RISKS-LIST: RISKS-FORUM Digest  Tuesday, 16 February 1988  Volume 6 : Issue 27

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Sometimes doing nothing is doing something (Carl via Jerry Leichter)
  More info on Compuserve Macinvirus (Max Monningh)
  Viruses as copy protection (Eliot)
  Re: Trojan horsing around with bank statements (Henry Spencer)
  Re: computer pornography (Jonathan Kamens)
  Emergency Calls misdirected by Cellular Telephone System (Dave Wortman)
  Software Warranties (Robert Kennedy)
  Mag-stripe cards (Joel Kirsh)
  Interleaving of Early Warning Systems (Herb Lin)
  What is the responsibility of Administrators? (Chris McDonald)
  Data Physician -- Correction (Re: RISKS-6.25) (Andrew Hastings)
  Reporter seeking virus information (John Gilmore)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
  > > > > > > > > >   PLEASE LIST SUBJECT in SUBJECT: LINE.   < < < < < < < < <
For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j.
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Tue, 16 Feb 88 18:04 EST
From: "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)"
Subject: Sometimes doing nothing is doing something

Forwarded from INFO-VAX.  -- Jerry

Date: Wed, 10 Feb 88 18:43:53 PST
From: carl@CitHex.Caltech.Edu
Subject: The Chaos Computer Club's Trojan Horse threat was apparently successful
To: info-vax@CitHex.Caltech.Edu

A week or so ago, the Chaos Computer Club of West Berlin announced that they
were going to trigger trojan horses they'd previously planted on various
computers in the Space Physics Analysis Network.
Presumably, the reason for triggering the trojan horses was to throw the
network into disarray; if so, the threat has, unfortunately, with the help of
numerous fifth-columnists within SPAN, succeeded.  Before anybody within SPAN
replies by saying something to the effect of "Nonsense, they didn't succeed in
triggering any trojan horses", let me emphasize that I said the THREAT
succeeded.  That's right, for the last week SPAN hasn't been functioning very
well as a network.  All too many of the machines in it have cut off network
communications (or at least lost much of their connectivity), specifically in
order to avoid the possibility that the trojan horses would be triggered (the
fifth-columnists to whom I referred above are those system and network managers
who were thrown into panic by the threat).

I find this rather amazing (not to mention appalling) for a number of reasons:

1) By reducing networking activities, SPAN demonstrated that the CCC DOES have
   the power to disrupt the network (even if there aren't really any trojan
   horses out there);

2) Since the break-ins that would have permitted the installation of trojan
   horses, there has been a VMS release (v4.6) that entails replacement of ALL
   DEC-supplied images (well, not quite: some layered products didn't have to
   be reinstalled; however, there have been new versions of many layered
   products since the break-ins).  Installation of the new version of VMS
   provided a perfect opportunity to purge one's system of any trojan horses.

3) In addition to giving CCC's claims credibility, SPAN's response to the
   threat seems a bit foolish since it leaves open the question "What happens
   if the CCC activates trojan horses without first holding a press
   conference?".

Hiding from the problem doesn't help in any way that I can see; it merely makes
SPAN (and NASA) look foolish.

Disclaimer: The opinions expressed above are my own, and not necessarily those
of my employers.
The opinion of one of my bosses is (at least in part) that he'd like to regain
access to some of the databases that SPAN's managers have isolated in their
panic.

------------------------------

Date: Sun, 14 Feb 88 23:33 CST
From: MAXWELL%FNALC.BITNET@CUNYVM.CUNY.EDU
Subject: More info on Compuserve Macinvirus

Here is some more info on the Compuserve Mac-virus (see RISKS-6.22).  (From
the Chicago Tribune, without their permission of course)

Chicago Tribune, Sunday 14 Feb. 1988, Section 7, Page 8
"Virus gimmick is 'vandalism, pure and simple'" by Daniel Brogan

"By now you've probably read a thing or two about computer viruses.  Everyone
seems to be talking about them.  [explanation deleted]  The matter of computer
viruses is a matter of heated debate in computer circles.  Some fear [the
obvious].  Others see [it as an urban legend born of science fiction and
societal technophobia].  I was inclined to side with the latter group.  [This
guy's a reporter??]  Every virus report I investigated seemed to have taken
place in some foreign country or was attributed to a friend of a friend.  Then
I ran into a real honest-to-goodness virus.  [more stuff we already know]

As it turned out the virus was pretty tame.  On March 2, the user would be
greeted with the following message:

  "RICHARD BRANDOW, publisher of MacMag, and its entire staff would like to
  take this opportunity to convey their UNIVERSAL MESSAGE OF PEACE to all
  Macintosh users around the world."

After displaying the message, the virus would quietly delete itself without
disturbing any other data.  At least 40 subscribers downloaded the virus from
Compuserve.  The stack was also spotted on SEVERAL other commercial databases.

I called Brandow, who readily accepted responsibility for the virus.  [Here
comes the bilge...]  'Actually, we like to call it a message,' he told me.  'We
look at it as something that's really positive.'  MacMag is a Canadian monthly
with a circulation of about 40,000.
Brandow began toying with the idea of his message about 2 years ago, toyed with
various distribution schemes, settled on a virus and HIRED A PROGRAMMER!!
(March 2 was chosen to commemorate the 1st birthday of the Mac II.)  He then
infected 2 Macs at MacMag for 2 days in December.  Already, he says the virus
has been sighted throughout Europe.  'People there are reacting to it like a
new form of art.  They think it's a nifty form of communication.'  [Brogan's
opinion deleted]

Brandow says, 'I really think it's a difference of philosophy.  People here in
Canada and over in Europe see this for what it is, a message of peace.  It's
you people in the United States who see it as something dark and nasty.'
[Henry, are we really that paranoid down here?]

Neil Shapiro, Compuserve's Macintosh forum admin, worries that 'MacMag has
opened here a Pandora's Box of problems which will haunt our community for
years.'"

[beg.flame]

Who the hell does this clown think he is??  How could he possibly get to the
position in life to publish his own magazine and be unable to think through the
logical, INEVITABLE implications of his actions??  Americans are just
paranoid??  Oh sure, there have never been ANY Canadian crackers, the Chaos
Computer Club [Europe], the IBM Christmas card [W.Germany] and the Israeli
virus are just campfire fictions.  And what about the little American computer
geek who at THIS VERY MINUTE is probably altering the DNA inside Brandow's
message to do nasty things?

Mac users ARE particularly bad about software hygiene (I used to be, until I
subscribed to Risks...) and there ARE a lot of people who use Macs for REAL
WORK.  I assert that some of these people bought Macs because they don't like
what IBM stands for, believe in "the little guy" because they are too, are
undercapitalized and could be seriously screwed if one of their employees loads
a sick disc.  Some of these people are going to learn a painfully expen$ive
le$$on because of Brandow.
I know that someone out west uses Macs for Cray terminals... the mind boggles.

Since Brandow lives in Canada and not here in Chicago, I can't get Vito, the
alderman's nephew, to break his knees; I don't s'pose he lives in Toronto ;->
... I therefore propose economic response.  The liquidation of Brandow's
business will probably be insufficient to cover the losses which will
eventually be suffered by the Macuser community (and it wouldn't help anyway)
but it might make an impression.

[end.flame]

I also have an opinion about his method of spreading the virus, which may or
may not have been discussed here previously.  Most of my old risks issues are
archived on tape, the robot's slow, and I don't have a quota THAT big
anyway... I'll do my homework and maybe post something on the subject later.

Max Monningh, Fermi National Accelerator Laboratory, Box 500, MS-355
Batavia, IL 60510    MAXWELL@FNALB.BITNET    SPAN/HEPnet: 43011MAXWELL

------------------------------

Date: Thu, 11 Feb 88 11:55 EDT
From: ELIOT%cs.umass.edu@RELAY.CS.NET
Subject: Viruses as copy protection

The idea of using a virus as a copy protection mechanism is very scary.  Here
are a couple of ideas for people to try to use to convince companies not to try
this.

(1) Suppose a virus from a stolen system finds its way into someone else's
computer, who had no knowledge or involvement with the piracy.  The person who
buys software usually has a contract protecting the company from liability, but
I cannot see the company escaping legal liability to a third party who is
damaged by software doing what they intended it to do.  If this happened to me
I would certainly sue the company for everything it had.  Consider, for
example, that you are liable for injuries to a burglar who is hurt by a trap
inside your home.

(2) Protection schemes can fire incorrectly.  Consider a *legitimate* owner of
a piece of software who runs it from an *old* disk.  A little bit of bit-rot
and all of a sudden the program thinks it is stolen...
(3) Another example, that has happened to me.  I am a *legitimate* owner of a
copy-protected Macintosh game program.  I have used it quite happily on my 512K
Macintosh.  My "licence" allows me to run it on any single machine etc., so I
tried using the original master disk on a Macintosh SE.  This was perfectly
legitimate, but the slight differences in the machines were enough to set off
their copy protection scheme.  Since the game runs, but cheats, when this
happens it took me quite a while to be sure of what was happening.

The basic point is that software cannot reliably detect that it has been
illegitimately copied.

------------------------------

Date: Mon, 15 Feb 88 18:02:58 EST
From: mnetor!utzoo!henry@uunet.UU.NET
Subject: Re: Trojan horsing around with bank statements

> This message was not a legitimate one.  It was developed as part of
> a test program by a staff member, whose sense of humor was somewhat
> misplaced, and it was inadvertently inserted in that day's statement...

Note an analogy to the "no jokes please" signs at airport security-screening
stations: there are times and places which are just too sensitive for certain
types of humor.  Putting an "EXPLOSIVES" sticker on your friend's suitcase,
however appropriate it might be as a joke in the right situation, is defensible
only if you take precautions to be SURE it gets removed before he tries to go
through airport security.  Good intentions are not enough; redundant
precautions are in order, in case something goes wrong.

Henry Spencer @ U of Toronto Zoology   {allegra,ihnp4,decvax,pyramid}!utzoo!henry

   [John Markoff told me today that Wells Fargo still does not know who is
   responsible.  By the way, despite my choice of SUBJECT: line, I have no
   inside information that would lead me to believe it was an intentional
   Trojan horse rather than an accidental leakage.  But that is certainly a
   possibility under the circumstances!
   PGN]

------------------------------

From: jik@ATHENA.MIT.EDU
Date: Mon, 15 Feb 88 14:27:55 EST
Subject: Re: computer pornography

In Risks Digest 6.26, Prentiss Riddle (riddle@woton.UUCP) mentions a wire
service report about computer pornography.  We've had firsthand experience in
the "dangers" of computer pornography here at MIT's Project Athena computer
system in the past few weeks....

About a month ago, an employee of Project Athena (who is also an MIT student)
created a directory entitled "xpix" which contained all kinds of graphic files,
most of which were either digitized or scanned from pictures.  These files had
been circulating around Athena in many different users' subdirectories for some
time, and the student who organized them all was simply trying to conserve
space and make them easier to access.  Also included in the xpix directory was
a program to place any of the pictures in the directory into the background of
a workstation (Athena workstations are multiple-window environments with a
background which is normally gray).  Included in the xpix directory were two
subdirectories entitled "boys" and "girls"; I am sure you can imagine what
kinds of graphics they contained.

After the xpix directories had existed for about a week, the director of
Project Athena announced that complaints about the boys and girls directories
had been made by a dean; the dean had said that she had received complaints
from students.  The xpix directory was soon thereafter made totally
inaccessible to Athena users.  Approximately a week later, the xpix directory
was restored, but the boys and girls directories are no longer readable.

A few observations:

First of all, is what Athena did legitimate?  They claimed that since the xpix
directory was an independent filesystem and was not a part of any user's home
directory, Athena was "supporting" it by allowing it to exist.
Since Athena did not want to "support" pornography, they could not allow the
offensive [to some people] directories to remain world-readable.  Basically,
what they are saying is that if any user decides to take all of the offensive
pictures (if he can get access to them) and place them into his home directory
and make them world-readable, there is nothing Athena can do to stop him.

Second, the student who created xpix estimates that while the girls and boys
directories were taking up 4 or meg before they were segregated, the many
copies of the pictures which have been obtained by whatever means since the
directories were cut off are now taking up about 50 meg of system space.  Was
it really worth it for Athena to install the directory protections if there are
ways to get around them and the net result is less efficient use of system
resources?

What are the possible implications of Project Athena's decision?  Can the
administration of a supposedly user-privacy-secure system censor the material
that is made accessible on it?  Is the presence of a filesystem on a machine
evidence that the administration "supports" the contents of the filesystem?

Jonathan Kamens, MIT '91

------------------------------

Date: Fri, 12 Feb 88 13:00:22 EST
From: Dave Wortman
Subject: Emergency Calls misdirected by Cellular Telephone System

Several cases have been reported here recently in which calls from cellular
telephones to the 911 emergency number have been seriously misdirected due to
automated load shedding by the cellular nodes.  The problem arises when the
node nearest a caller is overloaded and a call automatically gets switched to
the next nearest node.  For example a person calling 911 in Oakville, Ont. was
redirected to St. Catharines, Ont. which is about 85 km away.  There have also
been trans-border problems: a cellular call to 911 in Bowmanville, Ont. was
picked up on the other side of Lake Ontario in Rochester, N.Y.
I haven't seen any documented cases of loss of life or property due to this
problem but the potential for such loss is clearly present.  Local telephone
officials are warning cellular telephone users to fully identify their location
when they make a call to the emergency number.

I conjecture that this is a symptom of a much larger problem.  The cellular
phone system is probably incapable in general of always correctly dealing with
"generic" telephone numbers (e.g. 411, 611, 555-1212, etc.) where part of the
effective telephone number is derived from the context of the caller.  Large
trans-border municipalities like Detroit Michigan/Windsor Ontario must be a
real zoo in this regard since the INWATS (800-XXX-XXXX) numbers have different
bindings in the U.S. and Canada.

Dave Wortman, Computer Systems Research Institute, University of Toronto

------------------------------

Date: Mon, 15 Feb 88 13:58:31 GMT
From: Robert Kennedy
Subject: Software Warranties

Nancy Leveson writes informing us of the ABA's Legal Technology Advisory
Council and their "ABA Mark of Approval" which they grant to software passing
their tests.  I am concerned that any organization which purports to do what
the LTAC does is really sticking its neck out.  How can they really be sure
they have uncovered all the "serious errors" in the software they are testing?
Of course the answer is that they can't.  Shouldn't they include a disclaimer
to this effect with their mark of approval?

I think it is a very good idea to have an organization like the LTAC doing this
sort of work.  Someone should certainly make it their business to evaluate
software and publicize the results.  But a user who naively believes approved
software to be "without serious errors" could really get burned.  I have seen
software certification people find some really obscure bugs, but never before
have I heard anyone claim to find them ALL.

Of course this problem is not unique to computer software.
I am sure that somewhere out there is a person who believed Underwriters' Labs
when they were wrong (I don't know of a specific instance of their being wrong;
perhaps they never have approved a product that was dangerous...).  But we are
much better at understanding the workings of electrical and mechanical machines
than we are at understanding the workings of computer software.  Furthermore,
UL, as far as I know, doesn't say whether or not the products perform as
advertised.  They only say whether they are safe or not.

Robert Kennedy

------------------------------

Date: Sun, 14 Feb 88 13:32 CST
From: Joel Kirsh
Subject: Mag-stripe cards

When my bank card "lost its stripes" (and was subsequently munched by the ATM)
I was informed that the blame lay in the fact that I was storing it in my
wallet adjacent to another mag-stripe card.  Perhaps a subtle form of
competition between financial institutions?

Joel Kirsh, kirsh@nuacc.BITNET

   [That is actually an attractive theory.  PGN]

------------------------------

Date: Fri, 12 Feb 1988 23:19 EST
From: LIN@XX.LCS.MIT.EDU
To: ronni@CCA.CCA.COM (Ronni Rosenberg)
Cc: risks@KL.SRI.COM, arms-d@XX.LCS.MIT.EDU
Subject: Interleaving of Early Warning Systems

    From: ronni at CCA.CCA.COM (Ronni Rosenberg)

    In RISKS 6.22, Ronald Wanttaja discusses a scenario in which "The Soviets
    blind most of the US Early Warning satellites..  The U.S. immediately goes
    to high DEFCON. ... The Soviets do *nothing*."  I believe that if the U.S.
    goes to a high DEFCON, the Soviets automatically go to a higher state of
    alert.

This statement is not supported by the historical data.  The US has placed its
strategic forces on DEFCON 3 three times, and DEFCON 2 once.  To my knowledge,
the USSR never changed the alert level of its nuclear forces.

On the other hand, the fact that it is not empirically supported does not mean
that it is not true.  It may mean that the US has never placed its forces at
sufficiently high DEFCON to do this.  DEFCON 1 has never been reached.
The real lesson is that the Sovs might react, and they might not.  You'll never
know until it happens.

------------------------------

Date: Fri, 12 Feb 88 13:38:02 MST
From: Chris McDonald STEWS-SD 678-2814
Subject: What is the responsibility of Administrators?
Cc: wancho@simtel20.arpa

The latest edition of RISKS from Keith Peterson on "FLU_SHOT" as a virus
defense raises a question which I have posed to Keith and the administrator of
the simtel20 on which "FLU_SHOT" resides as a public domain program: namely,
does an administrator of a public domain repository have any responsibility to
examine software for the possibility of a Trojan Horse before he or she posts
that package to their repository?  If there are technical or administrative
reasons as to why an administrator cannot examine packages before posting them,
I feel that users should be advised in advance and up-front that this is the
situation.  But I have the impression that my opinion is a minority one.

The Army C2MUG public domain repository at Fort Leavenworth, which had 14,000
subscribers as of last Friday, apparently has a policy to screen all software
submissions before release.  C2MUG is the Command and Control Microcomputer
Users' Group.  But other well-known repositories on DDN, for example, do not
and have no official policy on notifying users of that fact.  Is there any
written policy within the respective DDN, BITNET, CSNET, etc., communities
which does address this question?

Chris McDonald, White Sands Missile Range

------------------------------

Date:
From: Andrew Hastings
Subject: Data Physician -- Correction (Re: RISKS-6.25)

The phone number for Eric Hansen should have been 612-571-7400.
-Andrew Hastings  abh@cs.cmu.edu  412/268-8734

------------------------------

Date: Sun, 14 Feb 88 05:28:14 PST
From: hoptoad.UUCP!gnu@cgl.ucsf.edu (John Gilmore)
Subject: Reporter seeking virus information

[Relayed from the FidoNews 5-06 of 8 Feb 1988]

-- VIRUS QUERY --

Reporter writing an article for the NY Times on the threat of "virus," "mole,"
"worm" and/or trojan horse "attack code" programs seeks reports of real
experiences with these often destructive, sometimes playful, devices.  I'm
interested in any reports about incidents involving PCs, minis or micros.
Please forward replies to Vin McLellan at Fido 101/154, (voice) 617-426-2487,
or Snail: 125 Kingston St., Boston, Ma. 02111.

------------------------------

End of RISKS-FORUM Digest
************************
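[Editor's worked example, appended to this issue.  It illustrates Eliot's
"Viruses as copy protection" item above and is not code from that posting, from
MacMag, or from any product discussed in the digest.  The license format,
the HMAC binding, the VENDOR_KEY value and the machine identifiers are all
hypothetical and constructed for the demonstration.  The point it makes in
running code is Eliot's items (2) and (3): a check that binds a license to a
particular machine or to the exact bytes on a disk cannot tell a pirated copy
from a legitimate one that has been moved to a new machine or has suffered
bit rot, so the only defensible response to a failed check is to decline and
say so, never to retaliate or to "cheat".]

```python
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    """The checker deliberately has no 'STOLEN' verdict: it cannot justify one."""
    OK = "run normally"
    UNVERIFIABLE = "decline to run, tell the user why, change nothing on disk"


# Constructed example secret (hypothetical).  A shipping product could not keep
# this secret inside the binary anyway, which is a separate problem from the one
# shown here.
VENDOR_KEY = b"example-vendor-key-not-real"


def issue_license(owner: str, machine_id: str) -> bytes:
    """Build a license record 'owner|machine|hex(HMAC)' bound to one machine."""
    body = f"{owner}|{machine_id}".encode()
    tag = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def check_license(blob: bytes, machine_id: str) -> Verdict:
    """Verify a stored record against the machine the program is running on.

    Every failure path returns the same UNVERIFIABLE verdict on purpose: a
    forged record, a tampered record, a bit-rotted record and a perfectly
    legitimate record carried to a different machine all look identical here.
    """
    try:
        owner, bound_id, tag_hex = blob.split(b"|")
    except ValueError:                      # wrong number of fields
        return Verdict.UNVERIFIABLE
    body = owner + b"|" + bound_id
    expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag_hex, expected):
        return Verdict.UNVERIFIABLE         # MAC mismatch: forgery OR corruption
    if bound_id.decode(errors="replace") != machine_id:
        return Verdict.UNVERIFIABLE         # bound to another machine: piracy OR upgrade
    return Verdict.OK


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Simulate bit rot on an old disk: flip exactly one bit of the record."""
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def scenarios() -> dict:
    """Run the cases from the posting plus a genuine forgery, side by side."""
    good = issue_license("eliot", "mac512k-serial-0001")      # constructed ids
    rotted = flip_bit(good, 3, 0)                              # 'o' -> 'n' in the owner field
    forged = good.replace(b"eliot", b"pirat")                  # edited without the key
    return {
        "legitimate, same machine": check_license(good, "mac512k-serial-0001"),
        "legitimate, moved to SE": check_license(good, "macSE-serial-0042"),
        "legitimate, bit rot": check_license(rotted, "mac512k-serial-0001"),
        "forged record": check_license(forged, "mac512k-serial-0001"),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:28s} -> {verdict.name}: {verdict.value}")
```

The three failing cases come back with the same verdict because the checker
has the same evidence in each: a record it cannot validate.  Anything that
distinguishes them (a "punish the pirate" branch, or a game that keeps running
but cheats) is deciding on information the program does not have, which is
exactly the false-positive risk Eliot describes; refusing to run with a clear
message is the only action a failed check can justify.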