RISKS-LIST: RISKS-FORUM Digest  Monday 16 May 1988  Volume 6 : Issue 84

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Friday the 13th, Part N (PGN)
  'Jerusalem Virus' Bet Ends in a Draw; May 13th... (Amos Shapir)
  Re: Risks in timestamps ... (Ken Barr)
  Re: Lost homework due to the computer (David Sherman)
  Chicago Phone Fire (PGN, James M. Boyle quoting Christine Winter, Paul Czarnecki, Patrick A. Townson)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, ftp kl.sri.com, get stripe:risks-i.j ... . Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Mon 16 May 88 13:34:05-PDT
From: Peter G. Neumann
Subject: Friday the 13th, Part N

A few comments are in order on Friday the 13th, Part One and Only for 1988.

That this incident was a rumor rather than a real threat is not important. It did have some basis in truth -- even if only a faint glimmer. The rumor might have had its roots in an actual bug discovered in a test version of a test version of Sun 4.0 on the Sun 4/110. That bug had nothing in particular to do with a time-bomb, and was just a garden-variety bug. As the rumor spread, the bug was transmogrified into a virus on all 4.0 machines, and later into a virus in all releases back to 1.4. But throughout, it seems there never was any real threat of Friday the 13th Sun spot activity, and that there never was a time bomb. All in all, it is my impression that Sun behaved admirably throughout the incident, and took the entire incident with great seriousness.

There are some important lessons to be learned.

* In our electronic age it is possible for rumors to span the networld within an incredibly short time.

* The risks of such a rumor are enormous. Entire companies could be threatened by a well-placed and partially founded but credible rumor.

* Computer-network security problems (e.g., Trojan horses and viruses) are intrinsic. They are not going to go away, although better computer systems and networks will help a little.

* Simplistic solutions are vulnerable. They may be even more dangerous than NO solutions if they lull people into a false sense of security.

* Although it was probably very painful for Sun, this was in retrospect a valuable exercise, a little like a fire-drill but sufficiently indistinguishable from the real thing that people had to react as if it were real. How many times have you heard people saying that they were going to keep backups (perhaps even off-site) of everything, but had not yet gotten around to it because nothing had ever happened before... But don't get me wrong -- I'm not recommending this kind of fire-drill.

[By the way, recall that the ORIGINAL Friday the 13th ("Jerusalem") virus was NOT a rumor. See the next message.]

------------------------------

Date: 13 May 88 12:02:03 GMT
From: nsc!taux01!taux01.UUCP!amos@Sun.COM (Amos Shapir)
Subject: 'Jerusalem Virus' Bet Ends in a Draw [See RISKS-6.62]; May 13th...

A 10,000 shekel (about $6000) bet between Israeli virus hunters ended in a draw this week. The bet, started during a live TV interview, was between Yuval Rekhavi of the Hebrew U. of Jerusalem (discoverer of the first 'Jerusalem Virus'), and Ofer Akhituv of Iris Software Ltd. (which sells an inoculation program to that virus). Mr. Rekhavi claimed to have written a program that can alert against the presence of any virus on a PC (IBM or clone), while Mr. Akhituv had bet that such a program is impossible.

The bet was decided this week by two arbitrators, Dr. Israel Spiegler and Mr. Ran Giladi, of Tel-Aviv University.
While it was evident that none of the viruses provided by Iris Software could evade detection by Mr. Rekhavi's program, the arbitrators stated that the cycle of improvements in viruses and detection programs is infinite, so detection of all viruses, present and future, is impossible; therefore they concluded that the bet is a draw.

The original 'Jerusalem Virus' is due to set off today, May 13. I doubt it'll cause much damage, since it has a bug that causes each infected program to grow by about 1000 bytes each time it is run. Any disk that has not been sanitized by now, has probably run out of space.

Amos Shapir, National Semiconductor (Israel)
6 Maskit st. P.O.B. 3007, Herzlia 46104, Israel
Tel. +972 52 522261
amos%taux01@nsc.com
34 48 E / 32 10 N

------------------------------

Date: Fri, 13 May 88 10:05:33 pdt
From: calma!barr@ucbvax.Berkeley.EDU (Ken Barr)
Subject: Re: Risks in timestamps ...

In RISKS DIGEST 6.81, Subject: Risks in timestamps (postmarks)

>At in where I used to live, it was a
>regular practice to stay open until midnight, April 15 to allow the
>filing of last-minute tax forms. These forms would be taken by postal
>employees at drive-up booths. One year, a housemate happened to
>notice that his form, dropped off at ~8 PM was stamped "11:59PM". [...]
>--Alan Wexelblat UUCP: {harvard, gatech, pyramid, &c.}!sally!im4u!milano!wex

Here's an even better example of possible timestamp abuse, from "Linn's Stamp News", May 9, 1988, page 3 (Editor's Choice column, by guest ed Ken Lawrence)

"If you haven't filed your 1987 income tax return yet, it's not too late to get it postmarked before the April 15 deadline. That's because the Postal Service has granted very generous grace periods for servicing first-day covers of recent stamps. All three non-denominated E stamps were released without prior warning on March 22. Collectors have until May 21 to submit envelopes franked with these stamps to receive first day cancels. [...
Other stamps which may still receive pre-April 15 postmarks deleted ...] The last possible date for late-filing taxpayers to get a pre-April 15 postmark is June 11, the deadline for submitting FDC's of the 8.4c non-profit-rate stamped envelope, whose first day was April 11."

If anyone is interested in the details, please e-mail me directly for info. Basically, you have to buy the stamps/envelopes from your local Post Office and mail them to the First Day of Issue city or the USPS headquarters in Virginia. They will be *delighted* to back-date the cancellations to the FDOI date ...

Disclaimer: I don't know *what* the IRS can/would do about this pseudo-legal "timestamping" ... and I don't intend to find out ...

Ken Barr {ucbvax,sun}!calma!barr
Calma Company calma!barr@ucbvax.ARPA

Disclaimer: Calma lets me use their computers and their mailstops. Unless policy has changed, my opinions should not be considered as gospel.

------------------------------

Date: 15 May 88 02:03:35 EDT (Sun)
From: lsuc!dave@unix.SRI.COM (David Sherman)
Subject: Re: lost homework due to the computer

I had to use that excuse back in 1976-77, when I was an undergraduate taking language courses at U of Toronto. Being a UNIX hacker, I used to typeset my assignments on a Versatec plotter, using nroff (this was v6, before troff) and various fonts for French, German and Hebrew.

When the Sanford Fleming building caught fire in February 1977, I had two assignments due that day that I hadn't yet run off. The professors involved accepted my explanation, and in fact the CRF lab housing the PDP-11/45 wasn't damaged, so I was able to get the assignments out a few days later.

I'm sure others remember that fire. My textbooks smelled of smoke for months.

David Sherman

------------------------------

Date: Mon 16 May 88 13:27:30-PDT
From: Peter G. Neumann
Subject: Chicago Phone Mess Disrupts Businesses Across the Country [RISKS-6.82]

Chicago (L.A.
Times) All day last Friday, bankers trooped to an unmarked car in a secret location in the western suburbs of Chicago to transfer millions of dollars over a car phone. The car contained officials from the Federal Reserve Bank of Chicago, and the operation, carried out under the watchful eye of local police at the undisclosed suburban city, was just one of the resourceful ways people here are coping with a telephone disaster of unprecedented proportions.

... the impact on businesses has been devastating. And the scope of the problems raises questions about the emergency plans in place in other major business centers to handle similar disasters.

One business that had prepared for disaster was Bekins, the household moving company that is based in Glendale, Calif., but has its dispatch operations in Hillside, Ill. [They set up temporary dispatch headquarters in Glendale.]...

For the 80 to 100 banks located in the affected area, ... 300 automated teller machines were out of commission... [FS Chron, 16 May 1988.]

There are important implications of this case for the RISKS community. Thus we also include the following messages, despite some duplication...

------------------------------

Date: Wed, 11 May 88 13:20:38 CDT
From: boyle%antares@anl-mcs.arpa
Subject: More on Chicago Telephone Fire

The problem with telephone service in the Chicago area was much more serious than I was aware of at the time of my original posting. Non-local telephone service was cut off for customers in an approximately 500 square mile area from the Wisconsin border to Kankakee, and from Aurora to the Chicago city limits. Among these was the FAA Air Traffic Control Center in Aurora, which lost all its land lines to O'Hare and Midway airports [no redundancy there!], causing delays of an hour or more. Directory assistance was unavailable over most of the state. [James M.
Boyle]

[James sent in a lengthy article, "WHEN HUB IS HIT, EVERYONE IS HURT", by Christine Winter, Chicago Tribune, 11 May 1988, from which I have excerpted even more heavily than he did. PGN]

"The goal behind running lines from a large number of Illinois Bell central offices through one major superoffice, called a "hub," is to provide security and flexibility, especially in times of emergency.

[Well, perhaps they need to evaluate whether the goal is served by the means! JMB]

"But when an emergency occurs at the hub itself, the repercussions are more like tidal waves than ripples. On Sunday night, when a major fire struck Bell's hub in Hinsdale [Ill.], those tidal waves hit the western suburbs [of Chicago].

[...Explanation of the "hub" concept.]

"A diagram of the concept would look like a wagon wheel, with the hub office in the center. Of course, customers know nothing of all this--until the hub burns down.

[I'll say amen! to that. From my experience with computer networks, I had assumed that there were all sorts of alternate paths. JMB]

"'Normally, we feel really secure with the hub concept, because most of the problems occur out in the field when somebody digs up a fiber-optic cable,' said Neal Cox, director of engineering for Ameritech Mobile Communications. Ameritech Mobile used Hinsdale as its major `link to the world' for its cellular telephone network.

[... Explanation of fiber-optic cables.]

"`Under a centralized setup like this, when a fiber-optic cable is damaged, there is an enormous amount of flexibility, because so many cables come into the hub that they can just reroute all the traffic,' Cox said. "But who would have guessed the hub would burn down?"

[Ahh..., who indeed! I'm sure a terrorist would never think of such a thing. JMB]

[... Paragraphs about the fire damage to equipment.]

"The central processor suffered only minimal damage Sunday, and its software was largely undamaged, so its computer operations are largely unaffected.

[You've gotta watch that software! It goes quickly in a fire... JMB]

[... Paragraphs about a second switch in La Grange doing 98% of its operations through the Hinsdale office, and attempts to reconnect them by microwave.]

"`This is about the worst place a disaster like this could have happened, except for the downtown [Chicago] office.' Richards said.

"He said it would be `possible, but not practical' to have backup capabilities.

"`It would mean a duplication of all our cabling and all this equipment,' he said, pointing to the rows and rows of metal frames, many of the first floor singed and blackened, which hold the electronic circuitry.

[This reasoning seems specious. There would be some duplication, but not complete duplication. Wouldn't distributed function, stealing cycles in many switches, be much, much more reliable? Perhaps he means that the economics of high-bandwidth fiber-optic cables weigh against duplication. JMB]

"Illinois Bell spokeswoman Pat Montgomery said only that the costs of getting service restored, while substantial, would not be recovered through rate increases.

[Hmmm, that's a relief! But I wonder about the lawsuits... JMB]

------------------------------

Date: Fri, 13 May 88 10:52:45 EDT
From: ames!ll-xn!munsell!pz@spam.istc.sri.com (Paul Czarnecki)
Subject: Re: The Great Fire

> and a few began a process known as an emergency telephone tree,
> calling other employees and company management at home to notify
> them of the circumstances. Each employee thus notified was
> responsible for calling a few more employees.

Does anyone else find it surprising that a telephone company's emergency handling policy includes use of the telephone? It sounds like you are just asking for trouble.

pZ
Paul Czarnecki {{harvard,ll-xn}!adelie,{decvax,allegra}!encore}!munsell!pz

[Telephone systems work fine on batteries during power failures. That is a more commonplace "emergency".
PGN]

------------------------------

Date: Sat May 14 16:20:12 1988
From: portal!cup.portal.com!Patrick_A_Townson@Sun.COM
Subject: Questions We Aren't Supposed To Ask About Hinsdale

First, an update: On Friday, Jim Eibel, Vice President of Operations for Illinois Bell announced the company was abandoning efforts to save the water/fire damaged switch at Hinsdale. The old switch was a #1 ESS; the new one will be a #5 ESS. They estimate 14 days of round the clock work will be required to bring it up.

For about 21,000 of the 35,000 customers affected, limited service will resume on May 15, gradually phased in during the evening and overnight hours. Most network services for the Chicago area have been resumed in part, and will be largely restored by May 15. The network will remain somewhat crippled for another 2-3 weeks, pending complete installation of the new switch.

Several more emergency communication centers have been set up in the west suburban area, bringing the total to eight locations where the public can go to make calls. Complete rehabilitation is expected by mid-June.

The grim news though, is that Illinois Bell is avoiding discussion of the '40 to 60 minute delay' in calling the Fire Department, which probably caused the loss of the switch, and contributed to what is now openly being called 'the worst disaster in telephone history'.

We now have this timetable of events for Sunday, May 8 --

At 3:50 PM, a technician in a Bell central office in Springfield, IL got a fire alarm trip signal from Hinsdale. *HE CHOSE TO IGNORE THE ALARM TRIP*. Within a period of 10 minutes, several more alarms from Hinsdale tripped, including one for a loss of power.

Shortly after 4:00 PM, the technician called the weekend duty supervisor for the area to ask what was going on. The duty supervisor agreed to check it out, and drove to 120 North Lincoln Street in Hinsdale.

When asked why a technician in Springfield had to notify a supervisor for Hinsdale, Jim Eibel responded that *THE HINSDALE OFFICE IS TOTALLY UNATTENDED ON WEEKENDS*. This was in direct contradiction to earlier reports from Bell saying that personnel 'on duty' discovered the fire and tried to extinguish it. *There were no personnel on duty.*

The duty supervisor checked the building and found the fire. It is unclear at this point if the supervisor attempted to fight the fire or returned to a safe area of the building to call the Fire Department. In any event, the supervisor found all the phones dead. There was no way to call the Fire Department. Community residents we have talked to believe the phone circuits in town had *ALREADY CEASED TO OPERATE 10-15 MINUTES EARLIER*.

At this point, now about 4:15 PM, being unable to call the Fire Department on the phone, the supervisor leaned outside the front door of the building and asked a passer by to please call the Fire Department. Apparently the passer by did not call; but let us be generous and assume the person tried to call from the payphone down the block on Lincoln. Finding that phone dead also -- and why not? -- the person probably dismissed the matter, was bewildered and went on about their business. Let's be that generous, anyway.

After about ten minutes, nearing 4:30 PM, when no Fire Department had arrived, the supervisor flagged a motorist driving past, and urged that person to go for help. Apparently that person went to the police nearby and got help on the way. A little past 4:30 PM, the first firefighters were on the scene.

*Earlier reports, for which the media is probably to blame and not Illinois Bell, say the fire started 'about 5:30 PM'.

So a fire starts sometime in the afternoon, maybe 3:30-3:45. By 3:50 the fire has become sufficiently severe that heat/smoke sensors go off.
We don't really know the *exact minute* it started -- just that depending on the sensitivity of the alarms, either a minute or two or several minutes passed before a technician downstate got the message.

There were *NO SPRINKLERS OR OTHER AUTOMATIC FIRE FIGHTING DEVICES IN THE BUILDING*. According to Jim Eibel, they don't use sprinklers for the same reason they don't like firemen with water: the switch can be, and was damaged.

So a fire burns at some degree of intensity or another for around an hour before firemen even start working on it -- and this comes to light only when Illinois Bell is pressured by the [Chicago Sun Times] to explain how the matter could have gotten so far out of control.

Here are some questions for Jim Eibel and others in the hierarchy at Illinois Bell to answer. I doubt you will hear them discussed or the answers given on the Illinois Bell Communicator for obvious reasons --

1. Why did the technician in Springfield at first ignore the fire alarm? What does a fire alarm mean, if it does not mean a fire is going on?

2. When the person in Springfield finally was moved to call a supervisor in the area to see what it was all about, why were no emergency authorities notified at that time? Why didn't s/he call the Hinsdale Fire Department -- the phones may have still been working then! -- or the police, or *some authority in the community* and tell them, 'we [may] have a serious problem. Please send the fire department to 120 N. Lincoln. I have a supervisor on the way to meet them and let them in the building.' Why? Had the weekend duty supervisor and the fire department and their police escorts all landed on location somewhere around 4:00 PM, the damage would have been greatly minimized.

3. Why no personnel on duty on weekends? Not even a watchman or a single clerk? Here sits a multi-million dollar hunk of electronic equipment, very sophisticated in nature, and not one person to browse around from time to time in the course of the afternoon?
It didn't have to be a fire! It could have been vandals. It could have been a dissident employee. It could have been a broken water pipe. It seems incredible Bell would essentially abandon its property in this way, out of some false sense of economy.

4. Was the lack of personnel -- even one person -- part of the same school of thought called 'economics in running a central office' which says to put all your eggs in one basket? Why was Hinsdale doing all these jobs for the area? Anyone should have the foresight to see that now and then the bottom falls out of the basket and all the eggs get broken. Is it really 'too expensive' to distribute the traffic over a few more offices instead of stacking everything in one big center? I'm not suggesting a full complement of services/features in every office, but a little more judicious distribution in the future. And if nothing else, a watchman, technician, clerk *or someone* to be on the premises at all times day and night. Many's the time such a person would sit and do nothing. Last Sunday I dare say they'd have earned their salary many times over. Can you imagine the difference it would have made if someone on site around 3:30-3:45 PM or whenever it was all that hell came down had been able to grab some halon, a cellular phone, walk into the switch and start spraying? And on the phone, getting people into the office immediately? I guess that doesn't fit into the economics of running a switch!

5. Finally, why no fire protection system in place? Admittedly, automatic water sprinklers are *not* the thing to use overhead in a central office switch. But why not halon piped in? Halon *can* be disseminated through overhead plumbing the same as water. When the firefighters went in the building, they took halon because they knew what they were dealing with. They only gave up on using the halon when the fire got so far out of control that halon was no longer effective.
When that fire alarm tripped in Springfield, why didn't overhead halon jets start releasing their gas? It would have made short work of a fire at that point in time! And had there been halon extinguishers about the premises, a weekend duty *clerk* -- note please! on premises person! -- could have used them also. But what did Jim Eibel say? Well...it just didn't fit into that sacrosanct economy. Neither does the forced purchase of a new switch, Mr. Eibel.

6. Finally, a question for the duty supervisor last Sunday -- When you found the phones were all dead, why didn't YOU immediately go and get help? Why not jump in your car, drive 90 miles an hour if you could, flash your lights, honk your horn, scream and holler at the top of your lungs or otherwise find a policeman somewhere, and tell him 'we need help now, and we need it bad.' Admittedly you wanted to stay there and protect the system and do what you could on your own, but trained firefighters could have made very good use of the ten minutes or so you wasted trying to find someone to turn in the alarm.

I began this report thinking I would conclude it by calling for the resignation or firing of James Eibel and the two or three people directly reporting to him who could have prevented last Sunday's disaster by proper planning.

Now I am not so sure. Perhaps Mr. Eibel has a very good explanation for how one of the main switchers for northern Illinois could be left unattended; and a worker in Springfield could ignore a fire alarm; and an employee responding locally could have been not properly trained -- all at the same time. Maybe Mr. Eibel has very good answers, and hopefully it will not take a bit of arm twisting by the Illinois Commerce Commission and the newspapers to get his response.

But if Illinois Bell *even considers* the notion of recouping their loss on this fire through the rate base -- as opposed to the stock holders -- then my feeling is Eibel and employees reporting to him *HAVE GOT TO GO*.

It's not as though a check for twenty five million dollars could be written today and all would be well tomorrow. And twenty five million is a *very low estimate* of the cost of the fiasco. The new switch alone is estimated to cost about sixteen million dollars. Although Eibel refused to discuss the cost of the switch, purchased on an emergency basis from American Telephone and Telegraph, we've done some comparative shopping, if you will, with other vendors/suppliers making similar equipment. The best we could find was about sixteen million dollars -- for the switch alone. That does not of course include peripheral equipment, overtime salaries to workers, the cost of repairing the building or the month of lost revenue from the thousands of subscribers without service.

And what of hardship to residents and businesses? What of restitution to the community? Eibel pointed out that the affected subscribers would receive 'a credit on their bill for the time service was out....but it is not our corporate policy to go further...'

I have to agree with him there. There is no constitutional right to phone service. No one should become dependent on it. Still, the fact remains that eight telemarketing firms are closed for the duration; their employees told to stay home. Spiegel's Catalog is closed with many employees laid off. A major insurance claims processing center is without phone service. Numerous travel agencies are shut. Bank ATM systems are down. Restaurants and theatres cannot accept reservations. Credit approvals for purchases made with plastic are jeopardized.

No, we should not have ever come to the place we are *this dependent* on a pair of wires attached to a microphone and earpiece. But likewise, Bell must share some of the blame. The 'economy of running a central office' espoused by Mr. Eibel and associates caused a needless delay in resolving a serious problem.
That 40 minute delay probably cost them their switch and has caused considerable economic hardship to west suburban Chicago.

If Eibel and his associates have an answer, perhaps they will share it with us. Many, many dedicated people are working their hearts out to bring back the service from a disruption that might well have been avoided. Fires cannot be avoided. 40 minute delays *can be*.

I've been a supporter of Bell and most of its corporate policy for many, many years. Right now, I am disgusted to think of how slipshod some of its operations have become.

Patrick Townson

------------------------------

End of RISKS-FORUM Digest
************************