RISKS-LIST: RISKS-FORUM Digest  Saturday, 13 February 1988  Volume 6 : Issue 26

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Trojan horsing around with bank statements (PGN)
  Star Wars Test (Reid Simmons)
  Last-clasp credit cards (Carolyn M. Kotlas)
  "Inmate gets into computer files"; computer porn (Prentiss Riddle)
  Safe Programming Languages (Martyn Thomas)
  Viruses and Virtual Memory (Dave Tweed)
  Software-based Mugging -- RISKS of Dragon Quest (John Elemans via Kevin Kelly)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j.
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Sat 13 Feb 88 18:04:02-PST
From: Peter G. Neumann
Subject: Trojan horsing around with bank statements

My Wells Fargo EquityLine statement of 2 Feb 88 had the following message at
the bottom:

   YOU OWE YOUR SOUL TO THE COMPANY STORE. WHY NOT OWE YOUR HOME TO WELLS
   FARGO? AN EQUITY ADVANTAGE ACCOUNT CAN HELP YOU SPEND WHAT WOULD HAVE BEEN
   YOUR CHILDREN'S INHERITANCE.

It took until 11 Feb for Wells Fargo to send out the following letter:

   I wish to extend my personal apology for a message printed on your
   EquityLine statement dated February 2, 1988.

   This message was not a legitimate one. It was developed as part of a test
   program by a staff member, whose sense of humor was somewhat misplaced, and
   it was inadvertently inserted in that day's statement mailing. The message
   in no way conveys the opinion of Wells Fargo Bank or its employees.
   You may be assured that the financial information on the statement was
   correct, and the confidentiality of your individual account information has
   been maintained. [...]

   [James G. Jones, Executive Vice President, South Bay Service Center]

------------------------------

Date: Sat, 13 Feb 1988 18:08 EST
From: REID%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU
Subject: Star Wars Test

Item in The Boston Globe, 2/13/88 (from the Associated Press)

   Tracking test fails in 'star wars' satellite flight

A satellite launched last week to test elements of the proposed "star wars"
antimissile shield failed in a tracking exercise when an optical sensor gave
false data to two onboard computers...

Col. John Otten of the Air Force... said an optical sensor on a satellite gave
flawed data when it tried to track target objects that were beyond its range.
Otten said the sensor data went into the computers, causing them to respond
inappropriately. He said the flaw was detected within an hour and that the
computers were told to ignore the data. This corrected the problem.
[! more likely, it just masked the symptoms]

Some of the test data on the system disappeared because of the problem, but
Otten said the loss was minor because the tracking exercise was a secondary
objective. "In the fundamental mission, we succeeded," he said.

The satellite, Delta 181,... spent 12 hours conducting a series of tests to
gather data needed to refine the "star wars" antimissile system. Last week, the
program manager...called the flight "a very successful mission."

However, Aviation Week and Space Technology, in a story prepared for Monday
[2/15/88] publication, said the satellite was unable to complete "battle
management fire control computations." The magazine said the computers were
responsible for the problem, but Otten said the flaw actually was caused by the
optical sensor attempting to lock onto an object beyond its range.
Otten said the problem developed when the optical sensor located an object,
looked away, and then tried to relocate the original object. By then, the
target had moved beyond the range of the sensor.

[There is no indication in the article what the "primary mission" was, or how
"success" was determined, considering the number of things that apparently went
wrong.]

Reid Simmons, MIT AI Lab

------------------------------

Date: Fri, 12 Feb 88 08:13:45 est
From: ecsvax!kotlas@mcnc.org (Carolyn M. Kotlas)
Subject: Last-clasp credit cards (Re: RISKS-6.25)
News-Path: mcnc!gatech!udel!rochester!bbn!uwmcsd1!ig!agate!ucbvax!KL.SRI.COM!RISKS

"Colloidal goo considered harmful" (Jon Jacky)
[PGN's annotation notes that credit-card magnetic stripes may be affected by
magnetized clasps, which are increasingly being found on]
snap-closure purses and wallets.

I personally had 2 credit cards' codes scrambled for apparently no reason.
Quite accidentally, I noticed that the magnetic snap on my handbag was powerful
enough to attract and lift a heavy pair of scissors. If it was that strong, it
probably had no problem affecting the credit card inside which was in a thin
nylon case. After I switched to handbags without these snaps, I never had a
problem again. The handbag manufacturers seem to think that these snaps are so
convenient that they are putting them on more and more bags, so it is almost
impossible to find non-magnetized snaps on handbags. I would be curious to know
how many of the handbags cited in the article, besides being made of eelskin,
also had snap closures.

Carolyn Kotlas (kotlas@ecsvax.UUCP or kotlas@ecsvax.BITNET)
UNC-Educational Computing Service
P. O. Box 12035, 2 Davis Drive
Research Triangle Park, NC 27709
State Courier #315
919/549-0671

   [She who clasps last clasps best. If it changes the credit-card hologram,
   you are an iconoclasp.
   PGN]

------------------------------

From: woton!riddle@im4u.utexas.edu (Prentiss Riddle)
Subject: "Inmate gets into computer files"; computer porn
Date: 11 Feb 88 21:04:02 GMT
Organization: Shriners Burns Institute, Galveston

   "PARCHMAN, Miss. (AP) -- An inmate serving a 30-year term has been accused
   of tampering with computer records at the State Penitentiary, allowing him
   to sell about 100,000 pounds of prison cotton and possibly try to obtain an
   early release.

   Corrections Commissioner Gene Scroggy said Monday the inmate had worked as a
   clerk at the penitentiary's prison industries program and was given his own
   computer and access to the institution's entire computer system."

Also recently seen in my local paper was a wire service report on computer
pornography, which lumped together dirty joke files, girly graphics, sexually
oriented computer games and BBS systems catering to pedophiles. The tone of the
article was pitched at scaring parents about what their kids might be getting
into with their PCs. (I wish I'd clipped a copy, but I thought sure some RISKS
reader would beat me to it.)

Prentiss Riddle
riddle@woton.UUCP {ihnp4,harvard}!ut-sally!im4u!woton!riddle
Opinions expressed are not necessarily those of my employer.

------------------------------

From: Martyn Thomas
Date: Wed, 10 Feb 88 17:37:27 BST
Subject: Safe Programming Languages

There is a (draft) definition of a language that is designed to make it harder
to write incorrect programs. The language (defined in terms of its abstract
syntax tree, to facilitate program transformation in the language), is called
NewSpeak, and is the work of Ian Currie, at the Royal Signals and Radar
Establishment, MoD, UK.

It is an "unexceptional language" - programs cannot loop infinitely, run out of
store at runtime, or cause address errors or numeric overflow. Where the
compiler cannot deduce the safety of an operation, the programmer is required
to supply a checkable assertion.
The language is designed for safety-critical applications, and the ideal
hardware target is VIPER (RSRE's formally-proven 32-bit microprocessor).

A design rationale is in "Orwellian programming in safety-critical systems",
Proc IFIP working conference on System Implementation Languages, experience and
assessment. University of Kent at Canterbury, 1984.

Further details may be available from Ian Currie at RSRE, St Andrews Rd,
Gt Malvern, Worcs WR14 3PS, UK.

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel: +44-225-444700. Email: ...!uunet!mcvax!ukc!praxis!mct

------------------------------

From: apollo!tweed@csl.sri.com
Date: Thu, 11 Feb 88 09:09:38 EST
Subject: Viruses and Virtual Memory

All of this discussion (panic?) about viruses in the PC world makes me wonder
all the more why users aren't more interested in virtual memory systems with
hardware protection. In a properly designed system (hardware + O/S) it's
impossible for a user-level application to corrupt system code (subvert
interrupt vectors, etc.)

It's generally accepted that you need physical access to such a system in order
to corrupt it. Software distribution by networks or removable media can't do
it. You would have to replace system files *and then reboot* (physical access).

This, along with the other benefits of virtual memory (larger address space,
easier multitasking, easier porting of software from "real" systems), would
seem to me to push towards having it. The hardware is there for both Intel and
Motorola processors. Yet, OS/2 doesn't have it. Some UNIX look-alikes don't
even have it. Why not?

Dave Tweed, Apollo Computer, Inc.

------------------------------

From: well!kk@lll-crg.llnl.gov (Kevin Kelly)
Subject: Software-based Mugging -- RISKS of Dragon Quest (lightly edited)
Date: 13 Feb 88 03:58:17 GMT
Organization: Whole Earth 'Lectronic Link, Sausalito, CA

[From the Information Conference on the WELL that Kevin cohosts with Howard
Rheingold. John posts from Tokyo.
This is the first software mugging I've heard of, so thought you might be
interested.]

Topic 40: The public image of software
From: John Elemans (sungja)  Wed, Feb 10, '88 [several messages]

NHK, Japan's national broadcasting company, today reported that at one store
alone 10,000 people lined up today to buy a newly released *program*. People
began lining up yesterday, Feb 9, to pick up the first copies of "Dragon Quest
III", the latest installment in a serial adventure program for Nintendo
computers.

The newscast also reported that educational authorities were shocked to find
many students skipping classes in order to get the program as soon as possible.
Police warned 300 students against skipping classes.

Estimated first day sales for Dragon Quest III are 1,000,000 ROM cartridges.
The first day price was 4,130 Yen, at 129 Yen/US$ that is a first day retail
sale of 32,000,000 US$! One commentator called it "softo-fever". [...]

The Japan Times (Wednesday, Feb 10, 1988) reported that 289 students were not
warned by police against skipping classes, but actually "taken into custody".

Also, at least one software-mugging was reported. A 14-year old told police he
was knocked off of his bike by three older boys who took his "Dragon Quest III"
and rode off on their bikes!

------------------------------

End of RISKS-FORUM Digest
************************