RISKS-LIST: RISKS-FORUM Digest Sunday, 20 December 1987 Volume 5 : Issue 79
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Re: Lehigh Virus (James Ford)
IBM Xmas Prank (Fred Baube)
National security clearinghouse (Alan Silverstein)
Financial brokers are buying Suns... (John Gilmore)
Toronto Stock Exchange Automation? (Hugh Miller)
Who Sues? (Marcus J. Ranum)
The Fable of the Computer that Made Something (Geraint Jones)
Re: Litigation over an expert system (Rich Richardson)
Tulsa; Bugs (Haynes)
More ATM information (George Bray)
Truncation (Alex Heatley)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).
----------------------------------------------------------------------
Date: Fri, 18 Dec 87 15:16:33 CST
From: "James Ford (Phantom)" <JFORD1%UA1VM.BITNET@CUNYVM.CUNY.EDU>
Subject: Re: Lehigh Virus (RISKS-5.72)
To: RISKS@csl.sri.com
I've been reading about the PC virus that invaded Lehigh Univ. There is
public domain software (2 that I know of now) that will detect potential
"trojans" and/or "bombs". These programs are:
1. CHK4BOMB (check 4 bomb) - This program is used on suspected trojans.
The program will read and print the ASCII code. After that, it'll start
reading the machine code. If the file writes to absolute sectors, CHK4BOMB
will respond with "WARNING! THIS PROGRAM WRITES TO ABSOLUTE SECTORS! THERE
IS A CHANCE THAT DATA COULD BE LOST....etc"
2. BOMBSQAD - This program is a memory resident program that will allow you
to intercept READ, WRITE and VERIFY (in any combination) to your hard/floppy
disks. It allow you to abort the suspected command by returning a timeout
error (I think) to DOS, which gives you a ABORT, RETRY, IGNORE........
While I can't state that it will detect ALL trojans, these "binary condoms"
have detected the COMMAND.COM virus at LeHigh Univ.
Since the programs are public domain, I will gladly send them to you if you
request them. If sent, the files will uploaded WITHOUT converting to EBCDIC.
James Ford, The Phantom, JFORD1@UA1VM.BITNET
------------------------------
To: risks@csl.sri.com
Subject: IBM Xmas Prank
Date: Fri, 18 Dec 87 10:03:57 -0500
From: Fred Baube <fbaube@note.nsf.gov>
From Friday's Washington Post, excerpted without permission.
"The message popped onto desktop screens in IBM offices around
the country and even crossed the Atlantic and Pacific oceans,
showing up in IBM outposts in West Germany, Italy and Japan."
[as pictured X
in the article] X X
X X X
X X X X
X X X X X
X X X X X X
X X X X X X X
X
X
X
A very happy Christmas and my best wishes for the next year.
Let this run and enjoy yourself.
Browsing this file is no fun at all. Just type Christmas.
________
"The message that bedeviled IBM was a comparatively benevolent
one and did not, as computer tricksters' creations sometimes do,
destroy other material in the system .. [although] rapidly
producing electronic gridlock."
"The culprit is unknown .. but preliminary investigation suggests
that the message originated outside the company. IBM's mail
system is attached to those of several other institutions."
"From start to finish, the message survived only hours .."
"Does the world's biggest and most advanced computer company feel
embarassed about its Christmas chain ? 'We didn't want it to
happen, but we anticipated something like this might be attempted
and we were prepared to deal with it.'"
Questions:
(1) An incoming message can contain an executable program,
that can easily be run ?
(2) Such a message can be remailed under its contained program's
control, presumably with the name of the last victim in the
"From:" field ?
(3) Can IBM trace it to an originator, or was anonymity possible ?
(4) How/where can readers of RISKS submit something similar ?
(strictly for professional testing purposes)
(5) Is the Internet similarly vulnerable ?
The prank seems to be benign, and therefore beneficial.
IBM seems to have dealt with it effectively (or have they ?).
Browsing this message is no fun at all. Just type Christmas ..
[Bay Area folks can read a long front-page article by John
Markoff on viruses in today's SF Chronicle-Examiner. PGN]
------------------------------
Date: Fri, 18 Dec 87 14:27:32 mst
From: Alan Silverstein <hpfcdt!ajs@hplabs.HP.COM>
To: risks@csl.sri.com
Subject: national security clearinghouse
> Andy Freeman, Security failures..., RISKS-5.77
> A clearinghouse, repository, library, or whatever name one wants to give
> to such a function should be set up so that those of us who are trying
> to build defenses can have subjects to study.
This falls right in the charter of the National Computer Security Center
(NCSC), a federal agency. They are also the folks who evaluate Trusted
Computer Systems by the Evaluation Criteria (Orange Book). Their services
are "free" (tax-supported).
Alan Silverstein, Hewlett-Packard
[We have noted this here before, but it seems worth reminding new
readers that all sorts of systems have been evaluated. PGN]
------------------------------
Date: Sat, 19 Dec 87 04:26:22 PST
From: hoptoad.UUCP!gnu@cgl.ucsf.edu (John Gilmore)
Subject: Financial brokers are buying Suns...
To: risks@csl.sri.com
> In hindsight, it seems that computers on Wall Street created an
> appetite they ultimately couldn't satisfy. Following the classic
> addicts' pattern, each time investors got more powerful computers,
> they developed investment techniques that needed even more powerful
> computers....
By the way, one of the hottest new markets for Suns (and possibly other
workstations) is in financial trading. A bunch of companies are doing
software that lets a broker monitor a bunch more stuff, get plots of
stock trends, etc, on their bitmapped Sun screen. Just being able to
display N things at once in N windows will help a lot.
Today's common "quotron" terminals seem to just be dumb terminals.
Well-designed support software on Suns should be able to aid brokers,
the same way it has helped me to get more programming done in the
same amount of time, and with higher quality.
[Wait until people figure out the nice network security
flaws/features in such an environment. That will give a new
meaning to INSIDER TRADING, using INSIDER COMPUTER FRAUD. PGN]
------------------------------
Date: Sun, 20 Dec 87 14:21:03 EST
From: Hugh Miller <HUGH%UTORONTO.BITNET@CUNYVM.CUNY.EDU>
Subject: Toronto Stock Exchange Automation?
To: "Peter G. Neumann, Moderator" <RISKS@csl.sri.com>
The following is excerpted without permission from "Computers-or-people
dispute flares at TSE" by Fred Lebolt, *Toronto Star*, Sa 19 Dec 87, p. B1:
A dispute between floor traders and senior management at the Toronto Stock
Exchange is brewing again, as the exchange studies whether computers or
people should be at the center of stock market action. After what one
exchange official described as a "shooting match" between the two sides, the
exchange has launched a new, $1.25 million study looking into computer-based
trading compared with person-to-person stock market trades.
"People's livelihoods are involved here, so tensions and anxieties are high,"
the official said in an interview.[...]
Newspaper photos and television clips of the stock exchange usually show the
floor traders in action: often wearing brightly colored jackets, they're the
ones who yell buy and sell orders on the exchange floor. At the heart of the
action are the specially designated registered floor traders. This group of
more than 100 individuals will guarantee to buy or sell a certain number of
shares so the public will always be able to trade in those securities, and
will oversee trading to make sure there's a small spread between the buy and
sell prices. They have to keep tabs on all the trades in the stocks they
follow.
Computer-based trading, by contrast, involves putting orders through by
machine, with the buy and sell prices displayed on video terminals. The
people behind the machines are also traders, but the deals are struck by
computer keystrokes, rather than in person.[...]
The controversy over computerized trading has been simmering for some time,
but erupted a year ago after the exchange's board of governors approved a
plan to switch two large stock issues from the trading floor to the
TSE-developed Computer Assisted Trading System, known as CATS. CATS was
originally introduced to handle trades in less active stocks, while major
share issues remained in the hands of floor traders. The computerized system
now handles almost half of the total listings on the exchange. But the news
that two large stock issues were going over to CATS hit like a bombshell.
Traders banded together into a Professional Traders Association to voice
their concerns.
What emerged was a compromise deal, in which an experimental trading area
was set up using both floor traders and computer technology. But the
controversy stirred up again in June, when the exchange startedpushing for a
rapid expansion of the experimental trading posts throughout the floor. Many
traders argued that the move was premature, and sought a postponement in the
expansion, which they won.
The July report [prepared for the exchange found advantages in the
computer-based trading system and] reopened the controversy. [A second
report, issued in September and prepared for Gordon Capital Corp., disputed
much of the first report's findings. A subsequent letter sent to Toronto
Stock Exchange members by Gordon Capitol president Donald Bainbridge said
conclusions from the July report "were a real shock to the many experienced
traders" who reviewed it.]
The latest study now under way involves management, traders, and other
groups. It is looking into a variety of key issues about future directions
for trading and the over-all market environment.[...] When asked
specifically if he believes there will be still be person-to-person trades on
the exchange floor five years from now, [exchange vice-president Terry]
Popowich [,who has management responsibility for floor trading,] replied, "I
don't know. "I also don't know if there's going to be completely automated
trading."
This is the first indication I have seen that a stock exchange is considering
abandoning open outcry entirely in favour of completely on-line trading.
Previous contributions to this list have emphasized the limited role
computers play in performing or influencing actual trading. It has been
pointed out that they are most often utilized in margin trading, and in
portfolio insurance (where, it has been hypothesized, they can contribute
most to market instability during large fluctuations in share prices).
There is in this story little indication that human beings will not be at the
keyboards of the new, totally on-line TSE. But the tendency in recent times has
definitely been to replace human judgment with machine judgment, on the grounds
that the latter is much faster and therefore able to take advantage of
favorable buy/sell conditions much sooner than humans, with correspondingly
greater earnings for the brokerages.
Given this tendency, are we on the way to the introduction of computer trading
programs to handle trading in *ALL* stock issues? And to handle the functions
previously reserved for the registered floor traders, as overseers and monitors
of price spreads? And how will we insure that such enormously complex systems
will not synergetically go plooey when pushed to their volume or price limits?
Hugh Miller, Department of Philosophy, University of Toronto, Toronto,
Ontario., CAN M5S 1A1 (416)536-4441
------------------------------
Date: Sat, 19 Dec 87 12:35:20 EST
From: ucbcad!ames.UUCP!uunet.UU.NET!mimsy!jhu!osiris!mjr@ucbvax.Berkeley.EDU
(Marcus J. Ranum)
To: KL.SRI.COM!RISKS@uunet.uu.net
Subject: Who Sues? (Re: RISKS DIGEST 5.75)
It would be nice to think that the current trend towards suing
anyone and everything in the near vicinity of a mistake does not indicate
that Americans are not losing track of the basic principles of causality !!
Can't anyone take credit for their own mistakes anymore ? If someone
wishes to place their trust in an ES, and it turns out to be misplaced, I'd
look at "assigning the blame" as follows:
Person who did not exercise common sense: 99.5%
Programmer who marketted malfun software: 00.4%
Assembly of chips and magnetic oxide: 00.1%
Until it is a fact of reality that expert systems are KNOWN to be
reliable, then a person is unreasonable in trying to sue the producer of a
product that common sense would indicate as potentially unreliable.
I understand that these views have no weight against current "law"
and "legal" decisions. On the other hand, our legal system is becoming less
and less a system of justice and common sense, and more and more a
self-feeding system of self-reproducing rules...
It concerns me that nobody can stand up anymore and say "wow, I
goofed" or "I should have used my own !@#!@#!@# brain instead of flipping
a coin" when something goes wrong and they are associated with it. I can
see a case where an airplane crashes because of poor service as the fault
of the airline. There must, however, be a provision for acts of god, or a
simple admission of stupidity.
An elderly woman recently won a lawsuit against a soda bottler because
her eye was hurt when a cap hit it. She was taking the cap off the bottle with
pliers, and the pliers slipped. Essentially, the "law" and the "lawyers" are
saying that it is permissible (even rewarded) to be stupid.
--mjr();
------------------------------
Date: Sat, 19 Dec 87 14:21:15 GMT
From: Geraint Jones <geraint%prg.oxford.ac.uk@NSS.Cs.Ucl.AC.UK>
To: RISKS@csl.sri.com
Subject: The Fable of the Computer that Made Something
It has happened before, but is worth documenting that almost all the media
here reported the last year's erroneous calculations of the Retail Price Index
as a computer error. It was the BBC's flagship evening radio news bulletin on
Friday that I heard report that ``a computer made a mistake''. As far as I can
see, this time it was not even the case that `the computer' was incorrectly
instructed; rather it was decided to perform an (almost) entirely unrelated
calculation, and it just so happened that a computer was used to do the adding
up. Using a computer means never having to say sorry. gj
------------------------------
Date: 18 Dec 87 21:18:46 PST (Friday)
Subject: Re: Litigation over an expert system
To: Dean Sutherland <Sutherland@TL-20B.ARPA>
Cc: RISKS@csl.sri.com, RMRichardson.PA@Xerox.COM
From: Rich <RMRichardson.PA@Xerox.COM>
> In Risks digest 5.71, chapman@russell.stanford.edu (Gary Chapman)
> mentions a "goofy" California law that provides for a defendant who
> is only 1% responsible to pay 1% of the judgement. Although this
> law may be goofy, it is a major improvement over previous versions. ...
I think the new law applies to "punitive damages" and real damages (actual
loss) may still be taken from any of the "deep pocket" defendants. Am I wrong?
Rich
------------------------------
Date: Sat, 19 Dec 87 00:07:53 PST
From: haynes@ucscc.UCSC.EDU (99700000)
To: RISKS@kl.sri.com
Subject: Tulsa; Bugs (Re: RISKS-5.78)
1) RE the Tulsa event of criminals sawing up telephone boxes. Here in Santa
Cruz a few weeks ago transients living under a bridge built a fire to keep
warm - right on top of a nest of conduits carrying telephone cables!
2) RE "Bug" - I remember vaguely reading some boys' book of the 1920s
(something like Tom Swift) in which one of the characters is working on his
invention and says he just has to get a few bugs out before it will work right.
haynes@ucscc.bitnet, ...ucbvax!ucscc!haynes, ...
------------------------------
Date: Thu, 17 Dec 87 19:33:54 PST
From: George Bray <lcc.ghb@SEAS.UCLA.EDU>
To: RISKS FORUM (Peter G. Neumann -- Coordinator) <RISKS@KL.SRI.COM>
Subject: More ATM information
We have discussed several issues of ATMs recently, and I want to add
a few more nuggets:
1. Recently, a contributor mentioned that their bank claimed that
"the ATM cuts the card if there is something wrong with it."
I have experience with ATMs made by IBM, Docutel and Diebold
(and various Diebold emulators) and none of them cut the card
when capturing it. It is simply stacked inside the machine.
Typically, bank tellers do cut the cards up after removing
them from the machine, but that is done by a person, not by
the ATM.
2. Another contributor mentioned that banks don't wish to discuss
their systems, even when they implement standards that are publicly
available. This is quite true in my experience. The manufacturers
of bank hardware and the banks themselves depend mostly upon
ignorance for protection.
3. Most bank transaction security is aimed at preventing losses to
the bank, not to the cardholder. In fact, ATM security isn't
seen as a big problem, because even with a stolen card, the most
a burglar could get away with is a few hundred dollars at a time.
(Again, tough on the poor customer, but it is cheap for the bank
to eat the loss if the customer complains).
In fact, the prevailing attitude is that the major threat to
ATMs is physical: since there is about $40,000 in a fully-loaded
ATM, but it will only dispense a maximum of a few dozen bills at
a time, the easiest way to get money out is to blow the front
off the ATM, or attack it with a car, etc.
4. As an aside, it is interesting that in many cases bank regulations
have not caught up with the concept of ATMs. In California at
least, the banking laws stipulate that any location that accepts
deposits for a bank must be a branch of that bank. This means
that ATMs owned by a different bank can't be used for deposits,
even if the data processing and money handling for the two banks
are run by the same data processing provider.
This regulation becomes onerous when combined with the definition
of a transfer: "a withdrawal from one account followed by a deposit
to another account". This means that one is not allowed by law to
press a button on an ATM commanding a computer to transfer funds
between two accounts which consist of bits on a disk drive
connected to that computer.
George Bray
------------------------------
Date: Tue, 8 Dec 87 15:24:43 +1300
From: Alex Heatley <alex@comp.vuw.ac.nz>
To: RISKS@kl.sri.com
Subject: Truncation (Doug Mosher, Re: RISKS-5.69)
Organization: Comp Sci, Victoria Univ, Wellington, New Zealand
> It is ALWAYS BAD PRACTICE to truncate anything without notice.
>
>Many examples over the years occur to me; here's a small partial list.
Regarding VM/CMS (IBM Mainframe OS) here's a nasty one that has caught me
twice. When you change your password you are allowed to enter one that is
longer than 8 characters. However, upon logging in, your password is
truncated to 8 characters. The OS goes away and compares the entered
password with the one in the file (passwords are kept in clear in a special
file that only the SYSADMIN is supposed to be able to access -- ha!) aha!
it says these are not equivalent and refuses to let you log in.
Now you know that you typed in the right password so you try again but, after
five attempts the OS will lock you out of the terminal. So you walk away in
confusion. If the terminal is in a public place, eventually, another user
will try to use the terminal -- and will receive the error message that they
can't login -- yes that's right the OS locks the terminal from being used
until either the SYSADMIN resets it or n (SYSADMIN defined) hours have elapsed.
Aren't IBM OS's fun!!!
Alex Heatley : CSC, Victoria University of Wellington, New Zealand.
Domain: alex@comp.vuw.ac.nz Path: ...!uunet!vuwcomp!alex
------------------------------
End of RISKS-FORUM Digest
************************