The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 5

Wednesday 6 June 1990

Contents

o New computerized scoring system fails during Indy 500
Jaime Villacorte
o Nuclear hair-trigger still set (Johnson v. Chain)
Clifford Johnson
o Network follies
Tim Shimeall
o Re: The A320's attacks of nerves
Danny Cohen
o Re: Article on A320 in Aeronautique, April 1990
Pete Mellor
Atkielski
o "Computer to track down drivers without insurance"
SeanF
o Another egregious database
Mark Anacker
o Risks of Caller Identification
David desJardins
o Re: Denial of service due to switch misconfiguration
Larry Kilgallen
o Private mail on BBSes...
David Gursky
o Re: 2600 article
Henry Spencer
o Info on RISKS (comp.risks)

New computerized scoring system fails during Indy 500

Jaime Villacorte <jaime@tcville.hac.com>
Wed, 6 Jun 90 09:08:04 PDT
    The following appeared in an article by Tim Considine in the June 4,
1990 issue of Autoweek. It concerned the use of a new computerized scoring
system manufactured by Dorian Industries, an Australian electronics firm, for
use in the recent Indianapolis 500 race.

    "Data-1, as the system is known, is arguably the most advanced and
    foolproof scoring system in the world. Well almost foolproof." [...]

    "...all monitors went blank on Lap 130 of the race.
      The cause of such a catastrophe: A laser printer ran out of paper
    and the system froze. A simple problem, but one that hadn't been
    simulated during testing.
      However, while the monitors were blank, Data-1's computer kept
    collecting scoring and timing information, even though those in
    the tower couldn't gain access to it for a while.
      Thus the last third of the Indianapolis 500 ended up being scored
    by 33 people with clipboards - the system used for the last nine years
    anyway and which USAC director of scoring and timing Art Graham
    had the foresight to retain as backup."

[ All was not lost though...the computer eventually saved the day :-) ...]

      "Ironically, a mistake was made. In provisional results released
    immediately after the race, Eddie Cheever was seventh and Scott
    Brayton eighth. But a half-hour later, the positions were reversed
    when Data-1's complete scoring data was fed back into the computer and
    the error was found and corrected - Brayton hadn't been credited with
    a lap he'd completed.
      And not only had the new technology proven itself, but for the
    first time in memory, Graham and his crew finished in time for dinner."

                        -  jaime villacorte    jaime@tcville.hac.com

Hughes Aircraft Co, EDSG, POB 902, EO/E52/D203, El Segundo, CA. 90245
(213) 616-8954
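The failure described above (an output device running out of paper and taking the whole scoring display down, while the underlying lap data survived and was later used to correct the provisional results) can be illustrated with a small collector that keeps data collection on a separate path from its output sinks. This is an added example, not code from the Autoweek article, Dorian Industries or Data-1; the class and function names, the simulated printer, and the lap crossings are all constructed for the illustration.

```python
"""Added example (not from the RISKS post or Data-1): a lap-scoring collector
whose output sinks (monitors, printers) are isolated from data collection, so a
failing output never stalls scoring, and standings can be recomputed from the
complete lap log afterwards, as happened with the Brayton/Cheever correction."""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Lap = Tuple[int, int]  # (car_number, lap_number), in order of timing-line crossing


class PrinterOutOfPaper(Exception):
    """Simulated output-path failure of the kind the article describes."""


class LapCollector:
    """Records lap crossings first, then fans them out to output sinks.

    A sink that raises is counted as failed and skipped; it cannot interrupt
    recording, so the timing data stays complete even while outputs are down.
    """

    def __init__(self) -> None:
        self.laps: List[Lap] = []
        self.sinks: List[Callable[[int, int], None]] = []
        self.sink_failures: Dict[str, int] = defaultdict(int)

    def add_sink(self, sink: Callable[[int, int], None]) -> None:
        self.sinks.append(sink)

    def record(self, car: int, lap: int) -> None:
        self.laps.append((car, lap))  # collection happens unconditionally
        for sink in self.sinks:
            try:
                sink(car, lap)
            except Exception as exc:  # isolate output failures from collection
                self.sink_failures[type(exc).__name__] += 1


def standings(laps: List[Lap]) -> List[int]:
    """Cars ordered by laps completed (most first); ties go to whoever reached
    that lap count first. Recomputable from any version of the lap log."""
    completed: Dict[int, int] = {}
    reached_at: Dict[int, int] = {}
    for idx, (car, lap) in enumerate(laps):
        if lap > completed.get(car, 0):
            completed[car] = lap
            reached_at[car] = idx
    return sorted(completed, key=lambda c: (-completed[c], reached_at[c]))


def make_printer(paper_sheets: int) -> Callable[[int, int], None]:
    """Constructed printer sink: prints one line per lap until the paper runs
    out, then raises PrinterOutOfPaper on every further call."""
    remaining = {"sheets": paper_sheets}

    def print_lap(car: int, lap: int) -> None:
        if remaining["sheets"] == 0:
            raise PrinterOutOfPaper("tray empty")
        remaining["sheets"] -= 1
        print(f"car {car:2d} completed lap {lap}")

    return print_lap


def run_demo() -> LapCollector:
    """Constructed race fragment: two cars, a printer with only three sheets."""
    collector = LapCollector()
    collector.add_sink(make_printer(paper_sheets=3))
    for car, lap in [(7, 1), (8, 1), (7, 2), (8, 2), (8, 3)]:
        collector.record(car, lap)
    return collector


if __name__ == "__main__":
    c = run_demo()
    print("laps recorded:", len(c.laps), "sink failures:", dict(c.sink_failures))
    # provisional results built before the last crossing was credited
    print("provisional:", standings(c.laps[:-1]))
    print("corrected:  ", standings(c.laps))
```

Running it shows the printer failing on the last two crossings while all five laps are still recorded, and `standings()` over the full log moving car 8 ahead of car 7 once its uncredited lap is included. The design point is the ordering inside `record()`: persist first, then notify outputs, and treat each output as something that may fail independently.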


Nuclear hair-trigger still set (Johnson v. Chain)

"Clifford Johnson" <A.CJJ@Forsythe.Stanford.EDU>
Tue, 5 Jun 90 14:34:52 PDT
On June 4, 1990, Soviet premier Gorbachev told a Stanford audience that the
cold war was behind us.  On the same day, Stanford computer manager Clifford
Johnson filed his appeal brief in the Ninth Circuit Court of Appeals in San
Francisco, case 90-15276, arguing that he had "standing" to sue General Chain,
the Commander-In-Chief of the Strategic Air Command, to reduce the risk of
accidental launch of Minuteman and MX missiles.

The appeal is from a District Court dismissal of the lawsuit Johnson v. Chain,
et al., case C-89-20265-SW, filed May 1, 1989.  The suit challenges "standing
orders" that assure the immediate launch of Minuteman and MX missiles, at all
times.  Missile launch crews and their commanders are on perpetual alert, at
DEFCON (DEFense CONdition code) 4, instead of the peacetime level of DEFCON 5.
Johnson contends that this nuclear alert gives rise to an ongoing risk of
accidental nuclear launch due to computer-related error, a charge endorsed by
Computer Professionals for Social Responsibility.

Ultimately, Johnson seeks a declaration that the standing orders are illegal
under constitutional, statutory, and international law, as follows:
    (a) in peacetime, based on Congress' required power to declare
        war, and on prohibitions against jeopardizing the peace;
    (b) prior to an actual first nuclear use and without express
        congressional authorization, based on the required power
        of Congress to qualitatively expand war, and on prohibitions
        against disproportionate response;
    (c) at any time, on grounds that they surrender to computers
        all-important war powers, and so constitute an unrepublican
        form of government; and
    (d) at any time, as they require subdelegation to military
        commanders of the decision to launch a nuclear strike,
        which is barred by the Atomic Energy Act and by the
        republican principle of the civilian supremacy.

Taking as true all the factual allegations of risk, the trial court dismissed
the action on the ground that Johnson lacked "standing" to sue the government.
The issues raised in the brief are as follows:

                   THE ISSUES ON APPEAL

    GIVEN present and continuing computer-related risks of
    sudden accidental death to millions, and to the Plaintiff in
    particular, due to the Defendants' standing orders re the
    launch of nuclear missiles;

    WHERE said standing orders are challenged as inherently
    reckless and in excess of authority under constitutional,
    statutory, treaty, and international law;

    WHETHER, under Article III of the Constitution, the
    Plaintiff has standing to sue Defendants, either in their
    official capacities or as individuals, on the grounds that
    Defendants' conduct:

    1.  immediately endangers Plaintiff's life, and diminishes
    its daily quality, without due process, in violation of
    Fifth Amendment to the Constitution; and/or

    2.  is heedless of the dictate of the public conscience
    and/or constitutes a crime against the peace, which
    Plaintiff is specially qualified to complain of, so that his
    standing is assured, respectively, by the Martens clause of
    the Hague Convention Respecting the Laws and Customs of War
    on Land (1907) 36 Stat. 2277 and/or by Article 6(a) of the
    Treaty of London (1945) 59 Stat 1544; and/or

    3.  delegates to error-prone, computer-governed military
    drills ultimate political judgments, imposing upon the
    Plaintiff a here-and-now subservience to unrepublican
    government, in violation of Article IV § 4 of the
    Constitution.

The brief is 50-pages long, and dense with footnotes.  It claims that the
immediate threat of harm, imposed without due process, is an injury sufficient
for standing, even though it is "pervasively shared."  It also argues that
Johnson's injury is particular, in that he works close to a top-priority
target, namely, Sunnyvale's Satellite Control Facility, and in that, as a
British citizen, he has no remedy through the ballot box.  Besides, as an
expert on the relevant technology, he has standing to complain of crimes
against the peace under international law, even if he himself were not injured.
Finally, the case is novel in asserting that the de facto delegation of
political decisions to computers amounts to unrepublican government, and is
actionable.

The government has thirty days in which to respond.


Network follies

Tim Shimeall <shimeall@cs.nps.navy.mil>
Wed, 6 Jun 90 09:12:44 PDT
For reasons known only to them, the folks who run the MILNET/Arpanet gateways
decided to sever the connections at about 9:00am Monday, and reconnect them at
about 4:00pm Tuesday (both times PDT).  Naturally, they gave no advance (or
following) notice of these actions.  (At least, neither our users nor our
system administrators received such notice...)

It is unfortunate that the gateway administrators act with such
apparent disregard for the users and such apparent capriciousness.
                    Tim Shimeall


Re: The A320's attacks of nerves (RISKS-10.02)

Danny Cohen <COHEN@ISI.EDU>
Wed 6 Jun 90 14:43:21-PDT
           About the A320'S ATTACKS OF NERVES

Mr. Bertrand Bonneau (the translator to English) did a terrific job of
translation, given his knowledge of the subject area.  Too bad that the
original writer is not more knowledgeable of aviation.

For example, I was very surprised by the total absence of any reference
to the B757/B767 with their glass cockpits and computers.

The main point of this article is that the procedures were bad, and that
the French FAA was conducting the investigation rather than the French
Department of Justice.  Even if the French judges are only ten times
technically-smarter than ours and if the French-FAA is only ten times
more corrupted than ours, I'd still rather see their FAA, not their DoJ
conduct the investigation.

The article asks (in the sub-headline): "How could the willingness to
declare the pilots responsible for major accidents, EVEN BEFORE THE
JUDGES HAVE RETURNED THEIR VERDICT, appear other than suspect?"  Sure
sounds like a good question.  Well, in the US the NTSB (and the FAA)
typically have "probable cause" within a day, even though investigations
take many months or even years.  Is it suspect, too?

For example, the Aloha B737 experienced an explosive decompression on
28-Apr-88, and the NTSB report about it was submitted only on Jun-14-89,
nearly 14 months later.  However, within a day or two after the accident
everyone was told what happened.  Was this suspect, too?  Neither Boeing
nor RISKS complained about it.  I couldn't find the contribution in RISKS
saying that:
        How could the willingness to declare the
        aircraft responsible for this accident,
        even before the judges have returned
        their verdict, appear other than suspect?

Another example, closer to our hearts: the article says "For example,
the software in the flight warning computer [FWC] included a fault which
a good computer scientist could have repaired without a doubt".

I take it to imply that this shows that because of "*Industrial
Secrets*" (which cover the software) the operating airlines could not
use any "good computer scientist" to simply go ahead and fix that fault.
If this is the case -- how about all the regression testing that ANY
change in operational flight software must go through?  Who would be
responsible for the modified code? etc., etc.

To sum it up: opinionated reporting may leave something to be desired.

                               Danny


Re: Article on A320 in Aeronautique, April 1990

Pete Mellor <pm@cs.city.ac.uk>
Tue, 5 Jun 90 21:03:03 PDT
In RISKS-10.04, livesey@Eng.Sun.COM criticises my recommendation of the
Aeronautique article, as follows:

> Writing of a translated article, he recommends it to us on several grounds,
> one of which is
>
<> b) the fact that it presents a French (and therefore not negatively biased?)
<>    view,
>
> The two problems with this are, first, Airbus is not exclusively a French
> aeroplane.  It is a joint venture between several European countries.
>
> Secondly, there has been quite a lot of negative comment about Airbus from
> French sources, mainly from pilots' unions.

Quite correct on both counts! The umbrella company, Airbus Industrie, is,
however, based in France, and the company responsible for the EFCS, at which
much of the criticism has been levelled, is Aerospatiale, also French. The
representatives of these companies have made extravagant claims for the safety
and reliability of the A320 EFCS in TV interviews (see quotes from the Equinox
programme on fly-by-wire in RISKS-9.42). I am very well aware of some of the
criticisms from French sources, but when I wrote the above, I was thinking of
this fairly vociferous defence of the FBW concept in general, and A320 in
particular.

(On the other hand, criticism emanating from the vicinity of Boeing, for
example, *might* be expected to be a little bit biased. :-)

> The risk here is that of giving one source extra credence on specious grounds.

Yes, it is only one source, but it *did* seem to be fairly well informed. If any
RISKS or Aeronautics digest readers can fault the article technically, I would
be very glad to hear from them.

One thing in my recommendation which *was* misleading was my carelessly worded
statement that the author had drawn some fascinating conclusions about the
cause of the Mulhouse-Habsheim accident. He had not, of course. He merely
raised a few fascinating questions.

Other than that, please judge for yourselves, and read again my disclaimer :-).

Pete Mellor


A 320 article in Aeronautique

<Atkielski.TDS-ASF@SYSTEM-M.PHX.BULL.COM>
Wed, 6 Jun 90 01:01 MST
  Minor erratum:  This article actually appears in the "Aeronautique"
    section of the French science magazine "Science & Vie," in the April,
    1990 issue.  A rebuttal from Bernard Ziegler, technical director
    of Airbus Industrie, may be found in the following May issue.


"Computer to track down drivers without insurance"

<seanf@sco.UUCP>
Sun Jun 3 13:27:33 1990
[This is from clari.tw.computers.]

    BOSTON (UPI) -- Tens of thousands of illegally uninsured drivers in
Massachusetts will be tracked down and hunted when the Registry of Motor
Vehicles implements a new computer-based system beginning Friday.
    The new system, which allows insurance companies to electronically
send the Registry's computer a list of uninsured motorists whose
policies have been revoked for nonpayment, aims at cracking down on the
estimated 300,000 Massachusetts drivers who take to the roads without
insurance.  [...] Police will pursue those individuals who fail to obtain
insurance after being discovered.

[end excerpt]

I think the risks are obvious.


Another egregious database

elroy <marka@dsinet.UUCP>
4 Jun 90 21:11:15 GMT
Reprinted from the June 3rd 1990 Seattle Times:

"Computer-data program to link student with prospective boss"
Newhouse News Service
Lawrence Township, N.J.

Imagine if an employer could find out how many times a prospective employee
had been late for school, or if a business could tap into a pool of high school
graduates and find the model employee.

Those are among the possible uses of an information system being developed by
the Educational Testing Services, the nonprofit institution that administers the
college entrance exams.

Called Worklink, the program is designed to connect education and business by
gathering information from student records and providing it to employers
through a computer data bank.

The idea, according to George Elford of ETS, is to improve the work force by
motivating students, particularly those who might lack the contacts to land a
good job.

Ideally, cost for the program would be shared by schools and businesses - not
the students, Elford says, since it aims to help students who lack traditional
means of "getting a foot in the door".

"Because the advantages of social networks and family influences are reduced
with Worklink, the socially disadvantaged will gain real benefits," Elford
says.

"Students will be competing on their record, not on their ability to create an
impressive resume.  And because the data bank will include teacher ratings,
letters of recommendation and previous work experience, Worklink will avoid
the problems of standardized tests that often compare the disadvantaged with
the advantaged."

Under the voluntary program, everything from prose reading and document reading
to punctuality would be assessed and, subject to student approval, entered into
the student's record.  Such control would be exercised in order to build on an
individual's strengths, says Elford.

The absence of criteria like punctuality might be noticed, however, just as
vital information omitted from a resume would be, he adds.

If the system is successful, says Elford, it would provide an incentive for
apathetic students to do well.

"Worklink, when widely used by employers, is likely to motivate students to
develop and demonstrate their proficiency in a number of areas," he says.
"This increased motivation is likely to lead students to view teachers and
class work as a means to help them build a strong record.  Now, kids (who are
not applying to colleges) know nobody cares what they're doing in high school,
so why work hard? ... Hopefully this would serve as an incentive."

While the reward for the student would be a good job, employers would benefit
by having a competent work force at their fingertips.

Pilot projects for Worklink will be launched in Tampa, Fla., and Spokane, Wa.
this fall if business leaders in those communities agree to cooperate, says
Elford.

It will be at least a couple of years before the results of the pilot are
known, but Elford hopes Worklink will eventually catch on throughout the
country.

"I'd like to see this kind of record system used in most localities in 10
years," he says.  "Our hope is this will raise the whole level of attainment
in schools and in the workplace."

[Now let's see... ETS's standardized tests are no good, so they want to add
an even MORE intrusive system.  Is it just me, or does anyone else have a
problem with this?]

Mark Anacker, Digital Systems International, Inc., Redmond WA USA (206)881-7544


Risks of Caller Identification (Re: Lesher, RISKS-10.04)

David desJardins <desj%idacrd@Princeton.EDU>
Tue, 5 Jun 90 23:26:25 EDT
From: David Lesher <wb8foz@mthvax.cs.miami.edu>
> Given the level of violence within the general population around
> here, the CID block seems to have made a classic RISKS mistake. A system
> designed for less critical use has been thrust beyond its design
> parameters into a life-dependent role.

   I think you are misplacing the blame.  Anyone who chooses to have
their life depend on call blocking deserves what they get.  (As you
point out, the call blocking isn't useful for those trying to conceal
their law-enforcement relationship in any case.)
   If you walk up to my door and knock, I can find out who you are (by taking a
photograph through my peephole).  So logically police informants don't expect
to be able to walk up to doors anonymously.  Neither should they expect to be
able to enter homes via telephone anonymously.
                                                     -- David desJardins


RE: Denial of service due to switch misconfiguration

<Kilgallen.Catwalk@DOCKMASTER.NCSC.MIL>
Wed, 6 Jun 90 18:49 EDT
In RISKS DIGEST 10.01, Marc Horowitz writes:

>        It turns out, that as a "client," MIT doesn't get automatic updates
>when new exchanges are created.  Without this information, the switch has no
>clue how to bill the caller, or even if it should let the caller make the call.
>So it assumes the worst case, and disallows anyone from making the call.  The
>switch had to be manually programmed with the necessary information about the
>new exchange.

This problem is not restricted to organizations which run their own switch,
or those with an ESS.  There are *lots* of plain ordinary PBX's in this
divested world which have automatic "route selection" to decide whether to
send that outbound call over normal or WATS circuits, and in my experience
these often don't get updated with new exchange codes, so calls simply
cannot be made in the absence of routing information.  In at least one
of these cases the PBX was one maintained by AT&T, which apparently did
not have good communications with its former child, New England Telephone.

But wait, there's more...

I had a problem when I first got a cellular phone (as soon as they were
offered in Boston).  Well, there was the aforementioned problem that PBX's
had not been loaded with information about the new cellular exchange codes.
But also, I found that I could not forward calls from a residential phone
to the new exchange.  Sure enough, the ESS run by New England Telephone
had not been updated with information on how to forward to exchanges run by
a "different" company, NYNEX Mobile Communications (both companies are owned
by NYNEX).

Larry Kilgallen


Private mail on BBSes...

David Gursky <dmg@lid.mitre.org>
Mon, 4 Jun 90 14:50:06 EDT
In Risks 10.03, nazgul@alphalpha.com (Kee Hinckley) poses some questions on
handling private mail on BBSes that deal with illegal activities (the messages
that is, not the BBSes in general).

It is true that as a Sysop, you can't legally read private mail to others.  The
loophole is you can read public mail.  What many BBSes here in the Washington
area do is (1) prohibit private mail, except to and from the Sysop or (2) put
up a public notice announcing there is no private mail on the BBS, only
public and semi-private, and the Sysop reserves the right to inspect (read)
all messages. Should a prospective user not be willing to abide by either (1)
or (2), they need not use the BBS.


Re: 2600 article

<henry@zoo.toronto.edu>
Mon, 4 Jun 90 12:43:53 EDT
>...suggests that I can be arrested based on the contents/usage of my
>BBS, even when I'm unaware of that usage...
>...it seems to me that the Electronic Privacy Act prevents me from taking
>any actions which would let me prevent the misuse of my board...

The real problem here is that the courts are still fumbling with the question
of whether electronic media are publishers or common carriers.

A publisher, e.g. of a newspaper, is very definitely responsible for what he
prints, and cannot claim innocence just because he wasn't paying attention to
what the reporters were writing that day.  A common carrier, e.g. the phone
company, merely provides communication services and bears no responsibility for
the content of messages.  Most electronic media fall in a vast gray area in
between, and nobody can really predict how a major court case would go.

Eventually, precedents and legislation will settle things.  Meanwhile, one
should not be surprised if law-enforcement people assume the worst.  Deciding
who is guilty and who is innocent is the courts' job, not theirs.  In the
absence of solid rules (nonexistent as yet) and informed judgement (unlikely,
given that most of them are computer-illiterate), they have few options.  When
they don't understand what's going on and the rulebook doesn't help, but there
are definitely people being victimized, all they can do is arrest those who
appear to be involved and hope they aren't too far wrong.

Henry Spencer at U of Toronto Zoology               uunet!attcan!utzoo!henry
