9-Aug-86 17:28:28-PDT,14766;000000000000
Mail-From: NEUMANN created at 9-Aug-86 17:26:13
Date: Sat 9 Aug 86 17:26:13-PDT
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS-3.34
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Saturday, 9 August 1986  Volume 3 : Issue 34

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Non-Flying Airplanes and Flying Glass (Jim Horning)
  Failure Recovery, Simulations, and Reality (Danny Cohen)
  Ottawa Power Failure (Dan Craigen)
  Liability for Software Problems (Peter G. Neumann)
  Ozone hole (Hal Perkins)
  Re: Survey of Trust in Election Computers (Chris Hibbert)
  Nondelivery of RISKS-2.38 (8 April 1986) and other mail
    (Communications Satellite [and PGN])

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.  Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

Date: Fri, 8 Aug 86 14:45:04 pdt
From: horning@src.DEC.COM (Jim Horning)
To: RISKS@CSL.SRI.COM
Subject: Non-Flying Airplanes and Flying Glass

A number of people sent me information about the myth that the design flaw in the Electras wasn't caught because of an undetected overflow.  (The most detailed information came from someone who wishes to remain anonymous.)  Putting it all together, I am now convinced that the problem was not undetected overflow.  Rather, it was a failure to simulate a dynamic effect (gyroscopic coupling) that had never been significant in piston-engined planes.  So another myth bites the dust.
But the true story should remind us that simulations are only as good as the assumptions on which they are based.

I solicit similar clarification of the story of the (then) new John Hancock Building in Boston (the one that resonated and shed many of its exterior glass panes when the wind came from a certain direction).  I know that there was litigation about who was responsible for the additional costs: replacing the glass; installing a huge lead deadweight mounted on shock absorbers in an upper story to damp the oscillation; etc.  I don't recall the final outcome.  I do remember reading that there was a very narrow range of wind directions that would excite the resonance, and that the simulations of the design had unluckily missed that range.

Maybe some readers of Risks know the details?  Has there been a book or magazine article that explored the computer angle (if indeed there is one)?

Jim H.

------------------------------

Date: 8 Aug 1986 18:38:58 PDT
Subject: Failure Recovery, Simulations, and Reality
From: COHEN@B.ISI.EDU
To: RISKS FORUM (Peter G. Neumann -- Coordinator)

In RISKS-3.27 Stephen Little, Computing & Information Studies, of Griffith Uni, Qld, Australia, reported that:

    I have been told of one major accident in which the pilot followed the drill for a specific failure, as practiced on the simulator, only to crash because a critical common-mode feature of the system was neither understood nor incorporated in the simulation.

Being a pilot I find this report most important and interesting.  I am sure that the readers of RISKS would be better served by having evidence to support such reports.  Major (and responsible) newspapers have verification procedures.  Since RISKS cannot afford this I'd be delighted to help this process.  The best way to verify such a report is by a reference to the official accident investigation report.
I'd be delighted to pursue this reference myself if anyone can give me details like the date (approximately), place (country, for example), or the make and type of the aircraft.  This is a plea to provide me with this information.

Danny Cohen.

    [This is a very nice offer, and I hope someone can provide enough details to take you up on it!  PGN]

------------------------------

Date: Sat 9 Aug 86 14:47:36-CDT
From: Dan Craigen
Subject: Ottawa Power Failure
To: risks@CSL.SRI.COM

A brief fire at Ottawa Hydro's Slater Street station on the morning of August 7th resulted in a loss of power to a substantial section of the downtown core.  Even after 48 hours of effort, sections of the city were still without power.

[From the Ottawa Citizen (Friday, 8 August 1986)]

Top officials from Ontario and Ottawa Hydro today [Friday] are re-examining long accepted system reliability standards...  Ottawa Hydro engineering manager Gordon Donaldson said ``the system is built to be 99.99 per cent reliable ... now we will be looking at going to another standard of reliability -- 99.999 per cent.''  He also said that the cost would be huge -- many times the $10 million cost of the Slater Street station -- and hydro customers may not be prepared to accept the cost.  ...

The Slater station is the biggest and was considered the most reliable of the 12 across the city.  It has three units, each of which is capable of carrying the whole system in an emergency.  But ... all three were knocked out.  ...

The culprit, an Ontario Hydro board [called a ``soupy board''] which monitors the equipment at the substation, didn't even have anything directly to do with providing power to the thousands of people who work and live in the area.  ...  its job is to make the system safer, cheaper and more reliable....  The board is considered so reliable that it doesn't have its own backup equipment.  [!]

The economic costs of the power failure are expected to be in the millions of dollars.
It is unlikely that the Ottawa birthrate will increase.  As columnist Charles Lynch noted: ``The Ottawa power failure took place during the breakfast hour, not normally a time when Ottawans are being polite to one another, let alone intimate.''

We, at I.P. Sharp (Ottawa), lost both our VAXs; I have been unable to get onto Tymnet for the past two days; ATMs as far as 100 miles distant from Ottawa were knocked out of commission -- the central computer that controls them is in the area of outage; many traffic signals are still out; and a number of businesses are still shut.

Dan Craigen

    [Add this to the growing collection of problems in which a redundant system failed because of a weakest link in the redundancy itself!  PGN]

------------------------------

Date: Sat 9 Aug 86 11:48:40-PDT
From: Peter G. Neumann
Subject: Liability for Software Problems
To: RISKS@CSL.SRI.COM

All week long I have been waiting for either someone else to submit it or for me to have a few spare moments to enter it: an item from the Wall Street Journal of last Monday, 4 August 1986, "Can Software Firms Be Held Responsible When a Program Makes a Costly Error", by Hank Gilman and William M. Bulkeley.  A few excerpts are in order.

    Early last year, James A. Cummings Inc. used a personal computer to prepare a construction bid for a Miami office-building complex.  But soon after the bid was accepted, the Fort Lauderdale firm realized that its price didn't include $254,000 for general costs.

    Cummings blamed the error on the program it had used, and last October filed suit in federal court in Miami against the software maker, Lotus Development Corp.  The suit, which seeks $254,000 in damages, contends that Lotus' "Symphony" business program didn't properly add the general expenses, resulting in a loss in completing the contract.  Lotus, based in Cambridge, Mass., disputes that contention, arguing that Cummings made the error.

    The case, however, has had a chilling effect on the software industry.
    For the first time, industry officials say, a case may go to court that could determine if makers of software for personal computers are liable for damages when the software fails.  Some software makers also worry that such a case, regardless of the outcome, may lead to other suits by disgruntled consumers.  [...]

    Software makers are particularly concerned about paying for damages resulting from faulty software -- rather than just replacing the software.  Such "consequential" damages have been awarded in suits involving larger computers.  Other types of damages from computer disputes "come from saying what benefits you were supposed to get compared with what benefits you didn't get," says Richard Perez, an Orinda, Calif., lawyer.  Mr. Perez won a $2.3 million judgment against NCR Corp. for Glovatorium, Inc., a dry cleaner that said its computers didn't work as promised.

The article goes on to note that most PC software comes on an "as-is" basis, which doesn't provide for correction of errors.  Under the limited warranties, the buyer does not even "own" the program.  Illinois and Louisiana have passed "shrink-wrap" laws which imply that when you open the package, that is equivalent to signing a contract that lacks guarantee and prevents copying.

In the case of Cummings, they noticed they had left out the general costs, and added them as the top line of a column of figures.  The new entry showed on the screen, but was not included in the total.  Keep your eyes open for whether the blame is placed on a naive user not following his instructions, or on the software not doing what it was supposed to (or both).

------------------------------

Date: Fri, 8 Aug 86 03:17:48 EDT
From: hal@gvax.cs.cornell.edu (Hal Perkins)
To: risks@csl.sri.com
Subject: Ozone hole

In response to PGN's request for sources on the ozone hole...

The New York Times' Science Times section on July 29, 1986 had a long story on this (it starts on page C1).
The gist of the story is that there's a big hole in the ozone layer over the south pole, nobody knows how it got there, nobody knows what it means, it could be a very serious problem, and scientists are investigating the situation.

As for computers and such, here are a couple of relevant paragraphs:

    "The initial report of the hole by British scientists in March 1985 caused little excitement, partly because the British team in Antarctica was not well known among atmospheric scientists.  Also, since their data came from ground instruments measuring the ozone in a direct line upward, they did not show the extent of the hole.

    "But later last year, scientists at the National Aeronautics and Space Administration produced satellite data confirming the British findings and showing how big the hole was.  NASA scientists found that the depletion of ozone was so severe that the computer analyzing the data had been suppressing it, having been programmed to assume that deviations so extreme must be errors.  The scientists had to go back and reprocess the data going back to 1979."

------------------------------

Date: Fri, 8 Aug 86 10:30:03 PDT
From: Hibbert.pa@Xerox.COM
Subject: Re: Survey of Trust in Election Computers
To: hyde%vax4.DEC@decwrl.DEC.COM
cc: risks@CSL.SRI.COM

I'm afraid your questions are too vague for me to give yes or no answers.  (I hope you'll give a count of non-respondents when you tell us how many YESes and NOs you got.)

I'm not at all sure what it would mean for a voting system to allow me to monitor how it worked.  Would it print out a trace of its execution?  Would it let me know the running total of votes it had collected?

What would it mean for the system to allow me to inspect the ballot it cast for me?  Does that mean the "computerized" aspect is merely a printer for ballots that will be counted later by hand or some other computer?
Or does that mean that before I accept my votes it displays a summary for me to approve, and it then adds them into its running total?

I'm not convinced I would ever trust a system that only kept running tallies in software.  If there aren't paper ballots printed, then there is no way to recheck the results.  In this situation, the machine that later counts the paper ballots is much more important, and your questions don't address this part of the process.

Chris

    [We await Kurt Hyde's results...]

------------------------------

Date: Fri, 8 Aug 86 19:43:54 EDT
From: Communications Satellite
Subject: [Nondelivery of RISKS-2.38 (8 April 1986) and other mail]
To: RISKS@CSL.SRI.COM

============ A copy of your message is being returned, because: ============
"HEWITT-RISKS" at MC.LCS.MIT.EDU is an unknown recipient.
============ Failed message follows: ============
Received: from MX.LCS.MIT.EDU by MC.LCS.MIT.EDU via Chaosnet; 8 AUG 86 19:42:12 EDT
Date: Tue 8 Apr 86 21:15:55-PST
From: RISKS FORUM (Peter G. Neumann, Coordinator)
[REST OF MESSAGE TRUNCATED...]

    [For the past week or so, I have been getting sequential notices of undeliverable mail from "Communications Satellite" -- four months after the original mailings of RISKS, and just another risk of running a forum.

    There was a news item last week about an entire bag of US mail from aboard the Liberty Ship Caleb Strong from World War II (May 1944) that was just found undelivered by an exterminator in an attic in North Carolina.  The Postal Service is trying to find the addressees, but was quick to add that it did not happen on their shift!  (It blamed a soldier, who has since died.)

    Here are two related items that I just happen to have filed away.  Herb Caen's SF Chron column of 18 December 1973 noted a 1940 calendar mailed in 1939 to a customer in Utah that was returned "Addressee Unknown" during that week in 1973.
    The Martha's Vineyard Gazette of 30 March 1973 noted a postcard mailed in Asbury Park NJ, postmarked 11 August 1914, addressed to West Summit NJ and forwarded to Edgartown, Mass.  It arrived at that post office on 26 March 1973.

    With sleet and snow and dark of night, now computers are doing it, too -- and they don't even need to find excuses.  PGN]

------------------------------

End of RISKS-FORUM Digest
************************
-------
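The ozone item in this issue describes an analysis program that discarded readings so extreme that it had been programmed to treat them as errors. The following is an added example, not code from the digest or from NASA, contrasting that silent suppression with a validation step that sets out-of-band readings aside and flags a sustained run of them for human review; the readings, the plausibility band and the run-length threshold are all constructed for the illustration.

```python
"""Silent suppression versus quarantine of out-of-band readings."""
from typing import List, Tuple

# Constructed sample (not real data): total ozone in Dobson units, one reading
# per day, with a four-day dip far below what the band below treats as plausible.
READINGS: List[float] = [300.0, 305.0, 298.0, 310.0,
                         215.0, 210.0, 205.0, 212.0,
                         300.0, 302.0]

# Assumed plausibility band, chosen for the example and not taken from any real system.
PLAUSIBLE_LOW, PLAUSIBLE_HIGH = 250.0, 400.0


def suppress_outliers(readings: List[float],
                      low: float = PLAUSIBLE_LOW,
                      high: float = PLAUSIBLE_HIGH) -> List[float]:
    """The failure mode in the digest: out-of-band values vanish and nothing records it."""
    return [r for r in readings if low <= r <= high]


def quarantine_outliers(readings: List[float],
                        low: float = PLAUSIBLE_LOW,
                        high: float = PLAUSIBLE_HIGH
                        ) -> Tuple[List[Tuple[int, float]], List[Tuple[int, float]]]:
    """Keep in-band values; set aside out-of-band ones with their index so they can be reviewed."""
    kept, held = [], []
    for i, r in enumerate(readings):
        (kept if low <= r <= high else held).append((i, r))
    return kept, held


def longest_rejection_run(held: List[Tuple[int, float]]) -> int:
    """Longest run of consecutive rejected indices: isolated glitches are short, a trend is long."""
    best = cur = 0
    prev = None
    for i, _ in held:
        cur = cur + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, cur)
        prev = i
    return best


def review_needed(readings: List[float], max_glitch_run: int = 2) -> bool:
    """True when rejections cluster into a run longer than an instrument glitch would produce."""
    _, held = quarantine_outliers(readings)
    return longest_rejection_run(held) > max_glitch_run


if __name__ == "__main__":
    print("suppressed:", suppress_outliers(READINGS))
    print("review needed:", review_needed(READINGS))
```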