RISKS-LIST: RISKS-FORUM Digest Tuesday 20 December 1988 Volume 7 : Issue 96 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Soviets Claim Computer-Virus Shield (PGN) UNICEF Belated Greetings (David Andrew Segal and Chris Koenigsberg) Computer Ethics or just Ethics (David Clayton) Those Who Do Not Learn From History (F. Baube) Re: Armed with a keyboard and considered dangerous (F. Baube) Re: Computer Virus Eradication Act of 1988 (David Keegel) Manslaughter caused by computer error (Herman J. Woltring) New EMI Shielding Material (Earl Boebert) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95). ---------------------------------------------------------------------- Date: Mon, 19 Dec 1988 13:15:45 PST From: Peter Neumann Subject: Soviets Claim Computer-Virus Shield The Soviet Union said yesterday that so-called computer viruses have invaded systems in at least five government-run institutions since August, but Soviet scientists say they have developed a way to detect known viruses and prevent serious damage. In August 1988, a virus infected 80 computers at the Soviet Academy of Sciences before it was brought under control 18 hours later. It was traced to a group of Soviet and foreign schoolchildren attending the Institute's summer computer studies program, apparently resulting from the copying of game programs. Sergei Abramov of the Soviet Academy of Sciences claims they have developed a protective system, PC-shield, that protects Soviet computers against known virus strains. It has been tested on IBM computers in the Soviet Union. "This protective system has no counterpart in the world," he said (although the details remain a state secret). [Paraphrase of a UPI item in the San Francisco Chronicle, 19 Dec 88, p. A16] ------------------------------ Date: Sun, 18 Dec 88 13:02:52 EST From: dasegal@brokaw.LCS.MIT.EDU (David Andrew Segal) Subject: UNICEF Belated Greetings From the New York Times, Saturday, December 17, 1988 A computer problem has brought frustration instead of glad tidings to hundreds of people who ordered Unicef Christmas cards through the organization's toll-free telephone number. Many orders have been delayed or lost. "We have a little bug in the system," said Colin J. Rainsbury, vice president of the greeting-card division .... Unicef's direct-marketing manager, Laura A. Colassano, said the organization had processed more than 90,000 orders in the United States for the cards, ... She said almost 1,000 people had called about missing orders. TMI Inbound Inc., a telemarketing agency in Omaha, receives orders from customers who call 800-FOR-KIDS and transmits the orders to BSA-Fulfillment Service Inc. in Lakewood, N.J., which fills the orders. "There's a problem with the computers speaking to each other," Ms. Colassano said. [info about refunds...] David Andrew Segal, Laboratory for Computer Science, MIT [Also contributed by Chris Koenigsberg Subject: Computer Ethics or just Ethics There is a recent book titled "Everything I Need to Know I Learned in Kindergarten". I've only read excerpts and this is not a book review but I thought of the title as I was reading many contributors' comments regarding ethics for computer users. What I find interesting is the implicit assumption that a different (higher? lower? more stringent? more lenient?) set of ethics apply to those who by chance or choice work with computers. Apparently, because I use a keyboard and stare at a VDT, the rules of right and wrong, the definitions of proper -vs- improper behavior that were taught me as a child no longer apply. For some reason my choice of a profession has somehow rendered obsolete those rules I (we?) learned in kindergarten about respecting others and not taking what isn't ours. We make attempts to wrap common snooping in terms of honor by making claims of "respecting data" and "exercising the system" to find bugs and point out weaknesses in design and implementation. And we ignore or dismiss acts of thievery and vandalism by faulting the designers and administrators of pilfered systems. There is no doubt that systems must be secure, but we don't tear down the prisons because we can't build thief-proof banks. Courses in computer ethics may be an interesting forum for the discussion of ideas but let's not kid ourselves that these problems are so unique (and by association, we are so special) that we must be treated differently and so develop a new ethos. David Clayton; Academic Computing; University of Rhode Island The opinions are my own. I don't know what, or if, the University thinks about these things! ------------------------------ Date: Mon, 19 Dec 88 18:04:34 -0500 From: "F.Baube" Subject: Those Who Do Not Learn From History .. Some old mail, from one year ago .. Mr Patterson can hardly be blamed for not foreseeing what no-one else on the Internet did, either .. And, what does 1989 have in store for Netland ? ------- Forwarded Message Date: Mon, 21 Dec 87 15:22:26 EST From: Ross Patterson Subject: IBM Christmas Virus >Subject: IBM Xmas Prank {RISKS 5.79} >(5) Is the Internet similarly vulnerable ? Not to this one. It plays on several things that the Internet doesn't have: 1) A large number of IBM VM/CMS systems. The program would only run in a CMS environment. There is no reason one couldn't write something similar in any other language, though. 2) A suitable file transfer system. FTP doesn't apply. It must provide a way for a user to receive an unsolicited file, in a runnable form. 3) A good method of determining targets. The CMS NAMES and NETLOG files provided an excellent source of information. I suppose in a Unix environment, ".alias" and "/etc/aliases" would be ok, but .alias is comparatively rare, while NAMES files are almost universal in CMS. Browsing this message is no fun at all. Just type Christmas .. ------- End of Forwarded Message ------------------------------ Date: Mon, 19 Dec 88 12:03:36 -0500 From: "F.Baube" Subject: Re: Armed with a keyboard and considered dangerous Rodney Hoffman (quoting a news article): > [..] Federal prosecutors also obtained a court order restricting > Mitnick's telephone calls from jail, fearing he might gain access > to a computer over the phone lines.... .. and presumably he would whistle at 1200 bps. ------------------------------ Date: Tue, 20 Dec 88 17:11:03 EST From: munnari!murrumbong.cs.mu.oz.au!djk@uunet.UU.NET (David Keegel) Subject: Re: Computer Virus Eradication Act of 1988 In Risks 7.92, Jonathan Sweedler wrote: ] In other words, can I break into any computer I want to and look at ] whatever files I want to, as long as I announce I'm there and don't ] cause any harm? Why do these laws center on causing harm to computers ] and not just illegal/unauthorized entry? I think we need to be a bit more careful about what "harm" or "loss" means. For instance, if someone reads your private files, you can say that you have lost some of your privacy. If someone infects your computer with a "benign" worm/virus whose only effect is to use a few kilobytes of disk and some CPU time, you can still claim loss of processing power (assuming someone was using the machine). When taken literally, this could even apply to such things as remote fingering: information is given to the finger program which causes it to use CPU time on another system. It seems that this cannot be called "loss" otherwise by running a non-optimised program I am potentially depriving others of processing power. On the other hand, to say that loss means loss of data (files) allows a {h,cr,sn}acker to run a program that may crash your machine. Is there a clear dividing line between this and using 100% of the CPU? Where could we draw such a line? I believe it _is_ important to avoid making laws which prohibit _all_ unauthorised access. Apart from questions about the fuzziness of the word "authorised" (eg: who is authorised to use "login"?), the important problem is that you do not allow people to test your security, without previous authorisation (try to imagine a one-man, part-time "tiger team" :-). The possible advantages of "hack attacks" and the like have been covered before, so consider another facet of this: imagine that Joe User (joe@host) one day mistypes his login name and discovers, by accident, that jo@host has no password required. He is dropped into Jo Bloggs' shell, without authorisation from her. Already he has broken the law. Now (the interesting part), he is faced with the following dilemma: does he tell jo@host or root@host of this security problem, and face being charged; or does he keep his mouth closed about the situation? There is now a definite DISincentive to informing the sysadmins that jo has no password. As if this weren't bad enough, imagine the hypothetical law made no distinction between "unauthorised use" and "harm". Since he has already broken this law, he may as well play around. For instance, to erase indications of his presence. Or to see who Jo is, and what she is doing. Admittedly, this is a contrived situation which is highly unlikely in practice, but the point is that it is possible to use someone else's account, with absolutely _no_ malicious intent and yet become a criminal. A more realistic example is the person who is bored waiting for a print-out, and tries a few combinations, or someone exploring some outside system to see what they can find out about it. I contend that any legislation must not only charge the guilty, but also avoid charging the innocent. David Keegel (djk%munnari.oz.au@uunet) "Flattery will get you nowhere, unless someone else does it to you" ------------------------------ Date: Mon, 19 Dec 88 18:04 N From: Subject: Manslaughter caused by computer error * * * Software bugs and copyright -- is the author a (re)liable owner? * * * Six years ago, the Dutch journal Computable reported a case of manslaughter, attempted manslaughter, and attempted suicide in Western Germany caused by a computer error. A print-out error caused a medical insurer to convince a 54-year old woman that she suffered from a fatal form of syphilis, and that she had transmitted the disease to her children; in panick, she strangled her 15-year old daughter and tried to kill her 13-year old son. The boy escaped, and succeeded in preventing his mother's death from a drugs overdose. The Duesseldorf court dismissed the accusation of murder, laid all blame with the computer error, and declared the woman unaccountable for her actions. It is not known whether any civil liability action followed this tradegy. Two years ago, a software bug in a (canadian) radiation therapy machine in Texas caused a number of fatal accidents due to a radiation overdose (cf. Datamation, May 1987). It seems that such (re)liability factors were partly responsible for the recent withdrawal of all software protection proposals in Dutch Bill 19.921 on Com- bating Piracy of Copyright Works, after which the Bill was passed by the Dutch House of Representatives on 8 November 1988. In effect, the software clauses proposed to exclude so-called "computer programs" (otherwise undefined in the Bill) from the Dutch equivalent of Section 107 USC ("Fair Use"), under inclu- sion of a clause rather similar to Section 117 USC. Unfortunately, insuffi- cient attention was given to morally acceptable activities as licenced under anglo-american Fair Use / Fair Dealing (including "reverse engineering" and analysis in either a profit or not-for-profit context). In fact, the Bill attempted to use copyright law for creating trade-secret protection on soft- ware, as was the case with the French and West-German Copyright revisions of 1985. Also, it was proposed that programs should have a sufficient PERSONAL creativity level under the standard doctrine of Dutch case law for copyright protection. This caused quite a debate since legal entities may not qualify for title to "authorship" under such circumstances unless special agreements are drafted between employer and employee, in view of the moral (personal) rights under the Berne Copyright Convention (the Universal Copyright Convention does not recognize any moral rights). If software can be viewed as a "writing", no personal creativity requirements exist under the Dutch "copijreght" doctrine, and the Minister of Justice seems to have desired to elicit a fundamental debate on "copyrights" for legal entities versus "author's rights" for natural persons. At present, the discussion evolves around the June 1988 Green Paper of the Commission of the European Communities on "Copyright and the Challenge of Technology", in which a number of questions are posed on all kinds of copyright works including software and databases. Important issues are (a) the relation between software property rights under the pending European Directive on Soft- ware Protection versus software (re)liability under the 1985 European Directive on Product Liability, and (b) to what extent a legal entity may claim "author's rights" under the Berne Copyright Convention with its strong emphasis on moral rights for natural persons. In short: is software an impersonal "product" to be protected under industrial property law, or a personal "service" to be pro- tected under intellectual property law? Unlike the anglo-american "work-for-hire" rule, a legal entity's title to authorship has been a hotly debated issue in continental-european intellectual property law, pursuant to section 27(2) of the Universal Declaration of Human Rights (New York, 1948) and to section 15(1)c of the International Covenant on Economic, Social and Cultural Rights (New York, 1966). During last year's "Tripartite Meeting on Salaried Authors and Inventors" organized by the Inter- national Labour Office in Geneva, no agreement could be reached on this issue. If the natural author is the legal author under the Berne Convention, it stands to reason that he is also liable for any errors caused by "his" work, notwith- standing his employer's title to (and liability for) the pure information/ideas underlying "his" work. Here, the relation between (objective, impersonal) information/ideas/contents which are NOT protected under traditional copyright and the form/expression of the work which are protected under copyright is at stake, and it is of interest that recent publications in the field of intel- lectual property law attempt to shift the boarderline of copyright into pure information, despite the USA's First Amendment and various international in- struments that purport to protect "Freedom of Information". From a liability point of view, this makes sense, since each individual is morally (and materi- ally?) responsible for what he decides to publish, whether it is a highly per- sonal recipe for making a nuclear device or an objective method fur curing can- cer. From a scientific point of view, one may argue just the opposite. At any rate, private property rights and public information rights should remain in balance, as the Dutch events have demonstrated. A paper "Going Dutch between Copyright and Droit d'Auteur" on some of these issues will appear in Computer Law & Practice (London) 5(1988)2 [special issue on the European Communities' Green Paper]. Herman J. Woltring Study-committee on Software and Chips Protection, Netherlands Association for Computers and Law, wwtmhjw@heitue5.bitnet, na.woltring@na-net.stanford.edu Biomedical & Health Technology Software Engineering Department Eindhoven University of Technology Philips Medical Systems The Netherlands The Netherlands [A disclaimer indemnifying an employer or other party is not required under the Berne Convention!] [The Duesseldorf case is in SIGSOFT Software Engineering Notes (SEN) 10 3 1985, and the Therac 25 radiation therapy case is discussed in SEN 11 3 and 12 3, 1986 and 1987, respectively.] ------------------------------ Date: Tue, 13 Dec 88 13:56 EST From: Boebert@DOCKMASTER.ARPA Subject: New EMI Shielding Material I just had an opportunity to examine a description and a sample of a new EMI shielding material called SAFENSHIELD from International Paper. This is a nonwoven fabric that looks a lot like the old "silkspan" we used to cover model airplanes in days of yore ... also the material teabags are made out of. The fabric has an embedded metallic substance which provides the shielding; can be put up like wallpaper, does not require bonding, and comes in two grades; the heavy grade is about $2.25 a square foot in small quantities, and is solderable. Attenuation specs look impressive. Brochure states that it is being used to shield Pontiac Fiero radios from ignition emissions. It must be a pretty new material because it is being sold from the corporate research center instead of a product division of International Paper. Point of contact in brochure is David Diermeier, (914) 577 7447. I don't know anything about this stuff except what is in the sales literature, but if it lives up to its specs it sure looks like a cheap and easy countermeasure to a variety of EMI RISKS. ------------------------------ End of RISKS-FORUM Digest 7.96 ************************