RISKS-LIST: RISKS-FORUM Digest Tuesday, 1 December 1987 Volume 5 : Issue 68 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Logic Bomb (Brian Randell, ZZASSGL) Re: hyphens & Mariner I (Jerome H. Saltzer) Re: Mariner, and dropped code (Ronald J Wanttaja) Minuteman and Falling Trucks (Joe Dellinger) Re: Fiber optic tap (Mike Muuss) Re: Garage door openers (Henry Spencer) Dutch Database Privacy Laws (Robert Stanley) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j. Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97). ---------------------------------------------------------------------- From: Brian Randell <br%kelpie.newcastle.ac.uk@NSS.Cs.Ucl.AC.UK> Date: Fri, 27 Nov 87 10:57:34 GMT To: RISKS@csl.sri.com Subject: Logic Bomb Here, in response to Gligor Taskovich's request in RISKS DIGEST 5.65, is an article on the trial here in the UK relating to a "logic bomb". It comes from Computer Weekly, November 26, p. 3, and is quoted here in full. (br) MAN CHARGED WITH PLANTING TIME BOMB Criminal damage charges have been brought against a computing specialist who allegedly doctored a customer's software so it would give his firm a contract to put things right. James McMahon, 32, from Watford denies four charges of criminal damage and one attempt at criminal damage to discs and systems belonging to Pandair Freight, obtaining over (pounds)1,000 from Pandair by deception for his company, Wendmist, and attempting to obtain (pounds)372. In January 1986 Pandair's system in Heston, Middlesex, running on a DEC computer, broke down. Prosecutor David Radcliffe told the court that the problem was caused by a time bomb, inserted earlier. The 1985 version would still work but after McMahon spent time on it things got worse, Radcliffe said. McMahon arranged to work on the faults on returning from holiday. While he was away a Pandair programmer did some tests and found a section of unauthorised code. "He found the time bomb and defused it," Radcliffe said. The programmer then looked at a similar system at Pandair's Birmingham office. Here he found a time bomb which would have erased the computer's memory. Radcliffe suggested McMahon had acted out of revenge, because he had just failed to win a (pounds)50,000 contract to update Pandair's system at Maidenhead. Pandair says the system problems cost it (pounds)15,000. This is believed to be only the second case of alleged criminal damage of its kind. The first, last year, followed a farewell prank by a Dixons employee who tried to get the company's mainframe to display "goodbye folks" whenever his leaving date was entered in staff records. he was conditionally charged and orderd to pay Dixons (pounds)1,000. John Kavanagh ------------------------------ Date: Mon, 30 Nov 87 12:35:49 GMT From: "ZZASSGL" <ZZASSGL@CMS.UMRCC.AC.UK> To: risks@csl.sri.com Subject: UK Logic Bomb Case [This contribution included TWO news reports, including excerpts from the article noted above. It also commented thereupon. PGN] Both reports are somewhat confusing about the actual details, but the basic facts seem simple. McMahon did some work on the system, was expecting to get a contract for more, but didn't. Shortly after the system had problems and when Pandair programmer investigated he found the ''bombs''. As the case is still proceeding it is not possible to connect these two facts. I remember reading an earlier report (I can't find it now) about the problems that were expected because the jury would have to understand the background and jargon before being able to decide the case. They were all provided with a glossary for the technical terms to be used and also given a one day introduction to computers and DEC systems. ------------------------------ Date: Sun, 29 Nov 87 01:30:11 EST To: RISKS FORUM (Peter G. Neumann -- Coordinator) <RISKS@KL.SRI.COM> Subject: Re: hyphens & Mariner I From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU> As long as people are still searching for the real story, here is another possible clue, based on yet another third-hand rumor: Back in 1962, when Mariner I failed, the story that quickly circulated around M.I.T. was that a minus sign had been miscoded as a hyphen. You see, the keypunches in those days had two different keys with similar-looking graphics, one interpreted as a minus sign, the other as a hyphen. The first Fortran compiler accepted only the minus sign for the subtraction operator. At one point in the evolution of that compiler a (fatal!) diagnostic was added to alert you that you had used the "wrong minus sign," leading to snide comments along the line of "if you're so smart, why don't you fix it?" and a standard test of skill was to figure out how to patch the Fortran compiler to accept a hyphen as an alternate minus sign. When a hyphen appeared in data, the result depended on the software that was trying to interpret it; some programs accepted it as an alternate minus sign, other programs ignored hyphens (effectively reversing the intended sign), and still other programs blew out with a bad data diagnostic. Given that kind of confusion every day in the keypunch room, when the rumor about Mariner I came through it sounded very plausible. Whether or not Mariner I was a victim of hyphen/minus-sign confusion, the keypunches of the late 50's carry a cautionary tale for RISKS readers. Jerry Saltzer [Hyphen the Terrible? PGN] ------------------------------ Date: Fri, 27 Nov 87 00:25:40 pst From: ucbcad!ames.UUCP!uw-beaver!ssc-vax!wanttaja@ucbvax.Berkeley.EDU (Ronald J Wanttaja) To: uw-beaver!KL.SRI.COM!RISKS Subject: Re: Mariner, and dropped code I was in a NORAD satellite operations unit for four years, and "I was there" during several times when erroneous attack warnings were generated. One sticks in my mind... it wasn't caused by a missing hyphen, or replacing a period with a comma, but by an INCORRECT VALUE OF *PI*! I dearly wish I had bothered to find out what the value had been, but, considering the circumstances of the error, it probably was in one of the later decimal places. The system worked as advertised and the attack warning was quickly cancelled. [This and Jerry Saltzer's contributions are just two of many that have been backlogged. More is coming... PGN] ------------------------------ Date: Mon, 30 Nov 87 02:46:45 pst From: Joe Dellinger <joe@hanauma.STANFORD.EDU> To: risks@csl.sri.com Subject: Minuteman and Falling Trucks I was curious to find out how often incidents such as the "truck parked on the missile silo door" one mentioned here really occur, and how stupid this response really was. As it happens, my brother was until a few years ago the commander in charge of missiles at a Missouri base. While the answers to some of my questions were classified, here's what he said (as I understood it): False "launch in progress" status warnings aren't that rare. He saw about one per year at his base. There is a definite set of procedures to perform when this happens. Parking a truck on top of the silo door such that it will fall in on top of the missile if the door opens is one of them. The people that did this were doing the officially approved thing! The truck is to be parked such that one set of wheels is on terra firma and the other set is on the silo door. The truck is to be left in neutral with the parking brake off. The door itself is designed to open despite any debris on it, and there is a lip of sorts on the door to keep the debris from falling off the door and onto the missile. However, this lip can't handle more than a few inches worth of debris. The truck, properly parked, has no way of riding the door and will fall something like several hundred feet onto the missile. The damage thus inflicted should serve to "keep the missile in the hole". Worst possible outcome (unlikely to happen) is that the missile detonates its nuclear warhead in the hole, resulting in a quarter-mile wide crater and some local contamination. The silo door can be opened and closed with a hand crank, but even if you know all the required access codes (which no one person does) you don't have time to get to the crank before the security people have time to get to you. I've seen a field where missiles are kept. Looked just like any other farmer's field in the area to me, except that the "keep out" signs were especially intimidating and there were no cows in it. I was amazed to discover that the missile field was right next to a state highway! - joe@hanauma.stanford.edu ------------------------------ Date: Tue, 1 Dec 87 16:20:52 EST From: Mike Muuss <mike@BRL.ARPA> To: risks@csl.sri.com Cc: ABC@BRL.ARPA, Towson@BRL.ARPA, Randy@BRL.ARPA, ACST@BRL.ARPA Subject: Re: Fiber optic tap Your message is neither surprising, nor is it "news". The device used by AT&T to splice cables "in the field" has used this principle for years. The device is suitcase-sized, rugged, portable, and inexpensive (< $100k). It injects a signal on one side of the splice, monitors the signal on the other side of the splice, and mechanically optimizes for the maximum transmission through the splice, then heat-welds the two fibers. The signal injection and recovery is non-intrusive and non- damaging, and very very easy. Dr. Steve Wolff (now of NSF, formerly of BRL) jointly holds a patent for a spatial light modulation technique that renders this type of tapping useless. However, to my knowledge, there are no production modulators that embody this technique. In summary, only physical security and encryption provide acceptable security for important transmissions. -Mike Muuss, Advanced Computer Systems Team, BRL ------------------------------ Date: Fri, 27 Nov 87 12:33:09 EST From: mnetor!utzoo!henry@uunet.UU.NET To: RISKS@kl.sri.com Subject: Re: Garage Door Openers > An Army spokesperson denies that the Army is radiating anything that > would lock up these receivers. What they may actually have said, or meant to say, is that they are not radiating anything that *should* lock up those receivers. Much consumer electronic equipment is cheaply (in both senses of the word) designed and is very vulnerable to interference from signals that theoretically it should ignore. Things like ham-radio transmissions interfering with TV reception are often the fault of the TV set, not the perfectly-legal-and-proper radio transmitter. The problem actually is not restricted to consumer equipment; things like police radars are often rather unselective as well. Henry Spencer @ U of Toronto Zoology {allegra,ihnp4,decvax,pyramid}!utzoo!henry ------------------------------ To: "utcsri!ai.toronto.edu!watmath!comp-risks" From: Robert Stanley <roberts%cognos%math.waterloo.edu@RELAY.CS.NET> Subject: Dutch Database Privacy Laws Date: 27 Nov 87 19:50:18 GMT The following is an extract from a recent posting to comp.society.futures. This is a very advanced approach to the problem, and it would be extremely interesting to have more detail on the law in question. The issue of implementation is not totally resolved, however. I assume that the law requires each GOAL to be registered, and that some agency is empowered to audit and/or investigate (the latter only in the event of reasonable suspicion of misuse). But how do we prevent the meta-database of database GOALS from being misused - quis custodiet ipsos custodes remains true as the day it was written. | From: FRUIN@HLERUL5.BITNET.UUCP | Newsgroups: comp.society.futures | Subject: Filtering A Global Hypermedia Network | Organization: The ARPA Internet | Posted: Fri Nov 20 08:18:00 1987 | | In Holland a new law will soon take effect regarding databases that store | information about people. It's basic premise is that a database should have | a GOAL, i.e. to send you your electricity bill or to keep track of your car's | registration number. It is FORBIDDEN two match or combine any two databases | that don't have the same goal. You can take anybody to court who does so | anyway. This should make it very hard for corporations and government agencies | to access any information about you. | | -- Thomas Fruin | | fruin@hlerul5.BITNET | thomas@uvabick.UUCP | 2:500/15 on FidoNet | | Leiden University, Netherlands On a slightly different subject, I am becoming increasingly aware of a new computer-related problem which may yet develop into a full-blown risk. In our working environment we are pretty well established as workstation-per-user, and the technology of networking means that it is sometimes easier to relocate people rather than reconfigure electronic offices. We have a fair number of tools for which we have site licenses limiting us to x copies (x <= 5 for our group of 18 is typical). What we want is ability to run no more than 5 simultaneous copies at any of 18 workstations, what we have is software enabled on 5 specific workstations. Not only is this damnably awkward at times, but it can introduce a number of problems. First of all, there is the classic problem of protected software. We use Sun/3 workstations, and the first engineering response to problems is swap out the processor board (our workstations are single-board). At this point we are in the identical position of the person who has irretrievably damaged their key-disk for a copy-protected micro product, because the workstation's serial number has changed. We have a company policy that pretty much says that no critical data will be dependent on a program for which we cannot generate replacement/alternate versions in case of emergency. The second problem is when installation of software changes the workstation in subtle but important ways. When people shift workstations in order to access one of these restricted applications, the displaced owner can find him/herself misusing the (temporary) alternate environment. Once you have worked for a while on a configurable workstation, you rapidly forget how much of its behaviour is default, and how much is your customizing. Until, that is, you find yourself in an environment which appears almost the same, but behaves drastically differently in some key and unobvious fashion. Of course, there are ways round this, but the problem is a direct result of lazy or sloppy thinking on the part of the application vendor. The vendor solution is to have a copy of their software on every workstation, but that is a totally unacceptable solution from the cost standpoint unless some massive price breaks are introduced. Interestingly, as standards such as X come into common implementation, we may end up remote-logging-in to a software server to which such tools are licensed, with X supplying the full interactive graphic windowing capability at the remote workstation. Back to the days of time-sharing a central computer! R.A. Stanley Cognos Incorporated S-mail: P.O. Box 9707 Voice: (613) 738-1440 (Research: there are 2!) 3755 Riverside Drive FAX: (613) 738-0002 Compuserve: 76174,3024 Ottawa, Ontario uucp: decvax!utzoo!dciem!nrcaer!cognos!roberts CANADA K1G 3Z4 ------------------------------ End of RISKS-FORUM Digest ************************