RISKS-LIST: RISKS-FORUM Digest   Saturday 24 September 1988   Volume 7 : Issue 57

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Faulty locks delay prison opening (Henry Cox)
  In the future, risks of purchasing handguns (Alan Kaminsky)
  Olympian RISKS (Henry Cox)
  [Another Willamette] Sewage Spill Linked to Computer (Nike Horton)
  Keep backups, risk job (James F. Carter)
  Computer failure shuts down several thousand telephones (Vince Manis)
  LA Times photo of humorous credit card maybe not so funny (Michael Coleman)
  Risks of Cellular Phones? (Chuck Weinstock)
  Auto Computer Risks (Chuck Weinstock)
  Volvos and Electromagnetic Interference (Bill Welch)
  Scientific Safety (B. Littlewood)
  Computer Defaults (The Mental Tyranny of Cash Registers) (Stephen Rickaby)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
"Subject:" line (otherwise they may be ignored).  REQUESTS to
RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Thu, 22 Sep 88 19:59:46 edt
From: Henry Cox
Subject: Faulty locks delay prison opening

LOCKS THAT WORK ARE KEY TO OPENING OF NEW JAIL
Montreal Gazette, 22 Sept 1988

Placerville, Calif. (AP) - The new El Dorado County jail would be ready to
open except for one problem: the cell doors won't lock.

Faulty electronics have affected the high-technology locks, along with
television monitors and a communication system, jail commander Ed Newman
said.

"These are very dramatic problems," said Newman, adding that 13 flawed
electronic panels are "literally the hands and feet of the officers."

The panels have been shipped to a Maryland electronics company to be reworked
and won't be back for three weeks.

The jail's design relies on a central control post from which guards can
electronically open and close cell doors, communicate with prisoners and
operate lights.

The jail's contractor is paying a daily penalty of $1250 to compensate for
the delays, county general services director Joe Winslow said.

[ Kidding aside, one hopes that the jail's designers were/are aware of the
  risks inherent in such a centralized system.  Perhaps we ought to mail them
  a few back issues of RISKS. ]

   [Don't kid yourself.  There are equally nasty risks with distributed
   control.  PGN]

------------------------------

Date: Thu, 22 Sep 88 09:24:02 EDT
From: ark%asgard@CS.RIT.EDU
Subject: In the future, risks of purchasing handguns

An excerpt from Time Magazine, September 26, 1988, p. 26.

"Why Wait a Week to Kill?  The gun lobby overwhelms an attempt to restrict
handguns."

[...The article begins with a description of the Brady Amendment that would
have required gun dealers to wait seven days before completing a handgun
sale, so police could do an identity check on the purchaser.  The National
Rifle Association lobbied hard against the amendment, and the House of
Representatives defeated it, 228 to 182.  Now for the computer risk...]

"Florida Republican Congressman Bill McCollum Jr. offered a way out of the
quandary.  He proposed replacing the waiting-period requirement with a
provision to give all 275,000 federally licensed gun dealers in the U.S.
instant access to a nationwide list of convicted felons.  Prospective gun
buyers could be fingerprinted and the samples sent electronically to
Washington for an instantaneous check against the FBI's millions of prints.

"But there is no master list of convicted felons, no way to make such data
quickly and widely available, and no speedy means of sending and matching
fingerprints.  A network to provide such information could take years to
create and cost up to $500 million; making it available to gun dealers could
violate civil liberties.  Beyond that, McCollum's system would not prevent
gun sales to illegal aliens and the mentally ill.

"Still, a majority of House members reached for this fig leaf.  They voted to
kill the Brady amendment and replace it with McCollum's phantom plan. ..."

Just imagine what could go wrong if this legislation ever got past the Senate
and the President, and such a system were implemented ...

Alan Kaminsky
School of Computer Science, Rochester Institute of Technology
P.O. Box 9887, Rochester, NY 14623
716-475-5255

------------------------------

Date: Thu, 22 Sep 88 19:57:51 edt
From: Henry Cox
Subject: Olympian RISKS

ROOF RIPS AGAIN      [ From the Montreal Gazette, 9 Sept. 1988 ]

The Olympic Stadium's fabric roof suffered yet another rip yesterday - this
one three meters long.  [ I have no idea how many other rips there have
been. ]

The Olympic Installations Board said in a statement it was disappointed by
the mishap, which happened during tests of the roof's automatic retracting
mechanism, because workers had got the roof-opening procedure down to below
one hour.

The board said computer controls on one winch weren't working, placing uneven
tension on the fabric.  Repairs should be done by tomorrow.

[ Not a great story, but, after legendary cost overruns, an Olympic deficit
  that we are *still* paying off, and a roof that finally came 12 years late
  (and at approximately the cost of a *complete* covered stadium), I thought
  the Stadium roof deserved a mention in RISKS. ]

Henry Cox

------------------------------

Date: Thu, 22 Sep 88 09:42:36 PDT
From: Nike Horton
Subject: Sewage Spill Linked to Computer  [BTW, See RISKS-7.7]

SPILL LINKED TO COMPUTER
The Oregonian (Portland, OR) Sept 22, 1988 page B2

A computer programming error combined with a burned-out wire led to a sewage
spill into the Willamette River this week, said J. Michael Read, supervisor
of the Tri City Service District.

District technicians estimated Wednesday 1.5 million gallons of sewage
spilled into the Willamette near the mouth of the Clackamas River late Monday
and early Tuesday, Read said.  The district serves about 40,000 persons in
Oregon City, West Linn and part of Gladstone.

The state Department of Environmental Quality lifted its warning to stay out
of the river below Willamette Falls at 7am Wednesday.

While the burned-out wire stopped the sewage treatment pumps, he said, a
programming error kept an automatic telephone dialing mechanism from
signaling anyone that the machinery wasn't working, Read said.

District employees will be checking other alarms to see if any similar
problems exist in the system, which is less than 2 years old, Read said.

A back-up alarm, which was being installed at the time of this week's spill,
may be operating by the end of the week, the supervisor said.

   [Readers may recall earlier sewage spills into the Willamette River, also
   blamed on the computer, and noted in RISKS-7.7 in a contribution from
   Randal L. Schwartz:

     June 1988: "Sewage flows into river; computer failure blamed" -- The
     five-hour spill from the Sullivan Pump Station poured about 5.4 million
     gallons into the Willamette River downtown.

     June 1985: Another computer failure caused the dumping of more than 3
     million gallons of raw sewage into the Willamette from the same pump
     station.

   Perhaps that is a new meaning for "garbage in, garbage out."  PGN]

------------------------------

Date: Fri, 23 Sep 88 09:07:48 PDT
From: jimc@math.ucla.edu
Subject: Keep backups, risk job

From Los Angeles Times, 9/23/88, page 1 (Mark Gladstone and Paul Jacobs,
Times Staff Writers):

"The day after the FBI raided [state] Capitol offices last month, a
legislative employee noticed a tenfold increase in the purging of documents
from the legislative computer system and acted quickly to save the material
...  Paul Huelskamp, who works in the legislative data center, confirmed that
he and co-worker Michael E. Parr were suspended by the legislative counsel's
office pending the outcome of an internal investigation.

"Parr, a 15-year state employee and a data processing supervisor, refused an
order by his superiors to erase the computer tapes, feeling it would be
construed as an obstruction of justice, Huelskamp told The Times. ...

"Instead of the typical 70 to 80 computer deletions, Huelskamp discovered 750
to 800.  The employee quickly extended the life of backup tapes until the end
of the year.  Normally, they would have been automatically erased after 14
days.  'I thought it might be useful for the FBI,' said Huelskamp ...

"The GOP sources said that the caucus staffers, aware it is illegal to
conduct political campaigns with public resources, were worried that FBI
agents would discover the material in the state computer. ...

"The legislative counsel, according to the source, ordered the internal
investigation because he felt the traditional lawyer-client relationship may
have been violated by the employees.  The legislative counsel is the lawyer
for the legislature and also controls the computer system."

[Disclaimer: Opinions herein are mine and are not to be construed as
representing those of The Regents of the University of California.]

James F. Carter            (213) 825-2897
UCLA-Mathnet;  6608B MSA; 405 Hilgard Ave.; Los Angeles, CA  90024-1555

------------------------------

Date: Thu, 22 Sep 88 11:38:52 PDT
From: manis@grads.cs.ubc.ca (Vince Manis)
Subject: Computer failure shuts down several thousand telephones

According to a story in yesterday's Vancouver Sun, a failure at a telephone
switching centre caused several thousand phones in an area on the west side
of Vancouver to be inoperative for about 1 hour.  Apparently, the phones
would accept incoming calls (and ring), but would not permit outgoing calls
to be made (including, one assumes, 911 calls).  There was no report of any
personal injury or loss as a result of the outage.

A BC Telephone Co. spokesperson said that the failure was due to a `computer
bug', but couldn't be more specific.  The centre in question serves a number
of exchanges, but only part of one exchange was affected.

Vincent Manis, Department of Computer Science, University of British Columbia
Vancouver, BC, Canada V6T 1W5                             manis@cs.ubc.ca

------------------------------

Date: Thu, 22 Sep 88 12:49:35 PDT
From: coleman@CS.UCLA.EDU (Michael Coleman)
Subject: LA Times photo of humorous credit card maybe not so funny

(Reproduced without permission from the Los Angeles Times, 9/22/88)

Citibank Visa Gives Credit Where Credit Isn't Due
by Douglas Frantz, Times Staff Writer

Doris A. Stokes applied for a Visa credit card from Citibank over the
telephone a few weeks ago.  When a Citibank employee asked Stokes if she
wanted a second card for another family member, she replied, "Maybe later."

Her shiny new Citibank Visa card arrived at Stokes' Los Angeles home this
week.  So did one for Maube Later.

"I brought it down to work, and everybody here was in tears laughing so hard
about it," said Stokes, an administrative assistant at the Los Angeles Junior
Chamber of Commerce.

The response was more subdued at the New York headquarters of Citibank, the
nation's largest bank and the world's biggest issuer of Visa and MasterCard
credit cards.

"Are you serious?" asked Susan Weeks, a bank spokeswoman in New York, when
the incident was described to her.  Assured that the talk was true, she
groaned, "Oh, no."

(rest deleted)

(Appearing above the article is a large picture of a smiling Doris A. Stokes
holding a Citibank Visa with the name Maube Later.)

While the story itself is somewhat amusing, I wonder more about the wisdom of
using that particular picture.  In it we can clearly see everything on the
card, including the number (xxx8 140 851 226), except for the first three
digits, which are obscured by Stokes' finger.  This apparently is to keep
someone from using this information for illegal ends.  But wait, if Citibank
is "the world's biggest issuer of Visa ... cards", perhaps I have one lying
around.  Here it is: the bank number (the first four digits) is 4128.  Oops.

------------------------------

Date: Mon, 19 Sep 88 10:14:00 EDT
From: Chuck Weinstock
Subject: Risks of Cellular Phones?

While discussing radio triangulation last night, the question came up: If I
dial a phone number attached to a cellular phone, how does the cellular
system know which cell should send the ring signal to the phone?  Is it a
system wide broadcast, or does the cellular phone periodically broadcast a
"here I am" signal?  If the latter, a less than benevolent government (or
phone company for that matter) could use that information to track its
citizens' cars' whereabouts.  In an industrial setting, a competitor with
access to the right information could track a sales rep's sales calls to
develop a client list.

Chuck Weinstock

------------------------------

Date: Mon, 19 Sep 88 10:09:06 EDT
From: Chuck Weinstock
Subject: Auto Computer Risks

On occasional Sundays I participate in time-speed-distance (TSD) road
rallies.  The object is to follow a course (on public streets) driving it at
exactly the right speed as given by the instructions.  Your car is timed as
it passes certain points not known to you in advance, and you are assessed a
penalty for every 1/100th of a minute you are early or late.  The person who
creates the rally tries to write the instructions so that they are accurate
but mistake prone, so course following can be tricky.  To avoid the constant
need for on-time calculations (to free up time for the navigator to help stay
on course), many experienced rallyists run with special purpose digital
computers hooked up to record distance and display timing information.  These
are hooked into the car's electrical system for power.

A friend just purchased a new Ford Probe (Mazda) and the service manager told
him to be careful how he wired anything into the electrical system as the car
had its own computer on board.  My friend decided one day to try his rally
computer out and used a cigarette lighter adapter to hook up the power.  The
computer seemed to run ok, but when he later started the car, it would not
idle.  It would start fine, and he could drive it as long as he didn't take
his foot off the gas.  If he did the RPMs would drop to zero and the car
would stall.  He removed his computer and drove the car for about 10 minutes
and things got back to normal.  He has subsequently wired his computer into
the electrical system directly and has had no further problems.

One wonders if a radar detector or a CB radio (two common appliances that use
the cigarette lighter) would cause the same difficulty.

Chuck Weinstock

------------------------------

Date: Mon, 19 Sep 88 15:22 EST
From: "BILL WELCH, BCD COMPUTING CENTER, (614)424-7155"
Subject: Volvos and Electromagnetic Interference

I own two Volvos - a 1984 and a 1988 DL245 station wagon.  Both cars suffer
strange effects to various computer/electronic systems in the presence of
radio signals.  When I use my ham radio transmitter on the 2 meter FM band
(144..148 MHz) both have problems.  The 1984 cruise control drops out, and on
the 1988 the turn signals blink twice as fast as normal and the speedometer
drops to zero.

   [We have had a bunch of messages on this subject in past issues, but the
   problem has evidently not gone away.  PGN]

------------------------------

Date: 22 Sep 1988 15:43:24-WET DST
From: B.Littlewood
Subject: Scientific Safety

I'm sorry William Murray has problems with my English.  In the case of the
Airbus A320 the notion of an "acceptable level of safety" is, unusually,
spelled out by the manufacturers of the critical fly-by-wire system.  They
say that the reliability REQUIREMENT is 10**-9 failures per hour (see paper
by Rouquet and Traverse in Proceedings of SAFECOMP 86).  Their reason for
adopting such a demanding requirement is that (in their own words) " . . loss
of . . function cannot be tolerated."  In a case like this it would, I think,
be perverse to regard the system as "acceptably safe" if it had not satisfied
the manufacturer's own requirements.  Let us be charitable and take it that
this requirement is not merely necessary but sufficient for the award of the
coveted status of "acceptably safe".  My assertion was simply that, in these
terms, the A320 had NOT been demonstrated to be "acceptably safe".  Indeed I
believe that such cannot be demonstrated.  I would go further and offer an
opinion that the actual achieved reliability of the system is orders of
magnitude less than this requirement.

Murray goes on to say that such novel technology would not be tolerated in
the US unless it could be "proved" to be safer than the technology in use.
This seems to me a pretty acceptable way forward, and I assume that it would
not require demonstration of the achievement of ludicrous figures such as
that above.  However, even this more modest goal has not been demonstrated
and it is my understanding that it will not be required before the plane gets
a US certificate.  Given the role played by software in this system, and the
absence of a fully functioning mechanical back-up, I do not believe that such
a demonstration is possible.

I have a lot of sympathy with Murray's comments on our blithe acceptance of
the mayhem which results from automobiles, tobacco, etc., and the difficulty
of getting this on the political agenda.  It would be a pity, though, if
manufacturers of aircraft were allowed to get away with building less safe
systems than hitherto, merely by appealing to the fact that flying is safer
than smoking!

Bev Littlewood, Centre for Software Reliability, City University
London EC1V 0HB

------------------------------

Date: Wed, 21 Sep 88 14:52:10 BST
From: Stephen Rickaby
Subject: Computer Defaults (was: The Mental Tyranny of Cash Registers)

Reading comments in RISKS about implicit belief in computers reminded me of a
phenomenon I encountered in a previous job.  Faced with the task of producing
a large volume of related software, one of the tasks we undertook was the
design of a common i/o library, partly for efficiency and partly to ensure a
uniform `feel' across the software.  As our terminals were pretty much glass
teletype mode, one attempt to introduce an element of user-friendliness was
to give as many interactive screen routines as possible 'hot defaults': a
suitable value for the parameter being requested would be displayed in braces
([thus]), this convention (HP and others) meaning 'the value you will get if
you press '.  The slight touch of sophistication was that (valid) alternative
values entered were swapped into the [braces], and alone was required to
confirm them.

The system worked quite well, particularly for largely numerical interfaces
for programs with a large iterative content and small changes in parameters
for each iteration, typical of mathematical modelling and similar
applications.  However, much of this software was for computer-assisted ATE
work, performed by staff who had a very sound grasp of the work they were
doing but not necessarily of computers.  After a while, the following
phenomenon was noted: when the default parameters were presented, they were
often accepted even though the operator did not know a suitable value or even
*thought they were wrong*.  This was not out of laziness or a reluctance to
use a keyboard, but because *the computer had suggested a value*, so it must
be correct.

We never solved this one, and I left before the megawatt RF amplifiers were
automated...

Steve Rickaby, Praxis Systems plc, 20 Manvers Street, Bath, BA1 1PX, UK,
Tel: +44 225 444700     sfr%praxis.uuc@ukc.ac.uk     !mcvax!ukc!praxis!sfr

------------------------------

End of RISKS-FORUM Digest 7.57
************************
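Editor's note on Bev Littlewood's item above.  His statement that a 10**-9 failures-per-hour requirement "cannot be demonstrated" rests on a short statistical argument that the post does not spell out; the derivation below is an added illustration of that standard argument and is not part of Littlewood's contribution.  It assumes failures occur as a Poisson process with an unknown constant rate $\lambda$ (failures per hour) and that the test hours are operationally representative.

If the system is observed for $t$ failure-free hours, the probability of seeing no failure when the true rate is $\lambda$ is

$$
P(\text{no failure in } t \text{ hours} \mid \lambda) = e^{-\lambda t} .
$$

A failure-free test of length $t$ therefore lets one reject, at confidence level $1-\alpha$, only those rates $\lambda$ for which $e^{-\lambda t} \le \alpha$, i.e. it bounds the rate at

$$
\lambda_{\max}(t,\alpha) = \frac{\ln(1/\alpha)}{t} .
$$

To claim $\lambda \le 10^{-9}\ \text{h}^{-1}$ with 99% confidence ($\alpha = 0.01$) one needs

$$
t \;\ge\; \frac{\ln(1/\alpha)}{\lambda} \;=\; \frac{\ln 100}{10^{-9}\ \text{h}^{-1}} \;\approx\; 4.6 \times 10^{9}\ \text{h} \;\approx\; 5.3 \times 10^{5}\ \text{years}
$$

of failure-free operation, and even the weak level $\alpha = 0.5$ needs $t \approx 6.9 \times 10^{8}$ hours.  Any failure observed during the test restarts the count, and any change to the software afterwards invalidates it, which is why testing alone cannot establish a figure of this order.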
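Editor's note on Michael Coleman's credit-card item above.  His point, that hiding the first three digits of a card number is worthless once the issuer prefix is public, can be made precise: the check digit printed on every card satisfies the Luhn (mod 10) test, which cuts the 1000 possible fillings of three hidden digits down to 100 before any issuer knowledge is applied, and knowing the issuer's leading digit(s) does the rest.  The following is an added example, written for this note and not part of Coleman's contribution or of the Times article.  The masked number it uses is constructed for the illustration (it is not the card in the photograph); only the 4128 prefix is taken from the post.

```python
import itertools
import re

# Constructed sample: a 16-digit number whose first three digits are hidden
# ("x"), as in the photograph described above.  This is NOT the card in the
# article; it was made up for this example so that the arithmetic can be run.
MASKED_SAMPLE = "xxx8 1234 5678 9014"


def luhn_valid(pan: str) -> bool:
    """Return True if a string of digits passes the Luhn (mod 10) check.

    Every second digit counted from the right is doubled, and 9 is
    subtracted from any doubled value above 9; the total must be 0 mod 10.
    """
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidates(masked: str, known_prefix: str = "") -> list:
    """Enumerate every digit string that matches the mask, passes Luhn and
    starts with known_prefix.

    masked       -- digits and 'x' for hidden positions; spaces are ignored
    known_prefix -- leading digits known from another source (e.g. the
                    issuer prefix read off another card from the same bank)
    """
    pattern = masked.replace(" ", "").lower()
    if not re.fullmatch(r"[0-9x]+", pattern):
        raise ValueError("mask may contain only digits, 'x' and spaces")
    hidden = [i for i, ch in enumerate(pattern) if ch == "x"]
    found = []
    for fill in itertools.product("0123456789", repeat=len(hidden)):
        chars = list(pattern)
        for pos, digit in zip(hidden, fill):
            chars[pos] = digit
        pan = "".join(chars)
        if pan.startswith(known_prefix) and luhn_valid(pan):
            found.append(pan)
    return found


def search_space(masked: str, known_prefix: str = "") -> dict:
    """Summarise how far each piece of knowledge narrows the hidden digits."""
    n_hidden = masked.replace(" ", "").lower().count("x")
    return {
        "raw": 10 ** n_hidden,                       # brute-force space
        "luhn": len(candidates(masked)),             # after the check digit
        "luhn+prefix": len(candidates(masked, known_prefix)),
    }


if __name__ == "__main__":
    # Three hidden digits: 1000 fillings, 100 survive Luhn, 10 survive
    # "it is a Visa" (leading 4), exactly 1 survives the 4128 issuer prefix.
    print(search_space(MASKED_SAMPLE))          # no prefix knowledge
    print(search_space(MASKED_SAMPLE, "4"))     # card brand only
    print(search_space(MASKED_SAMPLE, "4128"))  # issuer prefix from the post
    print(candidates(MASKED_SAMPLE, "4128"))
```

The structure of the Luhn sum is what makes the 1000-to-100 reduction exact: for any choice of the two doubled hidden digits there is exactly one value of the third that makes the total a multiple of ten.  Masking should therefore hide digits whose value is not recoverable from public structure (the middle of the number), never only the issuer prefix.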