Summarized from an article by George White, `Los Angeles Times', 8 Jan 1991 Two former employees of Nissan Motor Corp. USA allege that they lost their jobs after a manager eaves-dropped on their electronic mail messages. Their lawsuit claims that they were illegally discharged and denied their constitutional right to privacy. The plaintiffs used electronic mail to track the needs of Nissan dealers, occasionally sending personal messages to dealerships. One of the messages was critical of a Nissan manager. The suit mantains that a Nissan manager intercepted their personal messages and threatened to dismiss the two. One was fired outright, the other was told to resign or be fired. Their attorney said Nissan was retaliating against the pair for filing an invasion of privacy complaint with Nissan's Human Resources Dept. on Dec. 28. Nissan denies the charges, calling them "unfounded."
>From RISKS 10.75 (7 Jan 91): Date: Sun, 7 Jan 90 11:18:14 CST [ <==== sic ===== ] From: smith@SCTC.COM (Rick Smith) Subject: Re: "Computer Age Causes Key U.S. Data To Be Lost Forever" I've been a packrat for most of my life and I've done historical research... It's ironic that a message about old data claimed to be one year older than it really was. No doubt the problem was a system administrator's error in entering a date after a reboot, the sort of thing that software should warn about but often doesn't. Beware of dates in early January. [See my Inside Risks column in the January 1991 CACM summarizing some of the more interesting clock problems discussed in the RISKS FORUM over the years (and over the years' ends), albeit familiar to long-time RISKS readers. PGN]
This really is a computer related problem. Given that it is a fuel-injection new car, the spark advance and fuel metering are under the control of a micro-controller. On many late model cars, the speedometer readings on the driver's console are derived from the output to the drive wheels (assuming front wheel drive) in the transmission and not from reading the rotation of the wheel! This is the only source for the micro-controller to know the approximate speed of the vehicle so that it can compute engine load and adjust fuel metering and spark advance. Additionally, several late models also put the automatic transmission under the control of a micro-controller (usually the same one as is controlling fuel). The RISKS are obvious. There is only one micro-controller in the system; the car will NOT operate without the controller working properly; there are no redundancies in most of the critical input systems. Additionally, the micro-controllers are overly sensitive in many cases to: changes in voltage delivered, electromagnetic interference from radio transmissions, electromagnetic interference from power distribution systems, EMI from other systems in the vehicle, and even EMI from traffic sensing devices embedded in the roadways. Further discussion is probably unnecessary. Gregory G. Woodbury @ The Wolves Den UNIX, Durham NC firstname.lastname@example.org UUCP: ...dukcds!wolves!ggw ...mcnc!wolves!ggw
A man has died and 348 people were hurt when a packed rush-hour train failed to stop at Cannon Street station in London, and ploughed into the end buffer. The train was packed with about 800 commuters. The accident happened on Jan 8th, 1991, at the height of the rush hour, at 8:45am. It appears that the brakes failed to work when the driver tried to slow down when entering the station. The train hit the buffer at the speed of 5 mph only, but some carriages got crushed because of its weight and age. The sixth carriage was pushed onto the fifth carriage. The train was 35-40 years old. The UK's Rail Minister promised a full enquiry. Ambulances, helicopters, and even a London red bus were used to carry the victims to hospital. Once again there is a major train crash in London. British Rail has had a pretty bad record of crashes. Lately there has been an average of 1 major crash per year. This year it seems that they are reaching their quota pretty early ! The main problem seems to be prolonged lack of investment into new rolling stock, and hence British rail ends up with old trains, old stations, etc. Cost-cutting measures brought more over-crowding during peak rush hours. I have often taken trains similar to the one invollved in yesterday's crash. Most local commuter routes are served using these trains. The ride is something of an experience. During the rush hour, most people stand-up between the seats. Carriages, although being good for natural history museum exhibitions, are crowded to their full load. Yes, carriages with inside walls still made of wood, and grey seats facing each other. The ride is anything but comfortable. One tends to bounce on the seats, as though the train was actually hopping from rail to another rail. 5 years ago British Rail started and extensive refurbishment of these trains. The only visible improvements were are new coat of paint outside, and the replacement of filament light bulbs with fluorescent. Oh, and yes, the logo on the trains was changed from British Rail to Network Southeast. There is no safety mechanism about opening doors. One can open a door whereas the train is in a station or speeding between 2 stations. Some London underground trains have also been built in the 1950's. They should have been replaced 2 years ago, but one of the new replacement trains went off the tracks during trials, and it was all back to the drawing board. London underground says that new trains should be introduced in 1992. Although there have been so many accidents, I guess I shall miss these British Rail carriages when the new ones replace them (when ? in a year's time I'm told ?). Travelling on Network Southeast was much of an adventurous experience. But like any thrill, it was only good in small doses. Olivier Crepin-Leblond, Imperial College, London, UK.
My father spent all morning Friday 4 January trying to return a phone call from his office near Chicago to a customer in the Dominican Republic. After endless "We're sorry, all circuits are busy. Please try your call later." messages, he heard on the news that a cable had been cut near New York, which affected some overseas calls. He continued trying all day Friday, and never got through. He spent all day Saturday trying to make a FAX call and never got through. A cable cut in Newark made it impossible to place a call from Chicago to the Dominican Republic for at least two full days. How's that for depending on a single point of failure? It brought back memories of the Hinsdale fire on Mothers Day a couple of years ago, when a fire in an unattended office took out most of Chicago for three weeks. At the time, I started to worry that fifty strategically placed terrorists with street gang incendiaries could cripple the entire country. It could even be done without receiving any return fire. The history of telephone service since then has done nothing to restore my confidence. Back in the bad old days of Ma Bell, they used to brag that the call might be routed through Arizona, Montana, and Guam, but it would get there. Why are today's telecommunications systems designed to depend on extremely vulnerable single points of failure?
I speak as an Australian Lift ( OZ for "elevator") manufacturer, and so cannot speak directly for USA lifts. However, the observed behaviour is consistent with OZ lifts. Historically, the door sensors have been a notoriously unreliable element, and whilst many improvements have occured over the years, being at the "working face" of lifts, they still fail regularly. To prevent the lift being out of commision without warrant, controller logic assumes that 4 or 5 retries is good enough if we have stuck people, and then assumes that it must be a sensor failure, and attempts to close. In Oz, this behaviour is often written into building specifications. However, things are not as bad as they look. Lifts are governed by a VERY large set of regulations, and door related regs are a good part. The door controller design MUST not allow more than a specified force to be applied in the event of a blockage. Whilst this force must be reasonably strong to cover day-to-day events, it is not sufficient to break a limb ( 130N: let the Regulators beware), although it could cause a broose(?) on the frail. Most door controllers will physically dis-engage the drive mechanism on a solid blockage, allowing even for uncontrolled torque on the closing motor. "Where the closing of doors is delayed by a period of not less than 10 s through the operation of the passenger-protection device ( door beams), the doors may power close with the passenger-protection device in-effective provided that the kinetic energy does not exceed 3.4J, and an audible warning is sounded in the car." Aus. Standards 1735.2 p64 The passenger's main fear is that the doors will close with unreasonable force, to sever the limb; or that the lift will leave the floor with the limb extended thru the door. Above and beyond the controllers S/W checks on timing and sensors, independant door sensors prevent this occurence, all covered by national standards. Mr Jackson implies that there is a hidden design risk in the behaviour of the doors. Whilst all may not agree on the fine print, it is an area of intense scrutiny and regulation. These opinions are my own, and although not different to the views of the Company, cannot be taken as an official voice. David Magnay, Boral Elevators (was: Johns Perry Lifts), 45 Wangara Road, Cheltenham 3192, Victoria, Australia (03) 584-3311 O/seas +61 3 584 3311
The few elevators ('lifts' in UK) of the London undergound system are now all operated by computers. They do have a warning beep, and they also have door sensors in case someone gets trapped. The idea has never come into my mind to try to block the doors, but from what I can recall about the commuter crowding during the rush hour, they also shut for good after a few aborted attempts. One can hold them back without trouble. However the doors of the underground trains are operated by the driver. The only sensor they have checks if the doors are closed or not so that the train cannot start if the doors are not properly shut. About a year ago, one sensor failed and a woman was dragged along the length of a platform. Fortunately other passengers stopped the train by pulling the emergency alarm system. Once, a friend of mine got his glasses broken when the train door slammed in his face. Drivers are supposed to keep doors open as long as passengers are boarding the train but during the rush hours, they slam them shut so as not to get delayed too much. Again, the doors can be held back, although here if you are not related to Arnold Schwarznegger, it is advisable to request the help from other passengers. So many people have had a bad experience getting trapped in underground train doors ! Personally, I would prefer computers and sensors to control the doors of any moving carriage. At least when you are trapped the doors open-up again, whereas when there is human interaction, it all depends on his mood. Olivier M.J. Crepin-Leblond, Elec. Eng. Dept., Imperial College London, UK.
Given all the comments on this topic I have a question: Since the elevator door is insisting on closing regardless of something interfering with its closing, what is to prevent the elevator from thinking that the door IS closed and start moving (remember the fact that no button in the elevator was pressed is immaterial since the elevator may be summoned from another floor)? If there is a final failsafe such that the elevator KNOWS that the door isn't fully closed and therefore that it mustn't start moving then the only concern (albeit a significant one) is the doors closing on a person. Seriousness of this depends upon the force the door exerts on the object blocking its full closing. If there ISN'T such a failsafe then this problem is a fatality (and a gruesome fatality) waiting to happen. Michael J. Chinni US Army Armament Research, Development, and Engineering Center Picatinny Arsenal, New Jersey ARPA: email@example.com UUCP: ...!uunet!pica.army.mil!mchinni
All of the elevators I've seen have some kind of door-edge safety device-- (officially called a "safety edge"). The older (and still most prevalent) style is the mechanical rubber bumper, which usually has to be pushed in by 1-2 inches to cause the door to retreat. Other elevators have a thin plastic (but still mechanical) edge which works much the same way. The newest Otis installations I've seen all have a proximity sensor, which is a plastic device mounted flush with the inner door (and usually has a small calibration light)-- most of the time, these reverse the door before it touches anything. In an event where it doesn't (such as when the OUTER door is blocked), you are protected by devices which limit the force that the door can apply. Both the closing speed (feet per minute) and closing force (pounds) of an elevator door are regulated by law (and is one of those things that should be checked when an elevator is inspected). Rather than a clutch, I believe that most modern elevators limit the closing force of the door electronically. The test is to resist the door WITHOUT tripping the safety edge or "electric eyes" (on elevators equipped with this). It's usually firm, but shouldn't be able to crush or otherwise injure someone. Most importantly, the elevator should not move with an obstruction in the door, even if the door is refusing to reopen. This is one place where I think that advanced technology has reduced RISKs to the public; modern elevators can detect "unreasonable" situations that mechanical controllers don't (such as: door does not close within a certain time limit), and take appropriate action. The safer we make something (elevator doors), the more people take this safety for granted, and, ironically, we end up with more types of unpredictable trouble. I've always been amused by the New York public service commercials which advertise the hazards of subway-train doors, and makes the point that "these doors mean business" and do not reopen (at one point, showing them with teeth). People know to stay out of the way, and this helps to avoid accidents. Imagine what would happen if you tried to introduce the first subway system based on the design that exists in most modern cities (including the very modern Washington D.C. "metro"): A crowded concrete platform ends at a five-foot drop to the tracks below; no walls or doors to prevent people from falling (or being shoved) off the edge; and no way back up once one falls. At the bottom are exposed metal rails carrying lethal voltages at huge currents. Whether or not one survives, the next train arriving at the station won't be able to stop in time to avoid hitting him. Even those passengers who remain on the platform and successfully board a train, avoiding those nasty teeth-bearing doors, will find themselves sitting or standing(!) in a boxful of glass windows, doors, metal rails, and with nothing particular to keep them in place when the train derails or smashes into another train, filling the dark tunnel with toxic smoke. Would you expect this design to be approved? Still, the greatest RISK to your health isn't the subway itself, but other passengers (especially in NYC). --- Russ McFatter [russ@alliant.Alliant.COM]
CALL FOR PAPERS JOURNAL OF COMPUTER SECURITY The Journal of Computer Security is a new archival research journal on computer security, to be published quarterly by IOS Press, Amsterdam. It will publish significant advances in the theory, architecture, design, implementation, analysis, and application of secure computer systems. Its scope encompasses all aspects of computer security, including confidentiality, integrity, and denial of service. Subject areas include computer architecture, operating systems, database systems, networks, distributed systems, formal models, verification, algorithms, mechanisms, and policies. Editors-in-Chief: Prof. Sushil Jajodia Dr. Jonathan Millen George Mason University The MITRE Corporation Department of Information Systems Mail Stop K325 and Systems Engineering Burlington Road Fairfax, VA 22030-4444, U.S.A. Bedford, MA 01730, U.S.A. firstname.lastname@example.org email@example.com (703) 764-6192 (617) 271-3580 Editorial Board Includes: Marshall Abrams, MITRE Carl Landwehr, NRL Thomas Beth, U. of Karlsruhe E. Stewart Lee, U. of Toronto Matt Bishop, Dartmouth Teresa Lunt, SRI John Dobson, Newcastle upon Tyne John McLean, NRL Gerard Eizenberg, ONERA/CERT Ravi Sandhu, George Mason Virgil Gligor, U. Maryland Marv Schaefer, TIS Bhavani Thuraisingham, MITRE Instructions to Authors: Submit six copies of your manuscript to one of the editors-in-chief with a submittal letter signed by one of the authors. In case of multiple authors, designate an author for correspondence. Please keep the editors informed of any changes of address. Submitted papers must be original and present a significant result, and must not have been previously published or submitted for publication elsewhere, although portions may have been published in conference proceedings. It will be assumed that all necessary clearances for publication have been obtained by the author(s) by the time a paper is submitted for publication. Papers will be refereed in a manner customary with scientific journals before being accepted for publication.
Please report problems with the web pages to the maintainer