RISKS-LIST: RISKS-FORUM Digest  Friday, 29 January 1988  Volume 6 : Issue 18

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Amazing story about shuttle software whistle-blowers (Nancy Leveson)
  AT&T computer billing error (Dave Curry)
  A testing time for students (Dave Horsfall)
  Re: RISKS in Cable TV? (Marty Moore)
  Re: Calendar bomb in the Ada language (Robert I. Eachus, Marty Moore)
  Technology Transfer Policy (Gordon S. Little)
  The fine points of fixed points (Jim Horning)
  Horrendous proliferation of BITNET barfmail (BITNETters PLEASE READ)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
  > > > > > > > > >  PLEASE LIST SUBJECT in SUBJECT: LINE.  < < < < < < < < <
For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j.
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Subject: Amazing story about shuttle software whistle-blowers
Date: Fri, 29 Jan 88 10:46:08 -0800
From: Nancy Leveson

Time Magazine reports this week (1 Feb 1988, pp. 20-21) on a newly released
congressional study of safety problems with the Shuttle software and hardware.
I recommend you all try to get the article.  It is horrifying.  Just in case
you cannot get it, I will try to summarize it.

Apparently, a newly released report by a blue-ribbon committee of eight experts
commissioned to review NASA's safety procedures was highly critical of NASA and
its contractors.  Basically they charge that schedules are again taking
precedence over safety (as before the Challenger accident).  The report also
charges that NASA contractors have ignored and harassed whistle-blowers.  Some
were even threatened.

Some examples:

Sylvia Robins was a systems engineer for Unisys, which is one of the
contractors for shuttle software.  In March 1986 she was approached by software
experts at Rockwell (the prime contractor) for help to find out whether Unisys
had an adequate system for testing the shuttle's backup software.  She claims
that she discovered that in order to save time, Unisys was testing the main and
backup software at the same time that changes were being made in payload and
other shuttle flight plans.  This saved a 3-week hold for each test (until the
changes were completed), but meant that the test results were meaningless --
since the software could not be adjusted and tested simultaneously.  When she
told her supervisors about it, she was told to drop the matter and not tell
Rockwell about it.  She says her bosses considered her a trouble-maker because
she had earlier complained that Unisys did not have the proper facilities for
protecting the software for secret DoD missions assigned to shuttle flights.
She claims that her supervisor met with some employees and tried to get them to
falsify some documents in order to provide "proof" that she had called some
staff meetings without authorizing overtime pay.  When one woman refused to
make such a false claim, she was fired.  Robins was also fired.  She was then
hired by a Rockwell subsidiary where she repeated her complaints to her new
bosses, to the FBI, and to NASA's inspector general.  She has received letters
threatening her life.  Two other whistle-blowers also contend that they have
received anonymous telephone threats against their children.

Another case involves a former Rockwell QA engineer who says that an audit of
Rockwell's shuttle hardware and software revealed that only 12% met NASA's
contract specifications.  His supervisor told him to change the number in his
report to 96% or better.  He refused and five weeks later was fired.

A current Rockwell engineer reports that the company in June 1987 failed to
place a protective password on at least one shipment of shuttle software tapes,
allowing changes to be made without being recorded.  She produced a record
showing that one anonymous change had actually been made to the software.

The whistle-blowers also claim that supposed confidentiality of complaints is
not being observed at Rockwell and that, in fact, they have found themselves
being followed by cars at night, some of whose license plates have been traced
to the Rockwell security force.

Rockwell denies all charges.  George Rodney, who was given responsibility for
safety at NASA after the Rogers Commission report on the Challenger accident,
says that they are reorganizing safety and quality control.

I can give personal testimony that I have been contacted by people involved in
the new Safety Office at NASA Headquarters and that they appear to be sincerely
interested in doing something about software safety for NASA programs.  I am
not so convinced that their contractors are as committed, at least from the
evidence given in the Time story.

I gave a talk in October at the CPSR Annual Meeting and suggested that we could
not call ourselves professionals until we accept responsibility for the quality
of the products we produce.  It looks like some computer professionals are
doing that, at great personal cost.  I have fears, however, that this is all
just the tip of the iceberg.

Frankly, I can see little justification for worrying about software that won't
work in the year 2099 because of some flaw in the way Ada handles dates.  We
should be spending our time discussing what to do about the software that may
not work now.

Nancy Leveson

   [TIME article by Ed Magnuson, reported by Jay Peterzell/Houston.]

------------------------------

From: davy@intrepid.ecn.purdue.edu (Dave Curry)
Subject: AT&T computer billing error
Date: Fri, 29 Jan 88 11:09:43 EST

From the Lafayette (Indiana) Journal & Courier, 1-29-88:

   NEW AT&T COMPUTER BILLS CUSTOMERS TWICE

   PROVIDENCE, R.I. - Up to 2 million AT&T telephone customers across the
   country have been billed for payments they already made.  Some accounts
   have mistakenly been referred to collection agencies.

   AT&T officials said Wednesday that the billing problem stemmed from a new
   computer system.  Company officials said payments for the residence and
   small business accounts were received but not properly posted in the
   billing records.  Those with billing complaints were asked to send copies
   of their canceled checks.

------------------------------

Date: Thu, 28 Jan 88 10:53:16 est
From: munnari!stcns3.stc.oz.au!dave@uunet.UU.NET (Dave Horsfall)
Subject: A testing time for students

An article in "The Australian", Tuesday 19th January, 1988, is headlined
"No one told system the school year had changed".  It goes on to say:

  "Education officials worked through the night to check 45,000 sets of exam
  results last week, after a computer error sent false results to more than
  80 Victorian students.

  More than 50 students who sat the Year 12 Victorian Certificate of Education
  (VCE) exam were wrongly told they had passed.  At least 30 others were told
  they had failed when they had actually been successful.

  The Victorian Curriculum and Assessment Board, which administers the exam,
  said one of the causes for the error was the change from a three-term to a
  four-term school year, which the board's computer had not been ready for.

  ...

  The media liaison officer for the VCAB, Ms Wendy Hunter, told [the paper]
  that the error only affected about 85 of those "borderline" cases whose
  results depended on compensation - though she said the board realised how
  important the results were to each person.

  The complex method of compensation includes credit for work done during the
  term (no-one told the computer the shortened term counted for less) as well
  as the chance for good passes in some subjects to make up for a narrow fail
  in others.

  Ms Hunter explained that in a three-term year, credit was given for units
  per term, but in a four-term year it was for units per semester - which
  meant a term's work only counted for half a unit."

The best bit came at the end of the story:

  "The head of Melbourne's Swinburne Institute of Technology computer centre
  queried the board's original statement that the problem had been caused by
  'computer error'.

  'Computer error can mean just about anything', the centre's manager,
  Mr Michael Plunkett, said."

Indeed it can.

Dave Horsfall (VK2KFU)            ACS:  dave@stcns3.stc.OZ.AU
STC Pty Ltd                       ARPA: dave%stcns3.stc.OZ.AU@uunet.UU.NET
11th Floor, 5 Blue St             UUCP: {enea,hplabs,mcvax,uunet,ukc}!\
North Sydney NSW 2060 AUSTRALIA         munnari!stcns3.stc.OZ.AU!dave

------------------------------

Date: Fri, 29 Jan 88 08:58 EST
From: marty moore
Subject: Re: RISKS in Cable TV?

It really is possible for the contents of a TV signal to affect the TV itself.
I once had a TV with one of the old sonic remote controls.  At that time there
was a cereal commercial (I don't recall which brand) which featured exploding
cereal boxes.  The explosion sound apparently contained the right frequency or
harmonic, because every time the explosion occurred, my TV changed channels.

I always thought this had great possibilities for unscrupulous TV station
programmers.  ("Let's buy some commercials through a dummy on the other
stations...we'll bury the signal to change to our stations in the commercials.
The audience will never know the difference.")

------------------------------

Date: Fri, 29 Jan 88 16:29:36 EST
From: eachus@mitre-bedford.ARPA (Eachus)
Posted-From: The MITRE Corp., Bedford, MA
Subject: Re: Calendar bomb in the Ada language

I hope to be around to celebrate the Ada Doom Date (January 1, 2100), but the
situation is not as bad as has been indicated here.  In fact, I would argue
given recent experiences that the situation in Ada is much better than the
current state of the practice.

The function TIME_OF will raise CONSTRAINT_ERROR if called with a year outside
the range 1901..2099, and the "+" and "-" functions are required to raise
TIME_ERROR if the resulting TIME is outside the permitted range, but:

  None of this is a part of the Ada language, but a package required to be
  provided by all valid implementations.  In other words, you can write or
  use your own.

  The function CLOCK may return a time outside this range (assuming the
  program remains around long enough for that to be valid).

  All Ada implementations are tested as part of the validation process to
  see that the CALENDAR package functions correctly, and the quality of these
  tests is continually being improved.

There shouldn't be any Ada time bombs for at least a hundred years, if then.

Another doom date worth noting is January 1, 2028, the date when MS-DOS goes
belly up.  (Dates are represented internally in a 16-bit word, with five bits
for the day, four bits for the month and, you guessed it, a 7-bit year).  Try
putting in the wrong date on a machine with no clock and no hard disk (and a
spare copy of your system disk) sometime...

Robert I. Eachus

------------------------------

Date: Fri, 29 Jan 88 08:57 EST
From: marty moore
Subject: Re: Calendar bomb in the Ada language

I have always assumed that the Ada type YEAR was constrained to the range
1901..2099 in order to simplify leap year calculations.  All years in that
range which are divisible by 4 are leap years; however, 1900 and 2100 are not
leap years.  Does anyone know if this is true?

I wonder how many systems will have problems in 2100 because they incorrectly
assume it is a leap year.

   [OK.  Probably enough speculation on this topic for a few years.  But let's
   hear it when the alarm goes off.  PGN]

------------------------------

Date: Thu, 28 Jan 88 18:09 MST
From: "Gordon S. Little"
Subject: Technology Transfer Policy

Paul Smee's statement about the application of US technology transfer policy
is nothing short of astounding.

> Perhaps one of the lesser-known 'features' of the US technology
> transfer policy is the fact that the US government applies it
> internationally...

Political pressure we have with us always, and that is understandable and a
fact of life.  But what legal principle sanctions the right of ANY country to
enact laws governing the action of FOREIGN nationals IN THEIR OWN (SOVEREIGN)
COUNTRY?

This is hardly a technical RISK, but if such unbelievable arrogance were to
pass unchallenged and such a principle were accepted internationally, the
absurdities that could result must be obvious to anyone.

------------------------------

From: horning@src.dec.com (Jim Horning)
Date: 29 Jan 1988 1123-PST (Friday)
Subject: The fine points of fixed points

The year I moved back to Palo Alto from Canada I DID have an explicit
recursion in my tax calculation.  I had four kinds of income:

  1. Canadian income earned while a resident of Canada,
  2. American income earned while a resident of Canada,
  3. American income earned while a resident of America, and
  4. Canadian income earned while a resident of America.

The US claimed the right to tax all four kinds of income, but granted credits
FOR TAX REQUIRED TO BE PAID to Canada for kinds 1. and 4.  Canada only wanted
to tax kinds 1. and 2., and granted a credit FOR TAX REQUIRED TO BE PAID to
the US on kind 1.

The fixed point was reached in only two iterations because of MIN and MAX
occurring at strategic points in the calculation.

However, to complicate the situation, this was the year that treatment of
foreign earned income was "reformed," and Congress changed the law
RETROACTIVELY several times.  I filed a form 1040R to claim an increased
refund, and received two other small unsolicited US refunds.  I suppose I
should have recalculated my Canadian tax, too, but I didn't.

   [I note that the convergence in the CA/fed case may not always result in a
   unique solution -- a pair of oscillating solutions could arise, because of
   round-off...  By the way, several readers noted (again -- see my comments
   in RISKS-6.17) that there is no actual iteration if you are happy with
   whatever state tax you estimated and paid in 1987.  So I keep responding
   that the iteration results from trying to refine the estimate, but that is
   not required by law.  PGN]

------------------------------

Subject: Horrendous proliferation of BITNET barfmail
Date: Fri 29 Jan 88 17:00
From: Neumann@SRI.COM

=======================================================================
===  HELP!  risks@hemuli.uucp vanished, CAUSING ALL BITNET READERS  ===
===  to get many (60 is the most reported yet) copies of BARFMAIL!  ===
===  dae@PSUVAX1 reported that this address has been invalid for    ===
===  quite a while and it cannot deliver the message since PSUVAX1  ===
===  doesn't know the path to that .UUCP node.  If anyone does know ===
===  a node, please tell dae (mon).  (Noted by Marc Shannon, to whom ===
===  you BITNETters generally owe thanks for having volunteered to  ===
===  help you all stay in contact with RISKS, despite all the       ===
===  flakiness of the interconnections.  I can't fix it.  Sorry.)  PGN ===
=======================================================================

*FOR PROSPECTIVE BITNET SUBSCRIBERS*

By the way, many of you have recently requested to be added.  In some cases I
find I cannot get mail back to you!  So, here once again is the procedure.
(PLEASE DON'T SEND BITNET REQUEST MAIL TO ME.)  Please try to add yourself
according to the following recipe.  (Any one of the three locations should
work -- they are supposed to be interconnected.)  That way you will be able to
handle future changes directly.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
BITNET SUBSCRIBERS: DO NOT NOTIFY RISKS OF FUTURE ADDRESS CHANGES.
For subscription assistance, please observe the following instructions:

For WISCVM, send mail to LISTSERV@CMUCCVMA, with a single line request:
   SUBSCRIBE MD4H your name      or      UNSUBSCRIBE MD4H your name

For FINHUTC, send mail to LISTSERV@FINHUTC, with a single line request:
   SUBSCRIBE RISKS your name     or      UNSUBSCRIBE RISKS your name

For UGA, send mail to LISTSERV@UGA, with a single line request:
   SUBSCRIBE RISKS your name     or      UNSUBSCRIBE RISKS your name

The only mail to RISKS@CSL.SRI.COM should be RISKS contributions.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

------------------------------

End of RISKS-FORUM Digest
************************
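Editor's added example, not part of the digest and not code from any of its contributors: a Python check of the two date limits discussed in the Eachus and Moore posts above, the Ada 83 CALENDAR year range 1901..2099 and the packed 16-bit MS-DOS date (5-bit day, 4-bit month, 7-bit year). The Ada range and the field widths are taken from the posts; the 1980 base year for the 7-bit field is the FAT convention and is an assumption the digest does not state. Rather than asserting a doom date, the example computes the last representable DOS year from the field width, lists the years where the divide-by-four leap-year shortcut disagrees with the full Gregorian rule, and confirms there are none inside the Ada range.

```python
"""Date-range limits from RISKS-6.18 (Eachus and Moore posts), checked in code.

Added example, not from the digest.  Assumptions: the Ada 83 CALENDAR year
range 1901..2099 and the 5/4/7-bit MS-DOS date layout come from the posts;
the 1980 base year for the 7-bit field is the FAT convention, which the
digest does not state.
"""

ADA_YEAR_MIN, ADA_YEAR_MAX = 1901, 2099   # Ada 83 CALENDAR.Year_Number, per the posts
DOS_BASE_YEAR = 1980                       # FAT convention (assumption, see above)


def is_leap_gregorian(year: int) -> bool:
    """Full Gregorian rule: every 4th year, except century years not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def is_leap_div4(year: int) -> bool:
    """The shortcut Moore suspects CALENDAR's year range was chosen to make safe."""
    return year % 4 == 0


def leap_rule_disagreements(first: int, last: int) -> list[int]:
    """Years in [first, last] where the shortcut gives the wrong answer."""
    return [y for y in range(first, last + 1)
            if is_leap_div4(y) != is_leap_gregorian(y)]


def ada_time_of_year_check(year: int) -> int:
    """Mimic TIME_OF's year constraint: an out-of-range year raises, as
    CONSTRAINT_ERROR would in Ada (a ValueError here)."""
    if not ADA_YEAR_MIN <= year <= ADA_YEAR_MAX:
        raise ValueError(f"year {year} outside Year_Number {ADA_YEAR_MIN}..{ADA_YEAR_MAX}")
    return year


def dos_pack_date(year: int, month: int, day: int) -> int:
    """Pack into the 16-bit MS-DOS date word, layout yyyyyyym mmmddddd."""
    if not 1 <= day <= 31 or not 1 <= month <= 12:
        raise ValueError("day/month out of range")
    yoff = year - DOS_BASE_YEAR
    if not 0 <= yoff <= 0x7F:          # only 7 bits are available for the year
        raise ValueError(f"year {year} not representable in 7 bits from {DOS_BASE_YEAR}")
    return (yoff << 9) | (month << 5) | day


def dos_unpack_date(word: int) -> tuple[int, int, int]:
    """Inverse of dos_pack_date: (year, month, day)."""
    return ((word >> 9) + DOS_BASE_YEAR, (word >> 5) & 0x0F, word & 0x1F)


def dos_max_year() -> int:
    """Last year the 7-bit field can hold, derived from the field width."""
    return dos_unpack_date(dos_pack_date(DOS_BASE_YEAR + 0x7F, 12, 31))[0]


if __name__ == "__main__":
    print("leap-rule disagreements 1801..2199:", leap_rule_disagreements(1801, 2199))
    print("disagreements inside the Ada range:",
          leap_rule_disagreements(ADA_YEAR_MIN, ADA_YEAR_MAX))
    print("DOS date field runs out after", dos_max_year())
    word = dos_pack_date(1988, 1, 29)
    print(f"29 Jan 1988 packs to 0x{word:04X}, unpacks to {dos_unpack_date(word)}")
```

Run directly, the script reports that the only disagreements between 1801 and 2199 are 1900 and 2100, which bracket the Ada range exactly as Moore suggests, and that with a 1980 base the 7-bit DOS year field runs out after 2107.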