| University of Bielefeld - Faculty of technology | |
|---|---|
|
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D. |
|
| Back to Abstracts of References and Incidents | Back to Root |
| This page was copied from: http://catless.ncl.ac.uk/Risks/16.35.html | |
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Fraud and Identity
Summary of Der Speigel interview with Airbus' Bernard Ziegler
CORRECTION, Report on the *1993* Gatwick near-miss
Re: pi = 3
Re: The new Cray and Unix passwords...
According to the U.K. Press Association newswire (94.08.10), the final culprit
has been jailed for defrauding the British social security administration of a
small fortune:
LAWYER'S DAUGHTER JAILED FOR BENEFITS FRAUD
By Melvyn Howe, PA News
`The daughter of a wealthy and respected lawyer was jailed for three and a
half years today for her part in a massive countrywide social security fraud.
Public school educated Olu Atobatele, regarded as a "pariah" by her
"shamed" family, took a leading role in a highly sophisticated operation which
involved 2,000 false identities and was the largest benefits conspiracy of its
kind in Britain.'
Key points from the article:
o Part of a gang of 11 who defrauded the Crown of 1 million pounds.
o She herself stole 90,000 pounds in 20 months.
o The gang members used "details of students' identities" and fabricated
identities using information "from the Death Register at St Katherine's House,
as well as identities from the British and African edition of Who's Who to
make more than 240 bogus claims for income support between early 1992 and
August last year."
o The Department of Social Security "has instituted new procedures" to
reduce fraud as a result of this scam.
[Comments from MK:
Please skip on to the next message if you're not in the mood for a leisurely
stroll through some speculation. I got to thinking about this case of a
Saturday afternoon and wrote down this little essay on identity in the real
world and in cyberspace.
Impersonation is one of the techniques used by criminals, including criminal
hackers, to acquire goods and services belonging to or due to others. Many
people will be familiar with the techniques of "social engineering" (properly
called "lying, cheating and extorting") used by criminal hackers to obtain
information need in penetrating restricted systems. Such techniques include
impersonating journalists, technicians and high-ranking personnel.
High-resolution colour scanners, photocopiers, printers and image-processing
software, have been turned to evil effect by high-tech forgers of currency and
of authenticating documents.
In the case above, criminals were able to bamboozle human beings into entering
false information into computerized systems--a kind of data diddling at one
remove.
Disproportionate public outrage over much-publicized social services fraud by
immigrants is pushing many jurisdictions towards insisting on biometric
pattern recognition (e.g., fingerprints) to authenticate claims on social
entitlements. Such a system would preclude inventing identities to be claimed
by the same human being, since the "different" people would all have the same
fingerprints.
However, biometric systems do not solve the fundamental problem: the
difficulty of authentication of identity in today's world of fragmented
communities and highly mobile individuals. Consider the true story underlying
the film "Le Retour de Martin Guerre" (severely distorted in the US remake
called "Sommersby"). A young man in mid-Renaissance France is forced to marry
an even younger woman against their wishes because of family pressures. After
seven years of unconsummated marriage, he runs away, only to reappear many
years later. With his detailed knowledge of everything he ought to know as
Martin Guerre, he is re-integrated into his village despite oddities like the
wrong shoe size and hostility from his own dog. Even his wife welcomes him
back to the conjugal bed. However, envious relatives eventually challenged
him as an imposter. The real Martin Guerre reappears and the imposter is
hanged.
This story has been part of French history for centuries precisely because
successful imposture was so unusual in agrarian Europe. Most people never
travelled more than a day's journey from their place of birth in their entire
lives. They married the people they had known all their lives; they were no
more likely to take on other identities than to learn to read.
Now contrast today's world: there would be nothing unusual about being born in
Tucson, growing up in San Francisco, going to college in Boston, taking the
first job in Chicago, moving to Denver, and ending up in Syracuse with a
spouse from Edmonton. In such a society it's a wonder that there aren't
_more_ impersonations--and who knows, maybe there are lots but they're real
successful <g>.
Benjamin Wright, author of _The Law of Electronic Commerce_ and instructor in
the National Computer Security Association's online seminar on _EDI Security_
has often commented that we seem to demand more of identity in cyberspace than
we do in reality. Suppose Able Baker carries on a discussion with Charlie
Delta; does it matter to either "who" the other is in another context? What
_would_ matter is for an imposter to pretend to be Able or Charlie and
interfere in their communication by inserting fraudulent messages or
intercepting legitimate messages.
Real-world authentication fails because of reliance on paper documents which
are just too easy to falsify; perhaps computer-based authentication could
reduce such fraud. Despite relatively poor reliability for any one biometric
technique, the error rates for combinations are very low. Combining any two
of, say, fingerprints, retinal scans and signature dynamics, for example,
would provide trustworthy authentication. The question will be
cost-effectiveness; would the enormous expense of installing huge numbers of
biometric input devices and the network and database infrastructure be seen as
justified? And would the costs of protecting the "cyberspace shadow" (as some
writers are calling it) against tampering exceed the reduction in fraud?
The remaining difficulty is the bridge between social identity and identity in
cyberspace. How does one ensure that the person registering as Echo Foxtrot
_really is_ Echo Foxtrot in other aspects of his life? And how much do we
care? Enough to implant a non-forgeable device in the person's body at birth
or upon receiving legal immigration status? Yuk! Sounds like the basis for a
police state, doesn't it?
I predict that under the increasing pressures of immigration (legal and
illegal), increasing economic disparities, and continuing entitlement
programs, the occurrence of impersonation will increase. At some point,
fingerprinting will become mandatory for all claims on the social welfare
systems; eventually, pressures will mount for authentication even in the
initial claims for entitlements. At that point, societies will turn to
mechanisms of authentication familiar to computer system users. Will the time
come when microprocessors will be implanted under people's skin to transfer
their cryptographically-sound identifiers on demand? And what will the
consequences of such institutionalized scepticism be on social relations?
Will people meeting in person for the first time press their wrists together
to exchange public keys? Will those who refuse to participate in rituals of
authentication be frowned upon? And will such tokens become valuable
commodities--valuable enough to steal and trade in the underworld? Sounds
like the subject for an interesting science fiction novel.]
M.E.Kabay/DirEd/Natl Computer Security Assn (Carlisle, PA)
The German newsweekly Der Spiegel, issue 33 (1994) dated 15 Aug 94, contains
an interview with Bernard Ziegler, described as Technical Director of Airbus
Industrie, responsible for flight test and certification (`Zulassung') of all
Airbus aircraft. There is a short background statement concerning the
accidents on pp160-161, and the interview is on pp161-164.
The interview focuses on the reliability of Airbus aircraft, in the light of
the following crashes: Bangalore, Feb 90 (A320: landed short of the runway in
clear weather, 92 dead); Strasbourg, Jan 92 (A320 descended into a hill in
clouds on a backcourse approach to the airport, 87 dead); Warsaw, Sep 93
(A320, landing in a thunderstorm, overran the runway, 2 dead, many injured);
Nagoya, Apr 94 (A300, copilot and autopilot in control conflict, eventually
nose rose at an extreme angle and the plane stalled, crashing tail first onto
the ground, 246 dead); Toulouse-Blagnac Jun 94 (A330, testing engine-out
go-arounds, stalled and crashed, 7 dead including the Airbus chief test
pilot). The Habsheim A320 accident is not mentioned. The header to the intro
says:
"Airbus Industrie is under pressure. Twelve total-losses since 1987 with 815
dead have awakened doubts about the concept of airplanes dependent on
electronics [`elektronisch hochgeruesteten Flugzeuge']. Do technical failures
contribute to the series of accidents? Or are pilots overextended by the
`flying computers'?"
Here is a summary of what I surmise are the salient parts of the interview for
RISKS readers.
[begin summary]
Ziegler says they've had a lot of bad luck recently, contrasted with the first
14 accident-free years (except for the Iranian Airbus shot down by the US
Navy). But he suggests comparing the record of the A320 with that of the B727,
B737 or DC9 when they were introduced. He says that Airbus is 30 per cent
better than the average of all builders - but he wants to be 100 per cent
better. He says there's no reason to change the Airbus `philosophy' of taking
over some of the pilot's tasks by computer, pointing out that all of the new
technology developed by Airbus, from `glass cockpit' to new types of
autopilot, has been followed by `all the others'. And, `[..] the pilot still
has the last decision. Whoever suggests the contrary doesn't know what they're
talking about.'
They discuss the problems in Warsaw concerning the late deployment of
airbrakes and thrust reverse, concerning which he points out that (a) it's a
requirement for all modern airplanes that deployment is not enabled until the
plane is firmly on the ground; and (b) there are particular limits on landing,
for example not when a tailwind is stronger than 10 knots, or when the landing
speed is too high. In Warsaw, these boundaries, which were carefully
ascertained in test flights, were crossed. Also, runway overrun is one of the
`classical' airplane accidents, regardless of type. When asked why the Polish
investigators singled out late deployment of airbrakes and reversers, he noted
that the report also misses important details, including the problem with the
false weather information given to the pilots, and notes that many of the
Polish recommendations contradict various requirements of the air transport
supervisory authorities. He said that the level of the compression sensors on
the landing gear, and the landing logic, has been changed for Lufthansa at the
request of the client, but that only an expert can tell the difference between
the old and the new landing logic.
There follows a discussion about computers vs other kinds of flight control,
during which he says that there is in principle no difference between more
traditional methods of control and the fly-by-wire of the A320, and that it's
an illusion to believe that there's ever a direct connection between the
pilot's hand and the behavior of an airplane - flying is in this sense
something artificial.
He says that there are always ways to improve airplanes, and they remain in
close contact with the clients to make such improvements.
He is asked about the involvement of the autopilot in Nagoya, and about a
prima facie similar problem with an autopilot in 1991 in Moscow (an A310), and
why Airbus had not modified all the autopilots of these types. He replies that
requiring expensive modifications is not a simple matter, and must first be
thoroughly investigated to see if they cause more problems than they solve
[not his phrase - I am paraphrasing. pbl]. He notes that Boeing has waited
twelve years before recommending modifications in one case. He says that in
conjunction with the certification authorities, Airbus had developed an
autopilot modification and recommended that A300-600 clients perform it, and
after the Moscow incident had notified everyone officially of the correct use
of the autopilot [there are standard procedures for doing these things - he's
pointing out that the standard procedures for clarification of operating
procedure were vigorously pursued. pbl] After the Nagoya accident, Airbus
decided that the modifications they had recommended to A300-600 and A310
aircraft should be mandatory. It will take about 2 years and $60m to alter the
fleet.
When asked about the `spectacular crashes' in India, he rejects the
categorisation and points out the statistics for India show that it's a
difficult environment for airlines, and that the A320 crash happened right
after two B737 crashes. There's then some discussion of pilot training and
capabilities.
Concerning the A330 test flight crash in Toulouse, he points out that it was a
difficult but not dangerous test, and in response to a question concerning
entering the right autopilot `flight level', he points out that it was
mistakenly left at 2000ft but should have been at 7000ft according to the
checklist. He says that the fundamental error was that the crew let the
nose-high, low-speed situation persist too long, and speculates why: because
they took the nose-high situation for an anomaly and they wanted to see what
would develop [according to the preliminary report, it was pilot commanded.
They were confused as to which mode the flight control was in. pbl]; because
the test engineer trusted the pilot to know when to return to normal; and Nick
Warner [the chief test pilot of Airbus, one of the two pilots. pbl] had been
critised before by test engineers for retaking control too quickly, and maybe
was sensitive to potential criticism in this case also. It was a question just
of two seconds delay.
The consequences, he says, will be that automatic protection will be developed
that will rule out such extremely unlikely accidents, and that the A330 and
A340 will be the first aircraft to be protected automatically against the
development of such a flight condition (`entsprechend ueberzogenen
Flugzustand').
[end summary]
A few comments -
Warsaw: Ziegler correctly points out regulations concerning thrust reverse and
airbrakes. However, no mention was made by the interviewer or Ziegler of the
wheel brakes themselves. The wheels did not spin up on landing to the required
speed to allow the anti-skid system to function as designed. Ziegler's
selection of the tailwind for commentary raises some hypothetical
considerations. At the given landing speed, with the tail wind, the wings
were developing less lift than they would have been without the tail wind,
making it more likely that the braking functions would have been enabled by
the sensors. On the other hand, had there been no tailwind, the pilots would
have landed at the same indicated airspeed, which would have given them 10 kts
slower ground speed, but the same amount of lift preventing the sensors from
indicating ground contact. For similar problems not to have occurred in this
situation, the wheels would have not to have aquaplaned at this slower landing
speed. But in the accident situation, they did not appear to spin up to speed
until the ground speed was well below this, and much more of the airplane
weight was on the wheels.
It's a simple consequence of the landing logic that braking systems did not
deploy under the landing condition in Warsaw, as may be seen from an
inspection of the description of the logic in the Flight Crew Operating
Manual. The sensor settings and landing logic has apparently been changed
sufficiently so that A320s landing in similar conditions, in a similar manner
to the accident airplane, will not suffer a lengthy delay in activation of
braking systems (brakes, airbrakes, thrust reversers). The logic is written
in the Flight Crew Operating Manual which your local A320 pilot might be happy
to show you.
Bangalore: it appears the pilots were confused as to which control mode the
airplane was in. Under the particular conditions of flight, the engines went
to flight-idle and the airplane descended rapidly into the ground while the
pilots were trying to figure out what was going on.
Nagoya: The autopilot appears to have been engaged and in `go-around' mode
(`abort landing, gain altitude quickly'). The copilot, who was flying, was
pushing hard forward on the control column trying to land the airplane. The
autopilot was counteracting this by configuring the airplane aerodynamically
for full nose-up (this `trim' feature is a standard control in all airplanes).
When the copilot eventually let go of the column, the airplane's nose rapidly
rotated upwards to an extremely high angle (given the trim condition, this is
what one would expect) and the speed decayed severely, causing the aircraft to
stall nose-high, close to the ground. It hit the ground tail-first. The
standard procedure in which pilots are trained (on this and all other
transport airplanes) is to disconnect the autopilot and ensure it is
disconnected if they want to hand-fly the plane onto the runway. There are
numerous puzzles concerning this accident.
Toulouse: Under the correct checklist settings, the pitch (nose-upward angle)
of the aircraft on takeoff would have been automatically controlled when the
autopilot was engaged. The co-pilot who was flying rotated on take-off to a
high angle. Meanwhile, Warner engaged the autopilot (which took three tries)
and `failed' the left engine. It's surmised they were expecting the autopilot
to return the aircraft to a precise pitch as it handled the situation, as
planned. The aircraft was flying in a different control regime than planned
due to the mistaken altitude-capture setting of 2000ft rather than 7000ft on
the autopilot. Pitch was not `protected' by the autopilot in this regime.
Speed decayed rapidly since the nose did not go down, the aircraft was unable
to maintain lateral control when it was below the airspeed required to do so,
and yawed and rolled. After this situation had developed, Warner throttled
back the right engine to regain lateral control, as well as regaining
wings-level and nose-level. When control was regained, the ground was just a
little too close. There are a couple of important reports on this accident in
Flight International for 10-16 Aug and 17-23 Aug.
The Strasbourg crash was reported in RISKS-13.06, with follow-ups in numerous
immediately following RISKS-13 numbers. The official verdict was reported in
RISKS-14.74, with follow-ups in 14.76 and 14.77. Warsaw, Nagoya and Toulouse
accidents have been discussed in RISKS-15.13, 15.30, 15.31, 15.32, 15.36,
16.07, 16.13, 16.14, 16.15, 16.16, 16.22 and 16.23. For a survey of these
accidents (except for the A330), see RISKS contributor Peter Mellor's paper:
`CAD: Computer-Aided Disaster'.
Additional comments on Airbus aircraft may also be found in RISKS-13 numbers
06,07,08,09,11,12,16,19,20,21,22,23,24,27,64,67; and RISKS-14 numbers
01,07,74,76,77.
Peter Ladkin
I must apologize for an overzealous attempt to correct what appeared to be an
error. Peter Ladkin's message explicitly referred to the *1993* Gatwick
near-miss. I was reading some out-of-band communications in which there
had been a date error that made it appear that the *1993* was incorrect,
so I miscorrected it miscorrectly. Sorry. Mea culpa. PGN
Actually, my home state of Indiana did try to legislate that the value of pi
should be 3. Here is some information from the alt.folklore.urban archives
from an article written by Mark Bader (msb@sq.com) (Further information can
be found in "Mathematical Cranks", Underwood Dudley, The Mathematical
Association of America, Washington D.C.). James Dudley
THE STORY
The author of the bill was Dr. Edwin J. Goodwin, an M.D., of Solitude,
Indiana. It seems that he was a crank mathematician. He contacted his
Representative, one Taylor I. Record, with his epoch-making suggestion: if the
State would pass an Act recognizing his discovery, he would allow all Indiana
textbooks to use it without paying him a royalty.
Nobody in the Indiana Legislature knew enough mathematics to know that the
"discovery" was nonsense. In due course the bill had its third House reading,
and passed 67-0. At this point the text of the bill was published "and, of
course, became the target for ridicule", "in this and other states".
By this time a real mathematician, Prof. C. A. Waldo, had learned what was
going on. In fact, he was present when the bill was read on February 5, 1897.
("...imagine [the author's] surprise when he discovered that he was in the
midst of a debate upon a piece of mathematical legislation. An ex-teacher was
saying ... 'The case is perfectly simple. If we pass this bill which
establishes a new and correct value for Pi, the author offers ... its free
publication in our school text books, while everyone else must pay him a
royalty'", Waldo wrote in a 1916 article.) But the House had passed the bill.
Fortunately, Indiana has a bicameral legislature. The bill came up for first
reading in the Senate on Thursday, February 11. Apparently in fun, they
referred it to the Committee on Temperance. The Committee reported back on
Friday, February 12, approving the bill, which then had its second reading.
The Indianapolis Journal reported what happened: "The Senators made bad puns
about it, ridiculed it, and laughed over it. The fun lasted half an hour.
Senator Hubbell said that it was not meet for the Senate, which was costing
the State $250 a day [!], to waste its time in such frivolity ... He moved the
indefinite postponement of the bill, and the motion carried. ... All of the
senators who spoke on the bill admitted that they were ignorant of the merits
of the proposition. [In the end,] it was simply regarded as not being a
subject for legislation."
ANNOTATED TEXT OF THE BILL
/* Following is the text of Indiana House Bill #246 of 1897, with my
* own annotations (in comment signs and exdented, like this text).
* In my annotations, A, r, d, c, and s are respectively the circle's
* area, radius, diameter, circumference, and the side of the inscribed
* square. */
A bill for an act introducing a new mathematical
truth and offered as a contribution to education to be
used only by the State of Indiana free of cost by paying
any royalties whatever on the same, provided it is ac-
cepted and adopted by the official action of the leg-
islature of 1897.
/* You normally have to pay royalties on mathematical truths?
* The Pythagoras estate must be doing well by now... */
SECTION 1.
Be it enacted by the General Assembly of the State
of Indiana: It has been found that a circular area is to
the square on a line equal to the quadrant of the cir-
cumference, as the area of an equilateral rectangle is
to the square on one side.
/* The part after the last comma is a remarkable way of saying
* "as 1 is to 1". In other words, this says A = (c/4)^2, which
* is the same as A = (pi*r/2)^2 = (pi^2/4)*r^2 instead of the
* actual A = pi*r^2. */
The diameter employed as the linear
unit according to the present rule in computing the
circle's area is entirely wrong, as it represents the
circle's area one and one-fifth times the area of a
square whose perimeter is equal to the circumference of
the circle.
/* The formula A = pi*r^2 is interpreted as A = d*(c/4), which is correct.
* The author claims that the d factor should be c/4, so the ratio of
* the area by the author's formula to the area by the real formula
* is c/(4*d), that is, pi/4. Since he believes pi = 3.2, this ratio
* is 3.2/4, which is 4/5. Therefore the area by the author's rule
* is 1/5 smaller than the actual area. Now he apparently thinks that
* the reciprocal of 1-1/5 is 1+1/5, and thus that the other area is
* 1/5 larger than his area, which of course would actually require
* the ratio to be 5/6. */
This is because one-fifth of the di-
ameter fails to be represented four times in the
circle's circumference.
/* In other words, c = (1-1/5) * (4*d); consistent with pi = 3.2. */
For example: if we multiply the per-
imeter of a square by one-fourth of any line one-fifth
greater than one side, we can in like manner make the
square's area to appear one fifth greater than the fact,
as is done by taking the diameter for the linear unit
instead of the quadrant of the circle's circumference.
/* He says that if we consider the area of a square of side x to be
* (4*x)*(x/4) and we replace the second x by (1+1/5)*x, we get an
* area 1/5 too large, and this is analogous to using d in place of
* c/4 with the circle. */
SECTION 2.
It is impossible to compute the area of a circle
on the diameter as the linear unit without trespassing
upon the area outside the circle to the extent of in-
cluding one-fifth more area than is contained within the
circle's circumference, because the square on the diame-
ter produces the side of a square which equals nine when
the arc of ninety degrees equals eight.
/* I can only assume that "nine" is a mistake for "ten". See also
* the annotation after the next one. */
By taking the quadrant of the
circle's circumference for the linear unit, we fulfill
the requirements of both quadrature and rectification of
the circle's circumference.
/* Getting repetitive here... */
Furthermore, it has revealed the ra-
tio of the chord and arc of ninety degrees, which is as
seven to eight, and also the ratio of the diagonal and
one side of a square which is as ten to seven, disclos-
ing the fourth important fact, that the ratio of the di-
ameter and circumference is as five-fourths to four; and
because of these facts and the further fact that the rule
in present use fails to work both ways mathematically,
it should be discarded as wholly wanting and misleading
in its practical applications.
/* The meat of the bill. He says that s/(c/4) = 7/8, and d/s = 10/7,
* therefore d/c = (10/7)*(7/8)/4, which he reduces only as far as
* (5/4)/4. Of course this is 5/16, and gives pi = c/d = 16/5 = 3.2.
* It also implies that the square root of 2 is 10/7. */
SECTION 3.
In further proof of the value of the author's pro-
posed contribution to education, and offered as a gift
to the State of Indiana, is the fact of his solutions of
the trisection of the angle, duplication of the cube and
quadrature of the circle having been already accepted as
contributions to science by the American Mathematical
Monthly, the leading exponent of mathematical thought in
this country.
/* When I first posted this I assumed that the A.M.M. must have had a
* policy of politely acknowledging crankish submissions, but apparently
* at one time they simply printed whatever they were sent. I haven't
* checked this out. */
And be it remembered that these not-
ed problems had been long since given up by scientific
bodies as unsolvable mysteries and above man's ability
to comprehend.
/* "Given up" is not the same as "proved insoluble"! */
[Also noted by
pcw@access.digex.net (Peter Wayner),
"Tom Zmudzinski" <zmudzint@cc.ims.disa.mil>, who suggests using 355/113,
mhaynes@bgsu.edu (Michael F. Haynes),
clark@cpd125.cpd.ford.com (Andrew Clark),
nhy@panix.com (Nina H. Yuan),
George Jansen <gjansen@seas.gwu.edu>,
dalamb@qucis.queensu.ca (David Lamb), and
cc32859@vantage.fmrco.com (Donald Sharp), who wonders
``how many other technically flawed ideas have actually been codified
into law because not enough people in the legislature understood
flaw? And what is the risk involved in trying to implement laws that
contradict the fundamental truths of nature?''.
(However, two of those remembered the state incorrectly.) I am delighted
to have this urban nonlegend put to rest. Thanks. PGN]
There are two biblical verses that show PI to have a value of three.
They seem to be the same information repeated, but from the King James
version as reported in the Library of the Future CDROM, which seems to
be filled with texts from the past:
Kings-1 verse 7:23 And he made a molten sea, ten cubits from the one
brim to he other: [it was] round all about, and his height [was] five
cubits and a line of thirty cubits did compass it round about.
Chronicles-2 verse 4:2 Also he made a molten sea of ten cubits from
brim to brim, round in compass, and five cubits the height thereof; and
a line of thirty cubits did compass it round about.
Leonard P. Levine, Professor, Computer Science, Univ. of Wisconsin-Milwaukee
Box 784, Milwaukee, WI 53201 levine@cs.uwm.edu 1-414-229-5170
Mr. Wayner neglects to consider the "salt" values used to hash the passwords
which prevent this type of attack. All 1000 passwords would likely require
independent encryption with unique salt values.
Chris Ransom chris@quests.com
| This page was copied from: | http://catless.ncl.ac.uk/Risks/16.35.html |
| COPY! | |
| COPY! | |
|
by Michael Blume |