The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 17

Tuesday 26 February 1991

Contents

o The RISKS of automatic payments
Olaf 'Rhialto' Seibert
o "Autopilot malfunction causes engines to break off"!
Martyn Thomas
o Re: Computer problems with MD-11 jumbo jet
Daniel Faigin
Henry Spencer
o Reliability extrapolation
Martyn Thomas
o Risks of EMI?
Finkel
o Re: Risks of radiation treatment of cancer
Clark Savage Turner
o Re: Accuracy in Movies and Newspapers
John Richard Bruni
o Re: worse-is-better for the 1990s
Jerry Gitomer
o Automatic download of patches
Bill J Biesty
o Workshop on Designing Correct Circuits
Victoria Stavridou
o Info on RISKS (comp.risks)

The RISKS of automatic payments

<rhialto@cs.kun.nl>
Mon, 25 Feb 91 15:39:16 +0100
De Volkskrant" (a national daily newspaper in the Netherlands), 22 Feb 1991:

"Inhabitant of Amsterdam lies dead in appartment for half a year"

  AMSTERDAM - In an apartment in Amsterdam-Southeast the police found the
remains of a 51-year old man, who turned out to have died half a year ago.
[...] The man, who lived alone, died a natural death.  The police discovered
the man accidentally.  A police officer heard from the caretaker of the
building that he recently removed a large pile of mail for the victim from his
mailbox.  The occupant, who did not wish to have contact with his neighbors,
had not been seen for a long time.  When the police forced the door of the man,
the inanimate body of the man was found. The skin of the man "looked like
leather".
  [This is the RISKy part:]
  Because the rent and [natural] gas [for heating] and electricity bills were
automatically transferred, nobody missed him. The man also automatically
received an amount transferred into his bank account every month.  Also, not
one institution missed the man."

Need I say more?

Olaf 'Rhialto' Seibert, University of Nijmegen, The Netherlands


"Autopilot malfunction causes engines to break off"!

Martyn Thomas <mct@praxis.co.uk>
Tue, 26 Feb 91 11:07:33 GMT
According to Flight International [27 Feb-5 March 1991. Page 8]:

A Boeing KC-135 apparently had two engines break off, shortly after
take-off, during Desert Storm operations in the Gulf. Apparently, autopilot
malfunction overstressed the airframe, causing one engine to break away and
hit a second, which was also torn from the wing. The 'plane is repairable,
which says a lot for the pilot's skill!

According to the caption on the accompanying picture (of an undamaged,
4-engine USAF KC-135) "KC-135s have overstressed in the past because of
autopilot disconnects".

Apparently, the 'plane performed a dutch roll, which can lead to overstrain
of the airframe because of the divergent coupling of roll and yaw.

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel:    +44-225-444700.   Email:   mct@praxis.co.uk


Re: Computer problems with MD-11 jumbo jet

<faigin@aerospace.aero.org>
Tue, 26 Feb 91 07:50:57 PST
Well, someone who did vendor software IV&V on a minor subsystem does remember a
few "oddities" -- like the vendor for the main flight computer not conforming
to the system ICD, and everyone else rewriting all interface software during
integration testing (on a crash basis) because the flight control software was
so kluged that everybody including MD was afraid to touch it. And that one of
the hydraulic control LRUs does the ARINC bus monitor checks, and tells
everyone else when to ignore the system (main flight) computers...


Re: Computer problems with MD-11 jumbo jet

<henry@zoo.toronto.edu>
Tue, 26 Feb 91 11:49:34 EST
As an interesting, and perhaps ominous, sideline on MD-11 computer problems,
McDonnell Douglas recently decided that its next big airliner, the MD-12,
will be fly-by-wire.
                                         Henry Spencer at U of Toronto Zoology


Reliability extrapolation

Martyn Thomas <mct@praxis.co.uk>
Thu, 21 Feb 91 14:57:35 GMT
Henry Spencer comments that many systems which we currently trust (such as
large buildings) rely on extrapolation as part of their safety case. He
suggests that it may be reasonable to do the same for computer systems.

Maybe. Isn't most extrapolation based on the assumption that the system
behaviour is continuous? Chaos aside, most physical materials do exhibit
continuous behaviour up to the point of catastophic failure, and materials
science gives us some insight into where the catastrophic failure may occur.
(And sometimes that insight turns out to be wrong ...). Digital systems are,
by their nature, discontinuous. You cannot easily justify extrapolation *or
interpolation* of behaviour. There are digital weighing machines which give
the correct weights *except for a few specific values*. How do you assess
the probability of failure of a weighing machine with these
characteristics?

So can we justify extrapolation? Under what circumstances? To what limits?


Risks of EMI?

<finkel@tartan.com>
Fri, 22 Feb 91 16:38:57 EST
As a mechanical engineer with a diverse career path, I have a few insights into
the controversy over the "cancer causing" electromagnetic radiation. (I have
enough statistics, chemistry, and analysis software experience to almost,
sort-of, maybe know what I am talking about.)

1) POWER LINES CAUSE CANCER -- They most certainly do, but not because
    of EMR. To keep the access roads clear and to keep vines and other
    plants from growing around the power towers, the companies sprayed
    2-4D, commonly known as dioxin or Agent Orange. (If you live near a
    power tower you have probably been exposed to a lot of agent orange).
    The possible carcinogenic effects of this chemical are well known.

2) HAIRDRYERS AND TVS CAUSE CANCER -- Again, I have no argument with
    the truth of this statement. However, the cause is likely a chemical
    one. A hairdryer, they have removed all asbestos, is still a potent
    source of vapors. The high heat release some amount of the
    plasticisers into the air. This vapor laden air is promptly breathed
    in. The vapors then reside in the lungs because the particles fall
        into that marvelous size that only floats, never settles.

    With TVs, you again have lump of plastic which give off continual
    emmissions. The transformer and "sealed" electronic components also
    give off toxic emissions. A warm PCB gives of a field of vapor that
    reaches a lot further than any stray RFI.

3) CRTS CAUSE CANCER -- The plastics argument still holds. All the
    hot cases and components on the PCBS give off toxic fumes. Yet
    another source of the vapors is the office itself. All those pretty
    sound deadening screens, particle-board desks, plastic counter tops,
    synthetic carpets, paint, ... give off significant amounts of vapor.

    The kicker is that a NON_SMOKING environment contributes to the
    problem.  The American Society of Heating and Refrigeration Engineers
    (ASHRAE) has established "safe" airflows for smoking and non-smoking
    areas. The non-smoking airflow is roughly 1/3 that of a smoking area.
    Therefore, filtration is also about 1/3. The ducts are also smaller,
    and so on. SOOO, all those cute chemicals have a lot of time to
    sit in your lungs.

    The larger volume of air required for smokers also results in far more
    clean air coming into a building. Much of this new, clean air comes in
    by design, where air is drawn in by vents. Air also comes in through
    doors and windows. The increased incoming airflow also results in more
    air going out, along with all the stale, chemical laden air. Net
    result: smoking sort of helps air quality.

    Another direct CRT confound is that the screen creates an
    electrostatic field. This field draws particles (dust, stray
    plasticisers, ... ) which increase the concentration of hazardous
    chemicals around the CRT. The electrostatic field creates an airflow
    of garbage into your work environment.

    I have no easy solutions. Some of these links may be be tenuous, but
    they are no more tenuous than the possibly erroneous correlations
    already drawn. The only real difficulty with my arguments is that the
    problems are worse, more pervasive, and harder to fix than just
    setting up a Faraday cage around a terminal.


Re: Risks of radiation treatment of cancer

Clark Savage Turner - WA3JPG <turner@ICS.UCI.EDU>
Mon, 25 Feb 91 20:17:42 -0800
I am keenly interested in the details of the Zaragoza, Spain accidents.

I have spoken with Gordon Symonds of the Canadian Bureau of Radiation and
Medical Devices (who investigated the AECL Therac-25 early on....)  and he
surmises that since GE is mentioned in the news bits, that the culprit could be
the CGR Saturne.  He explains that GE recently bought out CGR.

The Saturne is the underpinning machine for the Therac-20, predecessor of the
Therac-25.  Of course, the Therac-25 is well known for its several elusive
problems which caused massive overdoses.  The Therac-20 is also known to have
problems similar to those of its successor.

Can anyone lend a hand in tracking down these incidents?

- Clark Savage Turner,   UC Irvine


Re: Accuracy in Movies and Newspapers

<John_Richard_Bruni@cup.portal.com>
Tue, 26 Feb 91 09:59:13 PST
I can understand the frustration that people feel when watching TV stories
that extend into a field in which they are experts.  But remember, the
frustration may not be due to the *people* covering the story so much as
the level of simplicity needed to convey a complex story to the general
public.  To claim the networks use ignorant people to cover the news is
itself an ignorant statement.  Speaking for my own network, it happens that
our science correspondent has a doctorate in Immunology from a top-level
school.  Not too shabby considering how many stories on AIDS we have to do.
One of our anchors is incredibly well-versed in statesmanship, coming from
a long line of experts in the field and with more qualifications than you
can imagine, both in terms of degrees and expertise.  If he ever retires I`m
sure any Political Science school in the country would vie for his time.
It`s an easy thing to criticize the press.  We don`t ballyhoo our credentials
all over town but many of us have `em.  How bright would you look in your
field if you had to explain all your subject matter so the general public
could understand you?

Actually, you`d be a darned good teacher if you could do this.  The best
lecture I ever heard on relativistic effects was explained in a way that made
the topic seem almost simple.  That was a talented professor who gave that
lecture!
                                        JRB


Re: worse-is-better for the 1990s

Jerry Gitomer <jerry@TALOS.UUCP>
26 Feb 91 16:14:49 GMT
Perhaps what we are seeing is Gresham's Law as applied to computers:

        The operating systems and languages of lesser intrinsic value
    will drive the operating systems and languages of greater
    intrinsic value out of circulation, because those of greater
    intrinsic value will be hoarded.

Now if I could only figure out how to hoard an operating system or high-level
language :-)

Jerry Gitomer at National Political Resources Inc, Alexandria, VA USA
         (703)683-9090      (UUCP:  ...{uupsi,vrdxhq}!pbs!npri6!jerry


Automatic download of patches

Bill J Biesty <wjb@edsr.UUCP>
Tue, 26 Feb 91 09:32:22 CST
>From this week's Computerworld

"HDS downloads disk code"  by Jean S. Bozman

Santa Clara, Calif. - Hitachi Data Systems Corp. (HDS) is not content to let its
disk drives "call home" when they are not feeling well.  Now, HDS engineering
staff can send some prescription medicine down the modem line, the compandy said
last week.
    HDS claimed that an enhanced version of its Hi-Track maintenance program
adds the dimension of on-line repairs to a 5-year-old automatic failure-reporting
system.  "We can apply many microcode changes without taking the customer site
down," said Jeff German, manager of technical support at HDS.
    The new feature, called Dynamic Microcode Download, adds to Hi-Track's
existing capability to monitor, detect, diagnose and repair failing storage
systems before they crash.
    "If you're reacting to the threshold of pain that people at you customer
sites have, then you won't prevent failures," German said.
    After notifying customers of a device's impending failure, HDS technicians
can send patched the software down a deadicated telelphone line.  Payment for
the Hi-Track service is included in the normal maintenance fee; the same automatic
call-in service will be extended to the new generation of HDS EX mainframes later
this year.
<    Hi-Track is installed in 3,000 disk drive and tape storage systems world-wide,
according to HDS.

The Right Approach?
    However, some industry analysts are unsure whether this kind of service
can build HDS's market share relative to IBM and Amdahl Corp.  "This feature is
not by itself going to convince a customer to buy an HDS 7380 or 7390 disk
drive," said Robert Callery, a senior storage analyst at Technology Investment
Strategies Corp. in Framingham, Mass.  Not all microcode changes will be simple
enough to transmit over the wire, Callery added.  [...]  IBM has a service
director plan that automatically relays disk drive errors to IBM field sevice
centers [... which when ] recieved, IBM calls the customer site to schedule
maintenance. [...] DEC and HP also offer automatic device-error tracking
services....
 ---

The competitive market place is making a bigger push for reduced costs (customer
service visits) and introducing greater risks.  It will be interesting to see if
any of the problems with the new service get reported in the press.

Is anyone familiar witht he service and can give additional details about what kind
of changes can be downloaded?

I believe there was an earlier dicussion concerning the Prodigy service's ability
to automatically download changes to the remote PC's communications software.

I currently subscribe to America On-Line (AOL).  We recently got a flyer in the
mail saying that new features were going to be made available soon to users.  I
never got a disk in the mail.  Then just last week when I signed on I got a
dialog box saying "Updating software database" (or close to that).  When I went
to read postings on a bulletin board, there were new buttons to implement the
announced features!  My guess is that the data base changes were just the icon
image and associated codes to transmit to the host computer rather than an
executable.  I haven't been able to find any documentation on this "feature"
(which I'm sure saves AOL a ton of money avoiding mailings and disk
duplication) much less an agreement that I permit AOL to change data on my disk
drive!

Bill Biesty, Electronic Data Systems Corp., Research and Advanced Development,
7223 Forest Lane, Dallas, TX 75230                  edsr.eds.com!wjb


Workshop on Designing Correct Circuits

<Victoria.Stavridou@prg.oxford.ac.uk>
Mon, 18 Feb 91 10:58:28 GMT
IFIP                WORKSHOP ON DESIGNING CORRECT CIRCUITS     IFIP
WG 10.5                      Call for Papers                   WG 10.2
                           Lyngby, 6-8 January 1992

The purpose of this workshop is to bring together researchers interested in the
design of provably correct hardware. The intention is to have a small informal
workshop with focus on formal methods for designing correct circuits. In
particular we would like to see presentations of methods that have been used in
real designs. To keep this focus we will discourage papers which primarily
discuss tools or the theoretical foundations. The program committee will be
asked to observe these guidelines in their selection.  Relevant topics include
but are not limited to:

           - formal hardware design languages,
           - hardware design by transformation,
           - computing-aided design and verification of hardware,
           - methods of designing testable circuits,
           - analysis of circuit descriptions,
           - experience of the application of these techniques,
           - experience (good or bad) with formal methods.

The workshop will be of interest to researchers in the area of formal methods
for hardware design, and to engineers in industry wishing to keep abreast of
this fast-moving and exciting field.

Programme committee: Joergen Staunstrup, Lyngby (chairman), Luc Claesen, IMEC,
Peter Denyer, Edinburgh, Hans Eveking, Darmstadt, Mike Fourman, Edinburgh,
Geraint Jones, Oxford, Tom Melham, Cambridge, Mary Sheeran, Glasgow, Robin
Sharp, Lyngby, P.A. Subrahmanyam, AT&T

In addition to paper selection the program committee will find a "responder" to
each paper selected for presentation. The responder will give a 5-10 minute
criticism of a paper just after the presentation and the option of getting a
1-2 page contribution in the printed proceedings.

Call for papers: You are invited to submit a draft full paper on a relevant
subject by 15th August 1991. Four copies should be sent to the chairman of the
program committee: Joergen Staunstrup.  Notification of acceptance will be
posted by 15th October, and revised copies of full papers must be received by
1st December in order to be distributed at the workshop. The proceedings will
be published by North Holland.

Local arrangements: The workshop will meet at the Technical University of
Denmark in Lyngby.  Robin Sharp is in charge of local arrangements.  We intend
to keep the cost of the workshop, meals and accommodation around Dkr. 2000 (US$
350).  Questions about the subjects of the workshop and other technical
enquiries can be addressed to one of the organizers:

           J. Staunstrup or R. Sharp,
           Department of Computer Science, Building 344
           Technical University of Denmark,
           DK-2800 Lyngby, Denmark
   e-mail: jst@id.dth.dk  or robin@id.dth.dk

   tel:    (+45) 45 93 33 32          fax:    (+45) 42 88 45 30

Please report problems with the web pages to the maintainer

Top