Mail-From: NEUMANN created at 23-Apr-87 17:18:23
Date: Thu 23 Apr 87 17:18:22-PDT
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS DIGEST 4.77
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest   Thursday, 23 April 1987   Volume 4 : Issue 77

        FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  'Hackers' hit the Jackpot (Michael Bednarek)
  Fidelity Mutual Funds Money Line feature (Chris Salander via Barry Shein)
  VCRs, Telephones, and Toasters (Martin Ewing)
  Checklists, Aircraft risks, and Neutrons (Eugene Miya)
  Neutron Beams for Explosives Detection (Marco Barbarisi)
  Forgery on Usenet (Brad Templeton)
  Re: How to post a fake (Wayne Throop)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.  MAXj:
Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date: Thu, 23 Apr 87 17:27:22 EST
From: munnari!murdu.oz!u3369429@seismo.CSS.GOV (Michael Bednarek)
To: RISKS@csl.sri.com
Subject: 'Hackers' hit the Jackpot

Paraphrasing a well-known motto: The Benefits to Individuals in Computer Systems

  'Hackers' hit the Jackpot, by John England
  The Sun, Melbourne, 23-Apr-1987

BONN, Wed. - Computer experts have cracked the codes of West Germany's most
popular poker machine.  They are selling computer print-outs giving the
machine's play programs for $6500 and people are embarking on money-spinning
raids on pubs and amusement arcades.

Even better, if a person is caught using the system there is nothing to fear.
West Germany does not have a law saying it is illegal to fool a machine.
The ruse came to light when three students made a "hit" on a Cologne pub which
has four machines.  Police were called after the students won the jackpot on
each of the machines within minutes and a search revealed a computer print-out
giving the machines' play programs.

Police believe the students, from Brunswick University where a technical
department checks poker machines to make sure they comply with the payout law,
were the "hackers" who cracked the code.

The makers are hurrying to change their programs but, as a spokesman admitted:
"You can't fix 160,000 machines overnight - or stop the hackers cracking the
new code!"

------------------------------

Date: Thu, 23 Apr 87 01:50:10 EDT
From: bzs@bu-cs.bu.edu (Barry Shein)
To: risks@csl.sri.com
Subject: Fidelity Mutual Funds Money Line feature

From: chris@leadsv.UUCP (Chris Salander)
Newsgroups: misc.invest
Date: 22 Apr 87 19:54:17 GMT
Organization: LMSC-LEADS, Sunnyvale, Ca.
Summary: BEWARE!!! Computers gone mad!

Fidelity Investments has a feature on their Mutual Funds called the Money Line.
Every quarter or every month their computers will call the computers at your
bank and withdraw a specified amount of money from your checking or savings
account and invest it into a particular fund.

I have been severely victimized by this feature and have lost control of my
checking account because of it.  As a warning to the rest of you here is my
story:

January 1986
  I sign up for 3 of Fidelity's funds and invest some $.  I ask for the Money
  Line feature (once every quarter) on each account and give them my electronic
  banking number and checking account number.

May 1986
  Investments doing well.  Money Line feature on each fund was never activated.
  I invest in one more fund, Magellan.  This time I specify NO Money Line
  feature.

July 1986
  Money is withdrawn from my checking account without warning.  A statement
  shows up saying that the Magellan fund now has that money.  I call Fidelity
  customer service and ask for this to stop.
October 1986
  Money is again withdrawn from my checking account without warning.  For the
  first time in my life my checking account is overdrawn because of this
  withdrawal.  I am fined by the bank.  I call Fidelity and ask them to stop.
  I write them a letter telling them to stop.  I withdraw all my money from
  Magellan.  The beast should be dead.  But .....

January 1987
  Money is withdrawn from my checking account and placed into an otherwise
  empty Magellan fund account that still exists.  This withdrawal causes a
  check to bounce for the first time in my life.  I call Customer Service.
  They refer me to the Research Department.  Research gets back to me later
  and assures me that everything will be stopped.  TWO MONTHS later I get my
  money back.  Meanwhile, I am fined by my bank for the bounced check and
  embarrassed in front of the company I paid it to.  Is the beast dead?
  Noooo ...

April 1987
  Money is again withdrawn from my checking account without warning.  The
  Money is put into a NEW Magellan account in my name.  I transfer the money
  out.  I visit the office of my bank where my account is.  I ask them to
  cancel this connection to my account.  The flesh and blood people say they
  cannot help me and give me a phone to call Customer Service.  Customer
  Service identifies the automatic debit feature on my account and puts a
  "STOP order" on it.  The operator then says that she cannot guarantee that
  this will prevent the access from occurring again.  She says that if the
  Fidelity computer asks for its money again, the bank computer will probably
  give the money to it.  I'm furious.  I complain to the flesh and blood
  people.  They say there is nothing they can do.

Epilog
  I am taking all of my money out of Fidelity to punish them for this and to
  avoid future problems with them.  I will be cancelling my account with the
  bank and moving it somewhere else.  Only then will I kill the beast.
  I hope ...

BIG BROTHER IS HERE AND HE IS A COMPUTER!!!
------------------------------

Date: Wed, 22 Apr 87 23:15:07 PDT
From: mse%Phobos.Caltech.Edu@DEImos.Caltech.Edu (Martin Ewing)
Subject: VCRs, Telephones, and Toasters
To: risks%Phobos.Caltech.Edu@DEImos.Caltech.Edu

I appreciate the comments of Beckman and Saltzer on inappropriate technology in
VCRs, toasters, etc.  I, too, have found it inordinately difficult to program
our "7-day programmable" VCR.

The telephone offers another case.  Our "Dimension/1" system happily takes a
half dozen codes for call forwarding, camp-on, holding, etc., with zero feedback
as to its internal state.  Just for spite, it gives you a little chirp as you
realize you forgot to reset call forwarding and your call has flown off to the
other end of the building.

You can also get into exotic telephone situations with banks and mutual funds,
as you can transfer five figures of cash between accounts without being *quite*
sure afterwards what you have done.

A simple rule would be that any user interface should have visual output that
is in line with the complexity of the transaction.  Visual because an entire
transaction can be viewed at once.  VCRs are lately using the TV screen for
state indication, and financial institutions are providing PC access for their
customers.  Both are hopeful developments.

I just don't know about smart toasters.  Can they scorch ascii on your crumpets?

Martin

------------------------------

To: risks@csl.sri.com
Subject: Checklists, Aircraft risks, and Neutrons
Date: 23 Apr 87 09:05:58 PST (Thu)
From: eugene@ames-nas.arpa

  Subject: Re: Checklist stops risks?
  From: Jerome H. Saltzer

It seems maintenance is one of the biggest problems in software, and not
uncommon to software.  If there is any one area where we could use checklists,
and where software people [and others] fall down, it is in the area of
long-term maintenance.
  From: ladkin@kestrel.ARPA (Peter Ladkin)
  Subject: Aircraft risks

>One possible source of confusion - a blackout is not a loss of consciousness

The problem is there is a lag associated with loss of vision and loss of
consciousness which does not travel at the speed of light.  I would suggest it
is not as easily reversed as implied.  Better to stay far away.

  Subject: Neutron beam detection [RISKS 4.75] (Scott Dorsey)

>In addition, what happens to digital electronics when they are hit with
>slow neutrons?

Yes, interesting indeed.  You may have just justified the use of GaAs circuits
for home use.  This is especially critical when you consider we can sputter
layers 20 atoms thick when hitting these atoms with neutrons.

--eugene miya, NASA Ames Research Center

------------------------------

Date: Thu, 23 Apr 87 16:29:25 CST
From: marco@ncsc.ARPA (Barbarisi)
To: risks@csl.sri.com
Subject: Neutron Beams for Explosives Detection

I did an experiment with neutron radiation for a physics laboratory while I was
in college.  It may shed some light on this issue.

For the experiment, a silver dime was placed in a device called a "neutron
howitzer" and irradiated with neutrons for approximately one minute.  The dime
was removed and the gamma radiation emissions were monitored.  As I recall, the
half-life of the radiation was about thirty seconds (it was very "hot" upon
removal from the howitzer).  After about three or four minutes the gamma
radiation decayed to background levels.  The latex stick which held the dime in
the neutron howitzer showed no sign of radiation at all.

Thus, I doubt that there would be any lasting effect on clothing and food from
low energy neutron radiation.  The device we used to irradiate the dime was in
a refrigerator-sized can of lead and used plutonium to generate the neutrons.
The device that is proposed for airport use is of considerably less power.

However, there would be considerable hazard to an airport worker stationed near
the neutron emitter.
I foresee lawsuits a-plenty when a baggage handler working near the bomb
detector gets a nasty disease or produces afflicted offspring.

Marco C. Barbarisi   marco@ncsc.ARPA   (904)234-4954

------------------------------

From: brad%looking%math%math.waterloo.edu@RELAY.CS.NET
To: RISKS@CSL.SRI.COM
Date: Wed Apr 22 19:07:34 1987
Subject: Forgery on Usenet

While I'm not sure we should be revealing all this, it is possible to go even
further and make forgeries that can't even be traced by looking in the logs.

If you are root on your machine, you can change the machine's site name, so
that it pretends to be another machine.  If the remote site you are calling has
a general uucp login, nothing prevents you from saying, "hi, I am site ihnp4,
and here are some transactions."  cbosgd does have such a general login.

If you insist on a different login (with password) for every network partner,
then that can be safe IF you have a version of uucp that does security checks
on the names.  I think lots of people have got secure uucp mail, at least
within their organization, these days.  I don't think they do with news.

Brad Templeton, Looking Glass Software Ltd. - Waterloo, Ontario 519/884-7473

------------------------------

Date: Thu, 23 Apr 87 17:53:47 EST
From:
To: rti-sel!mcnc!csl.sri.com!risks@mcnc.org
Subject: Re: How to post a fake

> From: sun!plaid!chuq@seismo.CSS.GOV (Chuq Von Rospach)
...
> That's how you forge messages.  And as long as the uucp links exist, there
> is no way to fix this, because a vital piece of information isn't passed out
> of uucp.

Well.... I disagree on a minor point.  A news system could allow only user
"news" to get at rnews, and only allow user "news" incoming access to uuxqt.
(With perhaps similar arrangements for mail.)  This means that uux would not
be allowed for anything but news or mail, but it would plug the security hole.
So, revise Chuq's point to be "as long as the uucp links on news systems need
to be used for anything but news and mail, there is no way to fix this."

At least... I THINK so.

Wayne Throop

    [I am suppressing a bunch of other messages on this subject.  It is
    important that you all be aware of the risks, although the nuances in
    trying to avoid them are probably beyond the interest of our readership
    community.  Suffice it to say that most of the alleged solutions still
    have significant windows of vulnerability.  PGN]

------------------------------

End of RISKS-FORUM Digest
************************
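An added example, not code from the digest or from any uucp implementation, modelling the two defences argued in Templeton's and Throop's posts above: a site name a caller announces is accepted only when it is bound to the login that actually authenticated, and incoming uux requests are limited to rnews on behalf of user "news". The peer table, the line format and the session lines are constructed for the example and are not real uucp configuration or logs.

```python
import re

# Constructed peer table (an assumption, not a real uucp configuration format):
# each password-protected login is bound to the site names it may claim. The
# general "uucp" login is bound to nothing, so no site name it announces counts.
PEERS = {"Uihnp4": {"ihnp4"}, "Ucbosgd": {"cbosgd"}, "uucp": set()}

# Commands an incoming uuxqt request may run, and the only requesting user
# allowed to ask for each (Throop's suggestion: only user "news" reaches rnews).
ALLOWED_UUX = {"rnews": "news"}
LINE = re.compile(r"login=(\S+) site=(\S+) cmd=(\S+) user=(\S+)$")

def check_site(login, claimed_site):
    """Templeton's check: trust a site name only if it is bound to the login
    that actually authenticated, never because the caller announced it."""
    return claimed_site in PEERS.get(login, set())

def check_uux(command, user):
    """Throop's check: incoming uux may run only the news command, and only
    on behalf of the dedicated user."""
    return ALLOWED_UUX.get(command) == user

def audit(log):
    """Apply both checks to each session line; return (verdict, reason) per line."""
    verdicts = []
    for raw in log.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            verdicts.append(("malformed", raw))
            continue
        login, site, cmd, user = m.groups()
        if not check_site(login, site):
            verdicts.append(("reject", f"site {site} is not bound to login {login}"))
        elif not check_uux(cmd, user):
            verdicts.append(("reject", f"uux {cmd} for user {user} is not permitted"))
        else:
            verdicts.append(("accept", f"{site} via {login}: {cmd} for {user}"))
    return verdicts

# Constructed session lines, not real logs. Line 2 is the spoof Templeton
# describes (the general login announcing another site's name); lines 4 and 5
# are uux requests outside news, which Throop's restriction turns away.
SAMPLE_LOG = """
login=Uihnp4 site=ihnp4 cmd=rnews user=news
login=uucp site=ihnp4 cmd=rnews user=news
login=Ucbosgd site=ihnp4 cmd=rnews user=news
login=Uihnp4 site=ihnp4 cmd=lp user=news
login=Uihnp4 site=ihnp4 cmd=rnews user=brad
"""
```

Calling `audit(SAMPLE_LOG)` accepts only the first line; the other four are rejected with the reason that would be worth logging.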