The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 10

Monday 27 June 1988

Contents

o Four killed as Airbus crashes
Duncan Baillie
o Laziness as an excuse
Matthew P Wiener
o Privacy vs. Security
Larry Hunter
o Re-using government databases
Amos Shapir
o Root Bloopers
Doug Krause
o Problems with VARs
Hal Norman
o Fail-safe ATMs
Steve Philipson
o Malicious Code Reports
Joseph M. Beckman
o Info on RISKS (comp.risks)

Four killed as Airbus crashes

Duncan Baillie <dmb%lfcs.edinburgh.ac.uk@NSS.Cs.Ucl.AC.UK>
27 Jun 1988 0953-WET (Monday)
This is how the Airbus crash in France was reported on the front page of the
Guardian. Unfortunately it is rather short on facts but no doubt these will
follow. 

From The Guardian, June 27 1988 (copied without permission).
by Paul Webster, Michael Smith, Peter Murtagh.

At least four people were killed and at least 30 more unaccounted for last
night after a European Airbus using a controversial computer controlled flying
system crashed into a forest during a demonstration flight at an airshow in
eastern France.

British Airways and Air France suspended further flights of the plane, the
A-320 which is Europe's most advanced passenger aircraft and is built by a
French, British, West German and Spanish consortium. British Airways has had
two A-320s in service since the spring and orders for a further eight.

The future of the aircraft, in which British Aerospace has a 20 per cent stake
worth 450 million pounds, and builds the wings and tailpiece, will be placed in
doubt after yesterday afternoon's crash, the first disaster to hit the new
generation of European Airbuses.

The plane, carrying 127 guests, airshow joyriders and journalists, was flying
low over the small airport at Habsheim, about 10 kilometres from Mulhouse in
southern Alsace when the pilot let down the undercarriage and made two passes
over the local aeroclub buildings. As he turned the plane the wheels caught the
tops of the pine trees and plunged into the forest.

It burst into flames shortly afterwards but many of those on board appeared to
have escaped. Reports of people trapped inside could not be confirmed but the
French authorities said that about 100 passengers had been injured, two of
them seriously.

A policeman among the first on the scene said "The plane did not go into a
nose-dive. It belly flopped onto the trees." The pilot who had minor head
injuries, told a rescuer: "I tried to accelerate but the plane did not
respond." 

A photographer among the passengers said the aircraft was turning when there
was "a noise as if we were travelling along a bumpy road". He saw the tops of
the trees and the plane caught fire near the cockpit when it came to a
standstill.

He said: "There was no panic and I only saw one woman passenger who seemed
seriously hurt. She was quite badly burned," he added.

The narrow bodied plane, designed for short to medium-range flight, went into
service only last Thursday with Air Inter, the internal French airline, where
pilots have been protesting for more than three years about its safety. In
spite of warnings that the plane's two-man cockpit, without room for a flight
engineer, was potentially dangerous, 21 airlines have ordered 522 of the
planes. 

The crash could not have come at a worse time for the Airbus whose reputation
has been built on an impressive safety record since its first model went into
production 18 years ago.

The A-320 is the first civilian aircraft to use a computer-controlled flying
system known as "fly-by-wire". This replaces the conventional stick and rudder
control with three computers and miles of electronic cables, leaving the pilot
with a "sidestick" like the control arm on a video game.

The pilot uses it to direct the computers but they direct most of the
instruments. However, if the pilot makes an error or unreasonable demands on
the engine, the computer can over-rule his command.

Last night Professor Bev Littlewood, of the software engineering department at
the City of London University, questioned the system's safety.

He said: "We have gone so far along the rocky road of computer control, it is
now hard to ask fundamental questions about critical safety areas."

Last year, the A-320 system was criticised by Mr Brian Perry, head of Avionics
and Electrical Systems for the Civil Aviation Authority. He said: "It's true we
are unable to establish a fully verifiable level that the A-320 software has no
errors. It's not satisfactory but it's a fact of life".

An Airbus spokesman said: "Airbus planes have flown over 5 million hours. In
all cases the aircraft was not to blame". There have been three crashes
involving Airbuses but none had caused casualties, he said.


Laziness as an excuse

Matthew P Wiener <weemba%garnet.Berkeley.EDU@violet.berkeley.edu>
Sat, 25 Jun 88 08:38:59 pdt
This is forwarded from Robert L Park's "What's New" in the physics
group, dated 24 June 88:

3.  RESTRICTIONS ON ACCESS TO UNCLASSIFIED DOE TECHNICAL REPORTS
came to light when the DOE's Office of Science and Technology
Information offered "some limited reports" to university
libraries if they would agree to grant access only to government
agencies and principal investigators on DOE contracts.  Most
libraries refused on principle, but they wanted to know what they
weren't getting.  In response to a Freedom of Information request
from the National Security Archive, however, DOE refused even to
provide a list of titles, claiming the information was stored in
a computer and thus could be retrieved only by writing a new
program!  The Office of Hearings and Appeals last week overruled
DOE, pointing out that agencies would otherwise be allowed to
conceal information simply by putting it in computerized form.

ucbvax!garnet!weemba    Matthew P Wiener/Brahms Gang/Berkeley CA 94720


Privacy vs. Security

Larry Hunter <hunter-larry@YALE.ARPA>
Thu, 23 Jun 88 11:52:00 EDT
I recently applied for a job that would require a security (Q) clearance.
I was handed a form for "pre-employment screening" that any job offer
would be contingent upon.  I was surprised by the invasiveness of the
form I was being asked to sign:

  "I hereby authorize the [employer] and its agents to inspect, copy or 
  photostat any or all documents pertaining to my financial records, my
  education records, my personal references, my employment records, and 
  local law enforcement records as they pertain to me. `Documents' shall    
  be construed in its broadest sense including any original, reproduction,
  or copy of any kind of written, printed, recorded, documentary material 
  (or drafts thereof), or graphic matter regardless of the medium on which
  it is produced, reproduced, or stored, including, but not limited to,
  correspondence, memoranda, inter or intra-office communications, notes,
  diaries, calendars, contract documents, publications, calculations,   
  estimates, vouchers, minutes of meetings, invoices, reports, studies,
  computer tapes, computer cards, photographs, negatives, slides, dictation
  belts, voice tapes, telegrams, notes of telephone conversations, and notes
  of any oral communications."

Note that there is no time limit on this authorization, and that this
is merely pre-employment screening, not yet an application for a clearance.

Have all of you folks with clearances agreed to something similar?  Is
national security incompatible with the personal privacy of those who
are aware of security matters?
                                         Larry Hunter, hunter@yale.edu


Re-using government databases

Amos Shapir <nsc!taux01!taux01.UUCP!amos@Sun.COM>
17 Jun 88 12:13:14 GMT
The Israel Broadcasting Authority is a semi-independent agency, funded in
part by a tax on radio and TV sets (called, for historical reasons, 'TV
license fee'). Anyone owning a TV or renting one should inform the IBA
of this fact, so they know where to send the bill. Naturally, many
people evade the tax by not informing the IBA when they move.

This week, the IBA used a computerized database to send all people older
than 26 and listed as living with their parents, letters informing them
that the law requires that any change of address be reported to the IBA.

The assumption is that most of these people no longer live with their
parents, have their own untaxed TV sets, and that their parents will
forward the message. I don't know what database they have used, since I
also got such a letter, but have not been living with my parents for
years.
                                Amos Shapir

National Semiconductor (Israel), 6 Maskit st. P.O.B. 3007, Herzlia 46104,
Israel Tel. +972 52 522261   amos%taux01@nsc.com


Root Bloopers

Doug Krause <dkrause@orion.cf.uci.edu>
Thu, 23 Jun 88 03:43:09 -0700
Try typing 'kill 1' when you really mean 'kill %1'.

Douglas Krause, University of California, Irvine
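The blooper above comes from two targets that look alike: `1` is a process id (as root, PID 1 is init), while `%1` is a shell job spec that can only name a child of the current shell. The following is an added example, not code from the post or from any shell, showing how a wrapper can tell the two apart and refuse to signal protected PIDs when running as root. The protected-PID set, the `jobs` table standing in for the shell's job list, and the injectable `sender` are all assumptions made for illustration.

```python
"""Guard against 'kill 1' (PID 1 = init) typed when 'kill %1' (job 1) was meant.

Added example; the policy below is an assumption, not any real shell's behaviour.
"""
import os
import re
import signal

# Assumed policy: as root, never signal PID 1 (init), PID 0 (own process group)
# or -1 (every process we can reach) without an explicit override.
PROTECTED_PIDS = {1, 0, -1}

# Shell job specs: %1, %+, %-, %%, %name, %?substring
JOBSPEC_RE = re.compile(r"^%(\d+|[+%-]|\??\S+)$")


def classify_target(arg):
    """Return ('job', spec) for a shell job spec or ('pid', int) for a process id.

    Raises ValueError for anything that is neither.
    """
    arg = arg.strip()
    if arg.startswith("%"):
        if not JOBSPEC_RE.match(arg):
            raise ValueError(f"malformed job spec: {arg!r}")
        return ("job", arg[1:])
    try:
        pid = int(arg, 10)
    except ValueError:
        raise ValueError(f"not a pid or job spec: {arg!r}") from None
    return ("pid", pid)


def vet_target(arg, euid=None, allow_protected=False):
    """Decide whether a kill target is safe to signal.

    Returns (ok, kind, value, reason).  Protected PIDs are refused when running
    as root (euid 0) unless allow_protected is set; a job spec is always
    acceptable because it can only refer to a child of this shell.
    """
    euid = os.geteuid() if euid is None else euid
    kind, value = classify_target(arg)
    if kind == "job":
        return (True, kind, value, "shell job spec")
    if value in PROTECTED_PIDS and euid == 0 and not allow_protected:
        return (False, kind, value, f"refusing to signal protected pid {value} as root")
    if value < -1:
        return (True, kind, value, f"process group {-value}")
    return (True, kind, value, "single process")


def guarded_kill(arg, sig=signal.SIGTERM, jobs=None, euid=None,
                 allow_protected=False, sender=os.kill):
    """Resolve arg (pid or %job) and deliver sig through sender.

    jobs is a dict {job_number: pid} standing in for the shell's job table
    (assumed; a real shell keeps this internally).  sender defaults to os.kill
    and is injectable so the logic can be exercised without signalling anything.
    Returns the pid that was signalled.
    """
    ok, kind, value, reason = vet_target(arg, euid, allow_protected)
    if not ok:
        raise PermissionError(reason)
    if kind == "job":
        try:
            pid = (jobs or {})[int(value)]
        except (KeyError, ValueError):
            raise LookupError(f"no such job: %{value}") from None
    else:
        pid = value
    sender(pid, sig)
    return pid


if __name__ == "__main__":
    # Dry run as root: '1' is refused, '%1' resolves through the job table.
    print(vet_target("1", euid=0))
    print(guarded_kill("%1", jobs={1: 4242}, euid=0,
                       sender=lambda p, s: print(f"would send {s} to {p}")))
```

Note that the guard is deliberately narrow: it does nothing for a mistyped but unprotected PID, which is exactly why the post's advice to double-check before pressing return as root still stands.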


Problems with VARs

Hal Norman <norman@devvax.Jpl.Nasa.Gov>
Fri, 17 Jun 88 9:07:43 PDT
In response to Jerry Harper's troubles with a VAR, I have had (am currently
having) a similar problem.  I bought a XT clone for my home use from a
"reliable" VAR.  It came with a 1 year warranty.  About 4 months after I bought
it, it started making horrible noises.  I opened it up and it was the fan on
the power supply(PS) that was making the noise.  I called my VAR and was told
to return either the whole unit and they would replace the PS or just bring in
the PS and get a new one.  So I removed the PS and took it in for replacement.
The owner was not there at the time and an employee exchanged it for me.  I
made the mistake of not getting a receipt showing the serial numbers of both
power supplies (the bad one and the replacement).  About a week later I got a
call from the owner claiming that I had foisted a bogus PS off on him.  He was
quite irate, claiming he had never ever carried the brand of PS I had returned
and wanted me to pay him $60 for the replacement.  I copied my original receipt
(with the PS serial number) and sent him a copy, but he claims it doesn't match
the one I returned and still demands $60.  Meanwhile, the replacement PS
developed the same fan problem as the original and had to be replaced.  I took
it in and he replaced it, but is still irate and wants $60.  I told him to send
me a bill, and that as soon as I got the bill I would file in small claims court
and we could let the Judge sort it all out and decide how much if any I owed
him.  I have not yet gotten the bill.  The point is, when you buy something as
complex as a computer, make sure you get a receipt signed by the VAR specifying
ALL the serial numbers of ALL the components and verify that the list is
correct.  Then, if you should have to take it back for warranty repair, make
sure you get a receipt for any swapouts indicating BOTH the serial number of
the new unit AND the serial number of the bad unit.

Hal Norman -
Disclaimer: These are my personal opinions and are NOT to be
construed as those of my employer.  


Fail-safe ATMs (RISKS-7.9)

Steve Philipson <steve@aurora.arc.nasa.gov>
Wed, 22 Jun 88 15:46:31 PDT
  In RISKS 7.9 dcatla!mclek@gatech.edu (Larry E. Kollar) writes:

> The ATMs around Atlanta always give you a receipt, whether or not ...

   In California, Security Pacific's ATMs (part of the STAR System) issue
a message that the machine is out of receipts, and ask if you want to
proceed.  You can still make transactions, but as we have seen, there 
is a higher degree of risk.  Many ATM transactions don't generate a 
receipt.  Account balances, for example, are displayed only on the 
electronic display and no receipt is given.  

   There is no way that receipts can cover all contingencies.  A machine
that will not operate if it is out of receipts reduces the magnitude of
the problem, but what happens when the receipt producing mechanism fails,
either by the print mechanism, feed mechanism, or receipt quantity
sensor failing?  A good design should try to minimize abnormal transaction
termination, but it must also have provisions for unanticipated failure
modes to be handled gracefully -- soft failures instead of hard failures.
Audit trails sometimes get screwed up, too.

   It seems that in order for all parties to get maximal protection from
errors, there should be multiple independent levels of redundancy and 
record keeping.  Independent video tapes of the customer AND display
screens would provide a mechanism for resolving discrepancies, but I know
of no systems that use this technique.  Many ATMs look like they have 
cameras to monitor customer (ab)use, but often it's just a dummy camera 
to discourage vandalism.

   Even telephone systems to report problems won't catch everything.
Failed transactions may not make it clear that a problem needing 
correction occurred, so there would be reason to report it.

   We're a long way from making automated systems foolproof.  Thus we
must monitor such systems and not let the service providers call all
the shots.
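The post's design points, writing an independent record before the customer-facing step and treating receipt failure as a soft failure rather than an abort, can be sketched in code. The following is an added example and not anything from the post or from any real ATM: the in-memory hash-chained journal, the fault-injecting printer and the field names are all constructed assumptions.

```python
"""ATM withdrawal with an independent, hash-chained journal and a soft receipt failure.

Added example illustrating the post's argument; the journal layout, the
fault-injecting printer and all field names are assumptions.
"""
import hashlib
import json
import time


class ReceiptPrinter:
    """Stand-in printer.  fail_after models a jam or out-of-paper condition
    that the paper sensor did not catch (constructed fault, not real hardware)."""

    def __init__(self, fail_after=None):
        self.printed = []
        self.fail_after = fail_after

    def print_receipt(self, text):
        if self.fail_after is not None and len(self.printed) >= self.fail_after:
            raise IOError("print head jammed")
        self.printed.append(text)


class AuditJournal:
    """Append-only, hash-chained journal kept independently of the receipt.
    Each entry commits to the previous digest, so a dropped, reordered or
    altered record is detectable during reconciliation."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = dict(fields, seq=len(self.entries), prev=prev)
        digest = self._digest(body)
        self.entries.append(dict(body, digest=digest))
        return digest

    def verify(self):
        """Recompute the chain; return the index of the first bad entry, or -1."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if body.get("prev") != prev or body.get("seq") != i:
                return i
            if self._digest(body) != e["digest"]:
                return i
            prev = e["digest"]
        return -1


def withdraw(journal, printer, account, amount, balance, now=None):
    """Run one withdrawal.  The journal entry is written *before* cash is
    released (write-ahead), and the receipt is best-effort: its failure is
    recorded in the journal and reported to the customer, but it neither
    aborts nor reverses the transaction.
    Returns (new_balance, status) with status in {'ok', 'ok-no-receipt', 'declined'}."""
    ts = time.time() if now is None else now
    if amount <= 0 or amount > balance:
        journal.append(ts=ts, acct=account, op="withdraw", amount=amount, result="declined")
        return balance, "declined"
    new_balance = balance - amount
    # 1. Commit the outcome to the independent record first.
    ref = journal.append(ts=ts, acct=account, op="withdraw", amount=amount,
                         result="dispensed", balance=new_balance)
    # 2. Release cash (simulated: nothing to do here).
    # 3. Receipt is non-critical: soft-fail, but leave a trace of the failure.
    try:
        printer.print_receipt(f"{account} -{amount} bal {new_balance} ref {ref[:12]}")
    except IOError as exc:
        journal.append(ts=ts, acct=account, op="receipt", result="failed",
                       error=str(exc), ref=ref)
        return new_balance, "ok-no-receipt"
    return new_balance, "ok"


if __name__ == "__main__":
    journal, printer = AuditJournal(), ReceiptPrinter(fail_after=1)
    print(withdraw(journal, printer, "A1", 40, 100, now=1.0))   # receipt printed
    print(withdraw(journal, printer, "A1", 20, 60, now=2.0))    # printer jams
    print("chain intact at index", journal.verify())
```

The point of the chained digest is reconciliation: the bank and the customer each hold a record (journal and receipt) that references the same `ref`, and a journal whose `verify()` returns anything but -1 tells the investigator exactly where the record stopped being trustworthy.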


Malicious Code Reports

"Joseph M. Beckman" <Beckman@DOCKMASTER.ARPA>
Thu, 23 Jun 88 15:40 EDT
As a member of the National Computer Security Center, I am asking for
direct contributions of reports on malicious software.  Please report
computer viruses, trojan horses, or other forms of offensive software.
I and the Center will use this information to track attacks, gain an
understanding of system vulnerabilities, and develop defenses.  Please
send your reports to:

SOFTWARE @ DOCKMASTER.ARPA.

Joseph

P.S. If the information is proprietary or not-to-be-shared, please indicate on
the report. The NCSC shares some information with NBS.  I will try to release
summaries or abstracts to RISKS (of the non proprietary/secret variety);
although it may formally come through NBS.
