RISKS-LIST: RISKS-FORUM Digest Tuesday 7 November 1989 Volume 9 : Issue 39 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Computer used to find scoflaws in Boston (Barry C. Nelson) Air Traffic in Leesburg VA (PGN) Equinox TV Documentary on "Fly By Wire" (Brian Randell) Lifethreatening risk! (related to Soviet PCs) (Julian Thomas) New computer risk: child abuse data base proposed (W. K. (Bill) Gorman) Dangers of mail aliases (Jonathan Leech) Committee report on Bugs (Bob Morris) Computer Viruses Attack China (Yoshio Oyanagi) First Virus Attack on Macs in Japan (Yoshio Oyanagi) NTT Challenges Hackers (Mark H. W.) Even COBOL programmers need to know about range checking. (Bryce Nesbitt) Unix Expo Power Failure (Jan I Wolitzky) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. TO FTP VOL i ISSUE j: ftp CRVAX.sri.comlogin anonymousAnyNonNullPW cd sys$user2:[risks]get risks-i.j . Vol summaries now in risks-i.0 (j=0) ---------------------------------------------------------------------- Date: Sun, 5 Nov 89 13:14:43 EST From: "Barry C. Nelson" Subject: Computer used to find scoflaws in Boston A news article in the Boston Globe [last Sunday 29 October, with photo] describes a new computer system, named Argus (after a mythical multi-eyed and vigilant beast), which is being used to catch local drivers with stolen license plates. The innovation is that a sensor is used to observe license plates and a program turns the image into numbers (so they claim). A database is then searched and a match signalled to the operator. The system is set up at a toll booth at the harbor tunnel and the suspect is somehow pulled over by the State Police at the other end as the car emerges. The article goes on to quote the operators as saying they have proven the system "works" by matching on six offenders in one day. Unfortunately, five of the six were errors caused by Registry backlog or other policy inconsistencies such as re-using old numbers for new car owners. The sixth case was bona fide. Their current experiment uses one camera and a floppy database of some 40,000 registrations. They say they are looking forward to installing the list of 200,000 suspended licenses or registrations and increasing the number of cameras to enable them to watch all eight lanes. When five out of six hits are human errors, imagine the complaints! It can be very humiliating to be hauled out of your car and treated like a felon. This could turn out to be embarrassing for the overworked database managers. At least we can look forward to less tunnel traffic someday as Argus evaders find alternate routes. BCNelson "Opinions contained herein are my own, etc..." ------------------------------ Date: Tue, 7 Nov 1989 12:17:57 PST From: Peter G. Neumann Subject: Air Traffic in Leesburg VA Friday evening's air traffic around Washington DC was awful. As most of you now know, both the primary computer system AND the backup were seriously degraded for at least two hours during the evening rush hour, stacking up and backing up air traffic extensively. (I was in DC that day. I'm at MIT today, Home tonight, hopefully.) The scuttlebutt seems to blame a buffer overflow, but I hope someone can contribute the real inside story. ------------------------------ Date: Mon, 6 Nov 89 10:28:39 BST From: Brian Randell Subject: Equinox TV Documentary on "Fly By Wire" Last night the one-hour TV documentary in the Equinox series, entitled "Fly By Wire" was shown on Channel 4 in the UK. Since it was identified as "A Box Production for Channel 4, in association with WGBH/Boston, copyright 1989", I assume it will soon be shown in the States; I recommend looking out for it. In my opinion it provided a reasonably complete and well-balanced (and also visually very attractive) account of the various incidents and opinions surrounding the A320, using a lot of well-chosen film clips, together with interviews with, or at least "sound-bites" from, about twenty different people. >From Airbus Industrie there was Bernard Ziegler (VP Engineering), Roger Betaille, and Gordon Corps (Engineering Test Pilot) and, from Aerospatiale, Gilles Pichon (Chief Engineer A320) and Jacques Troy (Flight Control Manager). Four A320 pilots took part, including Michel Asseline, who alleged that his crash was due to the control-system over-riding his command to the plane to ascend. (The others were somewhat critical of the flight control system, but did not back up this allegation.) The computing science community was represented by Mike Hennell, Bev Littlewood, John Knight, and John Cullyer. There were also representatives from Boeing, the FAA, CAA and DGAC, and Flight International. The overall impression given was (i) that Airbus had been rather daring in introducing fly-by-wire, but had probably got away with it, and (ii) that their rivals would now follow suit, but that the next logical step, that of active control, was even more controversial and should not be rushed. Brian Randell, Computing Laboratory, University of Newcastle upon Tyne, UK ------------------------------ Date: 03 Nov 89 21:14:32 EST From: Julian Thomas <72355.20@CompuServe.COM> Subject: Lifethreatening risk! (related to Soviet PCs) Seen on another news digest service (not in the original): >From the Financial Times and the Daily Telegraph (UK) - articles about the Soviet Union studying a proposal to import lots of PC equipment for educational use. "The soaring demand for scarce PCs has swollen the Soviet crime rate, and PC owners have even been murdered for their machines." Lock up your machines, gang, and compute only in the dark! Julian Thomas ------------------------------ Date: Wed, 01 Nov 89 08:32:26 EST From: "W. K. (Bill) Gorman" <34AEJ7D@CMUVM.BITNET> Subject: new computer risk: child abuse data base proposed According to a news release heard a day or two ago, MI is now considering legislation permitting local communities to establish and maintain data bases of "suspected" child abusers, or those meeting another of the nebulous "profiles" used to identify all sorts of persons and ethnic groups in our society. Aside from permitting hearsay from neighbors, teachers, co-workers, associates and assorted third parties to be entered and disseminated about any particular individual or family, the framers of this legislation are also attempting to gain back-door access to medical records. One profile criteria disclosed for "identifying" child abusers is use of multiple doctors/hospitals by the same family. Physicians are threatened with legal sanctions for not reporting the simple fact that one or another patient HAS SEEN ANOTHER PHYSICIAN without their knowledge/blessing. I don't think that implies any sort of involvement by Physicians or the AMA in this legislation. Obviously, the privacy considerations and potential for misuse and/or malicious use, such as slanderous reports by neighbors against an unpopular neighborhood resident, inherent in this legislation are enormous. ------------------------------ Date: Wed, 1 Nov 89 18:43:52 EST From: Jonathan Leech Subject: Dangers of mail aliases Yesterday, I was surprised to find over a dozen messages from the internal technical mailing list of a company I worked for in 1982 in my inbox. As it turned out, the reason was that the mail alias a friend at this company used for me was duplicated in the systemwide alias file for a new employee. Fortuitously, nothing which was a sensitive matter (save for their code indenting style :-) happened to be discussed in the block of messages I received. Jon Leech (leech@cs.unc.edu) ------------------------------ Date: Fri, 3 Nov 89 10:05 EST From: RMorris@DOCKMASTER.NCSC.MIL Subject: Committee report on Bugs The congressional committee on Science, space, and technology issued this weed a staff study entitled "Bugs in the Program: Problems in Federal Government Computer Software Development and Regulation". It is worth reading for those interested in risks. It is 33 pages long and I am not about to type any part of it in. It is available from the Sup of Documents, Congressional Sales Office, U.S.G.P.O, Wash., D.C. 20402. It does not have a reference number. ------------------------------ Date: Mon, 6 Nov 89 12:15:25+0900 From: Yoshio Oyanagi Subject: Computer Viruses Attack China Ministry of Public Safety of People's Republic of China found this summer that one tenth of the computers in China had been contaminated by three types of computer virus: "Small Ball", "Marijuana" and "Shell", China Daily reported. The most serious damage was found in the National Statistical System, in which "Small Ball" spread in 21 provinces. In Wuhan University, viruses were found in *ALL* personal computers. In China, three hundred thousand computers (including PC's) are in operation. Due to premature law system the reproduction of software is not regulated, so that computer viruses can easily be propagated. Ministry of Public Safety now provides "vaccines" against them. Fortunately, those viruses did not give fatal damage to data. Yoshio Oyanagi, University of Tsukuba, JAPAN ------------------------------ Date: Tue, 7 Nov 89 17:07:09+0900 From: Yoshio Oyanagi Subject: First Virus Attack on Macs in Japan First Virus Attack on Macs in Japan Six Macs in University of Tokyo, Japan, were found to have caught viruses, newspapers and radio reported. Since this September, Prof. K. Tamaki, Ocean Research Institute, University of Tokyo, has noticed malfunctions on the screen. In October, he applied vaccines "Interferon" and "Virus Clinic" to find his four Mac's were contaminated by computer viruses, "N Virus" type A and type B. He then found ten softwares were also infected by viruses. A Mac of J. Kasahara, Earthquake Research Institute, University of Tokyo, was also found to be contaminated by N Virus and Score Virus. Those are the first reports of real viruses in Japan. Later it was reported that four Mac's in Geological Survey of Japan, in Tsukuba, were infected by N Virus Type A. This virus was sent from U. S. together with an editor. Yoshio Oyanagi, University of Tsukuba ------------------------------ Date: 1 Nov 89 21:55:26 GMT From: markw@gvl.unisys.com Subject: NTT Challenges Hackers [A copy of the following article appeared on one of our bulletin boards here at work. I have no idea when or where it was originally published - MHW] NTT: Calling All Hackers Tokyo - Nippon Telegraph and Telephone Corp. has issued a provocative challenge: the Japanese communications giant will give 1 million yen ($6803) to any computer hacker anywhere in the world who can break its FEAL-8 data communications security code by August 1991. Why the unusual move? The company wants to debunk a rumor circulationg in Europe that its security code has been cracked. The FEAL-8 code, developed by NTT in 1986, is widely used in Japan and overseas to protect datacom systems and integrated circuit cards from illegal access. ------------------------------ Date: Fri, 3 Nov 89 17:40:53 EST From: bryce@cbmvax.commodore.com (Bryce Nesbitt) Subject: Even COBOL programmers need to know about range checking. Last week I received this letter from my bank: GREAT NEWS FOR THE HOLIDAYS! Dear Bryce C. Nesbitt: You are important to us. And, because of the excellent way you've handled your finances, we are pleased to increase the credit limit on your Meridian Open Line of Credit to $0. Now you have more buying power when you need it most - in time for the holidays. ... Thanks a lot. Before the promotion my credit limit was $5,000.00. The rest of the letter talked about the free Mini-Vac that could be mine if I'd just borrow $1,000 (funny, there was no mention of the over-limit penalty :-). The bank had little to say about the event. I assume the calculation was based on a number of factors, including the "high credit" on the account. Since I have never drawn on this account, high credit would be zero. ------------------------------ Date: Fri, 3 Nov 89 15:17:10 EST From: wolit@mhuxd.att.com (Jan I Wolitzky) Subject: Unix Expo Power Failure I was strolling through the Unix Expo show at the Javits Center in NY this morning, shortly after it opened for its third and final day, when all the power went out. My first reaction was that, boy, now we're gonna get to see whose systems really ARE uninterruptable. My second reaction was that there must be a VMS hack around somewhere. My third reaction, after it became clear that the lights weren't coming back on right away, was to move toward the daylight at the front of the convention center, with disturbing thoughts of panicked crowds, the San Francisco earthquake, and other paranoia in mind. As I approached the front of the hall, the big steel roll-up overhead doors started coming down. Quite a few people, apparently believing that their only exit was disappearing, rushed forward and ducked under the closing doors. It turned out that there were lots of other, conventional exit doors still available, but it still seemed to me a poor choice of failure mode: when the power fails (who knows, maybe because of a fire or other condition necessitating evacuation), close off the biggest and most obvious escape route. There was no panic this time, but after more than an hour, there was no power, either, so I gave up on the show. On the bus back, I was reading the issue of Unix Today that was being handed out at the show. A non-cover story described some of the problems experienced by the people who tried to set up an operating network (Ethernet?) at the show: apparently, some vendors were using unassigned net addresses, so that they could access other systems, but their competitors couldn't access theirs. And then there was the problem they had in actually laying the cable: normally a 4-hour job, it turned out that in NYC, it had to be performed by members of the Electrical Workers Union, who took 36 hours to do it. I found the juxtaposition of the appearance of a story blasting the Electrical Workers Union and the power failure to be curious.... Oh yes, almost forgot, Unix is a registered trademark of AT&T. Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998 att!mhuxd!wolit or jan.wolitzky@att.com (Affiliation given for identification purposes only) ------------------------------ End of RISKS-FORUM Digest 9.39 ************************