5-Nov-86 19:43:41-PST,12343;000000000000
Mail-From: NEUMANN created at 5-Nov-86 19:41:53
Date: Wed 5 Nov 86 19:41:53-PST
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS DIGEST 4.5
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Wednesday, 5 November 1986  Volume 4 : Issue 5

   FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Computer causes chaos in Brazilian Election (Jonathan Bowen)
  Risks of FAA Philosophy ? (Robert DiCamillo)
  Computers and Medical Charts (Christopher C. Stacy)
  Re: Insurgent Squirrel Joins No-Ways Arc (rsk)
  Micros in Car engines (Peter Stokes)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, nonrepetitious.  Diversity is
welcome.  (Contributions to RISKS@CSL.SRI.COM, Requests to
RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.  MAXj: Summary
Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date: Tue, 4 Nov 86 15:23:54 GMT
From: Jonathan Bowen
To: RISKS@csl.sri.com
Subject: Computer causes chaos in Brazilian Election

From Daily Telegraph, Monday November 3rd:

``Hundreds of thousands of Brazilians may not be able to vote in the
forthcoming general election because of bureaucratic bungles.  ... only 70%
of the electorate have been issued with the essential voting card.  ....
queues and frayed tempers are a result of a 30 million pound [c $42 million]
computerisation programme which was designed to streamline voting and
eliminate fraud.  ... Flaws in the system only became evident when
distribution started three weeks ago.  ... [the computer] has been
programmed to cancel all duplicate applications in order to weed out
fraudulent "phantom" voters.  ... while it showed that 1,400 dead people had
voted for the mayor in the north-eastern town of Teresinha last year, and
100,000 falsified cards were in circulation in the southern state of Santa
Catarina, it also cancelled legitimate names.  Programmers overlooked that
twins are born on the same day to the same parents.  Consequently, the
voting rights of an estimated 70,000 twins were cancelled.  The Federal
Electoral Tribunal in Brasilia is currently wading through 140,000 appeals,
including the case of a certain Jose Francisco, who says all his 14 brothers
were baptised with identical names.  ... It is hoped that all those eligible
will have their cards by the 15th.  Those that do not will have to pay a
4 pound [c $5.50] fine or brave more queues and bureaucracy to prove that
they both exist and have the right to vote.''

Surely these sorts of problems have occurred before in other countries.
What methods are available, if any, to avoid such risks using computers
without human intervention?  Are such problems a result of there not being
*enough* computerised information on the population to start with?

------------------------------

Date: Wed, 5 Nov 86 16:18:19 EST
From: Robert DiCamillo
Subject: Risks of FAA Philosophy ?
To: risks@csl.sri.com

The recent entries in the Risks Journal about collision avoidance systems
reminds me of a comment a professor once made to me about the philosophy of
the FAA.  For many years this professor in the Engineering Design Department
at Tufts University worked on a better engineered cockpit layout and display
system.  This included improvements in human factoring, multi-function
graphic displays to eliminate the number of indicators needed, and more
functionality in the cockpit to allow the pilot to detect and avoid other
aircraft.  After several years of work, where along the way many graduate
students had also contributed, the system was presented to the FAA and
turned down for what the inventors could not fathom as valid technical
reasons.  The system was better, easier to use, and provided the pilot with
more functionality and autonomy over his aircraft and flight path.

The professor noted that the catch was the FAA's "apparent" philosophy that
they don't want the pilots to have more autonomy in determining their flight
path and collision avoidance, as this task is considered the realm of the
ground (air traffic) controllers.  His opinion was that any system that
included decentralization from ground control would be rejected because the
FAA does not want to threaten the job security of air traffic controllers.
This political "unspoken" philosophy of the FAA would still seem to be in
effect, providing you are willing to believe that technical reasons (good or
bad) will be used to defend such political objective(s).  Perhaps the
Honeywell System is just another casualty.

This of course leads to the question of policy making.  Does anyone know if
the FAA charter contains any such implicit endorsement pro or con relative
to evaluating technology ?  Does the FAA even have an agreed upon philosophy
in this regard that is published and accessible to the public ?  Or does
some high ranking, politically inclined, individual have the absolute veto
power within the government (FAA or otherwise) ?  This seems like one of
those issues that will be difficult to substantiate, most suitable to think
about while flying in planes.

Note that the November 1986 issue of the IEEE Spectrum is devoted to "Our
Burdened Skies".  Although I haven't read it yet, I will be interested to
see if there is any reflection (real or ghost) of such an FAA philosophy.

- Robert DiCamillo

------------------------------

Date: Wed, 5 Nov 86 21:33 EST
From: Christopher C. Stacy
Subject: Computers and Medical Charts
To: Elliott S. Frank
cc: risks@sri-csl.ARPA

I talked to an R.R.A. today to get an opinion on PIZZAMAN's story about
taking the medical records information home on his computer.

The hospital sets up regulations to control access to the medical records,
which are carefully guarded as sensitive confidential information.  The
physical record is considered to be owned by the hospital, and the
information is considered to be owned by the patient.  Typically, physicians
are allowed to take copies of medical records to their offices or home in
order to perform work directly related to patient care.  Preparing research
reports is generally considered to be within that scope.  People are
generally not allowed to remove the original physical record from the
hospital, but copies may be OK.  The administrator I talked to didn't think
that it was significant that the information was copied using a computer.
Of course, the physician has a serious responsibility to protect the
information from perusal by random persons, including his family, visitors
to his office, people logging in to his computer over the phone, etc.

So, the opinion of one medical records administrator seems to concur with
that of Dr. Tessler; the people at that hospital probably were over-reacting
inappropriately.  I don't know how well most medical personnel understand
what computers are; the person I talked to currently works for a company
that writes software for hospital administration.  So, this situation
presents the familiar risk of paranoid confusion.

However, I would identify the major risk here as related to computer and
telecommunications security.  This is the same concern as for the hospital
which keeps their actual medical records online.  The two risks can be
related, of course.

If people have other questions or thoughts about this, I would be glad to
forward them along to my friend; she was interested that people were
discussing this sort of thing.

------------------------------

Date: Wed, 5 Nov 86 21:31:22 EST
From: Wombat
To: risks@csl.sri.com
Subject: Re: Insurgent Squirrel Joins No-Ways Arc

Ross's story reminds me of a similar incident which took place at Purdue
about five years ago; a misplaced rodent [in a power transformer] caused
most of the campus to lose power for about half a day.  The university
physical plant crews actually aggravated the situation while trying to fix
it by mis-diagnosing the trouble, in ways that have never been clear.  One
of the physical plant officials was quoted on the front page of the Exponent
(Purdue's daily) as saying "You've got to understand, with electricity you
never quite know what's going on".  I'm sure he was thrilled when a group of
EE students reprinted that quote on T-shirts and proceeded to sell them at a
brisk pace for the rest of the semester.  [I still wear mine!]

Rich Kulawiec, rsk@j.cc.purdue.edu

------------------------------

Date: Wed, 5 Nov 86 11:46:07 pst
From: Peter Stokes
To: risks@CSL.SRI.COM
Subject: Micros in Car engines

My 1986 Ford Mustang has (according to the literature) a micro-processor
controlled engine.  When driving it, you can tell that the engine RPM's are
controlled by something "intelligent" :

- the high idle when cold to normal idle when warm transition has a
  distinctive change sequence as the engine warms up and this response is
  IDENTICAL every morning as I drive to work.

- If you hit the accelerator pedal and let go quickly, the engine speed
  returns to normal in about 3 distinctive steps: 1: a sharp drop of several
  hundred RPM's, 2: a smoother drop to very near the idle speed, and finally,
  3: a small adjustment to the true idle speed.

- If you disengage the clutch while the car is moving (first step in gearing
  down), the engine speed drops quickly to a low of 200 RPM's (I can
  sometimes feel it shudder) and then the processor corrects this with a
  "shot of gas".  If you leave your foot on the clutch and just coast, you
  can observe the tachometer settle on the idle speed after a small amount
  of overshoot and undershoot.

- and finally, if you try to stall the car (starting off in first gear
  without pushing the gas for example), the processor responds by trying to
  keep the engine speed at idle speed.

My Question...  What are the risks in buying and driving an automobile with
a computer controlled engine?

Safety: What are the odds of a malfunction causing acceleration?

Performance: Is this a feature?  Will the benefits of the microprocessor
control continue to serve as the engine grows old and changes?

Service: Can a "Saturday Morning Mechanic" still tune his/her car or is
specialized equipment now a pre-requisite for the job?

Safety: Can the control over the engine be affected by an external source
(e.g. radio transmitter)?  I have noticed erratic engine idle while in an
automatic car wash....

Peter Stokes
Envoy100: cmc.vlsiic  (...usual disclaimer...)
CDNnet: stokes@cmc.cdn
BITNET: stokes@qucdncmc.bitnet

   [...probably not much risk in BUYING one, but DRIVING ONE is another
   matter.  Since you probably do not read every line of RISKS, let me
   remind you of the following cases, summarized in RISKS-4.1.  (The
   Mercedes case was noted in RISKS-2.12.)  PGN]

AUTOMOBILES:
  Mercedes 500SE with graceful-stop no-skid brake computer left 368-foot
    skid marks; passenger killed (SEN 10 3)
  Sudden auto acceleration due to interference from CB transmitter (SEN 11 1);
    Microprocessors in 1.4M Fords, 100K Audis, 350K Nissans, 400K Alliances/
    Encores, 140K Cressidas under investigation (SEN 10 3)
  El Dorado brake computer bug caused recall of that model [1979] (SEN 4 4)
  Ford Mark VII wiring fires: flaw in computerized air suspension (SEN 10 3)

------------------------------

End of RISKS-FORUM Digest
************************
-------
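Editor's note, appended after the digest: the duplicate-cancellation rule in Jonathan Bowen's Brazilian election item above (cancel every application that matches another on the fields the programmers chose) is easy to reproduce and worth seeing in code. The Python below is an added example by the editor, not code from the digest or from the Brazilian electoral system; the record layout, the names, and the "hold for review" handling are assumptions made for illustration. It places the over-coarse key that cancels twins beside a key that also includes the applicant's name and routes exact repeats to human review rather than cancelling them outright.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    """One voter-card application (constructed record layout; an assumption)."""
    app_id: str
    name: str
    birth_date: str   # ISO 8601 date
    mother: str
    father: str


# Constructed sample input (not real data): a pair of twins, two brothers
# who were given identical names but have different birth dates, and one
# applicant who genuinely applied twice.
SAMPLE = [
    Application("A1", "Ana Silva", "1960-03-12", "Maria Silva", "Joao Silva"),
    Application("A2", "Beatriz Silva", "1960-03-12", "Maria Silva", "Joao Silva"),
    Application("J1", "Jose Francisco", "1955-01-01", "Rosa Francisco", "Pedro Francisco"),
    Application("J2", "Jose Francisco", "1957-06-30", "Rosa Francisco", "Pedro Francisco"),
    Application("C1", "Carlos Souza", "1948-11-05", "Lucia Souza", "Rui Souza"),
    Application("C2", "Carlos Souza", "1948-11-05", "Lucia Souza", "Rui Souza"),
]


def naive_cancel(apps):
    """Reproduce the failure the article describes: every application that
    shares (birth_date, mother, father) with another one is cancelled.
    Twins share all three fields, so both twins lose their cards, and a
    genuine double application is wiped out entirely instead of being
    reduced to a single card.  Returns the set of cancelled app_ids."""
    groups = defaultdict(list)
    for a in apps:
        groups[(a.birth_date, a.mother, a.father)].append(a)
    cancelled = set()
    for group in groups.values():
        if len(group) > 1:
            cancelled.update(a.app_id for a in group)
    return cancelled


def triage(apps):
    """Safer variant: the match key also carries the applicant's name, and an
    exact match is treated as a signal for human review, never as grounds for
    automatic cancellation.  Returns (issued_ids, review_groups), both sorted.
    Twins (different names) and the identically named brothers (different
    birth dates) are issued cards; only the two identical Carlos Souza
    applications are held for a person to look at."""
    groups = defaultdict(list)
    for a in apps:
        groups[(a.name, a.birth_date, a.mother, a.father)].append(a)
    issued, review = [], []
    for group in groups.values():
        if len(group) == 1:
            issued.append(group[0].app_id)
        else:
            review.append(sorted(a.app_id for a in group))
    return sorted(issued), sorted(review)


if __name__ == "__main__":
    print("naive rule cancels:", sorted(naive_cancel(SAMPLE)))
    issued, review = triage(SAMPLE)
    print("triage issues:", issued, "holds for review:", review)
```

The point is not that a longer key catches more fraud (a forger who can vary a name defeats it just as easily), but that a record-matching rule must never auto-cancel on a key that legitimate records are known to share, and that an exact collision is a reason to queue for review, not to act. The dead-voter and forged-card cases the article mentions are a different check again (matching against death and issuance registers), and belong in that review queue rather than in the deduplication pass.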