Subject: RISKS DIGEST 14.57
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 3 May 1993  Volume 14 : Issue 57

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
The risks of non-24-hour days (Debora Weber-Wulff)
Flaws in government computer bond auction (Mark Seecof)
Evading 1-900 blocking (John Carr)
New Computer Virus Reported in Japan (David Fowler)
Stunning vending machines (Edward N Kittlitz)
Junk mail reduction request can add to your junk mail, too (Rich Rosenbaum)
Re: SSN for Health Identifier (John R. Levine)
Re: How to rob a bank the cashcard way (Anthony Naggs)
Humans NOT needed to save NASA (Don Norman)
Re: Human vs. computer in space (Craig Partridge, Espen Andersen, Scott Alexander, R. Mehlman)
Re: Clipper - A dumb idea (Brian Seborg)
Re: Worries over the Clipper Chip (Brinton Cooper)
Re: Too much electricity (DonB)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome.

CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Sun, 2 May 1993 12:26:02 GMT
From: dww@math.fu-berlin.de (Debora Weber-Wulff)
Subject: The risks of non-24-hour days

A student told this quite believable tale about a German steel-producer last week: The steel production line is completely automated, with the molten ingots having to cool a certain number of minutes/hours before force is applied to flatten them out. It appears the programmers of the system didn't want to construct their own clock, and so from a security point of view they used the German radio signal put out from Braunschweig (Funkuhr) that gives the exact time. This was used to calculate cooling times.

In April, though, there was the day we switched to summer time, and a day with just 23 hours. 3:00 am followed 1:59 am, and the mill controller thought that the cooling time was up, and applied force - splattering still-molten steel around the place and breaking this part of the mill.

Any confirmation of this from sources other than a friend of a friend?

Debora Weber-Wulff, Technische Fachhochschule Berlin, FB Informatik,
Luxemburgerstr. 10, 1000 Berlin 65   dww@informatik.tfh-berlin.dbp.de

------------------------------

Date: Sun, 2 May 93 12:32:35 -0700
From: Mark Seecof
Subject: Flaws in government computer bond auction

On Friday 29 April 93 the Los Angeles Times reported on page D1 in a story by Robert A. Rosenblatt that the U.S. Treasury department will implement a new computerized government securities auction system even though the General Accounting Office (GAO) says it is "deeply flawed."
[Paraphrasing and elisions by Mark Seecof.]

The purpose of the new system is to prevent fraud and bid-rigging such as Salomon Bros. engaged in during 1990 and 1991.

"The automated network proved highly unreliable during tests of simulated auctions... In one test, five dealers 'were disconnected from the mainframe'... If this happened during an actual auction, the bids would have been lost.

"Another threat comes from the computer clock..., which 'drifts and has to be manually readjusted... This poses a potential problem for those dealers who submit bids seconds before an auction closes... For instance, should the computer clock gain time, dealers could transmit timely bids that are rejected as late.' [NNTP, anyone?]

"Because of these uncertainties, the Treasury is allowing dealers to maintain the old [paper] method of bidding despite the GAO warning that this defeats the purpose of the new network, known as the Treasury Automated Auction Processing System.

"The GAO recommended that the computer effort be delayed while a better system is devised to detect fraud and collusion... The Treasury defended its decision to proceed... 'Our position is that TAAPS has been thoroughly tested and is ready to be put into production,' a Treasury spokeswoman said. 'Treasury considers this TAAPS program an important first step... We deliberately chose to introduce automation to the auction process incrementally and believe this to be a prudent approach.'"

[Mark Seecof says:]

"Prudent incrementalism." Note that this is (a) not a lie, (b) not a response to the charge that TAAPS is "deeply flawed," and (c) not very satisfying to the reader.

Okay, so bureaucrats will "brazen it out," and implement even "deeply flawed" systems rather than admit to development failures. Perhaps we should start rewarding managers for NOT implementing bogus systems? Could we devise a suitable bureaucratic scheme for doing so?
On another note, could an unethical trader with a copy of the GAO report find a way to gain some advantage by exploiting TAAPS' flaws?

Mark Seecof
Los Angeles Times' Publishing Systems Dept.

------------------------------

Date: Mon, 03 May 1993 08:30:52 EDT
From: John Carr
Subject: Evading 1-900 blocking

A local TV news program had a story about a new type of phone sex service. A teenage boy evaded the long distance blocking on his parents' phone by calling a free 1-800 number and leaving his phone number. The phone sex service called him back, collect.

The people interviewed on the show acted very shocked that this could happen, even though the phone company said it wouldn't charge for the calls. In particular they pointed out that the boy was not required to prove his age. No suggestions were offered as to how he might do so over the phone.

In my opinion, they were trying to blame technology for a social problem. The phone company is an easy target. Certainly it's easier to blame them than to ask controversial questions like "why can't you take responsibility for your son's actions?" or "what's wrong with talking about sex?".

I was a bit surprised that the report included the free phone number to call. I wonder how many people will call the service after learning about it from the news.

--John Carr (jfc@athena.mit.edu)

------------------------------

Date: Sat, 1 May 93 19:21:33 PDT
From: fowler@oes.ca.gov (David Fowler)
Subject: New Computer Virus Reported in Japan

The Kyodo News Agency, in a story datelined Tokyo, warns of a new strain of computer virus that is to strike computers operating under MS-DOS on the Japanese Children's Holiday, May 5 (May 4 on this side of the International Dateline). Kyodo quotes the Information Technology Promotion Agency, which it describes as "a government-backed computer institute," as identifying the new virus as DApdm-13. This virus, when activated, displays the English sentence, "Hey boy, do you know hide-and-seek?
Play with me." The virus will then, according to Kyodo, overwrite all data and programs. Without further elaboration, the news agency says that the virus can be removed by programs already on the market.

David Fowler, San Francisco

------------------------------

Date: Fri, 30 Apr 1993 09:14:40 -0400 (EDT)
From: kittlitz@world.std.com (Edward N Kittlitz)
Subject: stunning vending machines

I just saw a Japanese language report from a network or program called `FNN'. Based upon the abridged subtitles, some people are stealing telephone service. This is accomplished by using a hand-held electric stun gun on a machine which vends telephone debit cards.

E. N. Kittlitz   kittlitz@world.std.com

------------------------------

Date: Sat, 1 May 93 09:29:54 EDT
From: "Rich Rosenbaum, rosenbaum@lkg.dec.com"
Subject: junk mail reduction request can add to your junk mail, too

The Direct Marketing Association maintains a database listing people that prefer to not receive unsolicited marketing material. I've had my name and address added to this list, hoping it would reduce my mail. It seems to have had just the opposite effect recently - I just received a mailing from Sears that begins:

"Because you have requested through the Direct Marketing Association not to receive various solicitations through the mail, ..."

Rich Rosenbaum

------------------------------

Date: 30 Apr 93 12:37:32 EDT (Fri)
From: johnl@iecc.cambridge.ma.us (John R. Levine)
Subject: Re: SSN for Health Identifier

[RE a note saying that the Clinton administration seems to be leaning toward making the SSN the national health ID]

There is a thriving business in stolen SSN's so that illegal aliens can get work. The checking is now good enough that the alien needs the name that matches the SSN for the I-9 form to pass, under the bureaucratic rule of thumb that anyone who presents your name and SSN must be you.
This means that people all over the country are now being hassled by the IRS for not reporting income, typically from some place in Southern California or Texas that they've never heard of where the alien was working. There was a sidebar in the Boston Globe yesterday about a local woman who was hounded by the IRS for five years with this problem.

Until now, SSN theft could cause considerable financial pain, but it couldn't kill you. If the national health number is the SSN, this means that when someone steals your SSN and goes to the doctor, their health records will become mixed in with yours. If someone is already fairly sick, it is easy to imagine how a system depending on computerized records could misprescribe drugs or other treatment with fatal effects.

John Levine, johnl@iecc.cambridge.ma.us, {spdcc|ima|world}!iecc!johnl

------------------------------

Date: Fri, 30 Apr 93 13:19:08 BST
From: amn@ubik.demon.co.uk (Anthony Naggs)
Subject: Re: How to rob a bank the cashcard way (Wodehouse, RISKS-14.56)

It is interesting Lord Wodehouse's contribution was published here. I had considered sending details myself, but I remembered that my similar submission last autumn was not published (describing a report on the BBC Newsnight television programme and New Scientist magazine).

> An article in the UK Sunday Telegraph on 25 Apr 1993, p. 5, by Barbara
> Lewis, ...

Barbara is the journalist; the deceit of the Automated Teller Machines (ATMs) was performed by Bryan Clough and an unnamed computer expert.

The banks call this "white card fraud" because up to now most attempts have been with the plain white plastic cards supplied by vendors of the card read/write equipment. The banks only find the white cards if they are retained by the ATMs. To my knowledge all ATMs operated in the UK allow three attempts to enter the correct 4 digit PIN.
If the third attempt is not validated the ATM retains the card, but after the first or second attempt you can select "cancel" or "error" and have the card returned. If you reinsert the card into the ATM it does not remember your previously failed attempts. Summary: a fraudster has to be very incompetent to let the ATM retain the card.

I spoke to Bryan Clough on Monday about this. He clarified a few of the technical aspects for me, which I hesitate to post here. A brief outline of one of the events described should be enough to worry:

1 The journalist used her cashcard to withdraw money at an ATM.
2 She placed the receipt in the bin provided.
3 Bryan Clough retrieved the receipt.
4 Bryan, and his colleague, took the receipt to a portable computer and card read/write unit, (in their car I think). They programmed 3 cards using information from other cards and the receipt.
5 Presenting each of the 3 cards to an ATM, (not at the bank that issued the card), gave these results:
   1. 10 pounds was withdrawn, debited to the journalist's account.
   2. 10 pounds was withdrawn, the journalist's account was debited with 10 pounds and 3 pence!
   3. The card was rejected as invalid, Mr Clough recovered the card by selecting "cancel".

Note, in this case the PIN was derived from the known card - only the journalist's account number was needed, not her PIN.

In a further conversation with Bryan today he told me that the (UK) Sun newspaper had a short item on this yesterday, and that he was expecting them to do another one on Saturday.

I suspect that the banks insist that this is impossible simply because the managers lack a technical understanding of the technology.
Anthony Naggs (anti-virus consultant)   email: amn@ubik.demon.co.uk   phone: +44 273 589701

------------------------------

Date: 03 May 93 01:12 GMT
From: DNORMAN@applelink.apple.com (Norman, Donald)
Subject: Humans NOT needed to save NASA (Mellor, RISKS-14.56)

A contribution to RISKS (14.56) once again repeats the propaganda that it is only through human cleverness and ingenuity that complex space missions are saved. That is sheer propaganda. Oh yes, it is true, but the stories neglect the fact that if it weren't for the requirement to keep the humans healthy and alive, the mission would be dramatically less complex and the reliability would be dramatically greater (and the cost correspondingly less). And if a space launch or two failed, it wouldn't much matter.

Reread that RISKS quote:

"For a few appalling moments it must have seemed as though the nightmare had begun: marooned on the Moon, with only a day's oxygen and no way home. Aldrin poked around, and found a felt-tipped pen, and shoved it in the slot. It worked. ... Man had a proper place in the scheme after all."

Notice that the felt-tipped pen prevented the humans from being marooned. But if there were no humans on board, it wouldn't have mattered. What is all this about "Man had a proper place in the scheme after all"?

And then RISKS repeats the old joke:

``Where else,'' said one test pilot in the programme, ``would you get a non-linear computer weighing only 160 lbs, having a billion binary decision elements, that can be mass-produced by unskilled labour?''

(Actually, it is hundreds of billions of elements, and a lot more complex than binary).
The problem with this old joke is not the inaccuracy of the numbers (for the correct numbers make the point of the joke even more impressive) but rather the neglect of the twenty to thirty years of training by *very highly skilled* personnel necessary to produce test pilots and the rest of us, to say nothing of the infrastructure and costs required to keep us alive during that period.

Look, folks, the main justification of humans in space is that it is a neat thing to do, that it provides new opportunities for growth, exploration, and colonization. It is probably inevitable, given human curiosity and love of new adventures. I want to do it too. But let us be honest: if you want people in space, then admit it. Justify it on those grounds. Don't lie and say that humans are needed to keep the spacecraft going -- the only reason they are needed for that purpose is because humans are on board in the first place.

There is a NASA report floating about somewhere (the old "Carl Sagan committee" -- of which I was a member -- that performed an expensive several year study of the problem and concluded just that). But the report violated NASA's goals of "man in space" and seems to have been lost in the filing cabinets.

Don Norman, Apple Computer   dnorman@apple.com

------------------------------

Date: Fri, 30 Apr 93 08:05:42 -0700
From: Craig Partridge
Subject: re: Human vs. computer in space (Mellor, RISKS-14.56)

Page 365 of Murray and Cox's "Apollo: The Race to the Moon" (Simon and Schuster 1989) gives a very different account. According to their version of the story, Armstrong bumped into the circuit breaker with his backpack, and the astronauts reported the damage before going out on their moon walk. During the moon walk, folks on Earth figured out how to rewire some of the switches in the LEM to bypass the circuit breaker and arm the ascent engine.

So the astronauts were superfluous...
:-)

Craig Partridge

------------------------------

Date: 30 Apr 1993 07:01:24 -0400 (EDT)
From: ESPEN ANDERSEN
Subject: Re: Human vs. computer in space (Mellor, RISKS-14.56)

While not disagreeing with Peter Mellor's point about humans having a place in space (that is, on manned space missions), I would like to point out that his example would seem to argue for the opposite. The error that Buzz Aldrin fixed was caused by a misplaced backpack. A computer probably wouldn't do this, not because computers do not misplace things, but because in an unmanned flight there would not be any backpacks--or any switches either. In other words, the error corrected was in the user interface of the lunar module, and the correction was done by the user.

Espen Andersen (eandersen@hbs.harvard.edu)

------------------------------

Date: Fri, 30 Apr 93 13:16:29 PDT
From: Scott Alexander
Subject: re: Human vs. computer in space (Mellor, RISKS-14.56)

I probably have a bias in this matter, working for a laboratory tasked with the robotic exploration of the solar system. Let me reiterate that I cannot speak for JPL (and that they probably disagree with at least some of this).

It strikes me that the case cited illustrates the advantages of unmanned exploration as well as the advantages of manned exploration. If Armstrong and Aldrin hadn't been on board the module, some mission capabilities would have been lost. However, there would not have been the "nightmare" scenario in which human beings are at risk. Given that losing humans is considered far worse than any other failure in our space program, the cost of sending humans into space is much higher than the cost of robotic exploration. This limits the number of missions flown. Moreover, the cost to the space program any time an astronaut is lost is tremendous both in terms of money and time lost to the program.
Thus, because of the costs of additional systems and redundancies to support humans and the additional weight (which adds further costs), I believe we need to very carefully choose those situations in which it is worthwhile to send humans versus those situations where sending several robots will produce wider results.

Scott Alexander   salex@devvax.jpl.nasa.gov

------------------------------

Date: Fri, 30 Apr 1993 18:44:12 PDT
From: rmehlman%grumpy.decnet@pdsppi.igpp.ucla.edu
Subject: RE: Human vs. computer in space (Mellor, RISKS-14.56)

In all fairness, it should be noted that the circuit breaker would not have failed if a human had not been present to brush the plastic pin with his backpack. Further, the increased complexity of *manned* spacecraft greatly increases the number of things which can fail.

The pyramids are a poor example to bring into the argument about manned space exploration. They cost more than just money.

------------------------------

Date: Fri, 30 Apr 93 12:26:51 EDT
From: Brian Seborg
Subject: Clipper - A dumb idea

After reading the initial announcement of Clinton's support of the Clipper Chip I thought that the idea was insane! Upon reading more about the chip and following the discussions here I have to express some concern over this technology and the cost of pursuing the implementation of it in government systems.

One concern that was raised was the problem that once an entity had been given the escrow key to effect a tap, they could then continue to tap any and all conversations in the future. Dorothy Denning suggested that the purchase of a new unit could be effected, or a simple chip replacement could be done to rectify this situation. I have to suggest that no hardware replacement is "simple" and I have to wonder at the cost and logistics of effecting such a replacement. Padgett suggests that this is a sound technology whose time has come and which will offer a "good enough" encryption service.
Well, I would suggest that "good enough" technology already exists, so why invest in technology which has a built-in trap door? It makes no sense! Also, I am somewhat concerned that we are already ramping up for this effort. NIST is already beginning to allocate resources to this project, as has NSA. How much is this going to cost? It seems to me that we have embarked on a trip but forgotten the map. Why would Clinton set up such a standard before trying to get some consensus from the affected parties? Or is this just a trial balloon?

I think there are many valid questions which have been raised, such as who will be the consumers of this technology? What is the point of providing such a chip if criminals are unlikely to use it, or if additional layers of encryption are placed on the communications? Tapping would seem useless if this were the case, unless, as others have pointed out, other forms of encryption were made illegal. But what is the possibility of this? I'd say nil. Such a requirement would be so onerous that it would never be supported. In addition, there is no way that current vendors of encryption software and hardware would lie down while this occurred. Plus, it might not even be constitutional (potentially violating privacy, freedom of press, and expression). So I doubt that doing away with other forms of encryption is being contemplated.

So then what is the use of this chip? It may have some use as a technology, but not in the way currently described. For example, I could think of a use within a corporation. If all computers in a corporation used the encryption provided by such a chip to encrypt sensitive information and an employee left, then the escrow key could be used to get back the information which would otherwise be lost to the company. But this is not the way that is currently being pursued. And since other forms of encryption can be used to thwart tapping attempts, what is the point?
It seems to be an interesting intellectual exercise, and it may indeed have uses in corporations requiring encryption, but the idea that you would provide the "keys to the kingdom" to some currently undefined escrow authority such as the FBI or NSA or the local police will never be supported by security experts or commercial entities. Let's all agree that we don't want to waste our tax dollars on this project and contact our congresspeople and senators to nip this project in the bud before it becomes the next government sponsored boondoggle.

Brian Seborg, VDS Advanced Research Group

------------------------------

Date: Fri, 30 Apr 93 13:28:21 EDT
From: Brinton Cooper
Subject: Re: Worries over the Clipper Chip (Firth, RISKS-14.55)

Robert Firth asks

>Why should anyone worried about snoopers
>use an encryption scheme designed to allow snooping?

Answering his own question, he says

>The answer, of course, is indeed that all other encryption schemes
>must be outlawed.

When private use of end-to-end encryption is outlawed, how will it be enforced? How will the agents of the Crypto Enforcement Agency (CEA) know that two end-users are sending encrypted traffic and not just random bit streams? Will they mis-interpret binary file transfer as unauthorized use of encrypted data? Will every kermit user be subject to search of his/her premises by CEA agents, bashing in the door under authority of search warrant? Where will it all end?

_Brint

------------------------------

Date: 30 Apr 93 16:33:02 GMT
From: donb@crash.cts.com
Subject: Re: Too much electricity (Miller, RISKS-14.55)

In a case several years ago in the desert north of Los Angeles, "excessive" electricity use was the "Probable Cause" for a search warrant. The police did find pot cultivation in an underground garden. The excessive use was determined by a bill found during a raid in Bullhead City, Arizona. The part never mentioned by the press was that the bill was from while the house and barn were being constructed.
Power for the garden was provided by a generator.

DonB

------------------------------

End of RISKS-FORUM Digest 14.57
************************
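The daylight-saving failure mode in Debora Weber-Wulff's steel-mill item earlier in this digest, as an added example that is not part of the digest or of any contributor's post: a controller that subtracts two broadcast local-time readings overstates the cooling time by an hour on spring-forward night, while one that subtracts instants on a continuous timeline (UTC, or a monotonic counter) does not. The zone model (UTC+1 before a constructed transition instant, UTC+2 after), the two-hour cooling requirement and the pour times are assumptions made for the example, not figures from the post.

```python
"""Cooling-timer controller on spring-forward night (constructed model).

Two ways a controller can decide that an ingot has cooled long enough:
  naive:  subtract the broadcast *local* wall-clock reading taken at pour
          from the current local reading (the design the digest item describes);
  robust: subtract two instants on a continuous timeline (UTC here; a
          monotonic counter would serve as well).
On the night the local clock jumps from 01:59 to 03:00 the naive difference
is one hour too large, so the press is released an hour early.
"""
from datetime import datetime, timedelta

# Assumed zone model (a stand-in for Europe/Berlin so no tz database is needed):
# UTC+1 before the transition instant, UTC+2 from it on.  The instant is
# constructed for this example; at that moment local 02:00 becomes 03:00.
SPRING_FORWARD_UTC = datetime(1993, 3, 28, 1, 0)
WINTER_OFFSET = timedelta(hours=1)
SUMMER_OFFSET = timedelta(hours=2)

REQUIRED_COOLING = timedelta(hours=2)   # assumed cooling requirement
TICK = timedelta(minutes=1)             # assumed controller polling interval

# Constructed pour times: half an hour before the jump, and a day later.
POUR_BEFORE_JUMP = datetime(1993, 3, 28, 0, 30)   # 01:30 local
POUR_AFTER_JUMP = datetime(1993, 3, 29, 0, 30)    # 02:30 local, no jump ahead


def broadcast_local_time(t_utc: datetime) -> datetime:
    """Wall-clock reading a DST-following radio clock shows at instant t_utc."""
    offset = SUMMER_OFFSET if t_utc >= SPRING_FORWARD_UTC else WINTER_OFFSET
    return t_utc + offset


def naive_cooling_done(poured_utc: datetime, now_utc: datetime) -> bool:
    """Flawed check: difference of two local wall-clock readings."""
    elapsed = broadcast_local_time(now_utc) - broadcast_local_time(poured_utc)
    return elapsed >= REQUIRED_COOLING


def robust_cooling_done(poured_utc: datetime, now_utc: datetime) -> bool:
    """Correct check: difference of two instants on a continuous timeline."""
    return now_utc - poured_utc >= REQUIRED_COOLING


def real_cooling_minutes(poured_utc: datetime, done) -> int:
    """Step a simulated clock one tick at a time and return how many minutes the
    ingot really cooled when `done` first reports the cooling time as over."""
    now = poured_utc
    while not done(poured_utc, now):
        now += TICK
    return int((now - poured_utc).total_seconds() // 60)


def compare_controllers(poured_utc: datetime) -> dict:
    """Real cooling minutes each controller allows for an ingot poured at poured_utc."""
    return {
        "naive": real_cooling_minutes(poured_utc, naive_cooling_done),
        "robust": real_cooling_minutes(poured_utc, robust_cooling_done),
    }


if __name__ == "__main__":
    for label, poured in (("before jump", POUR_BEFORE_JUMP), ("after jump", POUR_AFTER_JUMP)):
        print(label, compare_controllers(poured))
    # before jump {'naive': 60, 'robust': 120}; after jump {'naive': 120, 'robust': 120}
```

The mirror-image fall-back night makes the naive difference an hour too small, so the press would wait an extra hour; that is the safe direction, but the same fix covers both.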