RISKS-LIST: RISKS-FORUM Digest  Monday 6 March 1989  Volume 8 : Issue 35

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  NASA to replace top-level personnel with Expert Systems (Dave Davis)
  A Touching Faith in Technology (Ruaridh Macdonald)
  Computer catches thief (Randall [!] Davis)
  Computer espionage: 3 `Wily Hackers' arrested (Klaus Brunnstein)
  Re: West German Hackers (Dana Kiehl)
  The word "hacking" (Geoffrey Knauth, Rao V. Akella)
  747 Simulators Can't Simulate Flight 811 Failures (Scot E Wilcoxon)
  Viruses in the comics (Peter Merel, Tom Parker, Len Levine, Guy Robinson)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) /
  get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99).

----------------------------------------------------------------------

Date: Mon, 06 Mar 89 12:52:29 -0500
From: dave davis
Subject: NASA to replace top-level personnel with Expert Systems

From the 6 March New York Times, page 1, comes a news item that NASA faces the
possibility of retirement of ALL of its senior and top-level managers,
engineers and scientists within five (5!) years. To address this, NASA plans
to continue a trend that it has already been implementing. That is, it will
seek to capture expert knowledge via expert systems, and where it can, replace
people with embedded systems containing this expertise.

Currently, NASA is utilizing such systems to perform Space Shuttle fueling and
monitoring, countdown diagnostics (some risks there...), and telemetry
monitoring and interpreting. For example, NASA says that it can take two years
to train an individual to interpret a data stream from a satellite (after
which he/she is probably a bit warped). NASA was able to completely replace
the console operator in an example of this with an embedded system which
included friendlier user display and interpretive knowledge.

The article points out that not all of those eligible for retirement will take
it; however, if this program is successful, the decision may be made for some
of them.

Many of the technical risks of such a program are numerous and obvious. One
which may not be quite so obvious is stagnation, that is, how will NASA
incorporate new knowledge into its systems and how will such knowledge be
developed and recognized. This may be a non-problem, in that previous
technological advances (see the steam engine) taught us more than was ever
expected when they were invented.

Dave Davis, MITRE Corp., 7525 Colshire Dr, McLean, VA 22102

------------------------------

Date: 6-MAR-1989 12:15:22 GMT
From: MACDONALD@hermes.mod.uk
Subject: A Touching Faith in Technology

The question of whether we in the U.K. should carry identity cards is
currently being debated, particularly in the press. It has been stirred up by
the Government's intention to introduce identity cards for attendees at
football matches, as part of an attempt to curb hooliganism. The following
appeared as the leading article in The Times on 10th February (reproduced
without permission), and shows a touching, if misplaced, faith in technology
by non-technologists. (The highlighting is my own.)

"British suspicion of identity cards is deeply rooted. But it is not as
profound as is commonly supposed, according to a survey out today.

"Identity cards were compulsory during and immediately after the Second World
War. ...
57 per cent of those questioned in today's survey were in favour ...

". . . everyone has a unique collection of official numbers, including a
health service number, a national insurance number, a passport number, another
on their driving licence and one issued by the Inland Revenue. However free
and libertarian people might feel, they are deeply enmeshed by 20th century
bureaucracy - and for the most part accept their fate without complaint.

"The adoption of an identity card, at least on a voluntary basis, which would
carry such numbers - name, date of birth, nationality, signature and perhaps
blood group - would surely be an advantage for everybody. In one sense it
would be a master key. GIVEN THAT TECHNOLOGY SHOULD MAKE IT IMPOSSIBLE TO
FORGE THEM, such cards could quickly establish one's bona fide. . . ."

Ruaridh Macdonald

------------------------------

Date: Sun, 5 Mar 89 15:25:10 est
From: davis@wheaties.ai.mit.edu [RANDALL Davis, PLEASE identify yourself!]
Subject: Computer catches thief

In Risks 8:31, Michael C Polinske gives us the newspaper story of two men
caught stealing long distance telephone service, that ran with the headline:

   2 MEN ACCUSED OF `HACKER' CRIME

Interesting that the theft of service via hacking gets all the attention, when
part of the story (reproduced below) makes it clear that the headline could
equally well have been:

   COMPUTER CATCHES TWO STEALING PHONE SERVICE

... The company's computer keeps track of all calls that are rejected because
of an improper access code. Clients dialing incorrectly would cause 10 to 30
rejected calls a month, but sometime last year the number jumped to 1,000 or
2,000 per month. Computer printouts showed the unknown parties were repeatedly
dialing the computer and changing the access code sequentially, Reddin said.
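
The two signals in the story quoted above, a monthly count of rejected calls
far above the usual 10 to 30 and access codes tried one after another in
sequence, can be checked mechanically. The Python below is an added example,
not part of the original digest and not the phone company's system; the record
layout, month labels, sample codes and the run threshold of 5 are constructed
assumptions.

```python
from collections import defaultdict

BASELINE_MAX = 30  # story: clients' misdials cause 10 to 30 rejected calls a month
MIN_RUN = 5        # assumed threshold: this many codes in a row, each previous + 1

def longest_sequential_run(codes):
    """Longest stretch, in arrival order, where each code is the previous + 1."""
    best = run = 1 if codes else 0
    for prev, cur in zip(codes, codes[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def analyse(rejects, baseline_max=BASELINE_MAX, min_run=MIN_RUN):
    """rejects: (month, access_code) pairs in arrival order -> per-month findings."""
    by_month = defaultdict(list)
    for month, code in rejects:
        by_month[month].append(int(code))
    report = {}
    for month, codes in by_month.items():
        run = longest_sequential_run(codes)
        report[month] = {
            "rejected": len(codes),
            "over_baseline": len(codes) > baseline_max,
            "longest_run": run,
            "sequential_guessing": run >= min_run,
        }
    return report

def build_sample():
    """Constructed records: a normal month of misdials, then a month with a sweep."""
    misdials = [482913, 482931, 120774, 907315, 338402, 338420,
                771560, 615098, 250047, 964331, 103876, 549210]
    quiet = [("1988-03", code) for code in misdials]
    busy = []
    for i in range(1200):
        busy.append(("1988-09", 400000 + i))              # code stepped by one
        if i % 300 == 299:
            busy.append(("1988-09", misdials[i // 300]))  # ordinary misdial mixed in
    return quiet + busy

if __name__ == "__main__":
    for month, finding in sorted(analyse(build_sample()).items()):
        print(month, finding)
```

The volume check alone would also fire on a burst of ordinary misdials; the
sequential-run check is what separates a sweep through the code space from
clients dialing incorrectly.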

------------------------------

Date: 02 Mar 89 21:43 GMT+0100
From: Klaus Brunnstein
Subject: Computer espionage: 3 `Wily Hackers' arrested

Today (February 2nd, 1989), 3 hackers have been arrested in Berlin, Hamburg
and Hannover, and they are accused of computer espionage for the Soviet KGB.
According to TV magazine `Panorama' (whose journalists have first published
the NASA and SPANET hacks), they intruded scientific, military and industry
computers and gave passwords, access mechanisms, programs and data to 2 KGB
officers; among others, intrusion is reported of the NASA headquarters, the
Los Alamos and Fermilab computers, the US Chief of Staffs data bank OPTIMIS,
and several more army computers. In Europe, computers of the French-Italian
arms manufacturer Thomson, the European Space Agency ESA, the Max Planck
Institute for Nuclear Physics in Heidelberg, CERN/GENEVA and the German
Electron Accelerator DESY/Hamburg are mentioned. Report says that they earned
several 100,000 DM plus drugs (one hacker evidently was a drug addict) over
about 3 years.

For the German Intelligence authorities, this is `a new quality of espionage'.
The top manager said that they had awaited something similar but are
nevertheless surprised that it happened so soon and with such broad effects.

Summarizing the different events which have been reported earlier - NASA and
SPANET hacks, Clifford Stoll's report of the `Wily Hacker' - I regard this as
essentially the final outcome of the Wily Hackers story (with probably more
than the 3 which have now been imprisoned). It is surprising that the
Intelligence authorities needed so long a time (after Cliff's CACM report, in
May 1988!) to finally arrest and accuse these crackers.

Moreover, the rumors according to which design and production plans of a
Megabit chip had been stolen from Philips/France computers seem to become
justified; this was the background that CCC hacker Steffen Wernery had been
arrested, for several months, in Paris without being accused. CAD/CAM programs
have also been sold to KGB.

Klaus Brunnstein
University of Hamburg/FRG

   [There were numerous articles on this topic over the weekend. Because
   almost every paper had a little something, our coverage here will remain
   light until we have some more definitive reports. PGN]

------------------------------

Date: Fri, 3 Mar 89 09:36 EST
From: Dana Kiehl
Subject: re: West German Hackers

Regarding today's (3rd of March) news on the West German Hackers who got money
and drugs from the KGB: If the story is accurate, this brings up another point
about hacking: they could be working for the enemy. Some people consider
hackers as harmless pranksters or not much of a threat but this story shows
that the bugger running around your system may very well be working for your
competitor or even the other side. Scary thought

------------------------------

Date: Fri, 3 Mar 89 10:14:09 EST
From: lloyd!sunfs3!geoff@hscfvax.harvard.edu (Geoffrey Knauth)
Subject: The word "hacking" (RISKS-8.33)

I object strongly to Peter Large's use of the words "hacking" and "hacker" in
a continually negative context, especially since he proposes to outlaw
"hacking." Much hacking is wonderful for society. Take Richard Stallman, for
example, the driving force behind GNU and the Free Software Foundation. He is
a dedicated hacker in the best sense of the word, and I only wish I could hack
so well. I cannot accept statements which confuse productive hacking with
harmful acts.

------------------------------

Date: 03/03/89 19:28:42
From: "Rao V. Akella"
Subject: [RISKS] `Hey...Who are you calling a "hacker"?' (RISKS-8.33)

> Computer hacking should be made a criminal offence, the CBI said yesterday...

Hey, hey, wait a minute...since when has the term "hacker" become synonymous
with "criminal"? I strongly object to the insinuation that ALL hackers are
criminals. I personally consider the appellation "hacker" to be a badge of
honour. I would dearly like to call myself "hacker", but in my own opinion I'm
not good enough yet. I would love it if anyone called me a "hacker" (I badly
want someone to, but no one has - yet.)

According to Steven Levy's "Hackers", the term "hacker" was coined at MIT in
the 1950s, and it implied 'serious respect', 'innovation, style and technical
virtuosity' and 'artistry'. Why has this word come to stand for serious
wrong-doing today?

Today's (March 3rd, 1989) NBC Nightly News with Tom Brokaw had a story about 3
West German "computer hackers" being convicted (and 5 other "hackers" being
charged) for providing the Soviets with sensitive computer passwords. Why is
it that a computer programmer automatically becomes a "hacker" when it
involves a crime? Why couldn't they have reported '...3 West German computer
programmers have been convicted...'?

If some of you think that I'm making a mountain out of a molehill, then I
demand that all programming job classifications be renamed to "Applications
Hacker", "Systems Hacker", and so on. It would make at least me very happy.

In my humble opinion, this much maligned word is becoming as overused and
abused as that other overloaded operator of the late 1980s: "computer virus".

Rao Akella, Research Assistant, University of Minnesota
CCCSRAO@UMNHSNVE.BITNET

------------------------------

Date: 5 Mar 89 04:00:27 GMT
From: sewilco@datapg.mn.org (Scot E Wilcoxon)
Subject: 747 Simulators Can't Simulate Flight 811 Failures

The Wall Street Journal of March 1 1989, page 1, had an article on United's
Flight 811 which mentions:

"The Role of Skill Training prepares airline pilots for all sorts of
emergencies, but nothing like the one Flight 811 encountered.
There aren't any simulator programs for losing two engines on the same wing of
a 747, let alone flying with a 10-by-25 foot hole in the fuselage."

The wording of "on the same wing" suggests there are simulators which allow
one engine on each wing to be lost, so the possibility of multiple engine
failure has not been completely overlooked. The article later points out there
is no way to prepare for all the possible things that can go wrong.

Scot E. Wilcoxon  sewilco@DataPg.MN.ORG  {amdahl|hpda}!bungia!datapg!sewilco
Data Progress  UNIX masts & rigging  +1 612-825-2607  uunet!datapg!sewilco

------------------------------

Date: Sun, 5 Mar 89 23:58:16 AES
From: pete@attila.oz.au (Peter Merel)
Subject: Viruses in the comics

Viruses and other nefarious hacker activities have been included as plot
devices in DC's revival of 'The Shadow'. In this book The Shadow has returned
from Shambhalla (sp?) to the West after an absence of over 40 years to carry
on his war on the evil that men do. Two of the new agents recruited into his
service belong to a hacker consortium calling itself 'The Shadownet'.

While the book is not intended as any sort of explication of hacking
activities or computer activities in general, I've not seen any outright
mistakes in its presentation of hacking. Of course I'm not sure whether it is
really that easy to hack into the Orbital Mind Control Lasers.

Worth a read if you're interested in the RISKS to society of coordinated
networks of technically competent people. Also hysterically funny.

"The weed of crime bears bitter fruit..."

------------------------------

Date: 3 Mar 89 22:33:25 MST (Fri)
From: firewind%xroads%sunburn@sun.UUCP (Tom Parker)
Subject: Viruses in the comics

I can think of a few examples of computer virii in the comics. In a
semi-recent issue of "Alpha Flight", the story revolves around a virus whose
function is to "transfer credits to author". The virus is "written in machine
code so it can infect any machine".
In a not so recent issue of Iron Man, a "tapeworm" is introduced into the
world's computer network to erase certain blueprints wherever they might
appear. In both instances the virii are portrayed as invincible and able to
infect any computer.

I'm afraid that any depiction of viruses in the comics is going to be
simplistic and pretty much out of touch with reality.

Tom

------------------------------

Date: Fri, 3 Mar 89 11:27:38 CDT
From: "Len Levine"
Subject: Viruses in the comics

Kelly, a cartoonist in the San Diego Union posted a cartoon recently with
several panels discussing the danger of swapping floppies with comments from
the cartoon characters like:

   He:  I think we should do it.
   She: No way, I hardly know you.
   He:  Come on, you only live once.
   She: No way, there are too many viruses out there.
   He:  You know you want to.
   She: The threat of infection mortifies me.
   He:  _Please_!
   She: Well maybe, just this once.
   He:  [he hands her a floppy]
   She: Trading software is so risky these days.

This is good educational technique. It gets the point across.

Leonard P. Levine                  e-mail len@evax.milw.wisc.edu
Professor, Computer Science        Office (414) 229-5170
University of Wisconsin-Milwaukee  Home   (414) 962-4719
Milwaukee, WI 53201 U.S.A.         Modem  (414) 962-6228

------------------------------

Date: 6 Mar 89 02:47:04 PST (Monday)
From: "Guy_Robinson.SBDERX<"@Xerox.COM
Subject: Intelligent treatment of viruses in comics

Marvel Comics traditionally deal with computers in a very intelligent way.
Very often the younger intelligent "super-heroes" are seen using computers for
both work and recreation. This is not to say something totally unfeasible
happens from time to time but this simply requires suspension of disbelief.

The example in point I want to use is the current storyline concerning the
Vision, an android. Due to a previous severe computer crime the Vision was
kidnapped and stripped bare of all software.
To prevent a simple back-up being taken a virus was used to destroy all saved
copies of the Vision's personality. This virus propagated itself around
several machines to ensure the task was completed.

One problem this situation raised was that the Vision's human WIFE was a
little distraught! Could this be a whole new type of RISK to bear in mind?

Guy

------------------------------

End of RISKS-FORUM Digest 8.35
************************