RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (06/30/88)
RISKS-LIST: RISKS-FORUM Digest  Wednesday 29 June 1988  Volume 7 : Issue 11

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Risks of answering machines (Dave Horsfall)
  Airline reservation crash (Dave Horsfall)
  Updates on Airbus crash (Duncan Baillie, Klaus Brunnstein, Laura Halliday)
  root typos (Joe Eykholt)
  "large-scale" disasters (Hinsdale, Ill.) (Tom Perrine)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
PLEASE use a relevant "Subject:" line, not just "RISKS DIGEST i.j...".  THANKS.
For Vol i issue j / ftp kl.sri.com / get stripe:<risks>risks-i.j ... .
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Sat, 25 Jun 88 16:19:31 est
From: Dave Horsfall <munnari!stcns3.stc.oz.au!dave@uunet.UU.NET>
Subject: Risks of answering machines

From the Sydney Morning Herald, 13 June 1988:

``Careless talk: it's a message machine

Alan wasn't at home when his girlfriend Donna called him yesterday morning.
Nor could he take his father's call.  Or a call from his other girlfriend,
Jenny.  I know this because Alan owns an answering machine just like mine.
It is so similar, in fact, that my remote control unit
_lets_me_listen_to_his_messages_ [emphasis mine!].

The machine in question is a Tandy, but the 'Herald' has discovered that
anyone can listen to messages left on most of the many thousands of answering
machines already in people's homes.  This is because most remote-control
answering machines have primitive codes, and many have none at all.

[ ... 14,000 like this sold in a three-week sale ... ]
[ ... how the remote tone coders work - just one of four tones ]
[ ...
Tandy had sold "tens and tens of thousands" of this model - the TAD-212 - and
similar machines in 2 years ... ]

Dick Smith Stores [a consumer electronics chain] also sell answering machines
which are activated by voice pattern.  [The product manager] said the group had
sold more than 20,000 such machines.  By talking for a set period of time,
keeping quiet for a set period of time, and then talking again, the machines
can be activated.  He said every machine responded to the same voice code.
"You would not recommend that anybody leave vital information on an answering
machine," he said.

Ms. Phillipa Smith of the Consumers' Association said the privacy and security
problems associated with these machines were "quite obvious".  "I think most
consumers would assume there was a built-in personal-identification system,"
she said.  "This really is an area where technology has outstripped the law."

Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz

------------------------------

Date: Sat, 25 Jun 88 14:33:39 est
From: Dave Horsfall <munnari!stcns3.stc.oz.au!dave@uunet.UU.NET>
Subject: Airline reservation crash (A new definition of "virus" ?)

The following appeared in "Computing Australia" (affectionately known as
"Confusing Australia") 20 June 1988 and appears to define a new form of virus:

``Virus shoots down flight reservations

Hundreds of travel agents in two states went offline after a virus caused a
system crash.  Staffs of Travel Industry Automated Systems (TIAS) last week
told of their "organised panic" as the virus spread through the Multi Access
Airline Reservation System (MAARS), which covers agents in New South Wales and
Queensland.

TIAS technical manager Michel Radecki said the virus appeared in the form of
corrupted statistical data on June 9 soon after software changes.  Software
supplier Memorex Telex said an onsite power interruption on the night of June
8 was believed to have caused the problem.
The company's manager of airline applications and support, Alan Sitters, said
data was not disk-converted [?] during the interruption, resulting in
incomplete information entry into the network.  He said the cause was external
and the MAARS software was not at fault.

Radecki said about 450 users were offline for several hours over two days as
Memorex Telex trouble-shooters joined inhouse staff to fix the problem.  TIAS
staff had shut the 275-user queuing system to pinpoint the fault, but the
virus quickly spread to the reservation system and information database, he
said.  [...]  He said the software changes had been made about one week before
the crash to test the integration of American Airlines [!] into the system.
The TIAS network already had access to 35 airlines' reservation systems.''

So, a power failure causes corruption of input data, and with no apparent
sanity-checking, goes on to corrupt other data.  Is this a virus?  If it looks
like a crow, and sounds like a crow...

--
Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz
dave%stcns3.stc.OZ.AU@uunet.UU.NET, ...munnari!stcns3.stc.OZ.AU!dave

------------------------------

Date: 29 Jun 1988 0950-WET (Wednesday)
From: Duncan Baillie <dmb%lfcs.edinburgh.ac.uk@NSS.Cs.Ucl.AC.UK>
Subject: Update on Airbus crash

The airbus story seems to have been dropped from today's news, probably being
overshadowed by the Paris train crash (which killed 57).  There were some more
details yesterday, but I don't have them to hand.  It seems however that the
blame for the crash is being placed squarely on pilot error.  Apparently the
pilot had TURNED OFF the computer for the demonstration flight and was flying
the aircraft at 30 feet, 70 feet below the minimum safety level.  The pilot has
said that he requested more power from the engines but it arrived too late
(from film of the accident you can hear the power coming on just when the
plane clipped the top of the trees).
I believe that manslaughter proceedings may be brought against the pilot.
British Airways have stated that they are satisfied the cause of the crash was
not any design fault in the aircraft and have resumed service with their own
A-320s.

It is amazing that more lives were not lost in the crash as there was a large
explosion a few seconds after the plane came down.  The only recognizable
features in the burnt out wreckage are the tailfin and part of the left wing.
The plane's automatic escape chutes, which opened as soon as the plane
crashed, seem to have been the reason that so many people were able to leave
the plane so quickly.  Many people clearly have this safety feature to thank
for their lives.

In accidents such as this there are usually some other contributory factors
but for the moment pilot (and co-pilot) error is the main source of blame.

The risks: perhaps the major risk was the lack of faith the pilot had in the
computer (French pilots have been voicing concerns for some time about the
aircraft's safety) so the major question is why was the computer turned off?

------------------------------

Received: from RELAY.CS.NET by KL.SRI.COM with TCP; Wed, 29 Jun 88 06:10:07 PDT
From: Klaus Brunnstein <brunnstein%rz.informatik.uni-hamburg.dbp.de@RELAY.CS.NET>
Subject: Re: Airbus A 320 crash - risk of `Fly by Wire'?

West German newsmedia began to report about possible risks of the Fly-by-wire
technology of the Airbus A-320 only after a spokesman of Cockpit, an
international pilots association, said that his organisation had severe doubt
about the `official' version (as having been published by the responsible
French minister a few hours after the accident) that the pilot made severe
mistakes.  In the meantime, public authorities in France, UK and Germany as
well as Airbus Industries (through the chairman of the board, MP Strauss from
Bavaria) interpret video-films showing the `demonstration flight' including
the final phase with the following arguments:

1.
   `demonstration flights' aimed at demonstrating the aerodynamic limits (e.g.
   low height, low velocity) are only allowed without passengers, with a small
   amount of kerosene and only with specially educated test pilots; since
   Mulhouse airport is only a very small airport, a demonstration flight would
   never have been allowed by the French authorities; the two French pilots,
   though Air France's most experienced Airbus pilots, were not properly
   educated;

2. the pilots have (against rules) switched to `manual control'; as can be seen
   in the videos, the plane was as low as 30 feet at a velocity of only 140
   knots; the trees shortly after the end of the runway were about 40 feet
   tall, but the pilots could not see the tree-tops because of the elevation of
   the plane's nose in the simulated landing procedure;

3. while the pilots say that the engines did not follow their signal
   `speed-up', the officials say that this signal was given too late; assuming
   that the simulated approach was done under `running idle' conditions, the
   engines need 8-10 seconds to accelerate to max. RPM; from the moment where
   the engines really began to accelerate until the moment where the plane
   reached the top of the first trees, only 5-6 seconds had passed.

Despite the official version (which allowed the French, UK and German Airbus
A-320 planes to be in the air again after 1 day of flight prohibition),
several questions are unanswered:

a. Did the pilots fly under `manual control' (as the officials argue, while
   some experts said that such a mode does not exist for simulated landing)?

b. If under manual control, did the pilots fly (contrary to experienced
   behaviour) with the engines running idle (then needing 8-10 seconds to
   accelerate the engines), or did they run with `drag gas' (German:
   Schleppgas) after which the engines need only 2-4 seconds for maximum RPM?
   In both cases, why did the engines only react on gas-giving with
   retardation?
   (Cockpit officials say that experienced pilots fly such manoeuvres with
   drag gas: this reaction time would have allowed them to avoid the accident
   when all other technical conditions are in good order; they trust their
   colleagues' statement that the engines did not react instantaneously, and
   they continue to speak of a technical problem)

c. Was the demonstration flight authorized?  The Airbus was transferred to Air
   France only 2 days before, and evidently this was its public maiden flight.

The very fast reaction of government and industry is not surprising: Airbus
Industries hopes to build and sell more than 500 Airbus A-320 models in the
next 10 years.  Though the governments of France, UK and FRG are responsible
for airtraffic safety, they have also invested more than 10 Billion Dollars
into the diverse models, and they are interested in minimizing the risks from
price guarantees which they have also taken over for the A-320.  It seems
rather doubtful whether guaranteed security was the reason that the
responsible French minister excluded any technical risk before technical
investigations could have given enough evidence.

Though severe problems with computerized equipment in military aircraft have
recently drawn public interest to safety in airtraffic, the A-320 accident for
the first time draws public attention to risks of overreliance on computers.
Officials as well as technicians argue that the technical system is much safer
than any other plane before or even today; if there is any risk, then it is
`only the risk of the human operators'.  If you leave the `holistic approach'
aside (according to which the security of a system consisting of humans and
machine is not greater than the least secure component), there remain also
design considerations to be analysed: If a pilot cannot see, in the typical
approach configuration `nose up', the ground several 100 meters before his
nose, is it responsible to have a `manual landing mode' at all?
(In this case, the demonstration of slow, low flight would have been
impossible, but also no victims!)  As pilots' control involves human errors,
automatic control also involves human decisions, namely those of designers and
programmers; even if they were flight experts, they cannot foresee (not only
in today's limitations, but generally) all situations of the `real application
situation'.  A totally computerized system like the A-320 where no mechanical
aid helps to correct electronic shortcomings is by its very design principles
less adaptable to unforeseen real world events.  Unfortunately, it is not so
improbable that several more accidents may falsify the official optimism which
describes this plane as `the most secure plane ever built'; but fortunately,
public media begin (at least in FRG) to wake up from such dreams.

Klaus Brunnstein   Univ.Hamburg  FRG

------------------------------

Date: Mon, 27 Jun 88 09:48:58 PDT
From: Laura_Halliday@mtsg.ubc.ca
Subject: re: Four killed as Airbus crashes  [Actually Three?]

In an interview on the BBC World Service this morning, an aviation expert
commented that some pilot errors cannot be easily remedied by computer.  In
particular, once the landing gear is down, the on-board computers assume that
the pilot intends to fly the plane down to ground level, otherwise the A320
could not land until it ran out of fuel.  This implies the existence of
elaborate lockouts - what if the pilot intends to make a wheels-up landing
(for whatever reason)?

Laura Halliday   laura_halliday@mtsg.ubc.ca

------------------------------

Date: Tue, 28 Jun 88 17:38:51 PDT
From: jre@Sun.COM (Joe Eykholt)
Subject: root typos (could happen to anyone)

How about "rm *>o" instead of "rm *.o"?  This can be caused on many keyboards
by holding the shift key down a little bit too long.  Don Sterk at Amdahl
pointed this one out to me, after it happened to him once.  The shell creates
the file "o" then rm removes it and everything else.
Joe Eykholt

------------------------------

Date: Tue, 28 Jun 88 14:16:18 PDT
From: hamachi!tots!helix!tep@nosc.mil (Tom Perrine)
Subject: "large-scale" disasters (Hinsdale, Ill.)

A few questions and comments about disaster planning and the recent Illinois
Bell central-office (CO) fire in Hinsdale Ill.

This seems to be the first time that such a relatively small fire has destroyed
so much communications capability.  The Hinsdale CO was apparently carrying
most (if not all) of the communications traffic for lots of large,
information-intensive businesses.

*** Is this CO typical of others around the country?

Many (or most) of the companies involved had placed the probability of
interruption of the carrier's service as fairly low.

*** Is this typical of companies that depend on communications common-carriers?

According to interviews in "Network World," many of the network managers of
the affected companies were "shocked" at the lack of a fire-control system.
This has led to threats of litigation.

*** Any comments?

Even though this was a communications failure, and no customer's equipment was
damaged, several companies were forced into their full-scale disaster plans,
because they either had not addressed loss of communications separately or
these "mini-disaster-plans" were not workable (e.g. the backup phone lines also
went through the same CO).  This is *much* more expensive than just restoring
communications would have been (United Stationers, Inc. spent nearly $600,000
to move to its backup data center).

*** How many companies would be in the same situation if this happened to them?

Has anyone (or any organization) announced plans to try to conduct a
large-scale multi-company post-mortem examination of the incident?  This would
appear to be a golden opportunity to examine a wide range of disaster plans,
produced by many different organizations and determine which features of each
plan were most or least useful.
This could lead to better overall disaster planning for the industry as a
whole.

Tom Perrine   hamachi!tots!tep@NOSC.MIL  (last resort: Perrine@DOCKMASTER.ARPA)
Logicon (Tactical and Training Systems Division)  San Diego CA  (619) 455-1330

------------------------------

End of RISKS-FORUM Digest 7.11
************************
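Returning to Joe Eykholt's "root typos" item above: the script below is an added illustration written for this edition, not part of the digest or of any contributor's post. It reproduces the `rm *>o` slip inside a throwaway directory created with mktemp, shows what a POSIX sh leaves behind (the shell expands the glob before it performs the redirection, so the only survivor is the stray `o` the redirect created), and checks the common assumption that the shell's noclobber option would catch the mistake. The file names (main.c, util.c, main.o, util.o) are constructed, and the helper names (make_workdir, list_dir, run_typo, run_intended, run_typo_noclobber, run_typo_noclobber_existing) are this example's own; it assumes a POSIX sh with mktemp and paste available.

```sh
#!/bin/sh
# Added example, not from the RISKS digest: reproduce the "rm *>o" slip in a
# throwaway directory and see what a POSIX shell actually does with it.

# Populate a fresh temporary directory with constructed files (two sources,
# two objects) and print its path.
make_workdir() {
  d=$(mktemp -d)
  for f in main.c util.c main.o util.o; do : > "$d/$f"; done
  printf '%s\n' "$d"
}

# Print the directory's entries as one sorted, comma-separated line.
list_dir() {
  ls -A "$1" | sort | paste -sd, -
}

# The slip itself.  A POSIX shell expands "*" first (main.c main.o util.c
# util.o), then performs the redirection, creating an empty "o", then runs
# rm on the expanded list.  Everything the user had is gone; the only thing
# left is the stray "o" the shell created for the redirect.
run_typo() {
  d=$(make_workdir)
  ( cd "$d" && rm *>o )
  list_dir "$d"
}

# What was meant: only the object files go.
run_intended() {
  d=$(make_workdir)
  ( cd "$d" && rm *.o )
  list_dir "$d"
}

# Caveat: noclobber (set -C) only refuses to overwrite an EXISTING file, and
# "o" does not exist yet, so it changes nothing here.
run_typo_noclobber() {
  d=$(make_workdir)
  ( cd "$d" && set -C && rm *>o )
  list_dir "$d"
}

# Only when a file named "o" already exists does noclobber stop the command:
# the redirection fails, so rm never runs and every file survives.
run_typo_noclobber_existing() {
  d=$(make_workdir)
  ( cd "$d" && : > o && set -C && rm *>o ) 2>/dev/null || true
  list_dir "$d"
}

printf 'rm *>o            -> %s\n' "$(run_typo)"
printf 'rm *.o            -> %s\n' "$(run_intended)"
printf 'set -C; rm *>o    -> %s\n' "$(run_typo_noclobber)"
printf 'o exists, set -C  -> %s\n' "$(run_typo_noclobber_existing)"
```

Run it as `sh typo.sh`; every run works in its own mktemp directory, so nothing outside it is touched. Two points worth taking from the output: noclobber is not a guard against this slip unless the redirect target happens to exist already, and `rm -i` writes its prompts to standard error, so the prompts still reach the terminal when standard output has silently been sent to a file, which makes an interactive `rm -i` alias one of the few cheap defences that survives the typo.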