Subject: RISKS DIGEST 10.85
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 31 January 1991  Volume 10 : Issue 85

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:  **NOTE: Tons of stuff pending on MasterCard & Cashless Society,
             to be pruned?**
BENEFITS of Computers, Valentine's Day Edition (Jay Elinsky)
Re: Auto Pilot Problems (David B. Horvath)
Re: Risks of automatic flight (Gordon D. Wishon)
Re: Patriots (Alex Bangs, Jerry Leichter, Martyn Thomas, Henry Spencer,
   Frank Ritter, David B. Horvath)
Re: Broadcast local area networks are a'comin (Russ Housley, Frank Letts,
   Rich Rosenbaum, Ian Clements)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
 taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
 CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
 Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
 FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR> (where i=1 to 10, j is always TWO digits.
 Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of
 ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 31 Jan 91 08:58:53 EST
From: "Jay Elinsky"
Subject: BENEFITS of Computers, Valentine's Day Edition

On "Neighbors" page of Woman's Day, 5 February 1991:

  A husband who finds it difficult to say "I Love You" programmed his wife's
  software on their personal computer to flash "I LOVE YOU" on the screen
  when she exits the program.

Jay Elinsky, IBM T.J. Watson Research Center, Yorktown Heights, NY

   [This is known as putting all your exits in one pass-kit.
   But what, you might ask, is the RISK that makes this story relevant?
   The Trojan horsing around?  The risk of botching her software?  The
   opportunities for subliminal advertising?  Well, when Weekly World News
   prints this story, it will describe it as intelligent workstation
   software that gets jealous because it detected the amorous intent of the
   husband and then automagically changed the message to "YOUR HUSBAND IS
   CHEATING ON YOU." or "YOUR HUSBAND IS TRYING TO BUG YOUR SOFTWARE."  PGN]

------------------------------

Date: Wed, 30 Jan 91 15:35:58 EST
From: "DAVID B. HORVATH, CDP 8*747/215-354-2468"
Subject: Re: Auto Pilot Problems

During the Vietnam war (conflict?), the F-111 was sent into combat.  There
are three modes to the terrain following equipment - soft, medium, and hard.
These modes describe how hard the computer climbs or dives the aircraft - the
number of G's exerted on the crew.

Several planes were lost shortly after deployment.  Another crew reported that
when the hard mode was used, there were times that the crew was helpless - the
computer performed 5 G climbs and dives over some of the high hilly terrain in
Vietnam.  The plane would climb HARD and dive HARD, climb and dive, etc.; due
to the G-forces, the crew was not able to control the plane, making it a good
target for the enemy.

Being air-sick is nothing compared with being shot down because you can't take
the airplane's controls out of automatic mode.

- David Horvath

[Opinions are mine only; I found this information in something I read.
References available on request.]

------------------------------

Date: 31 Jan 91 22:03:36 GMT
From: gwishon@blackbird.afit.af.mil (Gordon D. Wishon)
Subject: Re: Risks of automatic flight (Crepin-Leblond translation, RISKS-10.83)

> This is so serious that when some pilots arrived at the target site, they had
> lost all faculties of analysis, and as a result the U.S. Air Force has decided
> to abandon at least partially the concept of automated piloting for very low
> altitude flights. "

Ahem...  I hope someone tells the crewmembers of USAF F-111's, RAF Tornados,
and any allied LANTIRN-equipped aircraft (among others).  It's ludicrous to
believe that any airman would allow his pink flesh to be routinely thrown at
the ground without some control (or at least a cross check) of the system.  I
would suspect that's the real reason to "abandon" the concept.  Don't forget,
in the USAF at least, airmen make the decisions on what technology to pursue.

As for airsickness, some people are susceptible, others are not.  Those who
are, are mostly weeded out during the qualification process.

By the way, the article should have specified "...the concept of _manned_
automated piloting...."  The concept of unmanned automated piloting is alive
and well (vis. Tomahawk cruise missile).

Gordon D. Wishon, Air Force Institute of Technology

------------------------------

Date: Wed, 30 Jan 91 15:46:02 EST
From: abg@mars.EPM.ORNL.GOV (Alex Bangs)
Subject: Re: Patriots (RISKS-10.84)

Note that according to press reports, the JSTARS tracking aircraft is being
used in the Kuwaiti theater.  This aircraft is only a prototype.  I remember
hearing early on that JSTARS would _not_ be used because they didn't want to
risk it, but apparently they have decided otherwise.  Or the press could be
wrong.

Alex Bangs, ORNL

------------------------------

Date: Thu, 31 Jan 91 00:16:38 EDT
From: Jerry Leichter
Subject: Patriots

The debate about what the apparent effectiveness of the Patriots demonstrates
itself demonstrates the unfortunate way in which too much debate on various
important issues is carried on.

1.  The Patriot was intended to be a close-in defender of important military
sites.  It was apparently never intended to be used to defend cities.
When you are protecting a relatively small, fairly "hard", military site,
knocking an incoming warhead off target by even a fairly small amount is an
excellent defense.  Obviously this is NOT the case when you are defending a
spread out, fairly "soft" target like a city.

2.  "If the warhead had chemical agents, blowing it up with a Patriot just
makes things worse."  Simple logic tells you that this is unlikely to be true.
There is an optimal height at which to release poison gas:  Too near the
ground and it doesn't spread out enough, too high and it dissipates before
having an effect.  The designer of the warhead will try to hit the optimum.
Unless he does a really bad job of it, AND you are very unlucky, you can at
worst leave things unchanged by hitting the warhead.

The arguments in (1) and (2) are typical of one class of responses by those
who have an emotional attachment to the position that sophisticated weapons
don't work:  When the systems SEEM to work, that's only an illusion - they
don't REALLY work after all.  (I'd be interested to know what those who make
these arguments think the Israelis have in mind in deploying and using
Patriots.)  The arguments of those who have an attachment to these weapons are
pretty much the same, if turned around:  See, they work so they are effective.

The evidence - so far as we can tell through the noise of battle combined with
censorship - is that these weapons really DO work, in the sense that they do
pretty much what their builders claimed.  What is by no means clear is that
they are as effective at actually doing something USEFUL, as has also been
claimed.

A more subtle anti-smart-weapon argument takes the form:  "Well, yes, these
things work, but we always knew they would - it's those OTHER things that
don't work."  The difficulty with such a claim is that anyone can make it
after the fact.  Certain people - David Parnas is certainly one, as he has
written about many of these issues - can legitimately and honestly say that
they have never said, say, that close-in defenses can't work, they've only
argued against some more grandiose schemes.  However, my own experience has
been that most critics had very general complaints about these systems.
"They won't work in the heat of battle."  "The sand will destroy them."  "RFI
among all the planes in the sky will make them all do crazy things."  And so
on.  In effect, these people made a prediction:  When used in battle, these
devices would not perform as well as simpler weapons.  As far as we can tell
at this point, that prediction was just plain wrong.

I must admit that I made such predictions myself.  Having seen the way large
complex systems fail, especially having seen how getting the last 10% can
destroy the 90% you already have, I always read the criticisms with great
sympathy.  If you had asked me a couple of months ago whether one could expect
to hit rockets coming essentially straight down at Mach 4, in the middle of a
desert, night after night, with all sorts of other clutter in the sky, I would
have said "no".  (It appears that Parnas knew better.)

A final argument, seen on both sides, is essentially one of extrapolation:
Sure, you can hit SCUDs, but what about the next weapon?  Sure, a Stealth
fighter can hide from standard radar, but what about two-point radar?  To
which the only answer is:  Weapons are always changing.  They have been since
the beginning of time, and they always will be.  The best you can do is match
what the other guy has now, or will likely have in the near future.  In the
long run, both your system and the other guy's will be obsolete; it's a
never-ending process.  At the moment, the evidence is that the smart weapons
CAN be built and used, and can best "not so smart" weapons.  Things could
change.

The same argument from the other side is:  We can build a Patriot, so we can
build an SDI.  Well, maybe - but that's a very big leap.  On the other hand,
the claim "We can build a Patriot, so we can build an ABM system that will
keep us safe from attack by any small power (i.e., an attack with no more than
a few hundred warheads)" is now at least reasonably arguable.

It's been said that the first victim of war is the truth.  There are plenty of
issues here - political, social, technological, military - that need to be
examined with some degree of rational thought.  Sloganeering doesn't help.
Refusing to look at the evidence doesn't help.  Refusing to change one's mind
no matter WHAT happens doesn't help.

                                                        -- Jerry

------------------------------

Date: Thu, 31 Jan 91 14:03:52 BST
From: Martyn Thomas
Subject: Patriot missiles provide no evidence for SDI

One powerful argument against SDI is that you need confidence that the system
will work effectively the first time it is used against a full attack.  The
Patriot missiles, even if they were 100% effective against SCUDs, can provide
no basis on which we can be confident that a different system, deployed
against different targets, would be successful.

In general, we may be able to *achieve* very high success rates with complex
systems, but this is a very different thing from being able to *predict* a
high success rate with any convincing evidence.  When we certify a new
safety-critical system for use, we predict that the failure rate will be
acceptable; evidence that past systems have achieved acceptable error-rates is
almost useless for justifying such a prediction, unless the new system is a
very well-controlled evolution of the earlier system.  This is extremely rare.

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.  +44-225-444700.
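   [Editor's worked calculation, added here and not part of Martyn Thomas's
   post or of the digest: it makes concrete the gap he draws between
   *achieving* and *predicting* a high success rate.  The standard
   zero-failure demonstration argument assumes n independent trials of the
   very system being certified, each with the same unknown per-trial failure
   probability p, under representative conditions.]

```latex
\text{Run } n \text{ trials of the system itself; suppose none fails.} \\
\text{If the true per-trial failure probability is } p, \text{ that outcome has probability } (1-p)^n. \\
\text{To claim } p < p_0 \text{ at confidence } 1-\alpha \text{ we need } (1-p_0)^n \le \alpha, \text{ i.e.} \\
n \;\ge\; \frac{\ln \alpha}{\ln(1-p_0)} \;\approx\; \frac{-\ln \alpha}{p_0} \qquad (p_0 \ll 1). \\
\text{For } p_0 = 10^{-3},\ \alpha = 0.05:\quad n \ge \frac{\ln 0.05}{\ln 0.999} \approx 2995 \text{ failure-free trials.} \\
\text{For } p_0 = 10^{-4}:\quad n \approx 3\times 10^{4}; \qquad \text{for } p_0 = 10^{-6}:\quad n \approx 3\times 10^{6}.
```

   [The bound counts only trials of the system under test, in the conditions
   sampled.  A different system, or a substantially modified one, restarts
   the count at zero, which is why a record of past systems' successes
   supports no prediction for the new one.  A few dozen engagements,
   however successful, bound p only to the order of a few percent.]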
------------------------------

Date: Thu, 31 Jan 91 11:54:47 EST
From: henry@zoo.toronto.edu
Subject: Re: Patriot Missile (Parnas)

I should preface this by saying that I agree with Dave Parnas's most basic
point:  recent Patriot successes say little about effectiveness of more
ambitious antimissile defences.  However, some of his arguments are weak...

>...The Patriot missile itself is launched on a path that will
>intercept the path of the incoming missile ...
>and has a very simple homing system that is effective when (and if) it
>gets near its target.  Were the target missile to change course drastically
>after launch, the Patriot missile would end up somewhere else...

I believe this is erroneous.  Patriot is guided, under control of the launch
system, all the way up.  It's not a question of firing it on a predetermined
trajectory in hopes that it will get close enough to home.  Even Patriot's
homing is actually controlled by the ground computers; the missile itself has
no brains to speak of, just a receiver system that picks up radar reflections
off the target and relays them to the ground for assessment.  In principle, a
drastic course change by the target can be matched by a similar change by the
Patriot.  How well this actually works is an open question, since it hasn't
been tried in combat.  (The recent incident of an accidental launch against
aircraft is silly as a test case, since the Patriot system reportedly was in
antimissile mode and thus probably wasn't expecting evasive action.)

It occurred to me a little while ago, in fact, that we may never know how well
Patriot would work against aircraft.  Aircraft can be shot down by lots of
systems, e.g., other aircraft, while Patriot is the only operational
antimissile system.  I'd expect that the Patriot batteries in the Gulf have
firm orders to ignore aircraft, and it would take a really drastic change in
the situation to get those orders changed.

>... The development and manufacture tooling stage of the Patriot
>was completed in 1980...  The SDI program was
>not announced until 1983.  There was no SDI software technology to be applied
>to Patriot...

While the original development of Patriot was completed about a decade ago,
much of the antimissile capability was in the form of retrofits.  According
to Flight International, full production of Patriots with the current
antimissile capability started in 1989.  So there was some opportunity for
application of SDI software technology, although I do not know whether that
actually happened.

>... Terminal defense systems can have an operator who makes
>decisions that would have had to be automated in the space-based system.

I've never understood why it is fundamentally impossible to put "man in the
loop" for space-based systems.  I'd be interested in seeing this explained.
There is clearly a serious shortage of time for decision-making, but the same
is true of terminal defence against tactical missiles -- which have much
shorter flight times than ICBMs -- and short-notice decision-making in combat
is both possible and practical, as any fighter pilot can testify.

>... The SCUD was first deployed about 1965 - Patriot about 19 years later.
>All RISKS readers should think about the advances that we have seen in 19
>years.  It should come as no surprise that the Patriot can sometimes destroy
>missiles that were deployed when its development began...

As far as I am aware, it should still be capable of destroying most missiles
that were deployed yesterday.  Maneuvering warheads remain extremely rare and
rather limited, and most other forms of countermeasures don't work in the
terminal phase.

Henry Spencer at U of Toronto Zoology   utzoo!henry

------------------------------

Date: Thu, 31 Jan 91 03:16:54 -0500 (EST)
From: Frank Ritter
Subject: Patriot's defense (Johnson, RISKS-10.83)

Some notes on the Patriot system:

You can "program" by designating areas where all planes are safe, or a plane
should be assumed a bogey.  The programming going on now is probably on this
level, where they are trying to create areas not to shoot at what's in them.
There are things that could be used, but I don't think anything provided
directly or played with in the past.

I know that a good way to avoid Patriot missiles is to drop below their radar
height.  I would also assume that if I had accidentally shot at a friendly, I
would give them a call and turn off my radar.  Even if neither of these
occurred, our pilots are keenly aware and concerned about the Patriot system
and how to avoid it (and indeed all air defense, ours and theirs).  And there
are other ways to beat the Patriot, such as being in "safe zones" that change
daily, which friendlies, and only friendlies, would know.

I don't think what we've seen tells me a lot.  SCUDs are a lot different than
planes; while they travel straight, they travel darn fast for a plane.  Our
planes should be able to not get hit even if shot at, particularly if there
are no other planes or AAA.  The real power of the Patriot appears to be the
ability to deal with a large number of planes, some targets, some not.  If
these friendlies came back without their transponders on, in the wrong
direction and altitude, the right mistake was to shoot at them.  Until you
know this information, it's hard to judge what was going on.

Frank Ritter@cs.cmu.edu   ritter@psy.cmu.edu   fr07@andrew.cmu.edu

------------------------------

Date: Wed, 30 Jan 91 15:35:31 EST
From: "DAVID B. HORVATH, CDP 8*747/215-354-2468"
Subject: Nike Hercules Site (Re: Patriots, Wright, RISKS-10.83)

> Some years back I was stationed with HHB 45th Arty (AD) a Nike Hercules unit
> [...]
> the reply was "Well son .... what would you rather have: ## kilotons over
> Evanston, or 10 to 50 megatons over the loop ?"     [... Ed Wright]

I live in suburban Philadelphia (Pennsylvania, USA); a few miles from where I
live are the remains of a Nike Hercules unit.  I believe the intent was to
lose Broomall or Cherry Hill (New Jersey) to save Philadelphia and other
suburbs.  I can see a conversation like the one described above actually
happening!

- David Horvath

------------------------------

Date: Wed, 30 Jan 1991 11:06:04 PST
From: Russ_Housley.McLean_CSD@xerox.com
Subject: Re: Broadcast local area networks are a'comin

In RISKS 10.83, Tom Lane quotes an article from the New York Times stating
that Apple is installing (or at least reserving the radio frequencies for) a
wireless 10 Mbit/sec LAN.  Tom observes that such a broadcast LAN requires
protection.  I agree.

Wireless LANs are being standardized by the IEEE and IEEE 802.11 was recently
formed for just this task.  The people working on this standard also agree
that sensitive data must be protected on such a LAN.  IEEE 802.10 (Standard
for Interoperable LAN Security) is developing standards for just this purpose.
(Of course, it would be up to each company to decide whether all its data is
sensitive.)

Tom Lane also says, "(But if they are going to support 10Mb/sec data rates,
the encryption would have to be fairly weak, methinks.)"  On this, Mr. Lane
and I disagree!  10 Mbit/sec is the data rate of the "backbone."  If
encryption is placed at each wireless LAN station, the encryptors can run at a
significantly lower data rate.  The station cipher device only needs to
decrypt those frames which are addressed to that station.  Of course, this
includes broadcast frames, appropriate multicast frames, and frames addressed
to that particular station.

In the IEEE 802.3 (Ethernet) world, there are encryption devices that work
just this way.  I will refrain from turning this into an advertisement for
such products, but they are available with the DES algorithm and with NSA
"proprietary" algorithms.

Russ Housley

------------------------------

Date: Wed Jan 30 22:45:06 1991
From: frank letts
Subject: broadcast LAN's

Reading the notices about the approach of broadcast LAN's reminded me of a
semihumorous incident that happened about 2 years ago while I was doing some
consulting for a "local" oil company.  We were preparing a SCADA system for
Oilpatch, Texas and had the entire thing staged on the 17th floor of a TALL
building in downtown Houston.  (That ought to narrow the oil company down to
about 20 or so.)

All of the remote telemetry units were communicating with the master station
computer via low power Johnson radios, and I had made sure that we had dummy
loads on all of the antennae so as to cut down the range of the transmissions.
This screwed up SWR's and about everything else, but we could adjust the
transceivers and get decent communications - most of the time.

Sporadically, we would get bursts of errors for seemingly no reason, and then
good comm again for a while.  I hooked up data analysers, etc, and could see
the junk that was being injected on the frequency, but couldn't identify it as
any of the other equipment that we had operating in the area.

I remembered an old microwave hand showing me how you could kluge in a
telephone handset on a circuit and listen to the "noise", often identifying it
with ease when all of the sophisticated techniques had failed.  Out of
desperation, I rigged up a speaker at the master station and listened to the
buzzings of the remotes answering the master.  Much to my surprise, I heard
some poor fella in a delivery truck complain about "there's that doggone
buzzing sound again" to his dispatcher at the same time that our comm
efficiency dropped to zero!

I felt sorry for him, but I didn't have enough radios laying around to set up
with another frequency, so we just kept testing with the occasional comm burps
until we shipped the system.  I did leave the speaker hooked up, though.  It
was kinda fun listening to all of those guys swear at the strange interference
that they were getting.

Frank Letts, Ferranti International Controls Corp., Sugar Land, Texas
(713)274-5509

   [Sounds like the old joke whose punchline is "Hey Martha, it's that guy
   with the damn whistle again."]

------------------------------

Date: Wed, 30 Jan 91 16:31:24 PST
From: Rich Rosenbaum  30-Jan-1991 1029
Subject: Re: Risks of radio-based LAN's (Lane, RISKS-10.83)

In RISKS-10.83, Tom Lane points out the security risks of wireless
(radio-based) LAN technology.  Actually, wireless LAN's have the potential to
be _more_ secure than traditional "wired" LAN's.  One currently available
wireless LAN product uses spread spectrum communications.  (It is interesting
to note that, for the radio frequencies used by this product, the FCC mandates
use of spread spectrum).  While I am not an expert on spread spectrum
communications, my understanding of the technique suggests that it offers both
increased protection against eavesdropping as well as resistance to jamming,
when compared to traditional radio broadcast techniques.

Rich Rosenbaum

------------------------------

Date: Wed, 30 Jan 91 17:29:59 PST
From: ian@lassen.wpd.sgi.com (Ian Clements)
Subject: Broadcast local area networks are a' comin

One other possible risk is to those with pacemakers or other electronic
medical devices (such as implanted pumps or heart monitoring devices).

--ian
Ian Clements   ian@sgi.com   415/962-3410

------------------------------

End of RISKS-FORUM Digest 10.85
************************
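   [Editor's worked example, added after the digest and not from any
   contributor or from the wireless LAN product Rich Rosenbaum mentions.
   It illustrates the two properties he attributes to spread spectrum,
   resistance to eavesdropping and to jamming, with a toy baseband
   direct-sequence link.  A receiver holding the spreading code gets a
   decision margin equal to the code length; one that guesses a shifted
   code, or does not despread at all, gets a margin of about one chip; and
   a narrowband tone strong enough to destroy an unspread link leaves the
   spread one decodable.  The 15-chip LFSR code, the payload and the jammer
   level are all constructed for the demonstration.]

```python
# Toy direct-sequence spread-spectrum (DSSS) link, baseband, noise-free.
# Added illustration for this digest; not from any RISKS contributor or product.

def lfsr_msequence():
    """15-chip maximal-length sequence from a 4-stage LFSR (feedback from the
    last two stages), mapped to +1/-1.  A real link uses far longer codes;
    15 chips is only enough to make the arithmetic visible."""
    state = [1, 0, 0, 0]
    chips = []
    for _ in range(15):
        out = state[3]
        feedback = state[3] ^ state[2]
        state = [feedback] + state[:3]
        chips.append(1 if out else -1)
    return chips

CODE = lfsr_msequence()      # the shared secret spreading sequence
N = len(CODE)                # processing gain: 15 chips per bit (~11.8 dB)

def spread(bits, code):
    """Transmitter: every data bit (+1/-1) is multiplied by the whole code."""
    return [b * c for b in bits for c in code]

def correlate(received, code):
    """Receiver front end: per-bit correlator output sum(received * code)."""
    n = len(code)
    return [sum(r * c for r, c in zip(received[i:i + n], code))
            for i in range(0, len(received), n)]

def despread(received, code):
    """Hard decision on each correlator output."""
    return [1 if x > 0 else -1 for x in correlate(received, code)]

def margin(received, code):
    """Smallest correlator magnitude, i.e. how far the weakest decision sits
    from the zero threshold.  With the right code this is N; with a wrong
    code it collapses to about 1 (an m-sequence's off-peak autocorrelation)."""
    return min(abs(x) for x in correlate(received, code))

BITS = [1, -1, -1, 1, 1, -1, 1, -1]          # constructed 8-bit payload
TX = spread(BITS, CODE)

# Eavesdropper guesses: a cyclic shift of the real code, or no despreading.
WRONG_CODE = CODE[3:] + CODE[:3]
PLAIN = [1] * N          # all-ones "code" = plain repetition, no spreading

# Narrowband tone jammer: after downconversion it appears as a constant offset
# of 10 on every chip, i.e. 100x the per-chip signal power (constructed level).
TONE = 10
JAMMED = [x + TONE for x in TX]

# Unspread reference link: same chip rate and energy per bit, but each bit is
# simply repeated N times instead of being multiplied by a balanced code.
JAMMED_PLAIN = [x + TONE for x in spread(BITS, PLAIN)]

if __name__ == "__main__":
    print("legitimate receiver :", despread(TX, CODE), "margin", margin(TX, CODE))
    print("shifted-code guess  : margin", margin(TX, WRONG_CODE))
    print("no despreading      : margin", margin(TX, PLAIN))
    print("jammed, spread      :", despread(JAMMED, CODE), "margin", margin(JAMMED, CODE))
    print("jammed, unspread    :", despread(JAMMED_PLAIN, PLAIN))
```

   [Why it works: the m-sequence is balanced (its chips sum to 1), so a
   constant tone contributes only 10 x 1 to each correlator output against a
   signal term of 15, while the repetition receiver integrates the full
   10 x 15.  Without the code, the eavesdropper's correlator sees a margin of
   1 chip, which any realistic noise swamps; in a real system the code is
   long enough that it cannot be guessed by trial and the signal sits below
   the noise floor.  Spreading is a physical-layer property, not a cipher:
   Russ Housley's point about per-station encryption still applies to the
   frames the link carries.]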