RISKS-LIST: RISKS-FORUM Digest Tuesday 7 November 1989 Volume 9 : Issue 39

RISKS-LIST: RISKS-FORUM Digest Tuesday 7 November 1989 Volume 9 : Issue 39

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Computer used to find scoflaws in Boston (Barry C. Nelson)
Air Traffic in Leesburg VA (PGN)
Equinox TV Documentary on "Fly By Wire" (Brian Randell)
Lifethreatening risk! (related to Soviet PCs) (Julian Thomas)
New computer risk: child abuse data base proposed (W. K. (Bill) Gorman)
Dangers of mail aliases (Jonathan Leech)
Committee report on Bugs (Bob Morris)
Computer Viruses Attack China (Yoshio Oyanagi)
First Virus Attack on Macs in Japan (Yoshio Oyanagi)
NTT Challenges Hackers (Mark H. W.)
Even COBOL programmers need to know about range checking. (Bryce Nesbitt)
Unix Expo Power Failure (Jan I Wolitzky)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to [email protected], with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to [email protected].
TO FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
cd sys$user2:[risks]<CR>get risks-i.j . Vol summaries now in risks-i.0 (j=0)

----------------------------------------------------------------------

Date: Sun, 5 Nov 89 13:14:43 EST
From: "Barry C. Nelson" <[email protected]>
Subject: Computer used to find scoflaws in Boston

A news article in the Boston Globe [last Sunday 29 October, with photo]
describes a new computer system, named Argus (after a mythical multi-eyed and
vigilant beast), which is being used to catch local drivers with stolen license
plates. The innovation is that a sensor is used to observe license plates and
a program turns the image into numbers (so they claim). A database is then
searched and a match signalled to the operator. The system is set up at a toll
booth at the harbor tunnel and the suspect is somehow pulled over by the State
Police at the other end as the car emerges.

The article goes on to quote the operators as saying they have proven the
system "works" by matching on six offenders in one day. Unfortunately, five of
the six were errors caused by Registry backlog or other policy inconsistencies
such as re-using old numbers for new car owners. The sixth case was bona fide.

Their current experiment uses one camera and a floppy database of some 40,000
registrations. They say they are looking forward to installing the list of
200,000 suspended licenses or registrations and increasing the number of
cameras to enable them to watch all eight lanes.

When five out of six hits are human errors, imagine the complaints! It can be
very humiliating to be hauled out of your car and treated like a felon. This
could turn out to be embarrassing for the overworked database managers.

At least we can look forward to less tunnel traffic someday as Argus evaders
find alternate routes.

BCNelson "Opinions contained herein are my own, etc..."

------------------------------

Date: Tue, 7 Nov 1989 12:17:57 PST
From: Peter G. Neumann <[email protected]>
Subject: Air Traffic in Leesburg VA

Friday evening's air traffic around Washington DC was awful. As most of you
now know, both the primary computer system AND the backup were seriously
degraded for at least two hours during the evening rush hour, stacking up and
backing up air traffic extensively. (I was in DC that day. I'm at MIT today,
Home tonight, hopefully.) The scuttlebutt seems to blame a buffer overflow, but
I hope someone can contribute the real inside story.

------------------------------

Date: Mon, 6 Nov 89 10:28:39 BST
From: Brian Randell <[email protected]>
Subject: Equinox TV Documentary on "Fly By Wire"

Last night the one-hour TV documentary in the Equinox series, entitled "Fly By
Wire" was shown on Channel 4 in the UK. Since it was identified as "A Box
Production for Channel 4, in association with WGBH/Boston, copyright 1989", I
assume it will soon be shown in the States; I recommend looking out for it.

In my opinion it provided a reasonably complete and well-balanced (and also
visually very attractive) account of the various incidents and opinions
surrounding the A320, using a lot of well-chosen film clips, together with
interviews with, or at least "sound-bites" from, about twenty different people.

>From Airbus Industrie there was Bernard Ziegler (VP Engineering), Roger
Betaille, and Gordon Corps (Engineering Test Pilot) and, from Aerospatiale,
Gilles Pichon (Chief Engineer A320) and Jacques Troy (Flight Control Manager).
Four A320 pilots took part, including Michel Asseline, who alleged that his
crash was due to the control-system over-riding his command to the plane to
ascend. (The others were somewhat critical of the flight control system, but
did not back up this allegation.)

The computing science community was represented by Mike Hennell, Bev
Littlewood, John Knight, and John Cullyer. There were also representatives from
Boeing, the FAA, CAA and DGAC, and Flight International.

The overall impression given was (i) that Airbus had been rather daring in
introducing fly-by-wire, but had probably got away with it, and (ii) that their
rivals would now follow suit, but that the next logical step, that of active
control, was even more controversial and should not be rushed.

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne, UK

------------------------------

Date: 03 Nov 89 21:14:32 EST
From: Julian Thomas <[email protected]>
Subject: Lifethreatening risk! (related to Soviet PCs)

Seen on another news digest service (not in the original):

>From the Financial Times and the Daily Telegraph (UK) - articles about the
Soviet Union studying a proposal to import lots of PC equipment for educational
use. "The soaring demand for scarce PCs has swollen the Soviet crime rate, and
PC owners have even been murdered for their machines."

Lock up your machines, gang, and compute only in the dark!
Julian Thomas

------------------------------

Date: Wed, 01 Nov 89 08:32:26 EST
From: "W. K. (Bill) Gorman" <[email protected]>
Subject: new computer risk: child abuse data base proposed

According to a news release heard a day or two ago, MI is now considering
legislation permitting local communities to establish and maintain data bases
of "suspected" child abusers, or those meeting another of the nebulous
"profiles" used to identify all sorts of persons and ethnic groups in our
society. Aside from permitting hearsay from neighbors, teachers, co-workers,
associates and assorted third parties to be entered and disseminated about any
particular individual or family, the framers of this legislation are also
attempting to gain back-door access to medical records. One profile criteria
disclosed for "identifying" child abusers is use of multiple doctors/hospitals
by the same family. Physicians are threatened with legal sanctions for not
reporting the simple fact that one or another patient HAS SEEN ANOTHER
PHYSICIAN without their knowledge/blessing. I don't think that implies any sort
of involvement by Physicians or the AMA in this legislation.

Obviously, the privacy considerations and potential for misuse and/or
malicious use, such as slanderous reports by neighbors against an unpopular
neighborhood resident, inherent in this legislation are enormous.

------------------------------

Date: Wed, 1 Nov 89 18:43:52 EST
From: Jonathan Leech <[email protected]>
Subject: Dangers of mail aliases

Yesterday, I was surprised to find over a dozen messages from the internal
technical mailing list of a company I worked for in 1982 in my inbox. As it
turned out, the reason was that the mail alias a friend at this company used
for me was duplicated in the systemwide alias file for a new employee.
Fortuitously, nothing which was a sensitive matter (save for their code
indenting style :-) happened to be discussed in the block of messages I
received.

Jon Leech ([email protected])

------------------------------

Date: Fri, 3 Nov 89 10:05 EST
From: [email protected]
Subject: Committee report on Bugs

The congressional committee on Science, space, and technology issued
this weed a staff study entitled "Bugs in the Program: Problems in
Federal Government Computer Software Development and Regulation". It is
worth reading for those interested in risks. It is 33 pages long and I
am not about to type any part of it in. It is available from the Sup of
Documents, Congressional Sales Office, U.S.G.P.O, Wash., D.C. 20402.
It does not have a reference number.

------------------------------

Date: Mon, 6 Nov 89 12:15:25+0900
From: Yoshio Oyanagi <[email protected]>
Subject: Computer Viruses Attack China

Ministry of Public Safety of People's Republic of China found this
summer that one tenth of the computers in China had been contaminated by
three types of computer virus: "Small Ball", "Marijuana" and "Shell", China
Daily reported. The most serious damage was found in the National
Statistical System, in which "Small Ball" spread in 21 provinces.
In Wuhan University, viruses were found in *ALL* personal computers.
In China, three hundred thousand computers (including PC's) are in
operation. Due to premature law system the reproduction of software is not
regulated, so that computer viruses can easily be propagated. Ministry of
Public Safety now provides "vaccines" against them. Fortunately, those viruses
did not give fatal damage to data.
Yoshio Oyanagi, University of Tsukuba, JAPAN

------------------------------

Date: Tue, 7 Nov 89 17:07:09+0900
From: Yoshio Oyanagi <[email protected]>
Subject: First Virus Attack on Macs in Japan

First Virus Attack on Macs in Japan

Six Macs in University of Tokyo, Japan, were found to have caught
viruses, newspapers and radio reported. Since this September, Prof. K. Tamaki,
Ocean Research Institute, University of Tokyo, has noticed malfunctions on the
screen. In October, he applied vaccines "Interferon" and "Virus Clinic" to
find his four Mac's were contaminated by computer viruses, "N Virus" type A and
type B. He then found ten softwares were also infected by viruses. A Mac of
J. Kasahara, Earthquake Research Institute, University of Tokyo, was also found
to be contaminated by N Virus and Score Virus. Those are the first reports of
real viruses in Japan.

Later it was reported that four Mac's in Geological Survey of Japan, in
Tsukuba, were infected by N Virus Type A. This virus was sent from U. S.
together with an editor.
Yoshio Oyanagi, University of Tsukuba

------------------------------

Date: 1 Nov 89 21:55:26 GMT
From: [email protected]
Subject: NTT Challenges Hackers

[A copy of the following article appeared on one of our bulletin boards here
at work. I have no idea when or where it was originally published - MHW]

NTT: Calling All Hackers

Tokyo - Nippon Telegraph and Telephone Corp. has issued a provocative
challenge: the Japanese communications giant will give 1 million yen
($6803) to any computer hacker anywhere in the world who can break its
FEAL-8 data communications security code by August 1991. Why the unusual
move? The company wants to debunk a rumor circulationg in Europe that
its security code has been cracked. The FEAL-8 code, developed by NTT in
1986, is widely used in Japan and overseas to protect datacom systems and
integrated circuit cards from illegal access.

------------------------------

Date: Fri, 3 Nov 89 17:40:53 EST
From: [email protected] (Bryce Nesbitt)
Subject: Even COBOL programmers need to know about range checking.

Last week I received this letter from my bank:

GREAT NEWS FOR THE HOLIDAYS!

Dear Bryce C. Nesbitt:

You are important to us. And, because of the excellent way you've
handled your finances, we are pleased to increase the credit limit on your
Meridian Open Line of Credit to $0. Now you have more buying power when you
need it most - in time for the holidays.
...

Thanks a lot. Before the promotion my credit limit was $5,000.00. The rest
of the letter talked about the free Mini-Vac that could be mine if I'd just
borrow $1,000 (funny, there was no mention of the over-limit penalty :-).

The bank had little to say about the event. I assume the calculation was
based on a number of factors, including the "high credit" on the account.
Since I have never drawn on this account, high credit would be zero.

------------------------------

Date: Fri, 3 Nov 89 15:17:10 EST
From: [email protected] (Jan I Wolitzky)
Subject: Unix Expo Power Failure

I was strolling through the Unix Expo show at the Javits Center in NY this
morning, shortly after it opened for its third and final day, when all the
power went out. My first reaction was that, boy, now we're gonna get to see
whose systems really ARE uninterruptable. My second reaction was that there
must be a VMS hack around somewhere. My third reaction, after it became clear
that the lights weren't coming back on right away, was to move toward the
daylight at the front of the convention center, with disturbing thoughts of
panicked crowds, the San Francisco earthquake, and other paranoia in mind. As
I approached the front of the hall, the big steel roll-up overhead doors
started coming down. Quite a few people, apparently believing that their only
exit was disappearing, rushed forward and ducked under the closing doors. It
turned out that there were lots of other, conventional exit doors still
available, but it still seemed to me a poor choice of failure mode: when the
power fails (who knows, maybe because of a fire or other condition
necessitating evacuation), close off the biggest and most obvious escape route.
There was no panic this time, but after more than an hour, there was no power,
either, so I gave up on the show. On the bus back, I was reading the issue of
Unix Today that was being handed out at the show. A non-cover story described
some of the problems experienced by the people who tried to set up an operating
network (Ethernet?) at the show: apparently, some vendors were using unassigned
net addresses, so that they could access other systems, but their competitors
couldn't access theirs. And then there was the problem they had in actually
laying the cable: normally a 4-hour job, it turned out that in NYC, it had to
be performed by members of the Electrical Workers Union, who took 36 hours to
do it. I found the juxtaposition of the appearance of a story blasting the
Electrical Workers Union and the power failure to be curious....

Oh yes, almost forgot, Unix is a registered trademark of AT&T.

Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998
att!mhuxd!wolit or [email protected]
(Affiliation given for identification purposes only)

------------------------------

End of RISKS-FORUM Digest 9.39
************************