The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 4 Issue 81

Thursday, 7 April 1987

Contents

o Cadillac to recall 57,000 for computer problem
Chuq Von Rospach
o Public E-Mail Risks?
Brian M. Clapper
o Wheels up (and simulators)
Eugene Miya
Doug Faunt
Matt Jaffe
o Re: the Marconi deaths (an update)
Brian Randell
o Info on RISKS (comp.risks)

Cadillac to recall 57,000 for computer problem

Chuq Von Rospach <chuq@Sun.COM>
Wed, 6 May 87 08:49:01 PDT
I heard this on the radio coming in:  

   Cadillac is recalling 57,000 84-86 cars for what they termed
   'problems with the headlight computer that would cause your 
   lights to go out unexpectedly'

Now, wouldn't THAT be fun.  What I want to know is whether it is hardware
or software.

[For reference, the GM car computer is the 68HC11, a custom CMOS chip based
on the 6809 with lots of bit operations added in.  They use two per car,
one for the engine, and one for the body operations.  Both are programmed
exclusively in assembler.]
                                               chuq

     [Presumably the two computers are totally independent and provide no
     redundancy -- with no possibility for alternate hosting or comparison.
     Does it matter whether WHAT is in hardware or software?  If the computer
     has to go back to Detroit for repairs, it doesn't matter.  If your garage 
     mechanic can download a new program it might, but then we get back to 
     an earlier RISKS discussion about whether you will trust your mechanic to
     mess with your software...  PGN]


Public E-Mail Risks?

<clapper@NADC>
7 May 1987 09:46:40-EDT
Excerpt from Federal Computer Week, Volume I, No. 6 (May 4, 1987):

             Ecom Resurrected (by M. J. Richter)

  The U.S. Postal Service's Electronic Computer-Originated Mail (Ecom)
  system, a short-lived and very unprofitable operation in the early
  1980s, has risen from the ashes and will go into operation in the
  private sector this September. TCOM System Inc. ...  plans to offer
  federal and commercial customers overnight to two-day mail delivery
  service via a data network.  Laser printers will produce hard copies
  of messages sent over the network ...  and the U.S. Postal Service
  will deliver the messages along with first class mail.  ...

  GTE Data Services of Tampa, Fla., just signed a five-year, $50-million
  contract to serve as TCOM's central processing and network management
  organization.  Customers will send their computer mail over telephone
  lines to one of the GTE Data Services' nine processing centers.

  At the data centers, the electronic mail messages will be sorted by
  ZIP code, furnished with ZIP+4 codes and then transmitted to one of 25
  TCOM regional operating centers.  There, the documents will be printed
  on high-speed laser printers, inserted by machine into envelopes and
  sent to the U.S. Postal Service for first class mail delivery.  A
  full-page letter will cost 65 cents, and each additional page will
  cost five cents. ...  TCOM trucks will transport the hard copies ...
  to regional post office hubs for delivery along with regular
  first-class mail. ...

  The TCOM "enhanced mail-distribution" operation, slated to start up on
  Sept.  1, is an exact private replica of the Postal Service Ecom
  system that opened up in January 1982. ... At the time Ecom operations
  began, the Postal Service said more than 80 business organizations had
  signed up for the service, and that four telecommunications carriers
  had contracted to provide the electronic transmission portion of Ecom.

  About two years later, protests by Congress and the Postal Service
  board of governors over Ecom's rising tide of red ink caused the Postal
  Service to discontinue the operation.  ...

I'm wondering how secure this mail will be.  While most computer "tech-ies"
are aware that electronic mail isn't necessarily private, many non-technical
people don't consider or aren't aware of the susceptibility of electronic 
communications (especially electronic mail) to interception.  Customers may 
well be mailing private or sensitive information (financial, personal, 
whatever), assuming it is as confidential as a traditional sealed-and-stamped 
letter.  Should one of the stuffing machines or laser printers jam, presumably 
some human must un-jam it.  What's to prevent him/her from casually reading 
the letter which was being processed?  After all, if an open letter just falls 
into *your* lap, don't you usually read at least part of it?  (Only to figure 
out what it is so you can return it, of course... :-) )
                                                            Brian M. Clapper

   [By the way, there were still more messages on spoofing mailers that are
   not included here.  I think you all get the idea that spoofing is amazingly 
   easy, and that most attempts to patch things up don't work.  PGN]


Wheels up (and simulators) (RISKS DIGEST 4.80)

Eugene Miya <eugene@ames-nas.arpa>
Wed, 6 May 87 00:30:31 PDT
I had a local ACM/SIGGRAPH core (staff) meeting this evening.  We will
be having a special tour for our local members.  A special
demonstration was offered to us by Ron Reisman of Singer-Link at the
Man-Vehicle Systems Research Facility (MVSRF).  This facility was
featured during the "why planes crash" episode of Nova and we "flew"
in the two simulators shown on Nova.

The first, Advanced Cab, simulates a non-existent plane of 1995 with all the
latest bells and whistles which are not flight certified: advanced CRTs,
checklists (not paper), side sticks, etc.  This system does not have a
motion base and is about a $2M image generation facility; it was pointed
out that the side stick alone costs $125K.  The whole thing is multiples
of $10M.  Scene is a Link Night scene by a DIG (Digital Image Generator).
We "took off from SFO" and flew thru the Transamerica Building. We reset
the system, and I dropped the question on Ron.  Just to let you know, the
knobs of the system are human engineered, the flaps knob looks like
little flaps, the landing gear knob looks like a little landing gear
(I learned the story of this at JPL: to avoid similar looking knobs and
pulling the wrong thing).  So we pulled the landing gear while on the ground.
Plane bounded up and down basically taking off: (oh yes, the engines
were on, we have to specify the test conditions while pulling
wheels up) not the wrong thing, but not the right thing (obviously),
it's a non-existent plane so they never cared, they knew).

The second simulator was a Class 2 727 simulator.  This simulator
is probably the most advanced simulator in Northern CA (so says Ron).
We had a 727 pilot with us on this one.  This simulator has a live
motion base and we could not fly with it (against FAA regs).  We have had
injuries (broken arms) by unauthorized "flights" with a high turbulence
setting: you have to be a real 727 pilot to use it.  This is the real
simulator used by Boeing trained pilots.  The people (Ron and I can't
remember the pilot's name [HER name BTW]) assured me that the 727 had
interlocks to prevent gear retraction while on the ground.  Every
eventuality of this type has "been taken care of."  You can agree or
disagree with this, but  I hope you can see why we should not do
this type of test in this machine.  They were aware of the F-16 simulator
problems.  Just testing.

Basically, the MVSRF people thought the wheels up thing was a bit strange:
probably an easily related over simple, but obvious example of problems.
They are more concerned about what makes planes crash: designs are written
on paper with ink, checklists are written on paper with blood (Ron).
They are worried about more subtle but complex problems.  I think
there is a bit of naivete on both parts and would recommend suspending this
line of discussion.  If some one else gets a chance to try the F-16
simulator at GD in the Mid-West, you might post, but the professionals
of this area think we are nit picking.

--eugene miya,   NASA Ames


Re: wheels up

Doug <Faunt@SPAR-20.ARPA>
Wed 6 May 87 12:17:38-PDT
I worked on A4's in the Navy, and we had a problem with the wheels up
interlock circuitry, and people.  There was an interlock so that the
wheels could not be raised with weight on them, however, this
interlock also disabled the radar altimeter.  To test the altimeter,
this interlock had to be defeated.  The proper procedure was for one
person to manually actuate the interlock switch, which was on one of
the main landing gear, while the testing was going on.  Since this
would mean four people were required to test the unit, work-arounds
were sought after by those of us on the line.  One of these workarounds 
called for removing a fuse from a panel in the forward nose gear well
while the test was in progress.  Sometimes the fuse didn't get
replaced, and didn't get noticed during preflight.  This caused the
up-and-locked indicator system to not indicate.  This annoyed pilots.
It never had any serious consequences that I knew of, but....


Re: Wheels Up

Matt Jaffe <jaffe%cf5.UCI.EDU@ROME.UCI.EDU>
Wed, 06 May 87 12:54:50 -0700
Many military aircraft have an override which permits the gear to be
raised even when there is weight on the main mounts.  There are
circumstances where safety requires one to raise the gear while on the
ground.  A typical example is when the aircraft has run off the runway
and is headed for uneven or soft terrain.  Leaving the gear down may,
depending on the aircraft and terrain, result in the aircraft flipping
inverted on the ground.  For both the aircraft and any personnel on
board, that is generally worse than merely sliding along on the
fuselage.  (There was a fatal accident here - Los Angeles - in the
Sepulveda basin recently when a T-28 made an emergency landing on
terrain that looked decent but was not quite good enough.)

The relevant question for design engineers is, of course, under what
circumstances may system operators require overrides to defeat safety
mechanisms and how difficult can the override operation be made to be
(to prevent inadvertent activation) before it becomes so difficult to
operate in times of stress that it presents more of a safety hazard
(because it consumes operator attention and effort under what are
obviously already stressful conditions) than if it were not present
at all?
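Added example, not part of either posting: a constructed Python model of the A-4 interlock Doug Faunt describes (weight on wheels blocks retraction and also disables the radar altimeter, the fuse workaround defeats both and silently kills the up-and-locked indicator), alongside an assumed decoupled altimeter test path, a preflight lamp test that would catch the forgotten fuse, and a deliberate override of the kind Matt Jaffe discusses. The class, its fields and the preflight check are assumptions, not any real aircraft's logic.

```python
from dataclasses import dataclass


@dataclass
class GearSystem:
    """Constructed model of the A-4 wheels-up interlock as described above."""
    weight_on_wheels: bool = True
    gear_down: bool = True
    switch_held: bool = False   # mechanic manually actuating the gear switch
    fuse_present: bool = True   # nose-gear-well fuse pulled as a line workaround

    def interlock_active(self) -> bool:
        # Weight on wheels blocks retraction unless the interlock is defeated,
        # either properly (switch held by a person) or by pulling the fuse.
        return self.weight_on_wheels and not self.switch_held and self.fuse_present

    def raise_gear(self, override: bool = False) -> bool:
        # Deliberate override of the kind Matt Jaffe describes (assumed API):
        # an explicit action, never a side effect of some other circuit.
        if self.interlock_active() and not override:
            return False
        self.gear_down = False
        return True

    def altimeter_coupled(self) -> bool:
        # As posted: the same interlock also disables the radar altimeter,
        # so testing it on the ground means defeating the interlock.
        return not self.interlock_active()

    def altimeter_decoupled(self, test_mode: bool = False) -> bool:
        # Assumed redesign: a separate test path that never touches the gear
        # interlock, removing the incentive for a workaround on the line.
        return test_mode or not self.weight_on_wheels

    def up_locked_indicator(self) -> bool:
        # The same fuse feeds the indicator; a forgotten fuse silences it.
        return self.fuse_present and not self.gear_down

    def lamp_test(self) -> bool:
        # Press-to-test of the indicator circuit (assumed): lit only if complete.
        return self.fuse_present


def preflight_ok(ac: GearSystem) -> bool:
    """Ground check that would have caught the forgotten fuse: parked with gear
    down, the interlock must be active and the indicator lamp test must pass."""
    return ac.gear_down and ac.interlock_active() and ac.lamp_test()
```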


Re: the Marconi deaths (an update to RISKS-4.74)

Brian Randell <brian%kelpie.newcastle.ac.uk@Cs.Ucl.AC.UK>
Thu, 7 May 87 17:25:07 bst
   [The April 30 issue of Computer News (the magazine that ran alone with
   the story for months before the rest of the media noticed) carried the
   most complete summary I have seen to date. Here it is, slightly
   abridged.  Brian]

DEFENCE DEATHS: THE FACTS BEHIND THE STORY

The mysterious deaths of two Marconi systems experts first reported in Computer
News have sparked off intense speculation. Tony Collins clears up the confusion
surrounding this baffling series of events:

Late last year, a Bristol coroner, Donald Hawkins, spoke of a possible 'James
Bond' connection between the deaths of two computer experts involved in key
underwater defence projects.

Since then the mysterious deaths of five other defence workers have come to
light.  In addition, another scientist has disappeared and a senior ICL
employee is critically ill after an unexplained fall.

Most incidents have occurred after the men have successfully completed
important projects or left one job for another.

Although there are police suspicions that many of them were depressed for
different reasons, Computer News could establish no obvious motive for suicide
in any of the cases.....

Four of the dead men were employees of the GEC group - three at Marconi and one
at Easams. Two others worked at separate times at the Royal Military College of
Science at Shrivenham.

A Computer News investigation has established that most of the men were
involved in computer simulation, arguably the key which opens the door to some
of Britain's most secret defence technology.....

Marconi is Britain's only torpedo supplier and was last year awarded the
Ministry of Defence's largest weapons order - (pounds) 400m  for advanced
anti-submarine Sting Ray torpedoes.  The Sting Ray's computer aided guidance
system is so advanced it is being used in the development of Marconi's
strategic defence initiative (SDI) programmes.

The Royal Military College at Shrivenham is also involved in a number of
Britain's leading edge defence projects.  The college develops new testing
devices for the Ministry of Defence and is engaged as a sub-contractor to
defence companies on research and development.....

All the men involved were ambitious and demonstrated a special ability in their
particular field.  Marconi employee Vimal Dajibhai, 24, found dead beneath the
Clifton Suspension Bridge last August, was about to leave Marconi for a higher
paid job.

Ashad Sharif, another London programmer found dead in Bristol, was about to
take over the running of a department at Marconi's Stanmore headquarters.

David Sands, who died in March as his car loaded with two cans of petrol
exploded into flames as it crashed into a disused cafe, had just returned from
a family holiday in Venice to celebrate the ending of a three year command and
control systems project for Marconi's sister company Easams.

Marconi Space Systems employee Victor Moore (46) had just finished work on
infra-red satellites at Portsmouth when he was found dead from a drug overdose.
His death is said to have instigated an MI5 investigation, the results of
which will remain secret.

There is also a separate investigation into Marconi based at Portsmouth by the
Ministry of Defence Serious Crime Squad.

Early this year, two lecturers on top secret projects died in separate
'accidents' of carbon monoxide poisoning.  Both had recently returned from
America and had conducted research at the Royal Military College in Shrivenham.

The first, Peter Peapell, a lecturer and underwater acoustics expert, was found
dead under his car and the garage door was closed.  Although an inquest
returned a verdict of accidental death, police are unsure how the accident
happened.....

Despite reports that Peapell had no connections with electronics or computers
he had in fact written a book on basic computers.  He also had a paper
published on underwater acoustic emissions.

The second, Dr. John Brittan, a former computer science officer at the Royal
Military College was also inexplicably found dead in his car this year. He too
was involved in computer simulation.

A few weeks ago, Stuart Goody (23) a post graduate at the Royal Military
College at Shrivenham was killed in Cyprus while on holiday.  He died instantly
when his hired car collided head on with a lorry.  The lorry driver was said to
be unhurt.  At least one senior employee at the college considered that the
death could be significant.

Avtar Singh-Gida, a researcher working on an important Ministry of Defence
underwater project, disappeared just three weeks away from its successful
completion.....

About two weeks ago, Robert Greenhalgh, a contracts manager at ICL's defence
division at Winnersh near Reading, suffered multiple injuries after falling
from a railway bridge on his way to work.....

The firm admitted he had been positively vetted and may have had access to
secret UK and Nato data.....

After every death, police have given unofficial press briefings which provide
journalists with plausible though unconfirmed explanations for the accidents or
apparent suicides.

The major problem for police has been the lack of obvious signs of depression
in any of the cases.....

Several MPs have demanded a government inquiry although there are no signs that
ministers will agree.

The answer to the mystery may never be known, at least in the short term.  As
one policeman said: "We'll probably know all the answers when the papers are
released in 30 years time."
