RISKS-LIST: RISKS-FORUM Digest Wednesday 8 February 1989 Volume 8 : Issue 22 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: B-1B bomber avionics problems (Jon Jacky) Risks of public terminal rooms (Roy Smith) Using barcodes for road toll payments (Phillip Herring) ATM error - in Europe (John O'Connor) Computing as a Discipline (Peter J. Denning) Cryptic status displays, and GIGO (Mark Brader) Re: `User friendliness' and forgotten root passwords (Shannon Nelson, Ge' Weijers, smv) Health Hazards of Office Laser Printers (Hal Murray, Jeffrey Mogul) Re: Keycard badges vs. anti-shoplift systems (Craig Leres) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. * RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99). ---------------------------------------------------------------------- Date: Mon, 06 Feb 89 19:59:21 PST From: jon@june.cs.washington.edu < Jonathan Jacky, University of Washington > Subject: B-1B bomber avionics problems Here are excerpts from AVIATION WEEK 130(1) Jan 2 1989 pps. 101, 103: ROCKWELL WORKING WITH AIL TO DEVELOP B-1B AVIONICS FIX (no author) Rockwell has more than two dozen engineers at AIL [an Eaton subsidiary] to work on the ALQ-161 which is designed to detect, indentify and jam enemy radars. ... The problem occurs when an aircraft flies at low altitude over a powerful radar system. The system radar produces harmonics in the warning receiver that result in a large number of spurious signals overloading the ALQ-161 processor, which tries to analyze them as though they were actual threat emissions ... The fix essentially calls for screening out the spurious signals before they are digitized and allowed to enter the system processor ... Engineering work could be accomplished for about $15 million. The modified system could be evaluated in a flight test by next fall or winter. The $3.5 billion Air Force contract for development of the ALQ-161 was by far AIL's largest contract to date. The Air Force, meanwhile, has decided to study another approach to the problem which involves installation of an autonomous radar warning receiver in addition to the ALQ-161. ------------------------------ Date: Wed, 8 Feb 89 16:34:48 EST From: Roy Smith Subject: risks of public terminal rooms Last week at USENIX, there was a public terminal room consisting of a bunch of terminals on an ethernet terminal server, and a Sun-3/60 with a dial-up SLIP line acting as an IP gateway to the rest of the world. People were invited to telnet to their home machines and read their mail (or whatever). It occured to me that if one was into such things, this would have been a golden opportunity to set up an ethernet listener to capture hostname/username/password triples. Given the high concentration of system administrators at USENIX, in the span of 5 days, one could have captured passwords for important accounts on most of the major Unix machines in the country. ------------------------------ Date: Tue, 7 Feb 89 16:10:44 EDT From: ph@uowcsa.oz.au (Phillip Herring) Subject: Using barcodes for road toll payments (From "The Australian"'s Computer section, Feb 7th, p. 55:) "Barcodes, now in common use for identifying anything from cornflakes and library books to beer barrels, could also be the answer to speeding up the flow of traffic over Sydney's harbour bridge. "Stickers carrying the barcode for the particular week or month could be sold at railway stations, lottery agencies or through the mail. "These would be stuck to the side window of vehicles where they could be read by long-distance scanners at existing bridge checkpoints.[...] "[A company representative] said the use of such technology on the bridge would enable vehicles to pass straight through if they were carrying the right barcode markings. "If there were no sticker or the code was out of date, the normal default camera would be activated." (From the second paragraph, it seems that everyone would get the same barcode for a given period. At $1.50 (Aust.) per crossing, the new (manual) monthly passes will be worth a lot of money. With the Barcode system, anyone with a good printer and barcode-generating software would be in a good position to clean up with fake barcodes.) Rev. Dr. Phil Herring, University of Wollongong ------------------------------ Date: Mon, 6 Feb 89 12:40 GMT From: John O'Connor EuroKom Subject: ATM error - in Europe Recently when I was in Germany on holidays I used my Eurocheque card (once) to withdraw money from an ATM there - the ATM gave me no script of the transaction incidentally. It took about 3 weeks for the transaction to reach my account in Ireland. Fine - I saw it come in on the statement and marked it off against my records. Then 2 weeks later 2 more debits for the same amount came in. I checked my records before approaching my bank query the transaction. I was told that they would have to check back with the bank in Germany and examine its hardcopy audit of transactions etc. etc. and it could take 3 months for the amount to be refunded. The teller did however check with the international ATM office for the bank to discover that in the central clearing house in Brussels the German transaction tape had been mounted 3 times instead of once - causing chaos. The first erroneous transaction was corrected a few days later but it took more than a month to correct the second. My bank manager took a sympathetic view of my case and refunded the sum immediately, pending a correction from Brussels. A few points in this case: 1. I find it unbelievable that this sort of error could happen in a major financial banking centre - any other similar reports ? 2. My colleages said that they would not have spotted the error so quickly (or at all) - too much trust in bank statements. 3. In the event of a dispute it was a case of my word against theirs - I had no proof that I had NOT withdrawn the money. John O'Connor, Systems Support, EuroKom, University College Dublin, Dublin 4, Ireland. ------------------------------ Date: Wed, 8 Feb 89 13:21:53 pst From: Peter J. Denning Subject: Computing as a Discipline A recent item in RISKS (Engineering vs. Programming, by Lynn R. Grant, in RISKS-8.20) about distinctions between engineering and programming prompts me to invite RISKSers to read the report, "Computing as a Discipline," by the ACM Task Force on the Core of Computer Science. It is published in the January CACM and a condensed version on the February COMPUTER. It discusses these distinctions and more. The authors are Peter Denning (chairman), Doug Comer, David Gries, Michael Mulder, Allen Tucker, Joe Turner, and Paul Young. ------------------------------ Date: Tue, 7 Feb 89 18:57:01 EST From: Mark Brader Subject: cryptic status displays, and GIGO SoftQuad is one of the many companies that have decided lately that getting a FAX machine was a good idea. The one that we got supports delayed-start transmission to take advantage of overnight phone rates. Last night, one of our managers left the machine set to send a document at 4:05 am to the 32nd phone number in the machine's memory, and went home. And another employee came along, saw "D.XMT 0405#32" on the status display, decided this must be an error code, and helpfully removed the document from the feeder to try to clear the problem. I asked the victim if it was okay to send this to Risks. He replied: While you're at it you might comment on the highly confidential FAX I had to send some time ago. So confidential in fact that the recipient had to go to remove the FAX from the machine the moment it arrived so that no one would see it. Some time later, I got a puzzled call complaining that the FAX hadn't arrived. I'd been so careful about making sure it was sent correctly, I'd put it in the machine wrong side down ... Mark Brader, SoftQuad Inc., Toronto utzoo!sq!msb, msb@sq.com ------------------------------ Date: Tue, 7 Feb 89 00:19:11 pst From: Shannon Nelson Subject: Re: `User friendliness' and forgotten root passwords (RISKS-8.21) Don't be so shocked. That's taken directly out of the manuals from AT&T. My copy is the Prentice Hall publication _UNIX(r)_System_V/386_ _System_Administrator's_Guide_ for Systam V Release 3.0. Procedure 1.5 is indeed the procedure for "recovering" a forgotten root password. Actually, it's for replacing /etc/passwd with the original default file. The fact that you wipe out all of your account information is not mentioned. Also, the boot floppy that you are to use is meant for installing a new release, and automatically starts the process once UNIX is running. The procedure doesn't mention how to get out of that program and get a shell prompt. (Just hit the interrupt key at the first question) Before attempting the procedure, I suggest making a copy of /etc/passwd. ------------------------------ Date: 7 Feb 89 09:36:34 GMT From: ge@phoibos.cs.kun.nl (Ge Weijers) Subject: Re: `User friendliness' and forgotten root passwords (RISKS-8.21) There is no real protection against breaking into a system if you have physical access to it, IF it does not have any features that make booting from a random floppy impossible. Even without the boot disk it is quite easy to find the password file with a sector editor. One could boot the T5100 and run MS-DOS with the Norton Utilities or whatever to search for "root:" and change the password field to empty (making a hole in the 'gcos' field). Reboot Unix and type 'root'. No password check. Who needs bootable Unix floppies? Some AT-clones have a feature which prevents bootstrapping from a floppy if switched on. A flag is stored in the clock chip. This 'feature' can easily be defeated by disconnecting the backup battery. (this is also true for BIOS-based password checks) Systems containing sensitive data should not be physically accessible. Ge' Weijers, KUN Nijmegen, the Netherlands UUCP: ge@cs.kun.nl -or- uunet.uu.net!kunivv1.uucp!phoibos!ge ------------------------------ Date: Tue, 7 Feb 89 18:31:32 EST From: smv@apollo.com Subject: Re: `User friendliness' tradeoffs can lead to total nonsecurity eric@snark.uu.net (Eric S. Raymond) writes in risks 8.21: > And since > these machines are portables it is unlikely they'll get much site protection. I would expect a portable would be more closely attended than your average VAX. Most VAXen aren't at serious risk of being stolen while you get a cup of coffee. Also, most VAXen won't fit in an office safe, the Toshiba will. For the truly paranoid, there's always the large safe-deposit boxes at the bank, talk about secure computing! Even gets you mandatory signature checking at login. :-) ------------------------------ Date: Mon, 6 Feb 89 22:43:43 PST From: murray@src.dec.com (Hal Murray) Subject: Health Hazards of Office Laser Printers I used to work for Xerox, so I may be biased. I'm interested in that area, but not an expert. You should be able to get that sort of info from the manfacturers. Your local salesman may not be very helpful, but there is probably a corporate health or safety officer that worries about that sort of thing. He will probably be happy to send you copies of the reports that they have already filed with the government to certify that they meet all the rules. Try writing to the corporate headquarters. I've seen the report sheet for the toner used in an LPS-40. It's not very interesting. If you can't get anything like it, I can probably send you a copy. I saw a similar one while I was at Xerox. It was equally dull. Toner is almost inert. It's basically carbon black and ground up plastic. They stuff lots of it into rats trying to see if it does anything nasty. I think the laser is powerful enough to be a problem if you look directly into it, but it is packaged inside a box ... Yes, arsenic is an interesting chemical to use in a drum. I'm not sure what is acutally used these days. Things like arsnic are not usually very toxic until they get turned into a soluable compound. Copper and lead are toxic, but most people don't really worry about handling wire, pipe, or solder. (I've seen "wash your hands before eating" stickers on solder. I wonder if they teach that to plumbers?) It's standard procedure to polish the drum, by hand, with a soft cloth, when tuning/cleaning a copier/printer. Next time I see a repairman, I'll ask. I don't remember that they were particularly careful with the cloth. I did hear stories about early Xerox researchers working with selenium drums getting a strange body odor, but I don't remember any health complications that were part of the tale. If I were looking for troubles, I'd try to find ozone. A dirty machine or such may make enough to be interesting. I can't remember the name, but there are thin high voltage wires used to charge the drum. Coronatron? ------------------------------ Date: 6 Feb 1989 1252-PST (Monday) From: mogul@decwrl.dec.com (Jeffrey Mogul) Subject: Re: Health Hazards of Office Laser Printers In RISKS 8.21, Keith Dancey asks about information on the hazards of office laser printers. I found a little information which might be useful. Digital (my employer) sells the LN03 printer, the guts of which are made by Ricoh. Included in the replacement toner cartridge kit is a "Material Safety Data Sheet"; I suspect that this information may be available from most other manufacturers. The document lists, under "Hazardous Ingredients", two components of the toner: Ferrosoferric oxide 55% Styrene acrylic resin 45% The document goes into some detail on toxicity and first aid, but the short summary would be that there are only "nuisance dust" problems. The toxicity of each ingredient is also described: Ferrosoferric oxide occurs in nature as the mineral "magnetite". No toxicity, other than that associated with nuisance dust is recognized. Styrene Acrylic resin: This copolymer of styrene and acrylic acid has not been associated with a toxic effect in the open scientific literature, although the toxic effects of both styren and acrylic acid are well established. For practical purposes, the polymerization process apparently renders this substance biologically inert, only the nuisance dust properties associated with inhalation of large quantities of this material would be expected to be of biologic concern. Nowhere in this document is carginogencity explicitly discussed, except to state that neither ingredient is listed in any of the following: Registry of Toxic effects of Chemical Substances (NIOSH), Occupational Safety and Health Administration, NIOSH, International Agency for Research on Cancer (WHO). I assume that this means that none of these organizations currently consider these ingredients toxic or carcinogenic, although that's purely an inference on my part. Apparently, there are no "unusual fire or explosion hazards", no "hazardous decomposition products", and no "conditions to avoid". "Other Precautions: Do not handle in areas where wind blows. Avoid inhalation of dust." o o o So far, so good, I thought. Then, I checked the Material Safety Data Sheet for Digital's LPS40 printer, also built on a Ricoh marking engine. This toner includes Styrene Acrylic Resin, but it also includes "dye" (nowhere else discussed) and Carbon Black. That rang a bell; sure enough, there is more question about this than the other toner. Under "Toxic effects of ingredients": Carbon Black Carbon black(s) have been tested for toxicity and carginogenicity in both animal exposure experiments and in epidemiologic investigations of exposed worker populations. Results of these investigations have been uniformly negative. Other than for the accumulation of carbon black in the pulmonary system, prolong exposure to carbon blacks produced no untoward effects. Benzene extractions of carbon blacks from some sources have elicited carcinogenic responses in animals, although the parent substance, itself, has been negative in this regard. The International Agency for Research on Cancer (IARC) has evaluated the evidence for the carcinogenicity of carbon black as inadequate to determine a carcinogenic risk for humans. This document also states that "A review by the IARC of related polymers of [the two monomers used in styrene acrylic resin] was uniformally [sic] negative." For more information, I turned to "Dangerous Properties of Industrial Materials (6th ed)", by N. Irving Sax. About carbon black it says "Whiel it is true that the tiny particulates of carbon black contain some molecules of carcinogenic materials, the carcinogens are apparently held tightly and are not eluted by hot or cold water, gastric juices or blood plasma." It is my recollection that newspaper ink contains carbon black; that might indicate the relative level of danger of carbon black in toner (although toner is inhalable, unlike printers' ink). I don't normally add disclaimers to my messages, but I'm not speaking either as a representative of Digital or as an expert on this topic. ------------------------------ Date: Tue, 07 Feb 89 00:44:49 PST From: Craig Leres Subject: Re: Keycard badges vs. anti-shoplift systems When I was in high school (about 10 years ago) they installed an inventory control system in our library. This spiffy new hi-tech system caught the immediate attention of a friend and me (who were sort of into lock hacking when we were in grammar school). Obviously, we had to find out how the system worked and that meant stealing one of the widgets. Once accomplished, we disassembled it (it was made out of paper and foil) and then spent a few days theorizing about how the system worked. Luckly we had already studied electricity and magnetism in our physics class. We were hard pressed to explain exactly how the widgets were detected by the exit sensors, but knew it had something to do with EMF or RF. I "borrowed" a small square of sheet metal from my metal shop class and, in a brave experiment, we demonstrated that a steel shield could be used to neutralize the widgets. What we never figured out was why anyone would want a system that was so easily defeated. Craig ------------------------------ End of RISKS-FORUM Digest 8.22 ************************