RISKS-LIST: RISKS-FORUM Digest  Monday, 2 November 1987  Volume 5 : Issue 53

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Re: Risks in intelligent security algorithms (David Redell)
  Danger of typing the wrong password (Scot Wilcoxon)
  Inadvertent Launch (Kenneth R. Jongsma)
  MX Missile guidance computer problems (John Haller)
  Re: Autopilots (Jan Wolitzky)
  Aircraft accident (Peter Ladkin)
  Missiles; predicting disasters (David Chase)
  DISCOVER Uncovered? (Bruce N. Baker)
  TV Clipping Services (Tom Benson [and Charles Youman], Samuel B. Bassett)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome. 
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

Date: Mon, 2 Nov 87 11:10:03 PST
From: redell@src.dec.com (David Redell)
To: RISKS FORUM    (Peter G. Neumann -- Coordinator) <RISKS@KL.SRI.Com>
Subject: Re: Risks in intelligent security algorithms (RISKS 5.52)

Peter Denning reports (5.52) on an annoying rough edge on the San Francisco
Airport's parking lot computer system, which attempted to double charge him
when he re-entered the lot on the same day. I had a similar experience at the
San Jose airport, but in my case, I parked for two consecutive weekends, and 
when I left after the second one, the blasted system tried to charge me for
the week in between! This seems really unforgivable, since it had plenty of
time to both purge the old record and enter the new one. Fortunately, I just
happened to still have the first receipt in my car. Unfortunately, I was in a
hurry, and so did not display Peter's diligence in tracking down the official
"explanation".
                                     [Sounds like the SAME program!  If you 
                                     drive a BMW, Let the Bayer Beware.  PGN]

------------------------------

Subject: Danger of typing the wrong password
Date: 1 Nov 87 15:37:22 CST (Sun)
From: umn-cs!sewilco@datapg.MN.ORG (Scot Wilcoxon)
To: RISKS@csl.sri.com

Yet more from the Program Trader Nelson article (WSJ, Oct 13, pg 39):
	One time, a broker typed in the wrong password (on the Bankers Trust
	computer), which happened to be another broker's password.  "So they
	both had this same list of securities.  I get a call from a broker
	saying, `I'm trying to buy XYZ and it keeps getting bid up out there.`
	We couldn't figure it out.  Then it suddenly dawned on us that (two
	different brokers) were working the same list."
Both brokers were getting the same list of stocks to buy and sell, and were
bidding against each other.

Scot E. Wilcoxon	sewilco@DataPg.MN.ORG	{ems,meccts}!datapg!sewilco
Data Progress		Minneapolis, MN, USA	+1 612-825-2607

------------------------------

From: portal!cup.portal!Kenneth_R_Jongsma@Sun.COM
To: risks@csl.sri.com
Subject: Inadvertent Launch
Date: Mon Nov  2 17:06:28 1987

In regards to the post that talked about parking a vehicle on top of a
Minuteman III silo to prevent its launch: I was a Minuteman commander
for several years and had a similar experience. One evening while on
alert, I had a missile report "Launch In Process". This was unusual,
to say the least! It was also not preceded by the usual indications
of a launch. When I called the problem into the base, I received the
reply: "Well sir, keep an eye on it. It's either going to launch or
shut itself down. In either case, there's not a lot we can do about
it." This was not a true statement and probably was the type of
thinking that led to the vehicle being placed over the silo at
F.E. Warren. If that did indeed occur, it would be questionable
to its effect. The silo door is approximately 5 feet of hardened
concrete and is designed to open even when buried under a substantial
amount of dirt and rubble.

Inadvertent launch sounds serious, but hold on before you assume
the worst. A subsequent investigation revealed that there was a fire
in the communications rack that reported site status. At no time
were any of the interlocks that prevent accidental launch at risk.
In effect, the missile's status had never changed from the reported
"Strategic Alert".

I have worked with many systems, and I would say that none have the number
and well-thought-out sets of fail-safes for both Type I and II
accidental launches. One interesting fact is that no part of the
launch *procedure* for Minuteman or MX is classified. Only recently
have the operational manuals been restricted to official use and
probably could be obtained under the Freedom of Information Act.

The challenge, of course, is to design, build and test systems that
have an acceptable level of risk.

------------------------------

Date: Mon, 2 Nov 87 19:44:10 PST
From: ihnp4!ihlpl!jhh@ucbvax.Berkeley.EDU
To: ucbvax!KL.SRI.COM!RISKS
Subject: MX Missile guidance computer problems

I'm sure many people will have something to say about Sunday's 60 Minutes
report about untested parts being used in the MX Missiles currently
deployed.  I'll refrain from comparing this to SDI, and stick to the story.

There are three variables that make up a project: quality, budget, and
schedule.  It has been said that it is possible to meet any two of these
objectives, but only at the expense of the third.  It appears that, in the
eyes of lower management, the personal risk of not meeting the schedule was
greater than the risk of manufacturing products that had not been fully
tested.  After all, if the US ever had to use these parts, the individuals
are not likely to be around to face the repercussions of MX missiles landing
in Chicago rather than Moscow.

Although this particular program focused on untested, but certified falsely
as tested, hardware, similar problems exist in software development.
Software developers are loath to have someone else checking to be sure that
they have done all the work they said they have done.  The feeling is that
each individual is trustworthy, and checking work exhibits a lack of trust.
Unfortunately, human nature is such that someone testing an error leg of
code, probably at 2:30 in the morning, is likely to declare themselves done,
as they "know" they did a good job coding the software, and the last 20
error legs they tested had no problems.  Even worse is the case when their
manager is pushing hard to meet a particular schedule, and the project is
understaffed.  The 60 Minutes program showed how hard it is to use auditors
to discover problems when management does not want to know that a problem
exists.  The organizations telling the auditors what to do all had a vested
interest in the project being completed on time.

Any suggestions?   John Haller ihnp4!ihlpl!jhh

------------------------------

Date: Mon, 2 Nov 87 06:33:59 PST
From: research!wolit@ucbvax.Berkeley.EDU
To: RISKS@csl.sri.com
Subject: Re: Autopilots

Joe Morris is correct in stating that a pilot should be able to
overpower a failed autopilot.  Of course, fighting a bad autopilot is
not the safest way to fly, either.

While not exactly pertinent here -- most general aviation autopilots are
analog, not digital devices, and thus hardly qualify as "computers" by
most people's definition -- a few autopilot "war stories" may be of
interest.

My friend had flown his Grumman Cheetah (a light, single-engine plane)
to a nearby airport for its annual inspection, and the shop offered to
have an instructor fly it back to him afterwards.  Without shutting down,
the instructor slid across to the right seat, and my friend climbed into
the left to fly the instructor back.  (I know it sounds complicated,
but it's a lot easier than setting up a car shuttle.)  He immediately
noticed that the controls felt much stiffer than usual, and mentioned this
to the instructor.  The instructor replied that the shop had probably
tightened up the control cables, and that everything was normal.  My friend
took off and flew to the instructor's airport, disturbed that the usual
light, responsive control feel of the Grumman had been replaced by the
truck-like feel of, say, a Cessna (no flames from Cessna owners, please).
After landing, he went to the shop to complain about this.  The mechanic
came out to the plane, moved the control yoke, and said that it felt fine.
My friend tried it and, sure enough, it moved freely.  Turned out that
the instructor (who usually flew Cessnas) had flown to my friend's airport
with the autopilot engaged, and that my friend had not noticed this during
the run-up and return flight.  The single-axis (roll) autopilot had been
engaged in a navigation-aid tracking mode, but the nav radio had been off
for the short flight, so the autopilot had been busily trying to hold the
ailerons neutral, fortunately without overwhelming success.

The other point I want to raise concerns a particular type of
autopilot (or mode of operation) popular on many corporate jets and turboprops
and heavier piston twins.  This is known as a flight director, and it
involves having the autopilot compute the desired flight path for a
particular maneuver (a missed approach, e.g.), and display on the
artificial horizon -- the primary attitude reference instrument -- a
set of "command bars", which direct the pilot to maintain the appropriate
aircraft attitude.  In other words, the autopilot assumes the
"executive" function, and the pilot serves as a servo motor!  I never
understood why anyone would use such a device.  I read a report of an
accident several years ago in which a corporate plane -- I believe it
was an MU-2, in fact -- took off from National Airport in D.C. and
flew into the river for no other reason than that the flight director
went psychotic and commanded the pilot to do so.  It seems to me that
it's hard enough to remain skeptical of what your instruments are
telling you and maintain a cross-check on their reliability, without
reducing the pilot to the status of a robot, slavishly following
George's orders.

Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998; mhuxd!wolit
(Affiliation given for identification purposes only)

------------------------------

Date: Mon, 2 Nov 87 15:03:53 PDT
From: ladkin@kestrel.ARPA (Peter Ladkin)
To: risks@csl.sri.com
Subject: aircraft accident 

i found the following letter in the 8.1.87 copy of aviation safety.
apart from the deja vu, it raises questions about certification
procedures for light aircraft, does it not? i had understood that
aircraft had to be flown through all the appropriate flight regimes to
validate the data. maybe i am mistaken, and perhaps someone can clarify?

density-altitude is a term used for the `correction' of true altitude for
`non-standard' air temperature (based on the international standard
temperatures and lapse rates used for aircraft design). all pilots are
taught to compute it, and to be aware of it on takeoff from `hot-and-high'
fields. it's a measure of airplane performance, e.g. i have taken off from
grand canyon (6606ft MSL) on a hot day in june when the density altitude was
9300 feet and i expect the airplane to behave according to the handbook's
figures for 9300ft.

the letter is reprinted without permission.  i reproduce the letter in full
because of the apparent legal history.  the grumman aircraft are not
currently in production.

peter ladkin

  (From Donald H. Slavik of Milwaukee, Wisconsin)

  I enjoyed the article in your May 15, 1987 issue regarding the Grumman
  AA-1.  As an attorney, several years ago, I represented the estate of a
  man who was killed in an accident involving this aircraft.  He attempted
  to take off from a 3,000-foot long, 150-foot wide, one-degree uphill
  grass runway in northern Wisconsin.  The aircraft was loaded to maximum
  gross weight and the outside air temperature was about 70 degrees.  The
  aircraft failed to clear trees which were located 1,400 feet past the
  end of the runway.

  My investigation into the background of the aircraft revealed that
  original flight testing for takeoff and climb performance was 
  accomplished at sea level only.  This data was then used as input to
  a computer program to reduce it to data applicable to higher density
  altitudes.  A careful review of the computer program revealed that there
  was a sign error in one of the exponents for the critical equations.
  This caused serious errors in the resulting output data.  Secondly, the
  technical research paper which the computer program was based upon had
  a footnote which was ignored by the manufacturer of the aircraft.  The
  footnote pointed out that these equations were not applicable to
  aircraft with low thrust-to-weight ratios (such as this particular plane).

  We initiated our own set of flight tests under the direction of Michael 
  Antoniou, the consultant referred to in the Aviation Consumer article. 
  These tests, accomplished at the same density altitude as that which 
  existed on the day of the accident, correctly predicted the performance 
  of the aircraft and also matched the impact point in the trees.

  In conclusion, I sincerely believe that the takeoff and climb performance
  data in the pilot's operating handbook is incorrect.

  [End of Letter]
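
To make the density-altitude correction Peter describes, and the letter's "sign error in one of the exponents" failure mode, concrete: the following is an added example, not code from the digest or from the letter's author, that computes density altitude two ways from the ISA constants and checks them against the Grand Canyon figures above (6606 ft MSL, density altitude about 9300 ft). Standard pressure at the field and an outside air temperature of 24.6 C are assumptions chosen to reproduce that figure, and the sign-flipped exponent is an illustrative defect, not the manufacturer's actual equation.

```python
# Added example: density altitude from ISA constants, with the letter's failure
# mode (a sign error in an exponent) reproduced as a deliberate, labelled defect.
import math

T0_K = 288.15                      # ISA sea-level temperature, kelvin
LAPSE_C_PER_FT = 0.0019812         # ISA lapse rate, deg C per foot (6.5 K/km)
PRESSURE_EXP = 5.2559              # g / (L * R) for dry air
DENSITY_EXP = PRESSURE_EXP - 1.0   # sigma = theta ** DENSITY_EXP under ISA
T0_OVER_L_FT = T0_K / LAPSE_C_PER_FT   # about 145442 ft

def isa_temp_c(alt_ft):
    """ISA standard temperature at a pressure altitude, degrees Celsius."""
    return 15.0 - LAPSE_C_PER_FT * alt_ft

def density_altitude_rule_of_thumb(pressure_alt_ft, oat_c):
    """Pilot's approximation: about 120 ft per degree C above ISA."""
    return pressure_alt_ft + 118.8 * (oat_c - isa_temp_c(pressure_alt_ft))

def density_ratio(pressure_alt_ft, oat_c):
    """sigma = delta / theta from the ISA pressure model and the actual OAT."""
    delta = (1.0 - LAPSE_C_PER_FT * pressure_alt_ft / T0_K) ** PRESSURE_EXP
    theta = (oat_c + 273.15) / T0_K
    return delta / theta

def density_altitude_exact(pressure_alt_ft, oat_c, exponent=1.0 / DENSITY_EXP):
    """Altitude in the ISA at which the air has the same density ratio.
    The exponent is a parameter only so the check below can inject a defect."""
    sigma = density_ratio(pressure_alt_ft, oat_c)
    return T0_OVER_L_FT * (1.0 - sigma ** exponent)

def agrees_with_rule_of_thumb(pressure_alt_ft, oat_c,
                              exponent=1.0 / DENSITY_EXP, tol_ft=300.0):
    """The check a validating engineer would run at the operating point:
    the reduced figure must land near the approximation pilots use."""
    exact = density_altitude_exact(pressure_alt_ft, oat_c, exponent)
    approx = density_altitude_rule_of_thumb(pressure_alt_ft, oat_c)
    return abs(exact - approx) <= tol_ft

if __name__ == "__main__":
    # Grand Canyon figures from the post: 6606 ft MSL, DA about 9300 ft.
    # Standard pressure and an OAT of 24.6 C are assumptions that reproduce it.
    field_ft, oat_c = 6606.0, 24.6
    print("rule of thumb:", round(density_altitude_rule_of_thumb(field_ft, oat_c)))
    print("ISA exact    :", round(density_altitude_exact(field_ft, oat_c)))
    # Flip the sign of the exponent, as the letter describes; the check fails.
    bad = -1.0 / DENSITY_EXP
    print("sign error   :", round(density_altitude_exact(field_ft, oat_c, bad)))
    print("check passes :", agrees_with_rule_of_thumb(field_ft, oat_c),
          "/ with defect:", agrees_with_rule_of_thumb(field_ft, oat_c, bad))
```

The point of the last check is the one Peter raises: a reduction program is only trusted once its output is compared against the regime it claims to cover, here a hot-and-high field rather than sea level.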

------------------------------

Date: Mon, 2 Nov 87 10:13 PST
From: David Chase <acornrc!rbbb@ames.arpa>
To: risks@csl.sri.com
Subject: Missiles; predicting disasters

(on faulty missiles)

I find it interesting that the doors are controlled by the missile and not by
the person(s) giving the launch order.  I suppose that this removes one way of
thwarting a launch, but it seems unlikely that agents of the Evil Enemy Empire
would be able to get at the door controls if they were ground-based
(certainly, it is no more likely than them being able to park an APC on top of
the silo).  The trade-offs that our military makes between ensuring a desired
launch and preventing an accidental launch tend to give me the creeps.

(on predicting disasters, and the comment that it didn't really matter)

There is no question that disaster prediction is useless without some advance
preparation.  Since there is a cost to both prediction and preparation, as
soon as the expected cost of disaster X falls (well) below the costs of
prediction and preparation, one stops preparing and predicting.  Consider
hurricane preparation on the West Coast, earthquake preparation on the East
Coast, and snowstorm preparation in the South.  One region's minor disaster is
another region's calamity, and a day or two of warning won't help that much.
Preparation for all these events requires widespread, long-term preparation,
and an occasional "baby disaster" helps enormously to keep people aware and to
test their response.

I find the current administration's early depictions of SDI particularly
amusing in light of this.  Remember the "umbrella"?  Whatever happened to
civil defense?  I recall some interpretation of civil defense as "threatening"
-- does that mean that SDI is not?  On the other hand, civil defense may
whip up emotions in ways that the "umbrella" does not; it's harder to
generate public sentiment for peace and friendship when the public is also
preparing for an attack by the Evil Enemy Empire.  Sigh.  I wish I could
think that this was Reagan's Secret Plan for better relations with Russia.

David

------------------------------

Date: Mon 2 Nov 87 14:44:51-PST
From: BNBaker@KL.SRI.Com
Subject: DISCOVER Uncovered?

I just received a promotional letter designed to entice me to join Discover
Card Travel Services.  There is a sweepstakes involved in which I may already
be a winner.  I get so excited every time I read those words.  In other words,
I get excited at least once a day, but this one has a new twist.

The flyer states, "Enter now.  You could be an INSTANT WINNER!  Your dream
vacation stamp bears a unique UPC Symbol.  It will be electronically scanned
to reveal if you are an instant winner!"  It so happens that we have two 
Discover cards for some reason, and I happened to open both envelopes.  I
already mentioned how excited I get and so I was able to get excited twice.
Then I noticed that the UPC symbols were the same on both flyers.  As you
may recall from a couple of issues ago, I have an interest in semantics so
I called Discover Card to learn about this new meaning of the word "unique."
I was told that there is a secret code on the UPC Symbol that makes each one
unique.  The bar codes are identical so there would have to be some special
material in the ink of the winning ones.  If, however, the bar codes differed
on the winners, then the winners would be obvious to those printing them up.
Either way, my entries are not unique, as claimed.  The Discover Card
representative simply gave cute answers back to my questions.

They asked how big my sample size was, so part of the purpose of this is to ask
RISKS readers if they by chance received the same unique set of UPC symbols
that I did, namely Canada 12345 06240, Hawaii 12345 50030, West Germany 12345
02990, Walt Disney World 12345 75740, Colorado 12345 00580, Arizona 12345 10300.
If yours are different, please let me know also.

The things that annoy me about this are:
     The aura of electronically scanning the entries to determine who the
     winners are, when in fact that process may not take place.

     The attempt to dispense my concerns by stating that there is a secret code
     on each of the UPC symbols that can only be read by their special
     computer.

The technology is produced by UPC Games of Chicago (no phone listing).  At a
minimum, this appears to be misrepresentation, but I've been notified that I
may already be a winner so many times that this slight twist to the
misrepresentation game should not bother me I suppose.  Does anyone know how
this one supposedly works?

Bruce N. Baker <bnbaker@kl.sri.com>

------------------------------

Date:    Sun, 1 Nov 87 08:33 EST
From:    "Tom Benson 814-238-5277" <T3B@PSUVM>    [BITNET]
Subject: TV Clipping Services
To:      RISKS@KL.SRI.COM

In RISKS-5.51 Will Martin asks about TV clipping services.  The best
comprehensive source for network television news is the Vanderbilt
Television News Archive, at Vanderbilt University.  They collect all
national network news (since 1968, I believe), plus some special events.
Full print indexes of this service are available at good research
libraries or from Vanderbilt.  They will provide videotape of specified
stories at, I believe, about $100 per hour of tape.

There are also several commercial clipping services, which charge more
but which also collect such things as local tv news.  They operate in
several major cities, but I have little information about them; I could
find out more if it's of interest.

On the general point, Will is right: these services are a good way
to monitor what the public is hearing about various areas in which
scholars and scientists are interested.

Tom Benson, Penn State University           [Also noted by Charles Youman]

------------------------------

Date: Fri, 30 Oct 87 23:29:39 PST
From: amdcad!well!samlb@hplabs.HP.COM (Samuel B. Bassett)
To: risks%csl.sri.com%hplabs@hplabs.HP.COM
Subject: Video Clips

	For the person wondering about being able to get videotapes of TV
programs, I would suggest contacting Bacon's PR & Media Information Services
in Chicago.  They certainly do newspaper and magazine clips, and may also
do video clips -- if not, they will likely be willing and able to refer you
to somewhere that can.
	The address and telephone number I have are from 1984, but they do
have an '800' number, and you can get it by dialing 1-800-555-1212 and asking
the AT&T operator.
	Bacon's is a decidedly commercial operation, and is not cheap, but my
experiences with them in '81-'83 were decidedly positive.

------------------------------

End of RISKS-FORUM Digest
************************