21-Dec-86 21:51:48-PST,19554;000000000000
Mail-From: NEUMANN created at 21-Dec-86 21:50:31
Date: Sun 21 Dec 86 21:50:31-PST
From: RISKS FORUM (Peter G. Neumann -- Coordinator) <
[email protected]>
Subject: RISKS DIGEST 4.33
Sender:
[email protected]
To:
[email protected]
RISKS-LIST: RISKS-FORUM Digest, Sunday, 21 December 1986 Volume 4 : Issue 33
FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Help British Telecom save a WORM. (Scot E. Wilcoxon)
Security of magnetic-stripe cards (Brian Reid)
Korean Air Lines Flight 007 (Dick King)
Car-stress syndrome (Dick King)
Bugs called cockroaches [A True Fable For Our Times] (anonymous)
Re: More on car computers (not Audi) (Miriam Nadel)
Runaway Audi 5000 (John O. Rutemiller)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to
[email protected], Requests to
[email protected])
(Back issues Vol i Issue j available in CSL.SRI.COM:<RISKS>RISKS-i.j. MAXj:
Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)
----------------------------------------------------------------------
From:
[email protected]
To:
[email protected]
From:
[email protected] (Scot E. Wilcoxon)
Subject: Help British Telecom save a WORM.
Summary: Possible solution: test write before accepting card. WORM problem.
Date: 21 Dec 86 04:01:49 GMT
Organization: Minn Ed Comp Corp, St. Paul
>Unfortunately, a relatively simple doctoring of the card has been discovered
>that threatens the whole scheme, and makes a card indefinitely reusable [at
>least until the system is either modified or withdrawn].
A read-after-write test before using the resource (telephone time in this case)
might be the generic solution. This won't work if the BT reader can't be
positioned to read what has just been written. Hopefully there aren't many
other major installations with the same flaw (BART & other transport?).
Computer programmers should know of this flaw due to one eagerly-awaited
peripheral which is finally becoming available. Writeable optical data disks
(ie, WORM drives) promise storage of huge amounts of data. People who want to
sell large numbers of programs or data will now be able to put hundreds of
programs on one optical disk. One "demonstration disk" method being used by
some companies is to allow a program to be used a few times or for a few days.
This method may be vulnerable to a write-blocking technique similar to the
British Telecom card doctoring, although different physical tools may be
needed. The designer of an optical disk collection should be aware of this
technique so he can thwart it.
Scot E. Wilcoxon Minn Ed Comp Corp {quest,dayton,meccts}!mecc!sewilco
(612)481-3507
[email protected] ihnp4!meccts!mecc!sewilco
------------------------------
From:
[email protected] (Brian Reid)
Date: 20 Dec 1986 0109-PST (Saturday)
To:
[email protected]
Subject: security of magnetic-stripe cards [This relates to earlier risks.]
There are three ways that I know of to fraudulently modify magnetic-strip
credit cards. The technology to make mag-stripe credit cards secure against
two of them has existed for almost 15 years. Most credit-card companies do
not use it because it is more expensive than the losses that they are
currently sustaining from fraud. However, the main reasons for its expense
are that it requires new card-reader electronics, and in the fullness of
time one could imagine moving to it.
The three attacks are:
1) Copying the strip from one card to another
2) Modifying the contents of a card with read/modify/write (or
rewriting it completely, if you choose)
3) Making a checkpoint of a card, using it, and then restoring the
card to its former state.
This technology can protect against attacks (1) and (2), but not (3). I
first heard about it from a security person at the National Bank of
Washington in 1973.
Here's how it works. When a credit card is molded, it is molded out of
plastic that has had nickel particles stirred in with it. The magnetic
strip is affixed, and the card is run through a machine that senses the
location of the nickel particles on the card and computes a
cryptographic checksum of their positions. The checksum function is
secret. That checksum is used as the decryption key of a 2-way
encryption function, and the remaining information on the magnetic
strip is encrypted in such a way that the nickel-particle checksum of
the plastic card is used as the decrypting key for the data on the
magnetic strip.
This protects against attack 1, copying, because the contents of the
mag strip on one card will not work on a card with a different nickel
checksum. This protects against attack 2, forging, because even if the
forger can determine the position of the nickel particles he does not
know how to compute the checksum from their position. It is easy to
design a system for which attack 3 will not be useful.
I believe that the expense of this system is the expense of the
particle-sensing readers, which are more delicate than mag-strip
readers. I am confident that if electronic fraud with credit cards
starts to cost more than the particle readers, that banks will switch.
Brian Reid
DEC Western Research
------------------------------
Date: Thu, 18 Dec 86 13:48:36 pst
From:
[email protected] (Dick King)
Subject: Korean Air Lines Flight 007 (RISKS-4.31)
To:
[email protected]
I'm very unimpressed with the straightness of the logic in Shootdown.
There seem to be as many contradictions within that volume as there
are in the record of the shootdown itself.
As one example, on page 24 [hardcover, American edition] he states that "The
full significance of this becomes apparent if one realises that Soviet
ground control was undoubtedly monitoring 007's conversation with Tokyo,
presumably with a slight lag as a translation was obtained. ...". The
transcripted conversation, to which the Soviets were "undoubtedly"
listening, clearly identified the airliner as 007. The thrust of P. 24-27
is that the plane gave out deceptive information that fooled the Soviet air
defence. On page 187, however, he quotes the Times as quoting US
intelligence analysts as saying "the initial identification of the the
jetliner as a military reconnaissance aircraft became fixed in the mind of
Soviet air defence officials and was strengthened after Soviet interceptors
were unable to locate the plane for two hours".
Mr. Johnson did not explain why the Soviets were, according to him,
listening closely enough to this routine airliner traffic to be fooled, and
why, if they thought the intruder was not 007, they attributed 007's
broadcasts to this intruder. Remember, they were supposed to be hearing
007; they are just supposed to have thought that this plane wasn't it.
-dick
------------------------------
Date: Thu, 18 Dec 86 12:19:22 pst
From:
[email protected] (Dick King)
Subject: Car-stress syndrome (RISKS-4.31)
To:
[email protected]
This brings up an interesting RISK imposed by high technology in general --
namely that certain people will take advantage of the public's natural fear
of the unknown. They can either offer new and different forms of snake oil
or, as this ad seems to do, or they can prey on the public ignorance as to
how things work and what is known or not known about safety and levels of
exposure, to attract a following for whatever reason.
What has this to do with computers? Two groups I know of are arguably using
this tactic in a computer-related manner. One group, 9-5 I believe,
attempts to bolster a political base by causing CRT's to be regarded as
*unsafe*. The second group offers to clear credit problems, doing nothing
you couldn't do for yourself [per CR], but implying in at least some of
their ads that they have an "in" with the computer network.
-dick
* I will apologize to the first person who can show me that most of the
group's supporters refuse to allow a TV into their homes, or at least that
the group advocates such refusal. I have never even seen any such
literature claim that monochrome TV's are safer. This would be obviously
counter-productive because most of the intended audience uses monochrome
monitors, but voltages are lower, images are crisper, flyback noise tends to
be less; this covers most of the claimed problems with CRT's.
------------------------------
From: anonymous@erehwon
Subject: Bugs called cockroaches [A True Fable For Our Times]
[THE FOLLOWING WAS CONTRIBUTED FOR ANONYMOUS INCLUSION ON THE GROUNDS OF SEVERE
AUTHOR EMBARRASSMENT AT EVER ADMITTING TO WRITING SUCH AWFUL DRIVEL (EVEN
THOUGH THE INCIDENT DESCRIBED IS ABSOLUTELY TRUE) OR TO INCLUDING SOME HORRIBLE
PUNS (MOST OF WHICH HAVE BEEN REMOVED BY THE SOMETIMES IMMODERATE MODERATOR).]
> Heisenbugs is already a fairly common term -- it refers to bugs
> which go away as soon as you try to run them under a debugger
> (or with the debugging compile- or run-time flags set).
I once had an amusing problem where the most likely cause was that I was
exceeding array bounds. Naturally I turned on the bounds checking flag,
and got fatal output errors. So I next put in manual traces, and I still
got fatal output errors. Highly annoying, no? A little investigation
revealed that the newly compiled-in format strings were getting trashed.
I'm talking about a genuine cockroach.
What to do, what to do? I declared a dummy array of dimension 100k--what
the heck, it was on a Cray--so from then on the array overflow was safely
trashing the dummy; I got my trace and I killed the nasty little bugger.
So, what is the moral of this story? Obviously,
"Rough strings do flake the darling bugs of Cray."
[Ah, yes, the iambic pentameter is always a giveaway.
For those of you in search of the original, the first
line is exceedingly well known:
Shall I compare thee to a summer's day?
Thou art more lovely and more temperate:
Rough winds do shake the darling buds of May,
And summer's lease hath all too short a date:
...
I hope that any future shaggy bug stories will be more lovely,
more temperate, and less anonymous. PGN (LE KOOK or HOTSHOT?)]
------------------------------
Date: Thu, 18 Dec 86 12:09:35 PST
From: dma%
[email protected] (Controls Wizard)
To: ucbvax!CSL.SRI.COM!RISKS
Subject: Re: More on car computers (not Audi)
According to the latest issue of Consumer Reports there is a recall of 1982
Toyotas because a problem with the cruise-control computers can result in
uncontrollable acceleration. Yet another reason for Audi to rethink their
position.
Miriam Nadel [Specify by name in any direct reply]
------------------------------
Date: Sat, 20 Dec 86 11:03 EST
From: "John O. Rutemiller" <
[email protected]>
Subject: Runaway Audi 5000
To:
[email protected]
The Washington Post Magazine for December 21, 1986 had an article in which
the author supports Audi's position of driver error. I believe his view
helps show the current trend of people like "60 Minutes" to blame a computer
or machine without looking at operator error. I'm glad someone is willing
to accept possible operator error. The full text follows.
Audi's Runaway Trouble With the 5000, by Brock Yates
I recently watched in fascination as Ed Bradley reported on the CBS-TV
show "60 Minutes" that the 1978-'86 Audi 5000 sedans can treacherously
launch themselves like misfired missiles when their automatic
transmission levers are placed in drive or reverse. This phenomenon
labeled "unintended acceleration," has allegedly been responsible for
several deaths, including a particularly poignant one - tearily
documented on the show - in which a pretty young mother crushed her
young son against the back wall of a garage. The segment included
testimony from several victims. They decried Audi's suggestion that the
trouble lay not in a mechanical flaw but in driver error.
Audi says the drivers accidentally hit the accelerator, not the brakes,
after engaging the transmission. Although Bradley acknowledged Audi's
explanation and interviewed two of its engineers, he clearly sided with
the owners.
"60 Minutes" portrayed the Audi 5000 as a flawed automobile, perhaps
cursed by its "idle stabilizer control," a fuel system component that
supposedly triggers "transient malfunctions" without warning.
But wait a minute, did Bradly tell us everything? There is no arguing
the Audi is in serious trouble with the 5000: Sales are down 20 percent
and the Center for Auto Safety has taken the position that the
Department of Transportation should require Audi to buy back all its
5000s. Further, an Audi spokesman agrees that "hundreds" of
acceleration incidents have occured in the 5000s. The Center for Auto
Saftey has received 500 reports and believes more than 750 reports have
been made altogether. Audi has ceased to stonewall the issue. "We take
the responsibility to resolve the problem," says Audi public relations
director Ed Triolo.
Furthermore, the phenomenon of "unintended acceleration" is not new.
The problem has occurred in a variety of autos with automatic
transmissions. More than 2,000 complaints have been made about General
Motors models built between 1973 and 1986. Owners of Toyotas, Renaults,
Mercedes-Benzes and Nissans have also reported unintended acceleration
incidents. However, the Audi 5000 has the highest percentage of
acceleration incidents: about 1 in 400 cars built.
Triolo says that in the 270 accidents that have been examined by Audi
engineers, only six idle-speed stabilizers were found defective and not
in a way that would cause rapid, unexpected acceleration. More
important, the Audi 5000 - with its 2.2-liter, five cylinder engine
developing only 110 hp - simply does not have enough power to override
its brakes. (Drivers involved in the incidents swear they are standing
on the brakes. Audi has found no instances of brake failure in autos it
has examined.)
Who's right? Will an Audi 5000 outmuscle its own brakes? I borrowed a
1984 Audi 5000, floored the accelerator with my right foot and stepped
on the brake hard with my left foot. Then I moved the transmission from
park to drive. AND THE ENGINE STALLED! It lacked sufficient power to
override the brakes. According to my brief test, for unintended
acceleration to occur, two independent systems - fuel supply and brakes
- must fail simultaneously and somehow return to normal.
Audi says it went even further. In demonstrations for both CBS and NBC,
it made full-throttle acceleration runs to speeds between 30 and 50 mph
and then, with the throttle on the floor, stopped the car with the brakes.
All of which raises some interesting questions "60 Minutes" failed to
ask about the Audi 5000 incidents:
Why, after millions of starts over an eight-year period, haven't there
been any runaway 5000s reported at Audi's 410 dealerships?
Why do there seem to be more of these incidents among drivers who have
relatively little experience driving the Audi 5000? (There are an
inordinate number of such incidents within the first 2,000 miles of the
life of a given car.)
Why are there no reported accidents with the Audi 4000 Quattro, which
has an identical idle stabilizer mechanism?
Why do independent experts, who have speculated that the trouble is
centered on throttle linkage, the computer brain in the engine, the
automatic transmission or the idle stabilizer, still openly admit there
is no obvious culprit?
Why, in a number of accident investigations, did Audi engineers find the
accelerator pedal bent, even snapped off, presumably by foot pressure?
While continuing to research the incidents, Audi has so far installed
32,000 interlock devices that prevent the transmission from being
engaged without the driver's foot on the brake. Audi has asked all
owners of the 5000 model to bring their cars in for free installation of
the interlock. Audi is adamant that the device is a solution, although
Triolo says the company does not expect it to eliminate the problem.
Drivers of three cars equipped with the interlocks have reported runaway
crashes. In the first case, an Audi spokesman says, the driver's
description of the event changed over time, and Audi representatives
decided it was not a case of brake failure or runaway acceleration. In
the second case, Audi says a bushing was installed upside down,
preventing the interlock from working. In the third case, Audi says it
has not been allowed by the owner's attorneys to inspect the vehicle.
Audi contends that the problem of unintended acceleration is a complex
one involving a number of factors, including the design of the car
itself, the driver, and external distractions. Triolo says the problem
of unintended acceleration is inherent in automatic transmission cars
throughout the auto industry, not just in Audis.
There is one potential explanation for the runaway Audis that strikes me as
obvious: The brake and accelerator pedals in the Audi 5000 are off-center,
to the left. In models of the 5000 built before 1983, it was even possible
to step on the brake pedal and the accelerator at the same time, a problem
Audi has since rectified. Audi maintains that brake and accelerator pedals
in autos come in a wide range of placements, some farther to the left than
Audi's.
I maintain the pedals are sufficiently misplaced that inexperienced
drivers might easily thrust a right foot forward and hit the accelerator
when intending to hit the brake. Audi has investigated at least one
incident in which a 5000 was driven a foot or so into a concrete wall in
a parking garage, the rear tires spinning in anguish, the driver
confused as to what was happening until she finally realized her right
foot was on the accelerator.
Sadly, one of the most troubling aspects of these incidents is that so
many Audi 5000 drivers fail to avert disaster simply by shoving the
transmission shifter into neutral or turning off the ignition. While it
certainly is understandable that a panicked driver might actually press
harder on the throttle of a runaway car, thinking he was stepping on the
brake pedal, such a reaction also exposes the dismal training and
minimal presence of mind the average American driver has when faced with
an emergency.
How about a segment on driver training, Mr. Bradley?
------------------------------
End of RISKS-FORUM Digest
************************
-------
