RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (12/07/88)
RISKS-LIST: RISKS-FORUM Digest Tuesday 6 December 1988 Volume 7 : Issue 88
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Summary of Software Uniformity Legislation issue (Conleth OConnell)
Exploiting workers (Dale Worley)
Re: Automated teller theft (Dr Robert Frederking)
Speeding detectors (Dave Horsfall)
Report of hardware "virus" on chips (Gary Chapman)
Re: Corps of Software Engineers? (Richard Rosenthal)
Vendor Liability, and "Plain Vanilla" configurations (Bob Estell)
Talk by Tom Blake on Computer Fraud (Mark Mandel)
Defining "hackers and crackers" (Gordon Meyer)
RISKS OF GREATER GARBLE (somewhere in netland)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
get stripe:<risks>risks-i.j ... (OR TRY cd stripe:<risks> / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).
----------------------------------------------------------------------
Date: Mon, 5 Dec 88 22:58:25 EST
From: Conleth OConnell <cso@cis.ohio-state.edu>
Subject: Summary of Software Uniformity Legislation issue
I want to thank all of you who have expressed opinions on the Software
Uniformity issue. I also want to forward the thanks of the organization,
described below, for your opinions/concerns. After describing the
organization, I give a brief summary of the opinions that were sent. To the
best of my knowledge, the organization is meeting towards the end of January,
so should you still want to send an opinion to me, I am setting a deadline of
January 15, 1989, to insure forwarding. Once again THANKS!!
The organization that was requesting the information is "The National
Conference of Commissioners on Uniform State Laws." The best known act that
came out of this organization is the Uniform Commercial Code. It is made up of
practicing lawyers, college law professors and deans, as well as some judges.
The members donate their time to this organization although some states pay
actual expenses, no member receives a salary for working on the organization.
The organization has NO association with the Federal Government or with
Congress. For those of you so inclined, the representatives from each state
can be sought out via the State Bar or Secretary of State.
PROS
- Something needs to be done along the lines of truth in advertising of
a particular product. For example, the packaging of some products with "lavish
painted covers of the boxes". When in fact, the product has nothing to do with
the artwork. This is not acceptable in other industries like videotapes, toys
or plastic models.
- The industry has been lax with self-regulation, so something needs to
be done.
- Some minimum standards are needed, but who monitors them, what are
the reporting/registration requirements, what would be the penalties, but
"Don't feed the lawyers."
CONS
- Most of the opinions were dubious of federal legislation even the
opinions in the above section.
- A major concern is for the smaller companies/individuals.
- A bad product tends to get negative publicity anyway, thus there
seems to be some quality control by the community, but the
inexperienced/isolated user can get burned.
- Concern about price increase blamed on the regulation, which, in the
end, hits the consumer and the small companies.
- "Control will only close off creativity."
- The Uniform Commercial Code has been used in the past.
- The feeling that the industry is "moving towards warranties,
guarantees, and efforts for solid support" without legislation.
- Legislation may be obsolete by the new technologies.
- Similar feelings towards the "stifling" of public domain and
free/shareware packages.
Thanks again and Happy Holidays!!
Conleth S. O'Connell, Department of Computer and Information Science,
The Ohio State University, 2036 Neil Ave., Columbus, OH USA 43210-1277
------------------------------
Date: Mon, 5 Dec 88 10:52:08 EST
From: worley@compass.UUCP (Dale Worley)
Subject: Exploiting workers
From: Larry Hunter <hunter-larry@YALE.ARPA>
>From "Optical Information Systems Update," Dec 1, 1988, p.8.
Digiport, a new telecommunications facility in Jamaica, will open up
a new era for data entry operations.
And, of course, with a significant loss to data entry personnel in high cost
(like $6.00/hr) labor areas. Not to mention the savings (losses) in reduced
requirements for worker benefits and safety standards.
Is this really a loss to the workers? The workers in the high-cost
areas must be able to get $6/hr somewhere else (or else the data entry
operations wouldn't have to pay so much). The workers in Jamaica
clearly *aren't* able to get $6/hr somewhere else. It seems to me
that the net change is to slightly reduce labor demand in high-wage
areas (thus slightly reducing wages there) and to slightly increase
labor demand in a low-wage area (thus slightly increasing wages
there). It seems to me that this is not only "economically efficient"
but also redistributes wealth from the rich to the poor. (Of course,
an American data-entry worker isn't "rich" from our point of view, but
*is* from the vantage point of the average Jamaican.)
If everybody in the world were able to bid on every job that they were
capable of, wage inequities (from country to country) would be much
smaller. This is what has happened in the automobile industry (modulo
import restrictions), raising such formerly Third-World countries as
South Korea into the ranks of industrialized nations.
Dale Worley, Compass, Inc. mit-eddie!think!compass!worley
Seen in a net discussion: "It took work to make tofu politically correct."
------------------------------
Date: Tue, 6 Dec 88 14:15:19 -0100
From: ref@ztivax.siemens.com (Dr Robert Frederking)
Subject: Re: Automated teller theft (Risks 7.85)
Organization: Siemens AG in Munich, W-Germany
I wouldn't be too sure that there really was a "passkey" card; that may have
been a story cooked up to explain the loss to the public without revealing how
vulnerable the system actually is. I don't know what technology is currently
being used, but about 10 years ago a friend and I were looking at some used
computer equipment we were thinking of buying, in someone's garage. After we
had chatted for a bit, and he apparently decided we were trustworthy, he told
us that these computers were part of a banking machine system that he had
bought, lock, stock, and barrel, and asked us if we would like to see the parts
he wouldn't sell, for risk of being a party to a crime.
Among other things, there was a bank card reader that would display the account
and *PIN number* of a bank card you ran through it. It could also *write*
these cards. There was a set of sixteen thumbwheels inside the machine to set
parameters to the encoding algorithm, which no one at the bank thought to
shuffle, and so were still set to the bank's choice! He pointed out that once a
set of positions was chosen, a bank would never change them again, as this
would require recalling all the cards in circulation for recoding. It isn't
clear to me that this could have been used in this case (unless the PIN number
is algorithmically related to the account number, or the thieves had access to
a list of PIN numbers), but this fellow could have caused a fair amount of
trouble if he had been dishonest.
As for the daily limit, a friend of mine figured out once that you could easily
exceed the daily limit. First ask for a balance. If the machine says it can't
give you a balance at the moment, it means the line to the central database is
down. You then withdraw the maximum daily amount. You do this on as many
different machines as you can find. If the net is down, this is the total
number of machines you can physically get to before the net comes back up.
"Robert Frederking" <unido!ztivax!ref@uunet.UU.NET>
------------------------------
Date: Tue, 6 Dec 88 10:47:05 est
From: Dave Horsfall <dave@stcns3.stc.oz.au>
Subject: Speeding detectors
Just heard on the radio about how an Aussie inventor has come up with
a box to detect speeders. Apparently, it ignores a short burst of
speeding (e.g. overtaking) but logs it if it was sustained. When
vehicle registration time comes around, the owner gets hit with a fine.
I missed the actual implementation details, such as how it knows what
the current speed limit is (but bar code scanners were mentioned).
The RISKS are obvious - you enter a 110 km/h zone, but the sensor doesn't
see the new limit, and still thinks you are on 80 km/h etc.
In all, this appears to be yet another revenue-collecting device, shrouded
in the guise of safety. We can well do without them.
Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz
dave%stcns3.stc.oz.AU@uunet.UU.NET, ...munnari!stcns3.stc.oz.AU!dave
[By the way, Dave accidentally reposted RISKS-7.65 to some of you,
and wishes to extend his apologies. PGN]
------------------------------
Date: Mon, 5 Dec 88 15:59:16 PST
From: chapman@csli.Stanford.EDU (Gary Chapman)
Subject: Report of hardware "virus" on chips
Advanced Military Computing, a defense industry newsletter, has reported that
researchers at Nova University in Fort Lauderdale, Florida, have found a flaw
in the Intel 8272A and NEC 765 floppy disk controllers that will allow in-
correct data to be written to disks without alerting the user with an error
message. The newsletter reports this flaw is a "virus," but there is very
little technical information on the nature of the chip problem. The chips
have been manufactured since 1978 and are estimated to be in millions of
computers. Both NEC and Intel deny there is a problem, but an Intel memo
dated May 2, 1988 admits an error in the Intel chip.
"The error condition has to happen in the last byte of the 512 bytes of a
sector being transferred," said Nova University professor of computer science
Phil Adams. The Intel memo, or letter, says that under this condition,
"incorrect data is written to the disk and validated by the 8272A." The error
condition is most likely to happen in networks and uploads to mainframes.
A report on the chip problem is available from Dean Edward Simco, of the Nova
Computer Science Center, Nova University, Fort Lauderdale, FL 33314. The
report is $5 and comes with a diskette containing a "risk assessment program,"
which allegedly reports on the "virus" in the subject machine.
[I assume no responsibility for the accuracy of this report, and this infor-
mation is passed on without permission from Advanced Military Computing, and
after no investigation of this other than reading the article in the news-
letter.--GC]
-- Gary Chapman chapman@csli.stanford.edu
Executive Director, Computer Professionals for Social Responsibility
------------------------------
Date: Tue, 6 Dec 88 12:36:54 EST
From: Richard Rosenthal <richr@ai.etl.army.mil>
Subject: Re: Corps of Software Engineers?
> "Flexibility is software's strong suit, allowing the military
> to make changes in how a weapon system functions, even after
> it is fielded...
Replacement chips are available for the microprocessors in cars allowing
one to change the performance characteristics of the engine. Imagine
the following conversation:
Hey, Captain! Do you want one of these PROM's I burned last night?
I changed the parameters for the F-16 thrust settings. Now I'll
be able to do Mach 1.5 straight off the deck!
------------------------------
Date: 5 Dec 88 12:51:00 PDT
From: "FIDLER::ESTELL" <estell%fidler.decnet@nwc.arpa>
Subject: Vendor Liability, and "Plain Vanilla" configurations
GM *could* ship cars with "holes in the frame" for seatbelts, and then
*highly recommend* that one order the seatbelts. They don't. The belts
come, standard equipment, flat price; ditto the dashboard warning light and
buzzer. Now, one *can* disconnect that annoying buzzer, or short out the
connection under the seat to fool the buzzer. The cars are NOT tamper
proof; but they are shipped with driver safety in mind.
By analogy, DEC could ship VMS with all the passwords "expiring" most
ESPECIALLY those on "privileged" accounts [e.g., System, Operator], and then go
into a "closed loop" that could be exited only after the "user" [system, or
operator, in this case] selected and installed a *computer generated* password.
ONLY then could the installation be completed; only then could the privileged
accounts of "system managers" execute routines to allow users to generate their
own passwords, default files to "public access" etc. etc. etc. ad insecurity.
I'm not picking on DEC; I happen to use -- and like -- VMS. I use that example
because I can make it credibly. As most of you know, VMS is one of the few
systems that has earned its "C2."
Bob
------------------------------
Date: Mon, 5 Dec 88 11:06 EST
From: Mark Mandel <Mandel@BCO-MULTICS.HBI.HONEYWELL.COM>
Subject: Talk on Computer Fraud
Topic: "Computer Fraud: Motivation, Method and Opportunity"
Speaker: Tom Blake, Arthur Young, Boston,
Date: Wed 14 Dec 5:30 pm Anthony's Pier 4 Boston
Host: Mayflower Chapter, ASM (Association for Systems Management)
Register: Beth Furey (617) 367-3161 Admission/registration charge: $25.00
------------------------------
Date: Mon, 05 Dec 88 21:24 CST
From: Gordon Meyer <TK0GRM1@NIU.BITNET>
Subject: defining "hackers and crackers"
I would argue that creating a new term to refer to the more... "illicit"
users of computer system would do little to help solve the confusion. In my
experience the "less malicious" use of the word HACKER is found almost
entirely in professional computing circles. The media and general public
know the term to mean "illegal, unauthorized and malicious computer use". (I
just made that definition up...the quotes are used for emphasis not to
indicate another source.)
If the computer science community continues to hold on to the term "hacker"
they will only create more confusion and ambiguity in the future. While I
realize that the term may be nostalgic for some of you, english is not a
static language and continuing to use an "outdated" definition of the term
serves little purpose.
PS: Just to add a little more confusion to the issue, the term "cracker" is
sometimes used to refer to those software pirates with the programming
ability to remove copy protection. If folks insist on creating a new name
for the "illicit" users out there..."crackers" is probably not the best
choice. <grin>
Gordon R. Meyer, Dept of Sociology, Northern Illinois University.
GEnie: GRMEYER CIS: 72307,1502 Phone: (815) 753-0365
------------------------------
Date: 6 Dec 88 06:02:08 GMT
From: [somewhere in netland]
Path: mirror!bu-cs!bloom-beacon!tut.cis.ohio-state.edu!cwjcc!mailrus!ncar!
ames!pasteur!ucbvax!KL.SRI.COM!RISKS
Subject: RISKS DIGEST 7.87 [RISKS OF GREATER GARBLE]
I EXCERPTED A FEW GARBLED LINES FROM A RETURNED COPY OF RISKS-7.87.
[SIC] GLORIOUS TRANSIT MONDAY's ISSUE.
RIQKS-LIST: RISKS-FORUM Digest Molday 5 December 1988 Volume 7 8 Issue 87
FORUM ON RISJS TO THE PUBLIC IN COMPUTERS AN@ RELATED SYSTEMS
ACM Committee on Computers and Public Poli`y, Peter G. Neumann, moderator
DEC @net and "denial of service" att`cks (Willie Smith)
(P`ul E. McKenney, Kendall Collett, PGN)
(Fpank Maginnis, PGN, FM, Darrell @ong, Alex Colvin)
Computer Riqks Revisited (John Markoff)
taste, objective, aoherent, concise, and nonrepetitious. Diversity is welcome.
COLTRIBUTIONS to RISKS@CSL.SRI.COM( with relevant, substantive "Su`ject:" line
From: Jerry Harp`r <jharper@euroies.UUCP>
This is exaerpted from THE IRISH TIMES of pwo weeks back:
The Department mf Health was accused yesterday of committing some [$67m] of
State funds to the purchase of an iladequate computer system for the health
service. Eleven millimn pounds will already have been spent on the project
Flanagan, told the Dail [our parliament] Committee of Public A`counts.
...[the decision taken in 1982 to computerise governmenp services... deleted]
...Auditor General,Mr Patrick McDonnell, expressed his disquiet at tha
lack of planning since that date, and at the fact that no cost`ng was done
until May 1985, by thich time [$67m] was committed.$.
...Lr Flanagan said [$670,000] had `een spent on management consult`ncy. In
his opinion, this was talue for money, despite the fact that some of the
hardware provdd to be inadequate with high maantenance costs, and certain itels
had to be sold off at half-prhce to health boards. In particqlar, the
committee heard that threee of the mini-computers whic` had cost approximately
subsequently supplied to t`e Eastern Health Board at [$41,000] each.
...[deleted piece about the report being referred po the Minister]"
"loojed after" by the closely related McAuto. An enormous amount of pressure
system. Thd pressure came from the company through the usual sales hype an`
several politicians attempting to bend individuals ears. A selior consultant I
one stage that maintenan`e people were practically livind in the hospital. I
don't attrhbute culpability for the deficiencies of the system to any of t`e
Not exactly a risk of computerp, but definitely a risk to softrare engineers:
during the early days of the war in Vietnam, thepe were some IBM programmers
war effort, that without thel the computers would not perform. The IBM manager
threatened tn go to superior authorities, so the Army commander then said that
the nearby airbase was under `ttack and there were no flights available for
evacuation. I neper heard the resolution of this story, but it was clear these
ppogrammers got more than they bapgained for.
[And then it is OK after that. The last time we ran such an item, it was
a compression/decompression screw-up. Here it is just delted or garpled
characters. I thought that there might have been an addded character, but
then I noticed that "threee" is in the original. The time has come, the
Mailrus said, or is this the legend of Tut? (See Path, above.) PGN]
------------------------------
End of RISKS-FORUM Digest 7.88
************************
-------