The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 15

Weds 15 June 1994

Contents

o Privacy: Your Secrets For Sale
Les Earnest
o Life imitates Bart Simpson
Jeffrey S. Sorensen
o "Computer Ethics" by Deborah Johnson
Rob Slade
o Re: More Chunnel vision
Philip H. Smith III
o Re: Airbus
Mary Shafer
Robert Dorsett
Phil Overy
Wesley Kaplow
o Re: Risks of speed enforcement
Jonathan Clark
Clive D.W. Feather
o Re: RISKS in UK Election Voting Process
Doug Tooley
Kent J Quirk
John C Sager
Sean Matthews
Peter Robinson
John Gray
o Info on RISKS (comp.risks)

Privacy: Your Secrets For Sale

Les Earnest <les@sail.stanford.edu>
Sun, 12 Jun 94 17:39:31 -0700
ABC's Nightline programs on June 9 & 10 focussed on invasions of privacy that
are facilitated by computers and other electronic media.  The program mainly
covered things that we are familiar with but performed a valuable service, I
believe, by bringing some important privacy issues to the attention of the
general public in a fairly clear and direct way.

The program began with Ted Koppel presenting results of a public opinion poll
on two questions:

  Is the sale of records to mail order companies an invasion of privacy?
    YES - 73%  NO - 27%

  Are you concerned about threats to your privacy?
    YES - 85%  NO - 15%

Koppel went on to assert that the amount of personal information that is
available online is currently quadrupling each year.  An interview followed
with an information broker named Al Schweitzer, who they mentioned is
currently on probation for bribery in connection with information gathering.
They gave him names and social security numbers of a couple of people and he
showed that in less than 24 hours he could get a great deal of information
about them from legal sources, including their residential addresses going
back a number of years, the amounts of all outstanding loans and credit card
debts and terms of a divorce settlement.

Schweitzer could not resist mentioning that he could get additional
information, including detailed phone bills and lists of credit card purchases
through illicit but readily accessible channels and could get the person's
income through another such channel at a cost of $50.  He showed a list of
kinds of information, both legal and illegal, that are available and the
schedule of fees for these services.

There was a discussion of the fact that state and local governments sell a
great deal of information to direct marketers, including voter registration,
property owners lists, court records, and (in many states) motor vehicle and
drivers license registrations.  These agencies derive a great deal of income
from selling this information, which has assisted direct marketers to keep
track of 80 million Americans.  Thus they have a mutually beneficial
relationship, arguably at the expense of the public.

It was mentioned that Barbara Boxer's bill, which has passed the U.S.  Senate,
would restrict dissemination of information by all state departments of motor
vehicles.

They interviewed a "reformed hacker" named Ian Murphy who is now a security
consultant.  Murphy pointed out that all calls to 800 or 900 numbers make the
caller's phone number available and that with a computer and an available
database this can be mapped into the subscriber's name and address.  He also
discussed how it was possible to intercept a telephone conversation from a
specific cellular phone.  He noted that this is illegal but that it is almost
impossible to catch anyone who does it.  He concluded that "Laws can't keep up
with technology."

In a discussion of the Clipper Chip there was a short interview with John
Perry Barlow in which he remarked that with it "The government can sit in your
living room and hear everything you say."

A woman from Houston, Texas, named Carol Gibbs told her horror story about
having her credit usurped by another person and the fact that it has taken her
two years to get her life back together.

It was pointed out that even though it is now illegal to sell video rental
records, it is perfectly legal to sell personal medical records!

The second program concluded with a discussion between Koppel, Schweitzer,
Sally Katzen of the "Clinton Privacy Group" and Representative Ed Markey, who
discussed his proposed "Privacy Bill of Rights."  Markey said that this bill
would impose two requirements:

(1) That individuals must be given knowledge that information is being
    gathered about them electronically;

(2) Individuals must be given notice when information that has been
    gathered is proposed for a use other than the one for which it
    was gathered.

Katzen mentioned that it has been over 20 years since the Code of Fair
Information Practices was developed and that technology has changed
substantially: in 1973-74 most records were paper-based but computer-based
records now dominate.  She asserted that the law has to catch up.

In parting it was mentioned that a representative of one of the "big three"
credit information houses had originally agreed to participate in the
discussion but decided not to come after learning who else would be there.

    -Les Earnest


Life imitates Bart Simpson

"Jeffrey S. Sorensen" <sorenj@rpi.edu>
Mon, 13 Jun 1994 23:14:34 -0400
This is a Risk only fans of The Simpsons will appreciate:
(Paraphrased from New Haven Register Sunday, June 12, 1994 [With my comments!])

Northeast Utilities reported that it had failed to follow proper safety
procedures on 2 occasions in April at its Millstone 2 plant in Waterford.

On April 23, an indicator showed that some of the control rods were stuck.
The crew concluded that the problem must have been with the indicator and left
for the day.  When the new crew arrived, they discovered the rods were indeed
stuck but failed to shut down the reactor as quickly as they should have and
underclassified the seriousness of the event.

[See stdrisks.h sections on incredulous operators ignoring unexpected
warnings.  Also see section on It's Not MY Problem/It's Miller Time
(After a HOT day at work, everyone's _dying_ to get home)]

After the incident, some of the plant's operators failed a Northeast
Utilities test on reactor theory and were removed from duty for training.
The utility's report blamed the problem in part on the operators'
failure to understand reactor theory and a failure of plant
management to "fully appreciate the implications" of the safety-related
event and to provide sufficient oversight.

[sound clip of Homer: Dough!]
[sound clip of Mr. Burns: Excellent...]

The other incident involved a coolant leak from the plant's reactor.
In this case, the operators again underclassified the seriousness of
the event.  Notification of federal authorities was delayed by 16
hours.

[Guess they were just letting off a little steam after failing their tests...]
[sound clip of Bart: Aye Carumba!]

Jeffrey Sorensen  sorenjs@pb.com


"Computer Ethics" by Deborah Johnson

Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067
Tue, 14 Jun 1994 11:55:07 -0600 (MDT)

BKCMPETH.RVW  940322

Prentice Hall
113 Sylvan Avenue
Englewood Cliffs, NJ   07632
(515) 284-6751
FAX (515) 284-2607
phyllis@prenhall.com
70621.2737@CompuServe.COM Alan Apt
Beth Mullen-Hespe beth_hespe@prenhall.com
"Computer Ethics", Johnson, 1994, 0-13-290339-3

Unlike the famous quote about life in the state of nature being nasty, dull,
brutish and short, Johnson's examination of the state of ethics in computing is
readable, interesting, discerning--and short.

Unlike the usual treatment of ethics as proof by exhaustion, Johnson does a
complete and reasonable job.  Without recourse to mounds of collected work (of
dubious merit), the major points of professionalism, property rights, privacy,
crime, and responsibility are addressed.  Even in this brief space, ethics are
studied more rigorously than in more weighty tomes.  Not content with the usual
reliance on relativism and utilitarianism, Johnson points out the flaws in
each.

"Complete" is, I suppose, an overstatement.  Although it is difficult to
imagine a scenario that the book does not touch upon at some point, ultimately
this book is a good primer and discussion starter.  Although possibly the
definitive work in the field to date, it does not, in the final analysis, get
us much closer to a computer ethic.

Recommended.  Should be required reading for all computer science students.
Exposure wouldn't hurt any number of professionals and executives, either.

copyright Robert M. Slade, 1994   BKCMPETH.RVW  940322

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
BCVAXLUG ConVAXtion, Vancouver, BC, Oct. 13 & 14, 1994 contact vernc@decus.ca


More Chunnel vision

Philip H. Smith III <PHILS@RELAY.RELAY.COM>  (703) 506-0500
Tue, 14 Jun 94 06:46:18 EDT
I had always hoped the Chunnel would allow auto traffic, with HOV
restrictions, thus enabling the dreaded "Carpool Tunnel Syndrome".

...phsiii


Airbus A3(0?)0 deductions (Overy, RISKS-16.14)

Mary Shafer <shafer@ferhino.dfrf.nasa.gov>
Tue, 14 Jun 94 07:51:24 PDT
Phil> 1) Boeing sell similar automation to the A320 - they also caused
Phil> the second-worst Japanese crash and in this case much more
Phil> directly (the fuselage broke).

Not true--Boeing does not have any fly-by-wire aircraft in operational status.
They have flown precisely ONE fly-by-wire aircraft, the prototype 777.  And it
made its first flight last week.

Phil> 2) whether you use sidestick or yoke, a modern airliner has no
Phil> direct "cables" to the rudders - it relies on multiple links
Phil> either electrical or hydraulic which would work equally well
Phil> with sidesticks. A300s have been around for 20 years - this was an A320.

Not entirely true, as the Douglas DC-11 and DC-12 have cables that run from
the pilot controls (yoke and rudder) all the way back to the wing and tail,
for ailerons or elevators and rudders respectively.  The control surfaces are
hydraulically actuated, it's true, but most of the control run is cables.  I
think that the 747 also has similar cables.

Phil> 5) Since several A320s have crashed when silly things have been
Phil> happening, perhaps the automation, like the "watertight" hull of
Phil> the Titanic, is creating a too-complacent pilot. As a
Phil> far-too-complacent pilot myself in the past, I can understand this.

Well, no doubt, but wasn't this accident a 300, not a 320?  The 300 has a
conventional FCS, not fly-by-wire.  Just because they both start with 3's
doesn't make them the same aircraft.  That's like saying that an A-10 and a
KC-10 are identical because they both have 10 in the designator.

Mary Shafer  SR-71 Chief Engineer         NASA Dryden Flight Research Center,
Edwards, CA  shafer@ferhino.dfrf.nasa.gov


Re: How to feel safer in an Airbus (Ladkin, RISKS-16.14)

Robert Dorsett <rdd@netcom.com>
Mon, 13 Jun 1994 19:41:40 -0700
>His speculation on the A320, that Airbus were forced to use modes
>because they chose a sidestick design, is incorrect. Fly-by-wire
>aircraft use modes because they have to.

This is not true.  Early FBW aircraft were essentially open-loop analog
systems.  They were reactive, very simple, providing very simple feedback and
control loops.  They were not anywhere near as modal as modern systems.  Keep
in mind that Airbus' position is that fly-by-wire systems have to provide a
supermarket of user features.  In reality, the primary operational benefit is
to be simplicity and weight savings.  What a manufacturer does from that point
onwards is totally arbitrary and subject to market forces.

The Airbus design has long struck me as a being in support of an interface
which, in turn, was probably the result of a marketing decision.  Certainly,
the decision to use sidesticks--which provide no active feedback, and which
are not interlinked--ran contrary to the preferences of many pilots.  The
lack of said characteristics has resulted in more modes (and the necessity
of protections) and a variety of rather impressive kludges (such as the
"take-over" arrows which point to the other pilot when he pushes his
"take-over" button).

From what I've read of the Boeing 777 design, it's much less modal than
the Airbus design, providing unified and conventional flight characteristics
from takeoff roll through landing roll.

>A further comment about the Nagoya accident is appropriate. Current
>knowledge is that the pilots failed to follow normal, explicit
>procedure for control of the aircraft,

Really?  I've not seen that anywhere.  "Explicit" suggests that the systems'
characteristics were clear and well-understood.  Such is not the case here.
In fact, given that Airbus control philosophies tend to be rather subtle
in their feedback and invocation procedures, I'd certainly not suggest
that "pilot error" was a likely or trivial error in this case, at least not
at this point.

>and secondly that they had both
>been drinking alcohol, which is illegal for good reason.

This has also not been substantiated.  The investigators will not comment,
and it is not clear whether the presence of alcohol in the corpses was a
result of ingestion or decomposition of tissues.  In any event, the
*presence* of alcohol is not illegal.  The illegality is determined by
the *amount* of alcohol present.

>senior management of China Airlines has resigned because of this accident.

Because of the fifth major accident in as many years, was the way I understood
it.

And Phil Overy RAL <PJO@ib.rl.ac.uk> writes:

> re: Mark Terribile's posting:-
> 1) Boeing sell similar automation to the A320 - they also caused the second-
> worst Japanese crash and in this case much more directly (the fuselage broke).
I do not understand this paragraph.  To the naive reader, it could appear
that you're claiming a Boeing automation issue was responsible for the
structural failure of an airplane.  This is clearly false.

Nor was the JAL crash the simple result of structural failure: it was
primarily the result of a faulty repair, which destroyed the tail, taking
the airplane's hydraulic systems along with it.

Moreover, Boeing automation is significantly different from AI automation,
from the ground up.  The 777 flight control system (assuming you're referring
to flight control systems) uses a different machine architecture and has a
fundamentally different mission requirement, governed by the use of a
different interface.

If you're referring to more conventional functions, such as cockpit
automation and the navigation systems, again, Boeing philosophy is demonstrably
different from Airbus philosophy.  It's debatable whether either is "better,"
but to even a casual observer, they are sufficiently different to cause
at least a few customers to scratch their heads when it comes to running
fleets with airplanes from multiple vendors.  In many cases, the differences
are not trivial.

> 2) whether you use sidestick or yoke, a modern airliner has no direct
> "cables" to the rudders - it relies on multiple links either electrical or
> hydraulic which would work equally well with sidesticks.

In point of fact, the hydraulic actuators are controlled via cables.  And
in a few airplanes (727, DC-9 derivatives) the pilots still retain aircraft
control via control tabs in the event of complete hydraulic failure.

> 4) as for mode-switching and elevators etc - the senior pilot seems to have
> tried to recover without switching off the auto-pilot, the junior pilot seems
> to have flown as if the auto-pilot wasn't on. Reports will not say this as
> it's a conclusion, not a fact - it does however sound like the explanation.

And reports also claim a 15-year-old boy crashed an A310-600 when he nudged
against the control column.  Hmm.  I wonder why two airline pilots couldn't
figure THAT one out.

Robert Dorsett    rdd@netcom.com


Correction of my post on "A-THREE-HUNDRED" crash at Nagoya

Phil Overy <PJO@ib.rl.ac.uk>
Wed, 15 Jun 94 08:38:51 BST
After a mail from Peter Ladkin I am now sure of my ground and wish to write
what I wanted to write in the first place - despite your correspondent (and a
newspaper report I unfortunately used to check my memory, not my Independent
or Peter Ladkin's Herald Tribune which got it right), the worst crash in Japan
was AN A300 (ie an "old", un-computerised type NOT with sidesticks).

The Taiwanese plane did not crash after any kind of automation or airframe
failure, but when the auto-pilot was left on until too late.  Peter Ladkin
tells me that the president of the airline resigned after the crash, so it
doesn't sound as if they are trying to transfer responsibility to the
manufacturers.

The crash at Nagoya was not like Japan's second-worst disaster when a Super
747 (high-altitude model) crashed when the pressure bulkhead at the rear
collapsed; on that occasion the makers were Boeing, however I leave
accusations to lawyers -- there are plenty of these around and I may have
flown on one (and lived :-) ).    [lawyers?]

I could have phrased it better, but I would point out that Boeing also now use
fly-by-wire (on the brand new 777), so the earlier correspondent was misguided
in thinking that Boeing were staying away from fly-by-wire. The 777 is also a
much bigger plane than the A320...

Phil Overy


Does it matter why A3??'s have a poor record?

Wesley Kaplow <kaploww@cs.rpi.edu>
Tue, 14 Jun 1994 09:51:48 -0400
The average person's response to all of the A3?? technical discussion would
probably be that, frankly, it does not matter why these planes crash!  To
me, if we play only on the statistics, I want an airplane with a good safety
record.  Already, Airbus Industry has lost more planes per delivered plane
than any other major aircraft manufacturer in the past 3 decades (Lockheed,
Boeing, MD).  The average person who, for example, reads in Consumer Reports
that XYZ product can burst into flames after extended use does not care why!
The same is true for airline equipment.

It is also reassuring to note that some committee (or individual)
decided that an A320 does not think it has landed until the wheels
spin up to something like 90 kts.  How reassuring to think that all of
the possible consequences of this decision have been carefully thought
out and that a full fault-effect analysis has been performed.

Wesley K. Kaplow, AT&T Bell Laboratories, Rensselaer Polytechnic Institute
kaplow@att.com kaploww@cs.rpi.edu


Re: risks of speed enforcement (Cunningham, RISKS-16.14)

Jonathan Clark <jhc@hostel.lincroftnj.ncr.com>
Tue, 14 Jun 94 12:13 EDT
Andy Cunningham mentions some possible risks of over-zealous speed
enforcement, with (presumably) a radar gun linked to a video camera and some
automatic licence-plate recognition software.

Such a system was until last year under test in New Jersey.  A law was then
passed banning it after it was found that there was no way to let people off
after they had been ticketed, so that politicians, off-duty police officers
and other members of the nomenklatura would then have to conform to the same
rules of the road as the rest of the populace. I guess the risk here is that
of trying to apply rules to people they obviously weren't meant for!
Designers take note - you always have to leave *some* way to circumvent the
system :-)

I should note that in the U.S. speeding tickets are frequently (many
would say primarily) used to generate revenue, rather than for
any considerations of safety or traffic management.

On the other hand, I understand that photo-radar systems work in the
infra-red. This is preferable to an experience I had some years ago while
driving late at night at high speed on an autoroute in Belgium - I drove under
a bridge and was dazzled by a *powerful* flash going off behind me. Now
there's an unexpected risk of driving too fast...

Jonathan


RISKS of real-time image processing (Cunningham, RISKS-16.14)

"Clive D.W. Feather" <clive@sco.com>
Tue, 14 Jun 1994 11:10:07 +0100 (BST)
> ...actually send out tickets (camera/radar systems which produce photographic

I don't think this is a likely problem. The current camera/radar systems
don't work like that. The radar is used to detect likely speeders, and
then the camera takes two pictures a known time apart; the position of
the car in each is used to determine whether the car was speeding.

Clive D.W. Feather, Santa Cruz Operation, Croxley Centre, Hatters Lane, Watford
WD1 8YN, United Kingdom   clive@sco.com        Phone: +44 923 816 344


Re: RISKS in UK Election Voting Process

Doug Tooley <djtooley@undergrad.math.uwaterloo.ca>
Tue, 14 Jun 1994 12:44:41 -0400
The UK is not alone in their lack of voting security.

In Canada, as "proof of identification" all we had to do to identify
ourselves at the registration station was to bring an envelope mailed
to our address (with our name on it) with a second piece of identification.

Sounds straightforward... The people are nice and accommodating too: A
roommate of mine couldn't make it to the registration, so we were able to
register for him *very* easily.

Given the (lack of) care being put into actually checking the
identification (to test this, I deliberately didn't show them the address
on my envelope, I merely waved it at him, and that was sufficient)
literally anyone could have registered to vote.

The registration process was optimized for speed (we had to wait 30-40
mins) and for friendliness, (they were very willing to accept my word at
face value) but no REAL effort was made to authenticate the participants.

Doug Tooley      4C Co-Op CS/C&O student at U of Waterloo, Ontario, Canada
djtooley@undergrad.math.uwaterloo.ca


Re: Voting Systems - UK, US

Kent J Quirk <kentq@world.std.com>
Tue, 14 Jun 1994 03:22:40 GMT
In the two towns I've lived in here in Massachusetts, they have a similar
voting system to that mentioned in England, except that no voter card is
required.  They ask for a street address and a house number, but anyone
who can read upside down could simply pick a name out of a hat.

The risk to the would-be fraudulent voter is that even in our relatively
large town of 25,000 people there is a decent chance that the person
behind the counter knows the person you are naming, or that the person
will later attempt to vote and uncover the fraud (not that there's much
that could be done about it at that point).

The news media, in covering questionable elections around the world, often
speak of "massive election fraud".  It seems to me that since massive fraud is
really the only kind that has any predictable benefit, spoofing the
blue-haired volunteers behind the desk is not really all that much of a worry.

   [Similar comment regarding Mass. from Andrew_Marc_Greene@frankston.com .]


Re: RISKS in UK Election Voting Process (Rushton, RISKS-16.14)

John C Sager <jcs@zoo.bt.co.uk>
Tue, 14 Jun 94 09:17:49 BST

This is not uncommon - I did exactly the same thing. Admittedly there
is a RISK, but you also have to consider cultural factors. Accusations
of ballot-rigging in UK elections are rare. If someone picked an
address at random and voted as a resident there, as suggested, then
there would be major investigations & lots of publicity when the real
voter turned up with a valid poll card. Yet this does not happen.
There is no culture of ballot-rigging in the UK (except long ago
in Northern Ireland, but that was done a different way).

John C Sager B67 G18, BT Labs, Martlesham Heath, IPSWICH  IP5 7RE England
jcs@zoo.bt.co.uk             +44 473 642623


Re: RISKS in UK Election Voting Process

Sean Matthews <sean@mpi-sb.mpg.de>
Tue, 14 Jun 94 10:32:18 +0200
> Question: Should the UK update its voting system?

Answer: No.

Actually, at least, in Northern Ireland, the election procedure has been
tightened: because there is a real, as opposed to theoretical, problem with
impersonation (vote early, vote often) they insist that you now have to have
some form of ID with you (or at least did, I haven't voted there for some
years, but I don't imagine that it has changed). Traditionally, polling
stations in Britain have someone local who is familiar with the people of the
area, a doctor or vicar or something, around as an informal check for
impersonation (this would probably work better in rural than urban areas
though).

I don't think there is much of a problem really, with the UK procedure.  If
they need to be careful (like in NI) they can make things much better, just by
always asking for ID, or to see the registration card.  But since they don't
actually need to at the moment, why bother.  After all, a problem with voter
impersonation would be obvious if it happened on any sort of scale and if it
does happen there are separate procedures for dealing with it.

There is the risk here of fixing something that is not obviously broken,
by assuming a purely theoretical worst case.

Sean Matthews <sean@mpi-sb.mpg.de>   Max-Planck-Institut fuer Informatik
Im Stadtwald, D-66123 Saarbruecken, Germany     +49 681 302 5363

   [Further similar comments from Peter Robinson <Peter.Robinson@cl.cam.ac.uk>]

Re: Risks in UK Election Voting Process (Rushton, RISKS 16-14)

John Gray <grayjw@helios.aston.ac.uk>
Tue, 14 Jun 94 11:33:31 BST

Thomas Rushton is correct to identify this problem (of getting names from the
electoral roll).  There are two points to make.

1) You don't need ID to vote in the UK. Instead you must satisfactorily
answer two "statutory questions" having given the name and address:
   a) Are you XY, resident at (address)       (yes)
   b) Have you already voted in this election  (no)

2) The problem is worst in the case where the "real" turnout is low, because
it would be possible, in disguise, to vote several times under different names.
However, in a high turnout election, it's more likely that the person whose ID
you have used will turn up to vote. They are *not* denied a vote.

If you turn up at the polling station, and give your name, and it's already
marked on the register, then you will be asked the questions, and given a
different colour of ballot paper, which you complete in the same way. If the
final result is close enough for these papers to matter, then the election may
have to be resolved in court.

I agree that for low-turnout elections there is a problem with the system.
This strikes me as a common risk in any democratic system: if you don't use
your influence, someone else will.

John Gray
