RISKS-LIST: RISKS-FORUM Digest  Tuesday 6 December 1988  Volume 7 : Issue 88

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Summary of Software Uniformity Legislation issue (Conleth OConnell)
  Exploiting workers (Dale Worley)
  Re: Automated teller theft (Dr Robert Frederking)
  Speeding detectors (Dave Horsfall)
  Report of hardware "virus" on chips (Gary Chapman)
  Re: Corps of Software Engineers? (Richard Rosenthal)
  Vendor Liability, and "Plain Vanilla" configurations (Bob Estell)
  Talk by Tom Blake on Computer Fraud (Mark Mandel)
  Defining "hackers and crackers" (Gordon Meyer)
  RISKS OF GREATER GARBLE (somewhere in netland)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Mon, 5 Dec 88 22:58:25 EST
From: Conleth OConnell
Subject: Summary of Software Uniformity Legislation issue

I want to thank all of you who have expressed opinions on the Software Uniformity issue. I also want to forward the thanks of the organization, described below, for your opinions/concerns. After describing the organization, I give a brief summary of the opinions that were sent. To the best of my knowledge, the organization is meeting towards the end of January, so should you still want to send an opinion to me, I am setting a deadline of January 15, 1989, to ensure forwarding. Once again THANKS!!

The organization that was requesting the information is "The National Conference of Commissioners on Uniform State Laws." The best known act that came out of this organization is the Uniform Commercial Code. It is made up of practicing lawyers, college law professors and deans, as well as some judges. The members donate their time to this organization; although some states pay actual expenses, no member receives a salary for working on the organization. The organization has NO association with the Federal Government or with Congress. For those of you so inclined, the representatives from each state can be sought out via the State Bar or Secretary of State.

PROS
- Something needs to be done along the lines of truth in advertising of a particular product. For example, the packaging of some products with "lavish painted covers of the boxes", when in fact the product has nothing to do with the artwork. This is not acceptable in other industries like videotapes, toys or plastic models.
- The industry has been lax with self-regulation, so something needs to be done.
- Some minimum standards are needed, but who monitors them, what are the reporting/registration requirements, what would be the penalties, but "Don't feed the lawyers."

CONS
- Most of the opinions were dubious of federal legislation, even the opinions in the above section.
- A major concern is for the smaller companies/individuals.
- A bad product tends to get negative publicity anyway, thus there seems to be some quality control by the community, but the inexperienced/isolated user can get burned.
- Concern about price increase blamed on the regulation, which, in the end, hits the consumer and the small companies.
- "Control will only close off creativity."
- The Uniform Commercial Code has been used in the past.
- The feeling that the industry is "moving towards warranties, guarantees, and efforts for solid support" without legislation.
- Legislation may be obsolete by the new technologies.
- Similar feelings towards the "stifling" of public domain and free/shareware packages.

Thanks again and Happy Holidays!!

Conleth S. O'Connell, Department of Computer and Information Science, The Ohio State University, 2036 Neil Ave., Columbus, OH USA 43210-1277

------------------------------

Date: Mon, 5 Dec 88 10:52:08 EST
From: worley@compass.UUCP (Dale Worley)
Subject: Exploiting workers

From: Larry Hunter
>From "Optical Information Systems Update," Dec 1, 1988, p.8.
  Digiport, a new telecommunications facility in Jamaica, will open up a new era for data entry operations. And, of course, with a significant loss to data entry personnel in high cost (like $6.00/hr) labor areas. Not to mention the savings (losses) in reduced requirements for worker benefits and safety standards.

Is this really a loss to the workers? The workers in the high-cost areas must be able to get $6/hr somewhere else (or else the data entry operations wouldn't have to pay so much). The workers in Jamaica clearly *aren't* able to get $6/hr somewhere else. It seems to me that the net change is to slightly reduce labor demand in high-wage areas (thus slightly reducing wages there) and to slightly increase labor demand in a low-wage area (thus slightly increasing wages there). It seems to me that this is not only "economically efficient" but also redistributes wealth from the rich to the poor. (Of course, an American data-entry worker isn't "rich" from our point of view, but *is* from the vantage point of the average Jamaican.) If everybody in the world were able to bid on every job that they were capable of, wage inequities (from country to country) would be much smaller. This is what has happened in the automobile industry (modulo import restrictions), raising such formerly Third-World countries as South Korea into the ranks of industrialized nations.

Dale Worley, Compass, Inc.   mit-eddie!think!compass!worley
Seen in a net discussion: "It took work to make tofu politically correct."

------------------------------

Date: Tue, 6 Dec 88 14:15:19 -0100
From: ref@ztivax.siemens.com (Dr Robert Frederking)
Subject: Re: Automated teller theft (Risks 7.85)
Organization: Siemens AG in Munich, W-Germany

I wouldn't be too sure that there really was a "passkey" card; that may have been a story cooked up to explain the loss to the public without revealing how vulnerable the system actually is.

I don't know what technology is currently being used, but about 10 years ago a friend and I were looking at some used computer equipment we were thinking of buying, in someone's garage. After we had chatted for a bit, and he apparently decided we were trustworthy, he told us that these computers were part of a banking machine system that he had bought, lock, stock, and barrel, and asked us if we would like to see the parts he wouldn't sell, for risk of being a party to a crime. Among other things, there was a bank card reader that would display the account and *PIN number* of a bank card you ran through it. It could also *write* these cards. There was a set of sixteen thumbwheels inside the machine to set parameters to the encoding algorithm, which no one at the bank thought to shuffle, and so were still set to the bank's choice! He pointed out that once a set of positions was chosen, a bank would never change them again, as this would require recalling all the cards in circulation for recoding.

It isn't clear to me that this could have been used in this case (unless the PIN number is algorithmically related to the account number, or the thieves had access to a list of PIN numbers), but this fellow could have caused a fair amount of trouble if he had been dishonest.

As for the daily limit, a friend of mine figured out once that you could easily exceed the daily limit. First ask for a balance. If the machine says it can't give you a balance at the moment, it means the line to the central database is down. You then withdraw the maximum daily amount. You do this on as many different machines as you can find. If the net is down, this is the total number of machines you can physically get to before the net comes back up.

"Robert Frederking"

------------------------------

Date: Tue, 6 Dec 88 10:47:05 est
From: Dave Horsfall
Subject: Speeding detectors

Just heard on the radio about how an Aussie inventor has come up with a box to detect speeders. Apparently, it ignores a short burst of speeding (e.g. overtaking) but logs it if it was sustained. When vehicle registration time comes around, the owner gets hit with a fine. I missed the actual implementation details, such as how it knows what the current speed limit is (but bar code scanners were mentioned).

The RISKS are obvious - you enter a 110 km/h zone, but the sensor doesn't see the new limit, and still thinks you are on 80 km/h etc.

In all, this appears to be yet another revenue-collecting device, shrouded in the guise of safety. We can well do without them.

Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz
dave%stcns3.stc.oz.AU@uunet.UU.NET, ...munnari!stcns3.stc.oz.AU!dave

   [By the way, Dave accidentally reposted RISKS-7.65 to some of you, and wishes to extend his apologies. PGN]

------------------------------

Date: Mon, 5 Dec 88 15:59:16 PST
From: chapman@csli.Stanford.EDU (Gary Chapman)
Subject: Report of hardware "virus" on chips

Advanced Military Computing, a defense industry newsletter, has reported that researchers at Nova University in Fort Lauderdale, Florida, have found a flaw in the Intel 8272A and NEC 765 floppy disk controllers that will allow incorrect data to be written to disks without alerting the user with an error message. The newsletter reports this flaw is a "virus," but there is very little technical information on the nature of the chip problem. The chips have been manufactured since 1978 and are estimated to be in millions of computers.
Both NEC and Intel deny there is a problem, but an Intel memo dated May 2, 1988 admits an error in the Intel chip. "The error condition has to happen in the last byte of the 512 bytes of a sector being transferred," said Nova University professor of computer science Phil Adams. The Intel memo, or letter, says that under this condition, "incorrect data is written to the disk and validated by the 8272A." The error condition is most likely to happen in networks and uploads to mainframes.

A report on the chip problem is available from Dean Edward Simco, of the Nova Computer Science Center, Nova University, Fort Lauderdale, FL 33314. The report is $5 and comes with a diskette containing a "risk assessment program," which allegedly reports on the "virus" in the subject machine.

[I assume no responsibility for the accuracy of this report, and this information is passed on without permission from Advanced Military Computing, and after no investigation of this other than reading the article in the newsletter.--GC]

-- Gary Chapman  chapman@csli.stanford.edu
Executive Director, Computer Professionals for Social Responsibility

------------------------------

Date: Tue, 6 Dec 88 12:36:54 EST
From: Richard Rosenthal
Subject: Re: Corps of Software Engineers?

> "Flexibility is software's strong suit, allowing the military
> to make changes in how a weapon system functions, even after
> it is fielded...

Replacement chips are available for the microprocessors in cars allowing one to change the performance characteristics of the engine. Imagine the following conversation:

Hey, Captain! Do you want one of these PROM's I burned last night? I changed the parameters for the F-16 thrust settings. Now I'll be able to do Mach 1.5 straight off the deck!

------------------------------

Date: 5 Dec 88 12:51:00 PDT
From: "FIDLER::ESTELL"
Subject: Vendor Liability, and "Plain Vanilla" configurations

GM *could* ship cars with "holes in the frame" for seatbelts, and then *highly recommend* that one order the seatbelts. They don't. The belts come, standard equipment, flat price; ditto the dashboard warning light and buzzer. Now, one *can* disconnect that annoying buzzer, or short out the connection under the seat to fool the buzzer. The cars are NOT tamper proof; but they are shipped with driver safety in mind.

By analogy, DEC could ship VMS with all the passwords "expiring", most ESPECIALLY those on "privileged" accounts [e.g., System, Operator], and then go into a "closed loop" that could be exited only after the "user" [system, or operator, in this case] selected and installed a *computer generated* password. ONLY then could the installation be completed; only then could the privileged accounts of "system managers" execute routines to allow users to generate their own passwords, default files to "public access" etc. etc. etc. ad insecurity.

I'm not picking on DEC; I happen to use -- and like -- VMS. I use that example because I can make it credibly. As most of you know, VMS is one of the few systems that has earned its "C2."

Bob

------------------------------

Date: Mon, 5 Dec 88 11:06 EST
From: Mark Mandel
Subject: Talk on Computer Fraud

Topic:     "Computer Fraud: Motivation, Method and Opportunity"
Speaker:   Tom Blake, Arthur Young, Boston
Date:      Wed 14 Dec 5:30 pm, Anthony's Pier 4, Boston
Host:      Mayflower Chapter, ASM (Association for Systems Management)
Register:  Beth Furey (617) 367-3161
Admission/registration charge: $25.00

------------------------------

Date: Mon, 05 Dec 88 21:24 CST
From: Gordon Meyer
Subject: defining "hackers and crackers"

I would argue that creating a new term to refer to the more... "illicit" users of computer systems would do little to help solve the confusion.

In my experience the "less malicious" use of the word HACKER is found almost entirely in professional computing circles. The media and general public know the term to mean "illegal, unauthorized and malicious computer use". (I just made that definition up...the quotes are used for emphasis, not to indicate another source.) If the computer science community continues to hold on to the term "hacker" they will only create more confusion and ambiguity in the future. While I realize that the term may be nostalgic for some of you, English is not a static language, and continuing to use an "outdated" definition of the term serves little purpose.

PS: Just to add a little more confusion to the issue, the term "cracker" is sometimes used to refer to those software pirates with the programming ability to remove copy protection. If folks insist on creating a new name for the "illicit" users out there..."crackers" is probably not the best choice.

Gordon R. Meyer, Dept of Sociology, Northern Illinois University.
GEnie: GRMEYER   CIS: 72307,1502   Phone: (815) 753-0365

------------------------------

Date: 6 Dec 88 06:02:08 GMT
From: [somewhere in netland]
Path: mirror!bu-cs!bloom-beacon!tut.cis.ohio-state.edu!cwjcc!mailrus!ncar!ames!pasteur!ucbvax!KL.SRI.COM!RISKS
Subject: RISKS DIGEST 7.87 [RISKS OF GREATER GARBLE]

I EXCERPTED A FEW GARBLED LINES FROM A RETURNED COPY OF RISKS-7.87. [SIC] GLORIOUS TRANSIT MONDAY's ISSUE.

RIQKS-LIST: RISKS-FORUM Digest Molday 5 December 1988 Volume 7 8 Issue 87
FORUM ON RISJS TO THE PUBLIC IN COMPUTERS AN@ RELATED SYSTEMS
ACM Committee on Computers and Public Poli`y, Peter G. Neumann, moderator
DEC @net and "denial of service" att`cks (Willie Smith)
(P`ul E. McKenney, Kendall Collett, PGN)
(Fpank Maginnis, PGN, FM, Darrell @ong, Alex Colvin)
Computer Riqks Revisited (John Markoff)
taste, objective, aoherent, concise, and nonrepetitious. Diversity is welcome.
COLTRIBUTIONS to RISKS@CSL.SRI.COM( with relevant, substantive "Su`ject:" line
From: Jerry Harp`r
This is exaerpted from THE IRISH TIMES of pwo weeks back:
The Department mf Health was accused yesterday of committing some [$67m] of State funds to the purchase of an iladequate computer system for the health service. Eleven millimn pounds will already have been spent on the project
Flanagan, told the Dail [our parliament] Committee of Public A`counts.
...[the decision taken in 1982 to computerise governmenp services... deleted]
...Auditor General,Mr Patrick McDonnell, expressed his disquiet at tha lack of planning since that date, and at the fact that no cost`ng was done until May 1985, by thich time [$67m] was committed.$.
...Lr Flanagan said [$670,000] had `een spent on management consult`ncy. In his opinion, this was talue for money, despite the fact that some of the hardware provdd to be inadequate with high maantenance costs, and certain itels had to be sold off at half-prhce to health boards. In particqlar, the committee heard that threee of the mini-computers whic` had cost approximately
subsequently supplied to t`e Eastern Health Board at [$41,000] each.
...[deleted piece about the report being referred po the Minister]"
"loojed after" by the closely related McAuto. An enormous amount of pressure
system. Thd pressure came from the company through the usual sales hype an` several politicians attempting to bend individuals ears. A selior consultant
I one stage that maintenan`e people were practically livind in the hospital. I don't attrhbute culpability for the deficiencies of the system to any of t`e
Not exactly a risk of computerp, but definitely a risk to softrare engineers: during the early days of the war in Vietnam, thepe were some IBM programmers
war effort, that without thel the computers would not perform.
The IBM manager threatened tn go to superior authorities, so the Army commander then said that the nearby airbase was under `ttack and there were no flights available for evacuation. I neper heard the resolution of this story, but it was clear these ppogrammers got more than they bapgained for.

   [And then it is OK after that. The last time we ran such an item, it was a compression/decompression screw-up. Here it is just delted or garpled characters. I thought that there might have been an addded character, but then I noticed that "threee" is in the original. The time has come, the Mailrus said, or is this the legend of Tut? (See Path, above.) PGN]

------------------------------

End of RISKS-FORUM Digest 7.88
************************
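Going back to the daily-limit item in Robert Frederking's "Automated teller theft" post above: the exposure exists because the daily total is kept only at the central host, so each terminal that loses its link has to decide on its own. The model below is an added example written for this digest, not code from any bank or from the original post; it contrasts a naive stand-in terminal with one that grants only a small per-card offline allowance and reports it to the host when the link returns. All amounts, card names and terminal counts are constructed.

```python
from dataclasses import dataclass, field

DAILY_LIMIT = 300   # constructed: host-enforced per-card daily limit
OFFLINE_CAP = 50    # constructed: per-card amount a terminal may grant on its own


@dataclass
class Host:
    """Central database holding the authoritative per-card daily totals."""
    online: bool = True
    withdrawn: dict = field(default_factory=dict)

    def authorize(self, card, amount):
        used = self.withdrawn.get(card, 0)
        if used + amount > DAILY_LIMIT:
            return False
        self.withdrawn[card] = used + amount
        return True

    def reconcile(self, offline_log):
        # Once the link is back, offline grants count against the daily total.
        for card, amount in offline_log.items():
            self.withdrawn[card] = self.withdrawn.get(card, 0) + amount


@dataclass
class Terminal:
    host: Host
    hardened: bool
    offline_log: dict = field(default_factory=dict)  # card -> granted while offline

    def withdraw(self, card, amount):
        if self.host.online:
            return self.host.authorize(card, amount)
        if not self.hardened:
            # Naive stand-in: nothing but the single-request ceiling is checked.
            return amount <= DAILY_LIMIT
        granted = self.offline_log.get(card, 0)
        if granted + amount > OFFLINE_CAP:
            return False
        self.offline_log[card] = granted + amount
        return True


def simulate(hardened, terminals=5, card="card-1"):
    """One cardholder asks each terminal for its maximum during an outage.
    Returns (cash dispensed offline, whether a later online request for
    DAILY_LIMIT is still approved once the host has reconciled)."""
    host = Host(online=False)
    atms = [Terminal(host, hardened) for _ in range(terminals)]
    ask = OFFLINE_CAP if hardened else DAILY_LIMIT
    dispensed = sum(ask for atm in atms if atm.withdraw(card, ask))
    host.online = True
    for atm in atms:
        host.reconcile(atm.offline_log)
    return dispensed, atms[0].withdraw(card, DAILY_LIMIT)
```

With five terminals the naive design dispenses five times the daily limit and the host never learns of it, while the hardened design bounds the loss to five times the small offline allowance and the reconciled total blocks further withdrawals that day.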