Screening phishing messages does not require disabling links or HTML in email (though I'm not too opposed to that personally) -- it seems so easy to screen out that I am really having trouble seeing why email providers have not done it yet -- A universal feature of every phishing mail I have ever seen, that is not present in any non-phishing mail I have ever seen, is:

The message contains a link <a href="url1">url2</a> where url2 has the format http://... and is different from url1. This is very easy to screen for but right now I'm doing it by hand because I use GMail and they have not figured it out yet. Why?

Jeremy,

This may not be remarkably helpful to you personally, but MailScanner does just that with its Phishing detector. It replaces all URLS of this type with a big red warning. Of course there are a lot of false positives, so it supports whitelisting, and there's a growing default whitelist provided with the package. Now if only GMail would use MailScanner, we could all be happy.

"Don't send HTML email" doesn't help if the customers don't recognize it as HTML email and ignore it; banking customers would have to be more technically competent than most people to do that. Fairly simple changes to e-mail clients and a simple digital signature system, which I believe is already written up in RFCs would provide the necessary signals to general users, but MS, which after all provides most of the e-mail clients, has been ignoring this for years now.

"'Don't send HTML email' doesn't help if the customers don't recognize it as HTML email and ignore it"

You appear to be positing a class of email users who automatically ignore any email not formatted with HTML. Either that, or some critical portion of your reasoning has been accidentally omitted.

The point is that banks and other businesses that deal in secure data should foreswear HTML email as a means of contacting their customers. This hardly requires those customers to know the difference between HTML and plain text. Good grief.

Andy, I can't understand why there would be a high false positive rate. (Actually come to think of it Google does the same thing, a red warning box.) How can a legitimate message have the type of formatted link in it that occurs in phishing messages? It seems to me like: Legitimate HTML mail will have either (1) link text which is not a URL or (2) link text which is a URL and is the same as the link URL. It's really escaping me when that would not be the case.

(And I made a mistake in my previous posting -- url2 will often not have the http:// before it.)

Interestingly, I've gotten phishing emails that are formatted, in HTML, to look as if they're plaintext.

They're in 10-point Courier, and have links like the following:

http://www.whitehouse.gov

(That link will bring you back to this page, not to the White House web page.)

I suspect that these phishing tactics are aimed at people who have been told, by their technically savvier friends or relatives, never to click a link unless it's a full URL in a plain text email.

Josh,

Quite often email announcements will do things like:

Visit [a href="http://blahblah.mysite.com"]mysite.com[/a] for more info!

And that will trigger a phishing detector. Or even:

Visit [a href="http://mysite.newslettersite.com"]mysite.com[/a] to sign up for our newsletter!

Whether they should be doing this, and training users that redirects like that are okay, is of course another matter entirely. But it happens a lot, and building a phishing detector to decide which URLs are similar enough to each other is a heck of a lot harder...

Oops, previous post was for Jeremy, not Josh.

Patrick, I think what Randolph meant to say was that most people don't have any clue that *they* are sending email in HTML, nor would they be likely to fix that.

Maybe this will work. Require all the developers of email programs to put into their coding a function that makes all, with no exceptions, links automatically visible inside the email so that users can view where the link will take them regardless of what the phisher attempts to do.

That might work, but it could never be passed. Require all the makers of email programs to do something? You want to bring email programmers under federal regulation? And how would you enforce that? An approval process would make the programs take too long to get to market.

Having such a feature would be a competitive advantage - if more people understood phishing better. In this case the market really MIGHT drive in the right direction (hey, a stopped clock is right twice a day).

I've been banking online for more than 20 years. My bank does not send me any email at all, and any email I get purporting to be from them is something I can automatically ignore. If they wish to contact me, they telephone, or they leave me a message inside the secure online banking messaging system.

I must get two dozen phishing messages a day. They want my ebay account. They want my PayPal account. They want my bank account. I ignore all of them that get through the spam filters, unless I'm in the mood to report them. People who actually click through any of these phishing emails are idiots who should know better by now.

I had an advertising email from my ISP, sent on behalf of a major UK retailer.

That retailer does have its own domain name, its own web sales presence, but _none_ of the links in the email got to that domain. They seem to go through some 3rd party redirection service.

I had an email from a 3rd party company claiming to be employed by eBay to do a customer satisfaction survey.

No eBay addresses apart from links to a few standard eBay graphics, no mention of my name in the email body text, no apparent way of checking this with eBay (and they do now have their own message system, which genuine eBay emails recommend you use).

It's been reported that the phishing attacks are targeting banks which don't use the full range of checks available in the ATM and Credit Card systems. It is possible to put extra data on the magnetic stripe, something more than card number and customer name, something the customer can't give away because they don't know it.

These outfits just don't seem to care about security.

So why should some simple change make any difference?

I've gotten to where I no longer try to determine which emails are legit and which are phishing. I access my bank via my bookmarks; I (very rarely) visit PayPal by clicking the PayPal button on a trusted site.

I ignore all unsolicited email, whether legitimate or not. Is there any reason to think that my bank will start sending me unsolicited email I'm supposed to respond to? Because they haven't yet. (Mostly it's "Internet Banking just got easier!" which means that they've made arbitrary and capricious changes to their UI.)

OTOH, when my own employer's IT dept sent me an email telling me to change my password for security purposes, it was an HTML email with embedded ActiveX controls and blind links to unsecured Word documents with macros. And these clowns are worried about passwords?

"You want to bring email programmers under federal regulation?"

Why don't people believe in capitalism any more? All it takes is one or two of the NAMES making this kind of software to do it and it'll be the industry standard by lunch time next Tuesday.

It probably wouldn't take long before banks would include a little disclaimer at the bottom saying something like, "If you are using a True-Text (tm) e-mail reader Click Here. Otherwise withdraw all your money and throw it into the street."

Avery, if you read the rest of what I said, you'll see that I suggested that in this case the market might be the best arbiter.

You mean that Wahsinton Muatul Bnak hasn't relocated their security center to Turkey? Of course, it seems to also have branches in Roumania and Finland. Hurrah for globalization! Mousing over the links is one of the few amusements of this stuff.

The message contains a link url2 where url2 has the format http://... and is different from url1. This is very easy to screen for

Fastmail accounts (paid ones, at least) already screen for this.

Kaiser has a mailbox for each patient (and probably staff) online, after you sign in. You get an email message that there's a message for you on the website.

Oh -- thanks Andy -- I hadn't realized newsletter writers did that in legitimate emails. (Have never received one such myself but I don't subscribe to a lot of newsletters.) It seems positively psychotic to me -- "visit mysite.com" implies to me that I can type mysite.com into my address bar and be directed to the correct thing which is clearly not the case with this sort of link. But I suppose they have their reasons...

So, if I may sum up, all that is needed is: to individually convince the management of thousands of banks and financial institutions across the United States to entirely ignore their marketing departments (who want to send HTML mail) and pay attention only to security specialists; then to convince somewhere around a hundred million people in this country reading mail in Windows to use some other mail program than Outlook Express which comes on their computer, so that they can readily see the difference. Sounds swell! I'll be right here waiting...

Adam is quite right that there is no technical problem barring this solution. Most phishes look absolutely ridiculous when viewed in an ASCII text mail reader such as I use. But then, the difficulty of solving the problem has never been a technical difficulty, it has been the difficulty of changing individual and institutional behavior on a massive scale.

It would be a nice first step if perhaps banks were to stop sending out customer emails which look even to email professionals exactly like the phishes the banks are busy warning everyone against. John Levine of Internet for Dummies fame (and also of CAUCE and the IETF ASRG) gives some fine brain teasers here, under Phish or Phair?

"You appear to be positing a class of email users who automatically ignore any email not formatted with HTML. Either that, or some critical portion of your reasoning has been accidentally omitted."

The problem I see is contained in the sentence from the article: "Train your users to expect short and simple [non-HTML] messages." Problems are: (1) non-technical users have to distinguish HTML from non-HTML messages, something sometimes difficult for even technically astute users, (2) the bank's e-mail cannot use any of the bank's identifying graphics, and (3) users have to be trained to work with on-line banking. This is a plunge into the kind of thinking that marked pre-GUI personal computing: users "should" spend a lot of time and effort learning to do some simple day-to-day task. Problem was, of course, most general users, not unreasonably, wanted to do their day-to-day tasks with minimal additional training, and resented and ignored efforts to require anything more.

This problem of authenticating an e-mail sender is actually one that engineers have solved, and it seems to me likely that it could be easily made visible to users in a GUI mail client; it's just nearly impossible to get MS to deploy any solution unless they can make money from it--hence their anti-spam technology with patented elements.

FWIW, I've already seen many emails that use Javascript to defeat mousing over a link to see the "real" address on the status bar (the phisher just writes an onMouseOver function that sets the status bar text to whatever they want it to be). Of course, Mailscanner catches them, but "sophisticated" users who rely on the status bar can be fooled.

I've also seen a few emails that somehow defeat Mailscanner's checks. I haven't dug into the email source to see how they do it; I suspect there's an onClick method attached to the link which sends you to the phisher's site, even though the href text exactly matches the visible link text.

Basically, it's the same problem as stopping email viruses. No email client should be configured by default to trust executable content. It's not so much HTML that's the problem as Javascript.

More than that, even, I think digital signatures would best be made the rule, rather than the exception, and any message with an invalid one tagged with a great big "unknown author" by the email client.

But what do I know?

I use Opera, and mouseovers always work to show up the real url in emails.

In Mac OS X (from at least Panther on):

% defaults write com.apple.mail PreferPlainText -bool TRUE

This will force Mail.app to display the plaintext alternative (when available) from HTML emails.

I've notice that many spammers and phishers put in a rude admonishment to "upgrade" your email reader in place of the plaintext alternative: a useful spam detection signature.

Jeremy: in Mail.app's preferences (Cmd-,) you can switch off execution of JavaScript and image loading. Ought to be a default.

The basic issues include the Internet being a lab experiment gone kudzu, software companies that don't care how full of bugs and holes and annoyances their software is, no liability accruing to the lousy computing products' producers, users who feel entitled to be aggressively clueless, and a 30+ year acute lack of interest in--or even aversion to--"security" by the vasy majority of computer users and suppliers.

Microsoft did have C2 I think it was security level certification for Windows NT 3.5; Microsoft didn't bother thereafter because 99% of its customers didn't care about security. What's even worse is that the people who took over in the US government don't care, EITHER. "Multilevel security" or "trusted" operating systems were something the US Government had been championing and then punted on. Grrr.

The value of a trusted system is that there's protection both on the directories/files, and protection based on user permissions. That is, the user has to both be authorized to get into an area, and the material has to have the permissions set for that user or user class to even know the material exists.

Systems designed for greater reliability and security would have email systems which reflect that concern, and would check for code in incoming messages as part of the mailer features... "Oh, look, the reference that claims it's pointing at Ebay is actually linking into an Eastern European website!" There are checks that could be done automatically--email shows up asking for verification from Paypal or Ebay, and the system does a logon (from a secure part of the system...) over to the user's existing Ebay or Paypal account, AND automatically forwards the malicemail to the Authorities marked at criminal email....

The lab experiment gone kudzu comment--most development starts off with lab stuff that prove the concept can or can't have anything actually done with it, once that happens, the next step is development models which get played with to determine more along the lines of feasiblity, design goodness/badness, habits... then comes the "commercialization" where in hardware the manufacturing engineers would take development models and redesign the packaging etc. so that the end result is something that doesn't have wires sticking out, doesn't look like a Rube Goldberg device, can be put together effieciently, don't fall apart easily, etc.

That is, the development cycle takes something that starts off as a lab curiosity and turns it into a slick "end product" that can be booted around by "consumers' and still work--remember the old Timex watch commercials, "It takes a licking and keeps on ticking?" --it's that sort of thing. There's a huge different qualtitatively between the packaged old mechanical wristwatch, and the pile of components of a lab brassboard of something that will keep time. Lab models don;'t have nice packaging, don't have nice cases, have all sorts of kluges and wires hanging out of them for testing, are built for fingers to poke around in....

Computer systems are still unfortunately in the status of being designed for people who want to play around in their guts, instead of with the idea that the user is not interested in the computer and the software for their own sake, and is not amused to have to learn arcane whatevers.

Jobs had to my viewpoint a view of computing that was broken, always was broken, and always will be broken--I remember having to use that stupid piece of plastic for Mac rebooting on Mac-in-the-boxes. Every time I saw the "system bomb" graphic I wanted the smash the display screen in. I didn't need to be told with a graphic of a -bomb- that something had gone wrong. I didn't want something to go wrong, I wanted the machine to work, and to not have to take an arcane piece of arcaplastic to force it to do a hardware reboot!

Rule Number 1 -- the thing shouldn't have crashed... but that's not a reasonable rule, there's almost always something that's going to cause something to fail.

Rule Number 2, if something DOES crash, I need to be able to get it working again, as quickly and painlessly and inexpensively as possible. In the case of something that costs $1.00, replacing it is less expensive that repair. But, in the case of a computer system loaded with hundreds of hours of work of content and setting up, that's not a $1.00 piece of whatever, that's something that replacement of with reconfiguration is timeconsuming and expensive, even with backups.

Rule 3 -- hiding stuff critical to getting something working again, is nasty....

One of the most egregious examples of bad assumptions and cascaded design lameness, was in the F-4 Phantom II fighter jet. The design specs for the radio were hundreds of hours between failures. The reality fell far short of that. The assumption was that the radio was going to be the reliability spec for hundreds of hours between failures. McDonnell-Douglas' designers put the radio under the ejection seat--do you see where this is going?....

The ejection seat was armed with explosives, designed to send the ejection seat at very high velocity out of the airplane with the pilot and navigator strapped in and in parachute harnesses to eject from aircraft that were going to fall out of the sky. I knew at least one person who'd used that escape route successfully--and come to think of it, another who was partially successful, he had been an involuntary and badly treated "guest" at the Hanoi Hilton.

Anyway, there was the radio, sitting under the explosives-armed ejection seat. And the radio turned out to have abominable reliability statistics, the radios failed in far under 100 hours of operation on the average, and had to be removed by the unfortunate maintenance folks, who were first supposed to disarm the ejection seat before trying to remove it. Yeah, right. BOOM! It wasn't that uncommon an occurrence for the seat to literally go flying when the unfortunate maintenace types were intent on dealing with radio failures.

But, even with the explosive charge disarmed, getting at the radio was nontrivial. Ejection seats are not so easily moved out of the way in a fighter plane cockpit, they're not small, they weren't at the time of the F-4 at least lightweight, the area was cramped and up rather above the ground, the the radio was underneath, and the radio probably wasnt' all that lightweight, either--that was before modern semiconductor communications technology, miniaturization that allowed e.g. cellphones was -far- in the future.

So, first the tech has to disarm the ejection seat. Then the tech had to get the ejection seat out of the way (assuming that it hadn't gone shooting itself out of the plane from its explosive charge....). Then the tech had to get the radio out.... and having gotten it out, off the plane, and to be fixed, once fixed, it had to be put back in, the ejection seat put back, and the ejection seat armed again.

Bottom line -- bad bad bad bad design, based on an assumption that turned out to be incorrect. If the radio had met the spec, then the radio would only have had to have been removed very rarely... but again, that was not the case.

The next plane designed, the radio was NOT put under the ejection seat. It was someplace more accessible, that didn't have explosive in the way, an heavy unwieldy seat in the way, and could gotten as faster, much more safely, with a lot less trouble, and a lot less expense and danger.

The F-4 was, however, -designed-. It went through a full cycle of research and development before "deployment." There were pilots and techs trained for it, it was tested out by test pilots and test engineers who helped refine the design of the development models to generate the full "production" versions... the Internet, though, started off as an experiment, one that just kept having more nodes added to it. It was never -designed- to be a commercial system, and lacked any design features for commercial use.

And the results including things like phishing, spam, etc.

The problem with "computer as appliance" design, the reason why it hasn't happened so far (despite legions agitating for it since the early 1980s) and may in fact never happen, is that the microcomputer is a multi-purpose device on a scale never previously imagined. Indeed, new purposes are found for it every day. An appliance, on the other hand, generally does one thing; the more functions it serves, the less reliable it is, and the less like an appliance it becomes.

Microcomputers were originally designed for techies, and techies want features and flexibility (and are willing to sacrifice reliability and ease of use to get them). Companies like Microsoft grew up in an environment where the way to get market share was to add new features every five minutes. Now they spend hundreds of millions of dollars on advertising designed to convince users that the new version will solve problems they didn't know they had. It works well enough to keep the companies afloat, even if most users would really rather have something simpler and less flexible but more reliable.

My current best guess is that the market will not change substantially in that regard over the long term. As today's upper-middle-class teenagers, the vast majority of whom are entirely comfortable with mucking around inside their computers, mature and become business users and then business decision-makers, the desire for featurefulness and flexibility will become stronger than the desire for reliability and ease-of-use. The current model of marketing and product development is ideally suited for that mindset.

There is also the simple solution that I told my parents, which is *never* click on an e-mail hyperlink to access a company's resources. If someone wants you to access something, type in the website address in your browser and look for the information there. If that fails, find their phone number independently (like from a bill) and give them a call.

Sure, it's not as convienient, but it makes it far less likely that you'll fall for a phishing trick.

And if the e-mail is claiming to be about an account you didn't know you had, you might want to delete it before reading it. (I get a lot of stuff claiming to be about eBay and Paypal accounts, neither of which I have.) Also my bank doesn't e-mail me about problems; it calls me, generally within 24 hours of said problem.

I'd like an operating system that's reliable. [Windows, from my viewpoint, has not improved that much. Possibly the big network versions, like Win2K, are better, but they should fix the bugs they already have before trying to force upgrades on us.] Why I still have a computer running DR-DOS: it doesn't crash. Or hang when I go to shutdown.(No, it isn't my primary machine now; too much of my software requires Windows. But it isn't dead, and the software it does run works fine.)

Paula Lieberman:

You are very correct on every point. As I recall (and am too lazy to check online) the F-4 was slightly modified as the A-4, used by Americans in Vietnam and other venues, and continues to be sold today, retrofit (by Lockheed-Martin) with new software and weapon systems, for numerous customers around the world. True, being blown to bits is not a software problem as such. Bad design kills. Somehow it iseems fitting to consider both Vietnam and Microsoft in that context. And, ummm, the Axis of Evil that originates in the White House?

There have been deaths from software problems, there was at least one from a gyro flip that inverted the plane, for example. The software error was failing to be able to deal with flipping gyros... the software design ignored the fact that navigation gyros can flip, and assumed that the gyro wouldn't do that, it assumed the the orientation of the gyro in the plane always had the same direction of the gyro's spin axis consonant with the plane orientation. Uh-uh.... so, when the gyro inverted, the guidance and control software with the bug, assumed the plane was upside down when the plane wasn't upside down, and tried to "right" the plane....

Airbus had at least one of it early airliners crash due to software error.

========================

I don't think the F-4 was ever called an A-4. Originally the F-4 was a Navy plane, and then the Air Force got it, too. There were a lot of them made. I think the last production version of it were the F-4E and a reconnaissaince version I don't remember the designation of: RF-4 some-letter-or-other. There was the A-something Dragonfly used by the South Vietnamese, which was a modified "Tweetie Pie" aka "the two ton dogwhistle" aka the T-37 trainer, a side-by-side plane used as the subsonic jet trainer by the USAF, which had been beefed up a bit and had armament added to it. The A-4 I think was the A-4 Skyhawk, which was a different plane entirely.
The A designation is a ground attack plane, used typically for "close air support" -- dropping bombs on the heads on the other sides's ground combatants, close-in to your own side's ground combatants, with an controller directing the airstrike. Sometimes the bombs go awry. But the choice between getting demolished by enemy fire versus the chance that your own side's air to ground attack is going to turn you into hamburger from misreading maps/displays, misdrops on bombs, violent winds causing the ordance to land where it's not targeted, or the people on the ground being out of position and where the airstrike was called to drop the munitions, depends on what the situation is. If the enemy fire is overwhelming and the trooops on the ground are being massacred, there's a higher chance of survival with planes called in to drop bombs aimed in their direction, than there is without the airstrike, even given the probability of "friendly fire" lethality.

F = fighter, air to air combat. A = attack, as above, for "tactical" air to ground operations. B = bomber for dropping really large nasty things for "strategic" operations. Some planes such as the F/A-18 get the dual designation.

There are processors called ASICs and ASSPs -- Applications-specific integrated circuits, and applications specfic special purpose processors, designed in hardware to do a more limited range of appliations than general purpose microprocessors, and do them much fasters, with less "real estate," fewer transistors, and less expensive, faster time-to-market production. The get used in washing machines, refrigerators, maybe some personal organizers, games consoles, cable boxes, hard drives, industrial control systems, HVAC systems, assembly lines, communications equipment.. . any place that "special purpose computing" gets used in unit quantities of more than say a few thousand. The cost of the custom or semicustom design is offset by the lower cost per chip in volume and the lower expensive for interconnects and system design--there are fewer other parts and fewer "traces" needed--modern general purpose microprocessors have a LOT of "pin outs" or equivalents (BGA - ball grind array or bump grid array, as opposed to pins, as an example of one of the various types of non=actual-pin-out microprocessor packaging types. For that matter, there are chips that come with almost no packaging on them, I forget what it's called, that get plunked onto the circuit board nearly bare and not in a protective plastic or ceramic package.... they are not things for consumers to remove and replace!). Reducing the number of pins and lines to deal with, drastically can cut the design costs and materials costs and complexity and prduction costs and defect rates of electronics articles.

Military technology keeps coming up, so let's talk about military computers. They have a very limited set of functions, a very simple user interface (and generally no mice or windows), software that goes through an incredibly arduous review process, and hardware that's unbelievably overspecified. They're as close to an appliance as they can possibly be. And they still crash and kill people from time to time.

Don't hold your breath waiting for general-purpose PCs to do better than that.

Whosoever you be "Metal Fatigue," I think you are -years- out of date. GUIs showed up in military computers 30 years ago, and Windows NT and beyond have been on ships and elsewhere in the military in combat operations centers I believe for years--with just the reliability one might expect, too.

As for overspecifying and arduous review, -snort-. Most of what there used to be, went out the window. Ever hear the term "COTS"?? ....

As for "very limited set of functions," ha, ha, ha, ha.

"The problem with "computer as appliance" design, the reason why it hasn't happened so far (despite legions agitating for it since the early 1980s) and may in fact never happen."

Um, do cell phones and PDAs count? I suppose one could count web browsers as a kind of software appliance, as well.

Paula: OK, I'm wrong about current practice in military computing, but you've hardly disproven my point.

Randolph: Ever had your cell phone crash because you pushed the wrong buttons? I have. They used to be appliances; then they got complicated. Likewise, my father hates his PDA/cellphone combo and would gladly get rid of it if his employer allowed him, because its features are unnecessary for his needs and its user interface (for the phone functions) is wretched.

As for web browsers, don't make me laugh. First of all, that's like saying that the interior of a refrigerator is an appliance separate from the chassis, refrigerant tubes, mullion heater and condenser. Second of all, there's a small but non-negligible chance every time you open the refrigerator of finding a burglar in it. Not my idea of appliance design.

Oh, and I don't appreciate the snide remark about my nom de plume, Paula. Both online handles and fannish nicknames have a long and honorable history. My legal name is Seth L. Blumberg, but I see no reason why you should care.

What snide remark? "Whosoever you be," was because you gave no antecedents about what your credentials, if any, are regarding military computing and technology. I don't know you that I am aware of, nor your handle, and you were acting like you were Authoritative on the subject of military computing. I suspect my credentials in the area, though rather out of date, are a lot stronger than yours, I directly worked in military command, control, and communications areas or areas involving them, for fourteen years directly, did market research studies for several years that were related, and have had occasion since to use that background/hear about more current trends.

The "Whosever you be" equates to "what's your basis for claiming expertise/expert/informed stature in this area?"

Actually, there ARE appliance-type computers. They're called "industrial controllers" to keep IT (Information Technology) departments off manufacturing floors and out of e.g. oil refinery operations, out of HVAC systems, etc., but they are general purpose computer equipment which has been customized and set-up as dedicated use systems, with simplifed often graphical user interfaces, for factory operators and such to do operate production lines, run factories, run building HVAC systems, etc. The programming inside can be extremely sophisticated and have a lot of testing and NEMA or whatever the agencies are compliance and such -- one does NOT want a software error causing a refinery to blow up! -- but the user interfaces are deliberately limited and simple, so that ordinary factory workers can operate them and not put in settings that are out of bounds--the operator gets to look at readouts of values and be told if those are within or outside of acceptable limits, are heading out of bounds, etc., the operator can start/stop operatons, change allowed settings within allowed values for operational control... basically, the operators are monitoring the operations and doing a limited range of corrective actions, and anytyhing that goes outside what they're authorized for, it's call the supervisor time/note that the system is pulling an emergency shutdown/other such things -- it depends on what the operations are what happens.

The fact that there really aren't that many refinery fires or explosions, aren't that many plant fires or explosions, bears witness to the fact that that stuff works.

The general public doesn't see it, and that's just the way the industries want it. They don't want the general public involved, they want to run their plants and keep the IT noses out, the public noses out, and have operations go smoothly and profitably. They don't want plant fires, plant explosions, production stoppages (the production line stops unexpectedly and it costs one company I interviewed $10,000 immmediately and was it $10,000 minute or $10,00 a hour for any downtime beyond that? The semiconductor chip plant that has an emergency shutdown instantaneously loses million dollars of ruined product, and that doesn't include the costs of getting the production line working again, even!), or to have to spend years training people and hire people with doctorate educations to run factories.

So, there are the fields of manufacturing technology and industrial control electronics, and the heart of most of those systems are general purpose computers which have simple user interfaces for the operators to look at, interpret the results, record, and interact with.

Names of companies that I can think of without having to dig (probably out of date, I was doing market research in it last decade...): Rockwell Automation, Siemens, Square-D... they make most other electrical engineers look like generalists, and their idea of marketing is "tell us what you need us to make for you."

It wasn't quite the same branch of industry, but I remember the US marketing manager for one company that made OEM products (equipment manufactured by that company never had that company;s logo on it, it was essentially a contract manufacturer for other companies who sold those products as if those other companies had actually manufactured them) said, "How the hell did you find me?" when I called him up to phone interview him regarding the equipment his employer manufactured.... Basically, a lot of industrial businesses don't, again, want public visibility, they don't sell to the general public, they don't want to deal with the public, and they'd just rather deal with their customers and suppliers and business partners and stay "below the radar" doing their work.

Oh, I left out mentioning real time and embedded operating systems. The claims about "real time Windows" are misleading--what's running the equipment are things like VxWorks from WindRiver, LynxOS, and whatever the current flavors of realtime and embedded operating systems are, the Windows is eyewash involving a Windows system in front of a user communicating with an embedded computer that's running some realtime operating system. The marketing is done that way for e.g. IT departments (see "industrial controllers not called computers so that IT stays out of them," above).

Oh, I left out mentioning real time and embedded operating systems. The claims about "real time Windows" are misleading--what's running the equipment are things like VxWorks from WindRiver, LynxOS, and whatever the current flavors of realtime and embedded operating systems are, the Windows is eyewash involving a Windows system in front of a user communicating with an embedded computer that's running some realtime operating system.

The commuter train I ride has ticket machines run by Windows. They do crash, and I've seen the blue screen on them more than once. You only know what they're running when they go down and you see splash screens or blue screens.

RT-11 was at one time the OS of choice for a lot of real-time stuff; some more recent stuff has used DR-DOS. It's a different field from most programming, and I only know a few people who do it. (Paula - think Frisbie.)

Paula Lieberman:

You're right, even when you politely explain how I'm wrong.

Warbird Alley: McDonnell Douglas A-4 Skyhawk
"Initially dubbed 'Heinemann's Hot Rod' after chief design engineer Ed Heinemann, the A-4 Skyhawk is one of the best jet aircraft to have served with the US Navy and Marine Corps. Chosen to replace the A-1 Skyraider, the A-4's small design and light weight gave it the speed and power to exceed the Navy's specifications and fight on until today in air forces around the world."

"The delta wing aircraft houses its avionics in the nose, along with a pair of cannons for dealing with aerial adversaries. The wings hold the fuel tanks, and the Pratt & Whitney turbojet fits snugly in the fuselage. Ordered during the Korean War, the A-4 was delivered to the US Navy VA-72 attack squadron on October 26, 1956...."

Warbird Alley: Grumman F4F Wildcat

"In 1936 the US Navy evaluated a number of designs which were competing to be the Navy's new carrier-based fighter. Grumman built a design which, after several re-designations and airframe modifications, won the contract and eventually became the F4F Wildcat. The prototype, the XF4F-2, first flew on 2 September 1937. The prototype of an improved version, the XF4F-3, was renamed the F4F and was ordered by the Navy in August of 1939. The first five aircraft off the assembly line were sent to Canada, with the next 90 (designated 'Martlet Mk I' going to the 804 Squadron of the Royal Navy's Fleet Air Arm where, in December 1940, two Martlets made history by becoming the first American-made aircraft to down a German plane in WWII."

"The first US Navy F4F-3 was flown on 20 August 1940, powered by a Pratt & Whitney R-1830 engine with 1,200 horsepower. The subsequent F4F-4, incorporating several improvements including folding wings, six guns and self-sealing fuel tanks, was delivered in November 1941. It was then that the name "Wildcat" was first given to the F4F. As war raged around the world, the Wildcat's reputation and utilization grew immensely. It flew with the US Navy and US Marines in all of the major Pacific battles, and in North Africa with the Navy...."

Jonathan--the military started reusing designations... it got up to F-111 or so and then started over renumbering up again, sort of.

So, there were repeat numbers... there was the F-4 used in Vietnam, and the earlier F-4. I mentioned F-4 Phantom II initially to indicate uniqueness. The earlier F-4 was long out of the inventory before my time in the military.

It also started over with bomber numbers, etc.

The B-58 Hustler was a supersonic delta-winged jet, I worked with someone who had been an instructor pilot for it. The control systems available back when it was flying weren't capable of keeping the plane in stable flight at full throttle--he said there was one time that he put the plane in full throttle, when the student pilot was coming in too slow and too low on a landing, he went to full throttle to get the plane back up and the airspeed up to avoid stalling out into a crash. (Higher up one can drop the nose of a plane to help increase the airspeed to avoid stalling, too close to the ground and there's no room for that. Putting the nose of a plane up "bleeds off" the airspeed," and when the airspeed goes down to far, as noted above, the planes stalls, and stops being in controlled flight. If you're "out of speed and out of altitude" flying a plane, the results are a crash, often a tragic one.

The B-1 came years after the B-58, again, the numbers went into recycling, so they're non-unique.

Emendation--the renumbering went into effect I think rather before the F-111, I think that the F-4 Phantom II was around before the F-111... I might be wrong about that, thought. The F-111 was a product of the Robert S. McNamara era, it originally was going to be out in at least three different versions, a long range tactical Air Force "fighter" (it wasn't a fighter, it was actually a long range ground attack plane.... a boss of mine, who was the time was an 0-6, by the name of Lloyd Thomas, had flown in them as a navigator in Vietnam, he said that it was completely useless as a fighter, if some other plane attacked it, "you sweep the wings back and get the hell out of there" -- it was supersonic with the wings swept back), a long range Air Force fighter-bomber (larger in size), and a Navy plane. The Navy version was too heavy and the Navy got that version cancelled, and instead got the F-14 development going. The impetus I think for the "TFX" as it was originally designed while in the R&D phase, was the F-4 Phantom II which originally again was a Navy plane, but got adopted by the Air Force also... looking at the success of the F-4 in both Services the Department of Defense decided to try for the next "fighter" it developed to be a plane that would do as much as possible--naval aviation fighter and ground attack, Air Force fighter and ground attack, and in a larger size, a long range supersonic bomber with payload smaller than the B-52, but a lot faster and with a much smaller crew, and much newer and easier to maintain and less expensive to operate (the old joke 30+ years ago about B-52s was "What does does maintenance on a B-52 consist of?" Answer: "Replacing the parts that fall off in flight." It was and wasn't a joke, it happened to have a LOT of truth in it, B-52s DID drop parts off in flight, such as engines... it has what, eight of the things? and can continue flying despite "losing"--including not just shutdoff or shutdown, but phyically losing-with-the-engine-literally falling off (as opposed to disaster stricking DC-10s when that happened...) losing an engine.

While on the subject of aerial design - which it seems we are - is there any truth, does anyone know, to the story concerning the design of the safest, and one of the least economic, civil aircraft ever made, the (British) VC-10?

It would seem that this aircraft had massive redundancy built into it - doubled and tripled systems - and also was designed with assymetric components. Every part was unique, left and right sided, and therefore impossible to install incorrectly.

It proved a dog in operation, of course. Operating costs were way too much. It was safe, but not measurably better than its rivals.

There was one major emergency landing (at Heathrow) when the gear did not deploy. The reason was that a part in the landing gear hydraulic system had been replaced in Lagos. The mechanic, finding that the part he had did not fit - it was a right hand one, and he was installing it on the left side - had, rather than get the correct part, taken it to a bench and drilled new screw holes, and had then installed it upside-down.

Moral - there is no such thing as foolproof design, because fools are endlessly inventive.

Moral 2 - striving to be foolproof is bad design where it neglects other desirable objectives.

@46