Subject: RISKS DIGEST 10.58
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Sunday 4 November 1990  Volume 10 : Issue 58

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Canadian Auditor-General fears computer sabotage (David Sherman)
  U.S. Sprint new calling card system (Jim Morton)
  Chilling Advertisement (Cindy Tittle)
  Prodigy Censors Users (Dave King)
  "Expert Systems in the Loop" explained (Randall Davis)
  Re: Airliner story (Christopher C. Stacy)

  The RISKS Forum is moderated.  Contributions should be relevant, sound, in
  good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
  welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
  "Subject:" line.  Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
  FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
  CD RISKS:<CR>GET RISKS-i.j<CR>; j is TWO digits.  Vol summaries in
  risks-i.00 (j=0); "dir risks-*.*" gives directory; bye logs out.
  ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
  Relevant contributions may appear in the RISKS section of regular issues
  of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Wed, 31 Oct 90 21:03:00 EST
From: dave@lsuc.on.ca (David Sherman)
Subject: Canadian Auditor-General fears computer sabotage

Toronto Star, October 31, 1990, page C1:

"Dye fears computer sabotage" (By Shawn McCarthy, Toronto Star)

The federal government's computer systems are vulnerable to sabotage or
disaster, Auditor-General Ken Dye says.

Dye said a number of departments have been negligent in ensuring their
information systems are tamper-proof.  As a result, there could be
disruptions in the payment of old-age pensions, family allowance and
unemployment insurance, the auditor-general said in his report released
yesterday.
"Most, if not all, programs of government could not be delivered today
without the support of computers," Dye said.

He noted that everything from income tax returns, to social security
payments to a request for a social insurance number depend on government
computers.  Unauthorized access to them can also compromise confidential
business information.

"And yet, unlike people and money, this vital asset is not adequately
supported by political interest, management attention, lines of
accountability, or leadership from central agencies.

"In an information age, that's like running a railroad without signals or
a busy airport without air traffic controls," Dye said.

He noted that in a four-month period earlier this year, there were 21
reported incidents of so-called viruses infecting several hundred
government microcomputers.  There was also a security incident involving
the infestation of 28 microcomputers on Parliament Hill.

The RCMP [Royal Canadian Mounted Police, Canada's national police force
-DS] also reported 11 incidents of illegal penetration of government
computer systems to date.

Many of these problems could have been avoided with proper security, Dye
said.  He noted that the RCMP has advised the government for the past 10
years that computer security needed to be beefed up.

But Dye said 12 of 13 departments reviewed had not addressed the threats
and risks to their computer systems.

Meanwhile, the use of computers is growing rapidly.  There are now more
than 80,000 computer workstations in the federal government and 500
minicomputers and mainframes.

At the same time, there is a growing number of people with both the
know-how and the desire to gain illegal access to federal computers, Dye
said.

But Treasury Board staff said the government is committed to upgrading
computer security and has been working on it since 1986.

"Most institutions have made significant progress since 1986," the
Treasury Board said in comments contained in the report.
But Dye said that, after 20 years of warnings, "the government still has
not provided all the urgently needed security training."

While there is increasing demand for RCMP inspection and consulting
services, the force has added only one new inspector in the past five
years.

As well, the government has not provided an adequate backup system in the
event its computer system is knocked out by fire, power outage or natural
disaster, Dye said.

"In our opinion, departments and agencies have been negligent in not
satisfying this need and in failing to make an adequate commitment to
threat and risk assessment."

Dye told a news conference that virtually the entire government operation
could be halted by a terrorist or earthquakes.  And unlike the private
companies, the government has no backup.

"The private sector would be up in days," Dye said.  "We would be months
stumbling around until we were back in business."

------------------------------

Date: 1 Nov 90 19:08:07 GMT
From: jim@applix.UUCP (Jim Morton [ext 237])
Subject: U.S. Sprint new calling card system

U.S. Sprint just announced that they are "Beta-testing" a new phone
calling card system that will use voice spoken card numbers, and no card
number entries will be able to be entered by touch-tone keys.  This
presents the risk of the person at the next pay phone to you overhearing
your calling card number as you speak it and be able to write it down and
distribute it to other people as has happened with PC Bulletin boards
around the country.  To make the matter worse, 9 of the digits in the
"voice card" number are your SOCIAL SECURITY NUMBER.  There have been
endless discussions on Usenet about the SSN privacy issue.  I would urge
people to consider these risks before participating in this "Beta-test".
Jim Morton, APPLiX Inc., Westboro, MA
...uunet!applix!jim   jim@applix.com

------------------------------

Date: Wed, 31 Oct 90 16:20:13 -0800
From: Cindy Tittle
Subject: Chilling Advertisement

I just saw a rather chilling advertisement in this week's edition of
Newsweek (November 5, 1990).  It features a computer monitor/keyboard with
a Sherlockian cap hung on one corner.  The bold type says "Information is
your company's best protection from liability."  OK so far, then I read on:

  "Get it fast -- without leaving your desk.

  Think about it.  Know your potential employees.  Verify the business
  credits of new accounts.  Or, check out your new vendors.  Just hit a
  few keystrokes on your personal computer and you've got it.
  Information from UCC, civil and criminal record filings, Secretary of
  State, and more, allow you to uncover bankruptcies, pending litigation
  and a wealth of information that may protect your company from
  liability -- or even loss.

  All you need is a personal computer and existing software.  That's
  right.  View it -- Print it -- Store it.  CDB Infotek's Investigative
  Information System is an on-line database designed to provide access to
  public record information for company security, credit, personnel and
  management departments.

  Not only is CDB Infotek's on line service one of the most comprehensive
  in the industry, it's easy to use.  And it's fast.

  Before you make a decision -- check the records -- check with CDB
  Infotek.  [...]"

Eek.

--Cindy

------------------------------

Date: 04 Nov 90 11:53:27 EST
From: Dave King <71270.450@compuserve.com>
Subject: Prodigy Censors Users

Apparently, Prodigy is evicting users who are voicing their opposition to
a new Prodigy policy which will implement charges for EMAIL messages
within the Prodigy service.  In 1991 Prodigy will implement a policy
which charges users 25 cents for every EMAIL message they send after the
first 30 every month.
Prodigy users who have been vocal in their displeasure, and who have used
the facilities of Prodigy to attempt to recruit others to their cause,
have found themselves booted from the service.

According to a story by Evelyn Richards, a Washington Post staff writer:

  ... This week [Prodigy] unplugged about a dozen outspoken dissidents
  whom it says were pestering innocent users with the electronic
  equivalent of junk mail.

  But what Prodigy sees as a way to stop needless harassment seems to
  others as a blatant example of censorship.  That's because the people
  bumped from the Prodigy system included the most active critics of a
  planned price increase for Prodigy's electronic mail service.  Using
  electronic mail on the network, the dissidents had urged other
  subscribers to join the revolt by boycotting the advertisers that buy
  time on Prodigy's network.

  "Prodigy is arguing they don't want people harassing their users," said
  Gary Arlen, editor of Interactivity Report, a Bethesda newsletter that
  follows the on-line industry.  "I think that's a stretch.  It's a way
  to keep their advertisers pleased."

  The incident is the latest to spotlight the difficulties society faces
  as it struggles to adapt old laws and customs to emerging electronic
  networks.  ...

  Some people say on-line services should protect the right of all
  expression, as a phone system does, while Prodigy argues it is more
  similar to a newspaper, which is free to publish what it chooses.

  Prodigy's troubles began two months ago when it announced that
  households would be able to send their first 30 electronic mail
  messages free but would get charged 25 cents for each additional
  message.

  A core of angry subscribers first protested by posting notices to
  Prodigy's on-line bulletin boards, the computer equivalent of
  neighborhood kiosks.  Prodigy said it posted thousands of such
  complaints for others to read - but it didn't publish them all.
  When the writers urged a boycott of Prodigy advertisers - firms selling
  products on the network - Prodigy's editors returned the messages to
  the senders.

  "We're not going to post something designed to destroy our business,"
  said Geoffrey Moore, Prodigy's director of market programs and
  communications.  Moore likened the decision to a newspaper rejecting a
  letter to the editor, or rejecting an advertisement that criticizes the
  newspaper's largest advertisers.

  This week Prodigy decided enough is enough and refused to post any more
  messages about the rate increase.  But what especially angered
  officials was when the dissidents inundated other users with
  electronic chain letters urging them to join the protest and boycott.
  Moore said users complained, so Prodigy bumped the offenders.

  And now the protestors say that's unfair.  "We're not being abusive.
  We're not being vulgar.  All we're doing is making our (opinions)
  known," said Larry Wienner, 22, a Prodigy user from Randallstown, Md.

  Wienner said the bumped dissidents are so hooked on Prodigy that they
  may try to re-subscribe under assumed names.

Dave

------------------------------

Date: Wed, 31 Oct 90 12:42:06 est
From: davis@ai.mit.edu (Randall Davis)
Subject: "Expert Systems in the Loop" explained (RISKS-10.52)

Martyn Thomas writes:

> The original article was mine, and referred to a report of a new research
> project in the UK to develop an expert system to advise commanders in
> tactical situations which are too complex to analyse without assistance.
> This report *explicitly* referred to an expert system.  The point of my
> original posting was that an expert system which provides advice, in
> circumstances where a decision must be made and there is insufficient time
> for the commander to analyse the situation him/herself, is effectively
> making the decision.  Many who followed up agreed with this viewpoint.

Fair enough.  Note also that a small variation on your fundamental claim
is equally true:
  ... an EXPERT who provides advice, in circumstances where a decision
  must be made and there is insufficient time for the commander to
  analyse the situation him/herself, is effectively making the decision.

That is, as is frequently true in these situations, not only is this not
a matter of expert systems, the computer itself is almost completely
irrelevant.  It's a matter of being in a complex, time-constrained
situation and needing to make a decision.  If you don't have the time to
consider carefully what to do, you're just about equally up the creek
whether you get the advice from a machine or from another human being.

The moral of the story: try not to put yourself into those positions in
the first place.  Neither computers nor humans will get you out of it,
and neither of them is to blame for your predicament.

------------------------------

Date: Wed, 24 Oct 90 19:46:01 EDT
From: cstacy@ai.mit.edu (Christopher C. Stacy)
Subject: Airliner story (Re: Cherniavsky, RISKS-10.55)

I believe my original response explained the reasons why transponders are
required.  I must again emphasize that a safe flight under an IFR flight
plan, such as in the "horror story", can by all means be completed without
a transponder (or indeed, without any radar equipment, although nobody is
suggesting this alternative as convenient or desirable.)  We could discuss
the details of the ATC issues related to the story, but I didn't raise
those originally because I didn't think this was really the most
appropriate forum for that lengthy technical discussion.

In order to clear up possible misunderstandings, I will respond to the
specific points you have raised in your message.  I could just quote
regulations to make my point, but I think it would be more useful to
everyone else if they had some more general background information about
the procedures for conducting flights like the one in the story.  So I'll
start with an explanation of IFR, for those who are not as familiar with
aviation.
Airplanes are navigated by the pilot, not by ATC from the ground.  During
good weather conditions, planes can operate under Visual Flight Rules
(VFR), whereby the pilot is responsible for (among other things) "seeing
and avoiding" other airplanes.  When the weather is not good enough for
flying around this way, you operate under Instrument Flight Rules (IFR).
The IFR concept is also based on pilots doing their own navigating, but
it's along completely specified routes.  Air Traffic Control (ATC) manages
these routes to make sure that only one single airplane occupies a given
piece of airspace at a time, since the planes can't see each other.  This
function gives pilots a rather special, personal meaning to the idea of
"trusting the Government" :)

A fundamental component of IFR is the Flight Plan, which is the routing
specification for this particular flight.  As the flight progresses from
takeoff to landing, the controllers update the status of the flight, as
recorded on little strips of paper they push around.  This is all fairly
computerized, but can also be done with a pencil.

The pilot finds his way by referring to the charted route, and his Flight
Plan, and the onboard navigation instruments.  The most common instrument
is a radio receiver called a VOR, which listens to special ground stations
that define the airways.  There are other radio-based systems, such as
LORAN, and also self-contained systems like inertial guidance (famous from
the KAL-007 disaster.)  The degree of onboard automation to navigate and
automatically fly the plane varies widely.

The pilot and controllers talk to each other over the radio, as the
controller clears the plane into each successive block of airspace.  There
are contingency procedures for a loss of communication, based on
expectations from the Flight Plan.

The clearances for a plane to enter a portion of an airspace route are
based upon the amount of separation that will be achieved between all the
traffic on that route.
The present speed of an aircraft and its known position are used to figure
out when it's safe for it to be cleared to move along.  ATC uses radar to
watch the planes along the routes; this kind of direct feedback allows
them to increase the traffic density.  If radar is not available,
everything still works, but much more slowly.  Without radar, the pilots
have to regularly inform the controllers of their location, and verify
their assigned altitude.  In order to guarantee safety, the separation
minima are much greater when there is no radar contact.

The key point here is that without radar, or even radio communications,
the air traffic system can still keep putting IFR flights into the air
with safety, even if reduced to pencil and paper.  However, it couldn't
keep up the volume of service we are accustomed to, and all our flights
would be delayed considerably without these goodies.  This is why radar
transponders are normally required equipment.  But transponders do break.

In our story, we had not lost radar capability, but only the transponder.
The transponder responds to radar signals by transmitting ("squawking") a
coded signal containing the flight's assigned ID number, and the altitude.
In addition to providing a more reliable signal, the ATC computers would
normally receive and use the ID number and indicated altitude to automate
certain tracking functions.

If our flight had been further along its route when the transponder
failed, assuming the pilots didn't want to land as a precautionary measure
against more critical system failures, they could have received clearance
to simply continue to Dulles airport and land as they had planned.  The
exact separation procedures applied to this plane would vary, depending on
the type of automation available to each controller, and other things.
Depending on the effects of this, ATC might also decide to re-route us to
another less busy airway, for greater safety and to not restrict the flow
of other traffic on the original route.

On our way, we could be in radar contact, although the controller would
have to initially point at our target's primary return on the screen to
tell the computer which flight that was.  Next to the little "." or "+"
representing our airplane, the system could then display the usual data
block (flight ID and other information), except for the altitude readout,
just as if it were a normal flight.  Our aircraft could probably be radar
separated laterally by between 3 and 5 miles, depending on the phase of
flight and a bunch of other factors.  Vertical separation (altitude
assignment) would be based on the other traffic's altitude readout and our
own altitude as reported by our pilot.

The enroute radar systems at a regional Air Traffic Control Center would
generally be able to track a primary return.  However, at the end of the
flight, the destination Approach controller might not have a system (such
as ARTS IIIA - Radar Tracking & Beacon Level) that could track and predict
primary returns.  I guess this would probably mandate an increase to
higher separation minima than usual, during the final phases.

I'm not an air traffic controller or anything, and I'm not going into
excruciating detail on all the separation minima and equipment and
procedures; there are books available; I think you have the idea now.

Onto Ellen's specific complaints ...

  Reasons for being concerned about the lack of a working transponder
  are: an aircraft with invalid altitude data is not eligible for
  processing by the conflict alert function, and in order to enter a
  Terminal Control Area an aircraft must be equipped with a 4096 code
  transponder (so without a transponder the pilot could not fly into
  Newark, Kennedy, La Guardia, Atlanta, Dallas/Fort Worth, etc.).
  Agreed this is not an immediate major safety problem, but there are
  good reasons not to proceed without a transponder.

There are two issues here: Conflict Alert, and transponder requirements.

Conflict Alert is a set of features on some of the fancier Approach
controller's radar systems.  It is worth noting that only some of the
radar systems have this feature (for example, ARTS II doesn't.)  The first
kind of Conflict Alert has to do with the terrain/obstruction clearance
map programmed into the system.  Basically, when an aircraft is off the
correct landing approach path, the system warns the controller.  The other
Conflict Alert feature has to do with converging aircraft.  In an IFR
environment, this is just an additional safety feature; the separation
criteria already provide for airplanes not being close to each other.  It
would warn the controller if the airplanes got closer than 3 miles.  Of
course, with arrivals effectively slowed down due to increased separation
minima, the controller can simply monitor the separation manually.

For Conflict Alert to work, it has to have the plane's altitude readout
from the transponder.  So, if your transponder is not squawking your
altitude, you would indeed lose these extra safety features.  Lots of IFR
flights are conducted to or from airports which don't have radar services
available.  Anyway, Conflict Alert is often turned off at ones that do.

Your statement about not being able to fly into a major airport (inside of
a TCA) without a transponder is simply false, and appears to stem from an
incomplete knowledge of the relevant regulations.  Maybe you just heard
someone briefly explain the rule in one sentence or something.  You can't
fly into various kinds of airspace unless you have an operating
transponder.  In particular, you can't fly into the 30 nautical mile
"Mode C Veil" around a TCA without an altitude encoding transponder.
Unless the controllers authorize you to do so.
To wit:

  FAR 91.215 (d)  ATC transponder and altitude reporting equipment and
  use; ATC authorized deviations.  ATC may authorize deviations from
  paragraph (b) of this section --

  (1) Immediately, to allow an aircraft with an inoperative transponder
      to continue to the airport of ultimate destination, including any
      intermediate stops, or to proceed to a place where suitable repairs
      can be made or both,

  (2) Immediately, for operations of aircraft with an operating
      transponder but without operating automatic pressure altitude
      reporting equipment having a Mode C capability; and

  (3) On a continuing basis, for operations of aircraft without a
      transponder, in which case the request for a deviation must be
      submitted to the ATC facility having jurisdiction over the airspace
      concerned at least one hour before the proposed operation.

If you refer to the Airman's Information Manual (170), or the Air Traffic
Controller's Handbook (5-41), there are additional notes on the subject.

I don't understand the sources of some of the people making various claims
about the air traffic system and its risks.  I am just a simple four-month
old private pilot (not even instrument qualified) and my information comes
from my primary training, reading basic textbooks, and asking questions to
the local FAA experts (the folks at Boston Center.)  I wish people would
research things more before making scary statements.

If people would like to continue this discussion in this kind of detail, I
would be willing, but I consider this all to be a sidetrack from the
essential points about the airliner story and how IFR flight works.  Not
to mention whether the Airbus is safe or not.

My messages on the subject may have been somewhat charged, and if I have
needlessly offended anyone, I apologize.  However, the misinformation and
misconception of issues surrounding flying is generally enormous, and I
felt compelled to introduce a few facts and context into the discussion.
I hope anyone has found this useful.
There are definitely risks associated with aviation, but unfortunately
it's a technical enough subject area that it can be difficult to
understand and evaluate without a lot of detailed knowledge.  I think that
the risks associated with systems such as fly-by-wire (remember that?) is
a useful topic for discussion here, especially in broad terms of raising
the basic risk awareness.  I would be wary of certain kinds of
micro-analysis however, unless you're pretty sure of what you're talking
about.  Have you ever noticed when you read a newspaper or watch
television news, that, quite often, technical issues you happen to be
familiar with are misunderstood and distorted?  I hope that similar
treatments of our varied issues will not become the usual practice in
RISKS.

------------------------------

End of RISKS-FORUM Digest 10.58
************************
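Editor's added example (not part of the digest and not any ATC vendor's code): a toy model of the converging-aircraft Conflict Alert check that Stacy describes in the airliner thread above. It shows the failure mode he and Cherniavsky argue about: a target with no Mode C altitude readout is simply not eligible for the automated function, so the pair it forms with a nearby aircraft never produces an alert and must go on the controller's manual watch list. The 3 nm lateral figure is the one quoted in the post; the 1000 ft vertical minimum, the planar nautical-mile coordinates and the flight IDs are constructed assumptions for the sake of a runnable demonstration.

```python
"""Toy Conflict Alert model: why a primary-only target (no transponder
altitude readout) silently drops out of the automated check."""
from dataclasses import dataclass
from itertools import combinations
from math import hypot
from typing import List, Optional, Tuple

# 3 nm lateral comes from the RISKS post; 1000 ft vertical is an assumption.
LATERAL_MIN_NM = 3.0
VERTICAL_MIN_FT = 1000


@dataclass(frozen=True)
class Target:
    flight_id: str
    x_nm: float                 # constructed planar position, nautical miles
    y_nm: float
    altitude_ft: Optional[int]  # None = primary return only, no Mode C readout


def lateral_separation_nm(a: Target, b: Target) -> float:
    """Straight-line distance between two targets on the planar picture."""
    return hypot(a.x_nm - b.x_nm, a.y_nm - b.y_nm)


def eligible(t: Target) -> bool:
    """Conflict Alert only processes targets with valid altitude data."""
    return t.altitude_ft is not None


def conflict_alert(targets: List[Target],
                   lateral_min_nm: float = LATERAL_MIN_NM,
                   vertical_min_ft: int = VERTICAL_MIN_FT
                   ) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (alerts, ineligible).

    alerts: pairs of flight IDs closer than BOTH the lateral and vertical
            minima, considering only eligible targets.
    ineligible: flight IDs the function skipped for lack of altitude data.
    """
    ineligible = sorted(t.flight_id for t in targets if not eligible(t))
    alerts = []
    for a, b in combinations([t for t in targets if eligible(t)], 2):
        lateral = lateral_separation_nm(a, b)
        vertical = abs(a.altitude_ft - b.altitude_ft)
        if lateral < lateral_min_nm and vertical < vertical_min_ft:
            alerts.append(tuple(sorted((a.flight_id, b.flight_id))))
    return sorted(alerts), ineligible


def manual_watch_list(targets: List[Target],
                      lateral_min_nm: float = LATERAL_MIN_NM
                      ) -> List[Tuple[str, str]]:
    """Pairs the controller must eyeball: inside the lateral minimum and
    involving at least one target Conflict Alert cannot process."""
    pairs = []
    for a, b in combinations(targets, 2):
        if ((not eligible(a) or not eligible(b))
                and lateral_separation_nm(a, b) < lateral_min_nm):
            pairs.append(tuple(sorted((a.flight_id, b.flight_id))))
    return sorted(pairs)


# Constructed sample traffic picture; these are not real flights.
SAMPLE = [
    Target("ABC123", 0.0, 0.0, 5000),
    Target("DEF456", 2.0, 0.0, 5400),   # 2 nm and 400 ft from ABC123 -> alert
    Target("GHI789", 0.0, 2.5, None),   # primary only, 2.5 nm from ABC123
    Target("JKL012", 10.0, 0.0, 5000),  # well clear of everyone
]

if __name__ == "__main__":
    alerts, skipped = conflict_alert(SAMPLE)
    print("Conflict Alert:", alerts)
    print("Not processed (no altitude readout):", skipped)
    print("Controller must watch manually:", manual_watch_list(SAMPLE))
```

Running it shows one automated alert (ABC123/DEF456), one skipped target (GHI789), and one pair the automation never sees even though the aircraft are only 2.5 nm apart. That gap, not the absence of a transponder as such, is the practical reason Stacy gives for the higher separation minima applied to a primary-only target.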