicate.  We see, for
example, the charge that there is widespread fraud, followed by a text
defining fraud as a broad concept including "misconduct".  Misconduct is then
interpreted to include such items as poor proofreading or incomplete
references.  In a recent congressional hearing, misconduct was further
broadened to include a difference in interpretation of complex data.  Crying
wolf tends to lose effectiveness when the wolf is redefined as a vicious mouse
and then it is further conceded that the viciousness is a matter of opinion.

"The slowness of institutions in conducting investigations is viewed by some
as evidence of an "old boy" conspiracy.  But there are good reasons to be slow
to accuse a colleague.  A student works in close cooperation with a professor
for months or years and finally solves a problem.  A statement by the
professor that "we can't publish until the result is checked" might eliminate
a few cases of fraud, but it would forever damage the relation between student
and professor.  Institutions that are quick to accuse distinguished faculty
members of misconduct or worse on the basis of gossip or flimsy data will not
long have a distinguished faculty.  The fate of whistle-blowers who have lost
their jobs or failed to continue in science is often recounted as evidence of
retaliation, but the quality of the whistle-blowers' work is relevant to this
conclusion.  The idea that scientists may cut corners to achieve fame, but
whistle-blowers never do, is nonsense.  Past track records are not always a
guide to future conduct -- some distinguished scientists err, some erratic
whistle-blowers are right on occasion -- but scientists, like ordinary
citizens, are innocent until proven guilty.  Investigation of their integrity
should require substance.
It is not a cover-up for an institution to refuse to initiate an inquiry if
the only evidence is the accusation by an unreliable source.

"The scientific apparatus cannot afford to disregard accusations of fraud, and
competent whistle-blowers help science.  Investigations should be pursued
meticulously, but the final report should strongly state the outcome: If the
accusation is correct the miscreant should be punished and the whistle-blower
commended.  If, however, the accusation is incorrect, in addition to the usual
bland announcement of exoneration there should be a denunciation of the false
charges and a documentation of the time, anguish, and delay that has been
occasioned.  Science cannot tolerate fraud, but it should not be at the mercy
of headline-happy journalists or incompetent whistle-blowers.

"Journalists must distinguish between fraud, sloppiness, and differences of
opinion.  When an accusation of fraud is made, if the evidence appears weak or
the charge exaggerated a careful journalist should be alerted to probe more
deeply.  Opinions of noninvolved experts on the likelihood of error and the
track record of the accuser should be documented early on, even in the initial
story.  The original story may have to state the facts of an accusation before
all the background is obtained, but in most cases the story can be delayed,
and in all cases pertinent doubts should be expressed.  The final outcome
should be publicized appropriately.  Finally, the setting in which a story is
reported must be considered by a journalist.  A story involving a prominent
scientist in an inquiry on fraud is bound to make headlines, even if the story
is only a question of judgement.  The late Senator Joseph McCarthy was
particularly clever at manipulating journalists in this way; the techniques
should be familiar by now.

"Scientists respect integrity, scholarship, and good judgement as much as they
abhor fraud, sloppiness, and poor judgement, but these are very different
phenomena.
Those who mix them together in uncritical ways may decrease our chances of
eliminating true fraud, may damage reputations unfairly, and may diminish
enthusiasm for healthy differences of opinion at the cutting edge of science."

Henry Spencer @ U of Toronto Zoology
{ihnp4,decvax,uunet!mnetor}!utzoo!henry

------------------------------

Date: Wed, 15 Jun 88 09:41 EDT
From: WHMurray@DOCKMASTER.ARPA
Subject: Shrink Wrap

Yesterday I received an unsolicited package in the mail.  From the source and
the marking "magnetic media," I conclude that the package contains a program
sent to me for evaluation and review.

I am usually cautious about unsolicited mail.  However, this one came with its
own warning.  It was sealed with a sticker with the following warning:

"The program on the enclosed disk is licensed to the user.  By opening this
package, you indicate your acceptance of the ENCLOSED (emphasis mine) license
agreement."

Goodness!  What might I be agreeing to?  The fantasies are simply endless.

------------------------------

Date: Wed, 15 Jun 88 15:41:59 GMT
From: Jerry Harper
Subject: Hard-disk risks from vendors

We use a number of 286 machines (American Research Corporation - made in
Taiwan) for some development work before uploading the code to an MVS/XA
environment.  Recently, one of the machines has given considerable trouble
and, indirectly, an insight into the obligations of the vendor we dealt with.
The system unit emits quite a noticeable vibration which transmits itself
forcibly to the keyboard and desk - that problem has been there from its
purchase.  On several occasions the vendor has checked the unit to ascertain
the source of the vibration but to no avail.  Almost from the start I
mentioned that the vibration was bound to cause some damage to the hard-disk
in the long run (increased oscillation of the heads, etc).
In the last month one of the crimped connections to the hard-disk controller
board fell out with the result that drives C and D were not recognised and
some 30mb, it appeared, were either lost or inaccessible.  I took the shroud
off the unit and pushed home the connector - we lost two recent files (yes, we
have floppy backups).  A week later the same occurred, but this time I
couldn't locate any loose connections, so I rang the vendor.  Firstly, he said
he was too "busy" to come out, and then he told me in a matter of fact manner
that the hard-disk was probably corrupt and all the data was lost.  We have
had this machine *four* months.  He then proceeded to give a telephone
analysis of what might have happened.  Eventually, I was tiring and demanded
that someone appear quickly.  Two days later a technician came and once again
it turned out that a power connection to the hard-disk had worked itself
loose.  At this point, I decided that we should have a replacement machine.
No dice.  I was assured that the machine was in fine form.  A week later the
CMOS went sick and the hard-disk was inaccessible.  Once again a telephone
analysis was conducted and I reconfigured the system.

I know this is getting long-winded but the point is that at no stage in any of
the exchanges did the vendor admit any liability, nor did he seriously offer a
replacement.  This is of some concern to a number of companies here in Ireland
as quite a number of vendors have suffered financial difficulties leaving
their customers with pitiful after sales support.  Are too many people getting
into the VAR market by the seat of their pants?

Jerry Harper : Merrion Gates Software (Logic Programming) :
89 Booterstown Avenue, Blackrock, Co Dublin, IRELAND.
Phone-net : 353-1-88 52 51
email : jharper@euroies.uucp

------------------------------

Date: Mon Jun 13 11:42:06 1988
From: garyt@cup.portal.com
Subject: An old CTSS virus

Really-from Tom Van Vleck
SENT: 88-06-11 19:00  FROM:2 VANVLECK_TOM @PRUNE

This may qualify as one of the oldest viruses:

Just before the July 4th holiday in 1966, two undergraduate CTSS users decided
to write a RUNCOM (like a shell script) which would invoke itself.  They knew
that this would create a new SAVED file on each invocation and eventually use
all the disk space on the Project MAC CTSS system, but they thought this would
just lead to a documented error return.  Unfortunately, there was a bug in the
system and CTSS crashed.  Noel Morris and I spent a long time repairing the
system disk tables by hand.

Well, was this a virus?  The program launched a new copy of itself, and this
proliferation led to the death of the host.

(Note the early fascination with self-reference.  The other well-known way to
crash CTSS was to issue the XEC * instruction, which said "execute the
instruction at the location where this instruction is."  The 7094 CPU looped
taking I cycles only and couldn't be interrupted.  Bill Matthews once did this
deliberately to stop the system when an unwary system administrator
accidentally put the password file in the "message of the day."  Once again,
at 5PM Friday.)

The most important lesson is "don't get clever at 5PM Friday."

------------------------------

End of RISKS-FORUM Digest
************************
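The New Jersey item earlier in this issue describes a regulation that would let a casino ask for a log showing only the general category and time of each DGE inquiry, while Joe Morris closes with the remark that computer records are easily changed. The sketch below is an added example, written for this edited copy and not part of the digest or of any contributor's message, of how such a minimal inquiry log can be kept tamper-evident: each record holds only the category, the time and a SHA-256 hash chained to the previous record, so an edited or deleted record breaks the chain at a verifiable position. The inquiry categories and timestamps are constructed sample data, and the class and function names are this example's own.

```python
"""Tamper-evident inquiry log (added example; names and data are constructed)."""
import copy
import hashlib
import json
from datetime import datetime, timezone


class InquiryLog:
    """Append-only log holding, per record, only the general category of the
    inquiry and its time, plus a hash chained to the previous record.  The
    chain lets the keeper detect in-place edits and deletions later on."""

    GENESIS = "0" * 64  # chain anchor used as 'prev' for the first record

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(rec):
        # Canonical JSON over the three committed fields, so the hash does not
        # depend on dict ordering or on the stored 'hash' field itself.
        canonical = json.dumps({k: rec[k] for k in ("category", "time", "prev")},
                               sort_keys=True)
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def record(self, category, when):
        """Append one inquiry; returns the new head hash of the chain."""
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        rec = {"category": category, "time": when.isoformat(), "prev": prev}
        rec["hash"] = self._digest(rec)
        self.records.append(rec)
        return rec["hash"]

    def head(self):
        """Latest hash; a copy kept outside the log detects tail truncation."""
        return self.records[-1]["hash"] if self.records else self.GENESIS

    def verify(self):
        """Walk the chain from GENESIS.  Returns (True, None) if every record's
        'prev' matches its predecessor and its stored hash recomputes, else
        (False, index_of_first_bad_record)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != self._digest(rec):
                return False, i
            prev = rec["hash"]
        return True, None


# Constructed sample inquiries (categories only, as the regulation describes).
SAMPLE_CATEGORIES = ["player credit history", "slot drop counts", "junket records"]


def demo():
    """Build a three-record log, then show what verify() reports for an intact
    copy, a copy with one record edited in place, and a copy with one record
    deleted.  Returns the three verify() results as a tuple."""
    base = datetime(1988, 6, 15, 9, 0, tzinfo=timezone.utc)  # constructed time
    log = InquiryLog()
    for i, cat in enumerate(SAMPLE_CATEGORIES):
        log.record(cat, base.replace(hour=9 + i))
    intact = log.verify()

    edited = copy.deepcopy(log)          # someone rewrites what record 1 says
    edited.records[1]["category"] = "complimentary services"
    after_edit = edited.verify()         # stored hash no longer recomputes

    shortened = copy.deepcopy(log)       # someone removes record 1 entirely
    del shortened.records[1]
    after_delete = shortened.verify()    # old record 2's 'prev' no longer fits

    return intact, after_edit, after_delete


if __name__ == "__main__":
    print(demo())
```

The chain only proves that nothing was changed *between* the anchor and the current head; an adversary who controls the whole file can rewrite a record and recompute every later hash, and can drop records from the end without breaking any link. That is why `head()` exists: if the two parties to the inquiry (here the casino and the DGE) each keep the latest hash outside the system, any rewrite or truncation shows up as a head that no longer matches.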