Subject: RISKS DIGEST 11.69
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Saturday 18 May 1991  Volume 11 : Issue 69

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  42 die in Japanese train crash under manual standby operation (PGN)
  Electronic Ballot Voted Out in World's Largest Democracy (India) (Les Earnest)
  Central postal/banking computer failure in Japan [anonymous]
  Of Two Minds About Privacy??? (Mary Culnan)
  The Death of Privacy? (Jerry Leichter)
  Re: Horible Speling (Les Earnest, Brinton Cooper)
  (Bogus) IBM red switch (Mark Seecof)
  Emergency off switch - IBM 1620 (Stuart I Feldman)
  IBM Emergency pull switches (Gene Spafford)
  Re: Four-digit address causes NYC death (Scott Barman)
  Re: Transactional Records Access Clearinghouse (Larry Hunter)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Sat, 18 May 91 14:05:47 PDT
From: "Peter G. Neumann"
Subject: 42 die in Japanese train crash under manual standby operation

Investigations of the head-on collision on 14 May 91 were apparently focusing on the railroad crews, who were supposedly using hand signals because of the malfunction of an automatic signalling system at a 100-foot long siding that had recently been installed especially for running trains from Kyoto to a world ceramic arts festival at Shigaraki, 215 miles south of Tokyo. 42 died, 415 were injured, 1.5 miles from the siding at which the trains were supposed to have passed. The train was carrying 2.5 times its normal capacity, "but packing trains is not illegal in Japan and is so common that big-city commuter lines assign workers to push the last few passengers through the doors at the daily rush hours."

Source: John E. Woodruff, Baltimore Sun, datelined Tokyo, in the San Francisco Chronicle, 15 May 91. p.A7.

------------------------------

Date: 16 May 91 1424 PDT
From: Les Earnest
Subject: Electronic Ballot Voted Out in World's Largest Democracy

By SRINIVASA PRASAD, Associated Press Writer

BANGALORE, India (AP) - India has had the electronic voting machine for 10 years. But when parliamentary elections are held next week, vote counters will again be tallying more than 300 million slips of paper - one by one.

Use of the machine previously was snagged by legal barriers, opposition by politicians, doubts about the ability of rural Indian voters to use it and fears it could be rigged.

Those hurdles were finally cleared, but the national Election Commission decided the nine-week run-up to the surprise elections was not sufficient to teach the 3 million polling officers how to use the gadget.

About 150,000 voting machines will remain stashed in government stores.

``We have faith in the machines, but we can't take risks by using it before properly training the officers first,'' Chief Election Commissioner T.N. Seshan told reporters.

There are no professional polling officials in India.
School and college teachers and government clerks are hired as part-time election supervisors.

The three days of voting spread over next week were called hastily after the minority government of Prime Minister Chandra Shekhar resigned abruptly on March 6 because of difficulties in governing. He will remain in office until replaced.

Indian voters elect their candidates by using rubber stamps to mark ballots, which are printed with election symbols of political parties or independent candidates. Emblems instead of names are used because 75 percent of India's 515 million voters cannot read.

The emblem of former Prime Minister Rajiv Gandhi's Congress Party is an open palm. The Janata Dal party of his successor, V.P. Singh, uses a wheel. Chandra Shekhar's Janata Dal-Socialist party has a farmer with a plough inside a wheel. The Bharatiya Janata, or Indian People's Party, is identified with a lotus.

Among the hundreds of symbols used by other parties and independent candidates are a bicycle, rising sun, two leaves, string cot and tree.

The electronic voting machine displays the symbols on a screen with a button next to each picture. The button is pressed to register a vote and it can be used only once until the polling officer releases the mechanism.

``It is precisely to minimize rigging that the Indian machines have several features that are not there in the ones used in developing countries,'' said L.S. Anant of the state-owned Bharat Electronics Ltd., which makes the machine.

Many observers say voting machines would cut costs and get faster results. They say the threat of election rigging is no worse than the current system, which brings frequent charges of ballot-box stuffing.

National elections are time consuming and costly in India, the world's second most populous nation and the world's largest democracy with 844 million people.
The number of voters is more than twice the United States' population, although only 310 million to 370 million people usually cast votes.

Because of the vastness of the country polling is normally spread over three days to allow security forces to be shifted to protect the 600,000 polling stations.

The votes will be counted continuously after the first day of elections Monday and final results will be announced three days after the last day of polling, May 26.

------------------------------

Date: Thu, 16 May 91 09:12:39 xxx
From: [anonymous]
Subject: Central postal/banking computer failure in Japan

Computer failure hits post office banking in 6 prefectures

Sendai, May 16 (Kyodo) - A large postal banking computer went down Thursday at a computer center in Sendai, putting banking machines out of action for more than three hours throughout Hokkaido and five prefectures in northern Honshu.

Computer technicians had the main computer, one of three at the ministry of posts and telecommunications East Japan no. 2 computing center, back on line shortly before noon but postal authorities could not say what had caused the computer to fail.

A total of 1,200 post offices throughout Hokkaido and the northern prefectures were affected, with 1,300 automatic teller machines and cash dispensers out of action. Another 3,000 transaction machines used by counter clerks at 2,900 post offices were also inoperable.

According to postal bureau officials, the automatic teller operations can be shifted to an auxiliary computer if one of the three main computers goes down but this failed after Thursday's breakdown.

Counter clerks in the post offices processed transactions by hand during the failure, the authorities said.

Until last week, postal banking services in the four northern regional bureaus were handled by three computer centers in Sendai, Nagano, and Otaru in Hokkaido. To improve efficiency, however, operations were concentrated at the center in Sendai from May 6.

------------------------------

Date: 16 May 91 21:49:00 EDT
From: "Mary Culnan"
Subject: Of Two Minds About Privacy ??? (RISKS 11.68)

Unfortunately, I think our privacy rights have already BEEN undermined -- at least when it comes to credit information. There are three ways in which the privacy of credit reports is/can be violated:

1) Because credit reports are online, it is relatively easy for unauthorized people to pull your report (recall Jeff Rothfeder, the Business Week reporter, who got access to Dan Quayle's credit report thru a Super Bureau).

2) The big 3 credit bureaus will prescreen your credit report for unsolicited (by you) offers of credit and/or sell mailing lists against a different database consisting of summarized data from your credit report.

3) TRW and Equifax will also do list enhancement with the marketing database, that is, match their database against a tape another firm sends in and add information about you from their marketing database to the tape that was sent in (assuming you are on the tape that was sent in). For example, a bank wants to learn more about its customers -- it could have its customer file enhanced with summarized credit data. At least one firm has the Equifax marketing database running on its own mainframe.

The credit bureaus will let you opt out of the marketing applications by writing to them. However, in the case where the database itself has gone to a third party, it's hard to see how an individual can exert any control over this information. Much of this sadly reminds me of problems raised by the Lotus MarketPlace. Further, this is all legal due to giant loopholes in the FCRA.

Mary Culnan

------------------------------

Date: Fri, 17 May 91 00:17:42 EDT
From: Jerry Leichter
Subject: The Death of Privacy?

In a recent RISKS, David States quotes a Scientific American article stating that "privacy legislation has been nickeled and dimed to death" - but that most Americans, according to an Equifax survey, don't seem to mind.
He wonders whether this is an opening salvo in further attempts to limit privacy.

I think there's something much deeper going on. The more I look around me, the more I come to the conclusion that we, as a society, have almost lost the very idea of privacy.

Consider what would, 30 years ago, have been considered "private" by most people. A list might include such things as financial matters - particularly how much money they make/have, health records, family relationships, sexual matters, personal opinions about other people. Today, huge numbers of people have access to our financial and health information, we're encouraged to be "open" about our feelings, sex is widely discussed (note that 30 years ago, "privacy" about sex INCLUDED not having OTHER people's sex lives discussed in public), etc.

We can blame some of the changes, particularly about things like financial and health records, on business or government. It's hard to see how we could have medical insurance on today's scale without such records and their relatively wide availability, and in trade for much wider availability of information on our financial affairs we got credit cards and such things; so even here, the story is complex. But much of the "baggage" of privacy we threw away with great enthusiasm during the sexual revolution and the general "opening up" of society in the late '60's. "Let it all hang loose" doesn't mesh well with keeping things private. "Privacy" is closely connected to "shame," but most of the things traditionally associated with "shame" no longer are either. About the only things we are "supposed" to be ashamed of now are legal or ethical violations.

These are deep-seated and profound changes in our social outlook. They happen to coincide with the emergence of a technology that is able to pierce the anonymity of "mass living". Residents of small communities have never had very much privacy - everyone knew what everyone else was doing.
(There was often a tacit social agreement to look the other way, of course.) But large cities were anonymous, and people could get lost in them. Increasingly, they no longer can.

Computerized record-keeping systems have a long history of allowing access to "unauthorized" personnel. When this happens, it should be brought to light and repaired. However, it's important to realize how much of our loss of privacy is intimately connected with the DESIRED operation of our systems. Of cases I can think of from my own personal experience where I felt my own sense of privacy to be violated, one of the most vivid involved having to discuss details of medical treatment with a clerk for some insurance company. By the very nature of the insurance, this clerk was authorized to determine whether I was making a proper claim; but my gut reaction was "this is none of your damn business, I talk to my doctor about that".

-- Jerry

------------------------------

Date: Thu, 16 May 91 21:55:45 -0700
From: Les Earnest
Subject: Horible Speling (RISKS-11.66)

Unfortunately, I can't blame computers for my spelling lapses, having grown up before they were invented. In fact I invented the spelling checker in 1967 as a cover-up.

I had created a list of the 10,000 most common English words on paper tape when I was at MIT for use by my program that read cursive writing. A year or so after I came to the Stanford Artificial Intelligence Lab, I got a graduate student to write a spelling checker using this word list. He did it in Lisp, which clanked a bit on the DEC PDP-6 that we were using.

A few years later I got another student, Ralph Gorin, to write a faster and better machine language version for the SAIL computer, which by that time was a dual processor DEC-10/PDP-6 system. Freeware was the norm then -- no one even _thought_ of patenting software. From SAIL, the spelling checker spread via Arpanet throughout the DEC-10/20 world, then on to other timesharing systems.
When personal computers appeared later, these meddlesome programs became ubiquitous. (I note, however, that the one running here under emacs doesn't recognize "meddlesome.")

Unfortunately, spelling checkers don't deal with another composition problem of mine -- fingers that often spell phonetically when I go fast -- because homophones pass the spelling test.

Incidentally, though the venerable SAIL computer now appears to be the oldest living timesharing system in the world, it hasn't been maintained for a long time and is beginning to show Alzheimer symptoms. On the afternoon of June 7 we plan to have a party celebrating its 25th birthday, last rites, and wake. Anyone who would like to receive SAIL's last words, which are likely to include a boastful summary of its accomplishments, should send a message (content unimportant) to Farewell@SAIL.Stanford.edu.

Les Earnest, 12769 Dianne Drive, Los Altos Hills, CA 94022  415 941-3984
Internet: Les@cs.Stanford.edu  UUCP: . . . decwrl!cs.Stanford.edu!Les

------------------------------

Date: Thu, 16 May 91 15:05:19 EDT
From: Brinton Cooper
Subject: Re: Horible Speling (Engst, RISKS-11.66)

My wife's pupils (grade 4) use a spell checker in connection with a word processor that's only a little more than an electronic typewriter. Targeted for children, the spell checker will flag homophones (homonyms?) and ask the user if he/she knows which one he/she really wants. This feature seems to be in the spirit of Adam's point.

However, if the teachers of today cannot spell without that electronic crutch, I'd be more likely to complain to (1) them, (2) the school district who hired them, (3) the "university" which trained them, and (4) the public schools where they didn't learn to spell.

_Brint

------------------------------

Date: Thu, 16 May 91 13:44:21 -0700
From: Mark Seecof
Subject: (bogus) IBM red switch

Okay, I can't resist adding to the red-switch discussion. I used an IBM 1401 in high school.
It had an "emergency" power-off switch -- which no one ever pulled. It also had a 1403 600-LPM line printer. If you placed an invalid character in the carriage-control column of a FORTRAN output record, the line printer would spazz out and feed paper continuously at high speed. The printer would emit a loud and distinctive scream as paper shot dramatically from the back.

Of course, inexperienced student programmers who provoked this behaviour would try to stop the printer by punching the large red STOP button on its console. Ha! That button, like its twins on the read/punch unit and CPU cabinet, would halt the processor but have no effect on the printer. There was a transparent button with some innocuous label (I don't remember the exact wording and my manual is at home) which would actually stop the printer.

Because panicky students weren't likely to find the proper button before hundreds of feet of paper were propelled through the printer, the official technique for dealing with the situation was to step on the paper in the paper box (which stood open beneath the front of the printer). The printer would tear the paper off neatly at a page-perf and then sit there whining until someone punched the proper button.

Moral? The large red STOP button on the front of a machine should stop THAT MACHINE, not some other machine on the other side of the room. This is even more important when the machine in question is a mechanical device which could injure someone (suppose your regulation IBM computer-programmer's tie got caught in the tractor feed mechanism as you were peering at some output...).

(Also on the subject of red switches, I have been informed that the reason the newer IBM PS/2's and RS/6000's have white power switches is because of a German government regulation which demands that the ONLY red switch in an entire computer room be one which turns off all power to all equipment in the room, and it was easier for IBM to fit all small computers with white power switches than to fit some with red and some -- for sale in Germany -- with white. Note also that the Germans have proposed that their (sometimes silly) rules be adopted by the whole EEC.)

Mark Seecof, Publishing Systems Department, Los Angeles Times, Times-Mirror Square, Los Angeles, California 90053
Voice: 213-237-7605  Fax: 213-327-3119

------------------------------

Date: Fri May 17 21:40:58 1991
From: sif@lachesis.bellcore.com (Stuart I Feldman)
Subject: Emergency off switch - IBM 1620 (RISKS-11.67)

If we are reminiscing about ancient unsafe designs, consider the IBM 650, which had both `AC power off' and `DC power off' buttons. The DC power off turned off the active logic (vacuum tubes!). AC power off didn't actually do that, but initiated the power down sequence, which included putting on the braking rotors for the magnetic drum (cylinder rotating at 12,500 rpm). The corresponding `AC power on' button started the spin-up motors. For lack of a relay, there was no interlock between these functions, and it was possible (or so I was warned as a tyke) to warm up the drum by having the two motors fight each other.

So what's so strange about a guillotine for the power cord?

------------------------------

Date: 17 May 91 02:26:32 GMT
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: IBM Emergency pull switches

Back in the 1981-1983 timeframe (the exact year escapes me), IBM donated some equipment to the School of Information and Computer Science (now the College of Computing) at Georgia Tech. Included in this donation were 3 IBM Series 1 machines.
Each of these was equipped, in the upper right-hand corner, with a bright red "Emergency Pull" switch. Those of us using the Primes, Vaxen, and AT&T gear made jokes about the switch (and about the IBM gear in general). Little did we know at first....

In the 7 years I was at Tech, I saw lots of equipment pass through the lab. We had, other than the IBM gear, AT&T 3bX's, Primes, HP systems, Data General, Xerox, Symbolics, and various other bits & pieces, including lots of telecommunications gear. In all that time, with over 100 machines, we had 4 fires in the lab.

One was caused when a CDC disk drive on one of our Prime 400 machines had its bearings seize (the disk had been on-line for something like 6 years with no maintenance, and the machine had been up for over a year without a reboot, as I remember -- the most reliable collection of hardware I've ever seen). The fire was well-behaved and put itself out; the Prime continued to run, but the first command typed at the console that caused a page fault caused a panic halt.

The other 3 fires were all IBM Series 1 machines. These weren't just little blow-a-capacitor-and-create-smoke fires, either. They were burn-up-the-power-supply type fires that took controller boards with them. One was so complete, we had to dispose of the machine as there was too little to salvage, as I remember.

We concluded that the pulls were not there out of tradition, but were installed because experience or choice with the design indicated that they were necessary to deal with the tendency towards self-immolation.

Ever since then, I have believed that any machine that has an emergency pull probably needs one. Computers that are likely to catch fire or electrocute me (see the old Risks posting about the jealous computer electrocuting the scientist) are not high on my list of preferred computing platforms. I also tend to flinch when a sales-critter tells me his cpu really smokes; it took me a while to even tolerate the idea of using a SPARC.
:-)

Gene Spafford, NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-1398

------------------------------

Date: Thu, 16 May 91 13:56:27 EDT
From: Scott Barman
Subject: Re: Four-digit address causes NYC death (Pellett, RISKS-11.60)

The original posting (Nilges, RISKS-11.55) came from a report aired on WNBC in New York. To find out more about this, I spoke with a director I know who is familiar with the story (he did not work on the story and the original reporter/director is out on assignment).

I was reminded of something that Mr. Ravin forgets; large parts of Queens were not fully developed until after World War II. There are a lot of addresses that look like they would cause a conflict when given, such as an 83rd Street vs an 83rd Avenue address as well as cross streets with names (the incident in the report happened off of Queens Blvd.). Over that time, the city assigned different address numbers on some of these and nearby streets to hopefully avoid conflicts and give emergency services a better chance of finding these places. Unfortunately, over the years the city has never properly adjusted the "official" city specifications for addresses and this specification is what they used for designing the 911 system.

Bob Frankston writes:

>Representation is a nontrivial issue. While it may be "obvious" that one
>should allow for five digit addresses, what about fractional addresses due to
>subdivided lots (how do you say "384 3/8e 1St SW" in ASCII, how does it
>sort?? Apartment addresses? Alternative addresses (6th Ave vs Avenue of the
>Americas)? Why not require full color graphics and then discover you can't
>present it on a belt-mounted radio?

Curious about the 6th Avenue vs. Avenue of the Americas differences (since part of this building is on 6th Ave.), we contacted the NYC Emergency Services Bureau and were told that the system understands the addresses at 6th Avenue and the operators are trained to use 6th Avenue instead of Avenue of the Americas in the computer and when dispatching assistance.

Oh, and there are no "3/8" addresses. There are halves and they are addressed in the system (albeit badly I have been informed). Also, NYC does not use compass directions like SE or SW but does use an address like "40 W. 50th Street" and these are addressed as well.

Another problem the report didn't cover, and nobody did either, is that there is a problem (again in Queens) with Harry Van Arsdale Drive. This street name was changed a few years ago from Jewel Avenue and is entered in the Emergency Services Bureau computer as two different addresses because there is no way to properly link these addresses in that system. So a person can call and report a fire at (for example) 80-15 Jewel Avenue and another person can call and report one at 80-15 Harry Van Arsdale Drive and two dispatches will be sent. We were told the one time something like this happened, the local fire house understood it to be the same address even though the 911 operators didn't. ESB uses the same procedure as the 6th Ave vs. Ave. of the Americas problem but since this is a newer change and since some of the ESB operators are not from NYC (20% are New Jersey residents) they leave it up to area fire and police not to duplicate the calls. This is something ESB is looking to fix.

scott barman

------------------------------

Date: Fri, 17 May 91 10:07:41 EDT
From: hunter@nlm.nih.gov (Larry Hunter)
Subject: Transactional Records Access Clearinghouse

I have been inundated with messages asking me for more information about David Burnham's Transactional Records Access Clearinghouse (note the correction of the name from my posting in RISKS-11.60).
Here is contact information for those of you who would like to know more about the organization:

Transactional Records Access Clearinghouse, 999 Pennsylvania Ave., SE, Suite 303, Washington, DC 20003
(202) 544-8722

------------------------------

End of RISKS-FORUM Digest 11.69
************************
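Scott Barman's message above describes one location entered under two street names with no link between them, so two dispatches are sent. The following is an added example, not part of the digest and not code from any NYC system: it resolves street aliases to one canonical address before checking for an open dispatch. The alias table, abbreviation lists, 10-minute window and all function names are assumptions, and the sample addresses are constructed from those mentioned in the message.

```python
import re

# Constructed alias table: each alternative street name maps to one canonical name.
STREET_ALIASES = {
    "jewel avenue": "harry van arsdale drive",  # renamed street, old name still used
    "avenue of the americas": "6th avenue",
    "sixth avenue": "6th avenue",
}
SUFFIXES = {"ave": "avenue", "av": "avenue", "st": "street",
            "dr": "drive", "blvd": "boulevard"}
DIRECTIONS = {"n": "north", "s": "south", "e": "east", "w": "west"}

# House number of any length, optional Queens-style hyphen part ("80-15"),
# optional half ("12 1/2"), then the street name.
ADDRESS_RE = re.compile(r"^\s*(\d+(?:-\d+)?)(?:\s+(1/2))?\s+(.+?)\s*$")


def canonical_address(raw):
    """Return (house_number, half, street) with abbreviations and aliases resolved."""
    match = ADDRESS_RE.match(raw)
    if match is None:
        raise ValueError(f"unparseable address: {raw!r}")
    number, half, street = match.groups()
    words = [w.strip(".,").lower() for w in street.split()]
    words = [w for w in words if w]
    if not words:
        raise ValueError(f"no street name in: {raw!r}")
    # Expand a leading compass letter only when a name and a suffix follow it,
    # and a suffix abbreviation only in last position, so a leading "St." is
    # never read as "street".
    if len(words) > 2 and words[0] in DIRECTIONS:
        words[0] = DIRECTIONS[words[0]]
    if len(words) > 1 and words[-1] in SUFFIXES:
        words[-1] = SUFFIXES[words[-1]]
    name = " ".join(words)
    # The house number stays a string: no digit limit, and "80-15" is kept
    # as written rather than collapsed or truncated.
    return (number, half or "", STREET_ALIASES.get(name, name))


class DispatchLog:
    """Suppress a second dispatch for the same incident type and location."""

    def __init__(self, window_seconds=600):
        self.window_seconds = window_seconds
        self._last_dispatch = {}  # (incident, canonical address) -> dispatch time

    def report(self, incident, raw_address, now):
        key = (incident, canonical_address(raw_address))
        last = self._last_dispatch.get(key)
        if last is not None and now - last <= self.window_seconds:
            return "duplicate"  # same place under another name: link the calls
        self._last_dispatch[key] = now
        return "dispatch"


if __name__ == "__main__":
    log = DispatchLog()
    # Constructed calls: two names for one location, then a different street.
    for t, addr in [(0, "80-15 Jewel Avenue"),
                    (120, "80-15 Harry Van Arsdale Drive"),
                    (130, "83-10 83rd Street")]:
        print(t, addr, "->", log.report("fire", addr, t))
```
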