The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 62

Monday 19 November 1990


o Playboy jammer who jammed Hefner's 'jamas gets jammed
o Telephone cable cut eliminates O'Hare tower communications
Richard I. Cook
o Tomatoed 911
Rob Boudrie
o Computer-Aided Gerrymandering
Steve Summit
o GOES mirror problems caused by oversimplified analysis
Henry Spencer
o Re: Privacy concerns about new Lotus "Marketplace" product
Dan Aronson
o AFCEA's 2nd Annual Military / Government Computing Conf/Exp
Jack Holleran
o Info on RISKS (comp.risks)

Playboy jammer who jammed Hefner's 'jamas gets jammed

"Peter G. Neumann" <>
Mon, 19 Nov 1990 14:47:24 PST
Many moons ago there were several up-link spoofings, including Captain Midnight
interrupting HBO to protest signal scrambling.  (See RISKS-2.49, RISKS-3.24,
SEN 11 3, 11 5.)  As a result of that case, the U.S. Congress passed a law
making satellite hacking a felony.  The first person convicted under that law
is Thomas M. Haynie, an employee of the Christian Broadcasting Network (CBN)
who preempted the Playboy Channel in 1987 with a religious message.  (See
RISKS-5.36, SEN 12 4.)  The detective work to identify the culprit used a form
of electronic fingerprinting to identify the character generator as a Knox K50,
of which only five were located in satellite ground stations.  Sentencing is
set for 7 Dec 90, with the max being 11 years in prison and $350,000 in fines.
[Update culled from IEEE The Institute, December 1990, p.6.]

Telephone cable cut eliminates O'Hare tower communications

Mon, 19 Nov 90 09:58:32 EST
>From the New York Times:

             Severed Phone Line Disrupts Chicago Zone

     A contractor planting trees severed a high-capacity telephone
  line in a Chicago suburb yesterday morning, leaving 150,000 people
  without long-distance and most local telephone service and
  disrupting businesses across a wide area.
     Teller machines at some banks were paralyzed, and flights at
  O'Hare International Airport were delayed because the air traffic
  control tower there temporarily lost contact with the main Federal
  Aviation Administration air traffic control centers for the
  Chicago area.  The Illinois Bell Telephone Company said the line was
  accidentally cut at 10:02 AM, Central daylight time, and cautioned
  that full service would not be restored until midnight.
     About half the calls blocked by the severed cable were being
  electronically routed around the break by mid afternoon, said
  Michael E. LeBeau, an Illinois Bell Official.
     People calling telephones with area code 706 in the affected
  towns recevied a "fast, busy signal," said Gloria A. Pope, a
  spokeswoman for the utility.
     Some flights at O'Hare were delayed by up to two hours but
  safety was not affected, said James A. Dermody, a spokesman for the
                 The New York Times (National Edition), Tuesday,
                 16 October 1990, page A14.

   Numerous functions and services in large, complex, systems may be dependent
on apparently distant or unrelated events.  Such large systems intrinsically
have 'latent failures' within them, i.e. failures which are only apparent under
a specific set of (often obscure) triggering conditions [Reason J, Human Error,
Cambridge U. Press, 1990].

   The combination of the contractor digging, the location of the cable, the
signals routed through it, the nature of the use of those signals, the time of
day, and a host of other factors must join in confluence in order to produce
the outcome.  Other large systems failures, including Three Mile Island, the
Vincennes, the Stark, Challenger, and especially Apollo-13, display this same
confluence of (apparently) unlikely events and conditions.  The current state
of understanding of complex system failures [cf.  Rasmussen J, Information
Processing and Human-Machine Interaction: An Approach to Cognitive Engineering.
New York: North-Holand, 1986] and complex system successes [cf. Rochlin GI, et
al., The Self-Designing High-Reliability Organization: Aircraft Carrier Flight
Operations at Sea, Naval War College Review, Autumn, 1987, pp.76-90] is that
failures are virtually never the result of a single fault and that arguments
about the nature of causality which focus on single faults mistake the
intrinsic nature of these systems.  The disasters which arise in complex
systems nearly always have an apparent trigger (e.g. captain's failure to
follow procedures for ship navigation) but the event produces disastrous
consequences only in a particular setting (i.e.  limited navigation tools,
schedule pressures, limited manning levels, faulty communications links, faulty
superveilance) and that removing the possibility of the particular trigger
event does not markedly enhance system safety [for a good example, read the
complete report see Marine Accident Report, Grounding of the U.S. Tankship
Exxon Valdez on Bligh Reef..., NTSB/MAR-90/04, Washington, D.C.: National
Transportation Safety Board, 1990].  Similarly, the recent Hubble telescope
issues are gradually becoming focussed on the nature of the project as a large
system rather than on the single test/single fault approach [Waldrop MM.
Hubble:The Case of the Single Point Failure.  Science 1990, 249: 735-6].

   The issues of complex, high-risk/high-reliability system failures arise in
numerous disciplines, almost all of which rely on computers to provide
information to human operators.  Faults and failures of such systems produce
intense pressures to modify the system components in such a way as to forestall
their recurrence.  Unfortunately there is little evidence that these pressures
are effective in increasing overall system safety [Bowman E, Kunreuther H.
Post-Bhopal Behavior at a Chemical Company.  Journal of Management Studies,
1988, 25:4].  Large systems represent such significant investments that they
are difficult to abandon [Ross J, Staw BM. Expo 87: An Escalation Prototype.
Administrative Science Quarterly, 1986, 31:274-297] and it is very difficult to
know that retroengineering has produced a markedly more reliable system.  The
Shuttle may be an example of such a system.  It represents a such a large
component of the space program that scrapping it and starting over is virtually
impossible and there is certainly no guarentee that any new system would not be
equally fragile.  A rare example of abandonment of a large technical system in
favor of another design for primary safety reasons is the new generation of
nuclear power generating systems [Golay MW, Todreas NE. Advanced Light Water
Reactors.  Scientific American, April, 1990], although the technical features
of these 'intrinsically safe' plants are difficult to assess.

   Arguments about whether a computer is 'expert', or 'advising' human
operators are unlikely to produce much useful progress towards developing safer
large systems.  Indeed, these arguments tend to results in polarized
discussions about the roles of technological elements versus the roles of human
operators which are little more than the sort of 'hunt for proximal cause'
which is described above.  The risks of large, computerized system failures are
those which accrue to the system rather than to the components.  It is clear,
however, that pressures during design to meet specific performance, economical,
or political requirements may lead to designs which are destined to operate
near the extremes of the safety envelope.  These pressures, in turn, lead to
systems designed to perform more and more at the edge of the safety envelope
[Andrewa EL. Sensing the Presence of Potential Problems.  New York Times,
Sunday 6 May 1990, p.F6].                                            [Andrews?]

   It is particularly instructive to examine the roles of human operators in
these systems as they are actually practiced by the operators (rather than as
they are defined by rules and procedures, doctine, etc.).  In many, even most,
such systems, the operators are highly skilled individuals who have developed
novel and often quite elegant means for achieving system performance with tools
which are only partially suited to the purpose.  For example, aircraft pilots
modify their environment in a number of ways, including hanging notes on the
consoles with paper clips, using the flight management systems in unorthodox
ways to plan their flight, etc.  Anesthesiologists modify their equipment
configurations to preserve certain, critical features of the data display in
order to maintain specific relationships on the screen [Cook, et al., The
Natural History of Introducing New Information Technology into a High-Risk
Environment.  Proc. of the Human Factors Society 34th Annual Meeting.  Santa
Clara, CA: Human Factors Society, 1990, pp. 429-433].  These adaptations are a
source of information about the nature of operations, system critical
performance areas, etc. and may provide means for improving system feartures in
order to produce more robust systems [Hollnagel E.  The Design of Fault
Tolerant Systems: Prevention is Better Than Cure. 2nd European Meeting on
Cognitive Science Approaches to Process Control, Sienna, Italy, 24-27 October,
1989].  Remarkably, operators usually understand the system performance in ways
which the designers do not, and achieve safe and efficient operation through
various means.

   The loss of telephone connection is a particular kind of fault in a large
system, one which stresses various system elements in various ways.  In this
case, it did not apparently cause any airplane crashes, destroy any bank
records, etc.  But it is particularly instructive to consider what the nature
of the arguments would be if there had been an incident at O'Hare, say the
collision on the ground of a taxiing and landing aircraft, or a near miss
because the handoff to air traffic control was blocked.  In these cases the
communications system would have come under intense scrutiny (much as did the
one in Valdez after the Exxon tanker disaster).  What is fascinating about
computer associated risks, at least to some, is that some components of the
system are resilient and flexible in ways that minimize the effects of
component failures.  Much of this flexibility resides in the human operators of
complex computerized equipment and much of the obstacle to improving safety and
mimizing computer-associated risks depends on the care with which computer
system designers produce devices which meaningfully enhance that flexibility.

                                    Richard I. Cook, M.D.
                          Cognitive Systems Engineering Laboratory
                                 The Ohio State University

   [Don't forget the classical case of logical redundancy compromised by a
   lack of physical redundancy, the ARPANET routing between NY and New England
   via 7 logical circuits, all of which went through the same fiber-optic
   cable, and all of which were cut in one swell foop on 12 Dec 86.  (See
   RISKS-4.30 and SEN 12 1, January 1987.)  PGN]

Tomatoed 911 (RISKS-10.60)

Rob Boudrie <>
Fri, 16 Nov 90 17:48:58 EST
A recent posting described an answering machine, without any dial-out
capability, which somehow managed to dial 911 when juice from a decaying tomato
dripped on it.

there was speculation about undocumented "autodial" features in the phone. I
have an alternate explanation:

Although most modern telephones use DTMF (tone) dialing, some older phones use
"pulse dialing", in which the circuit is broken in rapid sequence [In my
younger years, I used to be able to dial any number on a telephone by banging
on the switchhook - I did this just in case the dial broke, not so I could dial
out from phones with locks on the dials :)].  Modern telephone switches
recognize both pulse and DTMF dialing, except where DTMF tones are filtered out
for customers who don't pay a surcharge for DTMF service.

So...It is very possible that the tomato juice was causing some sort of
electrical condition that resulted in the machine rapidly going on and off line
in an intermittent manner.  Although unlikely, it is possible that this
resulted in 9 rapid on/off cycles, followed by two single on/off cycles at a
lower pace.

Rob Boudrie                               

Computer-Aided Gerrymandering

Sun, 18 Nov 90 14:16:02 -0500
Naif that I am, I always thought that gerrymandering was a "bad word," a
practice that no modern thinking person would speak of except to
denounce.  Wrongo.  Under the headline "GOP hopes high tech will give it
edge in redistricting", the Boston Globe (November 18, 1990, page 5)
mentions "how bad the GOP has been at gerrymandering in the past" (i.e.
that they did it ineffectually, not egregiously) but that they "have
learned a lot about redistricting in the intervening nine years."

    "There's no big secret about this; we haven't been very good in
    the last few decades at this redistricting game," [political
    director of the Republican National Committee Norman] Cummings
    said in an interview.  "You'd always like more, of course, but
    we're in much better shape now compared to 10 years ago... and
    the Democrats could be in for a surprise before it's all over."

After discussing the implications of the shifts in party balance due to
the recent elections, the article finally gets to the "high tech" part,
describing how the Republicans "plan legal assaults, assisted by new
computer capabilities."

    This strategy is based mainly on the Civil Rights Act of 1982,
    which mandates that districts with a majority of blacks,
    Hispanics, or other minorities must be drawn wherever possible.

    With that in mind, the GOP has devised software allowing anyone
    with a computer to draw alternative lines and has arranged for
    civil rights groups to obtain it for free.  The intent is for
    minorities, who tend to vote Democratic, to be grouped together,
    leaving more Republicans in adjoining areas.

    "What the Republicans want to do is go in and create one black
    district that will result in weakening three or four Democratic
    districts to make them Republican or at least competitive," said
    Howard Schloss, spokesman for the Democratic Congressional
    Campaign Committee.

Neat trick; use a law which was intended to protect minorities, when
they had less political power, against them now that they have more; and
dangle bait (the software) which will let them do your job for you.
It may be working:

    An initial foray into tinkering with minority districts, partly
    by using the GOP's software, was to be made this weekend in
    Texas by several groups whose function is to get more minorities
    involved in the political process; they include the Southwest
    Voters Project and the Mexican-American Legal Defense Fund.

    Those organizations' work has tended to benefit Democrats in the
    past, but Republican officials hope that is about to change.

    "Both minorities and the Republican Party have been the victims
    of gerrymandering by the Democrats," said Benjamin Ginsberg, the
    Republican National Committee's chief legal counsel, who plans
    to attend the strategy session in San Antonio.  "So this is a
    natural alliance for the redistricting process."

Once again, the underlying RISKs are as old as the hills, but a bit of computer
assist can allow them to be exploited ever-so-much-more-so effectively.

Steve Summit                                       

GOES mirror problems caused by oversimplified analysis

Sun, 18 Nov 90 17:37:52 EST
Catching up on my reading, I found a very interesting piece in the Aug 13
issue of Aviation Week & Space Technology.  The next series of GOES weather
satellites are experiencing serious development problems:  the main mirrors
of their imaging systems warp when exposed to extreme temperatures.  (To
head off the inevitable question:  this is *completely* unrelated to the
Hubble telescope's mirror problems.)  To quote:

    The design for the new mirrors was derived from Ford [prime
    contractor] and ITT [instrument subcontractor] experience in
    developing smaller mirrors for the Indian Insat spacecraft.
    A computer model of the mirrors initially used to verify their
    stability showed that they were designed properly.  That model
    was based on 30 data points across the mirrors.

    But during thermal vacuum testing in late 1989, when the
    mirrors were integrated with the sounder and imager telescopes,
    the instruments began to show anomalies... [initially thought
    to be possibly due to other problems].

    ITT engineers were not completely sure what caused the problem,
    however, so they devised a more complex computer model of the
    mirrors that used 1600 data points instead of 30.  The improved
    tests showed that the mirrors had a thermal warpage problem...

This adds to the problems of the new GOES series, which is already far
over budget and two years behind schedule.  The schedule is starting to
look like a major problem, because NOAA is already down to one operational
satellite in orbit, and two are really needed for full coverage of the
Americas.  Originally the first replacement was scheduled for launch this
year, but now even the current target of Feb 1992 is looking optimistic.

Henry Spencer at U of Toronto Zoology utzoo!henry

Privacy concerns about new Lotus "Marketplace" product

Dan Aronson <dan@big-ben.UUCP>
Fri, 16 Nov 90 11:38:37 PST
Lotus claims that if you don't want to be in the database you can write a
letter to:

Lotus Development Corp.
Attn:  Market Name Referral Service
55 Cambridge Parkway
Cambridge, MA 02142

--Dan Aronson, Thinking Machines Corporation

   [Also noted by (Rick Noah Zucker)]

AFCEA's 2nd Annual Military / Government Computing Conf/Exp

Jack Holleran &olleran@DOCKMASTER.NCSC.MIL>
Fri, 16 Nov 90 14:16 EST
AFCEA's 2nd Annual Military / Government Computing Conference and Exposition
Dates:  February 5-7, 1991
Location:  Hyatt Regency, Crystal City, Arlington, VA

Additional Information:
  The Armed Forces Communications and Electronics Association
  4400 Fair Lakes Court
  Fairfax, Virginia 22033-3899
  (703) 631-6225

Theme:  Information Systems Solutions Today & Tomorrow

Concurrent tutorial sessions will be presented on February 5; Four technical
tracks will be presented on February 6-7.  Technology Advances (February 6);
Information Systems Applications (February 7); Software Development /
Maintainence (February 6-7); and Systems Security Solutions --- Security /
Privacy, Integrity and Availability (February 6-7).

February 5, 1991
 Concurrent Tutorial Sessions
 Tutorial Co-Chairmen
  Mr. Larry Walker, Director,
   Command Control and Planning, CONTEL Federal Systems
  LTC Calvin Hastie, USA
   Office of the Director of Information Systems C4
    Headquarters, Department of the Army, Army Management Division

I   Open Systems Architecture
    Improving the Software Process
     Mr. J. Mogilensky, Director of the SW Process Enhancement Program,
     CONTEL Federal Systems
    MLS-A Critical Technology
     Col. Bill Freestoner, USA, Program Manager
     Defense Communications Agency

II  Expert Systems in Artificial Intelligence
    Imaging / Graphics
    Personal Authentication Via Biometrics

III Evolutionary Systems Acquisition
     D. Shore, Technical Director, AFCEA
     Dr. S. Starr, The MITRE Corporation
     Dr. S. Albert, Vice President and Chief Scientist,
      Institute for Systems Analysis
    Information Engineering
     Mr. J. Weyland, Senior Associate, Booz, Allen & Hamilton, Inc.

Technology Advances  (February 6, 1991)
 Track Co-Chairmen:
  Dr. Paul Oliver, Vice President, Booz, Allen & Hamilton, Inc.
  Mr. John Carabello, Dean, Information Resources Management College,
   National Defense University

* Artificial Intelligence and Expert Systems
   Dr. Larry Medsker, Chairman, Computer Science and Information Systems,
    American University

* Imaging and Graphic Systems
   Dr. Alan Salisbury, President, CONTEL Technology Center

* Information Engineering
   Mr. Jon Whalen, Senior Associate, Booz, Allen & Hamilton, Inc.

Information Systems Application  (February 7, 1991)
 Track Co-Chairmen
  BGen J. Ronald Carey, USAR
   Program Manager, Reserve Component Automation System,
   National Guard Bureau
  Mr. Thomas L. Hewitt, President
   Federal Sources, Inc.

* Panel:  Managing Large Systems
   BGen. John F. Phillips, USAF, Commander
    Logistics Management Systems, Air Force Logistics Command
    Wright-Patterson AFB
   Mr. Edward G. Lewis, Assistant Secretary
    Information Resources Management, Department of Veteran Affairs
   Mr. Frank DeGeorge, Inspector General,
    Department of Commerce
   Mr. Robert Cook, Chief Executive Officer
    The Systems Center

* Wrap-up of the 101st Congress and Expectations for the 102nd Congress
  on Issues and Legislation Effecting Information Technology Application
   Mr. Steven Ryan, Attorney, Former General Counsel for Senator
     John Glenn's Government Affairs Committee

* A Success Story of How USAA Achieved a Paperless Office with
  Information Technology
  MGen. Donal Lasher, USA (Ret.), Senior Vice President,
   USAA Insurance Company

* A Successful Turnaround in a Major Government Application
  Mr. Thomas P. Giammo, Assistant Commisioner for Information Systems,
   U.S. Patent & Trademark Office, Department of Commerce

* The United States Postal Service in 1995
  Dr. Bernard J. Bennington, Director of Communications and Technology,
   U.S. Postal Service

Software Development / Maintenance (February 6-7, 1991)
 Track Co-Chairmen:
  Mr. Anthony M. Valetta, Program Executive Officer
   Standard Army Management Information Systems, Department of the Army
  Mr. John Turner, Associate Administrator, National Aerospace
   System Development, Federal Aviation Administration

* Maintaining Quality in the Software Development
  Presenter:   Mr. James Emery, Professor of Decision Sciences,
                Wharton School of Business

* Grand Design vs Evolutionary Development / Acquisition

* Panel:  Prototyping
   Moderator:  Dr. Michael F. McGrath, Director of CALS Office,
                  Office of the Assistant Secretary of Defense

* Panel:  Managing the Corporate Information Management (CIM) Life Cycle
   Moderator:  Mr. John Gioia, President, Robbins-Gioia, Inc.

* Panel:  Modernization / Uptrade / Re-engineering
   Moderator:  Dr. Paul Oliver, Vice President, Booz, Allen & Hamilton
   Panelists:  Mr. Phil Kiviat, Vice President, Chartways Technology
               Mr. George Baird, Senior Associate, Booz, Allen & Hamilton
               Mr. Roger Kerchaw, Program Director,
                       Educational Testing Services

* Panel:  Maintainability
   Modeator:  Mr. John Caron, Assistant Commissioner, Office of
               Technical Assistance, General Services Administration

* Panel:  Software Re-Use
   Moderator:  Mr. Mitchell J. Bassman, Senior Scientist, Special
                Projects Division, Computer Sciences Corporation

* Panel:  Ada
   Moderator:  Dr. Clay Stewart, Associate Director, C3I Center
                George Mason University
   Panelists:  Dr. Win Royce, TRW
               Mr. Paul Mauro, Hughes

Systems Security Solutions Security / Privacy, Integrity and Availability
   (February 6-7, 1991)
 Track Co-Chairmen:
  Mr. Patrick Gallagher, Director
   National Computer Security Center, National Security Agency
  Mr. James H. Burrows, Director of National Computer Systems Laboratory
   National Institute of Standards and Technology

* Panel:  Computer Security Applications Experiences:  National Security
   Moderator:  Mr. Patrick Gallagher, Director, National Computer
                    Security Center, National Security Agency

* Panel:  Computer Security Applications Experiences:  Civilian / Commercial
   Moderator:  Mr. James H. Burrows, Director of National Computer
     Systems Laboratory, National Institute of Standards and Technology

* Panel:  Computer Security Procurement Experiences
   Moderator:  Ms. Barbara Guttman, Computer Specialist,
               National Institute of Standards and Technology
   Panelists:  Mr. Hal Tipton, Director and Past President,
               Information Systems Security Association (ISSA), Inc.

* Panel:  Voice / Data Security Applications
   Moderator:  Mr. Ray Fitzgerald, Central Intelligence Agency
                Chairman:  STS/SISS Joint STU-III Working Group

* Panel:  Network Security --- Applications
   Moderator:  Mr. Curt Barker, Senior COMSEC Analyst,
                Trusted Information Systems, Inc.

* Panel:  Protection Against Malicious Software
   Moderator:  Mr. Dennis Steinauer, Manager of Computer Security
                Management and Evaluation, National Institute of
                Standards and Technology

* Panel:  Where are We Going?
   Moderator:  Mr. Steve Walker, President
                Trusted Information Systems, Inc.

Please report problems with the web pages to the maintainer