The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 37

Thursday 9 April 1992

Contents

o Fremont CA Air Traffic Control Center Outage
    PGN
o The Army reflects on the Patriot
    PGN
o Risks of on-line documents dated April 1
    David Tarabar
    Robert Ebert
o Rounding error changes Parliament makeup
    Debora Weber-Wulff
o Believe it or not -- there's some reason on the bench!
    Phil R. Karn
o Cryptography used by Terrorist Organisation
    Kees Goossens
o Crypto (Export) Policy
    Bill Murray
    Brinton Cooper
o Certification of Cockpit Automation
    John Theus
o The Paper(less) Trial
    J Chapman Flack
o Risks of academic cheating by computer
    Prentiss Riddle
o Public TV series revisited
    Brian Tompsett
    Nick Rothwell
o Re: Correcting Erroneous Database Listings
    Fred Gilham
o Software Failures
    Lin Zucconi
    PGN
o Info on RISKS (comp.risks)

Fremont Air Traffic Control Center Outage

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 9 Apr 92 10:07:14 PDT
While I was in the air back to SFO from Washington yesterday morning, the
Oakland CA en-route traffic control in Fremont had a major snafu, seriously
snarling West-coast and Pacific Ocean air traffic from 8:40am PDT, for two
hours.  Outgoing flights were delayed more than incoming flights.  The backup
system requires manual handshaking where otherwise the system would handle
handoffs automatically, so there was some element of risk involved.  However,
the outage of the one center did not directly impact safety.  Required
separations between planes were increased to 20 miles for landings and
departures, instead of 3 miles, and the net effect was a return to the
leisurely pace of the 1950s.  The cause of the failure is not yet known,
although it was thought to be a software problem.  [Some details can be found
in Traffic Control Center Failure Snarls Airline Flights, by Jack Viets, San
Francisco Chronicle, 9 April 1992, front page]


The Army reflects on the Patriot

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 9 Apr 92 11:41:06 PDT
The Army acknowledged on 7 April 1992 that its glowing claims of success were
based on faulty data and indicated it is now certain that the missile
``killed'' roughly 10 Iraqi Scud warheads out of more than 80 fired at Israel
and Saudi Arabia, although the actual number could be greater.

[Source: A front-page article by George Lardner in the Washington Post, Army
Cuts Claims of Patriot Success: Reduced Figures on Missile's Precision During
Gulf War Are Issued, 8 Apr 1992.]

Also, see the earlier item on MIT Professor Theodore A. Postol's article and
its aftermath, discussed in RISKS-13.32.  Postol was on Fox TV early on the
morning of the 7th, prior to the Army briefing, discussing the Patriots.  He
suggested that 10% was much closer than the 80% previously claimed, and that it
is actually conceivable that NO direct kills were actually achieved!


Risks of on-line documents dated April 1

David Tarabar <dtarabar@hstbme.mit.edu>
Wed, 8 Apr 92 19:31:02 -0400
In Risks 13.34, an article describing an alleged remote backup service began:

> Date:   Thu, 2 Apr 1992 11:07:48 PST
> From: Robert_Ebert.OsBU_North@xerox.com
> Subject: Backup over the phones?

> Excerpted from TidBITS#114/01-Apr-92, source: BackData, info@backdata.com

The article mentioned some of the obvious risks involved and subsequent
issues of Risks contained follow-up articles.

However, in TidBITS#115, the author mentioned that TidBITS#114 was the April
Fools issue and all of the content was fictional.

Not getting an April Fools joke might be more of a risk in on-line documents
because often they are not read until some time after the first of April.
(Of course there can be a similar problem with hard copy media - I get
several magazines whose April issue arrives in late February or early March.)

David Tarabar (dtarabar@hstbme.mit.edu)


Risks of too-subtle April Fools Jokes (Backup over the phones?)

<bebert.osbu_north@xerox.com>
Tue, 7 Apr 1992 14:03:01 PDT
RISKS-13.34 (Friday 3 April 1992) carried a submission from me forwarded from
TidBITS#114/01-Apr-92 about Backing up Macs and PCs over the phone.

TidBITS#115/06-Apr-92 carried the following notice:

  To quote from the excellent movie "Spinal Tap," "it's a fine line
  between clever and stupid." I may have fallen off that fine line
  in writing TidBITS#114, because despite a few clues and hints, the
  fact that it was indeed our annual April Fools issue appears to
  have gone generally unnoticed. Almost everything in that issue was
  false - though often entirely possible and even intensely
  desirable - with the exception of the IBM marketing move (which
  was strange enough to be an April Fools joke), and the Dolch
  projection panel (which I used to make the last article more
  believable). Sorry folks, if I threw you for a loop.

So, there you have it.  I don't consider myself to be terribly gullible, but I
was taken in.  [I didn't have this problem with any other April jokes... I
don't think.  But then, most of the ones I got were substantially more
obviously jokes than this.  Xerox is *not* going to lease its newly acquired
buildings in Palo Alto to the Marriott hotel chain, and an "Amusement park for
Silicon Valley geeks" requiring "magnetic badges built into pocket protectors"
is *not* going to be opened on the neighboring land at Page Mill & Foothills.]

In any case, apologies all around for spreading what turned out to be false
information.  The backup scheme described seems entirely plausible, and even
lucrative.  Looking over the rest of the TidBITS digest, I suppose there are
clues to be had... in retrospect.  In comparison to the rest of the silliness
that the rest of the net goes through every April, TidBITS was the height of
subtlety.  Ah, well, whatever it takes to relieve those tax-time blues, I
suppose.

The IBM marketing move (from TidBITS#114/01-Apr-92):
  Ralph Amundesen wrote with some interesting information about IBM.
  Evidently, IBM is so worried about OS/2 that the company has
  expanded its battalion of salesbots by drafting the entire
  company. I don't know if this will go as far as dark-suited IBM
  folks out pounding the pavement ("Excuse me, Ma'am, may I come in
  and demonstrate what OS/2 2.0 can do for you today?"), but all
  344,000 employees are in it for fun and prizes.  It's a step up
  from grade school, but IBM employees could win medals, IBM
  software, IBM hardware, or even cold hard cash. I sure hope they
  don't stop in here since I don't have 30 MB free under SoftPC to
  test it. Sheesh, wouldn't you think it would be easier to just buy
  a few TV spots like Microsoft is doing?

The Dolch projection panel (from TidBITS#114/01-Apr-92):
  Interestingly, Dolch Computer Systems just released a color LCD
  projection panel that can double as a stand-alone screen for a
  mere $8500.

            --Bob (bebert.osbu_north@xerox.com)


Rounding error changes Parliament makeup

Debora Weber-Wulff <weberwu@inf.fu-berlin.de>
Tue, 7 Apr 1992 12:38:29 GMT
We experienced a shattering computer error during a German election this past
Sunday (5 April). The elections to the parliament for the state of
Schleswig-Holstein were affected.

German elections are quite complicated to calculate. First, there is the 5%
clause: no party with less than 5% of the vote may be seated in parliament.
All the votes for this party are lost. Seats are distributed by direct vote
and by list. All persons winning a precinct vote (i.e. having more votes than
any other candidate in the precinct) are seated. Then a complicated system
(often D'Hondt, now they have newer systems) is invoked that seats persons from
the party lists according to the proportion of the votes for each party. Often
quite a number of extra seats (and office space and salaries) are necessary so
that the seat distribution reflects the vote percentages each party got.

On Sunday the votes were being counted, and it looked like the Green party was
hanging on by their teeth to a vote percentage of exactly 5%. This meant that
the Social Democrats (SPD) could not have anyone from their list seated, which
was most unfortunate, as the candidate for minister president was number one on
the list, and the SPD won all precincts: no extra seats needed.

After midnight (and after the election results were published) someone discovered
that the Greens actually only had 4,97% of the vote. The program that prints out
the percentages only uses one place after the decimal, and had *rounded the
count up* to 5%! This software had been used for *years*, and no one had thought
to turn off the rounding at this very critical (and IMHO very undemocratic) region!

So 4,97% of the votes were thrown away, the seats were recalculated, the SPD got
to seat one person from the list, and now have a one seat majority in the parliament.
And the newspapers are clucking about the "computers" making such a mistake.

Debora Weber-Wulff, Institut fuer Informatik, Nestorstr. 8-9,
     D-W-1000 Berlin 31 dww@inf.fu-berlin.de +49 30 89691 124
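
Added example, not part of the original post and not the election software it describes: the 5% clause applied once to the rounded one-decimal display value and once to the raw counts, followed by a D'Hondt allocation. It assumes a simplified pure-list election (no precinct seats, no extra seats), constructed vote counts, a hypothetical 21-seat chamber, and hypothetical party names other than SPD and Greens.

```python
from decimal import Decimal, ROUND_HALF_UP
from fractions import Fraction

THRESHOLD_PERCENT = 5  # the 5% clause described in the post

# Constructed vote counts (not real election results). Only "SPD" and
# "Greens" are names from the post; the other parties are hypothetical.
CONSTRUCTED_RESULTS = {
    "SPD": 46200, "Party B": 33900, "Party C": 6300,
    "Party D": 5630, "Greens": 4970, "Others": 3000,
}
SEATS = 21  # hypothetical chamber size


def displayed_percent(votes, total):
    """Share as a results printout shows it: one decimal place, rounded."""
    share = Decimal(votes * 100) / Decimal(total)
    return share.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def passes_threshold_rounded(votes, total):
    """Flawed: the legal decision is taken on the rounded display value."""
    return displayed_percent(votes, total) >= THRESHOLD_PERCENT


def passes_threshold_exact(votes, total):
    """Exact: integer comparison on the raw counts, nothing is rounded."""
    return votes * 100 >= THRESHOLD_PERCENT * total


def dhondt(votes_by_party, seats):
    """Highest-averages allocation; assumed tie rule: more votes wins."""
    won = {party: 0 for party in votes_by_party}
    for _ in range(seats):
        best = max(won, key=lambda p: (Fraction(votes_by_party[p], won[p] + 1),
                                       votes_by_party[p]))
        won[best] += 1
    return won


def allocate(results, seats, passes_threshold):
    """Drop parties that fail the threshold check, then distribute seats."""
    total = sum(results.values())
    eligible = {p: v for p, v in results.items() if passes_threshold(v, total)}
    return dhondt(eligible, seats)


if __name__ == "__main__":
    total = sum(CONSTRUCTED_RESULTS.values())
    greens = CONSTRUCTED_RESULTS["Greens"]
    print("Greens displayed:", displayed_percent(greens, total), "%")
    print("rounded check:", allocate(CONSTRUCTED_RESULTS, SEATS, passes_threshold_rounded))
    print("exact check:  ", allocate(CONSTRUCTED_RESULTS, SEATS, passes_threshold_exact))
```

With these constructed counts the rounded check seats the Greens and leaves the largest party one seat short of a majority; the exact check excludes them and the majority appears.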


Believe it or not -- there's some reason on the bench!

Phil R. Karn <karn@thumper.bellcore.com>
Tue, 7 Apr 92 19:18:33 EDT
Defense Loses Bid to Present Animated Videotape Depicting Baton Blow
By Linda Deutsch, Associated Press Writer

   Simi Valley, Calif. (AP) The judge in the trial of four officers accused of
beating a motorist refused Tuesday to let jurors see an expert witness's
animated videotape recreating the first baton blow.  Superior Court Judge
Stanley Weisberg said he wasn't convinced that the tape, created by a
biomechanical engineer with the help of a computer program, was scientifically
reliable.  ``It would lead the jury to think it must be accurate ... that it's
true because the computer shows it,'' Weisberg said. ``Just because it's sold
in software stores doesn't make it reliable.''  However, the judge said the
witness, biomechanical engineer Carley Ward, could testify on the limited issue
of how much force is produced when a baton strikes a human head and how much
damage would be done.
   Officers Theodore Briseno, 39, Laurence Powell, 29, Timothy Wind, 31, and
Sgt. Stacey Koon, 41, are on trial in the March 3, 1991 beating of Rodney King.
A bystander's videotape of the beating led to a nationwide furor over police
brutality and inflamed racial tensions in Los Angeles. King is black, the
officers are white.
   Ms. Ward testified outside the jury's presence that Powell, in a test
conducted by her, exerted 1,500 pounds of pressure when swinging a baton in a
``full power swing.'' Prosecution witnesses have said he struck King's head in
such a manner.
   If King was struck with that force, Ms. Ward said, she would have expected
more injury than the broken facial bones he suffered.  She said her experiments
striking the heads of cadavers at such velocity produced brain injuries.
   Michael Stone, Powell's lawyer, said he would need time to determine if he
wanted to call Ms. Ward, given the limitations imposed by Weisberg.


Cryptography used by Terrorist Organisation

<kgg@dcs.edinburgh.ac.uk>
Mon, 6 Apr 92 10:10:08 BST
In RISKS-13.34 various people wrote about cryptography.  The following shows
how it is already used by terrorists.  On Saturday 4th April the British
newspaper the Guardian reported that all the leaders of the Basque separatist
organisation ETA had been captured in a police raid in France. (ETA is a
terrorist organisation in Basque, Spain which wants independence from Spain.
They have killed many over the last 10 years.) The leaders must have found out
several minutes before the raid, as they tried to find matches to burn
documents they had in their possession.  Failing, they tore them up and flushed
them down the toilet instead. (It is not stated whether the police recovered
them.) The interesting part however, is that the police captured a computer (PC
or laptop) from the ETA some time ago (more than 18 months if I remember
correctly) but they have, to date, not been able to break the code which was
used to decrypt all the information. I suppose this must be a worst case scenario
for intelligence organisations such as the police etc.

Kees Goossens, LFCS, Dept. of Computer Science     JANET: kgg@uk.ac.ed.dcs
University of Edinburgh, Scotland   UUCP:  ..!mcsun!ukc!dcs!kgg


Crypto (Export) Policy (Cohen, RISKS-13.36)

<WHMurray@DOCKMASTER.NCSC.MIL>
Tue, 7 Apr 92 07:50 EDT
The US policy on export of crypto, while silly, is not quite as silly as Fred
thinks.  He thinks that it is silly to discourage export of pure information in
one form while tolerating it in another.  In fact, that is not quite true.

While once embargoed, (indeed NSA asserted that mere discussions of crypto were
"born classified") publication of cryptographic information is sufficiently
like protected speech for its prohibition to raise constitutional issues.  (You
and I would likely agree that the law should not distinguish between the media
of publication.)  However, this is not the only reason that print publication
is tolerated.

The government tolerates "publication" of crypto in hardware encapsulation
because replication is very difficult.  Likewise, the same information on paper
appears to them to be safer than on machine readable media.  While information
printed on paper can be readily copied, the procedure must be in machine
readable form before it can be used.  While, as Dr.  Cohen suggests, one can
scan information from paper into a computer, the government sees this as
undesirable but tolerable.  This is only one of the silly parts of this policy.

Nonetheless, any use of crypto has the potential to increase the cost of
intelligence gathering, and less important, reduce the effectiveness of law
enforcement.  While the government understands that it will not be completely
successful, it believes that it has a responsibility to resist whenever and
wherever it can.

History tells us that intelligence gathering is expensive in any case.  It also
tells us that we are better at gathering it than we are at using it.
Nonetheless, it is a dangerous world.  If you believe, with the government, that
cheap intelligence gathering is a high value, support the government policy.

The Director would have you believe that mere use of ISDN, much less secret
codes, is inhibiting the ability of the government to enforce the laws against
terrorism, drugs, and organized crime.  If you believe that the use of
commercial crypto by criminals is wide-spread, if you believe that law
enforcement should be cheap and easy, and if you believe that law and order are
values that are superior to individual freedom and privacy, then support the
government policy.  Otherwise, resist it.

If you believe that international electronically mediated trade and commerce
require codes that both parties can trust, then you may wish to join FBC in
resisting this silly policy.  If you believe that international trade and
commerce are more important than efficient intelligence gathering, then to the
extent that you believe that, you have an obligation to resist.

William Hugh Murray, 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
                     203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL


Re: Good crypto (Cohen, RISKS-13.34)

Brinton Cooper <abc@BRL.MIL>
Tue, 7 Apr 92 14:55:50 EDT
FBCohen@DOCKMASTER.NCSC.MIL has posted comprehensive criticisms of US policy
regarding export of cryptosystems.  In a word or two, he shows how absurd it is
that an American could develop a cryptosystem abroad and both sell it
abroad and import it to the US without violating US export laws.

Surely spooks from NSA, FBI, CIA, Commerce, and others (Oops, does Commerce
have spooks?  It wouldn't surprise me) read Risks-Digest.  Why, then, don't we
have an authoritative, or at least an informed rebuttal to his postings?  Is
this, after all, a partisan political decision that has not been made on the
basis of what's best for US competitiveness but rather of what best
fulfills some hidden agenda?

C'mon, someone, speak up!
                                                  _Brint


Certification of Cockpit Automation

John Theus <john@theus.rain.com>
Fri, 03 Apr 92 00:14:49 -0800
The 23 March 1992 issue of Aviation Week focused on automated cockpits with
9 articles on the subject. Very interesting reading.  The most interesting
quotes were in the article "Pilots, Human Factors Specialists Urge Better
Man-Machine Cockpit Interface".

Near the end of the piece, Anthony J. Broderick, associate FAA administrator
of regulation and certification is quoted several times. Quoting AW&ST:

  Although there are "no real, fundamental changes needed" to certify advanced
  hardware and software under development by major airframe manufacturers, there
  is a need "to develop procedures that will establish certification standards
  for a level of safety" when using such systems, he said. ....  The agency's
  [FAA] experience base, in addition to rules established by the RTCA --
  formerly known as the Radio Technical Commission for Aeronautics -- that
  governs design standards for software and hardware used in automation
  equipment, provides an acceptable means to certifying systems as they are
  developed, according to Broderick.

Glad to know we don't need to worry about this anymore!

John Theus          john@theus.rain.com    TheUs Group


The Paper(less) Trial

j chapman flack <chap@art-sy.detroit.mi.us>
Tue, 07 Apr 92 01:54:24 GMT
From _The Cincinnati Enquirer_, date missing from my copy:

    A judge's distaste for clutter is pushing Cincinnati's federal
  court into the high-tech world.
    When a securities case comes to trial soon in the courtroom
  of federal district Judge Carl Rubin, reams of exhibits will be
  computerized and displayed on eight computer monitors.
    ...
    The alternative is rows of cumbersome file cabinets lining
  the walnut-paneled walls of his courtroom for weeks on end.
    "And I hate that," he said.
    ...
    With the push of a few buttons, the courtroom deputy can
  display the exhibits on three color monitors in front of the
  jury box, and on screens stationed before the judge's bench,
  witness stand and lawyers' tables and podium.
    ...
    Computerization also may cut down on trial time because
  lawyers can change exhibits without carting posters and
  papers around the courtroom.

   [The newspaper photo shows a monitor displaying the front and back
   of a bank check, signatures and all.  "I saw it on the computer,
   so it had to be real...."]

Chap Flack   chap@art-sy.detroit.mi.us


Risks of academic cheating by computer

Prentiss Riddle <riddle@hounix.org>
Thu, 9 Apr 92 9:21:08 CDT
There is an academic cheating brouhaha this semester at the university where I
work which is brimming over with computer risks.  I am not privy to the details
of the case, but here is a summary from the published accounts.

This university has an Honor Code governing student cheating which is a source
of much school pride.  Students agree not to give or receive aid on schoolwork
and as a result the university can function without the burden of proctored
exams.  Alleged violations of the Honor Code are taken before the Honor
Council, an elected student body which has the authority to dole out
substantial punishments.  Honor Council cases are publicized in the form of
anonymous abstracts which mask the identities of all parties.

Enter the computer: Earlier this semester, two students were accused of
colluding on a homework assignment which was done and handed in via one of the
university's academic computer networks.  Their TA noticed that portions of the
two students' homework were identical, down to the initials of one of the
students.  Network officials were asked to examine backup tapes for the period
of time in question and produced evidence which supported the theory that
"Student B" had sent homework to "Student A" by electronic mail immediately
before Student A turned it in.  The students argued that they were innocent and
were the victims of a frame-up by an unknown "User X" who they alleged had
gained access to their accounts.  The Honor Council refused to accept the "User
X" theory and convicted both students.  Student B's conviction was later
overturned partly on the basis of further evidence supplied by network
officials which suggested that Student A committed the acts of cheating alone
by logging in to Student B's account.

Although officially the case is closed, it is the subject of much heated debate
in the student newspaper and local Usenet newsgroups at the university.  Both
students continue to maintain their innocence and their supporters have rallied
around the slogan "Free Student A".

Computer risks seem to surround this case on all sides.  A few which
come to mind:

-- The risk of cheating by computer in the first place.  While academic
cheating is as old as academia, the computer can make it, like so many other
things, easier than ever before.

-- The risk of frame-ups.  While the Honor Council appears to be satisfied that
the computer evidence substantiates real cheating in this case, it is clear
that a person with access to one or more users' accounts could at least cause
them a major nuisance and possibly succeed in framing them for cheating.  With
the penalties involved going as high as academic suspension from a school which
costs thousands of dollars per semester, this is no light matter.

-- The complexity of evidence in cases of computer cheating.  Honor Council
members were quoted in the student paper as complaining about the new and
bewildering kinds of evidence they are asked to consider in computer cheating
cases, and critics of the Honor Council have complained about the dangers of
being judged by people who are not users of the systems involved and don't
thoroughly understand them.

-- The burden on system administrators.  The network official who provided the
bulk of the evidence estimated that he spent a full week gathering and
analyzing it.  Since the case came up, the local academic network has extended
the period of time it keeps daily backups before recycling them.  How much data
is it reasonable to keep, and to pore over, in order to provide evidence in
cases like this?  I don't know of a way to determine a firm answer.

-- The danger to trust and to openness.  Both the university's Honor Code and
the tradition of open exchange of information within the computing community
are threatened by cases like this.  Must students be kept in a "padded shell"
to prevent computerized cheating?

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") priddle@hounix.org


Public TV series revisited

Brian Tompsett <bct@cs.hull.ac.uk>
Mon, 6 Apr 92 11:08:18 BST
 In RISKS-13.34, a new PBS series on computers was mentioned. These 5
programmes have already aired some weeks ago on the BBC in the UK. I have seen
all 5 and regard them as excellent. Their coverage of the historical material
was the most accurate and even-handed I have ever seen. Their coverage of risks
issues is also exemplary. I could seriously use them in undergraduate teaching
and did not regard them in any way as "technopulp" for the masses.

 There is the probability that some of the programmes are "tailored" to the
home audience. I have experienced this before with other WGBH/BBC
co-productions. This highlights some interesting assumptions often made with
regard to TV programmes. If the programmes are in our field we assume them to
be "technology for the masses", whereas the masses, having seen it on TV assume
the fact presented in the program to be true. Further, if the programme is
aired around the globe, or around the nation from more than one TV station we
assume everyone shares the same programme we do.

 Do they tell the people in Cambridge (either one) that they invented the
computer and at the same time tell someone in another time zone that it
was invented by a little old lady from Novosibirsk? Are we being manipulated
by global telecasting on an Orwellian scale? Who can tell? Not easy is it.

 Brian Tompsett, University of Hull, UK.


The Machine that Changed the World

Nick Rothwell <nick@dcs.edinburgh.ac.uk>
Mon, 6 Apr 1992 13:45:42 +0000
>Perhaps it is risky not to see how our
>industry is being popularized for the mass media.

Perhaps, but I've seen three out of the five programmes and was quite
impressed with the factual accuracy.

>Another risk: the title of the series is the same as that of a recent book
>about the _auto_.

Erm, the Americans must be using a different name. Over here the TV series was
called "The Dream Machine."
                                                  Nick.


Re: Correcting Erroneous Database Listings (Davis, RISKS-13.36)

Fred Gilham <gilham@csl.sri.com>
Mon, 6 Apr 92 13:57:21 -0700
> The answer that I would propose for consideration is that the great
> nightmare of science fiction, an authoritative official database, may be in
> fact the only way to protect ourselves from all the little brothers spreading
> information about us.

I disagree with this, or rather, think it should be an extremely last resort.
I think promulgation of inaccurate information should be legally treated as a
form of libel, with legal recourse for those who do it.  Currently I understand
that there is very little legal recourse for someone who suffers from
inaccurate information in this manner, and so little incentive to eliminate it.

-Fred Gilham    gilham@csl.sri.com


Software Failures

"Lin Zucconi" <lin_zucconi@lccmail.ocf.llnl.gov>
7 Apr 92 16:24:42 U
Has anyone heard of or have evidence of a failure in a safety-related or other
critical or security system where the developers claim they "did it right",
e.g. they used good software engineering practices during development and had a
good SQA program, and in particular, where they have identified common-mode
failures in N-way redundant systems in hardware or software?

Lin Zucconi   zucconi@llnl.gov


Software Failures

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 9 Apr 92 11:00:10 PDT
Lin, You might look at the following paper:

  * Peter G. Neumann.  The Computer-Related Risk of the Year: Weak Links and
    Correlated Events.  Proceedings of COMPASS '91.  IEEE 91CH3033-8, pp.5-8.
    This paper notes the 1980 ARPANET collapse, the 1990 AT&T long-distance
    collapse, and a bunch of telephone system outages, and considers seemingly
    weak-link failures that actually arose because of multiple-fault modes.
    It also notes some further references that might be useful to you.

    - S.S. Brilliant, J.C. Knight, N.G. Leveson.  Analysis of Faults in an
      N-Version Software Experiment.  IEEE Trans. on Software Engineering,
      Feb 1990, pp.238-247.

    - J.E. Brunelle and D.E. Eckhardt.  Fault-Tolerant Software: Experiment
      with the SIFT Operating System. AIAA Computers in Aerospace V
      Conference, October, 1985, pp.355-360.

    - R.I. Cook. Reflections on a telephone cable severed near Chicago.  SEN,
      16, 1, pp.14-16.

    - J. DeTreville. A Cautionary Tale.  SEN, 16, 2, Apr 1990.

and look through the RISKS and Software Engineering Notes archives (index in
Jan 1992).  I imagine some of our readers will also send you further
references, with CC: to RISKS, please.
