RISKS-LIST: RISKS-FORUM Digest  Wednesday 6 July 1988  Volume 7 : Issue 16

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Air France Airbus A320 Crash Story In Aviation Week (Karl Lehenbauer)
  Common failure path in A320 (Lee Naish)
  Reply to Hugh Miller about Iran Flight 655 (Michael Mauldin)
  The Iranian airliner tragedy (Bob Estell)
  Aegis and the Iran Airbus (PGN)
  The "F-14" attacking the Vincennes... But the F-14 is for air defense (Jonathan Crone)
  It's easy to make decisions if you don't have the facts (Martin Minow)
  Re: A300 using F14 transponder (Bruce O'Neel)
  Iran Flight 655 and the Vincennes (James P. Anderson)
  Lockpicking (Randy D. Miller)
  Re: The Eyes Have It (Tracey Baker)
  RISK of PIN's - PNB calling card (Scott Peterson)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
For Vol i issue j / ftp kl.sri.com / get stripe:risks-i.j ... .
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: 6 Jul 88 01:19:18 GMT
From: sugar!karl@uunet.UU.NET (Karl Lehenbauer)
Subject: Air France Airbus A320 Crash Story In Aviation Week

(quoted without permission from the July 4, 1988 issue of Aviation Week)

"The investigation into the June 26 crash of an Air France Airbus Industrie A320 is focusing on the pilots' judgment in performing a slow-speed air show flyby with a fully loaded transport that they allowed to descend well below their filed minimum altitude."
[background information on the crash deleted for brevity]

"Video images of the accident showed that the A320 was stabilized in a nose-high attitude throughout the flyby, and that the mid/aft section of the aircraft struck the outermost row of trees at the perimeter of the airport. The aircraft then settled into the wooded area and burned. The pilots said they thought the aircraft was at an altitude of 100 ft. based on the flight instruments, and stated that the A320's two CFM International CFM56 turbofan engines did not respond correctly when they moved the throttles forward for full power."

[The article goes on to quote the French Transport Minister Louis Mermaz and later the Director of the Direction Generale de l'Aviation Civile (DGAC) as saying that the aircraft's 30-ft. flyby altitude and its reduced airspeed "were confirmed by both the cockpit voice recorder and the cockpit data recorder."]

"'When the pilot advanced the throttles, the thrust increase was normal, but it [the power increase] apparently was made too late,' Tenenbaum said. 'This is important because the pilot reported after the accident that the engines did not respond. ... According to the data, the thrust increase to the full available power should have occurred within 8 sec., and we saw it in approximately 5 sec.,' he said."

[The article then describes the renewal of a long debate in France over the minimum crew requirements for the A320.]

"'Based on the cockpit conversations we heard [on the cockpit voice recorder], the crew was perfectly aware of what was going on,' Tenenbaum said.
'They were perfectly lucid, they knew what altitude they were at because there were [computer-generated] voice callouts from the radar altimeter during the low pass, including an audible callout of 30 ft.'"

[The article proceeds to describe the orientation of the aircraft during its low pass and as it struck the trees (nose-high level flight), the history of Air France's operations of the aircraft, that Air France has decided to suspend all further demonstration flights, and that British Airways and Air France substituted other aircraft for their scheduled A320 flights for two days after the accident.]

"Officials at British Airways said the airline had experienced no significant mechanical or electronic problems with the aircraft since they entered service earlier this year. Several European test and company pilots questioned the crew's reasoning in attempting to perform an air show-type low, slow flyby without apparent advanced training and with a passenger payload."

------------------------------

Date: Wed, 6 Jul 88 19:00:14 EST
From: munnari!mulga.oz.au!lee@uunet.UU.NET (Lee Naish)
Subject: Common failure path in 320

Though the A320 Airbus has redundant computer systems, they all use the same air conditioning system. Does anyone know what the expected failure rate of that system is, or how critical a failure would be?

Lee Naish

------------------------------

Date: Tue, 5 Jul 1988 22:38-EDT
From: Michael.Mauldin@NL.CS.CMU.EDU
Subject: Reply to Hugh Miller about Iran Flight 655

I can't match Mr Miller's polemic, but I can point out that he got just about every fact wrong about flight 655. All of the information below is from the Pittsburgh Post Gazette, Monday July 4. Their text comes from an article by Stephen Engelberg of the New York Times News Service.

> So from now on it's hair-trigger 24 hours a day, and since I can't
> be sure my BOZO QZ999 Battlesys can knock down a missile once it's fired
> my only recourse is to knock the launchers down before they fire.
> They're bigger & slower & better targets anyway. Do you have a problem with that?

You criticize "the system" for overreliance on technology and then fault the captain for his caution?

> Shoot first and ask questions later.

3 warnings were radioed on civilian distress frequencies
4 warnings were radioed on military frequencies
A nearby Italian vessel reported hearing at least 4 of these warnings

All of the discussion I've heard said that he should have fired 2 minutes earlier, and would have been justified in doing so, given the information available. Captain Rogers was very forgiving to have waited as long as he did.

> The hell if I'm gonna be the next one to lose his Florida retirement condo to
> keep Marconi's rep clean." I can't find it in my heart to blame the man,
> either. Who wants to be the fall guy for a gigabuck defense contractor and a
> desperate, freebooting White House in an election year?

How about a more likely line of reasoning: "Gee whiz, just after we sank two of those gunboats this plane takes off from a nearby civilian/military air base and is closing directly on my ship. It has no transponder and won't answer my radio challenge. Maybe I should shoot it down to save my ship and the men in my command."

> So along comes a jumbo jet, 25,000 feet, 430 mph

An A300 is much smaller than a jumbo jet. It was flying at 9,000 feet and descending. It was shot down at an altitude of 7,500 according to Iranian press releases. It was traveling 450 knots (518 mph) and gaining speed.

> radar cross-section size of a football field.

The wingspan of an A300 is 147 feet, less than half the size of a football field. That's a little more than twice the 64 foot wingspan of an F-14. In any event the bottom line is that you can't reliably identify planes from a head-on cross section. No one has ever said they could.

> Software library in the EW battle computers says it's an F-14, kind that
> dinged the Stark.
The plane was tentatively identified as an F-14 not from radar but from five other facts:

1. There were reports of 10 F-14's operating out of Bandar Abbas.
2. The flight took off from Bandar Abbas immediately after the Vincennes fired on the three gunboats.
3. It had no transponder (a requirement for all civil aviation).
4. It was 4 miles outside of the commercial air corridor and 14,000 feet lower than a commercial plane should have been.
5. The plane was broadcasting on a military "mode 2" (I'm not sure whether that's a radar or a radio).

These were the "electronic indications" Admiral Crowe spoke of in his press conference. (This comes from CNN news Tuesday, July 5).

Also, Flight 655 took off about an hour after its scheduled departure time; the captain had requested information about scheduled commercial flights, but this search was not completed before the decision to fire was made. Even if they'd had the time, all they would have found was that it was the wrong time to be a commercial flight. (Also from CNN News).

It may well be true that the Iranian pilot thought our technology was so good that we could identify him properly despite the fact that he was in the wrong place at the wrong altitude at the wrong time ignoring (or unable to hear) frequencies he was required to monitor. To that extent there may well have been an over-reliance on our technology.

------------------------------

Date: 6 Jul 88 08:21:00 PDT
From: "FIDLER::ESTELL"
Subject: the Iranian airliner tragedy

The "target is destroyed" note in RISKS 7.15 of 5 Jul 88 was not pleasing to MY tastes; whether it was in good taste or not is a question that I won't raise; tastes are far too personal for rational debate. I know our moderator personally, and I trust his judgment. But I also know CAPT Will Chapel Rogers III; we had two years together at Baylor a long time ago.
The traits that made Will a friend and a good student are ones that the Navy seeks in recruits, and develops in officers; I cannot believe that the goodness has been trained out of him.

I also know a thing or two about Aegis radar systems, F-14's, C3 systems used in Navy combatants. I know for instance that the "radar signature" of a "loaded fighter-bomber" [or other medium aircraft, carrying missiles] can look as large as a jet liner, for much the same reasons that a sequined bikini will reflect as much footlight as a white satin gown. And I learned Tues 5 Jul p.m. that the Iranian airliner was identifying itself as an F-14.

The Vincennes fired for much the same reasons that the police in many cities fire at apparently armed assailants almost every day: self defense. When it sometimes happens that afterwards the attacker turns out to be relatively innocent [e.g., kid with a water gun], that's a "tragedy."

One of the RISKS of using computers is that we sit in our cubicles and deal with machines - that feel no pain, leave no widows nor orphans; we come to think of human loss as statistics, which we compute so easily. The loss of one life is tragic; 290 at a stroke only serves to awaken our dulled senses!

Tragedy is one thing; justification is another. I happen to believe in self-defense, an adequate army [and navy], and capital punishment. But I repeat, the loss of human life is tragic. Let's not rush to judgment just because the statistics get our attention. Instead, let us resolve [in Lincoln's words] that these 290 will not have died in vain: Let us rethink both our [computerized] weapons systems designs, AND their use.

Bob

p.s. The opinions herein, as always, are personal; NO conclusions can be drawn about my employer's concurrence or lack thereof.
------------------------------

Date: 6 Jul 88 13:34
From: minow%thundr.DEC@decwrl.dec.com (Martin Minow THUNDR::MINOW ML3-5/U26 223-9922)
Subject: It's easy to make decisions if you don't have the facts

Idle speculation: sometimes it's more interesting to listen to what wasn't said. In the recent attack on the Iranian airliner, why do I get the feeling that nobody on the Vincennes was monitoring tower-plane radio communications? (And the vague suspicion that there wasn't anyone on the ship fluent in Farsi.)

Martin Minow

------------------------------

Date: Wed, 06 Jul 88 08:09:10 EDT
From: Bruce O'Neel
Subject: Re: A300 using F14 transponder

[Referring to the Mode 2 / Mode 3 confusion, and belief in the transponder:]

Seems it might be a good idea in a war to equip all the fighters with transponders saying that they are, say, 767s?

------------------------------

Date: Wed, 6 Jul 88 10:40:16 PDT
From: Peter G. Neumann
Subject: Aegis and the Iran Airbus

An article in this morning's San Francisco Chronicle (p. A-12) is titled

   "Electronic Errors
    -----------------
    Star Wars Planners' Lesson in the Gulf",

by David Perlman [...]

The cruiser's Aegis system, linking its radar with a battery of advanced computers and missile launchers, had been hailed as "Star Wars at Sea" by the Navy. But David L. Parnas [...] held a different view. "It is obvious," he said in an interview, "that if you can't discriminate at close range between an Airbus and an F-14 fighter, it would surely be even more difficult if not impossible to discriminate between a Soviet warhead and a decoy balloon flying on the same ballistic trajectory in outer space." ...

"The Aegis system was always presented to me in briefings as a defensive system only against high-speed, low-flying missiles," Parnas said. "But, while I have no reason to believe that it was the Aegis computer system that failed on Sunday, the fact is that discriminating targets is vital for any defense."
------------------------------

Date: Wed, 06 Jul 88 10:30:47 CST
From: Jonathan Crone
Subject: The "F-14" attacking the Vincennes... But the F-14 is for air defense

I basically have a comment to make about the supposed response about the Vincennes defending itself against an attack from an inbound F-14. Were the F-14's that were sold to Iran during the 1970's stock F-14's, or were they supplied with upgraded avionics and attack systems?

The reason I'm questioning this is because Grumman designed the F-14 to support the Navy's requirement for a powerful Air Defense Fighter. This explains the F-14's exceptional "capabilities" in this area... (such as the supposed ability to maintain lock on 24 inbound targets and to attack 6 of those targets using a mix of Phoenix, Sparrow/AMRAAM, and Sidewinder missiles.)

However, and I recall this from reading material published during the late seventies when Canada was looking to purchase a new all-purpose fighter for the Canadian Air Force, the F-14 has very limited air-to-ground capabilities... its radar and attack systems aren't really designed to do it. (That's why Canada purchased F-18s instead, because it had multipurpose radars to deal with both modes of combat.) (The Canadian Air Force required a single type of aircraft that would be capable of dealing both with the close ground support environment of NATO commitments, as well as the long-ranging air defence requirements over North America.)

Presumably the crew of the Vincennes would know about this, wouldn't they??? (From news reports, Iran is still using F-14's as air-to-air units, and not as ground attack birds.)

If I were the Commander of the Vincennes, I would be worried if the Aegis was saying that the inbound aircraft was a Mirage or a Super Etendard (a Mirage is the aircraft that launched the two Exocet missiles that holed the Stark). So perhaps the big question is, why are they saying that they were worried about the possibility of an attack from an F-14?

Jonathan P. Crone

------------------------------

Date: Tue, 5 Jul 88 23:03 EDT
From: JPAnderson@DOCKMASTER.ARPA
Subject: Iran Flight 655 and the Vincennes

The Captain of the Vincennes did the correct thing. If he can be faulted for anything, it is that he waited so long before acting. All the breast-beating in the world and appeals to castigate the military notwithstanding, the correct action was taken. If a human failure took place, it was in the Iranian decision to fly a commercial aircraft over an area where a fire-fight was in progress, and in not responding to the reported 7 (repeat seven) attempts to raise the aircraft and have it identify itself.

The loss of life was indeed tragic. The attempt to picture the U.S. Navy or U.S. policy as irresponsible is even more tragic.

Mr. Miller seems genuinely confused over what is 'national interest'. I would submit 'national interest' is Canada selling its wheat to anyone it chooses regardless of what other nations, ostensible allies and maybe even friends, think. It is also an assertion that a tin-horn dictator, operating under the guise of religious leader, cannot prevent free ship movement in the Gulf area. It is possibly also a belief that the rest of the world, maybe even Canada, might suffer if oil does not move freely from the Middle East. [I guess the view of 'national interest' is crystal clear from the lofty towers of academe.]

Let's get the forum back to technical risks and off of the political beat.

Jim

------------------------------

Date: Tue, 5 Jul 88 09:44:06 MST
From: sun!sunburn!gtx!randy@ucbvax.Berkeley.EDU (Randy D. Miller)
Subject: Lockpicking
Organization: GTX Corporation, Phoenix, Arizona

I never imagined that picking locks could be so easy. A couple months ago, I went to the Phoenix Public Library (!) and checked out a few books on locksmithing. Surprise! The books all had chapters on how to pick locks for fun and profit. One book explained how to make homemade lockpicks by grinding down hacksaw blades.
Using $0.99 hacksaw blades and a Dremel Tool grinder, I made an assortment of lockpicks. K-Mart supplied me with an assortment of locks to practice on and disassemble.

After a few days of practice, I found that I could pick open any disk tumbler lock that I could find - these are the cheap locks found on desk drawers, cabinet locks, window locks, and a few cheap padlocks and old door locks. Most disk tumbler locks take me less than 10 seconds to get open.

I've also picked open every pin tumbler lock that I've tried, but they're harder; most of them take about two minutes to get open. These are the locks found on most door locks. The most difficult lock I've tried is the expensive Master brand pin-tumbler padlock, which required about twenty minutes of delicate work to pick open. (I disassembled it to see why it was so hard. Master uses smaller pins than usual, made to very tight tolerances, without the bevelled ends found on most pins.)

There are such things as pick-resistant locks, but they are pretty rare. It seems that 99 per cent of the locks in my life are pickable disk tumbler or pin tumbler locks. (I haven't yet begun practicing on automobile locks; from the diagrams in the books, they seem to have extra features that may make them harder to pick.)

I called some city and state offices, and one local locksmith, to see if there are any laws regulating the possession and use of lockpicks in Arizona. No one I talked to seemed to know anything about any regulations!

If it's so easy to pick open locks, why do burglars resort to harder and messier ways of entering buildings, desks, cabinets, etc.? Are most burglars incapable of learning such a skill, or does it just not occur to them? Should I spend a fortune replacing the locks on my house, or are the risks low that a burglar will pick the locks?

Randy D. Miller (602) 870-1696
GTX Corp., 8836 N. 23rd Ave., Phoenix, AZ 85021
{cbosgd,decvax,hplabs,amdahl,nsc}!sun!sunburn!gtx!randy

[One of the imperative themes in the RISKS Forum is that protection measures are inherently compromisable. The myth of technology as a panacea continues to haunt us. Most car-door locks are TRIVIAL to break. Skeleton keys for house locks are simple to fabricate. Cyclic redundancy checks and crypto seals are simple to break if the underlying system is not adequately secure. Thus using a complicated mechanism on top of a flawed mechanism invites compromise. The more sophisticated the lock mechanism, the more challenges for the sophisticated attacker. But the belief in technology as a magic wand is perhaps the most dangerous of all -- whether it is locks or automated defense systems. PGN]

------------------------------

Date: Tue, 5 Jul 88 17:32 EDT
From: tab@mhuxu.att.com
Subject: Re: The Eyes Have It (RISKS DIGEST 7.14)
Organization: AT&T Bell Laboratories, Murray Hill

I had to laugh at "The Eyes Have It". The last five digits of my NJ driver's license number are 61664. This is supposed to represent my date of birth and eye color. I was born on 11-22-66, and the last time I checked my calendar, we didn't even have 61 months!

This made me think about PGN's comment about three extra "eye color" values not being enough to prevent data collisions. Since it is obviously possible to have the first "DOB" digit not match the actual DOB, why not use 2-9 in that field? That, combined with the extra eye color values, would leave room for almost eight times as many "identical" people ("almost" because Jan-Nov and Feb-Dec birth dates would have to share the extra numbers). They could still retain the DOB information if 2-5 in the first digit = 0 and 6-9 = 1.

It also makes me wonder about the NJ DMV. I know they've had many problems with their computer system (and their offices, and their personnel, and ... :-), but this is ridiculous - not only do the two DOB fields not match (they did get it right in the DOB space on the license), but one of them isn't even a valid date!

(If the NJ DMV already uses different DOB #'s for data collisions, I apologize for this entire article. I've *never* heard of anyone else with something other than the DOB in those 4 digits. In fact, everything I have heard makes my number look like a unique case. If there were a reliable way to get information from the DMV I'd ask them, but they can't even tell me what forms I need to register my car, so I'm afraid there's not much hope of getting a correct answer to a question like this.)

Tracey Baker   {att, rutgers!moss}!mhuxu!tab or tab@mhuxu.att.com   (201)582-5357
Rm. 2F-211, AT&T Bell Laboratories, 600 Mountain Ave., Murray Hill NJ 07974

------------------------------

Date: Tue Jul 5 20:46:53 1988
From: littlei!foobar!sdp!sdp@uunet.UU.NET
Subject: RISK of PIN's - PNB calling card

After noting charges on my last phone bill for calls made from places I've never been, I called Pacific Northwest Bell (PNB) and changed the PIN on my calling card. (I decided to pay the $3 in long distance charges since I had given my PIN to an old girlfriend about a year ago.)

I was mildly surprised to find that the procedure for changing my PIN was to tell the PNB representative on the phone what I wanted my new PIN to be. I already (have to) trust the phone company, so this risk was acceptable to me.

I was REALLY surprised by what I found out when I received a new calling card in the mail today. (Probably sent automatically because I changed my PIN.) Here are some of the "features" of my new calling card as explained in the letter sent along with it:

"Exclusive extra security
When you look at your Card, you'll notice that your four-digit security number is not shown. That means _extra security for you_, because only you know the Security Code.

Maximum convenience
Turn your card over. The magnetic stripe on the back lets you use many of the new Card Reader phones. _You don't need to enter your card number or your security code_. Just slide your Card through the special slot and dial! ... "

Identifying the problem with this is left as an exercise for the reader. I think I'll just hit my card with a bulk tape eraser, and forget about using card reader phones until PNB straightens this out.

Scott Peterson, OMSO Software Engineering, Intel, Hillsboro OR
sdp@sdp.hf.intel.com   uunet!littlei!foobar!sdp!sdp

------------------------------

< End of RISKS-FORUM Digest 7.16
************************
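The following is an added example (editor's code, not part of the digest and not NJ DMV code) that models the collision-avoidance scheme Tracey Baker proposes in "Re: The Eyes Have It" above. The layout of the five-digit block as MM YY E (birth month, two-digit birth year, eye-colour code) is an assumption drawn from the post's own example, 61664 for a birth date of 11-22-66; the eye-colour values are likewise assumed to be single digits. The code decodes a block both literally (as the post read it, giving month 61) and with the proposed remapping of the first digit (2-5 read as 0, 6-9 read as 1), and it issues the next free variant when a month/year/eye-colour combination is already taken.

```python
from typing import List, Set, Tuple

# Digits permitted in the first position, keyed by the month tens-digit they
# decode to under the proposal: 0 or 1 is the conventional form, the rest
# are the extra variants the post suggests for otherwise identical people.
TENS_VARIANTS = {0: "02345", 1: "16789"}


def _check(block: str) -> None:
    """Reject anything that is not exactly five decimal digits."""
    if len(block) != 5 or not block.isdigit():
        raise ValueError(f"block must be five digits: {block!r}")


def literal_month(block: str) -> int:
    """Read the first two digits as a plain month, as the post did (61 for 61664)."""
    _check(block)
    return int(block[:2])


def decode_block(block: str) -> Tuple[int, int, int]:
    """Decode (month, year, eye) with the proposed 2-5 -> 0, 6-9 -> 1 remapping.

    Raises ValueError if the month is impossible even after remapping.
    """
    _check(block)
    tens = 0 if block[0] in TENS_VARIANTS[0] else 1
    month = tens * 10 + int(block[1])
    if not 1 <= month <= 12:
        raise ValueError(f"impossible month {month} in block {block}")
    return month, int(block[2:4]), int(block[4])


def candidate_blocks(month: int, year: int, eye: int) -> List[str]:
    """All blocks that decode to the same (month, year, eye).

    The first entry is the conventional 0/1 form; the others are the variants
    the proposal frees up for people who would otherwise collide.
    """
    if not 1 <= month <= 12 or not 0 <= eye <= 9:
        raise ValueError("month must be 1-12 and eye code a single digit")
    tens, ones = divmod(month, 10)
    return [f"{d}{ones}{year % 100:02d}{eye}" for d in TENS_VARIANTS[tens]]


def assign_block(issued: Set[str], month: int, year: int, eye: int) -> str:
    """Issue the first free variant for this month/year/eye colour and record it."""
    for block in candidate_blocks(month, year, eye):
        if block not in issued:
            issued.add(block)
            return block
    raise LookupError(f"all variants used for {month:02d}/{year % 100:02d}/{eye}")


def issue_twins(month: int, year: int, eye: int, count: int) -> List[str]:
    """Issue `count` blocks for people sharing the same month, year and eye colour."""
    issued: Set[str] = set()
    return [assign_block(issued, month, year, eye) for _ in range(count)]


if __name__ == "__main__":
    # Constructed walk-through using the post's own numbers.
    print("literal month of 61664:", literal_month("61664"))        # 61, not a month
    print("remapped decode of 61664:", decode_block("61664"))      # (11, 66, 4)
    print("two people born 11/66, eye code 4:", issue_twins(11, 66, 4, 2))
```

Under the proposed remapping the post's own block decodes to November 1966, and 61664 is exactly the second variant the allocator hands out for that combination, which is all the example claims; whether the NJ DMV actually does this is the question the post leaves open.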
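The following is an added example (editor's code, not part of the digest and not PNB's system) that makes explicit the problem Scott Peterson leaves as an exercise in "RISK of PIN's - PNB calling card" above. It models the two paths the PNB letter describes: a keypad path where the caller must type the card number and the four-digit security code, and a card-reader path where a swipe of the magnetic stripe is accepted in place of both. The card number, the code and the "number|code" stripe layout are constructed assumptions; the point is independent of how PNB actually encoded the stripe, since the letter says a swipe alone suffices.

```python
import hmac
from typing import Optional

# Constructed sample account: calling-card number -> four-digit security code.
# Both values are made up for this example.
ACCOUNTS = {"503-555-0100-1234": "4321"}


def keypad_call(card_number: str, typed_code: str) -> bool:
    """Keypad path: the caller must know both the card number and the code."""
    code = ACCOUNTS.get(card_number)
    return code is not None and hmac.compare_digest(code, typed_code)


def encode_stripe(card_number: str, self_authenticating: bool) -> str:
    """Write a stripe for the card.

    self_authenticating=True models the letter's "just slide your Card through
    the slot and dial" path, where the swipe stands in for the number and the
    code.  False writes the account number only, so the code must still be typed.
    The "number|code" layout is an assumption for this example.
    """
    code = ACCOUNTS[card_number] if self_authenticating else ""
    return f"{card_number}|{code}"


def reader_call(stripe: str, typed_code: Optional[str] = None) -> bool:
    """Card-reader path.  Returns True if the call is authorised.

    A blank stripe (for instance one wiped with a bulk tape eraser) is refused,
    which forces the caller back onto the keypad path.
    """
    if not stripe:
        return False
    number, _, code_on_stripe = stripe.partition("|")
    if code_on_stripe:
        # Whoever holds the card, or a copy of its stripe, is authorised:
        # the code the letter says "only you know" is never asked for.
        return keypad_call(number, code_on_stripe)
    if typed_code is None:
        return False
    return keypad_call(number, typed_code)


def lost_card_usable(self_authenticating: bool) -> bool:
    """Does someone who has the card but not the code get a call through?"""
    stripe = encode_stripe("503-555-0100-1234", self_authenticating)
    return reader_call(stripe)


if __name__ == "__main__":
    print("finder of a self-authenticating card can dial:", lost_card_usable(True))
    print("finder of a number-only card can dial:", lost_card_usable(False))
    print("erased stripe accepted:", reader_call(""))
```

Not printing the code on the card protects it from someone who glances at the card; putting the whole credential on the stripe gives it to anyone who holds or skims the card. Keeping only the account number on the stripe and still requiring the typed code preserves the two factors, and a wiped stripe simply degrades to the keypad path rather than to an open card.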