Subject: RISKS DIGEST 11.83
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 5 June 1991  Volume 11 : Issue 83

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Electronic Gear Boxes at the Canadian Grand Prix (Lindsay "F." Marshall)
  Computer-controlled fuel system problems in 747-400 (PGN)
  KAL 007 (PGN)
  Thrust Reversal in the real world (anonymous)
  VIPER lawsuit withdrawn (Martyn Thomas)
  Listening? (Eric Florack)
  Combatting the Network Monitors (Richard Johnson)
  Re: Digital Fingerprints in California (Michael Robinson)
  RFD: comp.online moderated (Robert Jacobson)
  Correction Re: Writer steals stories via computer (Rodney Hoffman)
  Amendation Re: Computers and Academic Freedom Groups Now at EFF.ORG

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM.

For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 11, j always TWO digits). Vol i
summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in
"CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn;
FTPs may differ; UNIX prompts for username, password.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Wed, 5 Jun 91 12:30:30 BST
From: Lindsay "F."
Marshall
Subject: Electronic Gear Boxes at the Canadian Grand Prix

Mansell mystery deepens (The Guardian, 4 June 1991)

Mystery surrounds the precise cause of Nigel Mansell's dramatic retirement from
the Canadian Grand Prix on Sunday. But the fact that yet again it centred on the
electro-hydraulically actuated gearbox has led to murmurings in the Williams
camp that a manual-gearchange version of the current car should be rushed
through for the second half of the season.

Problems associated with the Williams FW14's gearbox have been responsible for
Mansell's retirement in four of this season's five F1 races. Williams' immediate
priority is to sort out the problem before the next grand prix in Mexico City on
June 16 by pinpointing why Mansell's car lost all drive on Sunday with the
chequered flag in sight. The mystery deepened after the race when the car
eventually returned to the Montreal paddock: it fired up immediately and the
gearchange worked perfectly.

It all seemed to support the widely held view that today's breed of grand prix
car is becoming over-reliant on complex electronics for the efficient operation
of its engine. This viewpoint is strongly supported by the Honda president
Nobuhiko Kawamoto, the man largely responsible for the Japanese company's
pre-eminent position in F1. "We are in danger of introducing a breed of
computerised dinosaur," he said in Montreal. "We are facing a situation where
the electronics may become more complicated than the engines. This aspect of F1
threatens to become ever more expensive."

In the race, Gerhard Berger's McLaren-Honda retired after only four laps with
just such a malfunction of its engine-management computer. Meanwhile, McLaren
have a similar gearbox to Williams' under development, but the team chief Ron
Dennis will not compromise his cars' competitiveness until he is satisfied the
system is bulletproof.

------------------------------

Date: Wed, 5 Jun 91 11:57:36 PDT
From: "Peter G.
Neumann"
Subject: Computer-controlled fuel system problems in 747-400

Richard Fairley picked up the Mainichi Daily News as he was boarding a 747-400
to return from Narita to San Francisco on Saturday, 1 June, and found on the
front page an article on a 747-400 fuel problem experienced at the end of March
on a NY-to-Narita JAL flight. I do not recall seeing a report of this before in
the U.S. press. I abstract from the article somewhat tersely, as follows:

The 747-400 (popularly known as the high-tech jumbo) has five fuel tanks, with
13+38+52+38+13 tons of fuel distributed with lateral symmetry, the 52 being in
the fuselage. The computers are programmed to automatically draw from the 52,
then the two 38s until they approach 13 tons, at which point all four wing tanks
are used simultaneously to maintain proper weight distribution across the
wingspan. On this particular flight, the outer wing tanks were depleted
prematurely, while the fuselage tank was not depleted. The result was that the
wings were too light, arching the wings upward. The operating ratio limits were
exceeded. The fuselage tank is supposedly pressurized at twice the wing tanks so
that the outer tank valves can remain open.

Fairley commented: "I found it particularly interesting that the article reports
there was no trace of the abnormality. If the problem had been more severe, it
is unlikely that the cause of a crash could ever have been detected." (The
article notes that the incident was detected only because JAL had been placing
flight engineers as observers [this is a two-man cockpit-crew aircraft] on its
flights in an attempt to find design problems in the new plane!)

PGN muses: Perhaps this could have begun with a loss of pressurization in the
fuselage tank, with the computer system doing exactly what it was programmed to
do, but with a false assumption about the actual pressure...

------------------------------

Date: Wed, 5 Jun 91 9:33:51 PDT
From: "Peter G.
Neumann"
Subject: KAL 007

More is emerging on the KAL 007 shoot-down, 8 years later, resolving some of the
mysteries but leaving other ones. Recent articles in Izvestia revealed "that the
Soviet Union lied after the shoot-down when it said it had attempted to contact
the errant airliner, that it did find the remains of the aircraft (including the
black box), and that it apparently uncovered no evidence that the plane was on a
spy mission." But they also interviewed the pilot Lt. Col. Gennadi Osipovich,
who said, "I had no idea that it was a passenger aircraft..." Osipovich also
stated that prior to the shoot-down the U.S. had increasingly been violating
Soviet airspace, including various reconnaissance flights, presumably to
calibrate the Soviet responsiveness. One overflight of 15 minutes caused a
reprimand for Osipovich himself, and had "put the Soviet air command on edge."

An article in The Nation, 3 June 91, pp. 724-5, raised several old RISKS- and
technology-related questions that still seem unanswered:

 * Why had the U.S. tracking system failed to follow the plane and alert it?
   (or had it and is simply not admitting it?)
 * What had U.S. intelligence learned of the Soviets' responses?
 * Why were the U.S. radar tapes erased?

The article concludes with this: "But the lack of concrete evidence supporting
the spyflight scenario does not exonerate the Reagan Administration's propaganda
campaign. Both sides acted deplorably...." (E.g., "... the President ignored
U.S.-collected intelligence that demonstrated the Russians didn't know what they
were chasing.")

------------------------------

Date: Wed, 5 Jun 91 11:10:12 xxx
From: [anonymous]
Subject: Thrust Reversal in the real world

While it is true that the 767-300 was certified for operation with accidental
thrust reversal, a very senior airline pilot who knows these planes has told me
(when I asked him about this very topic in light of the recent crash) that in
the "real world" of flying it can be a different matter.
The problem is that during periods of maximum thrust (such as climbing, as was
the airliner in question) the sudden deployment of the reversers could result in
a violent "pinwheeling" of the plane. He points out that this can be extremely
difficult to correct, and can rapidly result in an overspeed condition (and in
fact, the overspeed warning can apparently be heard on the cockpit voice
recorder from the crash). Such conditions can result in rapid disintegration of
the plane as engines and wings are damaged, which could of course result in
fires as well!

He also mentioned that there is a mechanical system that is supposed to prevent
the thrust reversers from deploying unless the aircraft is on the ground--but he
said that these do break down from time to time, which could result in a
situation where computer control, alone, could theoretically deploy the
reversers in flight.

Whether or not thrust reversal was indeed related to the particular crash is an
open question at this time, but remember that just because an aircraft has been
"certified" for a certain set of conditions, doesn't necessarily mean it will do
you much good under a particular set of complex real world circumstances, and
possibly multiple failure modes.

------------------------------

Date: Wed, 5 Jun 91 12:05:50 BST
From: Martyn Thomas
Subject: VIPER lawsuit withdrawn

Charter Technologies apparently went into voluntary liquidation on June 4th.
Before doing so, it withdrew its lawsuit against the UK Ministry of Defence,
probably because it could not afford to pursue it.

There has been a lot of criticism of MoD and others for claiming that Viper is a
proven microprocessor when the development process has not been submitted to
"proof by theorem-prover" from specification to netlist. I believe that this is
mistaken criticism, and reveals some fundamental misunderstandings about the
nature, and value, of proof.
No degree of mathematical analysis of a development process can give absolute
certainty of correctness, and nor can any other technique. Isn't it essential
that anyone in a senior role, developing or purchasing systems or components for
critical applications, understands this?

VIPER is a very high integrity microprocessor. No fault has ever been discovered
in its behaviour, so far as I am aware. This needs to be emphasised, in case the
lawsuit has given the impression that there is something wrong with VIPER. I do
not believe that anyone has even *suggested* that VIPER does not perform
according to specification.

The VIPER development and verification methods have been described in detail,
including the fact that four of the theorems were too difficult for the HOL
theorem prover, and that the lower levels were verified by exhaustive simulation
using a simulator which had not itself been formally analysed. [The company
which develops and markets this tool, ELLA, used to belong to Praxis.] There has
been no attempt to present this development route as anything other than what
it is: a very high integrity development, stopping short of full axiomatic
proof.

We must beware of having the term "proof" restricted to one, extremely formal,
approach to verification. If proof can only mean axiomatic verification with
theorem provers, most of mathematics is unproven and unprovable. The "social"
processes of proof are good enough for engineers in other disciplines, good
enough for mathematicians, and good enough for me. Occasionally, the use of
theorem provers will be cost-effective for the extra level of assurance they
probably provide, but we harm our industry if we do not recognise that there are
very effective, and very formal, verification strategies using higher-level
logics and formal arguments, and that these are legitimately described as
"proofs".
My main concerns are firstly, that the reputation of VIPER and of the
development technologies should not suffer from any misleading impression of the
basis of the lawsuit. Secondly, that we should not slip into a belief that there
are verification techniques which can deliver certainty that a system or
component cannot fail. If we reserve the word "proof" for the activities of the
followers of Hilbert, we waste a useful word, and we are in danger of
overselling the results of their activities!

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel: +44-225-444700.  Email: mct@praxis.co.uk

------------------------------

Date: Wed, 5 Jun 1991 08:33:15 PDT
From: Eric_Florack._WBST311@xerox.com
Subject: Listening? (John Gilmore, RISKS-11.80)

=-=-=-=
>My conclusion is that the government should be prohibited from intercepting
>*ALL* civilian radio communications, except in certain bands like AM and FM,
>while third parties should have full freedom to listen in on any band, as they
>did before 1986 and ECPA.
=-=-=-=

Many two-way services are content specific. There are specific channels for
just about every type of business on the business bands, for example. How would
you suggest that these be enforced without routine monitoring?

Free speech is not the issue in situations like what I suggest. For example,
the business bands, let's say a taxicab channel, for example, is not the place
to be discussing political thinking. The issue as I say, is not free speech,
but rather, the effective and efficient use of the bandwidth.... a matter for
the FCC to determine, certainly. How to be effective in enforcing traffic laws,
without routine monitoring?

My point here is not just this one exception, of course. My point is that your
demand for bans on ALL routine monitoring by governmental agencies is far too
broad a call.
Let's please make sure that in your (IMHO, overblown) concern about government
monitoring we don't cripple the government's ability to enforce laws which
allow the day to day operations of telecommunications equipment to be smooth.

------------------------------

Date: Wed, 5 Jun 91 11:53:53 PDT
From: richard@oresoft.com (Richard Johnson)
Subject: Combatting the Network Monitors

In RISKS-11.79, an anonymous poster tells of the chilling effects of people in
his company discovering they were being electronically "eavesdropped" by
personnel. Here are a few ideas this individual might wish to employ to restore
some of the sense of community they lost. I mention them publicly because they
touch on a lot of privacy conflicts we've been discussing. Sorry about the
length.

1. If they are not pre-screened by these same personnel department meddlers,
   drop a note in one or more of the suggestion boxes you mentioned. Might not
   work, since most companies actually ignore unsigned suggestions and they're
   already sensitized to you.

2. I suspect top-level management is not aware of the chilling effect that
   *this* policy is having on company morale. While a well-meaning policy, its
   effect has been to insulate the real decision-makers (at the corporate or
   site level) from the actual feedback they need to decide well. In their
   wisdom, they saw fit to provide several avenues for formal and informal
   criticism to climb the chain of command. Someone in the middle of the chain
   has blocked this criticism. The end result can only be less efficiency and
   poorer decisions from the top. Somehow you might make the TOP_LEVEL people
   aware. This might mean the awful end-run around management (probably a bad
   move), posting a note like the above paragraph to the same monitored
   distribution list, a memo to your boss with a CC to the _boss_, or an
   anonymous, computer-printed, memo physically displayed in obvious places.

3. (If you're desperate) Continue posting as before, only encrypted.
   This kind of mitigates the personnel weenie's argument that the information
   is "public" on a closed distribution list.

4. Continue posting as before, only quietly circulate key code phrases that are
   complimentary on the surface and might have alternate meanings.

5. Continue posting, making sure that the watchdogs get thoroughly confused,
   overworked, *blamed* for all kinds of things.

6. Set up your own e-mail distribution list and exclude the offenders.

Obviously, you don't want to get extreme until it's clear the company is going
to tell you to take a hike anyway. Also, there are some people (very
closed-minded, elitist ones IMO) who honestly believe that since you do this on
company equipment and on company time, your views and information are also "the
company's". This view is not universal, and is probably being legally debated
right now, but that doesn't stop the meddlers from believing in the "rightness"
of their position. I believe it was Confucius (or maybe Lao Tzu?) who said
basically "You must first forget what you know before you can learn."

7. (If you are _truly_ desperate) Tell the world exactly who is doing the dirty
   deed. Name names, dates, and times. Specify the company and be sure to
   kowtow properly to the top-level people's mal-implemented plans. Of course
   you might find out they really DO want to censure their employees. Which
   leads inexorably to ...

8. Look elsewhere for work, or grab the best talent there and start your own
   company.

Richard Johnson   richard@oresoft.com   richard@agora.rain.com

------------------------------

Date: Tue, 4 Jun 91 20:49:16 -0700
From: robinson@cogsci.Berkeley.EDU (Michael Robinson)
Subject: Re: Digital Fingerprints in California (Caplinger, RISKS-11.82)

>I suppose it's possible that the California DMV doesn't retain the digital data
>-- but I doubt it. I'm less certain but fairly sure that the "mugshot" is also
>taken with a video system.

It is.
>I could imagine it would be awfully tempting for
>law enforcement agencies to combine those two databases.

It is, and they will. But, as with most risks, there are countervailing risks.

The California driver's license (and its relative, the California
identification card) is intended to be positive legal identification.

California Vehicle Code, Sec. 14610: It is unlawful for any person:

  (a) To display or cause or permit to be displayed or have in his possession
      any cancelled, revoked, suspended, fictitious, fraudulently altered, or
      fraudulently obtained driver's license.

  (c) To display or represent any driver's license not issued to him as being
      his license.

  (g) To photograph, photostat, duplicate, or in anyway reproduce any driver's
      license or facsimile thereof in such a manner that it could be mistaken
      for a valid license, or to display or have in his possession any such
      photograph, photostat, duplicate, reproduction, or facsimile unless
      authorized by the provisions of this code.

This language is repeated in the section covering identification cards.

You don't have to have a legal ID, but if you do have one, it has to identify
you. At least in theory. Obtaining fictitious identification has always been
trivial, and it is almost always used for illegal purposes. A while ago, I read
in RISKS of a woman who obtained fraudulent identification and spent large
amounts of another woman's credit. The risk of fraudulent identification is,
IMHO, far greater than the risk of positive identification.

The DMV has a statutory obligation to enforce "one man, one card" to the best
of its ability by whatever means are technologically feasible. In this case,
the technology may skirt the margins of a potential tool of repression, but
doesn't get me nervous yet. I don't see how the thumbprint/photo database would
allow law enforcement to threaten my rights or privacy in any novel manner.

What does get me sort of nervous is the magnetic stripe on the back.
The only advantage I can see to that is the ability to process a lot of people
really quickly...

Michael Robinson   USENET: ucbvax!cogsci!robinson

------------------------------

Date: Tue, 4 Jun 91 19:48:32 PDT
From: cyberoid@milton.u.washington.edu (Robert Jacobson)
Subject: RFD: comp.online moderated

I would like to propose the creation of a new newsgroup, COMP.ONLINE. The
purpose of this newsgroup would be to discuss the phenomena of being "online"
-- what it means to be part of an electronic community.

To my knowledge, there are no newsgroups dealing broadly with this issue.
Individual newsgroups may deal with the conversations happening locally, as in
the various muds newsgroups; or the topic may come up spontaneously and then
die, as it has in comp.society on occasion. Yet the experience of being online
is central to what all of us do here: it deserves some special attention.

I suggest putting this new newsgroup in the comp. hierarchy because being
online is irrevocably tied up with the use of computers and information
technology. It could also go in rec. (since we often recreate online) or soc.
(because we are a social happening) or alt. (where nearly everything else ends
up). But comp. feels right to me.

I propose further that this newsgroup be moderated. I offer to do the
moderation, at least initially. I have been a host on USENET
(sci.virtual-worlds) for nearly a year; before that, I hosted two conferences on
The WELL and ran a legislative BBS for the California State Assembly. My
credentials are in order.

Please let the online crowd know what YOU think about this proposal. Also,
please crosspost this announcement to such other newsgroups as you think are
appropriate. After approximately one month of discussion, I will call for a vote
on creating comp.online.

Thanks for your attention and your ideas.
Bob Jacobson, Moderator, sci.virtual-worlds
Associate Director, Human Interface Technology Laboratory,
Washington Technology Center, c/o University of Washington, Seattle
206-543-5075
(Employment given for purposes of identification only; the HIT Lab hosts only
sci.virtual-worlds and has no connection to this proposal.)

------------------------------

Date: Wed, 5 Jun 1991 11:06:57 PDT
From: Rodney Hoffman
Subject: Correction Re: Writer steals stories via computer

A footnote to an item in RISKS 11.74. The 'Los Angeles Times' ran the following
correction on June 4:

  "FOR THE RECORD"

  "A Times article on May 29 incorrectly stated that free-lance writer Stuart
  Goldman pleaded no contest to stealing fictional story ideas planted by police
  in Fox Television computers. Goldman, in fact, pleaded no contest only to
  unauthorized access to a computer system."

------------------------------

Date: Wed, 5 Jun 1991 13:01:03 PDT
From: Peter G. Neumann
Subject: Amendation Re: Computers and Academic Freedom Groups Now at EFF.ORG

Actually, the first person named in the writeup reproduced in RISKS-11.82
regarding the academic-freedom mailing list was Carl Kadie (kadie@eff.org),
which was left out due to an editing foulup even before it was routed to Jim
Horning... Sorry for the lack of attribution. PGN

------------------------------

End of RISKS-FORUM Digest 11.83
************************