28-Oct-86 16:06:13-PST,12966;000000000000 Mail-From: NEUMANN created at 28-Oct-86 16:04:07 Date: Tue 28 Oct 86 16:04:07-PST From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS-3.89 DIGEST Sender: NEUMANN@CSL.SRI.COM To: RISKS-LIST@CSL.SRI.COM RISKS-LIST: RISKS-FORUM Digest, Tuesday, 28 October 1986 Volume 3 : Issue 89 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Airplanes and risks (Alan Wexelblat) TSE, Air Canada (Matthew Kruk) Big Bang (Robert Stroud) Physicists on SDI and engineering.. (Herb Lin) ABM, SDI, and Freeman Dyson (Peter Denning) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM) (Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.) ---------------------------------------------------------------------- Date: Tue, 28 Oct 86 11:23:52 CST From: Alan Wexelblat To: risks@csl.sri.com Subject: Airplanes and risks Today's paper has a couple of airplane-related items that got me to thinking. One item is a story on how the FAA is going to adopt strict rules for small aircraft in busy airspaces and establish a system to find an punish pilots who violate these rules. The question this brought to mind is: is this the right approach for the FAA's problem? How about for computer systems? Can (or should) we manipulate the user so that he uses the system the way we designers intended it to be used? Is training the answer (as suggested by the Navy emergency stories)? The next item is an analysis of the emergency aboard the Thai jet. Apparently the fault is similar to the one that doomed the JAL 747 that crashed recently in Japan. The factor that made the difference -- according to Hiroshi Fujiwara who is deputy chief investigator of Japan's Aviation Accident Investigation Commission -- was that the Thai Airbus A-300 retained hydraulic control of the flaps and rudder on the tail. Both the 747 and the A-300 have triply-redundant hydraulic systems, but on the 747 all three pass through the rear bulkhead in the same opening. Thus all three were ruptured at once. On the A-300 there are three separate openings and while two of the systems were ruptured in the Thai jet, the third remained usable. The related question is: can we make use of this feature in computer systems (hardware or software)? That is, if a program has three ways of doing something can we isolate them so that a bug somewhere doesn't simultaneously cripple all three? Can we (given needs like security) separate computer hardware so that it is much more difficult to simultaneously destroy primary and backup hardware? Comments and discussion welcomed. Alan Wexelblat ARPA: WEX@MCC.ARPA or WEX@MCC.COM UUCP: {seismo, harvard, gatech, pyramid, &c.}!ut-sally!im4u!milano!wex ------------------------------ Date: Mon, 27 Oct 86 10:46:30 PST From: Matthew_Kruk%UBC.MAILNET@MIT-MULTICS.ARPA To: NEUMANN@CSL.SRI.COM Subject: TSE, Air Canada ReSent-To: RISKS@CSL.SRI.COM No doubt you will hear more about these items from better informed sources. I merely heard brief summaries on the morning news today (Monday, 27th). 1. The Toronto Stock Exchange computer went down for about 5 minutes this morning. No cause given (yet). 2. A fire in a building, which houses the main computer (reservations?) of Air Canada, in Montreal. An Air Canada official cannot predict the effect on people holding advance registration. Damage cost estimates run in the millions. Presumably there will be more information in tonight's paper. I'll try to get a summary out as soon as I can. ------------------------------ From: Robert Stroud Date: Tue, 28 Oct 86 19:42:40 gmt To: risks@csl.sri.com Subject: Big Bang [Also noted by Martin Minow. Thanks.] Yesterday, October 27th, was the day of the Big Bang in the City - a revolution in the way in which the Stock Exchange is organised. Basically, three things happened - the market was opened to foreigners, the distinction between jobbers (who trade on their own account) and brokers (who buy and sell on behalf of clients) was abolished (thereby introducing potential conflicts of interest and necessitating the erection of so-called Chinese Walls to prevent this), and finally, guaranteed minimum commissions were removed, making things much more competitive. Wall Street went through something like this on May Day a few years ago. Anyway, these three changes led to the introduction of new computing systems developed in something of a rush to meet yesterday's deadline. Most important of these was the Stock Exchange Automated Quotation system (SEAQ) which several companies had to switch to by default at the last minute when they realised that their in-house systems would not be working in time. SEAQ provides information over the Topic network to 10,000 terminals about share prices - dealing is still done manually (at least until next year) although the SEAQ system is supposed to be updated continuously to reflect the trading. There was a full-scale rehearsal last week when the Stock Exchange opened on a Saturday for the first time in its history. Not everything went smoothly and there were complaints about prices not being updated for as long as 20 minutes, making it possible to buy at one price and simultaneously sell at another. However, as late as Sunday afternoon, the chairman of the Stock Exchange Council was defiantly challenging anyone to demonstrate that this was still a problem. Well, I'm sure that RISKS readers can guess what happened on Monday morning. The system lasted half an hour before it broke down at 8.30am! Although it was later up and running, and the problem was with the antiquated Topic network rather than the SEAQ system itself, there are fears that it could happen again under crisis. Apparently, this failure was caused by curiosity - everybody wanted to try out the new system at once, and it couldn't cope. Curiosity is an interesting example of human behaviour causing a computer system to fail. I believe the telephone companies have a similar problem on Mother's Day when the pattern of usage is abnormal. Another example of human behaviour has been the reaction of the dealers to the new system, to some extent invalidating the whole concept. Only time will tell whether this is just suspicion of a new technology or a real problem. However, at present the dealers are rather wary and are therefore only offering small deals on the system (up to 1000 shares) so that the big deals (100,000) are still negotiated over the telephone. This is partly a defensive move because the system is (rightly or wrongly) perceived as being slow, making it possible to offer unrealistic prices not in line with the market - the real market is off the screen. Equally, some market makers "are playing complicated games to test their competitors and this is likely to become a feature of the new markets". One dealer has even gone so far as to describe the SEAQ terminals as "useless". [This paragraph extracted from an interesting article in today's Times entitled "New screens 'fail to catch full deals'" by Richard Thomas] Naturally, there has been a wealth of material about all this in the media recently, and today, all the papers are competing with each other for puns on Big Bang! When the dust settles on this most public of failures, RISKS archaeologists will have plenty of relics to excavate. Here is one of the more technical articles, reproduced without permission from today's Times, (28th October p.21) Robert Stroud, Computing Laboratory, University of Newcastle upon Tyne. ARPA robert%cheviot.newcastle@ucl-cs.ARPA (or cs.ucl.ac.uk if you trust domains!) UUCP ...!ukc!cheviot!robert ++++++++++++++++++++++++++++++++++++++++ "Big Bang shambles as computer breaks down - Goodison blames Topic subscriber's curiosity" by Michael Clark (c) Times Newpapers PLC Yesterday's disastrous debut for the Stock Exchange Automatic Quotations system was a prime example of Murphy's Law: "If something can go wrong, it will". But the problems encountered by dealers on the trading floor stemmed from technical problems at Topic, the Stock Exchange's own tried-and-tested screen-based information system. Topic went off the air at 8.30am - a crucial time for traders hoping to establish the price of stocks ahead of the official start of dealings at 9am - and stayed down for more than an hour, apart from one intermission. The break also resulted in all operations on SEAQ being suspended for the same period. Stock Exchange officials blamed a breakdown in the link between Topic and SEAQ. Market-makers feed their prices into the SEAQ computer which are then updated and displayed on the 10,000 Topic terminals situated in the City offices of brokers and fund managers. Sir Nicholas Goodison, chairman of the Stock Exchange Council, described Topic as the world's eye on the market and said that although it had enjoyed a high level of reliability, it was six years old and considered fairly antiquated by today's standards. A Stock Exchange spokesman quickly blamed curiosity for the failure: "The system cannot handle all the Topic sets being used at the same time." Topic was operating at maximum capacity yesterday, receiving 12,000 page requests a minute, or 200 per second. [SEAQ itself is designed to handle 40 transactions per second, but the maximum demand yesterday was 22 per second.] Sir Nicholas said that the system had suffered a small setback which had been put right. He said that Topic had been overwhelmed by the number of page changes which, normally, it would not have to cope with. Most of it was simply curiosity by subscribers. "If you want to put a monkey, or a dodo in a zoo, everyone will want to look at it on the first day," he said. But it is still possible the breakdown could happen again. SEAQ encourages dealers and fund managers to use its screens more and a sudden surge of business may overload Topic. The Stock Exchange's technical officers say there are only a few adjustments that can be made to Topic. One may be to introduce an automatically triggered queuing system which limits the number of subscribers using the system at any one time. But many dealers fear this could lose them business. Meanwhile, there were still complaints from market makers about the time it took for a price change to appear on Topic after dealing. There were reports of delays up to one hour. Sir Nicholas said these would be checked but still blamed market makers' own internal systems for the delay. ------------------------------ Date: Mon, 27 Oct 1986 20:01 EST From: LIN@XX.LCS.MIT.EDU To: risks@CSL.SRI.COM Subject: Physicists on SDI and engineering.. From: decvax!utzoo!henry at ucbvax.Berkeley.EDU Hmmm. If a group of aerospace and laser engineers were to express an opinion on, say, the mass of the neutrino, physicists would ridicule them. But when Nobel Laureates in Physics and Chemistry express an opinion on a problem of engineering, well, *that's* impressive. I simply point out that the Manhattan Project was run by a bunch of physicists. The H bomb was transformed from an 80 ton clunker to a practical device by physicists. These were "mere" engineering problems too. ------------------------------ Date: Tue, 28 Oct 86 11:10:29 pst From: Peter Denning Subject: ABM, SDI, and Freeman Dyson To: neumann@sri-csl ReSent-To: RISKS@CSL.SRI.COM In RISKS 3.83, Ken Dymond noted that the ABM (anti ballistic missile system) debate of the early 1970s is similar to the SDI debate of the mid 1980s, and asked for sources that might shed light on the past debate. Here's one source known to me: Chapter 7 in Freeman Dyson's WEAPONS AND HOPE is an excellent analysis of the ABM debate. He compares that debate with the ``star wars'' debate and finds both similarities and differences. He sees a role for (nonnuclear) ABM systems in a nuclear-free world, and expresses the hope that the ABM debate will one day be reopened. In contrast, he considers ``star wars'' a technical folly, for reasons having little to do with the reliability of the software systems. Peter Denning ------------------------------ End of RISKS-FORUM Digest ************************ -------