The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 3 Issue 42

Monday, 25 August 1986

Contents

o Re: $1 million bogus bank deposit
Barry Shein
o Sometimes things go right
Matt Bishop
o Re: Cheating of automatic teller machines
Dave Farber
o Keystroke Analysis for Authentication
rclex
o Computer Vote Counting In the News -- More
John Woods
o Info on RISKS (comp.risks)

Re: $1 million bogus bank deposit

Barry Shein <bzs@BU-CS.BU.EDU>
Sat, 23 Aug 86 20:14:53 EDT
   >  "We are now looking very closely at our internal systems.  Human
   >error may also be involved," Kunowski said.

There's that term "human error" again.  Note Chernobyl, TMI, etc.  They
also seemed to like to speak of "human error".

Is this a new form of excuse?  Is it supposed to have PR value?
What else? Alien-life-form error? Supernatural error?

I know most of you agree with me, and this is essentially trite.
I am just starting to sensitize badly to this techno-speak.

    -Barry Shein, Boston University

    [I have commented on this on various occasions.  Many of the problems
     that we find are deeper sorts of "human error" -- the requirements
     are established badly (the DIVAD?), the design is flawed (Challenger
     booster rockets), the implementation is faulty (the first Shuttle 
     launch), the patch was put in wrong (Viking), the system permits 
     operation in an unsafe mode (Sheffield), etc.  Those are clearly human
     errors, but they get treated in the opposite way -- not treated as
     human errors, but rather disanthropomorphized as "computer errors"!
     What you are saying is both essentially trite and very deep, both at
     the same time.  PGN]


Sometimes things go right

Matt Bishop <mab@riacs.ARPA>
Mon, 25 Aug 86 08:19:14 -0700
All these letters about ATM's being outsmarted remind me of an incident
where someone gambled on the inability of a bank to change the programming
for managing ATM's, and lost.  This incident is described in Donn Parker's
book on computer crime, which I seem to have left at home (so I can't give a
reference), and it's interesting because it shows the risks in assuming
things can't be done quickly.

In Japan, someone kidnapped a little girl, and told her father to open an
account at a bank which had ATM's throughout Tokyo, and put the ransom in
that account.  He was then to indicate the account number and password (in
the newspaper via what Sherlock Holmes would call the agony column, I
guess). The kidnapper would then withdraw the money from one of the ATMs.
He figured there weren't enough police to watch all the ATMs and even if
there were, they would have no way of distinguishing him from any of the
other patrons who made legitimate withdrawals.

Unfortunately for him, when the bank heard about this, they got
several programmers together and working all night they changed the
program controlling the ATMs to trap any transactions for that
particular account, and immediately notify the operators at which ATM
the withdrawal was taking place.  They then put police at as many ATMs
as they could.  The father made the deposit, the kidnapper withdrew
the money, and before he could get out of the ATM booth the police
grabbed him.  The girl was recovered safely.  The programmers got a
medal.  The kidnapper went to jail.

Kind of nice to know that sometimes things do go wrong for the better!

Matt Bishop


Re: Cheating of automatic teller machines

Dave Farber <farber@huey.udel.EDU>
Sat, 23 Aug 86 17:01:38 -0400
That's the modern analog to the favorite telephone trick, stuff cotton [or
chewing gum] up the coin return, and come back later to collect the coin
returns.  (It's harder to do with the new pay phones, but not impossible.)

    [Yes, many of the current tricks are reincarnations of earlier ones.
     But, as we get higher-tech, new tricks are emerging as well.  PGN]     


Keystroke Analysis for Authentication (Re: RISKS-3.31)

<hplabs!caip!harvard!rclex!cdx39!jc@ucbvax.Berkeley.EDU>
Wed, 20 Aug 86 10:07:37 edt
>                                            ...  One gray area is checking
> the match between credentials and credential-holders:  this generally has
> to be done by humans unless the credentials are something like retinagrams.

Actually, this is easier to automate than most people would guess.

A few years back, I saw a demo of one solution, which is as accurate as
retinagrams, but is non-invasive.  This was the measurement of a "typing
profile" as a person typed something (it didn't much matter what) on a
keyboard that recorded and reported microsecond-precision timing info on
keystrokes.

The idea was to make a list of the most common 2-character pairs (th, he,
st, se, ...), calculate ratios of the top entries (th/he, he/st, th/st,
...), and normalize by dividing throughout by the mean value of the most
common pairs.  The resulting histogram turns out to be quite as specific as
retinagrams and fingerprints, and even harder to counterfeit.

Since then, I've been watching for applications, and have found instead that
most people 1) have never heard of it, and 2) don't believe that it works.
The people doing the demo weren't very concerned about either of these
"problems".  After all, only the ones making the decision to install it need
know about it; it's better if the subject not know or understand the
security system.  As for the second point, it doesn't really matter whether
the subject believes in it; it works regardless.

It's surprising how short a message it works with.  Obviously, you need at
least 3 characters; it turns out that you don't need more than about 10.  Of
course, there are failures.  But from a security viewpoint, they are in the
right direction of labeling a person as "unknown", typically when they are
typing irregularly due to fatigue or drugs.

The demo system had no sign-on.  You just started typing commands; the
machine determined for each command who had typed it and whether the person
was authorized to do what was asked.  In particular, they liked to show an
operator's console sitting in a non-secure area.  The machine would obey
commands typed by authorized operators, but not by anyone else.  It was
rather cute.  A lot of people who tried using it got very nervous looks on
their faces.  "The machine really does know who I am, doesn't it?"

Of course, you couldn't use this approach with just any commercial 
terminal.  How could you get the timing figures out of a VT100, 
for example?  But the data collection is well within the capabilities 
of the typical intelligent terminal with an 8-bit micro as a controller.

I've occasionally wondered whether there are any other non-invasive
identification techniques that are anywhere nearly as effective as
this one.  I haven't heard of any.  But then, they might not be very
widely advertised if they do exist.

I've also wondered about the feasibility of using this as a "user
friendliness" feature.  Imagine not needing to sign on to a system;
you just walk up to any terminal and start typing commands....
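
Added example (not part of the original message, and not the code of the demo system it describes): a sketch of the digraph-timing profile outlined above, in which per-pair latencies are divided by their mean so that only the ratios between pairs remain, and a sample with too little data or too large a difference is labelled "unknown". The thresholds, the distance measure, the `typed` helper and the sample timings are assumptions constructed for illustration.

```python
from collections import defaultdict

DIGRAPHS = ("th", "he", "st", "se")  # the pairs the post names
MIN_SHARED = 3     # assumed: fewest pairs needed before deciding
THRESHOLD = 0.15   # assumed: largest mean difference accepted

def profile(events):
    """events: [(char, press_time_us)] -> {digraph: normalized latency}."""
    sums, counts = defaultdict(float), defaultdict(int)
    for (c1, t1), (c2, t2) in zip(events, events[1:]):
        pair = (c1 + c2).lower()
        if pair in DIGRAPHS and t2 > t1:
            sums[pair] += t2 - t1
            counts[pair] += 1
    means = {p: sums[p] / counts[p] for p in sums}
    if not means:
        return {}
    overall = sum(means.values()) / len(means)
    # Dividing by the overall mean removes raw typing speed from the profile.
    return {p: m / overall for p, m in means.items()}

def distance(enrolled, sample):
    """Mean absolute difference over shared digraphs, None if too few."""
    shared = set(enrolled) & set(sample)
    if len(shared) < MIN_SHARED:
        return None
    return sum(abs(enrolled[p] - sample[p]) for p in shared) / len(shared)

def identify(enrolled_users, events):
    """Closest enrolled user within THRESHOLD, otherwise 'unknown'."""
    sample, best_user, best = profile(events), "unknown", THRESHOLD
    for user, enrolled in enrolled_users.items():
        d = distance(enrolled, sample)
        if d is not None and d <= best:
            best_user, best = user, d
    return best_user

def typed(text, gaps_us):
    """Constructed input: key events for text with the given digraph gaps."""
    t, events = 0, [(text[0], 0)]
    for a, b in zip(text, text[1:]):
        t += gaps_us.get((a + b).lower(), 150_000)
        events.append((b, t))
    return events

TEXT = "the best thesis set"  # constructed sample containing all four pairs
ALICE = {"th": 90_000, "he": 110_000, "st": 140_000, "se": 100_000}
BOB = {"th": 150_000, "he": 80_000, "st": 100_000, "se": 160_000}
```

Enrolling with `profile(typed(TEXT, ALICE))` and then calling `identify` on a sample typed at a different overall speed shows why the normalization matters; a three-character sample yields only two tracked pairs and is rejected as "unknown".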


Computer Vote Counting In the News [SOME NEW STUFF, SOME OLD]

John Woods <jfw@EDDIE.MIT.EDU>
Sat, 23 Aug 86 21:13:24 EDT
    [SEE SUMMARY OF EVA WASKELL'S EARLIER TALK BY RON NEWMAN in RISKS-2.42]

Use of computers in elections raises security questions
Boston Globe, 23 August 1986, page 17
By Gregory Witcher, Globe Staff

   The computer programs that will be used to count the votes in elections
this fall across the United States, including a quarter of the votes in
Massachusetts, are vulnerable to tampering and fraud, according to computer
specialists, researchers, science writers and attorneys.
   Although no case of computer fraud has been proved, specialists say a
large potential exists because of the lack of mandatory federal or state
security guidelines to prevent it.
   In addition, they say, there are no independent means of auditing
programs to verify they are working properly and most local election
officials lack the computer skills necessary to detect if computer
programs are secretly altered.
   "It's like a black box," says Eva Waskell, a Reston, Va., science
writer who helped organize a recent two-day conference at Boston
University on the potential of computer fraud in voting.  "Election
officials have no hard data to back their claims that these
vote-counting programs are counting accurately."
   Sixty-five percent of the votes cast by Americans in the 1984
presidential election were tabulated by computer systems, according to
the Federal Election Commission.  In next month's Massachusetts primary,
computer programs will be used to tally the votes in 26 percent of the
state's 351 election precincts, the Secretary of State's office says.
   Four of every five of those votes will be tallied by a vote-counting
program that has been challenged in cases now pending in state and
federal courts in Indiana, West Virginia, and Maryland.  In Indiana and
West Virginia, the company was accused of helping to rig elections.
   The program was developed by Business Records Corp., formerly
Computer Election Systems, a Berkeley, Calif., company that federal
election officials estimate produces more than half the computer voting
equipment used nationwide.  Company officials in Berkeley and Chicago
could not be reached for comment yesterday.
   John Cloonan, director of the elections division of the Massachusetts
Secretary of State's office, said there have been no instances of
computer fraud reported since Massachusetts first began using a
computer-assisted voting system in 1967.
   Computerized voting is now used in Massachusetts jurisdictions ranging in
size from Worcester, the state's second largest city with about 80,000
registered voters, to Avon, where there are 3,000 registered voters, Cloonan
said.
   Voters in Boston and in one-third of all Massachusetts communities
cast their ballots on mechanical lever-type machines.  The remaining
cities and towns use paper ballots.
   According to David Stutsman, who participated in the two-day seminar
at BU, a recount of the votes cast in Elkhart County, Ind., in November
1982 showed that the computer program had improperly printed the results
of one race in another, failed to count all the votes for one candidate
and counted 250 more votes than there were voters in a third race.
   Stutsman is an attorney representing eight candidates who challenged
the election results in lawsuits alleging that the vote counting was
"false and fraudulent."
   Stutsman contended that a computer programmer from the company changed
the computer program's instructions on election night, but without a system
to record changes made in the program and without election officials
knowledgeable about how the program worked, "it was impossible to say how the
votes were counted and whether they were counted accurately or not."
   In another case presented at the conference, a review of 1984 election
results showed that President Reagan received 159 votes in the Trinity River
Bottom precinct, defeating challenger Walter Mondale by a 3 to 1 margin in
the Texas district inhabited only by squirrels, rabbits and fish.
   "The computer invented those numbers.  The numbers could not have
gone into the program but they came out," said Terry Elkins, a political
researcher in Dallas who studied the election results.  "No one lives
there, so the fish must have voted."
   Despite reports like these, others remain confident that computer voting
is not terribly vulnerable to fraud or error.  "The smoke far outweighs the
fires," William Kimberling, a federal elections administrator in Washington,
said.  Kimberling said that none of the allegations of fraud raised in the
legal challenges has been upheld in court.


Words, words, words...

<LIN@XX.LCS.MIT.EDU>
Mon, 25 Aug 1986 15:08 EDT
    The point is that a person who believes something, however
    erroneously, and espouses and publicly supports that belief, is *not*
    lying.  These are complex times.  There are many matters about which
    reasonable persons, even reasonable scientists, may differ.  There is
    no point in saying that a person lied when that person was doing the
    best work possible based on the knowledge and belief available at the
    time.  

I'd like to believe this, but I think you leave out a major category
-- how are we to classify what could be called "deliberate ignorance"?
That is probably the most charitable label that one could give to the
call for SDI -- a system that will eliminate the threat of nuclear
ballistic missiles.  Some people (some of them on RISKS) have called
such statements merely "political rhetoric".  But when the call is for
defense of the entire population, and NO ONE in the scientific
community believes that it is possible to frustrate a deliberate
Soviet attack on the U.S. population, isn't that either lying (at
worst) or deliberate dumbness at best?
-------
