The RISKS Digest
Volume 3 Issue 31

Tuesday, 5th August 1986

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Another cruise missile lands outside Eglin test range
Martin J. Moore
Aircraft simulators and risks
Gary Wemmerus
Re: Comment on Hartford Civic Roof Design
Brad Davis
Expert system to catch spies (RISKS-3.30)
Chris McDonald
Computer and Human Security
Henry Spencer
Ozone Reference
Eugene Miya
Financial risks
Robert Stroud
Mail Load Light(e)ning?
SRI-CSL Mail Daemon
Info on RISKS (comp.risks)

Another cruise missile lands outside Eglin test range

0 0 00:00:00 CDT
An unarmed Tomahawk cruise missile malfunctioned and landed unexpectedly
during a test launch at Eglin AFB last Saturday (8/2/86).  The missile,
launched from the battleship Iowa at 10:15 am CDT, flew successfully for 69
minutes before deploying its recovery parachute for reasons not yet
determined.  The missile made a soft landing in an uninhabited area 16 miles
west of Monroeville, Alabama.  No injuries or property damage were reported. 

The cause of the failure is not yet known.  The missile, which suffered no
apparent external damage, was recovered and returned to the General Dynamics
works in San Diego for investigation.  The missile was the second in four
launches to land outside the 800-square-mile Eglin reservation.  Last December 
8, the first Tomahawk launched at Eglin landed near Freeport, Florida.  The 
cause of that failure was a procedural problem which caused portions of the 
missile's flight control program to be erased during loading.

Saturday's failure followed a successful Tomahawk launch on the previous day.
A missile launched from the destroyer Conolly successfully flew a 500-mile
zigzag course over southern Alabama and the Florida Panhandle before landing
at the designated recovery point on the Eglin range.

                — Martin J. Moore

To: Art Evans <>
Subject: Re: Aircraft simulators and risks
Date: Tue, 05 Aug 86 09:45:51 -0800
From: Gary Wemmerus <gfw@ICSE.UCI.EDU>

    I heard a story about the DC-10 crash at O'Hare in 1979 that might
be the one you mentioned.
    After the crash, they programmed that sequence of events into the
simulator and tried out pilots on it.  Every one of the pilots that followed
the correct procedures as listed in the MANUAL for that sequence of events
CRASHED.  The problem was that the sequence of events did not include loss
of an engine, just loss of engine power, and did not take into account total
loss of hydraulic power.  I have heard that there are no instruments on the
DC-10 that would tell a pilot that the engine was gone, just that there was
no power from it.
    When pilots tried a different way or responding to the sequence of
events, I believe that a successful landing was achieved 80% of the time.  I
think that there was no problem with the simulator, but there were two sets
of events that led to one set of indicators to the pilot, and the manual
listed the correct procedure for the other set of events.  My guess is that
they never expected the sequence that occurred and have now come up with a
way to distinguish between the two events.  

PS. A lot of this is from second-hand sources, so I cannot totally vouch for
its accuracy.

Re: Comment on Hartford Civic Roof Design

Brad Davis <>
Tue, 5 Aug 86 13:18:08 MDT
Along with the problems of wrong model is the problems with not
testing at proper extremes or making bad assumptions.  About 15 years
ago a new shopping mall was being built in Salt Lake City.  The
engineers (and architects?)  from California consulted their data
books (or ran their CAD systems) and determined the amount of weight
the building needed to support to make it through a desert winter.
Even though Utah is a desert, we get 1 foot snowfalls in twelve-hour
periods.  The roof caved in at the first big snowfall of the season.
Luckily the mall hadn't opened yet.  They did fix it and the mall
hasn't had any problems since.
                    Brad Davis

Expert system to catch spies (RISKS-3.30)

Chris McDonald SD <>
Tue, 5 Aug 86 7:31:33 MDT
 Larry Van Sickle asks the question "Is it doable?" regarding the use of an
"expert system" to screen out or to identify potential espionage agents.  From
my sixteen years of experience in positions which require a security clearance
and actually access to classified defense information, I conclude "NO!"  The
reason is that potentially millions of government as well as contractor
employees have clearances with access to national defense information.  I find
it incredible to belive that any "expert system" could realistically factor in
all the variables which might cause an individual to be recruited for espionage
or to recruit him or herself for such activity.  

Second, while the news media has reported the apparent "greed" of the most
recent batch of US citizens involved in espionage against their country, I
would surmise that there were probably equally compelling personnel and
philosophical reasons for their actions.  Whenever there is an in-depth damage
assessment of espionage cases "after the fact," it seems historically that
there are many motivations at work.  

Third, if "disaffection" might be one of the causes of a successful espionage
recruitment, then the problem is magnified by the very bureaucracy that
employs individuals with security clearances.  For example, there has not been
a President or Executive Branch since 1970 which has not proposed that the
Federal workforce is a collection of lazy, misfits who could not be employed
anywhere else.  There has never been a sustained call for "excellence" in the
government on the assumption that this is a contradiction in terms.  How could
any "expert system" factor in cuts in salary, retirement and benefits without--
perhaps with some exaggeration-- potentially disqualifying the entire 
workforce.  The defense contractor side of the house experiences the same sort
of problems as it goes through one cycle after another in which today we build
the B-1 bomber and the next day we shut down the line.

Finally, although I do not have the benefit of reading the actually article
which Larry mentions, it does appear that the so-called "former intelligence
analyst" has confused the issues of "suitability" and "loyalty".  Just because
an individual has financial problems does not necessarily mean that he will spy
against the US.  While "suitability" factors may appear in actual espionage
cases to have had some influence on "loyalty," they are usually never the sole
reason.  Indeed, if "greed" alone were a factor, why have so many people
"sold" themselves so cheaply?

Date: Tue, 5 Aug 86 21:41:12 edt
From: decwrl!decvax!LOCAL!utzoo!henry@ucbvax.Berkeley.EDU
Subject: Computer and Human Security

Lindsay F. Marshall writes, in part:

> I feel that there are significant differences between the quality of the two
> sorts of security... there are many instances where computer
> security seems very much more superficial than human security...

The other side of this coin is that there are many instances where human
security is very much more superficial than computer security.  How many
times have you been waved through a gate by a guard who knows you?  Does
he really consider the possibility that your pass might have been revoked
yesterday?  Yes, I know, they're supposed to always check, but it often
doesn't work that way in practice.  Especially if there is something else
distracting them at the time.  An electronic pass-checker box, on the other
hand, does not get distracted and doesn't get to know you.  Human security
can be bribed, coerced, or tricked; these tactics generally don't work on
computers.  Their single-minded dedication to doing their job precisely
correctly and ignoring everything else blinds them to "out-of-band" signs
that subversion is taking place, but it also blinds them to "out-of-band"
methods of subversion.

The best approach is to combine the virtues of the two systems:  use
computers for mindless zero-defects jobs like checking credentials, and
use humans to watch for improper use of credentials, attempts to bypass
credential checking, and anomalies in general.  One gray area is checking
the match between credentials and credential-holders:  this generally has
to be done by humans unless the credentials are something like retinagrams.

                Henry Spencer @ U of Toronto Zoology

Ozone Reference

Eugene Miya <eugene@AMES-NAS.ARPA>
Tue, 5 Aug 86 10:51:50 pdt
I talked to one of our bio-geo-chemists.  There is a popular article which
he feels is a good introduction to the players of this research including
good references:
                    Nature, 321, June 19, 1986, pp. 729-730

To reiterate: all of the postings I have seen on Risks almost make this
sound like either a conspiracy or foot dragging by the earth science
community.  Eight years is nothing in the span of research in the earth
sciences.  That was also the length of time involved in the Palmdale Bulge
research which turned out to be erroneous.

My contact, Greg, has seen papers suggesting natural mechanisms for ozone
depletion in the Antarctic.  There is insufficient money and time to
research long-period phenomena.  Note: this brings up the issue of fast
developing trends with slow thinking scientific communities, but that is
another issue.
                                       --eugene miya, NASA Ames

    [The AAAS Science article is on page 1602 of the 27 June 1986 issue.
     It points out the increasing depletion (now 50%) in the ozone layer 
     for a short period in October compared with the 1979 norm.  It does
     not deal with the reported software problem.  PGN]

Financial risks

Robert Stroud <>
Tue, 5 Aug 86 16:17:45 bst
There was an item on the ITV News at Ten last night about the record
62-point fall of the Dow Jones Index about a month ago. Since it was on TV,
I can't report it verbatim, but the gist was as follows:

  "Experts are convinced that the record fall was almost entirely due to the
  use of computer programs that automatically sell stock when certain
  conditions are triggered.  [...stuff about the cash index falling below the
  futures index...]  Whereas a fall of this magnitude would have been
  disastrous a few years ago, nowadays it hardly causes a hiccup. The big
  shareholders are quite capable of withstanding a swing of 40 points or more
  in a day, although the small investor suffers. Although computers are blamed
  for this sort of instability, they are also credited with keeping the market
  at its high level over the last 6 months.  However, members of the public
  would be concerned if they were aware of the increasing use of technology,
  not just because of the problems of the small investor but also because
  decisions are now being taken based solely on movements within the market,
  without consideration of external economic factors."

I also saw something in The Times suggesting that the fall was "aggravated"
by the use of such programs a few days after the incident occurred - maybe ITV
were reporting the result of an investigation into the causes.

There has been a recent trend towards relaxing controls and regulations in
the financial markets. There will shortly be what is known as the Big Bang
in the UK and this has caused a great deal of activity in the City with
companies that have traditionally performed separate functions being allowed
to merge, and several giant financial organisations forming. There has been
a lot of headhunting with astronomical (by British standards :-) salaries
being offered, first for dealers but more recently for those with computing
experience. Sophisticated computer systems are planned, and apart from just
displaying information, I expect there will be more programs to buy and sell
automatically. Another aspect of the mergers will be the need to establish what
are called Chinese Walls within institutions to prevent the unethical use
of confidential information. For example, one part of an institution may be
giving financial advice to some company which another part of the same
institution could use to speculate - the same institution would not have been 
allowed to perform both roles under the regulations before the Big Bang.

The Chinese Wall problem is really a standard security problem with the
computing system being divided up into multiple partitions between which
information flow is not allowed. Human leakage is likely to be more of a
problem. Increasing dependence on technology has obvious reliability
implications, but I am more concerned about whether automatic trading
is likely to have a destabilising influence. Modern telecommunication has made 
it possible to have a 24 hour world currency futures market in which vast sums 
(1 billion/day) are traded rapidly for minute gains. This is pure speculation, 
creating money out of nothing with no connection to the outside world, (unlike 
other futures markets which at least have some basis in reality providing a 
guaranteed market for some commodity). I feel that programs will be able to 
react too quickly for the wrong reasons with possibly disastrous consequences.
Equally, they could create a false sense of security and an artificially
inflated market by buying instead of selling.

Although some of these concerns are political rather than technical, and I
am in no sense a financial expert, I would appreciate a discussion of these 
issues and some information about the heuristics and safeguards built into 
these automatic trading programs.

Robert Stroud, Computing Laboratory, University of Newcastle upon Tyne.

ARPA robert%cheviot.newcastle@ucl-cs.ARPA
UUCP ...!ukc!cheviot!robert
JANET robert@newcastle.cheviot

The Mailer Daemon <Mailer@CSL.SRI.COM>
Tue 5 Aug 86 19:37:04-PDT
Message undelivered after 14 days — will try for another 1 day:
RISKS@DOCKMASTER.ARPA: Cannot connect to host

    [The Dockmaster IMP was hit by lightning several weeks ago.  It still
     has not recovered.  The thundering of undelivered mail messages
     rains down upon me as my mailer merrily retries at intervals.  PGN]

Please report problems with the web pages to the maintainer