RISKS-LIST: RISKS-FORUM Digest  Monday, 2 November 1987  Volume 5 : Issue 53

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Re: Risks in intelligent security algorithms (David Redell)
  Danger of typing the wrong password (Scot Wilcoxon)
  Inadvertent Launch (Kenneth R. Jongsma)
  MX Missile guidance computer problems (John Haller)
  Re: Autopilots (Jan Wolitzky)
  Aircraft accident (Peter Ladkin)
  Missiles; predicting disasters (David Chase)
  DISCOVER Uncovered? (Bruce N. Baker)
  TV Clipping Services (Tom Benson [and Charles Youman], Samuel B. Bassett)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

Date: Mon, 2 Nov 87 11:10:03 PST
From: redell@src.dec.com (David Redell)
To: RISKS FORUM (Peter G. Neumann -- Coordinator) <RISKS@KL.SRI.Com>
Subject: Re: Risks in intelligent security algorithms (RISKS 5.52)

Peter Denning reports (5.52) on an annoying rough edge on the San Francisco
Airport's parking lot computer system, which attempted to double charge him
when he re-entered the lot on the same day.  I had a similar experience at
the San Jose airport, but in my case, I parked for two consecutive weekends,
and when I left after the second one, the blasted system tried to charge me
for the week in between!  This seems really unforgivable, since it had plenty
of time to both purge the old record and enter the new one.  Fortunately, I
just happened to still have the first receipt in my car.
Unfortunately, I was in a hurry, and so did not display Peter's diligence in
tracking down the official "explanation".

   [Sounds like the SAME program!  If you drive a BMW, Let the Bayer Beware.  PGN]

------------------------------

Subject: Danger of typing the wrong password
Date: 1 Nov 87 15:37:22 CST (Sun)
From: umn-cs!sewilco@datapg.MN.ORG (Scot Wilcoxon)
To: RISKS@csl.sri.com

Yet more from the Program Trader Nelson article (WSJ, Oct 13, pg 39):

One time, a broker typed in the wrong password (on the Bankers Trust
computer), which happened to be another broker's password.  "So they both
had this same list of securities.  I get a call from a broker saying, `I'm
trying to buy XYZ and it keeps getting bid up out there.'  We couldn't figure
it out.  Then it suddenly dawned on us that (two different brokers) were
working the same list."

Both brokers were getting the same list of stocks to buy and sell, and were
bidding against each other.

Scot E. Wilcoxon  sewilco@DataPg.MN.ORG  {ems,meccts}!datapg!sewilco
Data Progress  Minneapolis, MN, USA  +1 612-825-2607

------------------------------

From: portal!cup.portal!Kenneth_R_Jongsma@Sun.COM
To: risks@csl.sri.com
Subject: Inadvertent Launch
Date: Mon Nov 2 17:06:28 1987

In regards to the post that talked about parking a vehicle on top of a
Minuteman III silo to prevent its launch: I was a Minuteman commander for
several years and had a similar experience.

One evening while on alert, I had a missile report "Launch In Process".
This was unusual, to say the least!  It was also not preceded by the usual
indications of a launch.  When I called the problem in to the base, I
received the reply: "Well sir, keep an eye on it.  It's either going to
launch or shut itself down.  In either case, there's not a lot we can do
about it."

This was not a true statement and probably was the type of Shortly thinking
that led to the vehicle being placed over the silo at F.E. Warren.  If that
did indeed occur, its effect would be questionable.
The silo door is approximately 5 feet of hardened concrete and is designed to
open even when buried under a substantial amount of dirt and rubble.

Inadvertent launch sounds serious, but hold on before you assume the worst.
A subsequent investigation revealed that there was a fire in the
communications rack that reported site status.  At no time were any of the
interlocks that prevent accidental launch at risk.  In effect, the missile's
status had never changed from the reported "Strategic Alert".

I have worked with many systems; I would say that none have the number and
well-thought-out sets of fail-safes for both Type I and Type II accidental
launches.  One interesting fact is that no part of the launch *procedure*
for Minuteman or MX is classified.  Only recently have the operational
manuals been restricted to official use, and they probably could be obtained
under the Freedom of Information Act.

The challenge, of course, is to design, build and test systems that have an
acceptable level of risk.

------------------------------

Date: Mon, 2 Nov 87 19:44:10 PST
From: ihnp4!ihlpl!jhh@ucbvax.Berkeley.EDU
To: ucbvax!KL.SRI.COM!RISKS
Subject: MX Missile guidance computer problems

I'm sure many people will have something to say about Sunday's 60 Minutes
report about untested parts being used in the MX Missiles currently
deployed.  I'll refrain from comparing this to SDI, and stick to the story.

There are three variables that make up a project: quality, budget, and
schedule.  It has been said that it is possible to meet any two of these
objectives, but only at the expense of the third.  It appears that, in the
eyes of lower management, the personal risk of not meeting the schedule was
greater than the risk of manufacturing products that had not been fully
tested.  After all, if the US ever had to use these parts, the individuals
are not likely to be around to face the repercussions of MX missiles landing
in Chicago rather than Moscow.
Although this particular program focused on untested, but falsely certified
as tested, hardware, similar problems exist in software development.
Software developers are loath to have someone else checking to be sure that
they have done all the work they said they have done.  The feeling is that
each individual is trustworthy, and checking work exhibits a lack of trust.
Unfortunately, human nature is such that someone testing an error leg of
code, probably at 2:30 in the morning, is likely to declare themselves done,
as they "know" they did a good job coding the software, and the last 20
error legs they tested had no problems.  Even worse is the case when their
manager is pushing hard to meet a particular schedule, and the project is
understaffed.

The 60 Minutes program showed how hard it is to use auditors to discover
problems when management does not want to know that a problem exists.  The
organizations telling the auditors what to do all had a vested interest in
the project being completed on time.

Any suggestions?

John Haller  ihnp4!ihlpl!jhh

------------------------------

Date: Mon, 2 Nov 87 06:33:59 PST
From: research!wolit@ucbvax.Berkeley.EDU
To: RISKS@csl.sri.com
Subject: Re: Autopilots

Joe Morris is correct in stating that a pilot should be able to overpower a
failed autopilot.  Of course, fighting a bad autopilot is not the safest way
to fly, either.

While not exactly pertinent here -- most general aviation autopilots are
analog, not digital, devices, and thus hardly qualify as "computers" by most
people's definition -- a few autopilot "war stories" may be of interest.

My friend had flown his Grumman Cheetah (a light, single-engine plane) to a
nearby airport for its annual inspection, and the shop offered to have an
instructor fly it back to him afterwards.  Without shutting down, the
instructor slid across to the right seat, and my friend climbed into the
left to fly the instructor back.
(I know it sounds complicated, but it's a lot easier than setting up a car
shuttle.)  He immediately noticed that the controls felt much stiffer than
usual, and mentioned this to the instructor.  The instructor replied that the
shop had probably tightened up the control cables, and that everything was
normal.  My friend took off and flew to the instructor's airport, disturbed
that the usual light, responsive control feel of the Grumman had been
replaced by the truck-like feel of, say, a Cessna (no flames from Cessna
owners, please).  After landing, he went to the shop to complain about this.
The mechanic came out to the plane, moved the control yoke, and said that it
felt fine.  My friend tried it and, sure enough, it moved freely.

Turned out that the instructor (who usually flew Cessnas) had flown to my
friend's airport with the autopilot engaged, and that my friend had not
noticed this during the run-up and return flight.  The single-axis (roll)
autopilot had been engaged in a navigation-aid tracking mode, but the nav
radio had been off for the short flight, so the autopilot had been busily
trying to hold the ailerons neutral, fortunately without overwhelming
success.

The other point I want to raise concerns a particular type of autopilot (or
mode of operation) popular on many corporate jets and turboprops and heavier
piston twins.  This is known as a flight director, and it involves having the
autopilot compute the desired flight path for a particular maneuver (a
missed approach, e.g.), and display on the artificial horizon -- the primary
attitude reference instrument -- a set of "command bars", which direct the
pilot to maintain the appropriate aircraft attitude.  In other words, the
autopilot assumes the "executive" function, and the pilot serves as a servo
motor!  I never understood why anyone would use such a device.
I read a report of an accident several years ago in which a corporate plane
-- I believe it was an MU-2, in fact -- took off from National Airport in
D.C. and flew into the river for no other reason than that the flight
director went psychotic and commanded the pilot to do so.

It seems to me that it's hard enough to remain skeptical of what your
instruments are telling you and maintain a cross-check on their reliability,
without reducing the pilot to the status of a robot, slavishly following
George's orders.

Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998; mhuxd!wolit
(Affiliation given for identification purposes only)

------------------------------

Date: Mon, 2 Nov 87 15:03:53 PDT
From: ladkin@kestrel.ARPA (Peter Ladkin)
To: risks@csl.sri.com
Subject: aircraft accident

i found the following letter in the 8.1.87 copy of aviation safety.  apart
from the deja vu, it raises questions about certification procedures for
light aircraft, does it not?  i had understood that aircraft had to be flown
through all the appropriate flight regimes to validate the data.  maybe i am
mistaken, and perhaps someone can clarify?

density-altitude is a term used for the `correction' of true altitude for
`non-standard' air temperature (based on the international standard
temperatures and lapse rates used for aircraft design).  all pilots are
taught to compute it, and to be aware of it on takeoff from `hot-and-high'
fields.  it's a measure of airplane performance, e.g. i have taken off from
grand canyon (6606ft MSL) on a hot day in june when the density altitude was
9300 feet and i expect the airplane to behave according to the handbook's
figures for 9300ft.

the letter is reprinted without permission.  i reproduce the letter in full
because of the apparent legal history.  the grumman aircraft are not
currently in production.

peter ladkin

(From Donald H. Slavik of Milwaukee, Wisconsin)

I enjoyed the article in your May 15, 1987 issue regarding the Grumman AA-1.
As an attorney, several years ago, I represented the estate of a man who was
killed in an accident involving this aircraft.  He attempted to take off from
a 3,000-foot-long, 150-foot-wide, one-degree uphill grass runway in northern
Wisconsin.  The aircraft was loaded to maximum gross weight and the outside
air temperature was about 70 degrees.  The aircraft failed to clear trees
which were located 1,400 feet past the end of the runway.

My investigation into the background of the aircraft revealed that original
flight testing for takeoff and climb performance was accomplished at sea
level only.  This data was then used as input to a computer program to
reduce it to data applicable to higher density altitudes.  A careful review
of the computer program revealed that there was a sign error in one of the
exponents for the critical equations.  This caused serious errors in the
resulting output data.  Secondly, the technical research paper which the
computer program was based upon had a footnote which was ignored by the
manufacturer of the aircraft.  The footnote pointed out that these equations
were not applicable to aircraft with low thrust-to-weight ratios (such as
this particular plane).

We initiated our own set of flight tests under the direction of Michael
Antoniou, the consultant referred to in the Aviation Consumer article.
These tests, accomplished at the same density altitude as that which existed
on the day of the accident, correctly predicted the performance of the
aircraft and also matched the impact point in the trees.

In conclusion, I sincerely believe that the takeoff and climb performance
data in the pilot's operating handbook is incorrect.

[End of Letter]

------------------------------

Date: Mon, 2 Nov 87 10:13 PST
From: David Chase <acornrc!rbbb@ames.arpa>
To: risks@csl.sri.com
Subject: Missiles; predicting disasters

(on faulty missiles)

I find it interesting that the doors are controlled by the missile and not
by the person(s) giving the launch order.
I suppose that this removes one way of thwarting a launch, but it seems
unlikely that agents of the Evil Enemy Empire would be able to get at the
door controls if they were ground-based (certainly, it is no more likely than
them being able to park an APC on top of the silo).  The trade-offs that our
military makes between ensuring a desired launch and preventing an
accidental launch tend to give me the creeps.

(on predicting disasters, and the comment that it didn't really matter)

There is no question that disaster prediction is useless without some
advance preparation.  Since there is a cost to both prediction and
preparation, as soon as the expected cost of disaster X falls (well) below
the costs of prediction and preparation, one stops preparing and predicting.
Consider hurricane preparation on the West Coast, earthquake preparation on
the East Coast, and snowstorm preparation in the South.  One region's minor
disaster is another region's calamity, and a day or two of warning won't
help that much.  Preparation for all these events requires widespread,
long-term preparation, and an occasional "baby disaster" helps enormously to
keep people aware and to test their response.

I find the current administration's early depictions of SDI particularly
amusing in light of this.  Remember the "umbrella"?  Whatever happened to
civil defense?  I recall some interpretation of civil defense as
"threatening" -- does that mean that SDI is not?  On the other hand, civil
defense may whip up emotions in ways that the "umbrella" does not; it's
harder to generate public sentiment for peace and friendship when the public
is also preparing for an attack by the Evil Enemy Empire.  Sigh.  I wish I
could think that this was Reagan's Secret Plan for better relations with
Russia.

David

------------------------------

Date: Mon 2 Nov 87 14:44:51-PST
From: BNBaker@KL.SRI.Com
Subject: DISCOVER Uncovered?

I just received a promotional letter designed to entice me to join Discover
Card Travel Services.
There is a sweepstakes involved in which I may already be a winner.  I get
so excited every time I read those words.  In other words, I get excited at
least once a day, but this one has a new twist.  The flyer states, "Enter
now.  You could be an INSTANT WINNER!  Your dream vacation stamp bears a
unique UPC Symbol.  It will be electronically scanned to reveal if you are
an instant winner!"

It so happens that we have two Discover cards for some reason, and I
happened to open both envelopes.  I already mentioned how excited I get and
so I was able to get excited twice.  Then I noticed that the UPC symbols
were the same on both flyers.  As you may recall from a couple of issues
ago, I have an interest in semantics so I called Discover Card to learn
about this new meaning of the word "unique."  I was told that there is a
secret code on the UPC Symbol that makes each one unique.  The bar codes are
identical so there would have to be some special material in the ink of the
winning ones.  If, however, the bar codes differed on the winners, then the
winners would be obvious to those printing them up.  Either way, my entries
are not unique, as claimed.

The Discover Card representative simply gave cute answers back to my
questions.  They asked how big my sample size was, so part of the purpose of
this is to ask RISKS readers if they by chance received the same unique set
of UPC symbols that I did, namely

  Canada             12345 06240
  Hawaii             12345 50030
  West Germany       12345 02990
  Walt Disney World  12345 75740
  Colorado           12345 00580
  Arizona            12345 10300

If yours are different, please let me know also.

The things that annoy me about this are:  The aura of electronically
scanning the entries to determine who the winners are, when in fact that
process may not take place.  The attempt to dispel my concerns by stating
that there is a secret code on each of the UPC symbols that can only be read
by their special computer.  The technology is produced by UPC Games of
Chicago (no phone listing).
At a minimum, this appears to be misrepresentation, but I've been notified
that I may already be a winner so many times that this slight twist to the
misrepresentation game should not bother me, I suppose.  Does anyone know how
this one supposedly works?

Bruce N. Baker <bnbaker@kl.sri.com>

------------------------------

Date: Sun, 1 Nov 87 08:33 EST
From: "Tom Benson 814-238-5277" <T3B@PSUVM> [BITNET]
Subject: TV Clipping Services
To: RISKS@KL.SRI.COM

In RISKS-5.51 Will Martin asks about TV clipping services.  The best
comprehensive source for network television news is the Vanderbilt
Television News Archive, at Vanderbilt University.  They collect all
national network news (since 1968, I believe), plus some special events.
Full print indexes of this service are available at good research libraries
or from Vanderbilt.  They will provide videotape of specified stories at, I
believe, about $100 per hour of tape.  There are also several commercial
clipping services, which charge more but which also collect such things as
local TV news.  They operate in several major cities, but I have little
information about them; I could find out more if it's of interest.

On the general point, Will is right: these services are a good way to
monitor what the public is hearing about various areas in which scholars and
scientists are interested.

Tom Benson, Penn State University

   [Also noted by Charles Youman]

------------------------------

Date: Fri, 30 Oct 87 23:29:39 PST
From: amdcad!well!samlb@hplabs.HP.COM (Samuel B. Bassett)
To: risks%csl.sri.com%hplabs@hplabs.HP.COM
Subject: Video Clips

For the person wondering about being able to get videotapes of TV programs,
I would suggest contacting Bacon's PR & Media Information Services in
Chicago.  They certainly do newspaper and magazine clips, and may also do
video clips -- if not, they will likely be willing and able to refer you to
somewhere that can.
The address and telephone number I have are from 1984, but they do have an
'800' number, and you can get it by dialing 1-800-555-1212 and asking the
AT&T operator.  Bacon's is a decidedly commercial operation, and is not
cheap, but my experiences with them in '81-'83 were decidedly positive.

------------------------------

End of RISKS-FORUM Digest
************************
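An added worked example, not part of the digest above, for Scot Wilcoxon's
item on the mistyped password: the anecdote only makes sense if the trading
system treated the password itself as the user's identity, so that typing
someone else's password logged you in as that someone else.  That is an
assumption about a system the item does not describe in detail; the broker
names, passwords and security lists below are constructed for the
demonstration.  The flawed lookup sits beside the design that prevents the
collision: identity comes from the username, and the password only proves it.

```python
"""Added example (not from the RISKS digest): password-as-identity versus
username-plus-password.  Assumption: the system in the anecdote selected
the account by password alone.  All accounts below are constructed."""
import hashlib
import hmac
import os

# Constructed sample accounts.  alice and bob happen to share a password,
# which is all it takes for the flawed design below to confuse them.
BROKERS = {
    "alice": {"password": "trade42", "list": ["XYZ", "ABC"]},
    "bob":   {"password": "trade42", "list": ["XYZ", "DEF"]},
    "carol": {"password": "ledger7", "list": ["GHI"]},
}


def lookup_by_password_only(typed_password):
    """Flawed design (assumed reconstruction of the anecdote): the password
    *is* the identity.  The first account whose password matches wins, so a
    broker who mistypes a password that happens to be someone else's is
    silently logged in as that someone else and handed their working list."""
    for name, rec in BROKERS.items():
        if rec["password"] == typed_password:
            return name, rec["list"]
    return None, None


def _derive(password, salt, iterations=50_000):
    # PBKDF2-HMAC-SHA256; the iteration count is a demo value, not tuned.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_credential_store(brokers):
    """Hardened storage: records keyed by username, each password kept only
    as a salted hash, so two users with the same password are still two
    distinct records with two distinct hashes."""
    store = {}
    for name, rec in brokers.items():
        salt = os.urandom(16)
        store[name] = {"salt": salt,
                       "hash": _derive(rec["password"], salt),
                       "list": rec["list"]}
    return store


_DUMMY_SALT = b"\x00" * 16


def login(store, username, password):
    """Hardened login: the username names the account, the password proves
    it.  A wrong password fails and can never select another account.  An
    unknown username still pays for one hash so response time does not
    reveal which names exist.  Returns the user's list, or None."""
    rec = store.get(username)
    salt = rec["salt"] if rec else _DUMMY_SALT
    candidate = _derive(password, salt)
    if rec is None:
        return None
    if not hmac.compare_digest(candidate, rec["hash"]):
        return None
    return rec["list"]


def shared_passwords(brokers):
    """Audit helper: which accounts share a plaintext password?  Only
    answerable when passwords are stored in the clear, which the flawed
    design requires; the hashed store has nothing to compare."""
    by_password = {}
    for name, rec in brokers.items():
        by_password.setdefault(rec["password"], []).append(name)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    # bob fat-fingers a password that is alice's: the flawed lookup hands
    # him alice's list, and both brokers start working the same names.
    print(lookup_by_password_only("trade42"))
    store = build_credential_store(BROKERS)
    print(login(store, "bob", "trade42"), login(store, "bob", "trade43"))
    print(shared_passwords(BROKERS))
```

The `shared_passwords` audit is only possible against the flawed design,
which is itself the tell: if an operator can enumerate which users share a
password, the system is keeping secrets it should only hold as hashes.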
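A second added example, also not part of the digest, for Peter Ladkin's
density-altitude explanation and the sign error in the exponent described
in the Slavik letter.  The density-altitude arithmetic is the standard
pilot's rule of thumb (about 120 ft per degree C of deviation from the ISA
temperature, with a 2 C per 1000 ft lapse rate), applied to Ladkin's Grand
Canyon figures.  The takeoff-distance model is an assumed generic power-law
stand-in, since the manufacturer's actual equations are not reproduced on
the page; what the block shows is the invariant check (takeoff roll may not
shrink as density altitude rises) that flags a flipped exponent sign
regardless of which equations are behind it.

```python
"""Added example (not from the RISKS digest): density altitude by the
pilot's rule of thumb, plus a sanity check over reduced performance data.
The takeoff-distance reduction below is an ASSUMED generic model."""

ISA_SEA_LEVEL_C = 15.0
ISA_LAPSE_C_PER_FT = 2.0 / 1000.0   # standard lapse rate, about 2 C per 1000 ft
DA_FT_PER_DEG_C = 120.0             # ~120 ft of density altitude per degree C off ISA


def isa_temperature_c(pressure_altitude_ft):
    """Standard-atmosphere temperature at a given pressure altitude."""
    return ISA_SEA_LEVEL_C - ISA_LAPSE_C_PER_FT * pressure_altitude_ft


def density_altitude_ft(pressure_altitude_ft, oat_c):
    """Pilot's rule of thumb: pressure altitude corrected by about 120 ft for
    every degree C the outside air temperature sits above (or below) ISA."""
    deviation_c = oat_c - isa_temperature_c(pressure_altitude_ft)
    return pressure_altitude_ft + DA_FT_PER_DEG_C * deviation_c


def density_ratio(da_ft):
    """Standard-atmosphere density ratio sigma = rho / rho0 at a density
    altitude (tropospheric model)."""
    return (1.0 - 6.8756e-6 * da_ft) ** 4.2559


def takeoff_distance_ft(sea_level_distance_ft, da_ft, exponent=2.0):
    """ASSUMED generic reduction of sea-level test data to altitude:
    distance = d0 * sigma ** (-exponent).  With exponent=+2.0 the roll
    lengthens as the air thins, the physically sensible direction.  Calling
    it with exponent=-2.0 reproduces what a sign error in the exponent does:
    the program then claims *shorter* rolls at altitude."""
    return sea_level_distance_ft * density_ratio(da_ft) ** (-exponent)


DEFAULT_ALTITUDES_FT = (0, 2000, 4000, 6000, 8000, 10000)


def reduction_is_sane(sea_level_distance_ft, exponent=2.0,
                      altitudes=DEFAULT_ALTITUDES_FT):
    """Invariant check to run over any reduced performance table: takeoff
    distance must never decrease as density altitude increases."""
    distances = [takeoff_distance_ft(sea_level_distance_ft, h, exponent)
                 for h in altitudes]
    return all(later >= earlier
               for earlier, later in zip(distances, distances[1:]))


if __name__ == "__main__":
    # Grand Canyon, 6606 ft MSL, on a hot June day of about 24 C: ~9300 ft.
    print(round(density_altitude_ft(6606, 24.2)))
    print(round(takeoff_distance_ft(1500, 9300)))
    # Correct exponent passes the check; the sign-flipped one fails it.
    print(reduction_is_sane(1500, 2.0), reduction_is_sane(1500, -2.0))
```

The check is deliberately model-agnostic: it inspects only the output table,
so it would catch a flipped sign in a reduction program without anyone
having to read the program, which is the position an accident investigator
or a certification reviewer is usually in.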