23-Mar-86 20:54:06-PST,12576;000000000000
Mail-From: NEUMANN created at 23-Mar-86 20:50:07
Date: Sun 23 Mar 86 20:50:07-PST
From: RISKS FORUM (Peter G. Neumann, Coordinator)
Subject: RISKS-2.33
Sender: NEUMANN@SRI-CSL.ARPA
To: RISKS-LIST@SRI-CSL.ARPA

RISKS-LIST: RISKS-FORUM Digest, Sunday, 23 Mar 1986 Volume 2 : Issue 33

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  RSO's and IIP's - Martin Moore's response (Dave Curry)
  Omissions/commissions and missile destructs (Chris McDonald)
  Blind and Paper Money (sdo)
  Two Cases of Computer Burglary (NY Times)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.)
(Back issues Vol i Issue j stored in SRI-CSL:RISKS-i.j. Vol 1: MAXj=45)

----------------------------------------------------------------------

Date: Fri, 21 Mar 86 08:00:21 EST
From: davy@ee.purdue.edu (Dave Curry)
To: risks@sri-csl.arpa
Subject: RSO's and IIP's - Martin Moore's response

This is Martin Moore's response to my questions about RSO's and IIP's which appeared in RISKS-2.32. It is forwarded with his permission.

Dave

------- Forwarded Message

Good question...I guess I forget that not all of the audience is familiar with space launch details and orbital mechanics. I'll try to explain the IIP's relation to the world and how it is used...

Simply stated, the IIP of an object is the intersection of its ballistic trajectory (or "orbit") with the surface of the Earth. An object is in a ballistic trajectory when it is not accelerating under its own power; its acceleration is due only to gravitational effects (in short, it's falling.)
The trajectory can be determined almost entirely from the object's position (mostly altitude) and velocity vector relative to the Earth (there are minor effects due to aerodynamics and various anomalies but these can be ignored for this type of calculation -- they take a great deal of computation to yield a relatively small correction.)

An object which is resting on the Earth's surface is located at its IIP. An object in free orbit does not have an IIP; its orbit does not intersect the Earth's surface. For an object falling through the atmosphere (which is what our missile would do if its thrust terminated) the IIP becomes interesting.

Since the IIP is the end result of an object's ballistic trajectory, the IIP does not change when the object is not accelerating; conversely, while the missile is accelerating, the IIP moves downrange *FAST*. (Consider that the Challenger explosion occurred 8 miles or so downrange, but most of the pieces impacted 20-40 miles downrange.) So on a normal missile launch the IIP starts on the launch pad; as the missile launches the IIP moves downrange very fast until it eventually moves off the planet (if an orbital launch) or to the target area (for a weapons test) or something is wrong. On a shuttle launch, the IIP has moved off the planet by MECO (about +520 seconds); the shuttle's engines cut off even though it has not yet achieved orbit -- it "coasts" on up to orbit based on the velocity vector it has achieved through powered flight.

Now, to answer your question, missiles launched at the Cape NEVER fly over land intentionally except at the very first seconds (unavoidable) or during a shuttle landing (when the Orbiter is flying by itself and the dangerous parts have been dropped.) This is why the launch facility at Vandenberg was built; shuttles cannot be launched into polar orbits from the Cape because there is land both due north and due south.
On *any* launch, violation of the destruct lines means something is wrong (they are drawn with the missile's nominal trajectory in mind) and the population is endangered. Missiles can be obviously bad *without* crossing the destruct line; if a second stage, say, fails to ignite, the IIP stops halfway downrange and the missile falls into the drink. It is generally wise to blow it up in this case as if it falls intact the fuel is not very good for the environment.

Unmanned missiles are pretty easy: something goes wrong, you blow it up. Obviously, this has to be modified with the Shuttle; if it's performing an abort you don't blow it up (the tanks and solids are already gone; the Orbiter is no threat.) If it goes awry and curves back over land *but* the crew is still in control (which is at least theoretically possible) you let it go as long as they are in control -- they may be able to recover for a landing or at least get it back over the ocean, drop the tank (you don't want to blow it over land -- would shatter every window in Brevard County), and try to ditch and have at least a chance of surviving.

Whew. I hope this has answered your question. Feel free to follow up if it hasn't or if you have other questions.

/mjm

- ------

------- End of Forwarded Message

------------------------------

Date: Fri, 21 Mar 86 13:09:06 MST
From: Chris McDonald SD
Subject: Omissions/commissions and missile destructs
To: RISKS@SRI-CSL.ARPA

Regarding Dave Curry's musings about his never having heard about a "missile going back over the US", in fact missiles go over the US on a daily basis at White Sands Missile Range. As a 4,000 square mile DoD test facility the Range has been an inland range for missile and rocket firings for over 40 years. This fact has some bearing on the discussion of omissions/commissions in flight safety computers because major cities surround the Range resulting in legitimate safety concerns.
During the last 40 years not every flight has range boundaries and in one well-publicized incident a rocket landed in a Juarez, Mexico cemetery.

While redundancy in flight safety computers has so far precluded an accident or incident attributable to a computer, there was one incident in which a missile was destroyed by computer because of a breakdown in trajectory tracking data transmissions. The computer was programmed to automatically destroy the missile if it did not have tracking data from a specified number of radars. The rationale behind this was that, if one lost radar track given the manner in which the test was structured, the missile was well off course and should be destroyed.

Even though there was redundancy in radars, a situation occurred in which radar problems precluded the flight safety computer from receiving the anticipated tracking data. Launch occurred and from all personnel accounts appeared to be nominal. But in fact the computer was not receiving the tracking data immediately after launch to predict what another contributor referred to as IIP or Instantaneous Impact [that] destroyed the missile.

All readers can well understand that the project manager for the missile system involved was extremely upset over the destruction of his test item.

------------------------------

From: celerity!sdo@sdcsvax.ucsd.edu
Date: Sat, 22 Mar 86 14:35:40 pst
Subject: Blind and Paper Money
Apparently-To: risks@sri-csl.ARPA

One solution I have heard proposed to the problem of the blind being unable to read the denomination of paper currency is to cut off the corners of the bills.

  The $1 bill would have 4 corners cut off.
  The $5 bill would have 3 corners cut off.
  The $10 bill would have 2 corners cut off.
  The $20 bill would have 1 corner cut off.
  The $100 bill would have 0 corners cut off.

Forgery would be limited since cutting off a corner of a bill would decrease its value. This is much simpler and less costly than "talking money".

[This may seem unrelated to Computer RISKS. However, in some cases -- believe it or not -- the best solution may not involve technology. However, this solution still begs fraud by copy machine. It is easy to cut corners off of a copy... But, let's blow the whistle on this topic for now. PGN]

------------------------------

Date: 22 Mar 1986 12:50-PST
Sender: GEOFF@SRI-CSL.ARPA
Subject: It would take someone really sophisticated, with a Ph.D in math or CS.
From: the tty of Geoffrey S. Goodfellow [...]
Cc: Neumann@SRI-CSL.ARPA

This story made the front page of the Palo Alto TimesTribune:

a775 21-Mar-86 12:32
ny
BCBURGLARY
Two Cases of Computer Burglary
(WashPage)
c.1986 N.Y. Times News Service

WASHINGTON - Jennifer Kuiper was working late at her computer terminal in the office of Rep. Ed Zschau of California on March 7 when she heard a beep that told her someone had entered the computer system from an outside telephone line.

Twenty minutes later, her computer screen went blank. When service was restored, copies of more than 200 letters sent to constituents and information on mailing addresses had disappeared.

Four days later, staff workers for Rep. John McCain of Arizona told the police they had discovered that someone outside their office had reached into McCain's computer and destroyed hundreds of letters and mailing addresses over the lunch hour.

Why the computers were entered from the outside, and by whom, is now the subject of a criminal investigation by the Capitol police and the United States attorney for the District of Columbia. They say they have ruled out the possibility of staff error in destruction of the records and have some leads. But they refuse to discuss possible motives.

Both Zschau and McCain are Republicans, neither yet a House leader but both increasingly visible on Capitol Hill. Both are seeking Senate seats in the November elections.

These were apparently the first computer break-ins on Capitol Hill, where computers are increasingly being used, especially for recordkeeping and answering mail.

''This is definitely a concern,'' said Inspector Robert R. Howe of the Capitol police. ''We're looking into better controls to prevent it from ever happening in the future.''

Zschau, who taught computer courses at Stanford Business School, and founded and for 13 years was president of System Industries, a computer software company, said the illegal entering of his office computer was ''tantamount to someone breaking into my office, taking my files and burning them.''

''I am very concerned,'' he added, ''and the police would be more concerned if this were a physical break-in.

''Because people don't see the files overturned or a pile of ashes outside the door, it doesn't seem as bad,'' he continued. ''But it is equally as devastating. We rely on computers a lot for correspondence, writing articles and keeping a record of the history of the letters and responses sent to our constituents.

''Every office on Capitol Hill can be broken into in this way and the files deleted. It can bring the work that a member of Congress does to a complete halt.''

After both break-ins, the copies of most of the lost records were regained from duplicate files.

''We were lucky,'' said James M. LeMunyon, administrative aide to Zschau. ''We had back-up computer tapes that restored all but 30 of the 200 letters. My greatest concern was that they might have destroyed our lists of constituents' names.''

Stephen A.
Armstrong, vice president of Micro Research, the company that provides computers and related equipment to more than 150 members of Congress, including both Zschau and McCain, said that whoever broke into the computers ''would have to have a password and two security codes to get in.''

In a congressional office that has computers, the system operates independently of systems in other offices, and each staff member has a personal password to gain access to computer files. For someone to enter the system by telephone from outside the office, a special switch in the office must be on.

''It is possible to break into a system if all physical and software security measures are ignored,'' Armstrong said. ''But it would take someone really sophisticated, with a Ph.D. in math or computer science.''

nyt-03-21-86 1532est

------------------------------

End of RISKS-FORUM Digest
************************
-------
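
Added example, not part of the original digest or of any contributor's message: a sketch of the IIP behaviour described in Martin Moore's forwarded message, showing the impact point racing downrange during powered flight and staying fixed once thrust ends. It assumes a flat Earth, constant gravity and no drag; the thrust accelerations, durations and the names iip, step and simulate are constructed for illustration.

```python
import math

G = 9.80665  # m/s^2; constant gravity over a flat Earth (assumption)

def iip(x, h, vx, vz):
    """Downrange impact point (m) if thrust ended now: vacuum, flat Earth."""
    t_fall = (vz + math.sqrt(vz * vz + 2.0 * G * h)) / G
    return x + vx * t_fall

def step(state, ax, az, dt):
    """Advance (x, h, vx, vz) by dt under constant acceleration (exact)."""
    x, h, vx, vz = state
    return (x + vx * dt + 0.5 * ax * dt * dt,
            h + vz * dt + 0.5 * az * dt * dt,
            vx + ax * dt,
            vz + az * dt)

def simulate(burn_s=60, coast_s=30, thrust_ax=15.0, thrust_az=25.0, dt=1.0):
    """Return [(t, phase, x, iip)] for a burn followed by an unpowered coast.

    thrust_ax / thrust_az are constructed thrust accelerations in m/s^2.
    """
    state, t, rows = (0.0, 0.0, 0.0, 0.0), 0.0, []
    phases = (("burn", burn_s, thrust_ax, thrust_az - G),
              ("coast", coast_s, 0.0, -G))
    for phase, duration, ax, az in phases:
        for _ in range(int(duration / dt)):
            state = step(state, ax, az, dt)
            t += dt
            rows.append((t, phase, state[0], iip(*state)))
    return rows

if __name__ == "__main__":
    # Print every tenth sample: vehicle position versus predicted impact point.
    for t, phase, x, impact in simulate()[9::10]:
        print(f"t={t:4.0f}s {phase:5s} vehicle x={x / 1000:6.1f} km  "
              f"IIP={impact / 1000:6.1f} km")
```

With these constructed numbers the vehicle is about 27 km downrange at cutoff while its IIP is already about 218 km downrange, the same kind of gap the message illustrates with the Challenger debris.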