Subject: RISKS DIGEST 13.46
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Saturday 2 May 1992  Volume 13 : Issue 46

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  F-22 crash (Barton Gellman via Nancy Leveson)
  Dean's password used to misappropriate funds (Janet M. Swisher)
  April fool meteorology (Bob Grumbine)
  Patriot: The missile that missed (Lord Wodehouse)
  Re: Ralph Nader/Cable TV/Information Networks (Tom Wicklund)
  AT&T announces Easy Reach 700 (PGN)
  Re: Tracking by Cellular Phone (Les Earnest, Mark Fulk, Kevin Paul Herbert)
  Free TRW Credit Report (Mary Culnan)
  Shut Down Ambulance Computer (Jean Ramaekers, Scott Dunham via Lord Wodehouse)
  Risks of using cash (Robert Ebert)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 30 Apr 92 19:49:10 -0400
From: leveson@cs.UMD.EDU
Subject: F-22 crash

Here's a switch -- someone hoping the blame can be put on the computer.

   Computer Problem Cited in Crash of F-22 Prototype
   by Barton Gellman
   Washington Post, April 30, page A3

A computer software problem probably caused the weekend crash that destroyed the only flying prototype of the F-22 Advanced Tactical Fighter, the Air Force's top general said yesterday.

Gen. Merrill A. "Tony" McPeak, Air Force chief of staff, told a House Armed Services Committee panel that it will be good news for his top-priority weapon program if an investigative panel confirms what he calls his speculative explanation, because a software flaw is "relatively straightforward" to fix. [...]

Lockheed Corp. test pilot Tom Morganfeld, by this account, had just refilled his fuel tanks in preparation for a test of supersonic flight characteristics when he learned of a break in the telemetry link that sends performance data from the aircraft to the ground. The supersonic test was cancelled.

Already airborne, the F-22 was too heavily laden to land safely, and so Morganfeld began a series of high-speed, low-altitude passes over the runway to burn excess fuel.

On the second pass, Morganfeld lost control. Videotape of his last seconds in the air shows that he retracted the landing gear and ignited his afterburners at roughly the same time, and the plane's nose immediately began porpoising out of control. The F-22 crashed, burst into flame, and slid 8,000 feet -- well over a mile -- before stopping. Morganfeld escaped with minor injuries.

McPeak's theory of the crash said the combination of reduced drag from the retracted landing gear and increased power from the afterburners meant that the plane needed far more "slab authority" to control the aircraft. In other words, the F-22's control surfaces had to be raised and lowered more sharply.

But on modern fly-by-wire aircraft, a pilot has no direct control of the physical movement of the flaps. Morganfeld's commands were interpreted by a computer-controlled servo-motor that continuously made thousands of calculations to adjust the controls, much as anti-lock brakes do on late model automobiles.

McPeak said he believed that "something in the logic of the fly-by-wire flight control system" failed to move the control surfaces far or fast enough to keep up with the pilot's commands.

If an Air Force investigative panel bears out McPeak's hypothesis, according to experts, it will rule out far more serious problems with the aerodynamic stability of the plane during the critical "flight regime" of a landing approach. But McPeak acknowledged he does not yet have all the facts.

   [This is Nancy Leveson, now at UMD, still on sabbatical from UCI. PGN]

------------------------------

Date: Thu, 30 Apr 92 13:05:13 -0500
From: swisher@cs.utexas.edu (Janet M. Swisher)
Subject: Dean's password used to misappropriate funds

The _Austin American Statesman_ and _The Daily Texan_ report that an employee of the University of Texas College of Engineering used a password belonging to a dean to misappropriate about $16,200 from March 1991 to February 1992. The dean reportedly gave the employee the password, in violation of university policy. The employee resigned when confronted; no charges have yet been filed. Neither the dean nor the employee were identified to the press.

The funds were earmarked for travel fellowships for recruiting students from other universities; the employee awarded fellowships to UT students who were not eligible to receive them. UT police would not comment on whether the employee directly benefitted from the misappropriation.

The improper payments were discovered accidentally when a student wrote to thank the associate dean of recruiting of the College of Engineering for the College's generosity.
According to the dean of the College, "That student didn't do anything wrong. He just came to the dean's office for assistance and he got some."

The employee had access to about $300,000. The university is auditing its records to determine whether improper payments were made in prior periods. Legitimate awards were made from the same fund during the same period as the improper ones.

The College of Engineering is tightening its security guidelines (no details given).

------------------------------

Date: Thursday, 30 Apr 1992 16:45:22 EDT
From:
Subject: April fool meteorology

In a recent Risks, we heard the story of a shotgun attack on a wind profiler. It develops that this was indeed an April Fool's joke. I've deleted the included text to save you bytes.

Bob Grumbine a.k.a. rmg3@grebyn.com

Newsgroups: sci.geo.meteorology
From: skaggs@nsslsun.nssl.uoknor.edu (Gary Skaggs)
Subject: Re: Hazardous Duty - Wind Profilers
Organization: National Severe Storms Laboratory
Date: Thu, 30 Apr 1992 13:56:08 GMT

>Excerpted from RISKS-LIST: RISKS-FORUM Digest Monday 27 April 1992
>Volume 13 : Issue 44

You got a second generation. Yes, you've been `APRIL FOOLED'!!!

This story appeared in a posting on OMNET by R.JUNE addressed to the noaa.erl.labs listing under the subject of weekly report. The header reads thusly:

   OCEANIC AND ATMOSPHERIC RESEARCH (OAR)
   WEEKLY REPORT FOR THE SECRETARY OF COMMERCE
   April 1, 1992

Besides the above story, other tongue in cheek submissions covered:

GLERL proposing to introduce the Chesapeake Bay blue crab into the Great Lakes to try to control the zebra mussel

An agreement with the Russian republic to rescue a data set of some 70 years of "potential greenhouse gases emitted by herds of Bovinas mermoska, the Mongolian yak of central Asia."

A new ERL lab to Study the Effects of the Moon on the Earth. Jerry Brown announcing that if elected, he would create a NOAA/ERL lab called the Moon Environment Lab (MEL). (This one was REALLY good).

And a weather Modification Person of the Year Award to Saddam Hussein for taking weather mod out of the lab and into the atmosphere. He was cited for his willingness to "test scientific hypotheses through the examination of actual, not simulated or modelled, pollution events, and for initiating similar studies into the environmental effects of massive oil spills." Carl Sagan was the keynote speaker.

Sorry guys, you've been had...

Gary Skaggs - WB5ULK  skaggs@nssl.nssl.uoknor.edu  DOC/NOAA/ERL/NSSL

   [Also noted by Thomas Lapp and joe@montebello.soest.hawaii.edu (Joe Dellinger). PGN]

------------------------------

Date: 29 Apr 92 12:31:00 BST
From: Lord Wodehouse
Subject: Patriot: The missile that missed

From New Scientist 18 April 1992 (For other articles and comments, see RISKS-13.19, 13.32, 13.37)

Patriot: The missile that missed

While defending the performance of the Patriot missile last week, US Army officers reduced their estimates of how many Iraqi missiles the Patriot hit during the Gulf War. The army now believes that the Patriot successfully intercepted 24 missiles out of about 85 attempts. But it has "high confidence" in only 10 attempts.

Even as the Pentagon renewed its defence of the Patriot's record, new evidence cast additional doubt of its credibility. The congressional General Accounting Office revealed that the army's earlier estimates of the Patriot's success were wildly optimistic and were based on over-hopeful assumptions. For instance, if the army could not find an impact crater from a Scud warhead, it assumed that the Scud had been destroyed by a Patriot. Yet some army units on the scene never bothered to look for craters, says the GAO.

The Congressional Research Service, in a separate analysis of classified Pentagon data, concluded that most of the army's evidence was weak. Steven Hildreth of the CRS says that he is only convinced that one Patriot missile actually destroyed a Scud warhead.

During the Gulf War, President Bush announced to cheering crowds the Patriot had "intercepted" 41 out of 42 Scuds that it was fired at. General Robert Drolet defended Bush's statement at last week's congressional hearing, saying that "intercepted" meant only that "a Patriot and a Scud passed each other in the sky".

The army has abandoned an investigation of Ted Postol, the professor at Massachusetts Institute of Technology, who has been among the Patriot's strongest critics (New Scientist 28th March). Postol had been accused of using classified data in an article he published that was critical of the missile's performance.

[It is very good news, if Ted Postol has been "cleared" and that no action will be taken against him. However the double speak "intercepted" by this article leaves me worried to say the least. Most people will believe the "successes" and thus expect great things to happen. When such over-sold systems fail, it is the scientists, who get the blame and the world starts to reject their achievements instead.]

Lord John - The Programming Peer

------------------------------

Date: Tue, 28 Apr 92 16:36:09 MDT
From: wicklund@intellistor.com (Tom Wicklund)
Subject: Re: Ralph Nader/Cable TV/Information Networks (RISKS-13.44)

> Summary: Your help is needed to secure an amendment to pending cable
>television legislation. [...]

Hmm, is this in risks because of the risks of cable monopolies to consumers or because of the risk of Ralph Nader :-)

Unfortunately, this effort makes the false assumption that cable is a monopoly which needs to be regulated. Cable is in no way a monopoly, and the most effective way to control cable costs has been shown to be competition (rates are much lower in areas with 2 cable providers).

Mr. Nader's effort is, as expected from his political philosophy, an attempt to create a "consumer" group and force cable companies to promote it before their customers.
These consumer groups would pay to have information sent to the consumer, but only "incremental cost" (e.g. the cost of an extra sheet of paper in your cable bill rather than having to pay their own postage).

These groups would lobby regulatory bodies and legislatures. This is apparently needed because regulatory bodies and legislatures are bought and paid for by the cable companies and so we need another organization to represent the citizen.

Of course, there's no reason why a consumer group can't be started by interested individuals and lobby the appropriate bodies -- many such groups exist today. This proposal is an attempt to subsidize such groups, not financially but by legislating reduced cost access to consumers.

This proposal reminds me of (Ralph Nader prompted) "public interest research groups" which have been started on many university campuses. When they started their group at the University of Colorado, they promoted themselves as a consumer protection group, out to protect the average person (e.g. somebody stupid and gullible) from big business.

The problem is that rather than being funded like any other campus group, they proposed that all students be required to pay their fee (about $2.00), then about 4 weeks after the start of the semester, well after tuition and fees had been paid, students could apply for a refund of the fee if they didn't want to pay it, finally receiving the refund several weeks after applying. This method was desired because it provided the group the highest income (much higher than voluntary checkoffs).

Of course, this method plays on the same apathy that they deplored when businesses tried something similar, but the hypocrisy wasn't noticed.

------------------------------

Date: Sat, 2 May 92 13:21:46 PDT
From: "Peter G. Neumann"
Subject: AT&T announces Easy Reach 700

Easy Reach 700 gives each subscriber a Unique Phone Number that remains unchanged for the lifetime of the subscription, and that indirects to wherever you want the call to be received. The caller does not know the receiving number or its location. The service begins on 15 June.

The subscriber can call the assigned 700-xxx-yyyy number, followed by a 4-digit PIN, then 1#, and then the number to which calls are to be routed. This can be done from ANY touch-tone phone (assuming compatible tones, which -- I have noticed -- is not always the case among clone-phones). The subscriber may choose to assign up to 19 different passwords to would-be callers, where the absence of a password blocks the call indirection.

Perhaps the system will be smart enough to detect systematic attacks such as a denial of service from a computer dialing your number, running through as many of the 10,000 possible PINs as necessary until the right one is found, and then forwarding your calls off into space. I suppose you would want automatic calling number identification to detect who is attacking. (I presume that it would indicate the original caller, and not the 700 number!)

Of course, following our discussions of schemes for tracking people (such as by cellular phone IDs), Easy Reach could be misused as an interesting database of your presumed whereabouts...

[Source: San Fran Chron, 29 Apr 1992, p.1]

------------------------------

Date: Fri, 1 May 92 16:08:14 -0700
From: Les Earnest
Subject: Re: Tracking by Cellular Phone (Kush, RISKS-13.44)

I brought up the subject of cellular phone tracking in a short note to RISKS a year or so ago and learned that locating a given phone within a sector having an area of a square mile or so is part of normal operations. All that is needed to track a given phone, whether or not it is in active use, is to save this information in the same way that billing data is saved.

Furthermore, a civil liberties lawyer with whom I discussed this issue believes that as things stand in the U.S., law enforcement authorities may collect and use cellular phone tracking data without a court order, unlike tapping telephones. They would presumably need the cooperation of the cellular phone company in order to do this without a large investment, of course.

My opinion is that cellular tracking data should be accorded the same privacy protection as phone taps.

Les Earnest, 12769 Dianne Drive, Los Altos Hills, CA 94022  415 941-3984
Les@cs.Stanford.edu  UUCP: . . . decwrl!cs.Stanford.edu!Les

------------------------------

Date: Thu, 30 Apr 1992 17:20:50 GMT
From: fulk@cs.rochester.edu (Mark Fulk)
Subject: Re: Tracking by Cellular Phone (Brown, RISKS-13.45)

Wouldn't it be cheaper, simpler, and less intrusive to use Skytel-like satellite pagers to notify people that they have a call? It would work like this:

Your cellular phone contains a satellite paging receiver and antenna. When someone calls you, the switch has the paging satellites transmit your code and the connection id number all over the world. Your phone receives this info, recognizes that it is meant for this phone, puts the connection id into a buffer, and rings. If you pick up the phone and press the "answer" button, the phone transmits the connection id on a standard connection request frequency. The connection id encodes the origin of the call, so the switch at the recipient end can route the call.

You can only be tracked when you answer the phone.

Since a pager id + connection id need only be about 80 bits long, one voice-grade satellite channel would be able to handle at least 800 calls per second. 125 voice grade channels would handle the entire U.S., if every individual had a cellular phone and received about 10 calls per day. (Note that the address of the pager would include the channel it listened to.)

Mark A. Fulk, Computer Science Department, University of Rochester, Rochester, NY 14627  fulk@cs.rochester.edu

------------------------------

Date: Wed, 29 Apr 92 10:25:22 -0700
From: Kevin Paul Herbert
Subject: Re: Tracking by Cellular Phone (RISKS-13.44)

I was talking to my mother yesterday about a new device that she had installed in her car, required by the insurance company in order to insure the car at full value. The device tracks the location of the car with sufficient resolution to even give driving speed. My father called up the service to "test it out", and they said where my mother was driving, as well as indicating that she was driving 30 in a 35...

If she did not get this locating device, her insurer would have only insured the car at up to 50% of the car's value. She didn't know anything about how this data could be disclosed; she hadn't really thought about it. The risks should be obvious.

Kevin

------------------------------

Date: Wed, 29 Apr 1992 16:32 EDT
From: MCULNAN@guvax.georgetown.edu
Subject: Free TRW Credit Report

The RISKS of not checking one's credit report periodically, and especially before applying for a mortgage or other loan or a job have been well documented here and elsewhere. According to USA Today, beginning April 30, you can get a free copy of your TRW credit report once a year by writing to:

   TRW Consumer Assistance, P.O. Box 2350, Chatsworth, CA 91313-2350

Include all of the following in your letter: full name including middle initial and generation such as Jr, Sr, III etc., current address and ZIP code, all previous addresses and ZIPs for past five years, Social Security number, year of birth, spouse's first name. Also include a photocopy of a billing statement, utility bill, driver's license or other document that links your name with the address where the report should be mailed.

Mary Culnan, School of Business Administration, Georgetown University
MCULNAN@GUVAX.GEORGETOWN.EDU

------------------------------

Date: Wed, 22 Apr 92 09:33:38 PDT
From: jrama@ICSI.Berkeley.EDU (Jean Ramaekers)
Subject: Shut Down Ambulance Computer (RISKS-13.38,42,43)

in : The Sunday Telegraph (London), No. 1, 622, April 19, 1992.

Fatal delays shut down ambulance computer

London Ambulance Service has shut down its new L1.5 million 999-call computer system and launched an inquiry into failures that have led to fatal delays in emergency services reaching patients. In a catalog of errors, the capital's ambulance service has admitted defeat and agreed not to implement a second phase of its computer system. But a spokesman said the delays were "not a system problem but human error". ...

Already the LAS was under severe pressure to resolve the software problems following the death of a 20-year-old diabetic, Kerrie Swannell, on February 7. Miss Swannell died of cardiac arrest shortly before the ambulance arrived, an hour after it was called. It was said that calls had been lost when a visual display unit was turned off by mistake. ...

The computer-aided dispatch system (CAD) was introduced in January in south-west London, and despite the "lost 999 calls" was extended to the north-east of the capital on February 25. Mr Barber says the system crashed for 90 minutes every day for more than a week. ...

ICSI, 1947 Center Street, Berkeley Ca 94704-1105  phone (510) 642-4274 ext 147

------------------------------

Date: 23 Apr 92 10:22:00 BST
From: Lord Wodehouse
Subject: London Ambulance - comments

I think that this whole area deserves airing. I hope some other readers in the UK are taking note!

Lord John - The Programming Peer

23 Apr 92 09:45
From: 'm21208@mwvm.mitre.org (Scott Dunham)'@RELAY (remote user)
To: 'w0400 '@RELAY (remote user)
Subject: London Ambulance (RISKS posting)

Date: Thursday, 23 Apr 1992 04:31:27 EDT
From: m21208@mwvm.mitre.org (Scott Dunham)
To: w0400
Subject: London Ambulance (RISKS posting)
Sender: M21208@mwvm.mitre.org

I used to be a public safety dispatcher in California (police, fire, AND ambulance), and all I can say about the current performance of LAS is that it would have gotten our entire staff sacked. Fifteen minutes to answer the phone at a safety critical service is completely, totally, absolutely unacceptable. Our standard was no more than 30 seconds, and generally by the second ring, with arrival of the ambulance at the scene often coming within 5 minutes of the first call. Even that is almost too slow, because you can lose heart attack victims in four minutes.

With eleven people on staff, even 30 calls on the same incident can be handled in a couple of minutes if the staff have a suitable display system available. Once the incident appears in the queue, subsequent calls are a matter of establishing the nature and location of the report (15-20 secs) satisfying yourself that it is indeed a repeat report, and letting the caller know that help is coming. (Another 10 secs, tops!)

Except for absolutely GROSS mismanagement, I can see no reason for such horrible response times as are regularly reported for LAS. Such a service must be held to a performance standard commensurate with the seriousness of its task and assigned sufficient resources to meet that standard. I think it's safe to say that letting people die on the phone would not meet a reasonability check for ambulance service performance...

Scott Dunham (Internet: sdunham@mitre.org)  MITRE/London  011-44-895-426572

------------------------------

Date: Mon, 27 Apr 1992 13:24:22 PDT
From: Robert_Ebert.OsBU_North@xerox.com
Subject: Risks of using cash

My wife works at a major department store. This weekend, she was called upon to translate for two non-English-speaking customers who had been detained for suspicion of passing counterfeit money.

The two young men had made a small purchase (some socks) and paid with a US $50 bill. Something about the bill (or perhaps the men) did not seem "right" to the clerk, and so the men were detained for more than an hour. The police were called, and their wallets were searched for more evidence of counterfeiting. [I don't know whether or not the search was made with permission.] The men spoke and acted innocently, and were confused and afraid by the proceedings.

It was determined that the bill in question was one of the new bills that are designed to *prevent* counterfeiting. Several other stores in the area were contacted in order to make this determination.

The new bills have metallic threads woven into them, have a plastic "id stripe" in the paper that is visible when held up to the light, and have some design modifications. [My info from a "Nova" episode entitled "Making Money"]

I took a look at some new $100 and $50 bills at the local Credit Union, and they do look and feel different from the older bills. Additionally, the printing on the new bills looks rather poor, with green ink from the back "leaking" through to the face and much evidence of black ink being absorbed into the paper creating blur lines. [It's somewhat like the output from my DeskWriter on cheap paper!] It is, however, only marginally worse than the printing on a $20. Perhaps the spotty printing helps to authenticate the bill--color copiers either do not have the problem or also blur the "colored threads".

The men were eventually freed, and advised to "use $20 bills in the future."
Some expired (but not forged) documents turned up as a result of the search were confiscated from one of the men. No attempt so far has been made to inform the rest of the store clerks of the different bills.

It is disturbing to note that not much publicity has surrounded the issuing of the new bills. Neither the store personnel, the city police, nor the tellers at my bank knew anything about them, and if it hadn't been for the Nova episode neither would I. While it may be risky to publicise anti-counterfeit measures, it seems more risky to hide the information from those who need to determine the legitimacy of the cash.

During my interaction with my bank teller I was also making a withdrawal, and was offered one of the $50 bills... I opted for $20s instead :)

--Bob (bebert.osbu_north@xerox.com)

------------------------------

End of RISKS-FORUM Digest 13.46
************************