RISKS-LIST: RISKS-FORUM Digest  Tuesday 20 February 1990  Volume 9 : Issue 69

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents: [Backlog.  Also at risk of multiples.  Guru inaccessible.  Good luck.]
  A320 accident (Nancy Leveson, George Michaelson)
  Ferry line replaces "sail-by-wire" with pneumatic controls (Jon Jacky)
  Now Prodigy Can Read You (Donald B Wechsler)
  3 KGB Wily Hackers convicted, mild sentences (Klaus Brunnstein)
  Problems/risks due to programming language, stories requested.
    [Item includes AT&T "do...while"..."switch"..."if"..."break" tale]
    (Gerald Baumgartner)
  AT&T Says New Goof Wiped Out Many Toll-Free Calls (David B. Benson)
  Re: Computerized Collect Calls (Adam Gaffin via Mark Brader)
  RISKS of ANI blocking (James C Blasius)
  "Brilliant Pebbles" (Gary Chapman)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
 taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
 CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
 (otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
 TO FTP VOL i ISSUE j:  ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
 cd sys$user2:[risks]<CR>get risks-i.j<CR>.  Vol summaries now in risks-i.0 (j=0)

----------------------------------------------------------------------

Date: Wed, 14 Feb 90 12:09:11 -0800
From: Nancy Leveson
Subject: A320 accident

From the AP wire:  by Sharon Herbaugh, Associated Press Writer

NEW DELHI, India (AP) - An Indian Airlines jet with 146 people aboard crashed and burst into flames while attempting to land at a southern Indian airport today and 91 people were killed, authorities said.

The Airbus 320 crashed at 1 p.m. while on final approach to the runway at Bangalore airport, airline and airport officials said. The plane apparently grazed a grove of trees and crashed about 50 yards from the runway, they said.
State-run television showed shots of the crash site, a grassy plain on a golf course adjacent to the airport. The craft's tail was intact, but its fuselage was shattered and charred and the nose smashed.

"The crash occurred before the plane touched the runway, and it caught fire as soon as it crashed," said P.S. Ghetty, airport manager in Bombay, where the hourlong flight had originated.

The crash was the first by the sophisticated Airbus 320 on a commercial flight. One of the planes crashed in a demonstration flight at an airshow in eastern France in 1988, killing three people and injuring 50.

Airline officials said the plane, which was an hour behind schedule, carried 139 passengers and a crew of seven.

[More about injuries]

Airline officials did not know what caused the crash, but they said weather was not a factor. The jet was acquired by the nation's government-run domestic carrier about three months ago for $38 million.

After Indian Airlines announced it was adding 31 Airbus 320s to its aging fleet of Boeing, Fokker, and Avro planes, news reports criticized the airline for failing to adequately train pilots to fly the sophisticated aircraft, the first civilian airliner with a fully computerized flight control system. The carrier also was criticized for failing to provide adequate hangar space to house and maintain the planes.

[more about some previous Indian Airlines accidents]

Indian Airlines, the major domestic carrier, flies to 73 cities nationwide and to nine nearby countries. It has come under criticism for allegedly failing to maintain pre-flight safety procedures on its fleet and to adequately supervise its pilots. Delays in flight schedules are also endemic.

The A320, built by the European consortium Airbus Industrie, is the first civilian airliner equipped with a fully computerized flight control system, which the manufacturer says permits safer, electronically controlled flight.
Developed at a cost of nearly $2 billion, the A320 was certified for flight on Feb. 26, 1988, and went into service in April 1988.

[There have also been some unofficial radio reports that suggested that the flight control system was involved in this crash. My friends in the industry say that this cannot possibly be known for a while.  nancy]

   [Also noted by Robert Dorsett (rdd@rascal.ics.utexas.edu) and
   David B. Benson (benson@cs2.cs.WSU.EDU), Steve Milunovic.  PGN]

------------------------------

Date: Thu, 15 Feb 90 16:39:16 +1100
From: George Michaelson
Subject: yet another A320 problem

[...] Doubts were expressed about the ability of the airline to maintain the complex flight control equipment, and the effects of dust on the system, both with explicit reference to computing systems.

I find it hard to raise any possible risks in technology transfer to developing countries (does that label apply to India?) given the overtones of chauvinism if not downright racism, but it seems from this interview as if the Indian engineers themselves question their ability to handle this package.

I suspect other parallels exist with well-meaning donation/supply of IT infrastructure that failed to match local conditions, e.g. lack of tropical "hardening", availability of spike-free UPS, spares, training.

sort-of comp.society but has some RISKy overtones...

-George

------------------------------

Date: Mon, 19 Feb 1990 20:02:49 PST
From: JON@GAFFER.RAD.WASHINGTON.EDU (Jon Jacky)
Subject: Ferry line replaces "sail-by-wire" with pneumatic controls

This article appeared in IEEE SPECTRUM, vol 27, no 2, Feb. 1990, page 54:

FAULTS AND FAILURES: FERRY ELECTRONICS OUT OF CONTROL
by Karen Fitzgerald with John R. Devaney and Robert Thomas

In a seeming reversal of progress, Washington State Ferries, the agency that manages the United States' largest ferry transportation system, has begun replacing the electronic control systems of six of its boats with pneumatic controls.
A string of failures, beginning in the early 1980's after the Issaquah-class ferries were introduced, eventually forced the change. Ferries rammed docks, for instance, or puttered away from them even though no command was given. In a few instances, a ferry shifted from forward to reverse with no warning. In contrast, an Issaquah boat retrofitted last June with a hybrid electro-pneumatic system has outstripped all expectations, according to vessel maintenance engineer Ben Davis.

[ Here the article includes a photo of an Issaquah ferry. They are large, carrying several hundred cars, their passengers, and hundreds of walk-on passengers - JJ ]

As part of the state's Department of Transportation, Washington State Ferries in Seattle operates 24 vessels, encompassing a variety of control systems. No others have had the problems of the six boats in the Issaquah class, which are unique in having variable-pitch propellors, one at each end of the boat. When the captain sets the control handle positions for transit or movement near the dock, the control system must set the appropriate propellor speed, pitch, and clutch engagement. Variable pitch makes the craft extremely maneuverable, able to move sideways and turn on the spot.

Many of the problems could be traced to the vendor, Propulsion Systems Inc. (PSI), which went bankrupt in 1981 and was then bought by the ferry builder, the now-defunct Marine Power and Equipment Co. "The problem is not so much with digital controls," said Davis, "as with horribly shoddy control system design."

[ Here the SPECTRUM article describes examples, including poor understanding of the propulsion system, grounding and shielding problems, poor protection against power supply dropouts and transients, poor documentation and configuration control, and incorrect assembly ]

... a 1986 Lockheed Shipbuilding Co. study recommended switching to pneumatics to improve reliability. ...
The agency chose a hybrid control system that operates electrically from control handles to control cabinet ... but operates pneumatically from cabinet to propellors and engine governors ... (the replacement control system is) supplied by Mathers Control Inc., Seattle. ...

- Jon Jacky, University of Washington (in Seattle)

------------------------------

Date: Thursday, 15 Feb 1990 17:11:22 EST
From: m17434@mwvm.mitre.org (Wechsler, Donald B)
Subject: Now Prodigy Can Read You

The Prodigy Services publication, PRODIGY STAR, (Volume III, No. 1) recently showcased a "major benefit". The Prodigy system accesses remote subscribers' disks to check the Prodigy software version used, and when necessary, downloads the latest programs. This process is automatic when subscribers link to the network.

I asked Prodigy how they protect against the possibility of altering subscribers' non-Prodigy programs, or reading their personal data. Prodigy's less-than-reassuring response was essentially (1) we don't look at other programs, and (2) you can boot from a floppy disk. According to Prodigy, the feature cannot be disabled.

------------------------------

Date: 15 Feb 90 15:50 +0100
From: Klaus Brunnstein
Subject: 3 KGB Wily Hackers convicted, mild sentences

A court in Celle (a small town near Hannover, FRG) today (Thursday 15, 1990) convicted 3 KGB hackers of espionage (=to work for a foreign service against the interests of the country) for the KGB. Sentences were mild and partly significantly below the recommendation of the public prosecutor.

Markus H. (whom Clifford Stoll regarded as 'the Wily hacker') was found guilty of having intruded US military computer systems 30 times (out of 450 attempts); his sentence: 20 months prison (for 3 years on probation) and to pay 10,000 DM; Dirk B. was sentenced to 14 months and has to pay back 5,000 DM. And finally, former croupier Peter C.
(who essentially connected the links to KGB but has no knowledge in computing) was sentenced to 2 years and has to pay back 3,000 DM. All of them lost the `citizen rights' (e.g. to participate in elections, either passively or actively) for 2-3 years. The prison sentences are deferred for 3 years probation time. They were immediately released from detention pending trial.

The chairman of the 2nd senate of the Nether Saxonian Criminal Court said in his oral argumentation that the Federal Republic did not suffer seriously from the hack, but that US military institutions and a large manufacturer were damaged. (As the German law has not the same universality as US law, damage to US institutions could not be prosecuted). Moreover, the court expressed strong doubts that a real damage was done: 'only' a security package of a large manufacturer and the source code for a UNIX system were mentioned. (The large manufacturer evidently prepares a civil case). Independent of whether the sentences are accepted and will become valid, the estimations in media about billions DM of damage were rather premature.

It will be interesting to analyse (in the written argumentation) why the court did not convict the hackers on the hacker attacks (the German penal law recently was updated by a new paragraph on computer espionage which was not applied). The defenders tried (evidently successfully) to show that Cliff Stoll's proofs were insufficient to show that the guy in Hannover (H.) really was the guy whose commands were executed 10,000 miles away. With a court without any knowledge (the chairman asked the hackers more than once `What means' questions on e-mail etc), with public prosecutors and with criminalists which evidently lacked the basic knowledge, it may not surprise that the defenders succeeded in putting the material in question (Cliff Stoll's book was forbidden to be sold in its German version, due to several statements which the defenders neglected).
I apologize for any misformulations esp. regarding legal language (I am not educated as a lawyer); moreover, I hope that my personal doubts about the competence of the criminal agencies, the prosecutor and the court are not overstated here. On the other side, the 2 hackers (a 3rd one committed suicide last year, and the defenders tried to load all the guilt on him) and the 4th one, `Pengo' who may face another process (in Berlin), all belonging to the so-called `Leitstelle 511' (due to the telephone prefix of Hannover) of Chaos Computer Club are not those professionals as they are regarded by the media and the lawyers.

Klaus Brunnstein

------------------------------

From: gb@cs.purdue.edu (Gerald Baumgartner)
Subject: problems/risks due to programming language, stories requested
Date: 19 Feb 90 07:42:16 GMT

  [Gerald is collecting stories on the risks of choosing the wrong programming
  language, including problems that could have been avoided if another (a
  better) programming language would have been used.  He cited the Mariner
  (but hadn't seen the newer explanations in RISKS-8.75 or RISKS-9.75), the
  Internet Worm fingerd problem, and the 15 Jan 90 AT&T slowdown.  But he
  included the following text on the AT&T problem.  PGN]

| From: kent@wsl.dec.com
| Subject: AT&T Bug
| Date: Fri Jan 19 12:18:33 1990
|
| This is the bug that caused the AT&T breakdown
| the other day (no, it wasn't an MCI virus):
|
| In the switching software (written in C), there was a long
| "do . . . while" construct, which contained
| a "switch" statement, which contained
| an "if" clause, which contained a
| "break," which was intended for
| the "if" clause, but instead broke from
| the "switch" statement.

Again it looks like this bug wouldn't have occurred in another programming language. You C what I mean?

Do you know other stories like these, if possible with references?
I don't want to praise Ada or pick at C and Fortran; I am looking for any story where a provably inappropriate/insecure programming language has been used.

Gerald Baumgartner
gb@cs.purdue.edu
...!{decwrl,gatech,ucbvax}!purdue!gb

------------------------------

Date: Wed, 14 Feb 90 11:36:41 PST
From: dbenson@cs2.cs.WSU.EDU (David B. Benson)
Subject: AT&T Says New Goof Wiped Out Many Toll-Free Calls

The Wall Street Journal, Tuesday, February 13, 1990
By John J. Keller, Staff Reporter of The Wall Street Journal

New York -- American Telephone & Telegraph Co., still reeling from a crippling network outage less than a month ago, suffered another accident on Friday that wiped out toll-free 800 service to tens of thousands of callers nationwide.

AT&T blamed the latest disruption on a service technician who had forgotten to program some information on a group of 800 numbers into a network computer. Only companies subscribing to 800 numbers using the prefix 424 were affected, said AT&T. That included the Internal Revenue Service's toll-free, tax-service number 1-800-424-1040. Another IRS line that allows callers to order forms by phone was also cut off.

AT&T declined to identify business and government agency customers other than the IRS that were affected by the Friday shutdown, which lasted about 90 minutes, from 12:40 p.m. EST to a little after 2 p.m. While that's nowhere near the nine hours that AT&T's network had problems on the afternoon and evening of Jan. 15, it was an embarrassing epilogue to the earlier breakdown. Until the January problem, AT&T hadn't experienced a major network problem in its 114-year history. The January outage was caused by a software programming error in the company's network signaling system.

"AT&T offers the most modern services, but this latest accident was at the lowest level of sophistication," said Jack B. Grubman, an analyst at PaineWebber Inc. "That's not good."
The AT&T spokesman blamed Friday's accident, which he called a "very small mishap" and a "minor inconvenience," on a network service technician who was "load balancing" or making network routing changes to some 800 numbers. The technician was supposed to transfer the list of these 800 numbers from one network control point to another, he said. But apparently the technician forgot to program the routing changes into one of the control points, shutting down service on as many as 200 toll-free lines, including those leased by the IRS.

An IRS spokesman said the agency didn't have a clear idea of how many people were affected by the shutdown, but "obviously it was in the thousands. We hope it didn't cause too much of a problem."

------------------------------

Date: Wed, 14 Feb 90 14:23:01 EST
From: Mark Brader
Subject: Re: Computerized Collect Calls

Originally-from: adamg@world.std.com in comp.dcom.telecom (= Telecom Digest)

On Jan. 7, New England Telephone began switching over to a new computerized system for handling collect calls from touch-tone pay phones. Instead of an operator, you get a computerized voice telling you to punch "one one" for a collect call. Then you say your name, the computer dials the other number, tells the person it's a collect call and then plays you back as you state your name.

Just one problem. One of the reporters where I work was negotiating a sensitive interview and needed to talk to the editor-in-chief. He didn't have any change, so he tried calling collect. Another editor picked up the phone, thought it was one of those "goddamned computer telemarketing things" and promptly hung up.
Adam Gaffin, Middlesex News

------------------------------

Date: Thu, 15 Feb 90 20:44:34 EST
From: dopey@iwtil.att.com (James C Blasius)
Subject: RISKS of ANI blocking

AT&T has recently seen fit to start using Illinois Bell ISDN at my location, replacing thousands of individual answering machines (that don't work with digital phones) with an AUDIX answering system. We have automatic number identification inside the complex, displaying the caller's name on an LCD screen on the phone. We can block ANI when we call somebody, then the name shows up as PRIVATE. However, if your ANI-blocked call goes to AUDIX, AUDIX leaves your phone number along with your message!

Leaves me wondering how much I can trust commercial ANI blocking if Illinois Bell even offers it.

(The other nifty feature of AUDIX is that it leaves a message of your call even when you don't want it to. Only fix I've found to this is to type *** and confuse it).

James C. Blasius

------------------------------

Date: Mon, 19 Feb 90 10:42:30 PST
From: chapman@csli.Stanford.EDU (Gary Chapman)
Subject: "Brilliant Pebbles"

The San Francisco Chronicle reports today that the Jasons, a group of technically-oriented defense intellectuals who study weapons systems as consultants to the Pentagon, have prepared a report on the "Brilliant Pebbles" program that is highly critical of the concept. Although the report was delivered to the Pentagon last fall after the Jasons' summer study session, the general thrust of the report was not revealed until yesterday, Sunday, February 18, at a symposium at the annual convention of the American Association for the Advancement of Science, being held in San Francisco.

A summary of the Jasons' findings was presented by John M. Cornwall, professor of physics at UCLA and a member of the Jasons group. Also part of the symposium was Lieutenant General George Monahan, director of the SDIO.
General Monahan told the audience that it will cost between $50 and $60 billion to develop and deploy "Brilliant Pebbles," although others have put the cost at $100 billion. General Monahan said, "We could have a very robust first-phase defense" with "Brilliant Pebbles." "And the technology is at hand to deploy such a system, so the major considerations now are political."

Cornwall, however, said that the Jasons do not consider the technology to be at hand, and he outlined a number of problems with the "Brilliant Pebbles" concept. He said that the system would be "a somewhat leaky defense," and the "pebbles" would be vulnerable to countermeasures. They would also be ineffective against hostile missiles using fast-burn boosters. Cornwall also reported that the lasers proposed as guidance mechanisms for the projectiles are currently inadequate for the job.

Cornwall concluded, "This design is not ready to be locked into place." He did recommend further support, however, because the system may eventually prove to be a "near-term" possibility.

The Bush administration's proposed budget for the "Brilliant Pebbles" program has increased from $129 million in FY 90 to $329 million in FY 91.

-- Gary

------------------------------

End of RISKS-FORUM Digest 9.69
************************
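Added illustration (not part of the digest, and not AT&T's switching code) of the C control-flow pitfall described in Gerald Baumgartner's item above: a `break` nested do...while -> switch -> if. In C, `break` leaves only the innermost enclosing `switch` or loop and never applies to an `if`, so the `break` below exits the `switch`, the bookkeeping after the `switch` still runs, and the loop carries on to the next message. The message queue, `struct msg`, and the `fatal` flag are constructed for the example; the fixed variant records the decision in a flag and acts on it at loop level, where `break` really does leave the loop.

```c
#include <stdio.h>

/* Constructed message record (assumption for the example, not AT&T's code). */
struct msg {
    int type;   /* MSG_DATA or MSG_ERROR */
    int fatal;  /* nonzero: this error should stop all further processing */
};

enum { MSG_DATA = 0, MSG_ERROR = 1 };

/* Buggy shape: do...while -> switch -> if -> break.
 * The author wants a fatal error to stop processing, but the `break` only
 * leaves the switch, so `handled++` still runs and the loop continues.
 * Returns how many messages were counted as handled. */
int process_buggy(const struct msg *q, int n)
{
    int i = 0, handled = 0;
    do {
        switch (q[i].type) {
        case MSG_DATA:
            /* normal work would go here */
            break;
        case MSG_ERROR:
            if (q[i].fatal) {
                break;      /* exits the switch only, not the if or the loop */
            }
            break;
        default:
            break;
        }
        handled++;          /* runs even after a fatal error */
        i++;
    } while (i < n);
    return handled;
}

/* Fixed shape: decide inside the switch, act at loop level. */
int process_fixed(const struct msg *q, int n)
{
    int i = 0, handled = 0, stop = 0;
    do {
        switch (q[i].type) {
        case MSG_DATA:
            break;
        case MSG_ERROR:
            if (q[i].fatal) {
                stop = 1;   /* decide here... */
            }
            break;
        default:
            break;
        }
        if (stop) {
            break;          /* ...act here: this break belongs to the loop */
        }
        handled++;
        i++;
    } while (i < n);
    return handled;
}

/* Runs either version over a constructed 4-message queue whose second
 * message is an error; `fatal` selects whether that error is fatal. */
int demo_handled(int use_fixed, int fatal)
{
    const struct msg queue[4] = {
        {MSG_DATA, 0}, {MSG_ERROR, fatal}, {MSG_DATA, 0}, {MSG_DATA, 0}
    };
    return use_fixed ? process_fixed(queue, 4) : process_buggy(queue, 4);
}

int main(void)
{
    printf("fatal error, buggy: handled %d of 4\n", demo_handled(0, 1));
    printf("fatal error, fixed: handled %d of 4\n", demo_handled(1, 1));
    return 0;
}
```

With a fatal error in the second position the buggy loop reports all 4 messages handled, the fixed loop only 1. A `goto` to a label after the loop is the other common idiom for leaving nested control structures in C; either way, the rule a reviewer checks is that every `break` sits directly inside the construct it is meant to leave.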