The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 33

Wednesday 9 July 1988

Contents

o Cascaded Inference and the Vincennes affair
CFEEHRER
o "Virus" Bill
Joseph M. Beckman
o More RISKy ATM's
Dave Horsfall
o Keeping Autos and Drivers in Suspense
Joseph M. Beckman
o Airbus Cockpit Alarms
Fred Baube
o A-320 investigation
Steve Philipson
o Federal charges brought against accused teen-age hacker
Mike Linnig
o Orbit 100,000 self-guided "brilliant" weapons, Reagan advised
Jon Jacky
o Info on RISKS (comp.risks)

Cascaded Inference and the Vincennes affair

<CFEEHRER@G.BBN.COM>
2 Aug 1988 20:28-EDT
  I have become interested in the dialog lately re: Vincennes and the question
of thresholds for declaring radar blips hostile (see, for example, Wellman, 9
July; Johnson, 10 July; Estell, 12 July) and would enjoy some comments in
regard to the following proposition: "There's nothing wrong, in principle, with
"binary thinking/decision making" if ALL of the information available for a
choice among competing hypothesis is employed in the computation of posterior
odds."  What may have gone wrong in the Vincennes case is that not all of the
information that was available came to be used.  Most notably, perhaps, the
diagnostic value associated with target aspect ratio, which the press tells us
was more-or-less head-on and at short range relative to the design envelope of
Aegis, did not enter into the decision in a formal way.  It is interesting to
me that difficulties with interpreting an image formed under such circumstances
was one of the first explanatory notes to surface during coverage of the
encounter.  Thereon hangs the story below.


I'm suggesting that, however, accurate the Aegis sensor and signal processing
systems may be, the information presented to the human decisionmaker is
apparently equivocal ("unreliable") at certain combinations of range and aspect
and provides the basis for a very complex judgment even when a good estimate of
the priors can be made.  It seems to me that the situation, corresponds closely
to what has been called "cascaded inference" in behavioral decision theory.  In
prescriptive approaches to decision making in this kind of situation, there are
two sets of conditional probabilities: the probability of a datum conditional
upon an hypothesis, and the probability of a REPORT (verbally, electronically
or otherwise delivered) conditional jointly upon an hypothesis and a datum.  If
the components of these are known or can be estimated, then the probability of
a report conditional upon an hypothesis can be easily calculated.  In effect,
the decision maker is required first to adjust the nominal diagnosticity of the
report to reflect the reliability of the source -- "interpretability of the
image" is a better term here -- and then to apply this adjusted datum to the
hypotheses under evaluation using Bayes' rule.  In the scenario I'm conjuring,
the first task would have been to make a (cognitive) adjustment of the
diagnosticity of the displayed image (i) given the hypotheses, "(a)ttack",
"(n)o attack", and then to compute the posterior odds (p(a:i)/p(n:i) given
p(i:a) and p(i:n).  (Note that at optimal ranges/aspects, the diagnosticity
would be assumed to be nearly perfect, while at non-optimal ranges/aspects, it
would be considerably less than perfect -- a little circular but OK for now!
The point is that, while the electronics remain the same, the intrinsic value
of the image, its utility, for purposes of deciding between two (or more)
mutually exclusive hypotheses varies.)

When one compares the posterior odds achieved with an adjusted datum with those
achieved with an unadjusted datum, the results can be startlingly different!
(This is not a good forum for lengthy equations, so I'll simply ask you to
believe that assertion! I'd be happy to send along some references and a short
demonstration to anybody who's interested.  For a quick perspective, consider
that a likelihood ratio of 9:1 falls to approximately 4.3:1 when one reduces
the reliability of the reporting system from 1.0 to 0.9.  That can lead to
quite a different decision with the same set of priors.)

Research in decision making in medical, military command, process control/QC,
and trouble-shooting contexts regularly demonstrates two phenomena: (1)
Decision makers are typically not trained to make decisions "by the numbers",
even when that is possible -- it's not a skill that comes naturally; (2) The
few decision makers who are familiar with quantitative decision aids have
rarely been taught means for coping with unreliable data.  The sad thing is
that virtually ALL data, whether delivered through eyes and ears or complex
sensor systems are unreliable from time to time and/or for certain purposes.
So, is it surprising that, in situations characterized by high stakes and great
stress, wrong hypothesis are occasionally supported and correct ones
discarded?! (There is an interesting literature associated with attempts to
create descriptive models of what decision makers actually do which suggests
that optimal procedures for discounting equivocal information are rarely
intuited, but that they can be trained.  References on request.)


The "story" above is clearly a house of cards -- plausible maybe but
unverifiable at best.  Who knows if ANY quantitative reasoning went on at all
-- but I do want to suggest that binary decision frameworks may not be as
limiting as they may seem at first if they are properly implemented.  I'm a
strong supporter of neural net/fuzzy set approaches, but only if simpler
algorithms are found wanting and their alternatives are not.       cef


"Virus" Bill

"Joseph M. Beckman" <Beckman@DOCKMASTER.ARPA>
Fri, 5 Aug 88 10:36 EDT
"Computer Virus Eradication Act of 1988"

(a) Whoever knowingly --

          (1) inserts into a program for a computer information or commands,
knowing or having reason to believe that such information or commands will
cause loss to users of a computer on which such program is run or to those who
rely on information processed on such computer; and

          (2) provides such program to others in circumstances in which those
others do not know of the insertion or its effects;

or attempts to do so, shall, if any of such conduct affects interstate or
foreign commerce, be fined under this title or imprisoned not more than
10 years, or both.

Entered July 14th 1988 by Mr. Herger (congressman from CA) for himself and
Mr. Carr; referred to Committee on the Judiciary, to amend title 18.

Joseph                        [You can lead a Trojan horse to Waterloo, 
                              but you can't make his legislator think.  PGN]


More RISKy ATM's

Dave Horsfall <munnari!stcns3.stc.oz.au!dave@uunet.UU.NET>
Thu, 4 Aug 88 14:39:34 est
From Neville Angove's column in "Computerworld", 29th July:

``According to a number of sources in the systems programmer community,
the recent media noise concerning ATM fraud/failures indicates a number
of severe problems being faced by financial institutions with ATM
networks.  As the size and usage of these networks have increased, so
have the security risks, due to the fact that the knowledge of ATM
characteristics and network limitations have become more widespread.
The most serious rumour is that one bank has evidence that someone has
discovered a means to decode the PIN encrypted on to the magnetic strip
of stolen ATM and credit cards.  [It is not generally well-known that in
Australia at least, that strip encodes your PIN!] 

Another factor causing concern, especially to the more knowledgable
members of the public, is the increasing use of lower-cost -- and
probably lower-quality as a result -- ATMs by the smaller banks which
want to provide a competitive service but cannot justify the cost of
higher-quality equipment.  A model of the ATM favoured by one bank is so
lacking in "intelligence" that it can only run in on-host mode [?], and
circumvents the problems of storing transaction details by printing them
as they occur on to a paper cash register roll (an ironic solution,
since the manufacturer originally made its name as the giant of the cash
register business).  [Well, perhaps they need to use up a warehouse full
of rolls!] 

The increasing number of instances in which ATM networks have not
functioned as claimed, or where stolen cards have been used to milk the
victim's account in apparently impossible circumstances, is evidence
enough of some fundamental design faults or deficiencies in a number of
-- but not necessarily all -- ATM networks.  Public claims by the banks
that their networks are secure do not agree with concerns they have
expressed privately, but it is unlikely that the community will see any
improvement until the problems with ATM networks are brought to light
through the legal system.'' 

Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz
dave%stcns3.stc.OZ.AU@uunet.UU.NET, ...munnari!stcns3.stc.OZ.AU!dave


Keeping Autos and Drivers in Suspense

"Joseph M. Beckman" <Beckman@DOCKMASTER.ARPA>
Tue, 9 Aug 88 10:25 EDT
From "The History and Future of Automobile Suspension" by Rick Castelli in
CORRIDOR TODAY July 29 1988 p9 (No copyright or reprint directions on page)

"As a result of Japanese competition, all of the major American and German
automakers are racing to provide their own versions of 'smart' suspensions as
soon as possible...Both Lotus and Volvo's systems have eliminated the use of
springs, shocks, and antiroll bars, as well as other components.  Instead,
hydraulic cylinder devices are incorporated that detect various lateral and
vertical wheel motions.  Sensors are also used to detect other factors and
forces upon the car.  All of this data is fed into a computer which
subsequently inputs instructions to the hydraulic cylinder devices to adjust
wheel deflection and angle.  What results is that the wheels never leave
contact with the road, and the body of the car automatically leans precisely
into turns, thus maintaining a stable flatness, even through emergency
maneuvers.  This is a phenomenal advantage! In a sense, it makes the car feel
as if it's floating independently above the road.
          Likewise, this could be one disadvantage -- among others.
Drivers will lose that inner sense of knowing when a car is at its
limits of handling, and might get too confident for their own welfare."


The last point reminds me of some study done years ago.  Some researcher, S.
Peltzman, found that the mandatory use of seat belts would not save (net)
lives.  The reason given was that drivers feel 'invincible' (or more so) when
wearing them.  Consequently, they became less attentive to driving, increasing
the number of accidents.  Although they did a good job of protecting the
driver, many accidents killed pedestrians; more than the number of drivers and
passengers they saved.                                               Joseph


Airbus Cockpit Alarms

Fred Baube <fbaube@note.nsf.gov>
Tue, 09 Aug 88 13:24:58 -0400
munnari!banana.cs.uq.oz.au!bigm@uunet.UU.NET 
(Michael Pilling (Dr Chocberry)):

    Several times before the critical manoeuvre the crew
    contemptuously dismissed visual and aural wornings emitted by the
    onboard computers.
    The pilot responded to one by saying: "Knock that one off,
    it's getting on my nerves."

Pardon my naivete, but ..

This sounds like the Amtrak crash.  Any irritating+persistent
alarm that "cries wolf" gets defeated with whatever tools are at
hand.  If the condition causing the alarm is an everyday event
(Amtrak), or an event that was out of the ordinary but nonethe-
less intended (e.g. fancy airshow maneuver), and the same alarm
is to be used for a REAL problem, then the alarm won't be there
when it's needed.

Don't these guys that design alarms consider a "cry wolf" factor? 
Would they want to be trying to fly an airliner with an unneces-
sary racket disturbing their concentration ?


A-320 investigation

Steve Philipson <steve@aurora.arc.nasa.gov>
Tue, 9 Aug 88 12:26:56 PDT
Re: martin@bashful   <@RELAY.CS.NET:martin@bashful> posting on "Preliminary 
A320 Inquiry Results".

>* The pilot and copilot (apparently informally) planned to fly at 100 ft.
>  AGL for the flyby, with no planned airspeed (oops).  They ignored
>  three radar altimeter callouts below this altitude (the radar altimeter
>  gave six callouts in the 25 seconds between 100 ft. and impact, three
>  after the throttles were advanced).

   The warnings would have been expected, and the crew would have planned
to ignore them.  The whole point of this maneuver was a low altitude
fly-by.  Ground proximity warning systems would call the altitude, so
there would be no reason to be alerted to a "problem" that was part of
the intended flight path.

>* The pilot intentionally disabled the alpha floor protection mode in the
>  autothrust system; this mode is intended to provide protection against
>  windshear accidents.  ...

   This also seems reasonable for the flight path desired.  Manual control
of engines and AOA was desired, so again, this intentional disabling of
automatic systems seems reasonable.

>                         ...                           large aircraft
>  don't accelerate and climb very well (that is to say, at all) at low
>  speeds and high angles of attack.  It takes a long time to spool up
>  large high-bypass engines, and it takes even longer before that energy
>  input has any effect on the aircraft.

   This is not quite true.  Jetliners attain close to maximum climb
performance at high angles of attack, but with maximum thrust.  The
recommended windshear escape maneuver is to raise the nose to just
below stall AOA and hold maximum power.  The problem IS in spool-up
time of the engines.  What I'm most interested in is how two highly
experienced pilots allowed RPM to decrease below reasonable values
for this type of maneuver.  

   One of the first things you learn when flying jets is that you must 
keep RPM up if you will need a rapid application of power.  Did the 
engine control system retard power below the intended setting?  Did 
the combination of enabled and disabled systems cause the engine settings 
to go below what the pilots had intended?  

   The investigations into why the crew was unaware of their situation 
is critical to assesments of the safety of the A-320.  The unusual 
manuever and crew selected configuration may have had much to do with 
the cause of this accident.  We know that conditions not accounted for
in the design of complex systems are often the root of system failure.
Many of us are very concerned about digital control systems for just
this reason.  We will not know if this crash was really "pilot error"
until those elements of this accident are thoroughly explored.


Federal charges brought against accused teen-age hacker

Mike Linnig <linnig@skacsl.csc.ti.com>
Tue, 9 Aug 88 22:28:52 CDT
  CHICAGO (AP) -- A teen-age high school dropout is charged with using his
personal computer to break into AT&T and government computers and steal more
than $1 million worth of software.
  "This is not malicious mischief," U.S. Attorney Anton Valukas said in
announcing the federal charges Monday. "It's a felony."
  Herbert Zinn Jr., 18, also is accused of advertising on a computer bulletin
board how to electronically break into AT&T's computers.
  The charges against Zinn mark the start of "an aggressive position toward
computer crimes," Valukas said.
  Zinn allegedly committed the crimes when he was a juvenile, and could be sent
to prison until his 21st birthday in August 1991.
  Federal agents raided Zinn's home last year and confiscated three computers
and software allegedly stolen during the electronic break-ins.
  The telephone at Zinn's North Side residence went unanswered this morning.
  Zinn was quoted in today's editions of the Chicago Sun-Times as saying that
since the raid on his home, he had not pursued his computer techniques "with
quite the same vim and vigor."
  He said he nonetheless hoped eventually to resume his schooling and become an
electonics engineer, the newspaper said. Zinn would not discuss details of the
case, it said.
  The federal charges were brought after Zinn had been arrested several times,
including for alleged computer break-ins at the Keller Graduate School of
Management and at Commodity Perspective Inc., both in Chicago.
  "Before and after the computer break-ins (at Keller and Commodity
Perspective), Zinn was, by his own admission, breaking into AT&T computers,"
Valukas said.
  Court documents said Zinn broke into an AT&T computer at the North Atlantic
Treaty Organization's Maintenance and Supply Headquarters in Burlington, N.C.,
and an AT&T computer at Robins Air Force Base, Ga.
  Valukas said the software taken from NATO and the Air Force base were "low
level in terms of sensitivity."
  Agents raided Zinn's home after an AT&T security officer logged onto the
so-called Phreak Class-2600 computer bulletin board and spotted messages signed
by "Shadow Hawk," a code name the goverment said the teen-ager used.
  In the messages, Shadow Hawk bragged that he had gained access to AT&T
computer files. In a similar message, Shadow Hawk made the mistake of including
his telephone number, which the security officer spotted, the government said.
  The purpose of the Texas-based Phreak Class-2600 is "to educate computer
enthusiasts . . . to penetrate industrial and government sector computer
systems," said William J. Cook, an assistant U.S. attorney.
  The government said Zinn also tried to electonically break into computers at
the Washington Post's accounts payable department, a hospital in South Bend,
Ind.; and computers in Columbus, Ohio; Rye, N.Y. and Pipe Creek, Texas. 


Orbit 100,000 self-guided "brilliant" weapons, Reagan advised

Jon Jacky <jon@june.cs.washington.edu>
Wed, 10 Aug 88 08:53:39 PDT
The following story appeared in THE SEATTLE TIMES, Aug 9 1988, p. A3:

SDI OFFICIALS URGE 'PEBBLES' OVER 'ROCKS' by Dan Stober, Knight-Ridder News

A dozen high-ranking "Star Wars" officials met privately with President Reagan
two weeks ago to gain his backing for a new weapons idea: swarms of five-pound
rockets, known as "brilliant pebbles," that would orbit Earth and decide on 
their own to attack Soviet missiles.

The rockets, once launched, would not require a command from the ground to
attack.

"It's effectively a shield over the planet, consisting of these things, and if
anything pierces the shield that doesn't come from an allowed launch point
... it gets knocked off," said Bruce McWilliams, who headed a lab team that 
developed the optical sensors for "brilliant pebbles."

It would take 100,000 such rockets to defend against the next generation of
Soviet missiles, a Livermore study concluded.

...(the idea) was advanced by the Lawrence Livermore National Laboratory...
the classified White House briefing was given by Livermore physicist Lowell
Wood, a protege of the controverial Edward Teller.

- Jonathan Jacky, University of Washington

Please report problems with the web pages to the maintainer

Top