The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 20

Monday 11 July 1988

Contents

o "Computers may be at root of jet downing" (PGN)
o Iran Airbus tragedy (Chris Moss)
o Shooting down Flight 655 (Herb Lin)
o Ignoring the wolf (Andy Freeman)
o Air France Airbus crash (Henry Spencer)
o Re: Physical hazards - poorly designed switches (John Robert LoVerso)
o PIN on PNB calling card (Mark Mandel)
o Lockpicking (Henry Spencer, Robert Mathiesen, Doug Faunt, Chaz Heritage)
o Info on RISKS (comp.risks)

"Computers may be at root of jet downing"

Peter G. Neumann <NEUMANN@csl.sri.com>
Mon 11 Jul 88 10:34:52-PDT
From the Washington Post, on the front page of the San Jose Mercury News,
11 July 1988:

WASHINGTON -- Computer-generated mistakes aboard the USS Vincennes may lie at
the root of the downing of Iran Air Flight 655 last week, according to
senior military officials being briefed on the disaster.
  If this is the case, it raises the possibility that the 290 Iranian
passengers and crew may have been the first known victims of "artificial
intelligence," the technique of letting machines go beyond monitoring to
actually making deductions and recommendations to humans.
  The cruiser's high-tech radar system, receivers and computers -- known as
the Aegis battle management system -- not only can tell the skipper what is
out there in the sky or water beyond his eyesight but also can deduce for him
whether the unseen object is friend or foe and say so in words displayed on a
console.
  This time, said the military officials, the computers' programming could
not deal with the ambiguities of the airliner flight and made the wrong
deduction, reached the wrong conclusion and recommended the wrong solution to
the skipper of the Vincennes, Capt. Will Rogers III.
  The officials said Rogers believed the machines -- which wrongly identified
the approaching plane as hostile -- and fired two missiles at the passenger
plane, knocking it out of the sky over the Strait of Hormuz.  [...]

System `flawed' in tests

  On the question of the Vincennes' performance, Rep. Denny Smith, R-Ore.,
a longtime critic of the Aegis program, said Sunday on the ABC News program
"This Week With David Brinkley" that the type of phased-array radar system
carried on the Vincennes has proved "flawed almost every time" in a recent
series of Navy tests. [...]
  Military officers with combat experience stopped short of criticizing
Rogers for firing but said a skipper who relied more on human intelligence
than artificial intelligence might have doubted that the approaching plane
was an Iranian F-14 intent on attacking his ship for these reasons:
  / The approaching plane had not focused either its search or fire-control
radar system on the Vincennes and had identified itself at least once
electronically as an airliner as well as an F-14, an air-to-air fighter that
Iran has not used against ships.
  / The plane was descending from a high altitude, between 9,000 and 12,000
feet, making it vulnerable to the Vincennes' missiles and guns.  Rogers had
about four minutes -- enough time to handle a single threat -- to shoot the
Airbus down after it came within sight but before a hostile plane could use
its cannons or drop unguided bombs accurately.
  (The Iranian F-14 is not wired for anti-ship missiles, which would be
dropped during a different flight profile than the Airbus was flying, and has
not shown the ability to use laser-guided bombs in such a single-airplane
attack.)
  / A single plane would be unlikely to attempt a kamikaze attack against
such a heavily armed and highly maneuverable ship as the Vincennes.

Newspaper disputes account

  The Pentagon's account of the incident came under fire from a new 
direction Sunday when the Sunday Times of London reported that the British
Government Communications Headquarters had determined from electronic
eavesdropping that the Iranian Airbus left Bandar Abbas only three minutes
behind schedule, was flying in the correct flight path south over the Strait
of Hormuz toward Dubai in the United Arab Emirates and was climbing when the
Vincennes shot it down.
  Adm. William J. Crowe Jr., chairman of the Joint Chiefs of Staff, said
July 3 that the Airbus was outside the commercial corridor, an assertion the 
Pentagon stepped away from Thursday, and was descending toward the ship in an
attack mode.  The Pentagon has said the airliner was 27 minutes late taking
off. 
  The newspaper said that the communications headquarters report was
"severely critical" of the U.S. Navy for shooting down the Airbus and
suggests that the initial confrontation between the Vincennes and three
Iranian gunboats may have been provoked by U.S. helicopters flying into
Iranian airspace.  The Pentagon has said a helicopter from the Vincennes was
fired on by the gunboats, triggering return fire from the cruiser.  Pentagon
officials declined to comment on the Times report.


Iran Airbus tragedy

<cdsm%DOC.IC.AC.UK@CUNYVM.CUNY.EDU>
Mon, 11 Jul 88 15:22:43 BST
[...]  Some people writing in the US may not realise that Dubai airport, to
which the flight was heading, is the busiest transit point in the region.
It would change a LOT of schedules if it were closed.

Chris Moss


Shooting down Flight 655

<LIN@XX.LCS.MIT.EDU>
Mon, 11 Jul 1988 00:47 EDT
I've just read the last few issues of commentary about this subject,
and I find the debate sadly misdirected.  The one really relevant
comment came from Gary Chapman, who says we should not look at just
the technical issues.

The point is not to learn why the Vincennes was unable to identify a
civilian airliner as such.  The US military has known for 20 years
that the IFF problem (Identification Friend or Foe) is a VERY tough
problem, and no good solutions exist as yet, other than visual
identification.   If you send ships into areas in which weapons will
be fired at other things in the area, sooner or later an innocent
target will be destroyed.  We can argue till the cows come home the
precise nature of this particular error, but in the larger scheme of
things, it really doesn't matter.  Whatever this reason is, the next
time it will be some other reason.

The real issue -- if you are determined to save innocent lives -- is
why the US Navy is in the Gulf at all.  The only sure way to make sure
you don't -- at some point -- have innocent blood on your hands is to
not send your weapons of war into an area where they could be used.
The technology doesn't matter; the policy does.

On the other hand, maybe RISKS isn't the right place for a strictly
policy debate.  Try ARMS-D for that, maybe?

Herb (ARMS-D moderator)


Ignoring the wolf

Andy Freeman <andy@polya.Stanford.EDU>
Fri, 8 Jul 88 23:03:45 PDT
The July 8 issue of the San Francisco Chronicle had an article by
Karen DeYoung of the Washington Post.  She reported on a news
conference by Brigadier General Mansour Satary, "the chief of Iran's
Air Force."  The last paragraph of the article was:

"Asked why the airbus failed to respond to what the Pentagon has said
were 12 separate radio queries, on both military and civilian
frequencies, to identify itself, Satary said that such communications
from the American ships in the gulf were so frequent that Iranian
pilots usually ignored them."

-andy


Air France Airbus crash

<mnetor!utzoo!henry@uunet.UU.NET>
Sun, 10 Jul 88 21:57:41 EDT
> Does the Airbus model in question display altitude in feet or meters?
    [Question raised regarding whether the Air France Airbus was at 30
    feet or 30 meters...]

Unless I am greatly mistaken, in feet.  Altitudes and airspeeds are not
quite the same situation as fuel volumes.  The latter are a matter for
individual aircraft; the former are of vital interest to air traffic
control and other aircraft, and units are internationally standardized
(altitude in feet, airspeed in knots).  I wouldn't even expect readouts
in both units, because altitude and airspeed are safety-critical items
and even the slightest confusion about which number is which is unacceptable.

It's kind of unfortunate that aviation standardized on units that are now
obsolete, but this is one of those cases where the actual units are not
very important so long as they're standard.  For navigation one needs to
turn airspeed into map distance, and for the initial phase of takeoff and
the final phase of landing the absolute altitude is significant, but
otherwise comparisons are usually relative and the units of measurement
don't matter much.  For example, what matters about airspeed is not its
absolute value, but its value relative to safe limits, optimal values
for the particular phase of flight, and the value requested by traffic
control.  Even near-ground altitudes are relative to some degree:  50 feet
of altitude is a good takeoff-obstacle clearance for a Cessna, a dangerously
small one for a 747 (which can't do a hard turn without sticking a wing
down farther than that), and a routine operating altitude for military
aircraft in wartime.
                  Henry Spencer at U of Toronto Zoology
                uunet!mnetor!utzoo!henry  henry@zoo.toronto.edu


Re: Physical hazards - poorly designed switches

John Robert LoVerso <loverso%encore@multimax.ARPA>
Mon, 11 Jul 88 16:01:50 EDT
Dave Curry relates of some problems with a CCI Power 6/32:
> CCI also cleverly placed the "reboot" switch, an up/down toggle, on the
> front of the cabinet, not recessed, and at knee level.  Fortunately,
> UNIX seems to ignore the switch.

At SUNY/Buffalo, the Sperry 7000/40 there that I had running 4.3BSD-tahoe
beta did respond to that switch (I remember leaning over the front of the
processor once, only to end up rebooting it).

That machine suffered my worst abuse.  To the left of the front reboot switch
was the key switch for local/locked/off.  I once knocked into it, only to break
the end off of the key.

CCI also used a clever placement strategy with the "emergency shutoff"
switch, a large red push button.  This was on the back of the cabinet,
extending out 1" at waist level.  Pressing this would trip the main breaker
for the CPU and disks.  It was easy to lean on this button and then suddenly
notice the quiet in your end of the machine room.  Unfortunately, this
machine was far from the VAXen in the room, and behind it was one of the
quieter locales in the machine room, so I frequently stood in that area
while talking to people.  And, more than once, I accidentally hit that switch.

One day, I was imparting upon the field service tech how poorly designed
this switch was (and he was telling me how it was required by law to have
an easily accessible emergency cutoff?!) when I (accidentally) leaned on
the darned thing again.

The very next day I took the mounting bracket apart and replaced it in such
a way that the switch was recessed 1" into the cabinet.  Never again did I
hit it accidentally.

Henry Spencer tells of a chair that liked RK05s.  I was told a story about
CU/Boulder, where they used to use munchkins (12 year olds) to do dumps.
They had the familiar RA81/TU80 combinations common to VAX 11/750s, where
the RA81 controls are about 18" from the ground.  One particular short
munchkin had the problem of repeatedly off-lining the drive while mounting
the tape to dump it.  As with Henry's chair, he was replaced by someone taller.

John R LoVerso, Encore Computer Corp


PIN on PNB calling card

Mark Mandel <Mandel@BCO-MULTICS.ARPA>
Mon, 11 Jul 88 09:26 EDT
Scott Peterson's reaction to Pacific Northwest Bell's encoding his
calling card PIN in the magstripe is simply to "hit [his] card with a
bulk tape eraser, and forget about using card reader phones until PNB
straightens this out".  Scott, have *you* called PNB's attention to this
monumental piece of stupidity?  Has anyone?  Or do you trust the same
crew that implemented this un-security measure to realize their mistake
unaided and take the initiative to correct it?  "Marketing sez the
customers want the convenience, and they haven't gotten any complaints,
so if it ain't broke [i.e., not causing us any grief] don't fix it."

                                        -- Mark Mandel


Re: Lockpicking

<mnetor!utzoo!henry@uunet.UU.NET>
Sat, 9 Jul 88 23:45:42 EDT
> Should I spend a fortune replacing the locks on my house, or are the risks
> low that a burglar will pick the locks?

A local insurance outfit might be able to tell you what the incidence of
such things is locally.  Do beware of one complication:  since picking
leaves no major physical traces, it is a convenient scapegoat for cases
where the *real* problem was the owner's carelessness.  Orthodox wisdom
is that most "burglar picked the lock" cases are really "burglar had a key"
or "door was not locked".

My understanding is that picking is perceived as difficult and possession
of lockpicks (aka "burglary tools") is perceived as too likely to be
incriminating.  I would be surprised if Arizona didn't have a possession-
of-burglary-tools law; before spending a fortune on locks, spend a
little asking a lawyer about this.  (Local officials are notorious for
being uninformed about the laws they are supposed to enforce, so I wouldn't
put too much faith in the negative results you got by asking them.)

Henry Spencer @ U of Toronto Zoology  {ihnp4,decvax,uunet!mnetor}!utzoo!henry


lockpicking

Robert Mathiesen <SL500000%BROWNVM.BITNET@MITVMA.MIT.EDU>
Mon, 11 Jul 88 08:37:45 EDT
Apropos of Randy D. Miller's surprise that information on lockpicking is so
readily available, I cannot resist quoting Charles Tomlinson's Rudimentary
Treatise on the Construction of Locks, published about 140 years ago.  His
words are also relevant to much of the discussion on computer security which
has gone on in this Forum.

"A commercial, and in some respects a social, doubt has been started within the
 last year or two, whether or not it is right to discuss so openly the security
 or insecurity of locks.  Many well-meaning persons suppose that the discussion
 respecting the means for baffling the supposed safety of locks offers a
 premium for dishonesty, by showing others how to be dishonest.  This is a
 fallacy.  Rogues are very keen in their profession, and already know much more
 than we can teach them respecting their several kinds of roguery.  Rogues knew
 a good deal about lockpicking long before locksmiths discussed it among
 themselves, as they have lately done.  If a lock -- let it have been made in
 whatever country, or by whatever maker -- is not so inviolable as it has
 hitherto been deemed to be, surely it is in the interest of *honest* persons
 to know this fact, because the *dishonest* are tolerably certain to be the
 first to apply the knowledge practically; and the spread of knowledge is
 necessary to give fair play to those who might suffer by ignorance.  It cannot
 be too earnestly urged, that an acquaintance with real facts will, in the end,
 be better for all parties.  Some time ago, when the reading public was alarmed
 at being told how London milk is adulterated, timid persons deprecated the
 exposure, on the plea that it would give instructions in the art of
 adulterating milk; a vain fear -- milkmen knew all about it before, whether
 they practised it or not; and the exposure only taught purchasers the
 necessity of a little scrutiny and caution, leaving them to obey this
 necessity or not, as they pleased.  .....  The unscrupulous have the command
 of much of this kind of knowledge without our aid; and there is moral and
 commercial justice in placing on their guard those who might possibly suffer
 therefrom.  We employ these stray expressions concerning adulteration,
 debasement, roguery, and so forth, simply as a mode of illustrating a
 principle -- the advantage of publicity.  In respect to lock-making, there can
 scarcely be such a thing as dishonesty of intention: the inventor produces a
 lock which he honestly thinks will possess such and such qualities; and he
 declares his belief to the world.  If others differ from him in opinion
 concerning those qualities, it is open to them to say so; and the discussion,
 truthfully conducted, must lead to public advantage: the discussion stimulates
 curiosity, and curiosity stimulates invention.  Nothing but a partial and
 limited view of the question could lead to the opinion that harm can result:
 if there be harm, it will be much more than counterbalanced by good."

The subsequent development of lockmaking in the course of the next 140 years
has long since demonstrated the correctness of Tomlinson's argument in his
own field.  I do not doubt that it is equally applicable in the area of
computer security.


re: lockpicking and burglars

Doug Faunt (phone (415) 496-4727) <faunt@spar.slb.com>
Fri, 8 Jul 88 22:44:02 PDT
I would like to point out that it might be worthwhile to improve your
locks to some degree, since an intruder who picked the lock probably
wouldn't leave any evidence of the intrusion, and at least one of my
insurance policies DOES NOT cover, "mysterious disappearance".  You may
not be able to keep them out, but you can make sure there's a record.
This has obvious applicability to computer security measures.

        ...{amdahl|decwrl|hplabs}!spar!faunt    faunt@spar.slb.com


Lockpicking

<"chaz_heritage.WGC1RX"@Xerox.COM>
7 Jul 88 09:31:26 PDT (Thursday)
In his Tue, 5 Jul 88 09:44:06 MST Randy D. Miller writes:

>I called some city and state offices, and one local locksmith, to see
if there are any laws regulating the possession and use of lockpicks in
Arizona.  No one I talked to seemed to know anything about any regulations!<

I feel that I ought to ask the Phoenix, Arizona Police Department how they would
feel about searching Mr. Miller's home for >$0.99 hacksaw blades and a Dremel
Tool grinder<.

Exactly this 'ban it all' attitude is very prevalent in UK. If someone is
murdered with a knife, the media howl for all knives to be 'banned'. What they
should howl about is that someone is motivated to murder - not that someone who
was so motivated chose a particular instrument.

Or perhaps Mr. Miller would be happy to live under a law that prohibited
possession of lockpicks - or the means to make them - or the knowledge of how to
make them........

Chaz Heritage
