The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 5 Issue 79

Sunday, 20 December 1987

Contents

o Re: Lehigh Virus
James Ford
o IBM Xmas Prank
Fred Baube
o National security clearinghouse
Alan Silverstein
o Financial brokers are buying Suns...
John Gilmore
o Toronto Stock Exchange Automation?
Hugh Miller
o Who Sues?
Marcus J. Ranum
o The Fable of the Computer that Made Something
Geraint Jones
o Re: Litigation over an expert system
Rich Richardson
o Tulsa; Bugs
Haynes
o More ATM information
George Bray
o Truncation
Alex Heatley
o Info on RISKS (comp.risks)

Re: Lehigh Virus (RISKS-5.72)

"James Ford (Phantom)" <JFORD1%UA1VM.BITNET@CUNYVM.CUNY.EDU>
Fri, 18 Dec 87 15:16:33 CST
I've been reading about the PC virus that invaded Lehigh Univ.  There is
public domain software (2 that I know of now) that will detect potential
"trojans" and/or "bombs".  These programs are:

1.  CHK4BOMB (check 4 bomb) - This program is used on suspected trojans.
The program will read and print the ASCII code.  After that, it'll start
reading the machine code.  If the file writes to absolute sectors, CHK4BOMB
will respond with "WARNING! THIS PROGRAM WRITES TO ABSOLUTE SECTORS! THERE
IS A CHANCE THAT DATA COULD BE LOST....etc"

2.  BOMBSQAD - This program is a memory resident program that will allow you
to intercept READ, WRITE and VERIFY (in any combination) to your hard/floppy
disks.  It allow you to abort the suspected command by returning a timeout
error (I think) to DOS, which gives you a ABORT, RETRY, IGNORE........

While I can't state that it will detect ALL trojans, these "binary condoms"
have detected the COMMAND.COM virus at LeHigh Univ.

Since the programs are public domain, I will gladly send them to you if you
request them.  If sent, the files will uploaded WITHOUT converting to EBCDIC.

James Ford, The Phantom, JFORD1@UA1VM.BITNET


IBM Xmas Prank

Fred Baube <fbaube@note.nsf.gov>
Fri, 18 Dec 87 10:03:57 -0500
From Friday's Washington Post, excerpted without permission.

"The message popped onto desktop screens in IBM offices around
the country and even crossed the Atlantic and Pacific oceans,
showing up in IBM outposts in West Germany, Italy and Japan."

[as pictured                X
 in the article]           X X
                          X X X
                         X X X X
                        X X X X X
                       X X X X X X
                      X X X X X X X
                            X
                            X
                            X

A very happy Christmas and my best wishes for the next year.
             Let this run and enjoy yourself.
Browsing this file is no fun at all.  Just type Christmas.
________

"The message that bedeviled IBM was a comparatively benevolent
one and did not, as computer tricksters' creations sometimes do,
destroy other material in the system .. [although] rapidly
producing electronic gridlock."

"The culprit is unknown .. but preliminary investigation suggests
that the message originated outside the company.  IBM's mail
system is attached to those of several other institutions."

"From start to finish, the message survived only hours .."

"Does the world's biggest and most advanced computer company feel
embarassed about its Christmas chain ?  'We didn't want it to
happen, but we anticipated something like this might be attempted
and we were prepared to deal with it.'"

Questions:
(1) An incoming message can contain an executable program,
    that can easily be run ?
(2) Such a message can be remailed under its contained program's
    control, presumably with the name of the last victim in the
    "From:" field ?
(3) Can IBM trace it to an originator, or was anonymity possible ?
(4) How/where can readers of RISKS submit something similar ?
    (strictly for professional testing purposes)
(5) Is the Internet similarly vulnerable ?

The prank seems to be benign, and therefore beneficial.
IBM seems to have dealt with it effectively (or have they ?).

Browsing this message is no fun at all.  Just type Christmas ..

          [Bay Area folks can read a long front-page article by John 
          Markoff on viruses in today's SF Chronicle-Examiner.  PGN]


national security clearinghouse

Alan Silverstein <hpfcdt!ajs@hplabs.HP.COM>
Fri, 18 Dec 87 14:27:32 mst
> Andy Freeman, Security failures..., RISKS-5.77
> A clearinghouse, repository, library, or whatever name one wants to give
> to such a function should be set up so that those of us who are trying
> to build defenses can have subjects to study.

This falls right in the charter of the National Computer Security Center
(NCSC), a federal agency.  They are also the folks who evaluate Trusted
Computer Systems by the Evaluation Criteria (Orange Book).  Their services
are "free" (tax-supported).
                                          Alan Silverstein, Hewlett-Packard

   [We have noted this here before, but it seems worth reminding new
   readers that all sorts of systems have been evaluated.  PGN]


Financial brokers are buying Suns...

John Gilmore <hoptoad.UUCP!gnu@cgl.ucsf.edu>
Sat, 19 Dec 87 04:26:22 PST
>    In hindsight, it seems that computers on Wall Street created an  
>    appetite they ultimately couldn't satisfy.  Following the classic 
>    addicts' pattern, each time investors got more powerful computers,  
>    they developed investment techniques that needed even more powerful 
>    computers....

By the way, one of the hottest new markets for Suns (and possibly other
workstations) is in financial trading.  A bunch of companies are doing
software that lets a broker monitor a bunch more stuff, get plots of
stock trends, etc, on their bitmapped Sun screen.  Just being able to
display N things at once in N windows will help a lot.

Today's common "quotron" terminals seem to just be dumb terminals.
Well-designed support software on Suns should be able to aid brokers,
the same way it has helped me to get more programming done in the
same amount of time, and with higher quality.

   [Wait until people figure out the nice network security 
   flaws/features in such an environment.  That will give a new 
   meaning to INSIDER TRADING, using INSIDER COMPUTER FRAUD.  PGN]


Toronto Stock Exchange Automation?

Hugh Miller <HUGH%UTORONTO.BITNET@CUNYVM.CUNY.EDU>
Sun, 20 Dec 87 14:21:03 EST
The following is excerpted without permission from "Computers-or-people
dispute flares at TSE" by Fred Lebolt, *Toronto Star*, Sa 19 Dec 87, p. B1:

    A dispute between floor traders and senior management at the Toronto Stock
  Exchange is brewing again, as the exchange studies whether computers or
  people should be at the center of stock market action.  After what one
  exchange official described as a "shooting match" between the two sides, the
  exchange has launched a new, $1.25 million study looking into computer-based
  trading compared with person-to-person stock market trades.
  "People's livelihoods are involved here, so tensions and anxieties are high,"
  the official said in an interview.[...]

  Newspaper photos and television clips of the stock exchange usually show the
  floor traders in action:  often wearing brightly colored jackets, they're the
  ones who yell buy and sell orders on the exchange floor.  At the heart of the
  action are the specially designated registered floor traders.  This group of
  more than 100 individuals will guarantee to buy or sell a certain number of
  shares so the public will always be able to trade in those securities, and
  will oversee trading to make sure there's a small spread between the buy and
  sell prices.  They have to keep tabs on all the trades in the stocks they
  follow.

    Computer-based trading, by contrast, involves putting orders through by
  machine, with the buy and sell prices displayed on video terminals.  The
  people behind the machines are also traders, but the deals are struck by
  computer keystrokes, rather than in person.[...]

    The controversy over computerized trading has been simmering for some time,
  but erupted a year ago after the exchange's board of governors approved a
  plan to switch two large stock issues from the trading floor to the
  TSE-developed Computer Assisted Trading System, known as CATS.  CATS was
  originally introduced to handle trades in less active stocks, while major
  share issues remained in the hands of floor traders.  The computerized system
  now handles almost half of the total listings on the exchange.  But the news
  that two large stock issues were going over to CATS hit like a bombshell.
  Traders banded together into a Professional Traders Association to voice
  their concerns.

    What emerged was a compromise deal, in which an experimental trading area
  was set up using both floor traders and computer technology.  But the
  controversy stirred up again in June, when the exchange startedpushing for a
  rapid expansion of the experimental trading posts throughout the floor.  Many
  traders argued that the move was premature, and sought a postponement in the
  expansion, which they won.

    The July report [prepared for the exchange found advantages in the
  computer-based trading system and] reopened the controversy.  [A second
  report, issued in September and prepared for Gordon Capital Corp., disputed
  much of the first report's findings.  A subsequent letter sent to Toronto
  Stock Exchange members by Gordon Capitol president Donald Bainbridge said
  conclusions from the July report "were a real shock to the many experienced
  traders" who reviewed it.]

    The latest study now under way involves management, traders, and other
  groups. It is looking into a variety of key issues about future directions
  for trading and the over-all market environment.[...]  When asked
  specifically if he believes there will be still be person-to-person trades on
  the exchange floor five years from now, [exchange vice-president Terry]
  Popowich [,who has management responsibility for floor trading,] replied, "I
  don't know.  "I also don't know if there's going to be completely automated
  trading."

This is the first indication I have seen that a stock exchange is considering
abandoning open outcry entirely in favour of completely on-line trading.

Previous contributions to this list have emphasized the limited role
computers play in performing or influencing actual trading.  It has been
pointed out that they are most often utilized in margin trading, and in
portfolio insurance (where, it has been hypothesized, they can contribute
most to market instability during large fluctuations in share prices).

There is in this story little indication that human beings will not be at the
keyboards of the new, totally on-line TSE. But the tendency in recent times has
definitely been to replace human judgment with machine judgment, on the grounds
that the latter is much faster and therefore able to take advantage of
favorable buy/sell conditions much sooner than humans, with correspondingly
greater earnings for the brokerages.

Given this tendency, are we on the way to the introduction of computer trading
programs to handle trading in *ALL* stock issues? And to handle the functions
previously reserved for the registered floor traders, as overseers and monitors
of price spreads?  And how will we insure that such enormously complex systems
will not synergetically go plooey when pushed to their volume or price limits?

Hugh Miller, Department of Philosophy, University of Toronto, Toronto, 
Ontario., CAN M5S 1A1 (416)536-4441 


<ucbcad!ames.UUCP!uunet.UU.NET!mimsy!jhu!osiris!mjr@ucbvax.Berkeley.EDU>
Sat, 19 Dec 87 12:35:20 EST
      (Marcus J. Ranum)
To: KL.SRI.COM!RISKS@uunet.uu.net
Subject: Who Sues?  (Re: RISKS DIGEST 5.75)

    It would be nice to think that the current trend towards suing 
anyone and everything in the near vicinity of a mistake does not indicate
that Americans are not losing track of the basic principles of causality !!

    Can't anyone take credit for their own mistakes anymore ? If someone
wishes to place their trust in an ES, and it turns out to be misplaced, I'd
look at "assigning the blame" as follows:

Person who did not exercise common sense:   99.5%
Programmer who marketted malfun software:   00.4%
Assembly of chips and magnetic oxide:       00.1%

    Until it is a fact of reality that expert systems are KNOWN to be
reliable, then a person is unreasonable in trying to sue the producer of a
product that common sense would indicate as potentially unreliable.

    I understand that these views have no weight against current "law"
and "legal" decisions. On the other hand, our legal system is becoming less
and less a system of justice and common sense, and more and more a
self-feeding system of self-reproducing rules...

    It concerns me that nobody can stand up anymore and say "wow, I
goofed" or "I should have used my own !@#!@#!@# brain instead of flipping
a coin" when something goes wrong and they are associated with it. I can
see a case where an airplane crashes because of poor service as the fault
of the airline. There must, however, be a provision for acts of god, or a 
simple admission of stupidity. 

    An elderly woman recently won a lawsuit against a soda bottler because
her eye was hurt when a cap hit it. She was taking the cap off the bottle with
pliers, and the pliers slipped. Essentially, the "law" and the "lawyers" are
saying that it is permissible (even rewarded) to be stupid.
                                                                --mjr();


The Fable of the Computer that Made Something

Geraint Jones <geraint%prg.oxford.ac.uk@NSS.Cs.Ucl.AC.UK>
Sat, 19 Dec 87 14:21:15 GMT
It has happened  before,  but is worth  documenting  that almost  all the media
here reported the last year's erroneous calculations  of the Retail Price Index
as a computer  error.  It was the BBC's flagship evening radio news bulletin on
Friday that I heard report that ``a computer made a mistake''.  As far as I can
see,  this  time  it was not even the case that `the computer'  was incorrectly
instructed;  rather it was decided to perform  an (almost)  entirely  unrelated
calculation,  and it just so happened that a computer was used to do the adding
up. Using a computer means never having to say sorry.                        gj


Re: Litigation over an expert system

Rich <RMRichardson.PA@Xerox.COM>
18 Dec 87 21:18:46 PST (Friday)
> In Risks digest 5.71, chapman@russell.stanford.edu (Gary Chapman) 
> mentions a "goofy" California law that provides for a defendant who
> is only 1% responsible to pay 1% of the judgement.  Although this 
> law may be goofy, it is a major improvement over previous versions. ...

I think the new law applies to "punitive damages" and real damages (actual
loss) may still be taken from any of the "deep pocket" defendants.  Am I wrong?

Rich


Tulsa; Bugs (Re: RISKS-5.78)

99700000 <haynes@ucscc.UCSC.EDU>
Sat, 19 Dec 87 00:07:53 PST
1) RE the Tulsa event of criminals sawing up telephone boxes.  Here in Santa
Cruz a few weeks ago transients living under a bridge built a fire to keep
warm - right on top of a nest of conduits carrying telephone cables!

2) RE "Bug" - I remember vaguely reading some boys' book of the 1920s
(something like Tom Swift) in which one of the characters is working on his
invention and says he just has to get a few bugs out before it will work right.

haynes@ucscc.bitnet, ...ucbvax!ucscc!haynes, ...


More ATM information

George Bray <lcc.ghb@SEAS.UCLA.EDU>
Thu, 17 Dec 87 19:33:54 PST
We have discussed several issues of ATMs recently, and I want to add
a few more nuggets:

1.  Recently, a contributor mentioned that their bank claimed that
    "the ATM cuts the card if there is something wrong with it."
    I have experience with ATMs made by IBM, Docutel and Diebold
    (and various Diebold emulators) and none of them cut the card
    when capturing it.  It is simply stacked inside the machine.

    Typically, bank tellers do cut the cards up after removing
    them from the machine, but that is done by a person, not by
    the ATM.

2.  Another contributor mentioned that banks don't wish to discuss
    their systems, even when they implement standards that are publicly
    available.  This is quite true in my experience.  The manufacturers
    of bank hardware and the banks themselves depend mostly upon
    ignorance for protection.

3.  Most bank transaction security is aimed at preventing losses to
    the bank, not to the cardholder.  In fact, ATM security isn't
    seen as a big problem, because even with a stolen card, the most
    a burglar could get away with is a few hundred dollars at a time.
    (Again, tough on the poor customer, but it is cheap for the bank
    to eat the loss if the customer complains).

    In fact, the prevailing attitude is that the major threat to
    ATMs is physical: since there is about $40,000 in a fully-loaded
    ATM, but it will only dispense a maximum of a few dozen bills at
    a time, the easiest way to get money out is to blow the front
    off the ATM, or attack it with a car, etc.

4.  As an aside, it is interesting that in many cases bank regulations
    have not caught up with the concept of ATMs.  In California at
    least, the banking laws stipulate that any location that accepts
    deposits for a bank must be a branch of that bank.  This means 
    that ATMs owned by a different bank can't be used for deposits,
    even if the data processing and money handling for the two banks
    are run by the same data processing provider.

    This regulation becomes onerous when combined with the definition
    of a transfer: "a withdrawal from one account followed by a deposit
    to another account".  This means that one is not allowed by law to
    press a button on an ATM commanding a computer to transfer funds
    between two accounts which consist of bits on a disk drive
    connected to that computer.  
                                                  George Bray


Truncation (Doug Mosher, Re: RISKS-5.69)

Alex Heatley <alex@comp.vuw.ac.nz>
Tue, 8 Dec 87 15:24:43 +1300
>  It is ALWAYS BAD PRACTICE to truncate anything without notice.
>
>Many examples over the years occur to me; here's a small partial list.

Regarding VM/CMS (IBM Mainframe OS) here's a nasty one that has caught me
twice. When you change your password you are allowed to enter one that is
longer than 8 characters. However, upon logging in, your password is
truncated to 8 characters. The OS goes away and compares the entered
password with the one in the file (passwords are kept in clear in a special
file that only the SYSADMIN is supposed to be able to access -- ha!)  aha!
it says these are not equivalent and refuses to let you log in.

Now you know that you typed in the right password so you try again but, after
five attempts the OS will lock you out of the terminal. So you walk away in
confusion. If the terminal is in a public place, eventually, another user
will try to use the terminal -- and will receive the error message that they
can't login -- yes that's right the OS locks the terminal from being used
until either the SYSADMIN resets it or n (SYSADMIN defined) hours have elapsed.

Aren't IBM OS's fun!!!

Alex Heatley : CSC, Victoria University of Wellington, New Zealand.
Domain: alex@comp.vuw.ac.nz                Path: ...!uunet!vuwcomp!alex

Please report problems with the web pages to the maintainer

Top