The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 96

Weds 22 March 1995


o Dan Farmer, SATAN and SGI
o Triggerfish Cellular Phone Tap
John R Henry
o RISKS of non-standard interfaces
Ry Jones
o Pilot not informed of plane's intended destination
Mike Crawford
o Snake Oil and Grantsmanship
Douglas W. Jones
o Profiting from misdialed numbers
Matt Weatherford
o Re: A340 incident at Heathrow
Peter Ladkin
John Rushby
o Re: FBOI
Mike Crawford
o Info on RISKS (comp.risks)

Dan Farmer, SATAN and SGI

"Peter G. Neumann" <>
Wed, 22 Mar 95 12:02:12 PST
An article, Dismissal of Security Expert Adds Fuel to Internet Debate, by
John Markoff in The New York Times, 22 Mar 1995, discusses last Monday's
departure of Dan Farmer from Silicon Graphics.  RISKS-16.90 noted that Dan
and Wietse Venema have developed SATAN, a Security Administrator Tool for
Analyzing Networks, which Dan plans to release openly to the world on 5 Apr

RISKS has frequently seen discussions of the pros and cons of making such
tools available.  If the knowledge of vulnerabilities is not promulgated,
the system flaws and configuration weaknesses do not seem to get fixed, and
that knowledge seems to permeate the malicious-hacker community anyway.  If
the knowledge is promulgated, then the likelihood of exploitations tends to
increase -- although it certainly provides an added incentive to clean
things up in a greater hurry.

Dan is at the center of this renewed controversy.  Markoff's article
includes this statement:

  In the Internet community, Farmer's case is seen as symbolizing the
  conflict between a time-honored ideal the free flow of information in
  cyberspace and the harsh new reality that corporations and government
  agencies must protect their computer systems against intruders and vandals
  armed with increasingly sophisticated break-in software.

Triggerfish Cellular Phone Tap

John R Henry <>
20 Mar 95 20:05:51 EST
There has been some discussion in recent issues of cellular phone monitoring
in Pakistan. Nobody has mentioned that this technology is currently
available off the shelf in the US from Harris Communications (Melbourne FL,
address on request).

The Harris "Triggerfish", from a photo in an ad, looks like a laptop
computer with an extra box alongside. "Everything you need fits into a a
suitcase" in the words of the ad.

It will allow collecting and analysis of dialed number statistics,
Identifying the telephone number when it is registered under another persons
name or an alias, and developing usage patterns.

"Wiretap applications..... provide audio minimization, on/off hook logging,
multiple tape recorder outputs and necessary intercept documentation. A
headphone jack with volume control and alarm speaker allows the monitoring
agent to intercept each and every communication." (From Harris brochure)

The brochure goes on for several pages but I think you get the idea. This is
a wiretap in a suitcase. As it is listening to radio waves, there is no way
of anyone, including the gov't, knowing when it is being used.

The Triggerfish is sold only to law enforcement agencies and is *supposed*
to be used only with a court order permitting a wiretap. The risk is, who is
to know if and how it is being used?

The brochure was reproduced in a newsletter that I used to get. I don't know
how old it is but at least 1, possibly 2 years. I found an undated copy in
my desk drawer when I was cleaning house the other day.

So what's the fuss with Pakistan and Motorola? Perhaps somebody
should give them Harris' phone number. (John Henry)

RISKS of non-standard interfaces

Ry Jones <>
Wed, 22 Mar 95 12:28:50 -0800
We have debated and called to attention the troubles involved with
non-standard interfaces, such as the power switch on the keyboard of the Mac
and the like.

Here's a new one I heard on the radio last night.

According to a study released yesterday (sorry, I didn't write down the name
of the study), the post-admittance treatment lag for heart attack patients
in hospitals could be reduced from an average of 70 minutes to 30 minutes if
the interfaces on the equipment used to treat these patients were standard.
This was based on (so the announcer said, I have not seen the study) a
hospital where every unit of equipment of type "x" (say, a defibrillator) was
purchased with a standard interface. The treatment time went down because
the personnel didn't waste time looking for the CHARGE button, instead they
knew where it was.

This is a truly amazing claim. If it is true, I would think the business
case for purchasing standard equipment in a hospital would be quite strong,
even if it was built only on liability reduction.  Never mind the fact that
2 patients can be treated in the same window on time that one could before,
or that your ROI for each unit of equipment would be higher due to the
higher use.

On a related tangent, I was recently in the hospital. The nurse hooked me to
an IV, but the flow rate was too low; she went to get a pump. She hooked me
into the pump, but couldn't get it started.  When she did get it started,
the rate was too low and the alarms were going off. She couldn't figure out
the interface. I turned the IV pump to face me, and read the large amount of
fine print on the side relating to the pump's operation. It turned out she
needed to input the size of needle she was using to adjust the flow rate;
she was using a small butterfly needle instead of the default needle, which
is larger.

Pilot not informed of plane's intended destination

Mike Crawford <>
Wed, 22 Mar 1995 12:07:59 -0800
I heard on the radio news this morning (KGO 810 AM, about 11 AM) that a
planeload of Taiwanese passengers thought their plane had been hijacked when
it landed on a small island instead of at the capital Taipei during a
domestic flight.

The destination had been changed, and all the passengers knew it, but no one
told the pilot.

I would speculate that the scheduling system held the correct information,
so that the displays in the airport directed all the passengers which plane
to get onto, but that there is no direct computer link to the airplane, and
either no one realized that the pilot needed to be told "manually", or the
person responsible flaked.

Mike Crawford

Snake Oil and Grantsmanship

Douglas W. Jones <>
22 Mar 1995 22:37:08 GMT
I just got a grant announcement from ARPA, discarded it in disgust, and then
read Cliff Stoll's newest book, ``Silicon Snake Oil''.  That led me to
dredge the announcement out of the wastebasket, because it's such a perfect
example of how much snake oil and snake-oil salesmen have come to permeate
our field!

DARPA SOL BAA95-21 DUE 052495 POC states that "Proposed research should
investigate innovative approaches and techniques that lead to or enable
revolutionary advances in the state-of-the-art.  Specifically excluded is
research which primarily results in evolutionary improvement to the existing
state of practice ..."

It seems to me that this wording is a specific invitation to snake oil
salesmen and that it explicitly and openly promises to discriminate against
an honest proposal that makes a realistic projection of the likely outcome
of the proposed research.

In general, my experience leads me to believe that research projects that
actually produce revolutionary results rarely anticipate them, and research
projects that promise revolutions rarely deliver!  I don't deny that the
projects funded on the promise of revolution haven't occasionally delivered
interesting results, but I greatly detest a system that demands such empty
promises as a condition of obtaining funding.

In any case, ``Silicon Snake Oil'' is a book worth reading.  Computer
professionals will find it alternately infuriating, when it attacks our
specialties, and rewarding, when it attacks all that hocum everyone else in
the field has been pushing.

Doug Jones

Profiting from misdialed numbers

Matt Weatherford <>
Wed, 22 Mar 95 12:48:30 PST
Some time ago, RISKS ran an article about a long distance company offering
an 800-operator service for discounted Collect calls.  A competitor soon
realized that *many* folks were dialing 800-operatEr. The competitor soon
chartered this number for their own, strikingly similar (some would say
indistinguishable to the naked ear) service and raked in the stray dialers.

National Public Radio ran a piece last week telling of another similar
incident.  A small mom-and-pop company called "The wooden Boat store" was
getting thousands of misdialed calls per month for an MCI 800 service.  The
small business contacted MCI about the problem and when MCI didn't offer any
help, the Wooden boat store approached AT&T.  Within 1 week, AT&T had set up
a "voice mail" message that said something like "Welcome to the wooden boat
store. Press 1 for AT&T Operator assistance, or press 4 for the Wooden Boat
Store" Note that AT&T did not offer to connect to the intended, originally
misdialed MCI service!

Matt Weatherford Atlantis Diagnostics Int'l (206) 487-7826

Re: A340 incident at Heathrow (Hatton, RISKS-16.92)

Wed, 22 Mar 1995 19:50:56 +0100
Les Hatton reports in RISKS-16.92 on an incident involving an Airbus A340 on
a trip from Japan to London Heathrow. The aircraft is one of the
A320/330/340 (also A319/321) family of Airbuses, some of whose primary
flight control systems are computer-controlled (that is, the pilots
control-stick movements are input to a computer that guides the control
systems).  The A340 is a very long-haul aircraft, capable of flying the very
longest routes without refueling (it holds the world record for length of
route flown without refuelling, for normally-equipped civil transport
aircraft).  The incident is of greatest significance for RISKS readers
because it is the first time that an accident report on an A320/330/340
series aircraft specifically cites software and hardware reliability as the
main problem.

The incident concerned a Virgin A340 at Heathrow on 19 September 1994 (cf.
the incorrect info reported by Hatton). A short article by Christian Wolmar
appeared in The Independent newspaper, one of Britain's major dailies, on
Wednesday March 15, 1995. After talking to Christian, I obtained a copy of
AAIB (Britain's Air Accident Investigation Board) Bulletin No. 3/95, the
report on the incident.

I'll spoil the tale for everyone by giving the punchlines first: the
description of the problem areas identified during the incident, and the
report's conclusion, the `Safety Recommendation 95-1'.  [during quotes, my
editorial comments and elisions are contained within square parentheses such
as these. PBL.]

[begin quote]

Problem Areas

The AAIB identified and investigated the following problem areas: RTF [radio
communication] phraseology; ATC [air traffic control] vectors and ILS
[instrument landing system] performance; fuel quantity indications; double
Flight Management Guidance System (FMGS) failure and aircraft type

[end quote]

The radio phraseology can be ignored by RISKS readers.  ATC vector problems
had to do with capturing the `glideslope', the radio beam angled up into the
sky from the end of the runway, down which an aircraft flies in order to
land, under instrument conditions.  The aircraft at one point encountered a
`false glideslope' at about 9\deg at 5 miles from touchdown and 4,800ft
altitude caused by a `shallow sidelobe' of the ILS. Such problems are known
(glideslope is assured for between 1.35\deg and 5.25\deg in the UK) and the
airplane wouldn't have got there had it not been vectored there by ATC - but
one hastens to add that normally this is not a problem. Just in this
case....see below. All the other problems concern the on-board computers,
and the AAIB has written to the JAA (Joint Aviation Authority, which does
for Europe what the FAA does for the USA) to determine if the JAA was "aware
of some of the more significant shortcomings of the A340's fuel and flight
management systems before the type certificate was granted".

[begin quote]

Safety Recommendation.

It is recommended that the reliability of the Airbus A340 FMGS and the fuel
management system should be reviewed to ensure that modified software and
hardware required to achieve a significant improvement in reliability should
be introduced as quickly as possible and the subsequent system performance
closely monitored.

[end quote]

Here is why they made this recommendation:

[begin quote]

Autopilot and Flight Director heading performance

The reason for the wrong response of the autopilot and one flight director
to the left turn demand was a software error [...] [This error] was known to
Airbus Industrie and corrective measures for this and several other software
deficiencies were contained in [...] standard L-5 that has been issued and
incorporated in most A340s on the UK register.

Fuel Quantity indications

In July 1994 Airbus Industrie issed an Operations Engineering Bulletin on
the subject of fuel quantity indication. [The bulletin gives detailed
descriptions of anomalies, when they occur, and how to take them into
account.]  Action pending by Airbus Industrie to correct fuel quantity
errors involves the installation of five additional fuel probes in each
inner tank and software standard 6.0. Action to correct CG control errors
[the center of gravity is adjusted in cruise by moving fuel around, to give
efficient cruise performance] is contained in a software only upgrade to
standard 6.1. [...]

FMGS double failures

After landing the aircraft's Central Maintenance System had logged a fault
in No 2 FMGEC. This was removed and sent to France for data extraction and
fault analysis. No fault was found within the hardware and a comparable
software fault could not be reproduced on the test bench.  Nevertheless, the
BITE data dump showed that at 1435 hours the No 2 FMGEC had detected a CLASS
1 HARD failure within itself and a simultaneous fault within FMGEC No 1. The
investigation was complicated by the involvement of several sub-contractors
in the manufacture of the FMGEC and its database.


Airbus Industrie were aware of the double FMGS failure mode that had first
emerged on the A320 series aircraft. On A320/330/340 aircraft, each FMGEC is
linked to its own set of peripherals and inertial reference system. Both
FMGECs achieve their own computations and exchange data through a cross talk
bus. One FMGEC is declared as master and the other as slave; the master
FMGEC is related to the engaged autopilot. Some data in the slave FMGEC is
synchronised to the master but all data inserted on any MCDU is transferred
to both FMGECs and to all peripherals.

According to Airbus Industrie, there are several ways in which the exchange
of data and/or a problem in one computer can affect the other computer.
Often the computers reset themselves after a few seconds but occasionally a
fault results in repetitive resets or attempts to resynchronise. The fifth
reset relatches the computer, which will not recover without a power
interrupt. Reset breakers for manual power interrupts are on the flight deck
overhead panel. Dual resets occur when both FMGECs encounter failures at the
same time.  They generally occur after a pilot entry that involves use of
the navigation database or to an event synchronised between both flight
management systems. Latched double failures usually occur if pilots
successively perform three inputs that cause a reset, or if an `impossible'
computation of predictions occurs.

Airbus Industrie have succeeded in radically reducing the frequency of
double FMGS failures on the A320 series aircraft; they are also addressing
the problem on the A330 and A340 series. [...]

[end quote]

I point out that so-called Byzantine failure modes and algorithms for
avoiding them in distributed systems were first identified and studied in
the 70s by my former SRI colleagues Lamport, Shostak and Pease under the
auspices of the SIFT project, and since then by many, many others. As for
other such topics in computer science, this was regarded as `theory' for a
few years. I could hazard a guess that many aerospace engineers still have
not heard about this area. The account above of the problems with the
A320/330/340 master/slave FMGECs may give RISKS readers reason to inform
themselves about the `theory' of how all this anomalous and possibly
dangerous behavior can be avoided in the first place. Many papers in the
January 1994 issue of the Proceedings of the IEEE speak about the current
state of the art.

Finally, the story.

On the ground in Tokyo before departure, one FCMC indicated numerous faults.
It is accepted procedure to depart with only one FCMC operative - they did
so, and followed the appropriate procedures for calculating fuel with only
one FCMC. Early in cruise, the map symbology on the commander's EFIS
(Electronic Flight Instrument System) disappeared and his MDCU
(Multifunction Control and Display Unit) ceased calculating.  They slaved
both off the copilot's DMC (Display Management Computer).  The EFIS is the
pretty screen in front of the pilot that tells himher which way is up, which
way is forward, and which way, as well as how fast (in three dimensions),
and where heshe is.  The MDCU displays flight plan info, and a bunch of
other things. About an hour later, they found that the commander's EFIS had
restored. Logical indications from the No.2 FCMC were also restored later by
`resetting the computer'.

Now come a few things which one should really think about hard.

Getting close to home (Heathrow), the copilot tuned in the Lambourne VOR (a
radio beacon) manually, to ensure that the EFIS displays were still
accurate. They were cleared to fly direct to the beacon, but a few miles
east, "the commander's EFIS map display symbology froze and lost all
computed data [..]. His MDCU displayed the message `PLEASE WAIT' together
with a page normally seen only when loading in data before flight. He was
unable to obtain any other display. At [roughly the same time], the
[copilot's] EFIS and MCDU exhibited identical behavior."

Notice that not all flight control info was lost from the EFIS - they could
still fly the airplane. They `dialed in' the ILS using a "back-up method",
and while doing so received an ECAM warning of low fuel state and
instructions to open crossfeeds (airplanes like this have many tanks and
fuel is pumped around between them). The warning reoccurred and readings
indicated they had some 2 tonnes (2000kgs) of fuel less than expected.  They
discussed traffic density with ATC, and eventually declared an emergency in
order to get priority for landing.

They had the autopilot automatically capture the ILS, which is when they hit
the sidelobe. `The glidepath bar moved rapidly down the ILS display before
moving rapidly up once again; the autopilot's attempt to follow the
glidepath resulting in unusually high pitch rates and so the autopilot was
disconnected.' The commander informed the tower they were having problems
with the glideslope and requested an SRA (Surveillance Radar Approach). In
an SRA, the controller talks the airplane down localiser and glideslope
continuously, by giving an uninterrupted stream of position information
relative to the glideslope/localiser pair. It's very impressive.

Aircraft are on `final approach' when they're lined up with the runway
centerline and heading down the glideslope to land. (This should not be
confused with when the flight attendant says `final approach' to the
passengers, which is usually when the aircraft is even before *initial*
approach phase.) The approach was for Runway 09 Right at LHR (the `09' means
that it's pointing roughly 90\deg to North). The crew were on the SRA, being
vectored (given magnetic headings to fly) to intercept the final approach
course. They were flying a heading of 180\deg and were commanded to change
to 130\deg.  When they turned the heading selector knob on the autopilot,
both commander's and copilot's heading `bugs' moved correctly (that's an
indication on the directional gyroscope of which heading you want the
autopilot to fly to and hold - I had a lower-tech version on my Piper
Archer), but the flight director bars went in opposite directions and the
airplane followed the false movement of the copilot's bar, and turned right
instead of left. At this stage, the copilot disconnected autopilot and
flight directors and flew the plane `manually' (see first paragraph for why
this is not quite an accurate expression for these aircraft).

They landed without further incident; after taxiing in and shutting down,
the fuel indications recovered; and thankfully everyone lived happily ever

Peter Ladkin

Re: A340 incident at Heathrow (Ladkin, RISKS-16.96)

John Rushby <>
Wed 22 Mar 95 14:06:55-PST
I'm not sure you need to invoke Byzantine failures to explain the problems
reported with the double FMGS failures in the Airbus A340 and its relatives,
though Byzantine-fault-tolerant architectures are simpler and more regular
than others -- and might therefore be less prone to bugs.

A Byzantine failure is usually interpreted as a hardware fault that cases
the errant device (e.g., a sensor) to provide conflicting information to the
systems that interrogate it.  These faults can be masked by suitable
Byzantine-fault-tolerant algorithms (invented, as Peter correctly points
out, by Pease, Shostak and Lamport during the SIFT project at SRI.
Incidentally, you can retrieve a picture of SIFT, and of Pease, Shostak, and
Lamport via WWW at URL ).

However, Byzantine hardware faults don't seem to be the problem with the
A340 FMGS--rather, it seems to have been a plain bug in the redundancy
management.  And from the description, it seems that the reason there are
bugs is that the design of the system is not amenable to comprehensive
analysis and thorough comprehension.  The great contribution of Lamport et
al. was the "state-machine" approach to fault-tolerant system design
(tutorial reference at bottom).  The advantage of this approach is that it
provides a relatively simple architecture that can provably tolerate ANY
KIND of fault, up to some number.  In contrast, the type of architecture
used in most aircraft systems is based on FMEA, where you explicitly try to
anticipate and counter each specific kind of fault.  This leads to
complexity, and thence to bugs, and also to the possibility of overlooked
fault modes (and, more likely, overlooked COMBINATIONS of faults).  The
disadvantage of the state-machine approach is that it requires a lot of
redundancy (3n+1 channels to withstand n simultaneous faults).  This is
overcome, to some extent, by the "hybrid" fault-models introduced by the
people at Allied Signal who developed the MAFT architecture.  (There's a
paper by them in the issue of the IEEE proceedings that Peter mentions).
MAFT is the only architecture for primary flight control developed by a
manufacturer of these things that uses the state-machine approach.  It was
proposed for the 7J7 and 767X, but Allied dropped out of the bidding after
Boeing cancelled these and then invited new proposals for the 777.

Systems above the PFC (primary flight control/computer) level usually seem
to use dual, or dual-dual redundancy rather than the quad-and-above found in
PFCs.  The state-machine approach may not be appropriate here, but I'd hope
that ideas from modern fault-tolerant design, and from formal
state-exploration and verification could add something.

As an aside, the mechanisms of fault tolerance, distributed coordination,
concurrency management, etc. employed in aircraft systems owe little to
those studied by academic researchers.  For example,

  Not far from there (CNRS-LAAS a research center concerned with
  fault-tolerance), Airbus Industries builds the Airbus
  A320s.  These are the first commercial aircraft controlled solely by a
  fault-tolerant, diverse computing system.   Strangely enough this
  development owes little to academia.  (IEEE Micro, April 1989, p.6)

Of course, there is little reason to suppose that academic researchers know
more about fault-tolerant architectures for avionics systems than those who
actually develop them, but it does mean that the architectures and
mechanisms used in aircraft systems cannot draw on the extensive analyses
and (in some cases mechanically checked) proofs that have been published and
subjected to peer review in computer science journals.


Introduction to the state-machine approach:

    AUTHOR = {Fred B. Schneider},
    TITLE = {Implementing Fault-Tolerant Services Using the State
        Machine Approach: A Tutorial},
    JOURNAL = {ACM Computing Surveys},
    YEAR = 1990,
    VOLUME = 22,
    NUMBER = 4,
    PAGES = {299--319},
    MONTH = Dec

We've done lots of work applying formal methods to algorithms for
state-machine replication under hybrid fault models.
[You can get the redundancy down to about n >3a+2s+m where a, s, and m are
the numbers of arbitrary (Byzantine), symmetric (wrong but consistent),
and manifest (obvious, or crash) faults to be tolerated simultaneously.]

Examples, if you're interested:

See also NASA's overall program and their own work in this area:

John Rushby                   Email:
Computer Science Laboratory   Tel: (415) 859-5456 (hit #0 to escape voice-mail)
SRI International             Fax: (415) 859-2844
333 Ravenswood Avenue         WWW:
Menlo Park, CA 94025, USA     ftp:{reports|pvs}


Mike Crawford <>
Wed, 22 Mar 1995 12:45:33 -0800
Regarding FBOI having an account on Netcom...

While I can understand a startup company "renting cheap office space", one
would think that a new financial institution wouldn't keep its valuables
in the electronic equivalent of a public square.  There are many, many
ways to break Unix security - at the very least, any netcom sysadmin could
read and alter FBOI's files, and very likely there are many hackers who know
about holes in netcom's system.

If the PGP decryption is to take place on netcom's computers, rather than a
private CPU within FBOI's "offices", then the cleartext passphrase will exist
in memory where it can be accessed by anyone who can acquire root privileges.
In addition, the encrypted secret key would have to be stored online, so it
can be copied by an intruder, and one can use a program (trace? I don't
recall) that displays all the system calls that a program makes in order to
monitor the keystrokes that FBOI's operators make while entering the
passphrase to decrypt the secret key.

I consider it the height of irresponsibility to operate a financial service
on a public access Unix system.  Netcom might consider whether they would be
liable in the event of a security breach.

If you could make $100,000 by hacking an OS known to be as impregnable as
swiss cheese, and you didn't have the ethical sense to stop you, wouldn't you
put some effort into making off with the goods?

Mike Crawford

Please report problems with the web pages to the maintainer