Subject: RISKS DIGEST 9.79
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest   Monday 9 April 1990   Volume 9 : Issue 79

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Fixing Computer Error Cost $1,300 in Overtime (Chris McDonald)
  Computer problem delays Calif. Lotto payouts (Rodney Hoffman)
  Computer Glitch Cuts off Decco Sales (Mark Adams)
  Computer Animations in court testimony (Peter Scott)
  Re: Proposed UK Authority for Risk Management (Dan Franklin)
  Re: Intruders arrested (Mike McBain via Lee Naish)
  Re: More on Prodigy's Updating of a User's Disks (Leonard Erickson)
  Wonderfully mistaken letter generators (Frank Letts, Gary Cattarin)
  Re: Automated Fast Food (Webber)
  Re: Airbus Crash: Reports from the Indian Press (Dan Brahme)
  A320 press excerpts (Robert Dorsett)
  Indian A320 crash (Henry Spencer)
  The two A320 crashes show similarities (Martyn Thomas)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
TO FTP VOL i ISSUE j:
  ftp CRVAX.sri.com
  login anonymous
  AnyNonNullPW
  cd sys$user2:[risks]
  get risks-i.j
Vol summaries now in risks-i.0 (j=0)

----------------------------------------------------------------------

Date: Thu, 5 Apr 90 16:25:33 MDT
From: Chris McDonald ASQNC-TWS-RA
Subject: Fixing Computer Error Cost $1,300 in Overtime

The Albuquerque Journal, Thursday, April 5, 1990, ran the subject headline.
The article states that:

A combination of errors erased thousands of computer docketing entries last
week at state District Court, requiring 14 clerks to work Saturday to redocket
the material at an estimated cost of $1,300 in overtime.
Court Administrator Thomas Ruiz on Tuesday blamed the mishap on `human error'
and `system error', meaning `we allowed it to happen through the format of the
computer system', he said. He added that steps have been taken to avoid a
repeat occurrence. [...]

Docketing is the process by which clerks enter into the computer system
summaries of all court documents filed, such as new cases, motions to dismiss,
judges' orders and defendants' formal responses to lawsuits.

Ruiz said every court document docketed March 27 in all four divisions--civil,
criminal, domestic relations and Children's Court--was erased when an employee
`went through the wrong sequence of procedures' while intending to perform a
`backup' function. [...]

------------------------------

Date: 6 Apr 90 09:41:58 PDT (Friday)
From: Rodney Hoffman
Subject: Computer problem delays Calif. Lotto payouts

Summarized from a story by Virginia Ellis in the Friday, March 30, 1990 'Los
Angeles Times' and a small follow-up note on Saturday, March 31:

A computer failure on Thursday, March 29, forced a one day delay in payoffs for
the first time in the California Lottery's four-year history. On an average
day, about 550,000 people redeem winning lottery game tickets which depend on
computer verification (that is, not the scratch-off game tickets, but the Lotto
and Decco games).

Joanne McNabb, communications manager for the California State Lottery, said an
equipment failure destroyed a small amount of the data on a computer file used
to validate winning tickets. The problem was discovered when they tried to
reconcile ticket sales in the validation file with the file in another
computer. The lost data was reconstructed overnight from a master file that
keeps duplicate information as a backup.

Just one week earlier, some Decco winners in Southern California were unable
for a few hours to cash their tickets because a computer file was overloaded
with winners and had to be quickly expanded.
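The detection and recovery path the story describes, reconciling the validation file against an independent sales file and rebuilding it from the duplicate master, as an added worked example (not from the RISKS post or the California Lottery; the record layout, ticket ids and draw dates are constructed):

```python
"""Reconcile a ticket-validation file against an independent sales file.

Added illustration, not the lottery's own code. The post says the data loss
was noticed only when the validation file was reconciled with a sales file
on another computer, and repaired from a duplicate master; all records
below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    draw: str
    prize: int  # prize in cents; 0 for a losing ticket


# Constructed master file: the authoritative duplicate kept as a backup.
MASTER = {
    "T001": Ticket("T001", "1990-03-28", 500),
    "T002": Ticket("T002", "1990-03-28", 0),
    "T003": Ticket("T003", "1990-03-28", 2500),
    "T004": Ticket("T004", "1990-03-29", 500),
    "T005": Ticket("T005", "1990-03-29", 0),
}

# Constructed sales file from the second computer: tickets sold per draw.
SALES = {"1990-03-28": 3, "1990-03-29": 2}

# Constructed validation file after the equipment failure: T003 is gone and
# T004 has a corrupted prize field.
VALIDATION = {
    "T001": Ticket("T001", "1990-03-28", 500),
    "T002": Ticket("T002", "1990-03-28", 0),
    "T004": Ticket("T004", "1990-03-29", 999999),
    "T005": Ticket("T005", "1990-03-29", 0),
}


def count_by_draw(tickets):
    counts = {}
    for t in tickets.values():
        counts[t.draw] = counts.get(t.draw, 0) + 1
    return counts


def reconcile(validation, sales):
    """Return {draw: (validated, sold)} for draws whose counts disagree.

    This is the coarse cross-check the lottery ran: it catches missing
    records but is blind to field corruption inside a surviving record."""
    counts = count_by_draw(validation)
    return {d: (counts.get(d, 0), n)
            for d, n in sales.items() if counts.get(d, 0) != n}


def verify_against_master(validation, master):
    """Field-level check: ids missing from validation, and ids whose record
    differs from the master copy."""
    missing = sorted(set(master) - set(validation))
    corrupted = sorted(i for i in validation
                       if i in master and validation[i] != master[i])
    return missing, corrupted


def rebuild(validation, master):
    """Restore missing or corrupted records from the duplicate master."""
    repaired = dict(validation)
    missing, corrupted = verify_against_master(validation, master)
    for i in missing + corrupted:
        repaired[i] = master[i]
    return repaired


def payout_allowed(validation, sales):
    """Hold all payoffs (as the lottery did for a day) until every draw in
    the validation file reconciles with the sales file."""
    return not reconcile(validation, sales)
```

Note that the count reconciliation alone would have passed the 1990-03-29 draw even though T004's prize field is wrong; only the comparison against the master catches that.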
------------------------------

Date: 7 Apr 90 11:00:34 PST (Sat)
From: mca%medicus@uunet.UU.NET (Mark Adams)
Subject: Computer Glitch Cuts off Decco Sales

[ From the San Francisco Chronicle, April 7 1990. ]

"Computer Glitch Cuts Off Decco Sales"

Sacramento - A computer programming glitch has cut off sales of certain Decco
tickets containing popular card combinations six times since the California
Lottery unveiled the new game last month, officials said yesterday.

The problem was discovered two weeks ago when lottery computers rejected
attempts by some gamblers to buy Decco tickets containing four aces - the
game's hottest selling card combination, lottery director Chon Gutierrez said.

Technicians discovered that computer programmers had built an unauthorized
limit into the system that allowed only 8,000 tickets to be sold on any one
card combination, Gutierrez said.

The limit has been reached in six of the 28 draws since the game began March 5,
preventing about 48,000 tickets from being sold - or 1 percent of total Decco
plays in the half-dozen affected draws, said lottery spokeswoman Joanne McNabb.

Because California schools get at least 34 cents of every $1 spent on the
lottery, the education system has been deprived of more than $16,300 in revenue
because of the computer problem.

Lottery officials are now studying ticket sale patterns to determine how much
they will raise the limit. They do not want to erase the limit completely,
however. State law restricts annual Decco prize payouts to 50 percent of ticket
sales. If lottery officials were to remove the limit entirely, prize payouts
could rise over 50 percent of ticket sales if a popular card combination were
drawn several times in the game. [...]

------------------------------

Date: Fri, 6 Apr 90 18:46:04 PST
From: Peter Scott
Subject: Computer Animations in court testimony

I've just seen a segment on ABC News Tonight which has me worried. It was about
the use of computer animations in court testimony.
They showed animations of plane and car crashes which used solid modelling and
realistic rendering combined with animation to show what "really" happened.
Nowhere in the segment did they suggest that it represented a synthesis of
various points of view. One attorney asserted that he doubted he would have won
his client's case without the animation of his client's ride on a roller
coaster, which he claimed caused a stroke. Despite the fact that 8 million
other people had ridden the coaster without ill effects, because this guy had
an animation that looked like the real thing, showing g-forces on his client's
head, he won his case. In another case, an animation of an accident claimed to
be unavoidable was said by a juror to be convincing, because you could "really
see what happened, and it was very colorful."

The RISKs are obvious; going from circumstantial evidence of, say, a car crash,
they animate the scene and necessarily make numerous assumptions in order to be
able to produce a viewable animation. The jury is subliminally convinced that
they are watching a video reenactment of the scene, and if the other side
doesn't have a video of their own... the animations are likely to be viewed by
jurors as direct evidence instead of indirect.

The segment started with an animation of a plane crash married with the cockpit
voice recorder, and the flight recorder telemetry (?) was used as input for the
animation. That's a whole lot more reliable than taking evidence from casual
witnesses to a car crash and translating it to position and velocity data.

Peter Scott (pjs@grouch.jpl.nasa.gov)

------------------------------

Date: Thu, 05 Apr 90 19:32:13 -0400
From: dan@BBN.COM
Subject: Re: Proposed UK Authority for Risk Management

The Authority for Risk Management sounds like a good idea, but I can't help
being a little put off by one comment:

> ARM's rigorously independent scientists will not be allowed to become
> purists.
> Their advice would have to be accompanied with the cost
> implications of new policy. The minister, public and Parliament need to know
> how much they are going to spend to live in a safer environment, and decide
> if they want to pay the price. ....

This paragraph presents risk management as though it must necessarily cost
money, and the only issue is to decide whether to pay the price. But it should
be obvious to any government, particularly one that runs a national health
service, that reducing a risk can SAVE it money! If fewer people are poisoned
or hurt, health costs go down. Governments lacking a national health service or
other direct connection to health costs should consider the savings to society
as a whole (that's theoretically why government does things, after all).

Admittedly, once you start doing this, you often end up trying to decide just
how valuable it is to save or prolong a given life. Not a great situation, but
"not to decide is to decide" anyway.

Dan Franklin

------------------------------

Date: Sun, 8 Apr 1990 10:50:13 +1000
From: lee@munmurra.cs.mu.OZ.AU (Lee Naish)
Originally-From: mjm@foster.avid.oz (Mike McBain)
Subject: Re: Intruders arrested
Date: 6 Apr 90 03:17:32 GMT

In article <862@sirius.ucs.adelaide.edu.au>, simon@ucs.Adelaide.EDU.AU (Simon
Hackett) writes:

> There is some (quite) recently enacted state law in SA which makes it
> illegal to access a "restricted access" computer system without
> authorization. Doesn't matter whether you do anything, this is simply
> making it illegal to log into any system for which you require a
> password, where you ain't a person who should be using it. Restricted
> access is defined in the enactment of the law in a form of words which
> means the above.
>
> There is a second offence defined, which equates to unauthorized
> modification of information in a system.
>
> Both offences carry 2 years/$2000 fine as maximum penalties.
In a related vein, here is an item from the Melbourne `Age' 3/4/90

`Man fined $750 for computer trespass', by Geoff Winestock

A man who copied a confidential set of programs from the computer company where
he worked became the first person convicted under a new computer trespass law
yesterday.

Alexander Belkin, 31, of Latona Avenue, Knoxfield, was fined $750 in Prahran
Magistrate's Court for gaining access to a computer without lawful authority.
He was also fined $250 for unlawful possession of a library book.

On 1 April 1989, Belkin, who worked for GNA Computing Pty Ltd, copied some
business record systems without specific authorisation from his employer.

Mr David Bamber, for Belkin, said the computer trespass law should be viewed as
analogous to ordinary trespass, for which it was necessary not just to prove an
incident had occurred but that it was done with criminal intent. Otherwise, he
said, the offence of computer trespass could extend to thousands of
schoolchildren operating computers without permission or employees going about
their business.

But the magistrate, Mrs Heather Spooner, said the facts of the case were
clearly covered by the legislation. The law applied not only to offences where
there was criminal intent, such as computer hacking and theft, but also to
regular users, such as employees.

Mrs Spooner said the law was a response to calls from the computer industry and
police to stop the harm caused by mere access or "intellectual voyeurism".
Prosecution was necessary in a case such as this, which involved computer
programs of great value.

She said the application of the law would require considerable common sense.
Schoolchildren operating computers should not be in jeopardy.

Mrs Spooner said that Belkin's evidence on matters such as the workstations he
was authorised to use and the copies he was allowed to make on floppy disks had
been inconsistent with that of his employer. She concluded that he had not been
honest.
Belkin would bear the cost of his mistake for the rest of his life, especially
in his standing in the industry, and she had taken this into account in
sentencing him.

Mike McBain, Avid Systems Pty Ltd, St Kilda, Australia 3182

------------------------------

Date: Fri, 6 Apr 90 23:33:43 PDT
From: leonard@nosun.West.Sun.COM (Leonard Erickson)
Subject: Re: More on Prodigy's Updating of a User's Disks

CompuServe has had the ability to do this for at least 9 years. Their
L-Protocol was *specifically* designed so a user could enter a short BASIC
program which would call in, download *and execute* a terminal program.

The B-protocol description includes this feature *explicitly* in the protocol
description, along with such features as "disable keyboard" and "disable video
updates". I *think* the older A protocol also had these features.

All of these CIS protocols include a whoami string that sends an identifier
string that identifies the machine type, software version, and protocols
supported in response to a remote query. This response is invisible to the
user.

I know that some people used programs like CIS's VIDTEX for their *only*
terminal program. I once considered having a BBS check for such people and do
something to their machine... it would be rather easy.

This is not a new risk, but it is more widespread than some think.

-- 
Leonard Erickson              ...!tektronix!reed!percival!bucket!leonard
CIS: [70465,203]
"I'm all in favor of keeping dangerous weapons out of the hands of fools.
Let's start with typewriters." -- Solomon Short

------------------------------

Date: Thu Apr 5 22:49:08 1990
From: letts@ficc.UUCP
Subject: Wonderfully mistaken letter generators

Several posts in RISKS-9.78 reminded me of a humorous incident down here in
Sugar Land, Texas, in the early 1970's ('73, I think). A letter similar to the
below arrived one day in the office of the Eldridge Road Church of Christ:

  Congratulations, Mr. Christ!
  Our computer has selected you as only one of a few to receive a set of lucky
  numbers in our (who remembers) sweepstakes! Yes, Mr. Christ, you and the
  entire Christ family may be the ones to enjoy a full expense paid trip to
  Hawaii, or a new Cadillac! Be sure to return your sweepstake numbers today
  and qualify for the early-bird bonus! And while you are at it, place your NO
  obligation order for our latest publication [some book named here],
  something that the Christ household certainly should not be without!

That still cracks me up when I am reminded of it.

Frank Letts, Sugar Land, Texas

------------------------------

Date: Fri, 6 Apr 90 13:35:08 edt
From: Gary_Cattarin@DG_SUPPORT.MCEO.DG.COM
Subject: Wonderfully mistaken letter generators

CEO summary:

The item from Yuri Rubinsky in RISKS 9.78 concerning the letter he received
indicating that the letter he desired was backordered reminded me of a
wonderful abuse of software I received several years ago.

I was still a "minor" as they say, or "underage", and my grandmother had set up
a "custodial account" money market. These accounts were addressed as:

  Granny Smith, Cust
  Joe Underage
  UGMA/NY

Or, in English:

  , Custodian
  
  Uniform Gifts to Minors Act/

Well, I'm sure some of you see this coming. I received a letter one day,
addressed as above, which started out:

  Dear Ms. Cust:

To make it even better, this letter ended like this:

  Sincerely,

  Shareholder Services

Yes, by I really do mean that a human being had picked up a ball-point pen and
signed in cursive, "Shareholder Services". And to think they didn't understand
when I called and asked for Ms. Services!

   [These tales continue to come out of the woodwork. Please don't take this
   as a challenge to submit still more of them. Thanks. PGN!]

------------------------------

Date: Fri, 6 Apr 90 17:13:56 EST
From: webber@psych.toronto.edu
Subject: Re: Automated Fast Food

In RISKS Digest 9.78, Dave Curry (davy@itstd.sri.com) wrote about automation
at his local Arby's. [...]
It seems to me that what he's actually seen is the first phase of
implementation and testing of this new system, and that the management of
Arby's is sensibly keeping the old system in place. If this touch-screen stuff
can be made to work properly and is accepted, he will probably not see staff
members hanging around doing nothing for long: Arby's outlets will reduce staff
to the minimum required to cook, deliver hot food, clean, and take money.

I have read that the largest overhead for the operation of a fast-food
restaurant (where they serve food which makes you feel that you might as well
fast) is the cost of personnel. If this is true, then with increased automation
profits have the potential to rise a great deal.

Of course, there's a risk to the management and to other members of US society
in this kind of change: not only may Arby's lose customers, due to decreased
service quality, but some low-income families will have their incomes reduced
even further as the pool of service jobs they've depended on dries up.

------------------------------

Date: 23 Mar 90 23:03:57 GMT
From: brahme@vlsic2.ti.com (Dan Brahme)
Subject: Re: Airbus Crash: Reports from the Indian Press

henry@zoo.toronto.edu writes:

>Aviation Week reports that India refused European airworthiness authorities'
>request to participate, and also refused information requests from them and
>from Airbus Industrie.
>                                   Henry Spencer at U of Toronto Zoology

Not really. The reason to exclude the Europeans from the investigation is to
prevent doctoring or tampering with evidence. It is very surprising that the
French have started talking about carelessness of the pilot. If they do not
have access to the investigating team's report, how can they talk about
carelessness of the pilots?

I fly all the time in North America and quite often in Europe and India. In
fact the quality of Indian pilots is very good and the average may in fact be
better than the Europeans, judging by smoothness of the landings.
The A320 has a lot of software in it. Anybody who has any knowledge of large
software systems knows that it is often the source of many problems. A look at
how many times the space shuttle launch had to be postponed due to some
software problem should shed some light.

Considering that, if there is a (or many) technical problem and Indian Airlines
continues to fly the plane and there is another accident, many more lives will
be lost. On the other hand, if all the planes are grounded and later on it is
found that there is no problem with the plane, then the cost to AIRBUS is at
most a possible loss of sales for a short period. If this results in loss of
some jobs, I am sure the engineers can find another job or live on their
savings or welfare. Considering the alternative (1) few Frenchmen losing jobs
to (2) several Indians dying, I don't think there is anything wrong with
grounding. In fact if the airline had not grounded the rest of the planes I
would have been one of the first to protest.

The behavior of Airbus displays complete lack of concern for human life and
shows that they care only for profits at all costs. It also shows that they are
willing to introduce UNSUBSTANTIATED reports in an attempt to cover their ass.
It is interesting to note that not a single message of condolence was sent by
the Airbus president to the families of those who died in the accident.

If such an accident took place in the US and AIRBUS behaved the way it did, it
would lose credibility with the American public and it would suffer severe
financial loss due to lawsuits filed in US courts.

Dhananjay Brahme

------------------------------

Date: Fri, 30 Mar 90 21:44:34 -0600
From: rdd@walt.cc.utexas.edu (Robert Dorsett)
Subject: A320 press excerpts

The following are from the February 21st and 28th issues of FLIGHT
INTERNATIONAL, and actually appear to be somewhat authoritative.
They clarify various information/misinformation which has appeared on RISKS and
sci.aeronautics over the past month. [I've interspersed my own comments
(brackets). Take those with a grain of salt. :-)]

* The airfield had no ILS approach. VOR/DME, NDB only. Runway length was
  10850'. Field elevation 2914'. No significant terrain nearby. Visibility was
  unlimited at the time. The crash occurred at 1300 local time [1PM].

* The approach was being made manually. There were no reported emergency
  communications between tower and aircraft. The landing gear was down.

* Airplane collided with the ground approx. 500 meters from threshold, in a
  golf course, bounced, and came to rest 100 meters from the end of the runway.
  FLIGHT characterizes the initial impact as "soft." [ note: bounces are
  generally the result of the aircraft having too much velocity, and not, as is
  often thought, testimony to the elastic characteristics of airplanes :-) ].

* There was no evidence of birdstrike on the engines [ V.2500's, a brand new
  engine model ]. The aircraft had 366 hours, over some 300 trips.

* The article indicates that under 100', the automatic power-advance component
  of the alpha-floor flight protection system is inhibited. [ I am not
  convinced this is accurate. After the recent discussion with Pete Mellor, I
  have been conducting research; the evidence supports his claim that
  protections last to the ground--but most of the material I've been able to
  find is fairly old. Losing automatic engine authority would remove much of
  the benefit of having protections in the first place. ]

* The entire India Airlines fleet was grounded.

* Airbus is indicating India is withholding information from the manufacturer.
  India responds that they want a "fair" examination of the evidence, by no
  parties with economic interest. They're farming out analysis of the flight
  data recorder to the Canadian Aviation Safety Board.
* Airbus has issued a safety bulletin, advising pilots not to fly too slow
  during approaches. The aircraft was reported to have had a "very steep"
  approach path. [ This may either reflect concern over the flight systems, or
  improper technique--the article is not clear on that. ]

* The French flight technician's union has called for A320's to be grounded,
  worldwide.

* The president of the union is specifically concerned about the lack of
  uniform control laws on the aircraft, as well as the general human interface.

* The Mulhouse-Habsheim flight data recorder showed the aircraft hit the trees
  at 32', with the engines idled for most of the trip. After the crash, the
  crew complained that there was delayed engine response when they commanded
  full power. The FDR, however, stated that there was a 0.5 second delay [ I
  wonder, though--if the throttles are essentially electrical controls that
  *request* a service from the flight management system, and the FDR gets its
  inputs from said system, could it be possible that the FDR record only shows
  the difference between the time the throttle "request" was *posted* by the
  system, and the time it was *serviced* by the system? I.e., could the levers
  be positioned and followed by a substantial "notification" lag? (followed by
  a quick "servicing" interval) Anyone know how the FDR works on the A320? ].

* There is a civil case on the A320 crash underway in France, which is expected
  to dispute the Mulhouse-Habsheim technical inquiry's findings (which found in
  favor of the aircraft and systems).

Robert Dorsett                  Internet: rdd@rascal.ics.utexas.edu
Moderator, Aeronautics          UUCP: ...cs.utexas.edu!rascal.ics.utexas.edu!rdd
Mailing List

------------------------------

Date: Mon, 2 Apr 90 00:06:35 EDT
From: henry@zoo.toronto.edu
Subject: Indian A320 crash

One of the bigger problems in assessing the A320 is that almost everyone has
vested interests to protect.
Most European aircraft manufacturers are involved in building it, so they (and
their governments) want it to be a commercial success. Their US competitors
(and their government) would prefer it to be a commercial failure. Pilots'
unions often oppose it because it is a 2-man-crew aircraft replacing 3-man-crew
planes. And so on.

The relevance of this to the Indian crash is that India, lacking its own
facilities for reading modern crash recorders, sent the A320's recorder to
Canada for analysis. They chose Canada specifically because it has no vested
interest in the A320!

Incidentally, the latest word in Flight International (21 March issue) is that
informal reports -- admittedly thirdhand -- claim the approach was being flown
at an excessively low speed, 106 knots as against a recommended speed of about
130 at that point, just before the crash.

Henry Spencer at U of Toronto Zoology
uunet!attcan!utzoo!henry   henry@zoo.toronto.edu

------------------------------

Date: Mon, 2 Apr 90 12:48:45 BST
From: Martyn Thomas
Subject: A320 crashes show similarities

Flight International, 4-10 April 1990, page 6:

"Cockpit voice recorder (CVR) and digital flight data recorder (DFDR)
information from the Bangalore accident made available to A320 operators
indicates that the cause was remarkably similar to that which the Investigation
Commission found for the A320 accident at Habsheim, France, in June 1988.

The CVR makes it clear that the right-hand-seat pilot intentionally selected
"idle" on the autothrottle as the aircraft descended through 500ft (150m) on
Bangalore final approach. This increased the aircraft's rate of descent as
intended, but reapplication of power came too late to arrest the vertical speed
and prevent the aircraft hitting the ground short of the runway.

According to the DFDR, full power was tripped in automatically by the Alpha
Floor protection mode as the aircraft passed 135 ft.
This implies that the handling pilot had selected maximum angle of attack to
arrest vertical speed, but at low indicated airspeed (IAS). The IAE V2500
engines were not fast enough spooling up to full power to provide the
additional IAS needed to generate the increased wing load factor to arrest the
rate of descent.

At Habsheim, the aircrew also selected power-up from idle too late and, as a
result, failed to clear trees at the airfield edge."

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel: +44-225-444700.  Email: ...!uunet!mcvax!ukc!praxis!mct

------------------------------

End of RISKS-FORUM Digest 9.79
************************