RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (09/12/88)
RISKS-LIST: RISKS-FORUM Digest Sunday 11 September 1988 Volume 7 : Issue 49
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Firmware bugs in Dutch gambling machines (P. Knoppers)
Soviets See Little Hope of Controlling Spacecraft (Gary Kremen)
Disinterest in disaster not based on probability estimates (Clifford Johnson)
What a Ticonderoga Combat System "records" (John Allred)
High-tech toilets (Robert Dorsett)
ANI/911 Misconceptions (Dave Robbins)
Re: Display of telephone numbers on receiving party's phone (Henry Spencer)
Social content of computer games (Eric Postpischil, Henry Spencer)
"Viruses Don't Exist" and the Marconi Mysteries... (Mark Moore)
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
get stripe:<risks>risks-i.j ... (OR TRY cd stripe:<risks> / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).
----------------------------------------------------------------------
Date: Sat, 10 Sep 88 17:21:03 -0200
From: knop%dutesta%mcvax@uunet.UU.NET (P. Knoppers)
Subject: Firmware bugs in Dutch gambling machines
In the Netherlands it is legal to exploit gambling machines if these
are approved by a government-operated test institution.
There is currently an approved machine in use that has a rather severe
problem in its firmware. This fault can be exploited by malicious players.
I will not reveal which machine type has the bug, there may even be
several models that have it.
The trick is as follows:
Use the machine until you have won a substantial price (call this price 1).
Pull the power plug BEFORE the machine has started to pay out.
Re-insert the power plug.
The machine will self-test and pay out the pending price 1.
On the next price that you win (no matter how small) the machine
pays the amount of price 1.
The use of this trick can empty the coin buffer of the machine within
one hour.
It appears that a system that was designed to protect the players from
financial losses in case of a power failure introduced a risk.
Makes me wonder what measures are built in ATMs to protect customers
in case of a power failure during a transaction...
P. Knoppers - knop@dutesta.UUCP
Delft Univ. of Technology, Faculty of Electrical Engineering, The Netherlands.
------------------------------
Date: Sat 10 Sep 88 15:22:49-PDT
From: Gary Kremen (The Arb) <89.KREMEN@GSB-HOW.Stanford.EDU>
Subject: Soviets See Little Hope of Controlling Spacecraft
According to today's (Saturday, September 10, 1988) New York Times, the
Soviets lost their Phobos I spacecraft after it tumbled in orbit and the
solar cells lost power. The tumbling was caused when a ground controller
gave it an improper command.
This has to one of the most expensive system mistakes ever.
Gary Kremen, Stanford Graduate School of Business
[Several people reported on radio items that attributed the problem to a
console operator's single keystroke in error, which it was speculated might
have triggered the Mars probe's self-destruct signal. After the command was
sent, contact with the probe was lost completely. PGN]
------------------------------
Date: Sat, 10 Sep 88 18:18:00 PDT
From: "Clifford Johnson" <GA.CJJ@Forsythe.Stanford.EDU>
Subject: Disinterest in disaster is not based on probability estimates.
A recent contributor noted disinterest is a planned conference
on disasters in Chicago. Another noted:
> John Cullyer of the British Royal Signals and Radar Establishment ... said,
> "Let's throw out the 10 ** -9" - and many of the audience responded with
> enthusiastic applause. Someone asked if he would accept a failure
> probability of only 10 ** -4 or 10 ** -5 for nuclear weapons safety. He
> responded, "In the weapons area there should be no room for probability. If
> something is unthinkable, don't let it happen. You either certify it or you
> don't - one or zero."
Three months ago I was set for a 2-hour interview/call-in program on the San
Francisco CBS radio station. My topic was the probability of computer-related
error causing accidental nuclear Armageddon, which even conservative
authorities (e.g. Hudson Institute) estimate to have a probability of the order
of 10**-3 per year. I reckon it's higher, and can argue the point.
On arrival, I found my time reduced to one and a half hours because of a change
in the computerized California lottery which provided for a bigger
multi-million $ jackpot at even longer odds. This topic was inserted as a
first interview/call-in feature, for half an hour before me. The odds of
winning the jackpot per ticket must be of the order of 10**-8. Even buying a
hundred tickets per year doesn't get the odds above 10**-6 per year.
Maybe you can guess the rest. The station had a screen displaying the status
of the five incoming phone lines. They were packed for the lottery call-in.
For example, animated callers complained that South California got more prizes
than the North, and the lottery official patiently responded that the prizes
were in fair proportion to money spent. Etc. Clearly, the lowering of the odds
of success (which the official never quantified) was of scant concern to
callers agog at visions of the higher jackpot. The lottery debate was extended
for a further half hour. I didn't mind: one hour is more than enough for my
message.
In the first 25 minutes of my call-in interview, there was not a single caller.
There were only three in the entire hour.
------------------------------
Date: Fri, 9 Sep 88 17:36:05 EDT
From: John Allred <jallred@VAX.BBN.COM>
Subject: What a Ticonderoga Combat System "records"
Jonathan Jacky, University of Washington, asks:
>The effect of these misconceptions is to discourage thorough investigations
>of possible problems. I now doubt the frequently heard assertion that
>the Vincennes actually did correctly identify the altitude and heading of
>the Airbus...
First off, my credentials on this subject: I worked on the Combat System of a
Spruance Class Destroyer, a direct predecessor of the Vincennes (and other
Ticonderoga Class Cruisers). Indeed, a "Tico" has the same hull as a Spruance.
Add that nifty phased array radar (SPY-1), lots of missiles, and an enhanced
Combat System (5 tactical data computer (AN-UYK7), versus 2 on a Spruance), and
you get a Tico. The Combat System on the Tico is also known as AEGIS.
The Combat System records, in real time and on magnetic tape, the symbology
seen by the radar operators anytime the "program" is up. During training, it
was common to "play back" a canned scenario to exercise the troops and
equipment. So, when the Investigation Officer's report says, "AEGIS reported
Iran Air 655 as ascending", the Investigation Team probably replayed the tapes
of the incident, and saw a display reporting Iran Air 655's status *AS THE CREW
SAW IT*.
John Allred, BBN Systems and Technologies, Inc.
------------------------------
Date: Sat, 10 Sep 88 19:17:27 edt
From: juniper!mentat@emx.utexas.edu (Robert Dorsett)
Subject: High-tech toilets
Pages 132-136 of the 9/3/88 issue of Flight International has a summary of the
first six months of A320 service with British Airways (3 airplanes) and Air
France (2 airplanes). Mulhouse-Habsheim crash not withstanding, both airlines
claim a dispatch rate of approximately 97%. Some highlights from the
article:
1. Problems with air conditioning packs, which have resulted in BA restricting
fan output to 80% of suggested maximum. This is listed as a supplier problem.
2. The FADEC (full-authority digital engine control, a fancy term for a
computer-controlled fuel metering system) has been reliable, although Air
France claimed frequent replacements in the first few weeks of service.
3. The computer-controlled cabin public address and lighting system does not
work very well. Both airlines are disgusted at the sloppyness of it. Again,
it is listed as a supplier problem.
4. The toilets don't work very well (see excerpt below).
5. There was mention of in-flight failures of the primary guidance system,
but the backup systems worked as advertised.
6. There have been software modifications of the "flight management and
guidance computer, fuel quantity indications computer, cargo compartment
ventilation computer, avionics equipment ventilation computer, window heat
computer, and bleed monitoring computer." (One wonders when they will replace
a simple on/off switch with a computer). The modifications were required
when some computers shut down after the power sources for the mains was
switched from the APU to the engine generators.
7. 95% of all system faults have occurred after engine startup, before the
airplane got in the air. En route failures are rare.
On the plus side, BA claims that the centralized fault display system, which is
a CRT and possibly a printer, intended for use by maintenance personnel, has
been quite successful in detecting faulty items and systems, improving
maintenance time considerably. They have encountered the occasional
unintelligible message, though. They look forward to incorporating the system
with a communications package to let it automatically call maintenance bases to
let maintenance personnel "get ready" for a quick repair job on the airplane
when it arrives. The CFDS is based on the late 70's AIDS (Airborne Indicated
Data System), tested with mixed results on the 747, and later on the 757/767.
The device keeps track of data which is not normally of operational
significance. The data can then be offloaded, catalogued, analyzed, etc.
Apparently Airbus has incorporated an expert system to form the latest version.
It should be observed that something Steve Philipson said, about the Airbus
being very much an "experimental aircraft," holds weight, even though the
concentration of problems has shifted. Airbus is said to be keeping a full
staff of engineers on site at Air France and British Airways maintenance
bases. In addition, each airplane is carrying a set of computer "spares"
(spares for what, the article doesn't mention) in the event of failure.
The article does not indicate how long this arrangement is going to last.
Now, about the toilets... (excerpted without permission, but let's say it's
for the purposes of review)
"The main concern about the A320 has been that so many functions are
'computer-controlled,' and that this could lead to unforeseen problems. The
use of the word 'computer' can be misleading, in fact, because many of the
devices referred to as computers are little more than digitally controlled
switches--like the window heat computer, whose software has now been
spike-vaccinated.
"The whole subject comes firmly down to earth in the Air France A320's, where
the high-tech vacuum toilet system chosen by that airline (but not by BA) has
suffered shutdown because of glitches caused by electrical transients.
Aircraft have been grounded by this problem from time to time. You can get an
aircraft airborne safely without working toilets, but it is unwise to try to
get any passengers airborne under those conditions.
"Air France chose the vacuum toilet system for its single-point drainage and
the flexibility to move a toilet quickly for a short-notice cabin
reconfiguration. However, its A320's have been subject to four different types
of toilet system malvunction: toilet overflow, toilet shutdown, system
shutodwn, and straightforward toilet drain blockage. The latter may be a
matter of wastepipe diameter, though not everyone agrees on that. It has
worked on other aircraft.
"Airbus, in its produce support department's technical review of Air
France's A320 toilets problem, devotes a page to the subject, with a chart
designating specific problems followed by progress towards rectification.
The toilet overflow was caused by a rinse-valve which was sticking open.
The temporary remedy is a valve modification, but a redesigned valve is on
the way. The individual toilet shutdown and the whole-system shutdown have
been caused by electrical transients which affected the digital flush
control units (FCU--the minicomputer activated by the button which the user
pushes to flush the toilet) and the vacuum system controller (VSC--another
microprocessor). The printed circuit boards for the FCU and VSC were under
study for modification, and new software should have been supplied for them
both by now. As for the drain blockage, Airbus and the system vendors were
examining the suction unit in thorough system tests, and hoped to have a
result by the end of August."
It should be added that the A320's fuel efficiency is listed at 40% better
than that of the 727. Overall efficiency has yet to be determined. The order
book stands at either 428 aircraft ("Flight") or 350 aircraft ("Aviation
Week"). The word "computer" and the term "high-tech" is very clearly selling
the airplane. Flight lists eleven A320's currently in service.
Robert Dorsett University of Texas at Austin
Organization: Austin UNIX Users' Group, Austin, TX
------------------------------
Date: Fri, 9 Sep 88 11:00:46 EDT
From: Dave Robbins <dcr0%uranus@gte.com>
Subject: ANI/911 Misconceptions
It may be worthwhile to clear up some small misconceptions that have been
appearing in the Automatic Number ID discussion. More than one correspondent
has equated the 911 automatic identification with the calling-number
identification just now becoming available to local subscribers. In fact, the
two are entirely different features -- implemented differently and having
nothing little more than their general behavior in common. In particular:
1) "Enhanced 911" (as it is properly called -- regular 911 is nothing
more than an easy-to-remember and quick-to-dial number; it does not
identify the caller) is implemented by essentially the same
mechanism as ANI for toll calls. In both cases, the calling number
is sent out over a trunk line, not over a local subscriber loop. As
far as I know, this type of calling number identification has never
been made available to businesses, as one correspondent suggested it might.
2) Calling-number-identification (there is a marketing name for this, but
I forget it offhand) is a feature available only from the newest
ESS and competing switches, and requires special equipment on the
subscriber's premises as well as special hardware and software on the
switch (and of course more money from the subscriber :-). As far as I
know, each subscriber has the option of specifying -- permanently --
whether or not his number will be disclosed to others via this feature;
the default value for this option would reflect the subscriber's current
selection of a published or non-published number. In addition, as
mentioned by some correspondents, on a given call a subscriber may
choose -- via a dialed prefix -- whether or not to allow the display
of his number on the called phone.
Caveat: although I do work for a "phone company" my knowledge of the
above is not necessarily 100% accurate or up-to-date, since I have not
been directly involved with the gory details of these particular
technologies.
RISKS relevance? My concern is twofold:
1) Confusion between two apparently similar but in fact considerably
different systems can result in the risks of the one being *assumed*
to be identical to the risks of the other, when in fact this is not
the case. In the example at hand, there is no assumption of a right
of privacy when calling 911, but there is an assumption of such a right
when calling everyone else. These assumptions are made by the respective
systems, reflecting what is presumed to be the same assumptions made
by the general public. Viewing one system as though it were the other
changes the perceived risks.
2) Much of the discussion in RISKS on this topic (and others, of course)
is based upon incomplete information and therefore incorrect
assumptions about the technology involved. This is, I realize, a
general problem, and perhaps unavoidable. However, when discussing
the risks of technology, computer or otherwise, we need to take
particular care to base the discussion upon the facts, so that we can
discuss the risks of the system as it actually is implemented.
Dave Robbins, GTE Laboratories Incorporated, 40 Sylvan Rd., Waltham, MA 02254
------------------------------
Date: Sat, 10 Sep 88 00:25:03 EDT
From: attcan!utzoo!henry@uunet.UU.NET
Subject: Re: Display of telephone numbers on receiving party's phone
People are missing an important issue here: there is no one-to-one
correlation between the number you are calling from and your identity.
In particular, it is quite possible to have situations in which a call
is not anonymous -- in the sense that the caller has no intent to hide
his identity -- but does not want his location known. This is also the
underlying problem behind having phone solicitors calling from uncallable
numbers: what you want is identity and contact information, not just the
number used to make the call.
Henry Spencer at U of Toronto Zoology
------------------------------
Date: Thu, 8 Sep 88 08:38:56 PDT
From: postpischil%being.DEC@decwrl.dec.com
Subject: Social content of computer games
Ed Nilges writes of the decline of the social and moral content of games. But
he examines only a small number of games. Consider chess, that game which
allows players to act the roles of strategists without teaching them either the
misery of dying under a horse's hooves or the evils of a caste system. The
tactics are beautiful; the content is vile. Clearly it is not technology
encouraging any moral or social decline here. Perhaps parents should picket
chess clubs.
Nilges' examples are not representative of the games. The top character of
Punch-Out is black. Metroid features a character in a suit of high-tech armor.
If the player has done well enough at the end of the game, the character will
take her helmet off. Many games take the form of a quest to defeat evil --
Ghosts 'N Goblins, Legend of Zelda, Solomon's Key, Super Mario Brothers.
Popeye is supportive of the underdog. Games like Gauntlet or Mario Brothers
reward teamwork. Penguin Land requires that one learn to take care with a
fragile egg. There is a wide variety to be found in games, so one could find
examples of many things by concentrating on only certain features.
Computers have made games flashier, more fun, faster, and more visible, but
they have not changed the social content.
Eric Postpischil
------------------------------
Date: Sat, 10 Sep 88 00:25:26 EDT
From: attcan!utzoo!henry@uunet.UU.NET
Subject: Social content of video games
>How many computer professionals have noticed the continual technical
>improvement of video games in the past couple of years, and the
>concomitant decline of their social and moral content? ...
As has been pointed out in the past, this is silly. The social and moral
content of chess or Monopoly is also deplorable, looked at from the same
viewpoint. (Chess is a wargame; the objective of Monopoly is to drive
your friends and relatives into bankruptcy.) Video games only make it a
bit more obvious. Wargames, in particular, long predate video games.
Is it less moral to strafe the bad guys in a video game than to condemn
thousands of hypothetical troops to death by moving a counter on a board?
Which is more depersonalizing?
Henry Spencer at U of Toronto Zoology
------------------------------
Date: Wed, 07 Sep 88 17:30:40 EDT
From: Mark Moore <MARKO@s55.prime.com>
Subject: "Viruses Don't Exist" and the Marconi Mysteries...
I received one of those info-card packs (I forget from whom) as a result
of having my name and address sold by Dr. Dobb's. I filled out a few of the
cards and received a catalog from Public Brand Software, which is a shareware/
freeware clearing house based in Indianapolis, IN.
Here are a few quotes on from the third page of their catalog entitled
'Topic: VIRUSES'
'It seems like a couple of national magazines first thought up the concept
of MS-DOS viruses. Unfortunately, a lot of people read these magazines and
believe everything that they read. But let's get a couple of definitions
clear first.
virus, n. 1. a purposely destructive computer program that can
propagate itself by modifying other computer programs (such
as COMMAND.COM) to make them destructive. 2. a destructive
myth perpetrated to sell a product and/or fill editorial
space.'
The article goes on to claim that viruses are myths akin to friend-of-a-friend
stories; popular magazines are perpetuating the myths to have something
sensational to print; engineers are doing the same in order to sell vaccines.
They claim that they've searched high and low and can find no such thing as a
virus. 'Simply put, there is no such thing as a virus. There never has been.
Period.'
Sounds like a dangerous attitude to me.
On a different note... For those interested in a book which follows a plot
with a striking similarity to the Marconi incidents, try _The Chain of Chance_
by Stanislaw Lem.
------------------------------
End of RISKS-FORUM Digest 7.49
************************
-------