RISKS-LIST: RISKS-FORUM Digest   Monday 28 November 1988   Volume 7 : Issue 83

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Tech Report on the Internet Worm (Gene Spafford, PGN)
  Congress plans hearings on the Internet Worm (Jon Jacky)
  Computer Literacy #3 (Ronni Rosenberg)
  More on misuses of computers (PGN)
  Chain letters = next net disaster ? (Ira Baxter)
  Computerized Parking Meters (James Peterson)
  Data verification (Rob Gross)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Mon, 28 Nov 88 19:53:07 EST
From: Gene Spafford
Subject: Tech Report on the Internet Worm
Organization: SERC, Department of Computer Sciences, Purdue Univ.

My tech report on the Internet Worm is finally finished! You can get a compressed PostScript version of the formatted report via FTP as follows:

  1) ftp to arthur.cs.purdue.edu (128.10.2.1)
  2) login for anonymous ftp
  3) set binary mode on
  4) cd pub/reports
  5) get TR823.PS.Z
  6) quit

Then uncompress the file and print it.

   [If you cannot uncompress it, you may access the UNCOMPRESSED PostScript file directly (280,827 bytes, by the way!): OMIT 3) above; it should also work in binary mode, but more slowly; REPLACE 5) above with "get TR823.PS", using the name of the uncompressed PS file. Also, use a copying machine if someone you know has already FTPed it. Spare the Internet. PGN]

If you have already ordered a paper copy of the report and you can FTP a copy to print it yourself, please send me mail and cancel your request for a paper copy.

If you cannot FTP a copy and you have already ordered a paper copy, have patience. As soon as they get printed they will be mailed -- before the end of this week, I am told.

If you cannot FTP a copy and would like to order a paper copy, send me your surface mail address and I will add your name to the list.

Cheers, --spaf

------------------------------

Date: 28 Nov 1988 18:59:19-PST
From: Peter Neumann
Subject: Tech report on the Internet Worm

Spaf's ``The Internet Worm Program: An Analysis'' is an extremely thoughtful and comprehensive report. It will be standard reading for years. It is offered by Spaf ``solely for the purposes of instruction and research'' (as he states in his title-page copyright notice), and is cited in RISKS for precisely those purposes. There are many lessons to be learned -- including needs for better operating systems and network protocols, better quality programmers with greater social awareness, better ethical teaching, better laws, and generally better understanding of THE RISKS. Our thanks to Spaf for his considerable contribution. PGN

------------------------------

Date: Mon, 28 Nov 88 09:35:59 PST
From: jon@june.cs.washington.edu
Subject: Congress plans hearings on the Internet Worm

The House Science, Space and Technology Committee and the House Judiciary Committee are planning hearings on the Internet virus for the upcoming 101st Congress. Also, the author of the federal computer crime law says that he believes the virus programmer could be prosecuted under that law. Here is the source, from a story that appeared in THE SEATTLE TIMES, Sunday Nov 27 1988, p. B2:

CONGRESSMEN PLAN HEARINGS ON VIRUS - Newhouse news service

WASHINGTON - The computer virus that raced through a Pentagon data network earlier this month is drawing the scrutiny of two congressional committee chairmen who say they plan hearings on the issue during the 101st Congress.

Democratic Reps. Robert Roe, chairman of the House Science Space and Technology Committee, and William Hughes, chairman of the crime subcommittee of the House Judiciary Committee, say they want to know more about the self-replicating program that invaded thousands of computer systems.

The two chairmen, both from New Jersey, say they are concerned about how existing federal law applies to the Nov. 2 incident in which a 23-year-old computer prodigy created a program that jammed thousands of computers at universities, research centers, and the Pentagon.

Roe said his committee also will be looking at ways to protect vital federal computers from similar viruses.

`As we move forward and more and more of our national security is dependent on computer systems, we have to think more about the security and safety of those systems,' Roe said.

Hughes, author of the nation's most far-reaching computer crime law, said his 1986 measure is applicable in the latest case. He said the law, which carries criminal penalties for illegally accessing and damaging `federal interest' computers, includes language that would cover computer viruses.

`There is no question but that the legislation we passed in 1986 covers the computer virus episodes,' Hughes said.

Hughes noted that the law also includes a section creating a misdemeanor offense for illegally entering a government-interest computer. The network invaded by the virus, which included Pentagon research computers, would certainly meet the definition of a government-interest computer, he said.

`The 1986 bill attempted to anticipate a whole range of criminal activity that could involve computers,' he said.

------------------------------

Date: Mon, 28 Nov 88 12:36:39 EST
From: ronni@juicy-juice.lcs.mit.edu (Ronni Rosenberg)
Subject: Computer Literacy #3

Expenditures of time and money on computer-literacy education represent important tradeoffs for schools. If you think that computer literacy should be taught in school, how do you think schools should pay for it (hardware, software, training, maintenance)? How should computer-literacy courses be fit into the school day?

Since school budgets and days are finite, these questions raise the issue of priorities. Should computer-literacy education be a high priority for our education system? Why or why not? How do you compare computer literacy with current education priorities?

   [Respond to Ronni, please. PGN]

------------------------------

Date: 28 Nov 1988 17:17:10-PST
From: Peter Neumann
Subject: More on misuses of computers

A flurry of risks relating to antisocial computer uses has been rapidly developing into a blizzard:

* Hatred-promoting materials. Jeff Stout (jstout@boeing.com) alerted me to an article in the Seattle Times/Post-Intelligencer, 11/20/88, excerpted as follows:

   The rapid spread in recent months of illegally produced floppy disks with anti-Semitic and racist content, promoted by the increased use of home computers, has alarmed West German teachers and those concerned with protecting young people from exposure to military, racist and pornographic violence.

   "The neo-Nazi underground has changed tactics", says Gerhard Adams, deputy chairman of the government office responsible for monitoring "youth-endangering" materials. "Instead of distributing leaflets, they now circulate in schools computer programs which are anti-Semitic and racist." [...]

   While the majority of games glorifying war and Rambo-style episodes of self-enforced law are produced in the United States and Great Britain, games inciting racial hatred and propagating Nazi ideology are believed to have their origin in Germany.

* A flurry of PC porno programs (including some highly interactive versions). For example, a porno program is apparently sweeping through the banking community (Lounge-suit Larry ...), some versions of which are Trojan horsed and rather destructive. Many others have also been reported, and with pirating and direct propagation seem to be spreading rampantly.

* Electronic chain letters such as that noted in the following message.

So, what is new? The subject matter is certainly not new. But the medium offers new opportunities -- proliferability, programmability, and privacy. (Next we will be having subliminal messages on the screen, or even buried inside the programs?)

------------------------------

Date: Fri, 25 Nov 88 23:37:04 -0800
From: Ira Baxter
Subject: Chain letters = next net disaster ?

Just received this. Figured best way to a) satisfy RISKS readers and b) "prevent breaking the chain" :-} was to submit this rather than victimize 20 more people.

If this sort of thing is turned loose in email, the resulting exponential explosion could be as bad as the recent net worm (with willing vectors, anyhow). Unwilling vectors will just damp them out... but with 3 million PCs out there, how many do we need to keep it alive?

   [RISKS has no difficulty whatever in breaking this chain. Chain letters are bad enough via SnailMail, but electronically they open up horrible possibilities. PGN]

------------------------------

Date: Mon, 28 Nov 88 16:40:05 CST
From: James Peterson
Subject: Computerized Parking Meters

While visiting the University of Oregon last summer, I found a parking space with no meter, but a sign directing me around the corner. There was a small terminal with a map of the adjacent parking area, about 14 spaces along the side of the street. The instructions indicated that the money was to be deposited and the code number for my parking space keyed in. Out popped a little printed ticket with my parking space number and the time, date, etc when I arrived and how long before my parking expired.

It's the only time I've seen such a system (instead of the normal mechanical parking meters). I assume the benefits of the system are that there is a centralized station for checking what cars are legally parked (the meter maid doesn't have to check each spot, but one central location), central collection of money, and if one car pays for an hour but leaves after 10 minutes, there is no visible record allowing the next car to just use the remaining 50 minutes without paying for it.

------------------------------

Date: Mon, 28 Nov 88 20:58 EST
From: (Rob Gross)
Subject: Data verification

At Boston College, most faculty members are expected to advise between ten and twenty students. For various reasons (students requesting new advisors, faculty members on leave, students changing majors), the students I advise one semester often are not my responsibility by the time the next semester rolls around.

So I wasn't too surprised when I received a call from a student I had advised in September asking for an appointment to see me; I told her that she was no longer one of my advisees, and suggested that she call the dean to find out who her advisor was.

She called back an hour later and told me that she had been entered into the computer as class of 1993, and the computer had duly scheduled her to register in November of 1989.

And my computer science students worry about why I stress data verification!

Rob Gross

------------------------------

End of RISKS-FORUM Digest 7.83
************************