The RISKS Digest
Volume 4 Issue 77

Thursday, 23rd April 1987

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

'Hackers' hit the Jackpot
Michael Bednarek
Fidelity Mutual Funds Money Line feature
Chris Salander via Barry Shein
VCRs, Telephones, and Toasters
Martin Ewing
Checklists, Aircraft risks, and Neutrons
Eugene Miya
Neutron Beams for Explosives Detection
Marco Barbarisi
Forgery on Usenet
Brad Templeton
Re: How to post a fake
Wayne Throop
Info on RISKS (comp.risks)

'Hackers' hit the Jackpot

Michael Bednarek <munnari!murdu.oz!u3369429@seismo.CSS.GOV>
Thu, 23 Apr 87 17:27:22 EST
Paraphrasing a well-known motto:
The Benefits to Individuals in Computer Systems

'Hackers' hit the Jackpot, by John England
The Sun, Melbourne, 23-Apr-1987

BONN, Wed. - Computer experts have cracked the codes of West Germany's most
popular poker machine.
  They are selling computer print-outs giving the machine's play programs
for $6500 and people are embarking on money-spinning raids on pubs and
amusement arcades.
  Even better, if a person is caught using the system there is nothing to fear.
West Germany does not have a law saying it is illegal to fool a machine.
  The ruse came to light when three students made a "hit" on a Cologne pub
which has four machines.
  Police were called after the students won the jackpot on each of the machines
within minutes and a search revealed a computer print-out giving the machines'
play programs.
  Police believe the students, from Brunswick University where a technical
department checks poker machines to make sure they comply with the payout law,
were the "hackers" who cracked the code.
  The makers are hurrying to change their programs but, as a spokesman
admitted:  "You can't fix 160,000 machines overnight - or stop the hackers
cracking the new code!"


Fidelity Mutual Funds Money Line feature

Barry Shein <bzs@bu-cs.bu.edu>
Thu, 23 Apr 87 01:50:10 EDT
From: chris@leadsv.UUCP (Chris Salander)
Newsgroups: misc.invest
Date: 22 Apr 87 19:54:17 GMT
Organization: LMSC-LEADS, Sunnyvale, Ca.
Summary: BEWARE!!!  Computers gone mad!

    Fidelity Investments has a feature on their Mutual Funds called
the Money Line.  Every quarter or every month their computers will call
the computers at your bank and withdraw a specified amount of money from
your checking or savings account and invest it into a particular fund.

    I have been severely victimized by this feature and have lost
control of my checking account because of it.  As a warning to the rest
of you here is my story:

January 1986
    I sign up for 3 of Fidelity's funds and invest some $.  I ask for
the Money Line feature (once every quarter) on each account and give them
my electronic banking number and checking account number.

May 1986
    Investments doing well.  Money Line feature on each fund was never
activated.  I invest in one more fund, Magellan.  This time I specify NO
Money Line feature.

July 1986
    Money is withdrawn from my checking account without warning.  A
statement shows up saying that the Magellan fund now has that money.  I
call Fidelity customer service and ask for this to stop.

October 1986
    Money is again withdrawn from my checking account without warning.
For the first time in my life my checking account is overdrawn because
of this withdrawal.  I am fined by the bank.  I call Fidelity and ask them
to stop.  I write them a letter telling them to stop.  I withdraw all my
money from Magellan.  The beast should be dead.   But .....

January 1987
    Money is withdrawn from my checking account and placed into an
otherwise empty Magellan fund account that still exists.  This withdrawal
causes a check to bounce for the first time in my life.  I call Customer
Service.  They refer me to the Research Department.  Research gets back
to me later and assures me that everything will be stopped.  TWO MONTHS
later I get my money back.  Meanwhile, I am fined by my bank for the
bounced check and embarrassed in front of the company I paid it to.
Is the beast dead?   Noooo ...

April 1987
    Money is again withdrawn from my checking account without warning.
The Money is put into a NEW Magellan account in my name.  I transfer the
money out.  I visit the office of my bank where my account is.  I ask them
to cancel this connection to my account.  The flesh and blood people say they
cannot help me and give me a phone to call Customer Service.  Customer
Service identifies the automatic debit feature on my account and puts a
"STOP order" on it.  The operator then says that she cannot guarantee
that this will prevent the access from occurring again.  She says that
if the Fidelity computer asks for its money again, the bank computer will
probably give the money to it.  I'm furious.  I complain to the flesh and
blood people.  They say there is nothing they can do.

Epilog
    I am taking all of my money out of Fidelity to punish them for this
and to avoid future problems with them.  I will be cancelling my account
with the bank and moving it somewhere else.  Only then will I kill the
beast.  I hope ...
                    BIG BROTHER IS HERE AND HE IS A COMPUTER!!!


VCRs, Telephones, and Toasters

Martin Ewing <mse%Phobos.Caltech.Edu@DEImos.Caltech.Edu>
Wed, 22 Apr 87 23:15:07 PDT
I appreciate the comments of Beckman and Saltzer on inappropriate
technology in VCRs, toasters, etc.  I, too, have found it inordinately
difficult to program our "7-day programmable" VCR.

The telephone offers another case.  Our "Dimension/1" system happily
takes a half dozen codes for call forwarding, camp-on, holding, etc.,
with zero feedback as to its internal state.  Just for spite, it gives
you a little chirp as you realize you forgot to reset call forwarding
and your call has flown off to the other end of the building. 

You can also get into exotic telephone situations with banks and mutual
funds, as you can transfer five figures of cash between accounts without
being *quite* sure afterwards what you have done.

A simple rule would be that any user interface should have visual output
that is in line with the complexity of the transaction.  Visual because
an entire transaction can be viewed at once.  VCRs are lately using the
TV screen for state indication, and financial institutions are providing
PC access for their customers.  Both are hopeful developments.  I just
don't know about smart toasters.  Can they scorch ascii on your
crumpets?
        Martin 


Checklists, Aircraft risks, and Neutrons

<eugene@ames-nas.arpa>
23 Apr 87 09:05:58 PST (Thu)
  Subject: Re: Checklist stops risks?
  From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>

It seems maintenance is one of the biggest problems in software, and not
uncommon to software.  If there is any one area where we could use
checklists, and where software people [and others] fall down, it is in the
area of long-term maintenance.

  From: ladkin@kestrel.ARPA (Peter Ladkin)
  Subject: Aircraft risks
  >One possible source of confusion - a blackout is not a loss of consciousness

The problem is there is a lag associated with loss of vision and loss
of unconsciousness which does not travel at the speed of light.  I would
suggest it is not as easily reversed as implied.  Better to stay far away.

  Subject: Neutron beam detection [RISKS 4.75] (Scott Dorsey)
  >In addition, what happens to digital electronics when they are hit with 
  >slow neutrons?  

Yes, interesting indeed.  You may have just justified the use of GaAs
circuits for home use.  This is especially critical when you consider we can
sputter layers 20 atoms thick when hitting these atoms with neutrons.

--eugene miya, NASA Ames Research Center


Neutron Beams for Explosives Detection

Barbarisi <marco@ncsc.ARPA>
Thu, 23 Apr 87 16:29:25 CST
    I did an experiment with neutron radiation for a physics laboratory
while I was in college.  It may shed some light on this issue.

    For the experiment, a silver dime was placed in a device called a
"neutron howitzer" and irradiated with neutrons for approximately one
minute.  The dime was removed and the gamma radiation emissions were
monitored.  As I recall, the half-life of the radiation was about thirty
seconds (it was very "hot" upon removal from the howitzer).  After about
three or four minutes the gamma radiation decayed to background levels.  The
latex stick which held the dime in the neutron howitzer showed no sign of
radiation at all.

    Thus, I doubt that there would be any lasting effect on clothing and
food from low energy neutron radiation.  The device we used to irradiate the
dime was in a refrigerator-sized can of lead and used plutonium to generate
the neutrons.  The device that is proposed for airport use is of
considerably less power.

    However, there would be considerable hazard to an airport worker
stationed near the neutron emitter.  I foresee lawsuits a-plenty when a
baggage handler working near the bomb detector gets a nasty disease or
produces afflicted offspring.

Marco C. Barbarisi   marco@ncsc.ARPA   (904)234-4954


Forgery on Usenet

<brad%looking%math%math.waterloo.edu@RELAY.CS.NET>
Wed Apr 22 19:07:34 1987
While I'm not sure we should be revealing all this, it is possible
to go even further and make forgeries that can't even be traced by
looking in the logs.

If you are root on your machine, you can change the machine's site
name, so that it pretends to be another machine.  If the remote site
you are calling has a general uucp login, nothing prevents you from
saying, "hi, I am site ihnp4, and here are some transactions."

cbosgd does have such a general login.  If you insist on a different
login (with password) for every network partner, then that can be safe
IF you have a version of uucp that does security checks on the names.

I think lots of people have got secure uucp mail, at least within
their organization, these days.  I don't think they do with news.

Brad Templeton, Looking Glass Software Ltd. - Waterloo, Ontario 519/884-7473


Re: How to post a fake

<rti-sel!dg_rtp!throopw@mcnc.org>
Thu, 23 Apr 87 17:53:47 EST
> From: sun!plaid!chuq@seismo.CSS.GOV (Chuq Von Rospach) ...
> That's how you forge messages.  And as long as the uucp links exist, there
> is no way to fix this, because a vital piece of information isn't passed out
> of uucp.

Well.... I disagree on a minor point.  A news system could allow only
user "news" to get at rnews, and only allow user "news" incoming access
to uuxqt.  (With perhaps similar arrangements for mail.)  This means
that uux would not be allowed for anything but news or mail, but it
would plug the security hole.  So, revise Chuq's point to be "as long as
the uucp links on news systems need to be used for anything but news and
mail, there is no way to fix this."

At least... I THINK so.                  Wayne Throop

   [I am suppressing a bunch of other messages on this subject.
   It is important that you all be aware of the risks, although the
   nuances in trying to avoid them are probably beyond the interest of 
   our readership community.  Suffice it to say that most of the alleged
   solutions still have significant windows of vulnerability. PGN]
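The two defences these last two messages describe, a dedicated login for each network partner that is bound to one site name (Templeton's "security checks on the names") and a per-login list of what uuxqt may execute (Throop's "only user news gets at rnews"), can be expressed as a single admission policy. The following is an added example, not code from the digest or from any UUCP implementation; the login names, site names, command lists and sample sessions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical policy tables, constructed for this example (not real UUCP files).
# Each dedicated login is bound to exactly one site name and one command set.
@dataclass(frozen=True)
class Partner:
    site: str             # site name this login is permitted to claim
    commands: frozenset   # commands this login may ask uuxqt to run

POLICY = {
    "Uihnp4":  Partner("ihnp4",  frozenset({"rnews", "rmail"})),
    "Ucbosgd": Partner("cbosgd", frozenset({"rnews"})),
}

# Shared logins any caller can use: they bind to no site, so a site name
# claimed over them is worthless as evidence of where the traffic came from.
GENERAL_LOGINS = {"uucp", "nuucp"}


def check_site(login: str, claimed_site: str) -> Optional[str]:
    """Return None if `login` may act as `claimed_site`, else the reason to refuse."""
    if login in GENERAL_LOGINS:
        return "general login cannot vouch for a site name"
    partner = POLICY.get(login)
    if partner is None:
        return "unknown login"
    if claimed_site != partner.site:
        return f"login {login} is bound to {partner.site}, not {claimed_site}"
    return None


def check_command(login: str, command_line: str) -> Optional[str]:
    """Return None if uuxqt may run `command_line` for `login`, else the reason to refuse."""
    partner = POLICY.get(login)
    if partner is None:
        return "unknown login"
    tokens = command_line.split()
    if not tokens:
        return "empty command"
    if tokens[0] not in partner.commands:
        return f"{tokens[0]} is not permitted for {login}"
    return None


def screen(requests: List[Tuple[str, str, str]]) -> List[Tuple[bool, str]]:
    """Apply both checks to (login, claimed_site, command_line) triples.
    Returns one (accepted, detail) pair per request, in input order."""
    results = []
    for login, site, cmd in requests:
        reason = check_site(login, site) or check_command(login, cmd)
        results.append((reason is None, reason or f"{site}: {cmd}"))
    return results


# Constructed sample sessions, including the "hi, I am site ihnp4" case above.
SAMPLE_REQUESTS = [
    ("Uihnp4",  "ihnp4",  "rnews"),     # genuine partner, permitted command
    ("uucp",    "ihnp4",  "rnews"),     # anyone claiming ihnp4 over the general login
    ("Ucbosgd", "ihnp4",  "rnews"),     # cbosgd's login claiming another site
    ("Ucbosgd", "cbosgd", "rmail"),     # right site, command not on its list
    ("Ucbosgd", "cbosgd", "rnews -p"),  # right site, permitted command with an argument
]

if __name__ == "__main__":
    for (login, site, cmd), (ok, detail) in zip(SAMPLE_REQUESTS, screen(SAMPLE_REQUESTS)):
        print(f"{'ACCEPT' if ok else 'REFUSE'} {login:8} {detail}")
```

Running the block refuses the second sample outright: once the caller is on a general login, nothing it says about its site name can be checked, which is exactly why the per-partner login has to come first and the command list second.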
