The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 16

Wednesday 6 July 1988

Contents

o Air France Airbus A320 Crash Story In Aviation Week
Karl Lehenbauer
o Common failure path in A320
Lee Naish
o Reply to Hugh Miller about Iran Flight 655
Michael Mauldin
o The Iranian airliner tragedy
Bob Estell
o Aegis and the Iran Airbus
PGN
o The "F-14" attacking the Vincennes... But the F-14 is for air defense
Jonathan Crone
o It's easy to make decisions if you don't have the facts
Martin Minow
o Re: A300 using F14 transponder
Bruce O'Neel
o Iran Flight 655 and the Vincennes
James P. Anderson
o Lockpicking
Randy D. Miller
o Re: The Eyes Have It
Tracey Baker
o RISK of PIN's - PNB calling card
Scott Peterson
o Info on RISKS (comp.risks)

Air France Airbus A320 Crash Story In Aviation Week

Karl Lehenbauer <sugar!karl@uunet.UU.NET>
6 Jul 88 01:19:18 GMT
(quoted without permission from the July 4, 1988 issue of Aviation Week)

"The investigation into the June 26 crash of an Air France Airbus Industrie
A320 is focusing on the pilots' judgment in performing a slow-speed air show
flyby with a fully loaded transport that they allowed to descend well below
their filed minimum altitude."

[background information on the crash deleted for brevity]

"Video images of the accident showed that the A320 was stabilized in a nose-
high attitude throughout the flyby, and that the mid/aft section of the
aircraft struck the outermost row of trees at the perimeter of the airport.
The aircraft then settled into the wooded area and burned.

The pilots said they thought the aircraft was at an altitude of 100 ft. based
on the flight instruments, and stated that the A320's two CFM International
CFM56 turbofan engines did not respond correctly when they moved the throttles
forward for full power."

[The article goes on to quote the French Transport Minister Louis Mermaz
and later the Director of the Direction Generale de l'Aviation Civile (DGAC)
as saying that the aircraft's 30-ft. flyby altitude and its reduced airspeed
"were confirmed by both the cockpit voice recorder and the cockpit data
recorder."]

"'When the pilot advanced the throttles, the thrust increase was normal,
but it [the power increase] apparently was made too late,' Tenenbaum said.
'This is important because the pilot reported after the accident that the
engines did not respond.  ... According to the data, the thrust increase
to the full available power should have occurred within 8 sec., and we
saw it in approximately 5 sec.,' he said."

[The article then describes the renewal of a long debate in France over
the minimum crew requirements for the A320.]

"'Based on the cockpit conversations we heard [on the cockpit voice recorder],
the crew was perfectly aware of what was going on,' Tenenbaum said.  'They
were perfectly lucid, they knew what altitude they were at because there
were [computer-generated] voice callouts from the radar altimeter during
the low pass, including an audible callout of 30 ft.'"

[The article proceeds to describe the orientation of the aircraft during
its low pass and as it struck the trees (nose-high level flight), the 
history of Air France's operations of the aircraft, that Air France has 
decided to suspend all further demonstration flights and that British
Airways and Air France substituted other aircraft for their scheduled
A320 flights for two days after the accident.]

"Officials at British Airways said the airline had experienced no significant
mechanical or electronic problems with the aircraft since they entered
service earlier this year.

Several European test and company pilots questioned the crew's reasoning
in attempting to perform an air show-type low, slow flyby without apparent
advanced training and with a passenger payload."


Common failure path in A320

Lee Naish <munnari!mulga.oz.au!lee@uunet.UU.NET>
Wed, 6 Jul 88 19:00:14 EST
Though the A320 Airbus has redundant computer systems, they all use the
same air conditioning system.  Does anyone know what the expected
failure rate of that system is, or how critical a failure would be?

    Lee Naish


Reply to Hugh Miller about Iran Flight 655

<Michael.Mauldin@NL.CS.CMU.EDU>
Tue, 5 Jul 1988 22:38-EDT
I can't match Mr Miller's polemic, but I can point out that he got just
about every fact wrong about flight 655.  All of the information below
is from the Pittsburgh Post Gazette, Monday July 4.  Their text comes
from an article by Stephen Engelberg of the New York Times News Service.

>           So from now on it's hair-trigger 24 hours a day, and since I can't
> be sure my BOZO QZ999 Battlesys can knock down a missile once it's fired
> my only recourse is to knock the launchers down before they fire.  They're
> bigger & slower & better targets anyway.

    Do you have a problem with that?  You criticize "the system" for
    overreliance on technology and then fault the captain for his
    caution?

> Shoot first and ask questions later.

    3 warnings were radioed on civilian distress frequencies
    4 warnings were radioed on military frequencies
    A nearby Italian vessel reported hearing at least 4 of these warnings

    All of the discussion I've heard said that he should have fired
    2 minutes earlier, and would have been justified in doing so,
    given the information available.  Captain Rogers was very
    forgiving to have waited as long as he did.

> The hell if I'm gonna be the next one to lose his Florida retirement condo to
> keep Marconi's rep clean."  I can't find it in my heart to blame the man,
> either.  Who wants to be the fall guy for a gigabuck defense contractor and a
> desperate, freebooting White House in an election year? 

    How about a more likely line of reasoning:

    "Gee whiz, just after we sank two of those gunboats this plane
    takes off from a nearby civilian/military air base and is
    closing directly on my ship.  It has no transponder and won't
    answer my radio challenge.  Maybe I should shoot it down to save
    my ship and the men in my command."

> So along comes a jumbo jet, 25,000 feet, 430 mph

    An A300 is much smaller than a jumbo jet.
    It was flying at 9,000 feet and descending.  It was shot down
      at an altitude of 7,500 according to Iranian press releases.
    It was traveling 450 knots (518 mph) and gaining speed.

> radar cross-section size of a football field.

    The wingspan of an A300 is 147 feet, less than half the size of a
    football field.  That's a little more than twice the 64 foot wingspan
    of an F-14.  In any event the bottom line is that you can't reliably
    identify planes from a head-on cross section.  No one has ever said
    they could.

> Software library in the EW battle computers says it's an F-14, kind that
> dinged the Stark.

    The plane was tentatively identified as an F-14 not from radar
    but from five other facts:

    1. There were reports of 10 F-14's operating out of Bandar Abbas.
    2. The flight took off from Bandar Abbas immediately after the
       Vincennes fired on the three gunboats.
    3. It had no transponder (a requirement for all civil aviation).
    4. It was 4 miles outside of the commercial air corridor and
       14,000 feet lower than a commercial plane should have been.
    5. The plane was broadcasting on a military "mode 2" (I'm not
       sure whether that's a radar or a radio).  These were the
       "electronic indications" the Admiral Crowe spoke of in his
       press conference. (This comes from CNN news Tuesday, July 5).

    Also, Flight 655 took off about an hour after its scheduled
    departure time; the captain had requested information about
    scheduled commercial flights, but this search was not completed
    before the decision to fire was made.  Even if they'd had the
    time, all they would have found was that it was the wrong time
    to be a commercial flight. (Also from CNN News).

   It may well be true that the Iranian pilot thought our technology
was so good that we could identify him properly despite the fact that he
was in the wrong place at the wrong altitude at the wrong time ignoring
(or unable to hear) frequencies he was required to monitor.  To that
extent there may well have been an over-reliance on our technology.


the Iranian airliner tragedy

"FIDLER::ESTELL" <estell%fidler.decnet@nwc.arpa>
6 Jul 88 08:21:00 PDT
The "target is destroyed" note in RISKS 7.15 of 5 Jul 88 was not pleasing to
MY tastes; whether it was in good taste or not is a question that I won't
raise; tastes are far too personal for rational debate.  I know our
moderator personally, and I trust his judgment.

But I also know CAPT Will Chapel Rogers III; we had two years together 
at Baylor a long time ago.  The traits that made Will a friend and
a good student are ones that the Navy seeks in recruits, and develops
in officers; I cannot believe that the goodness has been trained out of him.

I also know a thing or two about Aegis radar systems, F-14's, C3 systems
used in Navy combatants.  I know for instance that the "radar signature" of
a "loaded fighter-bomber" [or other medium aircraft, carrying missiles] can
look as large as a jet liner, for much the same reasons that a sequined
bikini will reflect as much footlight as a white satin gown.  And I learned
Tues 5 Jul p.m. that the Iranian airliner was identifying itself as an F-14.
The Vincennes fired for much the same reasons that the police in many cities
fire at apparently armed assailants almost every day: self defense.  When it
sometimes happens that afterwards the attacker turns out to be relatively
innocent [e.g., kid with a water gun], that's a "tragedy."

One of the RISKS of using computers is that we sit in our cubicles and deal
with machines - that feel no pain, leave no widows nor orphans; we come to
think of human loss as statistics, which we compute so easily.  The loss of
one life is tragic; 290 at a stroke only serves to awaken our dulled senses!

Tragedy is one thing; justification is another.  I happen to believe in self-
defense, an adequate army [and navy], and capital punishment.  But I repeat,
the loss of human life is tragic.  Let's not rush to judgment just because the
statistics get our attention.  Instead, let us resolve [in Lincoln's words]
that these 290 will not have died in vain: Let us rethink both our
[computerized] weapons systems designs, AND their use.

Bob
p.s. The opinions herein, as always, are personal; NO conclusions
  can be drawn about my employer's concurrence or lack thereof.


It's easy to make decisions if you don't have the facts

Martin Minow THUNDR::MINOW ML3-5/U26 223-9922 <minow%thundr.DEC@decwrl.dec.com>
6 Jul 88 13:34
Idle speculation:  sometimes it's more interesting to listen to what wasn't
said.  In the recent attack on the Iranian airliner, why do I get the feeling
that nobody on the Vincennes was monitoring tower-plane radio communications.
(And the vague suspicion that there wasn't anyone on the ship fluent in Farsi.)

Martin Minow  


Re: A300 using F14 transponder

Bruce O'Neel <XRBEO%VPFVM.BITNET@CUNYVM.CUNY.EDU>
Wed, 06 Jul 88 08:09:10 EDT
                              [Referring to the Mode 2 / Mode 3 
                              confusion, and belief in the transponder:]
Seems it might be a good idea in a war to equip all the fighters with
transponders saying that they are say 767s?


Aegis and the Iran Airbus

Peter G. Neumann <Neumann@KL.SRI.COM>
Wed, 6 Jul 88 10:40:16 PDT
An article in this morning's San Francisco Chronicle (p. A-12) is titled

   "Electronic Errors 
    -----------------
    Star Wars Planners' Lesson in the Gulf", by David Perlman

[...] The cruiser's Aegis system linking its radar with a battery of advanced
computers and missile launchers, had been hailed as "Star Wars at Sea" by the
Navy.  But David L. Parnas [...] held a different view.  "It is obvious," he
said in an interview, "that if you can't discriminate at close range between
an Airbus and an F-14 fighter, it would surely be even more difficult if not
impossible to discriminate between a Soviet warhead and a decoy balloon flying
on the same ballistic trajectory in outer space." ... "The Aegis system was
always presented to me in briefings as a defensive system only against
high-speed, low-flying missiles," Parnas said.  "But, while I have no reason
to believe that it was the Aegis computer system that failed on Sunday, the
fact is that discriminating targets is vital for any defense."


The "F-14" attacking the Vincennes... But the F-14 is for air defense

Jonathan Crone <CRONEJP%UREGINA1.BITNET@CORNELLC.CCS.CORNELL.EDU>
Wed, 06 Jul 88 10:30:47 CST
I basically have a comment to make about the supposed response about
the Vincennes defending itself against an attack from an inbound F-14.

Were the F-14's that were sold to Iran during the 1970's stock F-14's,
or were they supplied with upgraded avionics and attack systems?

The reason I'm questioning this, is because Grumman designed the F-14 to
support the Navy's requirement for a powerful Air Defense Fighter.

This explains the F-14's exceptional ""capabilities"" in this area...  (such
as the supposed ability to maintain lock on 24 inbound targets and to attack 6
of those targets using a mix of Phoenix Sparrow/AMRAAM, and Sidewinder
missiles.)

However, and I recall this from reading material published during the late
seventies when Canada was looking to purchase a new all purpose fighter for
the Canadian Airforce, the F-14 has very limited Air to Ground capabilities...
its radar and attack systems aren't really designed to do it. (That's why
Canada purchased F-18s instead, because it had multipurpose radars to deal
with both modes of combat.)  (The Canadian Air Force required a single type of
aircraft that would be capable of dealing both with the close ground support
environment of NATO commitments, as well as the long ranging Air Defence
requirements over North America)

Presumably the crew of the Vincennes would know about this wouldn't they???
(from news reports, Iran, is still using F-14's as Air to Air units, and
not as ground attack birds.)

If I were the Commander of the Vincennes, I would be worried if the Aegis was
saying that the inbound aircraft was a Mirage or a Super Etendard (a Mirage is
the aircraft that launched the two Exocet missiles that holed the Stark).

So perhaps the big question is, why are they saying that they
were worried about the possibility of an attack from an F-14?

Jonathan P. Crone


Iran Flight 655 and the Vincennes

<JPAnderson@DOCKMASTER.ARPA>
Tue, 5 Jul 88 23:03 EDT
The Captain of the Vincennes did the correct thing. If he can be faulted for
anything, it is that he waited so long before acting.  All the breast-beating
in the world and appeals to castigate the military notwithstanding, the correct
action was taken.  If a human failure took place, it was in the Iranian
decision to fly a commercial aircraft over an area where a fire-fight was in
progress, and in not responding to the reported 7 (repeat seven) attempts to
raise the aircraft and have it identify itself.  The loss of life was indeed
tragic. The attempt to picture the U.S.  Navy or U.S. policy as irresponsible
is even more tragic.

Mr. Miller seems genuinely confused over what is 'national interest'.  I would
submit 'national interest' is Canada selling its wheat to anyone it chooses
regardless of what other nations, ostensible allies and maybe even friends,
think. It is also an assertion that a tin-horn dictator, operating under the
guise of religious leader cannot prevent free ship movement in the Gulf area.
It is possibly also a belief that the rest of the world, maybe even Canada
might suffer if oil does not move freely from the Middle East. [I guess the
view of 'national interest' is crystal clear from the lofty towers of academe.]

Let's get the forum back to technical risks and off of the political beat.  Jim


Lockpicking

Randy D. Miller <sun!sunburn!gtx!randy@ucbvax.Berkeley.EDU>
Tue, 5 Jul 88 09:44:06 MST
     I never imagined that picking locks could be so easy.  A couple months
ago, I went to the Phoenix Public Library (!) and checked out a few books on
locksmithing.  Surprise!  The books all had chapters on how to pick locks for
fun and profit.  One book explained how to make homemade lockpicks by
grinding down hacksaw blades.  Using $0.99 hacksaw blades and a Dremel Tool
grinder, I made an assortment of lockpicks.  K-Mart supplied me with an
assortment of locks to practice on and disassemble.

     After a few days of practice, I found that I could pick open any disk
tumbler lock that I could find - these are the cheap locks found on desk
drawers, cabinet locks, window locks, and a few cheap padlocks and old door
locks.  Most disk tumbler locks take me less than 10 seconds to get open.
I've also picked open every pin tumbler lock that I've tried, but they're
harder; most of them take about two minutes to get open.  These are the locks
found on most doorlocks.  The most difficult lock I've tried is the expensive
Master brand pin-tumbler padlock, which required about twenty minutes of
delicate work to pick open.  (I disassembled it to see why it was so hard.
Master uses smaller pins than usual, made to very tight tolerances, without
the bevelled ends found on most pins.)  There are such things as pick
resistant locks, but they are pretty rare.  It seems that 99 per cent of the
locks in my life are pickable disk tumbler or pin tumbler locks.  (I haven't
yet begun practicing on automobile locks;  from the diagrams in the books,
they seem to have extra features that may make them harder to pick.)

     I called some city and state offices, and one local locksmith, to see
if there are any laws regulating the possession and use of lockpicks in
Arizona.  No one I talked to seemed to know anything about any regulations!

     If it's so easy to pick open locks, why do burglars resort to harder and
messier ways of entering buildings, desks, cabinets, etc.?  Are most burglars
incapable of learning such a skill, or does it just not occur to them?
Should I spend a fortune replacing the locks on my house, or are the risks
low that a burglar will pick the locks?

Randy D. Miller             (602) 870-1696
GTX Corp., 8836 N. 23rd Ave., Phoenix, AZ 85021
{cbosgd,decvax,hplabs,amdahl,nsc}!sun!sunburn!gtx!randy

     [One of the imperative themes in the RISKS Forum is that protection
     measures are inherently compromisable.  The myth of technology as a
     panacea continues to haunt us.  Most car-door locks are TRIVIAL to 
     break.  Skeleton keys for house locks are simple to fabricate.  Cyclic
     redundancy checks and crypto seals are simple to break if the underlying
     system is not adequately secure.  Thus using a complicated mechanism
     on top of a flawed mechanism invites compromise.  The more sophisticated
     the lock mechanism, the more challenges for the sophisticated attacker.
     But the belief in technology as a magic wand is perhaps the most
     dangerous of all -- whether it is locks or automated defense systems. PGN]


Re: The Eyes Have It (RISKS DIGEST 7.14)

<tab@mhuxu.att.com>
Tue, 5 Jul 88 17:32 EDT
  I had to laugh at "The Eyes Have It".  The last five digits of my NJ
driver's license number are 61664.  This is supposed to represent my
date of birth and eye color.  I was born on 11-22-66, and the last time
I checked my calendar, we didn't even have 61 months!

  This made me think about PGN's comment about three extra "eye color"
values not being enough to prevent data collisions.  Since it is
obviously possible to have the first "DOB" digit not match the actual
DOB, why not use 2-9 in that field?  That, combined with the extra eye
color values, would leave room for almost eight times as many "identical"
people ("almost" because Jan-Nov and Feb-Dec birth dates would have to
share the extra numbers).  They could still retain the DOB information
if 2-5 in the first digit = 0 and 6-9 = 1.

  It also makes me wonder about the NJ DMV.  I know they've had many
problems with their computer system (and their offices, and their
personnel, and ... :-), but this is ridiculous - not only do the two DOB
fields not match (they did get it right in the DOB space on the license),
but one of them isn't even a valid date!

(If the NJ DMV already uses different DOB #'s for data collisions, I apologize
 for this entire article.  I've *never* heard of anyone else with something
 other than the DOB in those 4 digits.  In fact, everything I have heard
 makes my number look like a unique case.  If there were a reliable way to
 get information from the DMV I'd ask them, but they can't even tell me
 what forms I need to register my car, so I'm afraid there's not much hope
 of getting a correct answer to a question like this.)

Tracey Baker  {att, rutgers!moss}!mhuxu!tab or tab@mhuxu.att.com  (201)582-5357
Rm. 2F-211,  AT&T Bell Laboratories, 600 Mountain Ave., Murray Hill NJ 07974


RISK of PIN's - PNB calling card

<littlei!foobar!sdp!sdp@uunet.UU.NET>
Tue Jul 5 20:46:53 1988
After noting charges on my last phone bill for calls made from places I've
never been, I called Pacific Northwest Bell (PNB) and changed the PIN on my
calling card.  (I decided to pay the $3 in long distance charges since I had
given my PIN to an old girlfriend about a year ago.)

I was mildly surprised to find that the procedure for changing my PIN was to
tell the PNB representative on the phone what I wanted my new PIN to be.  I
already (have to) trust the phone company, so this risk was acceptable to
me.

I was REALLY surprised by what I found out when I received a new calling
card in the mail today.  (Probably sent automatically because I changed my
PIN.) Here are some of the "features" of my new calling card as explained in
the letter sent along with it:


                  "Exclusive extra security

     When you look at your Card, you'll notice that your four-digit security
     number is not shown.  That means _extra security for you_, because only
     you know the Security Code.


                  Maximum convenience

     Turn your card over.  The magnetic stripe on the back lets you use many
     of the new Card Reader phones.  _You don't need to enter your card
     number or your security code_.  Just slide your Card through the
     special slot and dial!  ...  "


Identifying the problem with this is left as an exercise for the reader.

I think I'll just hit my card with a bulk tape eraser, and forget about
using card reader phones until PNB straightens this out.


Scott Peterson, OMSO Software Engineering, Intel,  Hillsboro OR
sdp@sdp.hf.intel.com     uunet!littlei!foobar!sdp!sdp
