Subject: RISKS DIGEST 16.35
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 25 August 1994  Volume 16 : Issue 35

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

[Info on RISKS (comp.risks): omitted from this issue]

Contents:
Fraud and Identity (Mich Kabay)
Summary of Der Spiegel interview with Airbus' Bernard Ziegler (Peter Ladkin)
CORRECTION, Report on the *1993* Gatwick near-miss (PGN)
Re: pi = 3 (James Dudley, L. P. Levine)
Re: The new Cray and Unix passwords... (Chris Ransom)

----------------------------------------------------------------------

Date: 20 Aug 94 17:13:41 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: Fraud and Identity

According to the U.K. Press Association newswire (94.08.10), the final culprit has been jailed for defrauding the British social security administration of a small fortune:

LAWYER'S DAUGHTER JAILED FOR BENEFITS FRAUD
By Melvyn Howe, PA News

`The daughter of a wealthy and respected lawyer was jailed for three and a half years today for her part in a massive countrywide social security fraud. Public school educated Olu Atobatele, regarded as a "pariah" by her "shamed" family, took a leading role in a highly sophisticated operation which involved 2,000 false identities and was the largest benefits conspiracy of its kind in Britain.'

Key points from the article:

o Part of a gang of 11 who defrauded the Crown of 1 million pounds.

o She herself stole 90,000 pounds in 20 months.

o The gang members used "details of students' identities" and fabricated identities using information "from the Death Register at St Katherine's House, as well as identities from the British and African edition of Who's Who to make more than 240 bogus claims for income support between early 1992 and August last year."

o The Department of Social Security "has instituted new procedures" to reduce fraud as a result of this scam.

[Comments from MK: Please skip on to the next message if you're not in the mood for a leisurely stroll through some speculation. I got to thinking about this case of a Saturday afternoon and wrote down this little essay on identity in the real world and in cyberspace.

Impersonation is one of the techniques used by criminals, including criminal hackers, to acquire goods and services belonging to or due to others. Many people will be familiar with the techniques of "social engineering" (properly called "lying, cheating and extorting") used by criminal hackers to obtain information needed in penetrating restricted systems. Such techniques include impersonating journalists, technicians and high-ranking personnel.

High-resolution colour scanners, photocopiers, printers and image-processing software have been turned to evil effect by high-tech forgers of currency and of authenticating documents. In the case above, criminals were able to bamboozle human beings into entering false information into computerized systems--a kind of data diddling at one remove.

Disproportionate public outrage over much-publicized social services fraud by immigrants is pushing many jurisdictions towards insisting on biometric pattern recognition (e.g., fingerprints) to authenticate claims on social entitlements. Such a system would preclude inventing identities to be claimed by the same human being, since the "different" people would all have the same fingerprints.

However, biometric systems do not solve the fundamental problem: the difficulty of authentication of identity in today's world of fragmented communities and highly mobile individuals.

Consider the true story underlying the film "Le Retour de Martin Guerre" (severely distorted in the US remake called "Sommersby"). A young man in mid-Renaissance France is forced to marry an even younger woman against their wishes because of family pressures. After seven years of unconsummated marriage, he runs away, only to reappear many years later.
With his detailed knowledge of everything he ought to know as Martin Guerre, he is re-integrated into his village despite oddities like the wrong shoe size and hostility from his own dog. Even his wife welcomes him back to the conjugal bed. However, envious relatives eventually challenged him as an imposter. The real Martin Guerre reappears and the imposter is hanged.

This story has been part of French history for centuries precisely because successful imposture was so unusual in agrarian Europe. Most people never travelled more than a day's journey from their place of birth in their entire lives. They married the people they had known all their lives; they were no more likely to take on other identities than to learn to read.

Now contrast today's world: there would be nothing unusual about being born in Tucson, growing up in San Francisco, going to college in Boston, taking the first job in Chicago, moving to Denver, and ending up in Syracuse with a spouse from Edmonton. In such a society it's a wonder that there aren't _more_ impersonations--and who knows, maybe there are lots but they're real successful.

Benjamin Wright, author of _The Law of Electronic Commerce_ and instructor in the National Computer Security Association's online seminar on _EDI Security_ has often commented that we seem to demand more of identity in cyberspace than we do in reality. Suppose Able Baker carries on a discussion with Charlie Delta; does it matter to either "who" the other is in another context? What _would_ matter is for an imposter to pretend to be Able or Charlie and interfere in their communication by inserting fraudulent messages or intercepting legitimate messages.

Real-world authentication fails because of reliance on paper documents which are just too easy to falsify; perhaps computer-based authentication could reduce such fraud. Despite relatively poor reliability for any one biometric technique, the error rates for combinations are very low.
Combining any two of, say, fingerprints, retinal scans and signature dynamics, for example, would provide trustworthy authentication. The question will be cost-effectiveness; would the enormous expense of installing huge numbers of biometric input devices and the network and database infrastructure be seen as justified? And would the costs of protecting the "cyberspace shadow" (as some writers are calling it) against tampering exceed the reduction in fraud?

The remaining difficulty is the bridge between social identity and identity in cyberspace. How does one ensure that the person registering as Echo Foxtrot _really is_ Echo Foxtrot in other aspects of his life? And how much do we care? Enough to implant a non-forgeable device in the person's body at birth or upon receiving legal immigration status? Yuk! Sounds like the basis for a police state, doesn't it?

I predict that under the increasing pressures of immigration (legal and illegal), increasing economic disparities, and continuing entitlement programs, the occurrence of impersonation will increase. At some point, fingerprinting will become mandatory for all claims on the social welfare systems; eventually, pressures will mount for authentication even in the initial claims for entitlements. At that point, societies will turn to mechanisms of authentication familiar to computer system users.

Will the time come when microprocessors will be implanted under people's skin to transfer their cryptographically-sound identifiers on demand? And what will the consequences of such institutionalized scepticism be on social relations? Will people meeting in person for the first time press their wrists together to exchange public keys? Will those who refuse to participate in rituals of authentication be frowned upon? And will such tokens become valuable commodities--valuable enough to steal and trade in the underworld? Sounds like the subject for an interesting science fiction novel.]

M.E.Kabay/DirEd/Natl Computer Security Assn (Carlisle, PA)

------------------------------

Date: Sat, 20 Aug 1994 21:32:45 +0200
From: Peter Ladkin
Subject: Summary of Der Spiegel interview with Bernard Ziegler, Airbus Ind.

The German newsweekly Der Spiegel, issue 33 (1994) dated 15 Aug 94, contains an interview with Bernard Ziegler, described as Technical Director of Airbus Industrie, responsible for flight test and certification (`Zulassung') of all Airbus aircraft. There is a short background statement concerning the accidents on pp160-161, and the interview is on pp161-164.

The interview focuses on the reliability of Airbus aircraft, in the light of the following crashes: Bangalore, Feb 90 (A320: landed short of the runway in clear weather, 92 dead); Strasbourg, Jan 92 (A320 descended into a hill in clouds on a backcourse approach to the airport, 87 dead); Warsaw, Sep 93 (A320, landing in a thunderstorm, overran the runway, 2 dead, many injured); Nagoya, Apr 94 (A300, copilot and autopilot in control conflict, eventually nose rose at an extreme angle and the plane stalled, crashing tail first onto the ground, 246 dead); Toulouse-Blagnac Jun 94 (A330, testing engine-out go-arounds, stalled and crashed, 7 dead including the Airbus chief test pilot). The Habsheim A320 accident is not mentioned.

The header to the intro says: "Airbus Industrie is under pressure. Twelve total-losses since 1987 with 815 dead have awakened doubts about the concept of airplanes dependent on electronics [`elektronisch hochgeruesteten Flugzeuge']. Do technical failures contribute to the series of accidents? Or are pilots overextended by the `flying computers'?"

Here is a summary of what I surmise are the salient parts of the interview for RISKS readers.

[begin summary]

Ziegler says they've had a lot of bad luck recently, contrasted with the first 14 accident-free years (except for the Iranian Airbus shot down by the US Navy).
But he suggests comparing the record of the A320 with that of the B727, B737 or DC9 when they were introduced. He says that Airbus is 30 per cent better than the average of all builders - but he wants to be 100 per cent better.

He says there's no reason to change the Airbus `philosophy' of taking over some of the pilot's tasks by computer, pointing out that all of the new technology developed by Airbus, from `glass cockpit' to new types of autopilot, has been followed by `all the others'. And, `[..] the pilot still has the last decision. Whoever suggests the contrary doesn't know what they're talking about.'

They discuss the problems in Warsaw concerning the late deployment of airbrakes and thrust reverse, concerning which he points out that (a) it's a requirement for all modern airplanes that deployment is not enabled until the plane is firmly on the ground; and (b) there are particular limits on landing, for example not when a tailwind is stronger than 10 knots, or when the landing speed is too high. In Warsaw, these boundaries, which were carefully ascertained in test flights, were crossed. Also, runway overrun is one of the `classical' airplane accidents, regardless of type.

When asked why the Polish investigators singled out late deployment of airbrakes and reversers, he noted that the report also misses important details, including the problem with the false weather information given to the pilots, and notes that many of the Polish recommendations contradict various requirements of the air transport supervisory authorities. He said that the level of the compression sensors on the landing gear, and the landing logic, has been changed for Lufthansa at the request of the client, but that only an expert can tell the difference between the old and the new landing logic.

There follows a discussion about computers vs other kinds of flight control, during which he says that there is in principle no difference between more traditional methods of control and the fly-by-wire of the A320, and that it's an illusion to believe that there's ever a direct connection between the pilot's hand and the behavior of an airplane - flying is in this sense something artificial. He says that there are always ways to improve airplanes, and they remain in close contact with the clients to make such improvements.

He is asked about the involvement of the autopilot in Nagoya, and about a prima facie similar problem with an autopilot in 1991 in Moscow (an A310), and why Airbus had not modified all the autopilots of these types. He replies that requiring expensive modifications is not a simple matter, and must first be thoroughly investigated to see if they cause more problems than they solve [not his phrase - I am paraphrasing. pbl]. He notes that Boeing has waited twelve years before recommending modifications in one case. He says that in conjunction with the certification authorities, Airbus had developed an autopilot modification and recommended that A300-600 clients perform it, and after the Moscow incident had notified everyone officially of the correct use of the autopilot [there are standard procedures for doing these things - he's pointing out that the standard procedures for clarification of operating procedure were vigorously pursued. pbl] After the Nagoya accident, Airbus decided that the modifications they had recommended to A300-600 and A310 aircraft should be mandatory. It will take about 2 years and $60m to alter the fleet.

When asked about the `spectacular crashes' in India, he rejects the categorisation and points out the statistics for India show that it's a difficult environment for airlines, and that the A320 crash happened right after two B737 crashes. There's then some discussion of pilot training and capabilities.

Concerning the A330 test flight crash in Toulouse, he points out that it was a difficult but not dangerous test, and in response to a question concerning entering the right autopilot `flight level', he points out that it was mistakenly left at 2000ft but should have been at 7000ft according to the checklist. He says that the fundamental error was that the crew let the nose-high, low-speed situation persist too long, and speculates why: because they took the nose-high situation for an anomaly and they wanted to see what would develop [according to the preliminary report, it was pilot commanded. They were confused as to which mode the flight control was in. pbl]; because the test engineer trusted the pilot to know when to return to normal; and Nick Warner [the chief test pilot of Airbus, one of the two pilots. pbl] had been criticised before by test engineers for retaking control too quickly, and maybe was sensitive to potential criticism in this case also. It was a question just of two seconds delay. The consequences, he says, will be that automatic protection will be developed that will rule out such extremely unlikely accidents, and that the A330 and A340 will be the first aircraft to be protected automatically against the development of such a flight condition (`entsprechend ueberzogenen Flugzustand').

[end summary]

A few comments -

Warsaw: Ziegler correctly points out regulations concerning thrust reverse and airbrakes. However, no mention was made by the interviewer or Ziegler of the wheel brakes themselves. The wheels did not spin up on landing to the required speed to allow the anti-skid system to function as designed. Ziegler's selection of the tailwind for commentary raises some hypothetical considerations. At the given landing speed, with the tail wind, the wings were developing less lift than they would have been without the tail wind, making it more likely that the braking functions would have been enabled by the sensors.
On the other hand, had there been no tailwind, the pilots would have landed at the same indicated airspeed, which would have given them 10 kts slower ground speed, but the same amount of lift preventing the sensors from indicating ground contact. For similar problems not to have occurred in this situation, the wheels would have not to have aquaplaned at this slower landing speed. But in the accident situation, they did not appear to spin up to speed until the ground speed was well below this, and much more of the airplane weight was on the wheels.

It's a simple consequence of the landing logic that braking systems did not deploy under the landing condition in Warsaw, as may be seen from an inspection of the description of the logic in the Flight Crew Operating Manual. The sensor settings and landing logic have apparently been changed sufficiently so that A320s landing in similar conditions, in a similar manner to the accident airplane, will not suffer a lengthy delay in activation of braking systems (brakes, airbrakes, thrust reversers). The logic is written in the Flight Crew Operating Manual which your local A320 pilot might be happy to show you.

Bangalore: it appears the pilots were confused as to which control mode the airplane was in. Under the particular conditions of flight, the engines went to flight-idle and the airplane descended rapidly into the ground while the pilots were trying to figure out what was going on.

Nagoya: The autopilot appears to have been engaged and in `go-around' mode (`abort landing, gain altitude quickly'). The copilot, who was flying, was pushing hard forward on the control column trying to land the airplane. The autopilot was counteracting this by configuring the airplane aerodynamically for full nose-up (this `trim' feature is a standard control in all airplanes).
When the copilot eventually let go of the column, the airplane's nose rapidly rotated upwards to an extremely high angle (given the trim condition, this is what one would expect) and the speed decayed severely, causing the aircraft to stall nose-high, close to the ground. It hit the ground tail-first. The standard procedure in which pilots are trained (on this and all other transport airplanes) is to disconnect the autopilot and ensure it is disconnected if they want to hand-fly the plane onto the runway. There are numerous puzzles concerning this accident.

Toulouse: Under the correct checklist settings, the pitch (nose-upward angle) of the aircraft on takeoff would have been automatically controlled when the autopilot was engaged. The co-pilot who was flying rotated on take-off to a high angle. Meanwhile, Warner engaged the autopilot (which took three tries) and `failed' the left engine. It's surmised they were expecting the autopilot to return the aircraft to a precise pitch as it handled the situation, as planned. The aircraft was flying in a different control regime than planned due to the mistaken altitude-capture setting of 2000ft rather than 7000ft on the autopilot. Pitch was not `protected' by the autopilot in this regime. Speed decayed rapidly since the nose did not go down, the aircraft was unable to maintain lateral control when it was below the airspeed required to do so, and yawed and rolled. After this situation had developed, Warner throttled back the right engine to regain lateral control, as well as regaining wings-level and nose-level. When control was regained, the ground was just a little too close. There are a couple of important reports on this accident in Flight International for 10-16 Aug and 17-23 Aug.

The Strasbourg crash was reported in RISKS-13.06, with follow-ups in numerous immediately following RISKS-13 numbers. The official verdict was reported in RISKS-14.74, with follow-ups in 14.76 and 14.77.
Warsaw, Nagoya and Toulouse accidents have been discussed in RISKS-15.13, 15.30, 15.31, 15.32, 15.36, 16.07, 16.13, 16.14, 16.15, 16.16, 16.22 and 16.23. For a survey of these accidents (except for the A330), see RISKS contributor Peter Mellor's paper: `CAD: Computer-Aided Disaster'. Additional comments on Airbus aircraft may also be found in RISKS-13 numbers 06,07,08,09,11,12,16,19,20,21,22,23,24,27,64,67; and RISKS-14 numbers 01,07,74,76,77.

Peter Ladkin

------------------------------

Date: Thu, 25 Aug 94 10:23:10 PDT
From: "Peter G. Neumann"
Subject: CORRECTION, Report on the 1993 Gatwick near-miss (Ladkin, RISKS-16.34)

I must apologize for an overzealous attempt to correct what appeared to be an error. Peter Ladkin's message explicitly referred to the *1993* Gatwick near-miss. I was reading some out-of-band communications in which there had been a date error that made it appear that the *1993* was incorrect, so I miscorrected it miscorrectly. Sorry. Mea culpa. PGN

------------------------------

Date: Wed, 24 Aug 94 20:52:40 EST
From: james@cssnps.com (James Dudley)
Subject: pi = 3 (Re: Wayner, RISKS-16.34)

Actually, my home state of Indiana did try to legislate that the value of pi should be 3. Here is some information from the alt.folklore.urban archives from an article written by Mark Bader (msb@sq.com) (Further information can be found in "Mathematical Cranks", Underwood Dudley, The Mathematical Association of America, Washington D.C.).

James Dudley

THE STORY

The author of the bill was Dr. Edwin J. Goodwin, an M.D., of Solitude, Indiana. It seems that he was a crank mathematician. He contacted his Representative, one Taylor I. Record, with his epoch-making suggestion: if the State would pass an Act recognizing his discovery, he would allow all Indiana textbooks to use it without paying him a royalty.

Nobody in the Indiana Legislature knew enough mathematics to know that the "discovery" was nonsense.
In due course the bill had its third House reading, and passed 67-0. At this point the text of the bill was published "and, of course, became the target for ridicule", "in this and other states".

By this time a real mathematician, Prof. C. A. Waldo, had learned what was going on. In fact, he was present when the bill was read on February 5, 1897. ("...imagine [the author's] surprise when he discovered that he was in the midst of a debate upon a piece of mathematical legislation. An ex-teacher was saying ... 'The case is perfectly simple. If we pass this bill which establishes a new and correct value for Pi, the author offers ... its free publication in our school text books, while everyone else must pay him a royalty'", Waldo wrote in a 1916 article.)

But the House had passed the bill. Fortunately, Indiana has a bicameral legislature. The bill came up for first reading in the Senate on Thursday, February 11. Apparently in fun, they referred it to the Committee on Temperance. The Committee reported back on Friday, February 12, approving the bill, which then had its second reading.

The Indianapolis Journal reported what happened: "The Senators made bad puns about it, ridiculed it, and laughed over it. The fun lasted half an hour. Senator Hubbell said that it was not meet for the Senate, which was costing the State $250 a day [!], to waste its time in such frivolity ... He moved the indefinite postponement of the bill, and the motion carried. ... All of the senators who spoke on the bill admitted that they were ignorant of the merits of the proposition. [In the end,] it was simply regarded as not being a subject for legislation."

ANNOTATED TEXT OF THE BILL

/* Following is the text of Indiana House Bill #246 of 1897, with my
 * own annotations (in comment signs and exdented, like this text).
 * In my annotations, A, r, d, c, and s are respectively the circle's
 * area, radius, diameter, circumference, and the side of the inscribed
 * square.
 */

    A bill for an act introducing a new mathematical truth and offered
    as a contribution to education to be used only by the State of
    Indiana free of cost by paying any royalties whatever on the same,
    provided it is accepted and adopted by the official action of the
    legislature of 1897.

/* You normally have to pay royalties on mathematical truths?
 * The Pythagoras estate must be doing well by now...
 */

    SECTION 1. Be it enacted by the General Assembly of the State of
    Indiana: It has been found that a circular area is to the square on
    a line equal to the quadrant of the circumference, as the area of an
    equilateral rectangle is to the square on one side.

/* The part after the last comma is a remarkable way of saying
 * "as 1 is to 1". In other words, this says A = (c/4)^2, which
 * is the same as A = (pi*r/2)^2 = (pi^2/4)*r^2 instead of the
 * actual A = pi*r^2.
 */

    The diameter employed as the linear unit according to the present
    rule in computing the circle's area is entirely wrong, as it
    represents the circle's area one and one-fifth times the area of a
    square whose perimeter is equal to the circumference of the circle.

/* The formula A = pi*r^2 is interpreted as A = d*(c/4), which is correct.
 * The author claims that the d factor should be c/4, so the ratio of
 * the area by the author's formula to the area by the real formula
 * is c/(4*d), that is, pi/4. Since he believes pi = 3.2, this ratio
 * is 3.2/4, which is 4/5. Therefore the area by the author's rule
 * is 1/5 smaller than the actual area. Now he apparently thinks that
 * the reciprocal of 1-1/5 is 1+1/5, and thus that the other area is
 * 1/5 larger than his area, which of course would actually require
 * the ratio to be 5/6.
 */

    This is because one-fifth of the diameter fails to be represented
    four times in the circle's circumference.

/* In other words, c = (1-1/5) * (4*d); consistent with pi = 3.2.
 */

    For example: if we multiply the perimeter of a square by one-fourth
    of any line one-fifth greater than one side, we can in like manner
    make the square's area to appear one fifth greater than the fact, as
    is done by taking the diameter for the linear unit instead of the
    quadrant of the circle's circumference.

/* He says that if we consider the area of a square of side x to be
 * (4*x)*(x/4) and we replace the second x by (1+1/5)*x, we get an
 * area 1/5 too large, and this is analogous to using d in place of
 * c/4 with the circle.
 */

    SECTION 2. It is impossible to compute the area of a circle on the
    diameter as the linear unit without trespassing upon the area
    outside the circle to the extent of including one-fifth more area
    than is contained within the circle's circumference, because the
    square on the diameter produces the side of a square which equals
    nine when the arc of ninety degrees equals eight.

/* I can only assume that "nine" is a mistake for "ten". See also
 * the annotation after the next one.
 */

    By taking the quadrant of the circle's circumference for the linear
    unit, we fulfill the requirements of both quadrature and
    rectification of the circle's circumference.

/* Getting repetitive here... */

    Furthermore, it has revealed the ratio of the chord and arc of
    ninety degrees, which is as seven to eight, and also the ratio of
    the diagonal and one side of a square which is as ten to seven,
    disclosing the fourth important fact, that the ratio of the diameter
    and circumference is as five-fourths to four; and because of these
    facts and the further fact that the rule in present use fails to
    work both ways mathematically, it should be discarded as wholly
    wanting and misleading in its practical applications.

/* The meat of the bill. He says that s/(c/4) = 7/8, and d/s = 10/7,
 * therefore d/c = (10/7)*(7/8)/4, which he reduces only as far as
 * (5/4)/4. Of course this is 5/16, and gives pi = c/d = 16/5 = 3.2.
 * It also implies that the square root of 2 is 10/7.
 */

    SECTION 3. In further proof of the value of the author's proposed
    contribution to education, and offered as a gift to the State of
    Indiana, is the fact of his solutions of the trisection of the
    angle, duplication of the cube and quadrature of the circle having
    been already accepted as contributions to science by the American
    Mathematical Monthly, the leading exponent of mathematical thought
    in this country.

/* When I first posted this I assumed that the A.M.M. must have had a
 * policy of politely acknowledging crankish submissions, but apparently
 * at one time they simply printed whatever they were sent. I haven't
 * checked this out.
 */

    And be it remembered that these noted problems had been long since
    given up by scientific bodies as unsolvable mysteries and above
    man's ability to comprehend.

/* "Given up" is not the same as "proved insoluble"! */

[Also noted by pcw@access.digex.net (Peter Wayner), "Tom Zmudzinski", who suggests using 355/113, mhaynes@bgsu.edu (Michael F. Haynes), clark@cpd125.cpd.ford.com (Andrew Clark), nhy@panix.com (Nina H. Yuan), George Jansen, dalamb@qucis.queensu.ca (David Lamb), and cc32859@vantage.fmrco.com (Donald Sharp), who wonders ``how many other technically flawed ideas have actually been codified into law because not enough people in the legislature understood flaw? And what is the risk involved in trying to implement laws that contradict the fundamental truths of nature?''. (However, two of those remembered the state incorrectly.) I am delighted to have this urban nonlegend put to rest. Thanks. PGN]

------------------------------

Date: Thu, 25 Aug 1994 06:56:54 -0500 (CDT)
From: "Prof. L. P. Levine"
Subject: PI = 3

There are two biblical verses that show PI to have a value of three.
They seem to be the same information repeated, but from the King James version as reported in the Library of the Future CDROM, which seems to be filled with texts from the past:

Kings-1 verse 7:23
And he made a molten sea, ten cubits from the one brim to the other: [it was] round all about, and his height [was] five cubits and a line of thirty cubits did compass it round about.

Chronicles-2 verse 4:2
Also he made a molten sea of ten cubits from brim to brim, round in compass, and five cubits the height thereof; and a line of thirty cubits did compass it round about.

Leonard P. Levine, Professor, Computer Science, Univ. of Wisconsin-Milwaukee
Box 784, Milwaukee, WI 53201  levine@cs.uwm.edu  1-414-229-5170

------------------------------

Date: Thu, 25 Aug 94 09:45:13 PDT
From: "Chris Ransom"
Subject: Re: The new Cray and Unix passwords...

Mr. Wayner neglects to consider the "salt" values used to hash the passwords which prevent this type of attack. All 1000 passwords would likely require independent encryption with unique salt values.

Chris Ransom  chris@quests.com

------------------------------

End of RISKS-FORUM Digest 16.35
************************
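
The point made in the last message above (Re: The new Cray and Unix passwords...), worked through as an added example that is not part of the digest or of any contributor's post: a weak-password audit over 1000 entries hashes each guess once when the file is unsalted, but once per entry when every entry has its own salt. Salted SHA-256 stands in for the Unix password hash of the time, and the accounts, passwords, salts and word list are all constructed for the illustration.

```python
import hashlib

WORDLIST = ["123456", "password", "letmein", "qwerty"]  # constructed guess list


def hash_password(password, salt):
    # Stand-in hash (assumption): SHA-256 over salt || password, not the
    # DES-based crypt(3) a 1994 Unix system would have used.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def sample_accounts(n=1000):
    # Constructed accounts: unique filler passwords plus three weak ones.
    accounts = {f"user{i:04d}": f"pw-{i}-constructed" for i in range(n)}
    accounts["user0007"] = "password"
    accounts["user0008"] = "password"  # same password as user0007
    accounts["user0420"] = "letmein"
    return accounts


def build_password_file(accounts, salted):
    # One (salt, digest) entry per user. A unique 2-byte salt per entry is
    # derived from the index so the run is repeatable; a real system would
    # pick the salt at random when the password is set.
    table = {}
    for i, (user, password) in enumerate(sorted(accounts.items())):
        salt = i.to_bytes(2, "big") if salted else b""
        table[user] = (salt, hash_password(password, salt))
    return table


def shared_digests(table):
    # Number of digest values that appear for more than one user, i.e. how
    # many groups of users visibly share a password in the stored file.
    counts = {}
    for _salt, digest in table.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def audit(table, wordlist):
    # Check every guess against every entry, hashing once per distinct
    # (guess, salt) pair. Returns (users with a listed password, hash count).
    by_salt = {}
    for user, (salt, digest) in table.items():
        by_salt.setdefault(salt, {}).setdefault(digest, []).append(user)
    weak, hashes = set(), 0
    for word in wordlist:
        for salt, digests in by_salt.items():
            hashes += 1
            weak.update(digests.get(hash_password(word, salt), []))
    return weak, hashes


if __name__ == "__main__":
    accounts = sample_accounts()
    for salted in (False, True):
        table = build_password_file(accounts, salted)
        weak, hashes = audit(table, WORDLIST)
        print(f"salted={salted}: {hashes} hash computations, "
              f"{shared_digests(table)} shared digests, weak={sorted(weak)}")
```

The same three weak accounts are found either way; what changes is that the work grows from one hash per guess to one hash per guess per salt, and that identical passwords no longer produce identical stored digests.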