Subject: RISKS DIGEST 13.37
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 9 April 1992  Volume 13 : Issue 37

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Fremont CA Air Traffic Control Center Outage (PGN)
The Army reflects on the Patriot (PGN)
Risks of on-line documents dated April 1 (David Tarabar, Robert Ebert)
Rounding error changes Parliament makeup (Debora Weber-Wulff)
Believe it or not -- there's some reason on the bench! (Phil R. Karn)
Cryptography used by Terrorist Organisation (Kees Goossens)
Crypto (Export) Policy (Bill Murray, Brinton Cooper)
Certification of Cockpit Automation (John Theus)
The Paper(less) Trial (J Chapman Flack)
Risks of academic cheating by computer (Prentiss Riddle)
Public TV series revisited (Brian Tompsett, Nick Rothwell)
Re: Correcting Erroneous Database Listings (Fred Gilham)
Software Failures (Lin Zucconi, PGN)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
"Subject:" line.  Others may be ignored!  Contributions will not be ACKed.
The load is too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
especially .UUCP folks.  REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits).
Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Thu, 9 Apr 92 10:07:14 PDT
From: "Peter G. Neumann"
Subject: Fremont Air Traffic Control Center Outage

While I was in the air back to SFO from Washington yesterday morning, the
Oakland CA en-route traffic control in Fremont had a major snafu, seriously
snarling West-coast and Pacific Ocean air traffic from 8:40am PDT, for two
hours.  Outgoing flights were delayed more than incoming flights.  The backup
system requires manual handshaking where otherwise the system would handle
handoffs automatically, so there was some element of risk involved.  However,
the outage of the one center did not directly impact safety.  Required
separations between planes were increased to 20 miles for landings and
departures, instead of 3 miles, and the net effect was a return to the
leisurely pace of the 1950s.  The cause of the failure is not yet known,
although it was thought to be a software problem.

  [Some details can be found in, Traffic Control Center Failure Snarls
  Airline Flights, By Jack Viets, San Francisco Chronicle, 9 April 1992,
  front page]

------------------------------

Date: Thu, 9 Apr 92 11:41:06 PDT
From: "Peter G. Neumann"
Subject: The Army reflects on the Patriot

The Army acknowledged on 7 April 1992 that its glowing claims of success were
based on faulty data and indicated it is now certain that the missile
``killed'' roughly 10 Iraqi Scud warheads out of more than 80 fired at Israel
and Saudi Arabia, although the actual number could be greater.  [Source: A
front-page article by George Lardner in the Washington Post, Army Cuts Claims
of Patriot Success: Reduced Figures on Missile's Precision During Gulf War Are
Issued, 8 Apr 1992.]

Also, see the earlier item on MIT Professor Theodore A. Postol's article and
its aftermath, discussed in RISKS-13.32.  [Postol was on Fox TV early on the
morning of the 7th, prior to the Army briefing, discussing the Patriots.  He
suggested that 10% was much closer than the 80% previously claimed, and that
it is actually conceivable that NO direct kills were actually achieved!]

------------------------------

Date: Wed, 8 Apr 92 19:31:02 -0400
From: dtarabar@hstbme.mit.edu (David Tarabar)
Subject: Risks of on-line documents dated April 1

In Risks 13.34, an article describing an alleged remote backup service, began:

> Date: Thu, 2 Apr 1992 11:07:48 PST
> From: Robert_Ebert.OsBU_North@xerox.com
> Subject: Backup over the phones?
> Excerpted from TidBITS#114/01-Apr-92, source: BackData, info@backdata.com

The article mentioned some of the obvious risks involved and subsequent issues
of Risks contained follow-up articles.  However, in TidBITS#115, the author
mentioned that TidBITS#114 was the April Fools issue and all of the content
was fictional.

Not getting an April Fools joke might be more of a risk in on-line documents
because often they are not read until some time after the first of April.
(Of course there can be a similar problem with hard copy media - I get
several magazines whose April issue arrives in late February or early March.)

David Tarabar (dtarabar@hstbme.mit.edu)

------------------------------

Date: Tue, 7 Apr 1992 14:03:01 PDT
Sender: Robert_Ebert.OsBU_North@xerox.com
From: bebert.osbu_north@xerox.com
Subject: Risks of too-subtle April Fools Jokes (Backup over the phones?)

RISKS-13.34 (Friday 3 April 1992) carried a submission from me forwarded from
TidBITS#114/01-Apr-92 about Backing up Macs and PC's over the phone.
TidBITS#115/06-Apr-92 carried the following notice:

  To quote from the excellent movie "Spinal Tap," "it's a fine line between
  clever and stupid."  I may have fallen off that fine line in writing
  TidBITS#114, because despite a few clues and hints, the fact that it was
  indeed our annual April Fools issue appears to have gone generally
  unnoticed.  Almost everything in that issue was false - though often
  entirely possible and even intensely desirable - with the exception of the
  IBM marketing move (which was strange enough to be an April Fools joke),
  and the Dolch projection panel (which I used to make the last article more
  believable).  Sorry folks, if I threw you for a loop.

So, there you have it.  I don't consider myself to be terribly gullible, but I
was taken in.  [I didn't have this problem with any other April jokes... I
don't think.  But then, most of the ones I got were substantially more
obviously jokes than this.  Xerox is *not* going to lease its newly acquired
buildings in Palo Alto to the Marriott hotel chain, and an "Amusement park for
Silicon Valley geeks" requiring "magnetic badges built into pocket protectors"
is *not* going to be opened on the neighboring land at Page Mill & Foothills.]

In any case, apologies all around for spreading what turned out to be false
information.  The backup scheme described seems entirely plausible, and even
lucrative.  Looking over the rest of the TidBITS digest, I suppose there are
clues to be had... in retrospect.  In comparison to the rest of the silliness
that the rest of the net goes through every April, TidBITS was the height of
subtlety.  Ah, well, whatever it takes to relieve those tax-time blues, I
suppose.

The IBM marketing move (from TidBITS#114/01-Apr-92):

  Ralph Amundesen wrote with some interesting information about IBM.
  Evidently, IBM is so worried about OS/2 that the company has expanded its
  battalion of salesbots by drafting the entire company.  I don't know if
  this will go as far as dark-suited IBM folks out pounding the pavement
  ("Excuse me, Ma'am, may I come in and demonstrate what OS/2 2.0 can do for
  you today?"), but all 344,000 employees are in it for fun and prizes.  It's
  a step up from grade school, but IBM employees could win medals, IBM
  software, IBM hardware, or even cold hard cash.  I sure hope they don't
  stop in here since I don't have 30 MB free under SoftPC to test it.
  Sheesh, wouldn't you think it would be easier to just buy a few TV spots
  like Microsoft is doing?

The Dolch projection panel (from TidBITS#114/01-Apr-92):

  Interestingly, Dolch Computer Systems just released a color LCD projection
  panel that can double as a stand-alone screen for a mere $8500.

--Bob (bebert.osbu_north@xerox.com)

------------------------------

Date: Tue, 7 Apr 1992 12:38:29 GMT
From: weberwu@inf.fu-berlin.de (Debora Weber-Wulff)
Subject: Rounding error changes Parliament makeup

We experienced a shattering computer error during a German election this past
Sunday (5 April).  The elections to the parliament for the state of
Schleswig-Holstein were affected.

German elections are quite complicated to calculate.  First, there is the 5%
clause: no party with less than 5% of the vote may be seated in parliament.
All the votes for this party are lost.  Seats are distributed by direct vote
and by list.  All persons winning a precinct vote (i.e. having more votes than
any other candidate in the precinct) are seated.  Then a complicated system
(often D'Hondt, now they have newer systems) is invoked that seats persons
from the party lists according to the proportion of the votes for each party.
Often quite a number of extra seats (and office space and salaries) are
necessary so that the seat distribution reflects the vote percentages each
party got.

On Sunday the votes were being counted, and it looked like the Green party was
hanging on by their teeth to a vote percentage of exactly 5%.  This meant that
the Social Democrats (SPD) could not have anyone from their list seated, which
was most unfortunate, as the candidate for minister president was number one
on the list, and the SPD won all precincts: no extra seats needed.

After midnight (and after the election results were published) someone
discovered that the Greens actually only had 4,97% of the vote.  The program
that prints out the percentages only uses one place after the decimal, and had
*rounded the count up* to 5%!  This software had been used for *years*, and no
one had thought to turn off the rounding at this very critical (and IMHO very
undemocratic) region!

So 4,97% of the votes were thrown away, the seats were recalculated, the SPD
got to seat one person from the list, and now have a one seat majority in the
parliament.  And the newspapers are clucking about the "computers" making such
a mistake.

Debora Weber-Wulff, Institut fuer Informatik, Nestorstr. 8-9, D-W-1000 Berlin 31
dww@inf.fu-berlin.de  +49 30 89691 124

------------------------------

Date: Tue, 7 Apr 92 19:18:33 EDT
From: karn@thumper.bellcore.com (Phil R. Karn)
Subject: Believe it or not -- there's some reason on the bench!

Defense Loses Bid to Present Animated Videotape Depicting Baton Blow
By Linda Deutsch, Associated Press Writer

Simi Valley, Calif. (AP)  The judge in the trial of four officers accused of
beating a motorist refused Tuesday to let jurors see an expert witness's
animated videotape recreating the first baton blow.

Superior Court Judge Stanley Weisberg said he wasn't convinced that the tape,
created by a biomechanical engineer with the help of a computer program, was
scientifically reliable.

``It would lead the jury to think it must be accurate ... that it's true
because the computer shows it,'' Weisberg said.  ``Just because it's sold in
software stores doesn't make it reliable.''

However, the judge said the witness, biomechanical engineer Carley Ward, could
testify on the limited issue of how much force is produced when a baton
strikes a human head and how much damage would be done.

Officers Theodore Briseno, 39, Laurence Powell, 29, Timothy Wind, 31, and Sgt.
Stacey Koon, 41, are on trial in the March 3, 1991 beating of Rodney King.  A
bystander's videotape of the beating led to a nationwide furor over police
brutality and inflamed racial tensions in Los Angeles.  King is black, the
officers are white.

Ms. Ward testified outside the jury's presence that Powell, in a test
conducted by her, exerted 1,500 pounds of pressure when swinging a baton in a
``full power swing.''  Prosecution witnesses have said he struck King's head
in such a manner.

If King was struck with that force, Ms. Ward said, she would have expected
more injury than the broken facial bones he suffered.  She said her
experiments striking the heads of cadavers at such velocity produced brain
injuries.

Michael Stone, Powell's lawyer, said he would need time to determine if he
wanted to call Ms. Ward, given the limitations imposed by Weisberg.

------------------------------

Date: Mon, 6 Apr 92 10:10:08 BST
From: kgg@dcs.edinburgh.ac.uk
Subject: Cryptography used by Terrorist Organisation

In RISKS-13.34 various people wrote about cryptography.  The following shows
how it is already used by terrorists.

On Saturday 4th April the British newspaper the Guardian reported that all the
leaders of the Basque separatist organisation ETA had been captured in a
police raid in France.  (ETA is a terrorist organisation in Basque, Spain
which wants independence from Spain.  They have killed many over the last 10
years.)

The leaders must have found out several minutes before the raid, as they tried
to find matches to burn documents they had in their possession.  Failing, they
tore them up and flushed them down the toilet instead.  (It is not stated
whether the police recovered them.)

The interesting part however, is that the police captured a computer (PC or
laptop) from the ETA some time ago (more than 18 months if I remember
correctly) but they have, to date, not been able to break the code which was
used to decrypt all the information.

I suppose this must be a worst case scenario for intelligence organisations
such as the police etc.

Kees Goossens, LFCS, Dept. of Computer Science     JANET: kgg@uk.ac.ed.dcs
University of Edinburgh, Scotland                  UUCP: ..!mcsun!ukc!dcs!kgg

------------------------------

Date: Tue, 7 Apr 92 07:50 EDT
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Crypto (Export) Policy (Cohen, RISKS-13.36)

The US policy on export of crypto, while silly, is not quite as silly as Fred
thinks.  He thinks that it is silly to discourage export of pure information
in one form while tolerating it in another.  In fact, that is not quite true.

While once embargoed, (indeed NSA asserted that mere discussions of crypto
were "born classified") publication of cryptographic information is
sufficiently like protected speech for its prohibition to raise
constitutional issues.  (You and I would likely agree that the law should not
distinguish between the media of publication.)  However, this is not the only
reason that print publication is tolerated.

The government tolerates "publication" of crypto in hardware encapsulation
because replication is very difficult.  Likewise, the same information on
paper appears to them to be safer than on machine readable media.  While
information printed on paper can be readily copied, the procedure must be in
machine readable form before it can be used.  While, as Dr. Cohen suggests,
one can scan information from paper into a computer, the government sees this
as undesirable but tolerable.  This is only one of the silly parts of this
policy.

Nonetheless, any use of crypto has the potential to increase the cost of
intelligence gathering, and less important, reduce the effectiveness of law
enforcement.  While the government understands that it will not be completely
successful, it believes that it has a responsibility to resist whenever and
wherever it can.

History tells us that intelligence gathering is expensive in any case.  It
also tells us that we are better at gathering it than we are at using it.
Nonetheless, it is a dangerous world.  If you believe, with the government,
that cheap intelligence gathering is a high value, support the government
policy.

The Director would have you believe that mere use of ISDN, much less secret
codes, is inhibiting the ability of the government to enforce the laws
against terrorism, drugs, and organized crime.  If you believe that the use
of commercial crypto by criminals is wide-spread, if you believe that law
enforcement should be cheap and easy, and if you believe that law and order
are values that are superior to individual freedom and privacy, then support
the government policy.  Otherwise, resist it.

If you believe that international electronically mediated trade and commerce
require codes that both parties can trust, then you may wish to join FBC in
resisting this silly policy.  If you believe that international trade and
commerce are more important than efficient intelligence gathering, then to
the extent that you believe that, you have an obligation to resist.

William Hugh Murray, 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

Date: Tue, 7 Apr 92 14:55:50 EDT
From: Brinton Cooper
Subject: Re: Good crypto (Cohen, RISKS-13.34)

FBCohen@DOCKMASTER.NCSC.MIL has posted comprehensive criticisms of US policy
regarding export of cryptosystems.  In a word or two, he shows how absurd it
is that an American could develop a cryptosystem abroad and both sell it
abroad and import it to the US without violating US export laws.

Surely spooks from NSA, FBI, CIA, Commerce, and others (Oops, does Commerce
have spooks?  It wouldn't surprise me) read Risks-Digest.  Why, then, don't we
have an authoritative, or at least an informed rebuttal to his postings?  Is
this, after all, a partisan political decision that has not been made on the
basis of what's best for US competitiveness but rather of what best fulfills
some hidden agenda?

C'mon, someone, speak up!

_Brint

------------------------------

Date: Fri, 03 Apr 92 00:14:49 -0800
From: John Theus
Subject: Certification of Cockpit Automation

The 23 March 1992 issue of Aviation Week focused on automated cockpits with 9
articles on the subject.  Very interesting reading.  The most interesting
quotes were in the article "Pilots, Human Factors Specialists Urge Better
Man-Machine Cockpit Interface".  Near the end of the piece, Anthony J.
Broderick, associate FAA administrator of regulation and certification is
quoted several times.  Quoting AW&ST:

  Although there are "no real, fundamental changes needed" to certify
  advanced hardware and software under development by major airframe
  manufacturers, there is a need "to develop procedures that will establish
  certification standards for a level of safety" when using such systems, he
  said.
  ....
  The agency's [FAA] experience base, in addition to rules established by
  the RTCA -- formerly known as the Radio Technical Commission for
  Aeronautics -- that governs design standards for software and hardware used
  in automation equipment, provides an acceptable means to certifying systems
  as they are developed, according to Broderick.

Glad to know we don't need to worry about this anymore!

John Theus   john@theus.rain.com   TheUs Group

------------------------------

Date: Tue, 07 Apr 92 01:54:24 GMT
From: chap@art-sy.detroit.mi.us (j chapman flack)
Subject: The Paper(less) Trial

Summary: When is a picture of an exhibit evidence?

From _The Cincinnati Enquirer_, date missing from my copy:

  A judge's distaste for clutter is pushing Cincinnati's federal court into
  the high-tech world.

  When a securities case comes to trial soon in the courtroom of federal
  district Judge Carl Rubin, reams of exhibits will be computerized and
  displayed on eight computer monitors.
  ...
  The alternative is rows of cumbersome file cabinets lining the
  walnut-paneled walls of his courtroom for weeks on end.  "And I hate
  that," he said.
  ...
  With the push of a few buttons, the courtroom deputy can display the
  exhibits on three color monitors in front of the jury box, and on screens
  stationed before the judge's bench, witness stand and lawyers' tables and
  podium.
  ...
  Computerization also may cut down on trial time because lawyers can change
  exhibits without carting posters and papers around the courtroom.

[The newspaper photo shows a monitor displaying the front and back of a bank
check, signatures and all.  "I saw it on the computer, so it had to be
real...."]

Chap Flack   chap@art-sy.detroit.mi.us

------------------------------

Date: Thu, 9 Apr 92 9:21:08 CDT
From: riddle@hounix.org (Prentiss Riddle)
Subject: Risks of academic cheating by computer

There is an academic cheating brouhaha this semester at the university where
I work which is brimming over with computer risks.  I am not privy to the
details of the case, but here is a summary from the published accounts.

This university has an Honor Code governing student cheating which is a
source of much school pride.  Students agree not to give or receive aid on
schoolwork and as a result the university can function without the burden of
proctored exams.  Alleged violations of the Honor Code are taken before the
Honor Council, an elected student body which has the authority to dole out
substantial punishments.  Honor Council cases are publicized in the form of
anonymous abstracts which mask the identities of all parties.

Enter the computer: Earlier this semester, two students were accused of
colluding on a homework assignment which was done and handed in via one of
the university's academic computer networks.  Their TA noticed that portions
of the two students' homework were identical, down to the initials of one of
the students.  Network officials were asked to examine backup tapes for the
period of time in question and produced evidence which supported the theory
that "Student B" had sent homework to "Student A" by electronic mail
immediately before Student A turned it in.

The students argued that they were innocent and were the victims of a
frame-up by an unknown "User X" who they alleged had gained access to their
accounts.  The Honor Council refused to accept the "User X" theory and
convicted both students.  Student B's conviction was later overturned partly
on the basis of further evidence supplied by network officials which
suggested that Student A committed the acts of cheating alone by logging in
to Student B's account.

Although officially the case is closed, it is the subject of much heated
debate in the student newspaper and local Usenet newsgroups at the
university.  Both students continue to maintain their innocence and their
supporters have rallied around the slogan "Free Student A".

Computer risks seem to surround this case on all sides.  A few which come to
mind:

-- The risk of cheating by computer in the first place.  While academic
   cheating is as old as academia, the computer can make it, like so many
   other things, easier than ever before.

-- The risk of frame-ups.  While the Honor Council appears to be satisfied
   that the computer evidence substantiates real cheating in this case, it
   is clear that a person with access to one or more users' accounts could
   at least cause them a major nuisance and possibly succeed in framing them
   for cheating.  With the penalties involved going as high as academic
   suspension from a school which costs thousands of dollars per semester,
   this is no light matter.

-- The complexity of evidence in cases of computer cheating.  Honor council
   members were quoted in the student paper as complaining about the new and
   bewildering kinds of evidence they are asked to consider in computer
   cheating cases, and critics of the Honor Council have complained about
   the dangers of being judged by people who are not users of the systems
   involved and don't thoroughly understand them.

-- The burden on system administrators.  The network official who provided
   the bulk of the evidence estimated that he spent a full week gathering
   and analyzing it.  Since the case came up, the local academic network has
   extended the period of time it keeps daily backups before recycling them.
   How much data is it reasonable to keep, and to pore over, in order to
   provide evidence in cases like this?  I don't know of a way to determine
   a firm answer.

-- The danger to trust and to openness.  Both the university's Honor Code
   and the tradition of open exchange of information within the computing
   community are threatened by cases like this.  Must students be kept in a
   "padded shell" to prevent computerized cheating?

-- Prentiss Riddle ("aprendiz de todo, maestro de nada")  priddle@hounix.org

------------------------------

Date: Mon, 6 Apr 92 11:08:18 BST
From: Brian Tompsett
Subject: Public TV series revisited

In RISKS-13.34, a new PBS series on computers was mentioned.  These 5
programmes have already aired some weeks ago on the BBC in the UK.  I have
seen all 5 and regard them as excellent.  Their coverage of the historical
material was the most accurate and even handed I have ever seen.  Their
coverage of risks issues is also exemplary.  I could seriously use them in
undergraduate teaching and did not regard them in any way as "technopulp" for
the masses.

There is the probability that some of the programmes are "tailored" to the
home audience.  I have experienced this before with other WGBH/BBC
co-productions.  This highlights some interesting assumptions often made with
regard to TV programmes.  If the programmes are in our field we assume them
to be "technology for the masses", whereas the masses, having seen it on TV
assume the fact presented in the program to be true.  Further, if the
programme is aired around the globe, or around the nation from more than one
TV station we assume everyone shares the same programme we do.  Do they tell
the people in Cambridge (either one) that they invented the computer and at
the same time tell someone in another time zone that it was invented by a
little old lady from Novosibirsk?  Are we being manipulated by global
telecasting on an Orwellian scale?  Who can tell?  Not easy is it.

Brian Tompsett, University of Hull, UK.

------------------------------

Date: Mon, 6 Apr 1992 13:45:42 +0000
From: Nick Rothwell
Subject: The Machine that Changed the World

>Perhaps it is risky not to see how our
>industry is being popularized for the mass media.

Perhaps, but I've seen three out of the five programmes and was quite
impressed with the factual accuracy.

>Another risk: the title of the series is the same as that of a recent book
>about the _auto_.

Erm, the Americans must be using a different name.  Over here the TV series
was called "The Dream Machine."

Nick.

------------------------------

Date: Mon, 6 Apr 92 13:57:21 -0700
From: Fred Gilham
Subject: Re: Correcting Erroneous Database Listings (Davis, RISKS-13.36)

> The answer that I would propose for consideration is that the great
> nightmare of science fiction, an authoritative official database, may be in
> fact the only way to protect ourselves from all the little brothers spreading
> information about us.

I disagree with this, or rather, think it should be an extremely last resort.
I think promulgation of inaccurate information should be legally treated as a
form of libel, with legal recourse for those who do it.
Currently I understand that there is very little legal recourse for someone
who suffers from inaccurate information in this manner, and so little
incentive to eliminate it.

-Fred Gilham  gilham@csl.sri.com

------------------------------

Date: 7 Apr 92 16:24:42 U
From: "Lin Zucconi"
Subject: Software Failures

Has anyone heard of or have evidence of a failure in a safety-related or other
critical or security system where the developers claim they "did it right",
e.g. they used good software engineering practices during development and had
a good SQA program, and in particular, where they have identified common-mode
failures in N-way redundant systems in hardware or software?

Lin Zucconi  zucconi@llnl.gov

------------------------------

Date: Thu, 9 Apr 92 11:00:10 PDT
From: "Peter G. Neumann"
Subject: Software Failures

Lin, You might look at the following paper:

* Peter G. Neumann.  The Computer-Related Risk of the Year: Weak Links and
  Correlated Events.  Proceedings of COMPASS '91.  IEEE 91CH3033-8, pp.5-8.

This paper notes the 1980 ARPANET collapse, the 1990 AT&T long-distance
collapse, and a bunch of telephone system outages, and considers seemingly
weak-link failures that actually arose because of multiple-fault modes.  It
also notes some further references that might be useful to you.

- S.S. Brilliant, J.C. Knight, N.G. Leveson.  Analysis of Faults in an
  N-Version Software Experiment.  IEEE Trans. on Software Engineering,
  Feb 1990, pp.238-247.
- J.E. Brunelle and D.E. Eckhardt.  Fault-Tolerant Software: Experiment with
  the SIFT Operating System.  AIAA Computers in Aerospace V Conference,
  October, 1985, pp.355-360.
- R.I. Cook.  Reflections on a telephone cable severed near Chicago.
  SEN, 16, 1, pp.14-16.
- J. DeTreville.  A Cautionary Tale.  SEN, 16, 2, Apr 1990.

and look through the RISKS and Software Engineering Notes archives (index in
Jan 1992).  I imagine some of our readers will also send you further
references, with CC: to RISKS, please.
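[Editor's worked example, added to this digest and not part of any
contributor's message.  It refers back to Debora Weber-Wulff's item above on
the Schleswig-Holstein count: a 5% threshold was decided on a percentage that
had already been rounded to one decimal place for printing.  The Python below
uses constructed vote counts (not the 1992 figures), a constructed 19-seat
house and a plain D'Hondt allocation (the item mentions D'Hondt; the real
rules have further steps) to show the rounded check admitting a party at
4.97%, the exact rational comparison rejecting it, and the resulting shift in
seats.  The function names and the audit check are the editor's own.]

```python
"""Threshold decided on a rounded display value vs. on the exact count.

Editor's constructed example: the vote counts below are invented and are NOT
the Schleswig-Holstein 1992 figures; only the 4.97% share and the 5% clause
come from the digest item.
"""
from fractions import Fraction

# Constructed tally: 49,700 of 1,000,000 valid votes is exactly 4.97%.
SAMPLE_TOTAL = 1_000_000
SAMPLE_VOTES = {"SPD": 470_000, "CDU": 440_000, "Green": 49_700, "Other": 40_300}
THRESHOLD = Fraction(5, 100)   # the 5% clause
SAMPLE_SEATS = 19              # constructed house size, small enough to check by hand


def display_share(votes, total, places=1):
    """What the reporting program prints: the share rounded to `places` decimals."""
    return f"{100 * votes / total:.{places}f}%"


def passes_threshold_rounded(votes, total, places=1):
    """The flawed rule: the decision is taken on the same rounded figure that
    is printed, so 4.97% is treated as 5.0% and clears the clause."""
    return round(100 * votes / total, places) >= 100 * float(THRESHOLD)


def passes_threshold_exact(votes, total):
    """The correct rule: compare exact rational counts; nothing is rounded.
    Fraction(votes, total) >= 5/100 is equivalent to 100*votes >= 5*total."""
    return Fraction(votes, total) >= THRESHOLD


def audit_threshold(tally, total, places=1):
    """Audit check: list the parties for which the printed (rounded) share
    and the exact rule disagree about clearing the threshold."""
    return sorted(
        party for party, votes in tally.items()
        if passes_threshold_rounded(votes, total, places)
        != passes_threshold_exact(votes, total)
    )


def eligible(tally, total, check):
    """Keep only the parties that `check` admits to seat allocation."""
    return {party: votes for party, votes in tally.items() if check(votes, total)}


def dhondt(tally, seats):
    """Plain D'Hondt highest-averages allocation over the eligible parties.
    Exact Fractions are used for the quotients so no seat turns on float error;
    a tie goes to the party listed first."""
    allocation = {party: 0 for party in tally}
    for _ in range(seats):
        winner = max(tally, key=lambda p: Fraction(tally[p], allocation[p] + 1))
        allocation[winner] += 1
    return allocation


def compare_allocations(tally=SAMPLE_VOTES, total=SAMPLE_TOTAL, seats=SAMPLE_SEATS):
    """Seat allocation under the flawed rounded check and under the exact check."""
    return {
        "rounded_check": dhondt(eligible(tally, total, passes_threshold_rounded), seats),
        "exact_check": dhondt(eligible(tally, total, passes_threshold_exact), seats),
    }


if __name__ == "__main__":
    for party, votes in SAMPLE_VOTES.items():
        print(f"{party:6s} {votes:>9,d}  printed {display_share(votes, SAMPLE_TOTAL):>5s}"
              f"  rounded-check {passes_threshold_rounded(votes, SAMPLE_TOTAL)!s:5s}"
              f"  exact-check {passes_threshold_exact(votes, SAMPLE_TOTAL)}")
    print("display/decision mismatch:", audit_threshold(SAMPLE_VOTES, SAMPLE_TOTAL))
    for rule, seats in compare_allocations().items():
        print(f"{rule}: {seats}")
```

With these constructed numbers the rounded check seats the Greens and leaves
the two large parties tied at 9 seats each, while the exact check excludes
the 4.97% share and gives the SPD a one-seat majority, the same shape of
outcome the item describes.  The audit function is the kind of check worth
adding wherever a program's printed figure and its decision variable are
computed at different precisions.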
------------------------------

End of RISKS-FORUM Digest 13.37
************************