Subject: RISKS DIGEST 9.96
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 29 May 1990  Volume 9 : Issue 96

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Roller Coaster Accident Blamed on Computer (Gary Wright)
  ATMs robbed with no signs of tampering (Stephen W Thompson)
  Bank deposits huge amount in account and blames owner! (Richard Muirden)
  Risks in secure documents (David Fuller)
  You Think YOU Have Trouble with Your Telephone Company? (Donald B. Wechsler)
  Steve Jackson Games & A.B. 3280 (Brian Sherwood)
  Re: Secure UNIX Infected? (Steve Bellovin, Henry Spencer)
  Dereferencing Tim Kay's address (David Kuder)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
TO FTP VOL i ISSUE j: ftp CRVAX.sri.com <CR> login anonymous <CR> AnyNonNullPW <CR>
cd sys$user2:[risks] <CR> get risks-i.j <CR>. Vol summaries now in risks-i.00 (j=0)
ALL CONTRIBUTIONS ARE CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.

----------------------------------------------------------------------

Date: Tue, 29 May 1990 18:01:46 EDT
From: wright@hsi.com (Gary Wright)
Subject: Roller Coaster Accident Blamed on Computer

ACE News is the official newsletter of The American Coaster Enthusiasts. The
following article appeared in ACE News, Volume XII, Issue 6, May 1990:

Worlds of Fun _Timber_Wolf_ Incident Blamed on Computer

The 1990 season began inauspiciously for Worlds of Fun (Kansas City, MO) when
two trains on the one-year-old _Timber_Wolf_ (world class woodie) collided on
opening day. No one was seriously hurt in the March 31 crash, but nine of the
28 passengers sent to the hospital were admitted, one with a broken leg.
The ride was closed immediately after the incident. The accident occurred when
the computerized control system allowed one train to rear-end another on the
first set of station brakes.

Beginning April 2, the $3-million wooden coaster was subjected to an exhaustive
investigation by Worlds of Fun, the Dinn Corporation (which built the coaster),
the engineering firm Burns & McDonnell, and TechnoMation, an electronic systems
integration design company. Before _Timber_Wolf_ reopened to the public on
April 27, the trains, structure, track and braking and computer systems were
all thoroughly inspected. The ride also went through an extensive series of
test runs with park executives aboard.

_Timber_Wolf_ is currently running with only one train. Two-train operation
will begin as soon as a new, co-processing computerized control system is
installed. With four times as many sensors as the original system (many of
them redundant) and two computer controls instead of one, Worlds of Fun
officials are confident that a similar accident will not occur.

  [RISKS-4.91 (28 May 1987) and ACM SIGSOFT Software Engineering Notes 12 3
  (Jul 1987) relate a previous case of two roller coasters involved in a
  crash, in which electromagnetic radiation was suspected. PGN]

------------------------------

Date: Tue, 29 May 90 09:17:01 -0400
From: "Stephen W Thompson"
Subject: Automatic Teller Machines robbed with no signs of tampering

_The Philadelphia Inquirer_, in a story from Monday, 21 May 1990 by Maureen
Graham and Mike Schurman headlined SHORE ATM TAPPED FOR $100,000 reported that
an automatic teller machine located in Trump Castle Casino Resort in Atlantic
City, NJ (and owned by National Westminster Bank) was missing about $100,000
which was apparently taken the previous week. The FBI was reportedly on the
case, and was considering embezzlement, inaccurate or inadequate record keeping
or theft by someone outside the bank. There was no forced entry into the
machine.
The article indirectly quoted the bank's CEO L. Douglas O'Brien, reporting that
"Bank officials said they believed that the thief had access to the bank's
security system." The funds were discovered during a weekly audit of the
machines. Two ATMs at other casino hotels had amounts of $10,000 and $20,000
stolen.

Some of the nitty gritty details:

  "According to O'Brien, the money is delivered by bank employees, as needed,
  to the Trump Castle lobby MAC [Money Access Center] machine and placed in a
  vault inside the machine.

  "The money from the vault is then transferred to canisters inside the
  machine by two employees -- from the bank or from a Philadelphia security
  firm that services the bank on weekends and during non-banking hours.

  "O'Brien said the $100,000 was determined to be missing from the vault
  section of the MAC machine.

  "To provide security, a dual-access system is used to service a MAC machine
  -- each employee has access to only half the security information required
  to enter the system.

  "However, officials said they suspected one person bypassed the security
  system.

  "'It was a legal access. It was not forced open. The system was
  compromised,' O'Brien said."

CoreState Financial Corp. operates the computer system for the machines.

****** End of article synopsis *****

In what may be a related development, I heard on the news this weekend of ATMs
in New York city that had money stolen, again with no signs of tampering.

There is no hard evidence that a computer RISK is involved in any of these
thefts; other security breaches are as likely. The Inquirer article doesn't
make clear what the "security system" consists of -- computer system or not?
The tone of the article makes it sound as if the reporters suspected a
computer RISK, but I can't always trust reporters' suspicions.
Steve Thompson, University of Pennsylvania, 215-898-4585
Standard Disclaimer

------------------------------

Date: Mon, 28 May 90 13:58:27+1100
From: s892024@minyos.xx.rmit.oz (Richard Muirden, A Star Trek Fan)
Subject: Bank deposits huge amount in account and blames owner!

I thought this personal story might be of interest to RISKS readers:

In mid 1988 I had an interesting experience with my bank account - I had had
$87,889,984 (or some such random value in the $87 million range!) added to my
account!! On asking the bank concerned if they could fix the problem they
blamed me for "Keying in the amount at an ATM!" Of course I protested my
innocence - where would I get that sort of money from?! :-)

Now I would have thought that surely:

a) The ATM software would check for such obvious erroneous data if I had in
   fact entered such an amount as a deposit. (ever heard of range checking?!)

b) With such large sums of money would the computer not alert an operator to
   check to see that it was valid (considering that I do not hold a corporate
   account).

The problem was fixed after several weeks (!) and although rather amusing {and
if only I got the interest on that money :-( } to do an account balance and
see a nice amount for a change :-) but it still leaves me wondering just what
happened and why they should blame *me* for such an obvious computer error!
Maybe it was because I am a student!

I wonder if this kind of error has occurred to anyone else.

-Richard Muirden  s892024@minyos.xx.rmit.OZ.AU

------------------------------

Date: Sun, 27 May 90 20:49:59 -0700
From: dafuller@sequent.UUCP (David Fuller)
Subject: Risks in secure documents

In response to your volume 9, Issue 94 observations regarding the security of
"secure" documents, I offer some comments:

1) The best defense is naivety. Diamond brokers (at least used to) ship
quantities of product via 1st class mail because it was reliable (in the
States) and anonymous.
Perhaps our most secure documents should be published in the Consumer
Information Catalog (available free from Pueblo, CO). Or perhaps they are;
suitably encrypted to look like regular documents.

2) The congressional register, if it is difficult to analyse, possibly
represents a chaotic system and models noise very well. Political statements
excluded.

On other topics...

Another interesting thing. We had our building "fire alert" system go off the
other day, fortunately a minor problem, and as we were watching the fire
department do their thing (very well) a cohort asked about the policy
regarding shutting down the machines in an emergency. I said that (in so many
words) I thought the idea was to preserve human (not machine) lives. My
workmate responded that his previous job was with a company whose policy was
that machines must be safely shut down before humans could respond to such an
emergency and insure personal safety.

Whether winding thread, sewing shirts or making steel, the organization has
life greater than human's; still.

Dave

------------------------------

Date: Tuesday, 29 May 1990 10:14:36 EST
From: m17434@mwvm.mitre.org (Wechsler, Donald B)
Subject: You Think YOU Have Trouble with Your Telephone Company?

After entertaining many explanations for misrouted telephone calls, RISKS
should consider another possibility. Last week, the Houston Post reported that
Ginger was in the dog house with the Arlington, Texas, police department. The
Post continued:

  That's because the Lhasa apso twice managed to place 911 emergency calls
  from an Arlington home. At least, police can think of no other explanation
  for the calls. Police said they found the dog beside a telephone when they
  entered the place after receiving the second call. No one else was home.
  Ginger's owner, Jane Shumaker, said she hadn't programmed 911 into her
  telephone's automatic dialing system, and she finds it hard to believe her
  pet made the call.
  But she added, "I'm beginning to think she's smarter than I thought. Maybe
  she was lonesome."

Dare I mention it? It seems our phone system is going to the dogs.

  [An Apso Facto case. Don't terrier hair out. The dog was doing a
  St. Gingervitus Dance. PGN]

------------------------------

Date: 27 May 90 03:50:07 EDT (Sun)
From: aha@m-net.ann-arbor.mi.us (Brian Sherwood)
Subject: Steve Jackson Games & A.B. 3280

> Computer Gaming World (Golden Empire Publications)
> June, 1990, Number 72, Page 8
> Editorial by Johnny L. Wilson

It CAN Happen Here

Although Nobel Prize-winning novelist Sinclair Lewis is probably best known
for 'Main Street', 'Babbitt', 'Elmer Gantry', and 'Arrowsmith', my personal
favorites are 'It Can't Happen Here' and 'Kingsblood Royal'. The latter is an
ironic narrative in which a man who suffers from racial prejudice toward the
black population discovers, through genealogical research, that he himself has
black ancestors. The protagonist experienced a life-challenging discovery that
enabled Lewis to preach a gospel of civil rights to his readership. The former
is, perhaps, Lewis' most lengthy novel and it tells how a radio evangelist was
able to use the issues of morality and national security to form a national
mandate and create a fascist dictatorship in the United States. As Lewis
showed how patriotic symbolism could be distorted by a power-hungry elite and
religious fervor channeled into a political movement, I was personally shaken.
As a high school student reading this novel for the first time, I suddenly
realized what Lewis intended for his readers to realize. "It" (a dictatorship)
really CAN happen here. There is an infinitesimally fine line between
protecting the interests of society and encumbering the freedoms of the
self-same society in the name of protection. Now it appears that the civil
liberties of game designers and gamers themselves are to be assaulted in the
name of protecting society.
In recent months two unrelated events have taken place which must make us
pause: the raiding of Steve Jackson Games' offices by the United States Secret
Service, and the introduction of A.B. 3280 into the California State Assembly
by Assemblyperson Tanner.

On March 1, 1990, Steve Jackson Games (a small pen and paper game company) was
raided by agents of the United States Secret Service. The raid was allegedly
part of an investigation into data piracy and was, apparently, related to the
latest supplement from SJG entitled, GURPS Cyberpunk (GURPS stands for Generic
Universal Role-Playing System). GURPS Cyberpunk features rules for a game
universe analogous to the dark futures of George Alec Effinger ('When Gravity
Fails'), William Gibson ('Neuromancer'), Norman Spinrad ('Little Heroes'),
Bruce Sterling ('Islands in the Net'), and Walter Jon Williams ('Hardwired').
GURPS Cyberpunk features characters related to breaking into networks and
phreaking (abusing the telephone system). Hence, certain federal agents are
reported to have made several disparaging remarks about the game rules being a
"handbook for computer crime".

In the course of the raid (reported to have been conducted under the authority
of an unsigned photocopy of a warrant; at least, such was the only warrant
showed to the employees at SJG) significant destruction allegedly occurred. A
footlocker, as well as exterior storage units and cartons, was deliberately
forced open even though an employee with appropriate keys was present and
available to lend assistance. In addition, the materials confiscated included:
two computers, an HP Laserjet II printer, a variety of computer cards and
parts, and an assortment of commercial software. In all, SJG estimates that
approximately $10,000 worth of computer hardware and software was confiscated.

The amorphous nature of the raid is what is most frightening to me.
Does this raid indicate that those who operate bulletin board systems as
individuals are at risk for similar raids if someone posts "hacking"
information on their computer? Or does it indicate that games which involve
"hacking" are subject to searches and seizures by the federal government? Does
it indicate that writing about "hacking" exposes one to the risk of a raid? It
seems that this raid goes over the line of protecting society and has,
instead, violated the freedom of its citizenry. Further facts may indicate
that this is not the case, but the first impression strongly indicates an
abuse of freedom.

Then there is the case of California's A.B. 3280 which would forbid the
depiction of any alcohol or tobacco package or container in any video game
intended primarily for use by minors. The bill makes no distinction between
positive or negative depiction of alcohol or tobacco, does not specify what
"primarily designed for" means, and defines 'video game' in such a way that
coin-ops, dedicated game machines, and computer games can all fit within the
category.

Now the law is, admittedly, intended to help curb the use and abuse of alcohol
and tobacco among minors. Yet the broad stroke of the brush with which it is
written limits the dramatic license which can be used to make even desirable
points in computer games. For example, Chris Crawford's 'Balance of the
Planet' depicts a liquor bottle on a trash heap as part of a screen talking
about the garbage problem. Does this encourage alcohol abuse? In 'Wasteland',
one of the encounters involves two winos in an alley. Does their use of
homemade white lightning commend it to any minors that might be playing the
game?

One of the problems with legislating art is that art is designed to both
reflect and cast new light and new perspectives on life. As such, depiction of
any aspect of life may be appropriate, in context.
Unfortunately for those who want to use the law as a means of enforcing
morality, laws cannot be written to cover every context.

We urge our California readers to oppose A.B. 3280 and help defend our basic
freedoms. We urge all of our readers to be on the alert for any governmental
intervention that threatens our freedom of expression. "It" not only CAN
happen here, but "it" is very likely to if we are not careful.

------------------------------

Date: Sat, 26 May 90 16:41:55 EDT
From: smb@ulysses.att.com
Subject: Re: Secure UNIX Infected?

  If you read between the lines you will note that a development version of
  AT&T UNIX was infected. The message is that the "NCSC" is more concerned
  about "confidentiality" than, say, integrity. The sooner we get a counter
  balance to the NCSC critical mass within POSIX P1003.6 (security) the
  better our future.

  [description of Duff's virus deleted]

  he loosed the thing inside AT&T as an experiment to see how well such a
  weak virus would spread, and how it could be started. (he started the
  infection by adding an infected copy of "echo" to some public directories
  he had write access to).

  [more deletions]

  it caused some particular problems on a "secure" unix that was being
  developed, since the kernel detected the attempts of the virus to
  propagate, and killed the virus.

I think there's a serious misconception here about Duff's virus, where it
spread, and ``AT&T UNIX''. There are no lines to read between; what was said
is literally and completely true, with no hidden messages. Tom's virus was
developed on 9th Edition UNIX systems, a research version that bears little
relation to System V or anything else in the product line. No ``development
version'' of the UNIX system was affected. This is doubly true of AT&T's
secure UNIX system product (System V/MLS), which has been certified at the B1
level. The ``secure unix'' affected was an experimental implementation of
mandatory access controls, using a modified 9th Edition kernel.
And, as noted, even the affected system was still under development at the
time -- hardly a fair criticism of any finished system.

All that aside, I wouldn't be so quick to dismiss the NCSC's efforts as
focused on confidentiality rather than integrity. While there certainly is
that bias, there's a lot to be said for maintaining confidentiality even in
the commercial world (as numerous stories in RISKS attest, of course). And, at
least for some programs, the mandatory access controls can be used to maintain
integrity: mark any critical program as being in the lowest-possible security
level, lower than any user process. That way, any attempt to modify the
program appears to be an access-control violation.

And there's one more point that shouldn't be ignored. The Orange Book does not
simply list a set of features. It describes a development process, an attitude
towards software management, and (to some extent) an enforced modularity. All
of these contribute to reliable -- and hence secure -- software. Furthermore,
the certification process itself is quite stringent. There's a world of
difference between, say, ``B1-certifiable'' -- which generally means a feature
list -- and ``B1 certified.''

If there are specific features you'd like to see added to POSIX for better
integrity maintenance, by all means propose them. But as far as I can tell,
the NCSC -- and its sponsor, DoD -- are among the few groups that not only
take security seriously, but are prepared to put their money where their mouth
is.

		--Steve Bellovin

------------------------------

Date: Mon, 28 May 90 12:11:35 EDT
From: henry@zoo.toronto.edu
Subject: Re: Secure UNIX Infected?

>If you read between the lines you will note that a development version of AT&T
>UNIX was infected. The message is that the "NCSC" is more concerned about
>"confidentiality" than, say, integrity. The sooner we get a counter balance to
>the NCSC critical mass within POSIX P1003.6 (security) the better our future.
If you read the Usenix paper referred to, you will find out that (a) the
secure Unix in question is a research system, not a product or potential
product, and (b) as mentioned in the Risks posting, the virus infected it at a
time when much of the security had not yet been turned on. I would urge people
to read the paper before jumping to unwarranted conclusions.

Henry Spencer at U of Toronto Zoology   uunet!attcan!utzoo!henry

------------------------------

Date: Sun, 27 May 90 20:39 PDT
From: david@indetech.com (David Kuder)
Subject: Dereferencing Tim Kay's address

When Tim first wrote about his problems I thought that they were related to
the fact that zipcodes don't provide a functional dependency for city and
state. That is, more than one city (well wide spot in the road) can be in one
zip code. This problem has bitten my father who now has subscriptions with a 4
line address of the form:

    Doc Kuder
    3 Elm St.
    Brownsville
    Emmittburg, PA 18888

Because there is an Elm Street in both Brownsville and Emmittburg and they've
got nothing to do with each other, but the Post Office insists that 18888 is
Emmittburg.

I also thought that Tim's problem might be that the zip code he's using is
only for the dorms at Caltech. The rest of campus has its own zip code, and
the box number Tim uses doesn't match dorm practice. It shouldn't matter since
both zip codes go to the same campus Post Office. When I first moved off
campus, I used the campus zip code and had my mail delivered even slower than
normal since it was sent to campus first then bounced. That house has since
become part of campus -- I wonder what its zip code is now?

Tim's problem is actually "Box". A quick scan of the zip code directory shows
that only post office boxes in Pasadena can be found in zip code 91102. I
suggest that Tim use something like "Building" or "Mailstop". The campus Post
Office may be able to give him the definitive answer.

David A.
Kuder, david@indetech.com

------------------------------

End of RISKS-FORUM Digest 9.96
************************
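The following is an added example, not part of the digest and not code from AT&T's System V/MLS or from the modified 9th Edition research kernel that Steve Bellovin's message above describes. It models, as a small Bell-LaPadula reference monitor in Python, the integrity trick Bellovin suggests: label a critical program at the lowest level, below every user process, so that a user process's attempt to modify it is a write-down and is refused as an access-control violation. The level names, the file name bin/echo, the subject names and the "infection" scenario are assumptions chosen for illustration.

```python
"""Toy Bell-LaPadula reference monitor showing Bellovin's integrity trick.

Constructed example for this digest page; not code from System V/MLS or the
9th Edition research kernel. Level names, the file name and the infection
scenario are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Linearly ordered sensitivity levels, lowest first (assumed names).
LEVELS = ("SYSTEM_LOW", "USER", "SECRET")


def dominates(a: str, b: str) -> bool:
    """True when level a is at least as high as level b."""
    return LEVELS.index(a) >= LEVELS.index(b)


@dataclass
class LabeledFile:
    name: str
    level: str
    content: bytes


@dataclass
class Subject:
    """A running process, carrying the level of the session that started it."""
    name: str
    level: str


class ReferenceMonitor:
    """Mediates every access and records denials, as a MAC kernel would."""

    def __init__(self) -> None:
        self.violations: List[str] = []

    def can_read(self, s: Subject, f: LabeledFile) -> bool:
        # Simple security property: no read up.
        return dominates(s.level, f.level)

    def can_write(self, s: Subject, f: LabeledFile) -> bool:
        # *-property: no write down. The object's level must dominate the
        # subject's level, so a USER process cannot touch a SYSTEM_LOW file.
        return dominates(f.level, s.level)

    def read(self, s: Subject, f: LabeledFile) -> Optional[bytes]:
        if self.can_read(s, f):
            return f.content
        self.violations.append(f"{s.name} read {f.name}")
        return None

    def write(self, s: Subject, f: LabeledFile, data: bytes) -> bool:
        if self.can_write(s, f):
            f.content = data
            return True
        self.violations.append(f"{s.name} write {f.name}")
        return False


def write_attempt(program_level: str, subject_level: str = "USER") -> Dict:
    """Simulate a Duff-style infection: a process reads a shared program
    (executing it requires read access) and writes a modified copy back.

    Returns what happened, so the effect of the two labels is visible.
    """
    rm = ReferenceMonitor()
    # Assumed shared binary; its content is a stand-in for real code.
    echo = LabeledFile("bin/echo", program_level, b"ORIGINAL-ECHO\n")
    proc = Subject(f"{subject_level.lower()}-proc", subject_level)

    original = rm.read(proc, echo)
    infected = rm.write(proc, echo, (original or b"") + b"VIRUS-PAYLOAD\n")
    return {
        "could_execute": original is not None,
        "modified": infected,
        "violations": list(rm.violations),
        "content": echo.content,
    }


if __name__ == "__main__":
    for prog, subj in (("SYSTEM_LOW", "USER"), ("USER", "USER"),
                       ("SYSTEM_LOW", "SYSTEM_LOW"), ("SECRET", "USER")):
        r = write_attempt(prog, subj)
        print(f"program@{prog:<10} subject@{subj:<10} "
              f"execute={r['could_execute']} modified={r['modified']} "
              f"violations={r['violations']}")
```

With the program labeled SYSTEM_LOW, the USER process can still read and therefore execute it, but the write-back is refused and logged, which is the alarm Bellovin describes. With the program labeled USER, the same write succeeds and nothing is logged, so the protection comes entirely from where the label sits. Two caveats the model makes visible: a process that really runs at SYSTEM_LOW (here the `system_low-proc` subject) can modify the program, so legitimate installation must be the only activity ever run at that level; and pure Bell-LaPadula permits blind write-up, so a USER process can clobber a SECRET-labeled program it cannot even read. That asymmetry is why the trick only works at the bottom of the lattice, and why the confidentiality-versus-integrity argument in this thread exists at all.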