[comp.risks] RISKS DIGEST 10.45

risks@CSL.SRI.COM (RISKS Forum) (09/27/90)

RISKS-LIST: RISKS-FORUM Digest Wednesday 26 September 1990  Volume 10 : Issue 45

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Computergate in New Jersey? (Steve Bellovin)
  Whitehall rebuked for 121 million pound Retail Price Index blunder
    (Dorothy Graham)
  Hi-tech advertising (Dave Turner)
  Students taking exams by remote hookups (PGN)
  Sun C2 system (Stephanie Zakrzewski)
  Arbiters (Brian Randell)
  Re: Expert system in the loop (Amos Shapir, Jim Horning, R Horn)
  Reliability of the Space Shuttle (Peter da Silva)
  Illinois Bill (Mark Brader)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
TO FTP VOL i ISSUE j:  ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
cd sys$user2:[risks]<CR>GET RISKS-i.j <CR>; j is TWO digits.  Vol summaries in 
risks-i.00 (j=0); "dir risks-*.*<CR>" gives directory; bye logs out.
ALL CONTRIBUTIONS ARE CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
The most relevant contributions may appear in the RISKS section of regular
issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 25 Sep 90 08:20:58 EDT
From: smb@ulysses.att.com
Subject: Computergate in New Jersey?

A political scandal, known variously as ``Trentongate'' or ``Computergate'', is
brewing here in New Jersey.  A staff member employed by the Republicans in the
state legislature has admitted to breaking into a computer system used by the
Democrats; reportedly, the number of documents obtained is in the thousands.
His activities were known to the staff director; he recently admitted as much
and resigned.  But the Democrats aren't making too much of a fuss over this --
allegedly, they don't want the contents of the filched documents disclosed,
since they are reported to deal with improper use of state facilities for
political purposes.  (Were Nixon's tapes 9-track, and was the 18 minute gap
really part of the tape drive error recovery processing...?  And Haig's
``sinister force'' was just an ordinary reboot.)
                                                       --Steve Bellovin
     [Donkey haute and pancho sans a ba(s)bar tilting at winned spills?  
     (Please pardon my espanofranglais, Sir Vantes!)  PGN]

------------------------------

Date: Tue, 25 Sep 1990 11:50:53 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Whitehall rebuked for 121 million pound Retail Price Index blunder 

A 1% error in the British RPI cost the government 121M pounds in compensation
to pension and benefit losers, donations to charities, and administrative
costs.  The problem was discovered after a computer error caused the RPI to be
understated from February 1986 to October 1987.  The programs had been tested,
but the tests did not reveal the error.

Source: Computing (UK), 20 September 1990, submitted via airmail by Dorothy R.
Graham, Grove Consultants, 40 Ryles Park Rd., Macclesfield, Cheshire SK11 8AH.

------------------------------

Date: Mon, 24 Sep 90 22:16:39 PDT
From: dmt@ptsfa.pacbell.com (Dave Turner)
Subject: Hi-tech advertising

The San Francisco Chronicle had a front page article today (09/20) headlined:

			High-Tech Advertising
			Better Junk in New Junk Mail

A few quotes:

	Junk mail is going high tech.
	Across the nation, well-heeled consumers are being bombarded with
	expensive computer diskettes, elaborate video-tapes of car
	commercials and even catalogs that play Christmas carols.  ...

	+ Compaq Computers mailed 40,000 floppy disks to possible
	customers last summer to introduce a new line of computers that
	cost as much as $20,000. ...

	Kevin Bohren, a spokesman for Compaq Computers in Houston, said
	his company tripled its response rate last year when it mailed
	"interactive diskettes" as a promotion for its new line of
	personal computers. "People responded because we weren't just
	sending out another pamphlet," he said.

If people become accustomed to inserting every floppy received in the mail into
their computers thinking that it is just another form of advertising, the risk
of viruses spreading will increase rapidly. A few thousand deviant floppies
sent to several large corporations and schools will produce marvelous results.

------------------------------

Date: Tue, 25 Sep 1990 11:44:07 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Students taking exams by remote hookups

An AP item today was called to my attention, datelined CHICAGO (AP).

    "Thank you for calling Telequiz. After the tone, please leave the
  answers to your college exam."
    In what is believed to be the national debut of student testing via
  push-button phone, students at Governors State University telephoned in the
  answers to their Psychology 519 quiz from the comfort of home.

[True-false answers are recorded with computerized voice-mail equipment.  A
professor was quoted as how this saves everyone time, effort, and travel, and
provides considerable convenience because students can be tested when they wish
-- although in its present implementation only one student can call in at a
time.  No reentrant exam programs (as opposed to reentrance exams) yet!  RISKS
readers do not need to be reminded of the security/integrity problems.  PGN]

------------------------------

Date: Tue, 25 Sep 90 09:59 EDT
From: Stephanie Zakrzewski <Zakrzewski@DOCKMASTER.NCSC.MIL>
Subject: Sun C2 system

I'm amazed by recent references to Sun's "C2" system.  What system is this?
There has been no Sun product evaluated by the National Computer Security
Center, so there is no such thing as a "Sun C2 system".  Just as the Good
Housekeeping Seal of Approval can be awarded only by Good Housekeeping, a
rating against the Trusted Computer System Evaluation Criteria (the Orange
Book, which defines C2 and the other levels of trust) can be awarded only by
the National Computer Security Center, which authored the Orange Book.

Each product which has been evaluated and thus earned a rating is announced in
the Information Systems Security Products and Services Catalog, chapter four,
the Evaluated Products List.  So if you are in doubt in future, check this
source.  Anything not in there is, at best, DESIGNED TO MEET C2.  At worst, it
provides no trust at all.  Don't be misled by premature or misleading claims.
Relying on false security is far more dangerous than having no security - at
least in the latter case you stay on guard!

------------------------------

Date: Tue, 25 Sep 90 10:47:26 BST
From: Brian Randell <Brian.Randell@newcastle.ac.uk>
Subject: Arbiters

Nearly twenty years ago David Wheeler of Cambridge University lectured here on
this subject in our Annual International Seminar on the Teaching of Computing
Science at University Level (7-10 Sept.  1971). RISKS readers might enjoy this
quote from the Seminar Report:

 "The Problem of Synchronisation

 Dr Wheeler devoted the rest of his talk to a discussion of a
 particular problem in logical design. He chose to do this, rather than
 give a more general talk, because he considers that discussion of this
 point should form part of every course on hardware or logical design.
 His reasons for emphasising this point, which he calls the problem of
 synchronisation, are as follows:

 (a) Many existing computers have faults because of neglect of this
   point. (Dr Wheeler found that at least 50% of the computers whose
   logical design he has studied in detail have faults of this kind.)

 (b) The point is rarely taught well and only occasionally appears in
   text books.

 (c) It is apparently difficult to appreciate. Furthermore, people
   trained in switching theory or logical design find it especially
   difficult.

 (d) The problem is general. It is common to all forms of logic and may
   also be present in systems programs. It touches many disciplines, for
   example circuit theory, logical design, systems programming and
   information theory.

 (e) The occasional malfunctioning of all practical computers and
   peripherals is to be expected if this point is neglected."

[The report then goes on to give a detailed account of David Wheeler's
lecture.] 

(Younger RISKS readers may not be aware that David Wheeler, who I'm pleased to
say is still very active, was in 1949/50 the principal source of such concepts
as closed subroutines, assemblers, post mortems, and much else, in his
pioneering programming work on EDSAC, and went on to do much hardware design,
for example of EDSAC2 and of the Cambridge Ring.)

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne, UK
PHONE = +44 91 222 7923    FAX = +44 91 222 8232 Brian.Randell@newcastle.ac.uk

------------------------------

Date: 25 Sep 90 15:50:52 GMT
From: amos@taux01.nsc.com (Amos Shapir)
Subject: Re: Expert system in the loop (Thomas, RISKS-10.37)

[Quoted from the referenced article by jaffe@safety.ICS.UCI.EDU]
>The point is that the issue of designing Aegis to handle commercial flight data
>was addressed and rejected as not cost-effective.  Whether one agrees with this
>specific decision or not, the general point is that no military system (or any
>system) can be designed to deal with all contingencies that someone thinks of as
>appropriate.

The point is, I don't think Aegis had to be designed to keep track of
all aerial traffic in the area; I'm pretty sure that *Air Force* systems
in the area did have a positive ID on everything that was flying at
the time.  The trouble is, I also suspect that there was no way the captain
could just call somebody and ask "Hey, what's that on my screen?"

Amos Shapir, National Semiconductor (Israel) P.O.B. 3007, Herzlia 46104, Israel
Tel. +972 52 522255 TWX: 33691, fax: +972-52-558322 amos@nsc.nsc.com

------------------------------

Date: 25 Sep 1990 1252-PDT (Tuesday)
From: horning@src.dec.com (Jim Horning)
Subject: Expert system in the loop (Aegis display)

The renewed discussion of the Vincennes incident brought back some 25-year-old
memories about displaying aircraft tracking data.  I don't think this
problem has been discussed in RISKS (at least not recently):

    The risk of displaying data that was computed for a different purpose.

*I have no reason to believe that there's any direct connection between 
the following story and the Aegis system--I'm only saying that the Aegis 
developers must have faced the same kind of problems.*

At that time, I was supporting myself in graduate school by programming 
for a major aerospace manufacturer.  I worked on a weapons guidance system 
that I've heard is still used in top-of-the-line US combat aircraft. 
I was responsible for displaying the tracking data.  Newsweek published
a picture of an Aegis display that included the same track symbols as we 
were using, but that probably just means they are some kind of a military 
standard.

Before testing our software with real sensor data, we ran numerous tests 
with simulated data.  It quickly became apparent that the velocity displays 
were unacceptably erratic, and didn't have much connection to the velocities 
of the simulated targets.  So we simplified the data to a single target 
moving in a straight line with no acceleration.  Still looked awful.
So we reduced the simulated sensor noise, and finally eliminated it.
The velocity display was a lot smoother, but it showed target velocities
and maneuvers that just weren't in the input.

Finally I decided to do a little mathematical analysis.  I was able to
identify two sources of error in the second-order difference equations used
to smooth and extrapolate track data:

  - Sensor data was supplied in polar coordinates, and all calculations 
    were done in polar coordinates.  In general, unaccelerated straight-line 
    motion produces non-zero derivatives of all orders in polar coordinates.  
    At the ranges and velocities for which the system was designed, these 
    virtual velocities and accelerations were not negligible.

  - The smoothing algorithm initialized the first and second difference
    estimates on all coordinates of a track to 0.  At the ranges and 
    velocities for which the system was designed, the differences could 
    start from zero, overshoot, overshoot in the other direction, ... and 
    not stabilize within the time a straight-line target remained in range.

I was able to show that a straight-line target 60 miles away that was moving 
perpendicular to the tracking plane could have an indicated velocity 90 
degrees off its true velocity, i.e., the display would show its velocity 
as being straight towards the tracking plane.  I didn't think that such 
a velocity display was likely to help the Missile Control Officer make 
good decisions.

Our department was only responsible for the software.  I wrote up my 
analysis, including a demonstration of the improvements that would result 
from smoothing and extrapolating in a cartesian coordinate system and from 
initializing the differences more reasonably.  I sent my analysis off to 
the department that had supplied the smoothing algorithm, feeling very 
proud of my young self for having caught the problem and figured out the 
solution before it caused any real trouble.  But the answer from that 
department was: "We don't understand your mathematics.  We optimized the 
algorithm using Z-transforms, and it's not your job to second-guess us." 
(This was one of several reasons why my career in aerospace was brief.)

Later, I learned that the algorithm was not as unreasonable as it had seemed 
to me.  The primary purpose for maintaining the track files was to lock 
a missile's sensors onto a particular target before launch, and the sensors 
had to be aimed in polar coordinates.

The real problem was that someone designing the man-machine interface had 
seen that the track file format contained fields R, RDOT, RDDOT, etc., 
and decided that, since the velocity information was available, it would 
be a good idea to display it for the MCO.  But it wasn't a good estimator 
of velocity, and was never designed to be.

To me it is entirely plausible that the junior officer on the Vincennes who
made errors in reading the altitude and speed of the approaching aircraft was
in fact being misled by the displayed velocity, and not just by stress.  I
doubt that the logging data for the Aegis records enough of what is displayed
at each instant to settle this.  Doubtless some readers of RISKS know enough
about the Aegis software to know whether this is possible, but they may not be
free to comment on the subject.
                                                  Jim H.
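Added example, not code from Horning's post or the system he worked on: a constructed simulation of the two error sources he names, with an assumed alpha-beta-gamma difference smoother (gains chosen here for stability, the real ones are unknown) run once per polar coordinate with zero initial differences and once per Cartesian coordinate initialised from the first two reports, for a noise-free target crossing at 60 miles. The polar rate fields are then drawn as a velocity vector, as the interface designer he describes did with RDOT; the run shows the speed under-read and the direction wander of that display against exact Cartesian tracking, but does not reproduce his 90-degree case, whose gains and geometry the post does not give.

```python
import math
# Gains assumed for this example: a stable set, not the system's own.
ALPHA, BETA, GAMMA = 0.5, 0.25, 0.05


def abg_update(state, z, dt):
    """One step of the assumed second-order difference smoother: extrapolate
    (value, first difference, second difference) and correct each term in
    proportion to the residual between the report z and the extrapolation."""
    x, v, a = state
    x_pred = x + v * dt + 0.5 * a * dt * dt
    v_pred = v + a * dt
    e = z - x_pred
    return (x_pred + ALPHA * e, v_pred + BETA * e / dt, a + GAMMA * e / (dt * dt))


def direction_error_deg(ux, uy, vx, vy):
    """Unsigned angle, in degrees, between a displayed and a true velocity."""
    cos_t = (ux * vx + uy * vy) / (math.hypot(ux, uy) * math.hypot(vx, vy))
    return math.degrees(math.acos(max(-1.0, min(1.0, cos_t))))


def simulate(x0=0.0, y0=60.0, vx=0.2, vy=0.0, dt=1.0, steps=40):
    """Constructed scenario: noise-free target 60 miles out, crossing the line
    of sight at 0.2 mi/s, reported once per second.  Per update, returns
    (polar displayed speed / true speed, polar direction error in degrees,
    Cartesian direction error in degrees)."""
    pts = [(x0 + vx * k * dt, y0 + vy * k * dt) for k in range(steps)]
    # Polar smoother: first and second differences start at zero, as in the
    # track file Horning describes.
    rng = (math.hypot(x0, y0), 0.0, 0.0)
    brg = (math.atan2(y0, x0), 0.0, 0.0)
    # Cartesian smoother: first difference taken from the first two reports.
    cx = (x0, (pts[1][0] - x0) / dt, 0.0)
    cy = (y0, (pts[1][1] - y0) / dt, 0.0)
    speed = math.hypot(vx, vy)
    rows = []
    for px, py in pts[1:]:
        rng = abg_update(rng, math.hypot(px, py), dt)
        brg = abg_update(brg, math.atan2(py, px), dt)
        cx, cy = abg_update(cx, px, dt), abg_update(cy, py, dt)
        r, rdot, th, thdot = rng[0], rng[1], brg[0], brg[1]
        # The vector an operator sees if RDOT and THETADOT are drawn as velocity.
        dx = rdot * math.cos(th) - r * thdot * math.sin(th)
        dy = rdot * math.sin(th) + r * thdot * math.cos(th)
        rows.append((math.hypot(dx, dy) / speed,
                     direction_error_deg(dx, dy, vx, vy),
                     direction_error_deg(cx[1], cy[1], vx, vy)))
    return rows


if __name__ == "__main__":
    for t, (ratio, perr, cerr) in enumerate(simulate(), start=1):
        print(f"t={t:2d}s  polar speed x{ratio:.2f}  dir err {perr:.3f} deg  cartesian {cerr:.1e} deg")
```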

------------------------------

Date: Wed, 26 Sep 90 10:57 EST
From: HORN%HYDRA@sdi.polaroid.com
Subject: Re: Expert systems in combat

Various people have commented on the Vincennes incident without noting the
applicable international law.  This law, which has counterparts running back
over a century, places the responsibility for identification upon the
*CIVILIAN*.  The military is permitted to presume hostile intent from all
unidentified people or things in a combat area.  The civilians must demonstrate
by words and actions that they are non-combatant.  Transponder codes are
explicitly listed as not sufficient.

In the particular case of the Vincennes, the military did comply with the law
by issuing a challenge and demand for course change.  Unfortunately the
aircraft ignored this challenge (probably because it was to ``unidentified
aircraft'' and in nautical phraseology).  And for these reasons there has been
no real effort to condemn the action in any court of international law.

This is not to say that problems and errors did not occur.  One problem that an
expert system might have resolved would be a more universal and internationally
understandable challenge terminology.  It took the shooting down of two
airliners by the Soviets to force general installation of mutually usable
radios in both military and civilian aircraft.  This accident reveals that
despite mutually usable radios, there remain significant communications
difficulties.  (Not the original mentioned use for expert systems, but much
easier and well within the present state of the art.)

The other risk that this shows is the danger of fundamental ignorance of the
overall environment.  International law and treaties do exist, and do matter,
but both within this group and within the developers of the expert systems
there is profound ignorance of these rules.  When the rules are in software or
hardware what do you do when treaties change?

R Horn         horn%hydra@polaroid.com

------------------------------

Date: 25 Sep 90 15:29:32 CDT (Tue)
From: dasilva@ficc.ferranti.com (Peter da Silva) [dasilva@ficc.UUCP??]
Subject: Reliability of the Space Shuttle

Not attempting to address other issues involved in the article by Perry
Morrison in comp.risks 10.40, I would like to simply point out that the space
shuttle has had many more successful launches than any other launch system
employed to date. The shuttle, as a whole, is extremely reliable...  it can
only be considered a failure in comparison with the outrageous levels of
reliability *claimed* for it by NASA prior to the Challenger accident.

------------------------------

Date: Tue, 25 Sep 1990 22:31:19 -0400
From: Mark Brader <msb@sq.com>
Subject: Illinois Bill

> The bill from Illinois Bell should have read $87.98, not $8,709,800.33.

Hmph.  That's only 5 orders of magnitude.

Mark Brader, Toronto        utzoo!sq!msb, msb@sq.com

                       [So what's an order of magnitude here or there?  
                       Thank goodness it wasn't an earthquake.  PGN]

------------------------------

End of RISKS-FORUM Digest 10.45
************************