Mail-From: NEUMANN created at 7-May-87 20:23:58
Date: Thu 7 May 87 20:23:58-PDT
From: Peter G. (coordinator) Neumann
Subject: RISKS DIGEST 4.81
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest  Thursday, 7 April 1987  Volume 4 : Issue 81

   FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Cadillac to recall 57,000 for computer problem (Chuq Von Rospach)
  Public E-Mail Risks? (Brian M. Clapper)
  Wheels up (and simulators) (Eugene Miya, Doug Faunt, Matt Jaffe)
  Re: the Marconi deaths (an update) (Brian Randell)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.
 MAXj: Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date: Wed, 6 May 87 08:49:01 PDT
From: chuq@Sun.COM (Chuq Von Rospach)
To: risks@csl.sri.com
Subject: Cadillac to recall 57,000 for computer problem

I heard this on the radio coming in: Cadillac is recalling 57,000 84-86 cars for what they termed 'problems with the headlight computer that would cause your lights to go out unexpectedly'.  Now, wouldn't THAT be fun.  What I want to know is whether it is hardware or software.

[For reference, the GM car computer is the 68HC11, a custom CMOS chip based on the 6809 with lots of bit operations added in.  They use two per car, one for the engine, and one for the body operations.  Both are programmed exclusively in assembler.]

chuq

   [Presumably the two computers are totally independent and provide no redundancy -- with no possibility for alternate hosting or comparison.  Does it matter whether WHAT is in hardware or software?  If the computer has to go back to Detroit for repairs, it doesn't matter.  If your garage mechanic can download a new program it might, but then we get back to an earlier RISKS discussion about whether you will trust your mechanic to mess with your software...  PGN]

------------------------------

Date: 7 May 1987 09:46:40-EDT
From: clapper@NADC
To: RISKS@CSL.SRI.COM
Subject: Public E-Mail Risks?

Excerpt from Federal Computer Week, Volume I, No. 6 (May 4, 1987):

   Ecom Resurrected (by M. J. Richter)

   The U.S. Postal Service's Electronic Computer-Originated Mail (Ecom) system, a short-lived and very unprofitable operation in the early 1980s, has risen from the ashes and will go into operation in the private sector this September.  TCOM System Inc. ... plans to offer federal and commercial customers overnight to two-day mail delivery service via a data network.  Laser printers will produce hard copies of messages sent over the network ... and the U.S. Postal Service will deliver the messages along with first class mail.

   ... GTE Data Services of Tampa, Fla., just signed a five-year, $50-million contract to serve as TCOM's central processing and network management organization.  Customers will send their computer mail over telephone lines to one of the GTE Data Services' nine processing centers.  At the data centers, the electronic mail messages will be sorted by ZIP code, furnished with ZIP+4 codes and then transmitted to one of 25 TCOM regional operating centers.  There, the documents will be printed on high-speed laser printers, inserted by machine into envelopes and sent to the U.S. Postal Service for first class mail delivery.  A full-page letter will cost 65 cents, and each additional page will cost five cents.

   ... TCOM trucks will transport the hard copies ... to regional post office hubs for delivery along with regular first-class mail.

   ... The TCOM "enhanced mail-distribution" operation, slated to start up on Sept. 1, is an exact private replica of the Postal Service Ecom system that opened up in January 1982.

   ... At the time Ecom operations began, the Postal Service said more than 80 business organizations had signed up for the service, and that four telecommunications carriers had contracted to provide the electronic transmission portion of Ecom.  About two years later, protests by Congress and the Postal Service board of governors over Ecom's rising tide of red ink caused the Postal Service to discontinue the operation. ...

I'm wondering how secure this mail will be.  While most computer "tech-ies" are aware that electronic mail isn't necessarily private, many non-technical people don't consider or aren't aware of the susceptibility of electronic communications (especially electronic mail) to interception.  Customers may well be mailing private or sensitive information (financial, personal, whatever), assuming it is as confidential as a traditional sealed-and-stamped letter.

Should one of the stuffing machines or laser printers jam, presumably some human must un-jam it.  What's to prevent him/her from casually reading the letter which was being processed?  After all, if an open letter just falls into *your* lap, don't you usually read at least part of it?  (Only to figure out what it is so you can return it, of course... :-) )

Brian M. Clapper

   [By the way, there were still more messages on spoofing mailers that are not included here.  I think you all get the idea that spoofing is amazingly easy, and that most attempts to patch things up don't work.  PGN]

------------------------------

Date: Wed, 6 May 87 00:30:31 PDT
From: Eugene Miya
To: NEUMANN@CSL.SRI.COM
Subject: Wheels up (and simulators) (RISKS DIGEST 4.80)
ReSent-To: RISKS@CSL.SRI.COM

I had a local ACM/SIGGRAPH core (staff) meeting this evening.  We will be having a special tour for our local members.  A special demonstration was offered to us by Ron Reisman of Singer-Link at the Man-Vehicle Systems Research Facility (MVSRF).
This facility was featured during the "why planes crash" episode of Nova and we "flew" in the two simulators shown on Nova.

The first, Advanced Cab, simulates a non-existent plane of 1995 with all the latest bells and whistles which are not flight certified: advanced CRTs, checklists (not paper), side sticks, etc.  This system does not have a motion base and is about a $2M image generation facility; it was pointed out that the side stick alone costs $125K.  The whole thing is multiples of $10M.  Scene is a Link Night scene by a DIG (Digital Image Generator).  We "took off from SFO" and flew thru the Transamerica Building.  We reset the system, and I dropped the question on Ron.  Just to let you know, the knobs of the system are human engineered: the flaps knob looks like little flaps, the landing gear knob looks like a little landing gear (I learned the story of this at JPL: to avoid similar looking knobs and pulling the wrong thing).  So we pulled the landing gear while on the ground.  Plane bounded up and down, basically taking off (oh yes, the engines were on; we have to specify the test conditions while pulling wheels up): not the wrong thing, but not the right thing (obviously; it's a non-existent plane so they never cared, they knew).

The second simulator was a Class 2 727 simulator.  This simulator is probably the most advanced simulator in Northern CA (so says Ron).  We had a 727 pilot with us on this one.  This simulator has a live motion base and we could not fly with it (against FAA regs).  We have had injuries (broken arms) by unauthorized "flights" with a high turbulence setting: you have to be a real 727 pilot to use it.  This is the real simulator used by Boeing trained pilots.  The people (Ron and I can't remember the pilot's name [HER name BTW]) assured me that the 727 had interlocks to prevent gear retraction while on the ground.  Every eventuality of this type has "been taken care of."

You can agree or disagree with this, but I hope you can see why we should not do this type of test in this machine.  They were aware of the F-16 simulator problems.  Just testing.

Basically, the MVSRF people thought the wheels up thing was a bit strange: probably an easily related, over-simple, but obvious example of problems.  They are more concerned about what makes planes crash: designs are written on paper with ink, checklists are written on paper with blood (Ron).  They are worried about more subtle but complex problems.  I think there is a bit of naivete on both parts and would recommend suspending this line of discussion.  If someone else gets a chance to try the F-16 simulator at GD in the Mid-West, you might post, but the professionals of this area think we are nit picking.

--eugene miya, NASA Ames

------------------------------

Date: Wed 6 May 87 12:17:38-PDT
From: Doug
Subject: Re: wheels up
To: risks@CSL.SRI.COM

I worked on A4's in the Navy, and we had a problem with the wheels up interlock circuitry, and people.  There was an interlock so that the wheels could not be raised with weight on them; however, this interlock also disabled the radar altimeter.  To test the altimeter, this interlock had to be defeated.  The proper procedure was for one person to manually actuate the interlock switch, which was on one of the main landing gear, while the testing was going on.  Since this would mean four people were required to test the unit, work-arounds were sought after by those of us on the line.  One of these workarounds called for removing a fuse from a panel in the forward nose gear well while the test was in progress.  Sometimes the fuse didn't get replaced, and didn't get noticed during preflight.  This caused the up-and-locked indicator system to not indicate.  This annoyed pilots.  It never had any serious consequences that I knew of, but....
------------------------------

To: RISKS@csl.sri.COM
Subject: Re: Wheels Up
Date: Wed, 06 May 87 12:54:50 -0700
From: Matt Jaffe

Many military aircraft have an override which permits the gear to be raised even when there is weight on the main mounts.  There are circumstances where safety requires one to raise the gear while on the ground.  A typical example is when the aircraft has run off the runway and is headed for uneven or soft terrain.  Leaving the gear down may, depending on the aircraft and terrain, result in the aircraft flipping inverted on the ground.  For both the aircraft and any personnel on board, that is generally worse than merely sliding along on the fuselage.  (There was a fatal accident here - Los Angeles - in the Sepulveda basin recently when a T-28 made an emergency landing on terrain that looked decent but was not quite good enough.)

The relevant question for design engineers is, of course, under what circumstances may system operators require overrides to defeat safety mechanisms, and how difficult can the override operation be made to be (to prevent inadvertent activation) before it becomes so difficult to operate in times of stress that it presents more of a safety hazard (because it consumes operator attention and effort under what are obviously already stressful conditions) than if it were not present at all?

------------------------------

From: Brian Randell
Date: Thu, 7 May 87 17:25:07 bst
To: Neumann@csl.sri.com
Subject: Re: the Marconi deaths (an update to RISKS-4.74)
ReSent-To: RISKS@CSL.SRI.COM

[The April 30 issue of Computer News (the magazine that ran alone with the story for months before the rest of the media noticed) carried the most complete summary I have seen to date.  Here it is, slightly abridged.  Brian]

   DEFENCE DEATHS: THE FACTS BEHIND THE STORY

   The mysterious deaths of two Marconi systems experts first reported in Computer News have sparked off intense speculation.  Tony Collins clears up the confusion surrounding this baffling series of events:

   Late last year, a Bristol coroner, Donald Hawkins, spoke of a possible 'James Bond' connection between the deaths of two computer experts involved in key underwater defence projects.  Since then the mysterious deaths of five other defence workers have come to light.  In addition, another scientist has disappeared and a senior ICL employee is critically ill after an unexplained fall.

   Most incidents have occurred after the men have successfully completed important projects or left one job for another.  Although there are police suspicions that many of them were depressed for different reasons, Computer News could establish no obvious motive for suicide in any of the cases.....

   Four of the dead men were employees of the GEC group - three at Marconi and one at Easams.  Two others worked at separate times at the Royal Military College of Science at Shrivenham.  A Computer News investigation has established that most of the men were involved in computer simulation, arguably the key which opens the door to some of Britain's most secret defence technology.....

   Marconi is Britain's only torpedo supplier and was last year awarded the Ministry of Defence's largest weapons order - (pounds) 400m for advanced anti-submarine Sting Ray torpedoes.  The Sting Ray's computer aided guidance system is so advanced it is being used in the development of Marconi's strategic defence initiative (SDI) programmes.

   The Royal Military College at Shrivenham is also involved in a number of Britain's leading edge defence projects.  The college develops new testing devices for the Ministry of Defence and is engaged as a sub-contractor to defence companies on research and development.....

   All the men involved were ambitious and demonstrated a special ability in their particular field.  Marconi employee Vimal Dajibhai, 24, found dead beneath the Clifton Suspension Bridge last August, was about to leave Marconi for a higher paid job.  Ashad Sharif, another London programmer found dead in Bristol, was about to take over the running of a department at Marconi's Stanmore headquarters.  David Sands, who died in March as his car loaded with two cans of petrol exploded into flames as it crashed into a disused cafe, had just returned from a family holiday in Venice to celebrate the ending of a three year command and control systems project for Marconi's sister company Easams.

   Marconi Space Systems employee Victor Moore (46) had just finished work on infra-red satellites at Portsmouth when he was found dead from a drug overdose.  His death is said to have instigated an MI5 investigation, the results of which will remain secret.  There is also a separate investigation into Marconi based at Portsmouth by the Ministry of Defence Serious Crime Squad.

   Early this year, two lecturers on top secret projects died in separate 'accidents' of carbon monoxide poisoning.  Both had recently returned from America and had conducted research at the Royal Military College in Shrivenham.  The first, Peter Peapell, a lecturer and underwater acoustics expert, was found dead under his car and the garage door was closed.  Although an inquest returned a verdict of accidental death, police are unsure how the accident happened.....  Despite reports that Peapell had no connections with electronics or computers he had in fact written a book on basic computers.  He also had a paper published on underwater acoustic emissions.

   The second, Dr. John Brittan, a former computer science officer at the Royal Military College, was also inexplicably found dead in his car this year.  He too was involved in computer simulation.

   A few weeks ago, Stuart Goody (23), a post graduate at the Royal Military College at Shrivenham, was killed in Cyprus while on holiday.  He died instantly when his hired car collided head on with a lorry.  The lorry driver was said to be unhurt.  At least one senior employee at the college considered that the death could be significant.

   Avtar Singh-Gida, a researcher working on an important Ministry of Defence underwater project, disappeared just three weeks away from its successful completion.....

   About two weeks ago, Robert Greenhalgh, a contracts manager at ICL's defence division at Winnersh near Reading, suffered multiple injuries after falling from a railway bridge on his way to work.....  The firm admitted he had been positively vetted and may have had access to secret UK and Nato data.....

   After every death, police have given unofficial press briefings which provide journalists with plausible though unconfirmed explanations for the accidents or apparent suicides.  The major problem for police has been the lack of obvious signs of depression in any of the cases.....

   Several MPs have demanded a government inquiry although there are no signs that ministers will agree.  The answer to the mystery may never be known, at least in the short term.  As one policeman said: "We'll probably know all the answers when the papers are released in 30 years time."

------------------------------

End of RISKS-FORUM Digest
************************