Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Two recent documents have appeared concerning the Osprey, the U.S. Marines'
V-22 tiltrotor aircraft intended as the replacement for certain of its aging
helicopter fleet. Various problems during Osprey development, including the
crash whose cause is related here, have already been reported in [Ladkin et
al, RISKS-21.20].
One document is the U.S. General Accounting Office (GAO) briefing material
on its inspection of the Osprey development program, GAO-01-369R "Defense
Acquisitions: Readiness of the Marine Corps' V-22 Aircraft for Full-Rate
Production", which may be found by searching at http://www.gao.gov for term
"Osprey" and Keyword "V-22". I highly recommend reading this material to
anyone interested in the development of complex systems with crucial
computer-based components. It contains some astounding material. I shall not
comment further in this note on this document.
The other is the text of the briefing upon release of the JAG report into
the cause of the December 2000 Osprey crash during a training mission, at
http://www.defenselink.mil/news/Apr2001/t04052001_t405mv22.html (thanks to
Ken Garlington for the link).
First, some details as to how the Osprey functions. It has an engine and a
propeller-rotor, bigger than a normal propeller and smaller than a normal
helicopter rotor, on the end of each wing. The engine nacelles (structures
holding engine and rotors) rotate between roughly vertical (when the
aircraft is said to be in "helicopter mode") and horizontal ("airplane
mode"). This configuration allows the advantages of a turboprop airplane,
such as speed, en-route, but those of a helicopter for take off and landing,
and other functions such as loading and offloading personnel and cargo while
hovering. This technology has been tested for over twenty years in
prototypes such as NASA's XV-15, and the MV-22 is the first attempt at a
large production tiltrotor vehicle for use in military missions.
Some words now about flight control. A helicopter rotor has two basic means
of adjustment. The angle of the blades can be adjusted relative to the plane
of rotation ("pitch"), either uniformly for all blades ("collective pitch"),
or differentially in a specific orientation relative to the aircraft body
("cyclic pitch"). This is accomplished by allowing the blades to pivot or
flex about their longitudinal axis, and controlling this flexing via rigid
connections from the blades to a "swash plate", which is like a large, loose
washer around the rotor spindle back of the rotor. To obtain "collective"
control, the swash plate is moved uniformly up and down the spindle to flex
the blades together into the desired position. To obtain "cyclic" control,
the swash plate is tilted on the spindle in a fixed direction relative to
the aircraft body, to produce differential lift in this orientation. An
airplane turns by producing differential lift on its wings (by altering
their shape via ailerons) but only has two directions in which to do this;
the helicopter has full 360-degree freedom in this regard. The third
helicopter flight control is the power generated by the engines. In
addition, the Osprey has a flight control which consists in rotating the
nacelles to various positions between horizontal and a little past the
vertical.
Much of the flight control has to be adjusted automatically for the
conditions of flight and is not freely controllable by the pilot. It is a
"fly-by-wire" (FBW) machine. I find the technology remarkable, and wish it
every success, which success no longer appears to be guaranteed, thanks
amongst other things to the understanding of the causes, including
institutional ones, of the two crashes in 2000.
The briefer, General Berndt, explained what happened in December as
follows. The aircraft was flying at about 160kts and the nacelles were
transitioning from airplane to helicopter mode. At that point, a flight
control system hydraulic line the left nacelle ruptured under pressure. The
nacelle transition was stopped, as per design. These lines are titanium,
22/1000 inch thick, and operate at pressures of 5,000 psi (rather than the
more conventional 3,000 psi or so of modern helicopters. Specific
requirements other than those of flight control, for example weight and
payload requirements, apparently necessitate this high pressure design). The
rupture was caused under loading of the system to operate the swash plate,
at a weak point caused by chafing of the line against a wire bundle. (I
understand that titanium, whilst light and strong, is also quite brittle.)
Such chafing has been noted in maintenance reports since July 1999, and some
chafing was found on all remaining Ospreys during post-crash
inspection. This is apparently a generic problem that has not yet been
solved. The aircraft had been properly maintained, and it was ahead of its
maintenance schedule, having completed its 210-hour inspection already by
157 hours, its total time at crash. (General Berndt phrased this as being in
"excellent shape", but the aircraft evidently wasn't; I think he must have
meant that the aircraft was properly determined to be in "excellent shape"
by the maintenance procedures. It is becoming recognised in aviation
maintenance circles that the inability to inspect certain regions of wire
bundles and other lines often allows some dangerous deterioration to go
undetected.)
There are three partially-independent hydraulic systems for flight
control. The line that ruptured was common to both the number one and number
three systems at that point. The loss of fluid was rapid; the number one
system was taken off-line immediately and a shut-off valve isolated the
number three system on that side, rendering it inactive on the left,
although it remained active on the right side. The number two system carried
on as it should have. This form of partial redundancy likely means that it
takes two independent failures to cause a total hydraulic flight control
system loss. Losing your flight control is catastrophic; design principles
and regulations say there should be no possibility of a single point of
failure, so two is minimum. And an independently ruptured number two line at
that point would have caused total loss of swash plate control on the left,
so it seems that catastrophic failure can indeed be caused by certain
combinations of two failures.
The machine was left with one operating hydraulic swash plate control system
on one side, and two operating systems on the other, but should have been
able to fly normally without discernible disturbance to control.
However, there is a Primary Flight Control System (PFCS) reset button
available to the pilots. It illuminates under certain circumstances. When
illuminated, it should be pressed, which resets the flight control system
computers to a known, "safe" state. It illuminated, the crew pressed it to
reset the system. This is intent, design, and correct standard
procedure. However, what happened then was unplanned, unforeseen, and
uncontrollable. The effect of the reset on the state of the actual flight
controls in these circumstances should have been nothing. It is easy to see
this: one has lost a hydraulic system, partially lost another, but one wants
to continue without interruption using the remaining "assets" whilst
isolated the problem as far as possible, and that happened up to that point
according to design plan.
However, "no change" is not what the PFCS computers commanded. They
apparently commanded changes in rotor pitch and thrust, which became rapid
fluctuations. The crew repeatedly recycled the reset. These flight control
changes happen via the swash plate. Because of the reduced control power on
one side (pressure from one hydraulic system) compared with the other
(pressure from two), the rotors responded at different rates to the rapid
command changes, as a matter of mechanics. This caused large fluctuations in
flight state, control was lost and the aircraft crashed, from an altitude of
around 1,600ft. All this happened inside about 30 seconds. The crew is
completely without fault in the accident.
General Berndt noted the JAG team was tasked only with determining the
course of events and the immediate causes. He therefore had no comments on
other aspects of the program, or how this crash will impact procedures in
particular or the program in general.
There are some general points to note. First, the aircraft crashed because
of two presumably independent failures: the hydraulic system failure and
then the PFCS command failure. So there is no apparent reason to question
the fundamental design principles, which both require two independent
failures for catastrophe, and (as we have noted) allow it. Second, the first
failure was dealt with as designed. The failed system component was isolated
as designed and the remaining systems were able to carry out the designed
task. Third, the PFCS command failure, which the JAG team has said is a
software failure, was completely unplanned and unexpected. The SW caused a
"control excursion" and it should not have. General Berndt has said it is
"an anomaly in the control logic in the computer software control laws"
which seems as if it would be a design failure. But in response to a
question, General Berndt suggested he couldn't actually be that specific.
General Berndt was asked who provided the SW. He said he didn't know.
A member of the audience said that Bell was the primary software
provider. He replied "but they may subcontract". According to James
Dao of the New York Times, reporting on 6 April, 2001, the software
was written by BAE Systems (the former British Aerospace) and
integrated with the hardware by Boeing. (Thanks to John Rushby for
this information.)
Peter B. Ladkin
>From Swedish newspaper *Aftonbladet* April 7, 2001, http://www.aftonbladet.se/vss/nyheter/story/0,2789,46262,00.html An 18-year old man arrested for kidnapping and several counts of aggravated robbery escaped from his cell by breaking the window open and using computer cords to climb down. He had been placed in solitary confinement because of the risk that he could interfere with the investigation if in contact with other suspects. The isolation affected his mental health, so the officers let him play computer games for recreation. The computer was in the only cell in the jail where the window could be partially opened. The suspect used a chair to force the window open and used the cords from the computer to climb down to the roof of another building. This was the second escape ever from the police jail in central Stockholm, which has been in operation since 1975. I wonder whether this escape will be marked as a computer-related crime in the statistics? Translated and edited by Ulf Lindqvist, System Design Lab, SRI International, 333 Ravenswood Ave, Menlo Park CA 94025-3493, USA +1 650 859-2351 http://www.sdl.sri.com/
Here at Fermilab we've been rolling out a Strong Authentication Project, and for Windows NT systems we've been using a package called Reflection from WRQ. This morning, NT users were unable to authenticate to the kerberos keyservers unless they disabled the Windows setting to "automatically adjust for daylight savings time". Of course, with this setting off, all the time displays on the system are off by an hour, but users can log in to our secure-realm systems with kerberos. Note that the Windows2k software that does kerberos directly was apparently not affected, only the third party software for Windows NT. Marc Mengel <mengel@fnal.gov>
Dutch government advised to give citizens Web access to 'digital vault' with their personal information. On 29 Mar 2001, Roger van Boxtel, the Dutch minister responsible for ICT issues, received the first copy of the report prepared by the "Commissie Modernisering van de GBA" (Committee for Modernising the Basic Municipal Civil Registry). The committee's task was to present proposals to make the Civil Registry more accessible and at the same time give citizens a stronger position in their relationship with the government. In this report, the committee advises the minister that all citizens should be provided with a personal 'digital vault' which would contain selected personal data, taken from a person's "administrative history" in the Civil Registry, including name, address and SoFi number (SSN). Citizens should be able to add even more information to their vaults, such as financial information or data regarding their health. Selected government agencies, such as the Belastingdienst (IRS) and the police, would be given access to these vaults. It is up to the citizen to give other institutions and/or companies access. The committee stipulates that no citizen should be forced to actually use the digital vault and that citizens should not be forced by third parties to provide information from the vault. The digital vault is to be made accessible through the website of the municipality where the citizen resides. In the future, the proposed electronic Dutch Identitycard, with biometric authentication, could be used as the key to unlock the vault. More information (in Dutch) on Roger van Boxtel's own site: http://www.ministervanboxtel.nl/asp/page.asp?id=i000673&version=nl Why do I have the feeling that many RISKS are lurking here? I have a savings account and a safe to store valuables at a bank of my choice. If I am not satisfied, I select another bank. Why would I want to store valuable personal information in the town hall? How can I be sure that my 'digital vault' is indeed safe and that my safe will not be cracked? How can I be sure that there is no possibility that a third party (a cracker) can take over my vault and hence my identity? How long will it take before such a vault is mandatory? Will I be able to prevent the municipality from creating a vault for me or will they do it anyway? On the other hand: if ever one of these vaults is cracked and something nasty happens with someone stealing my identity, I can always say it wasn't my vault. Peter Fokker <peter@berestijn.nl>
The Organization for the Advancement of Structured Information Standards (OASIS, http://www.oasis-open.org) is starting an effort to standardize an XML vocabulary and related software concerning elections. There could be RISKS of overly free interchange of voter registration data, as well as previously-noted concerns about Internet-based voting. Further, some may view this as a move by election.com to gain early-entrant advantage that could scare away development of competing technology, but I think the OASIS process promotes competition where it matters. Quoting from the first announcement: A new OASIS technical committee is being formed. The Election and Voter Services Committee has been proposed by Gregg McGilvray, election.com (chair); Oliver Bell, Microsoft; and Ed McLaughlin, Accenture. Purpose: To develop a standard for the structured interchange of data among hardware, software, and service providers who engage in any aspect of providing election or voter services to public or private organizations. The services performed for such elections include but are not limited to voter role/membership maintenance (new voter registration, membership and dues collection, change of address tracking, etc.), citizen/membership credentialing, redistricting, requests for absentee/expatriate ballots, election calendaring, logistics management (polling place management), election notification, ballot delivery and tabulation, election results reporting and demographics. Implementation: The standard under development by election.com, Inc. will be made available for review and revision and can be expanded upon as necessary. A phased approach will be used to implement the standard due to the number of aspects being considered by the standard. David Marston <marston@mv.mv.com>
Kevin Rolph <kevin@kgames.demon.co.uk> wrote:
> automagically converted the Omega symbols into 'W's (and not to mention ...
Just to complete list of "for user convenience" "features" of the very same
word mangler .. processor. My wife wrote her doctoral thesis with Word 6.0.
After quite a few rounds of proof reading, it was considered error-free
(later found some :-{). To make it ready for press and on-line publication
it had to be converted to PDF.
The computer which had Acrobat tools had also Word 97, with quite default
settings. The document loaded quite nicely, expect some changes in page
layout. We checked for that and then printed it out, sent to the press and
were satisfied.
Before dissertation, she took a closer look at her thesis and noted that
capitalization of some acronyms of compounds (thesis were about
pharmacology) were wrong. In disbelief she checked last printouts from Word
6.0 version, and there they were right.
The only possibility is that the Word processor changed them "automatically"
in converting version. I was aware of correct-when-you-type, but this was
new... too late. No warning dialogue, nothing.
Ok, back to plan home automation... for family convince
Markus Peuhkuri ! http://www.iki.fi/puhuri/
Suspending disbelief for a moment, let us suppose this WERE true. (For those whose disbelief was already suspended, consider the RISKS of glossing over a spokesperson's name, not remembering certain traditions when April rolls around [Lirpa Loof?], etc.) I'm sure we can all envision it happening, be it to Microslop or some other careless company. Methinks we should consider the effort to remove such things, or the embarrassment resulting from not doing so, to be a RISK of not having coding standards, including commandments to the effect that Thou Shalt Use Meaningful (And Not Embarrassing to the Company) Variable Names — and CODE REVIEWS to enforce it! Or at least code reviews, conducted by a humorless PHB.... Dave Aronson, Sysop of AirNSun free public Fidonet BBS @ +1-703-319-0714 The above opinions are MINE, ALL MINE, but for rent at reasonable rates.
The foot-and-mouth item is indeed not RISKS-unrelated: it is suggested that some of the spread is due to unrecorded trade in sheep to exploit profitable loopholes in the subsidy regulations. The Sunday Telegraph had one about new European legislation that threatens impersonators who will have to pay royalties to their victims. "Larip Loof, the Finnish European commissioner, explained that the ruling on individuals owning their own voices was "a logical progression" from the laws covering intellectual property rights." http://www.telegraph.co.uk:80/et ?ac=000125824864271&rtmo=gjNZZZnu&atmo=gjNZZZnu&pg=/et/01/4/1/nimp01.html [URL broken by PGN for readability] Ursula
Michael Sinz' note on Microsoft's ActiveX certification problem (RISKS-21.30) prompted me to write of another Microsoft- related RISK that I've noticed recently. Microsoft has been running a television commercial for one of their e-commerce servers. As the video shows conveyor belts with packages moving along them, the announcer is saying something like, "John Smith normally orders books about motorcycle racing and scuba diving. But today, his order included videos that feature a singing purple dinosaur. The software quietly updates itself to be ready for John's next order." Perhaps I am just overly suspicious, but I don't think that "quietly updates itself for the next order" is the proper reaction. "Loudly screams for a service representative and reports this sudden, possibly fraud-related, change in buying patterns" would be better. Speaking of which, *The New York Times* reported on 26 Mar 2001 (Business section) that US patent number 6,185,415 has been issued. This patent covers a class of fraud-detection algorithms that use a certain type of profiling to detect unusual behavior. The article says that the patent's owner, @Comm Corporation, has started to pursue telecommunications companies that use such software in their systems. Ken Cox kcc@research.bell-labs.com [Interesting. In my lab we have been doing profile-based anomaly detection since 1983. PGN]
I recently quit my job as a system administrator, but I still read the messages and discussions between my former colleagues to help out the guy that followed me in the position. A few days ago, one of my former colleagues entered the server-room at my former employer and found it filled with light smoke. Not seeing any fire and in doubt of how to handle the situation, he consulted his boss in the neighboring room, who ordered an immediate shutdown of all servers. This might seem like an overreaction, but we had experienced some inexplainable hardware malfunction over the past six months that has caused near catastrophic data losses, so tensions wrt. hardware malfunction was high. It turned out that it was simply an old vt420 terminal that was practically never used that had started to malfunction and producing smoke, but the immediate shutdown of all servers resulted in the client users with for instance open word documents on the server or whatever they were doing to lose any unsaved data. The risk of putting non-reliable legacy equipment in the same room as your $30,000 servers with hundreds of concurrent users is obvious. Such server-rooms should not contain any equipment whose catching fire is irrelevant to the operation of the servers. Alternatively, such equipment should be shut off (and perhaps disconnected) when not in use. Audun Nordal
> The IRS expects 42 million electronic returns this year — 70% of all > returns. How is that possible? 70 percent of households don't even have computers! [There was an error in the report from which the RISKS item was created. It seemed strange to me, but it was their error, not mine. PGN]
From the IRS Stats website at http://www.irs.gov/prod/tax_stats/soi/ind_agi.html I discovered that there were 124,770,662 tax returns filed in 1998 (so much for the 10-1 rule). That would make 42 million around 1/3. If I assume that the number of filers has gone up, probably the error was that 70% will _not_ use electronic filing. (I also discovered that it is really hard to read a spread sheet that uses proportional fonts rather than fixed fonts.) Paul
By now, most RISKS readers are familiar with the discount cards that seemingly every supermarket in the US offers. For the small price of a few bits of information you get a discount on your grocery bill every time you buy something from a store in the same chain. On a recent business trip to the Chicago area, I stopped into a supermarket and was prompted for a discount card as was, I'm sure, everyone else who purchases anything from that chain. Since it's unlikely I'll be back through a store in this chain any time in the near future, I declined their polite offer to "Join and Save". While I gathered my items and prepared to leave, I overheard the clerk ask the person behind me for her card. Unfortunately she had forgotten it, and asked if they could look her up by her phone number. The clerk apologized that no, they no longer could do that and could *only* look up by SSN. Which the woman promptly rattled off for the clerk, myself, and 2 other strangers behind her. Is your identity worth $1.45? (The discount I would have received if only I had "Joined & Saved")
Please report problems with the web pages to the maintainer