The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 9 Issue 96

Tuesday 29 May 1990

Contents

o Roller Coaster Accident Blamed on Computer
Gary Wright
o ATMs robbed with no signs of tampering
Stephen W Thompson
o Bank deposits huge amount in account and blames owner!
Richard Muirden
o Risks in secure documents
David Fuller
o You Think YOU Have Trouble with Your Telephone Company?
Donald B. Wechsler
o Steve Jackson Games & A.B. 3280
Brian Sherwood
o Re: Secure UNIX Infected?
Steve Bellovin
Henry Spencer
o Dereferencing Tim Kay's address
David Kuder
o Info on RISKS (comp.risks)

Roller Coaster Accident Blamed on Computer

Gary Wright <wright@hsi.com>
Tue, 29 May 1990 18:01:46 EDT
ACE News is the official newsletter of The American Coaster Enthusiasts.  The
following article appeared in ACE News, Volume XII, Issue 6, May 1990:

Worlds of Fun _Timber_Wolf_ Incident Blamed on Computer

The 1990 season began inauspiciously for Worlds of Fun (Kansas City, MO) when
two trains on the one-year-old _Timber_Wolf_ (world class woodie) collided on
opening day.

No one was seriously hurt in the March 31 crash, but nine of the 28 passengers
sent to the hospital were admitted, one with a broken leg.  The ride was closed
immediately after the incident.

The accident occurred when the computerized control system allowed one train to
rear-end another on the first set of station brakes.

Beginning April 2, the $3-million wooden coaster was subjected to an exhaustive
investigation by Worlds of Fun, the Dinn Corporation (which built the coaster),
the engineering firm Burns & McDonnell, and TechnoMation, an electronic systems
integration design company.

Before _Timber_Wolf_ reopened to the public on April 27, the trains, structure,
track and braking and computer systems were all thoroughly inspected.  The ride
also went through an extensive series of test runs with park executives aboard.

_Timber_Wolf_ is currently running with only one train.  Two-train operation
will begin as soon as a new, co-processing computerized control system is
installed.  With four times as many sensors as the original system (many of
them redundant) and two computer controls instead of one, Worlds of Fun
officials are confident that a similar accident will not occur.

    [RISKS-4.91 (28 May 1987) and ACM SIGSOFT Software Engineering Notes
    12 3 (Jul 1987) relate a previous case of two roller coasters involved
    in a crash, in which electromagnetic radiation was suspected.  PGN]


Automatic Teller Machines robbed with no signs of tampering

"Stephen W Thompson" <thompson@a1.quaker.upenn.edu>
Tue, 29 May 90 09:17:01 -0400
_The Philadelphia Inquirer_, in a story from Monday, 21 May 1990 by Maureen
Graham and Mike Schurman headlined SHORE ATM TAPPED FOR $100,000 reported
that an automatic teller machine located in Trump Castle Casino Resort in
Atlantic City, NJ (and owned by National Westminster Bank) was missing
about $100,000 which was apparently taken the previous week.  The FBI was
reportedly on the case, and was considering embezzlement, inaccurate or
inadequate record keeping or theft by someone outside the bank.

There was no forced entry into the machine.  The article indirectly quoted
the bank's CEO L. Douglas O'Brien, reporting that "Bank officials said they
believed that the thief had access to the bank's security system."  The
funds were discovered during a weekly audit of the machines.  Two ATMs at
other casino hotels had amounts of $10,000 and $20,000 stolen.

Some of the nitty gritty details:

"According to O'Brien, the money is delivered by bank employees, as needed,
to the Trump Castle lobby MAC [Money Access Center] machine and placed in a
vault inside the machine.

"The money from the vault is then transferred to canisters inside the
machine by two employees -- from the bank or from a Philadelphia security
firm that services the bank on weekends and during non-banking hours.

"O'Brien said the $100,000 was determined to be missing from the vault
section of the MAC machine.

"To provide security, a dual-access system is used to service a MAC machine
-- each employee has access to only half the security information required
to enter the system.

"However, officials said they suspected one person bypassed the security
system.

"'It was a legal access.  It was not forced open.  The system was
compromised,' O'Brien said."

CoreState Financial Corp. operates the computer system for the machines.

****** End of article synopsis *****

In what may be a related development, I heard on the news this weekend of
ATMs in New York City that had money stolen, again with no signs of
tampering. There is no hard evidence that a computer RISK is involved in
any of these thefts; other security breaches are as likely.  The Inquirer
article doesn't make clear what the "security system" consists of --
computer system or not?  The tone of the article makes it sound as if the
reporters suspected a computer RISK, but I can't always trust reporters'
suspicions.

Steve Thompson, University of Pennsylvania, 215-898-4585 Standard Disclaimer


Bank deposits huge amount in account and blames owner!

Richard Muirden, A Star Trek Fan <s892024@minyos.xx.rmit.oz>
Mon, 28 May 90 13:58:27+1100
I thought this personal story might be of interest to RISKS readers:

In mid 1988 I had an interesting experience with my bank account - I had had
$87,889,984 (or some such random value in the $87 million range!) added to my
account!! On asking the bank concerned if they could fix the problem they
blamed me for "Keying in the amount at an ATM!" Of course I protested my
innocence - where would I get that sort of money from?! :-) Now I would have
thought that surely:

        a) The ATM software would check for such obvious erroneous
           data if I had in fact entered such an amount as a
           deposit. (ever heard of range checking?!)
        b) With such large sums of money would the computer not
           alert an operator to check to see that it was valid
           (considering that I do not hold a corporate account).

The problem was fixed after several weeks (!) and although rather amusing {and
if only I got the interest on that money :-( } to do an account balance and see
a nice amount for a change :-) but it still leaves me wondering just what
happened and why they should blame *me* for such an obvious computer error!
Maybe it was because I am a student! I wonder if this kind of error has
occurred to anyone else.

-Richard  Muirden                       s892024@minyos.xx.rmit.OZ.AU


Risks in secure documents

David Fuller <dafuller@sequent.UUCP>
Sun, 27 May 90 20:49:59 -0700
In response to your volume 9, Issue 94 observations regarding the security
of "secure" documents, I offer some comments:

1) The best defense is naivety.  Diamond brokers (at least used to)
   ship quantities of product via 1st class mail because it was
   reliable (in the States) and anonymous.

   Perhaps our most secure documents should be published in the Consumer
   Information Catalog (available free from Pueblo, CO).  Or perhaps they
   are; suitably encrypted to look like regular documents.

2) The congressional register, if it is difficult to analyse, possibly
   represents a chaotic system and models noise very well.  Political
   statements excluded.

On other topics...

Another interesting thing.  We had our building "fire alert" system go
off the other day, fortunately a minor problem, and as we were watching
the fire department do their thing (very well) a cohort asked about the
policy regarding shutting down the machines in an emergency.  I said that
(in so many words) I thought the idea was to preserve human (not machine)
lives.  My workmate responded that his previous job was with a company
whose policy was that machines must be safely shut down before humans
could respond to such an emergency and insure personal safety.

Whether winding thread, sewing shirts or making steel, the organization has
life greater than human's; still.
                                               Dave


You Think YOU Have Trouble with Your Telephone Company?

Wechsler, Donald B <m17434@mwvm.mitre.org>
Tuesday, 29 May 1990 10:14:36 EST
After entertaining many explanations for misrouted telephone calls, RISKS
should consider another possibility.  Last week, the Houston Post reported that
Ginger was in the dog house with the Arlington, Texas, police department.  The
Post continued:

     That's because the Lhasa apso twice managed to place
     911 emergency calls from an Arlington home.  At least,
     police can think of no other explanation for the calls.
     Police said they found the dog beside a telephone when
     they entered the place after receiving the second call.
     No one else was home.

     Ginger's owner, Jane Shumaker, said she hadn't
     programmed 911 into her telephone's automatic dialing
     system, and she finds it hard to believe her pet made
     the call.  But she added, "I'm beginning to think she's
     smarter than I thought.  Maybe she was lonesome."

Dare I mention it? It seems our phone system is going to the dogs.

                         [An Apso Facto case.  Don't terrier hair out.
                         The dog was doing a St. Gingervitus Dance. PGN]


Steve Jackson Games & A.B. 3280

Brian Sherwood <aha@m-net.ann-arbor.mi.us>
27 May 90 03:50:07 EDT (Sun)
> Computer Gaming World (Golden Empire Publications)
> June, 1990, Number 72, Page 8
> Editorial by Johnny L. Wilson

                        It CAN Happen Here

  Although Nobel Prize-winning novelist Sinclair Lewis is probably best known
for 'Main Street', 'Babbitt', 'Elmer Gantry', and 'Arrowsmith', my personal
favorites are 'It Can't Happen Here' and 'Kingsblood Royal'.  The latter is an
ironic narrative in which a man who suffers from racial prejudice toward the black
population discovers, through genealogical research, that he himself has black
ancestors.  The protagonist experienced a life-challenging discovery that
enabled Lewis to preach a gospel of civil rights to his readership.

  The former is, perhaps, Lewis' most lengthy novel and it tells how a radio
evangelist was able to use the issues of morality and national security to form
a national mandate and create a fascist dictatorship in the United States.  As
Lewis showed how patriotic symbolism could be distorted by power-hungry elite
and religious fervor channeled into a political movement, I was personally
shaken.  As a high school student, reading this novel, for the first time, I
suddenly realized what Lewis intended for his readers to realize.  "It" (a
dictatorship) really CAN happen here.  There is an infinitesimally fine line
between protecting the interests of society and encumbering the freedoms of the
self-same society in the name of protection.

  Now it appears that the civil liberties of game designers and gamers
themselves are to be assaulted in the name of protecting society.  In recent
months two unrelated events have taken place which must make us pause: the
raiding of Steve Jackson Games' offices by the United States Secret Service,
and the introduction of A.B. 3280 into the California State Assembly by
Assemblyperson Tanner.

  On March 1, 1990, Steve Jackson Games (a small pen and paper game company)
was raided by agents of the United States Secret Service.  The raid was
allegedly part of an investigation into data piracy and was, apparently,
related  to the latest supplement from SJG entitled, GURPS Cyberpunk (GURPS
stands for Generic Universal Role-Playing System).  GURPS Cyberpunk features
rules for a game universe analogous to the dark futures of George Alec Effinger
('When Gravity Fails'), William Gibson ('Neuromancer'), Norman Spinrad ('Little
Heroes'), Bruce Sterling ('Islands in the Net'), and Walter Jon Williams
('Hardwired').

  GURPS Cyberpunk features character related to breaking into networks and
phreaking (abusing the telephone system).  Hence, certain federal agents are
reported to have made several disparaging remarks about the game rules being a
"handbook for computer crime".  In the course of the raid (reported to have
been conducted under the authority of an unsigned photocopy of a warrant; at
least, such was the only warrant shown to the employees at SJG) significant
destruction allegedly occurred.  A footlocker, as well as exterior storage
units and cartons, were deliberately forced open even though an employee with
appropriate keys was present and available to lend assistance.  In addition,
the materials confiscated included: two computers, an HP Laserjet II printer, a
variety of computer cards and parts, and an assortment of commercial software.
In all, SJG estimates that approximately $10,000 worth of computer hardware and
software was confiscated.

  The amorphous nature of the raid is what is most frightening to me.  Does
this raid indicate that those who operate bulletin board systems as individuals
are at risk for similar raids if someone posts "hacking" information on their
computer?  Or does it indicate that games which involve "hacking" are subject
to searches and seizures by the federal government?  Does it indicate that
writing about "hacking" exposes one to the risk of a raid?  It seems that this
raid goes over the line of protecting society and has, instead, violated the
freedom of its citizenry.  Further facts may indicate that this is not the
case, but the first impression strongly indicates an abuse of freedom.

  Then there is the case of California's A.B. 3280 which would forbid the
depiction of any alcohol or tobacco package or container in any video game
intended primarily for use by minors.  The bill makes no distinction between
positive or negative depiction of alcohol or tobacco, does not specify what
"primarily designed for" means, and defines 'video game' in such a way that
coin-ops, dedicated game machines, and computer games can all fit within the
category.

  Now the law is, admittedly, intended to help curb the use and abuse of
alcohol and tobacco among minors.  Yet the broad stroke of the brush with which
it is written limits the dramatic license which can be used to make even
desirable points in computer games.  For example, Chris Crawford's 'Balance of
the Planet' depicts a liquor bottle on a trash heap as part of a screen talking
about the garbage problem.  Does this encourage alcohol abuse?  In 'Wasteland',
one of the encounters involves two winos in an alley.  Does their use of
homemade white lightning commend it to any minors that might be playing the
game?

  One of the problems with legislating art is that art is designed to both
reflect and cast new light and new perspectives on life.  As such, depiction of
any aspect of life may be appropriate, in context.  Unfortunately for those who
want to use the law as a means of enforcing morality, laws cannot be written to
cover every context.

  We urge our California readers to oppose A.B. 3280 and help defend our basic
freedoms.  We urge all of our readers to be on the alert for any governmental
intervention that threatens our freedom of expression.  "It" not only CAN
happen here, but "it" is very likely to if we are not careful.


Re: Secure UNIX Infected?

<smb@ulysses.att.com>
Sat, 26 May 90 16:41:55 EDT
     If you read between the lines you will note that a development
     version of AT&T UNIX was infected.  The message is that the
     "NCSC" is more concerned about "confidentiality" than, say,
     integrity.  The sooner we get a counter balance to the NCSC
     critical mass within POSIX P1003.6 (security) the better our
     future.

     [description of Duff's virus deleted]

     he loosed the thing inside AT&T as an experiment to see how
     well such a weak virus would spread, and how it could be
     started.  (he started the infection by adding an infected copy
     of "echo" to some public directories he had write access
     to).

     [more deletions]

     it caused some particular problems on a "secure" unix that was
     being developed, since the kernel detected the attempts of the
     virus to propagate, and killed the virus.

I think there's a serious misconception here about Duff's virus, where it
spread, and ``AT&T UNIX''.  There are no lines to read between; what was said
is literally and completely true, with no hidden messages.  Tom's virus was
developed on 9th Edition UNIX systems, a research version that bears little
relation to System V or anything else in the product line.  No ``development
version'' of the UNIX system was affected.  This is doubly true of AT&T's
secure UNIX system product (System V/MLS), which has been certified at the B1
level.  The ``secure unix'' affected was an experimental implementation of
mandatory access controls, using a modified 9th Edition kernel.  And, as noted,
even the affected system was still under development at the time -- hardly a
fair criticism of any finished system.

All that aside, I wouldn't be so quick to dismiss the NCSC's efforts as focused
on confidentiality rather than integrity.  While there certainly is that bias,
there's a lot to be said for maintaining confidentiality even in the commercial
world (as numerous stories in RISKS attest, of course).  And, at least for some
programs, the mandatory access controls can be used to maintain integrity: mark
any critical program as being in the lowest-possible security level, lower than
any user process.  That way, any attempt to modify the program appears to be an
access-control violation.

And there's one more point that shouldn't be ignored.  The Orange Book does not
simply list a set of features.  It describes a development process, an attitude
towards software management, and (to some extent) an enforced modularity.  All
of these contribute to reliable -- and hence secure -- software.  Furthermore,
the certification process itself is quite stringent.  There's a world of
difference between, say, ``B1-certifiable'' -- which generally means a feature
list -- and ``B1 certified.''

If there are specific features you'd like to see added to POSIX for better
integrity maintenance, by all means propose them.  But as far as I can tell,
the NCSC -- and its sponsor, DoD -- are among the few groups that not only take
security seriously, but are prepared to put their money where their mouth is.

        --Steve Bellovin
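
The integrity use of mandatory access controls described in the posting above, as an added example that is not part of the original message or of any AT&T system: a minimal Bell-LaPadula style check in Python. The level names, the SYSTEM_LOW label, and the process and file names are constructed for illustration.

```python
"""Added illustration: using confidentiality labels to protect integrity.

Assumption: a linear set of levels with a constructed SYSTEM_LOW label that
sits below every level a user process may run at.
"""
from dataclasses import dataclass

LEVELS = {"SYSTEM_LOW": 0, "UNCLASSIFIED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Labeled:
    """A process (subject) or file (object) carrying a security level."""
    name: str
    level: str


def dominates(a: str, b: str) -> bool:
    return LEVELS[a] >= LEVELS[b]


def may_read(subject: Labeled, obj: Labeled) -> bool:
    """Simple security property: no read up."""
    return dominates(subject.level, obj.level)


def may_write(subject: Labeled, obj: Labeled) -> bool:
    """*-property: no write down."""
    return dominates(obj.level, subject.level)


def attempt_infection(process: Labeled, program: Labeled) -> str:
    """A file-infecting virus has to read its host and write it back."""
    if not may_read(process, program):
        return "denied: read up"
    if not may_write(process, program):
        return "denied: write down"
    return "modified"


def writable_by(processes, programs):
    """Audit helper: every (process, program) pair where a write succeeds."""
    return [(p.name, f.name) for p in processes for f in programs
            if may_write(p, f)]


# Constructed sample data.
USERS = [Labeled("alice-shell", "UNCLASSIFIED"), Labeled("bob-shell", "SECRET")]
PROTECTED_ECHO = Labeled("/bin/echo", "SYSTEM_LOW")
UNPROTECTED_ECHO = Labeled("/usr/local/bin/echo", "UNCLASSIFIED")

if __name__ == "__main__":
    for user in USERS:
        for prog in (PROTECTED_ECHO, UNPROTECTED_ECHO):
            print(user.name, "->", prog.name, ":", attempt_infection(user, prog))
    print("writable pairs:", writable_by(USERS, [PROTECTED_ECHO, UNPROTECTED_ECHO]))
```

The program labelled SYSTEM_LOW stays readable by every user process but writable by none; the copy labelled at a user level can still be modified by a process running at that same level.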


Re: Secure UNIX Infected?

<henry@zoo.toronto.edu>
Mon, 28 May 90 12:11:35 EDT
>If you read between the lines you will note that a development version of AT&T
>UNIX was infected.  The message is that the "NCSC" is more concerned about
>"confidentiality" than, say, integrity.  The sooner we get a counter balance to
>the NCSC critical mass within POSIX P1003.6 (security) the better our future.

If you read the Usenix paper referred to, you will find out that (a) the secure
Unix in question is a research system, not a product or potential product, and
(b) as mentioned in the Risks posting, the virus infected it at a time when
much of the security had not yet been turned on.  I would urge people to read
the paper before jumping to unwarranted conclusions.

Henry Spencer at U of Toronto Zoology                 uunet!attcan!utzoo!henry


Dereferencing Tim Kay's address

David Kuder <david@indetech.com>
Sun, 27 May 90 20:39 PDT
When Tim first wrote about his problems I thought that they were
related to the fact that zipcodes don't provide a functional dependency
for city and state.  That is, more than one city (well, wide spot in the
road) can be in one zip code.  This problem has bitten my father who
now has subscriptions with a 4 line address of the form:
    Doc Kuder
    3 Elm St.
    Brownsville
    Emmittburg, PA 18888
Because there is an Elm Street in both Brownsville and Emmittburg and
they've got nothing to do with each other, but the Post Office insists
that 18888 is Emmittburg.

I also thought that Tim's problem might be that the zip code he's using is only
for the dorms at Caltech.  The rest of campus has its own zip code, and the box
number Tim uses doesn't match dorm practice.  It shouldn't matter since both
zip codes go to the same campus Post Office.  When I first moved off campus, I
used the campus zip code and had my mail delivered even slower than normal since it
was sent to campus first then bounced.  That house has since become part of
campus -- I wonder what its zip code is now?

Tim's problem is actually "Box".  A quick scan of the zip code directory shows
that only post office boxes in Pasadena can be found in zip code 91102.  I
suggest that Tim use something like "Building" or "Mailstop".  The campus Post
Office may be able to give him the definitive answer.

David A. Kuder                                      david@indetech.com
