The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 95

Friday 28 June 1991

Contents

o BackLogCabinJohnBridgeOutagesEtc.
PGN
o Programmer Accused of Plotting to Sabotage Missile Project
PGN
o Phone system becoming inherently less reliable?
Rodney Hoffman
Fernando Pereira
o Mitsubishi sues AT&T for unsecure system
Rodney Hoffman
o More on Cellular Phone Swindles
PGN
o Lauda Air crash
Pete Mellor
o Lauda Air and lithium batteries
PGN
o Videotape of the pilot discussing the crash of UAL 232
Mary Shafer
o Searching the RISKS archives via WAIS
Garrett Wollman
o Info on RISKS (comp.risks)

BackLogCabinJohnBridgeOutagesEtc.

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 28 Jun 91 15:29:25 PDT
I was East for a week, culminating in my COMPASS '91 Risk-of-the-Year talk at
NIST on failures (both correlated and independent) that resulted in
far-reaching problems, including the recent telephone cable cuts and switching
problems.  On the way back across the Cabin John Bridge toward Dulles Airport
on Wednesday (having experienced enormous traffic delays in the opposite
direction on Monday night due to construction), I heard the report of the
7-state east-coast phone slowage plus the simultaneous but presumed independent
L.A. problem, both attributed to Switching System 7 protocol implementations.
(See below.)  From the airport Wednesday, I tried a bunch of calls that would
not go through.  Having returned home, it is clear that from a RISKS point of
view this was a bad time to have been away (there were over 250 messages
awaiting me in the RISKS directory alone).

This issue is the first to try to catch up with the backlog in hopes of not
generating the exponentially increasing backlog in response.  We will as usual
favor exciting new business, and go very slow on nth-order incrementals.  I
will also jack up the relevance razor ('n' Occam Dead?).

Some of the items in this issue will be "old hat" to those of you who are avid
media mavens, but they are included anyway for archival purposes... and have
been greatly foreshortened by the PGN Abstracting Service.


Programmer Accused of Plotting to Sabotage Missile Project

Peter G. Neumann <neumann@csl.sri.com>
Thu, 27 Jun 91 01:05:04 PDT
   In San Diego, the former General Dynamics Corp. computer programmer, Michael
John Lauffenburger, was arrested for allegedly planting a ``logic bomb,'' a
type of virus that would have destroyed vital rocket project data.
Lauffenburger's goal, according to a federal indictment, was to get rehired as
a high-priced consultant to fix the damage he created. He quit May 29.
   A fellow General Dynamics worker defused the plot by accidentally stumbling
onto the logic bomb. Lauffenburger was charged with computer tampering and
attempted computer fraud.  If convicted, he faces up to 10 years in prison and
a $500,000 fine. He pleaded innocent and was released on $10,000 bail.

[Source: Article by Laura Myers, AP Business Writer, 26 June 91]


Phone system becoming inherently less reliable?

Rodney Hoffman <Hoffman.El_Segundo@Xerox.com>
Fri, 28 Jun 1991 08:57:35 PDT
Excerpts from an article headlined PHONE OUTAGES SHOW HAZARDS OF NEW TECHNOLOGY
by Jonathan Weber in the 28 June 1991 `Los Angeles Times':

"The massive telephone failures in the Los Angeles and Washington areas earlier
this week stemmed from glitches in ... a specialized computer network that
shuttles information about calls between telephone company switching
offices.... The inherent complexity of an increasingly software-based phone
system ... raises the prospect that the public telephone service may be
inherently less reliable in the future than it has been in the past.  Pacific
Bell said Thursday that it had suspended further deployment of ...  Signaling
System 7 until the exact cause of the problem could be identified.  It appeared
... that the [LA and Washington] problems ... were not identical, but both
[were] attributed to breakdowns [in the] SS-7 equipment supplied by DSC
Communications of Dallas."

  [Explanations of expected benefits from the SS-7, including improved
  efficiency, capacity, speed, security, and new service possibilities such as
  "the controversial Caller ID."]

"The flip side of all this ... is that if the SS-7 system malfunctions, it
begins sending incorrect information all over the network.  Ross Ireland,
general manager for network services at Pacific Bell, said Wednesday's incident
was caused by a signaling system unit in downtown Los Angeles that inexplicably
began sending out a flurry of wrong information about problems in the network,
and ultimately shut itself down.  Then there was a cascade effect, in which the
other signaling system units began acting on the incorrect information.
Finally, when people tried to make calls and couldn't, they kept trying, which
created an abnormally high level of calling traffic and thus further
exacerbated the problem.

"Because a phone network is so tightly integrated -- akin to one big computer
-- it's very hard to locate and fix problems...."

[See also `Los Angeles Times,' John Kendall and Paul Lieberman, 27 June 1991:
"By coincidence, service also was disrupted to 6.7 million telephone customers
Wednesday in the District of Columbia, Maryland, Virginia, and parts of West
Virginia.... [T]he trouble began in Baltimore during a routine modification of
equipment procedure." [sic]]

    [Officials at Chesapeake and Potomac said the problems were probably
    unrelated. Asked if hackers could have caused the problems, Ellen
    Fitzgerald, a spokeswoman for Chesapeake and Potomac, said she had been
    assured that the system could not be penetrated.  [!!!] But, she added, ``a
    few days ago I would have told you that what happened yesterday wouldn't
    happen.''

    Terry Adams, a spokesman at the DSC Communications Corp., which made both
    systems, said company officials also discounted any connection between the
    failures.  {From the NY Times article, 28 Jun 91.  PGN}]


Another software-caused phone network problem

Fernando Pereira <pereira@klee.research.att.com>
Fri, 28 Jun 91 12:03:13 EDT
[...] May we be seeing here a situation in which market pressures to implement
a complex new protocol are affecting design and test cycles for switching
software?

According to the WSJ, the equipment and software in question are made by DSC
Communications Co.  The new protocol supports all those new services we hear so
much about, such as caller ID, return call, call trace and various new business
services.  It's interesting to note that the January 1990 disruption in the
AT&T network, involving an implementation of the same protocol, involved
different (AT&T) hardware (4ESS) and software.

Fernando Pereira, 2D-447, AT&T Bell Laboratories, 600 Mountain Ave,
Murray Hill, NJ 07974 pereira@research.att.com


Mitsubishi sues AT&T for unsecure system

Rodney Hoffman <Hoffman.El_Segundo@Xerox.com>
Thu, 20 Jun 1991 09:49:43 PDT
According to an AP story carried in the 18 June '91 `New York Times',
Mitsubishi is suing AT&T over a pbx system that was broken into by hackers who
made thousands of illegal calls worldwide.

Mitsubishi contends that AT&T's System 85 Private Branch Exchange is not secure
and that AT&T failed to warn Mitsubishi of the potential for unauthorized use.
Mitsubishi seeks $10 million in punitive damages and a dismissal of $430,000
billed for 30,000 phone calls which Mitsubishi attributes to unauthorized
users.

The pbx system, installed in 1988 and disconnected last year, permitted
Mitsubishi employees to make calls on the company lines no matter where they
were by using a 6-digit personal password.  According to Mitsubishi, AT&T
failed to diagnose the problem, and it was New York Telephone which finally
told Mitsubishi of the possibility of system crackers.

Andrew Myers of AT&T declined to comment on the suit but said that under
federal communications law, "customers are clearly responsible for both
authorized and unauthorized service."


Cellular Phone Swindle

"Peter G. Neumann" <Neumann@csl.sri.com>
28 Jun 91 10:20:45 PST
The old sell-illegal-calls-at-a-discount scam has reemerged in Elmhurst,
Queens, NY.  High-tech mobile phone booths (cars) are very popular there, and
draw crowds of people standing in lines to make their calls, often to Colombia
or Peru.  Each car has a doctored cellular phone chip containing an ID
illegally set to some poor sap's valid ID.  "The swindle has become so popular
that legal cellular phone users in the area can rarely get access to an
available phone line."  Law-enforcement officials say that many of the calls
are made to high-level drug dealers in Colombia.  Many of the numbers dialed
from Elmhurst match up with Colombian phone numbers that investigators have on
file with the Federal Drug Enforcement Administration.

Metro One in Paramus, N.J., one of the two cellular carriers for New York City,
estimated that it has lost more than $1 million a month from illegal calls
transmitted from Elmhurst.  Nationwide, such fraudulent calls cost the cellular
phone industry about $700 million in 1990, according to Donald Delaney, an
investigator for the NY state police. Industry officials put the figure much
lower, at $100 million.  [Source: Cars Using Rigged Cellular Phones Sell
Illegal Overseas Calls, By Donatella Lorch, N.Y. Times News Service, 28 Jun 91]


Lauda Air crash (from "The European")

Pete Mellor <pm@cs.city.ac.uk>
Wed, 26 Jun 91 21:52:24 PDT
"The European" is a weekly news magazine published and distributed throughout
Europe. Last week's issue carried the following article.

Boeing skipped essential test on Lauda crash jet        By Mark Zeller, Paris

The Lauda Air 767 that crashed in Thailand last month was granted an
airworthiness certificate without vital tests being carried out, the US Federal
Aviation Authority has admitted.  The FAA's administrator said that the
aircraft's thrust reversers - which have been blamed for the crash - were only
tested at low air speed with the engine set to idle because Boeing convinced
the FAA that safety systems would prevent their accidental deployment in
flight.

Examination of the wreckage and the pilot's cockpit voice recorder have [sic]
now shown that one of the thrust reversers - used to slow an aircraft after
landing - failed to lock in place when the plane was gaining height and
accidentally shifted to a high-power setting, causing the plane to turn so
rapidly that the tail was torn off the aircraft.

Under the FAA's rules, all jet aircraft which use the thrusters must be tested
to ensure that accidental deployment would not cause the plane to crash.  But
the FAA's administrator, James Busey, in Paris for Le Bourget air show, said
last week that the plane had not undergone a realistic in-flight test of the
thrust reversers, which were designed and manufactured by Boeing and fitted to
Pratt & Whitney engines. He disclosed that Boeing told the FAA that the plane's
sophisticated flight control computers made an accidental inflight [sic]
deployment of the thrust reversers impossible. The plane, owned by former
Austrian racing driver Niki Lauda, was en route from Bangkok to Vienna when it
crashed in a Thai jungle three weeks ago, killing all 233 on board.

P&W confirmed that if the reverse thruster had not locked properly there would
have been an indicator light advising the pilots. This warning light was heard
[sic] being discussed by the pilots on the cockpit recorder shortly before the
crash. Reading instructions from the Boeing manual, they took no action and
continued to ascend. Seconds before the crash, the co-pilot shouted that a
thrust reverser had been activated.

The tape concludes with a series of warning sirens, alarms, a snapping sound
and then a bang. The wreckage of the plane was found in dense jungle in
Thailand with one engine's thrust reverser deployed. The tail section was found
several kilometres away. Asked about the possibility of an accidental
deployment of a thrust reverser, Boeing spokesman Dick Kenny said: "It can't
happen."

But a P&W representative, who wished to remain anonymous, said it was possible.

According to the engine-maker, Boeing was only now carrying out exercises to
find out what would happen if the reverse thruster deployed at high power.
Boeing has refused to comment on these tests. Before the crash, there had
already been at least one incident involving partial in-flight deployment of a
thrust reverser on a Boeing 767. There have also been several similar incidents
on 747s, but none of these led to a crash.

   Peter Mellor, Centre for Software Reliability, City University, Northampton
   Sq., London EC1V 0HB +44(0)71-253-4399 Ext. 4162/3/1


Lauda Air and lithium batteries

Peter G. Neumann <neumann@csl.sri.com>
Sun, 23 Jun 91 11:47:08 PDT
Lauda Air disaster linked to potentially hazardous cargo

   London, 23 June 1991 (dpa) - A potentially hazardous cargo may have
contributed to the engine thrust reversal which caused a Lauda Air Boeing 767
to crash in Thailand May 26, killing all 223 people aboard, according to a
British report Sunday.  The Sunday Times, citing aviation safety experts, said
the Austrian plane was carrying a shipment of cheap Chinese-made watches in a
cargo hold, and that lithium batteries in one or more of the watches could have
discharged, resulting in heat and possibly fire.  Fire in the cargo hold could
have affected computer wiring, causing the plane's port engine to shift into
reverse thrust in mid-air.  The cockpit's in-flight voice recorder, and
inspections of the wreckage, showed that the engine inexplicably went into
reverse, creating aerodynamic stresses which pulled the aircraft apart.
   The wreckage also showed evidence of burn marks in one cargo hold, a
phenomenon which specialists initially were unable to explain but later linked
to the watch batteries, the report said.
   The Sunday Times said speculation about the potentially dangerous batteries
has already prompted several major airlines to slap a ban on such shipments
from Hong Kong.
   The report claimed that a South African Airways Boeing 747 was carrying a
cargo of lithium-battery watches when it crashed into the Indian Ocean on a
flight from Taiwan to South Africa in 1987, killing 159 people.  Last year, a
Cathay Pacific plane was forced to make an emergency landing after fire broke
out in a cargo hold bearing a shipment of watches with lithium batteries, it
said.


Videotape of the pilot discussing the crash of UAL 232

Mary Shafer <shafer@skipper.dfrf.nasa.gov>
Tue, 25 Jun 91 15:45:20 PDT
There's been a lot of discussion of the safety of fly-by-wire aircraft, so
here's the discussion of an accident that very possibly would have been
prevented were the DC-10 fly-by-wire rather than hydraulic.

On July 18, 1989, while in cruise at 37,000 feet, United Airlines Flight 232
suffered an uncontained engine failure of the #2 engine.  This ultimately
disabled all three hydraulic systems, thus rendering the aircraft all but
uncontrollable.  The flight crew were able to guide the aircraft to Sioux City
Gateway Airport by using a technique of "differential thrust." Approximately
fifty feet above the ground, they lost control, which, when combined with a
high descent rate, resulted in a violent crash.  Of the 296 people on board,
184 survived.  This included the flight crew.

On May 24, 1991, the captain of the airplane, Al Haynes, gave a speech on the
crash to a gathering at NASA's Dryden Flight Research Facility.  It was
primarily concerned with the mechanics of controlling the aircraft, as well as
disaster preparedness.  The speech was recorded on video tape, and, with the
consent of Al Haynes, has been made available to the net community via a
somewhat ad hoc distribution system.

In the US:

Eric Thiele (ericth@i88.isc.com) will make you a copy of your own
for $4.  Send a check to:
     Eric Thiele
     2000 Crown Point
     Woodridge, IL  60517

Loaner copies will be distributed by a number of people.  E-mail to
the person closest to you to get on the list.  Don't be too surprised
if there's a little delay; this seems to be very popular.

    barney@usc.edu -- Barney Lum -- Southern California
    geoff@apple.com -- Geoff Peck -- Northern California
    jle@hpfcla.fc.hp.com -- Jerry Eberhard -- Colorado
    ericth@i88.isc.com -- Eric Thiele -- Illinois
    mahler@usl.edu -- Steve Mahler -- Louisiana
    james@nueng.coe.northeastern.edu -- James Jones, Jr -- Massachusetts
    rjg@umnstat.stat.umn.edu -- Robert Granvin -- Minnesota
    gerry@n5jxs.jsc.nasa.gov -- Gerry Creager -- Texas
    gjh@galen.med.virginia.edu -- Galen Hekhuis -- Virginia

A transcript has been made by Robert Dorsett (...cs.utexas.edu!cactus.org!rdd,
rdd@cactus.org) and is available by anonymous ftp on rascal.ics.utexas.edu.
It's located in the directory ~ftp/misc/av/safety-folder/SUX.  A Macintosh
Microsoft Word-formatted file is in that directory, as well as a text-readable
version.  The transcript has also been posted to sci.aeronautics, in two parts.

Australian readers will be able to borrow a copy from Mark Ferraretto
(mferrare@physics.adelaide.edu.au).  There is some delay here, as I'm trying to
get it converted to PAL and it's taking some time.

If the demand is very heavy, I'll ask for a couple more volunteers and
get more copies circulating.

Mary Shafer  shafer@skipper.dfrf.nasa.gov  ames!skipper.dfrf.nasa.gov!shafer
           NASA Ames Dryden Flight Research Facility, Edwards, CA


Searching the RISKS archives via WAIS

Garrett Wollman <wollman@emily.UVM.EDU>
Tue, 18 Jun 91 20:41:27 GMT-6:40
The folks at Thinking Machines have provided what is (so far as I can tell) a
complete archive of RISKS for access by users of the Wide-Area Information
Server technology, on their public-access Connection Machine WAIS server.  I
have been fiddling with this for a few days now, and I think it's extremely
useful.  For example, I can ask about "Clifford Stoll Wily Hacker" and it will
come back with

263 2K  (01/12/89) :   Name this book  -- for a box of cookies!
^^^ ^^  ^^^^^^^^^^     ^^^^^^^^^^^^^^
Score Size  Date       Headline

among others; I can then retrieve the *individual articles* from the server,
save them on the local disk if I want, and much more!  The server is only
available from 9 to 9 ET, but it works really well, and is amazingly
fast--there's more time spent on my end setting up question files and
garbage-collecting in Emacs than during the actual search.

Anyway, I thought you might want to mention this in the masthead...  The
"source description file" is called "risks-digest.src" and is available from
quake.think.com:

(:source
   :version  3
   :ip-name "cmns.think.com"
   :tcp-port 210
   :database-name "RISK"
   :cost 0.00
   :cost-unit :free
   :maintainer "ephraim@think.com"
   :description
"Connection Machine WAIS server.  Operated between 9AM and 9PM EST.

Risk Digest collection from the arpa-net list, but this is so far an unofficial
archive server.  It contains all issues, but is not updated automatically yet.
" )

Garrett A. Wollman - wollman@emily.uvm.edu
