Previous IssueIndexNext IssueInfoSearchingSubmit ArticleFTPDo not even think about clicking on this button

The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 

Volume 2: Issue 2

Saturday, 1 Feb 1986

Contents

o More on Shuttle destruct systems
Martin J. Moore
Sean Malloy
Brint Cooper
o The Challenger [non]accident
Herb Lin
o Redundancy
D. Cook
o Galileo Plutonium power
Martin Schoffstall
James Tomayko
o VDT's and birth defects in mice
Dan Hoey
o ORCON dissemination constraint on RISKS 1.43
Ted Lee
o Info on RISKS (comp.risks)
---------------------------------------------

More on Shuttle destruct systems

"MARTIN J. MOORE" 
This morning I talked to my successor at the Cape, who was in the Range Safety
area during the launch.  I've got a few things to report and some questions to
answer from previous issues.  I found out that the Range Safety Officer
commanded the destruction of the SRBs approximately 20 sec after the main
explosion, as they were careening wildly away from the site.  Both SRBs did
explode on command.  The mood at the Cape is described as "devastated",
especially among those who went outside to watch live.  My successor also
reported that Range Safety had been officially cleared as of yesterday,
with respect to any responsibility for the accident; but that they expected
*much* closer scrutiny than before (which is, of course, perfectly fine.)
Interestingly, many of the media and a large percentage of the general public
were not aware of the existence of the destruct system.

The latest theory I have heard contains a "leak" in one of the SRBs resulting
in a 6000 C jet of flame cutting into the tank and igniting its fuel.

Now, individual responses:

> From: John Carpenter
> As I read the article [by Martin Moore in RISKS-1.43,] it occurred to me
> that as we discuss the risks of the destruct system we could be creating
> another risk by revealing the nature of it's operation...
> If the destruct system is public information, I would like to know why,
> If it isn't, it certainly has no place on the net.

Your point is well taken, and I did have some misgivings about posting the
original article; not because I was revealing anything I shouldn't, but
because I have no wish to be drawn into a national media controversy.  Hence
the restrictions on dissemination of the article.  None of the information in
the article was classified, and all of it was publicly available; and NASA is
very good about providing access to any information that isn't classified.
As to *why* it is public information...I think Neumann's response in 1-45
sums this up pretty well.  Also, if it's not public, then the question that
will be raised is "what are they hiding?"

Incidentally, my successor told me that there is an article in this morning's
(1/31) Orlando Sentinel about the destruct system, at about the same level
of detail as my article in 1-43.  Would some Central Florida reader be kind
enough to send me a summary or a copy of that article?

> From: Jeff Siegal <JBS%DEEP-THOUGHT@mit-eddie.MIT.EDU>
> Is there someone who knows enough about the security at NASA/KSC to be
> able to estimate the difficulty that a malicious party would have in
> getting getting physical access to the shuttle/SRB/MFT prior to the launch?

I'm not a physical security expert, but I believe that it would be
extraordinarily difficult to get physical access to the shuttle itself at
any time.  Regarding the possibility raised by Kyle of a rifle shot, NASA
maintains a "clear zone" 1.5 miles (I think) in radius around the shuttle when
it is on the pad.  This includes the closing of a public beach while the
shuttle is on the pad, invariably causing complaints from some local citizens.

> From: b-davis@utah-cs.ARPA (Brad Davis)
> It also brings up an important question.  If the hardware system is
> redundant, what about the software system?  Is the same software running
> on all of the redundant hardware systems or are there more than one
> software packages developed.  If there is only one software package then
> if one system fails due to a software failure then the other systems'
> software may fail since the same conditions may still be in effect.

Each member of a redundant set runs the same software (obviously, computers
with different functions run different software).  The danger you note is a
real one; however, I believe the best solution is to make each piece of
software as robust and fail-safe as possible.  Consider that if redundant
computers were running different software, you could have a failure of
computer A and switchover to computer B without being able to reliably predict
what computer B was doing at that instant!  The whole idea of redundancy is
that if a tool breaks in my hand, I want to be able to slap another one of the
same kind of tool into my hand and not miss a beat.  What your point leads to
is to have additional tools for cases where the first one doesn't apply; this
is a good idea, but it actually falls under the heading of "robustness" rather
than "redundancy."
                                       mjm

Re: Possible triggering of the self-destruct mechanism & (non)accident

Sean Malloy Fri, 31 Jan 86 07:05:50 pst 
  >Date: 30 Jan 86 09:23:53 PST (Thu)
  >From: Peter G. Neumann 



 Re: Possible triggering of the self-destruct mechanism


Brint Cooper 
Fri, 31 Jan 86 9:54:00 EST

But the news has consistently been reporting that, after the explosion that
destroyed Challenger, the Air Force used the destruct mechanism to destroy
the boosters (?) because one had gone off course and threatened populated
areas.  If this is true, can we not assume that the destruct mechanism did
not cause the accident?  Is it not a 'one time only' capability?

Brint

   [As Martin Moore said in RISKS-1.43, there are FIVE destruct receivers:
    one on the ET and two on each of the SRBs.  I was talking about the one
    on the ET; the SRBs somehow survived until they were intentionally
    destroyed.  PGN]



---------------------------------------------

 The Challenger [non]accident


Herb Lin 
Fri, 31 Jan 86 10:41:51 EST

    From: Jeff Siegal 
---------------------------------------------

 Redundancy



Fri, 31 Jan 86 10:49 EST

There is a point in the redundancy argument that has bothered me since I
interviewed at Stratus a year or so ago.

Using the Stratus example, they run two copies of what they call a dipole.
One copy is "live" and one is shadowing the live one.  Each dipole is two
mirror image processors with a high-speed comparator in the middle.  When
the live module gets a miscompare, it lights a LED and hands control over
to the backup module.  The operating system is able to do whatever clean
up has to be done to brief module 2 so that computing is essentially
non-stop.  (Oh, one little "goodie" is that the module connectors are
designed so that *the customer* can pull out the lighted module and put
in a new one without shutting off the machine.)  Now the $64,000 question:
isn't the compare logic a single point of failure?  (Note that because
in this example you have a total of 4 CPU's, this isn't necessarily
a crash.)  But in the shuttle version, as I understood it, the systems
were only redundant and therefore a comparator or checker failure could,
it seems, knock the system out.



---------------------------------------------

 Galileo Plutonium power


Martin Schoffstall 
Fri, 31 Jan 86 09:56:32 EST

I'm not sure how much information is publicly available on the generating
systems of various satellites but I would like to point out something that
has been published that is somewhat analogous:  cardiac pacemakers.

As I remember it the plutonium powered ones were designed such that
the containment device could not be penetrated by:

    - .38 special at 15 feet.
    - cremation temperatures (natural gas)
    - aircraft impact.

Obviously I am being very coarse here and I don't have the details but
I'm sure others do but if the above is "close" I'll throw out some
number estimates that I'm sure others will correct:

    - .38 special at 15 feet, say 1000 feet/sec 300 foot-lbs???
    - natural gas burns at 2000 degrees?
    - say 9gs at impact?

The point is as follows:  If pacemakers are designed to handle stresses
such as that I would assume that the satellites are designed much better,
especially since the Soviets dumped a load on Canada (did they ever pay
damages for that?).

marty schoffstall






 Galileo Plutonium power



Friday, 31 January 1986 13:41:14 EST

Re Larry Shilkoff's note on Galileo carrying plutonium:

Not only plutonium, but the spacecraft was to be deployed atop a
new version of the Centaur hydrogen/oxygen upperstage used on the
Atlas-Centaur and Titan III boosters. Therefore, aside from several
hundred pounds of plutonium the Shuttle would be carrying several
thousand pounds of highly volatile fuel 
---------------------------------------------

 VDT's and birth defects in mice


Dan Hoey 
31 Jan 1986 17:45:15 EST (Fri)

Yesterday I heard a radio report that a Swedish study found that video
display terminals increased the incidence of birth defects in mice.
Does anyone have more information on this?

I have not previously heard of any controlled research in the area that
has identified a hazard.  I am interested in trying to find out what
the results of the study indicated, whether it is a new result, and how
credible it is.

Dan



---------------------------------------------

 ORCON dissemination constraint on RISKS 1.43



Fri, 31 Jan 86 23:35 EST

You realize, of course, that Martin Moore's fascinating and worthwhile
piece is accessible to *ANYONE* on the net who is allowed to use FTP by
their home site since SRI-CSL supports anonymous FTP logons and since
you have the RISKS back-issues in a public file.

                [... or indeed from any BBOARD receiving RISKS,
                 not even necessarily on the ARPANET!  PGN]

Ted

(For readers not familiar with it, ORCON is a handling marking in some
circles that means "further distribution only with permission of the
originator, i.e., ORiginator CONtrolled." It is a non-trivial task to
get a computer system to implement that handling marking in a secure but
natural way, especially across a network.)

     [Yes, of course.  Less obscurely, someone can even ask to be put on
      the RISKS list, which I presume would permit me to send them the back
      issue within the spirit of Martin's constraints.  I think what Martin
      may have been more concerned about was wholesale rebroadcastings.
      So what we have is an experimental exercise in self-control, to see if
      our network community is mature enough to adhere to his constraints.
      I would be very interested in hearing of any postings contary to his
      caveat.  But you are very correct in suggesting that enforcing ORCON
      is a nasty problem that cannot be adequately addressed in most computer
      system environments today.  That is one reason why overclassification
      occurs.  PGN]




---------------------------------------------

Previous IssueIndexNext IssueInfoSearchingSubmit ArticleFTPDo not even think about clicking on this button


Report problems with the web pages to the maintainer