RISKS-LIST: RISKS-FORUM Digest  Monday 8 August 1988  Volume 7 : Issue 31

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Software failures cost Britain $900M per year, study claims (Jon Jacky)
  Lightning strikes (twice) (PGN)
  Computer failure delays flights at Logan Airport (PGN)
  A320 & A300 safety, risks of so-called experts (Michael Pilling)
  RISKS of Electronic Cash-registers (Robin Kirkham)
  Computer terminals and dermatology (richard welty)
  Computer System Vulnerabilities (Rodney Hoffman)
  Disaster Exposition (Cliff Stoll)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Fri, 05 Aug 88 09:29:58 PDT
From: jon@june.cs.washington.edu (Jon Jacky)
Subject: Software failures cost Britain $900M per year, study claims

This article appeared quite a while ago in ELECTRONICS ENGINEERING TIMES
(June 13, 1988, p. 19):

BRITAIN SCRUTINIZES SOFTWARE QUALITY by Roger Woolnough

...(Two) studies were commissioned last year from Price Waterhouse and Logica
plc by the Department of Trade and Industry (DTI), the government department
concerned with virtually the whole of British industry.  The Price Waterhouse
study sought to establish the costs and benefits of applying quality-management
standards to software.  The parallel study by Logica examined the possibility
of harmonizing the civil and military quality management standards.
The failure costs are expensive.  For British industry, the report estimates
them conservatively at $900 million a year, and that includes only software
produced domestically and sold on the open market.  If imported and in-house
software were included, the failure costs would be much higher.  And on top of
that there are substantial indirect costs, which Price Waterhouse could not
quantify.

Price Waterhouse estimated that implementing a quality system would mean
additional costs for a typical supplier with 50 to 100 employees of between
$360,000 and $450,000 a year.  Initial setup costs could be between $180,000
and $270,000, with no difference between large and small companies.

The study was unable to estimate the reduction in failure costs that would
result from wider use of quality systems but did work out the savings required
to justify them - a 10 to 15 percent reduction in total failure costs over the
life of a system.

"If we consider costs and benefits to suppliers only," says the report, "a
reduction in failure costs of 35 to 40 percent would be required to sustain the
investment in a quality system. ... An improvement of this size is possible,
but far from certain.  Therefore it is possible that software suppliers could
incur net costs as a result of introduction of a quality system.  The evidence
suggests that most users are not prepared to pay higher prices for software
simply because a quality system was used by the supplier."

(The Logica study compared various standards for software quality assurance,
namely NATO's AQAP documents, used by the British Ministry of Defence, and
international ISO9001.  Logica found little difference in substance and
recommended standardizing on ISO9001).

- Jonathan Jacky, University of Washington

------------------------------

Date: Mon 8 Aug 88 14:33:09-PDT
From: Peter G. Neumann
Subject: Lightning strikes (twice)

On 31 July 1988 lightning struck the drawbridge between Vineyard Haven and Oak
Bluffs on Martha's Vineyard MA, paralyzing the three-phase controls and then
ricocheting into the elevated transformer.  As a result the Lagoon Pond access
for 40 sailboats and tall powerboats was sealed off for almost three days.
(This was the same weekend that the ferry Islander ripped a hole in its belly
when it ran aground, backlogging 500 cars.  And your moderator was there,
finally getting a little vacation so that you all could get a little vacation
from RISKS.)  The previous lightning strike, only three weeks before, had
closed the bridge for 24 hours.  [Source: Martha's Vineyard Times, 4 August
1988, p. 1.]

------------------------------

Date: Mon 8 Aug 88 14:40:33-PDT
From: Peter G. Neumann
Subject: Computer failure delays flights at Logan Airport in Boston

On 5 August 1988, air traffic was delayed because a new software tape designed
to relay departure information to air traffic controllers sent data to the
wrong controllers.  It took an hour to replace the software.  The delays at
Logan lasted for about 6 hours, tapering off slowly from one-hour delays.
Delays also propagated to nearby airports.  [Source: Boston Globe, 6 August
1988]

------------------------------

Date: Thu, 4 Aug 88 15:39:47 EST
From: munnari!banana.cs.uq.oz.au!bigm@uunet.UU.NET (Michael Pilling (Dr Chocberry))
Subject: A320 & A300 safety, risks of so-called experts

This is from an article in the "Australian" 2-Aug-88 retyped and abbreviated
without permission:

Two pilots blamed for air crash

Following an official report to the French transport minister last week,
responsibility for the crash of an Airbus A320 into trees at an airshow in
eastern France has been blamed on pilot Michel Asseline & co-pilot Pierre
Mazieres.  The A320 gets a clean bill of health.  Cockpit talk recordings from
the black box revealed startling over-confidence on the part of both men.
Mr Asseline told Mr Mazieres on the ground he would not use the aircraft's
sophisticated alpha-floor computer system, which automatically boosts the fuel
supply to the engines when its speed, altitude and incline indicate a danger of
stalling.  He also disconnected a secondary system to boost power so he would
have maximum manual control, boasting that he would fly the aircraft at 30m at
low speed, with just enough power to keep the plane at maximum incline without
losing height.  Mr Asseline would then put on full throttle to climb away at a
steep angle, he said.  "You want to show off, huh?", the co-pilot said.

Several times before the critical manoeuvre the crew contemptuously dismissed
visual and aural warnings emitted by the onboard computers.  The pilot
responded to one by saying: "Knock that one off, it's getting on my nerves."

Just before the fly past the co-pilot said: "Right, you're coming down to 100
feet, do it, do it."

"Right, I'm going for it, disconnect the fuel boost system."

"Watch out for the pylons ahead, eh?  You've seen them, yeah?"

"Yeah, yeah, don't worry."

The co-pilot then told the pilot to put on full throttle.  As the aircraft
failed to gain height the pilot was heard to curse.

Neither pilot has been formally accused of causing the crash, although the
transport ministry said a judicial investigation could still bring charges.

Soon after the crash I saw an American TV report on the crash which featured a
so called "COMPUTER EXPERT" (the caption on the screen, no mention of his field
or qualification was made) stating that "if it's pilot error it must be systems
failure", without knowing anything of the architecture of the software.
Obviously there is a risk in trusting experts in a field you know nothing of,
because you (in this case the NEWS service) are inclined to believe them.

Eric Roskos (Risks 7.30) asks, is vibration a common problem in A300's.
I have often experienced the throbbing you refer to, and have noticed that the
wings virtually beat on take off.  I think this is intended or at least seen as
an acceptable side effect of the wing geometry during take off.  In general, I
suspect aircraft maintenance in the US is taken far less seriously than here
and this may be partly to blame.

Michael Pilling (bigm@banana.cs.uq.oz)

------------------------------

Date: 08 Aug 88 15:37:14 EST (Mon)
From: munnari!mimir.dmt.oz.au!rjk@magni
Subject: RISKS of Electronic Cash-registers

Years ago when cash-registers could only add, it was safe.  Nowadays they can
subtract as well, and so cash-register operators can't, and so you lose your
change.  It's been happening to me more and more often over the past couple of
years.  I explain:

Formerly, the cash-register would add up all the prices of the things you
bought, and at the end the operator would hit the `Total' button, and the till
would pop open.  You would proffer your money, and your change would be made up
by counting out coins, then notes, adding to the total price and working up to
the tendered value.  Then you got the docket.

But now, at the end of the sale, the operator punches in your tendered amount,
and the cash register calculates the change, which is then counted out into
your hand in the reverse order -- big notes first, then little ones, then the
coins get balanced delicately on top.  Then you get the docket shoved at you.
The coins slide off the notes in your hand, fall and roll under the checkout
counter.  Gone forever.  Can't give you any more change, till won't balance.
Your own mistake.  Get out of the way, you're holding up the other customers.

Australia has recently been inflicted with a $2 coin, and the old $2 note has
been withdrawn.  The Treasury, in its infinite wisdom, made the coin smaller
than most of the other coins and out of an exceptionally light aluminium alloy,
which made the problem even worse.
I once asked a checkout girl why they had reversed the order of counting out
the change.  She said they were told to do it that way, since they "made less
mistakes" and it was "easier".  Actually, I expect the reason was so that the
supermarket could sweep under the counters and collect all the dropped change.

Robin Kirkham
CSIRO/DMT
rjk@mimir.dmt.oz
(My opinions, only)

------------------------------

Date: Fri, 5 Aug 88 17:19:22 edt
From: steinmetz!welty@uunet.UU.NET (richard welty)
Subject: Computer terminals and dermatology

The following short article recently appeared in Cutis, a journal of
dermatology (I don't know the exact issue.)  A note indicates that the authors
are with the Department of Dermatology, University of Maryland School of
Medicine.  Reprints are available from:

  Dr. Burnett
  Division of Dermatology
  University of Maryland Hospital
  22 South Greene Street
  Baltimore Maryland 21201

This article is reprinted without permission.  Figure 1 (omitted) is merely a
picture of a user and an IBM PC.

---

``Dermatologic Manifestations in Users of Video Display Terminals''

Marline L. Cormier-Parry, MD
Gary V. Karakashian, MD
Joseph W. Burnett, MD

It is not surprising that with new technological advances, new dermatologic
entities also appear.  Rosacea is a cutaneous reaction pattern thought to be
provoked by many factors including foods, alcohol, heat, and cold.  Recent
reports have implicated exposure to video display terminals (VDT) as another
causative factor (Figure 1).  Since the first reports from northern Europe in
1982, when VDT exposure was related to the exacerbation of rosacea, acne,
seborrheic dermatitis, and poikiloderma of Civatte, more recent reports have
appeared (references 1-3).  The symptoms and dermatitis associated with VDT use
are usually paresthesia or pruritus of the upper cheeks or perioral area with
either solitary papules or a fine erythematous papular eruption.
The typical features of most cases of VDT-associated dermatitis were onset of
the eruptions two to three hours after daily use of the VDT, improvement of the
dermatitis on days the unit was not used, and low ambient relative humidity at
the time of the exposure.

VDTs produce several types of electromagnetic radiation.  The cathode ray tube
emits low-energy x-rays.  The phosphor material of the screen emits
ultraviolet, visible, and infrared radiation.  The electronic circuits produce
radiofrequency and very-low-frequency radiation.  Most electrical and
electronic equipment can generate ``electrical noise,'' a low-level,
broad-spectrum electromagnetic radiation.  To date, no adverse biological
effects in humans have been documented from these electromagnetic fields and
the level of radiation emitted is far below the occupational standards set by
federal authorities (references 2-4).

The electrostatic fields, however, are more likely to be the causative agent of
VDT dermatitis.  Electronic fields are noted around most VDTs at low humidity
and tend to disappear at higher humidity (reference 5).  Most cases of VDT
dermatitis have occurred in northern Europe and during the winter months, when
the relative humidity is less than 40 percent.  Further evidence for this
hypothesis comes from observations that when the electrostatic fields were
reduced, operators' dermatitis and other symptoms were also reduced.  Whether
this is a direct effect of the field itself or an irritant dermatitis from
airborne particles is unknown.  Several female operators have reported the
deposition of their makeup on the VDT screens at the end of a working day.
However, the deposition of volatile and particulate air pollution on the skin
can be induced by electrostatic field charge (reference 2).  Furthermore, there
have been several reports of patients who were able to prevent the dermatitis
by the use of physical blocking agents, such as titanium dioxide or Duoderm.
Recently, computer manufacturers have introduced VDTs that have no static
electric fields as a means of preventing dermatitis.  Electrostatic shields are
also available and widely used in northern Europe.  The shield, which is placed
in front of the VDT screen, becomes conductive at relatively low humidity and
thus eliminates the static field.  Improvement with these shields, however, is
usually temporary since their conductivity diminishes with time.  In the United
States, the use of a skin-colored ``sun-block'' cream containing 2 percent
titanium dioxide with iron oxides was recommended.  It showed some success in
preventing VDT symptoms and the associated dermatitis (reference 4).
Improvement in some Norwegian cases was noted after the substitution of
antistatic floor carpeting in the work area (reference 3).

References

1. Liden C, Wahlberg JE: Work with video display terminals among office
   employees.  _Scand J Work Environ Health_ 11: 489-493, 1985.
2. Berg M, Liden S: Skin problems in video display terminal users.
   _J Am Acad Dermatol_ 17: 682-684, 1987.
3. Nilsen A: Facial rash in visual display unit operators.
   _Contact Dermatitis_ 8: 25-28, 1982.
4. Fisher A: ``Terminal'' dermatitis due to computers (video display units).
   _Cutis_ 38: 153-154, 1986.
5. Berg M, Langlet I: Defective video displays, shields, and skin problems.
   _Lancet_ 1(4): 800, 1987.

--
richard welty  518-387-6346
GE R&D, K1-5C39, Niskayuna, New York
welty@ge-crd.ARPA  {uunet,philabs,rochester}!steinmetz!welty

------------------------------

Date: 2 Aug 88 08:43:51 PDT (Tuesday)
From: Rodney Hoffman
Subject: Computer System Vulnerabilities

RISKS Moderator Peter Neumann has an op-ed piece in the August 2 Los Angeles
Times with the headline

  A GLITCH IN OUR COMPUTER THINKING
  We Create Powerful Systems With Pervasive Vulnerabilities.
Although they are overly-familiar topics to RISKS readers, I trust the
moderator will permit a few quotes:

  Our civilization seems to have developed an inherent craving for easy
  answers, especially regarding technology.  In particular, we tend to
  anthropomorphize computers and endow them with human intelligence -- while
  at the same time we deify them and endow them with infallibility....

  One of the most serious problems in computer-related systems is the
  inadequate protection of such valuable resources against unintended or
  malevolent misbehavior by authorized as well as unauthorized computer users
  -- and against malfunctions of the computer systems....

  [Brief mentions of computer-related problems at Pacific Bell, NASA, banks,
  the Vincennes, false arrests....]

  Computers and their communications are frequently vulnerable, but they are
  also limited by the intelligence and wisdom of their developers,
  administrators and users.  It is a common myth that the complexity of such
  systems deters malfeasants.  In fact, the attackers may understand the
  system better than many of the defenders.  Digital technology is inherently
  finite -- there are only certain possible cases.  The number may be large,
  but often there are shortcuts that eliminate the need to search exhaustively
  for a needed clue -- password, design flaw or code bug....

  There are no guaranteed complete solutions that can prevent computer-system
  malfunctions, intrusions and both accidental and malevolent misuse.  But
  there are prudent measures that can be taken to reduce the risks.  [Better
  design and implementation, better laws, ...]  Above all, we must have a
  computer-literate populace -- better educated, better motivated and more
  socially conscious.

  Computer security vulnerabilities are pervasive, but they are not usually
  evident to the general public.  Depending on flawed computer systems will
  lead only to bigger disasters.
  Overall, we must work much harder to understand and openly consider the true
  risks of using computers.

------------------------------

Date: Wed, 3 Aug 88 21:59:02 PDT
From: cliff@Csa4.LBL.Gov (Cliff Stoll)
Subject: Disaster Exposition

Hi Riskees!

Last month's Computer Assurance conference -- COMPASS '88 was a gas -- really
good talks on electronic voting systems, computer assisted automotive problems,
fly-by-wire risks, and averting computer domino effects.  Our illustrious hero,
Peter Neumann, gave a couple outstanding talks.  For those of you who haven't
met him, he's just as quick with puns behind the podium as when moderating our
forum.

COMPASS dealt with averting disasters.  On the flip side is the 1988
International Disaster Congress, Nov 9-11, in Chicago.  Sounds weird to me:
"How was your meeting?"  "Complete disaster."

It sounds neat, but I can't afford $675 admission, so if any of you Riskees are
going, could you post your notes to Risks?

Keynote Speaker: Edward Teller (inventor of the H Bomb, promoter of Star Wars)
  "Gaining a Global Perspective of Disaster Control"

Some session titles:
  Prior Planning for "Acts of God"
  Foreseeing Deliberate Acts of Violence
  Anticipation of Technology's Catastrophes
  Identifying Beforehand the Impact of Epidemics
  Success Stories of Disaster Preparedness
  Implemented Programs for Minimizing Natural Disaster Impact
  Preventive Approaches to Controlling Deliberate Violence
  Ventures for Mitigating Technological Accidents
  Restraining Threats of Mass Disease
  Sustaining Corporate Morale in Midst of Nature's Attack
  Allocating Resources while under Siege
  Damage Control at Accident Scenes
  Minimizing the Spread of Current Epidemics
  Cleanup Following Natural Disaster
  Recovery from Violence Induced Calamity
  Post Exposure Measures for Restoring Health
  Timely Action following International Incidents
  Eliminating All Effects of Sustained Disaster
  Replacing Resources Destroyed by Natural Catastrophe
  Restoring Order from Chaos of Deliberate Violence
  Total Recuperation from Epidemic
  Recovery Through Repossession and Reparations

Speakers are from:
  Bay Area Earthquake Preparedness Project
  Univ. Rome
  Univ. Delaware
  Emergency Preparedness Council of Canada
  Int'l Assoc of Fire Chiefs
  Cincinnati Hazardous Materials Task Force
  Maryland Institute for Emergency Medical Services
  Disaster Services for American Red Cross
  National Governor's Association
  California National Guard
  Association of American Railroads
  Armed Forces Institute of Pathology
  Israeli National Police
  Association of Contingency Planners
  American Savings/Loan
  Federal Insurance Administration

Also, there'll be a Disaster Exposition, "A showing of products for
anticipating, coping with, and recovering from disaster."  Yikes -- what do you
think they sell to recover from one of Teller's thermonuclear bombs?

Registration/Details: Kotch & Poliak, 708 3rd Ave, NYC, 10017   212 557 6950

Cheers,
Cliff Stoll   Cliff@lbl.gov

------------------------------

End of RISKS-FORUM Digest 7.31
************************