The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 58

Sunday 4 November 1990


o Canadian Auditor-General fears computer sabotage
David Sherman
o U.S. Sprint new calling card system
Jim Morton
o Chilling Advertisement
Cindy Tittle
o Prodigy Censors Users
Dave King
o "Expert Systems in the Loop" explained
Randall Davis
o Re: Airliner story
Christopher C. Stacy
o Info on RISKS (comp.risks)

Canadian Auditor-General fears computer sabotage

David Sherman <>
Wed, 31 Oct 90 21:03:00 EST
Toronto Star, October 31, 1990, page C1:

  "Dye fears computer sabotage" (By Shawn McCarthy, Toronto Star)

The federal government's computer systems are vulnerable to sabotage or
disaster, Auditor-General Ken Dye says.  Dye said a number of departments have
been negligent in ensuring their information systems are tamper-proof.  As a
result, there could be disruptions in the payment of old-age pensions, family
allowance and unemployment insurance, the auditor-general said in his report
released yesterday.  "Most, if not all, programs of government could not be
delivered today without the support of computers," Dye said.  He noted that
everything from income tax returns, to social security payments to a request
for a social insurance number depend on government computers.

Unauthorized access to them can also compromise confidential business
information.  "And yet, unlike people and money, this vital asset is not
adequately supported by political interest, management attention, lines of
accountability, or leadership from central agencies.  "In an information age,
that's like running a railroad without signals or a busy airport without air
traffic controls," Dye said.  He noted that in a four-month period earlier this
year, there were 21 reported incidents of so-called viruses infecting several
hundred government microcomputers.  There was also a security incident
involving the infestation of 28 microcomputers on Parliament Hill.

The RCMP [Royal Canadian Mounted Police, Canada's national police force -DS]
also reported 11 incidents of illegal penetration of government computer
systems to date.  Many of these problems could have been avoided with proper
security, Dye said.  He noted that the RCMP has advised the government for the
past 10 year that computer security needed to be beefed up.  But Dye said 12 of
13 departments reviewed had not addressed the threats and risks to their
computer systems.

Meanwhile, the use of computers is growing rapidly.  There are now more than
80,000 computer workstations in the federal government and 500 minicomputers
and mainframes.  At the same time, there is a growing number of people with
both the know-how and the desire to gain illegal access to federal computers,
Dye said.

But Treasury Board staff said the government is committed to upgrading computer
security and has been working on it since 1986.  "Most institutions have made
significant progress since 1986," the Treasury Board said in comments contained
in the report.  But Dye said that, after 20 years of warnings, "the government
still has not provided all the urgently needed security training."  While there
is increasing demand for RCMP inspection and consulting services, the force has
added only one new inspector in the past five years.  As well, the government
has not provided an adequate backup system in the event its computer system is
knocked out by fire, power outage or natural disaster, Dye said.  "In our
opinion, departments and agencies have been negligent in not satisfying this
need and in failing to make an adequate commitment to threat and risk

Dye told a news conference that virtually the entire government operation could
be halted by a terrorist or earthquakes.  And unlike the private companies, the
government has no backup.  "The private sector would be up in days," Dye said.
"We would be months stumbling around until we were back in business."

U.S. Sprint new calling card system

Jim Morton [ext 237] <jim@applix.UUCP>
1 Nov 90 19:08:07 GMT
U.S. Sprint just announced that they are "Beta-testing" a new phone calling
card system that will use voice spoken card numbers, and no card number entries
will be able to be entered by touch-tone keys. This presents the risk of the
person at the next pay phone to you overhearing your calling card number as you
speak it and be able to write it down and distribute it to other people as has
happened with PC Bulletin boards around the country. To make the matter worse,
9 of the digits in the "voice card" number are your SOCIAL SECURITY NUMBER.
There have been endless discussions on Usenet about the SSN privacy issue.  I
would urge people to consider these risks before participating in this

Jim Morton, APPLiX Inc., Westboro, MA    ...uunet!applix!jim

Chilling Advertisement

Cindy Tittle <tittle@ics.UCI.EDU>
Wed, 31 Oct 90 16:20:13 -0800
I just saw a rather chilling advertisement in this week's edition of Newsweek
(November 5, 1990).  It features a computer monitor/keyboard with a Sherlockian
cap hung on one corner.  The bold type says "Information is your company's best
protection from liability."  OK so far, then I read on:

"Get it fast — without leaving your desk.

Think about it.  Know your potential employees.  Verify the business credits of
new accounts.  Or, check out your new vendors.  Just hit a few keystrokes on
your personal computer and you've got it.

Information from UCC, civil and criminal record filings, Secretary of State,
and more, allow you to uncover bankrupticies, pending litigation and a wealth
of information that may protect your company from liability — or even loss.
All you need is a personal computer and existing software.  That's right.  View
it — Print it — Store it.

CDB Infotek's Investigative Information System is an on-line database designed
to proved access to public record information for company security, credit,
personnel and management departments.

Not only is CDB Infotek's on line service one of the most comprehensive in the
industry, it's easy to use.  And it's fast.

Before you make a decision — check the records — check with CDB Infotek.




Prodigy Censors Users

Dave King <>
04 Nov 90 11:53:27 EST
Apparently, Prodigy is evicting users who are voicing their opposition to a new
Prodigy policy which will implement charges for EMAIL messages within the
Prodigy service.  In 1991 Prodigy will implement a policy which charges users
25 cents for every EMAIL message they send after the first 30 every month.
Prodigy users who have been vocal in their displeasure, and who have used the
facilities of Prodigy to attempt to recruit others to their cause, have found
themselves booted from the service.  According to a story by Evelyn Richards, a
Washington Post staff writer:

...  This week [Prodigy] unplugged about a dozen outspoken dissidents whom it
says were pestering innocent users with the electronic equivalent of junk mail.
But what Prodigy sees as a way to stop needless harassment seems to others as a
blatant example of censorship.  That's because the people bumped from the
Prodigy system included the most active critics of a planned price increase for
Prodigy's electronic mail service.

Using electronic mail on the network, the dissidents had urged other
subscribers to join the revolt by boycotting the advertisers that buy time on
Prodigy's network.  "Prodigy is arguing they don't want people harassing their
users," said Gary Arlen, editor of Interactivity Report, a Bethesda newsletter
that follows the on-line industry.  I think that's a stretch.  It's a way to
keep their advertisers pleased."

The incident is the latest to spotlight the difficulties society faces as it
struggles to adapt old laws and customs to emerging electronic networks. ...
Some people say on-line services should protect the right of all expression, as
a phone system does, while Prodigy argues it is more similar to a newspaper,
which is free to publish what it chooses.

Prodigy's troubles began two months ago when it announced that households would
be able to send their first 30 electronic mail messages free but would get
charged 25 cents for each additional message.  A core of angry subscribers
first protested by posting notices to Prodigy's on-line bulletin boards, the
computer equivalent of neighborhood kiosks.  Prodigy said it posted thousands
of such complaints for others to read - but it didn't publish them all.

When the writers urged a boycott of Prodigy advertisers - firms selling
products on the network - Prodigy's editors returned the messages to the
senders.  "We're not going to post something designed to destroy our business,"
said Geoffrey Moore, Prodigy's director of market programs and communications.
Moore likened the decision to a newspaper rejecting a letter to the editor, or
rejecting an advertisement that criticizes the newspaper's largest advertisers.

This week Prodigy decided enough is enough and refused to post any more
messages about the rate increase.  But what especially angered officials was
when the dissidents innundated other users with electronic chain letters urging
them to join the protest and boycott.  Moore said users complained, so Prodigy
bumped the offenders.

And now the protestors say that's unfair.  "We're not being abusive.  We're not
being vulgar.  All we're doing is making our (opinions) known," said Larry
Wienner, 22, a Prodigy user from Randallstown, Md.  Wienner said the bumped
dissidents are so hooked on Prodigy that they may try to re-subscribe under
assumed names.


"Expert Systems in the Loop" explained (RISKS-10.52)

Randall Davis <>
Wed, 31 Oct 90 12:42:06 est
Martyn Thomas <> writes:

> The original article was mine, and referred to a report of a new research
> project in the UK to develop an expert system to advise commanders in
> tactical situations which are too complex to analyse without assistance.

> This report *explicitly* referred to an expert system. The point of my
> original posting was that an expert system which provides advice, in
> circumstances where a decision must be made and there is insufficient time
> for the commander to analyse the situation him/herself, is effectively
> making the decision. Many who followed up agreed with this viewpoint.

Fair enough.

Note also that a small variation on your fundamental claim is equally true:

 ... an EXPERT who provides advice, in
 circumstances where a decision must be made and there is insufficient time
 for the commander to analyse the situation him/herself, is effectively
 making the decision.

That is, as is frequently true in these situations, not only is this not a
matter of expert systems, the computer itself is almost competely irrelevant.

It's a matter of being in a complex, time-constrained situation and needing to
make a decision.  If you don't have the time to consider carefully what to do,
you're just about equally up the creek whether you get the advice from a
machine or from another human being.

The moral of the story: try not to put yourself into those positions in the
first place.  Neither computers nor humans will get you out of it, and neither
of them is to blame for your predicament.

Airliner story (Re: Cherniavsky, RISKS-10.55)

Christopher C. Stacy <>
Wed, 24 Oct 90 19:46:01 EDT
I believe my original response explained the reasons why transponders are
required.  I must again emphasize that a safe flight under an IFR flight
plan, such as in the "horror story", can by all means be completed without
a transponder (or indeed, without any radar equipment, although nobody is
suggesting this alternative as convenient or desirable.)

We could discuss the details of the ATC issues related to the story, but
I didn't raise those originally because I didn't think this was really the
most appropriate forum for that lengthy technical discussion.

In order to clear up possible misunderstandings, I will respond to the specific
points you have raised in your message.  I could just quote regulations to make
my point, but I think it would be more useful to everyone else if they had some
more general background information about the procedures for conducting flights
like the one in the story.  So I'll start with an explanation of IFR, for those
who are not as familiar with aviation.

Airplanes are navigated by the pilot, not by ATC from the ground.

During good weather conditions, planes can operate under Visual Flight Rules
(VFR), whereby the pilot is responsible for (among other things) "seeing and
avoiding" other airplanes. When the weather is not good enough for flying
around this way, you operate under Instrument Flight Rules (IFR).  The IFR
concept is also based on pilots doing their own navigating, but it's along
completely specified routes.  Air Traffic Control (ATC) manages these routes to
make sure that only one single airplane occupies a given piece of airspace at a
time, since the planes can't see each other.  This function gives pilots a
rather special, personal meaning to the idea of "trusting the Government" :)

A fundamental component of IFR is the Flight Plan, which is the routing
specification for this particular flight.  As the flight progresses from
takeoff to landing, the controllers update the status of the flight, as
recorded on little strips of paper they push around.  This is all fairly
computerized, but can also be done with a pencil.

The pilot finds his way by referring to the charted route, and his Flight Plan,
and the onboard navigation instruments.  The most common instrument is a radio
receiver called a VOR, which listens to special ground stations that define the
airways.  There are other radio-based systems, such as LORAN, and also
self-contained systems like inertial guidance (famous from the KAL-007
disaster.)  The degree of onboard automation to navigate and automatically fly
the plane varies widely.

The pilot and controllers talk to each other over the radio, as the controller
clears the plane into each successive block of airspace.  There are contingency
procedures for a loss of communication, based on expectations from the Flight

The clearances for a plane to enter a portion of an airspace route are based
upon the amount of separation that will be achieved between all the traffic on
that route.  The present speed of an aircraft and its known position are used
to figure out when it's safe for it to be cleared to move along.

ATC uses radar to watch the planes along the routes; this kind of direct
feedback allows them to increase the traffic density.  If radar is not
available, everything still works, but much more slowly.  Without radar, the
pilots have to regularly inform the controllers of their location, and verify
their assigned altitude.  In order to guarantee safety, the separation minima
are much greater when there is no radar contact.

The key point here is that without radar, or even radio communications, the air
traffic system can still keep putting IFR flights into the air with safety,
even if reduced to pencil and paper.  However, it couldn't keep up the volume
of service we are accustomed to, and all our flights would be delayed
considerably without these goodies.  This is why radar transponders are
normally required equipment.  But transponders do break.

In our story, we had not lost radar capability, but only the transponder.  The
transponder responds to radar signals by transmitting ("squawking") a coded
signal containing the the flight's assigned ID number, and the altitude.  In
addition to providing a more reliable signal, the ATC computers would normally
receive and use the ID number and indicated altitude to automate certain
tracking functions.

If our flight had been further along its route when the transponder failed,
assuming the pilots didn't want to land as a precautionary measure against more
critical system failures, they could have received clearance to simply continue
to Dulles airport and land as they had planned.

The exact separation procedures applied to this plane would vary, depending on
the type of automation available to each controller, and other things.
Depending on the effects of this, ATC might also decide to re-route us to
another less busy airway, for greater safety and to not restrict the flow of
other traffic on the original route.

On our way, we could be in radar contact, although the controller would have to
initially point at our target's primary return on the screen to tell the
computer which flight that was.  Next to the little "." or "+" representing our
airplane, the system could then display the usual data block (flight ID and
other information), except for the altitude readout, just as if it were a
normal flight.  Our aircraft could probably be radar separated laterally by
between 3 and 5 miles, depending on the phase of flight and a bunch of other
factors.  Vertical separation (altitude assignment) would be based on the other
traffic's altitude readout and our own altitude as reported by our pilot.

The enroute radar systems at a regional Air Traffic Control Center would
generally be able to track a primary return.  However, at the end of the
flight, the destination Approach controller might not have a system (such as
ARTS IIIA - Radar Tracking & Beacon Level) that could track and predict primary
returns.  I guess this would probably mandate an increase to higher separation
minima than usual, during the final phases.

I'm not an air traffic controller or anything, and I'm not going into
excruciating detail on all the separation minima and equipment and procedures;
there are books available; I think you have the idea now.

Onto Ellen's specific complaints ...

   Reasons for being concerned about the lack of a working transponder are:
   an aircraft with invalid altitude data is not eligible for processing
   by the conflict alert function, and in order to enter a Terminal Control
   Area an aircraft must be equipped with a 4096 code transponder (so without a
   transponder the pilot could not fly into Newark, Kennedy, La Guardia,
   Atlanta, Dallas/Fort Worth, etc.).  Agreed this is not an immediate major
   safety problem, but there are good reasons not to proceed without
   a transponder.

There are two issues here: Conflict Alert, and transponder requirements.

Conflict Alert is a set of features on some of the fancier Approach
controller's radar systems.  It is worth noting that only some of the radar
systems have this feature (for example, ARTS II doesn't.)

The first kind of Conflict Alert has to do with the terrain/obstruction
clearance map programmed into the system.  Basically, when an aircraft is off
the correct landing approach path, the system warns the controller.

The other Conflict Alert feature has to do with converging aircraft.  In an IFR
environment, this is just an additional safety feature; the separation criteria
already provide for airplanes not be close to each other.  It would warn the
controller if the airplanes got closer than 3 miles.  Of course, with arrivals
effectively slowed down due to increased separation minima, the controller can
simply monitor the separation manually.

For Conflict Alert to work, it has to have the plane's altitude readout from
the transponder.  So, if your transponder is not squawking your altitude, you
would indeed lose these extra safety features.  Lots of IFR flights are
conducted to or from airports which don't have radar services available.
Anyway, Conflict Alert is often turned off at ones that do.

Your statement about not being able to fly into a major airport (inside of a
TCA) without a transponder is simply false, and appears to stem from an
incomplete knowledge of the relavent regulations.  Maybe you just heard someone
briefly explain the rule in one sentence or something.

You can't fly into various kinds of airspace unless you have an operating
transponder.  In particular, you can't fly into the 30 nautical mile "Mode C
Veil" around a TCA without an altitude encoding transponder.  Unless the
controllers authorize you to do so.  To wit:

  FAR 91.215 (d) ATC transponder and altitude reporting equipment and use;
  ATC authorized deviations.  ATC may authorize deviations from paragraph
  (b) of this section — (1) Immediately, to allow an aircraft with an
  inoperative transponder to continue to the airport of ultimate
  destination, including any intermediate stops, or to proceed to a place
  where suitable repairs can be made or both, (2) Immediately, for
  operations of aircraft with an operating transponder but without
  operating automatic pressure altitude reporting equipment having a Mode C
  capability; and (3) On a continuing basis, for operations of aircraft
  without a transponder, in which case the request for a deviation must be
  submitted to the ATC facility having jurisdiction over the airspace
  concerned at least one hour before the proposed operation.

If you refer to the Airman's Information Manual (170), or the Air Traffic
Controller's Handbook (5-41), there are additional notes on the subject.

I don't understand the sources of some of the people making various claims
about the air traffic system and its risks.  I am just a simple four-month old
private pilot (not even instrument qualified) and my information comes from my
primary training, reading basic textbooks, and asking questions to the local
FAA experts (the folks at Boston Center.)  I wish people would research things
more before making scary statements.

If people would like to continue this discussion in this kind of detail, I
would be willing, but I consider this all to be a sidetrack from the essential
points about the airliner story and how IFR flight works.  Not to mention
whether the Airbus is safe or not.

My messages on the subject may have been somewhat charged, and if I have
needlessly offended anyone, I apologize.  However, the misinformation and
misconception of issues surrounding flying is generally enormous, and I felt
compelled to introduce a few facts and context into the discussion.  I hope
anyone has found this useful.

There are definitely risks associated with aviation, but unfortunately it's a
technical enough subject area that it can be difficult to understand and
evaluate without alot of detailed knowledge.

I think that the risks associated with systems such as fly-by-wire (remember
that?)  is a useful topic for discussion here, especially in broad terms of
raising the basic risk awareness.  I would be wary of certain kinds of
micro-analysis however, unless you're pretty sure of what you're talking about.

Have you ever noticed when you read a newspaper or watch television
news, that, quite often, technical issues you happen to be familiar with
are misunderstood and distorted?  I hope that similar treatments of our
varied issues will not become the usual practice in RISKS.

Please report problems with the web pages to the maintainer