ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
There have been several messages to RISKS lately about the
CHRISTMA EXEC virus on IBM's network. This was an extension of the
same problem on BITNET and its European counterpart, EARN. Since I
raised the general alarm about it, I'd like to answer a few questions.
The virus used two standard CMS files, called NAMES and NETLOG, to
help it infect other users. The NAMES file contains a list of userids
and system names that you correspond with frequently, allowing you to
abbreviate them to a mnemonic nickname when sending mail, files, or
interactive messages. I composed this mail by sending to "RISKS",
which my NAMES file lists as user RISKS on system KL.SRI.COM. You can
also list phone numbers, paper addresses, etc. There is a commonly
available program that will print off a personal phonebook from your
NAMES file ("Traveling Sidekick" from the days BB - Before Borland).
The NETLOG file lists all users you've sent mail or files to, or
received them from. It's a very nice audit trail when you're trying
to remember where you got that copy of Space Wars.
After typing the Christmas Tree on your terminal, the virus
proceeded to read both the NAMES and NETLOG files to get a set of
target addresses. It then sent a copy of itself to each of them, and
finally deleted itself.
>From: davy@intrepid.ecn.purdue.edu (Dave Curry)
>Subject: IBM invaded by a Christmas virus {RISKS 5.72}
> ...
>This article seems to have a lot of things in it that the reporter didn't
>understand. I assume that the "terminals" in question are really PC's
>connected to the mainframes; for one thing.
The terminals mentioned are generally IBM 3270's, and PC's with
IRMA-type cards. The virus ran on the host system, not on the PC.
> Plus, I presume the "Don't
>browse it" refers to the VM/CMS "BROWSE" command used for looking through
>files, and not just to the regular English word.
Both, actually. The intent was obviously to stop the reader from
going further down into the file, where the real purpose of the
program was quite obvious. The language used (IBM's REXX) is usually
interpreted, so the program was sent in source form. Anyone who
bothered to read below the second screen-full (like all of us paranoid
Systems Programmers) began to see the trouble. It was slightly
cloudy, as all the variable names were in German, but seeing was fair
to good.
>Subject: IBM Xmas Prank {RISKS 5.79}
>From: Fred Baube
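As an added example (not code from any of the posts above), a small triage script that does mechanically what reading past the second screenful did by hand: it flags a received EXEC only when harvesting of NAMES/NETLOG addresses and a file send occur together. The CMS command names it keys on and both sample fragments are assumptions constructed for the example, not the 1987 program.

```python
"""Heuristic triage of a received CMS EXEC, added as an example for this
thread; it is not code from the original posts.  The program described
above told the reader not to browse it, read NAMES and NETLOG to collect
addresses, and sent a copy of itself to each address before erasing
itself.  triage_exec() automates the read-through the paranoid systems
programmers did by hand, flagging a file only when address harvesting and
file sending co-occur, so a phonebook printer that merely reads NAMES
passes.  EXECIO, SENDFILE and ERASE are CMS commands; that the 1987
program used exactly these is an assumption, and both samples below are
constructed fragments, not the original."""
import re

INDICATORS = {
    "discourages_reading": re.compile(r"don'?t\s+browse|browsing\s+this\s+file", re.I),
    "reads_names": re.compile(r"\bNAMES\b", re.I),
    "reads_netlog": re.compile(r"\bNETLOG\b", re.I),
    "sends_file": re.compile(r"\bSENDFILE\b", re.I),
    "erases_self": re.compile(r"\bERASE\b", re.I),
}

def triage_exec(source: str) -> dict:
    """Report which indicators the REXX source contains and a verdict."""
    code = re.sub(r"/\*.*?\*/", "", source, flags=re.S)  # ignore REXX comments
    hits = {name for name, pat in INDICATORS.items() if pat.search(code)}
    harvests = bool(hits & {"reads_names", "reads_netlog"})
    return {"indicators": sorted(hits), "suspicious": harvests and "sends_file" in hits}

# Constructed sample 1: the shape of the card program (undefined 'dest', no logic).
CARD_EXEC = """/* constructed sample, not the 1987 program */
say 'A VERY HAPPY CHRISTMAS TO YOU'
say 'browsing this file is no fun at all'
'EXECIO * DISKR' userid() 'NAMES  A (STEM NAME.'
'EXECIO * DISKR' userid() 'NETLOG A (STEM LOG.'
'SENDFILE CHRISTMA EXEC A TO' dest
'ERASE CHRISTMA EXEC A'
"""

# Constructed sample 2: a phonebook printer like the one mentioned above.
PHONEBOOK_EXEC = """/* constructed sample: print a phonebook from NAMES */
'EXECIO * DISKR' userid() 'NAMES A (STEM NAME.'
do i = 1 to name.0; say name.i; end
"""

if __name__ == "__main__":
    print(triage_exec(CARD_EXEC))       # suspicious: True
    print(triage_exec(PHONEBOOK_EXEC))  # suspicious: False
```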
Logic Bomb case thrown out of court
<"ZZASSGL"
Mon, 21 Dec 87 16:03:05 GMT
As I have not seen anything about this in RISKS yet ... The case brought
against James McMahon, who was accused of placing logic bombs within the
computer system used by Pandair Freight, has been thrown out of court because
of "unsatisfactory evidence". The judge has ruled that there was no case to
answer. This was reported in Computer Weekly dated December 17/24, 1987.
It will be interesting to learn in what way the evidence was unsatisfactory.
There used to be a problem in British law (and it may still exist) in that
evidence could only be given by humans. Information generated by a computer
without the explicit involvement of a human could not be used in court. I
may have got this legal point garbled as I don't speak legalese.
Geoff, UMRCC
Repository for Illicit Code
Steve Jong/NaC Pubs
21 Dec 87 16:23
If there is a legitimate need to study illicit code such as viruses and
embezzlement routines, and not just a forensic need to try and track down
the author, then there could indeed be a need for a repository. I suggest
the model of the Center for Disease Control in Atlanta, which has samples of
pathogens. However, note that there was (is?) a controversy surrounding
CDC's wish to keep samples of smallpox, which, it is believed, has otherwise
been eradicated from the face of the earth. Why leave one known source?
Personally, I'd just as soon not have the code samples around. I'd just be
tempted to play with them. (Disclaimer: I'm not a programmer.)
[Program viruses, Trojan horses, etc., will never be completely eradicated.
They tend to re-erupt spontaneously or be rediscovered. PGN]
Roger Boisjoly and Ethical Behavior
Mon, 21 Dec 87 13:20:18 EST
To add my $0.02 to the conversation on Roger Boisjoly, I agree with Ronni
Rosenberg, having seen a videotape of him telling his story. I seem to recall
that he made reference to the same period of silence (the last time anyone
called for objections to the launch) that Henry Spencer did. Boisjoly said
that he was much too astonished at the decision to go through with the
launch (despite his strong objections) to say anything at that point. He
did not fully recover his senses until after the teleconference ended. I
think that we can only expect the man to be human; we can't always act
heroically when we're in shock...
Stuart Freedman stuart@bkr.ceo.dg.com or rti!xyzzy!freedman@mcnc.org
Data General Corp. (Mail Stop E-219), Westboro, MA 01580 +1(617)870-9659
Pick an e-mail address -- any e-mail address...
Truncation and VM passwords
jcmorris@mitre.arpa
Mon, 21 Dec 87 10:24:46 EST
In RISKS 5:79 Alex Heatley reports that he can establish a password of more
than eight characters in the IBM VM system, but that on login the system
truncates the entered password to eight characters, then (correctly) reports
that it fails to match the one in the access control file.
I don't know what security system his system uses, but IBM's DIRMAINT product,
which is probably the most widely used directory maintenance facility used
in VM installations, refuses to accept an oversized password. I just tried
to enter one on our system, and was rebuffed with message DVHDIR017E.
Joe Morris (jcmorris@mitre.ARPA)
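The length-policy mismatch Alex Heatley reported and the DIRMAINT behaviour Joe Morris describes, modelled side by side as an added example (not code from either post). The user name, the hash function and the exact check are assumptions of the model; DVHDIR017E is the message quoted above.

```python
"""Password-length mismatch from the VM report above, added here as an
example (not code from the original posts).  The reported system accepted
a password longer than eight characters when it was set but truncated the
one typed at login, so the stored and entered values could never match.
MismatchedStore reproduces that; StrictStore does what DIRMAINT is said to
do and refuses the oversized password up front (DIRMAINT reports
DVHDIR017E; this model simply raises ValueError).  SHA-256 stands in for
whatever VM actually stored and is not a claim about the real system."""
import hashlib
import hmac

MAX_LEN = 8  # the eight-character limit quoted in the report

def _digest(pw: str) -> bytes:
    return hashlib.sha256(pw.encode()).digest()

class MismatchedStore:
    """Faulty: set_password keeps the full password, login truncates it."""
    def __init__(self):
        self.db = {}
    def set_password(self, user: str, pw: str) -> None:
        self.db[user] = _digest(pw)                 # no length check here
    def login(self, user: str, pw: str) -> bool:
        return hmac.compare_digest(self.db[user], _digest(pw[:MAX_LEN]))

class StrictStore(MismatchedStore):
    """DIRMAINT-like: the limit is enforced where the password is set."""
    def set_password(self, user: str, pw: str) -> None:
        if len(pw) > MAX_LEN:
            raise ValueError(f"password longer than {MAX_LEN} characters")
        super().set_password(user, pw)

def demonstrate(long_pw: str = "longpassword") -> dict:
    """Show the lockout: neither the full nor the truncated password logs in."""
    faulty, strict = MismatchedStore(), StrictStore()
    faulty.set_password("alex", long_pw)            # 'alex' is a constructed user
    try:
        strict.set_password("alex", long_pw)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "faulty_full_login": faulty.login("alex", long_pw),                 # False
        "faulty_truncated_login": faulty.login("alex", long_pw[:MAX_LEN]),  # False
        "strict_rejected_at_set": rejected,                                 # True
    }
```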
competing ATM networks
Chris Koenigsberg
Sun, 20 Dec 87 22:22:24 -0500 (EST)
The two competing local ATM cards in Pennsylvania are Cashstream and MAC. All
the Pittsburgh banks with ATM cards are signed up for one or the other local
networks. Cashstream is run mainly by Mellon Bank, MAC mainly by Pgh. National
Bank. Both Cashstream and MAC extend into neighboring states. Meanwhile
Cashstream is hooked up with the national ATM network called CIRRUS, while MAC
is part of the national PLUS system.
I've used my Cashstream card in CIRRUS machines in other faraway states, and
I've used my MAC card in PLUS machines across the country. But I always
assumed that these two kinds of cards were big competitors at each level:
bank vs. bank, local net vs. local net, and national vs. national, and that
the two sides wouldn't cross.
But in New York, there are ATM machines which accept both MAC and Cirrus
cards. I was surprised, since in Pennsylvania, MAC cards work in PLUS machines
but not in Cirrus machines, as MAC's local competitor Cashstream is connected
with Cirrus.