The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 83

Tuesday 20 June 1989


o Pacemakers, radios
Walter Roberson
o 'Traffic monitoring system used for spying'
Walter Roberson
o I am not a number... (unique postal codes)
Walter Roberson
o Medical history-on-a-card? ; Another ATM Risks
Edward A. Ranzenbach
o Re: Microcomputers in the operating theatre
Donald Lindsay
Keith Emanuel
o Hartford Civic Center roof crash
Peter Desnoyers
o Re: Risks of missiles
Jan Wolitzky
Gary Chapman
Bob Ayers
o Info on RISKS (comp.risks)

pacemakers, radios

Mon, 19 Jun 89 23:11:58 EST
A small article in The Ottawa Citizen, Fri. June 16, 1989, pg A18:

  "Stereo speaker risk to heart device

  BOSTON (Reuter) — Doctors in Chicago have some advice for people
whose hearts carry an electronic device for shocking the heart into
its proper rhythm — Don't hug a stereo speaker.
  Speakers apparently contain a magnet strong enough to deactivate an automatic
implantable cardioverter-defibrillator. The device, usually given to people who
have recovered from a heart attack, delivers a jolt to the heart when it begins
beating too rapidly to pump blood."
                                                Walter Roberson 

'Traffic monitoring system used for spying'

Mon, 19 Jun 89 23:18:09 EST
  NEW YORK (AFP) — Chinese authorities are using a British surveillance
system, developed to monitor road traffic, to spy on Chinese citizens and
foreigners in the streets of Beijing, Time said in its latest edition.
  The weekly news magazine said the so-called SCOOT system had been purchased
partially with development aid.
  Time also reported that the Beijing State Security Bureau had used the system
to document charges against Associated Press reporter John Pomfret, who, the
magazine added, was expelled last week after he was filmed meeting with a
source in his car outside a hotel in Beijing.
  Because the SCOOT system can be used to film at night, it allowed authorities
to film fighting outside Tiananmen Square during an army crackdown on
pro-reform demonstrations in which western intelligence sources said about
3,000 people died.
  Chinese authorities said 100 civilians were killed and about 1,000 others
  The authorities edited the film to show only sequences of aggressive
demonstrators attacking peaceful police, Time said.
  The sequences were shown on state television, which identified the protestors
as counter-revolutionaries.
  SCOOT also allowed authorities to pick out individual faces in the crowd.
These were also shown on television with a telephone number requesting help
from watches in identifying those who participated in the demonstrations.
  [From The Ottawa Citizen, Mon. June 19, 1989, pg A6]

[Please note: I'm not interested in discussing the politics of the
 situation in China. I have submitted this article based on the
 technological -> social implications ONLY. — WDR]

  Walter Roberson <Walter_Roberson@Carleton.CA>

                      [Also noted by Mike Olson <mao@postgres.Berkeley.EDU>.]

I am not a number... (unique postal codes)

Mon, 19 Jun 89 22:42:37 EST
A few weeks ago, the Canadian post office admitted to a secret "modernization"
office they have established. The high-tech research division of the post
office. One of the projects they were said to be working on was changing the
postal codes from its current 3 letters + 3 numbers, to a 10 "digit" system
(unclear whether it'd be pure numeric or not.) I was a little concerned about
that at the time: Statistics Canada releases some non-trivial information (eg,
the Canadian census) *broken down by postal code*. (As an aside, I've never
been too comfortable with that. They do take care that each grouping includes
at least 5 people — but it isn't too hard to extract an individual's data from
that, if you know something about the individual.) If StatsCan continued the
practice of releasing such information by postal codes, then establishing
extremely accurate postal codes is sure to make individual cases much easier to
deduce. (And remember, its not only a crime to give incorrect data to the
census people: its also a crime to refuse to answer the questions...)

Anyhow, having many other things to occupy my mind, I haven't been thinking
about the 10-digit scheme much. None-the-less, I did happen to notice the
following, buried in an article about which firm was being favoured to provide
some new sorting machines for the post office:

   The new equipment will incorperate many features tested by Canada Post in
the Paradigm Project, a high-tech research program started about two years ago.
   The program, kept secret until last month when it was reported on by
the Canadian Press, is being used to test a new 10-digit postal code
system Canada Post hopes to introduce within the next few years.
   The system is so precise that all addresses in the country, and
possibly all individuals, will be assigned individual codes."
   [The Ottawa Citizen, Mon. June 19, 1989, pg A4]

After I thought about it for a few seconds, I realized this is a -real-
possibility! Canada has about 25 million people, so an 8 digit scheme would be
enough to number them all individually (our social insurance numbers are 9
digits, including the check digit). A 10-digit number, then, has more than
enough capacity to identify individual people in Canada!

You can have unpublished phone numbers, but will they allow you to have
unpublished postal codes? (And if so, will you have to pay extra fo that?)

  Oh yes: although this story has a Canadian flavour, note that 10 digits
would be enough to encompass all of North America. After-all, phone numbers
within North America are only 10 digits, and they haven't run out of phone
numbers yet (though they will soon have to expand the area code scheme,
which currently only allows the second digit to be a 0 or a 1.)

  Walter Roberson <Walter_Roberson@Carleton.CA>

Medical history-on-a-card? ; Another ATM Risks

Tue, 20 Jun 89 12:53 EDT
In 1982, CII Honeywell Bull, France, unveiled the "CP-8" smart card.  This card
does indeed contain a tiny microprocessor and, I believe, 4K of memory.  This
was envisioned to have uses as an electronic payment card.  For example, I
would go to a compatible Automated Teller Machine (ATM) and transfer funds from
my account to the card.  I could then shop with the card at stores with CP-8
compatible readers and use the funds on the card to pay for my purchases.  The
major difference between this strategy and the Electronic Funds Transfers (EFT)
that we see today is that the CP-8 was deemed as valuable as cash.  The
repository of account information was the card itself.

Now some may say that EFTs are subject to per-transaction authorization over a
network.  I know however that my bank does not have a network connection but
actually contracts to a larger bank for EFT services.  Thus, there is no direct
check of my account for authorization.  Instead, my bank authorizes a maximum
of $200.00 per 24 hours per customer.  The contracted bank simply ensures that
I do not exceed that authorization.

An advantage of the CP-8 was its audit trail.  All transactions made against
the card are audited by the processor and the user can take the card to any
CP-8 ATM and receive a printout that shows the date, time, location (machine
ID) and amount of the last N transactions.  Kind of like having your statement
in your wallet.

There were plans in Sweden to implement a scheme for the rationing of
liquor purchases from state run liquor stores using the cards but I'm
not sure this came to fruition.  I'm not sure if this card has found any
real uses or if it has been upgraded (4K of memory?).

I saw a couple of risks here.  The card is money in my pocket.  Although I
might not feel confident about walking around the streets of New York with
several hundered dollars cash I might be lulled into a false sense of security
and think nothing of transfering several hundred dollars to the card.  Thus if
the card was lost, stolen, or damaged it was the same as having my wallet full
of money stolen.  In addition to the standard means of damaging the card, we
found that significant impact to the surface could damage the cards ability to
process or store information (we hit it with a hammer, not very subtle but it
showed a weakness).

On a separate but related issue, I found that the password standard for
the Cirrus, Star and New York Cash Exchange (NYCE) ATM networks is a
four digit password.

I was impressed by the BayBanks ATM network when it first came into being
because it offered me a maximum eight (letter) digit password thus giving me
10**8 possible values.  During use of my ATM card I noticed that the screen
would always flicker as soon as I entered the fourth letter in my password.  I
decided to "play" a little and noticed that only the first four letters of my
password were required to be entered (and thus were included in the validation
of my authorization).  Thus, there are only 10**4 possible passwords.  Cirrus
advertizes access to 20,000 ATMs nationwide.  Interesting to note that there
are twice as many ATMs as possible passwords to protect my account from being
misused on them.  Maybe someone should send them a copy of the NCSC Password
Management Guideline, CSC-STD-002-85...

Edward A. Ranzenbach, Gemini Computers Inc.  All standard disclaimers apply.

Re: Microcomputers in the operating theatre

Tue, 20 Jun 1989 13:30-EDT
In RISKS-8.82, Ken Howard says:

>Martyn addresses the obvious risk from the hardware/software reliability
>point of view here. The other not so obvious risk is that a BBC micro
>is not certified for use in an environment containing explosive gasses
>such as are used in anesthesia .... 

Actually, it's even worse. Operating theatres contain numerous
devices, which shouldn't interfere with each other, but do. (An EEG
in such a place can often detect brainwaves in lime jello.) There are
also standards for electrical leakage - since the patient tends to be
a common ground to numerous circuits.

Hospitals also use equipment differently from other places. Suppliers
learned years ago that equipment with a flat top will wind up at the
bottom of a stack, for example. A flat top will also attract bags,
bottles and bowls of fluid, which will get spilled.

I'd also worry about the lack of professional design review. For example, what
happens to the patient if there's a power glitch?  How about reasonableness
checks on dosage?  How aware will the operator be of the computer's actions?
How quickly could he stop it (emergency off)? My experience with beginning
programmers hardly inspires confidence in an MD's first effort.

Re: Microcomputers in the operating theatre (Thomas, RISKS-8.79)

20 Jun 89 07:13 EDT
    There is more than just performance here.  In an operating room the
anaesthetist is responsible for his own actions. He bares the consequences of
his judgements as a responsible professional.
    In the case of a microcomputer malfunction who is responsible ?  Is it
the manufacturer ? The programmer ? Perhaps the technician who maintains the
equipment ?  Further, Electronics devices have recognized mean times to
failure. Does this mean that we are installing a device in a life critical
situation that we know will have a failure down the road ?  Would we certify a
doctor who we knew would fail ?
    Lastly, the state of the art in software expert systems is still a long
way from being able to deal with the subtle differences between patients or
subtle changes in a patient's condition during an operation.  It is for that
reason that the doctor is indispensible (no pun).
                                                  Keith Emanuel,  Xerox Corp. 

Hartford Civic Center roof crash (Desnoyers, RISKS-8.81)

Peter Desnoyers <>
Tue, 20 Jun 1989 10:24:34 PDT
In RISKS Digest 8.81 Richard S. D'Ippolito writes:
  (in reference to the Hartford Civic Center roof crash of January '78)

  [joint was modelled incorrectly as having no eccentricity, when 
   simulation was re-run correctly the roof did not hold.]

>Quite simply, the problem here was: The structure analyzed was not the
>structure built.

This may have been only one aspect of a more wide-spread disregard for 
safety in the construction of the first Civic Center roof. It was widely 
reported in the local papers afterwards that there had been only one 
part-time weld inspector during construction - he was a high school math
teacher and evidently only worked on Saturdays or something like that. 
[disclaimer - this is from memory and may not be completely accurate.]

In other words, if they had cared about safety, they might have been more
likely to catch errors in the simulation. 

Peter Desnoyers, Apple ATG                               (408) 974-4469

Re: Risks of missiles

Jan Wolitzky <wolit@cbnewsm.ATT.COM>
20 Jun 89 18:32:28 GMT
>                                                             ... At this
> point it is gliding until it releases its warheads. The missile has no
> mechanism for sensing where it is and aiming the warheads accordingly - it is
> just told, BEFORE LAUNCH, "point here, release a warhead, point there, release
> a warhead, etc." The point is that all errors in the launch are cumulative and
> no mechanisms exist to correct them.

This is incorrect.  There certainly is an inertial guidance system aboard all
versions of the Minuteman missile (only IIs and IIIs are currently active).
And while is it true that the solid-fuel boosters on such missiles are not
throttleable per se, any point up to the missile's maximum range can be
targeted by changing the ballistic trajectory.  Besides, there _are_ various
thrust termination mechanisms available for solid rockets (blowing off the
nozzle, venting the combustion chamber, etc.), though I am not aware which, if
any, are used on the various Minuteman stages.

Even after burnout of the last stage, the warheads of the Minuteman III
still do not follow a purely ballistic trajectory.  This missile
carries three _independently_targetable_ re-entry vehicles, attached
to a maneuverable "bus."  The bus is powered, and changes its
trajectory before releasing each of its warheads.  I believe the
maximum separation between targets of warheads on a single missile
is classified information.

Finally, more recent warheads (tested on the MX missile) are themselves
maneuverable during re-entry, for evading ABMs.  There is evidence
that the D5 warhead being developed for the Trident II missile will
use satellite navigation signals from the Navstar Global Positioning
System (GPS) for terminal guidance.  (The Pershing II warhead,
incidentally used Terrain-Contour Matching (Tercom) radar for terminal
guidance.)  These mechanisms could remove much of the uncertainty
involved in firing missile over previously unflown trajectories.

Please forgive my lengthy response, especially since I am uncertain
what this discussion is doing in comp.risks in the first place.

Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998; mhuxd!wolit
(Affiliation given for identification purposes only)

Re: Risks of missiles

Gary Chapman <chapman@csli.Stanford.EDU>
Mon, 19 Jun 89 15:43:09 PDT
I don't want to drag out a discussion of ICBMs, which probably belongs in
ARMS-D, but just to offer an addendum, or a slight correction, to Steven Den
Beste's recent posting (RISKS 8.82, Risks of Missiles).  He said that all tests
of Minuteman missiles have been conducted in flights from Vandenberg to
Kwajalein atoll.  Actually there have been four tests of Minuteman missiles
launched from silos, and all four of them failed.  

-- Gary Chapman
   Executive Director, Computer Professionals for Social Responsibility

Re: Descriptions of Minuteman Missiles

Bob Ayers <>
Mon, 19 Jun 89 17:21:50 PDT
I am not an expert on missile systems, but even from the little knowledge
tht I have, I do not believe the statements of denbeste@BBN.COM about the
Minuteman system. He writes (in risks 8.82) "The missile has no mechanism
for sensing where it is and aiming the warheads accordingly ... all errors
in the launch are cumulative and no mechanisms exist to correct them."

I suggest that, while the Minuteman has no mechanism that actually _looks_
to see where it is, it _does_ have positional feedback in the form of
intertial mavigation subsystems. So it is _not_ travelling in a "dead
reckoning" mode as the end of the above quotation asserts.

And I find the bald statement that the Van Allen belt and the different
"g" field in northern regions damage missle targeting, with no supporting
remarks whatsoever, to be .. um .. curious.  I don't know, and I doubt
that he knows, either — though I would be very surprised to learn that
the U.S. military doesn't understand the Earth's gravitational field and
its effects on bodies in icbm trajectories.

Please report problems with the web pages to the maintainer