24-Mar-87 17:38:38-PST,22675;000000000000
Mail-From: NEUMANN created at 24-Mar-87 17:36:41
Date: Tue 24 Mar 87 17:36:41-PST
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS DIGEST 4.67
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest   Tuesday, 24 March 1987   Volume 4 : Issue 67

        FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Winch is the greatest risk in a theater? (Dave Wortman)
  DC9 Computer Failure (Earl Boebert)
  Health hazards associated with VDU use: eyestrain (John J. Mackin)
  Who called? (Jerome M Lang)
  Car Phone Intercept -- implications of captured data (Alex Dickinson)
  Re: Increased Telephone Switching Capabilities (Michael Wagner)
  Re: Telephone switches (Bjorn Freeman-Benson)
  Re: ATM experience (Roy Smith)
  Risks of ATM machines (Mike Linnig)
  Bank troubles, M.E. magazine (David Chase)
  Re: "The Choking Doberman..." (Elliott S. Frank)
  Newspaper article on Audi 5000S (Mark Brader)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.  MAXj:
Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date: Mon, 23 Mar 87 15:15:11 EST
From: Dave Wortman
To: risks@csl.sri.com
Subject: Winch is the greatest risk in a theater?

Look up if you want to see the real RISKs in many theaters. The failures in computer lighting systems discussed recently may cause inconvenience or economic loss, but failures in the computerized winch systems used to "fly" scenery have the potential to cause serious bodily harm.

The typical arrangement for flying a piece of scenery is to attach several lines (e.g.
3/16 wire rope) to it, run these lines up to the stage ceiling around pulleys to the drum of an electrically powered winch. The winch is controlled remotely either manually or in more sophisticated systems by small computers. These computers can be preprogrammed with the flying sequence for an entire performance in a way very similar to the programming of lighting systems. The scenery being flown can be quite heavy.

The electrical winches are supposed to be failsafe, i.e. a brake is automatically applied if power or control is lost. One of the first such systems was installed in the Loeb Theater at Harvard in the early 1960s. It had several interesting failure modes including one in which the winch went into "full speed up" mode and tried to pull the scenery through the pulleys in the ceiling. This continued until the wire rope snapped and the scenery went into free fall.

Dave Wortman, Computer Systems Research Institute, University of Toronto
ex-stagehand and -theatrical-rigger

   [I presume there were no cases of rigger mortis. But, perhaps there were
   winch-healed wipers on the motors. PGN]

------------------------------

Date: Mon, 23 Mar 87 11:16 CST
From: Boebert@HI-MULTICS.ARPA
Subject: DC9 Computer Failure
To: Risks@CSL.SRI.COM

Somebody mentioned a NY Times article about our good 'ol Northworst Airlines that described an incident in which there was an all-channel failure of the computer system on a DC9 (must have been an MDA80) which led to the loss of all attitude display. Supposedly the airliner was led into Toledo airport by a general aviation aircraft (!). Anybody have any details on this?

------------------------------

From: munnari!basser.oz!john@seismo.CSS.GOV
Date: Sun, 22 Mar 87 14:18:57 EST
To: RISKS@csl.sri.com
Subject: Health hazards associated with VDU use: eyestrain

Gregory Sandell's submission prompted me to mention the main problem I have had with VDU use; namely, eyestrain. I used to find that after a day at work my eyes would be very tired.
About a year and a half ago, I saw an article on the net suggesting that a good way to reduce eyestrain associated with terminal use was to reduce the amount of light striking the screen as much as possible. So, my office-mate and I implemented the following measures (adapted from suggestions in the original article, which unhappily I no longer seem to have):

* Keep all windows well covered during daylight hours. We have venetian blinds on our window and closing them completely is reasonably satisfactory. It would be better if we could exclude even more light, though.

* Turn off all overhead lighting. Our room is lit by fluorescent lights which are quite bright. With them turned off and the blinds closed, it gets reasonably dark. The darker the better.

* Use desk lamps, but _keep light from them OFF the screen!_ We each purchased two spring-arm type desk lamps to illuminate the work area on our desks. Reading material on the desk is probably easier than before, as the desktop is actually better illuminated now than it was by the overhead lighting.

Our experience with this has been very positive indeed. Both of us have completely ceased to suffer from eyestrain. And I also find the dimly-lit environment to be much more relaxing than it was when it was brightly illuminated. I would like to thank the poster of the original article, whose name I unfortunately don't know, and thoroughly recommend this approach to anyone who suffers from eyestrain due to VDU use.

John Mackin, Basser Department of Computer Science,
University of Sydney, Sydney, Australia
john@basser.oz.AU (john%basser.oz@SEISMO.CSS.GOV)
{seismo,hplabs,mcvax,ukc,nttlab}!munnari!basser.oz!john

Copyright 1987 John J. Mackin. Restricted redistribution prohibited.

   [As a related comment, I have some friends who are very sensitive to
   fluorescent lighting, which can give them monumental headaches. (Several
   of them have conducted reasonably careful experiments that seem to
   pinpoint that sensitivity.)
   I will not speculate in this forum on what the possible neurophysiological
   causes might be, although the incomplete light spectrum is a likely
   candidate. PGN]

------------------------------

Date: Tue, 24 Mar 87 12:19:53 est
From: Jerome M Lang
To: RISKS@CSL.SRI.COM
Subject: Who called? (Re: RISKS DIGEST 4.66)

In the last digest mention was made about the possibility of learning the phone number of the caller. This raises the question of what is done when the caller has an unlisted phone number (usually for very good reasons).

Jerome M. Lang        || jmlang@water.bitnet  jmlang@water.uucp
Dept of Applied Math  || jmlang%water@waterloo.csnet
U of Waterloo         || jmlang%water%waterloo.csnet@csnet-relay.arpa

   [Clearly one would have to suppress that information -- under certain
   circumstances -- although it is clearly needed for the 911 computers.
   This gets into the problem of secure databases and how difficult it can
   be to prevent inferences from being drawn if you are going to hide
   information selectively. Lots of nice research has been done, but
   basically this is a very difficult problem once you take the blinders
   off. PGN]

------------------------------

Date: Tue, 24 Mar 87 09:02:16 CST
From: munnari!augean.oz!alex@seismo.CSS.GOV (Alex Dickinson)
To: risks@csl.sri.com
Subject: Car Phone Intercept -- implications of captured data

On Sunday 22nd March an Australian activist group using a radio frequency scanner intercepted and recorded an unencrypted car phone conversation between a federal opposition shadow minister and a state opposition leader (both members of the Australian Liberal Party). The conversation referred to the Liberal Party federal leader in what has been euphemistically termed `colourful language' and discussed his intended political demise. The group released the tape to a Melbourne newspaper that proceeded to publish a number of juicy excerpts.
Today the federal shadow minister was fired from his party post, and the chance of an election being called by the Prime Minister to take advantage of opposition confusion was regarded as having doubled from 15 to 30%.

Federal police are considering whether to press charges under the Telecommunications Act that broadly covers such interceptions. The fine? $5000 maximum. Good value for altering the course of the country's politics, although it's not clear that that was the intent.

Alex Dickinson

------------------------------

Date: Tue, 24 Mar 87 16:41:19 EST
From: Michael Wagner
Subject: Re: Increased Telephone Switching Capabilities
X-To: risks@sri-csl.arpa

I can offer two pieces of information, neither of which answer the questions completely.

1) the 911 emergency number in Toronto displays the number from which a call was made. It does this for a wide variety of originating exchanges (but I don't know if it does it for all exchanges). I have been told, by people who are more knowledgeable about phones than I, that the number is sent on the same circuit as the phone call. They claim that almost no gymnastics were required to make this work. (The phone company also makes a database of phone numbers and addresses available to the emergency service, so that numbers are quickly turned into street addresses. That clearly wouldn't be available to the average business or home. But that is a different matter.)

The implications are that (a) exchanges send the origination phone number along with the call, and (b) exchanges can relatively trivially send the information to the customer phone, and (c) the customer phone can decode the information while the phone is still ringing, and (d) it's not illegal in Canada for emergency use.

2) The University of Toronto recently switched over to a Centrex III system. Certain (secretarial) phones can now display the number called and the number calling. The number calling works only if the call originated within the centrex exchange.
It is not clear whether the restriction is technical or legal. The implication is that it's not illegal in Canada for calls originating within an enterprise.

It is clear that, if such a telephone were to become a consumer item, it would change the whole way we deal with telephones. I could refuse to answer calls from people I didn't want to speak to right now. In fact, I would probably program the micro in the telephone with a phone list of people who were and weren't allowed to disturb me. There would appear to be many human engineering problems to solve there. And many computer RISKS.

Michael

------------------------------

Date: Mon, 23 Mar 87 12:45:40 PST
From: bnfb@beaver.cs.washington.edu (Bjorn Freeman-Benson)
To: RISKS@CSL.SRI.COM
Subject: Re: Telephone switches

>The issue of automatic callers releasing the phone line is actually
>a people issue rather than a technology issue.

As far as I know it depends on the "office" (telephone company term for switching equipment) connected to your phone. In the NW US there are three types: mechanical, ?, and electronic. A mechanical office will hold the line open as long as the caller has his/her phone off the hook regardless of the callee's actions. An electronic office will close the connection as soon as either party hangs up.

>Panic sets in and a feedback loop ensues.

However, I do agree that this can be a problem in any human system.

Bjorn N. Freeman-Benson

------------------------------

Date: Mon, 23 Mar 87 21:31:56 EST
From: cmcl2!phri!roy@seismo.CSS.GOV (Roy Smith)
To: RISKS@csl.sri.com
Subject: Re: ATM experience [Bruce McKenney, RISKS-4.66]

Clearly, different banks do things different ways. Some time ago I wanted to make a mortgage payment at an ATM but couldn't find the right menu item. When I called for help, they told me to just pick any of the "deposit to ..." or "payment to ..." items.
It seems that at least for the case of you making a deposit or payment, they totally ignore which button you pressed; it's what's on the slip that matters. In fact, it doesn't even matter which slip you use. The type of account is encoded in the account number. When I needed a "deposit to X" slip once and they didn't have any, I was told to just use a "deposit to Y" slip and write the proper account number on it.

The question is, doesn't this represent a real risk to the consumer (although, maybe not truly a computer-related risk)? I'm pretty ignorant of the ways of banks, but I've learned how my bank works. If I go to a different bank, I'm probably going to assume they work the same way, which probably means I'll get burned at some point.

Roy Smith, {allegra,cmcl2,philabs}!phri!roy
System Administrator, Public Health Research Institute
455 First Avenue, New York, NY 10016

------------------------------

Date: Mon, 23 Mar 87 08:20 CDT
From: Mike Linnig
To: risks@CSL.SRI.COM
Subject: Risks of ATM machines

A year ago I happened on a remote gasoline station that allowed the customer to pay with an ATM card. After paying it occurred to me that this scenario was ripe for fraud. How do I know that this ATM reader is really part of the ATM network? Think about it... First I let it read the bits off of my card and then I give it my secret PIN number. What is to stop some unscrupulous person from rigging a fake reader and duplicating my card (they already have my PIN number)?

Hmmm.. a few scandals like this and I bet we see smart cards with challenges and counter-challenges being exchanged between the card and the banking system.

Mike Linnig, Texas Instruments

   [This is of course an example of the mutual suspicion problem that Mike
   Schroeder worked on in the 60s. Yes, you must trust the ATM apparatus,
   whether it is trustworthy or not. The same is true of any store that
   takes one of your credit cards, even with no computer in the loop.
   This is an old risk, but if RISKS never included discussions of old
   risks, our newer readers would be cheated. The safest solution is to
   avoid using such facilities, the next safest is to audit the records
   carefully. PGN]

------------------------------

Date: Mon, 23 Mar 87 15:18:33 CST
From: David Chase
Subject: Bank troubles, M.E. magazine
To: risks@csl.sri.com

Mechanical Engineering 2/1987 is the "What went wrong?" issue with articles on the Thresher and Chernobyl. Reading about Chernobyl makes me cringe. Again and again, "clear violation of operating procedures". ME 2/1986 caught my eye with an article on space power and propulsion systems, but within it were articles on "The Dangers of CAD" [In the past, any discrepancy between computer results and measured performance was traced down with an almost religious fervor. This zeal is still appropriate], human guided industrial "robots" (with some remarks on safety systems buried in there), and a study attempting to determine the safe speed for an emergency vehicle to enter an intersection (can the siren be heard?). Not all of these things are RISKS from computer systems, but I found it made interesting reading.

For bank troubles, I sent a check paying part of my bill to the insurance company, but they imprinted the entire amount on it for machine consumption (about 6 times more than the amount I intended). I actually figured this out before bouncing any checks because my account dipped rather surprisingly, but I spent a thin month trying to convince the bank or the insurance company that there might have been a mistake ("No, no, that couldn't have happened."). My bank rather quickly corrected my account when I showed them the cancelled check, but I'm sure it could happen again. You can be sure that I took my sweet time getting the rest of the money back to the insurance company.
Of course, the source of this error was human, but it was compounded by blind faith in computers (and the efficiency of computerized check processing).

David

------------------------------

Date: Mon, 23 Mar 87 14:16:21 PST
From: amdahl!esf00@Sun.COM (Elliott S. Frank)
To: RISKS@CSL.SRI.COM
Subject: Re: "The Choking Doberman..."

I've gotten some mail from risks subscribers requesting a citation for "The Choking Doberman...". Here's the citation from "Books in Print, 1986-1987" (courtesy the helpful folks at the Computer Literacy Bookstore):

   The Choking Doberman & Other "New" Urban Legends. Jan H. Brunvand,
   Norton, 1986, 256p. $6.95. ISBN 0-393-30321-7.

Elliott S Frank   ...!{ihnp4,hplabs,amd,nsc}!amdahl!esf00   (408) 746-6384

------------------------------

Date: Mon, 23 Mar 87 18:30:56 EST
From: msb@sq.com (Mark Brader)
To: risks@csl.sri.com
Subject: Newspaper article on Audi 5000S

   [This is a longish "summary", but serves a useful purpose in putting in
   perspective some of the previous messages on this subject. PGN]

Going through recent back issues of the Toronto Star, I found an article of about one full page about the Audi 5000S controversy, by the Star's automobile columnist Jim Kenzie. It was printed March 7, pages E1 and E15. At PGN's suggestion I supply a summary of the article's content.

* All the drivers interviewed on TV said the acceleration occurred upon shifting from P/N to D/R and that they had their foot hard on the brake.

* Paul Ast claims that failure of the idle stabilization valve can cause the engine to surge to 4000 rpm independent of the accelerator; William Rosenbluth claims that foreign matter in the transmission control valves can lead to a pressure buildup that pushes a rigid part of the throttle linkage that is only supposed to be pulled. These explanations conflict.
* Audi says there were no skid marks in any of the incidents, accelerator pedals were bent, they can't reproduce Ast's problem, and Rosenbluth's would involve severe transmission damage but the affected cars are new. Therefore they claim driver error and have recalled the cars to fit an interlock so you can't shift out of P without applying the brake.

* Kenzie (the columnist) revved an Audi 5000S up to 4000 rpm and put it into D while holding the accelerator steady. The car did not run away but took several seconds to reach 10 mph. There was also a lot of noise from the 4000 rpm idling, and a loud thump when the transmission engaged, which none of the victims apparently reported. So much for Ast's theory.

* Kenzie then pressed the brake and accelerator, all the way, simultaneously. The car revved up to 2700 rpm but stood still. Finally he took it up to 30 mph and did the same thing. It stopped. None of the victims, or their lawyers, has suggested a simultaneous temporary failure of braking, so it sure seems that Audi is right and the victims wrong. Probably they are simply repeating the same mental error they made originally.

* Some past Audis did have a minor unwanted-acceleration problem due to floor mats fouling the accelerator. Also, Audis used to have the brake and accelerator pedals close together and in the same plane so they could be "heel-and-toe" operated, but not since 1982 here, because most are sold with automatic transmission anyway. But these things could tend to make people more likely to blame the car when it is an Audi... a bandwagon effect. It is also possible that some "victims" are simply out for money in a class-action settlement.

* According to Tom Lankard of AutoWeek, the majority of Audis involved were newly bought, many by people switching from GM cars, which have the brake and accelerator much less close (so if you miss the brake you don't hit the accelerator). Many drivers were short, which would aggravate any confusion.
  [Does "many" mean "a statistically significant fraction"? --MSB]

* Kenzie doesn't know why the accidents only happen when starting from rest, but points out that once people are driving they already have their foot on a pedal and this provides a reference point.

  [He doesn't address at all the people who said they had BOTH feet on the brakes -- but at this point I'm willing to call them mistaken. --MSB]

The above is shortened about 80%. Kenzie's conclusion is worth giving in full:

   There is one party who DOES have guilt dripping from every pore, and that's television journalism. The 60 Minutes piece was shoddy in the extreme -- yellow journalism, in full color. They had convicted Audi before the show even began. Their story was grossly slanted, full of innuendo and witness-leading.

   The Today Show was only slightly better. They at least identified the prosecuting "experts" by name on screen, and had them explain how their theories worked. But Rosenbluth's credibility was destroyed when he "proved" how the Audi could accelerate due to hydraulic excess transmission pressure. First, without letting the audience know, he deliberately jammed both the normal pressure relief valves and the "fail-safe" backup ones in the car, which had been involved in two previous "incidents" and which still, for effect, had its left front fender missing. He tried to prove that it could happen -- not that it did happen. Second, he lightly brushed the brakes enough to turn the brake lights on for the camera, implying that the brakes couldn't stop the car from accelerating across the road into a ditch. He said he had to shut the engine off to stop the car. As I have previously noted, this is completely false.

   Only [the Canadian show] Market Place even attempted the tests that I did, which prove beyond a shadow of a doubt that the brakes will hold the car regardless of throttle opening. Still, they devoted about 10 seconds out of an eight minute piece to this vital fact.
   The public -- let alone Audi -- deserves better than this.

------------------------------

End of RISKS-FORUM Digest
************************
-------
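Mike Linnig's note above proposes smart cards that exchange "challenges and counter-challenges" with the banking system so that a fake reader which has copied a card's bits and captured its PIN gains nothing. The following is an added illustration of that idea, not code from the digest or from any bank: a toy mutual challenge-response in which the card releases a PIN-bound proof only after the bank has proved knowledge of the card's key. The card id, key, PIN, nonce sizes and message layout are constructed assumptions.

```python
"""Toy mutual challenge-response between a payment card and its bank.

Assumptions (constructed for this example): each card shares a secret key
with the bank, the terminal only relays messages, and the PIN is never sent
in the clear; it is folded into a keyed MAC bound to both sides' nonces.
"""
import hashlib
import hmac
import os


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts so fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Card:
    def __init__(self, card_id, key):
        self.card_id, self.key = card_id, key

    def start(self):
        self.nonce = os.urandom(16)          # fresh per transaction: no replay
        return self.card_id, self.nonce

    def verify_bank(self, bank_nonce, bank_proof):
        expected = mac(self.key, b"bank", self.nonce, bank_nonce)
        if not hmac.compare_digest(expected, bank_proof):
            return False                     # reader is not talking to the bank
        self.bank_nonce = bank_nonce
        return True

    def prove(self, pin):
        # Released only after verify_bank succeeded; a copy of the card's
        # stored bits without the key cannot produce this value.
        return mac(self.key, b"card", self.bank_nonce, self.nonce, pin.encode())


class Bank:
    def __init__(self, cards):
        self.cards = cards                   # card_id -> (key, pin), constructed
        self.sessions = {}

    def challenge(self, card_id, card_nonce):
        key, _ = self.cards[card_id]
        bank_nonce = os.urandom(16)
        self.sessions[card_id] = (card_nonce, bank_nonce)
        return bank_nonce, mac(key, b"bank", card_nonce, bank_nonce)

    def verify_card(self, card_id, proof):
        key, pin = self.cards[card_id]
        card_nonce, bank_nonce = self.sessions.pop(card_id)
        expected = mac(key, b"card", bank_nonce, card_nonce, pin.encode())
        return hmac.compare_digest(expected, proof)


class FakeReader:
    """Rogue terminal: has the card's id and bits but not its key."""
    def challenge(self, card_id, card_nonce):
        return os.urandom(16), os.urandom(32)   # cannot compute a valid proof


def transact(card, pin, terminal):
    """Returns (bank authenticated to card, card accepted by bank)."""
    card_id, card_nonce = card.start()
    bank_nonce, bank_proof = terminal.challenge(card_id, card_nonce)
    if not card.verify_bank(bank_nonce, bank_proof):
        return False, False                  # card stops before PIN is used
    return True, terminal.verify_card(card_id, card.prove(pin))


KEY = hashlib.sha256(b"constructed demo key").digest()
BANK = Bank({b"card-demo-1": (KEY, "1234")})


def genuine():   return transact(Card(b"card-demo-1", KEY), "1234", BANK)
def wrong_pin(): return transact(Card(b"card-demo-1", KEY), "9999", BANK)
def rogue():     return transact(Card(b"card-demo-1", KEY), "1234", FakeReader())
```

Against the rogue reader the card never reaches the PIN step, which is the property Linnig's "counter-challenge" is meant to buy; the wrong-PIN case shows the bank still rejects a card proof built on a bad PIN.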