The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 59

Wednesday 1 May 1991

Contents

o "Losing" a Warehouse
Jane Beckman
o Soon, ATMs May Take Your Photograph, Too
Paul B. Carroll via Michael W.Miller
o Old O/S and Network Security
Bob Estell
o Genie
Chuq Von Rospach
o Prodigy Problem in Major Press
Bill Biesty
o Re: Prodigy
Chuq Von Rospach
A. Padgett Peterson
Mary Culnan
Bill Seurer
o Info on RISKS (comp.risks)

"Losing" a Warehouse

Jane Beckman <jane@stratus.swdc.stratus.com>
Wed, 1 May 91 16:14:52 PDT
I've been meaning to post this for a while, as it is a perfect illustration
of the hazards of a system that gets too dependant on computer programs.

In 1989, Mongomery Ward had a sale of "discontinued, one-of-a-kind, and out-
of-date merchandise."  A fellow I was dating, who was a Wards employee, told
me the story of where it had come from.  Around 1985, Wards had reprogrammed
their master inventory program.  Somehow, the entry for the major distribution
warehouse in Redding, California, was left out.  One day, the trucks simply
stopped coming.  Nothing was brought into the warehouse, and nothing left.
Paychecks for the employees, however, which were on a different system, kept
coming.  While this was baffling to the employees, they figured it was better
not to make waves.  (Rumor has it that they were afraid the warehouse had
been phased out, and they had "forgotten" to lay them off, and figured it was
better to stay employed.)  They went to work every day, and moved boxes
around the warehouse, and submitted timecards, for three years, until someone
doing an audit finally wondered why major amounts of merchandise had simply
disappeared.  Tracing things back, the missing warehouse was finally re-found.
They were then stuck with an entire warehouse full of white elephants---
merchandise that was three years out of date.  Thus, Wards stores throughout
California ended up with major amounts of discontinued merchandise to sell at
deep discounts.  Wards, being majorly embarrassed, tried to downplay how the
merchandise was "found."  Or, more specifically, why it had become lost in
the first place.

The store employees got a big chuckle over the warehouse employees being
afraid to mention this oversight to the higher-ups, for fear of becoming
unemployed.  Many references to "like jobs with the government."

Of course, the question is: is this the only case like this?  Are there more
places where an operator entry glitch has caused some function to simply
disappear?  Things like this happen when live people are accidentally classed
as "dead," etc.  What happens if someone types the wrong thing, and the local
branch of your bank, or MacDonalds, or whatever, simply ceases to exist, to
the central computer?

   Jane Beckman  [jane@swdc.stratus.com]


Soon, ATMs May Take Your Photograph, Too

Michael W. Miller <mikeym@well.UUCP>
Wed, 1 May 91 08:06:51 pdt
Soon, ATMs May Take Your Photograph, Too,  By Paul B. Carroll,
Wall Street Journal, 25 April 1991, Page B1 (Technology)

*Smile* when you use that automated teller machine.  Miniature cameras may soon
become widespread in ATMs and elsewhere.
   At Edinburgh University in Scotland, researchers have produced a single
computer chip that incorporates all the circuitry needed for a video camera.
Even with a lens that fits right on top of the chip, it's still just the size
of a thumbnail. When they become available in a year or so, such cameras may
carry as little as a $40 price tag.
   NCR thinks these tiny cameras could find their way into lots of ATMs in the
next few years. The computer maker already sells ATMs that include cameras,
allowing banks to doublecheck on people who contend their account was debited
even though they didn't use an ATM that day. But those cameras are expensive,
especially because the big box with the electronics has to be so far back in
the ATM that it requires a long, elaborate lens. The lens also gives away to
potential cheats the fact that the camera is there, whereas the new tiny
cameras will just need a pinhole to peep through.
   "We see this as a breakthrough," says Greg Scott, an engineer with NCR in
Dunfermline, Scotland.
   The Scottish Development Agency, which supplied some of the initial research
funds, says the tiny cameras may also find their way into baby monitors,
picture telephones, bar-code readers and robotic vision systems.


Old O/S and Network Security

"351M::ESTELL" <estell%351m.decnet@scfb.nwc.navy.mil>
1 May 91 07:59:00 PDT
For years now, there has been a reasonable solution to the problem of
"an old O/S" and network security: Install a newer, much improved O/S
(WRT network security) _between_ the open network, and the "closed"
community that uses the old O/S to process valuable information.

If you REALLY want security, install a Honeywell SCOMP between the
internet, and your local host, LAN, or whatever; at less cost, and more
risk, install any C2 or better O/S host at that connection site.  Then
the would-be hacker has to penetrate something a bit better than the
"standard out of the box" 5-pin lock that yields in *seconds*.

Such a connection can be layered; e.g., one can put a "C2" host (such as
a DEC VAX running VMS 5.x, with security options turned on) on the
internet, as a MAIL host; then a "B2" (or better) system between that
MAIL machine on the internet, and another MAIL machine on the local
network; and even other "B2" (or better) nodes within the local net
protecting the most "valuable" hosts on it.  This is the electric analog
to the fence around the base, the lock on the building door, the locked
office, and the safe inside the office.

The continuing reluctance of "management" (both "general" and "system") to
adopt this (or other, better) solutions is perhaps one key to the continuing
lack of security.  Are we still "hung up" on the cost of hardware, versus cost
of personnel time to chase intruders?  Are we too proud to admit that we need
to improve?  Is the old aphorism right: "Never attribute to malice anything
that can be explained by stupidity."
                                                   Bob

              [The Honeywell SCOMP -- still the only A1 evaluated system --
              is now the Bull SCOMP.


Genie: (was Re: Email, Privacy, and `small print')

Chuq Von Rospach <chuq@Apple.COM>
1 May 91 06:17:40 GMT
By the way, to clear things up before the flaming starts, GEnie has recently
clarified its user policies for acceptable behavior (in the wake of the Linda
Kaplan affair, of which I'm trying to avoid speaking about). Their policy on
email is quite clear -- they say that junk mail, chain letters, offensive or
libelous mail, etc etc are unacceptable -- but they also make it perfectly
clear that GEnie does not under any circumstances monitor or read email on
their systems. They will investigate and deal with inappropriate mail ONLY
after complaints from the recipients.

Please don't start lumping GEnie and Prodigy together. They are like Night
and Orange Juice.

chuq (not attached to GEnie in any official way, although they do subsidize
one of my GEnie accounts. Aren't disclaimers silly?)

Chuq Von Rospach >=< chuq@apple.com >=< GEnie:CHUQ or MAC.BIGOT >=< ALink:CHUQ
     SFWA Nebula Awards Reports Editor    =+=    Editor, OtherRealms
Book Reviewer, Amazing Stories    ---@---    #include <standard/disclaimer.h>
Recommended: ORION IN THE DYING TIME Ben Bova (Tor, Aug, ***-); SACRED
VISIONS Greeley&Cassutt (Tor, Aug, ****+); MEN AT WORK George Will (****);
XENOCIDE Orson Scott Card (August, ****)


Prodigy Problem in Major Press

Bill J Biesty <wjb@edsr.UUCP>
Wed, 1 May 91 16:21:52 CDT
This is the summary of the WSJ article I get mailed to me on a daily basis.
Interesting that Prodigy does NOT deny that it sends customer data to their
host; ONLY that they DO NOT USE it.  If they "haven't any interest in getting
there" as the summary says, why are they spending their own money to get
customer data in the first place?  (Prodigy charges a lump fee for unlimited
connect time, so they are absorbing the cost of sending this extra data.)
Bill Biesty

 SUBJECT: WSJ DAILY EXTRACT 5/1/91    POSTED 05/01/91 16:09
 FROM: EDS BULLETINS
     WALL STREET JOURNAL DAILY EXTRACT           05/01/91

The following "extracts" are taken from Wall Street Journal (WSJ) articles and
are posted on the eMail Bulletin Board daily.  Technical Resource Acquisition
(TRA), assumes no responsibility for the accuracy of the extracts, which are
simply provided as a service to those who do not have the time to read the WSJ.
The extracts do not represent the opinion of EDS nor TRA, and are posted for
informational purposes only.

[...other summaries deleted...]

 o Subscribers to the popular Prodigy computer service are discovering an
unsettling quirk about the system: It offers Prodigy's headquarters a peek into
users' own private computer files.  The quirk sends copies of random snippets
of a PC's contents into some special files in the software Prodigy subscribers
use to access the system.  Those files are also accessible to Prodigy's central
computers, which connect to users' PCs via phone lines.  Prodigy, a joint
venture of IBM and Sears, Roebuck & Co., offers nearly one million users
electronic banking, games, mail and other services.  The service's officials
say they're aware of the software fluke.  They also confirm that it could
conceivably allow Prodigy employees to view those stray snippets of private
files that creep into the Prodigy software.  But they insist that Prodigy has
never looked at those snippets and hasn't any intention of ever doing so.  "We
couldn't get to that information without a lot of work, and we haven't any
interest in getting there," says Brian Ek, a Prodigy spokesman.  Nevertheless,
news of the odd security breach has been stirring alarm among Prodigy users.
Many have been nervously checking their Prodigy software to see what snippets
have crept into it, finding such sensitive data as lawyer-client notes, private
phone-lists, and accountants' tax files.  Even though Prodigy users' privacy
doesn't appear to have been invaded, the software problem points up the
security risks that can arise as the nation races to build vast networks
linking PCs via telephone lines.


Re: Prodigy, etc. (RISKS-11.56)

Chuq Von Rospach, only here for the beer <chuq@Apple.COM>
1 May 91 06:32:03 GMT
>It seems to me that there's nothing all that different between an e-mail
>service and a phone company--except the format of the data being carried.

There are actually a LOT of differences. Phone companies are regulated,
quasi-governmental agencies with guaranteed monopolies where the regulating
agency has build a set of regulations to make sure that the phone company
doesn't take advantage of their monopoly.

E-mail services are private businesses that are doing businesses with
individuals in an unregulated industry.

Now, you can argue that e-mail companies *OUGHT* to be regulated like phone
companies -- but they aren't, and to do so would require legislation (and
probably court fights and other associated legal stuff).

>but if a carrier offers a "conference call" service, I don't believe
>that they can restrict anyone from using it, or from saying what they like in
>the course of such a call.

Sure they can. They are a company doing business. When you sign up with
them, you make an agreement to do business with them within the guidelines
that are set down in the agreement. If you abrograte that agreement (be it
"not pay the bill" or "put the company in a situation of legal liability")
then that company has the right to terminate the agreement.

There is no guarantee of service. Even with the phone company, there is no
guarantee of service -- you don't believe me, go a few months without paying
your bill and argue that you have a right to continue using your phone.

>A sharp lawyer ought to be able to convince a judge or jury in a civil suit
>(where a preponderance of evidence is all that is necessary to win) that
>Prodigy and the others, in offering their e-mail and BBS services, are
>operating as de-facto carriers for electronic communications.

Sorry, I don't buy it. First, when you sign up for GEnie (and others),
you sign an agreement which stipulates the services rendered and the
responsibilities to both parties. What you're trying to do here is convince
a judge/jury that the legal contract you signed is, in fact, not valid. Not
likely to happen.

Second, "de-facto carrier" is, to me, a non-statement. An entity is either a
common carrier legally or it is not. If it is not a common carrier, it can
be held liable for what YOU do on ITS computers. There's no defacto attached --
unless it is given real, legally binding (through legislation or legal
precedent) common carrier status, a company HAS to have the right to refuse
you service and monitor your behavior for appropriateness, becaus otherwise
you are in a position of putting them in legal liability without them having
any recourse to protect themselves.

Sounds good -- but your thoughts don't seem to be well thought out as to how
things are in real life.
                                                Chuq


PRODIGY

A. Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com>
Wed, 1 May 91 12:03:26 -0400
In the current issue of the Prodigy Star (newsletter sent out from Prodigy to
users) there is a two page article from Harold Goldes (one of the Prodigy
EXPerts) on computer viruses. While it is quite informative, the issue of
online updating of executables/data is skated though one point seems clear -
they do not guarentee that you will not get a virus from Prodigy, and if you
do, it is your problem.


Prodigy

"Mary Culnan" <mculnan@guvax.georgetown.edu>
1 May 91 11:40:00 EDT
Prodigy recently ran an ad in DM News, a weekly direct marketing trade
newspaper with the header "..But you can't miss with Prodigy Direct Mail."  The
ad is encouraging companies to use Prodigy for direct marketing and says in
part,

  "Now, for the first time, marketers can deliver electronic mail to targeted
  segments of the PRODIGY service member file..."

Prodigy service members are highly-responsive, highly-qualified prospects.
They are young, well-educated, well-paid and well-traveled.  And they're active
users of the PRODIGY service, signing on 10 times a month on average, for about
20 minutes each time.

Members' demographic data is merged with their PRODIGY service usage
information to offer yo more than a dozen selections based on their interests
and activities, such as personal finance, sports, computers, travel, etc....

PRODIGY Direct Mail offers you the most sophisticated application available of
high-tech, high-touch direct-to-consumer marketing."

Clearly they are looking over the shoulders of every user--a point that was
also made in the recent NOVA show, "We Know Where You Live."
                                                                Mary Culnan


A Prodigy experiment

Bill Seurer <seurer@rchland.vnet.ibm.com>
Wed, 1 May 1991 11:01:59 -0500 (CDT)
Because of all the rumors flying around of Prodigy uploading data off of
user's harddisks I decided to test if this was indeed happening.

All of these rumors are based on the fact that the staging file (STAGE.DAT)
Prodigy uses to buffer its screens on the harddisk sometimes is found to
contain bits and pieces of user files and directories.  Some users claim this
proves Prodigy is uploading the data while others just say it is an artifact of
the way that DOS allocates files and because Prodigy does not initialize the
file when it is created.

I devised and carried out the following experiment in order to test if this was
happening.

The results are:
  Prodigy does not appear to be uploading any data.
  The STAGE.DAT file contains bits and pieces of ERASED files.

The experiment went as follows:

1) Re-installed Prodigy.  I erased all of the files Prodigy had
   installed on my system.
2) Modified CONFIG.SYS and AUTOEXEC.BAT to remove all TSRs and have 0
   DOS buffers.  I removed the disk caching software I usually use.  This
   was to prevent any leftovers in buffers or caches from showing up in
   STAGE.DAT and so that I could monitor what the harddisk was doing more easily.
3) Defragmented the harddisk so that all files were in contiguous blocks.
4) I ran CLEANDSK and CLEANEND to write zeroes over all the unused parts
   of the disk and over the unused ends of DOS files.
5) Powered the PC off and then on.  All memory was therefore flushed and
   the minimal system with no buffers was in use.
6) I created several large (500k) files each containing a different
   pattern of characters.  After all were created, I erased them.  This was
   to test whether STAGE.DAT is picking up bits of erased files.
7) I installed Prodigy using a large buffer.  This created a STAGE.DAT
   file that was just under 1 meg in size.
8) I browsed STAGE.DAT to see what was inside.  The first 250k or so had
   interesting stuff and the other 750k was 0's.  The interesting stuff was
   mostly buffered Prodigy windows (I could tell by the text that was mixed
   in) along with scattered pieces of one of the files I had created and
   deleted in step 7.  This file made up about 100k of STAGE.DAT. and given
   where the data was I'd guess that the first 200k or so of STAGE.DAT had
   been overlaid on the disk where this file used to be.  The *ONLY*
   non-Prodigy thing that I saw was a copy of my environment variables
   (COMPSEC, PATH, and PROMPT).  I noted that the windows that were
   buffered were the "old" windows (Prodigy has changed many of its windows
   since I got my installation kit).
9) Made a copy of STAGE.DAT so that I could compare it with an updated
   copy after I signed on.
10) I again powered the PC off and on to clear all the memory.
11) I signed on Prodigy.  While on I read some mail, sent some mail,
   read a few BBS appends, and looked at a couple of ads.  Then I signed
   off.  I noticed some things when I signed on.  First of all, it took a
   looooong time.  I surmised that all those "old" windows I had seen in
   STAGE.DAT were being updated.  I carefully watched my modem lights and
   harddisk light (remember, I had no buffering).  About 95% of the time
   (at least!) the modem was receiving data.  At the end of each long
   receive (some were 4 or 5 seconds long) the hard disk would be used
   briefly and the modem transmit light would flicker on.  Then there would
   be another long receive and etc.  At no time was my modem transmitting
   for more than a fraction of a second.
12) Using a hex/ASCII file comparison tool I compared the contents of
   the STAGE.DAT that I had saved with the updated one after I logged off
   Prodigy.  Many of the menus I had noticed the first time I looked were
   changed to the newer formats.  Also, the sign off menus and some of the
   messaging menus had either overwritten some (but not all) of the data
   from the file I had created and deleted in step 7 or been added at the
   end of the 250k of initially used area in STAGE.DAT.  STAGE.DAT now had
   about 280k of used area less perhaps 80-90k of data from the file in step 7.

This experiment shows to me that all the stuff about Prodigy uploading files is
rumors started by people ignorant of how DOS works.  Some people said that they
reinstalled Prodigy to see if that changed STAGE.DAT but they didn't
defragment/zero out their disks first so their data is highly suspect.  If they
had watched their modem lights they would realize that almost no time is spent
sending data to Prodigy when signing on but is almost all sent receiving it.

If I were to run this again I would change step 7 to completely fill up the
unused portion of my harddisk with the dummy files and then erase them all.  My
guess is that the 750k of space at the end of STAGE.DAT would then contain bits
from those files.  Later this week I think I'll try this and see.

My set-up in case you're interested is:

IBM PC-1 (the original) with an Intel Inboard/386, 40 meg harddisk, 2400
baud modem, DOS 3.2, and Prodigy 3.1 (which is the latest I believe).

If you have any questions about the experiment I'm more than happy to answer
them.  Also, if you have suggestions for more things to try next time let me
know.
         - Bill Seurer      IBM: seurer+@rchland  Prodigy: CNSX71A
           Rochester, MN    Internet: seurer+@rchland.vnet.ibm.com

Please report problems with the web pages to the maintainer

Top