RISKS-LIST: RISKS-FORUM Digest  Monday 20 March 1989  Volume 8 : Issue 41

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  20+ year, $100+ million Army software project (Jon Jacky)
  Formal methods to be applied in Australian railroad switching (Jon Jacky)
  Error in updating new specifications for call-routing (Pertti Jarvinen)
  Risks of Registering Shareware (A. Lester Buck)
  Risks of helpfulness (Jerome H Saltzer)
  Remote Smart-Cards (Ian W Moor)
  Re: so-called multi-gigabuck theft of information (Mark Brader)
  Re: NASA to replace top-level personnel with Expert Systems (Robert English)
  Meter Readers an Endangered Species? (David K. Black)
  Security of Electronic Mail (Karl Lehenbauer)
  Star Trek computer virus (Colin P.)

----------------------------------------------------------------------

Date: Fri, 17 Mar 89 17:15:06 PST
From: jon@june.cs.washington.edu (Jon Jacky)
Subject: 20+ year, $100+ million Army software project

In view of all the postings a while back about runaway software projects, I found very interesting these excerpts from GOVERNMENT COMPUTER NEWS, Feb. 20, 1989, p. 59:

ARMY TO CONVERT `CENTRAL NERVOUS SYSTEM' TO ADA
by Karen D. Schwarz

The Army issued a request for information last month to convert its All Source Analysis System (ASAS) to Ada code. ... ASAS is being developed by the Joint Tactical Fusion Program Management Office (JTFPMO) on behalf of the Army and the Air Force. It has been in development for more than 10 years. ... More than 800,000 lines of code have been written in FORTRAN 77 so far. The project is expected to begin using Ada code in fiscal 1991. By that time, more than 1 million lines of FORTRAN 77 code also will have been written. A document detailing JTFPMO's major programs refers to ASAS as the "central nervous system" guiding field commanders in battle.
ASAS is a key component of the Army Command and Control System and will automate command and control of intelligence/electronic warfare operations. ASAS will fuse raw battlefield data into intelligence for analysis on a workstation. The services can then distribute resulting information to battlefield commanders, fire support elements and the Air Force to help control electronic warfare equipment. ... The project is scheduled to be completed sometime after the year 2000. Although he would not estimate the total costs of the program, deputy for plans and integration at JTFPMO Bennet Hart said software costs alone might exceed $100 million over the life of the contract. ... The JTFPMO has received many replies to the request for information, Hart said. "Response from industry has been very good. No one is conspicuous by their absence." The Jet Propulsion Laboratory (JPL) in Pasadena, Calif., currently holds a contract for the first phase of the project.

- Jonathan Jacky, University of Washington

------------------------------

Date: 17 Mar 1989 16:49:02 EST
From: JON.JACKY@GAFFER.RAD.WASHINGTON.EDU
Subject: Formal methods to be applied in Australian railroad switching

Here are excerpts from ELECTRONICS ENGINEERING TIMES, Feb. 20 1989, p. 28:

High-integrity uP wins first big order: Railroad signals go-ahead for Viper
by Roger Woolnough

Worcester, England --- In the first significant order for the chip, the Australian National Railways Commission has placed a contract for signaling systems incorporating Viper to control two long-distance rail routes. ... Viper is a 32-bit RISC device designed to overcome the shortcomings of conventional microprocessors, which can be unreliable in safety-critical applications because they can perform in unpredictable ways. The design of Viper was undertaken using formal mathematical methods and was then subjected to a series of formal proofs to ensure that the implementation conforms to the design specification. ...
In Australia, the contract to develop and supply railroad signaling equipment using Viper was won by Teknis Systems (Australia) Pty. Ltd. Support was provided by Charter Technologies Ltd. (the British Viper specialist), and the two companies believe that proposing Viper as the system processor was a major factor in Teknis being chosen against strong competition. The contract is to design and supply signaling for automatic crossing sections on the Trans Australian and the Central Australian rail routes, operated by the Australian National Railways Commission, a federal government statutory authority. ... The installations will include trackside equipment, systems on board trains, radio links and a computer-controlled center in Adelaide. ... Formal methods will be used throughout the development. ...

Charter Technologies is sponsoring a study by the Department of Engineering in the University of Warwick, England, into the use of formal methods for railroad signalling. ... Railroad signalling systems around the world are based on concepts of interlocking and routing which have developed over the past 150 years. The first-class safety record of railroads is due to a large extent to the rigor of the regulations. The aim of the joint study by Charter Technologies and Warwick University is to consider whether the well-established rules can be formulated in a mathematical way, so as to suit the increasing use of computer-controlled interlocking and routing. ... It will consider the application of the specification language HOL developed at the University of Cambridge, England; programming in subsets of computer languages such as Pascal; and the use of Viper. ...
- Jonathan Jacky, University of Washington

------------------------------

Date: Mon, 20 Mar 89 08:43:56 +0200
From: pj@utacs.uta.fi (Pertti Järvinen) (from Pertti Jarvinen, Finland)
Subject: Error in updating new specifications for call-routing

The Finnish Post and Telephone office was on March 6 changing call-routing specifications in one of three main computer-controlled switches at Helsinki, the capital of Finland. Some of the necessary changes were forgotten. To this end traffic via the switch was broken for two hours. The error was located and corrected in six hours. Domestic calls were turned to go via two correctly functioning switches. But some international calls, for example, to Canada, Portugal, Iran, Turkey and Cyprus were totally hindered. As a remedy to prevent similar errors in the future, systems analysts propose a programmed checking for implementation of all the necessary changes.

------------------------------

Date: Wed, 8 Mar 89 03:38:55 EST
From: @sri-unix.UUCP, @rutgers, @texbell, buck%siswat@moray
Subject: Risks of Registering Shareware

I just sat through a user's group demo of a new shareware package called BackMail, which is a background electronic mail package for MS-DOS. It is a slick program with many fine features for supporting local and long-distance mail networks. The authors were leery of the standard shareware registration procedure. Quoting from the BackMail Newsletter:

"The problem was that the whole process of payment was so cumbersome. If only there was a simple way to communicate one's payment... Hold it! Communication is just what BackMail was about. We had the first program that could be used to _literally_ pay for itself! And so TeleWare was born."

Yes, your copy of BackMail is registered by filling in a screen with your credit card information and the program automatically calls an 800 number to deliver the information.
And most users will register ($30), since BackMail asks you to register on every fourth access of the program's main functions, and complains for twenty seconds if you don't register.

The risks of this scheme for freely redistributable shareware are obvious, from simply patching the stored 800 number to saving the credit card information and making one "extra call" at the program's convenience.

A. Lester Buck    ...!texbell!moray!siswat!buck

------------------------------

Date: Mon, 20 Mar 89 11:03:05 gmt
From: Jerome H Saltzer
Subject: Risks of helpfulness (RISKS-8.40)

> intruders got into AT&T systems by being talked through the sign-on
> procedures by AT&T help desks!
> Henry Spencer at U of Toronto Zoology

The specific incident may not have been mentioned in RISKS, but the general technique is widely enough known that it is casually mentioned in the hacker periodicals (such as the magazine "2600") when they run an article of tips for beginners. If you are having trouble getting into someone's system, call up their consulting office and act like you are authorized but encountering unexpected trouble logging in; often someone there will give you just the clues you need.

Jerry Saltzer

------------------------------

Date: Mon, 20 Mar 89 04:17:24 PST
From: iwm@doc.imperial.ac.uk
Subject: Remote Smart-Cards

Background: A bill to require all major football (Soccer) grounds in the UK to require a valid machine readable membership card before admitting a spectator is currently going through Parliament. The clubs will be given lists of people who should not be admitted; the object is to stop violence in the grounds. Several objections have been raised -

Civil Liberties: People object to having to carry the cards, and to having football clubs provided with information about them.

Practicalities: The card readers, turnstiles, or the computer controlling them may fail, leaving thousands of angry fans outside.
Last month New Scientist carried an item describing a proposed solution, remotely readable and writeable smart-cards. (In this case the card has to be writeable to prevent it being passed over the fence and used again.) The cards are made by Plessey and the read/write range is quoted as about a meter; power is taken from the signal.

Consider the risks: the card can be read (AND WRITTEN) without you knowing and without your control. Obviously the card could check that it was being interrogated by a legal reader using some kind of validation (public key challenge and response?) but there will be a limit to how much processing the card can do and as the reader has to broadcast to activate the card, it may be very easy to record a dialog and spoof either the card or reader.

Ian W Moor, Department of Computing, Imperial College, 180 Queensgate, London SW7 UK
UUCP: uunet!mcvax!ukc!icdoc!iwm    JANET: iwm@uk.ac.ic.doc

------------------------------

Date: Fri, 17 Mar 89 16:43:13 EST
From: Mark Brader
Subject: Re: so-called multi-gigabuck theft of information (RISKS-8.23 ff.)

> From msb Fri Feb 24 06:40:01 1989
> To: utzoo!attcan!uunet!csl.sri.com!risks
> Subject: Re: so-called multi-gigabuck theft of information
> Bcc: hcr!mike

There appeared in Risks 8.23 my summary of a newspaper item I'd noticed about what was said to be a "theft" of highly valuable computer data. A followup newspaper article, which I summarized in Risks 8.28, provided a good deal more information and placed a much lower value on the data, but while it identified the victim (HCR Corp., of Toronto), it did not identify the "stolen" data. So I was surprised to see Jeff Makey assert in 8.26, which I read after submitting my second item, that what was taken was a copy of the UNIX source. I emailed him and he replied in part:

> I heard it *somewhere* during the last few months (it seems like
> it was before Christmas, which is why I said it wasn't news).
Since the HCR case was much more recent, Jeff had to be talking about a different one. In fact, with that hint I remember the one he had in mind; the confusing thing is that it happened to also have occurred in the same geographical area. (Toronto: Canadian computer crime capital?) The earlier case hasn't been mentioned in Risks before. [???]

What happened, as I recall, was that someone bought a used computer at auction, found a copy of the UNIX source on its disks, and claimed all rights (!) to use the source, thus making the newspapers. AT&T of course disagreed, and I believe the case dropped out of the news before it was resolved.

Someone I was chatting about this with conjectured that the $4 billion (Canadian) valuation that appeared in the first newspaper article might have resulted from a reporter also confusing the two cases and assuming that because HCR has UNIX source then that must be the valuable thing in question, and then taking the highest possible valuation. Such a speculation would also explain why the second article suddenly started talking about AT&T, which had not been mentioned in connection with the case. Simple press speculation/sensationalism.

Of course, there's more than one way to value copyable things like computer programs or data. It's correct to say that the UNIX source is worth kilobucks because you can buy a copy for your own use for that much. It's also correct to say that it's worth gigabucks, if that's how much money AT&T earns from it over the lifespan of the system. In addition, one must distinguish between theft and illegal copying. The former, I think, would be better defined as involving loss to the owner of one or more copies of the original. (Of course, the newspapers prefer to use the more dramatic word.) Anyway, if ALL copies were stolen in this sense, then the value of the loss to the owner suddenly becomes much greater.
Also since submitting to Risks the second newspaper article, I have spoken to Mike Tilson, president of HCR, who was quoted in it. He confirmed that the first article was "wildly inaccurate" and the second one was substantially, though not entirely, correct. (He noted that Risks readers ought to be aware of the risks of believing what they read in the paper...) He also confirmed that HCR was not saying what was taken, only that they had regained complete control of it. So I think that wraps up this case as far as Risks is concerned.

Mark Brader    utzoo!sq!msb    msb@sq.com

------------------------------

Date: Mon, 20 Mar 89 11:19:06 pst
From: Robert English
Subject: Re: NASA to replace top-level personnel with Expert Systems

An AI friend of mine told me recently that most expert systems have a relatively short useful lifespan. It seems that if you assign a human to operate the system, the human will soon stop using the ES, and do a better, faster job without it. The ES makes an excellent training system, however, and creating it does a good job of recording what the job entails, information which is often lost when people change jobs.

--bob--    renglish%hpda@sde.hp.com

------------------------------

Date: Mon, 20 Mar 89 16:26:03 est
From: black%par1@cs.umass.edu
Subject: Meter Readers an Endangered Species?

The following appeared in the March 13 Wall Street Journal:

Human Meter Readers Step Toward Extinction

Meter readers' jobs are being threatened by technology. Boston Gas Co. recently became the first utility in the country to commit itself to installing a radio-based automated meter-reading system for all its customers. It plans to install the AccuRead system, made by Enscan Inc. of Minneapolis, in some 400,000 homes at a cost of over $20 million. The system will eliminate most of the utility's 100 meter readers who make an average of $28,000 a year.

The AccuRead system ... uses a cigarette-pack-sized radio receiver and transmitter that is attached to the gas meter.
The device counts the number of times the dials spin. Once a month, a computer-equipped van cruises the streets nearby and sends out a "wake-up" signal to the reader device, which then transmits the gas consumption. The devices have 10-year batteries and a 32 year meantime between failures, Enscan says.

Boston Gas says the remote readings have a number of pluses. Homeowners don't have to be in for readings; unlike humans, THE DEVICES DON'T MAKE MISTAKES, and the information can be sent automatically from the van to the billing computer without retyping. Moreover, says a spokesman: "It will eliminate estimated bills which are the biggest complaint we have...."

....no doubt the devices are as reliable as the average garage door opener.

David K. Black, Umass Amherst

------------------------------

Date: 19 Mar 89 18:08:29 GMT
From: karl@sugar.hackercorp.com (Karl Lehenbauer)
Subject: Security of Electronic Mail

While "everybody knows" or should know that electronic mail is not secure in that its contents can be read en route, the reason people generally trust their email as being authentic is because it usually is; that is, there has been very little email forgery, hence it hasn't been much of a problem, thus people tend to regard their email as being genuine. When it starts to become a problem, people will stop trusting it, at least when it's important. It seems that faking comments on a grant proposal would be prosecutable as fraud.

As for security from interception, a DES encryption program that is free of U.S. export controls (as it was written and distributed from outside the country) was recently posted to one of the Usenet source groups. By using this and something like uuencode (a common program on Usenet that reversibly maps unprintable characters to printable ones) on one's text, one can keep their mail private from the prying eyes of most individuals.
The security of one's electronic mail from decryption by the National Security Agency is a different matter, and one that I hope is merely academic to most RISKS readers. As to whether or not they can relatively easily decrypt DES-encoded material, let me say that I would not expect such a group to widely promote an encryption scheme that they were incapable of breaking and that, from a national security standpoint, doing so would not be such a good idea.

Within the Internet, it is my understanding that the steering committee has endorsed the RSA encryption scheme for email. This addresses both the privacy and forgery issues. I think we will see further movement toward routine encryption of email, and it is high time that we do so.

Cellular phone data encryption is a relatively simple matter as well. I don't think we'll see any movement in that area until the users demand it, and the government isn't likely to push heavily for it, a few strong proponents of personal privacy in the legislature notwithstanding.

------------------------------

Date: Sun Mar 19 22:05:13 1989
From: microsoft!w-colinp@uunet.UU.NET
Subject: Star Trek computer virus

This (including threats to take over the ship) has already happened on Star Trek: The Next Generation. Data was playing Sherlock Holmes in a computer-generated simulacrum, but since he had memorised all existing Holmes plots, the computer was asked to come up with a new one, involving an enemy "capable of defeating Data." Because Data, unlike Holmes, lives in the "real" world, this one-word slip produced an opponent also capable of affecting the "real" world, which attempted to take over the ship.

It was portrayed more as a question of sentience (the conclusion was that the created personality was stored until technically feasible to give it corporeal existence), but we had a computer program, in this case inadvertently created (grave RISK indeed!), attempting to control the ship.
I suspect that treating the problem directly, the writers will massacre the issues. But I may just be overly pessimistic.

-Colin (uunet!microsoft!w-colinp)

------------------------------

End of RISKS-FORUM Digest 8.41
************************
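Editor's added illustration of the point raised in Ian Moor's "Remote Smart-Cards" item above (this is not part of the digest or of any product it mentions): a constructed simulation of a card/reader challenge-response in which a reader that reuses a fixed challenge accepts a recorded card dialog played back at it, while a reader that issues a fresh random nonce per interrogation, and a card that demands the reader prove itself over a card-chosen nonce, both reject the recording. The shared-key HMAC, the nonce sizes and the card ids are assumptions standing in for whatever scheme a real card would implement.

```python
"""Constructed simulation: contactless card/reader mutual challenge-response."""
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-secret"  # assumption: one shared key; a real deployment would use per-card keys


def tag(key: bytes, role: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over a role label plus message parts; the label stops a card reply being reused as a reader proof."""
    return hmac.new(key, b"|".join((role,) + parts), hashlib.sha256).digest()


class Card:
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self.key, self.nonce = card_id, key, b""

    def pick_nonce(self) -> bytes:
        self.nonce = secrets.token_bytes(16)  # card-chosen freshness for authenticating the reader
        return self.nonce

    def respond(self, reader_proof: bytes, reader_nonce: bytes):
        # Refuse to answer a reader that cannot prove knowledge of the key over the card's current nonce.
        if not hmac.compare_digest(reader_proof, tag(self.key, b"reader", self.card_id, self.nonce)):
            return None
        return tag(self.key, b"card", self.card_id, reader_nonce)


class Reader:
    def __init__(self, key: bytes, fresh_nonce: bool = True):
        self.key, self.fresh_nonce = key, fresh_nonce

    def challenge(self) -> bytes:
        # Weak variant: a fixed challenge, so every dialog with a given card looks identical over the air.
        return secrets.token_bytes(16) if self.fresh_nonce else bytes(16)

    def prove(self, card_id: bytes, card_nonce: bytes) -> bytes:
        return tag(self.key, b"reader", card_id, card_nonce)

    def verify(self, card_id: bytes, nonce: bytes, response: bytes) -> bool:
        return hmac.compare_digest(response, tag(self.key, b"card", card_id, nonce))


def interrogate(reader: Reader, card: Card):
    """One full dialog; returns (accepted, transcript as an eavesdropper within range would record it)."""
    card_nonce = card.pick_nonce()
    proof = reader.prove(card.card_id, card_nonce)
    reader_nonce = reader.challenge()
    response = card.respond(proof, reader_nonce)
    accepted = response is not None and reader.verify(card.card_id, reader_nonce, response)
    return accepted, (card.card_id, card_nonce, proof, reader_nonce, response)


def replay_recorded_card(reader: Reader, transcript) -> bool:
    """Does the reader accept the recorded card response against a new interrogation?"""
    card_id, _, _, _, old_response = transcript
    return reader.verify(card_id, reader.challenge(), old_response)


def replay_recorded_reader(card: Card, transcript):
    """Does the card answer a recorded reader proof re-sent after the card picks a new nonce?"""
    _, _, old_proof, old_reader_nonce, _ = transcript
    card.pick_nonce()
    return card.respond(old_proof, old_reader_nonce)
```

The fixed-challenge reader accepts the recording every time; with a fresh nonce the recorded response matches only with negligible probability, and the card's own nonce means a recorded reader proof gets no answer at all.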