RISKS DIGEST 12.02
RISKS-LIST: RISKS-FORUM Digest Tuesday 2 July 1991 Volume 12 : Issue 02

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Insecure Superman leads to Superbill (Paul Leyland)
Too Many Computer Systems Hurt War on Drugs, study says (PGN)
Colombian Constitution Erased (Brian Snow)
More phone disruptions (Fernando Pereira)
Bell Atlantic 26 June Failure (Robert McClenon)
Re: The Risks of Undelete and the Law (Al Donaldson)
Searching the RISKS archives via WAIS (Ephraim Vishniac)
"On the Danger of Simple Answers" (elnitsky via Rob Slade)
Videotape of the pilot discussing the crash of UAL 232 (Mary Shafer)
Risk of posting to RISKS (Jerry Hollombe)

The RISKS Forum is moderated. Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious. Diversity is
welcome. CONTRIBUTIONS to RI...@CSL.SRI.COM, with relevant, substantive
"Subject:" line. Others ignored! REQUESTS to RISKS-...@CSL.SRI.COM. For
vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits). Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 1 Jul 91 14:18:30 +0100
From: Paul Leyland <p...@convex.oxford.ac.uk>
Subject: Insecure Superman leads to Superbill.

Victim of computer hackers fights BT over \pounds 8,000 bill
_The Times_ (London), 1 July 1991

A director of video films is embroiled in a dispute with British Telecom over
an \pounds 8,000 bill after becoming a victim of hackers -- people who steal
computer passwords to break into international data bases and use services
illegally.

George Snow says the bill will ruin him. Experts say the case highlights
increasing concern over one of Britain's most under-reported crimes. For
several years, Mr Snow has kept abreast of developments in 3-D computer
graphics by using access to an American information service called Compuserve.
To cut costs, he became a customer of BT's Dial Plus service, which allows
customers to connect their office or home computers to international data bases
for the price of a local rather than an international call.

Mr Snow, who has directed programmes for Channel 4 and the Arts Council, and
whose pop video credits include Howard Jones, had found the service useful and
inexpensive until recently. "My quarterly bill would be around \pounds 30,"
said the director whose company, WKBC TV, is based in west London. Mr Snow,
aged 42, now faces a big unscheduled bill for calls he never made. It appears
that hackers illegally obtained Mr Snow's password and BT agrees. The dispute
is about who pays the \pounds 5,500 and \pounds 2,500 bills which have been
run-up in recent months.

BT says that Mr Snow chose a password that hackers could easily borrow [sic].
He says that the company has a responsibility to ensure its networks are
secure. "To clock up \pounds 8,000 worth of bills you have to be talking about
someone using the service 24 hours-a-day day in day out," he said.

To break into a data base, hackers will generally first try obvious passwords
such as Christian names. They also use programmes that run randomly through
words in a dictionary until one opens a data base.

Customers with Dial Plus have to sign a disclaimer stating that they will not
use obvious passwords otherwise they might be liable for hackers' bills. A BT
spokesman admitted, however, that Mr Snow had joined the service before the
agreement came into force.

Mr Snow also says that it was BT which approved Superman, the password stolen
by the hackers. The company says that Mr Snow was warned that his account was
running up huge bills in early February but that it was sometime later that the
password was changed. Mr Snow says that it was changed within days and that by
the time BT contacted him the damage had been done with most of the bill having
been run up.

He believes that he, and possibly others, are being forced to pay the price for
the company's poor security and has called in the Computer Crime Unit at
Scotland Yard to investigate.

David Frost, a computer security expert with accountants Price Waterhouse, said
yesterday that the amount of hacking taking place in Britain was being
seriously underplayed by companies.

BT rejects suggestions that it is cavalier with security. A spokesman said the
company would write to Mr Snow this week. He says that he will fight BT in
court if it prosecutes him. "\pounds 8,000 is about 10 per cent of my
turnover," he said.

[I have a few comments, based solely on the report as printed. I do not know
what truly happened. I draw attention to the BT's apparent attitude to
password security. They used the term "borrow", rather than "steal" or "use
illegally". They vetted the password, implying that Mr Snow was asked to
reveal his password rather than keep it secret. Even so, they gave the OK to
a password which is of dubious security. It is generally agreed that proper
names, dictionary words, literary characters and the like are easily guessed.

More generally, it is interesting how British newspapers, and _The Times_ in
particular, are beginning to take an informed interest in the subject of
computer security and, indeed, in computer-related risks in general. Apart
from some quaint terminology ("programmes", "data bases") they seem
reasonably competent at understanding the issues and reporting them clearly
to a non-expert audience.

Paul Leyland, p...@convex.oxford.ac.uk ]
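The kind of vetting that would have rejected "Superman" (proper names, dictionary words, literary characters, including the usual disguises of capitalisation, trailing digits and letter-for-digit substitutions), as an added example that is not from the original post or from BT; the word list is constructed for the demo and a real check would load a full dictionary and name list.

```python
"""Added example (not code from the original RISKS post): a password vetting
check that rejects dictionary words, proper names and literary characters,
even when disguised by case changes, trailing digits or leet substitutions.
DICTIONARY is a constructed stand-in for a real dictionary plus name list."""

import re

# Constructed mini word list: dictionary words, first names, fictional characters.
DICTIONARY = {"superman", "password", "secret", "george", "video", "london",
              "batman", "merlin", "gandalf"}

# Letter-for-digit/symbol substitutions commonly used to "disguise" a word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8


def normalise(candidate: str) -> str:
    """Strip leading/trailing digits, lower-case, then undo leet substitutions.

    Digits are stripped first so that a trailing "1" is treated as padding
    rather than being translated to the letter "l"."""
    stripped = re.sub(r"^\d+|\d+$", "", candidate)
    return stripped.lower().translate(LEET)


def vet_password(candidate: str, wordlist=DICTIONARY) -> list:
    """Return the reasons a password is weak; an empty list means it passes."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    base = normalise(candidate)
    if base in wordlist:
        reasons.append(f"is the dictionary word or name '{base}'")
    else:
        # Also catch two dictionary words glued together (each at least 3 chars).
        for i in range(3, len(base) - 2):
            if base[:i] in wordlist and base[i:] in wordlist:
                reasons.append(f"is two dictionary words '{base[:i]}' + '{base[i:]}'")
                break

    # Character-class diversity: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


if __name__ == "__main__":
    for pw in ("Superman", "Sup3rm@n1", "secretvideo", "Kq7#rLm9!xZ"):
        print(pw, "->", vet_password(pw) or "OK")
```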

------------------------------

Date: Tue, 2 Jul 91 20:08:30 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Too Many Computer Systems Hurt War on Drugs, study says

The 2 Jul 91 Washington Post noted that the government's war on drugs is being
seriously impeded by having to rely on more than 100 different computer
systems, according to a report of the General Accounting Office. Many of the
computers cannot communicate. Also, "the government has no measures for
ensuring that its information is correct and that its systems are protected
from outsiders."

------------------------------

Date: Sun, 30 Jun 91 10:19 EDT
From: BS...@DOCKMASTER.NCSC.MIL
Subject: Colombian Constitution 'lost' due to lack of data backup procedures.

Excerpted from The Washington Post, 30 Jun 1991, p.A23:

Computer Glitch 'Kills' Constitution;
Colombian Charter Appears in Jeopardy
by Douglas Farah, Special to The Washington Post

BOGOTA, Colombia, June 29 -- The approval of Colombia's new constitution,
which modernizes the nation's judicial, political and economic structures, is
in jeopardy because a computer apparently ate the text. ...
The committee writing the final version was to turn over the text for final
voting Wednesday. However, a technician storing the material in a computer,
borrowed from the office of the presidency, erased or lost the final document
-- after many of the papers with the drafts of the articles had been thrown
away. ... "We literally have people going through trash cans looking for
scraps of paper," said one source close to the process. "We do not know how
this was allowed to happen, and we have lost an almost vital three days. We
cannot debate or vote on a text we do not have in front of us." ...
While there are different versions of how the computer foul-up occurred,
sources said a member of the codification committee refused to allow
technicians from the office of the president to have access to the computer,
fearing that some of the material could be pirated or changed. Instead, he had
a nephew hired to do the computer work.
It turned out that the nephew had only taken a one-year correspondence
course in computer programming. ...

[Also noted by Les Earnest, and by "Raleigh F. Romine"
<rom...@cise.nsf.gov>, who added
"It has all the traditional ingredients -- no backups, inexperienced
operators, etc. The final quote is the best part." ]

------------------------------

Date: Tue, 2 Jul 91 11:17:25 EDT
From: per...@klee.research.att.com (Fernando Pereira)
Subject: More phone disruptions

Associated Press writer Jim Stader reports today (July 2nd) on another
software-induced disruption of phone service affecting over 1 million customers
(area code 412 around Pittsburgh) of Pennsylvania Bell for over 6 hours. The
problem was probably caused by the same recently installed signalling software
that is under suspicion for earlier disruptions in the Washington DC and Los
Angeles areas. The bug has not yet been identified, and the possibilities of a
virus or other sabotage have not been ruled out. Pennsylvania Bell's president
stated that the triggering event might have been different in the various
disruptions, but that once the problem is triggered, the symptoms are very
similar. In all cases, lines carrying signaling between switches became jammed.

[A subsequent revised version of the AP story summarized above reports
on speculation that the cause of the phone disruptions may be sabotage
originating in the Middle East. The alleged reason for this is the claim
that in most cases the network failures followed the appearance of
animated hieroglyphics on operators' terminals.]

Fernando Pereira, 2D-447, AT&T Bell Laboratories
600 Mountain Ave, Murray Hill, NJ 07974 per...@research.att.com

[The San Francisco Chronicle front page this morning recorded the
Pennsylvania problems, and also noted similar problems in San Francisco,
although only for five minutes. It quoted Don Burns, a Bell Atlantic
VP: "The fact that we've had, in the short period of a month, several
outages causes us to believe that something has been introduced" into
the systems. The complexity of highly distributed systems continues to
confront us. PGN]

------------------------------

Date: 01 Jul 91 22:53:08 EDT
From: Robert McClenon <7647...@compuserve.com>
Subject: Bell Atlantic 26 June Failure

In my opinion, the spreading of the failure of the telephone system on
Wednesday (26 June) from Baltimore to Washington and Northern Virginia was an
example of a risk of a high degree of connectedness in a network. In
particular, connectedness increases the vulnerability to spreading failures,
unless special provisions are made to limit that spread. I think a similar
lesson was exhibited (but perhaps not learned) by the failure of the electrical
grid connecting the Northeast in 1965 resulting in the New York blackout.

It eventually was necessary for C&P (a subsidiary of Bell Atlantic) to
break the links between the four SS7 computers and take each of them down and
bring them up separately.

The Washington Post says:

> Bell Atlantic said yesterday that it had probably worsened the scope
> of the failure inadvertently because it had recently linked all four of
> the traffic cop computers [Signaling System 7 computers] temporarily...

In other words, connecting the four computers was a two-edged sword, and
it cut the wrong way on 26 June 1991. Also, there had obviously been
inadequate testing of the software. Something as large as a telephone
switching system is not easy to test adequately, and requires a high level of
thoroughness in planning the tests.
Robert McClenon

------------------------------

Date: Tue, 2 Jul 91 11:33:14 EDT
From: a...@escom.com (Al Donaldson)
Subject: Re: The Risks of Undelete and the Law (Dippold, RISKS-12.01)

In RISKS-12.01, Ron Dippold writes about a case in which a murderer
used a computer to plan his crime, and then claimed that when he "deleted"
his files he had an "expectation of privacy" regarding the data:

>The court soundly, and IMO correctly, rejected this claim, analogizing the
>retrieval of the deleted file data (by an FBI agent who was a computer expert)
>to deciphering a coded message in a diary, after the diary was obtained under a
>valid subpoena.

I agree that the information was properly used in the trial, but I think
the analogy given was incorrect or incomplete. While most people think
of computers simply as electronic filing cabinets, there are some weak
analogies between writing messages to disk and coding data in a diary
(e.g., use of ASCII, way in which bits are written to media). I suspect
that these analogies were not appreciated by the court. Instead, they seem
to have concluded that "deleting" a file is analogous to encrypting it.

File deletion (actually, removing links to the data) is more analogous
to shredding or burning the diary, or tearing out pages and throwing them
in the trash (imagine an Apple wastebasket icon.. :-) The defendant did
have an expectation of privacy based on his (lack of) knowledge of how
file deletion worked, just as someone who sets fire to a stack of papers
may expect them to burn completely all the way through and obliterate all
of the data written on them. But in the case of burned papers, it may
still be possible to carefully peel them apart and read some information.
If you really want to obliterate the *data*, you burn the paper completely
and then grind the charred paper to small pieces of ash. Similarly,
if you want to remove *data* from a disk, you overwrite it. If it is
really important, like national secrets or murder evidence, then you
hacksaw the disk platters into little bitty pieces and throw them into
the Potomac. Ask Ollie North.

I agree they should fry Mr. Copenhefer, but I don't like the justification.
This will probably establish a precedent in future trials, further removing
legal practice from physical reality. Wouldn't it have been nice if the
court had simply decided to use "un-deleted" data, without any half-baked
analogies?

Al

Incidentally, I seem to remember a similar case in Northern Virginia
recently in which a Marine was accused of murdering his wife (also a
Marine, who disappeared and whose body has not been found). As I
remember, investigators found plans on how to carry out a murder and
hide the body on a disk belonging to the suspect. His explanation,
supported by his mother, was that he was working on a book, a murder
mystery, and he has no idea where his wife is. Murder, he wrote?
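A toy block device that models the distinction Al draws above, as an added example that is not part of the original post: "deleting" only removes the directory link and a raw scan of the media still finds the bytes, while overwriting the blocks before unlinking actually removes them. The disk geometry and file contents are constructed for the demonstration.

```python
"""Added example (not code from the original RISKS post): a toy disk showing
why unlinking a file is not the same as destroying its data. Block size,
block count and file contents are constructed values for the demonstration."""

BLOCK_SIZE = 16
NUM_BLOCKS = 8


class ToyDisk:
    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # raw platter contents
        self.directory = {}        # name -> list of block numbers (the "links")
        self.free = list(range(NUM_BLOCKS))

    def _span(self, block):
        return slice(block * BLOCK_SIZE, (block + 1) * BLOCK_SIZE)

    def write(self, name, data: bytes):
        """Allocate blocks and store data; the directory entry is the only link."""
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            b = self.free.pop(0)
            self.media[self._span(b)] = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            blocks.append(b)
        self.directory[name] = blocks

    def read(self, name) -> bytes:
        raw = b"".join(self.media[self._span(b)] for b in self.directory[name])
        return raw.rstrip(b"\0")

    def delete(self, name):
        """Ordinary delete: drop the link and free the blocks. The bytes stay put."""
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name):
        """Overwrite every block of the file with zeros, then unlink it."""
        for b in self.directory[name]:
            self.media[self._span(b)] = b"\0" * BLOCK_SIZE
        self.delete(name)

    def undelete_scan(self, marker: bytes) -> list:
        """Forensic-style scan: look at blocks no directory entry points to."""
        linked = {b for blocks in self.directory.values() for b in blocks}
        hits = []
        for b in range(NUM_BLOCKS):
            chunk = bytes(self.media[self._span(b)])
            if b not in linked and marker in chunk:
                hits.append((b, chunk.rstrip(b"\0")))
        return hits


SAMPLE = b"CONFIDENTIAL DRAFT: chapter one."   # constructed file contents


def recoverable_after_delete() -> bool:
    """True if an ordinary delete leaves the text findable on the raw media."""
    disk = ToyDisk()
    disk.write("draft.txt", SAMPLE)
    disk.delete("draft.txt")
    return len(disk.undelete_scan(b"CONFIDENTIAL")) > 0


def recoverable_after_secure_delete() -> bool:
    """True if the text survives an overwrite-then-unlink (it should not)."""
    disk = ToyDisk()
    disk.write("draft.txt", SAMPLE)
    disk.secure_delete("draft.txt")
    return len(disk.undelete_scan(b"CONFIDENTIAL")) > 0


if __name__ == "__main__":
    print("after delete:", recoverable_after_delete())          # True
    print("after secure delete:", recoverable_after_secure_delete())  # False
```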

------------------------------

Date: Mon, 1 Jul 91 10:55:48 EDT
From: Ephraim Vishniac <eph...@Think.COM>
Subject: Searching the RISKS archives via WAIS (Wollman, RISKS-11.95)

I'm the database maintainer, and I just want to add a few notes.

1. The public WAIS server is down right now. With last week's record heat and
some inadequate air-conditioning here, we temporarily killed cmns-vax. It's
possible that it will be up sometime tomorrow (July 2nd) after moving to a new
machine room, but it might be another day or two.

2. The database is automatically updated. (I should fix the source
description.) Issues arriving during the night are saved until we start up in
the morning; issues arriving while the system is up are added within ten
minutes.

3. A variety of user interfaces for the WAIS system are available by anonymous
ftp from think.com, in /public/wais. There's a Macintosh interface in
WAIStation-0-62.sit.hqx, and there are gnu emacs and X-Windows interfaces in
wais-8-b1.tar.Z. The latter package also includes code for setting up your own
servers using whatever Unix host you've got handy. (The public WAIS server uses
a Connection Machine. Code for that server is not generally available.)

4. The public WAIS server contains a variety of other databases, including the
info-mac digest, Sun-Spots digest, Sun Managers mailing list, King James
Version of the Bible, National Institutes of Health Guide to Grants and
Programs, and the CIA World Factbook 1990.

Ephraim Vishniac eph...@think.com Thinki...@applelink.apple.com
Thinking Machines Corporation / 245 First Street / Cambridge, MA 02142

------------------------------

Date: Mon, 01 Jul 91 20:26:12 PDT
From: p...@arkham.wimsey.bc.ca (Rob Slade)
Subject: "On the Danger of Simple Answers"

The following was posted on rec.humor.funny. On the one hand, it shows an
appalling naivete. On the other hand, that isn't funny at all:

From: elni...@math.lsa.umich.edu
Subject: global warming
Date: 30 Jun 91 23:30:04 GMT

"... Perhaps of even greater significance is the continuous and profound
distrust of science and technology that the environmental movement displays.
The environmental movement maintains that science and technology cannot be
relied upon to build a safe atomic power plant, to produce a pesticide that is
safe, or even bake a loaf of bread that is safe, if that loaf of bread contains
chemical preservatives. When it comes to global warming, however, it turns out
that there is one area in which the environmental movement displays the most
breathtaking confidence in the reliability of science and technology, an area
in which, until recently, no one -- even the staunchest supporters of science
and technology -- had ever thought to assert very much confidence at all. The
one thing, the environmental movement holds, that science and technology can do
so well that we are entitled to have unlimited confidence in them, is FORECAST
THE WEATHER! -- for the next one hundred years..."

George Reisman, "The Toxicity of Environmentalism"

This kind of thinking is, unfortunately, all too common, even in the scientific
community. If I disagree with it, it must be wrong. If it supports what I
believe, it must be right.

True "critical" thinking: that facility which allows us to discriminate between
correct and incorrect information and points of view, is too often lacking in
our society and world. In addition, all too few people have taken the time to
acquire the technical knowledge which allows one to judge scientific
pronouncements.

(My subject line is the title of the editorial for the Journal of the American
Scientific Affiliation special issue on nuclear power some years back.)

Robert...@mtsg.sfu.ca Vancouver Institute for Research into User Security
Canada V7K 2G6

------------------------------

Date: Mon, 1 Jul 91 14:01:06 PDT
From: Mary Shafer <sha...@skipper.dfrf.nasa.gov>
Subject: Videotape of the pilot discussing the crash of UAL 232

I wrote:
>There's been a lot of discussion of the safety of fly-by-wire aircraft, so
>here's the discussion of an accident that very possibly would have been
>prevented were the DC-10 fly-by-wire rather than hydraulic.

And Robert Dorsett comments:

> As I'm sure Mary realizes, FBW does not alleviate the necessity for
> multiple-redundant hydraulics, and all the plumbing that comes
> with them. As currently implemented on most aircraft, it simply
> replaces the means by which the *hydraulic* actuators are operated.
> Instead of cables, there are electrical wires. These lead to one
> or more computers, which in turn process command inputs from the
> pilot, leading to the possibility of unconventional control laws.
> Most of the controversy of FBW occurs at this stage. The severity
> of the failure involved would have happened whether the DC-10 were
> FBW or not.

No, Robert, it wouldn't have. The loss of two of the hydraulic systems was
caused by shrapnel damage to the hydraulic lines. Had this not happened, the
airplane would have flown along with two working hydraulic systems and have
done just fine. However, the design of the conventional hydraulic system
dictates hydraulic runs that were vulnerable to the precise damage caused by
this accident.

DC-10s don't use cables, they use nonreversible hydraulic systems. I don't
believe that any airliner since the DC-4 or so has had cables.

This has nothing to do with the control laws, nothing to do with redundancy,
nothing to do with unconventional systems, it has everything to do with the
physical vulnerability of the hydraulic lines and the fact that the wiring is
better armored and less vulnerable to shrapnel damage and that other hydraulic
runs are better protected from this particular damage.

This is, of course, why battle damage resistance is an important benefit of
fly-by-wire and why the military is so fond of it. I worked on the Survivable
Flight Conditions Systems F-4 Phantom in the early to mid-70s. The Air Force
wasn't interested in fancy control systems or lighter weight, they were
interested in surviving battle damage. That's the easiest payoff to FBW.

> Now, in rebuttal, I'm sure Mary'd point out that the FBW issue
> would only enter in the form of *control* issues subsequent to the
> accident, introducing unconventional control laws to effectively
> duplicate (or improve upon) the differential thrust technique
> Haynes used. And she has a point. But there's always the question
> of whether the complexity and cost of such software will ever
> justify its usefulness in the "1:1e-9" catastrophic control failure
> case. In safety management, there is a point of negative return.

Nope, I wouldn't point this out because it never even occurred to me
until you mentioned it. My only thought was shrapnel damage.

I think you're quite correct about some sort of thrust-only flight path control
system. There've only been a very few accidents that resulted in total
hydraulic loss with an otherwise flyable airplane. (Two pressure vessel
failures--Paris in a DC-10, Japan in a 747--and this one for airliners, the
birdstrike to the B-1B out of Dyess.) It doesn't seem to me that there's any
reason to develop a system to deal with such a remote possibility. Sometimes
you just go ahead and accept the risk, when it's an extremely small risk. Life
isn't completely risk-free.

> Perhaps a more salient observation would have been: this accident
> would not have happened if there was full manual reversion on the
> DC-10, ala the Boeing 707? :-)

This accident wouldn't have happened if the airplane had completely armored
hydraulic lines. It happened to a DC-10, it happened to a B-1B, but it's
easier to prevent in a fly-by-wire aircraft because you have safer hydraulic
runs available and because fly-by-wire wires are more easily armored.

Mary Shafer sha...@skipper.dfrf.nasa.gov ames!skipper.dfrf.nasa.gov!shafer
NASA Ames Dryden Flight Research Facility, Edwards, CA

------------------------------

Date: Tue, 2 Jul 91 16:33:19 -0700
From: The Polymath <holl...@ttidcb.tti.com>
Subject: Risk of posting to RISKS

Some years ago, as an apprentice programmer, I learned to craft even my
personal, quick-and-dirty utility programs carefully and thoughtfully. The
lesson was first driven home as I stood by and watched in horror while one of
my uglier personal "tools" was packaged and shipped as part of a product.

Recently, a similar phenomenon caught me again. I received an e-mail query
asking permission to include the text of one of my postings to RISKS in a
forthcoming book. The request came so long after the fact, I had to ask the
publisher to send me a copy of the article in question. I'd long since
forgotten it.

The article turned out to be a minor diatribe on the nature of censorship and
its relation to Stanford's attempt to ban rec.humor.funny. It was a bit
embarrassing to read it again and note its flamish style. All in all, I was
mildly surprised our moderator let it through.

I gave my permission for its publication, but requested a footnote be added
clarifying my position on the matter. I received a copy of the book in the
mail a few days ago, footnote and all. (It also contains RISKS comments on the
same subject from Les Earnest and John McCarthy. I'm honored to be found in
such company).

The risk? The words we exchange here aren't as ephemeral as they may appear on
a VDT screen, so be careful what you say and how you say it. You never know
who might decide to package and ship it to a customer. (-:

Oh, yes. The book:

_Computerization and Controversy: Value Conflicts and Social Choices_
Edited by Charles Dunlop and Rob Kling, Academic Press, Inc.
Harcourt, Brace, Jovanovich, Publishers ISBN 0-12-224356-0

(No, I don't get any royalties).

Jerry Hollombe, Citicorp, 3100 Ocean Park Blvd. Santa Monica, CA 90405
(213) 450-9111, x2483 {rutgers|pyramid|philabs|psivax}!ttidca!hollombe

------------------------------

End of RISKS-FORUM Digest 12.02
************************