The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 41

Wednesday 31 August 1988

Contents

o The Marconi Deaths
Brian Randell
o $300,000 Automatic Teller Theft (Sort Of)
Henry Cox
o Car engines become target for hackers
Jeffrey Mogul
o Blinker failure in 87 Ford Mustang
Tim Thomas
o Risks of locking systems
Andrew Birner
o Electronic 1040s
Rodney Hoffman
o Water seepage stops Computer controlled monorail
George Michaelson
o Re: Fewer Charges Now Require a Signature
David Sherman
o Continental Bank Drops Retail Accounts
Patrick A. Townson
o Info on RISKS (comp.risks)

The Marconi Deaths

Brian Randell <Brian_Randell%newcastle.ac.uk@NSS.Cs.Ucl.AC.UK>
Wed, 31 Aug 88 10:57:28 WET DST
Last week a further Marconi employeee died in somewhat mysterious
circumstances.  I did not see any original press reports, but only the attached
editorial from the Independent. The Independent is not a sensationalist
tabloid, but rather a highly respected and respectable national newspaper here,
so the fact that it chose to devote its leading editorial to the Marconi issue
is of some note. The result provides what I would regard as a balanced summary
and commentary, which I therefore thought was worthy of passing onto the RISKS
readership, given the previous coverage of these matters in RISKS.

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne

    [For those of you wishing to comment on the relevance of this topic,
    the plausibility of conspiracy theories, the credibility of the 
    debunkers, etc., please first dig up the back issues on this topic, namely
    RISKS-4.74, 81, 83.  And let's keep the speculation down on this one.  On
    the other hand, if there is any DEFINITIVE knowledge, let's hear it. PGN]


DEATHS WHICH MUST BE INVESTIGATED

The Independent, Friday 26 August 1988

(Reprinted in full, without permission)

  The police said it was suicide, and no doubt they were right. Ex-Brigadier
Peter Ferry, a marketing manager at Marconi's Command and Control Systems
centre at Frimley, Surrey, had apparently killed himself by inserting mains
electric wires into his mouth and then turning on the power. The method chosen
was perhaps marginally more grisly than in the case of several other Marconi
employees. In 1986, for example, Ashad Sharif, a computer analyst who worked
for Marconi Defence Systems in Stanmore, Middlesex, tied one end of a rope
around his neck, another to a tree, and put his car into gear. Two months
earlier, the body of Vimal Dajibhai, a software engineer responsible for
checking the guidance systems of Tigerfish torpedos for Marconi Underwater
Systems, was found under Clifton suspension bridge at Bristol. In March 1987,
David Sands, a project manager working on secret satellite radar at Marconi's
sister company Easams, in Camberley, drove up a slip road on his way to work
and into a cafe at an estimated 80mph. A year later Trevor Knight, a computer
engineer at Marconi's space and defence base in Stanmore, died in his
fume-filled car at his home in Hertfordshire. Earlier, two other Marconi
employees, Victor Moore, a design engineer, and Roger Hill, a draughtsman, had
killed themselves, both seemingly
 as a result of work pressures.

  There have been at least half a dozen more untoward deaths among defence
scientists and others working in the defence field. Marconi is not alone, but
it is well in the lead. The best efforts of investigative journalists have
failed to establish a link either between the various deaths or between the
deaths of the Marconi staff and the Ministry of Defence inquiry, now two years
old, into some (pounds)3bn worth of defence contracts awarded to GEC-Marconi.
No doubt in several instances pressure of work was the main factor: in a field
where millions of pounds hang on the securing of contracts, it can be intense,
especially if the Ministry of Defence investigators are hovering, as they had
been at Frimley, Brigadier Ferry's base. It is hard to believe, however, that
other factors have not also been at work. The pressure of work is also fierce
in the money markets of the City, where equally large sums are at stake. Yet
the suicide rate remains unremarkable.

  Mr Ferry's death on Tuesday must add to the concern already aroused by the
alarming sequence of deaths in the defence industry. He had apparently been
depressed since his car collided with a lorry a month ago; but suicide seems an
extreme reaction. In such instances where no foul play is suspected, the
inquiries of both police and coroners are likely to be brief, partly for the
sake of the distressed relatives. They will not be concerned with establishing
a connection with comparable deaths in different counties. Since these cases
have been spread wide, there is now a case for pulling the threads together. It
may be that there is no conspiracy and no concerted skullduggery. But these
have been talented men. To allay anxieties, a senior police officer should be
appointed to head a coordinated investigation into the underlying causes of so
high a death rate.


$300,000 Automatic Teller Theft (Sort Of)

Henry Cox <cox%spock.ee.mcgill.ca@Larry.McRCIM.McGill.EDU>
Wed, 31 Aug 88 14:30:32 edt
THEFTS FORM AUTOMATIC TELLERS WON'T HURT CLIENTS: DESGARDINS
(From the Montreal Gazette, Monday 29 August, 1988)

Desjardins credit union customers are being told not to worry about the theft
this year of $300,000 from automatic tellers. [ What, me worry? ]

Bruno Morin, Desjardins senior vice-president in charge of administration, said
the money disappeared from three locations between February and June.  Morin
assured automatic teller customers that their transactions won't be affected by
the unsolved crime, believed to be "an inside job".  The amounts stolen are
guaranteed by insurers.  He added that some changes have been implemented which
should avoid any similar thefts.  Morin dismissed reports that the $300,000 was
stolen by thieves who tampered with the credit union's computer information
system.  "The computer had nothing to do with it.  People got in and stole the
reserves.  It's pure and simple."

What isn't so simple is finding out who took the money.  We know exactly the
hour and minute the money was stolen and where it was stolen from - just not
who did it,", he added.  Although Morin wouldn't divulge which automatic
tellers were hit, he didsay non was on the island of Montreal.  One was in
Longueuil [ a suburb on the South Shore ], he said.

Francois Aubin, a public affairs vice-president of Desjardins, said the money
appears to have been taken when the machines were being loaded.  The automatic
tellers are supplied by money by Desjardins employees as well as Secur, an
affiliated security company.


Car engines become target for hackers (RISKS-7.39)

Jeffrey Mogul <mogul@decwrl.dec.com>
26 Aug 1988 1313-PDT (Friday)
In RISKS-7.40, Jerry Saltzer worries that if auto repair places must
verify the microcode in a car computer, that there will be problems
with out-of-date service information; a service agency that hadn't yet
received (or had already discarded) the microcode for YOUR car might
challenge your warranty.

This seems like an obvious application of digital signatures:  dedicate
some portion of the ROM to a value derived from an encryption of the
rest of the ROM (plus some standard validation pattern).  ROM hackers
without the encryption key could not generate a valid ROM signature.

Key security is clearly problematic; it would be greatly simplified if
a public-key system is used, so that rather than requiring key security
at ever repair shop, the key need be known only when the ROM code is
compiled at the manufacturer.  Since it doesn't matter how long the crypto
function takes to compute, any sound public-key system could be used
(perhaps avoiding large license fees).

10 years ago, Jerry wrote an article for Operating Systems Review pointing out
some problems with digital signatures; but since nobody is going to try to
disclaim one of these ROM signatures, the problems he raised then do not apply
here.
                                       -Jeff


Blinker failure in 87 Ford Mustang

<thomas@xenurus.gould.com>
Wed, 31 Aug 88 17:59:09 CDT
Reading the discussion of car acceleration problems in RISKS has prompted me to
write of a personal experience I have had with my 1987 Ford Mustang.  I was on
a trip to Kentucky about 6 months ago, and while in one of the towns had an
interesting problem.  I suddenly noticed that, although I was using the turn
signal arm appropriately for all of my actions, the turn signals did not seem
to be activated on the dashboard.  I quickly turned down a side street, put the
car in park (but didn't turn the engine off), and had a friend of mine who was
with me get out and check the turn signals.  Sure enough, they were *not* being
activated!

Being of the experimental sort, I then proceeded to put on the emergency
flashers, which worked correctly.  I shut them off and once again tried the
turn signals.  Low and behold (you guessed it), the turn signals worked fine!
What went through my mind at that point was, what if I had been in an accident
and someone accused me of not properly signaling?  What could I say in my
defense?  Would anyone believe me?

I did not report this to the dealership since I considered it an intermittent
computer problem that they would probably *never* find.  Also, the problem has
never reoccurred (to my knowledge).  The problem may not be computer related,
but it sure sounds like it is!

Tim Thomas, Gould CSD Urbana, Urbana, IL 61801  
   (217) 384-8718    uucp: ihnp4!uiucuxc!ccvaxa!thomas


Risks of locking systems

Andrew Birner <Andrew-Birner%ZENITH.CP6%LADC@BCO-MULTICS.ARPA>
Sat, 27 Aug 88 12:37 PDT
 In Risks 7.37, Leonard N. Foner (foner@wheaties.ai.mit.edu) writes:

>  Whatever happened to good, old-fashioned mechanical locks?

Not even a simple mechanical lock can protect you when the locking system
is poorly designed.  The scheme installed in our computer room a few years
back illustrates this:
 The computer room is acessible from two sides.  On one side is a simple
double door (for bringing in supplies, etc.), secured with a basic jimmy-
proof cylinder lock.  Maintenance has a key to this, so that they can get
in to check the air conditioning filters and water lines.  On the other
side, we installed a vestibule with output bins, to protect our operators
from chatty users.
 The door from the vestibule to the computer room has a mechanical combination
lock; you punch in some numbers and turn the knob, and the door (usually)
opens.  From inside the computer room, the door is opened by simply turning
a crank.  Clearly, if you don't know the combination, you can get from the
computer room to the vestibule, but not back in again.
 After we installed the vestibule, we replaced the old door to the corridor.
We changed the direction of swing, and also got rid of the door knob, so
that users could just push it open.  Of course, we still wanted to lock the
vestibule during off hours, so we asked maintenance to install a deadbolt,
which they cheerfully did.  This deadbolt was actuated by a key on the
outside (corridor side), and had NO ACTUATOR AT ALL on the vestibule side!
 This arrangement made it perfectly possible for someone to get trapped
in the vestibule, with NO WAY OUT!  I complained of this, but nothing
came of it; maintenance apparently decided the probability was low enough
that they needn't worry.  I doubt the fire inspector would have been
impressed, but this didn't seem to bother anyone.
 About a year after this was installed, a maintenance engineer entered the
room via the back entrance, to clean the AC water filters.  After filling
a bucket with water, he decided to go out the front way, since it was
closer to where he wanted to dump this water.  He went into the vestibule,
letting the door latch behind him, and tried to open the corridor door--which
was, of course, locked!  Naturally, he didn't know the combination (why should
he?  He had a key, after all...), so he was quite effectively trapped.
 Since he didn't feel like waiting until the watchman came by, our hero kicked
his way out through our output bins, doing a fair amount of damage.  There is
now an actuator for the deadbolt on the inside of the vestibule...
                                                                 Andrew Birner


Electronic 1040s

Rodney Hoffman <Hoffman.es@Xerox.COM>
31 Aug 88 12:24:39 PDT (Wednesday)
From the August 31, 1988 'Wall Street Journal':

   Electronic filing [of tax returns] advanced despite computer software
   snags, says the General Accounting Office.  Such filing of computer-
   ready returns by preparers speeds processing and refunds and slashes
   errors.  The IRS plans to expand it to 48 districts in 1989 and to all
   63 in 1990; volume could reach 35 million returns in 1993.  Congress's
   General Accounting Office reports that IRS successes in handling about
   580,000 such returns from 16 districts this year came despite glitches
   that prompted the IRS to make many software corrections without the
   required testing of effects.

   As a result, the IRS is waiting for final corrections before going back
   to make permanent electronic records of the returns.  Now it is
   examining ways to eliminate the need to submit signatures and W-2 tax-
   withholding forms separately on paper.  And it will work to recruit
   smaller return preparers for 1989; this year, H&R Block offices filed
   82% of all the electronic returns....

   The IRS's Greensboro district, covering North Carolina, this year 
   produced 123,386 electronic returns -- over 21% of all such filings.
   The Dallas district ranked second with 70,832 returns, or over 12%.


water seepage stops Computer controlled monorail

George Michaelson <munnari!ditmela.oz.au!G.Michaelson@uunet.UU.NET>
Thu, 01 Sep 88 10:29:15 +1000
Details in "COMPUTING australia" of Aug 29

Water seepage into Sydney's new monorail PLC (Programmable Logic Controller)
halted the system. the GEC-Digital 140 PLC which is located in the nose of the
train has been tested with an HP analyser to try and simulate the fault.

The monorail is highly automated.  One breakdown had dozens of passengers stuck
in a sealed environment for over 2 hours, with complaints about heat & lack of
fresh air.  Many people resent the monorail as a pointless and expensive
intrusion into the city, but there have also been fears voiced about the safety
of automated systems like this.


Re: Fewer Charges Now Require a Signature

attcan!lsuc!dave@uunet.UU.NET <David Sherman>
Sun, 28 Aug 88 23:09:58 EDT
Petro-Canada, the government-owned oil company that competes on the market here
with the rest of the biggies, switched to a "no signature" system a few months
ago.  You get your card back along with what looks like a normal cash-register
receipt.  It has a line for signing on it, but you only get one copy and the
attendant tells you that's all there is.

The first time this happened to me, I did a doubletake, thought a second and
decided that if they didn't WANT my signature, I wasn't going to complain.  A
couple of months later an article in the Toronto Star noted that Petro-Canada
will change this policy, due to customer complaints (people somehow think that
not signing a credit card slip makes them more liable to false charges).  Last
time I was at a Petro-Canada, they were still doing it, though.


Continental Bank Drops Retail Accounts

<sun!portal!cup.portal.com!Patrick_A_Townson@unix.SRI.COM>
Sun Aug 28 11:06:22 1988
           [PATRICK: Sorry, mail to you fails, thus no earlier responses.  PGN]

On August 15, 1988, Continental Illinois National Bank of Chicago discontinued
retail banking operations. All retail checking and savings accounts on that
day were transferred intact to the First National Bank of Chicago.

Most readers will recall that during 1984, Continental went belly-up. Unlike
many other banks which have collapsed, Continental was given a huge infusion
of money by the feds and kept afloat. Over the three years which followed,
Continental again squandered alot of its money, leading the feds to demand
some radical changes in one of the largest banks in the world, and the largest
bank in Chicago.

One of these changes was to get rid of all non-profitable banking business,
which was defined to include retail accounts, or the accounts of little folks
like you and I. Many of us with Continental accounts in the dark days of 1984
stuck it out without batting an eye. This time around, we were given no choice
in the matter of our bank loyalties.

The switch to First National Bank was announced several months ago. The
change became effective on Monday, August 15. *No action of any sort was
required of customers.*  We did not have to do a thing. Beginning about
August 5, FNB began mailing out new ATM cards and PINS. Several days
later, they began mailing out new checks. About 40,000 customers of
Continental were involved, so there were some errors in getting the new
checks and ATM cards out to the proper address, but these are now largely
resolved.

We were told to begin using our new checks from FNB on Friday, August 12,
under the assumption these checks would not reach clearing until at least
August 15. We had to discontinue the use of the Continental ATM cards on
Friday, August 12 at 2:00 PM, and were allowed to begin using the cards from
FNB as of Monday, August 15 at 8:00 AM. Our only real inconvenience was the
inability to use Cash Station machines over that weekend. Continental will
continue to manually clear checks written before August 15 which come through
for the next two months. They will be forwarded to FNB to be charged on our
accounts. Continental issued a final statement on August 15, and waived the
usual service charges for the final month. For about ninety percent of the
old Continental customers, they will have the same closing date on their
statements from First National Bank.

As an added courtesy, FNB *will not have service charges of any kind* on these
accounts transferred from Continental for one year, until 9-89. The first
batch of 300 checks on the new account are free. There will be no ATM fees.
There will be no per-check or monthly fees. Since the accounts were not
considered 'new accounts' under federal regulations, the new supply of checks
for each customer began numbering at 1001 instead of 101 as on new accounts,
and the original date of opening was omitted from the face of the check.

FNB also took over the branch bank facility Continental had operated at 1150
North Clark Street on the corner of Division Street, and will continue to
operate it as a branch bank. Since both banks belong locally to the Cash
Station network, there is no difference in the location of ATM's in the
area. Continental belonged nationally to the PLUS network, and FNB is in
the CIRRUS network, so there will be some differences when travelling
outside the Chicago area, but these should be minimal.

On Monday, August 15, the teller lines at FNB were *much longer* than
usual, as large numbers of former Continental customers qued up to make
sure their money had actually been transferred without a hitch. Of course
those of us ATM devotees who wanted to check merely had to go to any
machine and inquire, to make sure everything was okay.

People who had not received their new check stock and ATM cards as of August
15 were issued temporary checks on the spot in the bank, and ATM cards were
printed on an embossing machine nearby. Perhaps several hundred out of the
40,000 customers transferred had failed to receive either their new checks,
their ATM card or their PIN by the cutover date, but overall, the transition
was quite smooth. Employees were stationed in the lobby at Continental for
about two weeks before and after the change, handing out information on the
transfer. One customer service representative will continue to be on duty
in the lobby of Continental for about another month.

Although I did have a fight with FNB about fifteen years ago which obliged
me to sue them (I won the matter!), I have decided I will try them again
for awhile, especially since the account is free of all charges for the
next year. I might add the checkstock is more attractive also. My new
account has a picture of the Chicago skyline on the check.

My pay-by-telephone account was also automatically switched over. We have
here in the Chicago area a system by which the utilities (gas, phone and
electric) can be paid through a simple phone call to a central computer, and
I was concerned at first if this would be changed also. It was, so far as
I know, with no hitches whatsoever.

The cash machines are responding a little differently though. Under the old
Continental account the machines would accept 'split deposits', that is, you
could deposit a check and take cash back from the deposit. Under the new
account with FNB -- even though its the same Cash Station network -- you
have to make two transactions: one to deposit the check, the other to
withdraw the desired cash. Likewise, under Continental, you could not get
your balance on line until about two months ago. FNB says they have always
offered that to their customers. At Continental, we could ask the machine
to give us the time, date, and nature of the last transaction; FNB says
they are unable to do this.  Etcetera...small minor differences, but overall
a very smooth conversion of accounts.

Continental's credit card portfolio was sold about a year ago to First
National, so VISA and MASTERCHARGE cards from that bank have already been
getting processed for several months by the FNB card center in Elgin, IL.
About 2000-3000 Continental customers decided not to make the switch, and
sought out new banking arrangements of their own during the summer.

Patrick Townson

Please report problems with the web pages to the maintainer