The RISKS Digest
Volume 6 Issue 88

Thursday, 19th May 1988

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Soviet Space Shuttle software problem
Tim Shimeall via Nancy Leveson
Re: Navigation
Charles Brunow
Re: moral obligations with security exposures
Rob van Hoboken
Voter registration records and risks to democracy
Philip E. Agre
Info on RISKS (comp.risks)

Soviet Space Shuttle software problem

Tim Shimeall <tim%safety.ics.uci.edu@ICS.UCI.EDU>
Wed, 18 May 88 15:47:03 -0700

From the Internet SPACE Digest, Volume 8, #224, dated 5/18

In a discussion of the Soviet Space shuttle, Glenn Chapman of the MIT Lincoln Lab made the following comment:

“Also for what it is worth it appears now that the first Russian shuttle flight will be manned with two cosmonauts Igor Volk (Soyuz T12, July 17, 1984) and Anatoly Levchenko (Soyuz TM-4, Dec. 21, 1987). Pravda actually had a sketch of their shuttle about a week ago. They are still talking about a June flight. It has been known for some time that the cosmonaut corps were pushing for a manned first shuttle mission, and had trained for similar missions. One could speculate that the final factors pushing for this were two things. First it has been confirmed that the failure in the upper stage of Energiya was due to a software error which reversed the direction vectors of the stage during firing, not a failure of the engines or other guidance systems. Secondly the shuttle autolanding system development has been having some trouble. So when your robots fail you substitute humans for tasks humans have shown abilities to do.”

Interesting, No?

Tim

Re: Navigation

Charles Brunow <ames!loci!clb@spam.istc.sri.com>
19 May 88 03:24:41 UTC (Thu)

The recent posting about “Navigation” by Robert Dorsett exposed a related RISK. Since it was a tangential topic to his subject, I'd like to pick it up and describe it in more detail.

My subject is celestial navigation, who knows how to do it, and why should anyone care. It has been an important skill for thousands of years and it is directly responsible for the geo-political map of today's world. It has also proven to be the most useful method on the longest voyage ever made.

The method which I will describe is called “St. Hilaire's” by some, the “Sumner line” or position line by others. A more complete description can be found in the “Bowditch” navigation text, which should be in most libraries. To my knowledge, 1975 was the last year of publication.

The RISK involved with celestial navigation (referred to as “Astral” in the referenced posting) is that it seems to be a lost art. The list of navigational aids described by Mr. Dorsett was indeed impressive but two limitations came to mind as I read it: one, all these methods are reliant on electricity and two, they aren't available for small private aircraft, boats, and ground transport.

Why should anyone be concerned by relying on electricity? Clearly the answer is that it can fail, and if it fails what can you do? Suppose that you are a frequent flyer, you've accumulated enough miles to take your family on a trip to Hawaii, and off you go. Further, suppose that as you cruise over the Pacific, there is a total electrical system failure. Can it happen? You know it can. What could be done? If the crew is totally reliant on the instrumentation, you may go swimming.

More important is the point that the high-tech methods are eclipsing traditional methods to the point that the skill is being lost. I have posed this question to many people: “how do you know where you are and how do you know what time it is?” The response has been consistent: a momentary puzzled look as they search for an answer, and then anger for the foolish feeling they have. When I first asked myself these questions, I resolved to find the answers. What I found was a fascinating history of exploring the seas and the land masses, and a story of truly creative thinking.

The method of celestial navigation is similar to the satellite methods: starting with an approximate observer position based on “dead reckoning”, successive approximations based on observations improve the estimate. More specifically, the DR position (and time) are used to compute the “expected” altitude of a celestial object and this value is compared to the observed altitude. The difference angle is called the intercept and represents the amount of correction to apply. The direction of the correction is along a line between the observer and the object (the azimuth angle), toward it if the observed angle is greater, away if the computed angle is greater. A second observation, at right angles to the first, is required to really fix the location. Note that, in general, both longitude and latitude are affected, and the method finds both. Additional sightings can improve the approximation further, for an ultimate accuracy of a few hundred meters.

The “trick” in celestial navigation is computing the expected position, compensating for the motions of the Earth and other effects. The fact that these methods pre-date computers proves that it can be done. Military teams like the “Green Berets” included a member trained in communications and navigation based on equipment that could be carried on their backs. But computers can also be used to great effect in celestial navigation. The longest voyage ever made, by spacecraft which have gone to the “gas giant” planets of our solar system, was guided by computer based celestial navigation systems. And common desk-top computers can be “taught” everything needed in a matter of seconds, by loading the appropriate software/database from a floppy. For example, a program set that I wrote, the Loci StarDB and Loci 3-Space Calculator, perform a sight reduction from an internal star database. With this tool, a sextant or astrolabe, and a chronometer or WWV receiver, I can find my location on the Earth, for myself.

You may ask, “if my PC can do the navigation, why do I need to understand it?” The reason is that someone must understand it to write the software when new applications arise (exploration of Mars?); there must be people who understand the process to make the required upgrades to the software. And if the equipment should fail, only a thorough understanding will allow the operator to pick up where the hardware left off. This is similar to the car: you can drive a car without knowing how to repair it or how it works, but you run a RISK, so don't forget how to walk.

In addition, the future always holds exploration, at sea or in space. Robot spacecraft will need navigation software, even if manned missions don't. The same skills transfer to other disciplines such as astronomy, satellite defense and graphics. Jobs will be open for “navigators” though the title will be different (mission specialist, staff engineer, supreme commander, etc.).

Charles Brunow, mission specialist, communications/navigation clb@loci.uucp
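The St. Hilaire intercept method described in the post above, as an added worked example. This is not code from the original post and is not the Loci StarDB / 3-Space Calculator software it mentions. It assumes the almanac values (Greenwich hour angle and declination) and a sextant altitude already corrected for index error, dip and refraction are in hand; it solves the lines of position on a flat plane around the DR position, and goes slightly beyond the two-sight case in the text by accepting any number of sights through a least-squares intersection. All positions and body coordinates below are constructed for illustration.

```python
import math
from typing import NamedTuple, Sequence, Tuple


class Sight(NamedTuple):
    """One observation, all values in degrees. Ho is the corrected sextant
    altitude; GHA and Dec are the almanac coordinates of the body at the
    chronometer time of the sight (assumed already looked up)."""
    ho: float
    gha: float
    dec: float


class Reduction(NamedTuple):
    hc: float            # computed ("expected") altitude at the assumed position
    zn: float            # true azimuth of the body, degrees clockwise from north
    intercept_nm: float  # Ho - Hc in nautical miles; positive means "toward"


def expected_altitude_azimuth(lat: float, lon: float,
                              gha: float, dec: float) -> Tuple[float, float]:
    """Altitude Hc and azimuth Zn of a body as seen from (lat, lon).
    Latitude north positive, longitude east positive, degrees throughout."""
    lha = (gha + lon) % 360.0                      # local hour angle
    lat_r, dec_r, lha_r = (math.radians(v) for v in (lat, dec, lha))
    sin_hc = (math.sin(lat_r) * math.sin(dec_r)
              + math.cos(lat_r) * math.cos(dec_r) * math.cos(lha_r))
    sin_hc = max(-1.0, min(1.0, sin_hc))           # guard rounding past +/-1
    hc_r = math.asin(sin_hc)
    denom = math.cos(lat_r) * math.cos(hc_r)
    if abs(denom) < 1e-12:
        raise ValueError("azimuth undefined: body at the zenith or observer at a pole")
    cos_z = (math.sin(dec_r) - math.sin(lat_r) * sin_hc) / denom
    z = math.degrees(math.acos(max(-1.0, min(1.0, cos_z))))
    # Z is measured from north; the body lies east of the meridian when LHA > 180.
    zn = z if lha > 180.0 else (360.0 - z) % 360.0
    return math.degrees(hc_r), zn


def sight_reduction(lat: float, lon: float, sight: Sight) -> Reduction:
    """One sight reduced against an assumed (DR) position. One minute of arc of
    altitude corresponds to one nautical mile along the azimuth."""
    hc, zn = expected_altitude_azimuth(lat, lon, sight.gha, sight.dec)
    return Reduction(hc, zn, (sight.ho - hc) * 60.0)


def fix_from_sights(dr_lat: float, dr_lon: float,
                    sights: Sequence[Sight]) -> Tuple[float, float]:
    """Intersect the lines of position of two or more sights (least squares when
    more than two) on a local east/north plane in nautical miles, then convert
    the offset back to latitude and longitude."""
    if len(sights) < 2:
        raise ValueError("at least two sights are needed for a fix")
    A = B = C = D = E = 0.0
    for s in sights:
        red = sight_reduction(dr_lat, dr_lon, s)
        sz, cz = math.sin(math.radians(red.zn)), math.cos(math.radians(red.zn))
        # Line of position: x*sin(Zn) + y*cos(Zn) = intercept (normal equations)
        A += sz * sz
        B += sz * cz
        C += cz * cz
        D += red.intercept_nm * sz
        E += red.intercept_nm * cz
    det = A * C - B * B
    if abs(det) < 1e-9:
        raise ValueError("lines of position nearly parallel; pick bodies further apart in azimuth")
    x = (D * C - E * B) / det                      # east offset, nm
    y = (A * E - B * D) / det                      # north offset, nm
    lat = dr_lat + y / 60.0
    lon = dr_lon + x / (60.0 * math.cos(math.radians(dr_lat)))
    return lat, lon


def demo() -> Tuple[float, float]:
    """Constructed scenario: the vessel is actually at 37.00N 122.50W but its
    DR says 37.10N 122.70W. Two bodies with made-up almanac coordinates are
    observed; their Ho values are generated from the true position."""
    true_lat, true_lon = 37.0, -122.5
    bodies = [(62.5, 10.0), (162.5, -5.0)]        # (GHA, Dec), constructed
    sights = [Sight(expected_altitude_azimuth(true_lat, true_lon, gha, dec)[0], gha, dec)
              for gha, dec in bodies]
    return fix_from_sights(37.1, -122.7, sights)


if __name__ == "__main__":
    lat, lon = demo()
    print(f"fix: {lat:.4f}N {-lon:.4f}W")
```

The two test bodies are chosen roughly 130 degrees apart in azimuth so the lines of position cross at a good angle; with sights taken near the same bearing `fix_from_sights` refuses to solve rather than returning a wildly uncertain position. Almanac lookup and the sextant corrections are deliberately left outside the block.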


Re: moral obligations with security exposures

Rob van Hoboken <RCOPROB%HDETUD1.BITNET@CUNYVM.CUNY.EDU>
Fri, 13 May 88 14:16:15 MET

I have found many bugs and/or security exposures in MVS and as such have had to think up a reaction to such finds. I have done the following:

  1. create a proof for submission to the manufacturer,
  2. send in a documented error report to the technical rep. and a high ranking management type of the manufacturer.

    When after several weeks nothing has happened:

  3. send the above mentioned trouble report to <trusted> colleagues in other computer centers, and have them submit a similar report to the manufacturer.

I have made a policy of never going <public> with such exposures because of the seriousness of the situation. Consider a computing center being faced with an exposure in one of its key software systems (e.g. their transaction system). What options do they have?

  1. They can not remove the software from their systems, that would lose them millions of dollars PER DAY.
  2. They could try to hack a fix for the exposure. Estimated time of success several weeks of
  3. Monitor abuse of the exposure. Difficult.
  4. Contact the supplier, explain the predicament and suggest you go looking for a replacement of his product. Usually successful, but it takes about half a year for a security fix to arrive.

I think it is immoral towards colleagues in your site and other centers to publicly announce a security leak. Even discussing it with too many syspro types is risky, because one of them may be a blabbermouth and spill the news to an unfriendly hacker or newspaper type. It happens to be our reality that you cannot close down a system on account of a security exposure if that system is earning you money. Fixing it is risky and difficult, so waiting for your friendly supplier is the best you can do.

In this respect IBM has the best policy I know of: each contract contains a clause that a security exposure shall be dealt with within a specific time. I've seen it work and I am impressed. Of course some sites never apply the fix, so not everybody will be covered, but that is their risk. Other suppliers (on the IBM market) do not have a similar policy. I know of several instances where an exposure was not even fixed after three years. In one case I persuaded some of my friends to remove the product from their systems and terminate the contract with the supplier.

I don't want to sound too gloomy, but the morally acceptable method will not always yield results. The (in my view) immoral way <may> yield long term results, but in the period between public exposure and fix your systems are extremely vulnerable to practically every hacker with assembler knowledge. In no way can you guard against that many possible perpetrators.

The only argument I can come up with to defend a security through ignorance policy is the small number of attempts that will be made on your system. It <may> be better to keep relatively inexperienced hackers unaware of exposures when knowledgeable folks can find out. In the worst case it will save you unscheduled IPLs.


Voter registration records and risks to democracy

Philip E. Agre <Agre@AI.AI.MIT.EDU>
Thu, 19 May 88 07:50 EDT

The following paragraph appears in an article by Alfred Stepan of the Americas Watch committee (New York Review, June 2nd 1988, p 35) on his recent visit to Chile to report on human rights and on preparations by opposition political parties and citizens' groups for the plebiscite on military rule that is expected sometime in the next year:

An official in charge of running the elections, Ignacio Garcia, told me and my Americas Watch colleague Stephen Richard that he would release a notarized copy of the registration rolls. [Commander in chief of the Chilean air force] General [Fernando] Matthei went further, saying that not only would the registration rolls be “absolutely” available, but that giving the opposition access to the master computer disk on which all voters' names were entered was “crucial” to a fair plebiscite. I mentioned these statements by government officials in a press conference. The following day, Ricardo Lagos appeared at the elections office with a check and unsuccessfully tried to purchase a copy of the registration rolls. The list has now been made available, and there is a growing demand that the disk be released so that the names on the list can be checked against it. Lagos argues that if the disk is not released, the government will be vulnerable to a charge of voter fraud. However, if the disk is released, he and the citizens' free elections committees believe it could be used to verify the registration process more effectively than was possible either in the Korean presidential election or in the election called by Marcos.

It used to be that you could hope to verify something by checking paper files. File cabinets full of paper are so clumsy and inert that it is hard for a government to both operate from day to day and also falsify its own records in a massive and systematic way. Nowadays, however, one can use software and printers to generate an infinite amount of arbitrarily mendacious paper at minimal expense. Citizens who would deter systematic mendacity now need access to the computer records.

If the opposition has computers and technical expertise of its own, having the registration rolls in machine-readable form might make whatever checking they can do more efficient. But what does “access to the disk” mean? Is Sr. Garcia going to dismount the actual medium and hand it over to the opposition? Is he going to spin them a tape copy? Is he going to let opposition programmers sit at the console of the election commission computer and rummage around? Is he going to run a network cable across Santiago to the opposition headquarters? In any case, without effectively complete and continual monitoring of the computer's software and operations, how can the opposition know that it's getting the actual registration rolls and not simply the bogus sources that were used to print the paper listing they've already got?

The idea of the Chilean government owning computers at all is pretty repulsive. The same article also reports on the government's new, more sophisticated methods for inhibiting dissent. Fewer people disappear these days. Instead, people who engage in disapproved political activity receive a graded series of threats whose administration must require a formidable database facility. A typical series might run as follows (p 32):

For example, before a kidnapping 1) you receive a phone call at work noting with displeasure your involvement in a certain activity; 2) an unsigned letter at your home follows, using all three of your legal names [a footnote here explains that most Chileans never use their full names except on official documents; the letter thus suggests that its authors have access to official records]; 3) you get a short menacing phone call at home conveying information about your children; 4) in what appears to be an accident you are knocked to the ground on a crowded sidewalk; 5) a decapitated animal is placed on your doorstep [the juxtaposition of technology and primitive barbarity is weirdly unnerving here]; 6) another phone call — if you have moved it is noted that this move has been observed; 7) you hear a shot in the air near your home; 8) you hear an explosion or more often you find an explosive nearby that has not gone off; 9) people enter your house and tell your husband or wife that the activity you are engaged in is dangerous to them and to you and that they should convince you to stop; 10) you are kidnapped, interrogated, and released in a day; 11) you receive a death threat.

This pattern has become sufficiently institutionalized that a vocabulary has arisen around it. Having reached your “tenth gradation” of threat is considered very bad news: disappearances have certainly not stopped.
