Subject: RISKS DIGEST 9.92 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Thursday 17 May 1990 Volume 9 : Issue 92 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Army chafes under Congress' robot weapons ban (Jon Jacky) Re: [London] Tube train leaves ... without its driver (Gavin Oddy) Re: First Hubble Images Delayed To Conduct Focusing Tests (Karl Lehenbauer) ANI for the criminal as well as the private citizen (Brad Templeton) Computer Virus Solicitation (Andy Warinner) Feds Pull Plug On Hackers (Bob Sutterfield, Rick Clark) Re: Military Viruses (Jim Vavrina via David Brierley) Re: Magnetic ID cards for all Israeli citizens (Amos Shapir) Risks of Laser Printouts (David Tarabar) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. TO FTP VOL i ISSUE j: ftp CRVAX.sri.comlogin anonymousAnyNonNullPW cd sys$user2:[risks]get risks-i.j . Vol summaries now in risks-i.00 (j=0) ---------------------------------------------------------------------- Date: Tue, 15 May 1990 11:48:19 PDT From: JON@GAFFER.RAD.WASHINGTON.EDU (Jon Jacky) Subject: Army chafes under Congress' robot weapons ban The following dialog occurred in hearings before the U.S. Congress' House Appropriations Committee in March, 1989: Mr. (Martin Olav) Sabo (Rep. from Minnesota): I am curious about robotics and what you see as its future. I forget particular programs as we go along, but I was involved in discussions last year with the other body on a program. They seemed very negative on robotics research, which struck me as something we should be aggressively pursuing. Mr. (George T.) Singley (Director of Army Research and Technology): We have a problem about restrictions placed on us, but not on the Marine Corps, relative to Army robotic vehicles, so our robotics program does not include weapons on unmanned ground vehicles. ... Mr. (John P.) Murtha (Rep. from Pennsylvania): Restrictions by whom? Mr. Singley: By Congress. Mr. Murtha: We put restrictions --- (Lt.) General (Donald S.) Pihl (Deputy to the Assistant Secretary of the Army for R&D): To put a weapon on a robot vehicle. We were told to restrict our robotic vehicle work to reconnaissance and surveillance. Mr. Sabo: Generated by the other body? General Pihl: Yes, sir. Mr. Murtha: Staff tells me that in the conference last year, that the Senate wanted to go forward with robotics research and make sure you got the bugs worked out before you started working out systems with weapons; does that make sense? General Pihl: Yes, sir. It is a logical approach as long as you don't have a restriction on weaponizing the unmanned ground vehicle forever. Mr. Murtha: What would you recommend we do this year? General Pihl: Sir, I think you should allow the Army to proceed with a roboticized look at a ground-launched Hellfire system in conjunction with the Marine Corps. I think that would be a good thing to do. Mr. Murtha: Let's move on ... [ to other topics...] The reference is: Department of Defense Appropriations for 1990, Hearings Before a Subcommittee of the Committee on Appropriations, House of Representatives, One Hundred First Congress, First Session, Subcommittee on the Department of Defense. (Superintendent of Documents "Su Docs" number: YkAp6/1 D36/5/990/pt. 7), pages 132-133. Jonathan Jacky University of Washington ------------------------------ Date: 16 May 1990 10:43:49-BST From: gco Subject: [London] Tube train leaves ... without its driver Regarding Stephen Page's contribution of 16 Apr 90... This incident was used as an example at a colloquium on Systems Engineering which I attended yesterday, where it was referred to as the handbag problem. It seems that the system designers had succeeded in optimising the controls on the train to two buttons: one to close the doors and another to start the train. An interlock prevented the train starting until the doors were indeed closed. The driver of the train in question decided to optimise the system design further (to one button) by taping the second of these buttons permanently down so that (s)he only had to press the button to close the doors. The train would then go once they had closed as the second button was always depressed. This worked satisfactorily until a handbag became trapped in the doors and, as reported, the driver (following his training) went to the doors and prised them apart, freeing the handbag, allowing the doors to close and completing the set of events required for the train to depart (without the driver). The driver had failed to realise and/or take into account that the second button (for making the train go) was implementing the requirement that the driver should be in the cab before the train could go. In retrospect, perhaps the action of depressing the second button (rather than the state of depression) should have been required to start the train; but such statements are easy to make with hindsight. Gavin Oddy ------------------------------ Date: 16 May 90 08:09:09 CDT (Wed) From: karl@sugar.hackercorp.com (Karl Lehenbauer) Subject: First Hubble Images Delayed To Conduct Focusing Tests (RISKS-9.91) A brief report in Aviation Week (May 14, 1990, page 42) says that the first test pictures from the Hubble Space Telescope are being delayed until ground controllers can conduct optical system focusing exercises. Hubble engineers have been trying to determine why the telescope's guidance sensors were not properly locking onto "guide stars." They have since determined that there was an error in the pointing data provided to the telescope by the Space Telescope Science Institute. The error occurred because someone several years ago inserted a plus sign instead of a minus sign in a computer program being prepared to aid in early telescope checkout. The star data being used came from a 1954 star survey. Engineers realized the Earth's precession in relation to the 30-year-old star data would have to be accounted for in the Hubble checkout data. The precession equated to an 18 arc minute reduction in the coordinates of the star field, but a programmer accidentally added 18 arc minutes instead. That resulted in the telescope being a full 0.5 degrees off target in the initial pattern recognition tests. Engineers are also working to solve a .1 Hz jitter problem the telescope has for 20 to 30 minutes whenever it passes from the dark side of its orbit into sunlight. They believe the problem is related to thermal effects from the telescope's solar arrays, but they doubt the problem will seriously affect the telescope's mission. ------------------------------ Date: Mon, 7 May 90 16:53:53 EDT From: brad@looking.on.ca (Brad Templeton) Subject: ANI for the criminal as well as the private citizen The following article appeared in clari.tw.telecom, and I thought it was appropriate for RISKS. Reprinted with permission, for use within the RISKS digest only. (For more information on the ClariNet news service, write to info@clarinet.com.) While I have no sympathy for drug dealers, I don't feel that this is a negative aspect of ANI. I myself would like to know if a call comes from the Police, Government or other enforcement agency, even if I have done nothing wrong. >Subject: Drug dealers find uses for Caller ID equipment >Keywords: illegal drugs, legal, telecom, media BALTIMORE (UPI) -- Like telephone pagers and mobile cellular phones before it, the latest in telephone technology, the Caller ID machine, is proving a valuable tool for drug traffickers. Drug enforcement officials in Baltimore say that the Caller ID machines are starting to turn up in drug raids, which may be proof that once again, dealers find benefits in the communications revolution. Caller ID, which has been on the market for several months, has been advertised as a means of crime prevention -- giving people receiving harrassing calls a chance to see the phone number the call is being made from even before they pick up the receiver. But such a service apparently also means that drug dealers, eager to protect their business from undercover police operations, can screen the phone calls they receive and refuse to answer a suspicious call. ``It's frightening,'' said Assistant U.S. Attorney Katharine Armentrout, who has seen Caller ID equipment confiscated in drug raids. Even though an undercover police operation would have a different phone number than a police station, dealers could worry about calls from an unfamiliar exchange. ``The question then becomes, `Where are you calling from?''' a federal surveillance expert told the Baltimore Sun, in an article printed in Sunday's editions. ``Or more to the point, `Why aren't you calling me from your usual pay phone?''' The problem has been much the same with other recent progress made in the telecommunications industry. Pagers were developed for doctors, lawyers and other professionals, but dealers have found them useful. And mobile cellular telephones have created a myriad of surveillance problems for police tracking drug dealers. Phone company officials in the Baltimore and Washington areas say they are looking for ways to solve the problems law enforcement agencies have with the Caller ID equipment. ``We're committed to finding solutions,'' said Al Burman, a spokesman for C&P Telephone Co. ``There are a number of things that can be done that aren't being done.'' One solution may be to block certain numbers from being picked up by the machines. Burman said there are enough numbers in the Baltimore area not linked to the Caller ID system currently to avoid arousing any suspicions. Police officials pointed out, however, that as more telephone numbers become linked with the system, blocked numbers will become more suspicious to traffickers. Brad Templeton, ClariNet Communications Corp. -- Waterloo, Ontario 519/884-7473 ------------------------------ Date: 11 May 90 11:54:50 CDT (Fri) From: andy@tasha.UUCP (Andy Warinner) Subject: Computer Virus Solicitation There has been some discussion in the media and the net lately about the Department of Defense sponsoring research into computer viruses. Here is the solicitation in question. It is part of the government's Small Business Innovative Research (SBIR) program. The SBIR program is designed to help small companies develop advanced technologies. Up to $50,000 can be awarded in Phase I and up to $500,000 can be awarded in Phase II. Title: Computer Virus Electronic Counter Measure (ECM) Objective: The objective shall be to determine the potential for using "computer viruses" as an ECM technique against generic military communications systems/nets and analyzing its effects on various subsystem components. Description: The purpose of this research shall be to investigate potential use of computer viruses to achieve traditional communications ECM effects in targeted communications systems. These effects can include data (information) disruption, denial, and deception, but other effects should also be researched such as effects on executable code in processors, memory, storage management, etc. Research in effective methods or strategies to remotely introduce such viruses shall also be conducted. Efforts in this area should be focused on RF atmospheric signal transmission such as performed in tactical military data communications. Phase I: Phase I shall analyze the feasibility of using viruses as an ECM technique. Analysis shall include validity studies of the concept, types of viruses suitable to be employed in this concept, strategies for virus injection, and/or simulated predictions of effects. Phase I shall culminate with the submission of a final report that details the above analysis and outlines a method that can validate the concept. Phase II: Based on analysis performed under Phase I, develop a demonstration method that can validate the virus ECM concept and demonstrate various ECM techniques or strategies. Phase II shall culminate with this demonstration and a final report describing demonstration methodology, results, and analysis of effects compared with predicted effects from the Phase I effort. The final report shall also summarize or make conclusions as to the future potential of using virus ECM techniques or strategies. Andrew Warinner, GIST, Inc. ------------------------------ Date: Tue, 15 May 90 14:52:17 GMT From: bob@MorningStar.Com (Bob Sutterfield) Subject: Feds Pull Plug On Hackers (Huggins, RISKS-9.91) ...[the Secret Service agent] also said there was no evidence that the suspects were working together. Rather, they probably were sharing information someone had put into a national computer "bulletin board". [...] Does our law enforcement community really think that "working together" requires physical presence? Don't they recognize that sharing information via a cracker bulletin board is collaboration? Isn't this the whole point of a computer security case? ------------------------------ Date: 15 May 90 14:13:31 GMT From: rbc@cuuxb.ATT.COM (~XT6561210~Rick Clark~C24~H15~6011~) Subject: Re: "Feds Pull Plug On Hackers" (RISKS-9.91) Boy, do I hate sensationalism in journalism. Does anyone besides me find it difficult to believe these 42 computers ran up over a million dollars apiece in unpaid phone time? You *could* do it in a month or two if you had connect time 24 hours a day (very) long distance, or a couple hours a day for two years. So, its possible, but I don't believe it for all 42 systems. It's also pretty colorful to refer to a "nationwide network" of people for which "there was no evidence that [they] were working together". Richard B. Clark, Lisle, IL ------------------------------ Date: Sun, 13 May 90 21:16:22 EST From: davidbrierley@lynx.northeastern.edu Subject: Re: Military Viruses [From VIRUS-L vol 3 issue 93] Date: Thu, 10 May 90 13:43:15 -0500 From: "Mr. J. Vavrina" Subject: RE: Military Viruses (THE FACTS) After reading, in astonishment, Nick DiGionanni's input regarding Military Viruses, (VIRUS-L 3-90 8 May 90) the phone lines were burning up from my office to the DOD Information Systems Security Management Office checking on the validity of the story. No one had even heard of such a project being undertaken. A few more phone calls later generated a FAX to my desk of an article from the Phildelphia Inquirer titled, "Army Searches for new weapon: Computer Virus", written by Rory J. O'Connor. The article quoted an individual as being the adminstrator of the project. Now the hunt started to locate her. Within a few hours I had her on the phone. Needless to say, the reporter identified himself as a small businessman and was interested in this program. The information given to him was completely turn around so that he could make a big story out of nothing. HERE ARE THE FACTS: The Department of Defense published a booklet titled, "PROGRAM SOLICITATION 90.2 FY-1990 SMALL BUSINESS INNOVATION RESEARCH (SBIR) PROGRAM". On page 45 can be found the following: A90-217 TITLE: Computer Virus Electronic Counter Measure (ECM) CATEGORY: Exploratory Development OBJECTIVE: The objective shall be to determine the potential for using "computer viruses" as an ECM technique against generic military communications systems/nets. The goal shall be to determine the feasibility of remotely introducing a virus into a system/net and analyzing its effects on various subsystem components. DESCRIPTION: The purpose of this research shall be to investigate potential use of computer viruses to achieve traditional communications ECM effects in targeted communications systems. These effects can include data (information) disruption, denial, and deception, but other effects should also be researched such as executable code in processors, memory storage mamagement, etc. Research in effective methods or strategies to remotely introduce such viruses shall also be conducted. Efforts in this area should be focused on RF atmospheric signal transmission shch as performed in tactical military data communications. It continues on to explain what needs to be accomplished in each phase. As you can see, this is nothing more than a feasability study to answer the famous "WHAT IF WE COULD ?????" question. Admittedly, myself and many of my collegues are quite suprised that something of this nature would be put on the streets for research and not using the expertise internally available. Jim Vavrina, Computer Security Specialist, Intelligence and Security Division, US Army Information Systems Software Center. Comm 703-355-0010/0011 AV 345-0010-0011 ------------------------------ Date: 14 May 90 15:11:26 GMT From: amos@taux01.nsc.com (Amos Shapir) Subject: Re: Magnetic ID cards for all Israeli citizens (This is a repost from talk.politics.mideast, originally posted by HANK@BARILVM.BITNET (Hank Nussbacher)) >From the Jerusalem Post, May 7, 1990: > >The Director-General of the Ministry of the Interior announced yesterday >that within 3 months all Israeli citizens will be issued magnetic id >cards. He stated that with the new cards it will take only 10 minutes >to issue a new passport and that all future elections will no longer have >manual balloting. [End quote] Though the current method of balloting is very cumbersome and wasteful, I wonder if anyone at the Ministry of the Interior ever read comp.risks... Amos Shapir, National Semiconductor (Israel) P.O.B. 3007, Herzlia 46104, Israel ------------------------------ Date: Thu, 17 May 90 09:47:12 -0400 From: dtarabar@hstbme.mit.edu (David Tarabar) Subject: Risks of Laser Printouts (More on RISKS-9.89) In the New England Journal of Medicine dated May 3, 1990, there is a letter to the editor titled: 'Laser-Printer Rhinitis' on page 1323. In this letter, the authors report on a single recent patient case. "A 51-year-old man was seen for nasal and systemic symptoms that developed repeatedly after he handled documents from a laser printer. He had worked for the same insurance company for 21, years spending an average of three to four hours per day on computer and clerical work. In April of 1987 a new computer system with a laser printer was installed at his work station. During the next six weeks he had increasing intermittent nasal congestion, with a burning sensation on his skin, headache, and diffuse retrosternal and epigastric discomfort. He had no history of asthma, allergies, hay fever or eczema, although his mother did." ... "Two substance-specific challenges were performed, each preceded and followed by " [a computerized test] "On one occasion he shuffled laser-printed paper for 10 minutes, when nasal and other symptoms developed. The " [test] "demonstrated an increase of more than fourfold in nasal airflow resistance." [The second test demonstrated a three-fold increase in nasal airflow resistance when sitting next to an operating laser printer.] ------------------------------ End of RISKS-FORUM Digest 9.92 ************************