RISKS-LIST: RISKS-FORUM Digest  Monday 17 April 1989  Volume 8 : Issue 58

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Cruise Missiles with "Polish" (Ralph Vartabedian via Nancy Leveson)
  Computerized parts supply (Jim Haynes)
  RFI and Elevators (Martin Ewing)
  Aegis the almighty (Henry Spencer)
  Thoreau and Navigation (Eric Roskos)
  Risks of automatic order entry in restaurants (Daniel Klein)
  Re: Most Accurate Clock (Clay Jackson)
  Fuel Management/Mis-management (Mike Brown)
  Companies mask ANI to calm callers (Bob Wallace via GEBM)
  The dangers of electric windows (Martin Cooper)
  Careless tape transfer procedures (Peter Jones)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com.  FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) /
get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99).

----------------------------------------------------------------------

Date: Sat, 15 Apr 89 13:41:29 -0700
From: Nancy Leveson
Subject: Cruise Missiles with "Polish"

From the L.A. Times, Saturday, April 15, front page.

HOW CONCERNED WORKERS BLEW WHISTLE AT NORTHROP
by Ralph Vartabedian, Times Staff Writer

On her very first day at Northrop's Western Services Department in El Monte,
which produced guidance devices for nuclear-armed cruise missiles, Florence
Castaneda said she knew that "something was terribly wrong."
In an electronics "clean room," Northrop employees were smoking cigarettes,
boiling water for soup, eating lunch at their work stations and watching soap
operas on a television set mounted on the supervisor's desk, she recalled.

Castaneda noticed that instead of using industrial solvents to clear and
prepare circuit boards for soldering, workers were using a jar of Tarn-X, a
retail brand of polish for silverware.  "There was a price tag on it from
Thrifty Drug Store," she recalled.  "I hadn't seen this kind of work being
done in the aerospace industry."  ...

As a result of their efforts, a federal indictment was filed earlier this week,
charging their former supervisor, Charles Gonsalves, with criminal fraud.
Tests were allegedly faked and in some cases not performed at all on cruise
missile guidance systems and on stabilization systems for Marine Corps jet
fighters, the indictment said.  Besides Gonsalves, criminal charges were filed
against Northrop itself, two high-ranking executives and two other supervisors.
Northrop has said the criminal charges against it and two current executives
are "unwarranted," but the firm has acknowledged that problems existed at the
plant and that Gonsalves and three other employees have been fired.  ...

Not only was the plant manager, Gonsalves, charged with fraud, but the
factory's quality assurance supervisor and its chief engineer were indicted.

Unlike many other defense industry whistle-blowers, Castaneda has no financial
stake in any False Claims Act law suits, which individuals can bring on behalf
of the government and share in the damages.  She was motivated by a sense of
concern over "those nuclear missiles out there" that she always worried "could
be the start of World War II."  ...

"I called the FBI in November, 1986.  They told me I sounded like a disgruntled
employee and that it was a case of sour grapes," Castaneda recalled.  (Justice
Department officials declined to comment on Castaneda.)
It was not until a nephew in the Air National Guard arranged a meeting with
Air Force agents from the Office of Special Investigations that anybody would
listen to her story.  In January, 1987, an OSI agent [met with Castaneda and
fellow workers Barajas and Meyer].

"Florence had earlier attempted to contact Northrop, but nothing ever
happened," Barajas said.  "Pat Meyer and Florence called back east to
Precision Products Division [the corporate parent of Western Services
Department] to say problems were going on.  After that, absolutely nothing was
done.  It disgusted everybody.  We knew that if we tried to complain, nothing
would be done."

Barajas said that he wrote an anonymous letter to corporate executives at
Northrop, but the letter eventually ended up back with Gonsalves.  "He posted
it on the bulletin board to tell everybody that it wouldn't do any good to
complain.  He laughed at it.  He said, 'Whatever fool tried it, it didn't get
anywhere.'"

After the investigation was launched in 1987, however, government agents met
with the employees once every other week at Barajas' house.  Barajas provided
investigators with a computer tape used to falsify tests on cruise missile
systems built at the plant.

[The rest of the article describes details of the investigation including
wiring one of the employees with a tape recorder.  There is also a bizarre
story about a psychologist who had been assigned to Castaneda after a temporary
disability claim in April 1985, who visited Castaneda at home three times a
week for two hours each time for several months.  "She told me to forgive
Northrop and to forgive Mr. Gonsalves -- to ask God to forgive them -- and to
just go back to work," she said.]
------------------------------

Date: Mon, 17 Apr 89 13:41:49 -0700
From: haynes@ucscc.UCSC.EDU (Jim Haynes)
Subject: Computerized parts supply

From a book review in Science magazine, 7 Apr 89

  "He even tells us about his disappointment upon learning that a part he was
  ordering from a catalogue couldn't be shipped until the next week, in spite
  of a promise in the catalogue of same-day service.  `You must have a very
  old catalogue,' he was told, without a trace of irony.  `Now we have a
  computer.'"

The book reviewed is "Ideas and Information: Managing in a High-Tech World" by
Arno Penzias; Norton, New York, 1989.  224 pp.  $17.95

------------------------------

Date: Sun, 16 Apr 89 23:30:05 PDT
From: mse%b2red.caltech.edu@Iago.Caltech.Edu (Martin Ewing)
Subject: RFI and Elevators (Morris, RISKS-8.57)

[On the subject of radio amateurs transmitting in elevators:]

In fact, radio amateurs are allowed to do various things other than talk to
each other.  They may operate radio control aircraft, they may evaluate
antennas, and they may run RFI tests -- usually to minimize interference from
their own transmissions to TVs, etc.  Horsfal's downfall [oops, no pun] might
come if he did not properly identify himself with his call sign.

The more interesting point for RISKS is that a 3-watt handitalkie is NOT an
especially unusual device to be found on an elevator.  Our buildings & grounds
people carry them around all the time, and they certainly aren't shy about
using them near elevators -- or your pacemaker, for that matter.

Elevators and other 'smart' safety-critical gadgets like automotive
microcomputers must have a defined behavior in any likely electromagnetic
environment.  They don't have to work, but they should fail safe.
Martin Ewing, AA6E, Caltech Radio Astronomy

------------------------------

Date: Sun, 16 Apr 89 23:16:29 -0400
From: henry@utzoo.UUCP
Subject: Aegis the almighty

In the Feb 27 Aviation Week, in an article on US Navy antisubmarine warfare and
future plans for same:

  The fundamental problem with ASW is that it is very complicated.  There is no
  single system that is a panacea, like Aegis is to air defense, Rear Adm.
  James R. Fitzgerald, director of the antisubmarine warfare division of naval
  warfare for the chief of naval operations, said.  "If there were, the Navy
  would buy a lot of them and declare the problem solved."

The view of Aegis that is revealed in this is, um, interesting.

Henry Spencer at U of Toronto Zoology

------------------------------

Date: Mon, 17 Apr 89 13:04:31 E+
From: Eric Roskos
Subject: Thoreau and Navigation (Harper, RISKS-8.56)

Thoreau had a considerable interest in this subject, actually.  In one of his
earlier works (I think "The Maine Woods") he tells in great detail the story of
the incident he's probably referring to here, in which a ship split open after
colliding with a rock called "The Grampus" ("grampus" being the name of a kind
of whale, the name coming from the Latin "crassus pisces," or "fat fish").  He
saw a large sign that advertised the disaster like a circus poster, and he and
his brother turned aside from their trip to go see.  He ends up the story with
the moral "The resolute man's purpose cannot be split on any grampus," which
was the cryptic quote in my signature line for a long while on the Usenet, back
when we subscribed to it here.

It is good to see someone reading Thoreau; he had a lot of comments on the
progress of technology, and had a great appreciation of telegraph wires for
reasons other than merely the fact that messages were sent down them.

  "... we will see that some will be riding, and the rest will be run over;
  and it will be called, and will be, `a melancholy accident'."
[His comment on public enthusiasm for new technology, and the fact that often
in the end it turns out not to be that useful, and sometimes harmful, for many
of the people who were most enthusiastic about it.  In this case, he was
talking about the new steam locomotive that was coming to Concord.]

------------------------------

Date: Mon, 17 Apr 89 00:28:06 EDT
From: Daniel Klein - 412/268-7791
Subject: Risks of automatic order entry in restaurants

Last week I had the pleasure of eating in one of those restaurants that has an
automatic order entry system.  This is a system whereby the waitroid has a hand
held terminal onto which s/he enters the table's order, and this order is
relayed via infra-red to a pickup in the ceiling, thence to the central order
computer, and finally to the chefs in the kitchen.  It is a marvelous system,
as long as it works.

In this case, the chef stolidly maintained that he never received one of our
orders.  Since the computer had not told him to service an order, he refused to
do so.  The waiter was unable to convince him.  Similarly, the waiter refused
to resubmit the order, since his terminal informed him that it had been
processed, and if he resubmitted the order, he would be liable to collect
double the fare.  We waited for over two hours for our food, until we advised
him that the hand-held terminal would find a very uncomfortable location on his
body if *we* got our hands on it :-)  It took the intervention of the manager
to get the food (and why it took 2+ hours, I will never know).

In the end, the waiter apologized to us, graciously explaining that it was a
"computer error" that had caused all the delay.

-Dan

------------------------------

Date: Mon Apr 17 08:35:05 1989
From: uunet!microsoft!clayj@lll-winken.llnl.gov
Subject: Re: Most Accurate Clock (RISKS-8.56)

Here's a followup to the article I sent last week about HeathKit's "Most
Accurate Clock" and Daylight time.
After my problems with the clock being exactly 1 hour off, I checked with both
Heath and NBS (the folks who run WWV/WWVH) and discovered that the embedded
digital signal does indeed include a packet which indicates Daylight time.  The
decision to send the packet is controlled by a manual switch at the WWV site in
Ft Collins.  According to NBS, "...our people don't make mistakes when using
that switch..." (paraphrased).  According to Heath, "We've had several
complaints about this over the years".

I'm certainly glad that I don't have anything depending on the correct hourly
readout from that clock!  (although I do have my computer system set up to set
its time from the clock once a day).

Clay Jackson, Microsoft

------------------------------

Date: Thu, 13 Apr 89 16:41:48 EST
From: Brown
Subject: Fuel Management/Mis-management

The discussion on the Boeing fuel management issue reminds me of an issue that
we dealt with when I first came to work here at NSWC.  The first A6-E aircraft
delivered to the Navy had severe fuel management problems.  In fact, the first
A6-E I saw we dug out of the swamp near Norfolk VA.

The A6E has two wing tanks and a main tank behind the cockpit.  However, to be
used, the fuel in the wing tank must be pumped into the main tank from which it
is pumped into the engine.  The pilot took off with an indication of a full
main tank and full wing tanks.  During ascent, the engines flamed out.  The
pilot suspected that the main tank was empty and started the transfer from the
wing tanks to the main.  However, the pumps were not fast enough and he could
not restart the engines.  The problem was a failure prone fuel level indicator.

The advantage that a computer would have added is that it would have made the
same error that the pilot did - assuming that the indicator was correct.
Therefore, we can still blame the pilot for not checking the tank prior to
take-off.
Mike Brown

------------------------------

Date: Sat, 15 Apr 89 15:53:18 EDT
From: USER=GEBM@um.cc.umich.edu
Subject: Companies mask ANI to calm callers

The following condensed from Bob Wallace, Network World v6#7 2/20/89 pg 1.

Fear of alienating customers has encouraged some companies to rethink the way
they use ISDN's automatic number identification (ANI) capability.  American
Express Travel Related Services Co. (TRS), AT&T's first commercial ISDN user,
reportedly found that customers were startled when some of its agents greeted
them by name.  TRS has since prohibited the practice.

Richard Zatarga [TRS employee], in a presentation at a "Preparing for ISDN"
conference in Toronto (12/88), said TRS now avoids identifying callers by name.
"We have changed the way we answer the [telephone].  We know who they are, but
we still hunt for information" from callers as if we had to identify them.

Although TRS has since denied that it used ANI to identify callers by name and
that it received negative feedback from cardholders, sources close to the
project who requested anonymity said numerous users reacted unfavorably to
personalized greetings.  TRS "learned that you don't answer the telephone with
the customer's name."

American Transtech, a wholly owned subsidiary of AT&T (and the first company to
test ISDN Primary Rate Interface [32B+D]), processes one million calls a day,
making it the nation's fourth largest telemarketing company.  The company does
not, however, greet callers by name.  "We could do it, but we don't want to let
customers know we can capture their telephone number," said a spokesman.  "We
don't use [specialized greetings] because it would intimidate callers."

Besides the RISK of alienating customers with ANI, there is a pervasive fear
among prospective ANI implementors that callers will raise legal objections to
ANI once they know how it works.  People with unlisted phone numbers are
expected to spearhead that movement.
According to Huel Halliburton, a communications manager with Centel Electric,
central office switches equipped to support equal access deliver the phone
numbers of callers with both listed and unlisted telephone numbers to companies
that use ANI.

------------------------------

Date: 15 Apr 89 14:54:22 PDT (Saturday)
From: "Martin_Cooper.osbunorth"@Xerox.COM
Subject: The dangers of electric windows

J M Hicks' contribution on Central Locking Systems (RISKS 8.55) brings to mind
many other potential dangers of electrical control in autos.  Most of these I
have seen discussed at various times within this forum, but there is one in
particular which concerns me.

Electric windows are becoming ubiquitous on new cars today, and unlike central
locking systems, there is no manual override.  This is made very obvious by the
fact that such windows cannot be raised after the ignition has been turned off,
which is in itself a rather annoying attribute.  However, annoyance turns to
danger when an emergency arises.  In an auto accident causing the doors to jam
closed, the windows are the only means of escape when waiting for a cutting
crew could be fatal.  Furthermore, it is well known that the windows provide
the best (only?) means of escape from a car underwater.  If the electrical
system is shot, and the occupant is unable to break the windows, what other
options are there?

Certainly electric windows provide a great convenience in everyday driving, but
I wonder how many people consider the risks when they choose their options on a
new car.  And I wonder if the auto manufacturers themselves realise the risks
and are merely cutting costs because nobody voices concern.
Martin F N Cooper, Xerox Corporation

------------------------------

Date: Sun, 16 Apr 89 12:00:33 EDT
From: Peter Jones
Subject: Careless tape transfer procedures

This morning, walking in a public area of a building, I noticed a messenger or
computer operator ahead of me in the same corridor casually wheeling an open
cart loaded with about a dozen tapes.  Suddenly, he left his cart in front of
an overhead door, walked on about 50 feet to the next door off the corridor,
and disappeared.  Curious, I waited in the vicinity of the cart to see what
would happen next.  Some 30-60 seconds later, the overhead door opened, and the
clerk appeared from behind, pulled the cart in, and closed the overhead door
again.

I continued on my way, with a few questions turning over in my mind:

1) What if someone had made off with a tape or two while the cart was
   unattended?

2) Why wasn't the messenger accompanied by, say, a security guard with a
   radio?  The guard could have watched the cart while the messenger went to
   open the door.  Also, this precaution would avoid the risk of the messenger
   being attacked by a gang (2 or 3 would be enough to steal a tape or two)
   while passing through the public areas.

3) Why weren't the tapes in an enclosed box, locked with a key at the beginning
   of the trip, and unlocked with a duplicate at the destination?  (The
   messenger, of course, should not carry a key!)  This would prevent tapes
   from disappearing or being substituted while in transit.

4) Do people still do stupid things like this in 1989?  (Yes!)

Peter Jones MAINT@UQAM (514)-282-3542

------------------------------

End of RISKS-FORUM Digest 8.58
************************