The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 12

Friday 7 February 1992


o Another Radiotherapy Error
Brian Randell
o Aviation Software Certification
Brian Randell
o Our database says you'll read this item
Rodney J. Hoffman
o New England Telephone Refiles For CLASS Without Caller ID
John R. Covert
o US Sprint offering phone fraud insurance
Jonathan Allen
o Telephone hacker to be tried
Mark Seecof
o Dutch Crackers - Shifting Blame?
Dave Pipes
o War on Drugs Communications Network Stalled
Sanford Sherizen
o Relative accuracy of FMS/INS navigation
Clifford Johnson
Robert Dorsett
o Strasbourg A320: Duck writes in Duck
Pete Mellor
o Re: Ballad of Silicon Slim
Laurence R. Brothers
o Info on RISKS (comp.risks)

Another Radiotherapy Error

Fri, 7 Feb 92 10:19:55 GMT
The following article about faulty computer control of radiotherapy treatment
is reprinted in its entirety, from today's Independent, a "quality" national
paper here in the UK. The story was covered last night on BBC TV news - where
interestingly enough they referred only to "human error", if my memory serves
me correctly, and where some of the medical experts they sought comments from
expressed fears that the fault might well have led to some fatalities.

            Brian Randell Computing Laboratory, The University,
            Newcastle upon Tyne, NE1 7RU,     PHONE = +44 91 222 7923


Nearly 1,000 cancer patients were given radiotherapy treatment up to 30 per
cent below the proper level, North Staffordshire hospital centre said
yesterday.  A computer programming error meant that for the last 10 years
patients at the hospital in Stoke-on-Trent received doses between 10 and 30 per
cent below the required level.

Stuart Gray, the hospital general manager, said yesterday: "We very much regret
that an error has been made.  We are very concerned about it and the staff of
the department are very upset."  The 447 surviving patients and their general
practitioners have been informed.  Patients and relatives of the 542 who have
died who "need reassurance" can see consultants or call a telephone hotline set
up by the hospital.  Officials say there is no evidence that patients have
suffered.  "It is up to individuals whether they seek compensation from the
district health authority," a spokesman said.

Most of the patients, from as far away as North Wales and Cheshire, were
suffering from cancer of the bladder, pelvis, lung and throat.  No children
or patients with breast cancers or brain tumours were treated.

The physicist who made the mistake by introducing an unnecessary correction
factor when a new planning computer was installed in 1982, has been transferred
to another department while two doctors carry out an independent inquiry.
Colleagues said she was "devastated" after realising her error when the
equipment was replaced just before Christmas.  Mr. Gray said it was too early
to say whether there would be disciplinary action.

The Department of Health, which has been investigating the incident since
December, welcomed the independent review.  A spokesman said: "There is no
doubt that negligence was involved.  An error has been admitted... If there
are any lessons to be learnt they will be implemented."

Mr. Gray said consultants have reviewed the case notes of all 989 patients
treated and have found no evidence that patients had died or suffered because
they received the low doses.  "We have no reason to believe this has had a
deleterious effect on the health of any of our patients.... We would welcome an
independent inquiry to confirm the findings of our consultants."

Two senior radiotherapists - Dr. Thelma Bates of St. Thomas Hospital, London,
and Dr. Daniel Ash of Cookridge Hospital, Leeds - are to carry out the
independent clinical review.  "We want to determine why it happened, why it
went undetected for 10 years and to make sure it never happens again," Mr. Gray

    [The Therac 25 case was one of OVERdoses being life critical.
    It is appropriate to note that UNDERdoses may also be life critical.  PGN]

Aviation Software Certification

Thu, 6 Feb 92 18:41:58 GMT
  The front page of today's issue of the (UK) Computer Weekly is dominated by a
  photo of a very stern-looking Bev Littlewood, under the main headline stating
  "Experts warned CAA before Airbus disaster". The article is by Tony Collins.

Software experts warned the Civil Aviation Authority (CAA) that rules governing
the safety of software in aircraft were inadequate two weeks before January's
crash of the A320 Airbus jet in France.  The results of an enquiry into the
January 20 Airbus crash, which killed 87, are not yet known, but the disaster
has focussed attention on aircraft such as the A320 which has fly-by-wire
controls dependent on the software.

Safety-critical software experts from the British Computer Society (BCS) met
the CAA to express concern about the laxity and ambiguity of certification
criteria used by regulatory authorities to test the safety of complex software
in aircraft.  They also called for improvements in an aviation software
certification codebook, DO/178B, which is now in draft form. They complained
that DO/178B fails to lay down mandatory requirements for aircraft software
safety and relies instead on guidelines.

The delegation to the CAA was led by Brian Wichmann, a software engineering
specialist at the government's National Physical Laboratory and acting chairman
of the BCS's task force on safety related systems.

Airbus Industrie, based in Toulouse, southern France said this week that it has
demonstrated that the A320 and its systems fully meet the requirements of the
world's certification authorities.  But the delegation said that the safety
claims made by the aircraft manufacturers for the software cannot be adequately
tested. One member said that the committees which lay down certification
standards represent the manufacturers' interests more than those of the

Another member of the delegation, Bev Littlewood, professor of software
engineering at London's City University, said that some parts of DO/178B were
"appalling". He said that it fails to stipulate the way in which the claims
made for the software's safety by manufacturer can be tested.

The delegation's third member, Martyn Thomas, chairman of Bath software house
Praxis, said aircraft manufacturers should have to prove that their software
can be easily analyzed to check for any flaws. Certification standards make no
provision for this, he said.

A CAA spokesman said he sympathised with views expressed by the delegation
and added that it is also seeking tougher standards for testing safety-critical

  Clearly the paper has sought to dramatize its account of a meeting by linking
  it so directly to the A320. However I note that the article is followed up by
  a very supportive and reasonably well-argued editorial on page 23 - an
  editorial which ends "The CAA is said to agree with many of the BCS
  objections to the DO/178B guidelines. Only with international support can it
  make any changes."   Brian Randell

Computing Laboratory, The University, Newcastle upon Tyne, NE1 7RU, UK   +44 91 222 7923   FAX = +44 91 222 8232

Our database says you'll read this item

Rodney J. Hoffman
04 Feb 92 12:55:21 PST
Edited bits from a story in the weekly "Marketing" column by Bruce Horovitz
in the "Los Angeles Times" 4-Feb-92, p. D6:


"If you need a stiff drink before reading this column, .... the folks at
Seagram Co. already have a pretty good idea who you are.  And they'll prove
that in this month's issues of Newsweek, Atlantic, and U.S. News and
World Report.  If the marketing gurus at Seagram suspect that you're a
drinker -- or are a likely candidate ... -- you'll be seeing their ads in
your February issues.  But if their research tells them that you're a
teetotaling subscriber, don't expect to see their ads....

"Beginning this month, for the first time on a large scale, a major advertiser
-- Seagram -- will test the ability of a handful of national magazines to
selectively place its ads only in those issues subscribed to by likely buyers
of its liquor....

"Marketers are watching more closely than ever whether consumers eat Wheaties,
collect colorized movies or take frequent trips to Toledo....  How does
Seagram get this kind of personal information?  Officials there declined to
return phone calls.  But typically, [it] is gleaned from elaborate databases
on consumers who order from catalogues, telephone toll-free numbers, or even
fill out questionnaires when renewing magazine subscriptions....

" 'No one wants to get involved in an invasion of privacy,' says James R.
Guthrie, Exec. V.P. of marketing at Magazine Publishers of America.  'But
there is no doubt in my mind that this is the direction that magazine
publishing is going.'  This is just the beginning.  Before the end of the
decade, marketing experts say, many of the advertisers in major national
magazines will do individualized advertising regularly.  And within 20 years,
they say, most of the advertising placed in each issue of every major magazine
will be targeted specifically to narrow groups of subscribers....

[Approving quotes from marketers for Lexus, Reebok, etc., and other magazines]

"But not everyone is enamored of the concept.  'We're not going to do it,'
said Richard McEvoy, Senior V.P. at Carillon Importers, which imports
Absolut vodka.  'It sounds like a good idea, but you won't bring in new
customers if you only advertise to old ones.'"

New England Telephone Refiles For CLASS Without Caller ID

John R. Covert 04-Feb-1992 1015
Tue, 4 Feb 92 07:28:24 PST
[From: TELECOM Digest Tue, 4 Feb 92 20:30:41 CST    Volume 12 : Issue 114]
   [from Marc Rotenberg
   via Lance J. Hoffman]

As a result of the Massachusetts DPU's order requiring free per-line blocking,
New England Telephone has refiled for three of the original four "PhoneSmart"
(CLASS) features in the original filing.

N.E.T. proposes to offer Call Trace, Return Call, and Repeat Call, but not
Caller ID or any of the other features that are part of CLASS such as Incoming
Call Blocking, Selective Call Forwarding.  The last two were not part of the
original filing.

N.E.T. had proposed a monthly fee for Call Trace as well as a charge for each
use; the DPU ordered that it be provided free on all lines with only a per-use

Call Trace will provide the needed protection from annoyance calls without the
privacy problems.

US Sprint offering phone fraud insurance

Thu, 06 Feb 92 13:34:28 -0800
It's been reported that US Sprint is trying to "transform a billion-dollar
industrywide problem into a source of income" by offering phone fraud insurance
to its customers (Information Week, 2/3/92).  Discussions about the conflict
of interest inherent in making a "security industry" financially dependent on
a thriving security problem suddenly seem much less far-fetched...

Is security against phone fraud something that Sprint, a company that doesn't
require the use of PINs on their calling cards, should be asking its
customers to pay for?

Jonathan Allen, University of California, Irvine
CORPS (Computers, ORganizations, Policy, and Society) program

Telephone hacker to be tried

Mark Seecof
Wed, 5 Feb 92 17:27:50 -0800
"Man To Be Tried on Phone Hacking Charges" by Jonathan Gaw.
From the Los Angeles Times, Wednesday, February 5, 1992, page B8.

  [Excerpted by Mark Seecof; elisions and bracketed interjections
  mine as well as all errors -MS.]

VISTA -- A telephone hacker who allegedly tied up lines at Palomar Hospital for
hours at a time has been ordered to stand trial on dozens of felony wiretapping
and eavesdropping counts.  Rick Ivkovich is accused of using his touch-tone
telephone to jam the lines of the Escondido hospital, bringing switchboard
operators to tears.  From as early as April, 1990, prosecutors allege, he
occasionally blocked calls to and from the hospital and connected hospital
operators to outside lines, including 911 emergency lines and the county jail
here.  He also allegedly reported false emergencies to 911 while making it
appear that he was calling from the hospital.

         [Various quotes about stuff the defendant allegedly did.]

Outside the courtroom, Deputy District Attorney James Valiant [dig that name!]
said Ivkovich "had a gripe with the operators at Palomar.  He wanted to use
their telephone system and he wasn't allowed to."

         [Ivkovich has been confined for treatment in Palomar Hospital's
         mental-health unit in the past.]

Ivkovich is charged with 18 counts of wiretapping, 18 counts of eavesdropping,
and nine counts of falsely reporting an emergency, all felonies.  Escondido
police tracked down Ivkovich in December through a series of telephone "traps."

Public Defender William Saunders argued that there may have been no violation
of the law.  "The calls are not private communications as required in the
(eavesdropping) statute.  First of all, he's a party to the call," Saunders
told the court.  "Any call to 911 is a taped call... and I don't think there is
any expectation of privacy there."  Saunders argued that wiretapping charges
require physical attachment to telephone lines, and Ivkovich had none.

But Vista Municipal Judge Harley Earwicker said "there was an unauthorized
connection," which met the wiretapping provisions.

  [Mark Seecof (Los Angeles Times) says:
    The big question here is why Palomar Hospital couldn't (apparently) keep
    this guy from hacking their PBX.  They should have just frozen him out.
    Why did the whole episode get as far as an arrest and felony charges?]

Dutch Crackers - Shifting Blame? (Gonggrijp, RISKS-13.11)

Dave Pipes x4552
Fri, 7 Feb 92 11:11:35 EST
Rop Gonggrijp writes:  [...]
"...A well trained system-manager can protect a system without making it
inaccessible to normal users."

Mr. Gonggrijp's argument seems to be that the hackers could not have really
broken in, as the system was reasonably well protected.  Therefore, it must
have been the "fault" of the system managers that they got in, because they did
not do what was needed and (he implies) were not well-trained enough to do what
was needed.  Ergo, the hackers *really* got in because the system was *not*
well-protected, and hence should bear no responsibility for any costs incurred
in cleaning up after them.

Resting a plea for openness and continued ignoring of crackers on such a
contradictory argument seems foolish, to say the least.  By this reasoning, the
two gentlemen should be let go, and the system managers arrested, perhaps for
recklessly endangering the data of their customers.

Why are all the pro-cracker arguments of the form of "Yes, I did it, but it is
not my fault, because {blame someone else here}"?  The risk?  People who buy
into this line of "reasoning" will feel that it is their moral obligation to
chastise those who they can victimize.  After all, the damage is not real, just
lines on a screen 2000 miles away, and anyway the bozo had it coming...

            David Pipes

War on Drugs Communications Network Stalled

Sanford Sherizen
Thu, 6 Feb 92 15:10 GMT
The New York Times reported today (6 February) that a $617 million
communications network designed to combat drugs is caught in a budget squeeze
and will not be completed for at least nine years.  The network, designed by
the Pentagon and law enforcement agencies, was developed due to consistent
communications problems in fighting drugs.

Relative accuracy of FMS/INS navigation (Dorsett, RISKS-13.11)

"Clifford Johnson" <Cliff@Forsythe.Stanford.EDU>
Thu, 6 Feb 92 15:43:36 PST
In his otherwise excellent posting, in contrasting FMS with INS, Robert Dorsett
states that "the potential for a KAL 007 sort of mismanagement is minimal,"
implying that INS-related problems were to blame for KAL 007's massive
deviation.  But INS-related theories are debunked in R.W. Johnson's book
"Shootdown" (including the theory later relied on in Hersh's book).  More
importantly, the jury in the KAL 007 case found that the deviation was, as a
matter of law, "intentional" and "willful."  KAL was accordingly held liable,
whereas the case against the manufacturers of the INS was dismissed.  The INS was
found to be not a credible proximate cause of KAL 007's deviation.

Relative safety of INS/FMS

Robert Dorsett
Wed, 5 Feb 92 20:08:45 CST
   [Robert had this statement in response to an earlier private exchange
   with Cliff, but it seems appropriate to include it here.  PGN]

I didn't mean to claim that there was one singular authoritative cause of
KAL 007's demise.  At least two books (and many net discussions, including
RISKS) put forth a credible theory that a misplanted number may have thrown
the track off the requisite number of miles.  I should have made the nature
and character of my comment more precise. [...]

Strasbourg A320: Duck writes in Duck

Pete Mellor
Thu, 6 Feb 92 17:35:37 GMT
"Le Canard Enchaine" ("The Chained Duck") is a satirical French rag which
specialises in political commentary of the less respectful variety. It
maintains a high standard of investigative journalism, and is not afraid to ask
awkward questions.  The nearest equivalents are "Private Eye" (UK) and "Der
Spiegel" (Germany).

One of our French colleagues faxed us a recent article from "The Duck".  By
coincidence, it was written by a certain Jerome Canard (and no jokes about
his brother Donald, please! :-).             <It's an old canard, anyway.  PGN>

As usual, RISKS readers will have to bear with my own limited ability to
translate French into something that might pass for English. [Translator's,
and other, notes in brackets.] :-

            Disconnected alarm system on the Air Inter Airbus

The "Flight Analysis Report" [I'm not sure of the exact title of this
document in English] of Air France is confidential. Pity! Its last number,
dated 18 December 1991, reports five cases where the pilots, thanks to
the GPWS (Ground Proximity Warning System), were able to conclude their
flights successfully. This was not the case with the Lyon-Strasbourg A-320.

Explanation: This GPWS is an alarm system which is triggered by five "modes":
excessive rate of descent, excessive rate of approach to the ground, loss of
altitude, etc. Among the five incidents noted by the Air France document, two
concern the A-320. The first was a non-stabilised "approach", the second a
rapid "approach" [to the ground (?)]. Thanks to the GPWS, their pilots avoided
the crash.

Forbidden alarm

All the aircraft of that type are equipped with this system provided by the
manufacturer. Even the A-320s of Air Inter. Alas, they had been "disarmed", as
"Le Point" [a publication which I don't know] wrote. For what reason?  "The
company only serves the Hexagon," it was explained with a slightly bothered air
[i.e., "Don't ask stupid questions!"]. "The pilots know the terrain perfectly."
[Anyone know exactly which region the "Hexagon" is?]

One fact has been established: when the Lyon-Strasbourg Airbus, which was
making a VOR-DME instrument "approach", was judged "clear" by the radar,
it was at an altitude of 5000 feet (1600m) and 5 nautical miles (9.5km)
from the start of the landing strip. In 3 [nautical] miles and one minute,
it had lost 2700 feet and struck the side of Mont St. Odile.

It is there that the essential cause of the drama resides. The experts, without
a doubt, will be astonished at the disconnection of the famous GPWS, all the
more so since, on 12 December 1991, M. Frantzen, director of the aeronautical
training and technical control service, enjoined Air Inter by letter to
"reconnect" these alarm systems.  Il s'est fait envoyer sur les roses. [I think
this means he was told to **** off, but any French reader is welcome to correct

Re: Ballad of Silicon Slim - v13 i10

Laurence R. Brothers
Tue, 4 Feb 92 15:28:38 -0500
Actually, on Neil Young's old album "Trans" (lots of computer-related
songs, but for some reason not released on CD), there is a song called
"Computer Cowboy (aka Syscrusher)", from which I quote:

 "Ride along computer cowboy,
 To the city just in time,
 To bring another system down,
 And leave your alias behind...

... another ballad, I imagine one of the first mass-marketed popular
songs celebrating the computer intruder. I think, by the way, the song
was actually released prior to the book Neuromancer, so the
coincidence of "computer cowboy" is rather odd.

          Laurence R. Brothers
