precedence: bulk Subject: Risks Digest 21.33 RISKS-LIST: Risks-Forum Digest Sunday 8 April 2001 Volume 21 : Issue 33 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Software direct cause of December 2000 Osprey crash (Peter B. Ladkin) Computer cords used in escape from police custody (Ulf Lindqvist) WRQ/Reflection and DST (Marc W. Mengel) Dutch government report on privacy (Peter Fokker) Proposed "open" development of voter data standards launched (David Marston) Re: MS Word: Ohm, SaveAs Watt (Markus Peuhkuri) Re: Windows 2000 source code (Dave Aronson) Re: April Fools items (Ursula Martin) Re: When security is based on trust (Ken Cox) What's in you server room? (Audun Arnesen Nordal) Re: tax returns (Wendy Grossman, Paul Ward) Re: identity theft (Chris Viles) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sat, 07 Apr 2001 10:25:28 +0200 From: "Peter B. Ladkin" Subject: Software direct cause of December 2000 Osprey crash Two recent documents have appeared concerning the Osprey, the U.S. Marines' V-22 tiltrotor aircraft intended as the replacement for certain of its aging helicopter fleet. Various problems during Osprey development, including the crash whose cause is related here, have already been reported in [Ladkin et al, RISKS-21.20]. One document is the U.S. General Accounting Office (GAO) briefing material on its inspection of the Osprey development program, GAO-01-369R "Defense Acquisitions: Readiness of the Marine Corps' V-22 Aircraft for Full-Rate Production", which may be found by searching at http://www.gao.gov for term "Osprey" and Keyword "V-22". I highly recommend reading this material to anyone interested in the development of complex systems with crucial computer-based components. It contains some astounding material. I shall not comment further in this note on this document. The other is the text of the briefing upon release of the JAG report into the cause of the December 2000 Osprey crash during a training mission, at http://www.defenselink.mil/news/Apr2001/t04052001_t405mv22.html (thanks to Ken Garlington for the link). First, some details as to how the Osprey functions. It has an engine and a propeller-rotor, bigger than a normal propeller and smaller than a normal helicopter rotor, on the end of each wing. The engine nacelles (structures holding engine and rotors) rotate between roughly vertical (when the aircraft is said to be in "helicopter mode") and horizontal ("airplane mode"). This configuration allows the advantages of a turboprop airplane, such as speed, en-route, but those of a helicopter for take off and landing, and other functions such as loading and offloading personnel and cargo while hovering. This technology has been tested for over twenty years in prototypes such as NASA's XV-15, and the MV-22 is the first attempt at a large production tiltrotor vehicle for use in military missions. Some words now about flight control. A helicopter rotor has two basic means of adjustment. The angle of the blades can be adjusted relative to the plane of rotation ("pitch"), either uniformly for all blades ("collective pitch"), or differentially in a specific orientation relative to the aircraft body ("cyclic pitch"). This is accomplished by allowing the blades to pivot or flex about their longitudinal axis, and controlling this flexing via rigid connections from the blades to a "swash plate", which is like a large, loose washer around the rotor spindle back of the rotor. To obtain "collective" control, the swash plate is moved uniformly up and down the spindle to flex the blades together into the desired position. To obtain "cyclic" control, the swash plate is tilted on the spindle in a fixed direction relative to the aircraft body, to produce differential lift in this orientation. An airplane turns by producing differential lift on its wings (by altering their shape via ailerons) but only has two directions in which to do this; the helicopter has full 360-degree freedom in this regard. The third helicopter flight control is the power generated by the engines. In addition, the Osprey has a flight control which consists in rotating the nacelles to various positions between horizontal and a little past the vertical. Much of the flight control has to be adjusted automatically for the conditions of flight and is not freely controllable by the pilot. It is a "fly-by-wire" (FBW) machine. I find the technology remarkable, and wish it every success, which success no longer appears to be guaranteed, thanks amongst other things to the understanding of the causes, including institutional ones, of the two crashes in 2000. The briefer, General Berndt, explained what happened in December as follows. The aircraft was flying at about 160kts and the nacelles were transitioning from airplane to helicopter mode. At that point, a flight control system hydraulic line the left nacelle ruptured under pressure. The nacelle transition was stopped, as per design. These lines are titanium, 22/1000 inch thick, and operate at pressures of 5,000 psi (rather than the more conventional 3,000 psi or so of modern helicopters. Specific requirements other than those of flight control, for example weight and payload requirements, apparently necessitate this high pressure design). The rupture was caused under loading of the system to operate the swash plate, at a weak point caused by chafing of the line against a wire bundle. (I understand that titanium, whilst light and strong, is also quite brittle.) Such chafing has been noted in maintenance reports since July 1999, and some chafing was found on all remaining Ospreys during post-crash inspection. This is apparently a generic problem that has not yet been solved. The aircraft had been properly maintained, and it was ahead of its maintenance schedule, having completed its 210-hour inspection already by 157 hours, its total time at crash. (General Berndt phrased this as being in "excellent shape", but the aircraft evidently wasn't; I think he must have meant that the aircraft was properly determined to be in "excellent shape" by the maintenance procedures. It is becoming recognised in aviation maintenance circles that the inability to inspect certain regions of wire bundles and other lines often allows some dangerous deterioration to go undetected.) There are three partially-independent hydraulic systems for flight control. The line that ruptured was common to both the number one and number three systems at that point. The loss of fluid was rapid; the number one system was taken off-line immediately and a shut-off valve isolated the number three system on that side, rendering it inactive on the left, although it remained active on the right side. The number two system carried on as it should have. This form of partial redundancy likely means that it takes two independent failures to cause a total hydraulic flight control system loss. Losing your flight control is catastrophic; design principles and regulations say there should be no possibility of a single point of failure, so two is minimum. And an independently ruptured number two line at that point would have caused total loss of swash plate control on the left, so it seems that catastrophic failure can indeed be caused by certain combinations of two failures. The machine was left with one operating hydraulic swash plate control system on one side, and two operating systems on the other, but should have been able to fly normally without discernible disturbance to control. However, there is a Primary Flight Control System (PFCS) reset button available to the pilots. It illuminates under certain circumstances. When illuminated, it should be pressed, which resets the flight control system computers to a known, "safe" state. It illuminated, the crew pressed it to reset the system. This is intent, design, and correct standard procedure. However, what happened then was unplanned, unforeseen, and uncontrollable. The effect of the reset on the state of the actual flight controls in these circumstances should have been nothing. It is easy to see this: one has lost a hydraulic system, partially lost another, but one wants to continue without interruption using the remaining "assets" whilst isolated the problem as far as possible, and that happened up to that point according to design plan. However, "no change" is not what the PFCS computers commanded. They apparently commanded changes in rotor pitch and thrust, which became rapid fluctuations. The crew repeatedly recycled the reset. These flight control changes happen via the swash plate. Because of the reduced control power on one side (pressure from one hydraulic system) compared with the other (pressure from two), the rotors responded at different rates to the rapid command changes, as a matter of mechanics. This caused large fluctuations in flight state, control was lost and the aircraft crashed, from an altitude of around 1,600ft. All this happened inside about 30 seconds. The crew is completely without fault in the accident. General Berndt noted the JAG team was tasked only with determining the course of events and the immediate causes. He therefore had no comments on other aspects of the program, or how this crash will impact procedures in particular or the program in general. There are some general points to note. First, the aircraft crashed because of two presumably independent failures: the hydraulic system failure and then the PFCS command failure. So there is no apparent reason to question the fundamental design principles, which both require two independent failures for catastrophe, and (as we have noted) allow it. Second, the first failure was dealt with as designed. The failed system component was isolated as designed and the remaining systems were able to carry out the designed task. Third, the PFCS command failure, which the JAG team has said is a software failure, was completely unplanned and unexpected. The SW caused a "control excursion" and it should not have. General Berndt has said it is "an anomaly in the control logic in the computer software control laws" which seems as if it would be a design failure. But in response to a question, General Berndt suggested he couldn't actually be that specific. General Berndt was asked who provided the SW. He said he didn't know. A member of the audience said that Bell was the primary software provider. He replied "but they may subcontract". According to James Dao of the New York Times, reporting on 6 April, 2001, the software was written by BAE Systems (the former British Aerospace) and integrated with the hardware by Boeing. (Thanks to John Rushby for this information.) Peter B. Ladkin ------------------------------ Date: Sat, 7 Apr 2001 21:02:00 -0700 (PDT) From: Ulf Lindqvist Subject: Computer cords used in escape from police custody >From Swedish newspaper *Aftonbladet* April 7, 2001, http://www.aftonbladet.se/vss/nyheter/story/0,2789,46262,00.html An 18-year old man arrested for kidnapping and several counts of aggravated robbery escaped from his cell by breaking the window open and using computer cords to climb down. He had been placed in solitary confinement because of the risk that he could interfere with the investigation if in contact with other suspects. The isolation affected his mental health, so the officers let him play computer games for recreation. The computer was in the only cell in the jail where the window could be partially opened. The suspect used a chair to force the window open and used the cords from the computer to climb down to the roof of another building. This was the second escape ever from the police jail in central Stockholm, which has been in operation since 1975. I wonder whether this escape will be marked as a computer-related crime in the statistics? Translated and edited by Ulf Lindqvist, System Design Lab, SRI International, 333 Ravenswood Ave, Menlo Park CA 94025-3493, USA +1 650 859-2351 http://www.sdl.sri.com/ ------------------------------ Date: Mon, 02 Apr 2001 12:20:03 -0500 (CDT) From: "Marc W. Mengel" Subject: WRQ/Reflection and DST Here at Fermilab we've been rolling out a Strong Authentication Project, and for Windows NT systems we've been using a package called Reflection from WRQ. This morning, NT users were unable to authenticate to the kerberos keyservers unless they disabled the Windows setting to "automatically adjust for daylight savings time". Of course, with this setting off, all the time displays on the system are off by an hour, but users can log in to our secure-realm systems with kerberos. Note that the Windows2k software that does kerberos directly was apparently not affected, only the third party software for Windows NT. Marc Mengel ------------------------------ Date: Sat, 31 Mar 2001 14:21:17 +0200 (CEST) From: Peter Fokker Subject: Dutch government report on privacy Dutch government advised to give citizens Web access to 'digital vault' with their personal information. On 29 Mar 2001, Roger van Boxtel, the Dutch minister responsible for ICT issues, received the first copy of the report prepared by the "Commissie Modernisering van de GBA" (Committee for Modernising the Basic Municipal Civil Registry). The committee's task was to present proposals to make the Civil Registry more accessible and at the same time give citizens a stronger position in their relationship with the government. In this report, the committee advises the minister that all citizens should be provided with a personal 'digital vault' which would contain selected personal data, taken from a person's "administrative history" in the Civil Registry, including name, address and SoFi number (SSN). Citizens should be able to add even more information to their vaults, such as financial information or data regarding their health. Selected government agencies, such as the Belastingdienst (IRS) and the police, would be given access to these vaults. It is up to the citizen to give other institutions and/or companies access. The committee stipulates that no citizen should be forced to actually use the digital vault and that citizens should not be forced by third parties to provide information from the vault. The digital vault is to be made accessible through the website of the municipality where the citizen resides. In the future, the proposed electronic Dutch Identitycard, with biometric authentication, could be used as the key to unlock the vault. More information (in Dutch) on Roger van Boxtel's own site: http://www.ministervanboxtel.nl/asp/page.asp?id=i000673&version=nl Why do I have the feeling that many RISKS are lurking here? I have a savings account and a safe to store valuables at a bank of my choice. If I am not satisfied, I select another bank. Why would I want to store valuable personal information in the town hall? How can I be sure that my 'digital vault' is indeed safe and that my safe will not be cracked? How can I be sure that there is no possibility that a third party (a cracker) can take over my vault and hence my identity? How long will it take before such a vault is mandatory? Will I be able to prevent the municipality from creating a vault for me or will they do it anyway? On the other hand: if ever one of these vaults is cracked and something nasty happens with someone stealing my identity, I can always say it wasn't my vault. Peter Fokker ------------------------------ Date: Thu, 29 Mar 2001 22:59:57 -0500 (EST) From: David Marston Subject: Proposed "open" development of voter data standards launched The Organization for the Advancement of Structured Information Standards (OASIS, http://www.oasis-open.org) is starting an effort to standardize an XML vocabulary and related software concerning elections. There could be RISKS of overly free interchange of voter registration data, as well as previously-noted concerns about Internet-based voting. Further, some may view this as a move by election.com to gain early-entrant advantage that could scare away development of competing technology, but I think the OASIS process promotes competition where it matters. Quoting from the first announcement: A new OASIS technical committee is being formed. The Election and Voter Services Committee has been proposed by Gregg McGilvray, election.com (chair); Oliver Bell, Microsoft; and Ed McLaughlin, Accenture. Purpose: To develop a standard for the structured interchange of data among hardware, software, and service providers who engage in any aspect of providing election or voter services to public or private organizations. The services performed for such elections include but are not limited to voter role/membership maintenance (new voter registration, membership and dues collection, change of address tracking, etc.), citizen/membership credentialing, redistricting, requests for absentee/expatriate ballots, election calendaring, logistics management (polling place management), election notification, ballot delivery and tabulation, election results reporting and demographics. Implementation: The standard under development by election.com, Inc. will be made available for review and revision and can be expanded upon as necessary. A phased approach will be used to implement the standard due to the number of aspects being considered by the standard. David Marston ------------------------------ Date: 27 Mar 2001 12:42:23 +0300 From: Markus Peuhkuri Subject: Re: MS Word: Ohm, SaveAs Watt Kevin Rolph wrote: > automagically converted the Omega symbols into 'W's (and not to mention ... Just to complete list of "for user convenience" "features" of the very same word mangler .. processor. My wife wrote her doctoral thesis with Word 6.0. After quite a few rounds of proof reading, it was considered error-free (later found some :-{). To make it ready for press and on-line publication it had to be converted to PDF. The computer which had Acrobat tools had also Word 97, with quite default settings. The document loaded quite nicely, expect some changes in page layout. We checked for that and then printed it out, sent to the press and were satisfied. Before dissertation, she took a closer look at her thesis and noted that capitalization of some acronyms of compounds (thesis were about pharmacology) were wrong. In disbelief she checked last printouts from Word 6.0 version, and there they were right. The only possibility is that the Word processor changed them "automatically" in converting version. I was aware of correct-when-you-type, but this was new... too late. No warning dialogue, nothing. Ok, back to plan home automation... for family convince Markus Peuhkuri ! http://www.iki.fi/puhuri/ ------------------------------ Date: Mon, 02 Apr 2001 17:56:40 -0400 From: Dave Aronson Subject: Re: Windows 2000 source code (Thorson, RISKS-21.31) Suspending disbelief for a moment, let us suppose this WERE true. (For those whose disbelief was already suspended, consider the RISKS of glossing over a spokesperson's name, not remembering certain traditions when April rolls around [Lirpa Loof?], etc.) I'm sure we can all envision it happening, be it to Microslop or some other careless company. Methinks we should consider the effort to remove such things, or the embarrassment resulting from not doing so, to be a RISK of not having coding standards, including commandments to the effect that Thou Shalt Use Meaningful (And Not Embarrassing to the Company) Variable Names -- and CODE REVIEWS to enforce it! Or at least code reviews, conducted by a humorless PHB.... Dave Aronson, Sysop of AirNSun free public Fidonet BBS @ +1-703-319-0714 The above opinions are MINE, ALL MINE, but for rent at reasonable rates. [Typo 31 not 32 corrected in archive copy. PGN] ------------------------------ Date: Sun, 1 Apr 2001 20:05:05 +0100 From: Ursula Martin Subject: Re: April Fools items (RISKS-21.31) The foot-and-mouth item is indeed not RISKS-unrelated: it is suggested that some of the spread is due to unrecorded trade in sheep to exploit profitable loopholes in the subsidy regulations. The Sunday Telegraph had one about new European legislation that threatens impersonators who will have to pay royalties to their victims. "Larip Loof, the Finnish European commissioner, explained that the ruling on individuals owning their own voices was "a logical progression" from the laws covering intellectual property rights." http://www.telegraph.co.uk:80/et ?ac=000125824864271&rtmo=gjNZZZnu&atmo=gjNZZZnu&pg=/et/01/4/1/nimp01.html [URL broken by PGN for readability] Ursula ------------------------------ Date: Tue, 27 Mar 2001 14:42:28 -0600 From: "Ken Cox (11359)" Subject: Re: When security is based on trust Michael Sinz' note on Microsoft's ActiveX certification problem (RISKS-21.30) prompted me to write of another Microsoft- related RISK that I've noticed recently. Microsoft has been running a television commercial for one of their e-commerce servers. As the video shows conveyor belts with packages moving along them, the announcer is saying something like, "John Smith normally orders books about motorcycle racing and scuba diving. But today, his order included videos that feature a singing purple dinosaur. The software quietly updates itself to be ready for John's next order." Perhaps I am just overly suspicious, but I don't think that "quietly updates itself for the next order" is the proper reaction. "Loudly screams for a service representative and reports this sudden, possibly fraud-related, change in buying patterns" would be better. Speaking of which, *The New York Times* reported on 26 Mar 2001 (Business section) that US patent number 6,185,415 has been issued. This patent covers a class of fraud-detection algorithms that use a certain type of profiling to detect unusual behavior. The article says that the patent's owner, @Comm Corporation, has started to pursue telecommunications companies that use such software in their systems. Ken Cox kcc@research.bell-labs.com [Interesting. In my lab we have been doing profile-based anomaly detection since 1983. PGN] ------------------------------ Date: Tue, 27 Mar 2001 11:22:47 +0200 (CEST) From: Audun Arnesen Nordal Subject: What's in you server room? I recently quit my job as a system administrator, but I still read the messages and discussions between my former colleagues to help out the guy that followed me in the position. A few days ago, one of my former colleagues entered the server-room at my former employer and found it filled with light smoke. Not seeing any fire and in doubt of how to handle the situation, he consulted his boss in the neighboring room, who ordered an immediate shutdown of all servers. This might seem like an overreaction, but we had experienced some inexplainable hardware malfunction over the past six months that has caused near catastrophic data losses, so tensions wrt. hardware malfunction was high. It turned out that it was simply an old vt420 terminal that was practically never used that had started to malfunction and producing smoke, but the immediate shutdown of all servers resulted in the client users with for instance open word documents on the server or whatever they were doing to lose any unsaved data. The risk of putting non-reliable legacy equipment in the same room as your $30,000 servers with hundreds of concurrent users is obvious. Such server-rooms should not contain any equipment whose catching fire is irrelevant to the operation of the servers. Alternatively, such equipment should be shut off (and perhaps disconnected) when not in use. Audun Nordal ------------------------------ Date: 27 Mar 2001 10:47:15 GMT From: wendyg@cix.compulink.co.uk Subject: Re: Tax returns (RISKS-21.30) > The IRS expects 42 million electronic returns this year -- 70% of all > returns. How is that possible? 70 percent of households don't even have computers! [There was an error in the report from which the RISKS item was created. It seemed strange to me, but it was their error, not mine. PGN] ------------------------------ Date: Tue, 27 Mar 2001 10:39:48 -0500 (EST) From: Subject: Re: Tax returns (RISKS-21.30) From the IRS Stats website at http://www.irs.gov/prod/tax_stats/soi/ind_agi.html I discovered that there were 124,770,662 tax returns filed in 1998 (so much for the 10-1 rule). That would make 42 million around 1/3. If I assume that the number of filers has gone up, probably the error was that 70% will _not_ use electronic filing. (I also discovered that it is really hard to read a spread sheet that uses proportional fonts rather than fixed fonts.) Paul ------------------------------ Date: Tue, 27 Mar 2001 15:28:58 -0600 From: Chris Viles Subject: Re: identity theft (RISKS-21.30) By now, most RISKS readers are familiar with the discount cards that seemingly every supermarket in the US offers. For the small price of a few bits of information you get a discount on your grocery bill every time you buy something from a store in the same chain. On a recent business trip to the Chicago area, I stopped into a supermarket and was prompted for a discount card as was, I'm sure, everyone else who purchases anything from that chain. Since it's unlikely I'll be back through a store in this chain any time in the near future, I declined their polite offer to "Join and Save". While I gathered my items and prepared to leave, I overheard the clerk ask the person behind me for her card. Unfortunately she had forgotten it, and asked if they could look her up by her phone number. The clerk apologized that no, they no longer could do that and could *only* look up by SSN. Which the woman promptly rattled off for the clerk, myself, and 2 other strangers behind her. Is your identity worth $1.45? (The discount I would have received if only I had "Joined & Saved") ------------------------------ Date: 12 Feb 2001 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) which now requires confirmation to majordomo@CSL.sri.com (not to risks-owner) [with option of E-mail address if not the same as FROM: on the same line, which requires PGN's intervention -- to block spamming subscriptions, etc.] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 21.33 ************************