The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 46

Saturday 2 May 1992

Contents

o F-22 crash
Barton Gellman via Nancy Leveson
o Dean's password used to misappropriate funds
Janet M. Swisher
o April fool meteorology
Bob Grumbine
o Patriot: The missile that missed
Lord Wodehouse
o Re: Ralph Nader/Cable TV/Information Networks
Tom Wicklund
o AT&T announces Easy Reach 700
PGN
o Re: Tracking by Cellular Phone
Les Earnest
Mark Fulk
Kevin Paul Herbert
o Free TRW Credit Report
Mary Culnan
o Shut Down Ambulance Computer
Jean Ramaekers
Scott Dunham via Lord Wodehouse
o Risks of using cash
Robert Ebert
o Info on RISKS (comp.risks)

F-22 crash

<leveson@cs.UMD.EDU>
Thu, 30 Apr 92 19:49:10 -0400
Here's a switch -- someone hoping the blame can be put on the computer.

           Computer Problem Cited in Crash of F-22 Prototype
                         by Barton Gellman
                 Washington Post, April 30, page A3

   A computer software problem probably caused the weekend crash that destroyed
the only flying prototype of the F-22 Advanced Tactical Fighter, the Air
Force's top general said yesterday.  Gen. Merrill A. "Tony" McPeak, Air Force
chief of staff, told a House Armed Services Committee panel that it will be good
news for his top-priority weapon program if an investigative panel confirms
what he calls his speculative explanation, because a software flaw is
"relatively straightforward" to fix.  [...]

   Lockheed Corp. test pilot Tom Morganfeld, by this account, had just refilled
his fuel tanks in preparation for a test of supersonic flight characteristics
when he learned of a break in the telemetry link that sends performance data
from the aircraft to the ground.  The supersonic test was cancelled.  Already
airborne, the F-22 was too heavily laden to land safely, and so Morganfeld
began a series of high-speed, low-altitude passes over the runway to burn
excess fuel.  On the second pass, Morganfeld lost control.  Videotape of his
last seconds in the air shows that he retracted the landing gear and ignited
his afterburners at roughly the same time, and the plane's nose immediately
began porpoising out of control.  The F-22 crashed, burst into flame, and slid
8,000 feet -- well over a mile -- before stopping.  Morganfeld escaped with
minor injuries.
   McPeak's theory of the crash said the combination of reduced drag from the
retracted landing gear and increased power from the afterburners meant that the
plane needed far more "slab authority" to control the aircraft.  In other
words, the F-22's control surfaces had to be raised and lowered more sharply.
But on modern fly-by-wire aircraft, a pilot has no direct control of the
physical movement of the flaps.  Morganfeld's commands were interpreted by a
computer-controlled servo-motor that continuously made thousands of
calculations to adjust the controls, much as anti-lock brakes do on late model
automobiles.
   McPeak said he believed that "something in the logic of the fly-by-wire
flight control system" failed to move the control surfaces far or fast enough
to keep up with the pilot's commands.  If an Air Force investigative panel
bears out McPeak's hypothesis, according to experts, it will rule out far more
serious problems with the aerodynamic stability of the plane during the
critical "flight regime" of a landing approach.  But McPeak acknowledged he
does not yet have all the facts.

    [This is Nancy Leveson, now at UMD, still on sabbatical from UCI.  PGN]


Dean's password used to misappropriate funds

Janet M. Swisher <swisher@cs.utexas.edu>
Thu, 30 Apr 92 13:05:13 -0500
The _Austin American Statesman_ and _The Daily Texan_ report that an employee of
the University of Texas College of Engineering used a password belonging to a
dean to misappropriate about $16,200 from March 1991 to February 1992.  The
dean reportedly gave the employee the password, in violation of university
policy.  The employee resigned when confronted; no charges have yet been filed.
Neither the dean nor the employee was identified to the press.

The funds were earmarked for travel fellowships for recruiting students from
other universities; the employee awarded fellowships to UT students who were
not eligible to receive them.  UT police would not comment on whether the
employee directly benefitted from the misappropriation.  The improper payments
were discovered accidentally when a student wrote to thank the associate dean
of recruiting of the College of Engineering for the College's generosity.
According to the dean of the College, "That student didn't do anything wrong.  He
just came to the dean's office for assistance and he got some."

The employee had access to about $300,000.  The university is auditing its
records to determine whether improper payments were made in prior periods.
Legitimate awards were made from the same fund during the same period as the
improper ones.  The College of Engineering is tightening its security
guidelines (no details given).


April fool meteorology

<RMG3@psuvm.psu.edu>
Thursday, 30 Apr 1992 16:45:22 EDT
  In a recent Risks, we heard the story of a shotgun attack on a wind profiler.
It develops that this was indeed an April Fool's joke.  I've deleted the
included text to save you bytes.
                                      Bob Grumbine  a.k.a. rmg3@grebyn.com

Newsgroups: sci.geo.meteorology
From: skaggs@nsslsun.nssl.uoknor.edu (Gary Skaggs)
Subject: Re: Hazardous Duty - Wind Profilers
Organization: National Severe Storms Laboratory
Date: Thu, 30 Apr 1992 13:56:08 GMT

>Excerpted from RISKS-LIST: RISKS-FORUM Digest  Monday 27 April 1992
>Volume 13 : Issue 44

You got a second generation.  Yes, you've been `APRIL FOOLED'!!!

This story appeared in a posting on OMNET by R.JUNE addressed to the
noaa.erl.labs listing under the subject of weekly report.

The header reads thusly:
        OCEANIC AND ATMOSPHERIC RESEARCH (OAR)
        WEEKLY REPORT FOR THE SECRETARY OF COMMERCE
                April 1, 1992

Besides the above story, other tongue in cheek submissions covered:

GLERL proposing to introduce the Chesapeake Bay blue crab into the Great
Lakes to try to control the zebra mussel

An agreement with the Russian republic to rescue a data set of some 70
years of "potential greenhouse gases emitted by herds of Bovinas mermoska,
the Mongolian yak of central Asia."

A new ERL lab to Study the Effects of the Moon on the Earth.  Jerry Brown
announcing that if elected, he would create a NOAA/ERL lab called the Moon
Environment Lab (MEL). (This one was REALLY good).

And a weather Modification Person of the Year Award to Saddam Hussein for
taking weather mod out of the lab and into the atmosphere.  He was cited for
his willingness to "test scientific hypotheses through the examination of
actual, not simulated or modelled, pollution events, and for initiating similar
studies into the environmental effects of massive oil spills."  Carl Sagan was
the keynote speaker.

Sorry guys, you've been had...

Gary Skaggs - WB5ULK    skaggs@nssl.nssl.uoknor.edu     DOC/NOAA/ERL/NSSL

   [Also noted by Thomas Lapp <thomas%mvac23.uucp@udel.edu>
   and joe@montebello.soest.hawaii.edu (Joe Dellinger).  PGN]


Patriot: The missile that missed

Lord Wodehouse <w0400@uk0x08.ggr.co.uk>
29 Apr 92 12:31:00 BST
From New Scientist, 18 April 1992

(For other articles and comments, see RISKS-13.19, 13.32, 13.37)

Patriot: The missile that missed

While defending the performance of the Patriot missile last week, US
Army officers reduced their estimates of how many Iraqi missiles the Patriot
hit during the Gulf War. The army now believes that the Patriot successfully
intercepted 24 missiles out of about 85 attempts. But it has "high
confidence" in only 10 attempts.

Even as the Pentagon renewed its defence of the Patriot's record, new evidence
cast additional doubt on its credibility. The congressional General Accounting
Office revealed that the army's earlier estimates of the Patriot's success were
wildly optimistic and were based on over-hopeful assumptions. For instance, if
the army could not find an impact crater from a Scud warhead, it assumed that
the Scud had been destroyed by a Patriot. Yet some army units on the scene
never bothered to look for craters, says the GAO.

The Congressional Research Service, in a separate analysis of classified
Pentagon data, concluded that most of the army's evidence was weak.
Steven Hildreth of the CRS says that he is only convinced that one Patriot
missile actually destroyed a Scud warhead.

During the Gulf War, President Bush announced to cheering crowds the Patriot
had "intercepted" 41 out of 42 Scuds that it was fired at. General Robert
Drolet defended Bush's statement at last week's congressional hearing, saying
that "intercepted" meant only that "a Patriot and a Scud passed each other in
the sky".

The army has abandoned an investigation of Ted Postol, the professor at
Massachusetts Institute of Technology, who has been among the Patriot's
strongest critics (New Scientist 28th March). Postol had been accused of
using classified data in an article he published that was critical of
the missile's performance.

[It is very good news, if Ted Postol has been "cleared" and that no action will
be taken against him. However the double speak "intercepted" by this article
leaves me worried to say the least. Most people will believe the "successes"
and thus expect great things to happen. When such over-sold systems fail, it is
the scientists, who get the blame and the world starts to reject their
achievements instead.]
                       Lord John - The Programming Peer <w0400@uk0x08.ggr.co.uk>


Re: Ralph Nader/Cable TV/Information Networks (RISKS-13.44)

Tom Wicklund <wicklund@intellistor.com>
Tue, 28 Apr 92 16:36:09 MDT
>  Summary: Your help is needed to secure an amendment to pending cable
>television legislation.  [...]

Hmm, is this in risks because of the risks of cable monopolies to consumers or
because of the risk of Ralph Nader :-)

Unfortunately, this effort makes the false assumption that cable is a monopoly
which needs to be regulated.  Cable is in no way a monopoly, and the most
effective way to control cable costs has been shown to be competition (rates
are much lower in areas with 2 cable providers).

Mr. Nader's effort is, as expected from his political philosophy, an attempt to
create a "consumer" group and force cable companies to promote it before their
customers.  These consumer groups would pay to have information sent to the
consumer, but only "incremental cost" (e.g. the cost of an extra sheet of paper
in your cable bill rather than having to pay their own postage).

These groups would lobby regulatory bodies and legislatures.  This is
apparently needed because regulatory bodies and legislatures are bought and
paid for by the cable companies and so we need another organization to
represent the citizen.

Of course, there's no reason why a consumer group can't be started by
interested individuals and lobby the appropriate bodies -- many such groups
exist today.  This proposal is an attempt to subsidize such groups, not
financially but by legislating reduced cost access to consumers.

This proposal reminds me of (Ralph Nader prompted) "public interest research
groups" which have been started on many university campuses.  When they started
their group at the University of Colorado, they promoted themselves as a
consumer protection group, out to protect the average person (e.g. somebody
stupid and gullible) from big business.

The problem is that rather than being funded like any other campus group, they
proposed that all students be required to pay their fee (about $2.00), then
about 4 weeks after the start of the semester, well after tuition and fees had
been paid, students could apply for a refund of the fee if they didn't want to
pay it, finally receiving the refund several weeks after applying.

This method was desired because it provided the group the highest income (much
higher than voluntary checkoffs).  Of course, this method plays on the same
apathy that they deplored when businesses tried something similar, but the
hypocrisy wasn't noticed.


AT&T announces Easy Reach 700

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 2 May 92 13:21:46 PDT
Easy Reach 700 gives each subscriber a Unique Phone Number that remains
unchanged for the lifetime of the subscription, and that indirects to wherever
you want the call to be received.  The caller does not know the receiving
number or its location.  The service begins on 15 June.

The subscriber can call the assigned 700-xxx-yyyy number, followed by a 4-digit
PIN, then 1#, and then the number to which calls are to be routed.  This can be
done from ANY touch-tone phone (assuming compatible tones, which -- I have
noticed -- is not always the case among clone-phones).  The subscriber may
choose to assign up to 19 different passwords to would-be callers, where the
absence of a password blocks the call indirection.

Perhaps the system will be smart enough to detect systematic attacks such as a
denial of service from a computer dialing your number, running through as many
of the 10,000 possible PINs as necessary until the right one is found, and then
forwarding your calls off into space.  I suppose you would want automatic
calling number identification to detect who is attacking.  (I presume that it
would indicate the original caller, and not the 700 number!)

Of course, following our discussions of schemes for tracking people (such as by
cellular phone IDs), Easy Reach could be misused as an interesting database of
your presumed whereabouts...
                                [Source: San Fran Chron, 29 Apr 1992, p.1]
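
One way to implement the detection speculated about in the note above, counting failed PIN entries per subscriber number rather than per caller. This is an added example, not part of the original digest and not AT&T's implementation; the record format, the thresholds, the function names and the phone numbers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

PIN_SPACE = 10_000       # 4-digit PIN, as described in the note
MAX_FAILURES = 5         # assumed policy: failed entries tolerated per window
WINDOW_SECONDS = 3600    # assumed policy: sliding window length


def detect_pin_guessing(records, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Return {subscriber_number: alert} for numbers under systematic PIN guessing.

    records: (time_s, calling_number, subscriber_number, pin_ok) tuples sorted
    by time. Failures are counted per subscriber number, so a dialer that
    rotates calling numbers is still caught. The lock applies only to
    re-routing by PIN; delivery of ordinary calls is untouched, so the
    lock itself does not become the denial of service.
    """
    recent = defaultdict(deque)   # subscriber -> (time, caller) of recent failures
    alerts = {}
    for ts, caller, subscriber, pin_ok in records:
        if subscriber in alerts:
            # Locked: refuse every re-routing attempt, even with the right PIN,
            # until the subscriber is verified out of band.
            alerts[subscriber]["blocked_after_lock"] += 1
            continue
        if pin_ok:
            continue
        failures = recent[subscriber]
        failures.append((ts, caller))
        while failures and failures[0][0] <= ts - window:
            failures.popleft()    # forget failures older than the window
        if len(failures) > max_failures:
            alerts[subscriber] = {
                "locked_at": ts,
                # calling-number identification of everyone who failed recently
                "callers": sorted({c for _, c in failures}),
                "blocked_after_lock": 0,
            }
    return alerts


def hours_to_exhaust(pin_space=PIN_SPACE, max_failures=MAX_FAILURES,
                     window=WINDOW_SECONDS):
    """Time to try every PIN if guesses were only rate-limited, not locked out."""
    windows_needed = -(-pin_space // max_failures)   # ceiling division
    return windows_needed * window / 3600


def sample_records():
    """Constructed call records: an owner update, one typo, and an auto-dialer."""
    owner = [(1000, "415-555-0100", "700-555-0001", True)]
    typo = [(2005, "303-555-0142", "700-555-0002", False)]
    dialer = [(2000 + 10 * i, "212-555-0199", "700-555-0001", False)
              for i in range(8)]
    late_hit = [(2100, "212-555-0199", "700-555-0001", True)]
    return sorted(owner + typo + dialer + late_hit)


if __name__ == "__main__":
    for number, alert in detect_pin_guessing(sample_records()).items():
        print(number, alert)
    print("hours to exhaust PIN space under rate limit:", hours_to_exhaust())
```

Counting per subscriber number means the single mistyped PIN against the second number raises no alert, while the dialer is cut off after its sixth failure and its later correct guess is refused.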


Re: Tracking by Cellular Phone (Kush, RISKS-13.44)

Les Earnest <les@sail.stanford.edu>
Fri, 1 May 92 16:08:14 -0700
I brought up the subject of cellular phone tracking in a short note to RISKS a
year or so ago and learned that locating a given phone within a sector having
an area of a square mile or so is part of normal operations.  All that is
needed to track a given phone, whether or not it is in active use, is to save
this information in the same way that billing data is saved.

Furthermore, a civil liberties lawyer with whom I discussed this issue believes
that as things stand in the U.S., law enforcement authorities may collect and use
cellular phone tracking data without a court order, unlike tapping telephones.
They would presumably need the cooperation of the cellular phone company in
order to do this without a large investment, of course.

My opinion is that cellular tracking data should be accorded the same
privacy protection as phone taps.

Les Earnest, 12769 Dianne Drive, Los Altos Hills, CA 94022    415 941-3984
Les@cs.Stanford.edu                UUCP: . . . decwrl!cs.Stanford.edu!Les


Re: Tracking by Cellular Phone (Brown, RISKS-13.45)

Mark Fulk <fulk@cs.rochester.edu>
Thu, 30 Apr 1992 17:20:50 GMT
Wouldn't it be cheaper, simpler, and less intrusive to use Skytel-like
satellite pagers to notify people that they have a call?  It would work like
this:

Your cellular phone contains a satellite paging receiver and antenna.  When
someone calls you, the switch has the paging satellites transmit your code and
the connection id number all over the world.  Your phone receives this info,
recognizes that it is meant for this phone, puts the connection id into a
buffer, and rings.  If you pick up the phone and press the "answer" button, the
phone transmits the connection id on a standard connection request frequency.
The connection id encodes the origin of the call, so the switch at the
recipient end can route the call.  You can only be tracked when you answer the
phone.

Since a pager id + connection id need only be about 80 bits long, one
voice-grade satellite channel would be able to handle at least 800 calls per
second.  125 voice grade channels would handle the entire U.S., if every
individual had a cellular phone and received about 10 calls per day.  (Note
that the address of the pager would include the channel it listened to.)

Mark A. Fulk, Computer Science Department, University of Rochester, Rochester,
NY 14627    fulk@cs.rochester.edu


Re: Tracking by Cellular Phone (RISKS-13.44)

Kevin Paul Herbert <kph@cisco.com>
Wed, 29 Apr 92 10:25:22 -0700
I was talking to my mother yesterday about a new device that she had installed
in her car, required by the insurance company in order to insure the car at
full value.

The device tracks the location of the car with sufficient resolution to even give
driving speed. My father called up the service to "test it out", and they said where
my mother was driving, as well as indicating that she was driving 30 in a 35...

If she did not get this locating device, her insurer would have only insured
the car at up to 50% of the car's value.

She didn't know anything about how this data could be disclosed; she hadn't
really thought about it.

The risks should be obvious.
                                              Kevin


Free TRW Credit Report

<MCULNAN@guvax.georgetown.edu>
Wed, 29 Apr 1992 16:32 EDT
The RISKS of not checking one's credit report periodically, and especially
before applying for a mortgage or other loan or a job have been well documented
here and elsewhere.

According to USA Today, beginning April 30, you can get a free copy of your TRW
credit report once a year by writing to:

  TRW Consumer Assistance, P.O. Box 2350, Chatsworth, CA  91313-2350

Include all of the following in your letter: full name including middle initial
and generation such as Jr, Sr, III etc., current address and ZIP code, all
previous addresses and ZIPs for past five years, Social Security number, year
of birth, spouse's first name.  Also include a photocopy of a billing
statement, utility bill, driver's license or other document that links your
name with the address where the report should be mailed.

Mary Culnan, School of Business Administration, Georgetown University
MCULNAN@GUVAX.GEORGETOWN.EDU


Shut Down Ambulance Computer (RISKS-13.38,42,43)

Jean Ramaekers <jrama@ICSI.Berkeley.EDU>
Wed, 22 Apr 92 09:33:38 PDT
In: The Sunday Telegraph (London), No. 1,622, April 19, 1992.

Fatal delays shut down ambulance computer

London Ambulance Service has shut down its new £1.5 million 999-call computer
system and launched an inquiry into failures that have led to fatal delays in
emergency services reaching patients.  In a catalog of errors, the capital's
ambulance service has admitted defeat and agreed not to implement a second
phase of its computer system. But a spokesman said the delays were "not a
system problem but human error".  ...

Already the LAS was under severe pressure to resolve the software problems
following the death of a 20-year-old diabetic, Kerrie Swannell, on February 7.
Miss Swannell died of cardiac arrest shortly before the ambulance arrived, an hour
after it was called. It was said that calls had been lost when a visual display
unit was turned off by mistake.  ...

The computer-aided dispatch system (CAD) was introduced in January in
south-west London, and despite the "lost 999 calls" was extended to the
north-east of the capital on February 25. Mr Barber says the system crashed for
90 minutes every day for more than a week.  ...

ICSI, 1947 Center Street, Berkeley Ca 94704-1105 phone (510) 642-4274 ext 147


London Ambulance - comments

Lord Wodehouse <w0400@uk0x08.ggr.co.uk>
23 Apr 92 10:22:00 BST
I think that this whole area deserves airing. I hope some other readers
in the UK are taking note!             Lord John - The Programming Peer

Date: Thursday, 23 Apr 1992 04:31:27 EDT
From: m21208@mwvm.mitre.org (Scott Dunham)
To: w0400 <uk.co.ggr.uk0x08!w0400@mwunix.mitre.org>
Subject: London Ambulance (RISKS posting)
Sender: M21208@mwvm.mitre.org

I used to be a public safety dispatcher in California (police, fire, AND
ambulance), and all I can say about the current performance of LAS is that it
would have gotten our entire staff sacked.  Fifteen minutes to answer the
phone at a safety critical service is completely, totally, absolutely
unacceptable.  Our standard was no more than 30 seconds, and generally by the
second ring, with arrival of the ambulance at the scene often coming within 5
minutes of the first call.  Even that is almost too slow, because you can lose
heart attack victims in four minutes.

With eleven people on staff, even 30 calls on the same incident can be handled
in a couple of minutes if the staff have a suitable display system available.
Once the incident appears in the queue, subsequent calls are a matter of
establishing the nature and location of the report (15-20 secs) satisfying
yourself that it is indeed a repeat report, and letting the caller know that
help is coming. (Another 10 secs, tops!)  Except for absolutely GROSS
mismanagement, I can see no reason for such horrible response times as are
regularly reported for LAS.  Such a service must be held to a performance
standard commensurate with the seriousness of its task and assigned sufficient
resources to meet that standard.  I think it's safe to say that letting people
die on the phone would not meet a reasonability check for ambulance service
performance...

Scott Dunham (Internet: sdunham@mitre.org) MITRE/London 011-44-895-426572


Risks of using cash

<Robert_Ebert.OsBU_North@xerox.com>
Mon, 27 Apr 1992 13:24:22 PDT
My wife works at a major department store.  This weekend, she was called upon
to translate for two non-English-speaking customers who had been detained for
suspicion of passing counterfeit money.

The two young men had made a small purchase (some socks) and paid with a US $50
bill.  Something about the bill (or perhaps the men) did not seem "right" to
the clerk, and so the men were detained for more than an hour.  The police were
called, and their wallets were searched for more evidence of counterfeiting.
[I don't know whether or not the search was made with permission.]  The men
spoke and acted innocently, and were confused and afraid by the proceedings.

It was determined that the bill in question was one of the new bills that are
designed to *prevent* counterfeiting.  Several other stores in the area were
contacted in order to make this determination.  The new bills have metallic
threads woven into them, have a plastic "id stripe" in the paper that is
visible when held up to the light, and have some design modifications.  [My
info from a "Nova" episode entitled "Making Money"]

I took a look at some new $100 and $50 bills at the local Credit Union, and
they do look and feel different from the older bills.  Additionally, the
printing on the new bills looks rather poor, with green ink from the back
"leaking" through to the face and much evidence of black ink being absorbed
into the paper creating blur lines.  [It's somewhat like the output from my
DeskWriter on cheap paper!]  It is, however, only marginally worse than the
printing on a $20.  Perhaps the spotty printing helps to authenticate the
bill--color copiers either do not have the problem or also blur the "colored
threads".

The men were eventually freed, and advised to "use $20 bills in the future."
Some expired (but not forged) documents turned up as a result of the search
were confiscated from one of the men.  No attempt so far has been made to
inform the rest of the store clerks of the different bills.  It is disturbing
to note that not much publicity has surrounded the issuing of the new bills.
Neither the store personnel, the city police, nor the tellers at my bank knew
anything about them, and if it hadn't been for the Nova episode neither would
I.

While it may be risky to publicise anti-counterfeit measures, it seems more
risky to hide the information from those who need to determine the legitimacy
of the cash.  During my interaction with my bank teller I was also making a
withdrawal, and was offered one of the $50 bills... I opted for $20s instead :)

            --Bob  (bebert.osbu_north@xerox.com)
