The RISKS Digest
Volume 11 Issue 83

Wednesday, 5th June 1991

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Electronic Gear Boxes at the Canadian Grand Prix
Lindsay F. Marshall
o Computer-controlled fuel system problems in 747-400
o KAL 007
o Thrust Reversal in the real world
o VIPER lawsuit withdrawn
Martyn Thomas
o Listening?
Eric Florack
o Combatting the Network Monitors
Richard Johnson
o Re: Digital Fingerprints in California
Michael Robinson
o RFD: moderated
Robert Jacobson
o Correction Re: Writer steals stories via computer
Rodney Hoffman
o Amendation Re: Computers and Academic Freedom Groups Now at EFF.ORG
o Info on RISKS (comp.risks)

Electronic Gear Boxes at the Canadian Grand Prix

Lindsay "F." Marshall <>
Wed, 5 Jun 91 12:30:30 BST
Mansell mystery deepens (The Guardian, 4 June 1991)

Mystery surrounds the precise cause of Nigel Mansell's dramatic retirement from
the Canadian Grand Prix on Sunday. But the fact that yet again it centred on
the electro-hydraulically actuated gearbox has led to murmurings in the
Williams camp that a manual-gearchange version of the current car should be
rushed through for the second half of the season.

Problems associated with the Williams FW14's gearbox have been responsible for
Mansell's retirement in four of this season's five F1 races.  Williams
immediate priority is to sort out the problem before the next grand prix in
Mexico City on June 16 by pinpointing why Mansell's car lost all drive on
Sunday with the chequered flag in sight.

The mystery deepened after the race when the car eventually returned to the
Montreal padock: it fired up immediately and the gearchange worked perfectly.
It all seemed to support the widely held view that today's breed of grand prix
car is becoming over-reliant on complex electronics for the efficient operation
of its engine.

This viewpoint is strongly supported by the Honda president Nobuhiko Kawamoto,
the man largely responsible for the Japanese company's pre-eminent position in
F1.  "We are in danger of introducing a breed of computerised dinosaur", he
said in Montreal.  We are facing a situation where the electronics may become
more comlpicated than the engines. This aspect of F1 threatens to become ever
more expensive".

In the race, Gerhard Berger's McLaren-Honda retired after only four laps with
just such a malfunction of its engine-management computer.  Meanwhile, McLaren
have a similar gearbox to William's under development, but the team chief Ron
Dennis will not compromise his cars' competitiveness until he is satisfied the
system is bulletproof.

Computer-controlled fuel system problems in 747-400

"Peter G. Neumann" <>
Wed, 5 Jun 91 11:57:36 PDT
Richard Fairley picked up the Mainichi Daily News as he was boarding a 747-400
to return from Narita to San Francisco on Saturday, 1 June, and found on the
front page an article on a 747-400 fuel problem experienced at the end of March
on a NY-to-Narita JAL flight.  I do not recall seeing a report of this before
in the U.S. press.  I abstract from the article somewhat tersely, as follows:

  The 747-400 (popularly known as the high-tech jumbo) has five fuel tanks,
  with 13+38+52+38+13 tons of fuel distributed with lateral symmetry, the 52
  being in the fuselage.  The computers are programmed to automatically draw
  from the 52, then the two 38s until they approach 13 tons, at which point
  all four wing tanks are used simultaneously to maintain proper weight
  distribution across the wingspan.  On this particular flight, the outer wing
  tanks were depleted prematurely, while the fuselage tank was not depleted.
  The result was that the wings were too light, arching the wings upward.  The
  operating ratio limits were exceeded.  The fuselage tank is supposedly
  pressurized at twice the wing tanks so that the outer tank valves can remain

Fairley commented: "I found it particularly interesting that the article
reports there was no trace of the abnormality.  If the problem had been more
severe, it is unlikely that the cause of a crash could ever have been
detected."  (The article notes that the incident was detected only because JAL
had been placing flight engineers as observers [this is a two-man cockpit-crew
aircraft] on its flights in an attempt to find design problems in the new

PGN muses: Perhaps this could have begun with a loss of pressurization in the
fuselage tank, with the computer system doing exactly what it was programmed to
do, but with a false assumption about the actual pressure...

KAL 007

"Peter G. Neumann" <>
Wed, 5 Jun 91 9:33:51 PDT
More is emerging on the KAL 007 shoot-down, 8 years later, resolving some of
the mysteries but leaving other ones.  Recent articles in Izvestia revealed
"that the Soviet Union lied after the shoot-down when it said it had attempted
to contact the errant airliner, that it did find the remains of the aircraft
(including the black box), and that it apparently uncovered no evidence that
the plane was on a spy mission."  But they also interviewed the pilot Lt.Col.
Gennadi Osipovich, who said, "I had no idea that it was a passenger
aircraft..."  Osipovich also stated that prior to the shoot-down the U.S. had
increasingly been violating Soviet airspace, including various reconnaissance
flights, presumably to calibrate the Soviet responsiveness.  One overflight of
15 minutes caused a reprimand for Osipovich himself, and had "put the Soviet
air command on edge."

An article in The Nation, 3 June 91, pp. 724-5 raised old several RISKS- and
technology-related questions that still seem unanswered:

  * Why had the U.S. tracking system failed to follow the plane and alert it?
    (or had it and is simply not admitting it?)
  * What had U.S. intelligence learned of the Soviet's responses?
  * Why were the U.S. radar tapes erased?

The article concludes with this: "But the lack of concrete evidence supporting
the spyflight scenario does not exonerate the Reagan Administration's
propaganda campaign.  Both sides acted deplorably...."  (E.g., "... the
President ignored U.S.-collected intelligence that demonstrated the Russians
didn't know what they were chasing.")

Thrust Reversal in the real world

Wed, 5 Jun 91 11:10:12 xxx
While it is true that the 767-300 was certified for operation with accidental
thrust reversal, a very senior airline pilot who knows these planes has told me
(when I asked him about this very topic in light of the recent crash) that in
the "real world" of flying it can be a different matter.

The problem is that during periods of maximum thrust (such as climbing, as was
the airliner in question) the sudden deployment of the reversers could result
in a violent "pinwheeling" of the plane.  He points out that this can be
extremely difficult to correct, and can rapidly result in an overspeed
condition (and in fact, the overspeed warning can apparently be heard on the
cockpit voice recorder from the crash).  Such conditions can result in rapid
disintegration of the plane as engines and wings are damaged, which could of
course result in fires as well!

He also mentioned that there is a mechanical system that is supposed to prevent
the thrust reversers from deploying unless the aircraft is on the ground--but
he said that these do break down from time to time, which could result in a
situation where computer control, alone, could theoretically deploy the
reversers in flight.

Whether or not thrust reversal was indeed related to the particular crash is an
open question at this time, but remember that just because an aircraft has been
"certified" for a certain set of conditions, doesn't necessarily mean it will
do you much good under a particular set of complex real world circumstances,
and possibly multiple failure modes.

VIPER lawsuit withdrawn

Martyn Thomas <>
Wed, 5 Jun 91 12:05:50 BST
Charter Technologies apparently went into voluntary liquidation on June 4th.
Before doing so, it withdrew its lawsuit against the UK Ministry of Defence,
probably because it could not afford to pursue it.

There has been a lot of criticism of MoD and others for claiming that Viper is
a proven microprocessor when the development process has not been submitted to
"proof by theorem-prover" from specification to netlist. I believe that this is
mistaken criticism, and reveals some fundamental misunderstandings about the
nature, and value, of proof.

No degree of mathematical analysis of a development process can give
absolute certainty of correctness, and nor can any other technique. Isn't
it essential that anyone in a senior role, developing or purchasing systems
or components for critical applications, understands this?

VIPER is a very high integrity microprocessor. No fault has ever been
discovered in its behaviour, so far as I am aware. This needs to be emphasised,
in case the lawsuit has given the impression that there is something wrong with
VIPER. I do not believe that anyone has even *suggested* that VIPER does not
perform according to specification.

The VIPER development and verification methods have been described in detail,
including the fact that four of the theorems were too difficult for the HOL
theorem prover, and that the lower levels were verified by exhaustive
simulation using a simulator which had not itself been formally analysed. [ The
company which develops and markets this tool, ELLA, used to belong to Praxis].
There has been no attempt to present this development route as anything other
than what it is: a very high integrity development, stopping short of full
axiomatic proof.

We must beware of having the term "proof" restricted to one, extremely formal,
approach to verification. If proof can only mean axiomatic verification with
theorem provers, most of mathematics is unproven and unprovable. The "social"
processes of proof are good enough for engineers in other disciplines, good
enough for mathematicians, and good enough for me. Occasionally, the use of
theorem provers will be cost-effective for the extra level of assurance they
probably provide, but we harm our industry if we do not recognise that there
are very effective, and very formal, verification strategies using higher-level
logics and formal arguments, and that these are legitimately described as

My main concerns are firstly, that the reputation of VIPER and of the
development technologies should not suffer from any misleading impression of
the basis of the lawsuit. Secondly, that we should not slip into a belief that
there are verification techniques which can deliver certainty that a system or
component cannot fail. If we reserve the word "proof" for the activities of the
followers of Hilbert, we waste a useful word, and we are in danger of
overselling the results of their activities!

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel:    +44-225-444700.   Email:

Listening? (John Gilmore, RISKS-11.80)

Wed, 5 Jun 1991 08:33:15 PDT
>My conclusion is that the government should be prohibited from intercepting
*ALL* civilian radio communications, except in certain bands like AM and FM,
while third parties should have full freedom to listen in on any band, as they
did before 1986 and ECPA.

Many two-way services are content specific. There are specific channels for
just about every type of business on the business bands, for example.
How would you suggest that these be enforced without routine monitoring?

Free speech is not the issue in situations like what I suggest. FOr example,
the business bands, let's say a taxicab channel, for example, is not the place
to be discussing political thinking. The issue as I say, is not free speech,
but rather, the effective and efficient use of the bandwidth.... a matter for
the FCC to determine, certainly. How to be effective in enforcing traffic
laws, without routine monitoring?

My point here is not just this one exception, of course. My point is that your
demand for bans on ALL routine monitoring by governmental agencies is far too
broad a call.

Let's please make sure that in your (IMHO, overblown) concern about government
monitoring we don't cripple the government's ability to enforce laws which
allow the day to day operations of telecommunications equipment to be smooth.

Combatting the Network Monitors

Richard Johnson <>
Wed, 5 Jun 91 11:53:53 PDT
In RISKS-11.79, an anonymous poster tells of the chilling effects of people in
his company discovering they were being electronically "eavesdropped" by
personnel.  Here are a few ideas this individual might wish to employ to
restore some of the sense of community they lost.  I mention them publicly
because they touch on a lot of privacy conflicts we've been discussing.  Sorry
about the length.

1.  If they are not pre-screened by these same personnel department
    meddlers,  drop a note in one or more of the suggestion boxes
    you mentioned.  Might not work, since most companies actually
    ignore unsigned suggestions and they're already sensitized to you.

2.  I suspect top-level management is not aware of the chilling
    effect that *this* policy is having on company morale.  While a
    well-meaning policy, its effect has been to insulate the real
    decision-makers (at the corporate or site level) from the actual
    feedback they need to decide well.  In their wisdom, they saw
    fit to provide several avenues for formal and informal criticism
    to climb the chain of command.  Someone in the middle of the
    chain has blocked this criticism.  The end result can only be less
    efficiency and poorer decisions from the top.

    Somehow you might make the TOP_LEVEL people aware.  This might
    mean the awful end-run around management (probably a bad move),
    posting a note like the above paragraph to the same monitored
    distribution list, a memo to your boss with a CC to the _boss_,
    or an anonymous, computer-printed, memo physically displayed in
    obvious places.

3.  (If you're desperate)
    Continue posting as before, only encrypted.  This kind of
    mitigates the personnel-weenee's argument that the information
    is "public" on a closed distribution list.

4.  Continue posting as before, only quietly circulate key code
    phrases that are complementary on the surface and might have
    alternate meanings.

5.  Continue posting, making sure that the watchdogs get thoroughly
    confused, overworked, *blamed* for all kinds of things.

6.  Set up your own e-mail distribution list and exclude the offenders.

Obviously, you don't want to get extreme until it's clear the company is going
to tell you to take a hike anyway.  Also, there are some people (very
closed-minded, elitist ones IMO) who honestly believe that since you do this on
company equipment and on company time, your views and information are also "the
company's".  This view is not universal, and is probably being legally debated
right now, but that doesn't stop the meddlers from believing in the "rightness"
of their position.  I believe it was Confucius (or maybe Lao Tzu?) who said
basically "You must first forget what you know before you can learn."

7.  (If you are _truly_ desperate)
    Tell the world exactly who is doing the dirty deed.  Name names,
    dates, and times.  Specify the company and be sure to cowtow
    properly to the top-level people's mal-implemented plans.

Of course you might find out they really DO want to censure their employees.
Which leads inexorably to ...

8.  Look elsewhere for work, or grab the best talent there and start
    your own company.

Richard Johnson

Re: Digital Fingerprints in California (Caplinger, RISKS-11.82)

Michael Robinson <robinson@cogsci.Berkeley.EDU>
Tue, 4 Jun 91 20:49:16 -0700
>I suppose it's possible that the California DMV doesn't retain the digital data
>-- but I doubt it.  I'm less certain but fairly sure that the "mugshot" is also
>taken with a video system.

It is.

>I could imagine it would be awfully tempting for
>law enforcement agencies to combine those two databases.

It is, and they will.

But, as with most risks, there are countervailing risks.  The California
driver's license (and its relative, the California identification card)
is intended to be positive legal identification.

California Vehicle Code, Sec. 14610:
  It is unlawful for any person:
    (a) To display or cause or permit to be displayed or have in his
    possession any cancelled, revoked, suspended, fictitious, fraudulently
    altered, or fraudulently obtained driver's license.
    (c) To display or represent any driver's license not issued to him
    as being his license.
    (g) To photograph, photostat, duplicate, or in anyway reproduce any
    driver's license or facsimile thereof in such a manner that it could be
    mistaken for a valid license, or to display or have in his possession
    any such photograph, photostat, duplicate, reproduction, or facsimile
    unless authorized by the provisions of this code.

This language is repeated in the section covering identification cards.

You don't have to have a legal ID, but if you do have one, it has to identify
you.  At least in theory.  Obtaining fictitious identification has always
been trivial, and it is almost always used for illegal purposes.

A while ago, I read in RISKS of a woman who obtained fraudulent identification
and spent large amounts of another woman's credit.  The risk of fraudulent
identification is, IMHO, far greater than the risk of positive identification.

The DMV has a statutory obligation to enforce "one man, one card" to the best
of its ability by whatever means are technologically feasible.  In this case,
the technology may skirt the margins of a potential tool of repression, but
doesn't get me nervous yet.  I don't see how the thumbprint/photo database
would allow law enforcement to threaten my rights or privacy in any novel

What does get me sort of nervous is the magnetic stripe on the back.  The only
advantage I can see to that is the ability to process a lot of people really

Michael Robinson       USENET:  ucbvax!cogsci!robinson

RFD: moderated

Robert Jacobson <>
Tue, 4 Jun 91 19:48:32 PDT
I would like to propose the creation of a new newsgroup, COMP.ONLINE.  The
purpose of this newsgroup would be to discuss the phenomena of being "online"
-- what it means to be part of an electronic community.

To my knowledge, there are no newsgroups dealing broadly with this issue.
Individual newsgroups may deal with the conversations happening locally, as in
the various muds newsgroups; or the topic may come up spontaneously and then
die, as it has in comp.society on occasion.  Yet the experience of being online
is central to what all of us do here: it deserves some special attention.

I suggest putting this new newsgroup in the comp. hierarchy because being
online is irrevocably tied up with the use of computers and information
technology.  It could also go in rec. (since we often recreate online) or soc.
(because we are a social happening) or alt. (where nearly every- thing else
ends up).  But comp. feels right to me.

I propose further that this newsgroup be moderated.  I offer to do the
moderation, at least initially.  I have been a host on USENET (sci.
virtual-worlds) for nearly a year; before that, I hosted two conferences
on The WELL and ran a legislative BBS for the California State Assembly.
My credentials are in order.

Please let the online crowd know what YOU think about this proposal.  Also,
please crosspost this announcement to such other newsgroups as you think are
appropriate.  After approximately one month of discussion, I will call for a
vote on creating .

Thanks for your attention and your ideas.

Bob Jacobson, Moderator, sci.virtual-worlds

Associate Director, Human Interface Technology Laboratory, Washington
Technology Center, c/o University of Washington, Seattle 206-543-5075
(Employment given for purposes of identification only; the HIT Lab hosts only
sci.virtual-worlds and has no connection to this proposal.)

Correction Re: Writer steals stories via computer

Rodney Hoffman <>
Wed, 5 Jun 1991 11:06:57 PDT
A footnote to an item in RISKS 11.74.  The 'Los Angeles Times' ran the
following correction on June 4:

                   "FOR THE RECORD"

  "A Times article on May 29 incorrectly stated that free-lance
  writer Stuart Goldman pleaded no contest to stealing fictional
  story ideas planted by police in Fox Television computers.
  Goldman, in fact, pleaded no contest only to unauthorized access
  to a computer system."

Amendation Re: Computers and Academic Freedom Groups Now at EFF.ORG

Peter G. Neumann <>
Wed, 5 Jun 1991 13:01:03 PDT
Actually, the first person named in the writeup reproduced in RISKS-11.82
regarding the academic-freedom mailing list was Carl Kadie (,
which was left out due to an editing foulup even before it was routed to Jim
Horning...  Sorry for the lack of attribution.  PGN

Please report problems with the web pages to the maintainer