The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 58

Monday 17 April 1989


o Cruise Missiles with "Polish"
Ralph Vartabedian via Nancy Leveson
o Computerized parts supply
Jim Haynes
o RFI and Elevators
Martin Ewing
o Aegis the almighty
Henry Spencer
o Thoreau and Navigation
Eric Roskos
o Risks of automatic order entry in restaurants
Daniel Klein
o Re: Most Accurate Clock
Clay Jackson
o Fuel Management/Mis-management
Mike Brown
o Companies mask ANI to calm callers
Bob Wallace via GEBM
o The dangers of electric windows
Martin Cooper
o Careless tape transfer procedures
Peter Jones
o Info on RISKS (comp.risks)

Cruise Missiles with "Polish"

Nancy Leveson <nancy@commerce.ICS.UCI.EDU>
Sat, 15 Apr 89 13:41:29 -0700
From the L.A. Times, Saturday, April 15, front page.

by Ralph Vartabedian, Times Staff Writer

On her very first day at Northrop's Western Services Department in El Monte,
which produced guidance devices for nuclear-armed cruise missiles, Florence
Castaneda said she knew that "something was terribly wrong."  In an electronics
"clean room," Northrop employees were smoking cigarettes, boiling water for
soup, eating lunch at their work stations and watching soap operas on a
television set mounted on the supervisor's desk, she recalled.  Castaneda
noticed that instead of using industrial solvents to clear and prepare circuit
boards for soldering, workers were using a jar of Tarn-X, a retail brand of
polish for silverware.  "There was a price tag on it from Thrifty Drug Store,"
she recalled.  "I hadn't seen this kind of work being done in the aerospace
industry."  ...

As a result of their efforts, a federal indictment was filed earlier this week,
charging their former supervisor, Charles Gonsalves, with criminal fraud.
Tests were allegedly faked and in some cases not performed at all on cruise
missile guidance systems and on stabilization systems for Marine Corps jet
fighters, the indictment said.  Besides Gonsalves, criminal charges were filed
against Northrop itself, two high-ranking executives and two other supervisors.
Northrop has said the criminal charges against it and two current executives
are "unwarranted," but the firm has acknowledged that problems existed at the
plant and that Gonsalves and three other employees have been fired.  ...  Not
only was the plant manager, Gonsalves, charged with fraud, but the factory's
quality assurance supervisor and its chief engineer were indicted.

Unlike many other defense industry whistle-blowers, Castaneda has no financial
stake in any False Claims Act law suits, which individuals can bring on behalf
of the government and share in the damages.  She was motivated by a sense of
concern over "those nuclear missiles out there" that she always worried "could
be the start of World War II."  ...  "I called the FBI in November, 1986.  They
told me I sounded like a disgruntled employee and that it was a case of sour
grapes," Castaneda recalled. (Justice Department officials declined to comment
on Castaneda.)  It was not until a nephew in the Air National Guard arranged a
meeting with Air Force agents from the Office of Special Investigations that
anybody would listen to her story.

In January, 1987, an OSI agent [met with Castaneda and fellow workers Barajas
and Meyer].  "Florence had earlier attempted to contact Northrop, but nothing
ever happened," Barajas said. "Pat Meyer and Florence called back east to
Precision Products Division [the corporate parent of Western Services
Department] to say problems were going on.  After that, absolutely nothing was
done.  It disgusted everybody.  We knew that if we tried to complain, nothing
would be done."  Barajas said that he wrote an anonymous letter to corporate
executives at Northrop, but the letter eventually ended up back with Gonsalves.
"He posted it on the bulletin board to tell everybody that it wouldn't do any
good to complain.  He laughed at it.  He said, `Whatever fool tried it, it
didn't get anywhere.'"

After the investigation was launched in 1987, however, government agents met
with the employees once every other week at Barajas' house.  Barajas provided
investigators with a computer tape used to falsify tests on cruise missile
systems built at the plant.

[The rest of the article describes details of the investigation including
wiring one of the employees with a tape recorder.  There is also a bizarre
story about a psychologist who had been assigned to Castaneda after a temporary
disability claim in April 1985, who visited Castaneda at home three times a
week for two hours each time for several months.  "She told me to forgive
Northrop and to forgive Mr. Gonsalves — to ask God to forgive them — and to
just go back to work," she said.]

Computerized parts supply

Jim Haynes <haynes@ucscc.UCSC.EDU>
Mon, 17 Apr 89 13:41:49 -0700
From a book review in Science magazine, 7 Apr 89

  "He even tells us about his disappointment upon learning that a part he was
  ordering from a catalogue couldn't be shipped until the next week, in spite
  of a promise in the catalogue of same-day service.
  `You must have a very old catalogue,' he was told, without a trace of
  irony.  `Now we have a computer.'"

The book reviewed is "Ideas and Information: Managing in a High-Tech
World" by Arno Penzias; Norton, New York, 1989. 224 pp. $17.95

RFI and Elevators (Morris, RISKS-8.57)

Martin Ewing <>
Sun, 16 Apr 89 23:30:05 PDT
[On the subject of radio amateurs transmitting in elevators:]

In fact, radio amateurs are allowed to do various things other than talk to
each other.  They may operate radio control aircraft, they may evaluate
antennas, and they may run RFI tests — usually to minimize interference from
their own transmissions to TVs, etc.  Horsfal's downfall [oops, no pun] might
come if he did not properly identify himself with his call sign.

The more interesting point for RISKS is that a 3-watt handitalkie is NOT an
especially unusual device to be found on an elevator.  Our buildings &
grounds people carry them around all the time, and they certainly aren't shy
about using them near elevators — or your pacemaker, for that matter.

Elevators and other 'smart' safety-critical gadgets like automotive
microcomputers must have a defined behavior in any likely electromagnetic
environment.  They don't have to work, but they should fail safe.

Martin Ewing, AA6E, Caltech Radio Astronomy

Aegis the almighty

Sun, 16 Apr 89 23:16:29 -0400
In the Feb 27 Aviation Week, in an article on US Navy antisubmarine warfare
and future plans for same:

    The fundamental problem with ASW is that it is very complicated.
    There is no single system that is a panacea, like Aegis is to
    air defense, Rear Adm. James R. Fitzgerald, director of the
    antisubmarine warfare division of naval warfare for the chief
    of naval operations, said.  "If there were, the Navy would buy
    a lot of them and declare the problem solved."

The view of Aegis that is revealed in this is, um, interesting.

                                     Henry Spencer at U of Toronto Zoology

Thoreau and Navigation (Harper, RISKS-8.56)

Eric Roskos <>
Mon, 17 Apr 89 13:04:31 E+
Thoreau had a considerable interest in this subject, actually.  In one of
his earlier works (I think "The Maine Woods") he tells in great detail the
story of the incident he's probably referring to here, in which a ship split
open after colliding with a rock called "The Grampus" ("grampus" being the
name of a kind of whale, the name coming from the Latin "crassus pisces," or
"fat fish").  He saw a large sign that advertised the disaster like a circus
poster, and he and his brother turned aside from their trip to go see.  He
ends up the story with the moral "The resolute man's purpose cannot be split
on any grampus," which was the cryptic quote in my signature line for a long
while on the Usenet, back when we subscribed to it here.

It is good to see someone reading Thoreau; he had a lot of comments on
the progress of technology, and had a great appreciation of telegraph wires
for reasons other than merely the fact that messages were sent down them.

    "... we will see that some will be riding, and the rest will
     be run over; and it will be called, and will be, `a
     melancholy accident'."

[His comment on public enthusiasm for new technology, and the fact that often
in the end it turns out not to be that useful, and sometimes harmful, for many
of the people who were most enthusiastic about it.  In this case, he was
talking about the new steam locomotive that was coming to Concord.]

Risks of automatic order entry in restaurants

Daniel Klein - 412/268-7791 <dvk@SEI.CMU.EDU>
Mon, 17 Apr 89 00:28:06 EDT
Last week I had the pleasure of eating in one of those restaurants that has an
automatic order entry system.  This is a system whereby the waitroid has a hand
held terminal onto which s/he enters the table's order, and this order is
relayed via infra-red to a pickup in the ceiling, thence to the central order
computer, and finally to the chefs in the kitchen.  It is a marvelous system,
as long as it works.

In this case, the chef stolidly maintained that he never received one of our
orders.  Since the computer had not told him to service an order, he refused to
do so.  The waiter was unable to convince him.  Similarly, the waiter refused
to resubmit the order, since his terminal informed him that it had been
processed, and if he resubmitted the order, he would be liable to collect
double the fare.

We waited for over two hours for our food, until we advised him that the
hand-held terminal would find a very uncomfortable location on his body if
*we* got our hands on it :-)  It took the intervention of the manager to get
the food (and why it took 2+ hours, I will never know).

In the end, the waiter apologized to us, graciously explaining that it was a
"computer error" that had caused all the delay.

Re: Most Accurate Clock (RISKS-8.56)

Mon Apr 17 08:35:05 1989
Here's a followup to the article I sent last week about HeathKit's "Most
Accurate Clock" and Daylight time.

After my problems with the clock being exactly 1 hour off, I checked with both
Heath and NBS (the folks who run WWV/WWVH) and discovered that the embedded
digital signal does indeed include a packet which indicates Daylight time.

The decision to send the packet is controlled by a manual switch at the
WWV site in Ft Collins.  According to NBS, "...our people don't make
mistakes when using that switch..(paraphrased)".  According to Heath,
"We've had several complaints about this over the years".

I'm certainly glad that I don't have anything depending on the correct hourly
readout from that clock! (although I do have my computer system set up to set
its time from the clock once a day).
                                                 Clay Jackson, Microsoft

Fuel Management/Mis-management

Brown <>
Thu, 13 Apr 89 16:41:48 EST
The discussion on the Boeing fuel management issue reminds me of an issue that
we dealt with when I first came to work here at NSWC.  The first A6-E aircraft
delivered to the Navy had severe fuel management problems.  In fact, the first
A6-E I saw we dug out of the swamp near Norfolk VA.  The A6-E has two wing tanks
and a main tank behind the cockpit.  However, to be used, the fuel in the wing
tank must be pumped into the main tank from which it is pumped into the engine.
The pilot took off with an indication of a full main tank and full wing tanks.
During ascent, the engines flamed out.  The pilot suspected that the main tank
was empty and started the transfer from the wing tanks to the main.  However,
the pumps were not fast enough and he could not restart the engines.  The
problem was a failure prone fuel level indicator.  The advantage that a
computer would have added is that it would have made the same error that the
pilot did - assuming that the indicator was correct.  Therefore, we can still
blame the pilot for not checking the tank prior to take-off.
                                                                 Mike Brown

Companies mask ANI to calm callers

Sat, 15 Apr 89 15:53:18 EDT
The following condensed from Bob Wallace, Network World v6#7 2/20/89 pg 1.

Fear of alienating customers has encouraged some companies to rethink the way
they use ISDN's automatic number identification (ANI) capability.

American Express Travel Related Services Co. (TRS), AT&T's first commercial
ISDN user, reportedly found that customers were startled when some of its
agents greeted them by name.  TRS has since prohibited the practice.
Richard Zatarga [TRS employee], in a presentation at a "Preparing for ISDN"
conference in Toronto (12/88), said TRS now avoids identifying callers by name.
"We have changed the way we answer the [telephone].  We know who they are, but
we still hunt for information" from callers as if we had to identify them.

Although TRS has since denied that it used ANI to identify callers by name and
that it received negative feedback from cardholders, sources close to the
project who requested anonymity said numerous users reacted unfavorably to
personalized greetings.  TRS "learned that you don't answer the telephone with
the customer's name."

American Transtech, a wholly owned subsidiary of AT&T (and the first company to
test ISDN Primary Rate Interface [32B+D]), processes one million calls a day,
making it the nation's fourth largest telemarketing company.  The company does
not, however, greet callers by name. "We could do it, but we don't want to let
customers know we can capture their telephone number," said a spokesman. "We
don't use [specialized greetings] because it would intimidate callers."

Besides the RISK of alienating customers with ANI, there is a pervasive fear
among prospective ANI implementors that callers will raise legal objections to
ANI once they know how it works.  People with unlisted phone numbers are
expected to spearhead that movement.

According to Huel Halliburton, a communications manager with Centel Electric,
central office switches equipped to support equal access deliver the phone
numbers of callers with both listed and unlisted telephone numbers to
companies that use ANI.

The dangers of electric windows

15 Apr 89 14:54:22 PDT (Saturday)
J M Hicks' contribution on Central Locking Systems (RISKS 8.55) brings to mind
many other potential dangers of electrical control in autos. Most of these I
have seen discussed at various times within this forum, but there is one in
particular which concerns me.

Electric windows are becoming ubiquitous on new cars today, and unlike central
locking systems, there is no manual override. This is made very obvious by the
fact that such windows cannot be raised after the ignition has been turned off,
which is in itself a rather annoying attribute.

However, annoyance turns to danger when an emergency arises. In an auto
accident causing the doors to jam closed, the windows are the only means of
escape when waiting for a cutting crew could be fatal. Furthermore, it is well
known that the windows provide the best (only?) means of escape from a car
underwater. If the electrical system is shot, and the occupant is unable to
break the windows, what other options are there?

Certainly electric windows provide a great convenience in everyday driving, but
I wonder how many people consider the risks when they choose their options on a
new car. And I wonder if the auto manufacturers themselves realise the risks
and are merely cutting costs because nobody voices concern.

Martin F N Cooper, Xerox Corporation

Careless tape transfer procedures

Sun, 16 Apr 89 12:00:33 EDT
This morning, walking in a public area of a building, I noticed a messenger or
computer operator ahead of me in the same corridor casually wheeling an open
cart loaded with about a dozen tapes. Suddenly, he left his cart in front of an
overhead door, walked on about 50 feet to the next door off the corridor, and
disappeared. Curious, I waited in the vicinity of the cart to see what would
happen next. Some 30-60 seconds later, the overhead door opened, and the clerk
appeared from behind, pulled the cart in, and closed the overhead door again.
I continued on my way, with a few questions turning over in my mind:

1) What if someone had made off with a tape or two while the cart was

2) Why wasn't the messenger accompanied by, say, a security guard with a radio?
   The guard could have watched the cart while the messenger went to open the
   door. Also, this precaution would avoid the risk of the messenger being
   attacked by a gang (2 or 3 would be enough to steal a tape or two) while
   passing through the public areas.

3) Why weren't the tapes in an enclosed box, locked with a key at the beginning
   of the trip, and unlocked with a duplicate at the destination? (The
   messenger, of course, should not carry a key!) This would prevent tapes from
   disappearing or being substituted while in transit.

4) Do people still do stupid things like this in 1989? (Yes!)

Peter Jones   MAINT@UQAM   (514)-282-3542
