RISKS-LIST: RISKS-FORUM Digest Saturday 16 July 1988 Volume 7 : Issue 23 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Policy Chief Indicted in Computer Misuse (Owen Blevins) Data for Iran airliner discussion (Dave Fiske) Re: Data "viruses" (Peter J. Denning, PGN) Invitation to visit Disaster Research Center (DRC) Passwords on networked systems (Steve Oualline) Other ways to manage risks (Dave Fiske) Colwich Junction, England, 1986 (Blair P. Houghton) Oops -- risks of writing -- SI prefixes (Richard S D'Ippolito) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95). ---------------------------------------------------------------------- Date: Fri, 15 Jul 88 20:25:50 est From: owen blevins Subject: Policy Chief Indicted in Computer Misuse From New York Times Friday., July 15, 1988: Metro-North Police Chief Indicted in Computer Misuse The police chief of the Metro-North Commuter Railroad was indicted yesterday on charges that he improperly used a New York State polic computer system to investigate job applicants, their relatives and people who were suing the railroad. The indictment against the chief, John V. Esposito, includes allegations of "computer trespass." Authorities said he is believed to be the first police official to be prosecuted under a 1986 law restricting the use of confidential criminal justice records compiled in computers. After pleading not guilty in a courtroom in Manhattan, Mr. Esposito, who was released without bail, said his use of the computer system "is standard operating procedure" by police chiefs throughout the state as part of routine background examinations of prospective employees. ------------------------------ Date: 14 Jul 88 21:28:21 GMT From: davef@brspyr1.brs.com (Dave Fiske) Subject: Data for Iran airliner discussion I know this is the net, but I hope I can be forgiven for doing a bit of actual research! Here are a few excerpts from some books I happen to have at home. Shows that with just a little effort, we could be having discussions based loosely on fact, rather than vague memories and opinions. First of all, despite Reagan's statement, the AEGIS system is a bit more than your average radar unit. The following excerpt indicates that it does some interpretation of the data it obtains, and even performs limited decision-making. "The AEGIS Combat System was developed to counter the saturation missile attacks which could be expected to form the basis of Soviet anti-carrier tactics during the 1980s. Conventional rotating radars are limited both in data rate and in number of target tracks they can handle, whereas saturation missile attacks require sensors which can react immediately and have a virtually unlimited tracking capacity. The solution adopted in the AEGIS system is to mount four fixed planar antennae each covering a sector of 45 degrees on the superstructures of the ship. Each SPY-1 array has more than 4000 radiating elements that shape and direct multiple beams. Targets satisfying predetermined criteria are evaluated, arranged in sequence of threat and engaged, either automatically or with manual override, by a variety of defensive systems." John Jordan, "An Illustrated Guide to the Modern U.S. Navy", 1986, Prentice Hall. Several people have maintained in comp.risks that the F-14 would not be much of a threat to surface ships. However: "The twin-jet F-14 is indeed some airplane. It was designed to range farther, fly faster, climb higher and pack more wallop than any interceptor ever built. While it possesses some of the features of a fighter, fighter pilots certainly would prefer to call it an interceptor. Its long suit is its fire control system and its missiles. With his AWG-9 radar and infrared-sensor-computer system, the backseat Missile Control Officer (MCO) of the Tomcat can track twenty-four separate targets, from sea level to one hundred thousand feet, up to one hundred miles distant." James W. Canan, "The Superwarriors", 1975, Weybright and Talley. "Possibly the most complete fighter in the world today, the Grumman F-14 Tomcat first entered service in 1975. Armament consists of M61A1 20-mm rotary cannon plus AIM-9 Sidewinder short-range, AIM-7 Sparrow medium-range and AIM-54 Phoenix long-range air-to-air missiles. A combination of all these missiles can be carried at one time, making the F-14 capable of shooting down any flying intruder at any range up to 200 km (125 miles). The Phoenix missiles are operated in conjunction with the Tomcat's AWG-9 radar, and can hit targets at any altitude from ground level to over 2400 m (78,740 ft)." "Modern Combat Aircraft", Crescent Books According to The Military Balance, 1984-85, published by the International Institute for Strategic Studies, Iran still has 10 F-14As (in 1975 they had 15--some undoubtedly have become inoperative since then), and does have Sidewinders, Sparrows, and Phoenixes. Dave Fiske (davef@brspyr1.BRS.COM) ------------------------------ Date: Fri, 15 Jul 88 14:47:45 pdt From: Peter J. Denning Subject: Re: Data "viruses" (RISKS-7.11) Dave Horstall inquired about whether the propagation of corrupted data through a system can be considered a new form of virus. No. The propagation of corrupted data is an old problem that systems designers interested in fault tolerance must face. It is a difficult problem and many systems do not include appropriate data consistency checks to prevent or mitigate it. The virus is a program designed to infect other programs with copies of itself and to perform unwanted actions in the manner of a Trojan horse. Peter Denning ------------------------------ Date: Sat, 16 Jul 88 10:29:19 PDT From: Peter G. Neumann Subject: Program viruses vs "data viruses" On viruses versus data propagated effects of contaminated data: Yes, the propagation of corrupted data is an old problem, although it is generally considered within the scope of a single program or a single process. My favorite example of more global propagation is provided by the ARPANET collapse (mentioned in RISKS occasionally, but newer readers should dig up Eric Rosen's enlightening article, "Vulnerabilities of network control protocols", in ACM Software Engineering Notes, vol 6 no 1, January 1981). This was caused by a status word being propagated along with two corrupted versions of itself -- as a result of hardware malfunctions. The consequence was that those two corrupted versions (yes, propagated by the normal node programs, which were unaltered) contaminated every node in the network -- because the flawed garbage collection algorithm broke down. True, there was no program virus. However, the two bogus status words effectively contaminated the entire network! This case is interesting not because a piece of data was altered, but because three different versions of the SAME piece of data were able to bring the entire network to its knees -- despite the belief that distributed control was safe. That kind of contamination deserves some sort of explicit identity such as "data bacterium" or "data microbe" or whatever, although it has some of the characteristics of a (data or nonprogram) virus... PGN ------------------------------ Date: Fri, 15 Jul 88 20:24:21 EDT From: Disaster Research Center Subject: Invitation to visit Disaster Research Center (DRC) An Introduction to the Disaster Research Center for RISKS Readers. Come to our open house in August ! The Disaster Research Center, the first of its kind and the only one in the United States, was established at the Ohio State University in 1963 and moved to the University of Delaware in 1985. The Center engages in a variety of sociological and social science research on group and organizational preparations for, responses to, and recovery from community-wide emergencies, particularly natural and technological disasters. Since the Center's inception, there have been over 496 different field studies. Teams have gone to earthquakes in Japan, Chile, Yugoslavia, Italy, Iran, El Salvador, Greece, California, and Alaska; hurricanes in the southern and eastern United States, as well as Japan; floods in Italy, Canada, and more than a dozen states; and tornadoes and hazardous chemical incidents in Canada, Mexico, and the United States. A dozen cities struck by major disasters have been restudied several years after the initial research. For purposes of comparison, Center personnel have also examined organizational responses to civil disturbances and riots. The Center has a number of professionals on its staff plus supporting clerical and secretarial personnel. It is directed by Professor E.L. Quarantelli, with the assistance of Professors Dennis E. Wenger and Russell R. Dynes, all of the Department of Sociology at the University. Recent studies have focused on: Social and organizational aspects of the delivery of mental health services and of emergency medical services in mass emergencies; and socio-behavioral responses to acute chemical hazards and the problems involved in mass evacuation and sheltering. Research underway includes the ways in which information relating to disaster is processed through news organizations, the organizational and public response to the Mexico City earthquake, and the role of local emergency response agencies. Center personnel have examined legal aspects of governmental responses in disasters, the emergence and operation of rumor control centers, mass media reporting of community crises, the functioning of relief and welfare groups in stress situations, and the handling of the dead in catastrophes. The research provides basic knowledge about group behavior and social life in large scale community crises as well as information which can be applied to develop more effective plans for future disasters. Besides storing its own data collected through in-depth interviewing, participant observations, and document gathering, the Center serves as a repository for materials collected by other agencies and researchers. The Center's specialized library, which contains the world's most complete collection --over 20,000 items-- on the social and behavioral aspects of disasters, is open to all interested scholars and public and private agencies involved in emergency planning. With over 400 publications, the Center has its own book, monograph, and report series. There are close relations with Canadian, Mexican, Australian, Swedish, Japanese, and West German disaster researchers, a number of whom have been visiting research associates at the Center for periods of up to a year, and collaborative field research is currently underway with groups in Japan and Mexico. An exchange program and very close ties with Italian researchers, especially the Mass Emergency Program of the Institute of International Sociology in Gorizia, Italy. Center activities have been supported by diverse sources including the Health Resources Administration; the Center for Applied Social Problems, National Institute of Mental Health; the Defense Civil Preparedness Agency; the Water Resource Research Program, Department of the Interior; the State of Ohio Department of Mental Health; but major funding has been from the National Science Foundation, and the Federal Emergency Management Agency. If you would like more information concerning the Disaster Research Center or desire an updated Publications List, write to Margie Simmons, Office Coordinator, Disaster Research Center, University of Delaware, Newark, Delaware, 19716, United States of America. ** Special note to Risks Digest Readers ** Anniversary Celebration Announcement The Disaster Research Center was formed in August, 1963. Thus, it will be 25 years old next month. To mark the occasion, an open house will be held at the Center's present location on the third floor of 102 East Main St., Newark, Delaware (U.S.A.). Time: Monday, August 22, 1988 1 - 5 p.m. We hope you can take some time to visit us. - E.L. Quarantelli, Director - Russell R. Dynes - Dennis E. Wenger (Information forwarded by Bruce D. Crawford, Computer Services Coordinator, Disaster Research Center). ------------------------------ Date: 15 Jul 88 22:31:51 GMT From: horizon!sdo@seismo.CSS.GOV (Steve Oualline) Subject: Passwords on networked systems Although RISKs seems to be primarily oriented toward major problems with the cutting edge of technology, I wish to offer an example of a small problem that can be solved by a little common sense. At our site we have several UNIX systems running on a network. For convenience of the administrator, me, all the root passwords are the same. I discovered the hard way that this is not a good idea. I wanted to reboot "zabbar" a small system that no one was using, so I walked over to its console and type su root, /etc/halt. This shut down the system -- the problem was that I had done rlogin horizon (horizon is our main system), and had shut it down by mistake. If the root passwords had been different for each machine, then horizon would have rejected the root password for zabbar causing me to discover which system I was really on. ------------------------------ Date: 15 Jul 88 18:58:58 GMT From: davef@brspyr1.brs.com (Dave Fiske) Subject: Other ways to manage risks (Re: RISKS-7.20) > From: Doug Faunt (phone (415) 496-4727) > Subject: re: lockpicking and burglars > I would like to point out that it might be worthwhile to improve your > locks to some degree, ... > ... You may not be able to keep them out, but you can make sure there's a > record. I'm surprised that comp.risks readers are primarily fixating only on PREVENTION for managing risks. Prevention is only one way to deal with them. Nearly all homeowners therefore have insurance to cover the theft of contents, as well as locks on the doors. Some have burglar alarms as well. The prevalence of insurance and burglar alarms is an indication that unwanted entries cannot be 100% eradicated. Locks are only one aspect in the management of the risk of theft. The existence of law enforcement agencies is another deterrent--a burglar has to (well, at least he should) consider the possibility that he will get caught. The consequences of entering a locked home ("burglary", or "breaking and entering") are more severe than entering one which is not locked ("illegal entry"), and is also more easily proved due to physical evidence. In addition to helping to deter entry, locks help to provide evidence to facilitate getting an insurance settlement, or to capture the culprit and achieve return of the goods. Similarly, a computer system can probably never be made totally secure, since it's always possible (granted, very unlikely) that an unauthorized user could happen to guess a correct password on the very first try, etc. However, log files are kept and checked, means of disciplining system abusers are maintained, backup tapes are made, etc. as further means of reducing the consequences of tampering. Dave Fiske (davef@brspyr1.BRS.COM) [But don't forget that in many systems it is easy to turn off auditing altogether, or to bypass it, or to modify the audit trail later. PGN] ------------------------------ Date: Fri, 15 Jul 88 17:50:38 edt From: bph%buengc.bu.edu@bu-it.BU.EDU (Blair P. Houghton) Subject: Colwich Junction, England, 1986 (Re: Mark Brader, RISKS-7.22) Mark's message points out a common misconception: that skidding provides more stopping force than does rolling with the brakes on. The truth is that the coefficient of friction is lowered drastically once the surfaces involved begin to slide. That is, the kinetic coefficient of friction is lower than the static coefficient of friction. Hence, a rolling wheel, which indeed has a nonsliding portion of its surface in contact with the rail, can apply more force to the rail, thus slowing the train faster; once the wheel locks up and begins to slide, the force decreases in a virtual discontinuity, and the train slows slower, meaning that the stopping distance is larger (usually much larger). If the wheelslip protection overcompensated for impending slippage by lowering the braking force below even the skidding-friction force, then it is utterly at fault for an extended stopping distance, and the above mentioned report's conclusion is correct. However, if the wheelslip protection was properly designed, it should have operated in the region between skidding-friction force (kinetic coefficient in effect) and onset-of-skidding force (static coefficient in effect), then the report is dangerously wrong and has made a suggestion that will aggravate future accident situations. While the "flattening" argument for wheelslip protection is good economy, the increased stopping power is the primary reason that antilock braking was invented, since saving lives is the best economy. Blair P. Houghton ------------------------------ Date: Friday, 15 July 1988 09:29:09 EDT From: Richard.S.D'Ippolito@sei.cmu.edu Subject: Oops -- risks of writing -- SI prefixes I blew it. The SI prefixes for kilo (10^3), hecto (10^2), and deca (10^1) are abbreviated with lower case letters. Those above kilo are abbreviated with capital letters. All those below (10^-1 to 10^-18) are lowercase. I've seen too many KVs and KWs in the electrical industry. I'm sorry -- next time I'll look it up first. Rich ------------------------------ End of RISKS-FORUM Digest 7.23 ************************