Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 7: Issue 11
Wednesday 29 June 1988
Contents
Risks of answering machines- Dave Horsfall
Airline reservation crash- Dave Horsfall
Updates on Airbus crash- Duncan Baillie
Klaus Brunnstein
Laura Halliday
root typos- Joe Eykholt
"large-scale" disasters (Hinsdale, Ill.)- Tom Perrine
Info on RISKS (comp.risks)
Risks of answering machines
Dave Horsfall <munnari!stcns3.stc.oz.au!dave@uunet.UU.NET>
Sat, 25 Jun 88 16:19:31 est
From the Sydney Morning Herald, 13 June 1988:

``Careless talk: it's a message machine

Alan wasn't at home when his girlfriend Donna called him yesterday morning. Nor could he take his father's call. Or a call from his other girlfriend, Jenny.

I know this because Alan owns an answering machine just like mine. It is so similar, in fact, that my remote control unit _lets_me_listen_to_his_messages_ [emphasis mine!].

The machine in question is a Tandy, but the 'Herald' has discovered that anyone can listen to messages left on most of the many thousands of answering machines already in people's homes. This is because most remote-control answering machines have primitive codes, and many have none at all.

[ ... 14,000 like this sold in a three-week sale ... ]
[ ... how the remote tone coders work - just one of four tones ... ]
[ ... Tandy had sold "tens and tens of thousands" of this model - the TAD-212 - and similar machines in 2 years ... ]

Dick Smith Stores [a consumer electronics chain] also sell answering machines which are activated by voice pattern. [The product manager] said the group had sold more than 20,000 such machines. By talking for a set period of time, keeping quiet for a set period of time, and then talking again, the machines can be activated. He said every machine responded to the same voice code.

"You would not recommend that anybody leave vital information on an answering machine," he said.

Ms. Phillipa Smith of the Consumers' Association said the privacy and security problems associated with these machines were "quite obvious". "I think most consumers would assume there was a built-in personal-identification system," she said. "This really is an area where technology has outstripped the law."''

Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz
Airline reservation crash (A new definition of "virus" ?)
Dave Horsfall <munnari!stcns3.stc.oz.au!dave@uunet.UU.NET>
Sat, 25 Jun 88 14:33:39 est
The following appeared in "Computing Australia" (affectionately known as "Confusing Australia"), 20 June 1988, and appears to define a new form of virus:

``Virus shoots down flight reservations

Hundreds of travel agents in two states went offline after a virus caused a system crash. Staff of Travel Industry Automated Systems (TIAS) last week told of their "organised panic" as the virus spread through the Multi Access Airline Reservation System (MAARS), which covers agents in New South Wales and Queensland.

TIAS technical manager Michel Radecki said the virus appeared in the form of corrupted statistical data on June 9, soon after software changes. Software supplier Memorex Telex said an onsite power interruption on the night of June 8 was believed to have caused the problem. The company's manager of airline applications and support, Alan Sitters, said data was not disk-converted [?] during the interruption, resulting in incomplete information entry into the network. He said the cause was external and the MAARS software was not at fault.

Radecki said about 450 users were offline for several hours over two days as Memorex Telex trouble-shooters joined in-house staff to fix the problem. TIAS had staff shut the 275-user queuing system to pinpoint the fault, but the virus quickly spread to the reservation system and information database, he said. [...]

He said the software changes had been made about one week before the crash to test the integration of American Airlines [!] into the system. The TIAS network already had access to 35 airlines' reservation systems.''

So, a power failure causes corruption of input data, and with no apparent sanity-checking, goes on to corrupt other data. Is this a virus? If it looks like a crow, and sounds like a crow...

-- Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz
dave%stcns3.stc.OZ.AU@uunet.UU.NET, ...munnari!stcns3.stc.OZ.AU!dave
Update on Airbus crash
Duncan Baillie <dmb%lfcs.edinburgh.ac.uk@NSS.Cs.Ucl.AC.UK>
29 Jun 1988 0950-WET (Wednesday)
The Airbus story seems to have been dropped from today's news, probably being overshadowed by the Paris train crash (which killed 57). There were some more details yesterday, but I don't have them to hand.

It seems, however, that the blame for the crash is being placed squarely on pilot error. Apparently the pilot had TURNED OFF the computer for the demonstration flight and was flying the aircraft at 30 feet, 70 feet below the minimum safety level. The pilot has said that he requested more power from the engines but it arrived too late (from film of the accident you can hear the power coming on just when the plane clipped the top of the trees). I believe that manslaughter proceedings may be brought against the pilot.

British Airways have stated that they are satisfied the cause of the crash was not any design fault in the aircraft and have resumed service with their own A-320s.

It is amazing that more lives were not lost in the crash, as there was a large explosion a few seconds after the plane came down. The only recognizable features in the burnt-out wreckage are the tailfin and part of the left wing. The plane's automatic escape chutes, which opened as soon as the plane crashed, seem to have been the reason that so many people were able to leave the plane so quickly. Many people clearly have this safety feature to thank for their lives.

In accidents such as this there are usually some other contributory factors, but for the moment pilot (and co-pilot) error is the main source of blame.

The risks: perhaps the major risk was the lack of faith the pilot had in the computer (French pilots have been voicing concerns for some time about the aircraft's safety), so the major question is why was the computer turned off?
Re: Airbus A 320 crash - risk of `Fly by Wire'?
Klaus Brunnstein <brunnstein%rz.informatik.uni-hamburg.dbp.de@RELAY.CS.NET>
West German news media began to report on possible risks of the fly-by-wire technology of the Airbus A-320 only after a spokesman of Cockpit, an international pilots' association, said that his organisation had severe doubts about the `official' version (as published by the responsible French minister a few hours after the accident) that the pilot made severe mistakes. In the meantime, public authorities in France, the UK and Germany, as well as Airbus Industries (through the chairman of the board, MP Strauss from Bavaria), interpret video films showing the `demonstration flight', including the final phase, with the following arguments:

1. `Demonstration flights' aimed at demonstrating the aerodynamic limits (e.g. low height, low velocity) are only allowed without passengers, with a small amount of kerosene and only with specially educated test pilots; since Mulhouse airport is only a very small airport, a demonstration flight would never have been allowed by the French authorities; the two French pilots, though Air France's most experienced Airbus pilots, were not properly educated.

2. The pilots (against the rules) switched to `manual control'; as can be seen in the videos, the plane was as low as 30 feet at a velocity of only 140 knots; the trees shortly after the end of the runway were about 40 feet tall, but the pilots could not see the tree-tops because of the elevation of the plane's nose in the simulated landing procedure.

3. While the pilots say that the engines did not follow their `speed-up' signal, the officials say that this signal was given too late; assuming that the simulated approach was done under `running idle' conditions, the engines need 8-10 seconds to accelerate to maximum RPM; from the moment when the engines really began to accelerate until the moment when the plane reached the tops of the first trees, only 5-6 seconds had passed.

Despite the official version (which allowed the French, UK and German Airbus A-320 planes to be in the air again after 1 day of flight prohibition), several questions are unanswered:

a. Did the pilots fly under `manual control' (as the officials argue, while some experts said that such a mode does not exist for simulated landing)?

b. If under manual control, did the pilots fly (contrary to experienced behaviour) with the engines running idle (then needing 8-10 seconds to accelerate the engines), or did they run with `drag gas' (German: Schleppgas), after which the engines need only 2-4 seconds for maximum RPM? In both cases, why did the engines react to the throttle only with a delay? (Cockpit officials say that experienced pilots fly such manoeuvres with drag gas: this reaction time would have allowed the accident to be avoided when all other technical conditions are in good order; they trust their colleagues' statement that the engines did not react instantaneously, and they continue to speak of a technical problem.)

c. Was the demonstration flight authorized? The Airbus was transferred to Air France only 2 days before, and evidently this was its public maiden flight.

The very fast reaction of government and industry is not surprising: Airbus Industries hopes to build and sell more than 500 Airbus A-320 models in the next 10 years. Though the governments of France, the UK and the FRG are responsible for air traffic safety, they have also invested more than 10 billion dollars in the diverse models, and they are interested in minimizing the risks from the price guarantees which they have also taken on for the A-320. It seems rather doubtful whether guaranteed security was the reason that the responsible French minister excluded any technical risk before technical investigations could have given enough evidence.

Though severe problems with computerized equipment in military aircraft have recently drawn public interest to safety in air traffic, the A-320 accident for the first time draws public attention to the risks of overreliance on computers. Officials as well as technicians argue that the technical system is much safer than any other plane before or even today; if there is any risk, then it is `only the risk of the human operators'. If you leave the `holistic approach' aside (according to which the security of a system consisting of humans and machine is not greater than that of the least secure component), there remain also design considerations to be analysed:

If a pilot cannot see, in the typical approach configuration `nose up', the ground several hundred meters in front of his nose, is it responsible to have a `manual landing mode' at all? (In this case, the demonstration of slow, low flight would have been impossible, but there would also have been no victims!)

As pilots' control involves human errors, automatic control also involves human decisions, namely those of designers and programmers; even if they were flight experts, they cannot foresee (not only within today's limitations, but generally) all situations of the `real application situation'. A totally computerized system like the A-320, where no mechanical aid helps to correct electronic shortcomings, is by its very design principles less adaptable to unforeseen real-world events.

Unfortunately, it is not so improbable that several more accidents may falsify the official optimism which describes this plane as `the most secure plane ever built'; but fortunately, public media begin (at least in the FRG) to wake up from such dreams.

Klaus Brunnstein, Univ. Hamburg, FRG
re: Four killed as Airbus crashes [Actually Three?]
<Laura_Halliday@mtsg.ubc.ca>
Mon, 27 Jun 88 09:48:58 PDT
In an interview on the BBC World Service this morning, an aviation expert commented that some pilot errors cannot be easily remedied by computer. In particular, once the landing gear is down, the on-board computers assume that the pilot intends to fly the plane down to ground level, otherwise the A320 could not land until it ran out of fuel. This implies the existence of elaborate lockouts - what if the pilot intends to make a wheels-up landing (for whatever reason)? Laura Halliday laura_halliday@mtsg.ubc.ca
root typos (could happen to anyone)
Joe Eykholt <jre@Sun.COM>
Tue, 28 Jun 88 17:38:51 PDT
How about "rm *>o" instead of "rm *.o"? This can be caused on many
keyboards by holding the shift key down a little bit too long.
Don Sterk at Amdahl pointed this one out to me, after it happened to him once.
The shell creates the file "o", then rm removes it and everything else.
Joe Eykholt
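As an added example (not part of Joe Eykholt's post), the script below reproduces the typo in a throwaway directory so the mechanism can be watched safely. The shell parses "rm *>o" as the command "rm *" with standard output redirected to a file named "o"; in POSIX sh and bash the glob is expanded before the redirection is performed, so "*" matches every file that already exists, "o" is then created (or truncated if it was already there), and rm deletes everything the glob matched. What is left afterwards is a single empty file "o". The file names are constructed for the demonstration, and guarded_rm is a hypothetical wrapper written for this example, not a standard tool.

```shell
#!/bin/sh
# Added example: reproduce "rm *>o" in a scratch directory and show a guard
# against it. File names are constructed; guarded_rm is a hypothetical wrapper.

# Create a scratch directory holding a few source files and object files.
make_scratch() {
    dir=$(mktemp -d) || return 1
    for f in main.c util.c main.o util.o Makefile; do
        : > "$dir/$f"
    done
    printf '%s\n' "$dir"
}

# Number of entries left in a directory (0 for an empty directory).
count_files() {
    (cd "$1" && ls -A | wc -l | tr -d ' ')
}

# The intended command: the glob *.o matches only the two object files.
intended_rm() {
    (cd "$1" && rm -- *.o)
}

# The typo. Word expansion runs first, so "*" yields the five existing files;
# the redirection then creates "o"; rm removes the five files. rm prints
# nothing on success, so "o" stays empty. Only "o" survives.
typo_rm() {
    (cd "$1" && rm *>o)
}

# Guard: refuse to remove more than RM_LIMIT files in one call. A glob that
# unexpectedly expanded to the whole directory trips the limit, while
# "rm *.o" on a handful of object files does not. Hypothetical helper.
guarded_rm() {
    limit=${RM_LIMIT:-3}
    if [ "$#" -gt "$limit" ]; then
        printf 'guarded_rm: refusing to remove %d files (limit %d)\n' \
            "$#" "$limit" >&2
        return 1
    fi
    rm -- "$@"
}

# The same typo through the guard: five arguments exceed the limit, so no
# file is removed. The empty "o" is still created, because the redirection
# is done by the shell before the wrapper ever runs.
guarded_typo_rm() {
    (cd "$1" && guarded_rm *>o)
}

demo() {
    d=$(make_scratch); intended_rm "$d"
    echo "after rm *.o:        $(count_files "$d") files left"; rm -rf "$d"
    d=$(make_scratch); typo_rm "$d"
    echo "after rm *>o:        $(count_files "$d") file left ($(cd "$d" && ls))"; rm -rf "$d"
    d=$(make_scratch); guarded_typo_rm "$d" || true
    echo "after guarded_rm *>o: $(count_files "$d") files left"; rm -rf "$d"
}

demo
```

The guard is deliberately crude: the real lesson is that a glob plus a redirection is interpreted entirely by the shell, so neither rm's own options nor noclobber (which only protects files that already exist) would have helped here; only something that looks at the expanded argument list before the deletion can catch it.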
"large-scale" disasters (Hinsdale, Ill.)
Tom Perrine <hamachi!tots!helix!tep@nosc.mil>
Tue, 28 Jun 88 14:16:18 PDT
A few questions and comments about disaster planning and the recent Illinois Bell central-office (CO) fire in Hinsdale, Ill. This seems to be the first time that such a relatively small fire has destroyed so much communications capability. The Hinsdale CO was apparently carrying most (if not all) of the communications traffic for lots of large, information-intensive businesses.

*** Is this CO typical of others around the country?

Many (or most) of the companies involved had placed the probability of interruption of the carrier's service as fairly low.

*** Is this typical of companies that depend on communications common carriers?

According to interviews in "Network World," many of the network managers of the affected companies were "shocked" at the lack of a fire-control system. This has led to threats of litigation.

*** Any comments?

Even though this was a communications failure, and no customer's equipment was damaged, several companies were forced into their full-scale disaster plans, because they either had not addressed loss of communications separately or these "mini-disaster-plans" were not workable (e.g. the backup phone lines also went through the same CO). This is *much* more expensive than just restoring communications would have been (United Stationers, Inc. spent nearly $600,000 to move to its backup data center).

*** How many companies would be in the same situation if this happened to them?

Has anyone (or any organization) announced plans to try to conduct a large-scale multi-company post-mortem examination of the incident? This would appear to be a golden opportunity to examine a wide range of disaster plans, produced by many different organizations, and determine which features of each plan were most or least useful. This could lead to better overall disaster planning for the industry as a whole.

Tom Perrine hamachi!tots!tep@NOSC.MIL (last resort: Perrine@DOCKMASTER.ARPA)
Logicon (Tactical and Training Systems Division) San Diego CA (619) 455-1330
