From: CSBVAX::MRGATE!NEUMANN@KL.SRI.COM@SMTP 11-AUG-1988 19:14 To: ARISIA::EVERHART Subj: RISKS DIGEST 7.33 Date: Wed, 10 Aug 88 15:34:59 PDT From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS DIGEST 7.33 Sender: NEUMANN@KL.SRI.COM To: RISKS-LIST@KL.SRI.COM Message-ID: <12421415818.14.NEUMANN@KL.SRI.COM> RISKS-LIST: RISKS-FORUM Digest Wednesday 9 July 1988 Volume 7 : Issue 33 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Cascaded Inference and the Vincennes affair (CFEEHRER) "Virus" Bill (Joseph M. Beckman) More RISKy ATM's (Dave Horsfall) Keeping Autos and Drivers in Suspense (Joseph M. Beckman) Airbus Cockpit Alarms (Fred Baube) A-320 investigation (Steve Philipson) Federal charges brought against accused teen-age hacker (Mike Linnig) Orbit 100,000 self-guided "brilliant" weapons, Reagan advised (Jon Jacky) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95). ---------------------------------------------------------------------- Date: 2 Aug 1988 20:28-EDT From: CFEEHRER@G.BBN.COM Subject: Cascaded Inference and the Vincennes affair I have become interested in the dialog lately re: Vincennes and the question of thresholds for declaring radar blips hostile (see, for example, Wellman, 9 July; Johnson, 10 July; Estell, 12 July) and would enjoy some comments in regard to the following proposition: "There's nothing wrong, in principle, with "binary thinking/decision making" if ALL of the information available for a choice among competing hypothesis is employed in the computation of posterior odds." What may have gone wrong in the Vincennes case is that not all of the information that was available came to be used. Most notably, perhaps, the diagnostic value associated with target aspect ratio, which the press tells us was more-or-less head-on and at short range relative to the design envelope of Aegis, did not enter into the decision in a formal way. It is interesting to me that difficulties with interpreting an image formed under such circumstances was one of the first explanatory notes to surface during coverage of the encounter. Thereon hangs the story below. I'm suggesting that, however, accurate the Aegis sensor and signal processing systems may be, the information presented to the human decisionmaker is apparently equivocal ("unreliable") at certain combinations of range and aspect and provides the basis for a very complex judgment even when a good estimate of the priors can be made. It seems to me that the situation, corresponds closely to what has been called "cascaded inference" in behavioral decision theory. In prescriptive approaches to decision making in this kind of situation, there are two sets of conditional probabilities: the probability of a datum conditional upon an hypothesis, and the probability of a REPORT (verbally, electronically or otherwise delivered) conditional jointly upon an hypothesis and a datum. If the components of these are known or can be estimated, then the probability of a report conditional upon an hypothesis can be easily calculated. In effect, the decision maker is required first to adjust the nominal diagnosticity of the report to reflect the reliability of the source -- "interpretability of the image" is a better term here -- and then to apply this adjusted datum to the hypotheses under evaluation using Bayes' rule. In the scenario I'm conjuring, the first task would have been to make a (cognitive) adjustment of the diagnosticity of the displayed image (i) given the hypotheses, "(a)ttack", "(n)o attack", and then to compute the posterior odds (p(a:i)/p(n:i) given p(i:a) and p(i:n). (Note that at optimal ranges/aspects, the diagnosticity would be assumed to be nearly perfect, while at non-optimal ranges/aspects, it would be considerably less than perfect -- a little circular but OK for now! The point is that, while the electronics remain the same, the intrinsic value of the image, its utility, for purposes of deciding between two (or more) mutually exclusive hypotheses varies.) When one compares the posterior odds achieved with an adjusted datum with those achieved with an unadjusted datum, the results can be startlingly different! (This is not a good forum for lengthy equations, so I'll simply ask you to believe that assertion! I'd be happy to send along some references and a short demonstration to anybody who's interested. For a quick perspective, consider that a likelihood ratio of 9:1 falls to approximately 4.3:1 when one reduces the reliability of the reporting system from 1.0 to 0.9. That can lead to quite a different decision with the same set of priors.) Research in decision making in medical, military command, process control/QC, and trouble-shooting contexts regularly demonstrates two phenomena: (1) Decision makers are typically not trained to make decisions "by the numbers", even when that is possible -- it's not a skill that comes naturally; (2) The few decision makers who are familiar with quantitative decision aids have rarely been taught means for coping with unreliable data. The sad thing is that virtually ALL data, whether delivered through eyes and ears or complex sensor systems are unreliable from time to time and/or for certain purposes. So, is it surprising that, in situations characterized by high stakes and great stress, wrong hypothesis are occasionally supported and correct ones discarded?! (There is an interesting literature associated with attempts to create descriptive models of what decision makers actually do which suggests that optimal procedures for discounting equivocal information are rarely intuited, but that they can be trained. References on request.) The "story" above is clearly a house of cards -- plausible maybe but unverifiable at best. Who knows if ANY quantitative reasoning went on at all -- but I do want to suggest that binary decision frameworks may not be as limiting as they may seem at first if they are properly implemented. I'm a strong supporter of neural net/fuzzy set approaches, but only if simpler algorithms are found wanting and their alternatives are not. cef ------------------------------ Date: Fri, 5 Aug 88 10:36 EDT From: "Joseph M. Beckman" Subject: "Virus" Bill "Computer Virus Eradication Act of 1988" (a) Whoever knowingly -- (1) inserts into a program for a computer information or commands, knowing or having reason to believe that such information or commands will cause loss to users of a computer on which such program is run or to those who rely on information processed on such computer; and (2) provides such program to others in circumstances in which those others do not know of the insertion or its effects; or attempts to do so, shall, if any of such conduct affects interstate or foreign commerce, be fined under this title or imprisoned not more than 10 years, or both. Entered July 14th 1988 by Mr. Herger (congressman from CA) for himself and Mr. Carr; referred to Committee on the Judiciary, to amend title 18. Joseph [You can lead a Trojan horse to Waterloo, but you can't make his legislator think. PGN] ------------------------------ Date: Thu, 4 Aug 88 14:39:34 est From: Dave Horsfall Subject: More RISKy ATM's From Neville Angove's column in "Computerworld", 29th July: ``According to a number of sources in the systems programmer community, the recent media noise concerning ATM fraud/failures indicates a number of severe problems being faced by financial institutions with ATM networks. As the size and usage of these networks have increased, so have the security risks, due to the fact that the knowledge of ATM characteristics and network limitations have become more widespread. The most serious rumour is that one bank has evidence that someone has discovered a means to decode the PIN encrypted on to the magnetic strip of stolen ATM and credit cards. [It is not generally well-known that in Australia at least, that strip encodes your PIN!] Another factor causing concern, especially to the more knowledgable members of the public, is the increasing use of lower-cost -- and probably lower-quality as a result -- ATMs by the smaller banks which want to provide a competitive service but cannot justify the cost of higher-quality equipment. A model of the ATM favoured by one bank is so lacking in "intelligence" that it can only run in on-host mode [?], and circumvents the problems of storing transaction details by printing them as they occur on to a paper cash register roll (an ironic solution, since the manufacturer originally made its name as the giant of the cash register business). [Well, perhaps they need to use up a warehouse full of rolls!] The increasing number of instances in which ATM networks have not functioned as claimed, or where stolen cards have been used to milk the victim's account in apparently impossible circumstances, is evidence enough of some fundamental design faults or deficiencies in a number of -- but not necessarily all -- ATM networks. Public claims by the banks that their networks are secure do not agree with concerns they have expressed privately, but it is unlikely that the community will see any improvement until the problems with ATM networks are brought to light through the legal system.'' Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz dave%stcns3.stc.OZ.AU@uunet.UU.NET, ...munnari!stcns3.stc.OZ.AU!dave ------------------------------ Date: Tue, 9 Aug 88 10:25 EDT From: "Joseph M. Beckman" Subject: Keeping Autos and Drivers in Suspense From "The History and Future of Automobile Suspension" by Rick Castelli in CORRIDOR TODAY July 29 1988 p9 (No copyright or reprint directions on page) "As a result of Japanese competition, all of the major American and German automakers are racing to provide their own versions of 'smart' suspensions as soon as possible...Both Lotus and Volvo's systems have eliminated the use of springs, shocks, and antiroll bars, as well as other components. Instead, hydraulic cylinder devices are incorporated that detect various lateral and vertical wheel motions. Sensors are also used to detect other factors and forces upon the car. All of this data is fed into a computer which subsequently inputs instructions to the hydraulic cylinder devices to adjust wheel deflection and angle. What results is that the wheels never leave contact with the road, and the body of the car automatically leans precisely into turns, thus maintaining a stable flatness, even through emergency maneuvers. This is a phenomenal advantage! In a sense, it makes the car feel as if it's floating independently above the road. Likewise, this could be one disadvantage -- among others. Drivers will lose that inner sense of knowing when a car is at its limits of handling, and might get too confident for their own welfare." The last point reminds me of some study done years ago. Some researcher, S. Peltzman, found that the mandatory use of seat belts would not save (net) lives. The reason given was that drivers feel 'invincible' (or more so) when wearing them. Consequently, they became less attentive to driving, increasing the number of accidents. Although they did a good job of protecting the driver, many accidents killed pedestrians; more than the number of drivers and passengers they saved. Joseph ------------------------------ Date: Tue, 09 Aug 88 13:24:58 -0400 From: Fred Baube Subject: Airbus Cockpit Alarms munnari!banana.cs.uq.oz.au!bigm@uunet.UU.NET (Michael Pilling (Dr Chocberry)): Several times before the critical manoeuvre the crew contemptuously dismissed visual and aural wornings emitted by the onboard computers. The pilot responded to one by saying: "Knock that one off, it's getting on my nerves." Pardon my naivete, but .. This sounds like the Amtrak crash. Any irritating+persistent alarm that "cries wolf" gets defeated with whatever tools are at hand. If the condition causing the alarm is an everyday event (Amtrak), or an event that was out of the ordinary but nonethe- less intended (e.g. fancy airshow maneuver), and the same alarm is to be used for a REAL problem, then the alarm won't be there when it's needed. Don't these guys that design alarms consider a "cry wolf" factor? Would they want to be trying to fly an airliner with an unneces- sary racket disturbing their concentration ? ------------------------------ Date: Tue, 9 Aug 88 12:26:56 PDT From: Steve Philipson Subject: A-320 investigation Re: martin@bashful <@RELAY.CS.NET:martin@bashful> posting on "Preliminary A320 Inquiry Results". >* The pilot and copilot (apparently informally) planned to fly at 100 ft. > AGL for the flyby, with no planned airspeed (oops). They ignored > three radar altimeter callouts below this altitude (the radar altimeter > gave six callouts in the 25 seconds between 100 ft. and impact, three > after the throttles were advanced). The warnings would have been expected, and the crew would have planned to ignore them. The whole point of this maneuver was a low altitude fly-by. Ground proximity warning systems would call the altitude, so there would be no reason to be alerted to a "problem" that was part of the intended flight path. >* The pilot intentionally disabled the alpha floor protection mode in the > autothrust system; this mode is intended to provide protection against > windshear accidents. ... This also seems reasonable for the flight path desired. Manual control of engines and AOA was desired, so again, this intentional disabling of automatic systems seems reasonable. > ... large aircraft > don't accelerate and climb very well (that is to say, at all) at low > speeds and high angles of attack. It takes a long time to spool up > large high-bypass engines, and it takes even longer before that energy > input has any effect on the aircraft. This is not quite true. Jetliners attain close to maximum climb performance at high angles of attack, but with maximum thrust. The recommended windshear escape maneuver is to raise the nose to just below stall AOA and hold maximum power. The problem IS in spool-up time of the engines. What I'm most interested in is how two highly experienced pilots allowed RPM to decrease below reasonable values for this type of maneuver. One of the first things you learn when flying jets is that you must keep RPM up if you will need a rapid application of power. Did the engine control system retard power below the intended setting? Did the combination of enabled and disabled systems cause the engine settings to go below what the pilots had intended? The investigations into why the crew was unaware of their situation is critical to assesments of the safety of the A-320. The unusual manuever and crew selected configuration may have had much to do with the cause of this accident. We know that conditions not accounted for in the design of complex systems are often the root of system failure. Many of us are very concerned about digital control systems for just this reason. We will not know if this crash was really "pilot error" until those elements of this accident are thoroughly explored. ------------------------------ Date: Tue, 9 Aug 88 22:28:52 CDT From: linnig@skacsl.csc.ti.com (Mike Linnig) Subject: Federal charges brought against accused teen-age hacker CHICAGO (AP) -- A teen-age high school dropout is charged with using his personal computer to break into AT&T and government computers and steal more than $1 million worth of software. "This is not malicious mischief," U.S. Attorney Anton Valukas said in announcing the federal charges Monday. "It's a felony." Herbert Zinn Jr., 18, also is accused of advertising on a computer bulletin board how to electronically break into AT&T's computers. The charges against Zinn mark the start of "an aggressive position toward computer crimes," Valukas said. Zinn allegedly committed the crimes when he was a juvenile, and could be sent to prison until his 21st birthday in August 1991. Federal agents raided Zinn's home last year and confiscated three computers and software allegedly stolen during the electronic break-ins. The telephone at Zinn's North Side residence went unanswered this morning. Zinn was quoted in today's editions of the Chicago Sun-Times as saying that since the raid on his home, he had not pursued his computer techniques "with quite the same vim and vigor." He said he nonetheless hoped eventually to resume his schooling and become an electonics engineer, the newspaper said. Zinn would not discuss details of the case, it said. The federal charges were brought after Zinn had been arrested several times, including for alleged computer break-ins at the Keller Graduate School of Management and at Commodity Perspective Inc., both in Chicago. "Before and after the computer break-ins (at Keller and Commodity Perspective), Zinn was, by his own admission, breaking into AT&T computers," Valukas said. Court documents said Zinn broke into an AT&T computer at the North Atlantic Treaty Organization's Maintenance and Supply Headquarters in Burlington, N.C., and an AT&T computer at Robins Air Force Base, Ga. Valukas said the software taken from NATO and the Air Force base were "low level in terms of sensitivity." Agents raided Zinn's home after an AT&T security officer logged onto the so-called Phreak Class-2600 computer bulletin board and spotted messages signed by "Shadow Hawk," a code name the goverment said the teen-ager used. In the messages, Shadow Hawk bragged that he had gained access to AT&T computer files. In a similar message, Shadow Hawk made the mistake of including his telephone number, which the security officer spotted, the government said. The purpose of the Texas-based Phreak Class-2600 is "to educate computer enthusiasts . . . to penetrate industrial and government sector computer systems," said William J. Cook, an assistant U.S. attorney. The government said Zinn also tried to electonically break into computers at the Washington Post's accounts payable department, a hospital in South Bend, Ind.; and computers in Columbus, Ohio; Rye, N.Y. and Pipe Creek, Texas. ------------------------------ Date: Wed, 10 Aug 88 08:53:39 PDT From: jon@june.cs.washington.edu (Jon Jacky) Subject: Orbit 100,000 self-guided "brilliant" weapons, Reagan advised The following story appeared in THE SEATTLE TIMES, Aug 9 1988, p. A3: SDI OFFICIALS URGE 'PEBBLES' OVER 'ROCKS' by Dan Stober, Knight-Ridder News A dozen high-ranking "Star Wars" officials met privately with President Reagan two weeks ago to gain his backing for a new weapons idea: swarms of five-pound rockets, known as "brilliant pebbles," that would orbit Earth and decide on their own to attack Soviet missiles. The rockets, once launched, would not require a command from the ground to attack. "It's effectively a shield over the planet, consisting of these things, and if anything pierces the shield that doesn't come from an allowed launch point .... it gets knocked off," said Bruce McWilliams, who headed a lab team that developed the optical sensors for "brilliant pebbles." It would take 100,000 such rockets to defend against the next generation of Soviet missiles, a Livermore study concluded. ....(the idea) was advanced by the Lawrence Livermore National Laboratory... the classified White House briefing was given by Livermore physicist Lowell Wood, a protege of the controverial Edward Teller. - Jonathan Jacky, University of Washington ------------------------------ End of RISKS-FORUM Digest 7.33 ************************ -------