RISKS-LIST: RISKS-FORUM Digest Thursday 13 April 1989 Volume 8 : Issue 56 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Student grants debited instead of credited (John Harper) Electronic Truant Officers (Mike McNally) "Virus" arrest in New Jersey (A. Michael Berman) H.D. Thoreau on Risks of Believing Computations (David A Honig) Knowledge and Power (David Guaspari) "Malicious" computers? (Clifford Johnson) Re: Infallible Computers and Mason (Jack Holleran) HP MPE V/E Batch Security (Brown) More on the Sun 386i security hole (David C. Kovar via Alan Wexelblat) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. * RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99). ---------------------------------------------------------------------- Date: Thu, 13 Apr 89 16:58:30 NZT From: John Harper Subject: Student grants debited instead of credited Student grants in New Zealand are now paid by direct credit from the university's bank account to the student's. On Tuesday Victoria University sent a tape with the details to its bank, the Bank of NZ, which passed it on to Databank, the NZ banks' centralised computer centre. One (human) error meant the university was apparently asking for debits of a total of about $2,000,000 from some 4700 students instead of credits to their accounts. Databank did this although of course the university was not authorised to debit the students. According to today's "Dominion" newspaper BNZ may have spotted the error. On Wednesday a certain amount of chaos ensued, with students' banks saying all their cheques would be honoured that day and no overdraft fees applied. Corrections were made that night. It seems that Databank had no senior staff on duty on Tuesday night when the wrong transactions occurred, and guessed wrong on finding conflict between BNZ and Victoria University of Wellington instructions. John Harper, Mathematics Department, Victoria University, Wellington, NZ ------------------------------ Date: Thu, 13 Apr 89 11:18:43 PDT From: m5@lynx.uucp (Mike McNally) Subject: Electronic Truant Officers During a recent episode of the PBS series "Learning in America", the cameras were taken through a trade show at which computer and software vendors pitched high-tech teaching aids to school board purchasing agents. Aside from possible (and clearly debatable) RISKs to the brains of American schoolchildren (my child was taught by a computer; she must always be right!), a more ominous idea was presented. A company whose name I cannot recall was demonstrating a software system to track attendance. It included a feature whereby parents would be automatically notified (by mail, I suppose) of their childrens' absences: "Where were you last week?!?" "In school, mom!" "Wrongo! The school computer says you were absent 12 days last week!" (**whack**) Mike McNally, Lynx Real-Time Systems [Incorporeal banishment leads to corporal punishment! PGN] ------------------------------ Date: Thu, 13 Apr 89 10:03:47 EDT From: berman@pilot.njin.net (A. Michael Berman) Subject: "Virus" arrest in New Jersey From the Phila. Inquirer, April 12, 1989. Page One, New Jersey/Metro section. "Ex-worker charged in virus case -- Databases were alleged target", by Jane M. Von Bergen, Inquirer Staff Writer A former employee was charged yesterday with infecting his company's computer database in what is believed to be the first computer-virus arrest in the Philadelphia area. "We believe he was doing this as an act of revenge," said Camden County Assistant Prosecutor Norman Muhlbaier said [sic] yesterday, commenting on a motive for the employee who allegedly installed a program to erase databases at his former company, Datacomp Corp. in Voorhees [N.J.]. Chris Young, 21, of the 2000 block of Liberty Street, Trenton, was charged in Camden County with one count of computer theft by altering a database. Superior Court Judge E. Stevenson Fluharty released Young on his promise to pay $10,000 if he failed to appear in court. If convicted, Young faces a 10-year prison term and a $100,000 fine. Young could not be reached for comment. "No damage was done," Muhlbaier said, because the company discovered the virus before it could cause harm. Had the virus gone into effect, it could have damaged databases worth several hundred thousand dollars, Muhlbaier said. Datacomp Corp., in the Echelon Mall, is involved in telephone marketing. The company, which has between 30 and 35 employees, had a contract with a major telephone company to verify the contents of its white pages and try to sell bold-faced or other special listings in the white pages, a Datacomp company spokeswoman said. The database Young is accused of trying to destroy is the list of names from the phone company, she [sic] said. Muhlbaier said that the day Young resigned from the company, Oct. 7, he used fictitious passwords to obtain entry into the company computer, programming the virus to begin its destruction Dec. 7 --- Pearl Harbor Day. Young, who had worked for the company on and off for two years --- most recently as a supervisor --- was disgruntled because he had received some unfavorable job-performance reviews, the prosecutor said. Eventually, operators at the company picked up glitches in the computer system. A programmer, called in to straighten out the mess, noticed that the program had been altered and discovered the data-destroying virus, Muhlbaier said. "What Mr. Young did not know was that the computer system has a lot of security features so they could track it back to a particular date, time and terminal," Muhlbaier said. "We were able to ... prove that he was at that terminal." Young's virus, Muhlbaier said, is the type known as a "time bomb" because it is programmed to go off at a specific time. In this case, the database would have been sickened the first time someone switched on a computer Dec. 7, he said [note -- it makes me kind of sick to see the term "sickened" applied to a database... sigh] Norma Kraus, a vice president of Datacomp's parent company, Volt Information Sciences Inc, said yesterday that the company's potential loss included not only the databases, but also the time it took to find and cure the virus. "All the work has to stop," causing delivery backups on contracts, she said. "We're just fortunate that we have employees who can determine what's wrong and then have the interest to do something. In this case, the employee didn't stop at fixing the system, but continued on to determine what the problem was." [hear, hear!] The Volt company, based in New York, does $500 million worth of business a year with such services as telephone marketing, data processing and technical support. It also arranges temporary workers, particularly in the data-processing field, and installs telecommunication services, Kraus said. [As usual, everything is now a `virus', even a nonreplicating timebomb. PGN] ------------------------------ Date: Thu, 13 Apr 89 17:28:16 -0700 From: David A Honig Subject: H.D. Thoreau on Risks of Believing Computations From Walden, Ch. 1 "Economy": ..to keep yourself informed of the state of the markets, prospects of war and peace every where, and anticipate the tendencies of trade and civilization , --taking advantage of the results of all exploring expeditions, using new passages and all improvements in navigation; ---charts to be studied, the position of reefs and new lights and buoys to be ascertained, and ever, and ever, the logarithmic tables to be corrected, for by error of some calculator the vessel often splits upon a rock that should have reached a friendly pier... ------------------------------ Date: Thu, 13 Apr 89 15:26:23 EDT From: oravax!nestor.UUCP!davidg@wrath.cs.cornell.edu Subject: Knowledge and Power Corrections to some semi-philosophical remarks in a recent posting: Hugh Miller, Not Secure Agencies, in RISKS-8.55: > The classical philosophers held that knowledge is power. If we give "classical" its usual meaning, no such philosopher "held that power is knowledge" (or, at any rate, none known to me). The famous aphorism comes from Bacon, and what he was doing was proposing a radically new definition: that nothing counts as true knowledge unless it enables us to intervene in and control the material world. All the rest was mumbo-jumbo. This was part of an explicit attack on (more or less) everybody who preceded him, especially the Schoolmen. Note: There's a meta-problem with phrases like "the classical philosophers [believed this or that]" -- for the simple reason that there were many different ones, and they often disagreed. > 'Information' in the modern sense is much more structured ... than the classical notion of 'knowledge' allowed. Comparing information and knowledge is like asking whether the fatness of a pig is more or less green than the designated hitter rule. Let's take Plato and Aristotle as exemplars of "classical" views on "knowledge." For both of them, knowledge concerns the highest truths about the cosmos and mankind's place in it, and is aspired to by the very best kind of human being. Such cannot be said of lists of social security numbers. David Guaspari ------------------------------ Date: Thu, 13 Apr 89 16:45:19 PDT From: "Clifford Johnson" Subject: "Malicious" computers? From: ficc!peter@uunet.UU.NET > One thing to bear in mind is that the computer can be mistaken, but > it can't be malicious. The computer program won't deliberately try to defraud Hmmm. Depends on your definition of "malicious." A large bank I worked for was found in court to have programmed its computers so as to systematically defraud its customers of their full compound interest. Whether the program into which the fraud was built was "malicious" is largely a matter of terminology. Let me turn the issue around somewhat - can a computer recognize "malice" in a person? Believe it or not, some computerized psychological tests (that are regularly admissible in court as evidence) purport to be able to diagnose malicious tendencies. I was once compelled by a court to submit to such an examination, despite my academic protest that such tests were scientifically invalid (which was established statistically in the 1960s). The computer reported that I didn't have a sense of humor, which I still find amusing. However, the widespread use of such tests is definitely not amusing. ------------------------------ Date: Thu, 13 Apr 89 10:06 EDT From: Jack Holleran Subject: Re: Infallible Computers and Mason (RISKS-8.54) In reference to Dave Curry's response about the guy on the stand. Mason doesn't have to prove he was guilty of the crime; he has to prove that his client is not guilty. Ergo, it wouldn't matter if the guy on the stand denied everything and forced Mason to prove anything. The bottom line is Mason by discussing the "directory" could introduce some doubt to the District Attorney`s argument. Normally, if the case is not provable "beyond a reasonable doubt", a verdict of "not guilty" is usually given. Of course, since Mason always does such a good job, the DA doesn't have to work hard for the next trial. But then again, Mason might defend the "guilty" guy successfully since "was the directory acquisition legal"? So much for supporting Mason writers... I agree strongly with Dave's arguments since many people do accept computer printouts as infallible facts and gospel. I wonder how many RISK debates are accepted because they appear in the RISK forum... I also wonder how many people use the RISKS forum discussions/debates to support local opinions... The computer word/document/listing has become a very powerful tool (just like statistics) and many people use it to their advantage. Jack Holleran (This is strictly an opinion not based on anything legal.) ------------------------------ Date: Thu, 13 Apr 89 08:43:46 -0700 From: brown@aerospace.aero.org Subject: HP MPE V/E Batch Security I'd like to respond to a posting by Brian McMahon, Administrative Computing, University of Maryland in which he states : "May I add to the list of flagrant security violators the Hewlett Packard Corporation? Under MPE/V (the current OS for HP/3000 machines), all batch jobs must begin with a JOB card (those of you living in the late 1980s, substitute "line of text") which contains user and group passwords in plain text. "Interestingly, one of our systems programmers (who shall remain nameless) spoke of this as a FEATURE, because it allows users to submit batch jobs for other accounts!" The C2 evaluated version of MPE V/E, which was announced in October of 1988, allows the security administrator to configure the system to remove this vulnerability. In particular, to quote from the Final Evaluation Report: "Prevention of password exposure in batch submissions is effected by rejecting embedded passwords in job cards, prohibiting cross streaming [mentioned in the second paragraph above], and allowing System Manager and Account Manager to stream subordinate's jobs, and a user to stream one's own jobs, without having to supply passwords. A privileged interface, STREAMJOB, is provided which allows privileged mode programs to start jobs without having to supply passwords." Obviously, word hasn't gotten out to everyone about how the C2 secure version of MPE V/E works, but I know it does since I was team leader of the National Computer Security Center evaluation team. It is true that a customer must pay extra to get the Security Configurator software which will turn on the above features, but the ability to prevent job STREAMing with exposed passwords is there in all versions of release G.03.04 and later. You have to have the Security Configurator to configure it that way; otherwise it will default to the previous way of handling STREAMing, which requires embedded passwords. This is known as backward compatibility, and HP is hardly the first company to worry about that. ------------------------------ Date: Wed, 12 Apr 89 16:59:41 CDT From: "Alan Wexelblat" Subject: More on the Sun 386i security hole Taken from Sun-nets again: Date: Wed, 12 Apr 89 15:48:28 -0400 From: -David C. Kovar Subject: Re: Security hole in 386i login Reply-To: daedalus!kovar%husc4@talcott.harvard.edu Several phone calls to Sun later ... Someone at Sun claims that it is a "known security hole in 4.0.1 and will be patched in the next release due out at the end of May." I pointed out that it was more like a known security trapdoor feature and there wasn't much argument on the point. [...] -David C. Kovar Technical Consultant ARPA: kovar@husc4.harvard.edu Office of Information Technology BITNET: corwin@harvarda.bitnet Harvard University Ma Bell: 617-495-5947 ------------------------------ End of RISKS-FORUM Digest 8.56 ************************