The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 9 Issue 69

Tuesday 20 February 1990

Contents

o A320 accident
Nancy Leveson
George Michaelson
o Ferry line replaces "sail-by-wire" with pneumatic controls
Jon Jacky
o Now Prodigy Can Read You
Donald B Wechsler
o 3 KGB Wily Hackers convicted, mild sentences
Klaus Brunnstein
o Problems/risks due to programming language, stories requested. [Item Includes AT&T "do...while"..."switch"..."if"..."break" tale]
Gerald Baumgartner
o AT&T Says New Goof Wiped Out Many Toll-Free Calls
David B. Benson
o Re: Computerized Collect Calls
Adam Gaffin via Mark Brader
o RISKS of ANI blocking
James C Blasius
o "Brilliant Pebbles"
Gary Chapman
o Info on RISKS (comp.risks)

A320 accident

Nancy Leveson <nancy@murphy.ICS.UCI.EDU>
Wed, 14 Feb 90 12:09:11 -0800
From the AP wire: by Sharon Herbaugh, Associated Press Writer,

NEW DELHI, India (AP) - An Indian Airlines jet with 146 people aboard crashed
and burst into flames while attempting to land at a southern Indian airport
today and 91 people were killed, authorities said.  The Airbus 320 crashed at 1
p.m. while on final approach to the runway at Bangalore airport, airline and
airport officials said.  The plane apparently grazed a grove of trees and
crashed about 50 yards from the runway, they said.

State-run television showed shots of the crash site, a grassy plain on a golf
course adjacent to the airport.  The craft's tail was intact, but its fuselage
was shattered and charred and the nose smashed.  "The crash occurred before the
plane touched the runway, and it caught fire as soon as it crashed," said P.S.
Ghetty, airport manager in Bombay, where the hourlong flight had originated.

The crash was the first by the sophisticated Airbus 320 on a commercial flight.
One of the planes crashed in a demonstration flight at an airshow in eastern
France in 1988 killing three people and injuring 50.  Airline officials said
the plane, which was an hour behind schedule, carried 139 passengers and a crew
of seven.

[More about injuries]

Airline officials did not know what caused the crash, but they said weather
was not a factor.  The jet was acquired by the nation's government-run
domestic carrier about three months ago for $38 million.

After Indian Airlines announced it was adding 31 Airbus 320s to its aging fleet
of Boeing, Fokker, and Avro planes, news reports criticized the airline for
failing to adequately train pilots to fly the sophisticated aircraft, the first
civilian airliner with a fully computerized flight control system.  The carrier
also was criticized for failing to provide adequate hangar space to house and
maintain the planes.

[more about some previous Indian Airlines accidents]

Indian Airlines, the major domestic carrier, flies to 73 cities nationwide
and to nine nearby countries.  It has come under criticism for allegedly
failing to maintain pre-flight safety procedures on its fleet and to adequately
supervise its pilots.  Delays in flight schedules are also endemic.

The A320, built by the European consortium Airbus Industrie, is the first
civilian airliner equipped with a fully computerized flight control system,
which the manufacturer says permits safer, electronically controlled flight.
Developed at a cost of nearly $2 billion, the A320 was certified for flight on
Feb. 26, 1988, and went into service in April 1988.

[There have also been some unofficial radio reports that suggested that the
flight control system was involved in this crash.  My friends in the
industry say that this cannot possibly be known for a while. nancy]

   [Also noted by Robert Dorsett (rdd@rascal.ics.utexas.edu)
   and David B. Benson (benson@cs2.cs.WSU.EDU), Steve Milunovic
   <Steve_Milunovic@quikmail.sri.com>.    PGN]


yet another A320 problem

George Michaelson <ggm@cc.uq.oz.au>
Thu, 15 Feb 90 16:39:16 +1100
[...] Doubts were expressed about the ability of the airline to maintain the
complex flight control equipment, and the effects of dust on the system, both
with explicit reference to computing systems.

I find it hard to raise any possible risks in technology transfer to developing
countries (does that label apply to India?) given the overtones of chauvinism
if not downright racism, but it seems from this interview as if the Indian
engineers themselves question their ability to handle this package.

I suspect other parallels exist with well-meaning donation/supply of IT
infrastructure that failed to match local conditions, e.g. lack of tropical
"hardening", availability of spike-free UPS, spares, training.

sort-of comp.society but has some RISKy overtones...    -George


Ferry line replaces "sail-by-wire" with pneumatic controls

Jon Jacky <JON@GAFFER.RAD.WASHINGTON.EDU>
Mon, 19 Feb 1990 20:02:49 PST
This article appeared in IEEE SPECTRUM, vol 27, no 2, Feb. 1990, page 54:

FAULTS AND FAILURES: FERRY ELECTRONICS OUT OF CONTROL by Karen Fitzgerald
with John R. Devaney and Robert Thomas

In a seeming reversal of progress, Washington State Ferries, the agency that
manages the United States' largest ferry transportation system, has begun
replacing the electronic control systems of six of its boats with pneumatic
controls.  A string of failures, beginning in the early 1980's after the
Issaquah-class ferries were introduced, eventually forced the change.  Ferries
rammed docks, for instance, or puttered away from them even though no command
was given.  In a few instances, a ferry shifted from forward to reverse with
no warning.  In contrast, an Issaquah boat retrofitted last June with a hybrid
electro-pneumatic system has outstripped all expectations, according to vessel
maintenance engineer Ben Davis.

[ Here the article includes a photo of an Issaquah ferry.  They are large,
carrying several hundred cars, their passengers, and hundreds of walk-on
passengers - JJ ]

As part of the state's Department of Transportation, Washington State Ferries
in Seattle operates 24 vessels, encompassing a variety of control systems.  No
others have had the problems of the six boats in the Issaquah class, which
are unique in having variable-pitch propellers, one at each end of the boat.
When the captain sets the control handle positions for transit or movement
near the dock, the control system must set the appropriate propeller speed,
pitch, and clutch engagement.  Variable pitch makes the craft extremely
maneuverable, able to move sideways and turn on the spot.

Many of the problems could be traced to the vendor, Propulsion Systems Inc.
(PSI), which went bankrupt in 1981 and was then bought by the ferry builder,
the now-defunct Marine Power and Equipment Co.  "The problem is not so much
with digital controls," said Davis, "as with horribly shoddy control system
design."

[ Here the SPECTRUM article describes examples, including poor understanding
of the propulsion system, grounding and shielding problems, poor protection
against power supply dropouts and transients, poor documentation and
configuration control, and incorrect assembly ]

... a 1986 Lockheed Shipbuilding Co. study recommended switching to pneumatics
to improve reliability. ... The agency chose a hybrid control system that
operates electrically from control handles to control cabinet ... but operates
pneumatically from cabinet to propellers and engine governors ...  (the
replacement control system is) supplied by Mathers Control Inc., Seattle. ...

- Jon Jacky, University of Washington (in Seattle)


Now Prodigy Can Read You

Wechsler, Donald B <m17434@mwvm.mitre.org>
Thursday, 15 Feb 1990 17:11:22 EST
The Prodigy Services publication, PRODIGY STAR, (Volume III, No. 1) recently
showcased a "major benefit".  The Prodigy system accesses remote subscribers'
disks to check the Prodigy software version used, and when necessary, downloads
the latest programs.  This process is automatic when subscribers link to the
network.

I asked Prodigy how they protect against the possibility of altering
subscribers' non-Prodigy programs, or reading their personal data.  Prodigy's
less-than-reassuring response was essentially (1) we don't look at other
programs, and (2) you can boot from a floppy disk.  According to Prodigy, the
feature cannot be disabled.


3 KGB Wily Hackers convicted, mild sentences

Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.dbp.de>
15 Feb 90 15:50 +0100
A court in Celle (a small town near Hannover, FRG) today (Thursday, 15 February
1990) convicted 3 KGB hackers of espionage (=to work for a foreign service
against the interests of the country) for the KGB. Sentences were mild and partly
significantly below the recommendation of the public prosecutor.  Markus H.
(whom Clifford Stoll regarded as 'the Wily hacker') was found guilty of having
intruded into US military computer systems 30 times (out of 450 attempts); his
sentence: 20 months' prison (for 3 years on probation) and to pay 10,000 DM; Dirk
B. was sentenced to 14 months and has to pay back 5,000 DM. And finally, former
croupier Peter C. (who essentially connected the links to the KGB but has no
knowledge of computing) was sentenced to 2 years and has to pay back 3,000 DM.
All of them lost the `citizen rights' (e.g. to participate in elections, either
passively or actively) for 2-3 years. The prison sentences are deferred for 3
years probation time. They were immediately released from detention pending
trial.

The chairman of the 2nd senate of the Nether Saxonian Criminal Court said in
his oral argumentation that the Federal Republic did not suffer seriously from
the hack, but that US military institutions and a large manufacturer were
damaged. (As German law does not have the same universality as US law, damage to
US institutions could not be prosecuted). Moreover, the court expressed strong
doubts that real damage was done: 'only' a security package of a large
manufacturer and the source code for a UNIX system were mentioned.  (The large
manufacturer is evidently preparing a civil case). Independent of whether the
sentences are accepted and will become valid, the estimations in the media about
billions of DM of damage were rather premature.

It will be interesting to analyse (in the written argumentation) why the court
did not convict the hackers of the hacker attacks (the German penal law
recently was updated by a new paragraph on computer espionage which was not
applied). The defenders tried (evidently successfully) to show that Cliff
Stoll's proofs were insufficient to show that the guy in Hannover (H.) really
was the guy whose commands were executed 10,000 miles away. With a court
without any knowledge (the chairman asked the hackers more than once `What
means ...' questions on e-mail etc.), with public prosecutors and with criminalists
who evidently lacked the basic knowledge, it may not surprise that the
defenders succeeded in putting the material in question (Cliff Stoll's book was
forbidden to be sold in its German version, due to several statements which the
defenders neglected).

I apologize for any misformulations esp. regarding legal language (I am not
educated as a lawyer); moreover, I hope that my personal doubts about the
competence of the criminal agencies, the prosecutor and the court are not
overstated here. On the other side, the 2 hackers (a 3rd one committed suicide
last year, and the defenders tried to load all the guilt on him) and the 4th
one, `Pengo' who may face another process (in Berlin), all belonging to the
so-called `Leitstelle 511' (due to the telephone prefix of Hannover) of Chaos
Computer Club are not those professionals as they are regarded by the media and
the lawyers.           Klaus Brunnstein


problems/risks due to programming language, stories requested

Gerald Baumgartner <gb@cs.purdue.edu>
19 Feb 90 07:42:16 GMT
    [Gerald is collecting stories on the risks of choosing the wrong
    programming language, including problems that could have been avoided if
    another (a better) programming language would have been used.  He cited
    the Mariner (but hadn't seen the newer explanations in RISKS-8.75 or
    RISKS-9.75), the Internet Worm fingerd problem, and the 15 Jan 90 AT&T
    slowdown.  But he included the following text on the AT&T problem.  PGN]

From: kent@wsl.dec.com
| | Subject: AT&T Bug
| | Date: Fri Jan 19 12:18:33 1990
| |
| | This is the bug that caused the AT&T breakdown
| | the other day (no, it wasn't an MCI virus):
| |
| | In the switching software (written in C), there was a long
| | "do . . . while" construct, which contained
| |    a "switch" statement, which contained
| |       an "if" clause, which contained a
| |          "break," which was intended for
| |       the "if" clause, but instead broke from
| |    the "switch" statement.
| |

    Again it looks like this bug wouldn't have occurred in another
    programming language.

You C what I mean? Do you know other stories like these, if possible with
references? I don't want to praise Ada or pick at C and Fortran; I am looking
for any story where a provably inappropriate/insecure programming language has
been used.

Gerald Baumgartner   gb@cs.purdue.edu   ...!{decwrl,gatech,ucbvax}!purdue!gb
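The control-flow shape described in the quoted note (a `break` inside an `if` inside a `switch` inside a `do...while`) can be reproduced in a few lines. The following is an added example written for this digest page, not the AT&T switching code (which is not on the page) and not Gerald's or Kent's code. The message types, the link-state fields and the message trace are all constructed assumptions; the point is only to show what C actually does with a `break` placed that way, next to the form that does what the author meant.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a small message loop with the control-flow shape
 * the digest item describes (do...while > switch > if > break).  Message
 * types and state fields are assumptions made for illustration, not
 * anything from the AT&T system. */
enum { MSG_LINK_DOWN = 1, MSG_LINK_UP = 2, MSG_KEEPALIVE = 3 };

struct link_state {
    int link_down;    /* 1 while the link is believed to be down */
    int recoveries;   /* LINK_UP messages that ended an outage */
    int ups;          /* LINK_UP messages actually applied to the state */
    int keepalives;
    int unknown;
};

/* Buggy form.  The author wants `break` to end the if-block early; in C it
 * ends the enclosing switch instead, so the two statements after the if
 * never execute while link_down is set, and the link is never marked up. */
void run_buggy(const int *msgs, int n, struct link_state *st)
{
    int i = 0;
    memset(st, 0, sizeof *st);
    if (n <= 0)
        return;                     /* do...while would read msgs[0] */
    do {
        switch (msgs[i]) {
        case MSG_LINK_DOWN:
            st->link_down = 1;
            break;
        case MSG_LINK_UP:
            if (st->link_down) {
                st->recoveries++;
                break;              /* meant for the if; leaves the switch */
            }
            st->link_down = 0;      /* skipped whenever link_down was 1 */
            st->ups++;
            break;
        case MSG_KEEPALIVE:
            st->keepalives++;
            break;
        default:
            st->unknown++;
            break;
        }
        i++;
    } while (i < n);
}

/* Corrected form.  There is nothing to "break out of" in an if-block, so
 * the stray break is removed and the common path runs for every LINK_UP. */
void run_fixed(const int *msgs, int n, struct link_state *st)
{
    int i = 0;
    memset(st, 0, sizeof *st);
    if (n <= 0)
        return;
    do {
        switch (msgs[i]) {
        case MSG_LINK_DOWN:
            st->link_down = 1;
            break;
        case MSG_LINK_UP:
            if (st->link_down)
                st->recoveries++;   /* outage ended; continue with common path */
            st->link_down = 0;
            st->ups++;
            break;
        case MSG_KEEPALIVE:
            st->keepalives++;
            break;
        default:
            st->unknown++;
            break;
        }
        i++;
    } while (i < n);
}

/* Constructed trace: one outage, two LINK_UPs, a keepalive, one junk type. */
static const int trace[] = { MSG_LINK_DOWN, MSG_LINK_UP, MSG_LINK_UP, MSG_KEEPALIVE, 9 };
#define TRACE_LEN ((int)(sizeof trace / sizeof trace[0]))

int main(void)
{
    struct link_state b, f;
    run_buggy(trace, TRACE_LEN, &b);
    run_fixed(trace, TRACE_LEN, &f);
    printf("buggy: link_down=%d recoveries=%d ups=%d\n", b.link_down, b.recoveries, b.ups);
    printf("fixed: link_down=%d recoveries=%d ups=%d\n", f.link_down, f.recoveries, f.ups);
    return 0;
}
```

On the constructed trace the buggy loop leaves the link flagged as down for good and counts every later LINK_UP as another "recovery", while the corrected loop clears the flag after the first one. The nested `break` is well-formed C, so the compiler accepts it without a diagnostic; the defences are code review that treats any `break` inside an `if` inside a `switch` as suspect, and restructuring so that the early-exit intent is expressed with `if`/`else` rather than a jump.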


AT&T Says New Goof Wiped Out Many Toll-Free Calls

David B. Benson <dbenson@cs2.cs.WSU.EDU>
Wed, 14 Feb 90 11:36:41 PST
The Wall Street Journal, Tuesday, February 13, 1990
By John J. Keller, Staff Reporter of The Wall Street Journal

New York -- American Telephone & Telegraph Co., still reeling from a crippling
network outage less than a month ago, suffered another accident on Friday that
wiped out toll-free 800 service to tens of thousands of callers nationwide.

AT&T blamed the latest disruption on a service technician who had forgotten to
program some information on a group of 800 numbers into a network computer.

Only companies subscribing to 800 numbers using the prefix 424 were affected,
said AT&T.  That included the Internal Revenue Service's toll-free, tax-service
number 1-800-424-1040.  Another IRS line that allows callers to order forms by
phone was also cut off.

AT&T declined to identify business and government agency customers other than
the IRS that were affected by the Friday shutdown, which lasted about 90
minutes, from 12:40 p.m. EST to a little after 2 p.m.

While that's nowhere near the nine hours that AT&T's network had problems on
the afternoon and evening of Jan. 15, it was an embarrassing epilogue to the
earlier breakdown.  Until the January problem, AT&T hadn't experienced a major
network problem in its 114-year history.  The January outage was caused by a
software programming error in the company's network signaling system.

"AT&T offers the most modern services, but this latest accident was at the
lowest level of sophistication," said Jack B. Grubman, an analyst at
PaineWebber Inc.  "That's not good."

The AT&T spokesman blamed Friday's accident, which he called a "very small
mishap" and a "minor inconvenience," on a network service technician who was
"load balancing" or making network routing changes to some 800 numbers.  The
technician was supposed to transfer the list of these 800 numbers from one
network control point to another, he said.  But apparently the technician
forgot to program the routing changes into one of the control points, shutting
down service on as many as 200 toll-free lines, including those leased by the
IRS.

An IRS spokesman said the agency didn't have a clear idea of how many people
were affected by the shutdown, but "obviously it was in the thousands.  We hope
it didn't cause too much of a problem."


Re: Computerized Collect Calls

Mark Brader <msb@sq.com>
Wed, 14 Feb 90 14:23:01 EST
On Jan. 7, New England Telephone began switching over to a new computerized
system for handling collect calls from touch-tone pay phones. Instead of an
operator, you get a computerized voice telling you to punch "one one" for a
collect call. Then you say your name, the computer dials the other number,
tells the person it's a collect call and then plays you back as you state your
name.

Just one problem. One of the reporters where I work was negotiating a sensitive
interview and needed to talk to the editor-in-chief. He didn't have any change,
so he tried calling collect. Another editor picked up the phone, thought it was
one of those "goddamned computer telemarketing things" and promptly hung up.

Adam Gaffin, Middlesex News


RISKS of ANI blocking

James C Blasius <dopey@iwtil.att.com>
Thu, 15 Feb 90 20:44:34 EST
AT&T has recently seen fit to start using Illinois Bell ISDN at my location,
replacing thousands of individual answering machines (that don't work with
digital phones) with an AUDIX answering system.

We have automatic number identification inside the complex, displaying the
caller's name on an LCD screen on the phone.  We can block ANI when we call
somebody, then the name shows up as PRIVATE.

However, if your ANI-blocked call goes to AUDIX, AUDIX leaves your phone number
along with your message!  Leaves me wondering how much I can trust commercial
ANI blocking if Illinois Bell even offers it.

(The other nifty feature of AUDIX is that it leaves a message of your call even
when you don't want it to.  Only fix I've found to this is to type *** and
confuse it).

James C. Blasius


"Brilliant Pebbles"

Gary Chapman <chapman@csli.Stanford.EDU>
Mon, 19 Feb 90 10:42:30 PST
The San Francisco Chronicle reports today that the Jasons, a group of
technically-oriented defense intellectuals who study weapons systems as
consultants to the Pentagon, have prepared a report on the "Brilliant Pebbles"
program that is highly critical of the concept.  Although the report was
delivered to the Pentagon last fall after the Jasons' summer study session, the
general thrust of the report was not revealed until yesterday, Sunday, February
18, at a symposium at the annual convention of the American Association for the
Advancement of Science, being held in San Francisco.  A summary of the Jasons'
findings was presented by John M. Cornwall, professor of physics at UCLA and a
member of the Jasons group.  Also part of the symposium was Lieutenant General
George Monahan, director of the SDIO.

General Monahan told the audience that it will cost between $50 and $60 billion
to develop and deploy "Brilliant Pebbles," although others have put the cost at
$100 billion.  General Monahan said, "We could have a very robust first-phase
defense" with "Brilliant Pebbles."  "And the technology is at hand to deploy
such a system, so the major considerations now are political."

Cornwall, however, said that the Jasons do not consider the technology to be at
hand, and he outlined a number of problems with the "Brilliant Pebbles"
concept.  He said that the system would be "a somewhat leaky defense," and the
"pebbles" would be vulnerable to countermeasures.  They would also be
ineffective against hostile missiles using fast-burn boosters. Cornwall also
reported that the lasers proposed as guidance mechanisms for the projectiles
are currently inadequate for the job.

Cornwall concluded, "This design is not ready to be locked into place."  He did
recommend further support, however, because the system may eventually prove to
be a "near-term" possibility.  The Bush administration's proposed budget for
the "Brilliant Pebbles" program has increased from $129 million in FY 90 to
$329 million in FY 91.
                                        -- Gary
