RISKS-LIST: RISKS-FORUM Digest Saturday 11 March 1989 Volume 8 : Issue 37 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Computer blunders blamed for massive student loan losses (Rodney Hoffman) Prisoner access to confidential drivers' records (Rodney Hoffman) Ethics Question (Randall Neff) [Adobe(rman?) Bites VorTeX?] Risk of congenial machinery (Robert Steven Glickstein) Limitless ATM's (Geoff Kuenning) Re: Faking internet mail (Stephen Wolff) Virus detector goes wrong (Dave Horsfall) Re: News from the KGB/Wily Hackers (Hans Huebner = `pengo') UK archive service [for European RISKS readers] (Dave Ferbrache) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. * RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99). ---------------------------------------------------------------------- Date: 10 Mar 89 14:48:43 PST (Friday) From: Rodney Hoffman Subject: Computer blunders blamed for massive student loan losses Bank of America and possibly other major international banks stand to lose as much as $650 million on bad student loans, due to computer problems at United Education and Software. The 'Wall Street Journal' for Friday, March 10, provides the first hints of details I've seen on the nature of the "computer blunders" which earlier stories hinted at. The article, by Charles F. McCoy and Richard B. Schmitt, is headlined UNITED EDUCATION'S COMPUTER BLUNDERS FORM VORTEX OF BIG STUDENT LOAN FIASCO. Excerpts: Computers at United Education and Software, Inc. ... ran wild for at least eight months. They rejected payments from overdue borrowers and addressed collection notices intended for New Yorkers to such places as "Radio City, N.Y.," among other gaffes. United Education and its colossal computer mistakes are at the heart of what is emerging as one of the most tangled loan fiascos in years... The U.S. Dept. of Education has refused to honor guarantees on certain federally backed student loans serviced by United Education. That raises the possibility that BankAmerica or other banks that backed the loans with letters of credit will have to shoulder huge defaults. BankAmerica served as trustee on the loans... [Other banks, including Citicorp and several Japanese banks, dispute how much of the liability might be theirs, saying BankAmerica is responsible.] United Education's beserk computer produced records that are so fouled up that nobody knows how much the losses eventually will be. United Education and Software, oringinally a trade-school operator, began servicing student loans in 1983, and grew rapidly, developing a portfolio of more than $1 billion in less than five years... The computer problems apparently stemmed from United Education's switch to a new system in October 1987. According to officials familiar with the problems, United Education's programmers introduced major software errors and failed to properly debug the new system. Among the results, according to a Dept. of Education audit report: United Education sent delinquency notices to students who were still in school and thus weren't scheduled even to begin payments on the loans. It placed students who were supposed to have been granted deferments into default. It didn't inform many laggard borrowers that they were delinquent, while informing some current borrowers that they were. The computers also apparently logged telephone calls that were never made and didn't log calls that were. United Education applied payments to interest when they were supposed to be applied to interest and principal... Aaron Cohen, president of United Education, called the depth of the problems identified by the audit a "shock." He said the company was aware of bugs in the new software that were causing accounting errors, but had no idea its loan servicing operation had run amok. He thought any problems were routine. "Software companies have problems all the time," he said... ------------------------------ Date: 8 Mar 89 13:42:10 PST (Wednesday) From: Rodney Hoffman Subject: Prisoner access to confidential drivers' records From a story by Leo Wolinsky in the 'Los Angeles Times' 5-March-89: If the [California Governor] Deukmejian Administration has its way, state prisoners soon will be put to work sorting through confidential motor vehicle records as part of the governor's plan to keep inmates working and save taxpayers money. But the program, which is set to begin July 1, is prompting con- cern among some lawmakers and other officials who worry that the records -- which include names, addresses and some financial information about California motorists -- might end up in the hands of career criminals. "The concept boggles the mind," said Assemblyman Richard Katz, chairman of the Transportation Committee. "They may be car thieves... They may have killed people or molested kids and now we're going to give them access to home addresses of people along with [information on] loans that they have on their vehicles and what cars they drive. It seems like an open invitation for trouble." .... No one is sure what illicit uses, if any, inmates might make of the information. But the Legislature's nonpartisan analyst charged in a report that procedures employed by the state "may not be adequate" to ensure the security of the documents. "From our position, there is a fair amount that could be done even with this much information," said [one of the report authors].... [In an earlier, now cancelled mail sorting job,] some corrections officers said they believe the inmates were searching for addresses of prison officials ..... PS. It is not clear from the newspaper article whether the records involved would be paper or on-line, so, strictly speaking, this may not involve any computer-based system RISK. ------------------------------ Date: Fri, 10 Mar 89 17:28:55 PST From: neff@paradigm.STANFORD.EDU (Randall Neff) Subject: Ethics Question On Wednesday, March 8, Professor Michael A. Harrison, from the University of California, Berkeley, made a presentation: "VorTeX, a Multiple Representation System" to the Stanford EE 380/CS 540 Computer System Colloquium. As part of the VorTeX project, the group decided that they needed a graphical display language, so they (re)implemented PostScript (trademark of Adobe Systems, Inc) on the Sun workstations. Then they realized that they also needed the fonts that are buried in the Apple LaserWriter. They talked to Adobe, but the money discussed was quite large (to Harrison) and he objected to Adobe's attitude (quote "shove in your face"). So, the group wrote several clever pieces of software (PostScript program to find the intersections of `scan' lines with the character boundaries, pump results back to Suns, program to curve fit the coordinates, etc.), and recreated the font information as Bezier cubic curves for use with their Sun PostScript implementation. According to the UC Berkeley lawyers, this is legal due to the current copyright law, that digital encoding of fonts is not protected by copyright. However, all Adobe sells is software and fonts; and the internal coding of fonts is a trade secret. THE ETHICS QUESTION ( I was really bothered by all of this ): Is this ethically correct? Is it all right to acquire a company's product by clever coding? Is it reasonable behavior for a Famous CS department funded by California taxpayers and NSF grants (it is certainly not research)? Is there a reasonable way for an audience member to stand up and say: "For Shame, this is ethically reprehensible behavior and you're setting a bad example for students everywhere." Randall Neff @ anna.stanford.edu ------------------------------ Date: Sat, 4 Mar 89 03:31:21 -0500 From: @sri-unix.UUCP, geoff@itcorp.com Subject: Limitless ATM's Like many people, I've occasionally wanted to get a moderately large amount of money out of an ATM, only to be foiled by a "daily limit" of some sort. I accepted this as a necessary evil for keeping thieves from completely cleaning me out. Recently, however, I had an experience that taught me a possible way around these restrictions. A credit card and the associated PIN were stolen from my home, and the thief then used the card to withdraw $3900 in cash from ATM's. Since the ATM's had a per-transaction limit of $300, the withdrawal was done in 13 separate transactions. The interesting thing is that only two ATM's were used for all of these operations! Further, the card only had a $3000 credit limit, and about $600 was already in use. I don't know the reason for the lack of limits and restrictions, but I have begun to wonder just how much money I could get away with if I systematically spent a few days taking all my credit cards to ATM's and making withdrawals. Geoff Kuenning geoff@ITcorp.com uunet!desint!geoff ------------------------------ Date: Wed, 8 Mar 89 18:05:20 -0500 (EST) From: Robert Steven Glickstein Subject: Risk of congenial machinery An observation that I made earlier today: I entered a store in the neighborhood with an old-fashioned mechanical cash register, complete with the little "I just made a sale" bell. I purchased an item and after the transaction was complete, the clerk thanked me and wished me a good afternoon. I returned the pleasantry. Later on I was in a much larger store, complete with barcode readers and electronic cash registers with dot-matrix LED displays. As the clerk rang up my purchase, the cash register told me "Thank You For Shopping At " and my receipt said "Have a Good Day". Perhaps because the dreary task of being pleasant to customers was now automated, the clerk felt no need to greet me, address me, look at me, or in any way acknowledge me except to take my money and shove some change into my hand. Computers do a lot of jobs a lot better than people, but there are some tasks that should be performed by no one but humans. Bob Glickstein, Information Technology Center, CMU, Pittsburgh, PA ------------------------------ Date: Thu, 9 Mar 89 14:59:33 EST From: Stephen Wolff Subject: Re: Faking internet mail From "Kevin S. McCurley" in RISKS DIGEST 8.29: > I guess a lot of people know about faking Internet mail. Since the > National Science Foundation now accepts reviews of proposals via email, I > wonder whether anybody there knows about this ? Yes, we know. We also accept *proposals* electronically, so we have to face problems of privacy, too. > It is rather farfetched to think that somebody would try to fake their > reviews,... Nope, not at all. These concerns are handled informally at present, but tighter methods are on the way. ------------------------------ Date: Wed, 8 Mar 89 12:45:17 est From: Dave Horsfall Subject: Virus detector goes wrong Taken from "Computing Australia", Feb 27: ``Sneaky little non-virus Sun Microsystems has moved to reassure Australian TOPS users that US reports on a virus are false. In a virus-paranoid environment, US pc users of TOPS/Mac Version 2.1 were running their disks through a virus detector before loading the software onto their computers. It was a precaution that went wrong. The particular virus detector was Interferon and it falsely reported TOPS infected with a virus known as Sneak, said TOPS/Macintosh product manager Timothy Fredel. Fredel said the resource structure of TOPS/Macintosh 2.1 happens to look like a Sneak virus to Interferon. To be on the safe side, Fredel suggested users run Virex or VirusRx.'' So now one can't trust one's virus detector any more... On a different note, have there been any (confirmed) reports of a fake virus detector? Ahhh, the perils of a standard Applications Binary Interface... ------------------------------ Date: Fri, 10 Mar 89 18:09:25 MET DST From: Hans Huebner Subject: Re: News from the KGB/Wily Hackers In RISKS 8.36, Klaus Brunnstein mentioned my name in the context of the hacker/espionage case recently discovered by the german authorities. Since Mr. Brunnstein is not competent to speak about the background of the case, I'd like to add some clarification to prevent misunderstandings, especially concerning my role. I think it is a very bad practice to just publish names of people without giving background information. Roy Omond did this once to a friend of mine, who has been a hacker as well, and his reputation in the net community has suffered from this publication quite a lot, even if he was doing a favour to the community by developing bug fixes and posting them to the net. I have been an active member of the net community for about two years now, and I want to explicitely express that my network activities have in no way been connected to any contacts to secret services, be it western or eastern ones. On the other hand, it is a fact that when I was younger (I'm 20 years now), there has been a circle of persons which tried to make deals with an eastern secret service. I have been involved in this, but I hope that I did the right thing by giving the german authorities detailed information about my involvement in the case in summer '88. As long as the lawsuit on this case is not finished, I will/may not give any detailed about it to the public. As soon as I have the freedom to speak freely about all this, I'll be trying to give a detailed picture about the happenings to anyone who's interested. For my person: I define myself as a hacker. I acquired most of my knowledge by playing around with computers and operating systems, and yes, many of these systems were private property of organisations that didn't even have the slightest idea that I was using their machines. I think, hackers - persons who creatively handle technology and not just see computing as their job - do a service for the computing community in general. It has been pointed out by other people that most of the 'interesting' modern computer concepts have been developed or outlined by people which define themselves as 'hackers'. When I started hacking foreign systems, I was 16 years old. I was just interested in computers, not in the data which has been kept on their disks. As I was going to school at that time, I didn't even have the money to buy an own computer. Since CP/M (which was the most sophisticated OS I could use on machines which I had legal access to) didn't turn me on anymore, I enjoyed the lax security of the systems I had access to by using X.25 networks. You might point out that I should have been patient and wait until I could go to the university and use their machines. Some of you might understand that waiting was just not the thing I was keen on in those days. Computing had become an addiction for me, and thus I kept hacking. I hope this clears the question 'why'. It was definitely NOT to get the russians any advantage over the USA, nor to become rich and get a flight to the Bahamas as soon as possible. The finish of the court trial will reveal this again, but until then I want to keep rumours out that the german hackers were just the long (??) arm of the KGB to incriminate western computer security or defense power. It should also be pointed out that the Chaos Computer Club has in no way been connected to this recent case, and again, that the CCC as an organization has never been a 'hacker group'. The CCC merely handles the press for hackers, and tries to point out implications of computers and communications for society in general. For punishment: I already lost my current job, since through the publications of my name in the SPIEGEL magazine and in RISKS, our business partners are getting anxious about me being involved in this case. Several projects I was about to realise in the near future have been cancelled, which forces me to start again at the beginning in some way. -Hans Huebner pengo@tmpmbx, pengo@garp.mit.edu, huebner@db0tui6.bitnet ------------------------------ Date: 9 Mar 89 11:50:28 GMT From: Server Subject: UK archive service [for European RISKS readers] For the information of the European (especially UK) readers of the group, their is an archive of Comp.risks newgroup postings maintained on the Heriot-Watt information server. The archive server is email based, and will accept requests in the form of an email message to ,with the text: request: comp.risks topic: v8.1 where topic can be either: index for an index of all available risks digests (currently only v7.96 to date, I am hoping to extend this backwards to the time of the Internet worm). v8.index for an index of all available digests in a specific volume v8.contents for a list of the contents of all digests in a specified volume (contents lists are extracted and appended as new digests are received and may thus be slightly disorganised) v8.1 to send a specific issue (in this case digest 1 in volume 8) any number of topics can follow the request. The server also archives virus-l digests, and holds BSD unix fixes, security software and virus disinfection software. For a general index of available materials, send a message of the form: request: index topic: index Dave Ferbrache Personal mail to: Dept of computer science Internet Heriot-Watt University Janet 79 Grassmarket UUCP ..!mcvax!hwcs!davidf Edinburgh,UK. EH1 2HJ Tel (UK) 031-225-6465 ext 553 [Thanks! PGN] ------------------------------ End of RISKS-FORUM Digest 8.37 ************************ -------