RISKS-LIST: RISKS-FORUM Digest Thursday 2 March 1989 Volume 8 : Issue 33 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Viruses and the comics (Jack Holleran, Hope Munro) Hacking in the movies -- Working Girl (Martin Minow) Re: British Computer Society policy statement (Clifford Johnson) Hacking and Computer Fraud in the U.K. (Brian Foster) Re: Knowing probability just doesn't make a difference... (Henry Spencer) Reach Out and Spy on Someone (Pete McVay, Douglas Jones, Emily Lonsford) New Sprint Card (Will Martin) US missile-warning radar endangers friendly aircraft (Ken Arnold) Error free code and ancient systems (Bill Francis) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. * RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99). ---------------------------------------------------------------------- Date: Wed, 1 Mar 89 13:30 EST From: Jack Holleran Subject: viruses and the comics In comment to Brent Laminack's observation concerning the discussion of computer viruses (RISKS-8.31) in RISKS-8.32. > Is comics page where most of the population will get most of > its information about viruses? If our goals are to make sure the population understands the concept of virus correctly, AND if we perceive that the population reads comics, why not educate some of the cartoonists with the correct perceptions and give them some ideas. If a person understands the concept, does it matter that the principle was learned from school or the comic strips? Jack Holleran (Disclaimer: My opinions only!) ------------------------------ Date: 01 Mar 89 21:08:10 From: Hope.Munro@mac.Dartmouth.EDU Subject: viruses and comics >Is comics page where most of the population will get most of its information >about viruses? Apparently so! I clipped a strip out a few weeks ago which was an installment of Bloom County. It depicts Oliver coughing and wheezing, with a head swollen to resemble his Banana 6000 terminal. Then he remarks "computer virus". End of panel. Has anyone seen any other examples of viruses in the comic pages? A possible topic for the next issue of Detective Comics? Let's see the Dark Knight battle these dastardly villians! - Hope Hope.Munro@mac.dartmouth.edu ------------------------------ Date: 2 Mar 89 08:26 From: minow%thundr.DEC@decwrl.dec.com (Repent! Godot is coming soon! Repent!) Subject: Hacking in the movies -- Working Girl The current (and quite popular) movie "Working Girl" shows two instances of unethical access to computers, both by the heroine, and both praised: -- after being put-upon by her boss, she turns to her terminal and pounds briefly on the keyboard. Immediately, the stock-ticker display that circles the room shows a message describing, in somewhat negative and explicit terms, his ability to perform sexually. -- subsequently, she accesses the "personal and confidential" files of her new manager's home computer. Of course, the bosses are nasty, evil creatures and she is the beautiful heroine who marries the handsome prince; so they deserve what they get. Martin Minow ------------------------------ Date: Thu, 2 Mar 89 11:11:55 PST From: "Clifford Johnson" Subject: Re: British Computer Society policy statement > From: Martyn Thomas > The BCS recently issued the following policy statement... > We would welcome constructive criticism of this policy ... > > 11 The BCS wishes to emphasise that there is no evidence that > current SRCS pose a serious threat to the public. There is > therefore no cause for alarm, ... I suggest replacing point 11 with: 11 The BCS wishes to emphasise that there is some evidence that current SRCS pose a serious, growing threat to the public. There is therefore some cause for alarm, ... In other words, I think the policy statement seriously errs in steering its course of responsibility with a *political* caution that in the present social/military context is unfortunately irresponsible. I think public panic is a negligible (but might in any case be a beneficial) risk. Everybody knows that the world's ecology is headed for disaster at rapid rate, but it's difficult to get anyone to care enough even to inform themselves further, let alone to vote to reverse it, let alone to panic. I think it's not responsible to announce there's "NO evidence" of dangers. Planes fall out of the sky; in medicine, brains are accidentally fried; the innocent are jailed; etc.; because of software bugs. Meanwhile, back at the ranch, a thousand multi-warheaded ICBMs are poised on a computerized hair-trigger, ready for instant launch on receipt of a brief, encrypted launch instruction. If those who are supposed to sound alarms say there's no evidence warranting alarm, who will listen closely to the accompanying advice? If an alarm is sounded, some people may listen, but panic is most improbable. In my opinion, the public needs to be woken up pretty badly. Could it be that the BCS statement is diercted at management and industrialists, who would be "turned off" by forthright criticism that threatens an uncomfortable degree of change, rather than at the public, who would welcome frankness? ------------------------------ Date: Wed Mar 1 16:02:53 1989 From: blf@scol.UUCP Subject: Hacking and Computer Fraud in the U.K. Outlaw Computer Hacking -- CBI Peter Large, Technology Editor (1 March 1989 Guardian newspaper) Computer hacking should be made a criminal offence, the CBI said yesterday. The employer's organisation said it was vital to secure a stable base for computer development, since computers played a major part in the nation's economic competitiveness and "social well-being". Computer buffs were increasingly gaining unauthorised access to confidential information held by banks and other companies in computer databanks, it said. Much computer fraud is hidden by firms, but the conservative consensus estimate is that the cost to British business is at least #30 million a year. But computer disasters, caused by software failures, fire and power failures, are reckoned to be cost about ten times that. The CBI, in its response to the Law Commission's paper on computer misuse, made six proposals: * Hacking cases should be tried by jury; * The concept of "criminal damage" should cover computer programs and data and attacks by computer viruses (rogue programs that can disrupt or destroy data); * Laws should be harmonised internationally so that hackers cannot operate across country boundaries; * The offence of obtaining unauthorised access should include non-physical access, such as computer eavesdropping; * Even unsuccessful attempts to hack should be subject to criminal sanctions; * The value of confidential commercial information should be protected by civil remedies for loss or damage caused by hackers. The US, Canada, Sweden, and France have outlawed hacking, but it is not an offence in Britain unless damage is done, such as fraud or theft. Last week the Jack Report on banking law proposed outlawing the hacker. The Law Commission has produced a discussion document and is to make firm proposals later this year. Brian Foster, The Santa Cruz Operation, Ltd., London ------------------------------ Date: Thu, 2 Mar 89 13:20:33 -0500 From: henry@utzoo.UUCP Subject: Re: Knowing probability just doesn't make a difference... >"... earlier in the year an eagle penetrated the cockpit of an ethopian >727, breaking the copilot's leg and damaging flight controls...." it's worth remembering, also, that there's always an unknown risk lurking around a corner somewhere. a few months ago, a 747 diverted to gander after something hit the nose radome and mashed it in, disabling the weather radar. this was first thought to be a simple birdstrike, albeit a rather large bird (possibly a goose :-)). the trouble is, it happened at 33,000 feet! in the absence of major mountains nearby, that is an *extremely* high altitude for any bird, especially a big one. flight international's most recent yearly summary of commercial flight accidents gives the explanation for that one as "hit unknown object at 33,000 ft.". Henry Spencer at U of Toronto Zoology ------------------------------ Date: 2 Mar 89 07:24 From: mcvay%tnt.DEC@decwrl.dec.com (Pete McVay, VRO3-2/E8, 273-5339) Subject: Comment: Reach Out and Spy on Someone Back in the days when terminals were hardwired to mainframes and VMS was very new, I was a part-time system manager for a VAX/VMS in a course development group. I needed to know critical information at times, such as what programs and task were being run, so I could tell if it was safe to reboot the system or perform other nasty system-management-type tasks. I wrote an enhancement to the "SHOW USERS" command which included the user name, image being executed, amount of logon time, location of the terminal, and other useful tidbits. By running this program I could find out what jobs were being done by whom, and give them phone calls if necessary to see if it was okay to tune the system. Some users quickly discovered that the program was useful for spying on each other. Two (of about thirty) users were using the program to see what images were being run, and were reporting users to management by name, claiming they were abusing the system and hogging valuable resources. Games were a favorite target, but major file copy operations and MAIL readings also came under attack. My philosophy was (and is) that users are generally responsible persons and should be consulted in all system policies. I was also chagrined that my "innocent" program was now a major police tool. I removed my program from the system and deleted all sources. Unfortunately, backups were religiously done; these two users convinced management that the program was necessary, so it was restored. I resigned my system management duties in protest. The consequence was a continuing war on the system, with users hiding the names (or images) they were running and the new system manager continually trying to ferret out subterfuge, with stiffer and stiffer penalties...but that is past the scope of this note. Seeing these new spy programs raises the old issues for me. I can see their benign intent and usefulness. Unfortunately, like guns, they become dangerous and abusive in the wrong hands. ------------------------------ Date: Tue, 28 Feb 89 11:25:29 CST From: Douglas Jones Subject: Reach out and spy We in the computer field forget our past extremely quickly. The Sunday, 26 Feb comments of odyssey!gls@att.att.com about the RADIO program on the SDS Sigma system at Harvard illustrate this, but there are even earlier illustrations. I used Com-Share's version of the Berkeley Timesharing System on the SDS 940 back in 1968. This had a talk/monitor facility that was used by Com-Share's consultants for on-line user assistance. As highschool students, we weren't allowed to use it, but I saw our teacher use it once. In 1973, the University of Illinois had a talk/monitor mechanism on their PLATO system. This was a Computer Based Instruction system, and the instructor of a course was expected to be able to monitor any students under their charge. When the system was used outside the instructional context, the "reach out and spy" potential was very real. The developers of PLATO were careful to make talk/monitor use between peers secure -- only after two users had established a conversation through talk could one let the other monitor his or her screen. Both the Com-Share and Plato systems had nation-wide user communities, and unlike oddyssey!gls@att.att.com, I don't remember any concern about FCC regulations limiting the use of talk facilities. ------------------------------ Date: Tuesday, 28 Feb 1989 10:31:50 EST From: m19940@mwvm.mitre.org (Emily Lonsford) Subject: Reach out and spy on someone There are other products that allow the 'monitor' to watch what the terminal operator is doing - notably CVIEW on VM and a product by Clyde Digital Systems on the VAX. CVIEW at least has an internal ID/password scheme, which of course should be enabled. And it gives a warning message to the person being watched but it's not clear enough for the novice "spy-ee." I once worked for a utility company that had a couple of hundred customer service operators (using 2260 terminals...it was a long time ago!) and their supervisors could listen in on their phone conversations to make sure that they were doing their jobs and being polite, etc. The operators could also signal for assistance if the customer became irate. But the real use was for performance monitoring. Either it was a condition of the job, or it didn't occur to anyone to complain about invasion of privacy, which it surely was. There are a lot of parallels between this and the 'spy' products. On the other hand, a case could be made that the "owner" of the system has a right to know what it's being used for; for example, no fair using your PC at work to do your resume or run a business on the side. Clearly there has to be some reasonable middle ground. For myself, if it's so sensitive or private, it's encrypted or on a floppy and locked away. * EMILY H. LONSFORD, MITRE - HOUSTON W123 (713) 333-0922 ------------------------------ Date: Wed, 1 Mar 89 14:54:22 CST From: Will Martin -- AMXAL-RI Subject: New Sprint Card The following is from the "Federal Bytes" column on the last page of Federal Computer Week, Feb. 13 '89: PHONE ID US Sprint announced last week at Comnet that it is testing a telephone calling card this is activated only by the card holder's voice. Fred Lawrence, Sprint's executive vice president for network development, said the Voicecard would work a little like the company's Foncard: Callers dial the phone number printed on the card, adding a second number such as a birthdate, and then give a two-second verbal password. Sprint equipment compares the voice print with one that is on record. The call goes through only if the voice prints match, Lawrence said. Sprint plans to evaluate its test results this spring to determine whether there is a market for the card. What isn't clear, of course, is if you go through all this before you can actually begin to dial the number you are trying to call. Maybe this is a way to call an 800 number and then get into a mode so that you can make a series of calls authenticated by the initial voiceprint signon process. It seems a lot of overhead for a single short call. If the card has a magstripe and you run it through a reader on the phone, and then only have to speak your "password" phrase before dialling the number you want to reach, it won't be too bad. I wonder how easily the user (or a cracker) can change the voice "password" (if at all), and the actual degree of matching that is performed on it. How will noisy environments (airports, etc.) affect the recognition/verification process? Anybody out there participating in this test? Please post your comments and evaluation! Regards, Will Martin [Will sent this to another list as well. Please respond to HIM and we'll let him collect the responses in an orderly fashion... PGN] ------------------------------ Date: Sat, 25 Feb 89 19:54:59 EST From: Ken Arnold Subject: US missile-warning radar endangers friendly aircraft (Re: RISKS-8.28) Jon Jacky submits: >ADEFENSE RADAR MUST TURN OFF AS PLANES LAND - AIR FORCE FEARS SYSTEM >COULD TRIGGER A BLAST (no author given) > ... >The interruptions are to avoid accidental detonations of tiny explosive >charges found in virtually every military weapons system and in the planes >and ships that deliver them. Doesn't one wonder what one's enemy could do with this data? Imagine -- all they have to do is build large radar installations, and, at no extra charge, they can cause incoming weapons to blow themselves up (or otherwise interefere with their systems). Once again, the more sophisticated technology is also vulnerable in unexpected ways. Ken Arnold ------------------------------ Date: Thu, 2 Mar 89 15:58:31 cdt From: "Francis,Bill" Subject: Error free code and ancient systems In a recent issue of RISKS, Bob Wilson cites a Datamation (Feb 15, 1989, p.53,56) article that reports on "error-free" code developed by IBM for the space shuttle. Bob points out several fallacies of the article, let me add this comment .... The low error rates cited were achieved largely because the programmers worked on an ancient, and stable, hardware platform (IBM 360)for years and years! How many programmers have the luxury of such stability in the commercial market and in most of the defense market? The tradeoffs between error rates and computer power are obvious. Bill Francis, Noyce Computer Center, Grinnell College, Grinnell, Iowa ------------------------------ End of RISKS-FORUM Digest 8.33 ************************ -------