Mail-From: NEUMANN created at 31-Jan-86 00:25:09
Date: Fri 31 Jan 86 00:25:09-PST
From: RISKS FORUM (Peter G. Neumann, Coordinator)
Subject: RISKS-1.45
Sender: NEUMANN@SRI-CSL.ARPA
To: RISKS-LIST@SRI-CSL.ARPA

RISKS-LIST: RISKS-FORUM Digest, Friday, 31 Jan 1986  Volume 1 : Issue 45

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
sponsored by the ACM, Peter G. Neumann, moderator

Contents:
  Risks from discussing Reliability of Shuttle Destruct System
    (John Carpenter, Peter G. Neumann)
  Possible triggering of the self-destruct mechanism (Peter G. Neumann)
  Challenger and Living with High-Risk Technologies (Dave Benson)
  The Challenger [non]accident (Jeff Siegal)
  Shuttle Explosion -- Plutonium on Galileo (Larry Shilkoff)
  Reliability in redundant systems (Brad Davis)

The RISKS Forum is moderated. Contributions should be relevant, sound, in
good taste, objective, coherent, concise, nonrepetitious. Diversity is
welcome. (Contributions to RISKS@SRI-CSL.ARPA, Requests to
RISKS-Request@SRI-CSL.ARPA.) (Back issues Vol 1 Issue n stored in
SRI-CSL:RISKS-1.n.)

----------------------------------------------------------------------

Date: Thu, 30 Jan 86 07:51:58 PST
From: cbosgd!akgua!whuxlm!whuxcc!crash@ucbvax.berkeley.edu
To: whuxlm!risks
Subject: Risks from discussing Reliability of Shuttle Destruct System

As I read the article [by Martin Moore in RISKS-1.43,] it occurred to me
that as we discuss the risks of the destruct system we could be creating
another risk by revealing the nature of its operation. I had no prior
knowledge of this system and now I know, generally, how it works, its
redundancy level, and its physical location.

I am aware that much of the technical information about the shuttle is a
matter of public record. I don't know what sort of information is public
and what isn't. If the destruct system is public information, I would like
to know why. If it isn't, it certainly has no place on the net.

Respectfully,
John Carpenter

------------------------------

Date: Thu 30 Jan 86 10:49:44-PST
From: Peter G. Neumann
Subject: Risks from discussing Reliability of Shuttle Destruct System
To: cbosgd!akgua!whuxlm!whuxcc!crash@UCBVAX.BERKELEY.EDU
cc: RISKS@SRI-CSL.ARPA

Your concern is of course very valid. The existence of such a mechanism
represents a serious risk. The details of how that mechanism is thought not
to be spoofable or accidentally triggered are of course the subject of an
age-old controversy. On one hand, pretending that such a mechanism is safe
because it is not publicly known is disastrous -- especially if the
mechanism is intrinsically not safe. On the other hand, publishing the
details of a mechanism that is not entirely sound is also dangerous,
because it may suggest the flaws to an interloper. However, unless there can
be scrutiny by dedicated experts, the flaws will persist. A further comment
in this chain of reasoning is that no mechanism can be guaranteed 100%
sound -- there are ALWAYS circumstances outside of the set of assumptions.

On balance, openness appears preferable, tempered by the recognition that
if the risks are otherwise too great, then what is being done should
probably NOT BE DONE THAT WAY AT ALL. This is a very difficult problem, and
I and many of my colleagues seem to come down fairly consistently on the
side of forthright discussion rather than hiding one's head in the sand
under a blanket of obliviousness. What you don't know CAN hurt you. What
you do know can also. There are no easy answers.

Peter

[I use "safe" and "sound" loosely to imply reliable, available, secure,
nonspoofable, nontamperable, free of Trojan horses, etc.]

------------------------------

Date: 30 Jan 86 09:23:53 PST (Thu)
From: Peter G. Neumann
To: RISKS@sri-csl.arpa
Subject: Possible triggering of the self-destruct mechanism

Much to my surprise -- since it did not seem too likely -- I heard of a
report on the radio last night by a physicist (and head of a company that
does something with solid-fuel rockets) who speculated that the explosion
in the solid-fuel rocket booster set off the self-destruct mechanism,
resulting in the destruction of the orbiter. He suggested that it could not
have been a hydrogen leak because hydrogen burns clear and the Shuttle
explosion had an obvious orange glow.

------------------------------

Date: Wed, 29 Jan 86 21:02:58 pst
From: Dave Benson
To: risks@sri-csl.ARPA
Re: Challenger and Living with High-Risk Technologies

According to Charles Perrow, Normal Accidents: Living with High-Risk
Technologies (Basic Books, New York, 1984), we should expect to see
large-scale accidents such as the loss of the space shuttle Challenger.
Perrow's thesis, I take it, is that the complexity of current technology
makes accidents a 'normal' aspect of the products of these technologies.
We may view space shuttle launches, nuclear reactors, power grids,
transportation systems, and much real-time control software as lacking
homeostasis, "give", forgiveness. Perhaps some of these technologies will
forever remain "brittle", but despite the shock of the loss of the space
shuttle Challenger, I remain positive about our ability to learn from our
mistakes and provide greater "ductility" in future engineering practice.

------------------------------

Date: Thu 30 Jan 86 20:22:37-EST
From: Jeff Siegal
Subject: The Challenger [non]accident
To: RISKS%SRI-CSL@EDDIE.MIT.EDU
Cc: LIN@MC.LCS.MIT.EDU

    From: Herb Lin at MC.LCS.MIT.EDU
    It is obvious that at the time of the explosion, no rifle bullet hit
    it. Thus, any shot must have been fired much sooner. The rifle shot
    must then be timed in such a way that it is fast enough to weaken the
    casing, but not strong enough to penetrate it. It seems that that
    window is pretty small.

I have heard speculation that some fuel leaking (LHY or LOX) from the MFT
and an unexpected flame could be seen (on slow-motion videotape) for some
time prior to the explosion. This seems consistent with rifle bullet
impact/puncture, long before the actual explosion occurred.

I have, in general, been concerned about the fact that, except for a single
question asked by one reporter at the first news conference, there has been
no public mention of the possibility of terrorism. Is there someone who
knows enough about the security at NASA/KSC to be able to estimate the
difficulty that a malicious party would have in getting physical access to
the shuttle/SRB/MFT prior to the launch? I haven't noticed any great
measure of security (except DoD flights), but perhaps this has been the
result of a NASA P.R. effort to make the Space program appear as "open" as
possible.

Jeff Siegal

------------------------------

Date: Thu, 30 Jan 86 17:05 PST
From: LShilkoff.ES@Xerox.COM
Subject: Shuttle Explosion -- Plutonium on Galileo
To: "risks"

I understand the Galileo probe which was planned to be on a shuttle flight
this summer is powered by plutonium. Had Galileo been on this flight, it
seems to me a whole bunch of plutonium particles would have been raining
along the coast of Florida. Any comments?

Larry

------------------------------

Date: Thu, 30 Jan 86 09:08:52 MST
From: b-davis@utah-cs.ARPA (Brad Davis)
To: RISKS@sri-csl.arpa
Subject: Reliability in redundant systems

Martin Moore's report on the self destruct devices was very informative. It
also brings up an important question. If the hardware system is redundant,
what about the software system? Is the same software running on all of the
redundant hardware systems, or is there more than one software package
developed? If there is only one software package, then if one system fails
due to a software failure, the other systems' software may fail since the
same conditions may still be in effect.

Brad Davis

------------------------------

End of RISKS-FORUM Digest
************************
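Editor's added example, not part of the digest and not from any of its contributors: a small Python simulation of the situation Brad Davis asks about above. Three channels feed a majority voter; the first run puts the same program on all three channels, the second run gives each channel an independently written implementation of the same specification. The specification (a chamber-pressure threshold with an "offline sensor" sentinel), the sample readings and the bug in one version are all constructed for this illustration and have nothing to do with the real destruct system.

```python
"""Common-mode failure in redundant software: a constructed illustration.

Assumed toy specification (invented for this example): given a chamber
pressure reading as a percentage of nominal (0..100), answer True if thrust
should be terminated (pressure below 20%), False otherwise. The sentinel -1
means "sensor offline" and must yield None (no decision), never a
termination command.
"""
from collections import Counter
from typing import Callable, List, Optional, Tuple

Decision = Optional[bool]
Channel = Callable[[int], Decision]


def version_a(pressure_pct: int) -> Decision:
    """Faulty implementation: never checks for the offline sentinel, so
    -1 < 20 turns a dead sensor into a termination command."""
    return pressure_pct < 20


def version_b(pressure_pct: int) -> Decision:
    """Independently written version: rejects out-of-range input first."""
    if not 0 <= pressure_pct <= 100:
        return None
    return pressure_pct < 20


def version_c(pressure_pct: int) -> Decision:
    """Independently written version: tests the sentinel explicitly."""
    if pressure_pct == -1:
        return None
    return pressure_pct <= 19


def majority_vote(outputs: List[Decision]) -> Tuple[Decision, bool]:
    """Return (winning value, unanimous?).

    A three-way split (True/False/None) has no majority; the voter then
    withholds a decision rather than pick one arbitrarily."""
    value, count = Counter(outputs).most_common(1)[0]
    if count < 2:
        return None, False
    return value, count == len(outputs)


def run_tmr(channels: List[Channel], pressure_pct: int) -> Tuple[Decision, bool]:
    """Feed one reading to every channel and vote on the results."""
    return majority_vote([ch(pressure_pct) for ch in channels])


# Same software on all three redundant boxes versus three independent versions.
IDENTICAL: List[Channel] = [version_a, version_a, version_a]
DIVERSE: List[Channel] = [version_a, version_b, version_c]


def compare(pressure_pct: int) -> dict:
    """Run both configurations on one reading and return their voter outputs."""
    return {
        "identical": run_tmr(IDENTICAL, pressure_pct),
        "diverse": run_tmr(DIVERSE, pressure_pct),
    }


if __name__ == "__main__":
    # Constructed sample readings: nominal, genuinely low, and sensor offline.
    for reading in (50, 15, -1):
        result = compare(reading)
        print(f"reading={reading:>3}: identical copies -> {result['identical']}, "
              f"diverse versions -> {result['diverse']}")
```

On the offline-sensor reading the identical configuration returns a unanimous True: all three copies contain the same defect, the same input reaches all three, and the voter sees perfect agreement on a wrong termination command, so redundancy bought nothing and the voter has no way to notice. The diverse configuration returns None and reports disagreement, which is exactly the signal a hardware-redundant system with one shared software package can never produce. The usual caveat applies: independently written versions only help when they do not share the same flawed assumption, so a specification error can still defeat all of them at once.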