Subject: RISKS DIGEST 13.12
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 7 February 1992  Volume 13 : Issue 12

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Another Radiotherapy Error (Brian Randell)
Aviation Software Certification (Brian Randell)
Our database says you'll read this item (Rodney J. Hoffman)
New England Telephone Refiles For CLASS Without Caller ID (John R. Covert)
US Sprint offering phone fraud insurance (Jonathan Allen)
Telephone hacker to be tried (Mark Seecof)
Dutch Crackers - Shifting Blame? (Dave Pipes)
War on Drugs Communications Network Stalled (Sanford Sherizen)
Relative accuracy of FMS/INS navigation (Clifford Johnson, Robert Dorsett)
Strasbourg A320: Duck writes in Duck (Pete Mellor)
Re: Ballad of Silicon Slim (Laurence R. Brothers)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others may be ignored!  Contributions will not be ACKed.  The load is too great.
**PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP domain
folks.  REQUESTS please to RISKS-Request@CSL.SRI.COM.
Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM
SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Fri, 7 Feb 92 10:19:55 GMT
From: Brian.Randell@newcastle.ac.uk
Subject: Another Radiotherapy Error

The following article about faulty computer control of radiotherapy treatment is reprinted in its entirety, from today's Independent, a "quality" national paper here in the UK. The story was covered last night on BBC TV news - where interestingly enough they referred only to "human error", if my memory serves me correctly, and where some of the medical experts they sought comments from expressed fears that the fault might well have led to some fatalities.

Brian Randell, Computing Laboratory, The University, Newcastle upon Tyne, NE1 7RU
PHONE = +44 91 222 7923

HOSPITAL ADMITS ERROR IN TREATING CANCER PATIENTS (By John Arlidge)

Nearly 1,000 cancer patients were given radiotherapy treatment up to 30 per cent below the proper level, North Staffordshire hospital centre said yesterday. A computer programming error meant that for the last 10 years patients at the hospital in Stoke-on-Trent received doses between 10 and 30 per cent below the required level.

Stuart Gray, the hospital general manager, said yesterday: "We very much regret that an error has been made. We are very concerned about it and the staff of the department are very upset."

The 447 surviving patients and their general practitioners have been informed. Patients and relatives of the 542 who have died who "need reassurance" can see consultants or call a telephone hotline set up by the hospital.

Officials say there is no evidence that patients have suffered. "It is up to individuals whether they seek compensation from the district health authority," a spokesman said.

Most of the patients, from as far away as North Wales and Cheshire, were suffering from cancer of the bladder, pelvis, lung and throat. No children or patients with breast cancers or brain tumours were treated.
The physicist who made the mistake by introducing an unnecessary correction factor when a new planning computer was installed in 1982 has been transferred to another department while two doctors carry out an independent inquiry. Colleagues said she was "devastated" after realising her error when the equipment was replaced just before Christmas. Mr. Gray said it was too early to say whether there would be disciplinary action.

The Department of Health, which has been investigating the incident since December, welcomed the independent review. A spokesman said: "There is no doubt that negligence was involved. An error has been admitted... If there are any lessons to be learnt they will be implemented."

Mr. Gray said consultants have reviewed the case notes of all 989 patients treated and have found no evidence that patients had died or suffered because they received the low doses. "We have no reason to believe this has had a deleterious effect on the health of any of our patients.... We would welcome an independent inquiry to confirm the findings of our consultants."

Two senior radiotherapists - Dr. Thelma Bates of St. Thomas Hospital, London, and Dr. Daniel Ash of Cookridge Hospital, Leeds - are to carry out the independent clinical review. "We want to determine why it happened, why it went undetected for 10 years and to make sure it never happens again," Mr. Gray said.

[The Therac 25 case was one of OVERdoses being life critical. It is appropriate to note that UNDERdoses may also be life critical. PGN]

------------------------------

Date: Thu, 6 Feb 92 18:41:58 GMT
From: Brian.Randell@newcastle.ac.uk
Subject: Aviation Software Certification

The front page of today's issue of the (UK) Computer Weekly is dominated by a photo of a very stern-looking Bev Littlewood, under the main headline stating "Experts warned CAA before Airbus disaster". The article is by Tony Collins.
Software experts warned the Civil Aviation Authority (CAA) that rules governing the safety of software in aircraft were inadequate two weeks before January's crash of the A320 Airbus jet in France. The results of an enquiry into the January 20 Airbus crash, which killed 87, are not yet known, but the disaster has focussed attention on aircraft such as the A320 which has fly-by-wire controls dependent on the software.

Safety-critical software experts from the British Computer Society (BCS) met the CAA to express concern about the laxity and ambiguity of certification criteria used by regulatory authorities to test the safety of complex software in aircraft. They also called for improvements in an aviation software certification codebook, DO/178B, which is now in draft form. They complained that DO/178B fails to lay down mandatory requirements for aircraft software safety and relies instead on guidelines.

The delegation to the CAA was led by Brian Wichmann, a software engineering specialist at the government's National Physical Laboratory and acting chairman of the BCS's task force on safety related systems.

Airbus Industrie, based in Toulouse, southern France, said this week that it has demonstrated that the A320 and its systems fully meet the requirements of the world's certification authorities. But the delegation said that the safety claims made by the aircraft manufacturers for the software cannot be adequately tested. One member said that the committees which lay down certification standards represent the manufacturers' interests more than those of the consumer.

Another member of the delegation, Bev Littlewood, professor of software engineering at London's City University, said that some parts of DO/178B were "appalling". He said that it fails to stipulate the way in which the claims made for the software's safety by the manufacturer can be tested.
The delegation's third member, Martyn Thomas, chairman of Bath software house Praxis, said aircraft manufacturers should have to prove that their software can be easily analyzed to check for any flaws. Certification standards make no provision for this, he said.

A CAA spokesman said he sympathised with views expressed by the delegation and added that it is also seeking tougher standards for testing safety-critical software.

Clearly the paper has sought to dramatize its account of a meeting by linking it so directly to the A320. However I note that the article is followed up by a very supportive and reasonably well-argued editorial on page 23 - an editorial which ends "The CAA is said to agree with many of the BCS objections to the DO/178B guidelines. Only with international support can it make any changes."

Brian Randell, Computing Laboratory, The University, Newcastle upon Tyne, NE1 7RU, UK
Brian.Randell@newcastle.ac.uk   +44 91 222 7923   FAX = +44 91 222 8232

------------------------------

Date: 04 Feb 92 12:55:21 PST
From: rodney@oxy.edu (Rodney J. Hoffman)
Subject: Our database says you'll read this item

Edited bits from a story in the weekly "Marketing" column by Bruce Horovitz in the "Los Angeles Times" 4-Feb-92, p. D6:

OUR DATABASE SAYS YOU'LL READ THIS COLUMN

"If you need a stiff drink before reading this column, .... the folks at Seagram Co. already have a pretty good idea who you are. And they'll prove that in this month's issues of Newsweek, Atlantic, and U.S. News and World Report. If the marketing gurus at Seagram suspect that you're a drinker -- or are a likely candidate ... -- you'll be seeing their ads in your February issues. But if their research tells them that you're a teetotaling subscriber, don't expect to see their ads....
"Beginning this month, for the first time on a large scale, a major advertiser -- Seagram -- will test the ability of a handful of national magazines to selectively place its ads only in those issues subscribed to by likely buyers of its liquor....

"Marketers are watching more closely than ever whether consumers eat Wheaties, collect colorized movies or take frequent trips to Toledo.... How does Seagram get this kind of personal information? Officials there declined to return phone calls. But typically, [it] is gleaned from elaborate databases on consumers who order from catalogues, telephone toll-free numbers, or even fill out questionnaires when renewing magazine subscriptions....

" 'No one wants to get involved in an invasion of privacy,' says James R. Guthrie, Exec. V.P. of marketing at Magazine Publishers of America. 'But there is no doubt in my mind that this is the direction that magazine publishing is going.' This is just the beginning. Before the end of the decade, marketing experts say, many of the advertisers in major national magazines will do individualized advertising regularly. And within 20 years, they say, most of the advertising placed in each issue of every major magazine will be targeted specifically to narrow groups of subscribers....

[Approving quotes from marketers for Lexus, Reebok, etc., and other magazines]

"But not everyone is enamored of the concept. 'We're not going to do it,' said Richard McEvoy, Senior V.P. at Carillon Importers, which imports Absolut vodka. 'It sounds like a good idea, but you won't bring in new customers if you only advertise to old ones.'"

------------------------------

Date: Tue, 4 Feb 92 07:28:24 PST
From: John R. Covert  04-Feb-1992 1015
Subject: New England Telephone Refiles For CLASS Without Caller ID

[From: TELECOM Digest Tue, 4 Feb 92 20:30:41 CST Volume 12 : Issue 114]
[from Marc Rotenberg via Lance J. Hoffman]

As a result of the Massachusetts DPU's order requiring free per-line blocking, New England Telephone has refiled for three of the original four "PhoneSmart" (CLASS) features in the original filing. N.E.T. proposes to offer Call Trace, Return Call, and Repeat Call, but not Caller ID or any of the other features that are part of CLASS such as Incoming Call Blocking and Selective Call Forwarding. The last two were not part of the original filing.

N.E.T. had proposed a monthly fee for Call Trace as well as a charge for each use; the DPU ordered that it be provided free on all lines with only a per-use charge. Call Trace will provide the needed protection from annoyance calls without the privacy problems.

john

------------------------------

Date: Thu, 06 Feb 92 13:34:28 -0800
From: jpallen@ics.uci.edu
Subject: US Sprint offering phone fraud insurance

It's been reported that US Sprint is trying to "transform a billion-dollar industrywide problem into a source of income" by offering phone fraud insurance to its customers (Information Week, 2/3/92). Discussions about the conflict of interest inherent in making a "security industry" financially dependent on a thriving security problem suddenly seem much less far-fetched... Is security against phone fraud something that Sprint, a company that doesn't require the use of PINs on their calling cards, should be asking its customers to pay for?

Jonathan Allen, University of California, Irvine
CORPS (Computers, ORganizations, Policy, and Society) program

------------------------------

Date: Wed, 5 Feb 92 17:27:50 -0800
From: Mark Seecof
Subject: Telephone hacker to be tried

"Man To Be Tried on Phone Hacking Charges" by Jonathan Gaw. From the Los Angeles Times, Wednesday, February 5, 1992, page B8. [Excerpted by Mark Seecof; elisions and bracketed interjections mine as well as all errors -MS.]
VISTA - A telephone hacker who allegedly tied up lines at Palomar Hospital for hours at a time has been ordered to stand trial on dozens of felony wiretapping and eavesdropping counts.

Rick Ivkovich is accused of using his touch-tone telephone to jam the lines of the Escondido hospital, bringing switchboard operators to tears. From as early as April, 1990, prosecutors allege, he occasionally blocked calls to and from the hospital and connected hospital operators to outside lines, including 911 emergency lines and the county jail here. He also allegedly reported false emergencies to 911 while making it appear that he was calling from the hospital.

[Various quotes about stuff the defendant allegedly did.]

Outside the courtroom, Deputy District Attorney James Valiant [dig that name!] said Ivkovich "had a gripe with the operators at Palomar. He wanted to use their telephone system and he wasn't allowed to." [Ivkovich has been confined for treatment in Palomar Hospital's mental-health unit in the past.]

Ivkovich is charged with 18 counts of wiretapping, 18 counts of eavesdropping, and nine counts of falsely reporting an emergency, all felonies. Escondido police tracked down Ivkovich in December through a series of telephone "traps."

Public Defender William Saunders argued that there may have been no violation of the law. "The calls are not private communications as required in the (eavesdropping) statute. First of all, he's a party to the call," Saunders told the court. "Any call to 911 is a taped call... and I don't think there is any expectation of privacy there." Saunders argued that wiretapping charges require physical attachment to telephone lines, and Ivkovich had none. But Vista Municipal Judge Harley Earwicker said "there was an unauthorized connection," which met the wiretapping provisions.

[Mark Seecof (Los Angeles Times) says: The big question here is why Palomar Hospital couldn't (apparently) keep this guy from hacking their PBX.
They should have just frozen him out. Why did the whole episode get as far as an arrest and felony charges?]

------------------------------

Date: Fri, 7 Feb 92 11:11:35 EST
From: Dave Pipes x4552
Subject: Dutch Crackers - Shifting Blame? (Gonggrijp, RISKS-13.11)

Rop Gonggrijp writes: [...] "...A well trained system-manager can protect a system without making it inaccessible to normal users."

Mr. Gonggrijp's argument seems to be that the hackers could not have really broken in, as the system was reasonably well protected. Therefore, it must have been the "fault" of the system managers that they got in, because they did not do what was needed and (he implies) were not well-trained enough to do what was needed. Ergo, the hackers *really* got in because the system was *not* well-protected, and hence should bear no responsibility for any costs incurred in cleaning up after them.

Resting a plea for openness and continued ignoring of crackers on such a contradictory argument seems foolish, to say the least. By this reasoning, the two gentlemen should be let go, and the system managers arrested, perhaps for recklessly endangering the data of their customers. Why are all the pro-cracker arguments of the form "Yes, I did it, but it is not my fault, because {blame someone else here}"?

The risk? People who buy into this line of "reasoning" will feel that it is their moral obligation to chastise those who they can victimize. After all, the damage is not real, just lines on a screen 2000 miles away, and anyway the bozo had it coming...

David Pipes

------------------------------

Date: Thu, 6 Feb 92 15:10 GMT
From: Sanford Sherizen <0003965782@mcimail.com>
Subject: War on Drugs Communications Network Stalled

The New York Times reported today (6 February) that a $617 million communications network designed to combat drugs is caught in a budget squeeze and will not be completed for at least nine years.
The network, designed by the Pentagon and law enforcement agencies, was developed due to consistent communications problems in fighting drugs.

------------------------------

Date: Thu, 6 Feb 92 15:43:36 PST
From: "Clifford Johnson"
Subject: Relative accuracy of FMS/INS navigation (Dorsett, RISKS-13.11)

In his otherwise excellent posting, in contrasting FMS with INS, Robert Dorsett states that "the potential for a KAL 007 sort of mismanagement is minimal," implying that INS-related problems were to blame for KAL 007's massive deviation. But INS-related theories are debunked in R.W. Johnson's book "Shootdown" (including the theory later relied on in Hersh's book). More importantly, the jury in the KAL 007 case found that the deviation was, as a matter of law, "intentional" and "willful." KAL was accordingly held liable, whereas the case against the manufacturers of the INS was dismissed. The INS was found to be not a credible proximate cause of KAL 007's deviation.

------------------------------

Date: Wed, 5 Feb 92 20:08:45 CST
From: Robert Dorsett
Subject: Relative safety of INS/FMS

[Robert had this statement in response to an earlier private exchange with Cliff, but it seems appropriate to include it here. PGN]

I didn't mean to claim that there was one singular authoritative cause of KAL 007's demise. At least two books (and many net discussions, including RISKS) put forth a credible theory that a misplanted number may have thrown the track off the requisite number of miles. I should have made the nature and character of my comment more precise. [...]

Robert

------------------------------

Date: Thu, 6 Feb 92 17:35:37 GMT
From: Pete Mellor
Subject: Strasbourg A320: Duck writes in Duck

"Le Canard Enchaine" ("The Chained Duck") is a satirical French rag which specialises in political commentary of the less respectful variety. It maintains a high standard of investigative journalism, and is not afraid to ask awkward questions.
The nearest equivalents are "Private Eye" (UK) and "Der Spiegel" (Germany). One of our French colleagues faxed us a recent article from "The Duck". By coincidence, it was written by a certain Jerome Canard (and no jokes about his brother Donald, please! :-). As usual, RISKS readers will have to bear with my own limited ability to translate French into something that might pass for English. [Translator's, and other, notes in brackets.] :-

Disconnected alarm system on the Air Inter Airbus

The "Flight Analysis Report" [I'm not sure of the exact title of this document in English] of Air France is confidential. Pity! Its last number, dated 18 December 1991, reports five cases where the pilots, thanks to the GPWS (Ground Proximity Warning System), were able to conclude their flights successfully. This was not the case with the Lyon-Strasbourg A-320.

Explanation: This GPWS is an alarm system which is triggered by five "modes": excessive rate of descent, excessive rate of approach to the ground, loss of altitude, etc. Among the five incidents noted by the Air France document, two concern the A-320. The first was a non-stabilised "approach", the second a rapid "approach" [to the ground (?)]. Thanks to the GPWS, their pilots avoided the crash.

Forbidden alarm

All the aircraft of that type are equipped with this system provided by the manufacturer. Even the A-320s of Air Inter. Alas, they had been "disarmed", as "Le Point" [a publication which I don't know] wrote. For what reason? "The company only serves the Hexagon," it was explained with a slightly bothered air [i.e., "Don't ask stupid questions!"]. "The pilots know the terrain perfectly." [Anyone know exactly which region the "Hexagon" is?]

One fact has been established: when the Lyon-Strasbourg Airbus, which was making a VOR-DME instrument "approach", was judged "clear" by the radar, it was at an altitude of 5000 feet (1600m) and 5 nautical miles (9.5km) from the start of the landing strip.
In 3 [nautical] miles and one minute, it had lost 2700 feet and struck the side of Mont St. Odile. It is there that the essential cause of the drama resides. The experts, without a doubt, will be astonished at the disconnection of the famous GPWS, all the more so since, on 12 December 1991, M. Frantzen, director of the aeronautical training and technical control service, enjoined Air Inter by letter to "reconnect" these alarm systems. Il s'est fait envoyer sur les roses. [I think this means he was told to **** off, but any French reader is welcome to correct me!]

Black mystery

As for the black box containing the flight parameters, it is, it seems, unusable. "The Duck" has made enquiries of the manufacturer, the Schlumberger company, which asserts that this mini-strongbox withstands a temperature of 1100 degrees C for thirty minutes, and confirms that the other black box, the one for recording the conversation in the cockpit, situated some centimetres from the first, is intact. Let us recall that, on the Air France Boeing 747 reduced to ashes at Karachi, the black boxes were recovered and used, just like those in the Korean Air Lines' 747 shot down by a Soviet missile, recovered from the bottom of the ocean.

In 1989, Gilles Pinchon, general engineer of the A-320, declared to the British TV channel Channel Four: "Our system is so reliable that only one breakdown can occur in a billion hours." [US billion: 10^9]

Paul Quiles [Surname not clear due to poor fax], Minister of Transport, promises that the enquiry will be "open". Why doesn't that go without saying?

Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB
Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk

------------------------------

Date: Tue, 4 Feb 92 15:28:38 -0500
From: quasar@puddle.bellcore.com (Laurence R. Brothers)
Subject: Re: Ballad of Silicon Slim - v13 i10

Actually, on Neil Young's old album "Trans" (lots of computer-related songs, but for some reason not released on CD), there is a song called "Computer Cowboy (aka Syscrusher)", from which I quote:

    "Ride along computer cowboy,
     To the city just in time,
     To bring another system down,
     And leave your alias behind..."

... another ballad, I imagine one of the first mass-marketed popular songs celebrating the computer intruder. I think, by the way, the song was actually released prior to the book Neuromancer, so the coincidence of "computer cowboy" is rather odd.

Laurence R. Brothers (quasar@bellcore.com)

------------------------------

End of RISKS-FORUM Digest 13.12
************************