21-Dec-86 21:51:48-PST,19554;000000000000 Mail-From: NEUMANN created at 21-Dec-86 21:50:31 Date: Sun 21 Dec 86 21:50:31-PST From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS DIGEST 4.33 Sender: NEUMANN@CSL.SRI.COM To: RISKS-LIST@CSL.SRI.COM RISKS-LIST: RISKS-FORUM Digest, Sunday, 21 December 1986 Volume 4 : Issue 33 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Help British Telecom save a WORM. (Scot E. Wilcoxon) Security of magnetic-stripe cards (Brian Reid) Korean Air Lines Flight 007 (Dick King) Car-stress syndrome (Dick King) Bugs called cockroaches [A True Fable For Our Times] (anonymous) Re: More on car computers (not Audi) (Miriam Nadel) Runaway Audi 5000 (John O. Rutemiller) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM) (Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. MAXj: Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.) ---------------------------------------------------------------------- From: rutgers!meccts!mecc!sewilco@seismo.CSS.GOV To: mod-risks@seismo.CSS.GOV From: sewilco@mecc.UUCP (Scot E. Wilcoxon) Subject: Help British Telecom save a WORM. Summary: Possible solution: test write before accepting card. WORM problem. Date: 21 Dec 86 04:01:49 GMT Organization: Minn Ed Comp Corp, St. Paul >Unfortunately, a relatively simple doctoring of the card has been discovered >that threatens the whole scheme, and makes a card indefinitely reusable [at >least until the system is either modified or withdrawn]. A read-after-write test before using the resource (telephone time in this case) might be the generic solution. This won't work if the BT reader can't be positioned to read what has just been written. Hopefully there aren't many other major installations with the same flaw (BART & other transport?). Computer programmers should know of this flaw due to one eagerly-awaited peripheral which is finally becoming available. Writeable optical data disks (ie, WORM drives) promise storage of huge amounts of data. People who want to sell large numbers of programs or data will now be able to put hundreds of programs on one optical disk. One "demonstration disk" method being used by some companies is to allow a program to be used a few times or for a few days. This method may be vulnerable to a write-blocking technique similar to the British Telecom card doctoring, although different physical tools may be needed. The designer of an optical disk collection should be aware of this technique so he can thwart it. Scot E. Wilcoxon Minn Ed Comp Corp {quest,dayton,meccts}!mecc!sewilco (612)481-3507 sewilco@MECC.COM ihnp4!meccts!mecc!sewilco ------------------------------ From: reid@decwrl.DEC.COM (Brian Reid) Date: 20 Dec 1986 0109-PST (Saturday) To: risks@sri-csl.ARPA Subject: security of magnetic-stripe cards [This relates to earlier risks.] There are three ways that I know of to fraudulently modify magnetic-strip credit cards. The technology to make mag-stripe credit cards secure against two of them has existed for almost 15 years. Most credit-card companies do not use it because it is more expensive than the losses that they are currently sustaining from fraud. However, the main reasons for its expense are that it requires new card-reader electronics, and in the fullness of time one could imagine moving to it. The three attacks are: 1) Copying the strip from one card to another 2) Modifying the contents of a card with read/modify/write (or rewriting it completely, if you choose) 3) Making a checkpoint of a card, using it, and then restoring the card to its former state. This technology can protect against attacks (1) and (2), but not (3). I first heard about it from a security person at the National Bank of Washington in 1973. Here's how it works. When a credit card is molded, it is molded out of plastic that has had nickel particles stirred in with it. The magnetic strip is affixed, and the card is run through a machine that senses the location of the nickel particles on the card and computes a cryptographic checksum of their positions. The checksum function is secret. That checksum is used as the decryption key of a 2-way encryption function, and the remaining information on the magnetic strip is encrypted in such a way that the nickel-particle checksum of the plastic card is used as the decrypting key for the data on the magnetic strip. This protects against attack 1, copying, because the contents of the mag strip on one card will not work on a card with a different nickel checksum. This protects against attack 2, forging, because even if the forger can determine the position of the nickel particles he does not know how to compute the checksum from their position. It is easy to design a system for which attack 3 will not be useful. I believe that the expense of this system is the expense of the particle-sensing readers, which are more delicate than mag-strip readers. I am confident that if electronic fraud with credit cards starts to cost more than the particle readers, that banks will switch. Brian Reid DEC Western Research ------------------------------ Date: Thu, 18 Dec 86 13:48:36 pst From: king@kestrel.ARPA (Dick King) Subject: Korean Air Lines Flight 007 (RISKS-4.31) To: RISKS@CSL.SRI.COM I'm very unimpressed with the straightness of the logic in Shootdown. There seem to be as many contradictions within that volume as there are in the record of the shootdown itself. As one example, on page 24 [hardcover, American edition] he states that "The full significance of this becomes apparent if one realises that Soviet ground control was undoubtedly monitoring 007's conversation with Tokyo, presumably with a slight lag as a translation was obtained. ...". The transcripted conversation, to which the Soviets were "undoubtedly" listening, clearly identified the airliner as 007. The thrust of P. 24-27 is that the plane gave out deceptive information that fooled the Soviet air defence. On page 187, however, he quotes the Times as quoting US intelligence analysts as saying "the initial identification of the the jetliner as a military reconnaissance aircraft became fixed in the mind of Soviet air defence officials and was strengthened after Soviet interceptors were unable to locate the plane for two hours". Mr. Johnson did not explain why the Soviets were, according to him, listening closely enough to this routine airliner traffic to be fooled, and why, if they thought the intruder was not 007, they attributed 007's broadcasts to this intruder. Remember, they were supposed to be hearing 007; they are just supposed to have thought that this plane wasn't it. -dick ------------------------------ Date: Thu, 18 Dec 86 12:19:22 pst From: king@kestrel.ARPA (Dick King) Subject: Car-stress syndrome (RISKS-4.31) To: RISKS@CSL.SRI.COM This brings up an interesting RISK imposed by high technology in general -- namely that certain people will take advantage of the public's natural fear of the unknown. They can either offer new and different forms of snake oil or, as this ad seems to do, or they can prey on the public ignorance as to how things work and what is known or not known about safety and levels of exposure, to attract a following for whatever reason. What has this to do with computers? Two groups I know of are arguably using this tactic in a computer-related manner. One group, 9-5 I believe, attempts to bolster a political base by causing CRT's to be regarded as *unsafe*. The second group offers to clear credit problems, doing nothing you couldn't do for yourself [per CR], but implying in at least some of their ads that they have an "in" with the computer network. -dick * I will apologize to the first person who can show me that most of the group's supporters refuse to allow a TV into their homes, or at least that the group advocates such refusal. I have never even seen any such literature claim that monochrome TV's are safer. This would be obviously counter-productive because most of the intended audience uses monochrome monitors, but voltages are lower, images are crisper, flyback noise tends to be less; this covers most of the claimed problems with CRT's. ------------------------------ From: anonymous@erehwon Subject: Bugs called cockroaches [A True Fable For Our Times] [THE FOLLOWING WAS CONTRIBUTED FOR ANONYMOUS INCLUSION ON THE GROUNDS OF SEVERE AUTHOR EMBARRASSMENT AT EVER ADMITTING TO WRITING SUCH AWFUL DRIVEL (EVEN THOUGH THE INCIDENT DESCRIBED IS ABSOLUTELY TRUE) OR TO INCLUDING SOME HORRIBLE PUNS (MOST OF WHICH HAVE BEEN REMOVED BY THE SOMETIMES IMMODERATE MODERATOR).] > Heisenbugs is already a fairly common term -- it refers to bugs > which go away as soon as you try to run them under a debugger > (or with the debugging compile- or run-time flags set). I once had an amusing problem where the most likely cause was that I was exceeding array bounds. Naturally I turned on the bounds checking flag, and got fatal output errors. So I next put in manual traces, and I still got fatal output errors. Highly annoying, no? A little investigation revealed that the newly compiled-in format strings were getting trashed. I'm talking about a genuine cockroach. What to do, what to do? I declared a dummy array of dimension 100k--what the heck, it was on a Cray--so from then on the array overflow was safely trashing the dummy; I got my trace and I killed the nasty little bugger. So, what is the moral of this story? Obviously, "Rough strings do flake the darling bugs of Cray." [Ah, yes, the iambic pentameter is always a giveaway. For those of you in search of the original, the first line is exceedingly well known: Shall I compare thee to a summer's day? Thou art more lovely and more temperate: Rough winds do shake the darling buds of May, And summer's lease hath all too short a date: ... I hope that any future shaggy bug stories will be more lovely, more temperate, and less anonymous. PGN (LE KOOK or HOTSHOT?)] ------------------------------ Date: Thu, 18 Dec 86 12:09:35 PST From: dma%euler.Berkeley.EDU@BERKELEY.EDU (Controls Wizard) To: ucbvax!CSL.SRI.COM!RISKS Subject: Re: More on car computers (not Audi) According to the latest issue of Consumer Reports there is a recall of 1982 Toyotas because a problem with the cruise-control computers can result in uncontrollable acceleration. Yet another reason for Audi to rethink their position. Miriam Nadel [Specify by name in any direct reply] ------------------------------ Date: Sat, 20 Dec 86 11:03 EST From: "John O. Rutemiller" Subject: Runaway Audi 5000 To: risks@CSL.SRI.COM The Washington Post Magazine for December 21, 1986 had an article in which the author supports Audi's position of driver error. I believe his view helps show the current trend of people like "60 Minutes" to blame a computer or machine without looking at operator error. I'm glad someone is willing to accept possible operator error. The full text follows. Audi's Runaway Trouble With the 5000, by Brock Yates I recently watched in fascination as Ed Bradley reported on the CBS-TV show "60 Minutes" that the 1978-'86 Audi 5000 sedans can treacherously launch themselves like misfired missiles when their automatic transmission levers are placed in drive or reverse. This phenomenon labeled "unintended acceleration," has allegedly been responsible for several deaths, including a particularly poignant one - tearily documented on the show - in which a pretty young mother crushed her young son against the back wall of a garage. The segment included testimony from several victims. They decried Audi's suggestion that the trouble lay not in a mechanical flaw but in driver error. Audi says the drivers accidentally hit the accelerator, not the brakes, after engaging the transmission. Although Bradley acknowledged Audi's explanation and interviewed two of its engineers, he clearly sided with the owners. "60 Minutes" portrayed the Audi 5000 as a flawed automobile, perhaps cursed by its "idle stabilizer control," a fuel system component that supposedly triggers "transient malfunctions" without warning. But wait a minute, did Bradly tell us everything? There is no arguing the Audi is in serious trouble with the 5000: Sales are down 20 percent and the Center for Auto Safety has taken the position that the Department of Transportation should require Audi to buy back all its 5000s. Further, an Audi spokesman agrees that "hundreds" of acceleration incidents have occured in the 5000s. The Center for Auto Saftey has received 500 reports and believes more than 750 reports have been made altogether. Audi has ceased to stonewall the issue. "We take the responsibility to resolve the problem," says Audi public relations director Ed Triolo. Furthermore, the phenomenon of "unintended acceleration" is not new. The problem has occurred in a variety of autos with automatic transmissions. More than 2,000 complaints have been made about General Motors models built between 1973 and 1986. Owners of Toyotas, Renaults, Mercedes-Benzes and Nissans have also reported unintended acceleration incidents. However, the Audi 5000 has the highest percentage of acceleration incidents: about 1 in 400 cars built. Triolo says that in the 270 accidents that have been examined by Audi engineers, only six idle-speed stabilizers were found defective and not in a way that would cause rapid, unexpected acceleration. More important, the Audi 5000 - with its 2.2-liter, five cylinder engine developing only 110 hp - simply does not have enough power to override its brakes. (Drivers involved in the incidents swear they are standing on the brakes. Audi has found no instances of brake failure in autos it has examined.) Who's right? Will an Audi 5000 outmuscle its own brakes? I borrowed a 1984 Audi 5000, floored the accelerator with my right foot and stepped on the brake hard with my left foot. Then I moved the transmission from park to drive. AND THE ENGINE STALLED! It lacked sufficient power to override the brakes. According to my brief test, for unintended acceleration to occur, two independent systems - fuel supply and brakes - must fail simultaneously and somehow return to normal. Audi says it went even further. In demonstrations for both CBS and NBC, it made full-throttle acceleration runs to speeds between 30 and 50 mph and then, with the throttle on the floor, stopped the car with the brakes. All of which raises some interesting questions "60 Minutes" failed to ask about the Audi 5000 incidents: Why, after millions of starts over an eight-year period, haven't there been any runaway 5000s reported at Audi's 410 dealerships? Why do there seem to be more of these incidents among drivers who have relatively little experience driving the Audi 5000? (There are an inordinate number of such incidents within the first 2,000 miles of the life of a given car.) Why are there no reported accidents with the Audi 4000 Quattro, which has an identical idle stabilizer mechanism? Why do independent experts, who have speculated that the trouble is centered on throttle linkage, the computer brain in the engine, the automatic transmission or the idle stabilizer, still openly admit there is no obvious culprit? Why, in a number of accident investigations, did Audi engineers find the accelerator pedal bent, even snapped off, presumably by foot pressure? While continuing to research the incidents, Audi has so far installed 32,000 interlock devices that prevent the transmission from being engaged without the driver's foot on the brake. Audi has asked all owners of the 5000 model to bring their cars in for free installation of the interlock. Audi is adamant that the device is a solution, although Triolo says the company does not expect it to eliminate the problem. Drivers of three cars equipped with the interlocks have reported runaway crashes. In the first case, an Audi spokesman says, the driver's description of the event changed over time, and Audi representatives decided it was not a case of brake failure or runaway acceleration. In the second case, Audi says a bushing was installed upside down, preventing the interlock from working. In the third case, Audi says it has not been allowed by the owner's attorneys to inspect the vehicle. Audi contends that the problem of unintended acceleration is a complex one involving a number of factors, including the design of the car itself, the driver, and external distractions. Triolo says the problem of unintended acceleration is inherent in automatic transmission cars throughout the auto industry, not just in Audis. There is one potential explanation for the runaway Audis that strikes me as obvious: The brake and accelerator pedals in the Audi 5000 are off-center, to the left. In models of the 5000 built before 1983, it was even possible to step on the brake pedal and the accelerator at the same time, a problem Audi has since rectified. Audi maintains that brake and accelerator pedals in autos come in a wide range of placements, some farther to the left than Audi's. I maintain the pedals are sufficiently misplaced that inexperienced drivers might easily thrust a right foot forward and hit the accelerator when intending to hit the brake. Audi has investigated at least one incident in which a 5000 was driven a foot or so into a concrete wall in a parking garage, the rear tires spinning in anguish, the driver confused as to what was happening until she finally realized her right foot was on the accelerator. Sadly, one of the most troubling aspects of these incidents is that so many Audi 5000 drivers fail to avert disaster simply by shoving the transmission shifter into neutral or turning off the ignition. While it certainly is understandable that a panicked driver might actually press harder on the throttle of a runaway car, thinking he was stepping on the brake pedal, such a reaction also exposes the dismal training and minimal presence of mind the average American driver has when faced with an emergency. How about a segment on driver training, Mr. Bradley? ------------------------------ End of RISKS-FORUM Digest ************************ -------