RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (06/27/88)

RISKS-LIST: RISKS-FORUM Digest  Monday 27 June 1988  Volume 7 : Issue 10

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Four killed as Airbus crashes (Duncan Baillie)
  Laziness as an excuse (Matthew P Wiener)
  Privacy vs. Security (Larry Hunter)
  Re-using government databases (Amos Shapir)
  Root Bloopers (Doug Krause)
  Problems with VARs (Hal Norman)
  Fail-safe ATMs (Steve Philipson)
  Malicious Code Reports (Joseph M. Beckman)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. PLEASE use a relevant "Subject:" line, not just "RISKS DIGEST i.j...". THANKS.
For Vol i issue j / ftp kl.sri.com / get stripe:<risks>risks-i.j ... .
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: 27 Jun 1988 0953-WET (Monday)
From: Duncan Baillie <dmb%lfcs.edinburgh.ac.uk@NSS.Cs.Ucl.AC.UK>
Subject: Four killed as Airbus crashes

This is how the Airbus crash in France was reported on the front page of the Guardian. Unfortunately it is rather short on facts but no doubt these will follow.

From The Guardian, June 27 1988 (copied without permission).
by Paul Webster, Michael Smith, Peter Murtagh.

At least four people were killed and at least 30 more unaccounted for last night after a European Airbus using a controversial computer controlled flying system crashed into a forest during a demonstration flight at an airshow in eastern France.

British Airways and Air France suspended further flights of the plane, the A-320 which is Europe's most advanced passenger aircraft and is built by a French, British, West German and Spanish consortium.
British Airways has had two A-320s in service since the spring and orders for a further eight. The future of the aircraft, in which British Aerospace has a 20 per cent stake worth 450 million pounds, and builds the wings and tailpiece, will be placed in doubt after yesterday afternoon's crash, the first disaster to hit the new generation of European Airbuses.

The plane, carrying 127 guests, airshow joyriders and journalists, was flying low over the small airport at Habsheim, about 10 kilometres from Mulhouse in southern Alsace when the pilot let down the undercarriage and made two passes over the local aeroclub buildings. As he turned the plane the wheels caught the tops of the pine trees and plunged into the forest. It burst into flames shortly afterwards but many of those on board appeared to have escaped. Reports of people trapped inside could not be confirmed but the French authorities said that about 100 passengers had been injured, two of them seriously.

A policeman among the first on the scene said "The plane did not go into a nose-dive. It belly flopped onto the trees." The pilot, who had minor head injuries, told a rescuer: "I tried to accelerate but the plane did not respond."

A photographer among the passengers said the aircraft was turning when there was "a noise as if we were travelling along a bumpy road". He saw the tops of the trees and the plane caught fire near the cockpit when it came to a standstill. He said: "There was no panic and I only saw one woman passenger who seemed seriously hurt. She was quite badly burned," he added.

The narrow bodied plane, designed for short to medium-range flight, went into service only last Thursday with Air Inter, the internal French airline, where pilots have been protesting for more than three years about its safety. In spite of warnings that the plane's two-man cockpit, without room for a flight engineer, was potentially dangerous, 21 airlines have ordered 522 of the planes.
The crash could not have come at a worse time for the Airbus whose reputation has been built on an impressive safety record since its first model went into production 18 years ago. The A-320 is the first civilian aircraft to use a computer-controlled flying system known as "fly-by-wire". This replaces the conventional stick and rudder control with three computers and miles of electronic cables, leaving the pilot with a "sidestick" like the control arm on a video game. The pilot uses it to direct the computers but they direct most of the instruments. However, if the pilot makes an error or unreasonable demands on the engine, the computer can over-rule his command.

Last night Professor Bev Littlewood, of the software engineering department at the City of London University, questioned the system's safety. He said: "We have gone so far along the rocky road of computer control, it is now hard to ask fundamental questions about critical safety areas."

Last year, the A-320 system was criticised by Mr Brian Perry, head of Avionics and Electrical Systems for the Civil Aviation Authority. He said: "It's true we are unable to establish a fully verifiable level that the A-320 software has no errors. It's not satisfactory but it's a fact of life".

An Airbus spokesman said: "Airbus planes have flown over 5 million hours. In all cases the aircraft was not to blame". There have been three crashes involving Airbuses but none had caused casualties, he said.

------------------------------

Date: Sat, 25 Jun 88 08:38:59 pdt
From: weemba%garnet.Berkeley.EDU@violet.berkeley.edu (Matthew P Wiener)
Subject: Laziness as an excuse

This is forwarded from Robert L Park's "What's New" in the physics group, dated 24 June 88:

3. RESTRICTIONS ON ACCESS TO UNCLASSIFIED DOE TECHNICAL REPORTS came to light when the DOE's Office of Science and Technology Information offered "some limited reports" to university libraries if they would agree to grant access only to government agencies and principal investigators on DOE contracts. Most libraries refused on principle, but they wanted to know what they weren't getting. In response to a Freedom of Information request from the National Security Archive, however, DOE refused even to provide a list of titles, claiming the information was stored in a computer and thus could be retrieved only by writing a new program! The Office of Hearings and Appeals last week overruled DOE, pointing out that agencies would otherwise be allowed to conceal information simply by putting it in computerized form.

ucbvax!garnet!weemba   Matthew P Wiener/Brahms Gang/Berkeley CA 94720

------------------------------

Date: Thu, 23 Jun 88 11:52:00 EDT
From: Larry Hunter <hunter-larry@YALE.ARPA>
Subject: Privacy vs. Security

I recently applied for a job that would require a security (Q) clearance. I was handed a form for "pre-employment screening" that any job offer would be contingent upon. I was surprised by the invasiveness of the form I was being asked to sign:

"I hereby authorize the [employer] and its agents to inspect, copy or photostat any or all documents pertaining to my financial records, my education records, my personal references, my employment records, and local law enforcement records as they pertain to me.
`Documents' shall be construed in its broadest sense including any original, reproduction, or copy of any kind of written, printed, recorded, documentary material (or drafts thereof), or graphic matter regardless of the medium on which it is produced, reproduced, or stored, including, but not limited to, correspondence, memoranda, inter or intra-office communications, notes, diaries, calendars, contract documents, publications, calculations, estimates, vouchers, minutes of meetings, invoices, reports, studies, computer tapes, computer cards, photographs, negatives, slides, dictation belts, voice tapes, telegrams, notes of telephone conversations, and notes of any oral communications."

Note that there is no time limit on this authorization, and that this is merely pre-employment screening, not yet an application for a clearance. Have all of you folks with clearances agreed to something similar? Is national security incompatible with the personal privacy of those who are aware of security matters?

Larry Hunter, hunter@yale.edu

------------------------------

Date: 17 Jun 88 12:13:14 GMT
From: nsc!taux01!taux01.UUCP!amos@Sun.COM (Amos Shapir)
Subject: Re-using government databases

The Israel Broadcasting Authority is a semi-independent agency, funded in part by a tax on radio and TV sets (called, for historical reasons, 'TV license fee'). Anyone owning a TV or renting one should inform the IBA of this fact, so they know where to send the bill. Naturally, many people evade the tax by not informing the IBA when they move.

This week, the IBA used a computerized database to send all people older than 26 and listed as living with their parents, letters informing them that the law requires that any change of address be reported to the IBA. The assumption is that most of these people no longer live with their parents, have their own untaxed TV sets, and that their parents will forward the message.
I don't know what database they have used, since I also got such a letter, but have not been living with my parents for years.

Amos Shapir
National Semiconductor (Israel), 6 Maskit st. P.O.B. 3007, Herzlia 46104, Israel
Tel. +972 52 522261   amos%taux01@nsc.com

------------------------------

Date: Thu, 23 Jun 88 03:43:09 -0700
From: Doug Krause <dkrause@orion.cf.uci.edu>
Subject: Root Bloopers

Try typing 'kill 1' when you really mean 'kill %1'.

Douglas Krause, University of California, Irvine

------------------------------

Date: Fri, 17 Jun 88 9:07:43 PDT
From: norman@devvax.Jpl.Nasa.Gov (Hal Norman)
Subject: Problems with VARs

In response to Jerry Harper's troubles with a VAR, I have had (am currently having) a similar problem. I bought an XT clone for my home use from a "reliable" VAR. It came with a 1 year warranty. About 4 months after I bought it, it started making horrible noises. I opened it up and it was the fan on the power supply (PS) that was making the noise. I called my VAR and was told to return either the whole unit and they would replace the PS or just bring in the PS and get a new one. So I removed the PS and took it in for replacement. The owner was not there at the time and an employee exchanged it for me. I made the mistake of not getting a receipt showing the serial numbers of both power supplies (the bad one and the replacement).

About a week later I got a call from the owner claiming that I had foisted a bogus PS off on him. He was quite irate, claiming he had never ever carried the brand of PS I had returned and wanted me to pay him $60 for the replacement. I copied my original receipt (with the PS serial number) and sent him a copy, but he claims it doesn't match the one I returned and still demands $60. Meanwhile, the replacement PS developed the same fan problem as the original and had to be replaced. I took it in and he replaced it, but is still irate and wants $60.
I told him to send me a bill, and as soon as I get the bill I would file in small claims court and we could let the Judge sort it all out and decide how much, if any, I owed him. I have not yet gotten the bill.

The point is, when you buy something as complex as a computer, make sure you get a receipt signed by the VAR specifying ALL the serial numbers of ALL the components and verify that the list is correct. Then, if you should have to take it back for warranty repair, make sure you get a receipt for any swapouts indicating BOTH the serial number of the new unit AND the serial number of the bad unit.

Hal Norman

Disclaimer: These are my personal opinions and are NOT to be construed as those of my employer.

------------------------------

Date: Wed, 22 Jun 88 15:46:31 PDT
From: Steve Philipson <steve@aurora.arc.nasa.gov>
Subject: Fail-safe ATMs (RISKS-7.9)

In RISKS 7.9 dcatla!mclek@gatech.edu (Larry E. Kollar) writes:

> The ATMs around Atlanta always give you a receipt, whether or not ...

In California, Security Pacific's ATMs (part of the STAR System) issue a message that the machine is out of receipts, and ask if you want to proceed. You can still make transactions, but as we have seen, there is a higher degree of risk.

Many ATM transactions don't generate a receipt. Account balances, for example, are displayed only on the electronic display and no receipt is given. There is no way that receipts can cover all contingencies. A machine that will not operate if it is out of receipts reduces the magnitude of the problem, but what happens when the receipt producing mechanism fails, either by the print mechanism, feed mechanism, or receipt quantity sensor failing? A good design should try to minimize abnormal transaction termination, but it must also have provisions for unanticipated failure modes to be handled gracefully -- soft failures instead of hard failures. Audit trails sometimes get screwed up, too.
It seems that in order for all parties to get maximal protection from errors, there should be multiple independent levels of redundancy and record keeping. Independent video tapes of the customer AND display screens would provide a mechanism for resolving discrepancies, but I know of no systems that use this technique. Many ATMs look like they have cameras to monitor customer (ab)use, but often it's just a dummy camera to discourage vandalism.

Even telephone systems to report problems won't catch everything. Failed transactions may not make it clear that a problem needing correction occurred, so there would be no reason to report it. We're a long way from making automated systems foolproof. Thus we must monitor such systems and not let the service providers call all the shots.

------------------------------

Date: Thu, 23 Jun 88 15:40 EDT
From: "Joseph M. Beckman" <Beckman@DOCKMASTER.ARPA>
Subject: Malicious Code Reports

As a member of the National Computer Security Center, I am asking for direct contributions of reports on malicious software. Please report computer viruses, trojan horses, or other forms of offensive software. I and the Center will use this information to track attacks, gain an understanding of system vulnerabilities, and develop defenses. Please send your reports to: SOFTWARE @ DOCKMASTER.ARPA.

Joseph

P.S. If the information is proprietary or not-to-be-shared, please indicate on the report. The NCSC shares some information with NBS. I will try to release summaries or abstracts to RISKS (of the non proprietary/secret variety); although it may formally come through NBS.

------------------------------

End of RISKS-FORUM Digest 7.10
************************