The RISKS Digest
Volume 2 Issue 46

Tuesday, 29th April 1986

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



o Re: Challenger article (Martin J. Moore)
o TV "piracy" (Nicholas Spies)
o HBO — Hacked Briefly Overnight (Mike McLaughlin)
o The dangers of assuming too much — on TMI-2 (J. Paul Holbrook)
o A POST Script on Nuclear Power (Peter G. Neumann)
o Info on RISKS (comp.risks)

Re: Challenger article

> From:     Rminnich@dewey.udel.EDU
>   [excerpts from article Phila. Inquirer of 4/24.]

>      "... It is now clear that there was no explosion ..."

Rubbish.  There was certainly an explosion; what do they think scattered
debris for miles and threw some so high it took an hour to impact?  That
it was not an all-consuming explosion as was originally thought, is now
obvious.  But I still wouldn't want to be anywhere around an explosion
like the one we saw.

>      "... The astronauts ... were probably making frantic efforts
>   to bring their craft under control as it hurtled downward. If the
>   craft had been equipped, as it should have been, with parachutes and
>   seat-ejection fail-safe systems they could have saved themselves. "

According to figures I have seen in the news media (AP stories, I think;
the newspapers are in the trashpile now) at the moment of downlink loss
the cabin pressure was 800 psi and the acceleration was 16g.  These were
extrapolated to be 2000 psi and 100g a few seconds later.  These are
obviously unsurvivable in themselves, not to mention that the cabin windows
would not have survived the overpressure, resulting in explosive
decompression, which is not exactly healthy either.

Of course, *if* anyone survived the initial blast and remained conscious,
I'm sure they would have made frantic efforts to bring the craft under
control (who wouldn't?).  On the subject of parachutes, I think that any
external parachute system would certainly have been burned away or ripped
away by the initial blast.  As for ejection seats, these may or may not
be useful; I believe there are severe technical problems (I'll have to pass
on the details — maybe an expert on the subject will speak up.)

>      "They died because of NASA's false economies and incompetence. "

The commission hasn't even made its report yet, but this reporter obviously
has all the facts and has completed the inquest.  It's true that NASA looks
less than pure based on what the media have reported, but this verges on
deliberate slander (can you slander a government agency? sorry, I digress.)
(Also, let's please *not* start the "whose fault was it" flamage here; those
of you who read SPACE are probably more than sick of it by now, as I am.)

>      "... Dr. William Doering, professor of chemistry at Harvard, pointed
>   out that ... was not an explosion at all. 'It is best described
>   as a fast fire ... If the fuel tank had exploded ... it would be
>   producing something much bigger ... They have stopped showing the
>   space module [sic] but I am confident that it is intact also or
>   was until it hit the water. '"

I haven't the chemistry knowledge to dispute this on technical grounds;
however, my point about debris scattering still holds.  Also, why did he
wait until the crew module was found?  Why didn't he say after seeing the
pictures, "That's not an explosion, it's just a fast fire."  Also, what is
"intact"? "More or less in one piece" or "completely sound"?  Apparently at
least the former was true.  But the 100g acceleration would pretty well rule
out the latter.

>      "... Terry J. Armentrout, director of the NTSB investigation,
>   told reporters that '... the shuttle Challenger, including the crew
>   compartment, apparently survived the blast mostly intact'".

Aw, c'mon!  The crew module stayed in one piece, but it was completely
separated from the rest of the Orbiter, which was wrecked (it's no surprise
that the crew module could maintain its integrity even if no other part
of the Orbiter did; it's the strongest part of the Orbiter.)
If the rest of the Orbiter survived "mostly intact" where did the bits of
Orbiter wreckage shown by the media (e.g., wing and stabilizer pieces,
tiles, etc.) come from?

>      Continues Shannon,
>      " ... the astronauts died from the force of the impact as the
>   craft hit the water ... There is no reason to believe that the crew died
>   because of sudden decompression ..."

Well, they probably died from 100g acceleration before they had a chance to
die from decompression; if not, decompression probably would have done it.
Maybe we'll never know for sure, but I believe the crew died within seconds of
the blast.

>   He goes on to hint that the down-link was lost as part of a
>cover-up rather than due to the fast fire.

This is so unbelievable that I don't even know what to say.  I don't suppose
he offers the least bit of proof?  (Speaking from personal experience,
which includes over 100 space launches including the first 8 shuttles,
I would say that there is *no* way such a coverup could be maintained for
long, given the large number of people involved in the launch process.)

As always, I express herein only my own personal opinions, and not the
official position of my employer or any government agency.

                Martin J. Moore

TV "piracy"

Nicholas Spies
28 Apr 1986 19:48-EST
The recent "Captain Midnight" episode was, in my book, a completely
justified display of civil disobedience. I live in Pittsburgh, which has a
(pathetic) cable company to which I subscribe, so I am not an aggrieved dish
owner, but I sympathize with them. Why? Because cable program providers MUST
factor in ONLY wired-in subscribers when signing contracts to buy
programming (or else they are idiots) so the fringe viewers with dishes (most
often far from any cable company) have little or nothing to do with their
financial situations. HBO's decision to scramble its signal to force people
who cost HBO, or cable systems, ABSOLUTELY NOTHING to "hook up" is
ridiculous; at least dish owners should be given a hefty credit for their
investment before having to buy a descrambler and pay monthly rates. Not
being a lawyer, it also seems that scrambling makes a mockery of the 1934
Communications Act, which prevents encoded transmissions over public

This sort of problem may prevent another medium — videodiscs — from
fulfilling their promise of providing vast amounts of cheap information.
Consider: a 12" videodisc can store up to 108,000 frames of information.
What information? In the case of NASA, lots of planetary images. In the case
of the National Gallery of Art, 1645 art works and a couple of movies. But
what if a videodisc publisher wanted to provide a comprehensive collection
of ALL major works of western art, 65 TIMES the number of art works provided
on the NGA disc. As it stands, this would be impossible because each
provider of art images would want a royalty for each disk (to pay costs,
perhaps 1 cent per work per copy). But this would mean a $10,800 royalty PER
DISC for all suppliers, which would make the disc completely unsalable,
making a comprehensive history of art expert system all but impossible to
develop because the costs could not be amortized. (If you think this is
outlandish, consider that the Metropolitan Museum in New York wanted to
charge the US Marine Corps $50 for the LOAN of a photograph of an artifact
that the Marines wanted to include in their Bicentennial exhibit in
Washington DC in 1976. The Marines, to their credit, declined to pay.)

Some new paradigm will have to be worked out before mega-media will be
acceptable both to information providers and consumers.


HBO — Hacked Briefly Overnight

Mike McLaughlin <mikemcl@nrl-csr>
Mon, 28 Apr 86 21:51:15 edt
Overpowering a transmitter is essentially trivial.  If HBO was scrambling
its uplink, Captain Midnight's missive must have been similarly scrambled.
Perhaps HBO's scramble algorithm is also trivial.  Of course, if the uplink
is in the clear, Captain Midnight merely needed brute force.  Anyone know
how or where the signal is scrambled?  Or whether an HBO receiver set to
unscramble will pass an in-the-clear signal?  I realize that facts may set
limits to the discussion.  Regrettable.

The dangers of assuming too much

J. Paul Holbrook
29 Apr 86 14:32:33 PDT (Tuesday)
[From "Three Mile Island: Thirty Minutes to Meltdown" by Daniel Ford;
Viking Press 1982.]

(The discussion preceding this quote talks about how the temperature of the
fuel rod at Three Mile Island-2 increased from the normal 600 degrees to
over 4000 degrees during the 1979 accident, partially destroying the fuel
rods.  It also notes that instruments to measure core temperatures were not
standard equipment in reactors.)

  "Purely by chance, there were some thermocouples — temperature-measuring
  devices — present in the TMI-2 reactor when the accident occurred.  Located
  about 12 inches above the top of the core, these thermocouples ... were
  installed as part of an experimental study of core performance, and were a
  temporary instrumentation feature of the plant, connected to the
  control-room computer for measuring temperatures during normal operation.
  Accordingly, if a control-room operator requested temperature data from the
  computer, he would receive useful information only when the temperature was
  within the normal 600 degree range.  When the temperature got above 700
  degrees, the computer, instead of reporting it, would simply print out a
  string of question marks — "???????."  Although the thermocouples could
  actually measure much higher temperatures, the computer was not programmed
  to pass these higher temperature readings on to the operators ... there was
  an urgent need for timely, reliable data about the temperature in the core
  in the critical period between 6am and 7am on March 28; what was available
  from the computer was mostly question marks."
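The quoted passage describes a display routine that silently replaced every reading above the normal range with a string of question marks. The following added example (not from the digest or from Ford's book; the thresholds, status names and sample temperatures are constructed) reproduces that failure mode beside a fail-loud alternative that keeps the raw value and says why it is suspect.

```python
from dataclasses import dataclass

NORMAL_MAX_F = 700     # ceiling of the "normal" display range, as in the passage
SENSOR_MAX_F = 5000    # assumed thermocouple ceiling (constructed, not from the book)


def format_reading_tmi_style(temp_f):
    """The failure mode described: anything above the normal range is
    printed as question marks, so the actual value is lost to the operator."""
    if temp_f > NORMAL_MAX_F:
        return "???????"
    return f"{temp_f:4d} F"


@dataclass(frozen=True)
class Reading:
    temp_f: int
    status: str  # "ok", "ABOVE_NORMAL" or "SENSOR_FAULT"


def classify_reading(temp_f):
    """Fail-loud alternative: the raw value is always retained, and a status
    tells the operator whether it is off-scale (instrument fault) or merely
    outside the normal band (which is exactly the case that matters most)."""
    if temp_f < 0 or temp_f > SENSOR_MAX_F:
        return Reading(temp_f, "SENSOR_FAULT")   # open/shorted thermocouple
    if temp_f > NORMAL_MAX_F:
        return Reading(temp_f, "ABOVE_NORMAL")
    return Reading(temp_f, "ok")


def format_reading(temp_f):
    r = classify_reading(temp_f)
    if r.status == "ok":
        return f"{r.temp_f:4d} F"
    return f"{r.temp_f:4d} F  ** {r.status} **"


def render_log(temps, formatter):
    """Render a sequence of readings with either formatter."""
    return [formatter(t) for t in temps]


# Constructed sample: readings climbing through the critical hour, plus one
# off-scale value standing in for a failed sensor.
SAMPLE_TEMPS_F = [590, 610, 720, 1500, 4100, 9999]

if __name__ == "__main__":
    for line in render_log(SAMPLE_TEMPS_F, format_reading_tmi_style):
        print("TMI-style:", line)
    for line in render_log(SAMPLE_TEMPS_F, format_reading):
        print("flagged  :", line)
```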


A POST Script on Nuclear Power

Peter G. Neumann <Neumann@SRI-CSL.ARPA>
Tue 29 Apr 86 22:42:21-PDT
While we are on nuclear power plants, please let me know if anyone gets some
solid facts that involve the computer-control system in the Chernobyl
nuclear accident in the Soviet Union over the weekend ("partial meltdown",
"graphite explosion", or whatever it was).

By the way, today's Washington Post gave a chronology of some of the more
interesting previous nuclear-power accidents, which I summarize here:

  Dec 2 1952 Chalk River, Canada.  Million gals radioactive water built up.
      6 mos to clean up.  Human error.
  Nov 1955 EBR-1 experimental breeder, Idaho Falls.  Misshapen rods, human err.
  Oct 7-10 1957 Windscale Pile #1.  English coast of Irish Sea.  Largest
      known release of radioactive gases (20,000 curies of iodine).  Fire.
      .5 M gals milk destroyed.  Plant permanently shut down.
  Winter 1957-58 Kyshtym USSR.  400 mi contaminated?  Cities removed from maps.
  May 23 1958 Chalk River again.  Defective rod overheated during removal.
      Another long clean-up.
  Jul 24 1959 Santa Susana CA, 12 of 43 fuel elements melted.  Contained.
  Jan 3 1961 SL-1 Idaho Falls (military, experimental).  Fuel rods mistakenly
      removed.  3 killed.
  Oct 5 1966 Enrico Fermi, Michigan.  Malfunction melted part of core.
      Contained.  Plant closed in 1972.
  Jun 5 1970 Dresden II, Morris Illinois.  Meter gave false signal.  Iodine
      at 100x permissible.  Contained.
  Nov 19 1971 Monticello Minn.  50,000 gals radioactive waste spilled into
      Mississippi River, some into St Paul water supply.
  Mar 22 1975 Brown's Ferry, Decatur Alabama.  Insulation caught fire,
      disabled safety equipment.  $150 M cleanup.
  Mar 28 1979 Three Mile Island II.  NRC said, "within an hour of
      catastrophic meltdown".  4 equipment malfunctions plus human errors
      plus inadequate control monitors.
  Feb 11 1981 Sequoyah I, Tennessee.  8 workers contaminated, 110,000 gals
      radioactive coolant leaked.
  Jan 25 1982 Ginna plant, Rochester NY.  Steam-generator tube ruptured.
  Feb 22 & 25 1983 Salem I NJ.  Auto shutdown system failed twice.  Manual OK.
  Apr 19 1984 Sequoyah I again.  Contained.
  Jun 9 1985 Davis-Besse, Oak Harbor, Ohio. 16 pieces of equipment failed,
      at least one wrong button pushed.  Auxiliary pumps saved the day.

PGN (just off the plane from DC)

PS.  I hope you don't conclude that I am interested ONLY in catastrophes.  I
really have been professionally involved for many years in trying to develop
better computer systems.  But that does not mean that I have to trust them...
