The RISKS Digest
Volume 4 Issue 33

Sunday, 21st December 1986

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Help British Telecom save a WORM.
Scot E. Wilcoxon
o Security of magnetic-stripe cards
Brian Reid
o Korean Air Lines Flight 007
Dick King
o Car-stress syndrome
Dick King
o Bugs called cockroaches [A True Fable For Our Times]
o Re: More on car computers (not Audi)
Miriam Nadel
o Runaway Audi 5000
John O. Rutemiller
o Info on RISKS (comp.risks)

Help British Telecom save a WORM.

Scot E. Wilcoxon <sewilco@mecc.UUCP>
21 Dec 86 04:01:49 GMT
  >Unfortunately, a relatively simple doctoring of the card has been discovered
  >that threatens the whole scheme, and makes a card indefinitely reusable [at
  >least until the system is either modified or withdrawn].

A read-after-write test before using the resource (telephone time in this case)
might be the generic solution.  This won't work if the BT reader can't be
positioned to read what has just been written.  Hopefully there aren't many
other major installations with the same flaw (BART & other transport?).

Computer programmers should know of this flaw due to one eagerly-awaited
peripheral which is finally becoming available.  Writeable optical data disks
(ie, WORM drives) promise storage of huge amounts of data.  People who want to
sell large numbers of programs or data will now be able to put hundreds of
programs on one optical disk.  One "demonstration disk" method being used by
some companies is to allow a program to be used a few times or for a few days.
This method may be vulnerable to a write-blocking technique similar to the
British Telecom card doctoring, although different physical tools may be
needed.  The designer of an optical disk collection should be aware of this
technique so he can thwart it.

Scot E. Wilcoxon   Minn Ed Comp Corp  {quest,dayton,meccts}!mecc!sewilco
(612)481-3507           sewilco@MECC.COM       ihnp4!meccts!mecc!sewilco

security of magnetic-stripe cards [This relates to earlier risks.]

Brian Reid <reid@decwrl.DEC.COM>
20 Dec 1986 0109-PST (Saturday)
There are three ways that I know of to fraudulently modify magnetic-strip
credit cards. The technology to make mag-stripe credit cards secure against
two of them has existed for almost 15 years. Most credit-card companies do
not use it because it is more expensive than the losses that they are
currently sustaining from fraud. However, the main reasons for its expense
are that it requires new card-reader electronics, and in the fullness of
time one could imagine moving to it.

The three attacks are:
 1) Copying the strip from one card to another
 2) Modifying the contents of a card with read/modify/write (or
    rewriting it completely, if you choose)
 3) Making a checkpoint of a card, using it, and then restoring the
    card to its former state.

This technology can protect against attacks (1) and (2), but not (3). I
first heard about it from a security person at the National Bank of
Washington in 1973.

Here's how it works. When a credit card is molded, it is molded out of
plastic that has had nickel particles stirred in with it. The magnetic
strip is affixed, and the card is run through a machine that senses the
location of the nickel particles on the card and computes a
cryptographic checksum of their positions. The checksum function is
secret. That checksum is used as the decryption key of a 2-way
encryption function, and the remaining information on the magnetic
strip is encrypted in such a way that the nickel-particle checksum of
the plastic card is used as the decrypting key for the data on the
magnetic strip.

This protects against attack 1, copying, because the contents of the
mag strip on one card will not work on a card with a different nickel
checksum. This protects against attack 2, forging, because even if the
forger can determine the position of the nickel particles he does not
know how to compute the checksum from their position. It is easy to
design a system for which attack 3 will not be useful.

I believe that the expense of this system is the expense of the
particle-sensing readers, which are more delicate than mag-strip
readers. I am confident that if electronic fraud with credit cards
starts to cost more than the particle readers, that banks will switch.

Brian Reid
DEC Western Research

Korean Air Lines Flight 007 (RISKS-4.31)

Dick King <king@kestrel.ARPA>
Thu, 18 Dec 86 13:48:36 pst
I'm very unimpressed with the straightness of the logic in Shootdown.
There seem to be as many contradictions within that volume as there
are in the record of the shootdown itself.

As one example, on page 24 [hardcover, American edition] he states that "The
full significance of this becomes apparent if one realises that Soviet
ground control was undoubtedly monitoring 007's conversation with Tokyo,
presumably with a slight lag as a translation was obtained.  ...".  The
transcripted conversation, to which the Soviets were "undoubtedly"
listening, clearly identified the airliner as 007.  The thrust of P. 24-27
is that the plane gave out deceptive information that fooled the Soviet air
defence.  On page 187, however, he quotes the Times as quoting US
intelligence analysts as saying "the initial identification of the the
jetliner as a military reconnaissance aircraft became fixed in the mind of
Soviet air defence officials and was strengthened after Soviet interceptors
were unable to locate the plane for two hours".

Mr. Johnson did not explain why the Soviets were, according to him,
listening closely enough to this routine airliner traffic to be fooled, and
why, if they thought the intruder was not 007, they attributed 007's
broadcasts to this intruder.  Remember, they were supposed to be hearing
007; they are just supposed to have thought that this plane wasn't it.


Car-stress syndrome (RISKS-4.31)

Dick King <king@kestrel.ARPA>
Thu, 18 Dec 86 12:19:22 pst
This brings up an interesting RISK imposed by high technology in general --
namely that certain people will take advantage of the public's natural fear
of the unknown.  They can either offer new and different forms of snake oil
or, as this ad seems to do, or they can prey on the public ignorance as to
how things work and what is known or not known about safety and levels of
exposure, to attract a following for whatever reason.

What has this to do with computers?  Two groups I know of are arguably using
this tactic in a computer-related manner.  One group, 9-5 I believe,
attempts to bolster a political base by causing CRT's to be regarded as
*unsafe*.  The second group offers to clear credit problems, doing nothing
you couldn't do for yourself [per CR], but implying in at least some of
their ads that they have an "in" with the computer network.

* I will apologize to the first person who can show me that most of the
group's supporters refuse to allow a TV into their homes, or at least that
the group advocates such refusal.  I have never even seen any such
literature claim that monochrome TV's are safer.  This would be obviously
counter-productive because most of the intended audience uses monochrome
monitors, but voltages are lower, images are crisper, flyback noise tends to
be less; this covers most of the claimed problems with CRT's.

Bugs called cockroaches [A True Fable For Our Times]


  >  Heisenbugs is already a fairly common term — it refers to bugs
  >  which go away as soon as you try to run them under a debugger 
  >  (or with the debugging compile- or run-time flags set).

I once had an amusing problem where the most likely cause was that I was
exceeding array bounds.  Naturally I turned on the bounds checking flag,
and got fatal output errors.  So I next put in manual traces, and I still
got fatal output errors.  Highly annoying, no?  A little investigation
revealed that the newly compiled-in format strings were getting trashed.
I'm talking about a genuine cockroach.

What to do, what to do?  I declared a dummy array of dimension 100k--what
the heck, it was on a Cray--so from then on the array overflow was safely
trashing the dummy; I got my trace and I killed the nasty little bugger.

So, what is the moral of this story?  Obviously, 

     "Rough strings do flake the darling bugs of Cray."  

            [Ah, yes, the iambic pentameter is always a giveaway.
            For those of you in search of the original, the first 
            line is exceedingly well known:

                       Shall I compare thee to a summer's day?
                       Thou art more lovely and more temperate:
                       Rough winds do shake the darling buds of May,
                       And summer's lease hath all too short a date:

            I hope that any future shaggy bug stories will be more lovely,
            more temperate, and less anonymous.  PGN (LE KOOK or HOTSHOT?)]

Re: More on car computers (not Audi)

Controls Wizard <dma%euler.Berkeley.EDU@BERKELEY.EDU>
Thu, 18 Dec 86 12:09:35 PST
According to the latest issue of Consumer Reports there is a recall of 1982
Toyotas because a problem with the cruise-control computers can result in
uncontrollable acceleration.  Yet another reason for Audi to rethink their
                      Miriam Nadel  [Specify by name in any direct reply]

Runaway Audi 5000

"John O. Rutemiller" <Rutemiller@DOCKMASTER.ARPA>
Sat, 20 Dec 86 11:03 EST
The Washington Post Magazine for December 21, 1986 had an article in which
the author supports Audi's position of driver error.  I believe his view
helps show the current trend of people like "60 Minutes" to blame a computer
or machine without looking at operator error.  I'm glad someone is willing
to accept possible operator error.  The full text follows.

      Audi's Runaway Trouble With the 5000,      by Brock Yates

  I recently watched in fascination as Ed Bradley reported on the CBS-TV
  show "60 Minutes" that the 1978-'86 Audi 5000 sedans can treacherously
  launch themselves like misfired missiles when their automatic
  transmission levers are placed in drive or reverse.  This phenomenon
  labeled "unintended acceleration," has allegedly been responsible for
  several deaths, including a particularly poignant one - tearily
  documented on the show - in which a pretty young mother crushed her
  young son against the back wall of a garage.  The segment included
  testimony from several victims.  They decried Audi's suggestion that the
  trouble lay not in a mechanical flaw but in driver error.

  Audi says the drivers accidentally hit the accelerator, not the brakes,
  after engaging the transmission.  Although Bradley acknowledged Audi's
  explanation and interviewed two of its engineers, he clearly sided with
  the owners.

  "60 Minutes" portrayed the Audi 5000 as a flawed automobile, perhaps
  cursed by its "idle stabilizer control," a fuel system component that
  supposedly triggers "transient malfunctions" without warning.

  But wait a minute, did Bradly tell us everything?  There is no arguing
  the Audi is in serious trouble with the 5000:  Sales are down 20 percent
  and the Center for Auto Safety has taken the position that the
  Department of Transportation should require Audi to buy back all its
  5000s.  Further, an Audi spokesman agrees that "hundreds" of
  acceleration incidents have occured in the 5000s.  The Center for Auto
  Saftey has received 500 reports and believes more than 750 reports have
  been made altogether.  Audi has ceased to stonewall the issue.  "We take
  the responsibility to resolve the problem," says Audi public relations
  director Ed Triolo.

  Furthermore, the phenomenon of "unintended acceleration" is not new.
  The problem has occurred in a variety of autos with automatic
  transmissions.  More than 2,000 complaints have been made about General
  Motors models built between 1973 and 1986.  Owners of Toyotas, Renaults,
  Mercedes-Benzes and Nissans have also reported unintended acceleration
  incidents.  However, the Audi 5000 has the highest percentage of
  acceleration incidents:  about 1 in 400 cars built.

  Triolo says that in the 270 accidents that have been examined by Audi
  engineers, only six idle-speed stabilizers were found defective and not
  in a way that would cause rapid, unexpected acceleration.  More
  important, the Audi 5000 - with its 2.2-liter, five cylinder engine
  developing only 110 hp - simply does not have enough power to override
  its brakes.  (Drivers involved in the incidents swear they are standing
  on the brakes.  Audi has found no instances of brake failure in autos it
  has examined.)

  Who's right?  Will an Audi 5000 outmuscle its own brakes?  I borrowed a
  1984 Audi 5000, floored the accelerator with my right foot and stepped
  on the brake hard with my left foot.  Then I moved the transmission from
  park to drive.  AND THE ENGINE STALLED!  It lacked sufficient power to
  override the brakes.  According to my brief test, for unintended
  acceleration to occur, two independent systems - fuel supply and brakes
  - must fail simultaneously and somehow return to normal.

  Audi says it went even further.  In demonstrations for both CBS and NBC,
  it made full-throttle acceleration runs to speeds between 30 and 50 mph
  and then, with the throttle on the floor, stopped the car with the brakes.

  All of which raises some interesting questions "60 Minutes" failed to
  ask about the Audi 5000 incidents:

  Why, after millions of starts over an eight-year period, haven't there
  been any runaway 5000s reported at Audi's 410 dealerships?

  Why do there seem to be more of these incidents among drivers who have
  relatively little experience driving the Audi 5000?  (There are an
  inordinate number of such incidents within the first 2,000 miles of the
  life of a given car.)

  Why are there no reported accidents with the Audi 4000 Quattro, which
  has an identical idle stabilizer mechanism?

  Why do independent experts, who have speculated that the trouble is
  centered on throttle linkage, the computer brain in the engine, the
  automatic transmission or the idle stabilizer, still openly admit there
  is no obvious culprit?

  Why, in a number of accident investigations, did Audi engineers find the
  accelerator pedal bent, even snapped off, presumably by foot pressure?

  While continuing to research the incidents, Audi has so far installed
  32,000 interlock devices that prevent the transmission from being
  engaged without the driver's foot on the brake.  Audi has asked all
  owners of the 5000 model to bring their cars in for free installation of
  the interlock.  Audi is adamant that the device is a solution, although
  Triolo says the company does not expect it to eliminate the problem.

  Drivers of three cars equipped with the interlocks have reported runaway
  crashes.  In the first case, an Audi spokesman says, the driver's
  description of the event changed over time, and Audi representatives
  decided it was not a case of brake failure or runaway acceleration.  In
  the second case, Audi says a bushing was installed upside down,
  preventing the interlock from working.  In the third case, Audi says it
  has not been allowed by the owner's attorneys to inspect the vehicle.

  Audi contends that the problem of unintended acceleration is a complex
  one involving a number of factors, including the design of the car
  itself, the driver, and external distractions.  Triolo says the problem
  of unintended acceleration is inherent in automatic transmission cars
  throughout the auto industry, not just in Audis.

  There is one potential explanation for the runaway Audis that strikes me as
  obvious:  The brake and accelerator pedals in the Audi 5000 are off-center,
  to the left.  In models of the 5000 built before 1983, it was even possible
  to step on the brake pedal and the accelerator at the same time, a problem
  Audi has since rectified.  Audi maintains that brake and accelerator pedals
  in autos come in a wide range of placements, some farther to the left than

  I maintain the pedals are sufficiently misplaced that inexperienced
  drivers might easily thrust a right foot forward and hit the accelerator
  when intending to hit the brake.  Audi has investigated at least one
  incident in which a 5000 was driven a foot or so into a concrete wall in
  a parking garage, the rear tires spinning in anguish, the driver
  confused as to what was happening until she finally realized her right
  foot was on the accelerator.

  Sadly, one of the most troubling aspects of these incidents is that so
  many Audi 5000 drivers fail to avert disaster simply by shoving the
  transmission shifter into neutral or turning off the ignition.  While it
  certainly is understandable that a panicked driver might actually press
  harder on the throttle of a runaway car, thinking he was stepping on the
  brake pedal, such a reaction also exposes the dismal training and
  minimal presence of mind the average American driver has when faced with
  an emergency.

  How about a segment on driver training, Mr.  Bradley?

Please report problems with the web pages to the maintainer