The RISKS Digest
Volume 7 Issue 49

Sunday, 11th September 1988

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Firmware bugs in Dutch gambling machines
P. Knoppers
o Soviets See Little Hope of Controlling Spacecraft
Gary Kremen
o Disinterest in disaster not based on probability estimates
Clifford Johnson
o What a Ticonderoga Combat System "records"
John Allred
o High-tech toilets
Robert Dorsett
o ANI/911 Misconceptions
Dave Robbins
o Re: Display of telephone numbers on receiving party's phone
Henry Spencer
o Social content of computer games
Eric Postpischil
Henry Spencer
o "Viruses Don't Exist" and the Marconi Mysteries...
Mark Moore
o Info on RISKS (comp.risks)

Firmware bugs in Dutch gambling machines

P. Knoppers <knop%dutesta%mcvax@uunet.UU.NET>
Sat, 10 Sep 88 17:21:03 -0200
In the Netherlands it is legal to exploit gambling machines if these
are approved by a government-operated test institution.

There is currently an approved machine in use that has a rather severe
problem in its firmware. This fault can be exploited by malicious players.
I will not reveal which machine type has the bug, there may even be
several models that have it.

The trick is as follows:
Use the machine until you have won a substantial price (call this price 1).
Pull the power plug BEFORE the machine has started to pay out.
Re-insert the power plug.
  The machine will self-test and pay out the pending price 1.
On the next price that you win (no matter how small) the machine
pays the amount of price 1.

The use of this trick can empty the coin buffer of the machine within
one hour.

It appears that a system that was designed to protect the players from
financial losses in case of a power failure introduced a risk.
Makes me  wonder what measures are built in ATMs to protect customers
in case of a power failure during a transaction...

P. Knoppers - knop@dutesta.UUCP
Delft Univ. of Technology, Faculty of Electrical Engineering, The Netherlands.

Soviets See Little Hope of Controlling Spacecraft

Gary Kremen (The Arb) <89.KREMEN@GSB-HOW.Stanford.EDU>
Sat 10 Sep 88 15:22:49-PDT
According to today's (Saturday, September 10, 1988) New York Times, the
Soviets lost their Phobos I spacecraft after it tumbled in orbit and the
solar cells lost power. The tumbling was caused when a ground controller
gave it an improper command.

This has to one of the most expensive system mistakes ever.

Gary Kremen, Stanford Graduate School of Business

  [Several people reported on radio items that attributed the problem to a
  console operator's single keystroke in error, which it was speculated might
  have triggered the Mars probe's self-destruct signal.  After the command was
  sent, contact with the probe was lost completely.  PGN]

Disinterest in disaster is not based on probability estimates.

"Clifford Johnson" <GA.CJJ@Forsythe.Stanford.EDU>
Sat, 10 Sep 88 18:18:00 PDT
A recent contributor noted disinterest is a planned conference
on disasters in Chicago.  Another noted:

 > John Cullyer of the British Royal Signals and Radar Establishment ...  said,
 > "Let's throw out the 10 ** -9" - and many of the audience responded with
 > enthusiastic applause. Someone asked if he would accept a failure
 > probability of only 10 ** -4 or 10 ** -5 for nuclear weapons safety.  He
 > responded, "In the weapons area there should be no room for probability. If
 > something is unthinkable, don't let it happen.  You either certify it or you
 > don't - one or zero."

Three months ago I was set for a 2-hour interview/call-in program on the San
Francisco CBS radio station.  My topic was the probability of computer-related
error causing accidental nuclear Armageddon, which even conservative
authorities (e.g. Hudson Institute) estimate to have a probability of the order
of 10**-3 per year.  I reckon it's higher, and can argue the point.

On arrival, I found my time reduced to one and a half hours because of a change
in the computerized California lottery which provided for a bigger
multi-million $ jackpot at even longer odds.  This topic was inserted as a
first interview/call-in feature, for half an hour before me.  The odds of
winning the jackpot per ticket must be of the order of 10**-8.  Even buying a
hundred tickets per year doesn't get the odds above 10**-6 per year.

Maybe you can guess the rest.  The station had a screen displaying the status
of the five incoming phone lines.  They were packed for the lottery call-in.
For example, animated callers complained that South California got more prizes
than the North, and the lottery official patiently responded that the prizes
were in fair proportion to money spent. Etc.  Clearly, the lowering of the odds
of success (which the official never quantified) was of scant concern to
callers agog at visions of the higher jackpot.  The lottery debate was extended
for a further half hour.  I didn't mind: one hour is more than enough for my

In the first 25 minutes of my call-in interview, there was not a single caller.
There were only three in the entire hour.

What a Ticonderoga Combat System "records"

John Allred <jallred@VAX.BBN.COM>
Fri, 9 Sep 88 17:36:05 EDT
  Jonathan Jacky, University of Washington, asks:
  >The effect of these misconceptions is to discourage thorough investigations
  >of possible problems.  I now doubt the frequently heard assertion that
  >the Vincennes actually did correctly identify the altitude and heading of
  >the Airbus...

First off, my credentials on this subject:  I worked on the Combat System of a
Spruance Class Destroyer, a direct predecessor of the Vincennes (and other
Ticonderoga Class Cruisers).  Indeed, a "Tico" has the same hull as a Spruance.
Add that nifty phased array radar (SPY-1), lots of missiles, and an enhanced
Combat System (5 tactical data computer (AN-UYK7), versus 2 on a Spruance), and
you get a Tico.  The Combat System on the Tico is also known as AEGIS.

The Combat System records, in real time and on magnetic tape, the symbology
seen by the radar operators anytime the "program" is up.  During training, it
was common to "play back" a canned scenario to exercise the troops and
equipment.  So, when the Investigation Officer's report says, "AEGIS reported
Iran Air 655 as ascending", the Investigation Team probably replayed the tapes
of the incident, and saw a display reporting Iran Air 655's status *AS THE CREW

John Allred, BBN Systems and Technologies, Inc.

High-tech toilets

Robert Dorsett <juniper!>
Sat, 10 Sep 88 19:17:27 edt
Pages 132-136 of the 9/3/88 issue of Flight International has a summary of the 
first six months of A320 service with British Airways (3 airplanes) and Air 
France (2 airplanes).  Mulhouse-Habsheim crash not withstanding, both airlines
claim a dispatch rate of approximately 97%.  Some highlights from the 

1.  Problems with air conditioning packs, which have resulted in BA restricting
fan output to 80% of suggested maximum.  This is listed as a supplier problem.

2.  The FADEC (full-authority digital engine control, a fancy term for a 
computer-controlled fuel metering system) has been reliable, although Air 
France claimed frequent replacements in the first few weeks of service.

3.  The computer-controlled cabin public address and lighting system does not
work very well.  Both airlines are disgusted at the sloppyness of it.  Again,
it is listed as a supplier problem.

4.  The toilets don't work very well (see excerpt below).

5.  There was mention of in-flight failures of the primary guidance system,
but the backup systems worked as advertised.

6.  There have been software modifications of the "flight management and 
guidance computer, fuel quantity indications computer, cargo compartment
ventilation computer, avionics equipment ventilation computer, window heat
computer, and bleed monitoring computer."  (One wonders when they will replace
a simple on/off switch with a computer).  The modifications were required
when some computers shut down after the power sources for the mains was 
switched from the APU to the engine generators.

7.  95% of all system faults have occurred after engine startup, before the
airplane got in the air.  En route failures are rare.

On the plus side, BA claims that the centralized fault display system, which is
a CRT and possibly a printer, intended for use by maintenance personnel, has
been quite successful in detecting faulty items and systems, improving
maintenance time considerably.  They have encountered the occasional
unintelligible message, though.  They look forward to incorporating the system
with a communications package to let it automatically call maintenance bases to
let maintenance personnel "get ready" for a quick repair job on the airplane
when it arrives.  The CFDS is based on the late 70's AIDS (Airborne Indicated
Data System), tested with mixed results on the 747, and later on the 757/767.
The device keeps track of data which is not normally of operational
significance.  The data can then be offloaded, catalogued, analyzed, etc.
Apparently Airbus has incorporated an expert system to form the latest version.

It should be observed that something Steve Philipson said, about the Airbus
being very much an "experimental aircraft," holds weight, even though the
concentration of problems has shifted.  Airbus is said to be keeping a full
staff of engineers on site at Air France and British Airways maintenance 
bases.  In addition, each airplane is carrying a set of computer "spares"
(spares for what, the article doesn't mention) in the event of failure.
The article does not indicate how long this arrangement is going to last. 

Now, about the toilets... (excerpted without permission, but let's say it's
for the purposes of review)

"The main concern about the A320 has been that so many functions are 
'computer-controlled,' and that this could lead to unforeseen problems.  The
use of the word 'computer' can be misleading, in fact, because many of the
devices referred to as computers are little more than digitally controlled
switches--like the window heat computer, whose software has now been

"The whole subject comes firmly down to earth in the Air France A320's, where
the high-tech vacuum toilet system chosen by that airline (but not by BA) has
suffered shutdown because of glitches caused by electrical transients.
Aircraft have been grounded by this problem from time to time.  You can get an
aircraft airborne safely without working toilets, but it is unwise to try to
get any passengers airborne under those conditions.

"Air France chose the vacuum toilet system for its single-point drainage and
the flexibility to move a toilet quickly for a short-notice cabin
reconfiguration.  However, its A320's have been subject to four different types
of toilet system malvunction: toilet overflow, toilet shutdown, system
shutodwn, and straightforward toilet drain blockage.  The latter may be a
matter of wastepipe diameter, though not everyone agrees on that.  It has
worked on other aircraft.

"Airbus, in its produce support department's technical review of Air
France's A320 toilets problem, devotes a page to the subject, with a chart
designating specific problems followed by progress towards rectification.
The toilet overflow was caused by a rinse-valve which was sticking open.
The temporary remedy is a valve modification, but a redesigned valve is on
the way.  The individual toilet shutdown and the whole-system shutdown have
been caused by electrical transients which affected the digital flush
control units (FCU--the minicomputer activated by the button which the user
pushes to flush the toilet) and the vacuum system controller (VSC--another
microprocessor).  The printed circuit boards for the FCU and VSC were under
study for modification, and new software should have been supplied for them
both by now.  As for the drain blockage, Airbus and the system vendors were
examining the suction unit in thorough system tests, and hoped to have a
result by the end of August."

It should be added that the A320's fuel efficiency is listed at 40% better
than that of the 727.  Overall efficiency has yet to be determined.  The order 
book stands at either 428 aircraft ("Flight") or 350 aircraft ("Aviation 
Week").  The word "computer" and the term "high-tech" is very clearly selling 
the airplane.  Flight lists eleven A320's currently in service.

Robert Dorsett                                    University of Texas at Austin
Organization: Austin UNIX Users' Group, Austin, TX

ANI/911 Misconceptions

Dave Robbins <>
Fri, 9 Sep 88 11:00:46 EDT
It may be worthwhile to clear up some small misconceptions that have been
appearing in the Automatic Number ID discussion.  More than one correspondent
has equated the 911 automatic identification with the calling-number
identification just now becoming available to local subscribers.  In fact, the
two are entirely different features — implemented differently and having
nothing little more than their general behavior in common.  In particular:

1) "Enhanced 911" (as it is properly called — regular 911 is nothing
   more than an easy-to-remember and quick-to-dial number; it does not
   identify the caller) is implemented by essentially the same
   mechanism as ANI for toll calls.  In both cases, the calling number
   is sent out over a trunk line, not over a local subscriber loop.  As
   far as I know, this type of calling number identification has never
   been made available to businesses, as one correspondent suggested it might.

2) Calling-number-identification (there is a marketing name for this, but
   I forget it offhand) is a feature available only from the newest
   ESS and competing switches, and requires special equipment on the
   subscriber's premises as well as special hardware and software on the
   switch (and of course more money from the subscriber :-).  As far as I
   know, each subscriber has the option of specifying — permanently --
   whether or not his number will be disclosed to others via this feature;
   the default value for this option would reflect the subscriber's current
   selection of a published or non-published number.  In addition, as
   mentioned by some correspondents, on a given call a subscriber may
   choose — via a dialed prefix — whether or not to allow the display
   of his number on the called phone.

Caveat: although I do work for a "phone company" my knowledge of the
above is not necessarily 100% accurate or up-to-date, since I have not
been directly involved with the gory details of these particular

RISKS relevance?  My concern is twofold:

1) Confusion between two apparently similar but in fact considerably
   different systems can result in the risks of the one being *assumed*
   to be identical to the risks of the other, when in fact this is not
   the case.  In the example at hand, there is no assumption of a right
   of privacy when calling 911, but there is an assumption of such a right
   when calling everyone else.  These assumptions are made by the respective
   systems, reflecting what is presumed to be the same assumptions made
   by the general public.  Viewing one system as though it were the other
   changes the perceived risks.

2) Much of the discussion in RISKS on this topic (and others, of course)
   is based upon incomplete information and therefore incorrect
   assumptions about the technology involved.  This is, I realize, a
   general problem, and perhaps unavoidable.  However, when discussing
   the risks of technology, computer or otherwise, we need to take
   particular care to base the discussion upon the facts, so that we can
   discuss the risks of the system as it actually is implemented.  

Dave Robbins, GTE Laboratories Incorporated, 40 Sylvan Rd., Waltham, MA 02254

Re: Display of telephone numbers on receiving party's phone

Sat, 10 Sep 88 00:25:03 EDT
People are missing an important issue here:  there is no one-to-one
correlation between the number you are calling from and your identity.
In particular, it is quite possible to have situations in which a call
is not anonymous — in the sense that the caller has no intent to hide
his identity — but does not want his location known.  This is also the
underlying problem behind having phone solicitors calling from uncallable
numbers:  what you want is identity and contact information, not just the
number used to make the call.
                                     Henry Spencer at U of Toronto Zoology

Social content of computer games

Thu, 8 Sep 88 08:38:56 PDT
Ed Nilges writes of the decline of the social and moral content of games.  But
he examines only a small number of games.  Consider chess, that game which
allows players to act the roles of strategists without teaching them either the
misery of dying under a horse's hooves or the evils of a caste system.  The
tactics are beautiful; the content is vile.  Clearly it is not technology
encouraging any moral or social decline here.  Perhaps parents should picket
chess clubs.

Nilges' examples are not representative of the games.  The top character of
Punch-Out is black.  Metroid features a character in a suit of high-tech armor.
If the player has done well enough at the end of the game, the character will
take her helmet off.  Many games take the form of a quest to defeat evil --
Ghosts 'N Goblins, Legend of Zelda, Solomon's Key, Super Mario Brothers.
Popeye is supportive of the underdog.  Games like Gauntlet or Mario Brothers
reward teamwork.  Penguin Land requires that one learn to take care with a
fragile egg.  There is a wide variety to be found in games, so one could find
examples of many things by concentrating on only certain features. 

Computers have made games flashier, more fun, faster, and more visible, but
they have not changed the social content.
                                Eric Postpischil

Social content of video games

Sat, 10 Sep 88 00:25:26 EDT
>How many computer professionals have noticed the continual technical
>improvement of video games in the past couple of years, and the
>concomitant decline of their social and moral content? ...

As has been pointed out in the past, this is silly.  The social and moral
content of chess or Monopoly is also deplorable, looked at from the same
viewpoint.  (Chess is a wargame; the objective of Monopoly is to drive
your friends and relatives into bankruptcy.)  Video games only make it a
bit more obvious.  Wargames, in particular, long predate video games.
Is it less moral to strafe the bad guys in a video game than to condemn
thousands of hypothetical troops to death by moving a counter on a board?
Which is more depersonalizing?
                                     Henry Spencer at U of Toronto Zoology

"Viruses Don't Exist" and the Marconi Mysteries...

Mark Moore <>
Wed, 07 Sep 88 17:30:40 EDT
I received one of those info-card packs (I forget from whom) as a result
of having my name and address sold by Dr. Dobb's.  I filled out a few of the
cards and received a catalog from Public Brand Software, which is a shareware/
freeware clearing house based in Indianapolis, IN.

Here are a few quotes on from the third page of their catalog entitled
'Topic: VIRUSES'

  'It seems like a couple of national magazines first thought up the concept
  of MS-DOS viruses.  Unfortunately, a lot of people read these magazines and
  believe everything that they read.  But let's get a couple of definitions
  clear first.

    virus, n. 1. a purposely destructive computer program that can
      propagate itself by modifying other computer programs (such
      as COMMAND.COM) to make them destructive.  2. a destructive
      myth perpetrated to sell a product and/or fill editorial

The article goes on to claim that viruses are myths akin to friend-of-a-friend
stories; popular magazines are perpetuating the myths to have something
sensational to print; engineers are doing the same in order to sell vaccines.
They claim that they've searched high and low and can find no such thing as a
virus.  'Simply put, there is no such thing as a virus.  There never has been.

Sounds like a dangerous attitude to me.

On a different note...  For those interested in a book which follows a plot
with a striking similarity to the Marconi incidents, try _The Chain of Chance_
by Stanislaw Lem.

Please report problems with the web pages to the maintainer