The RISKS Digest
Volume 10 Issue 85

Thursday, 31st January 1991

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


BENEFITS of Computers, Valentine's Day Edition
Jay Elinsky
Re: Auto Pilot Problems
David B. Horvath
Re: Risks of automatic flight
Gordon D. Wishon
Re: Patriots
Alex Bangs
Jerry Leichter
Martyn Thomas
Henry Spencer
Frank Ritter
David B. Horvath
Re: Broadcast local area networks are a'comin
Russ Housley
Frank Letts
Rich Rosenbaum
Ian Clements
Info on RISKS (comp.risks)

BENEFITS of Computers, Valentine's Day Edition

Thu, 31 Jan 91 08:58:53 EST
On "Neighbors" page of Woman's Day, 5 February 1991: A husband who finds it
difficult to say "I Love You" programmed his wife's software on their personal
computer to flash "I LOVE YOU" on the screen when she exits the program.

Jay Elinsky, IBM T.J. Watson Research Center, Yorktown Heights, NY

     [This is known as putting all your exits in one pass-kit.
     But what, you might ask, is the RISK that makes this story relevant?
     The Trojan horsing around?  The risk of botching her software?
     The opportunities for subliminal advertising?

     Well, when Weekly World News prints this story, it will describe it as
     intelligent workstation software that gets jealous because it detected the
     amorous intent of the husband and then automagically changed the message

Re: Auto Pilot Problems

"DAVID B. HORVATH, CDP 8*747/215-354-2468" <>
Wed, 30 Jan 91 15:35:58 EST
During the Vietnam war (conflict?), the F-111 was sent into combat.  There are
three modes to the terrain following equipment - soft, medium, and hard.  These
modes describe how hard the computer climbs or dives the aircraft - the number
of G's exerted on the crew.

Several planes were lost shortly after deployment.  Another crew reported that
when the hard mode was used, there were times that the crew was helpless - the
computer performed 5 G climbs and dives over some of the high hilly terrain in
vietnam.  The plane would climb HARD and dive HARD, climb and dive, etc.; due
to the G-forces, the crew was not able to control the plane, making it a good
target for the enemy.

Being air-sick is nothing compared with being shot down because you can't take
the airplane's controls out of automatic mode.
                                                - David Horvath

   [Opinions are mine only; I found this information in something I read.
   References available on request.]

Re: Risks of automatic flight (Crepin-Leblond translation, RISKS-10.83)

Gordon D. Wishon <>
31 Jan 91 22:03:36 GMT
>  This is so serious that when some pilots arrived at the target site, they had
>lost all faculties of analysis, and as a result the U.S. Air Force has decided
>to abandon at least partially the concept of automated piloting for very low
>altitude flights. "

Ahem...  I hope someone tells the crewmembers of USAF F-111's, RAF Tornados,
and any allied LANTIRN-equipped aircraft (among others).

It's ludicrous to believe that any airman would allow his pink flesh to be
routinely thrown at the ground without some control (or at least a cross check)
of the system.  I would suspect that's the real reason to "abandon" the
concept.  Don't forget, in the USAF at least, airmen make the decisions on what
technology to pursue.

As for airsickness, some people are susceptible, others are not.  Those who
are, are mostly weeded out during the qualification process.

By the way, the article should have specified "...the concept of _manned_
automated piloting...."  The concept of unmanned automated piloting is alive
and well (vis. Tomohawk cruise missile).

Gordon D. Wishon, Air Force Institute of Technology

Re: Patriots (RISKS-10.84)

Alex Bangs <abg@mars.EPM.ORNL.GOV>
Wed, 30 Jan 91 15:46:02 EST
Note that according to press reports, the JSTARS tracking aircraft is being
used in the Kuwaiti theater. This aircraft is only a prototype.  I remember
hearing early on that JSTARS would _not_ be used because they didn't want to
risk it, but apparently they have decided otherwise. Or the press could be
                                        Alex Bangs, ORNL


Jerry Leichter <>
Thu, 31 Jan 91 00:16:38 EDT
The debate about what the apparent effectiveness of the Patriots demonstrates
itself demonstrates the unfortunate way in which too much debate on various
important issues is carried on.

    1.  The Patriot was intended to be a close-in defender of important
        military sites.  It was apparently never intended to be used
        to defend cities.

        When you are protecting a relatively small, fairly "hard",
        military site, knocking an incoming warhead off target by
        even a fairly small amount is an excellent defense.  Obviously
        this is NOT the case when you are defending a spread out,
        fairly "soft" target like a city.

    2.  "If the warhead had chemical agents, blowing it up with a Patriot
        just makes things worse."  Simple logic tells you that this
        is unlikely to be true.  There is an optimal height at which
        to release poison gas:  Too near the ground and it doesn't
        spread out enough, too high and it dissipates before having
        an effect.  The designer of the warhead will try to hit the
        optimum.  Unless he does a really bad job of it, AND you are
        very unlucky, you can at worst leave things unchanged by
        hitting the warhead.

The arguments in (1) and (2) are typical of one class of responses by those
who have an emotional attachment to the position that sophisticated weapons
don't work:  When the systems SEEM to work, that's only an illusion - they
don't REALLY work after all.  (I'd be interested to know what those who make
these arguments think the Israelis have in mind in deploying and using

The arguments of those who have an attachment to these weapons are pretty much
the same, if turned around:  See, they work so they are effective.  The
evidence - so far as we can tell through the noise of battle combined with
censorship - is that these weapons really DO work, in the sense that they do
pretty much what their builders claimed.  What is by no means clear is that
they are as effective at actually doing something USEFUL, as has also been

A more subtle anti-smart-weapon argument takes the form:  "Well, yes, these
things work, but we always knew they would - it's those OTHER things that
don't work."  The difficulty with such a claim is that anyone can make it
after the fact.  Certain people - David Parnas is certainly one, as he has
written about many of these issues - can legitimately and honestly say that
they have never said, say, that close-in defenses can't work, they've only
argued against some more grandiose schemes.  However, my own experience has
been that most critics had very general complaints about these systems.  "They
won't work in the heat of battle."  "The sand will destroy them."  "RFI among
all the planes in the sky will make them all do crazy things."  And so on.
In effect, these people made a prediction:  When used in battle, these devices
would not perform as well as simpler weapons.  As far as we can tell at this
point, that prediction was just plain wrong.

I must admit that I made such predictions myself.  Having seen the way large
complex systems fail, especially having seen how getting the last 10% can
destroy the 90% you already have, I always read the criticisms with great
sympathy.  If you had asked me a couple of months ago whether one could
expect to hit rockets coming essentially straight down at Mach 4, in the
middle of a desert, night after night, with all sorts of other clutter in the
sky, I would have said "no".  (It appears that Parnas knew better.)

A final argument, seen on both sides, is essentially one of extrapolation:
Sure, you can hit SCUDs, but what about the next weapon?  Sure, a Stealth
fighter can hide from standard radar, but what about two-point radar?  To
which the only answer is:  Weapons are always changing.  They have been since
the beginning of time, and they always will be.  The best you can do is match
what the other guy has now, or will likely have in the near future.  In the
long run, both your system and the other guy's will be obsolete; it's a never-
ending process.  At the moment, the evidence is that the smart weapons CAN be
built and used, and can best "not so smart" weapons.  Things could change.

The same argument from the other side is:  We can build a Patriot, so we can
build an SDI.  Well, maybe - but that's a very big leap.  On the other hand,
the claim "We can build a Patriot, so we can build an ABM system that will
keep us safe from attack by any small power (i.e., an attack with no more than
a few hundred warheads)" is now at least reasonably arguable.

It's been said that the first victim of war is the truth.  There are plenty
of issues here - political, social, technological, military - that need to be
examined with some degree of rational thought.  Sloganeering doesn't help.
Refusing to look at the evidence doesn't help.  Refusing to change one's mind
no matter WHAT happens doesn't help.
                            — Jerry

Patriot missiles provide no evidence for SDI

Martyn Thomas <>
Thu, 31 Jan 91 14:03:52 BST
One powerful argument against SDI is that you need confidence that the system
will work effectively the first time it is used against a full attack. The
Patriot missiles, even if they were 100% effective against SCUDs, can provide
no basis on which we can be confident that a different system, deployed against
different targets, would be successful.

In general, we may be able to *achieve* very high success rates with complex
systems, but this is a very different thing from being able to *predict* a high
success rate with any convincing evidence. When we certify a new
safety-critical system for use, we predict that the failure rate will be
acceptable; evidence that past systems have achieved acceptable error-rates is
almost useless for justifying such a prediction, unless the new system is a
very well-controlled evolution of the earlier system. This is extremely rare.

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.  +44-225-444700.

Re: Patriot Missile (Parnas)

Thu, 31 Jan 91 11:54:47 EST
I should preface this by saying that I agree with Dave Parnas's most basic
point:  recent Patriot successes say little about effectiveness of more
ambitious antimissile defences.  However, some of his arguments are weak...

>...The Patriot missile itself is launched on a path that will
>intercept the path of the incoming missile ...
>and has a very simple homing system that is effective when (and if) it
>gets near its target.  Were the target missile to change course drastically
>after launch, the Patriot missile would end up somewhere else...

I believe this is erroneous.  Patriot is guided, under control of the launch
system, all the way up.  It's not a question of firing it on a predetermined
trajectory in hopes that it will get close enough to home.  Even Patriot's
homing is actually controlled by the ground computers; the missile itself has
no brains to speak of, just a receiver system that picks up radar reflections
off the target and relays them to the ground for assessment.  In principle, a
drastic course change by the target can be matched by a similar change by the
Patriot.  How well this actually works is an open question, since it hasn't
been tried in combat.  (The recent incident of an accidental launch against
aircraft is silly as a test case, since the Patriot system reportedly was in
antimissile mode and thus probably wasn't expecting evasive action.)

It occurred to me a little while ago, in fact, that we may never know how well
Patriot would work against aircraft.  Aircraft can be shot down by lots of
systems, e.g., other aircraft, while Patriot is the only operational
antimissile system.  I'd expect that the Patriot batteries in the Gulf have
firm orders to ignore aircraft, and it would take a really drastic change in
the situation to get those orders changed.

>... The development and manufacture tooling stage of the Patriot
>was completed in 1980...  The SDI program was
>not announced until 1983.  There was no SDI software technology to be applied
>to Patriot...

While the original development of Patriot was completed about a decade ago,
much of the antimissile capability was in the form of retrofits.  According to
Flight International, full production of Patriots with the current antimissile
capability started in 1989.  So there was some opportunity for application of
SDI software technology, although I do not know whether that actually happened.

>... Terminal defense systems can have an operator who makes
>decisions that would have had to be automated in the space-based system.

I've never understood why it is fundamentally impossible to put "man in the
loop" for space-based systems.  I'd be interested in seeing this explained.
There is clearly a serious shortage of time for decision-making, but the
same is true of terminal defence against tactical missiles — which have
much shorter flight times than ICBMs — and short-notice decision-making
in combat is both possible and practical, as any fighter pilot can testify.

>... The SCUD was first deployed about 1965 - Patriot about 19 years later.
>All RISKS readers should think about the advances that we have seen in 19
>years.  It should come as no surprise that the Patriot can sometimes destroy
>missiles that were deployed when its development began...

As far as I am aware, it should still be capable of destroying most missiles
that were deployed yesterday.  Maneuvering warheads remain extremely rare
and rather limited, and most other forms of countermeasures don't work in
the terminal phase.
                        Henry Spencer at U of Toronto Zoology  utzoo!henry

Patriot's defense (Johnson, RISKS-10.83)

Frank Ritter <fr07+@ANDREW.CMU.EDU>
Thu, 31 Jan 91 03:16:54 -0500 (EST)
Some notes on the Patriot system:

You can "program" by designating areas where all planes are safe, or a plane
should be assumed a bogey.  The programming going on now is probably on this
level, where they are trying to create areas not to shoot at what's in them.
There are things that could be used, but I don't think anything provided
directly or played with in the past.

I know that a good way to avoid Patriot missiles is to drop below their radar
height.  I would also assume that if I had accidently shot at a friendly, I
would give them a call and turn off my radar.  Even if neither of these
occured, our pilots are keenly aware and concerned about the Patriot system and
how to avoid it (and indeed all air defense, ours and theirs).  And there are
other ways to beat the Patriot, such as being in a "safe zone" that change
daily, which friendlies, and only friendlies, would know.  I don't think what
we've seen tells me a lot.  SCUDs are a lot different than planes, while they
travel straight, they travel darn fast for a plane.  Our planes should be able
to not get hit even if shot at, particularly if there are no other planes or

The real power of the Patriot appears to be the ability to deal with a large
number of planes, some targets, some not.  If these friendlies came back
without their transponders on, in the wrong direction and altitude, the right
mistake was to shoot at them.  Until you know this information, it's hard to
judge what was going on.


Nike Hercules Site (Re: Patriots, Wright, RISKS-10.83)

"DAVID B. HORVATH, CDP 8*747/215-354-2468" <>
Wed, 30 Jan 91 15:35:31 EST
> Some years back I was stationed with HHB 45th Arty (AD) a Nike Hercules unit
>  [...]
> the reply was "Well son .... what would you rather have: ## kilotons over
> Evanston, or 10 to 50 megatons over the loop ?"    [... Ed Wright]

I live in suburban Philadelphia (Pennsylvania, USA), a few miles from where I
live is the remains of a Nike Hercules unit.  I believe the intent was to loose
Broomall or Cherry Hill (New Jersey) to save Philadelphia and other suburbs.  I
can see a conversation like the one described above actually happening!

       - David Horvath

Re: Broadcast local area networks are a'comin

Wed, 30 Jan 1991 11:06:04 PST
In RISKS 10.83, Tom Lane quotes an article from the New York Times stating that
Apple is installing (or at least reserving the radio frequencies for) a
wireless 10 Mbit/sec LAN.  Tom observes that such a broadcast LAN requires
protection.  I agree.

Wireless LANs are being standardized by the IEEE and IEEE 802.11 was recently
formed for just this task.  The people working on this standard also agree that
sensitive data must be protected on such a LAN.  IEEE 802.10 (Standard for
Interoperable LAN Security) is developing standards for just this purpose.  (Of
course, it would be up to each company to decide whether all its data is

Tom Lane also says, "(But if they are going to support 10Mb/sec data rates, the
encryption would have to be fairly weak, methinks.)"  On this, Mr. Lane and I
disagree!  10 Mbit/sec is the data rate of the "backbone."  If encryption is
placed at each wireless LAN station, the encryptors can run at a significantly
lower data rate.  The station cipher device only needs to decrypt those frames
which are addressed to that station.  Of course, this includes broadcast
frames, appropriate multicast frames, and frames addressed to that particular

In the IEEE 802.3 (Ethernet) world, there are encryption devices that work just
this way.  I will refrain from turning this into an advertisement for such
products, but they are available with the DES algorithm and with NSA
"proprietary" algorithms.
                                               Russ Housley

broadcast LAN's

frank letts <>
Wed Jan 30 22:45:06 1991
Reading the notices about the approach of broadcast LAN's reminded me of a
semihumorous incident that happened about 2 years while I was doing some
consulting for a "local" oil company.  We were preparing a SCADA system for
Oilpatch, Texas and had the entire thing staged on the 17th floor of a TALL
building in downtown Houston.  (That ought to narrow the oil company down to
about 20 or so.)  All of the remote telemetry units were communicating with the
master station computer via low power Johnson radios, and I had made sure that
we had dummy loads on all of the antennae so as to cut down the range of the
transmissions.  This screwed up SWR's and about everything else, but we could
adjust the transceivers and get decent communications - most of the time.
Sporadically, we would get bursts of errors for seemingly no reason, and then
good comm again for a while.  I hooked up data analysers, etc, and could see
the junk that was being injected on the frequency, but couldn't identify it as
any of the other equipment that we had operating in the area.

I remembered an old microwave hand showing me how you could kluge in a
telephone handset on a circuit and listen to the "noise", often identifying it
with ease when all of the sophisticated techniques had failed.  Out of
desperation, I rigged up a speaker at the master station and listened to the
buzzings of the remotes answering the master.  Much to my surprise, I heard
some poor fella in a delivery truck complain about "there's that doggone
buzzing sound again" to his dispatcher at the same time that our comm
efficiency dropped to zero!

I felt sorry for him, but I didn't have enough radios laying around to set up
with another frequency, so we just kept testing with the occasional comm burps
until we shipped the system.  I did leave the speaker hooked up, though.  It
was kinda fun listening to all of those guys swear at the strange interference
that they were getting.

Frank Letts, Ferranti International Controls Corp., Sugar Land, Texas

        [Sounds like the old joke whose punchline is
        "Hey Martha, it's that guy with the damn whistle again."

Re: Risks of radio-based LAN's (Lane, RISKS-10.83)

Rich Rosenbaum 30-Jan-1991 1029 <>
Wed, 30 Jan 91 16:31:24 PST
In RISKS-10.83, Tom Lane points out the security risks of wireless
(radio-based) LAN technology.  Actually, wireless LAN's have the potential
to be _more_ secure than traditional "wired" LAN's.

One currently available wireless LAN product uses spread spectrum
communications. (It is interesting to note that, for the radio frequencies used
by this product, the FCC mandates use of spread spectrum).

While I am not an expert on spread spectrum communications, my understanding of
the technique suggests that it offers both increased protection against
eavesdropping as well as resistance to jamming, when compared to traditional
radio broadcast techniques.
                                            Rich Rosenbaum

Broadcast local area networks are a' comin

Ian Clements <>
Wed, 30 Jan 91 17:29:59 PST
 One other possible risk is to those with pacemakers or other electronic
medical devices (such as implanted pumps or heart monitoring devices).

--ian                             Ian Clements 415/962-3410

Please report problems with the web pages to the maintainer