The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 33

Sunday 8 April 2001


Software direct cause of December 2000 Osprey crash
Peter B. Ladkin
Computer cords used in escape from police custody
Ulf Lindqvist
WRQ/Reflection and DST
Marc W. Mengel
Dutch government report on privacy
Peter Fokker
Proposed "open" development of voter data standards launched
David Marston
Re: MS Word: Ohm, SaveAs Watt
Markus Peuhkuri
Re: Windows 2000 source code
Dave Aronson
Re: April Fools items
Ursula Martin
Re: When security is based on trust
Ken Cox
What's in you server room?
Audun Arnesen Nordal
Re: tax returns
Wendy Grossman
Paul Ward
Re: identity theft
Chris Viles
Info on RISKS (comp.risks)

Software direct cause of December 2000 Osprey crash

<"Peter B. Ladkin" <>>
Sat, 07 Apr 2001 10:25:28 +0200

Two recent documents have appeared concerning the Osprey, the U.S. Marines'
V-22 tiltrotor aircraft intended as the replacement for certain of its aging
helicopter fleet. Various problems during Osprey development, including the
crash whose cause is related here, have already been reported in [Ladkin et
al, RISKS-21.20].

One document is the U.S. General Accounting Office (GAO) briefing material
on its inspection of the Osprey development program, GAO-01-369R "Defense
Acquisitions: Readiness of the Marine Corps' V-22 Aircraft for Full-Rate
Production", which may be found by searching at for term
"Osprey" and Keyword "V-22". I highly recommend reading this material to
anyone interested in the development of complex systems with crucial
computer-based components. It contains some astounding material. I shall not
comment further in this note on this document.

The other is the text of the briefing upon release of the JAG report into
the cause of the December 2000 Osprey crash during a training mission, at (thanks to
Ken Garlington for the link).

First, some details as to how the Osprey functions. It has an engine and a
propeller-rotor, bigger than a normal propeller and smaller than a normal
helicopter rotor, on the end of each wing. The engine nacelles (structures
holding engine and rotors) rotate between roughly vertical (when the
aircraft is said to be in "helicopter mode") and horizontal ("airplane
mode"). This configuration allows the advantages of a turboprop airplane,
such as speed, en-route, but those of a helicopter for take off and landing,
and other functions such as loading and offloading personnel and cargo while
hovering. This technology has been tested for over twenty years in
prototypes such as NASA's XV-15, and the MV-22 is the first attempt at a
large production tiltrotor vehicle for use in military missions.

Some words now about flight control. A helicopter rotor has two basic means
of adjustment. The angle of the blades can be adjusted relative to the plane
of rotation ("pitch"), either uniformly for all blades ("collective pitch"),
or differentially in a specific orientation relative to the aircraft body
("cyclic pitch"). This is accomplished by allowing the blades to pivot or
flex about their longitudinal axis, and controlling this flexing via rigid
connections from the blades to a "swash plate", which is like a large, loose
washer around the rotor spindle back of the rotor. To obtain "collective"
control, the swash plate is moved uniformly up and down the spindle to flex
the blades together into the desired position. To obtain "cyclic" control,
the swash plate is tilted on the spindle in a fixed direction relative to
the aircraft body, to produce differential lift in this orientation. An
airplane turns by producing differential lift on its wings (by altering
their shape via ailerons) but only has two directions in which to do this;
the helicopter has full 360-degree freedom in this regard. The third
helicopter flight control is the power generated by the engines.  In
addition, the Osprey has a flight control which consists in rotating the
nacelles to various positions between horizontal and a little past the

Much of the flight control has to be adjusted automatically for the
conditions of flight and is not freely controllable by the pilot.  It is a
"fly-by-wire" (FBW) machine. I find the technology remarkable, and wish it
every success, which success no longer appears to be guaranteed, thanks
amongst other things to the understanding of the causes, including
institutional ones, of the two crashes in 2000.

The briefer, General Berndt, explained what happened in December as
follows. The aircraft was flying at about 160kts and the nacelles were
transitioning from airplane to helicopter mode. At that point, a flight
control system hydraulic line the left nacelle ruptured under pressure. The
nacelle transition was stopped, as per design. These lines are titanium,
22/1000 inch thick, and operate at pressures of 5,000 psi (rather than the
more conventional 3,000 psi or so of modern helicopters. Specific
requirements other than those of flight control, for example weight and
payload requirements, apparently necessitate this high pressure design). The
rupture was caused under loading of the system to operate the swash plate,
at a weak point caused by chafing of the line against a wire bundle. (I
understand that titanium, whilst light and strong, is also quite brittle.)
Such chafing has been noted in maintenance reports since July 1999, and some
chafing was found on all remaining Ospreys during post-crash
inspection. This is apparently a generic problem that has not yet been
solved. The aircraft had been properly maintained, and it was ahead of its
maintenance schedule, having completed its 210-hour inspection already by
157 hours, its total time at crash. (General Berndt phrased this as being in
"excellent shape", but the aircraft evidently wasn't; I think he must have
meant that the aircraft was properly determined to be in "excellent shape"
by the maintenance procedures. It is becoming recognised in aviation
maintenance circles that the inability to inspect certain regions of wire
bundles and other lines often allows some dangerous deterioration to go

There are three partially-independent hydraulic systems for flight
control. The line that ruptured was common to both the number one and number
three systems at that point. The loss of fluid was rapid; the number one
system was taken off-line immediately and a shut-off valve isolated the
number three system on that side, rendering it inactive on the left,
although it remained active on the right side. The number two system carried
on as it should have. This form of partial redundancy likely means that it
takes two independent failures to cause a total hydraulic flight control
system loss. Losing your flight control is catastrophic; design principles
and regulations say there should be no possibility of a single point of
failure, so two is minimum. And an independently ruptured number two line at
that point would have caused total loss of swash plate control on the left,
so it seems that catastrophic failure can indeed be caused by certain
combinations of two failures.

The machine was left with one operating hydraulic swash plate control system
on one side, and two operating systems on the other, but should have been
able to fly normally without discernible disturbance to control.

However, there is a Primary Flight Control System (PFCS) reset button
available to the pilots. It illuminates under certain circumstances.  When
illuminated, it should be pressed, which resets the flight control system
computers to a known, "safe" state. It illuminated, the crew pressed it to
reset the system. This is intent, design, and correct standard
procedure. However, what happened then was unplanned, unforeseen, and
uncontrollable. The effect of the reset on the state of the actual flight
controls in these circumstances should have been nothing. It is easy to see
this: one has lost a hydraulic system, partially lost another, but one wants
to continue without interruption using the remaining "assets" whilst
isolated the problem as far as possible, and that happened up to that point
according to design plan.

However, "no change" is not what the PFCS computers commanded. They
apparently commanded changes in rotor pitch and thrust, which became rapid
fluctuations. The crew repeatedly recycled the reset. These flight control
changes happen via the swash plate. Because of the reduced control power on
one side (pressure from one hydraulic system) compared with the other
(pressure from two), the rotors responded at different rates to the rapid
command changes, as a matter of mechanics. This caused large fluctuations in
flight state, control was lost and the aircraft crashed, from an altitude of
around 1,600ft. All this happened inside about 30 seconds. The crew is
completely without fault in the accident.

General Berndt noted the JAG team was tasked only with determining the
course of events and the immediate causes. He therefore had no comments on
other aspects of the program, or how this crash will impact procedures in
particular or the program in general.

There are some general points to note. First, the aircraft crashed because
of two presumably independent failures: the hydraulic system failure and
then the PFCS command failure. So there is no apparent reason to question
the fundamental design principles, which both require two independent
failures for catastrophe, and (as we have noted) allow it. Second, the first
failure was dealt with as designed. The failed system component was isolated
as designed and the remaining systems were able to carry out the designed
task. Third, the PFCS command failure, which the JAG team has said is a
software failure, was completely unplanned and unexpected. The SW caused a
"control excursion" and it should not have. General Berndt has said it is
"an anomaly in the control logic in the computer software control laws"
which seems as if it would be a design failure. But in response to a
question, General Berndt suggested he couldn't actually be that specific.

General Berndt was asked who provided the SW. He said he didn't know.
A member of the audience said that Bell was the primary software
provider. He replied "but they may subcontract". According to James
Dao of the New York Times, reporting on 6 April, 2001, the software
was written by BAE Systems (the former British Aerospace) and
integrated with the hardware by Boeing. (Thanks to John Rushby for
this information.)

Peter B. Ladkin

Computer cords used in escape from police custody

<Ulf Lindqvist <>>
Sat, 7 Apr 2001 21:02:00 -0700 (PDT)

>From Swedish newspaper *Aftonbladet* April 7, 2001,,2789,46262,00.html

An 18-year old man arrested for kidnapping and several counts of aggravated
robbery escaped from his cell by breaking the window open and using computer
cords to climb down. He had been placed in solitary confinement because of
the risk that he could interfere with the investigation if in contact with
other suspects. The isolation affected his mental health, so the officers
let him play computer games for recreation. The computer was in the only
cell in the jail where the window could be partially opened. The suspect
used a chair to force the window open and used the cords from the computer
to climb down to the roof of another building. This was the second escape
ever from the police jail in central Stockholm, which has been in operation
since 1975.

I wonder whether this escape will be marked as a computer-related crime in
the statistics?

Translated and edited by
Ulf Lindqvist, System Design Lab, SRI International, 333 Ravenswood Ave,
Menlo Park CA 94025-3493, USA +1 650 859-2351

WRQ/Reflection and DST

<"Marc W. Mengel" <>>
Mon, 02 Apr 2001 12:20:03 -0500 (CDT)

Here at Fermilab we've been rolling out a Strong Authentication Project,
and for Windows NT systems we've been using a package called
Reflection from WRQ.  This morning, NT users were unable to authenticate
to the kerberos keyservers unless they disabled the Windows setting to
"automatically adjust for daylight savings time".  Of course, with this
setting off, all the time displays on the system are off by an hour, but
users can log in to our secure-realm systems with kerberos.

Note that the Windows2k software that does kerberos directly was
apparently not affected, only the third party software for Windows NT.

Marc Mengel <>

Dutch government report on privacy

<Peter Fokker <>>
Sat, 31 Mar 2001 14:21:17 +0200 (CEST)

Dutch government advised to give citizens Web access
to 'digital vault' with their personal information.

On 29 Mar 2001, Roger van Boxtel, the Dutch minister responsible for ICT
issues, received the first copy of the report prepared by the "Commissie
Modernisering van de GBA" (Committee for Modernising the Basic Municipal
Civil Registry). The committee's task was to present proposals to make the
Civil Registry more accessible and at the same time give citizens a stronger
position in their relationship with the government.

In this report, the committee advises the minister that all citizens should
be provided with a personal 'digital vault' which would contain selected
personal data, taken from a person's "administrative history" in the Civil
Registry, including name, address and SoFi number (SSN).  Citizens should be
able to add even more information to their vaults, such as financial
information or data regarding their health. Selected government agencies,
such as the Belastingdienst (IRS) and the police, would be given access to
these vaults. It is up to the citizen to give other institutions and/or
companies access.

The committee stipulates that no citizen should be forced to actually use
the digital vault and that citizens should not be forced by third parties to
provide information from the vault.

The digital vault is to be made accessible through the website of the
municipality where the citizen resides. In the future, the proposed
electronic Dutch Identitycard, with biometric authentication, could be used
as the key to unlock the vault.

More information (in Dutch) on Roger van Boxtel's own site:

Why do I have the feeling that many RISKS are lurking here?

I have a savings account and a safe to store valuables at a bank of my
choice. If I am not satisfied, I select another bank. Why would I want to
store valuable personal information in the town hall? How can I be sure that
my 'digital vault' is indeed safe and that my safe will not be cracked? How
can I be sure that there is no possibility that a third party (a cracker)
can take over my vault and hence my identity? How long will it take before
such a vault is mandatory? Will I be able to prevent the municipality from
creating a vault for me or will they do it anyway?

On the other hand: if ever one of these vaults is cracked and something
nasty happens with someone stealing my identity, I can always say it wasn't
my vault.

Peter Fokker <>

Proposed "open" development of voter data standards launched

<David Marston <>>
Thu, 29 Mar 2001 22:59:57 -0500 (EST)

The Organization for the Advancement of Structured Information Standards
(OASIS, is starting an effort to standardize an
XML vocabulary and related software concerning elections. There could be
RISKS of overly free interchange of voter registration data, as well as
previously-noted concerns about Internet-based voting. Further, some may
view this as a move by to gain early-entrant advantage that
could scare away development of competing technology, but I think the OASIS
process promotes competition where it matters. Quoting from the first

A new OASIS technical committee is being formed. The Election and Voter
Services Committee has been proposed by Gregg McGilvray,
(chair); Oliver Bell, Microsoft; and Ed McLaughlin, Accenture.

Purpose: To develop a standard for the structured interchange of data among
hardware, software, and service providers who engage in any aspect of
providing election or voter services to public or private organizations.
The services performed for such elections include but are not limited to
voter role/membership maintenance (new voter registration, membership and
dues collection, change of address tracking, etc.), citizen/membership
credentialing, redistricting, requests for absentee/expatriate ballots,
election calendaring, logistics management (polling place management),
election notification, ballot delivery and tabulation, election results
reporting and demographics.

Implementation: The standard under development by, Inc. will be
made available for review and revision and can be expanded upon as
necessary. A phased approach will be used to implement the standard due to
the number of aspects being considered by the standard.

David Marston <>

Re: MS Word: Ohm, SaveAs Watt

<Markus Peuhkuri <>>
27 Mar 2001 12:42:23 +0300

Kevin Rolph <> wrote:
> automagically converted the Omega symbols into 'W's (and not to mention ...

Just to complete list of "for user convenience" "features" of the very same
word mangler .. processor.  My wife wrote her doctoral thesis with Word 6.0.
After quite a few rounds of proof reading, it was considered error-free
(later found some :-{).  To make it ready for press and on-line publication
it had to be converted to PDF.

The computer which had Acrobat tools had also Word 97, with quite default
settings.  The document loaded quite nicely, expect some changes in page
layout.  We checked for that and then printed it out, sent to the press and
were satisfied.

Before dissertation, she took a closer look at her thesis and noted that
capitalization of some acronyms of compounds (thesis were about
pharmacology) were wrong.  In disbelief she checked last printouts from Word
6.0 version, and there they were right.

The only possibility is that the Word processor changed them "automatically"
in converting version.  I was aware of correct-when-you-type, but this was
new... too late.  No warning dialogue, nothing.

Ok, back to plan home automation... for family convince

Markus Peuhkuri            !

Re: Windows 2000 source code (Thorson, RISKS-21.32)

<Dave Aronson <>>
Mon, 02 Apr 2001 17:56:40 -0400

Suspending disbelief for a moment, let us suppose this WERE true.  (For
those whose disbelief was already suspended, consider the RISKS of glossing
over a spokesperson's name, not remembering certain traditions when April
rolls around [Lirpa Loof?], etc.)  I'm sure we can all envision it
happening, be it to Microslop or some other careless company.  Methinks we
should consider the effort to remove such things, or the embarrassment
resulting from not doing so, to be a RISK of not having coding standards,
including commandments to the effect that Thou Shalt Use Meaningful (And Not
Embarrassing to the Company) Variable Names -- and CODE REVIEWS to enforce
it!  Or at least code reviews, conducted by a humorless PHB....

Dave Aronson, Sysop of AirNSun free public Fidonet BBS @ +1-703-319-0714
The above opinions are MINE, ALL MINE, but for rent at reasonable rates.

Re: April Fools items (RISKS-21.31)

<Ursula Martin <>>
Sun, 1 Apr 2001 20:05:05 +0100

The foot-and-mouth item is indeed not RISKS-unrelated: it is suggested that
some of the spread is due to unrecorded trade in sheep to exploit profitable
loopholes in the subsidy regulations.

The Sunday Telegraph had one about new European legislation that threatens
impersonators who will have to pay royalties to their victims.  "Larip Loof,
the Finnish European commissioner, explained that the ruling on individuals
owning their own voices was "a logical progression" from the laws covering
intellectual property rights."
  [URL broken by PGN for readability]


Re: When security is based on trust

<"Ken Cox (11359)" <>>
Tue, 27 Mar 2001 14:42:28 -0600

Michael Sinz' note on Microsoft's ActiveX certification problem
(RISKS-21.30) prompted me to write of another Microsoft- related RISK that
I've noticed recently.  Microsoft has been running a television commercial
for one of their e-commerce servers.  As the video shows conveyor belts with
packages moving along them, the announcer is saying something like,

 "John Smith normally orders books about motorcycle racing and scuba diving.
  But today, his order included videos that feature a singing purple
  dinosaur.  The software quietly updates itself to be ready for John's next

Perhaps I am just overly suspicious, but I don't think that "quietly updates
itself for the next order" is the proper reaction.  "Loudly screams for a
service representative and reports this sudden, possibly fraud-related,
change in buying patterns" would be better.

Speaking of which, *The New York Times* reported on 26 Mar 2001 (Business
section) that US patent number 6,185,415 has been issued.  This patent
covers a class of fraud-detection algorithms that use a certain type of
profiling to detect unusual behavior.  The article says that the patent's
owner, @Comm Corporation, has started to pursue telecommunications companies
that use such software in their systems.

Ken Cox        

  [Interesting.  In my lab we have been doing profile-based anomaly
  detection since 1983.  PGN]

What's in you server room?

<Audun Arnesen Nordal <>>
Tue, 27 Mar 2001 11:22:47 +0200 (CEST)

I recently quit my job as a system administrator, but I still read the
messages and discussions between my former colleagues to help out the guy
that followed me in the position. A few days ago, one of my former
colleagues entered the server-room at my former employer and found it filled
with light smoke. Not seeing any fire and in doubt of how to handle the
situation, he consulted his boss in the neighboring room, who ordered an
immediate shutdown of all servers. This might seem like an overreaction, but
we had experienced some inexplainable hardware malfunction over the past six
months that has caused near catastrophic data losses, so tensions
wrt. hardware malfunction was high.

It turned out that it was simply an old vt420 terminal that was
practically never used that had started to malfunction and producing
smoke, but the immediate shutdown of all servers resulted in the client
users with for instance open word documents on the server or whatever they
were doing to lose any unsaved data.

The risk of putting non-reliable legacy equipment in the same room as your
$30,000 servers with hundreds of concurrent users is obvious. Such
server-rooms should not contain any equipment whose catching fire is
irrelevant to the operation of the servers. Alternatively, such equipment
should be shut off (and perhaps disconnected) when not in use.

Audun Nordal

Re: Tax returns (RISKS-21.30)

27 Mar 2001 10:47:15 GMT

> The IRS expects 42 million electronic returns this year -- 70% of all
> returns.

How is that possible?  70 percent of households don't even have computers!

  [There was an error in the report from which the RISKS item was created.
  It seemed strange to me, but it was their error, not mine.  PGN]

Re: Tax returns (RISKS-21.30)

Tue, 27 Mar 2001 10:39:48 -0500 (EST)

From the IRS Stats website at
I discovered that there were 124,770,662 tax returns filed in 1998 (so much
for the 10-1 rule).  That would make 42 million around 1/3.  If I assume
that the number of filers has gone up, probably the error was that 70% will
_not_ use electronic filing.

(I also discovered that it is really hard to read a spread sheet that uses
proportional fonts rather than fixed fonts.)


Re: identity theft (RISKS-21.30)

<Chris Viles <>>
Tue, 27 Mar 2001 15:28:58 -0600

By now, most RISKS readers are familiar with the discount cards that
seemingly every supermarket in the US offers.  For the small price of a few
bits of information you get a discount on your grocery bill every time you
buy something from a store in the same chain.

On a recent business trip to the Chicago area, I stopped into a supermarket
and was prompted for a discount card as was, I'm sure, everyone else who
purchases anything from that chain.  Since it's unlikely I'll be back
through a store in this chain any time in the near future, I declined their
polite offer to "Join and Save".  While I gathered my items and prepared to
leave, I overheard the clerk ask the person behind me for her card.
Unfortunately she had forgotten it, and asked if they could look her up by
her phone number.  The clerk apologized that no, they no longer could do
that and could *only* look up by SSN.  Which the woman promptly rattled off
for the clerk, myself, and 2 other strangers behind her.

Is your identity worth $1.45? (The discount I would have received if only I
had "Joined & Saved")

Please report problems with the web pages to the maintainer