Subject: RISKS DIGEST 13.19
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 27 February 1992  Volume 13 : Issue 19

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  The long arm of the law fingers old fingerprint (PGN)
  $300,000 budget error at The Whig Standard (Jim Carroll)
  Patriot missiles misled by `accidental' decoys (Lord John)
  More on the Airbus A320 (Andrew Marchant-Shapiro)
  Re: Italian crooks let others pay phone bill (Ralph Moonen)
  Two Cornell Students Arrested for Spreading Virus (PGN)
  Re: Calculator Use During Exams (Bob Frankston, Brinton Cooper, Li Gong, Jeffrey Siegal, mathew)
  Re: Carpal Tunnel Syndrome etc. (Steve Bellovin, Brinton Cooper, Ralph Moonen, Jeremy Barth, Simona Nass, Brinton Cooper, Torsten Lif, Claire Jones)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP domain folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Thu, 27 Feb 92 14:51:23 PST
From: "Peter G. Neumann"
Subject: The long arm of the law fingers old fingerprint

A fingerprint found in an unsolved 1984 murder of an 84-year-old woman was kept in the San Francisco police database all these years. Recently the SF print database was linked with the Alameda County database. The old print matched a new one taken in connection with a petty theft case, and so eight years later the police were able to solve the old case (burglary, arson, homicide). The two girls implicated were 12 and 15 at the time.

[Source: Article by Stephen Schwartz, Chronicle Staff Writer, San Francisco Chronicle, 22 Feb 1992, p.A16]

------------------------------

Date: Thu, 27 Feb 1992 09:00:16 -0500
From: "Jim Carroll"
Subject: $300,000 budget error at The Whig Standard

From the Feb. 21 Toronto Globe and Mail...

"A misplaced computer byte has forced a daily newspaper in Kingston to chew a sizeable hunk out of its budget for 1992.

The $300,000 glitch, discovered last month, means the Whig Standard will be hiring only two students to work as reporters or editors this summer instead of five, and also has forced it to reduce its spending for freelance stories, editor Neil Reynolds says.

The computer in the newspaper's accounting department somehow managed to understate editorial cost by $300,000 when it spewed out editorial budget planning numbers last fall..... The newspaper is thought to have a total editorial budget of about $3 million a year."

What is interesting about this particular error is the size of the error compared to the budget: 10%. Surely some cursory review should have identified an error of this magnitude.

Jim Carroll, J.A.
Carroll Consulting, Mississauga, Canada
jcarroll@jacc.uucp  Voice/Fax +1.416.274.5605  MCI, Bix JCarroll

------------------------------

Date: 27 Feb 92 13:01:00 EST
From: "UKAV03::W0400"
Subject: Patriot missiles misled by `accidental' decoys

Quotes from an article in the New Scientist 15 Feb 1992:

The US Army's Patriot missiles missed many of the Iraqi missiles that the US thought they had shot down during the Gulf War, according to a new analysis. Iraq's modified Scud missile, called the Al-Husayn, was difficult to hit because it was so unstable that it broke into pieces when it reentered the atmosphere, creating a confusing barrage of debris.

Ted Postol, a professor at MIT, re-examined the Patriot's war record at the request of a Congressional committee. He found that deploying Patriot missile defences did not reduce damage during Iraq's missile attacks on Israel and Saudi Arabia.

Postol then examined videotapes recorded by TV journalists that seemed to show the Patriot missiles successfully intercepting Al-Husayn missiles. Raytheon, the Patriot's manufacturer, has used this footage to promote its missile.

Incoming Iraqi missiles are visible on the videotapes because their velocity, about two metres per second, {that must be a mistype in the article, I expect it should be two kilometers per second W.} makes them glow incandescently as they re-enter the atmosphere. The videotape also captures the explosions of the Patriot interceptors.

Postol played these videotapes in slow motion to an audience of the AAAS. As the Patriot detonations flashed on the screen, Postol stopped the tape to show how far these explosions were from the glowing Al-Husayn warheads. In most cases, the Iraqi Al-Husayn warhead appeared to fly straight on unharmed. In one case, there was a fireball as the Iraqi warhead exploded on impact with the ground.

The army claims that the Patriots successfully intercepted 45 of the 47 missiles they tried to shoot down.
But Postol says the tapes show that in some of these cases, the Patriots missed their targets by at least a kilometer. Postol measures this distance by comparing the relative motions of the Patriot fireball, which stays in one place, and the Al-Husayn warhead.

The Patriot had a particularly hard time hitting the Al-Husayn because of problems with the Iraqi missile. Iraqi engineers had extended the range of the Soviet Scud-B missile by lengthening its fuel tanks and making its warhead much lighter. The changes made the missile unstable, and caused the Al-Husayn to flop belly-first as it re-entered the atmosphere, often breaking up in the process.

The Patriot missile had to distinguish between the Al-Husayn's warhead and other debris such as the empty fuel tank and tail fins which rained from the sky. In effect, the Iraqi missile released unintended but effective "decoys" to distract the Patriot, said Postol.

The Patriot had its own problems as well. One software bug could have directed the Patriot to attempt to intercept an incoming missile at a point below ground. In one case this bug may have caused a Patriot to turn back and dive into the ground.

Postol argues that the effectiveness of the Al-Husayn's unintended decoys shows how extremely simple factors can frustrate attempts to shoot down ballistic missiles. This could teach scepticism when it comes to evaluating the claims made for missile defence technologies, such as plans for the US Star Wars system.

Raytheon disputes Postol's conclusions, but has not yet made public a detailed analysis that would rebut his claims. Defenders of the Patriot believe the damage on the ground could have come from falling debris rather than from detonations of the Iraqi missile's warhead.

[It is funny how what starts as a great success, turns out less than so, when investigated.
It also demonstrates that very simple systems can (and do) prevent the high technology systems working, as well as showing that designers of such systems get a mindset as assumes the opponents have the same mindset. This is not always so... Lord John - The Programming Peer]

------------------------------

Date: 25 Feb 92 13:55:00 EDT
From: "MARCHANT-SHAPIRO, ANDREW"
Subject: More on the Airbus A320

On National Public Radio's Morning Edition program this AM, one report concerned the series of crashes that have plagued the Airbus 320. According to this report, MOST 320 aircraft have an alarm that informs the pilot that s/he is flying too low, but France does not require this alarm and so aircraft sold to and/or operated by French companies do not have this alarm installed.

I don't even qualify as a dabbler in this area, but if I recall correctly, at least 2 out of 3 crashes, and possibly all 3, involved French aircraft. Since they have also been somewhat similar (an apparently _unnoticed_ loss of altitude), could this help to explain what happened?

If so, this points to a particularly interesting human interface problem -- perhaps the A320 tends to drop faster than other aircraft, but, since there is no alarm, [some] pilots do not realize what is happening until they're too low to do anything about it.

Any comments from qualified persons?

Andrew Marchant-Shapiro, Depts of Sociology and Political Science, Union College, Schenectady NY 12308  518-370-6225  marchana@union.bitnet

------------------------------

Date: Tue, 25 Feb 92 11:14 MET
From: rmoonen@hvlpa.att.com
Subject: Re: Italian crooks let others pay phone bill (Weber, RISKS-13.16)

There was a big case in the Netherlands over 5 years ago where they did the same. The scheme involved renting a mobile phone from the Dutch PTT, copying the EPROM, transferring the EPROM to a mobile phone which had been stolen, and then returning the rented phone.
This way, as the phone gets re-rented again to various persons, the bill gets spread out, and it will be less obvious.

BTW, what inferior kind of ATM's do they have in Italy that let you tamper with the EPROMS inside? Maybe we have some over here in Holland too? :-)

------------------------------

Date: Tue, 25 Feb 92 13:12:23 PST
From: "Peter G. Neumann"
Subject: Two Cornell Students Arrested for Spreading Virus

2 Cornell Students Arrested for Spreading Computer Virus
LEE A. DANIELS, N.Y. Times News Service

Two Cornell University undergraduates were arrested Monday night and charged with developing and spreading a computer virus that disrupted computers as far away as California and Japan, Cornell officials said.

M. Stewart Lynn, vice president for information technologies at the university in Ithaca, N.Y., identified the students as David Blumenthal and Mark Pilgrim. Lynn said that both Blumenthal, who is in the engineering program, and Pilgrim, in the college of arts and sciences, were 19-year-old sophomores. They were arrested Monday night by Cornell and Ithaca police officers. Lynn said the students were arraigned in Ithaca City Court on charges of second-degree computer tampering, a misdemeanor, and taken to the county jail.

Lynn said authorities believed that the two were responsible for a computer virus planted in three Macintosh games on Feb. 14. [...] He identified the games as Obnoxious Tetris, Tetricycle and Ten Tile Puzzle. The virus may have first appeared in a Stanford University public computer archive and spread from there through computer users who loaded the games into their own computers.

Lynn said officials at Cornell and elsewhere became aware of the virus last week and quickly developed what he described as ``disinfectant'' software to eradicate it. He said officials traced the virus to Cornell last week, but he would not specify how that was done or what led officials to the two students.
Lynn said he did not yet know how much damage the virus had caused. ``At Cornell we absolutely deplore this kind of behavior,'' he said. [reference to RTM deleted.]

AP item notes both are being held in the Tompkins County Jail on $10,000 bail.

------------------------------

Date: Tue 25 Feb 1992 20:14 -0500
From:
Subject: Re: Proposal for policy on calculator use during exams (Bezenek 13.16)

The long term issues are challenging. In a very few years, the subtablet-size portable computer will have replaced the calculator as the issue for exams. These systems will have a few megabytes (32, 64, 1GB?) of space (between the paging devices and the primary memory) and a full GUI interface. They will be preferable to notepaper (especially the pen or its successors complementing the keyboard).

Even more so than the current personal computers, these systems will be an integral part of how people solve problems. Since they are also the reference devices, it is unclear what the distinction will be between an open book exam and a closed book (def: a device for presenting information) exam.

Of course, one can ban them from closed book exams, but that would reduce closed book exams to an abstract exercise unrelated to actual practice.

The problems become worse when we have the WAN infrastructure so that the systems have builtin packet radio connections that are an integral part of their operation. While we can still have Faraday Cage exams, they too would be useful for testing the ability to survive without intellectual assists, but would not test the more important ability to take full advantage of the technologic infrastructure.

While I sometimes go off the technical deep end in predicting what is going to happen, I'm already working with the early forms of these technologies so the issue is one of timing rather than possibility.
Considering that computers have still had little impact on the educational system, once these systems drop below crucial price points they will rapidly overwhelm the schools. I'm presuming the appropriate UI's will be available and that the impediments are mainly economic.

------------------------------

Date: Tue, 25 Feb 92 9:12:19 EST
From: Brinton Cooper
Subject: Re: Proposal for policy on calculator use during exams (Bezenek 13.16)

Todd M. Bezenek KO0N communicates his proposed policy regarding the use of calculators on closed note university exams. In brief, he would take possession of a device which he (the proctor) believes to have been used to violate the intent of closed-note examinations. He would have a faculty member judge whether the calculating machine and its memory content provided an illegal aid to the test-taking student.

I guess he never heard of "due process." If you try that in universities supported by public funds, you run the risk of being sued by the student. His procedure sets up a couple of faculty as a "kangaroo court" (what does that mean, anyhow?) to judge whether a student cheated.

High-tech times may call for low-tech solutions. I simply do not permit the use of calculating devices on Computer Science examinations and quizzes. The reasoning is simple: Programmers should be proficient, personally, in computation.

  a. Having to work out a few numerical examples by hand can help budding programmers hone their ability to see more than one way to do a computation.

  b. Using this ability can provide "sanity checks" on their software.

  c. Programmers should be able to get the answer even when their batteries have run down.

I fear that at least some of the human-induced software faults discussed so often in this forum can be traced to the lack of computational skill on the part of the programmer involved.
_Brinton Cooper  abc@brl.mil  cooper@udel.edu  ab.cooper@compmail.com

------------------------------

Date: Wed, 26 Feb 92 14:47:31 EST
From: li@cambridge.oracorp.com (Li Gong)
Subject: Re: Proposal for policy on calculator use during exams (Bezenek 13.16)

In RISKS-13.16 Todd M. Bezenek proposed a policy for dealing with "the use of calculators on university exams." His posting "demonstrates the risk of introducing computing power into the classroom where it may be misused."

Unfortunately, such a policy, short of banning a student from using his/her *own* calculator, could not beat technology. For example, it is easy to imagine a calculator that can be activated only by a (say 10 digit) PIN. Today's photocopiers can operate in this fashion. The new trick is to require periodical input (say every 3 minutes) of the PIN. If the PIN is not typed in in time, the calculator locks itself, and starts scrambling some parts of the memory (using the PIN as key), then erases the key from memory afterwards. To find any evidence of wrongdoings, the memory section in question has to be examined within 3 minutes.

The basic point is that if a student has his/her own Trusted Computing Base, no one can beat him/her. If this is not true, nobody would work in the field of computer security today. So ban the calculators, or supply "official" ones during exams.

Li Gong, ORA Corp, 675 Mass Ave, Cambridge, MA, USA.

------------------------------

Date: Tue, 25 Feb 92 11:16:44 EST
From: jbs@congruent.com
Subject: Re: Proposal for policy on calculator use during exams (Bezenek 13.16)

You might want to consider portable computing devices with wireless communications capabilities (packet, cellular, etc.)!
Jeffrey Siegal

------------------------------

Date: Wed, 26 Feb 92 17:25:43 GMT
From: From A to B
Subject: Re: Proposal for policy on calculator use during exams (Bezenek 13.16)

At the risk of starting a lengthy and somewhat off-topic debate, I'd like to remark that I don't think there's actually any technological risk involved here.

The "problem" is that calculators with memories enable students to store data and retrieve it during the exam. The only reason this is a "problem" at all is that almost all exams are based around parrot-style repetition of memorized "facts".

The solution to the "problem" is to allow all students to take in whatever reference materials they like. Then the examination will necessarily have to be a real test of problem-solving ability rather than a test of the candidate's ability to regurgitate memorized data.

Of course, the problem then is that ability in examinations might in some way tally with the candidate's ability to work in real-world situations.

> The calculating device shall remain in the possession of the
> proctor until the contents of its memory--both vendor supplied and user
> programmed--can be examined.

What exactly are you going to do about the "vendor-supplied" part of the memory? Many calculators now have common physical constants stored in their ROMs; is that unfair to those who aren't allowed to take in a databook? If so, doesn't that mean that allowing people to take in a calculator which performs logarithms or statistical functions is unfair to those not allowed to take in log tables or statistical analysis reference books?

mathew

------------------------------

Date: Mon, 24 Feb 92 20:32:00 EST
From: smb@ulysses.att.com
Subject: Re: Carpal Syndrome reports rise sharply (Cooper)

Brint Cooper states that all sufferers from carpal tunnel syndrome that he knows are cashiers, and that none of the computer folks he knows suffer from it. He goes on to wonder if stress may play a role.
I can't answer that question, but I can state, from both first-hand and second-hand knowledge, that computer users do indeed suffer from carpal tunnel syndrome. In my own case, the carpal tunnel syndrome is fairly mild -- but I have bad problems with tendonitis. Nor was the orthopedist in any doubt about what caused my symptoms -- his first question to me was ``do you use a computer keyboard much?'' He went on to state that most of his patients with tendonitis of the wrist or elbow, or carpal tunnel syndrome, were heavy computer users.

That aside, I also know of several others who have suffered from both problems, including at least one who needed surgery. Psychological stress may contribute -- but don't discount the purely-mechanical.

--Steve Bellovin

------------------------------

Date: Tue, 25 Feb 92 0:24:28 EST
From: Brinton Cooper
Subject: Re: Carpal Syndrome reports rise sharply

No, I don't discount the physical causes of carpal syndrome, tendonitis, and other occupational risks of keyboards. But I must tell you of my daughter who had such a case of tendonitis at age 14 that her hand literally locked up at the (piano) keyboard during a music lesson. I don't believe I'm violating her privacy to relate that this was a very stressful time for her for many reasons.

Today, 15 years later, she's got a handle on the stress. Also, she can and does play piano for 5-6 hours at a time. It's necessary; it's how she makes her living.

Physicians and others who are looking for the connection between computer keyboards and orthopaedic disease must consider the stress factors. I'd HATE to spend 8-9 hours per day keyboarding credit card information for VISA, but I've often spent that much time and more at keyboards building software, doing computations, and writing scientific reports.

If we're going to build a low-risk workplace, we must address *all* the risks, not merely those that are fashionable.
_Brint

------------------------------

Date: Tue, 25 Feb 92 11:14 MET
From: rmoonen@hvlpa.att.com
Subject: Carpal Syndrome (Cooper)

I know several sufferers of CTS, and all of them are musicians. My mother was operated on both wrists, and she never had any problems with it any more. Likewise with the other musicians I know. (Most notably string players) Here at work also I know of at least one case, in which the sufferer was a programmer. So also keyboard action can give it you for sure. I am pretty sure that stress and other psychological factors are involved, but bad muscular techniques are the no. 1 cause.

--Ralph Moonen

------------------------------

Date: Tue, 25 Feb 92 10:34:25 EST
From: pubmail!barth@uu2.psi.com (Jeremy Barth)
Subject: Carpal Syndrome: Is it just psychosomatic? (Cooper)

I detect a dangerous elitism in this kind of observation. The author makes a sociological generalization based upon a tiny, non-random observational sample with no controls. We all tend to do this, but let's recognize that it's sloppy thinking.

Just two points (the first about the social categories affected, the second about cultural anthropology):

1. The syndrome occurs in all kinds of work environments. In my own personal sphere, which again is non-representative, two of my friends suffer from the syndrome. They're Associated Press reporters in a fancy, white-collar New York office who work on outmoded, non-ergonomic keyboards that are holdovers from AP's early computerization efforts. There's a potentially precedent-setting class action suit wending its way through the courts involving numerous AP reporters who report the syndrome. There are people in their early 30's who can't do simple things without pain, like raising a full cup of coffee to their lips.

2. If you've studied anthropology, you know how hard it is to "see your own kind." All social theorizing has built into it lots of preconceptions we're only minimally aware of.
Brinton says he's not aware of reports among his colleagues of CT syndrome; having worked for 2 years in a fast-paced immunology research lab, I would suggest that many hard-driven people choose to ignore substantial pain in pursuit of their goals. (Ever heard about the football player who had his pinkie cut off, rather than submit to a lengthy course of surgery, so he wouldn't have to miss 4 weeks of the season?)

Jeremy Barth

------------------------------

Date: Tue, 25 Feb 1992 19:34:31 GMT
From: simona@panix.com (Simona Nass)
Subject: Risks of making judgments about job satisfaction (Helegesen)

Do harp players have low job satisfaction? Are they doing it only for the money? It's probably inaccurate to say that all cashiers/secretaries/etc. are unhappy in their jobs. While these exceptions may not entirely refute your anecdotal evidence, I think a better causal explanation can be found. Even if most people getting CTS are not satisfied with their jobs, you need something that explains why those who are satisfied also develop it. Something involving the type of repetitive movement is probably a more proximate cause of the injury.

I wonder if the low incidence of CTS among your computer lab friends is explained by the way they type? Do most programmers touch-type using all ten fingers? Also, how fast do they really type, anyway? I type between 50 and 90, depending on the keyboard. Someone can manage to type fairly quickly (tho' not 90 wpm) using a few fingers, but the TYPE of repetitive movement is different. Also, most computer programmers can't type as quickly when they actually have to compose what they are typing. Some of their time is also spent searching, scanning the text, compiling, munching M&Ms ... :)

-S.

-- 
Disclaimer: I am not an attorney, though I do have an opinion on everything.
( simona@panix.com or {apple,cmcl2}!panix!simona )

------------------------------

Date: Tue, 25 Feb 92 16:25:58 EST
From: Brinton Cooper
Subject: Carpal Risks

I didn't expect the reaction that my piece on the relative risks of the physical act of repetitive keyboarding and of the psychological pressure under which many keyboard users must work.

Clearly, the risks attributable purely to repetitive keyboarding, improper terminal and chair adjustments, lack of breaks, poor lighting, etc overwhelmingly dominate the issue. While I remain committed to being alert to the effects of stress, I yield to the many thoughtful people who wrote to me and spoke, often sadly, of colleagues and associates who live with chronic pain directly attributable to such work. A few have even been ruled permanently disabled.

This is worse than unfortunate, and I fear I misguided myself on the issue.

_Brint

------------------------------

Date: Wed, 26 Feb 92 08:52:16 +0100
From: Torsten.Lif@eos.ericsson.se
Subject: Re: Carpal Syndrome reports rise sharply (Cooper)

Let me then point out another major group of CTS sufferers who are (at least) as highly motivated as any hacker: Cyclists. Especially the ones who also do a lot of keyboard work, but even some who do no keyboard/computer work have been afflicted. [...]

Having worked in a similar environment without any ill effects, I was more than dismayed when I started showing the classical symptoms of repetitive motion syndromes after I transferred to computer support. A period of very informal empirical studies (I experimented :-), indicated that the culprit was the type of work, not the system hardware.

In essence: Using my SUN workstation as a word processor to enter large amounts of text (on subjects I find interesting and stimulating) is very prone to give me various pains and numbness symptoms in neck, shoulders, arms and hands. Using the same workstation to edit and debug programs is much less fatiguing.
I can easily do programming work for a full workday without problems. Just a couple of hours of word processing is enough to give me back all the problems.

I started looking at how I work in these two situations and came to the conclusion that the difference is quite large. Entering text I type for long unbroken periods, moving my arms very little. Editing source code (even when entering it the first time), I move about much more. I use the mouse and/or cursor keys to go back and correct an indentation; I copy a chunk of code I'm too lazy to write again; I look at the debugger, resting my chin in my hand while I try to figure what's wrong; I click the "Step" button and stare in disbelief as the program takes the wrong branch in a "switch"; I scratch my head and take a sip of tea. In other words, programming work is much less (physically) monotonous.

|> What part does psychological or emotional stress play in the
|> development of repetitive-motion disorders?

It wouldn't surprise me if the presence of stress hormones in the body aggravates the problems but my belief is that the nature of the work is much more important. And it is possible that I like programming better than documenting (who doesn't? :-) to the extent where this causes part of the difference for me. But I don't think this accounts for all of it. If it did, why would writing articles for UseNet cause similar pains?

Torsten Lif, Ericsson Telecom AB, EO/ETX/TX/ZD, S-126 25 STOCKHOLM, SWEDEN
Phone: +46 8 719 4881

------------------------------

Date: Wed, 26 Feb 92 15:00:16 GMT
From: ccmj@dcs.edinburgh.ac.uk
Subject: (More on) Carpal Syndrome (Cooper)

I disagree with the theory. I spend a lot of time *sitting* at a keyboard and so do many others here. But we don't spend a lot of time bashing keys with our fingers because we frequently stop to think. I'm sure other computing labs are the same.
People like us don't come anywhere near the kind of keystrokes an hour achieved by people doing repetitive keyboarding jobs like copy-typists, data entry clerks etc. If a job requires some tedious keyboarding, we typically have the freedom, knowledge and hardware required to automate it. Mostly people here complain about eyestrain and backache, not carpal tunnel syndrome.

I would also caution Mr Cooper that his theory is liable to misinterpretation by those who would like to dismiss such injuries as malingering by people who want to get out of boring jobs.

-- Claire Jones  ccmj@dcs.ed.ac.uk

------------------------------

End of RISKS-FORUM Digest 13.19
************************