Subject: RISKS DIGEST 10.05
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 6 June 1990  Volume 10 : Issue 05

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  New computerized scoring system fails during Indy 500 (Jaime Villacorte)
  Nuclear hair-trigger still set (Johnson v. Chain) (Clifford Johnson)
  Network follies (Tim Shimeall)
  Re: The A320's attacks of nerves (Danny Cohen)
  Re: Article on A320 in Aeronautique, April 1990 (Pete Mellor, Atkielski)
  "Computer to track down drivers without insurance" (SeanF)
  Another egregious database (Mark Anacker)
  Risks of Caller Identification (David desJardins)
  Re: Denial of service due to switch misconfiguration (Larry Kilgallen)
  Private mail on BBSes... (David Gursky)
  Re: 2600 article (Henry Spencer)

  The RISKS Forum is moderated.  Contributions should be relevant, sound, in
  good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
  welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
  "Subject:" line (otherwise they may be ignored).  REQUESTS to
  RISKS-Request@CSL.SRI.COM.
  TO FTP VOL i ISSUE j:  ftp CRVAX.sri.com
                         login anonymous
                         AnyNonNullPW
                         cd sys$user2:[risks]
                         GET RISKS-i.j     ; j is TWO digits.
  Vol summaries in risks-i.00 (j=0); "dir risks-*.*" gets you directory
  listing of back issues.
  ALL CONTRIBUTIONS ARE CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.

----------------------------------------------------------------------

Date: Wed, 6 Jun 90 09:08:04 PDT
From: jaime@tcville.hac.com (Jaime Villacorte)
Subject: New computerized scoring system fails during Indy 500

The following appeared in an article by Tim Considine in the June 4, 1990
issue of Autoweek. It concerned the use of a new computerized scoring system
manufactured by Dorian Industries, an Australian electronics firm, for use in
the recent Indianapolis 500 race.
"Data-1, as the system is known, is arguably the most advanced and foolproof
scoring system in the world. Well, almost foolproof." [...]

"...all monitors went blank on Lap 130 of the race. The cause of such a
catastrophe: A laser printer ran out of paper and the system froze. A simple
problem, but one that hadn't been simulated during testing. However, while the
monitors were blank, Data-1's computer kept collecting scoring and timing
information, even though those in the tower couldn't gain access to it for a
while. Thus the last third of the Indianapolis 500 ended up being scored by 33
people with clipboards - the system used for the last nine years anyway and
which USAC director of scoring and timing Art Graham had the foresight to
retain as backup."

[All was not lost though... the computer eventually saved the day :-) ...]

"Ironically, a mistake was made. In provisional results released immediately
after the race, Eddie Cheever was seventh and Scott Brayton eighth. But a
half-hour later, the positions were reversed when Data-1's complete scoring
data was fed back into the computer and the error was found and corrected -
Brayton hadn't been credited with a lap he'd completed. And not only had the
new technology proven itself, but for the first time in memory, Graham and his
crew finished in time for dinner."

- jaime villacorte   jaime@tcville.hac.com
Hughes Aircraft Co, EDSG, POB 902, EO/E52/D203, El Segundo, CA. 90245
(213) 616-8954

------------------------------

Date: Tue, 5 Jun 90 14:34:52 PDT
From: "Clifford Johnson"
Subject: Nuclear hair-trigger still set (Johnson v. Chain)

On June 4, 1990, Soviet premier Gorbachev told a Stanford audience that the
cold war was behind us.
On the same day, Stanford computer manager Clifford Johnson filed his appeal
brief in the Ninth Circuit Court of Appeals in San Francisco, case 90-15276,
arguing that he had "standing" to sue General Chain, the Commander-In-Chief of
the Strategic Air Command, to reduce the risk of accidental launch of Minuteman
and MX missiles. The appeal is from a District Court dismissal of the lawsuit
Johnson v. Chain, et al., case C-89-20265-SW, filed May 1, 1989.

The suit challenges "standing orders" that assure the immediate launch of
Minuteman and MX missiles, at all times. Missile launch crews and their
commanders are on perpetual alert, at DEFCON (DEFense CONdition code) 4,
instead of the peacetime level of DEFCON 5. Johnson contends that this nuclear
alert gives rise to an ongoing risk of accidental nuclear launch due to
computer-related error, a charge endorsed by Computer Professionals for Social
Responsibility.

Ultimately, Johnson seeks a declaration that the standing orders are illegal
under constitutional, statutory, and international law, as follows:

(a) in peacetime, based on Congress' required power to declare war, and on
    prohibitions against jeopardizing the peace;
(b) prior to an actual first nuclear use and without express congressional
    authorization, based on the required power of Congress to qualitatively
    expand war, and on prohibitions against disproportionate response;
(c) at any time, on grounds that they surrender to computers all-important war
    powers, and so constitute an unrepublican form of government; and
(d) at any time, as they require subdelegation to military commanders of the
    decision to launch a nuclear strike, which is barred by the Atomic Energy
    Act and by the republican principle of civilian supremacy.

Taking as true all the factual allegations of risk, the trial court dismissed
the action on the ground that Johnson lacked "standing" to sue the government.
The issues raised in the brief are as follows:

                          THE ISSUES ON APPEAL

GIVEN present and continuing computer-related risks of sudden accidental death
to millions, and to the Plaintiff in particular, due to the Defendants'
standing orders re the launch of nuclear missiles;

WHERE said standing orders are challenged as inherently reckless and in excess
of authority under constitutional, statutory, treaty, and international law;

WHETHER, under Article III of the Constitution, the Plaintiff has standing to
sue Defendants, either in their official capacities or as individuals, on the
grounds that Defendants' conduct:

1. immediately endangers Plaintiff's life, and diminishes its daily quality,
   without due process, in violation of the Fifth Amendment to the
   Constitution; and/or

2. is heedless of the dictate of the public conscience and/or constitutes a
   crime against the peace, which Plaintiff is specially qualified to complain
   of, so that his standing is assured, respectively, by the Martens clause of
   the Hague Convention Respecting the Laws and Customs of War on Land (1907)
   36 Stat. 2277 and/or by Article 6(a) of the Treaty of London (1945) 59 Stat.
   1544; and/or

3. delegates to error-prone, computer-governed military drills ultimate
   political judgments, imposing upon the Plaintiff a here-and-now subservience
   to unrepublican government, in violation of Article IV § 4 of the
   Constitution.

The brief is 50 pages long, and dense with footnotes. It claims that the
immediate threat of harm, imposed without due process, is an injury sufficient
for standing, even though it is "pervasively shared." It also argues that
Johnson's injury is particular, in that he works close to a top-priority
target, namely, Sunnyvale's Satellite Control Facility, and in that, as a
British citizen, he has no remedy through the ballot box. Besides, as an expert
on the relevant technology, he has standing to complain of crimes against the
peace under international law, even if he himself were not injured.
Finally, the case is novel in asserting that the de facto delegation of
political decisions to computers amounts to unrepublican government, and is
actionable. The government has thirty days in which to respond.

------------------------------

Date: Wed, 6 Jun 90 09:12:44 PDT
From: shimeall@cs.nps.navy.mil (Tim Shimeall)
Subject: Network follies

For reasons known only to them, the folks who run the MILNET/Arpanet gateways
decided to sever the connections at about 9:00am Monday, and reconnect them at
about 4:00pm Tuesday (both times PDT). Naturally, they gave no advance (or
following) notice of these actions. (At least, neither our users nor our
system administrators received such notice...) It is unfortunate that the
gateway administrators act with such apparent disregard for the users and such
apparent capriciousness.

Tim Shimeall

------------------------------

Date: Wed 6 Jun 90 14:43:21-PDT
From: Danny Cohen
Subject: Re: The A320's attacks of nerves (RISKS-10.02)

About the A320'S ATTACKS OF NERVES

Mr. Bertrand Bonneau (the translator to English) did a terrific job of
translation, given his knowledge of the subject area. Too bad that the original
writer is not more knowledgeable of aviation. For example, I was very surprised
by the total absence of any reference to the B767/B767 with their glass
cockpits and computers.

The main point of this article is that the procedures were bad, and that the
French FAA was conducting the investigation rather than the French Department
of Justice. Even if the French judges are only ten times technically-smarter
than ours and if the French-FAA is only ten times more corrupted than ours, I'd
still rather see their FAA, not their DoJ conduct the investigation.

The article asks (in the sub-headline): "How could the willingness to declare
the pilots responsible for major accidents, EVEN BEFORE THE JUDGES HAVE
RETURNED THEIR VERDICT, appear other than suspect?"

Sure sounds like a good question.
Well, in the US the NTSB (and the FAA) typically have "probable cause" within a
day, even though investigations take many months or even years. Is it suspect,
too?

For example, the Aloha B737 experienced an explosive decompression on
28-Apr-88, and the NTSB report about it was submitted only on Jun-14-89, nearly
14 months later. However, within a day or two after the accident everyone was
told what happened. Was this suspect, too? Neither Boeing nor RISKS complained
about it. I couldn't find the contribution in RISKS saying that:

   How could the willingness to declare the aircraft responsible for these
   accidents, even before the judges have returned their verdict, appear other
   than suspect?

Another example, closer to our hearts: the article says "For example, the
software in the flight warning computer [FWC] included a fault which a good
computer scientist could have repaired without a doubt". I take it to imply
that this shows that because of "*Industrial Secrets*" (which cover the
software) the operating airlines could not use any "good computer scientist"
to simply go ahead and fix that fault. If this is the case -- how about all the
regression testing that ANY change in operational flight software must go
through? Who would be responsible for the modified code? Etc., etc.

To sum it up: opinionated reporting may leave something to be desired.

Danny

------------------------------

Date: Tue, 5 Jun 90 21:03:03 PDT
From: Pete Mellor
Subject: Re: Article on A320 in Aeronautique, April 1990

In RISKS-10.04, livesey@Eng.Sun.COM criticises my recommendation of the
Aeronautique article, as follows:

> Writing of a translated article, he recommends it to us on several grounds,
> one of which is
>
>> b) the fact that it presents a French (and therefore not negatively biased?)
>> view,
>
> The two problems with this are, first, Airbus is not exclusively a French
> aeroplane. It is a joint venture between several European countries.
>
> Secondly, there has been quite a lot of negative comment about Airbus from
> French sources, mainly from pilots' unions.

Quite correct on both counts! The umbrella company, Airbus Industrie, is,
however, based in France, and the company responsible for the EFCS, at which
much of the criticism has been levelled, is Aerospatiale, also French. The
representatives of these companies have made extravagant claims for the safety
and reliability of the A320 EFCS in TV interviews (see quotes from the Equinox
programme on fly-by-wire in RISKS-9.42). I am very well aware of some of the
criticisms from French sources, but when I wrote the above, I was thinking of
this fairly vociferous defence of the FBW concept in general, and A320 in
particular. (On the other hand, criticism emanating from the vicinity of
Boeing, for example, *might* be expected to be a little bit biased. :-)

> The risk here is that of giving one source extra credence on specious grounds.

Yes, it is only one source, but it *did* seem to be fairly well informed. If
any RISKS or Aeronautics digest readers can fault the article technically, I
would be very glad to hear from them.

One thing in my recommendation which *was* misleading was my carelessly worded
statement that the author had drawn some fascinating conclusions about the
cause of the Mulhouse-Habsheim accident. He had not, of course. He merely
raised a few fascinating questions.

Other than that, please judge for yourselves, and read again my disclaimer :-).

Pete Mellor

------------------------------

Date: Wed, 6 Jun 90 01:01 MST
From: Atkielski.TDS-ASF@SYSTEM-M.PHX.BULL.COM
Subject: A 320 article in Aeronautique

Minor erratum: This article actually appears in the "Aeronautique" section of
the French science magazine "Science & Vie," in the April, 1990 issue. A
rebuttal from Bernard Ziegler, technical director of Airbus Industrie, may be
found in the following May issue.
------------------------------

Date: Sun Jun 3 13:27:33 1990
From: seanf@sco.UUCP
Subject: "Computer to track down drivers without insurance"

[This is from clari.tw.computers.]

BOSTON (UPI) -- Tens of thousands of illegally uninsured drivers in
Massachusetts will be tracked down and hunted when the Registry of Motor
Vehicles implements a new computer-based system beginning Friday.

The new system, which allows insurance companies to electronically send the
Registry's computer a list of uninsured motorists whose policies have been
revoked for nonpayment, aims at cracking down on the estimated 300,000
Massachusetts drivers who take to the roads without insurance. [...]

Police will pursue those individuals who fail to obtain insurance after being
discovered.

[end excerpt]

I think the risks are obvious.

------------------------------

Date: 4 Jun 90 21:11:15 GMT
From: marka@dsinet.UUCP (elroy)
Subject: Another egregious database

Reprinted from the June 3rd 1990 Seattle Times:

"Computer-data program to link student with prospective boss"
Newhouse News Service

Lawrence Township, N.J.

Imagine if an employer could find out how many times a prospective employee
had been late for school, or if a business could tap into a pool of high
school graduates and find the model employee.

Those are among the possible uses of an information system being developed by
the Educational Testing Services, the nonprofit institution that administers
the college entrance exams. Called Worklink, the program is designed to
connect education and business by gathering information from student records
and providing it to employers through a computer data bank.

The idea, according to George Elford of ETS, is to improve the work force by
motivating students, particularly those who might lack the contacts to land a
good job. Ideally, cost for the program would be shared by schools and
businesses - not the students,
Elford says, since it aims to help students who lack traditional means of
"getting a foot in the door".

"Because the advantages of social networks and family influences are reduced
with Worklink, the socially disadvantaged will gain real benefits," Elford
says. "Students will be competing on their record, not on their ability to
create an impressive resume. And because the data bank will include teacher
ratings, letters of recommendation and previous work experience, Worklink will
avoid the problems of standardized tests that often compare the disadvantaged
with the advantaged."

Under the voluntary program, everything from prose reading and document
reading to punctuality would be assessed and, subject to student approval,
entered into the student's record. Such control would be exercised in order to
build on an individual's strengths, says Elford. The absence of criteria like
punctuality might be noticed, however, just as vital information omitted from
a resume would be, he adds.

If the system is successful, says Elford, it would provide an incentive for
apathetic students to do well. "Worklink, when widely used by employers, is
likely to motivate students to develop and demonstrate their proficiency in a
number of areas," he says. "This increased motivation is likely to lead
students to view teachers and class work as a means to help them build a
strong record. Now, kids (who are not applying to colleges) know nobody cares
what they're doing in high school, so why work hard? ... Hopefully this would
serve as an incentive."

While the reward for the student would be a good job, employers would benefit
by having a competent work force at their fingertips.

Pilot projects for Worklink will be launched in Tampa, Fla., and Spokane, Wa.
this fall if business leaders in those communities agree to cooperate, says
Elford.
It will be at least a couple of years before the results of the pilot are
known, but Elford hopes Worklink will eventually catch on throughout the
country. "I'd like to see this kind of record system used in most localities
in 10 years," he says. "Our hope is this will raise the whole level of
attainment in schools and in the workplace."

[Now let's see... ETS's standardized tests are no good, so they want to add an
even MORE intrusive system. Is it just me, or does anyone else have a problem
with this?]

Mark Anacker, Digital Systems International, Inc., Redmond WA USA
(206)881-7544

------------------------------

Date: Tue, 5 Jun 90 23:26:25 EDT
From: desj%idacrd@Princeton.EDU (David desJardins)
Subject: Risks of Caller Identification (Re: Lesher, RISKS-10.04)

From: David Lesher
> Given the level of violence within the general population around
> here, the CID block seems to have made a classic RISKS mistake. A system
> designed for less critical use has been thrust beyond its design
> parameters into a life-dependent role.

I think you are misplacing the blame. Anyone who chooses to have their life
depend on call blocking deserves what they get. (As you point out, the call
blocking isn't useful for those trying to conceal their law-enforcement
relationship in any case.)

If you walk up to my door and knock, I can find out who you are (by taking a
photograph through my peephole). So logically police informants don't expect
to be able to walk up to doors anonymously. Neither should they expect to be
able to enter homes via telephone anonymously.

-- David desJardins

------------------------------

Date: Wed, 6 Jun 90 18:49 EDT
From: Kilgallen.Catwalk@DOCKMASTER.NCSC.MIL
Subject: RE: Denial of service due to switch misconfiguration

In RISKS DIGEST 10.01, Marc Horowitz writes:

> It turns out, that as a "client," MIT doesn't get automatic updates
> when new exchanges are created.
> Without this information, the switch has no
> clue how to bill the caller, or even if it should let the caller make the call.
> So it assumes the worst case, and disallows anyone from making the call. The
> switch had to be manually programmed with the necessary information about the
> new exchange.

This problem is not restricted to organizations which run their own switch, or
those with an ESS. There are *lots* of plain ordinary PBX's in this divested
world which have automatic "route selection" to decide whether to send that
outbound call over normal or WATS circuits, and in my experience these often
don't get updated with new exchange codes, so calls simply cannot be made in
the absence of routing information. In at least one of these cases the PBX was
one maintained by AT&T, which apparently did not have good communications with
its former child, New England Telephone.

But wait, there's more...

I had a problem when I first got a cellular phone (as soon as they were
offered in Boston). Well, there was the aforementioned problem that PBX's had
not been loaded with information about the new cellular exchange codes. But
also, I found that I could not forward calls from a residential phone to the
new exchange. Sure enough, the ESS run by New England Telephone had not been
updated with information on how to forward to exchanges run by a "different"
company, NYNEX Mobile Communications (both companies are owned by NYNEX).

Larry Kilgallen

------------------------------

Date: Mon, 4 Jun 90 14:50:06 EDT
From: dmg@lid.mitre.org (David Gursky)
Subject: Private mail on BBSes...

In Risks 10.03, nazgul@alphalpha.com (Kee Hinckley) poses some questions on
handling private mail on BBSes that deal with illegal activities (the messages
that is, not the BBSes in general).

It is true that as a Sysop, you can't legally read private mail to others. The
loophole is you can read public mail.
What many BBSes here in the Washington area do is (1) prohibit private mail,
except to and from the Sysop, or (2) put up a public notice announcing there is
no private mail on the BBS, only public and semi-private, and the Sysop
reserves the right to inspect (read) all messages. Should a prospective user
not be willing to abide by either (1) or (2), they need not use the BBS.

------------------------------

Date: Mon, 4 Jun 90 12:43:53 EDT
From: henry@zoo.toronto.edu
Subject: Re: 2600 article

> ...suggests that I can be arrested based on the contents/usage of my
> BBS, even when I'm unaware of that usage...
> ...it seems to me that the Electronic Privacy Act prevents me from taking
> any actions which would let me prevent the misuse of my board...

The real problem here is that the courts are still fumbling with the question
of whether electronic media are publishers or common carriers. A publisher,
e.g. of a newspaper, is very definitely responsible for what he prints, and
cannot claim innocence just because he wasn't paying attention to what the
reporters were writing that day. A common carrier, e.g. the phone company,
merely provides communication services and bears no responsibility for the
content of messages. Most electronic media fall in a vast gray area in
between, and nobody can really predict how a major court case would go.
Eventually, precedents and legislation will settle things.

Meanwhile, one should not be surprised if law-enforcement people assume the
worst. Deciding who is guilty and who is innocent is the courts' job, not
theirs. In the absence of solid rules (nonexistent as yet) and informed
judgement (unlikely, given that most of them are computer-illiterate), they
have few options. When they don't understand what's going on and the rulebook
doesn't help, but there are definitely people being victimized, all they can
do is arrest those who appear to be involved and hope they aren't too far
wrong.
Henry Spencer at U of Toronto Zoology   uunet!attcan!utzoo!henry

------------------------------

End of RISKS-FORUM Digest 10.05
************************