Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 3: Issue 44
Wednesday, 14 August 1986
Contents
F-16 Problems (Bill Janssen)
Various clips from European Newspapers (Martin Minow)
Comment on Nancy Leveson's comment on... (Alan Wexelblat)
Words, words, words... (Herb Lin)
Software Safety (Paul Anderson)
Info on RISKS (comp.risks)
F-16 Problems (from Usenet net.aviation)
Bill Janssen <janssen@mcc.com>
Wed, 27 Aug 86 14:31:45 CDT
A friend of mine who works for General Dynamics here in Ft. Worth wrote some of the code for the F-16, and he is always telling me about some neato-whiz-bang bug/feature they keep finding in the F-16:

o Since the F-16 is a fly-by-wire aircraft, the computer keeps the pilot from doing dumb things to himself. So if the pilot jerks hard over on the joystick, the computer will instruct the flight surfaces to make a nice and easy 4 or 5 G flip. But the plane can withstand a much higher flip than that. So when they were 'flying' the F-16 in simulation over the equator, the computer got confused and instantly flipped the plane over, killing the pilot [in simulation]. And since it can fly forever upside down, it would do so until it ran out of fuel.

(The remaining bugs were actually found while flying, rather than in simulation):

o One of the first things the Air Force test pilots tried on an early F-16 was to tell the computer to raise the landing gear while standing still on the runway. Guess what happened? Scratch one F-16. (my friend says there is a new subroutine in the code called 'wait_on_wheels' now...) [weight?]

o The computer system onboard has a weapons management system that will attempt to keep the plane flying level by dispersing weapons and empty fuel tanks in a balanced fashion. So if you ask to drop a bomb, the computer will figure out whether to drop a port or starboard bomb in order to keep the load even. One of the early problems with that was the fact that you could flip the plane over and the computer would gladly let you drop a bomb or fuel tank. It would drop, dent the wing, and then roll off.

There are some really remarkable things about the F-16. And some even more remarkable things in the new F-16C and D models:

o They are adding two movable vents called 'canards' that will be installed near the engine intake vent under where the pilot sits. By doing some fancy things with the flight surfaces and slick programming, they can get the F-16 to fly almost sideways through the air. Or flat turns (no banking!). Or fly level with the nose pointed 30 degrees down or up (handy for firing the guns at the ground or other aircraft).

I figured this stuff can't be too classified, since I heard almost the same thing from two different people who work at GD. I hope the Feds don't get too upset...

George Moore (gm@trsvax.UUCP)
Various clips from European Newspapers
Martin Minow (DECtalk Engineering ML3-1/U47 223-9922)
To: risks@csl.sri.com
From The [London] Guardian, Aug. 20-22 1986 (not sure of the exact date):
Bank zaps `raid on computer'
Barclays Bank yesterday denied reports that computer experts had
"hacked" into its Whitehall computer and transferred 440,000 Lb.
Sterling to an overseas account.
----
From Dagens Nyheter [Stockholm], Aug. 22, 1986. My translation, abridged.
Shock billing of private person
Phone bill of 31,000 kronor [almost $2,600]
A woman in the Stockholm area received a record phone bill of 31,000
kronor. The amount is equivalent to local calls 24-hours per day for
nearly two years.
The phone company's computers raised an alarm that the amount was
unreasonably high, but human error resulted in the bill being sent out
anyways. The group that normally checks especially high invoices
never got to see this bill.
The woman and the phone company have reached an agreement, whereby she
pays an average bill based on previous invoices. Phone technicians
are now trying to discover whether an error occurred in the
computer-controlled phone exchange. ...
"It's completely our fault," says phone company spokesman Kjell Palmqvist.
"What are you doing about it?" [asked the reporter.]
"First, we've come to an agreement with the woman. She need not pay more
than normally. We've also started an examination of what could have caused
the problem.... There could have been a problem in the computerized phone
exchange, or a cable-error or other type of interference."
"Is this sort of bill common?"
"No, theoretically, we expect one error in 10,000 years. But no
technology is 100% perfect." ...
The telephone exchange, in Oestermalm in Stockholm, uses an
AXE-exchange, a computerized telephone exchange [manufactured by LM
Ericsson] that is very advanced and reliable.
----
From Dagens Nyheter [Stockholm], Aug. 22, 1986. My translation, abridged.
Battle over Databank
The chairman of the governmental data- and public-access committee
[offentlighetskommitt'en], Carl Axel Petri, rejects the criticisms which
have recently been brought by the moderate party [conservative] and
folk-party [liberal conservative] concerning sales of personal
information from computer data banks.
[Sweden has a "sunshine" law, almost 200 years old, that guarantees
public access to almost all government documents. As the information
in the manual registers were considered public, so too is the same
information in the computerised data bank. Information which is not
public is carefully controlled. Access is governed by the Swedish Data
Law, which is now over 10 years old.]
"It is important to quickly get a law that stops general sales. We
have allowed some exceptions, nine specified computer companies, but
even their sales shall, in the future, be controlled by parliament.
Nobody should be allowed to earn money by [selling] personal
information. Sales should have a public interest, in principle, the
new law will forbid sales" said Petri. ...
The leader of the Moderate Party, Gunnar Hoekmark, says that Petri is
incorrect when he claims that the law will forbid sales of personal
information.
"On the contrary," says Hoekmark, "the largest databases will continue
to be sold. Without the committee's discussing what effect sales of
different personal information will have on individual personal
integrity, they propose that the largest database, Spar, may continue
to sell information on individuals income, personal identity number,
wealth, civil status, address, age, etc."
Hoekmark points out that the majority [report?] of the inquiry didn't
answer the most basic questions on whether the government in general
shall have the right to sell information on private individuals'
economy and personal situation.
The majority includes the Center Party's [liberal conservative] Olof
Johansson, who says that the important issue for the future isn't
whether the information ought to be sold, but what information should
be collected. This includes, for example, the discussion on
limitations of use of the personal id number.
Constitutional questions [the Sunshine Law is part of the Swedish
Constitution] and the future of the personal id number will remain for
the inquiry to solve by next spring.
----
Sloppily translated by Martin Minow
[Peter, I also have a long article on computer controlled airplanes
(fly by wire) from the Observer. Mostly Sunday Paper background.
Too much to type in. "... the pilot must have enough confidence
in the flight control computer, and the men who programmed its software,
to take off in an aircraft he cannot fly without them" "there is
one more type of failure from which they [the pilots] cannot recover."]
Comment on Nancy Leveson's comment on...
Alan Wexelblat <wex@mcc.com>
Wed, 27 Aug 86 09:33:11 CDT
I agree in large part with Nancy Leveson's comments in RISKS-3.43. Nevertheless, I find it interesting that she denies that there are "human errors" but believes that there are "management errors." It seems that the latter is simply a subset of the former (at least, until we get computer managers). Also, it's not clear whether she includes things like `pushing the wrong button' or `following the wrong procedure' under the category of "operational errors." --Alan Wexelblat (WEX@MCC.COM)
Words, words, words...
Herb Lin <LIN@XX.LCS.MIT.EDU>
Wed, 27 Aug 1986 15:05 EDT
From: mikemcl at nrl-csr (Mike McLaughlin)
I do not know that "NO ONE in the scientific community believes that it is
possible to frustrate a deliberate Soviet attack on the U.S. population..."
If there is a PhD in a science who believes that, is that person de facto
excluded from the scientific community?
I should have been more precise. No person with technical credentials
has stated that it is possible to deny the Soviet Union the capability
to wreak significant damage on the U.S. population and industry.
I do not know what "frustrat[ing] a deliberate... attack" means.
If it means deterring the attack by reducing the cost/benefit ratio to
an unacceptable level, I believe that is possible (but I am not in the
scientific community and never have been).
If it means saving a significant number of civilian lives from an
inevitable attack, I believe that is possible (but... ).
I think the benchmark that Ashton Carter used in his Office of
Technology Assessment background paper on BMD was pretty good, and it
will serve as a starting point for discussion. "Frustrate a
deliberate attack..." is taken to mean "preventing the Soviet Union
from delivering by ballistic missile 100 megatons of nuclear warhead
on U.S. cities and industry." (Note well: WW II was a 5 MT war.)
Software Safety
Paul Anderson <anderson>
Wed, 27 Aug 86 09:43:03 edt
I have received a copy of a proposed revision of MIL-STD-882B (System Safety Hazard Analysis) Task 212, Software Safety Analysis, that has been distributed for formal coordination. This task will be invoked on contractors building systems containing software for DOD. This task will require the contractor to conduct safety analyses and testing of the software, both on the software alone, and when integrated with the overall system. If anybody has thoughts, comments, or suggestions (or even recommended wording), on what should be included in this task, please let me know (preferably within the next week or so). Paul Anderson anderson@nrl-csr