RISKS@CSL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (08/28/86)

RISKS-LIST: RISKS-FORUM Digest,  Wednesday, 27 August 1986  Volume 3 : Issue 44

           FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  F-16 Problems (Bill Janssen)
  Various clips from European Newspapers (Martin Minow)
  Comment on Nancy Leveson's comment on... (Alan Wexelblat)
  Words, words, words... (Herb Lin)
  Software Safety (Paul Anderson)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome. 
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
  (Back issues Vol i Issue j available in CSL.SRI.COM:<RISKS>RISKS-i.j.
  Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

Date: Wed, 27 Aug 86 14:31:45 CDT
From: Bill Janssen <janssen@mcc.com>
To: risks@csl.sri.com
Subject: F-16 Problems (from Usenet net.aviation)

A friend of mine who works for General Dynamics here in Ft. Worth wrote some
of the code for the F-16, and he is always telling me about some
neato-whiz-bang bug/feature they keep finding in the F-16:

o Since the F-16 is a fly-by-wire aircraft, the computer keeps the pilot from 
  doing dumb things to himself. So if the pilot jerks hard over on the 
  joystick, the computer will instruct the flight surfaces to make a nice and 
  easy 4 or 5 G flip. But the plane can withstand a much higher flip than that. 
  So when they were 'flying' the F-16 in simulation over the equator, the 
  computer got confused and instantly flipped the plane over, killing the 
  pilot [in simulation].  And since it can fly forever upside down, it would
  do so until it ran out of fuel.

(The remaining bugs were actually found while flying, rather than in 
simulation):

o One of the first things the Air Force test pilots tried on an early F-16 
  was to tell the computer to raise the landing gear while standing still on
  the runway. Guess what happened? Scratch one F-16. (my friend says there
  is a new subroutine in the code called 'wait_on_wheels' now...) [weight?]

o The computer system onboard has a weapons management system that will
  attempt to keep the plane flying level by dispersing weapons and empty
  fuel tanks in a balanced fashion. So if you ask to drop a bomb, the
  computer will figure out whether to drop a port or starboard bomb in order
  to keep the load even. One of the early problems with that was the fact
  that you could flip the plane over and the computer would gladly let you
  drop a bomb or fuel tank. It would drop, dent the wing, and then roll off.

There are some really remarkable things about the F-16. And some even more
remarkable things in the new F-16C and D models: 

o They are adding two movable vents called 'canards' that will be installed
  near the engine intake vent under where the pilot sits. By doing some
  fancy things with the flight surfaces and slick programming, they can get
  the F-16 to fly almost sideways through the air. Or flat turns (no
  banking!). Or fly level with the nose pointed 30 degrees down or up (handy 
  for firing the guns at the ground or other aircraft).

I figured this stuff can't be too classified, since I heard almost the same
thing from two different people who work at GD. I hope the Feds don't get
too upset...

George Moore (gm@trsvax.UUCP)
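Each of the three flight-line mishaps in the post above comes down to an actuator command that was accepted without a guard on the aircraft's state. As an added example (my own code, not General Dynamics' or any F-16 software), the C below gates three commands on a small state vector: gear retraction is refused while weight is on the wheels, store release is refused while the aircraft is more than 90 degrees from upright (the balanced port/starboard selection the post describes still runs once that check passes), and a pilot's g demand is clamped to a configured envelope. The `state` fields, the 90-degree threshold and the g limits are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not F-16 flight software.  The struct fields and the
 * numeric limits used below are assumptions chosen for illustration. */
struct state {
    bool   weight_on_wheels;  /* squat switch closed: aircraft is on the ground   */
    double bank_deg;          /* roll angle in degrees; 0 = upright, +-180 inverted */
    double port_load_kg;      /* mass still carried on the left wing               */
    double stbd_load_kg;      /* mass still carried on the right wing              */
};

enum verdict { OK, REJECT_WEIGHT_ON_WHEELS, REJECT_INVERTED, CLAMPED_G };

/* Fold any angle into (-180, 180] so a 270-degree reading is treated as -90. */
static double wrap180(double deg)
{
    while (deg > 180.0)   deg -= 360.0;
    while (deg <= -180.0) deg += 360.0;
    return deg;
}

/* The 'wait_on_wheels' interlock: gear retraction is never honoured on the ground. */
enum verdict gate_gear_up(const struct state *s)
{
    return s->weight_on_wheels ? REJECT_WEIGHT_ON_WHEELS : OK;
}

/* Balanced store release: drop from the heavier side so the load stays even,
 * but only after checking that the store can actually fall away from the wing. */
enum verdict choose_release(const struct state *s, bool *release_port)
{
    double bank = wrap180(s->bank_deg);
    if (bank > 90.0 || bank < -90.0)
        return REJECT_INVERTED;            /* store would land on the wing */
    *release_port = s->port_load_kg >= s->stbd_load_kg;
    return OK;
}

/* Envelope protection: clamp the demanded load factor into [min_g, max_g]
 * and tell the caller when the demand was not honoured as given. */
enum verdict limit_g(double demanded_g, double min_g, double max_g, double *out_g)
{
    if (demanded_g > max_g) { *out_g = max_g; return CLAMPED_G; }
    if (demanded_g < min_g) { *out_g = min_g; return CLAMPED_G; }
    *out_g = demanded_g;
    return OK;
}

int main(void)
{
    struct state on_runway = { true,  0.0,   1000.0, 1000.0 };
    struct state inverted  = { false, 180.0, 1200.0, 1000.0 };
    bool port;
    double g;

    printf("gear up on runway: %s\n",
           gate_gear_up(&on_runway) == OK ? "allowed" : "refused");
    printf("release inverted:  %s\n",
           choose_release(&inverted, &port) == OK ? "allowed" : "refused");
    printf("12 g demanded -> %s at %.1f g\n",
           limit_g(12.0, -3.0, 9.0, &g) == CLAMPED_G ? "clamped" : "passed", g);
    return 0;
}
```

The point of the structure is that every command passes through a function that sees the state and returns an explicit verdict; the caller cannot forget the check, and a rejected command is a value the rest of the system can log and act on rather than a silent no-op.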

------------------------------

Date: 27-Aug-1986 0835
From: minow%regent.DEC@decwrl.DEC.COM  
                   (Martin Minow, DECtalk Engineering ML3-1/U47 223-9922)
To: risks@csl.sri.com
Subject: Various clips from European Newspapers

From The [London] Guardian, Aug. 20-22 1986 (not sure of the exact date):

	Bank zaps `raid on computer'

Barclays Bank yesterday denied reports that computer experts had
"hacked" into its Whitehall computer and transferred 440,000 Lb.
Sterling to an overseas account. 

----

From Dagens Nyheter [Stockholm], Aug. 22, 1986.  My translation, abridged.

	Shock billing of private person
	Phone bill of 31,000 kronor [almost $2,600]

A woman in the Stockholm area received a record phone bill of 31,000
kronor. The amount is equivalent to local calls 24-hours per day for
nearly two years. 

The phone company's computers raised an alarm that the amount was
unreasonably high, but human error resulted in the bill being sent out
anyway.  The group that normally checks especially high invoices
never got to see this bill. 

The woman and the phone company have reached an agreement, whereby she
pays an average bill based on previous invoices.  Phone technicians
are now trying to discover whether an error occurred in the
computer-controlled phone exchange.  ...

"It's completely our fault," says phone company spokesman Kjell Palmqvist.

"What are you doing about it?" [asked the reporter.]

"First, we've come to an agreement with the woman.  She need not pay more
than normally.  We've also started an examination of what could have caused
the problem.... There could have been a problem in the computerized phone
exchange, or a cable-error or other type of interference."

"Is this sort of bill common?"

"No, theoretically, we expect one error in 10,000 years.  But no
technology is 100% perfect."  ...

The telephone exchange, in Oestermalm in Stockholm, uses an
AXE-exchange, a computerized telephone exchange [manufactured by LM
Ericsson] that is very advanced and reliable. 

----

From Dagens Nyheter [Stockholm], Aug. 22, 1986.  My translation, abridged.

		Battle over Databank

The chairman of the governmental data- and public-access committee
[offentlighetskommittén], Carl Axel Petri, rejects the criticisms which
have recently been brought by the moderate party [conservative] and
folk-party [liberal conservative] concerning sales of personal
information from computer data banks. 

   [Sweden has a "sunshine" law, almost 200 years old, that guarantees
    public access to almost all government documents.  As the information
    in the manual registers was considered public, so too is the same
    information in the computerised data bank.  Information which is not
    public is carefully controlled.  Access is governed by the Swedish Data
    Law, which is now over 10 years old.]

"It is important to quickly get a law that stops general sales.  We
have allowed some exceptions, nine specified computer companies, but
even their sales shall, in the future, be controlled by parliament.
Nobody should be allowed to earn money by [selling] personal
information. Sales should have a public interest, in principle, the
new law will forbid sales" said Petri. ... 

The leader of the Moderate Party, Gunnar Hoekmark, says that Petri is
incorrect when he claims that the law will forbid sales of personal
information. 

"On the contrary," says Hoekmark, "the largest databases will continue
to be sold.  Without the committee's discussing what effect sales of
different personal information will have on individual personal
integrity, they propose that the largest database, Spar, may continue
to sell information on individuals income, personal identity number,
wealth, civil status, address, age, etc." 

Hoekmark points out that the majority [report?] of the inquiry didn't
answer the most basic questions on whether the government in general
shall have the right to sell information on private individuals'
economy and personal situation. 

The majority includes the Center Party's [liberal conservative] Olof
Johansson, who says that the important issue for the future isn't
whether the information ought to be sold, but what information should
be collected.  This includes, for example, the discussion on
limitations of use of the personal id number. 

Constitutional questions [the Sunshine Law is part of the Swedish
Constitution] and the future of the personal id number will remain for
the inquiry to solve by next spring. 

----

Sloppily translated by Martin Minow 

[Peter, I also have a long article on computer controlled airplanes
(fly by wire) from the Observer.  Mostly Sunday Paper background.
Too much to type in.  "... the pilot must have enough confidence
in the flight control computer, and the men who programmed its software,
to take off in an aircraft he cannot fly without them"  "there is
one more type of failure from which they [the pilots] cannot recover."]

------------------------------

Date: Wed, 27 Aug 86 09:33:11 CDT
From: Alan Wexelblat <wex@mcc.com>
To: risks@csl.sri.com
Subject: Comment on Nancy Leveson's comment on...

I agree in large part with Nancy Leveson's comments in RISKS-3.43.
Nevertheless, I find it interesting that she denies that there are "human
errors" but believes that there are "management errors."  It seems that the
latter is simply a subset of the former (at least, until we get computer
managers).  Also, it's not clear whether she includes things like `pushing
the wrong button' or `following the wrong procedure' under the category of
"operational errors."

--Alan Wexelblat  (WEX@MCC.COM)

------------------------------

Date: Wed, 27 Aug 1986  15:05 EDT
From: LIN@XX.LCS.MIT.EDU
To:   mikemcl@NRL-CSR.ARPA (Mike McLaughlin)
Cc:   Arms-Discussion@XX.LCS.MIT.EDU, risks@CSL.SRI.COM
Subject: Words, words, words...

    From: mikemcl at nrl-csr (Mike McLaughlin)

    I do not know that "NO ONE in the scientific community believes that it is
    possible to frustrate a deliberate Soviet attack on the U.S. population..."
    If there is a PhD in a science who believes that, is that person de facto 
    excluded from the scientific community?

I should have been more precise.  No person with technical credentials
has stated that it is possible to deny the Soviet Union the capability
to wreak significant damage on the U.S. population and industry.  

    I do not know what "frustrat[ing] a deliberate... attack" means.

    If it means deterring the attack by reducing the cost/benefit ratio to
    an unacceptable level, I believe that is possible (but I am not in the
    scientific community and never have been).

    If it means saving a significant number of civilian lives from an 
    inevitable attack, I believe that is possible (but... ).

I think the benchmark that Ashton Carter used in his Office of
Technology Assessment background paper on BMD was pretty good, and it
will serve as a starting point for discussion.  "Frustrate a
deliberate attack..." is taken to mean "preventing the Soviet Union
from delivering by ballistic missile 100 megatons of nuclear warhead
on U.S. cities and industry."  (Note well: WW II was a 5 MT war.)

------------------------------

Date: Wed, 27 Aug 86 09:43:03 edt
From: anderson (Paul Anderson)
To: RISKS@CSL.SRI.COM
Subject: Software Safety

I have received a copy of a proposed revision of MIL-STD-882B (System Safety
Hazard Analysis) Task 212, Software Safety Analysis, that has been
distributed for formal coordination.  This task will be invoked on
contractors building systems containing software for DOD.  This task will
require the contractor to conduct safety analyses and testing of the
software, both on the software alone, and when integrated with the overall
system.

If anybody has thoughts, comments, or suggestions (or even recommended
wording), on what should be included in this task, please let me know
(preferably within the next week or so).

Paul Anderson
anderson@nrl-csr

------------------------------

End of RISKS-FORUM Digest
************************