Subject: RISKS DIGEST 10.76
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 9 January 1991  Volume 10 : Issue 76

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Suit says Nissan Fired 2 After reading e-mail (Rodney Hoffman)
Email flash from the past (Paul Eggert)
Re: Cars and Automation: Yes, a computer problem! (Gregory G. Woodbury)
Another train crash in London (Olivier M.J. Crepin-Leblond)
Re: NY area fiber-optic telephone cable severed (Tony Scandora)
Re: Vicious elevator door failure recovery (David Magnay,
    Olivier M.J. Crepin-Leblond, Michael J. Chinni, Russell McFatter)
Journal of Computer Security, Call for papers (Sushil Jajodia)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
 taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
 CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
 Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
 FTP VOL i ISSUE j:  ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR> (where i=1 to 10, j is always TWO digits.
 Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of ACM
 SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Wed, 9 Jan 1991 07:30:07 PST
From: Rodney Hoffman
Subject: Suit says Nissan Fired 2 After reading e-mail

Summarized from an article by George White, `Los Angeles Times', 8 Jan 1991

Two former employees of Nissan Motor Corp. USA allege that they lost their jobs after a manager eaves-dropped on their electronic mail messages.  Their lawsuit claims that they were illegally discharged and denied their constitutional right to privacy.
The plaintiffs used electronic mail to track the needs of Nissan dealers, occasionally sending personal messages to dealerships.  One of the messages was critical of a Nissan manager.  The suit maintains that a Nissan manager intercepted their personal messages and threatened to dismiss the two.  One was fired outright, the other was told to resign or be fired.

Their attorney said Nissan was retaliating against the pair for filing an invasion of privacy complaint with Nissan's Human Resources Dept. on Dec. 28.  Nissan denies the charges, calling them "unfounded."

------------------------------

Date: Mon, 7 Jan 91 14:01:34 PST
From: eggert@twinsun.com (Paul Eggert)
Subject: Email flash from the past

From RISKS 10.75 (7 Jan 91):

	Date: Sun, 7 Jan 90 11:18:14 CST		[ <==== sic ===== ]
	From: smith@SCTC.COM (Rick Smith)
	Subject: Re: "Computer Age Causes Key U.S. Data To Be Lost Forever"

	I've been a packrat for most of my life and I've done historical research...

It's ironic that a message about old data claimed to be one year older than it really was.  No doubt the problem was a system administrator's error in entering a date after a reboot, the sort of thing that software should warn about but often doesn't.  Beware of dates in early January.

   [See my Inside Risks column in the January 1991 CACM summarizing some of the more interesting clock problems discussed in the RISKS FORUM over the years (and over the years' ends), albeit familiar to long-time RISKS readers.  PGN]

------------------------------

Date: Wed, 9 Jan 1991 04:27:34 GMT
From: ggw%wolves@cs.duke.edu (Gregory G. Woodbury)
Subject: Re: Cars and Automation: Yes, a computer problem! (RISKS-10.75)

This really is a computer related problem.  Given that it is a fuel-injection new car, the spark advance and fuel metering are under the control of a micro-controller.
On many late model cars, the speedometer readings on the driver's console are derived from the output to the drive wheels (assuming front wheel drive) in the transmission and not from reading the rotation of the wheel!  This is the only source for the micro-controller to know the approximate speed of the vehicle so that it can compute engine load and adjust fuel metering and spark advance.  Additionally, several late models also put the automatic transmission under the control of a micro-controller (usually the same one as is controlling fuel).

The RISKS are obvious.  There is only one micro-controller in the system; the car will NOT operate without the controller working properly; there are no redundancies in most of the critical input systems.

Additionally, the micro-controllers are overly sensitive in many cases to: changes in voltage delivered, electromagnetic interference from radio transmissions, electromagnetic interference from power distribution systems, EMI from other systems in the vehicle, and even EMI from traffic sensing devices embedded in the roadways.

Further discussion is probably unnecessary.

Gregory G. Woodbury @ The Wolves Den UNIX, Durham NC
ggw%wolves@mcnc.mcnc.org    UUCP: ...dukcds!wolves!ggw    ...mcnc!wolves!ggw

------------------------------

Date: Wed, 9 Jan 91 13:09 BST
From: "Olivier M.J. Crepin-Leblond"
Subject: Another train crash in London

A man has died and 348 people were hurt when a packed rush-hour train failed to stop at Cannon Street station in London, and ploughed into the end buffer.  The train was packed with about 800 commuters.  The accident happened on Jan 8th, 1991, at the height of the rush hour, at 8:45am.  It appears that the brakes failed to work when the driver tried to slow down when entering the station.  The train hit the buffer at the speed of 5 mph only, but some carriages got crushed because of its weight and age.  The sixth carriage was pushed onto the fifth carriage.  The train was 35-40 years old.
The UK's Rail Minister promised a full enquiry.  Ambulances, helicopters, and even a London red bus were used to carry the victims to hospital.

Once again there is a major train crash in London.  British Rail has had a pretty bad record of crashes.  Lately there has been an average of 1 major crash per year.  This year it seems that they are reaching their quota pretty early !  The main problem seems to be prolonged lack of investment into new rolling stock, and hence British Rail ends up with old trains, old stations, etc.  Cost-cutting measures brought more over-crowding during peak rush hours.

I have often taken trains similar to the one involved in yesterday's crash.  Most local commuter routes are served using these trains.  The ride is something of an experience.  During the rush hour, most people stand up between the seats.  Carriages, although being good for natural history museum exhibitions, are crowded to their full load.  Yes, carriages with inside walls still made of wood, and grey seats facing each other.  The ride is anything but comfortable.  One tends to bounce on the seats, as though the train was actually hopping from rail to another rail.  5 years ago British Rail started an extensive refurbishment of these trains.  The only visible improvements were a new coat of paint outside, and the replacement of filament light bulbs with fluorescent.  Oh, and yes, the logo on the trains was changed from British Rail to Network Southeast.  There is no safety mechanism about opening doors.  One can open a door whereas the train is in a station or speeding between 2 stations.

Some London underground trains have also been built in the 1950's.  They should have been replaced 2 years ago, but one of the new replacement trains went off the tracks during trials, and it was all back to the drawing board.  London underground says that new trains should be introduced in 1992.
Although there have been so many accidents, I guess I shall miss these British Rail carriages when the new ones replace them (when ? in a year's time I'm told ?).  Travelling on Network Southeast was much of an adventurous experience.  But like any thrill, it was only good in small doses.

Olivier Crepin-Leblond, Imperial College, London, UK.

------------------------------

Date: Tue, 8 Jan 1991 11:36:49 CST
From: B35048@ANLCMT.CMT.ANL.GOV (Tony Scandora 708-972-7541)
Subject: Re: NY area fiber-optic telephone cable severed; extensive effects (PGN)

My father spent all morning Friday 4 January trying to return a phone call from his office near Chicago to a customer in the Dominican Republic.  After endless "We're sorry, all circuits are busy.  Please try your call later." messages, he heard on the news that a cable had been cut near New York, which affected some overseas calls.  He continued trying all day Friday, and never got through.  He spent all day Saturday trying to make a FAX call and never got through.  A cable cut in Newark made it impossible to place a call from Chicago to the Dominican Republic for at least two full days.  How's that for depending on a single point of failure?

It brought back memories of the Hinsdale fire on Mother's Day a couple of years ago, when a fire in an unattended office took out most of Chicago for three weeks.  At the time, I started to worry that fifty strategically placed terrorists with street gang incendiaries could cripple the entire country.  It could even be done without receiving any return fire.  The history of telephone service since then has done nothing to restore my confidence.

Back in the bad old days of Ma Bell, they used to brag that the call might be routed through Arizona, Montana, and Guam, but it would get there.  Why are today's telecommunications systems designed to depend on extremely vulnerable single points of failure?
------------------------------

Date: Tue, 8 Jan 1991 11:04:58 +1100
From: david@marvin.jpl.oz.au
Subject: Re: Vicious elevator door failure recovery [RISKS-10.76]

I speak as an Australian Lift ( OZ for "elevator") manufacturer, and so cannot speak directly for USA lifts.  However, the observed behaviour is consistent with OZ lifts.

Historically, the door sensors have been a notoriously unreliable element, and whilst many improvements have occurred over the years, being at the "working face" of lifts, they still fail regularly.  To prevent the lift being out of commission without warrant, controller logic assumes that 4 or 5 retries is good enough if we have stuck people, and then assumes that it must be a sensor failure, and attempts to close.  In Oz, this behaviour is often written into building specifications.

However, things are not as bad as they look.  Lifts are governed by a VERY large set of regulations, and door related regs are a good part.  The door controller design MUST not allow more than a specified force to be applied in the event of a blockage.  Whilst this force must be reasonably strong to cover day-to-day events, it is not sufficient to break a limb ( 130N: let the Regulators beware), although it could cause a bruise on the frail.  Most door controllers will physically dis-engage the drive mechanism on a solid blockage, allowing even for uncontrolled torque on the closing motor.

	"Where the closing of doors is delayed by a period of not less than 10 s through the operation of the passenger-protection device ( door beams), the doors may power close with the passenger-protection device in-effective provided that the kinetic energy does not exceed 3.4J, and an audible warning is sounded in the car."
			Aus. Standards 1735.2 p64

The passenger's main fear is that the doors will close with unreasonable force, to sever the limb; or that the lift will leave the floor with the limb extended thru the door.
Above and beyond the controller's S/W checks on timing and sensors, independent door sensors prevent this occurrence, all covered by national standards.

Mr Jackson implies that there is a hidden design risk in the behaviour of the doors.  Whilst all may not agree on the fine print, it is an area of intense scrutiny and regulation.

These opinions are my own, and although not different to the views of the Company, cannot be taken as an official voice.

David Magnay, Boral Elevators (was: Johns Perry Lifts), 45 Wangara Road,
Cheltenham 3192, Victoria, Australia    (03) 584-3311    O/seas +61 3 584 3311

------------------------------

Date: Tue, 8 Jan 91 18:24 BST
From: "Olivier M.J. Crepin-Leblond"
Subject: RE: Vicious elevator door failure recovery (RISKS-10.74)

The few elevators ('lifts' in UK) of the London underground system are now all operated by computers.  They do have a warning beep, and they also have door sensors in case someone gets trapped.  The idea has never come into my mind to try to block the doors, but from what I can recall about the commuter crowding during the rush hour, they also shut for good after a few aborted attempts.  One can hold them back without trouble.

However the doors of the underground trains are operated by the driver.  The only sensor they have checks if the doors are closed or not so that the train cannot start if the doors are not properly shut.  About a year ago, one sensor failed and a woman was dragged along the length of a platform.  Fortunately other passengers stopped the train by pulling the emergency alarm system.  Once, a friend of mine got his glasses broken when the train door slammed in his face.  Drivers are supposed to keep doors open as long as passengers are boarding the train but during the rush hours, they slam them shut so as not to get delayed too much.  Again, the doors can be held back, although here if you are not related to Arnold Schwarzenegger, it is advisable to request the help from other passengers.
So many people have had a bad experience getting trapped in underground train doors !

Personally, I would prefer computers and sensors to control the doors of any moving carriage.  At least when you are trapped the doors open-up again, whereas when there is human interaction, it all depends on his mood.

Olivier M.J. Crepin-Leblond, Elec. Eng. Dept., Imperial College London, UK.

------------------------------

Date: Tue, 8 Jan 91 9:43:50 EST
From: "Michael J. Chinni, SMCAR-CCS-E"
Subject: Re: Vicious elevator door failure recovery

Given all the comments on this topic I have a question: Since the elevator door is insisting on closing regardless of something interfering with its closing, what is to prevent the elevator from thinking that the door IS closed and start moving (remember the fact that no button in the elevator was pressed is immaterial since the elevator may be summoned from another floor)?

If there is a final failsafe such that the elevator KNOWS that the door isn't fully closed and therefore that it mustn't start moving then the only concern (albeit a significant one) is the doors closing on a person.  Seriousness of this depends upon the force the door exerts on the object blocking its full closing.  If there ISN'T such a failsafe then this problem is a fatality (and a gruesome fatality) waiting to happen.

Michael J. Chinni
US Army Armament Research, Development, and Engineering Center
Picatinny Arsenal, New Jersey
ARPA: mchinni@pica.army.mil    UUCP: ...!uunet!pica.army.mil!mchinni

------------------------------

Date: Tue, 8 Jan 91 10:02:49 EST
From: russ@alliant.com (Russell McFatter)
Subject: Re: Vicious Elevators

All of the elevators I've seen have some kind of door-edge safety device-- (officially called a "safety edge").  The older (and still most prevalent) style is the mechanical rubber bumper, which usually has to be pushed in by 1-2 inches to cause the door to retreat.
Other elevators have a thin plastic (but still mechanical) edge which works much the same way.  The newest Otis installations I've seen all have a proximity sensor, which is a plastic device mounted flush with the inner door (and usually has a small calibration light)-- most of the time, these reverse the door before it touches anything.

In an event where it doesn't (such as when the OUTER door is blocked), you are protected by devices which limit the force that the door can apply.  Both the closing speed (feet per minute) and closing force (pounds) of an elevator door are regulated by law (and is one of those things that should be checked when an elevator is inspected).  Rather than a clutch, I believe that most modern elevators limit the closing force of the door electronically.  The test is to resist the door WITHOUT tripping the safety edge or "electric eyes" (on elevators equipped with this).  It's usually firm, but shouldn't be able to crush or otherwise injure someone.

Most importantly, the elevator should not move with an obstruction in the door, even if the door is refusing to reopen.  This is one place where I think that advanced technology has reduced RISKs to the public; modern elevators can detect "unreasonable" situations that mechanical controllers don't (such as: door does not close within a certain time limit), and take appropriate action.

The safer we make something (elevator doors), the more people take this safety for granted, and, ironically, we end up with more types of unpredictable trouble.  I've always been amused by the New York public service commercials which advertise the hazards of subway-train doors, and make the point that "these doors mean business" and do not reopen (at one point, showing them with teeth).  People know to stay out of the way, and this helps to avoid accidents.
Imagine what would happen if you tried to introduce the first subway system based on the design that exists in most modern cities (including the very modern Washington D.C. "metro"): A crowded concrete platform ends at a five-foot drop to the tracks below; no walls or doors to prevent people from falling (or being shoved) off the edge; and no way back up once one falls.  At the bottom are exposed metal rails carrying lethal voltages at huge currents.  Whether or not one survives, the next train arriving at the station won't be able to stop in time to avoid hitting him.  Even those passengers who remain on the platform and successfully board a train, avoiding those nasty teeth-baring doors, will find themselves sitting or standing(!) in a boxful of glass windows, doors, metal rails, and with nothing particular to keep them in place when the train derails or smashes into another train, filling the dark tunnel with toxic smoke.

Would you expect this design to be approved?

Still, the greatest RISK to your health isn't the subway itself, but other passengers (especially in NYC).

--- Russ McFatter [russ@alliant.Alliant.COM]

------------------------------

Date: Tue, 8 Jan 91 09:27:01 -0500
From: jajodia@gmuvax2.gmu.edu (Sushil Jajodia)
Subject: call-for-papers, Journal of Computer Security

                              CALL FOR PAPERS
                         JOURNAL OF COMPUTER SECURITY

The Journal of Computer Security is a new archival research journal on computer security, to be published quarterly by IOS Press, Amsterdam.  It will publish significant advances in the theory, architecture, design, implementation, analysis, and application of secure computer systems.  Its scope encompasses all aspects of computer security, including confidentiality, integrity, and denial of service.  Subject areas include computer architecture, operating systems, database systems, networks, distributed systems, formal models, verification, algorithms, mechanisms, and policies.

Editors-in-Chief:

Prof. Sushil Jajodia                      Dr. Jonathan Millen
George Mason University                   The MITRE Corporation
Department of Information Systems         Mail Stop K325
  and Systems Engineering                 Burlington Road
Fairfax, VA 22030-4444, U.S.A.            Bedford, MA 01730, U.S.A.
jajodia@gmuvax2.gmu.edu                   jkm@mbunix.mitre.org
(703) 764-6192                            (617) 271-3580

Editorial Board Includes:

Marshall Abrams, MITRE                    Carl Landwehr, NRL
Thomas Beth, U. of Karlsruhe              E. Stewart Lee, U. of Toronto
Matt Bishop, Dartmouth                    Teresa Lunt, SRI
John Dobson, Newcastle upon Tyne          John McLean, NRL
Gerard Eizenberg, ONERA/CERT              Ravi Sandhu, George Mason
Virgil Gligor, U. Maryland                Marv Schaefer, TIS
                                          Bhavani Thuraisingham, MITRE

Instructions to Authors:

Submit six copies of your manuscript to one of the editors-in-chief with a submittal letter signed by one of the authors.  In case of multiple authors, designate an author for correspondence.  Please keep the editors informed of any changes of address.

Submitted papers must be original and present a significant result, and must not have been previously published or submitted for publication elsewhere, although portions may have been published in conference proceedings.  It will be assumed that all necessary clearances for publication have been obtained by the author(s) by the time a paper is submitted for publication.  Papers will be refereed in a manner customary with scientific journals before being accepted for publication.

------------------------------

End of RISKS-FORUM Digest 10.76
************************
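The elevator-door thread above (Magnay's retry-then-forced-close logic and the AS 1735.2 figures he quotes, Chinni's question about a final failsafe, McFatter's point that the car must not move with an obstruction in the door) can be modelled as a small door-controller state machine. This is an added example, not code from the digest or from any lift manufacturer; the three-input Sensors model, the DoorController names, the tick-based timing and NORMAL_CLOSE_ENERGY_J are assumptions, and the controller's "believes_closed" flag is a deliberately modelled design flaw so that the hardwired interlock can be contrasted with it.

```python
from dataclasses import dataclass, field
from typing import List

# Figures quoted in the thread (Magnay, AS 1735.2); everything else is constructed.
MAX_RETRIES = 5                   # "4 or 5 retries" before a sensor fault is assumed
MIN_DELAY_BEFORE_FORCED_S = 10.0  # doors delayed "not less than 10 s" by the beams
FORCED_CLOSE_ENERGY_J = 3.4       # kinetic-energy cap with the beams ineffective
NORMAL_CLOSE_ENERGY_J = 8.0       # assumed nominal closing energy (constructed)

@dataclass
class Sensors:                    # what the controller sees in one tick (assumed model)
    beam_blocked: bool            # passenger-protection device (light beams), software-read
    edge_blocked: bool            # mechanical safety edge, wired independently of software
    closed_contact: bool          # hardwired door-closed interlock contact

@dataclass
class CloseCommand:
    mode: str                     # "closed", "reopen", "close" or "forced_close"
    energy_j: float               # closing kinetic energy commanded
    audible_warning: bool         # warning sounded in the car

@dataclass
class DoorController:
    retries: int = 0
    delayed_s: float = 0.0
    believes_closed: bool = False  # software's own belief: the trap Chinni asks about
    trace: List[str] = field(default_factory=list)

    def _emit(self, mode: str, energy_j: float, warn: bool) -> CloseCommand:
        self.trace.append(mode)
        return CloseCommand(mode, energy_j, warn)

    def tick(self, s: Sensors, dt: float) -> CloseCommand:
        """One controller cycle; dt is the seconds elapsed since the last tick."""
        if s.closed_contact:
            self.retries, self.delayed_s, self.believes_closed = 0, 0.0, True
            return self._emit("closed", 0.0, False)
        self.delayed_s += dt
        if s.edge_blocked:
            # The safety edge is never overridden, whatever the retry count.
            self.retries += 1
            return self._emit("reopen", 0.0, False)
        if s.beam_blocked:
            if self.retries < MAX_RETRIES or self.delayed_s < MIN_DELAY_BEFORE_FORCED_S:
                self.retries += 1
                return self._emit("reopen", 0.0, False)
            # Beam treated as failed: power close at limited energy plus a warning.
            self.believes_closed = True  # the flawed assumption, modelled on purpose
            return self._emit("forced_close", FORCED_CLOSE_ENERGY_J, True)
        return self._emit("close", NORMAL_CLOSE_ENERGY_J, False)

    def may_depart_unsafe(self) -> bool:
        return self.believes_closed  # departure gated on belief only: Chinni's fear

    def may_depart(self, s: Sensors) -> bool:
        # Final failsafe: motion is permitted only by the hardwired contact.
        return s.closed_contact and not s.edge_blocked

def simulate_stuck_beam(ticks: int = 8, dt: float = 2.0) -> DoorController:
    """Constructed scenario: the beam reports blocked throughout; the door never closes."""
    ctl = DoorController()
    stuck = Sensors(beam_blocked=True, edge_blocked=False, closed_contact=False)
    for _ in range(ticks):
        ctl.tick(stuck, dt)
    return ctl
```

After five reopen attempts and more than 10 s of delay the model powers the doors closed at 3.4 J with a warning, yet may_depart() still refuses motion because the interlock contact never made; only the belief-based may_depart_unsafe() would let the car leave.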