Risks Digest 30.34

RISKS List Owner

Jun 24, 2017, 7:13:51 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Saturday 24 June 2017 Volume 30 : Issue 34

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.34>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
U.S., Russia, and Kaspersky (The Washington Post)
Researcher finds Georgia voter records exposed on the Internet
(Seattle Times)
European Parliament Committee Recommends End-To-End Encryption For All
Electronic Communications (TomsHardware)
FCC makes net neutrality commenters' e-mail addresses public (Ars Technica)
News Corp CEO attacks Google and more (Fox News)
Hong Kong privacy watchdog blasts electoral office for massive data breach
(SCMP)
How hackers can steal your 2FA email account by getting you to sign
up for another website (BoingBoing)
Espionage suspect totally thought messages to Chinese intel were deleted
(Ars Technica)
Risks of Overflow Department (Slashdot via Chuck Weinstock)
Y2K problem causes earthquake aftershock 92 years later (Henry Baker)
Sundry items (Monty Solomon)
Re: The tech world is rallying around a young developer who made a huge
embarrassing mistake (Amos Shapir)
Re: Voice synthesis (Richard Bos)
David Owen: Air Accident Investigation: How science is making flying safer
(Robert Dorsett)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 15 Jun 2017 11:30:50 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: U.S., Russia, and Kaspersky

In an era of Russian Hacks, the US is still installing Russian Software on
Government Systems.

http://www.nextgov.com/cybersecurity/2017/06/era-russian-hacks-us-still-installing-russian-software-government-systems/138683/
https://www.washingtonpost.com/news/post-politics/wp/2017/05/11/full-transcript-acting-fbi-director-mccabe-and-others-testify-before-the-senate-intelligence-committee/?utm_term=.4256455dd381

This is the basic paradox: On one hand, top intelligence officials at the
FBI, CIA and the National Security Agency tell members of Congress that
Kaspersky Lab can't be trusted, that they wouldn't put its products on their
personal computers, let alone the nation's. On the other hand, federal
agencies still use the Moscow-headquartered anti-virus software. During the
past decade, it's plugged into systems at the Consumer Product Safety
Commission, the Treasury Department, the National Institutes of Health and
U.S. embassies, among other locations, contracting data shows.

Kaspersky anti-virus also frequently protects state, local and tribal
government computers, former officials told *Nextgov*.

It may even be on some non-national security systems at the Homeland
Security Department, according to testimony from Homeland Security Secretary
John Kelly, though it's generally barred from intelligence and national
security systems throughout government, according to official testimony.
<http://www.nextgov.com/cybersecurity/2017/05/dhs-secretary-promises-report-russian-antivirus-software-agency/138183/>

------------------------------

Date: Thu, 15 Jun 2017 07:14:45 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Researcher finds Georgia voter records exposed on the Internet

NNSquad
http://www.seattletimes.com/business/researcher-finds-georgia-voter-records-exposed-on-internet/

A security researcher disclosed a gaping security hole at the outfit that
manages Georgia's election technology, days before the state holds a
closely watched congressional runoff vote on June 20. The security
failure left the state's 6.7 million voter records and other sensitive
files exposed to hackers, and may have been left unpatched for seven
months. The revealed files might have allowed attackers to plant malware
and possibly rig votes or wreak chaos with voter rolls during elections.
Georgia is especially vulnerable to such disruption, as the entire state
relies on antiquated touchscreen voting machines that provide no hardcopy
record of votes, making it all but impossible to tell if anyone has
manipulated the tallies.

------------------------------

Date: Fri, 16 Jun 2017 10:45:15 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: European Parliament Committee Recommends End-To-End Encryption For
All Electronic Communications (TomsHardware)

NNSquad
http://www.tomshardware.com/news/european-parliament-end-to-end-encryption-communications,34809.html

The European Parliament's (EP's) Committee on Civil Liberties, Justice,
and Home Affairs released a draft proposal for a new Regulation on Privacy
and Electronic Communications. The draft recommends a regulation that
will enforce end-to-end encryption on all communications to protect
European Union citizens' fundamental privacy rights. The committee also
recommended a ban on backdoors.

Hilarious -- meanwhile, EU governments are moving to demand bans on strong
crypto -- and requiring backdoors! Which shows you what a paper tiger this
EU committee is.

------------------------------

Date: Thu, 15 Jun 2017 10:56:13 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: FCC makes net neutrality commenters' e-mail addresses public
through API

NNSquad
https://arstechnica.com/information-technology/2017/06/psa-commenting-on-fcc-net-neutrality-plan-could-make-your-e-mail-public/

If you're one of the many people filing comments on the Federal
Communications Commission plan to gut net neutrality rules, be aware that
your e-mail address and any other information you submit could be made
public.

------------------------------

Date: Thu, 15 Jun 2017 15:25:00 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: News Corp CEO attacks Google and more

NNSquad
News Corp. CEO: The Almighty Algorithm
http://www.foxnews.com/opinion/2017/06/15/news-corp-ceo-almighty-algorithm-fake-news-and-other-consequences-google-amazon-and-facebooks-relentless-focus-on-quantity-over-quality.html

We are here to pay homage to the almighty algorithm. Algorithmic alchemy
is redefining our commercial and social experiences, turning base matter
into noble metals. But like the alchemists of old, algorithms are also a
charlatan's charter, allowing claims of pure science when human
intervention is clearly doctoring results to suit either commercial
imperatives or political agendas.

The News Corp CEO slamming Google, etc., is like Adolf Hitler ranting
about people who eat meat.

------------------------------

Date: Thu, 15 Jun 2017 16:58:18 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Hong Kong privacy watchdog blasts electoral office for massive data
breach (SCMP)

"Officials under fire for keeping details of all city's 3.78 million
voters on laptop that was stolen the day after chief executive election"
http://www.scmp.com/news/hong-kong/politics/article/2098002/hong-kong-privacy-watchdog-blasts-electoral-office-massive

------------------------------

Date: Thu, 22 Jun 2017 10:33:39 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: How hackers can steal your 2FA email account by getting you to sign
up for another website (BoingBoing)

NNSquad
https://boingboing.net/2017/06/22/security-questions-suck.html

In a paper for IEEE Security, researchers from Cyberpion and Israel's
College of Management Academic Studies describe a "Password Reset
Man-in-the-Middle Attack" that leverages a bunch of clever insights into
how password resets work to steal your email account (and other kinds of
accounts), even when it's protected by two-factor authentication.

[Also noted by Gabe Goldberg. PGN]

------------------------------

Date: Sat, 24 Jun 2017 22:26:31 +0800
From: Dan Jacobson <jid...@jidanni.org>
Subject: Espionage suspect totally thought messages to Chinese intel were
deleted (Ars Technica)

Mallory, a 60-year-old former Central Intelligence Agency employee living in
Leesburg, Virginia, had thought the documents were in messages that had been
deleted automatically from the device. Mallory faces life in prison if
convicted.
https://arstechnica.com/tech-policy/2017/06/former-intelligence-employee-caught-selling-top-secret-docs-to-chinese/

------------------------------

Date: Thu, 15 Jun 2017 13:12:40 +0000
From: Chuck Weinstock <wein...@sei.cmu.edu>
Subject: Risks of Overflow Department (Slashdot)

I guess it's futile to expect things to change, but this particular problem
is so old that one would hope that it would. It seems that chess.com no
longer works in 32-bit iPads because their game-id overflowed a 32-bit
field. The following was on Slashdot today (italics mine):

The reason that some iOS devices are unable to connect to live chess games
is because of a limit in 32-bit devices, which cannot handle gameIDs above
2,147,483,647. So, literally, once we hit more than 2 billion games,
older iOS devices fail to interpret that number! This was *obviously an
unforeseen bug* that was nearly impossible to anticipate and we apologize
for the frustration. We are currently working on a fix and should have it
resolved within 48 hours. (Italics mine.)

One of the places we've seen this bug before is when Comair (the no longer
extant Delta airlines commuter operation) was unable to schedule flights
towards the end of December 2004 because, due to bad weather, they had
already had to make 32,767 crew changes during the month.
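
The two limits mentioned above (2,147,483,647 for a signed 32-bit field and 32,767 for a signed 16-bit one), as an added example that is not part of the original post and not code from chess.com or Comair. All function names are hypothetical and the sample IDs are constructed; it contrasts silent truncation with a checked narrowing that reports the overflow.

```c
/* Added example: checked handling of IDs and counters that outgrow
 * their field. All names are hypothetical; sample values are constructed. */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum id_status { ID_OK = 0, ID_MALFORMED, ID_OUT_OF_RANGE };

/* Parse a decimal ID, as a server might send it, into 64 bits.
 * Rejects trailing junk, negative values and values beyond 64 bits. */
enum id_status parse_id64(const char *s, int64_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (end == s || *end != '\0')
        return ID_MALFORMED;
    if (errno == ERANGE || v < 0)
        return ID_OUT_OF_RANGE;
    *out = (int64_t)v;
    return ID_OK;
}

/* Checked narrowing: store the ID in a 32-bit field only if it fits. */
enum id_status narrow_to_i32(int64_t v, int32_t *out)
{
    if (v < 0 || v > INT32_MAX)
        return ID_OUT_OF_RANGE;
    *out = (int32_t)v;
    return ID_OK;
}

/* What an unchecked narrowing keeps: only the low 32 bits of the ID.
 * Done via uint32_t and memcpy so the result is well defined. */
int32_t truncate_to_i32(int64_t v)
{
    uint32_t low = (uint32_t)(uint64_t)v;
    int32_t r;
    memcpy(&r, &low, sizeof r);
    return r;
}

/* Checked increment of a signed 16-bit counter: refuses to go past
 * 32,767 and leaves the counter unchanged when it would wrap. */
enum id_status checked_inc_i16(int16_t *counter)
{
    if (*counter == INT16_MAX)
        return ID_OUT_OF_RANGE;
    (*counter)++;
    return ID_OK;
}

/* Remaining IDs before a 32-bit field is exhausted; useful as a
 * monitoring threshold long before the limit is reached. */
int64_t headroom_i32(int64_t current)
{
    return (int64_t)INT32_MAX - current;
}

int main(void)
{
    /* Constructed sample IDs: last one that fits, first one that
     * does not, and a malformed value. */
    const char *samples[] = { "2147483647", "2147483648", "12x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t id;
        int32_t narrow;
        enum id_status st = parse_id64(samples[i], &id);
        if (st != ID_OK) {
            printf("%s: rejected at parse (status %d)\n", samples[i], st);
            continue;
        }
        if (narrow_to_i32(id, &narrow) == ID_OK)
            printf("%s: fits, headroom %" PRId64 "\n",
                   samples[i], headroom_i32(id));
        else
            printf("%s: does not fit; truncation would give %" PRId32 "\n",
                   samples[i], truncate_to_i32(id));
    }

    int16_t changes = 32766;   /* constructed: one below the 16-bit limit */
    printf("increment 1: status %d\n", checked_inc_i16(&changes));
    printf("increment 2: status %d, counter still %d\n",
           checked_inc_i16(&changes), changes);
    return 0;
}
```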

------------------------------

Date: Thu, 22 Jun 2017 20:38:02 -0700
From: Henry Baker <hba...@pipeline.com>
Subject: Y2K problem causes earthquake aftershock 92 years later

This story has it all: Y2K bugs create fake news that is distributed by
automated alert systems, and picked up by robot news readers. The only
thing missing: this "fake earthquake alert" *could have* tripped a large
number of remotely-triggered "Seismic Gas Shutoff Valves", many of which
must be reset manually at the shutoff valve itself.

Heisenberg's Uncertainty principle at work: making the location more precise
by 6 miles increased the uncertainty of the time by 92 years. :-)

http://www.earthquakestore.com/valve-regulations-la.html
"LOS ANGELES REGION ORDINANCE NO. 171874

An ordinance amending section 94.1219 of the Los Angeles Municipal Code
relating to the installation of seismic gas shutoff valves in new
construction and existing buildings"

http://www.latimes.com/local/lanow/la-me-earthquakesa-earthquake-68-quake-strikes-near-isla-vista-calif-jyhw-htmlstory.html

Revenge of Y2K? A software bug might have caused false alert for big (and
very old) earthquake

The error happened when someone tried to correct the exact location of the
earthquake. (June 22, 2017)

By Rong-Gong Lin II

Remember Y2K, that hyped computer bug and harbinger of digital apocalypse
that never happened when the year 2000 arrived?

Well, 17 years later, it appears something like a Y2K bug played a role in a
mistaken alert sent out Wednesday about a magnitude 6.8 earthquake off the
Santa Barbara coast -- back in 1925.

The error happened when someone at Caltech tried to correct the exact
location recorded for the Prohibition-era Santa Barbara earthquake, which
happened 92 years ago.

The erroneous report was issued around 4:49 p.m., according to the
U.S. Geological Survey, and began arriving in quake-trackers' email in-boxes
around 4:51 p.m. A closer look at the alert, however, would have shown that
something was amiss. The time of the alert was dated June 29, 2025, at 7:42
a.m. But it corresponds with a real earthquake that occurred a century
earlier.

The false alert also did not show up on the USGS website that maps new
earthquakes.

"That's a mistake. It's not real," said Caltech seismologist Egill Hauksson.

He said that a seismologist at UC Santa Barbara had recently complained to
the USGS National Earthquake Information Center that the precise location of
Santa Barbara's 1925 earthquake was not correct and about 6 miles off from
where records actually indicated.

Hauksson's team was asked by the National Earthquake Information Center to
update the location of the historic event in the Advanced National Seismic
System database. Someone on Hauksson's team did so. If everything had gone
right, almost no one should have noticed the change.

The USGS Web pages were updated correctly. But in the USGS email
notification system, the year got changed from 1925 to 2025, which caused an
email to be sent from the server that typically distributes alerts of new
earthquakes.

"Apparently, there is a software bug around somewhere," a summary of the
incident provided by Hauksson said.

The bug was related to something called "Unix epoch time," which starts in
1970, Hauksson said in an email. "The year of 1925 wrapped around in the
software and became 2025," he said.

In a statement posted on Twitter, the USGS said the revision of the 1925
earthquake was "misinterpreted by software as a current event. We are
working to resolve the issue."

As to whether an earthquake off the Santa Barbara coast of that magnitude
would have been felt in downtown L.A., Hauksson said: "Yes, it would have
been very lightly felt. Particularly, people in high-rises would have felt
swaying back and forth for a while."

If the quake had just occurred, the L.A. area would have felt the shaking
before the USGS alert arrived in local email boxes, Hauksson said. For
instance, Pasadena, which is about 96 miles from the origin of the 1925
Santa Barbara earthquake, would be expected to feel shaking about 40 seconds
after the earthquake would have begun in the Santa Barbara Channel -- fast
enough to outpace the existing USGS email alert system.

The expected intensity in Pasadena for a magnitude 6.8 quake that originated
96 miles away would be a 3.3 on the Modified Mercalli Intensity scale.

Here is what intensity 3 and intensity 4 quakes feel like, according to the
USGS:

Intensity 3: "Felt quite noticeably by persons indoors, especially on upper
floors of buildings. Many people do not recognize it as an earthquake.
Standing motor cars may rock slightly. Vibrations similar to the passing of
a truck."

Intensity 4: "Felt indoors by many, outdoors by few during the day. At
night, some awakened. Dishes, windows, doors disturbed; walls make cracking
sound. Sensation like heavy truck striking building. Standing motor cars
rocked noticeably."

https://twitter.com/USGS/status/877685556003692545
https://twitter.com/alxxdes/status/877677727301554176

UPDATES:
11:55 a.m.: This article was updated with additional details about the
software bug and how, if there had been a quake, the Los Angeles area
would have felt shaking before the USGS notifications arrived in email
boxes.
10:10 a.m., June 22: This article was updated with more information about
the origin of the error, involving USGS email notification.
7:35 p.m.: This article was updated with information on what showed up on
the USGS website.
5:55 p.m.: This article was updated with a statement from the USGS.
4:55 p.m.: This article was updated with information that the report was
erroneous.

------------------------------

Date: Wed, 14 Jun 2017 23:53:35 -0700
From: Monty Solomon <mo...@roscom.com>
Subject: Sundry items (PGN culled)

* The driver who died in a Tesla crash using Autopilot ignored at least 7
safety warnings
https://www.washingtonpost.com/news/the-switch/wp/2017/06/20/the-driver-who-died-in-a-tesla-crash-using-autopilot-ignored-7-safety-warnings/

* Obama's secret struggle to retaliate against Putin
https://www.washingtonpost.com/graphics/2017/world/national-security/obama-putin-election-hacking/

* Homeland Security official: Russian government actors potentially tried to
hack election systems in 21 states. Most of the hacking was just scanning
for vulnerabilities, though a few were successfully exploited.
https://www.washingtonpost.com/world/national-security/homeland-security-official-russian-government-actors-potentially-tried-to-hack-election-systems-in-21-states/2017/06/21/33bf31d4-5686-11e7-ba90-f5875b7d1876_story.html

* Under pressure, Western tech firms bow to Russian demands to share
cybersecrets
http://www.reuters.com/article/us-usa-russia-tech-insight-idUSKBN19E0XB

* How the CIA infects air-gapped networks
https://arstechnica.com/security/2017/06/leaked-documents-reveal-secret-cia-operation-for-infecting-air-gapped-pcs/

* Found: "Crash Override" malware that triggered Ukrainian power outage
https://arstechnica.com/security/2017/06/crash-override-malware-may-sabotage-electric-grids-but-its-no-stuxnet/
https://www.nytimes.com/2017/06/19/technology/britain-encryption-privacy-hate-speech.html

* Using Texts as Lures, Government Spyware Targets Mexican Journalists and
Their Families
https://www.nytimes.com/2017/06/19/technology/britain-encryption-privacy-hate-speech.html

* Computational Propaganda Worldwide: Executive Summary
http://comprop.oii.ox.ac.uk/2017/06/19/computational-propaganda-worldwide-executive-summary/

* Move Over, Bitcoin. Ether Is the Digital Currency of the Moment.
https://www.nytimes.com/2017/06/19/business/dealbook/ethereum-bitcoin-digital-currency.html

* U.S. Tech Firm The Bitfury Group in Blockchain Tie-Up With Insurance
Advisory Firm
https://www.nytimes.com/reuters/2017/06/16/business/16reuters-bitfury-blockchain-insurance.html

* Scammer who made 96 million robocalls should pay $120M fine, FCC says
https://arstechnica.com/information-technology/2017/06/scammer-who-made-96-million-robocalls-should-pay-120m-fine-fcc-says/

* AES-256 keys sniffed in seconds using EU200 of kit a few inches away,
covertly stealing keys for 200 euros.
https://www.theregister.co.uk/2017/06/23/aes_256_cracked_50_seconds_200_kit/

------------------------------

Date: Sat, 17 Jun 2017 11:00:57 +0300
From: Amos Shapir <amo...@gmail.com>
Subject: Re: The tech world is rallying around a young developer who made
a huge embarrassing mistake (RISKS-30.33)

Every Risks reader should see the original note of this incident, and post
it on every wall
(https://np.reddit.com/r/cscareerquestions/comments/6ez8ag/accidentally_destroyed_production_database_on/):

---Quote ---

I was basically given a document detailing how to set up my local
development environment. Which involves running a small script to create my
own personal DB instance from some test data. After running the command I
was supposed to copy the database url/password/username outputted by the
command and configure my dev environment to point to that database.
Unfortunately instead of copying the values outputted by the tool, I
instead for whatever reason used the values the document had.
Unfortunately apparently those values were actually for the production
database (why they are documented in the dev setup guide I have no idea).
Then from my understanding the tests add fake data, and clear
existing data between test runs which basically cleared all the data from
the production database...

---End Quote ---

The young developer's mistake was actually small and entirely predictable --
note that the only clear credentials given were those of the production DB!
In a document intended for first day rookies!

Then they made the poor guy believe it was his fault. They should have
fired instead those responsible for the document, and everyone on their
chain of command...

------------------------------

Date: Sun, 18 Jun 2017 11:09:32 GMT
From: ral...@xs4all.nl (Richard Bos)
Subject: Re: Voice synthesis (Brader, RISKS-30.32)

The risk goes the other way, too: your voice might not sound like your
voice. Mine, for instance, sounds deeper the more alcohol I've had this
evening... Not being allowed into your bank account when you're sloshed
might sound like a good idea, but being locked out because you have the
'flu wouldn't make anyone happier.

------------------------------

Date: Fri, 23 Jun 2017 17:40:00 -0500
From: Robert Dorsett <r...@dorsett.us>
Subject: Air Accident Investigation: How science is making flying safer.
(David Owen)

David Owen
Air Accident Investigation: How science is making flying safer.
Patrick Stephens Ltd, 1998
ISBN: 1-85260-583-9
Paperback, 194 pages

Air Accident Investigation is a collection of horror stories, a recounting
of several dozen airliner crashes. It seeks to illustrate how each crash
significantly affected the evolution of safety in the air transport system.
It necessarily focuses on many crashes in the distant past, and has a
somewhat refreshing UK-centric bent to it all.

Thematically, it's split into broad causal factors:

- Metal fatigue
- CAT and mountain waves.
- Windshear
- Freezing weather
- Mid-Airs
- Pilot Error
- ATC
- Human error
- Systems Failures
- Terrorism

The metal fatigue section focuses on the Comet disasters: how the rollout of
the airplane happened, when the crashes happened, and how the root causes
were eventually discovered. It also touches on the 1985 JAL 747 crash
resulting from the failure of the aft pressure bulkhead. It also discusses
the Aloha convertible. Basic results: increased focus and competence in
metallurgy.

The CAT section has some eye-openers. Owen briefly touches on a Comet crash
in 1953, in an airplane departing Calcutta, which apparently involved
overstressing the airplane to fight turbulence. The 1966 BOAC 911 707 crash
near Mt. Fuji is covered in detail. Also a 1966 Braniff BAC-111 crash, from
Kansas City to Minneapolis. Both were victims of extremely strong lateral
wind loads, causing tail empennage separation and engine separation and
failure. The author also touches on a BA 747 volcanic ash incident, near
Java. Basic result: control authority modifications and better weather
forecasting and understanding of meteorology.

The windshear section touches on the physics of microbursts, a 1975 EAL 727
crash at JFK on approach and a PAA 727 crash on takeoff from New Orleans.
This chapter also covers a Southern Airways DC-9 crash in 1977, resulting
from dual flameouts. It wraps up with the Delta L-1011 crash at DFW in 1985.
Basic result: forecasting, windshear technology, appreciation of limitations
of weather radar.

The freezing weather section focuses on a Capital Airlines Viscount 746D,
which experienced in-flight icing. Most of the chapter deals with a BEA
Airspeed Ambassador, which crashed on takeoff from Munich in 1958, carrying
the Manchester United football team. There was deep slush on the runway,
which the crew tried to muscle through, while dealing with a temperamental
engine. After the third try, they overran the runway. When the
investigators arrived, they discovered ice on the wings, which was likely
due to snow contacting the warm wing after the crash, then freezing. They
blamed the pilots, but the Brits blamed the slush. The captain was fired,
then eventually exonerated. We then go on to the Air Florida 737 crash in
1982. The author wraps up with the 1974 crash of a Northwest Orient 727,
which was likely due to icing over of the pitot-static system, due to
failure to engage the probe heat. Basic results: refinement of anti-icing
procedures; understanding of effects of slush on performance.

Next up, mid-airs. Grand Canyon crash of 1956, the 1960 crash of a Connie
and DC-8 over Staten Island. The author also briefly discusses a 1965
midair between a PAA 707 and an Eastern DC-7B; and an F-4 Phantom and a DC-4. It
wraps up with more in-depth treatment of the PSA/Cessna mid-air in 1978, and
the 1986 Aeromexico DC-9 crash. Results: positive radar control, ATC
improvements, navaid improvements, TCAS.

Pilot error: The next chapter is called CLosing the plot, and is also kind
of where the book loses the plot. Up through this point, most of the crews
did their jobs correctly. In this chapter, the author posits that accident
investigation was so effective in cleaning up the engineering landscape that
the only thing left is pilot error. And this leads us to a series of CFIT,
fuel exhaustion accidents, get-there-itis, and poor CRM. Owen also throws
in KAL 007 and the Erebus crash. Results: CRM.

ATC: Another midair in 1967 (Piedmont 727 and a Cessna 310); the BEA/Inex
midair over Zagreb. Tenerife. These descriptions focus more on
ATC/systemic issues.

Human error: a Victor crash in 1959 (paint job caused a pitot tube failure
in weather); Kegworth. The Kegworth discussion takes as a given the theory
that the captain confused air sources in his decision to shut down the wrong
engine. As I recall, this theory was eventually deprecated, and a quick
review of the accident report confirms this. There is also one black hole
727 crash, though the author doesn't really connect the dots as to this
phenomenon. Despite the weaknesses in this chapter, there is also an
interesting discussion of an uncontained engine failure on a National DC-10
in 1973, following the flight crew's in-flight experimentation with
circuit breakers. Apparently this caused an overspeed condition in the
engine, causing blade separation, explosive decompression, and a passenger
fatality. The chapter concludes with the China Airlines flipover near Los
Angeles in 1985, an in-pattern wake turbulence accident between a DC-10 and
DC-9, and the crash of a Trident on takeoff, in 1972.

Systems: a 1964 crash of an EAL DC-8 in Lake Pontchartrain (autopilot pitch
trim/elevator problem); crash of an Argonaut in 1967 (engine failure
followed by control issues); the 737 disaster in Manchester in 1985 (engine
fire followed by bad evacuation procedures); the 1972 AA DC-10 cargo hold
door failure and decompression; subsequent Turkish Airlines DC-10 crash; the
1979 DC-10 crash at ORD; UAL 232.

Terrorism: bomb in the lav in a Continental 707 in 1962; cabin bomb in a
Comet in 1967; Lockerbie.

Overall:

The book is an interesting technical summary of air accidents, but:

- It has the sense of an engineer's determinism. There's barely anything on
human factors or training issues, or any of the myriad other soft, systemic
issues. The risks of cockpit automation in the final chapter are merely
summarized as GIGO.

- There's not really much about the science of accident investigation. The
opening chapter has a well-written summary of forensic clues and how they
might be interpreted, but we don't learn how crash investigations are
structured. Instead, the crashes are presented as black-and-white, this
happened, this was discovered, this is reality. There's little ambiguity.
Even the discussion of the Indian Airlines A320 crash at Bangalore is just a
couple of short paragraphs concluding the captain screwed up! The book is
basically a collection of vignettes: this crash, and this is why. Not a lot
about the process of discovery, with some good exceptions.

- There's similarly no sense of ambiguity in the political context. Very
black and white, no hint of the negotiation that goes into the final
reports. Manufacturer and airline input, political input. The closest we
get is the Munich crash, where the Brits locked horns with the Germans over
their probable cause statement and findings.

- And needless to say, nothing at all on the legalities of accident
investigation. Nothing on how the accident process should be used.

- Occasionally, the author writes strange things, like claiming the airplane
is moving at high velocity while simultaneously claiming it was in a flat
spin. Or that an airplane at an airport used its radar to check out the
thunderstorm immediately above the airport. This demonstrates a limit to
the author's familiarity with flight operations.

- There is a strange bibliography. 17 pop-market books, and doesn't cite
individual AARs. I wonder if that contributed to the Kegworth description.

- Structurally, it shares the fundamental formatting issue of virtually all
niche-market books, namely full justification. I just don't get it.

Overall, the book is kind of a distilled summary of a few dozen aircraft
accident reports, events all pilots should be familiar with. I kind of
liked it. It's an easy read. A dark, disturbing read.

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.34
************************
