RISKS-LIST: RISKS-FORUM Digest  Wednesday 17 August 1988  Volume 7 : Issue 36

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Package-deal arguments about VDT's (Philip E. Agre)
  Blue Cube new software problems (Randy Neff)
  Zero-balance dunning letter (Jerome H. Saltzer)
  Chicago Disaster Conference (Lee S. Ridgway)
  Car Electronics sensitive for atmospheric interference (Martin Minow)
  1 in 10 NATO software modules reported incorrect (Jon Jacky)
  Mathematical Error Puts Deficit off by $1.2 billion (PGN)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Mon, 15 Aug 88 17:31 EDT
From: Philip E. Agre
Subject: Package-deal arguments about VDT's

When someone reports on the downsides of a technological artifact, they are often labeled an `anti-technologist'.  They are then rhetorically asked if they would prefer a world without electric lights and antibiotics.  We might call this a `package-deal argument'.  It presents a monolithic entity called `technology' and, by asking `are you for it or against it?', demands either wholesale acceptance or wholesale rejection.

This technique can also be used on a smaller scale.
If someone has been injured by working with a computer, one can make a package deal of a monolithic entity called `computers' and say things like, to quote Brint Cooper in RISKS 7(35), "Risks of using computers must be assessed against the risks of not using computers."

Frequently such arguments draw subtly bogus analogies to older, `lower' technologies so as to portray the complainers as irrationally biased against novelty and change.  Thus,

    All my life, I have known people who read a great deal in their childhood and wound up with extreme nearsightedness.  I knew a chap who repaired small timepieces most of his life and, in his 60's was nearly blind.  No one suggested that books and precision repair are risky to one's vision.

Note the monolithic entities called `books' and `precision repair'.  Do `books' cause nearsightedness?  Does `precision repair' cause blindness?  That's not the point.  `Books' and `precision repair' don't `do' anything, any more than computers `do' things.  What happens when people read books, repair watches, or sit at VDT's depends on the context in which they do it.

When a human being is maimed at work, it is a complex social phenomenon.  If `technology' can send people to the moon and keep track of huge inventories, then `technology' can alleviate occupational hazards.  Technology is a tool.  The point about occupational visual damage connected to employers' workplace practices regarding VDT's concerns the economics of industries that use computers.  Do market forces encourage employers to protect employees or to destroy them?  The answer to this question has varied at different places and times, but very often the answers have been sad ones.

Cooper is certainly correct that proper epidemiology is required with regard to complaints of eye damage resulting from jobs involving VDT use.
I worry, though, that in the context of Cooper's rhetoric, his painfully ironic demand that these studies be `multiply blind', although perhaps methodologically justified, might reflect a worldview in which `technology' is under attack from `anti-technologists' who set up Video Display Terminal Eye Clinics in order to generate pseudo-epidemiological propaganda.  This Manichean sort of approach to debates about workplace organization is not going to help in hearing the complaints of the maimed or in making offices and factories into human places to work.

------------------------------

Date: Mon, 15 Aug 88 21:13:27 pdt
From: neff@anna.STANFORD.EDU (Randy Neff)
Subject: Blue Cube new software problems

From San Francisco Chronicle, Friday, Aug 12, 1988, pages 1 and A22 (without permission and condensed)

    New Pentagon Satellite System Having Troubles
    by John Schneidawind, Chronicle Staff Writer

A program to renovate the Pentagon's super-secret "Blue Cube" satellite-control system in Sunnyvale is way over budget and behind schedule, according to a recent congressional report.

The General Accounting Office estimates that the Air Force program's costs, originally pegged at about $600 million in 1980, have ballooned to $1.4 billion and could rise an additional $450 million before the project is completed.

The Blue Cube, a top secret computer facility at Onizuka Air Force Base, just off Highway 101 and Mathilda Avenue, controls satellites transmitting the nation's most vital military and intelligence secrets.  [also next to Navy's Moffett Field, NASA Ames Research, and Lockheed.]

The GAO report was issued last Friday [Aug 5], but so far has been distributed to only a handful of military experts.  The Chronicle obtained a copy of the report.

The project's problems include glitches in computer software being developed to process the tremendous amounts of data generated by communications satellites orbiting the Earth.
According to the GAO report, the new system originally was supposed to handle 5 million bits of data per second, but it will be able to handle only about 1 million.

The project was originally scheduled to be completed in October 1987 and was to have included a facility in Colorado Springs that would help control the satellites.  The arrangement would have allowed Sunnyvale and Colorado Springs to function as backup operations for each other.  But the GAO says software problems have pushed the completion of the project to 1989 at the earliest.

"(The) Defense (Department) considers Sunnyvale to be vulnerable to failures from earthquakes or other threats such as direct military attack," the GAO report notes.

Officials at the Air Force's Space Command in El Segundo, which oversees operations at the Cube, were not available for comment yesterday.  Officials from IBM Corp.'s Federal Systems Division in Bethesda, Md., which built the new computer equipment and software, also could not be reached.

The space shuttle is about to return to service, and the main priority will be to put dozens of military satellites into orbit.  But unless problems with the new satellite control systems are corrected, the extra satellites could create capacity problems that may disrupt the Blue Cube's existing satellite control system, the GAO report implies.

The Blue Cube -- so named because it is housed in a turquoise-colored building -- is maintained under contract by Lockheed Missiles and Space Co.  According to the GAO, the facility monitors and controls 54 orbiting satellites that provide critical defense communications, navigation, surveillance and weather information.  [more on what satellites do]

However, some of the computer technology used to monitor and control orbiting satellites is more than 20 years old, and the Air Force since 1980 has been trying to come up with a new system.
So great are the problems with the new system that the Air Force has yet to fully test it successfully, let alone make it fully operational, the GAO report states.  As of February 1987, the GAO says, "the new system was averaging only a 69.6 percent success rate in performing satellite contact functions, where 95 percent success is the minimum requirement."  The Air Force has told the GAO that the success rate is now 90 percent.

------------------------------

Date: Tue, 16 Aug 88 10:41:33 EDT
From: Jerome H. Saltzer
Subject: Zero-balance dunning letter

Just in case anyone thought those stories about dunning letters for zero balances are apocryphal, yesterday's mail from Bloomingdale's provided a certifiable example:

    Dear Mrs. Saltzer

    A review of your account shows the amount below to be past due.  If you feel that this amount is incorrect, please enclose a remittance for the correct amount and give us an explanation of the deductions on the reverse side of this letter.  Otherwise we shall expect payment in full of the amount due.

    We would appreciate your prompt attention to this matter.  Thank you.

    Very truly yours,
    K. George
    Divisional Credit Mgr.
    212-239-0374

    Amount due     $******.00

Since the letter seemed very sincere and it requested prompt action, I immediately called the computer-printed telephone number, and reached a recording, which said, "The number you have reached, 239-0374, has been disconnected.  No further information is available about 239-0374."

The people in Bloomingdale's customer service department were profusely apologetic; "That letter should never have gone out."  "The credit department moved to a new location about a month ago."  Apparently the computer hasn't found out about the move yet, and NY Telephone has already forgotten about it.

Jerry

------------------------------

Date: Tue, 16 Aug 88 11:06:12 EDT
From: "Lee S. Ridgway"
Subject: Chicago Disaster Conference

A boxed article in this morning's Boston Globe (8/16/88) noted that a conference on disasters, slated for Chicago's McCormick Place in November, had to be cancelled by its organizers due to lack of interest.

  [UPI in San Francisco Chronicle, 16 Aug 88 quoted the PR firm representative representing the organizers: ``It is absolutely amazing, given the things that have happened recently...''  ``Canceling this is a bit of a disaster itself.''  ...  PGN]

------------------------------

Date: 16 Aug 88 11:01
From: minow%thundr.DEC@decwrl.dec.com (Martin Minow)
Subject: Car Electronics sensitive for atmospheric interference

From the Stockholm daily newspaper, Dagens Nyheter, 27-Jul-1988.  [My quick translation.  My notes are in brackets.]

    Danger of Sensitive Car Electronics
    by Anders Lundqvist

Sensitive automobile electronics may be the explanation of the mystery of "sudden acceleration."  Interference in the atmosphere or a poor environment under the hood can be sufficient to affect the electronics so that the car unexpectedly speeds away out of control.

This theory was brought forth by the [Swedish Government] Traffic Safety Board [TSV], which is worried about the development of electronics in cars.  "The development can be questioned.  What are the needs?  The engine compartment is a difficult environment for electronics; and how well are the components isolated?" wonders Bo Jarleryd at TSV.

Mats Gunnerhed, a departmental director at the National Defense Research Institute [FOA -- a Swedish equivalent of Mitre] has studied the problem of sudden acceleration in cars since the summer of 1987.  One explanation is, according to Gunnerhed, that the circuit board for the automatic speed control can be easily damaged [in such a way that the device forces full acceleration.  Gunnerhed demonstrated that a break in a single circuit-board trace can cause this problem.  There was a note on this in a recent Risks.]  ...
But "sudden acceleration" has even been seen in cars without automatic speed controls, which caused TSV to become interested in all electronic equipment.

"Scientific reports from Japan show that robots have killed 8 or 9 people because of errors in the electronics.  Interference from nearby machines has affected the robot's microprocessors," says Bo Jarleryd.

"The question is how sensitive automobile electronics and their microprocessors are?  We have received several reports from drivers whose automatic speed controls have turned off when they are in the vicinity of Arlanda [Stockholm's airport].  This suggests that atmospheric interference in an area with many radio [and radar] transmitters may be sufficient to halt the electronics."  [quote not attributed.]

Sudden acceleration cannot be associated with a single brand of automobiles.  However, Audi has been associated with a number of accidents where the car has unexpectedly sped away.  One accident occurred in Stockholm about two years ago where a car rushed up on the sidewalk and drove over two pedestrians, causing the death of an older woman.  The police examination couldn't find anything wrong with the car.

Nor could anyone in the United States find any technical problem with the 800 cars that were involved in accidents caused by sudden acceleration up to January 1987.  In any case, Audi in the USA decided to recall 250,000 cars in the 1978-1986 model years with automatic transmissions to add an interlock in the transmission that required the driver to step on the brake before putting the car in drive, even though the problem was, and still is, unsolved.

Even Ford, GM, Volvo, Saab, and Mercedes have had problems since the 1970's.  The American government decided on Monday [25-Jul-1988] to examine a total of 215,000 German-built Mercedes Benz in the 1984-1988 model years with gasoline motors and automatic transmission.
This is due to an alarm raised by the "Center for Automobile Safety" on "sudden acceleration" in the cars.  According to the group, 164 reports of sudden acceleration of Mercedes Benz have come in.  125 accidents were reported, resulting in 46 injured and one death.  According to Philipsons, the importer of Mercedes Benz in Sweden, this is primarily the 300E model with automatic speed control.

[I think there's an old Risks item noting a "sport" played by truckers with high-powered CB radios, where they zap cars trying to pass them, causing their electronic fuel injection to fail.  Also, note a recent Risks I posted about the recall to fix the automatic speed control in my Volvo.]

[Translated by Martin Minow, minow%thundr.dec@decwrl.dec.com]

------------------------------

Date: Tue, 16 Aug 88 08:47:06 PDT
From: jon@june.cs.washington.edu (Jon Jacky)
Subject: 1 in 10 NATO software modules reported incorrect (COMPASS '88 report)

I attended COMPASS '88, held June 27 - July 1 at the National Bureau of Standards in Maryland.  COMPASS (for "Computer Assurance") is an annual meeting devoted to the safety and security aspects of computer systems.

John Cullyer from the Royal Signals and Radar Establishment (RSRE), the central electronics research laboratory of the UK Ministry of Defence (MOD), gave a paper on his group's VIPER microprocessor, a 32-bit RISC chip designed for safety-critical applications.  The VIPER project fits into a larger computer safety program at RSRE, and Cullyer tried to convince the audience of the necessity for developing systems with a great deal of mathematical rigor.

Cullyer explained that RSRE's safety program derived from MOD's concern over the integrity and safety of its computer-based weapons and vehicles.
RSRE performed a study of NATO software in the early 80's, using a static analysis technique in which a program is represented as a directed graph, various expressions are associated with the arcs, and conclusions regarding correctness are derived from them.  (Several automated tools based on the RSRE work are on the market, including MALPAS from Rex, Thompson and Partners, and SPADE, from Program Validation Ltd.  Cullyer said a similar idea was behind an American tool called DAVE.)

Of the modules (a program is composed of many modules) which RSRE sampled from the NATO inventory, 1 in 10 were found to contain errors, and of those, 1 in 20 (or 1 in 200 overall) had errors serious enough to result in loss of the vehicle or plant!  About the same findings were made whether the code came from Britain, the USA, or West Germany.

But the MOD was really roused by several "near-miss" accidents which Cullyer said he was not permitted to discuss.  He mentioned in conversation that one incident involving "general ordnance" might have resulted in hundreds of deaths.  A military board of inquiry determined that computer problems were at fault.  Studies determined that incidents derived with approximately equal frequency from three kinds of problems: incorrect or incomplete specifications, errors in programs, and "unexpected functionality" from microprocessors.  This last item came as a bit of a surprise; what it meant was that the processor as delivered simply did not behave as described in its assembly language programming manual.  VIPER is an attempt to address this problem.  The project was felt to be so urgent that it was funded within 48 hours of submission.

Cullyer closed his talk with a warning: "I don't think we have all persuaded our bosses that there is a problem.  If we do not implement these methods, there will be a lot of accidents and a lot of people will die.  If we do implement them there will still be accidents, but we will limit the casualties."
He also mentioned that new MOD software procurement standards (which he helped draft) will require formal development techniques for critical software.  He added that he thought British law and tradition were more protective of people and sensitive to safety concerns than in the USA.  For example, MOD regulations explicitly prohibit any cost saving that might increase hazard to life -- you are not allowed to trade lives off against money.

(This is an excerpt from a report on COMPASS '88 that will appear in the October issue of ACM SOFTWARE ENGINEERING NOTES.  The conference proceedings including Cullyer's paper on VIPER are available for $30.00 from COMPASS '88, PO Box 5314, Rockville, MD 20851.)

- - Jonathan Jacky, University of Washington

------------------------------

Date: Wed 17 Aug 88 16:48:47-PDT
From: Peter G. Neumann
Subject: Mathematical Error Puts Deficit off by $1.2 billion

WASHINGTON (AP) -- A $1.2 billion mathematical error by the Reagan administration in calculating the size of next year's federal deficit could spark a fight within Congress when lawmakers return to the capital next month.  The mistaken estimate, which under the Gramm-Rudman balanced-budget law cannot be rectified, is preventing the spending of $1.2 billion at a time when legislators are struggling to decide which among several competing spending bills they will pass.  ...  OMB first made the error when calculating the rate of spending in a foreign military sales program in an August 1987 deficit report...

  [From the San Jose Mercury News, 17 August 1988]

------------------------------

End of RISKS-FORUM Digest 7.36
************************
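Editorial note on Jon Jacky's COMPASS '88 item in this issue: the RSRE static-analysis technique he describes (a program represented as a directed graph, expressions associated with the arcs, conclusions about correctness derived from them) is easier to grasp with a small working checker. The Python below is an added illustration, not code from RSRE, MALPAS, SPADE or DAVE, and not part of the digest. Its arc notation, the sample module and its node and variable names are all constructed for the example. From the graph it derives three kinds of conclusion: nodes no path from the entry reaches (dead code), live nodes from which the exit can never be reached (an inescapable loop), and arcs that read a variable not assigned on every path from the entry (a possibly uninitialised read, found with a forward "must" dataflow that intersects facts over incoming arcs).

```python
"""Toy path-analysis checker for a program expressed as a directed graph.

Added example, not RSRE/MALPAS/SPADE/DAVE code.  A module is a list of nodes
(program points) and arcs (src, dst, label); the label says what happens on
that transition, in a notation constructed for this example:

    ("assign", target, reads)   target := expression over variables `reads`
    ("guard", reads)            taken only if a condition over `reads` holds
    ("skip",)                   unconditional transition
"""
from collections import deque


def _adjacency(arcs, reverse=False):
    """Map node -> successors (or -> predecessors when reverse=True)."""
    adj = {}
    for src, dst, _label in arcs:
        a, b = (dst, src) if reverse else (src, dst)
        adj.setdefault(a, []).append(b)
    return adj


def _reachable(start, adj):
    """All nodes reachable from `start` through the adjacency map."""
    seen, work = {start}, deque([start])
    while work:
        n = work.popleft()
        for m in adj.get(n, []):
            if m not in seen:
                seen.add(m)
                work.append(m)
    return seen


def _reads(label):
    """Variables read on an arc."""
    if label[0] == "assign":
        return set(label[2])
    if label[0] == "guard":
        return set(label[1])
    return set()


def definitely_assigned(nodes, arcs, entry, inputs):
    """Forward 'must' dataflow: for each node, the variables assigned on EVERY
    path from entry to it.  Start optimistic (every variable) and intersect
    over incoming arcs until stable; sets only shrink, so this terminates."""
    every_var = set(inputs)
    for _s, _d, label in arcs:
        every_var |= _reads(label)
        if label[0] == "assign":
            every_var.add(label[1])
    da = {n: set(every_var) for n in nodes}
    da[entry] = set(inputs)            # only the inputs are known at entry
    changed = True
    while changed:
        changed = False
        for n in nodes:
            incoming = [arc for arc in arcs if arc[1] == n]
            if n == entry or not incoming:
                continue
            new = None
            for src, _d, label in incoming:
                contrib = set(da[src])
                if label[0] == "assign":
                    contrib.add(label[1])
                new = contrib if new is None else new & contrib
            if new != da[n]:
                da[n], changed = new, True
    return da


def check_module(nodes, arcs, entry, exit_node, inputs=()):
    """Derive correctness findings from the graph; returns a list of tuples."""
    findings = []
    live = _reachable(entry, _adjacency(arcs))
    can_exit = _reachable(exit_node, _adjacency(arcs, reverse=True))
    for n in nodes:
        if n not in live:
            findings.append(("unreachable", n))          # dead code
    for n in nodes:
        if n in live and n not in can_exit:
            findings.append(("no_path_to_exit", n))      # cannot terminate
    da = definitely_assigned(nodes, arcs, entry, inputs)
    for src, _dst, label in arcs:
        if src in live:
            for v in sorted(_reads(label) - da[src]):
                findings.append(("possibly_uninitialised", v, src))
    return findings


# Constructed sample module: `total` is assigned only on the n > 0 branch,
# node "spin" loops on itself with no way out, and "dead" has no incoming arc.
SAMPLE_NODES = ["entry", "A", "B", "C", "spin", "exit", "dead"]
SAMPLE_ARCS = [
    ("entry", "A", ("guard", ["n"])),                # n > 0
    ("entry", "B", ("guard", ["n"])),                # n <= 0
    ("A", "C", ("assign", "total", ["n"])),          # total := n
    ("B", "C", ("skip",)),
    ("B", "spin", ("guard", ["n"])),                 # n == 0
    ("spin", "spin", ("skip",)),
    ("C", "exit", ("assign", "result", ["total"])),  # result := total
    ("dead", "exit", ("skip",)),
]


def check_sample():
    return check_module(SAMPLE_NODES, SAMPLE_ARCS, "entry", "exit", inputs=["n"])


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

On the sample, the checker reports the dead node, the inescapable loop at "spin", and the read of `total` on the arc leaving "C", which is exactly the class of "error in program" a tool of this kind surfaces without executing the code. The dataflow is deliberately the simple lattice version: it says nothing about what the guard conditions mean, so a path that is logically infeasible still counts, which is why such tools over-report rather than under-report.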