RISKS-LIST: RISKS-FORUM Digest  Tuesday 20 June 1989  Volume 8 : Issue 83

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Pacemakers, radios (Walter Roberson)
  'Traffic monitoring system used for spying' (Walter Roberson)
  I am not a number... (unique postal codes) (Walter Roberson)
  Medical history-on-a-card? ; Another ATM Risks (Edward A. Ranzenbach)
  Re: Microcomputers in the operating theatre (Donald Lindsay, Keith Emanuel)
  Hartford Civic Center roof crash (Peter Desnoyers)
  Re: Risks of missiles (Jan Wolitzky, Gary Chapman, Bob Ayers)

----------------------------------------------------------------------

Date: Mon, 19 Jun 89 23:11:58 EST
From: Walter_Roberson@CARLETON.CA
Subject: pacemakers, radios

A small article in The Ottawa Citizen, Fri. June 16, 1989, pg A18:

  "Stereo speaker risk to heart device

  BOSTON (Reuter) -- Doctors in Chicago have some advice for people whose hearts carry an electronic device for shocking the heart into its proper rhythm -- Don't hug a stereo speaker.

  Speakers apparently contain a magnet strong enough to deactivate an automatic implantable cardioverter-defibrillator. The device, usually given to people who have recovered from a heart attack, delivers a jolt to the heart when it begins beating too rapidly to pump blood."

Walter Roberson

------------------------------

Date: Mon, 19 Jun 89 23:18:09 EST
From: Walter_Roberson@CARLETON.CA
Subject: 'Traffic monitoring system used for spying'

NEW YORK (AFP) -- Chinese authorities are using a British surveillance system, developed to monitor road traffic, to spy on Chinese citizens and foreigners in the streets of Beijing, Time said in its latest edition.

The weekly news magazine said the so-called SCOOT system had been purchased partially with development aid.

Time also reported that the Beijing State Security Bureau had used the system to document charges against Associated Press reporter John Pomfret, who, the magazine added, was expelled last week after he was filmed meeting with a source in his car outside a hotel in Beijing.

Because the SCOOT system can be used to film at night, it allowed authorities to film fighting outside Tiananmen Square during an army crackdown on pro-reform demonstrations in which western intelligence sources said about 3,000 people died. Chinese authorities said 100 civilians were killed and about 1,000 others wounded.

The authorities edited the film to show only sequences of aggressive demonstrators attacking peaceful police, Time said. The sequences were shown on state television, which identified the protestors as counter-revolutionaries.

SCOOT also allowed authorities to pick out individual faces in the crowd. These were also shown on television with a telephone number requesting help from watchers in identifying those who participated in the demonstrations.

[From The Ottawa Citizen, Mon. June 19, 1989, pg A6]

[Please note: I'm not interested in discussing the politics of the situation in China. I have submitted this article based on the technological -> social implications ONLY. -- WDR]

Walter Roberson

[Also noted by Mike Olson.]

------------------------------

Date: Mon, 19 Jun 89 22:42:37 EST
From: Walter_Roberson@CARLETON.CA
Subject: I am not a number... (unique postal codes)

A few weeks ago, the Canadian post office admitted to a secret "modernization" office they have established: the high-tech research division of the post office. One of the projects they were said to be working on was changing the postal codes from the current 3 letters + 3 numbers to a 10 "digit" system (unclear whether it'd be pure numeric or not).

I was a little concerned about that at the time: Statistics Canada releases some non-trivial information (eg, the Canadian census) *broken down by postal code*. (As an aside, I've never been too comfortable with that. They do take care that each grouping includes at least 5 people -- but it isn't too hard to extract an individual's data from that, if you know something about the individual.) If StatsCan continued the practice of releasing such information by postal codes, then establishing extremely accurate postal codes is sure to make individual cases much easier to deduce. (And remember, it's not only a crime to give incorrect data to the census people: it's also a crime to refuse to answer the questions...)

Anyhow, having many other things to occupy my mind, I haven't been thinking about the 10-digit scheme much. Nonetheless, I did happen to notice the following, buried in an article about which firm was being favoured to provide some new sorting machines for the post office:

  "The new equipment will incorporate many features tested by Canada Post in the Paradigm Project, a high-tech research program started about two years ago. The program, kept secret until last month when it was reported on by the Canadian Press, is being used to test a new 10-digit postal code system Canada Post hopes to introduce within the next few years. The system is so precise that all addresses in the country, and possibly all individuals, will be assigned individual codes."
  [The Ottawa Citizen, Mon. June 19, 1989, pg A4]

After I thought about it for a few seconds, I realized this is a -real- possibility! Canada has about 25 million people, so an 8 digit scheme would be enough to number them all individually (our social insurance numbers are 9 digits, including the check digit). A 10-digit number, then, has more than enough capacity to identify individual people in Canada!

You can have unpublished phone numbers, but will they allow you to have unpublished postal codes? (And if so, will you have to pay extra for that?)

Oh yes: although this story has a Canadian flavour, note that 10 digits would be enough to encompass all of North America. After all, phone numbers within North America are only 10 digits, and they haven't run out of phone numbers yet (though they will soon have to expand the area code scheme, which currently only allows the second digit to be a 0 or a 1.)

Walter Roberson

------------------------------

Date: Tue, 20 Jun 89 12:53 EDT
From: Ranzenbach@DOCKMASTER.NCSC.MIL
Subject: Medical history-on-a-card? ; Another ATM Risks

In 1982, CII Honeywell Bull, France, unveiled the "CP-8" smart card. This card does indeed contain a tiny microprocessor and, I believe, 4K of memory. This was envisioned to have uses as an electronic payment card. For example, I would go to a compatible Automated Teller Machine (ATM) and transfer funds from my account to the card. I could then shop with the card at stores with CP-8 compatible readers and use the funds on the card to pay for my purchases.

The major difference between this strategy and the Electronic Funds Transfers (EFT) that we see today is that the CP-8 was deemed as valuable as cash. The repository of account information was the card itself. Now some may say that EFTs are subject to per-transaction authorization over a network. I know however that my bank does not have a network connection but actually contracts to a larger bank for EFT services. Thus, there is no direct check of my account for authorization. Instead, my bank authorizes a maximum of $200.00 per 24 hours per customer. The contracted bank simply ensures that I do not exceed that authorization.

An advantage of the CP-8 was its audit trail. All transactions made against the card are audited by the processor and the user can take the card to any CP-8 ATM and receive a printout that shows the date, time, location (machine ID) and amount of the last N transactions. Kind of like having your statement in your wallet.

There were plans in Sweden to implement a scheme for the rationing of liquor purchases from state run liquor stores using the cards but I'm not sure this came to fruition. I'm not sure if this card has found any real uses or if it has been upgraded (4K of memory?).

I saw a couple of risks here. The card is money in my pocket. Although I might not feel confident about walking around the streets of New York with several hundred dollars cash I might be lulled into a false sense of security and think nothing of transferring several hundred dollars to the card. Thus if the card was lost, stolen, or damaged it was the same as having my wallet full of money stolen. In addition to the standard means of damaging the card, we found that significant impact to the surface could damage the card's ability to process or store information (we hit it with a hammer, not very subtle but it showed a weakness).

On a separate but related issue, I found that the password standard for the Cirrus, Star and New York Cash Exchange (NYCE) ATM networks is a four digit password. I was impressed by the BayBanks ATM network when it first came into being because it offered me a maximum eight (letter) digit password thus giving me 10**8 possible values. During use of my ATM card I noticed that the screen would always flicker as soon as I entered the fourth letter in my password. I decided to "play" a little and noticed that only the first four letters of my password were required to be entered (and thus were included in the validation of my authorization). Thus, there are only 10**4 possible passwords.

Cirrus advertises access to 20,000 ATMs nationwide. Interesting to note that there are twice as many ATMs as possible passwords to protect my account from being misused on them. Maybe someone should send them a copy of the NCSC Password Management Guideline, CSC-STD-002-85...

Edward A. Ranzenbach, Gemini Computers Inc.  All standard disclaimers apply.
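The truncation Ranzenbach observed, written out as an added illustration that is not code from the digest or from any of the ATM networks named in it. It puts a verifier that silently checks only the first four characters of an eight-character secret beside one that checks all of it, reproduces the hand test he ran (change the tail, see whether the secret is still accepted), and counts the keyspace each verifier actually enforces. The hashed storage form, the sample secrets and the ten-symbols-per-position figure (which follows his own 10**8 count) are all assumptions made for this example, not a description of how the real networks work.

```python
"""Added example, not code from the RISKS digest or from any ATM network
named in it: a verifier that checks only the first four characters of an
eight-character secret (the behaviour Ranzenbach observed) beside one that
checks all of it, plus the keyspace each one actually enforces.  The hashed
storage form and the sample secrets are constructed for this example."""
import hashlib
import hmac
from typing import Callable, Optional


def _digest(secret: str) -> bytes:
    # Hypothetical storage form chosen for this example; the post does not
    # describe how the real networks store or compare the secret.
    return hashlib.sha256(secret.encode("utf-8")).digest()


def enroll(secret: str, keep: Optional[int] = None) -> bytes:
    """Record a verifier for `secret`.

    With keep=4 this models the flawed network: whatever length the customer
    chooses, only the first four characters ever reach the verifier, so the
    remaining characters are decoration."""
    kept = secret if keep is None else secret[:keep]
    return _digest(kept)


def verify(candidate: str, stored: bytes, keep: Optional[int] = None) -> bool:
    """Compare `candidate` against `stored`, truncating exactly as enroll() did."""
    kept = candidate if keep is None else candidate[:keep]
    return hmac.compare_digest(_digest(kept), stored)


def effective_keyspace(symbols: int, length: int, keep: Optional[int] = None) -> int:
    """Number of secrets the verifier can tell apart: the advertised length
    only counts up to the number of characters that are actually checked."""
    checked = length if keep is None else min(length, keep)
    return symbols ** checked


def prefix_only(check: Callable[[str], bool], secret: str, prefix_len: int = 4) -> bool:
    """The check Ranzenbach ran by hand: alter every character after the
    prefix and see whether the verifier still accepts the secret.  True means
    only the prefix takes part in validation."""
    if len(secret) <= prefix_len:
        return False  # nothing beyond the prefix to alter
    tail = "".join("X" if ch != "X" else "Y" for ch in secret[prefix_len:])
    return check(secret[:prefix_len] + tail)


def demo() -> dict:
    secret = "SWORDFIS"      # constructed eight-character secret
    lookalike = "SWORDPLA"   # shares only its first four characters
    weak = enroll(secret, keep=4)   # the network that flickers after four
    strong = enroll(secret)         # a verifier that uses the whole secret
    return {
        "weak_accepts_lookalike": verify(lookalike, weak, keep=4),
        "strong_accepts_lookalike": verify(lookalike, strong),
        "weak_is_prefix_only": prefix_only(lambda c: verify(c, weak, keep=4), secret),
        "strong_is_prefix_only": prefix_only(lambda c: verify(c, strong), secret),
        # Ten symbols per position, following the post's 10**8 figure for an
        # eight-character secret entered on a digit keypad.
        "weak_keyspace": effective_keyspace(10, 8, keep=4),
        "strong_keyspace": effective_keyspace(10, 8),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `prefix_only` is that the defect is visible from the outside without any knowledge of the back end: an eight-character secret whose last four characters can be changed freely is, for every practical purpose, a four-character one, and `effective_keyspace` is what a reviewer should compare against the number of terminals that accept it.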
------------------------------

Date: Tue, 20 Jun 1989 13:30-EDT
From: Donald.Lindsay@MATHOM.GANDALF.CS.CMU.EDU
Subject: Re: Microcomputers in the operating theatre

In RISKS-8.82, Ken Howard says:

>Martyn addresses the obvious risk from the hardware/software reliability
>point of view here. The other not so obvious risk is that a BBC micro
>is not certified for use in an environment containing explosive gasses
>such as are used in anesthesia ....

Actually, it's even worse. Operating theatres contain numerous devices, which shouldn't interfere with each other, but do. (An EEG in such a place can often detect brainwaves in lime jello.) There are also standards for electrical leakage - since the patient tends to be a common ground to numerous circuits.

Hospitals also use equipment differently from other places. Suppliers learned years ago that equipment with a flat top will wind up at the bottom of a stack, for example. A flat top will also attract bags, bottles and bowls of fluid, which will get spilled.

I'd also worry about the lack of professional design review. For example, what happens to the patient if there's a power glitch? How about reasonableness checks on dosage? How aware will the operator be of the computer's actions? How quickly could he stop it (emergency off)? My experience with beginning programmers hardly inspires confidence in an MD's first effort.

Don

------------------------------

Date: 20 Jun 89 07:13 EDT
From: Emanuel.henr@Xerox.COM
Subject: Re: Microcomputers in the operating theatre (Thomas, RISKS-8.79)

There is more than just performance here. In an operating room the anaesthetist is responsible for his own actions. He bears the consequences of his judgements as a responsible professional. In the case of a microcomputer malfunction who is responsible? Is it the manufacturer? The programmer? Perhaps the technician who maintains the equipment?

Further, electronic devices have recognized mean times to failure. Does this mean that we are installing a device in a life critical situation that we know will have a failure down the road? Would we certify a doctor who we knew would fail?

Lastly, the state of the art in software expert systems is still a long way from being able to deal with the subtle differences between patients or subtle changes in a patient's condition during an operation. It is for that reason that the doctor is indispensable (no pun).

Keith Emanuel, Xerox Corp.

------------------------------

Date: Tue, 20 Jun 1989 10:24:34 PDT
From: desnoyer@apple.com (Peter Desnoyers)
Subject: Hartford Civic Center roof crash (Desnoyers, RISKS-8.81)

In RISKS Digest 8.81 Richard S. D'Ippolito writes: (in reference to the Hartford Civic Center roof crash of January '78) [joint was modelled incorrectly as having no eccentricity, when simulation was re-run correctly the roof did not hold.]

>Quite simply, the problem here was: The structure analyzed was not the
>structure built.

This may have been only one aspect of a more wide-spread disregard for safety in the construction of the first Civic Center roof. It was widely reported in the local papers afterwards that there had been only one part-time weld inspector during construction - he was a high school math teacher and evidently only worked on Saturdays or something like that. [disclaimer - this is from memory and may not be completely accurate.]

In other words, if they had cared about safety, they might have been more likely to catch errors in the simulation.

Peter Desnoyers, Apple ATG (408) 974-4469

------------------------------

Date: 20 Jun 89 18:32:28 GMT
From: wolit@cbnewsm.ATT.COM (Jan Wolitzky)
Subject: Re: Risks of missiles

> ... At this
> point it is gliding until it releases its warheads. The missile has no
> mechanism for sensing where it is and aiming the warheads accordingly - it is
> just told, BEFORE LAUNCH, "point here, release a warhead, point there, release
> a warhead, etc." The point is that all errors in the launch are cumulative and
> no mechanisms exist to correct them.

This is incorrect. There certainly is an inertial guidance system aboard all versions of the Minuteman missile (only IIs and IIIs are currently active). And while it is true that the solid-fuel boosters on such missiles are not throttleable per se, any point up to the missile's maximum range can be targeted by changing the ballistic trajectory. Besides, there _are_ various thrust termination mechanisms available for solid rockets (blowing off the nozzle, venting the combustion chamber, etc.), though I am not aware which, if any, are used on the various Minuteman stages.

Even after burnout of the last stage, the warheads of the Minuteman III still do not follow a purely ballistic trajectory. This missile carries three _independently_targetable_ re-entry vehicles, attached to a maneuverable "bus." The bus is powered, and changes its trajectory before releasing each of its warheads. I believe the maximum separation between targets of warheads on a single missile is classified information.

Finally, more recent warheads (tested on the MX missile) are themselves maneuverable during re-entry, for evading ABMs. There is evidence that the D5 warhead being developed for the Trident II missile will use satellite navigation signals from the Navstar Global Positioning System (GPS) for terminal guidance. (The Pershing II warhead, incidentally, used Terrain-Contour Matching (Tercom) radar for terminal guidance.) These mechanisms could remove much of the uncertainty involved in firing missiles over previously unflown trajectories.

Please forgive my lengthy response, especially since I am uncertain what this discussion is doing in comp.risks in the first place.

Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998; mhuxd!wolit
(Affiliation given for identification purposes only)

------------------------------

Date: Mon, 19 Jun 89 15:43:09 PDT
From: chapman@csli.Stanford.EDU (Gary Chapman)
Subject: Re: Risks of missiles

I don't want to drag out a discussion of ICBMs, which probably belongs in ARMS-D, but just to offer an addendum, or a slight correction, to Steven Den Beste's recent posting (RISKS 8.82, Risks of Missiles). He said that all tests of Minuteman missiles have been conducted in flights from Vandenberg to Kwajalein atoll. Actually there have been four tests of Minuteman missiles launched from silos, and all four of them failed.

-- Gary Chapman, Executive Director, Computer Professionals for Social Responsibility

------------------------------

Date: Mon, 19 Jun 89 17:21:50 PDT
From: ayers@src.dec.com (Bob Ayers)
Subject: Re: Descriptions of Minuteman Missiles

I am not an expert on missile systems, but even from the little knowledge that I have, I do not believe the statements of denbeste@BBN.COM about the Minuteman system. He writes (in risks 8.82) "The missile has no mechanism for sensing where it is and aiming the warheads accordingly ... all errors in the launch are cumulative and no mechanisms exist to correct them."

I suggest that, while the Minuteman has no mechanism that actually _looks_ to see where it is, it _does_ have positional feedback in the form of inertial navigation subsystems. So it is _not_ travelling in a "dead reckoning" mode as the end of the above quotation asserts.

And I find the bald statement that the Van Allen belt and the different "g" field in northern regions damage missile targeting, with no supporting remarks whatsoever, to be .. um .. curious. I don't know, and I doubt that he knows, either -- though I would be very surprised to learn that the U.S. military doesn't understand the Earth's gravitational field and its effects on bodies in ICBM trajectories.

------------------------------

End of RISKS-FORUM Digest 8.83
************************