The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 37

Saturday 11 March 1989

Contents

o Computer blunders blamed for massive student loan losses
Rodney Hoffman
o Prisoner access to confidential drivers' records
Rodney Hoffman
o Ethics Question (Randall Neff) [Adobe
rman?
o Risk of congenial machinery
Robert Steven Glickstein
o Limitless ATM's
Geoff Kuenning
o Re: Faking internet mail
Stephen Wolff
o Virus detector goes wrong
Dave Horsfall
o Re: News from the KGB/Wily Hackers
Hans Huebner = `pengo'
o UK archive service [for European RISKS readers]
Dave Ferbrache
o Info on RISKS (comp.risks)

Computer blunders blamed for massive student loan losses

Rodney Hoffman <Hoffman.ElSegundo@Xerox.com>
10 Mar 89 14:48:43 PST (Friday)
Bank of America and possibly other major international banks stand to lose
as much as $650 million on bad student loans, due to computer problems at
United Education and Software. 

The 'Wall Street Journal' for Friday, March 10, provides the first hints of
details I've seen on the nature of the "computer blunders" which earlier
stories hinted at.  The article, by Charles F. McCoy and Richard B.
Schmitt, is headlined UNITED EDUCATION'S COMPUTER BLUNDERS FORM VORTEX OF
BIG STUDENT LOAN FIASCO.  Excerpts:

   Computers at United Education and Software, Inc. ... ran wild for at
   least eight months.  They rejected payments from overdue borrowers
   and addressed collection notices intended for New Yorkers to such
   places as "Radio City, N.Y.," among other gaffes.  United Education
   and its colossal computer mistakes are at the heart of what is
   emerging as one of the most tangled loan fiascos in years... 

   The U.S. Dept. of Education has refused to honor guarantees on certain
   federally backed student loans serviced by United Education.  That 
   raises the possibility that BankAmerica  or other banks that backed
   the loans with letters of credit will have to shoulder huge defaults.
   BankAmerica served as trustee on the loans...  [Other banks, including
   Citicorp and several Japanese banks, dispute how much of the liability
   might be theirs, saying BankAmerica is responsible.]

   United Education's beserk computer produced records that are so fouled
   up that nobody knows how much the losses eventually will be.

   United Education and Software, oringinally a trade-school operator, 
   began servicing student loans in 1983, and grew rapidly, developing 
   a portfolio of more than $1 billion in less than five years... The 
   computer problems apparently stemmed from United Education's switch 
   to a new system in October 1987.  According to officials familiar with 
   the problems, United Education's programmers introduced major software 
   errors and failed to properly debug the new system.

   Among the results, according to a Dept. of Education audit report:  
   United Education sent delinquency notices to students who were still 
   in school and thus weren't scheduled even to begin payments on the loans.
   It placed students who were supposed to have been granted deferments 
   into default.  It didn't inform many laggard borrowers that they were
   delinquent, while informing some current borrowers that they were.  The
   computers also apparently logged telephone calls that were never made 
   and didn't log calls that were.  United Education applied payments to
   interest when they were supposed to be applied to interest and principal...

   Aaron Cohen, president of United Education, called the depth of the 
   problems identified by the audit a "shock."  He said the company was
   aware of bugs in the new software that were causing accounting errors,
   but had no idea its loan servicing operation had run amok.  He thought
   any problems were routine.  "Software companies have problems all the
   time," he said...


Prisoner access to confidential drivers' records

Rodney Hoffman <Hoffman.ElSegundo@Xerox.com>
8 Mar 89 13:42:10 PST (Wednesday)
From a story by Leo Wolinsky in the 'Los Angeles Times' 5-March-89:

  If the [California Governor] Deukmejian Administration has its
  way, state prisoners soon will be put to work sorting through
  confidential motor vehicle records as part of the governor's plan
  to keep inmates working and save taxpayers money.

  But the program, which is set to begin July 1, is prompting con-
  cern among some lawmakers and other officials who worry that the
  records -- which include names, addresses and some financial
  information about California motorists -- might end up in the 
  hands of career criminals.

  "The concept boggles the mind," said Assemblyman Richard Katz,
  chairman of the Transportation Committee.  "They may be car thieves...
  They may have killed people or molested kids and now we're going to 
  give them access to home addresses of people along with [information
  on] loans that they have on their vehicles and what cars they drive.
  It seems like an open invitation for trouble."

  .... No one is sure what illicit uses, if any, inmates might make
  of the information.  But the Legislature's nonpartisan analyst
  charged in a report that procedures employed by the state "may not
  be adequate" to ensure the security of the documents.  "From our
  position, there is a fair amount that could be done even with this
  much information," said [one of the report authors]....

  [In an earlier, now cancelled mail sorting job,] some corrections 
  officers said they believe the inmates were searching for addresses 
  of prison officials .....

PS. It is not clear from the newspaper article whether the records involved
would be paper or on-line, so, strictly speaking, this may not involve any
computer-based system RISK.


Ethics Question

Randall Neff <neff@paradigm.STANFORD.EDU>
Fri, 10 Mar 89 17:28:55 PST
On Wednesday, March 8, Professor Michael A. Harrison, from the University of
California, Berkeley, made a presentation:  "VorTeX, a Multiple Representation
System" to the Stanford EE 380/CS 540 Computer System Colloquium.

As part of the VorTeX project, the group decided that they needed a graphical
display language, so they (re)implemented PostScript (trademark of Adobe 
Systems, Inc) on the Sun workstations.  Then they realized that they also
needed the fonts that are buried in the Apple LaserWriter.  They talked
to Adobe, but the money discussed was quite large (to Harrison) and he
objected to Adobe's attitude (quote "shove in your face").

So, the group wrote several clever pieces of software (PostScript program to
find the intersections of `scan' lines with the character boundaries, pump
results back to Suns, program to curve fit the coordinates, etc.), and
recreated the font information as Bezier cubic curves for use with their Sun
PostScript implementation.

According to the UC Berkeley lawyers, this is legal due to the current
copyright law, that digital encoding of fonts is not protected by copyright.
However, all Adobe sells is software and fonts; and the internal coding of
fonts is a trade secret.

THE ETHICS QUESTION ( I was really bothered by all of this ):

Is this ethically correct?   
Is it all right to acquire a company's product by clever coding?  
Is it reasonable behavior for a Famous CS department funded by California 
     taxpayers and NSF grants (it is certainly not research)?
Is there a reasonable way for an audience member to stand up and say:
    "For Shame, this is ethically reprehensible behavior and you're setting
     a bad example for students everywhere."

Randall Neff @ anna.stanford.edu


Limitless ATM's

<@sri-unix.UUCP, geoff@itcorp.com>
Sat, 4 Mar 89 03:31:21 -0500
Like many people, I've occasionally wanted to get a moderately large amount of
money out of an ATM, only to be foiled by a "daily limit" of some sort.  I
accepted this as a necessary evil for keeping thieves from completely cleaning
me out.

Recently, however, I had an experience that taught me a possible way around
these restrictions.  A credit card and the associated PIN were stolen from my
home, and the thief then used the card to withdraw $3900 in cash from ATM's.
Since the ATM's had a per-transaction limit of $300, the withdrawal was done in
13 separate transactions.  The interesting thing is that only two ATM's were
used for all of these operations! Further, the card only had a $3000 credit
limit, and about $600 was already in use.  I don't know the reason for the lack
of limits and restrictions, but I have begun to wonder just how much money I
could get away with if I systematically spent a few days taking all my credit
cards to ATM's and making withdrawals.

    Geoff Kuenning   geoff@ITcorp.com   uunet!desint!geoff


Risk of congenial machinery

Robert Steven Glickstein <bobg+@andrew.cmu.edu>
Wed, 8 Mar 89 18:05:20 -0500 (EST)
An observation that I made earlier today:

I entered a store in the neighborhood with an old-fashioned mechanical cash
register, complete with the little "I just made a sale" bell.  I purchased an
item and after the transaction was complete, the clerk thanked me and wished me
a good afternoon.  I returned the pleasantry.

Later on I was in a much larger store, complete with barcode readers and
electronic cash registers with dot-matrix LED displays.  As the clerk rang up
my purchase, the cash register told me "Thank You For Shopping At <Foo>" and my
receipt said "Have a Good Day".  Perhaps because the dreary task of being
pleasant to customers was now automated, the clerk felt no need to greet me,
address me, look at me, or in any way acknowledge me except to take my money
and shove some change into my hand.

Computers do a lot of jobs a lot better than people, but there are some tasks
that should be performed by no one but humans.

Bob Glickstein, Information Technology Center, CMU, Pittsburgh, PA


Re: Faking internet mail

Stephen Wolff <steve@note.nsf.gov>
Thu, 9 Mar 89 14:59:33 EST
From "Kevin S. McCurley" <mccurley@IBM.com> in RISKS DIGEST 8.29:

> I guess a lot of people know about faking Internet mail.  Since the
> National Science Foundation now accepts reviews of proposals via email, I
> wonder whether anybody there knows about this ?

Yes, we know.  We also accept *proposals* electronically, so we have to face
problems of privacy, too.

> It is rather farfetched to think that somebody would try to fake their
> reviews,...

Nope, not at all.

These concerns are handled informally at present, but tighter methods are
on the way.


Virus detector goes wrong

Dave Horsfall <dave@stcns3.stc.oz.au>
Wed, 8 Mar 89 12:45:17 est
Taken from "Computing Australia", Feb 27:

``Sneaky little non-virus

  Sun Microsystems has moved to reassure Australian TOPS users that US
  reports on a virus are false.  In a virus-paranoid environment, US pc
  users of TOPS/Mac Version 2.1 were running their disks through a virus
  detector before loading the software onto their computers.

  It was a precaution that went wrong.  The particular virus detector
  was Interferon and it falsely reported TOPS infected with a virus known
  as Sneak, said TOPS/Macintosh product manager Timothy Fredel.  

  Fredel said the resource structure of TOPS/Macintosh 2.1 happens to
  look like a Sneak virus to Interferon.  To be on the safe side, Fredel
  suggested users run Virex or VirusRx.''

So now one can't trust one's virus detector any more...  On a different
note, have there been any (confirmed) reports of a fake virus detector?

Ahhh, the perils of a standard Applications Binary Interface...


Re: News from the KGB/Wily Hackers

Hans Huebner <pengo@netcs.SMTP>
Fri, 10 Mar 89 18:09:25 MET DST
In RISKS 8.36, Klaus Brunnstein mentioned my name in the context of the
hacker/espionage case recently discovered by the german authorities.  Since Mr.
Brunnstein is not competent to speak about the background of the case, I'd like
to add some clarification to prevent misunderstandings, especially concerning
my role.  I think it is a very bad practice to just publish names of people
without giving background information.  Roy Omond did this once to a friend of
mine, who has been a hacker as well, and his reputation in the net community
has suffered from this publication quite a lot, even if he was doing a favour
to the community by developing bug fixes and posting them to the net.

I have been an active member of the net community for about two years now, and
I want to explicitely express that my network activities have in no way been
connected to any contacts to secret services, be it western or eastern ones.
On the other hand, it is a fact that when I was younger (I'm 20 years now),
there has been a circle of persons which tried to make deals with an eastern
secret service.  I have been involved in this, but I hope that I did the right
thing by giving the german authorities detailed information about my
involvement in the case in summer '88.  As long as the lawsuit on this case is
not finished, I will/may not give any detailed about it to the public.  As soon
as I have the freedom to speak freely about all this, I'll be trying to give a
detailed picture about the happenings to anyone who's interested.

For my person:  I define myself as a hacker.  I acquired most of my knowledge
by playing around with computers and operating systems, and yes, many of these
systems were private property of organisations that didn't even have the
slightest idea that I was using their machines.  I think, hackers - persons who
creatively handle technology and not just see computing as their job - do a
service for the computing community in general.  It has been pointed out by
other people that most of the 'interesting' modern computer concepts have been
developed or outlined by people which define themselves as 'hackers'.

When I started hacking foreign systems, I was 16 years old.  I was just
interested in computers, not in the data which has been kept on their disks.
As I was going to school at that time, I didn't even have the money to buy an
own computer.  Since CP/M (which was the most sophisticated OS I could use on
machines which I had legal access to) didn't turn me on anymore, I enjoyed the
lax security of the systems I had access to by using X.25 networks.  You might
point out that I should have been patient and wait until I could go to the
university and use their machines.  Some of you might understand that waiting
was just not the thing I was keen on in those days.  Computing had become an
addiction for me, and thus I kept hacking.  I hope this clears the question
'why'.  It was definitely NOT to get the russians any advantage over the USA,
nor to become rich and get a flight to the Bahamas as soon as possible.  The
finish of the court trial will reveal this again, but until then I want to keep
rumours out that the german hackers were just the long (??) arm of the KGB to
incriminate western computer security or defense power.  

It should also be pointed out that the Chaos Computer Club has in no way been
connected to this recent case, and again, that the CCC as an organization has
never been a 'hacker group'.  The CCC merely handles the press for hackers, and
tries to point out implications of computers and communications for society in
general.

For punishment:  I already lost my current job, since through the publications
of my name in the SPIEGEL magazine and in RISKS, our business partners are
getting anxious about me being involved in this case.  Several projects I was
about to realise in the near future have been cancelled, which forces me to
start again at the beginning in some way.
                                                    -Hans Huebner
pengo@tmpmbx, pengo@garp.mit.edu, huebner@db0tui6.bitnet


UK archive service [for European RISKS readers]

Server <infoadm@cs.heriot-watt.ac.uk>
9 Mar 89 11:50:28 GMT
For the information of the European (especially UK) readers of the group,
their is an archive of Comp.risks newgroup postings maintained on the
Heriot-Watt information server.

The archive server is email based, and will accept requests in the
form of an email message to <info-server@cs.hw.ac.uk>,with the text:

request: comp.risks
topic: v8.1

where topic can be either:

index       for an index of all available risks digests (currently only 
            v7.96 to date, I am hoping to extend this backwards to the
            time of the Internet worm).

v8.index    for an index of all available digests in a specific volume

v8.contents for a list of the contents of all digests in a specified volume
            (contents lists are extracted and appended as new digests are
            received and may thus be slightly disorganised)

v8.1        to send a specific issue (in this case digest 1 in volume 8)

any number of topics can follow the request. The server also archives
virus-l digests, and holds BSD unix fixes, security software and virus
disinfection software. For a general index of available materials, send a
message of the form:

request: index
topic: index

Dave Ferbrache                            Personal mail to:
Dept of computer science                  Internet <davidf@cs.hw.ac.uk>
Heriot-Watt University                    Janet    <davidf@uk.ac.hw.cs>
79 Grassmarket                            UUCP     ..!mcvax!hwcs!davidf 
Edinburgh,UK. EH1 2HJ                     Tel      (UK) 031-225-6465 ext 553

                                                                 [Thanks!  PGN]

Please report problems with the web pages to the maintainer

Top