RISKS-LIST: RISKS-FORUM Digest  Monday 11 July 1988  Volume 7 : Issue 20

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  "Computers may be at root of jet downing" (PGN)
  Iran Airbus tragedy (Chris Moss)
  Shooting down Flight 655 (Herb Lin)
  Ignoring the wolf (Andy Freeman)
  Air France Airbus crash (Henry Spencer)
  Re: Physical hazards - poorly designed switches (John Robert LoVerso)
  PIN on PNB calling card (Mark Mandel)
  Lockpicking (Henry Spencer, Robert Mathiesen, Doug Faunt, Chaz Heritage)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored).
REQUESTS to RISKS-Request@CSL.SRI.COM.
For Vol i issue j / ftp kl.sri.com / get stripe:risks-i.j ... .
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Mon 11 Jul 88 10:34:52-PDT
From: Peter G. Neumann
Subject: "Computers may be at root of jet downing"

From the Washington Post, on the front page of the San Jose Mercury News, 11 July 1988:

WASHINGTON -- Computer-generated mistakes aboard the USS Vincennes may lie at the root of the downing of Iran Air Flight 655 last week, according to senior military officials being briefed on the disaster.

If this is the case, it raises the possibility that the 290 Iranian passengers and crew may have been the first known victims of "artificial intelligence," the technique of letting machines go beyond monitoring to actually making deductions and recommendations to humans.
The cruiser's high-tech radar system, receivers and computers -- known as the Aegis battle management system -- not only can tell the skipper what is out there in the sky or water beyond his eyesight but also can deduce for him whether the unseen object is friend or foe and say so in words displayed on a console.

This time, said the military officials, the computers' programming could not deal with the ambiguities of the airliner flight and made the wrong deduction, reached the wrong conclusion and recommended the wrong solution to the skipper of the Vincennes, Capt. Will Rogers III.

The officials said Rogers believed the machines -- which wrongly identified the approaching plane as hostile -- and fired two missiles at the passenger plane, knocking it out of the sky over the Strait of Hormuz. [...]

System `flawed' in tests

On the question of the Vincennes' performance, Rep. Denny Smith, R-Ore., a longtime critic of the Aegis program, said Sunday on the ABC News program "This Week With David Brinkley" that the type of phased-array radar system carried on the Vincennes has proved "flawed almost every time" in a recent series of Navy tests. [...]

Military officers with combat experience stopped short of criticizing Rogers for firing but said a skipper who relied more on human intelligence than artificial intelligence might have doubted that the approaching plane was an Iranian F-14 intent on attacking his ship for these reasons:

/ The approaching plane had not focused either its search or fire-control radar system on the Vincennes and had identified itself at least once electronically as an airliner as well as an F-14, an air-to-air fighter that Iran has not used against ships.

/ The plane was descending from a high altitude, between 9,000 and 12,000 feet, making it vulnerable to the Vincennes' missiles and guns.
Rogers had about four minutes -- enough time to handle a single threat -- to shoot the Airbus down after it came within sight but before a hostile plane could use its cannons or drop unguided bombs accurately. (The Iranian F-14 is not wired for anti-ship missiles, which would be dropped during a different flight profile than the Airbus was flying, and has not shown the ability to use laser-guided bombs in such a single-airplane attack.)

/ A single plane would be unlikely to attempt a kamikaze attack against such a heavily armed and highly maneuverable ship as the Vincennes.

Newspaper disputes account

The Pentagon's account of the incident came under fire from a new direction Sunday when the Sunday Times of London reported that the British Government Communications Headquarters had determined from electronic eavesdropping that the Iranian Airbus left Bandar Abbas only three minutes behind schedule, was flying in the correct flight path south over the Strait of Hormuz toward Dubai in the United Arab Emirates and was climbing when the Vincennes shot it down.

Adm. William J. Crowe Jr., chairman of the Joint Chiefs of Staff, said July 3 that the Airbus was outside the commercial corridor, an assertion the Pentagon stepped away from Thursday, and was descending toward the ship in an attack mode. The Pentagon has said the airliner was 27 minutes late taking off.

The newspaper said that the communications headquarters report was "severely critical" of the U.S. Navy for shooting down the Airbus and suggests that the initial confrontation between the Vincennes and three Iranian gunboats may have been provoked by U.S. helicopters flying into Iranian airspace. The Pentagon has said a helicopter from the Vincennes was fired on by the gunboats, triggering return fire from the cruiser.

Pentagon officials declined to comment on the Times report.
------------------------------

Date: Mon, 11 Jul 88 15:22:43 BST
From: cdsm%DOC.IC.AC.UK@CUNYVM.CUNY.EDU
Subject: Iran Airbus tragedy

[...] Some people writing in the US may not realise that Dubai airport, to which the flight was heading, is the busiest transit point in the region. It would change a LOT of schedules if it were closed.

Chris Moss

------------------------------

Date: Mon, 11 Jul 1988 00:47 EDT
From: LIN@XX.LCS.MIT.EDU
Subject: Shooting down Flight 655

I've just read the last few issues of commentary about this subject, and I find the debate sadly misdirected. The one really relevant comment came from Gary Chapman, who says we should not look at just the technical issues.

The point is not to learn why the Vincennes was unable to identify a civilian airliner as such. The US military has known for 20 years that the IFF problem (Identification Friend or Foe) is a VERY tough problem, and no good solutions exist as yet, other than visual identification. If you send ships into areas in which weapons will be fired at other things in the area, sooner or later an innocent target will be destroyed. We can argue till the cows come home the precise nature of this particular error, but in the larger scheme of things, it really doesn't matter. Whatever this reason is, the next time it will be some other reason.

The real issue -- if you are determined to save innocent lives -- is why the US Navy is in the Gulf at all. The only sure way to make sure you don't -- at some point -- have innocent blood on your hands is to not send your weapons of war into an area where they could be used. The technology doesn't matter; the policy does.

On the other hand, maybe RISKS isn't the right place for a strictly policy debate. Try ARMS-D for that, maybe?
Herb (ARMS-D moderator)

------------------------------

Date: Fri, 8 Jul 88 23:03:45 PDT
From: Andy Freeman
Subject: Ignoring the wolf

The July 8 issue of the San Francisco Chronicle had an article by Karen DeYoung of the Washington Post. She reported on a news conference by Brigadier General Mansour Satary, "the chief of Iran's Air Force." The last paragraph of the article was:

"Asked why the airbus failed to respond to what the Pentagon has said were 12 separate radio queries, on both military and civilian frequencies, to identify itself, Satary said that such communications from the American ships in the gulf were so frequent that Iranian pilots usually ignored them."

-andy

------------------------------

Date: Sun, 10 Jul 88 21:57:41 EDT
From: mnetor!utzoo!henry@uunet.UU.NET
Subject: Air France Airbus crash

> Does the Airbus model in question display altitude in feet or meters?
[Question raised regarding whether the Air France Airbus was at 30 feet or 30 meters...]

Unless I am greatly mistaken, in feet. Altitudes and airspeeds are not quite the same situation as fuel volumes. The latter are a matter for individual aircraft; the former are of vital interest to air traffic control and other aircraft, and units are internationally standardized (altitude in feet, airspeed in knots). I wouldn't even expect readouts in both units, because altitude and airspeed are safety-critical items and even the slightest confusion about which number is which is unacceptable.

It's kind of unfortunate that aviation standardized on units that are now obsolete, but this is one of those cases where the actual units are not very important so long as they're standard. For navigation one needs to turn airspeed into map distance, and for the initial phase of takeoff and the final phase of landing the absolute altitude is significant, but otherwise comparisons are usually relative and the units of measurement don't matter much.
For example, what matters about airspeed is not its absolute value, but its value relative to safe limits, optimal values for the particular phase of flight, and the value requested by traffic control. Even near-ground altitudes are relative to some degree: 50 feet of altitude is a good takeoff-obstacle clearance for a Cessna, a dangerously small one for a 747 (which can't do a hard turn without sticking a wing down farther than that), and a routine operating altitude for military aircraft in wartime.

Henry Spencer at U of Toronto Zoology uunet!mnetor!utzoo! henry @zoo.toronto.edu

------------------------------

Date: Mon, 11 Jul 88 16:01:50 EDT
From: John Robert LoVerso
Subject: Re: Physical hazards - poorly designed switches

Dave Curry relates of some problems with a CCI Power 6/32:

> CCI also cleverly placed the "reboot" switch, an up/down toggle, on the
> front of the cabinet, not recessed, and at knee level. Fortunately,
> UNIX seems to ignore the switch.

At SUNY/Buffalo, the Sperry 7000/40 there that I had running 4.3BSD-tahoe beta did respond to that switch (I remember leaning over the front of the processor once, only to end up rebooting it). That machine suffered my worst abuse. To the left of the front reboot switch was the key switch for local/locked/off. I once knocked into it, only to break the end off of the key.

CCI also used a clever placement strategy with the "emergency shutoff" switch, a large red push button. This was on the back of the cabinet, extending out 1" at waist level. Pressing this would trip the main breaker for the CPU and disks. It was easy to lean on this button and then suddenly notice the quiet in your end of the machine room. Unfortunately, this machine was far from the VAXen in the room, and behind it was one of the quieter locales in the machine room, so I frequently stood in that area while talking to people. And, more than once, I accidentally hit that switch.
One day, I was imparting upon the field service tech how poorly designed this switch was (and he was telling me how it was required by law to have an easily accessible emergency cutoff?!) when I (accidentally) leaned on the darned thing again. The very next day I took the mounting bracket apart and replaced it in such a way that the switch was recessed 1" into the cabinet. Never again did I hit it accidentally.

Henry Spencer tells of a chair that liked RK05s. I was told a story about CU/Boulder, where they used to use munchkins (12 year olds) to do dumps. They had the familiar RA81/TU80 combinations common to VAX 11/750s, where the RA81 controls are about 18" from the ground. One particular short munchkin had the problem of repeatedly off-lining the drive while mounting the tape to dump it. As with Henry's chair, he was replaced by someone taller.

John R LoVerso, Encore Computer Corp

------------------------------

Date: Mon, 11 Jul 88 09:26 EDT
From: Mark Mandel
Subject: PIN on PNB calling card

Scott Peterson's reaction to Pacific Northwest Bell's encoding his calling card PIN in the magstripe is simply to "hit [his] card with a bulk tape eraser, and forget about using card reader phones until PNB straightens this out".

Scott, have *you* called PNB's attention to this monumental piece of stupidity? Has anyone? Or do you trust the same crew that implemented this un-security measure to realize their mistake unaided and take the initiative to correct it? "Marketing sez the customers want the convenience, and they haven't gotten any complaints, so if it ain't broke [i.e., not causing us any grief] don't fix it."

-- Mark Mandel

------------------------------

Date: Sat, 9 Jul 88 23:45:42 EDT
From: mnetor!utzoo!henry@uunet.UU.NET
Subject: Re: Lockpicking

> Should I spend a fortune replacing the locks on my house, or are the risks
> low that a burglar will pick the locks?

A local insurance outfit might be able to tell you what the incidence of such things is locally.
Do beware of one complication: since picking leaves no major physical traces, it is a convenient scapegoat for cases where the *real* problem was the owner's carelessness. Orthodox wisdom is that most "burglar picked the lock" cases are really "burglar had a key" or "door was not locked".

My understanding is that picking is perceived as difficult and possession of lockpicks (aka "burglary tools") is perceived as too likely to be incriminating. I would be surprised if Arizona didn't have a possession-of-burglary-tools law; before spending a fortune on locks, spend a little asking a lawyer about this. (Local officials are notorious for being uninformed about the laws they are supposed to enforce, so I wouldn't put too much faith in the negative results you got by asking them.)

Henry Spencer @ U of Toronto Zoology {ihnp4,decvax,uunet!mnetor}!utzoo!henry

------------------------------

Date: Mon, 11 Jul 88 08:37:45 EDT
From: Robert Mathiesen
Subject: lockpicking

Apropos of Randy D. Miller's surprise that information on lockpicking is so readily available, I cannot resist quoting Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published about 140 years ago. His words are also relevant to much of the discussion on computer security which has gone on in this Forum.

"A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done.
If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of *honest* persons to know this fact, because the *dishonest* are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear -- milkmen knew all about it before, whether they practised it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased. ..... The unscrupulous have the command of much of this kind of knowledge without our aid; and there is moral and commercial justice in placing on their guard those who might possibly suffer therefrom. We employ these stray expressions concerning adulteration, debasement, roguery, and so forth, simply as a mode of illustrating a principle -- the advantage of publicity. In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good."
The subsequent development of lockmaking in the course of the next 140 years has long since demonstrated the correctness of Tomlinson's argument in his own field. I do not doubt that it is equally applicable in the area of computer security.

------------------------------

Date: Fri, 8 Jul 88 22:44:02 PDT
From: Doug Faunt (phone (415) 496-4727)
Subject: re: lockpicking and burglars

I would like to point out that it might be worthwhile to improve your locks to some degree, since an intruder who picked the lock probably wouldn't leave any evidence of the intrusion, and at least one of my insurance policies DOES NOT cover, "mysterious disappearance". You may not be able to keep them out, but you can make sure there's a record. This has obvious applicability to computer security measures.

...{amdahl|decwrl|hplabs}!spar!faunt faunt@spar.slb.com

------------------------------

Date: 7 Jul 88 09:31:26 PDT (Thursday)
From: "chaz_heritage.WGC1RX"@Xerox.COM
Subject: Lockpicking

In his Tue, 5 Jul 88 09:44:06 MST Randy D. Miller writes:

>I called some city and state offices, and one local locksmith, to see if there are any laws regulating the possession and use of lockpicks in Arizona. No one I talked to seemed to know anything about any regulations!<

I feel that I ought to ask the Phoenix, Arizona Police Department how they would feel about searching Mr. Miller's home for >$0.99 hacksaw blades and a Dremel Tool grinder<.

Exactly this 'ban it all' attitude is very prevalent in UK. If someone is murdered with a knife, the media howl for all knives to be 'banned'. What they should howl about is that someone is motivated to murder - not that someone who was so motivated chose a particular instrument.

Or perhaps Mr. Miller would be happy to live under a law that prohibited possession of lockpicks - or the means to make them - or the knowledge of how to make them........

Chaz Heritage

------------------------------

End of RISKS-FORUM Digest 7.20
************************