27-Aug-86 19:51:11-PDT,12063;000000000000
Mail-From: NEUMANN created at 27-Aug-86 19:49:08
Date: Wed 27 Aug 86 19:49:08-PDT
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS-3.44
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Wednesday, 14 August 1986  Volume 3 : Issue 44

        FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  F-16 Problems (Bill Janssen)
  Various clips from European Newspapers (Martin Minow)
  Comment on Nancy Leveson's comment on... (Alan Wexelblat)
  Words, words, words... (Herb Lin)
  Software Safety (Paul Anderson)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.
 Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

Date: Wed, 27 Aug 86 14:31:45 CDT
From: Bill Janssen
To: risks@csl.sri.com
Subject: F-16 Problems (from Usenet net.aviation)

A friend of mine who works for General Dynamics here in Ft. Worth wrote some of
the code for the F-16, and he is always telling me about some neato-whiz-bang
bug/feature they keep finding in the F-16:

o Since the F-16 is a fly-by-wire aircraft, the computer keeps the pilot from
  doing dumb things to himself.  So if the pilot jerks hard over on the
  joystick, the computer will instruct the flight surfaces to make a nice and
  easy 4 or 5 G flip.  But the plane can withstand a much higher flip than
  that.  So when they were 'flying' the F-16 in simulation over the equator,
  the computer got confused and instantly flipped the plane over, killing the
  pilot [in simulation].  And since it can fly forever upside down, it would
  do so until it ran out of fuel.

(The remaining bugs were actually found while flying, rather than in
simulation):

o One of the first things the Air Force test pilots tried on an early F-16 was
  to tell the computer to raise the landing gear while standing still on the
  runway.  Guess what happened?  Scratch one F-16.  (My friend says there is a
  new subroutine in the code called 'wait_on_wheels' now...)  [weight?]

o The computer system onboard has a weapons management system that will
  attempt to keep the plane flying level by dispersing weapons and empty fuel
  tanks in a balanced fashion.  So if you ask to drop a bomb, the computer will
  figure out whether to drop a port or starboard bomb in order to keep the load
  even.  One of the early problems with that was the fact that you could flip
  the plane over and the computer would gladly let you drop a bomb or fuel
  tank.  It would drop, dent the wing, and then roll off.

There are some really remarkable things about the F-16.  And some even more
remarkable things in the new F-16C and D models:

o They are adding two movable vents called 'canards' that will be installed
  near the engine intake vent under where the pilot sits.  By doing some fancy
  things with the flight surfaces and slick programming, they can get the F-16
  to fly almost sideways through the air.  Or flat turns (no banking!).  Or fly
  level with the nose pointed 30 degrees down or up (handy for firing the guns
  at the ground or other aircraft).

I figured this stuff can't be too classified, since I heard almost the same
thing from two different people who work at GD.  I hope the Feds don't get too
upset...

George Moore (gm@trsvax.UUCP)

------------------------------

Date: 27-Aug-1986 0835
From: minow%regent.DEC@decwrl.DEC.COM
      (Martin Minow, DECtalk Engineering ML3-1/U47 223-9922)
To: risks@csl.sri.com
Subject: Various clips from European Newspapers

From The [London] Guardian, Aug. 20-22 1986 (not sure of the exact date):

  Bank zaps `raid on computer'

  Barclays Bank yesterday denied reports that computer experts had "hacked"
  into its Whitehall computer and transferred 440,000 Lb. Sterling to an
  overseas account.

----

From Dagens Nyheter [Stockholm], Aug. 22, 1986.  My translation, abridged.

  Shock billing of private person
  Phone bill of 31,000 kronor [almost $2,600]

  A woman in the Stockholm area received a record phone bill of 31,000 kronor.
  The amount is equivalent to local calls 24 hours per day for nearly two
  years.  The phone company's computers raised an alarm that the amount was
  unreasonably high, but human error resulted in the bill being sent out
  anyways.  The group that normally checks especially high invoices never got
  to see this bill.

  The woman and the phone company have reached an agreement, whereby she pays
  an average bill based on previous invoices.  Phone technicians are now trying
  to discover whether an error occurred in the computer-controlled phone
  exchange.  ...

  "It's completely our fault," says phone company spokesman Kjell Palmqvist.

  "What are you doing about it?"  [asked the reporter.]

  "First, we've come to an agreement with the woman.  She need not pay more
  than normally.  We've also started an examination of what could have caused
  the problem....  There could have been a problem in the computerized phone
  exchange, or a cable error or other type of interference."

  "Is this sort of bill common?"

  "No, theoretically, we expect one error in 10,000 years.  But no technology
  is 100% perfect."  ...

  The telephone exchange, in Oestermalm in Stockholm, uses an AXE exchange, a
  computerized telephone exchange [manufactured by LM Ericsson] that is very
  advanced and reliable.

----

From Dagens Nyheter [Stockholm], Aug. 22, 1986.  My translation, abridged.

  Battle over Databank

  The chairman of the governmental data- and public-access committee
  [offentlighetskommitt'en], Carl Axel Petri, rejects the criticisms which
  have recently been brought by the Moderate Party [conservative] and Folk
  Party [liberal conservative] concerning sales of personal information from
  computer data banks.

  [Sweden has a "sunshine" law, almost 200 years old, that guarantees public
  access to almost all government documents.  As the information in the manual
  registers was considered public, so too is the same information in the
  computerised data bank.  Information which is not public is carefully
  controlled.  Access is governed by the Swedish Data Law, which is now over
  10 years old.]

  "It is important to quickly get a law that stops general sales.  We have
  allowed some exceptions, nine specified computer companies, but even their
  sales shall, in the future, be controlled by parliament.  Nobody should be
  allowed to earn money by [selling] personal information.  Sales should have
  a public interest; in principle, the new law will forbid sales," said
  Petri.  ...

  The leader of the Moderate Party, Gunnar Hoekmark, says that Petri is
  incorrect when he claims that the law will forbid sales of personal
  information.  "On the contrary," says Hoekmark, "the largest databases will
  continue to be sold.  Without the committee's discussing what effect sales
  of different personal information will have on individual personal
  integrity, they propose that the largest database, Spar, may continue to
  sell information on individuals' income, personal identity number, wealth,
  civil status, address, age, etc."

  Hoekmark points out that the majority [report?] of the inquiry didn't answer
  the most basic questions on whether the government in general shall have the
  right to sell information on private individuals' economy and personal
  situation.

  The majority includes the Center Party's [liberal conservative] Olof
  Johansson, who says that the important issue for the future isn't whether
  the information ought to be sold, but what information should be collected.
  This includes, for example, the discussion on limitations of use of the
  personal id number.

  Constitutional questions [the Sunshine Law is part of the Swedish
  Constitution] and the future of the personal id number will remain for the
  inquiry to solve by next spring.

----

Sloppily translated by Martin Minow

[Peter, I also have a long article on computer controlled airplanes (fly by
wire) from the Observer.  Mostly Sunday Paper background.  Too much to type
in.  "... the pilot must have enough confidence in the flight control
computer, and the men who programmed its software, to take off in an aircraft
he cannot fly without them"  "there is one more type of failure from which
they [the pilots] cannot recover."]

------------------------------

Date: Wed, 27 Aug 86 09:33:11 CDT
From: Alan Wexelblat
To: risks@csl.sri.com
Subject: Comment on Nancy Leveson's comment on...

I agree in large part with Nancy Leveson's comments in RISKS-3.43.
Nevertheless, I find it interesting that she denies that there are "human
errors" but believes that there are "management errors."  It seems that the
latter is simply a subset of the former (at least, until we get computer
managers).  Also, it's not clear whether she includes things like `pushing
the wrong button' or `following the wrong procedure' under the category of
"operational errors."

--Alan Wexelblat (WEX@MCC.COM)

------------------------------

Date: Wed, 27 Aug 1986 15:05 EDT
From: LIN@XX.LCS.MIT.EDU
To: mikemcl@NRL-CSR.ARPA (Mike McLaughlin)
Cc: Arms-Discussion@XX.LCS.MIT.EDU, risks@CSL.SRI.COM
Subject: Words, words, words...

    From: mikemcl at nrl-csr (Mike McLaughlin)

    I do not know that "NO ONE in the scientific community believes that it
    is possible to frustrate a deliberate Soviet attack on the U.S.
    population..."  If there is a PhD in a science who believes that, is that
    person de facto excluded from the scientific community?

I should have been more precise.  No person with technical credentials has
stated that it is possible to deny the Soviet Union the capability to wreak
significant damage on the U.S. population and industry.

    I do not know what "frustrat[ing] a deliberate... attack" means.  If it
    means deterring the attack by reducing the cost/benefit ratio to an
    unacceptable level, I believe that is possible (but I am not in the
    scientific community and never have been).  If it means saving a
    significant number of civilian lives from an inevitable attack, I believe
    that is possible (but... ).

I think the benchmark that Ashton Carter used in his Office of Technology
Assessment background paper on BMD was pretty good, and it will serve as a
starting point for discussion.  "Frustrate a deliberate attack..." is taken to
mean "preventing the Soviet Union from delivering by ballistic missile 100
megatons of nuclear warhead on U.S. cities and industry."  (Note well: WW II
was a 5 MT war.)

------------------------------

Date: Wed, 27 Aug 86 09:43:03 edt
From: anderson (Paul Anderson)
To: RISKS@CSL.SRI.COM
Subject: Software Safety

I have received a copy of a proposed revision of MIL-STD-882B (System Safety
Hazard Analysis) Task 212, Software Safety Analysis, that has been distributed
for formal coordination.  This task will be invoked on contractors building
systems containing software for DOD.  This task will require the contractor to
conduct safety analyses and testing of the software, both on the software
alone, and when integrated with the overall system.

If anybody has thoughts, comments, or suggestions (or even recommended
wording) on what should be included in this task, please let me know
(preferably within the next week or so).

Paul Anderson
anderson@nrl-csr

------------------------------

End of RISKS-FORUM Digest
************************