RISKS-LIST: RISKS-FORUM Digest Wednesday 31 August 1988 Volume 7 : Issue 41 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: The Marconi Deaths (Brian Randell) $300,000 Automatic Teller Theft (Sort Of) (Henry Cox) Car engines become target for hackers (Jeffrey Mogul) Blinker failure in 87 Ford Mustang (Tim Thomas) Risks of locking systems (Andrew Birner) Electronic 1040s (Rodney Hoffman) Water seepage stops Computer controlled monorail (George Michaelson) Re: Fewer Charges Now Require a Signature (David Sherman) Continental Bank Drops Retail Accounts (Patrick A. Townson) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95). ---------------------------------------------------------------------- Date: Wed, 31 Aug 88 10:57:28 WET DST From: Brian Randell Subject: The Marconi Deaths Last week a further Marconi employeee died in somewhat mysterious circumstances. I did not see any original press reports, but only the attached editorial from the Independent. The Independent is not a sensationalist tabloid, but rather a highly respected and respectable national newspaper here, so the fact that it chose to devote its leading editorial to the Marconi issue is of some note. The result provides what I would regard as a balanced summary and commentary, which I therefore thought was worthy of passing onto the RISKS readership, given the previous coverage of these matters in RISKS. Brian Randell, Computing Laboratory, University of Newcastle upon Tyne [For those of you wishing to comment on the relevance of this topic, the plausibility of conspiracy theories, the credibility of the debunkers, etc., please first dig up the back issues on this topic, namely RISKS-4.74, 81, 83. And let's keep the speculation down on this one. On the other hand, if there is any DEFINITIVE knowledge, let's hear it. PGN] DEATHS WHICH MUST BE INVESTIGATED The Independent, Friday 26 August 1988 (Reprinted in full, without permission) The police said it was suicide, and no doubt they were right. Ex-Brigadier Peter Ferry, a marketing manager at Marconi's Command and Control Systems centre at Frimley, Surrey, had apparently killed himself by inserting mains electric wires into his mouth and then turning on the power. The method chosen was perhaps marginally more grisly than in the case of several other Marconi employees. In 1986, for example, Ashad Sharif, a computer analyst who worked for Marconi Defence Systems in Stanmore, Middlesex, tied one end of a rope around his neck, another to a tree, and put his car into gear. Two months earlier, the body of Vimal Dajibhai, a software engineer responsible for checking the guidance systems of Tigerfish torpedos for Marconi Underwater Systems, was found under Clifton suspension bridge at Bristol. In March 1987, David Sands, a project manager working on secret satellite radar at Marconi's sister company Easams, in Camberley, drove up a slip road on his way to work and into a cafe at an estimated 80mph. A year later Trevor Knight, a computer engineer at Marconi's space and defence base in Stanmore, died in his fume-filled car at his home in Hertfordshire. Earlier, two other Marconi employees, Victor Moore, a design engineer, and Roger Hill, a draughtsman, had killed themselves, both seemingly as a result of work pressures. There have been at least half a dozen more untoward deaths among defence scientists and others working in the defence field. Marconi is not alone, but it is well in the lead. The best efforts of investigative journalists have failed to establish a link either between the various deaths or between the deaths of the Marconi staff and the Ministry of Defence inquiry, now two years old, into some (pounds)3bn worth of defence contracts awarded to GEC-Marconi. No doubt in several instances pressure of work was the main factor: in a field where millions of pounds hang on the securing of contracts, it can be intense, especially if the Ministry of Defence investigators are hovering, as they had been at Frimley, Brigadier Ferry's base. It is hard to believe, however, that other factors have not also been at work. The pressure of work is also fierce in the money markets of the City, where equally large sums are at stake. Yet the suicide rate remains unremarkable. Mr Ferry's death on Tuesday must add to the concern already aroused by the alarming sequence of deaths in the defence industry. He had apparently been depressed since his car collided with a lorry a month ago; but suicide seems an extreme reaction. In such instances where no foul play is suspected, the inquiries of both police and coroners are likely to be brief, partly for the sake of the distressed relatives. They will not be concerned with establishing a connection with comparable deaths in different counties. Since these cases have been spread wide, there is now a case for pulling the threads together. It may be that there is no conspiracy and no concerted skullduggery. But these have been talented men. To allay anxieties, a senior police officer should be appointed to head a coordinated investigation into the underlying causes of so high a death rate. ------------------------------ Date: Wed, 31 Aug 88 14:30:32 edt From: Henry Cox Subject: $300,000 Automatic Teller Theft (Sort Of) THEFTS FORM AUTOMATIC TELLERS WON'T HURT CLIENTS: DESGARDINS (From the Montreal Gazette, Monday 29 August, 1988) Desjardins credit union customers are being told not to worry about the theft this year of $300,000 from automatic tellers. [ What, me worry? ] Bruno Morin, Desjardins senior vice-president in charge of administration, said the money disappeared from three locations between February and June. Morin assured automatic teller customers that their transactions won't be affected by the unsolved crime, believed to be "an inside job". The amounts stolen are guaranteed by insurers. He added that some changes have been implemented which should avoid any similar thefts. Morin dismissed reports that the $300,000 was stolen by thieves who tampered with the credit union's computer information system. "The computer had nothing to do with it. People got in and stole the reserves. It's pure and simple." What isn't so simple is finding out who took the money. We know exactly the hour and minute the money was stolen and where it was stolen from - just not who did it,", he added. Although Morin wouldn't divulge which automatic tellers were hit, he didsay non was on the island of Montreal. One was in Longueuil [ a suburb on the South Shore ], he said. Francois Aubin, a public affairs vice-president of Desjardins, said the money appears to have been taken when the machines were being loaded. The automatic tellers are supplied by money by Desjardins employees as well as Secur, an affiliated security company. ------------------------------ Date: 26 Aug 1988 1313-PDT (Friday) From: mogul@decwrl.dec.com (Jeffrey Mogul) Subject: Car engines become target for hackers (RISKS-7.39) In RISKS-7.40, Jerry Saltzer worries that if auto repair places must verify the microcode in a car computer, that there will be problems with out-of-date service information; a service agency that hadn't yet received (or had already discarded) the microcode for YOUR car might challenge your warranty. This seems like an obvious application of digital signatures: dedicate some portion of the ROM to a value derived from an encryption of the rest of the ROM (plus some standard validation pattern). ROM hackers without the encryption key could not generate a valid ROM signature. Key security is clearly problematic; it would be greatly simplified if a public-key system is used, so that rather than requiring key security at ever repair shop, the key need be known only when the ROM code is compiled at the manufacturer. Since it doesn't matter how long the crypto function takes to compute, any sound public-key system could be used (perhaps avoiding large license fees). 10 years ago, Jerry wrote an article for Operating Systems Review pointing out some problems with digital signatures; but since nobody is going to try to disclaim one of these ROM signatures, the problems he raised then do not apply here. -Jeff ------------------------------ Date: Wed, 31 Aug 88 17:59:09 CDT From: thomas@xenurus.gould.com Subject: Blinker failure in 87 Ford Mustang Reading the discussion of car acceleration problems in RISKS has prompted me to write of a personal experience I have had with my 1987 Ford Mustang. I was on a trip to Kentucky about 6 months ago, and while in one of the towns had an interesting problem. I suddenly noticed that, although I was using the turn signal arm appropriately for all of my actions, the turn signals did not seem to be activated on the dashboard. I quickly turned down a side street, put the car in park (but didn't turn the engine off), and had a friend of mine who was with me get out and check the turn signals. Sure enough, they were *not* being activated! Being of the experimental sort, I then proceeded to put on the emergency flashers, which worked correctly. I shut them off and once again tried the turn signals. Low and behold (you guessed it), the turn signals worked fine! What went through my mind at that point was, what if I had been in an accident and someone accused me of not properly signaling? What could I say in my defense? Would anyone believe me? I did not report this to the dealership since I considered it an intermittent computer problem that they would probably *never* find. Also, the problem has never reoccurred (to my knowledge). The problem may not be computer related, but it sure sounds like it is! Tim Thomas, Gould CSD Urbana, Urbana, IL 61801 (217) 384-8718 uucp: ihnp4!uiucuxc!ccvaxa!thomas ------------------------------ Date: Sat, 27 Aug 88 12:37 PDT From: Andrew Birner Subject: Risks of locking systems In Risks 7.37, Leonard N. Foner (foner@wheaties.ai.mit.edu) writes: > Whatever happened to good, old-fashioned mechanical locks? Not even a simple mechanical lock can protect you when the locking system is poorly designed. The scheme installed in our computer room a few years back illustrates this: The computer room is acessible from two sides. On one side is a simple double door (for bringing in supplies, etc.), secured with a basic jimmy- proof cylinder lock. Maintenance has a key to this, so that they can get in to check the air conditioning filters and water lines. On the other side, we installed a vestibule with output bins, to protect our operators from chatty users. The door from the vestibule to the computer room has a mechanical combination lock; you punch in some numbers and turn the knob, and the door (usually) opens. From inside the computer room, the door is opened by simply turning a crank. Clearly, if you don't know the combination, you can get from the computer room to the vestibule, but not back in again. After we installed the vestibule, we replaced the old door to the corridor. We changed the direction of swing, and also got rid of the door knob, so that users could just push it open. Of course, we still wanted to lock the vestibule during off hours, so we asked maintenance to install a deadbolt, which they cheerfully did. This deadbolt was actuated by a key on the outside (corridor side), and had NO ACTUATOR AT ALL on the vestibule side! This arrangement made it perfectly possible for someone to get trapped in the vestibule, with NO WAY OUT! I complained of this, but nothing came of it; maintenance apparently decided the probability was low enough that they needn't worry. I doubt the fire inspector would have been impressed, but this didn't seem to bother anyone. About a year after this was installed, a maintenance engineer entered the room via the back entrance, to clean the AC water filters. After filling a bucket with water, he decided to go out the front way, since it was closer to where he wanted to dump this water. He went into the vestibule, letting the door latch behind him, and tried to open the corridor door--which was, of course, locked! Naturally, he didn't know the combination (why should he? He had a key, after all...), so he was quite effectively trapped. Since he didn't feel like waiting until the watchman came by, our hero kicked his way out through our output bins, doing a fair amount of damage. There is now an actuator for the deadbolt on the inside of the vestibule... Andrew Birner ------------------------------ Date: 31 Aug 88 12:24:39 PDT (Wednesday) From: Rodney Hoffman Subject: Electronic 1040s From the August 31, 1988 'Wall Street Journal': Electronic filing [of tax returns] advanced despite computer software snags, says the General Accounting Office. Such filing of computer- ready returns by preparers speeds processing and refunds and slashes errors. The IRS plans to expand it to 48 districts in 1989 and to all 63 in 1990; volume could reach 35 million returns in 1993. Congress's General Accounting Office reports that IRS successes in handling about 580,000 such returns from 16 districts this year came despite glitches that prompted the IRS to make many software corrections without the required testing of effects. As a result, the IRS is waiting for final corrections before going back to make permanent electronic records of the returns. Now it is examining ways to eliminate the need to submit signatures and W-2 tax- withholding forms separately on paper. And it will work to recruit smaller return preparers for 1989; this year, H&R Block offices filed 82% of all the electronic returns.... The IRS's Greensboro district, covering North Carolina, this year produced 123,386 electronic returns -- over 21% of all such filings. The Dallas district ranked second with 70,832 returns, or over 12%. ------------------------------ Date: Thu, 01 Sep 88 10:29:15 +1000 From: George Michaelson Subject: water seepage stops Computer controlled monorail Details in "COMPUTING australia" of Aug 29 Water seepage into Sydney's new monorail PLC (Programmable Logic Controller) halted the system. the GEC-Digital 140 PLC which is located in the nose of the train has been tested with an HP analyser to try and simulate the fault. The monorail is highly automated. One breakdown had dozens of passengers stuck in a sealed environment for over 2 hours, with complaints about heat & lack of fresh air. Many people resent the monorail as a pointless and expensive intrusion into the city, but there have also been fears voiced about the safety of automated systems like this. ------------------------------ Date: Sun, 28 Aug 88 23:09:58 EDT From: attcan!lsuc!dave@uunet.UU.NET Subject: Re: Fewer Charges Now Require a Signature Petro-Canada, the government-owned oil company that competes on the market here with the rest of the biggies, switched to a "no signature" system a few months ago. You get your card back along with what looks like a normal cash-register receipt. It has a line for signing on it, but you only get one copy and the attendant tells you that's all there is. The first time this happened to me, I did a doubletake, thought a second and decided that if they didn't WANT my signature, I wasn't going to complain. A couple of months later an article in the Toronto Star noted that Petro-Canada will change this policy, due to customer complaints (people somehow think that not signing a credit card slip makes them more liable to false charges). Last time I was at a Petro-Canada, they were still doing it, though. ------------------------------ Date: Sun Aug 28 11:06:22 1988 From: sun!portal!cup.portal.com!Patrick_A_Townson@unix.SRI.COM Subject: Continental Bank Drops Retail Accounts [PATRICK: Sorry, mail to you fails, thus no earlier responses. PGN] On August 15, 1988, Continental Illinois National Bank of Chicago discontinued retail banking operations. All retail checking and savings accounts on that day were transferred intact to the First National Bank of Chicago. Most readers will recall that during 1984, Continental went belly-up. Unlike many other banks which have collapsed, Continental was given a huge infusion of money by the feds and kept afloat. Over the three years which followed, Continental again squandered alot of its money, leading the feds to demand some radical changes in one of the largest banks in the world, and the largest bank in Chicago. One of these changes was to get rid of all non-profitable banking business, which was defined to include retail accounts, or the accounts of little folks like you and I. Many of us with Continental accounts in the dark days of 1984 stuck it out without batting an eye. This time around, we were given no choice in the matter of our bank loyalties. The switch to First National Bank was announced several months ago. The change became effective on Monday, August 15. *No action of any sort was required of customers.* We did not have to do a thing. Beginning about August 5, FNB began mailing out new ATM cards and PINS. Several days later, they began mailing out new checks. About 40,000 customers of Continental were involved, so there were some errors in getting the new checks and ATM cards out to the proper address, but these are now largely resolved. We were told to begin using our new checks from FNB on Friday, August 12, under the assumption these checks would not reach clearing until at least August 15. We had to discontinue the use of the Continental ATM cards on Friday, August 12 at 2:00 PM, and were allowed to begin using the cards from FNB as of Monday, August 15 at 8:00 AM. Our only real inconvenience was the inability to use Cash Station machines over that weekend. Continental will continue to manually clear checks written before August 15 which come through for the next two months. They will be forwarded to FNB to be charged on our accounts. Continental issued a final statement on August 15, and waived the usual service charges for the final month. For about ninety percent of the old Continental customers, they will have the same closing date on their statements from First National Bank. As an added courtesy, FNB *will not have service charges of any kind* on these accounts transferred from Continental for one year, until 9-89. The first batch of 300 checks on the new account are free. There will be no ATM fees. There will be no per-check or monthly fees. Since the accounts were not considered 'new accounts' under federal regulations, the new supply of checks for each customer began numbering at 1001 instead of 101 as on new accounts, and the original date of opening was omitted from the face of the check. FNB also took over the branch bank facility Continental had operated at 1150 North Clark Street on the corner of Division Street, and will continue to operate it as a branch bank. Since both banks belong locally to the Cash Station network, there is no difference in the location of ATM's in the area. Continental belonged nationally to the PLUS network, and FNB is in the CIRRUS network, so there will be some differences when travelling outside the Chicago area, but these should be minimal. On Monday, August 15, the teller lines at FNB were *much longer* than usual, as large numbers of former Continental customers qued up to make sure their money had actually been transferred without a hitch. Of course those of us ATM devotees who wanted to check merely had to go to any machine and inquire, to make sure everything was okay. People who had not received their new check stock and ATM cards as of August 15 were issued temporary checks on the spot in the bank, and ATM cards were printed on an embossing machine nearby. Perhaps several hundred out of the 40,000 customers transferred had failed to receive either their new checks, their ATM card or their PIN by the cutover date, but overall, the transition was quite smooth. Employees were stationed in the lobby at Continental for about two weeks before and after the change, handing out information on the transfer. One customer service representative will continue to be on duty in the lobby of Continental for about another month. Although I did have a fight with FNB about fifteen years ago which obliged me to sue them (I won the matter!), I have decided I will try them again for awhile, especially since the account is free of all charges for the next year. I might add the checkstock is more attractive also. My new account has a picture of the Chicago skyline on the check. My pay-by-telephone account was also automatically switched over. We have here in the Chicago area a system by which the utilities (gas, phone and electric) can be paid through a simple phone call to a central computer, and I was concerned at first if this would be changed also. It was, so far as I know, with no hitches whatsoever. The cash machines are responding a little differently though. Under the old Continental account the machines would accept 'split deposits', that is, you could deposit a check and take cash back from the deposit. Under the new account with FNB -- even though its the same Cash Station network -- you have to make two transactions: one to deposit the check, the other to withdraw the desired cash. Likewise, under Continental, you could not get your balance on line until about two months ago. FNB says they have always offered that to their customers. At Continental, we could ask the machine to give us the time, date, and nature of the last transaction; FNB says they are unable to do this. Etcetera...small minor differences, but overall a very smooth conversion of accounts. Continental's credit card portfolio was sold about a year ago to First National, so VISA and MASTERCHARGE cards from that bank have already been getting processed for several months by the FNB card center in Elgin, IL. About 2000-3000 Continental customers decided not to make the switch, and sought out new banking arrangements of their own during the summer. Patrick Townson ------------------------------ End of RISKS-FORUM Digest 7.41 ************************