RISKS-LIST: RISKS-FORUM Digest Wednesday 15 March 1989 Volume 8 : Issue 38 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Water Bug - Computerization Messing Up Yacht Race (Robert Horvitz) Sunspots & Communications (Cliff Stoll, PGN) pengo and the Wily hackers (Klaus Brunnstein) Toshiba DOS 3.3 Backup deletes files (Fiona M Williams) Star Trek computer virus (Kevin Rushforth) Re: NASA to replace top-level personnel with Expert Systems (Henry Spencer) Pushbutton Banking (Lynn R Grant) Risks of telephone access to your bank account (Michael McClary) Limitless ATMs (John Murray) Re: Prisoner access to confidential drivers' records (Scot E Wilcoxon) Risks of Human Emulating Machinery (Jon Loux) New Sprint Card (Ken Harrenstien) Incoming-call identification (David Albert) ---------------------------------------------------------------------- Date: Sat, 11 Mar 89 19:41:15 PST From: rh@well.UUCP (Robert Horvitz) Subject: Water Bug - Computerization Messing Up Yacht Race An Irish friend, Derek Lynch, sent this article from the Irish Times' Sports page (10 Feb 89). Perhaps a British reader can provide the necessary follow-up: "COMPUTER ERROR MAY PROVE COSTLY by Dermot Gilleece "A major decision with critical implications for Ireland's first involvement in the Whitbread Round the World yacht race, will be taken in England next week. Race organisers, the Royal Naval Sailing Association, will be responding officially to a storm of criticism concerning the specifications of competing yachts... "The problem concerns the technique of measuring yachts which, in the context of the Whitbread Race, are in the maxi, 70 foot class. This is the responsibility of the British-based Offshore Racing Council, which introduced a new measuring process two years ago. "Up to that stage, yachts were hand-measured, taking various complex factors, even the size of the engine, into the equation. It was then decided that computers could handle the process more efficiently. "In the event, a fault was discovered in the computer software with the result that specifications were more liberal than intended. So, the Offshore Racing Council corrected the error last November. "By then, however, two New Zealand yachts had been built according to the faulty computer measurement... The fact was that, while the New Zealand yachts measured 70 feet under the faulty process, their actual measurement was 71 feet. "The implications of this discovery were far-reaching. Rear-Admiral Charles Williams, chairman of the race committee, was bound by the new regulations which, in effect, made the New Zealand craft illegal. On the other hand, if the New Zealand yachts were accepted into the Whitbread Race, they would have a decided advantage over British and Irish craft - possibly by as much as 10 hours in the 36,000 miles event, which will get under way in September... "Butch Dalrymple-Smith is a partner in the company of Ron Holland, the Cork-based designer of NCB Ireland. He said last night: `My view is that the New Zealand boat which we know to be outside the limit, was built with the computer loophole in mind. "`We knew about the problem as far back as last July when the Americans decided that yachts built to the faulty computer process were unacceptable. Admittedly NCB Ireland was built at that stage but we could still have carried out the necessary modifications had we needed to...'" "It has been suggested that Rear-Admiral Williams has bowed to pressure from the New Zealanders, who are heavily sponsored. This was roundly rejected last night by Captain Brian Evans, the race secretary... "He added: `The matter will be cleared up next week when we will be announcing our decision.'... "If NCB Ireland were to be modified to make it competitive with the New Zealanders, the expense would be formidable. For instance, a new keel would cost L/40,000, a mainsail L/10,000 and a new rig as much as L/150,000. "At this stage, it would appear that the RNSA will have no option other than to back down in the face of overwhelming protests... Meanwhile, leading yachtsmen will be awaiting next week's decision with some apprehension. This is clearly a case in which a considerable quantity of oil will be necessary to calm troubled waters." ------------------------------ Date: Mon, 13 Mar 89 13:55:36 est From: cliff%cfa204@harvard.harvard.edu (Cliff Stoll) Subject: Sunspots & Communications There's a major sunspot group on the sun ... it's visible to the naked eye (with suitable protection, of course). Largest sunspot in a long time. At least two flares have been associated with this group. Ten or twenty years ago, we'd probably have heard warnings that communications circuits might be disrupted, due to ionospheric interactions with the solar wind. Today, however, it's a rare communication link that depends on ionospheric reflections (although military over-the-horizon radars do...). So this sunspot won't affect our communications, huh? You say we've nothing to worry about? Maybe. Here's a few things to worry about: 1) Geomagnetic storms can screw up magnetic compasses. 2) Satellites in geosynchronous orbit have a rough time of it. Twice a year, (at each equinox), they're shadowed by the earth, and their solar panels don't generate electricity at night. In addition, the high energy particles can get wicked at this altitude, especially when there's a major solar flare. Well, it's near the equinox (so the comsats are battery powered at night), and there's bad solar flares. Result: these satellites are being stressed. 3) Earth satellite lifetimes depend on the shape and size of the earth's atmosphere. Satellites in low orbits may have their lifespans shortened drastically when the atmosphere bulges out. What causes such bulges? Increased solar activity. If this sunspot -- largest in memory -- is an indicator of a very active sun in the next few years, low-flying satellites may be in trouble. Best of cheers, Cliff Stoll cliff@cfa200.harvard.edu 617/495-7147 Smithsonian Astrophysical Observatory Harvard - Smithsonian Center for Astrophysics ------------------------------ Date: Wed, 15 Mar 1989 9:28:47 PST From: Peter Neumann Subject: Sunspots & Communications (O Solar Milhaud!) Solar flares resulting from the unprecendented sunspot activity have reportedly been wreaking havoc with communications around here since about 10 March. (And the peak of the 11-year sunspot cycle is still about a year away!) Radio and satellite communications have been seriously affected. In the Mount Diablo area of California, there have been many reports of garage door openers failing to operate. (Younger RISKS readers will not remember a different effect caused by signals from the first Sputnik, which merrily opened and closed garage doors each time it traversed the U.S. -- at the time there was little redundancy in the g.d. control signals. This time the controls are apparently being jammed.) [The "Subject:" line subtitle is due to the fact that I had awful radio reception on hearing a piece by Darius Milhaud.] [By the way, today is the day to "Beware The Ides of March", which means that The Calends of April is only 17 days away. As we have learned, Beware the Calends of April also.] ------------------------------ Date: 14 Mar 89 11:04 GMT+0100 From: Klaus Brunnstein Subject: pengo and the Wily hackers (RISKS-8.37) In RISK FORUM 8.37, `Pengo' Hans Huebner stated that he had no share in the KBG case as I mentioned in my RISK report. Since I myself had no share in the KGB hack (and in this sense, I am not as good a source as Pengo!), I tried to transmit only information where I had at least *two independent sources* of *some credibility*. In Pengo's case (where I was rather careful because I could not believe what I read), my two sources were: - the SPIEGEL report (I personally agree that names should be avoided as long as current investigations are underway; yet in this cases, the names have been widely published in FRG and abroad); - a telephone conversation with a leading CCC person (before I present his name, I will inform him); after he had informed me about a public debate at Hannover fair (where the German daily business newspaper, Wirtschafts- woche had organised a discussion with data protection people and CCC), I asked him whether he knew of Pengo's contribution; he told me that he directly asked Pengo: '`Did you, without pressure and at your own will, work for the Russians?', and Pengo answered: `Yes'. He told me that he immediately cut-off any contact to Pengo. Evidently, there was a controversial discussion in Chaos Computer Club whether on should react in such a strict manner. I understand the strong reaction because the KGB hackers severely damaged CCCs attempt to seriously contribute to the public discussion of some of the social consequences of computers. They now face, more seriously than before, the problem of being regarded as members of a criminal gang. In the bulk of information, I found much desinformation (not only regarding computer stuff, like the notion of a sold `C-Compiler, which is a program to accomodate old programs to modern computers'). I didnot mention such des- informing non-facts (like the rumor that also personal information was sold) because I had only one source, which moreover was of very limited credability. Klaus Brunnstein ------------------------------ Date: Tue, 14 Mar 89 14:34:50 GMT From: Fiona M Williams Subject: Toshiba DOS 3.3 Backup deletes files A colleague of mine had just started to backup the hard disk of his Toshiba 3200 using the Toshiba DOS 3.3 backup command. While backup was still looking at the root directory we had a power failure in the office. A couple of gnashes later he re-booted the T3200 only to get the message "Bad or missing command interpreter." (This generally means that command.com has been knackered.) Also, when we looked at the backup diskette, there was nothing on it! Having (eventually) found a Toshiba DOS 3.3 diskette we managed to have a look at the hard disk only to find that all files in the root directory *had been deleted*. (Sub-directories were ok though.) Norton's quick un-erase came to the rescue so we managed to recover everything after about an hour. I'd hate to think what might have happened if we'd had the power failure when backup was on its 20th diskette, rather than its first, but in any case, the moral seems to be that you should sometimes make a backup before making a backup! Stephen Farrell, MANTIS LTD. (stephen_farrell_mantis@eurokom.ucd.ie) ------------------------------ Date: Tue, 14 Mar 89 22:30:12 PST From: kcr@Sun.COM (Kevin Rushforth) Subject: Star Trek computer virus I realize that the fictional world of Star Trek is not normally an appropriate risks topic, but I feel this is an exception. The next original episode of "Star Trek: The Next Generation" (scheduled to air the week of 3/20-3/26) is titled "Contagion" and is about (you guessed it) a computer virus: The Enterprise's computer system falls prey to a mysterious electronic "virus" which programs the ship to self destruct. This episode may prove interesting to readers of comp.risks. It raises an interesting question as to what would happen if the on-board computer of an F-16 or Space Shuttle were to contract a virus. Kevin C. Rushforth, Sun Microsystems ------------------------------ Date: Sun, 12 Mar 89 01:33:01 -0500 From: henry@utzoo.UUCP Subject: Re: NASA to replace top-level personnel with Expert Systems A cynic might say that replacing many of NASA's top-level people with, say, a PC each would be an *improvement*, bugs and all... Let us not forget that some human beings are far from fully debugged. Today's NASA is notorious for bad management (e.g. Challenger) and too much management (NASA's supervisor:worker ratio today is twice what it was during Apollo). If nothing else, a program spouting nonsense is easier to ignore than a manager spouting nonsense -- programs have less political clout. Henry Spencer at U of Toronto Zoology uunet!attcan!utzoo!henry henry@zoo.toronto.edu ------------------------------ Date: Wed, 15 Mar 89 14:00 EST From: Lynn R Grant Subject: Pushbutton Banking My bank, the Suburban Bank of Palatine (Illinois) has just announced that starting April 1st (April Fool's Day!) they will be implementing "Pushbutton Banking," which will allow you to query balances, find out what checks have cleared, and transfer balances between accounts, all from the comfort of your easy chair, using your Touch-Tone phone. All you need to access this is your account number and your security code, which is the last four digits of your SSN. I called the bank and asked them if the security code was changable by the user. They said no, but how many people know your account number and SSN. I pointed out to them that since my Illinois driver's license has my SSN on it, every time I pay by check at a store, I am showing the cashier my account number and SSN. The bank said that that hadn't occurred to them. They offerred to set up my account so that nobody, including me, could use the pushbutton banker on it, and of course, I accepted. It is certainly worrysome that the people charged with keeping my money safe don't think about these things. True, the pushbutton banker could probably not be used to steal money, but it could certainly invade your privacy, and could be used to perform denial-of-service attacks (someone dials in and transfers all your checking account money to your savings account, causing all your checks to bounce. The merchants you paid by check all charge you their 10 or 20 buck returned check fee. When you try to explain your way out of the charges, the bank says "Well, it must have been you; who else would know your account number and security code?"). --Lynn Grant ------------------------------ Date: 15 Mar 89 13:13:05 GMT From: michael@xanadu.com (Michael McClary) Subject: Risks of telephone access to your bank account Upon moving to California, I opened an account at a local bank (Wells Fargo). They took down a bunch of personal information to use to identify myself when using their 24-hour telephone account-munging service. The information was a standard set, such as mother's maiden name. All public record, as I recall, but in any case nothing a cheap private detective couldn't dig up, given a little time. So anyone who'd, say, gotten hold of my checkbook, could find out how much it was good for. But the surprise came when I was back in Michigan finishing the move, and needed to transfer funds to cover a check. Instead of a random set of the items, they asked for EVERY SINGLE ONE of them. Anyone listening in on the phone would have all they'd need to use the service. Now combine that with cellular phones that: - are not scrambled, - don't switch channels enough to break up a conversation, - can be recieved on the high end of an old TV set's UHF dial - are generally owned by busy people with money and you've got the makings of some nasty surprises. ------------------------------ Date: 15 Mar 89 20:43:27 GMT From: johnm@uts.amdahl.com (John Murray) Subject: Limitless ATMs (Re: RISKS DIGEST 8.37) > From: @sri-unix.UUCP, geoff@itcorp.com > > . . . . A credit card and the associated PIN were stolen from my > home, and the thief then used the card to withdraw $3900 in cash from ATM's. > Since the ATM's had a per-transaction limit of $300, the withdrawal was done in > 13 separate transactions. The interesting thing is that only two ATM's were > used for all of these operations! Further, the card only had a $3000 credit > limit, and about $600 was already in use. Several ATM systems have (used to have?) loopholes in them, which allowed this type of thing to occur. For example: * In regions where on-line links are unreliable, a machine might use floppy disks for its data. The transaction file and "hot-card" data are only updated once a day, and the bank moves this info using its regular courier system. All sorts of risks can occur over public holiday weekends. * The card in question is a credit card. It seems unlikely that data for ALL cards EVER issued ANYWHERE is instantly available EVERYWHERE, especially across international boundaries. Perhaps some systems just accept this potential for loss. * Some off-line systems could rewrite data onto the card, so that taking the card to a different machine wouldn't work. However, using joint cards could not be trapped. - John Murray, Amdahl Corp. (My own opinions, etc.) ------------------------------ Date: 14 Mar 89 05:42:21 GMT From: sewilco@datapg.mn.org (Scot E Wilcoxon) Subject: Re: Prisoner access to confidential drivers' records Much of the information which was mentioned is already easily available. For $3, the California DMV will give you auto registration information. "Names, addresses", and "what cars they drive" certainly, and maybe also "loans" (I forgot to ask the DMV about loans, but I know Minnesota lists loan info). Auto and driver registration information is public in most states. Apparently the California government has considered the license holders' desire for privacy (or perhaps of the ignorance of the public status of the information). Along with the $3, you must give a signed statement of the reason why you want the information. The license holder then is notified by mail that the information was delivered, and of the reason you gave. Scot E. Wilcoxon ------------------------------ Date: Mon, 13 Mar 1989 09:59:51 EST From: Jon Loux Subject: Risks of Human Emulating Machinery In reply to "Risks of Congenial Machinery" from Robert Steven Glickstein. Hear, hear. In the effort to make our machines more like humans, we have failed. The best we can do is make a parroting parody of some intellectual function. Useful? Yes. Important? Yes. Vital to the functioning of many (most) institutions in our society? Yes. But human? No. We cannot make our machines more like humans, so we have done the next best thing. We have made our humans more like machines. The silicon revolution is nothing more than the industrial revolution without the smoke. Mechanized. Mass produced. And impersonal. A case in point. A senior project manager in the DP shop of a large defense contractor told me a story about his home bank back in the town in New York where he grew up. It used to be that the tellers and managers of the bank knew everybody in the town. If a check came in without sufficient funds in your account to cover it (Banks don't like this, for some reason) they would call you at work and make some arrangements for you to cover it (run down and make a deposit, hold the check, whatever). It was a community matter. Now, with ATMs and electronic funds transfers, etc., walking into the bank is the financial equivalent of entering a meat locker. "But Bob," I said. "The bank must be serving a larger number of people. It's just impossible to be personal in a corporate setting. This isn't Bailey's Savings and Loan, you know." "No," he said. "But the town's population hasn't gone up in fifty years." You decide. Jon Loux. University of Connecticut. ------------------------------ Date: Thu, 9 Mar 89 13:23:18 PST From: Ken Harrenstien Subject: New Sprint Card Regarding the message from Will Martin: ... Fred Lawrence, Sprint's executive vice president for network development, said the Voicecard would work a little like the company's Foncard: Callers dial the phone number printed on the card, adding a second number such as a birthdate, and then give a two-second verbal password. Sprint equipment compares the voice print with one that is on record. The call goes through only if the voice prints match, Lawrence said. ... My hair rose when I saw this. I may be over-reacting in the absence of additional information, but I sincerely hope this idea does not spread. If it did, I won't be able to make a long-distance call, because I'm deaf. Let me explain for the benefit of people who don't get it. How could deaf people make calls in the first place anyway? There are normally two ways: First, they can use TDDs (Telecommunication Device for the Deaf). This is typically a small terminal-like unit that uses half-duplex FSK (1400/1800 Hz) to transmit Baudot codes at 45.45 baud. More foresighted designs also provide the capability of using ASCII with a standard 300 baud (Bell 103) full-duplex modem. People can thus type to each other. Second, they can use an interpreter -- the usual resort when one of the parties is hearing and doesn't have a TDD. But it's very rare that one can use the same interpreter (i.e. the same voice) every time. Perhaps the Sprint people have thought about this, and have an alternate security method for those cases. But I rather suspect not. I don't have any problem with proposals for whiz-bang new techno-fixes that are focused on just one modality, but all too often these ideas unwittingly exclude other modes, which is exactly the wrong thing to do where a public service is concerned. Think about color-coded displays. Touch displays. Mice. Voice-synthesized responses. And so on. None of these is suitable for everyone, but as long as a system is not limited to just one way of doing things, no one will be excluded. I sincerely hope that in the rush to automate everything, designers take advantage of the flexibility that computers give them to provide for as many alternatives as possible. The person who benefits will someday be you. --Ken ------------------------------ Date: Thu, 2 Mar 89 19:04:57 EST From: albert@harvard.harvard.edu (David Albert) Subject: Incoming-call identification Today's (3/2/89) Boston Globe has an article on telephone features, including incoming-call identification. I quote a relevant section: [Spokesperson for Bell Atlantic Karen] Johnson ... brushed aside questions about the privacy of incoming callers. "We feel that in most cases, the caller gives up anonymity and the customer gains privacy and security. In all the time we've offered it, we've had very few complaints." New England Telephone's [product manager for the new calling services Gerald J.] Malette agreed. "We feel the person being called has the right to know who's calling," he said. Well, we keep bringing up the issue on the net; perhaps it's time we started complaining directly to the people keeping track of the number of complaints, such as the two named above. In particular, I suggest we bring to their attention the issue of the confidentiality of calls to services such as the Samaritans, to the police (on their business number), to the government (say, asking questions about tax laws), and to businesses in general. Do we really want to give up our privacy when a business might turn around and compile a mailing list (or worse, a calling list) based on telephone calls received? When we want to ask an anonymous question of a government agency? When we are baring our souls to a suicide line? Let's all get out there and complain before it's too late (if we're not too late already). ------------------------------ End of RISKS-FORUM Digest 8.38 ************************ -------