The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 11 Issue 69

Saturday 18 May 1991


o 42 die in Japanese train crash under manual standby operation
o Electronic Ballot Voted Out in World's Largest Democracy (India)
Les Earnest
o Central postal/banking computer failure in Japan
o Of Two Minds About Privacy???
Mary Culnan
o The Death of Privacy?
Jerry Leichter
o Re: Horible Speling
Les Earnest
Brinton Cooper
o (Bogus) IBM red switch
Mark Seecof
o Emergency off switch - IBM 1620
Stuart I Feldman
o IBM Emergency pull switches
Gene Spafford
o Re: Four-digit address causes NYC death
Scott Barman
o Re: Transactional Records Acess Clearinghouse
Larry Hunter
o Info on RISKS (comp.risks)

42 die in Japanese train crash under manual standby operation

"Peter G. Neumann" <>
Sat, 18 May 91 14:05:47 PDT
Investigations of the head-on collision on 14 May 91 were apparently focusing
on the railroad crews, who were supposedly using hand signals because of the
malfunction of an automatic signalling system at a 100-foot long siding that
had recently been installed especially for running trains from Kyoto to a world
ceramic arts festival at Shigaraki, 215 miles south of Tokyo.  42 died, 415
were injured, 1.5 miles from the siding at which the trains were supposed to
have passed.  The train was carrying 2.5 times its normal capacity, "but
packing trains is not illegal in Japan and is so common that big-city commuter
lines assign workers to push the last few passengers through the doors at the
daily rush hours."

Source: John E. Woodruff, Baltimore Sun, datelined Tokyo, in the San Francisco
Chronicle, 15 May 91. p.A7.

Electronic Ballot Voted Out in World's Largest Democracy

Les Earnest <LES@SAIL.Stanford.EDU>
16 May 91 1424 PDT
By SRINIVASA PRASAD, Associated Press Writer
   BANGALORE, India (AP) - India has had the electronic voting machine for 10
years.  But when parliamentary elections are held next week, vote counters will
again be tallying more than 300 million slips of paper - one by one.  Use of
the machine previously was snagged by legal barriers, opposition by
politicians, doubts about the ability of rural Indian voters to use it and
fears it could be rigged.  Those hurdles were finally cleared, but the national
Election Commission decided the nine-week run-up to the surprise elections was
not sufficient to teach the 3 million polling officers how to use the gadget.
About 150,000 voting machines will remain stashed in government stores.  ``We
have faith in the machines, but we can't take risks by using it before properly
training the officers first,'' Chief Election Commissioner T.N. Seshan told
   There are no professional polling officials in India.  School and college
teachers and government clerks are hired as part-time election supervisors.
The three days of voting spread over next week were called hastily after the
minority government of Prime Minister Chandra Shekhar resigned abruptly on
March 6 because of difficulties in governing.  He will remain in office until
   Indian voters elect their candidates by using rubber stamps to mark ballots,
which are printed with election symbols of political parties or independent
candidates.  Emblems instead of names are used because 75 percent of India's
515 million voters cannot read.  The emblem of former Prime Minister Rajiv
Gandhi's Congress Party is an open palm.  The Janata Dal party of his
successor, V.P. Singh, uses a wheel.  Chandra Shekhar's Janata Dal-Socialist
party has a farmer with a plough inside a wheel.  The Bharatiya Janata, or
Indian People's Party, is identified with a lotus.  Among the hundreds of
symbols used by other parties and independent candidates are a bicycle, rising
sun, two leaves, string cot and tree.
   The electronic voting machine displays the symbols on a screen with a button
next to each picture.  The button is pressed to register a vote and it can be
used only once until the polling officer releases the mechanism.  ``It is
precisely to minimize rigging that the Indian machines have several features
that are not there in the ones used in developing countries,'' said L.S. Anant
of the state-owned Bharat Electronics Ltd., which makes the machine.
 Many observers say voting machines would cut costs and get faster results.
They say the threat of election rigging is no worse than the current system,
which brings frequent charges of ballot-box stuffing.
   National elections are time consuming and costly in India, the world's
second most populous nation and the world's largest democracy with 844 million
people.  The number of voters is more than twice the United States' population,
although only 310 million to 370 million people usually cast votes.  Because of
the vastness of the country polling is normally spread over three days to allow
security forces to be shifted to protect the 600,000 polling stations.
   The votes will be counted continuously after the first day of elections
Monday and final results will be announced three days after the last day of
polling, May 26.

Central postal/banking computer failure in Japan

Thu, 16 May 91 09:12:39 xxx
Computer failure hits post office banking in 6 prefectures

    Sendai, May 16 (Kyodo) - A large postal banking computer went down Thursday
at a computer center in Sendai, putting banking machines out of action for more
than three hours throughout Hokkaido and five prefectures in northern Honshu.
Computer technicians had the main computer, one of three at the ministry of
posts and telecommunications East Japan no. 2 computing center, back on line
shortly before noon but postal authorities could not say what had caused the
computer to fail.  A total of 1,200 post offices throughout Hokkaido and the
northern prefectures were affected, with 1,300 automatic teller machines and
cash dispensers out of action.  Another 3,000 transaction machines used by
counter clerks at 2,900 post offices were also inoperable.

    According to postal bureau officials, the automatic teller operations can
be shifted to an auxiliary computer if one of the three main computers goes
down but this failed after thursday's breakdown.  Counter clerks in the post
offices processed transactions by hand during the failure, the authorities
said.  Until last week, postal banking services in the four northern regional
bureaus were handled by three computer centers in Sendai, Nagano, and Otaru in
Hokkaido.  To improve efficiency, however, operations were concentrated at the
center in Sendai from May 6.

Of Two Minds About Privacy ??? (RISKS 11.68)

"Mary Culnan" <>
16 May 91 21:49:00 EDT
Unfortunately, I think our privacy rights have already BEEN undermined--
at least when it comes to credit information.  There are three
ways in which the privacy of credit reports is/can be violated:

1) Because credit reports are online, it is relatively easy for
unauthorized people to pull your report (recall Jeff Rothfeder,
the Business Week reporter, who got access to Dan Quayle's credit
report thru a Super Bureau).

2) The big 3 credit bureaus will prescreen your credit report for unsolicited
(by you) offers of credit and/or sell mailing lists against a different
database consisting of summarized data from your credit report.

3) TRW and Equifax will also do list enhancement with the marketing database,
that is, match their database against a tape another firm sends in and add
information about you from their marketing databse to the tape that was sent in
(assuming you are on the tape that was sent in).  For example, a bank wants to
learn more about its customers--it could have its customer file enhanced with
summarized credit data.  At least one firm has the Equifax marketing database
running on its own mainframe.

The credit bureaus will let you opt out of the marketing applications by
writing to them.  However, in the case where the database itself has gone to a
third party, it's hard to see how an individual can exert any control over this

Much of this sadly reminds me of problems raised by the Lotus MarketPlace.
Further, this is all legal due to giant loopholes in the FCRA.
                                                                Mary Culnan

The Death of Privacy?

Jerry Leichter <>
Fri, 17 May 91 00:17:42 EDT
In a recent RISKS, David States quotes a Scientific American article stating
that "privacy legislation has been nickeled and dimed to death" - but that most
Americans, according to an Equifax survey, don't seem to mind.  He wonders
whether this is an opening salvo in further attempts to limit privacy.

I think there's something much deeper going on.  The more I look around me,
the more I come to the conclusion that we, as a society, have almost lost the
very idea of privacy.  Consider what would, 30 years ago, have been considered
"private" by most people.  A list might include such things as financial
matters - particularly how much money they make/have, health records, family
relationships, sexual matters, personal opinions about other people.  Today,
huge numbers of people have access to our financial and health information,
we're encouraged to be "open" about our feelings, sex is widely discussed
(note that 30 years ago, "privacy" about sex INCLUDED not having OTHER
people's sex live discussed in public), etc.

We can blame some of the changes, particularly about things like financial and
health records, on business or government.  It's hard to see how we could have
medical insurance on today's scale without such records and their relatively
wide availability, and in trade for much wider availability of information on
our financial affairs we got credit cards and such things; so even here, the
story is complex.  But much of the "baggage" of privacy we threw away with
great enthusiasm during the sexual revolution and the general "opening up" of
society in the late '60's.  "Let it all hang loose" doesn't mesh well with
keeping things private.  "Privacy" is closely connected to "shame," but most
of the things traditionally associated with "shame" no longer are either.
About the only things we are "supposed" to be ashamed of now are legal or
ethical violations.

These are deep-seated and profound changes in our social outlook.  They
happen to coincide with the emergence of a technology that is able to pierce
the anonymity of "mass living".  Residents of small communities have never
had very much privacy - everyone knew what everyone else was doing.  (There
was often a tacit social agreement to look the other way, of course.)  But
large cities were anonymous, and people could get lost in them.  Increasingly,
they no longer can.

Computerized record-keeping systems have a long history of allowing access to
"unauthorized" personnel.  When this happens, it should be brought to light and
repaired.  However, it's important to realize how much of our loss of privacy
is intimately connected with the DESIRED operation of our systems.  Of cases I
can think of from my own personal experience where I felt my own sense of
privacy to be violated, one of the most vivid involved having to discuss
details of medical treatment with a clerk for some insurance company.  By the
very nature of the insurance, this clerk was authorized to determine whether I
was making a proper claim; but my gut reaction was "this is none of your damn
business, I talk to my doctor about that".
                              — Jerry

Horible Speling (RISKS-11.66)

Les Earnest <>
Thu, 16 May 91 21:55:45 -0700
Unfortunately, I can't blame computers for my spelling lapses, having grown up
before they were invented.  In fact I invented the spelling checker in 1967 as
a cover-up.

I had created a list of the 10,000 most common English words on paper tape when
I was at MIT for use by my program that read cursive writing.  A year or so
after I came to the Stanford Artificial Intelligence Lab, I got a graduate
student to write a spelling checker using this word list.  He did it in Lisp,
which clanked a bit on the DEC PDP-6 that we were using.  A few years later I
got another student, Ralph Gorin, to write a faster and better machine language
version for the SAIL computer, which by that time was a dual processor
DEC-10/PDP-6 system.

Freeware was the norm then — no one even _thought_ of patenting software.
From SAIL, the spelling checker spread via Arpanet throughout the DEC-10/20
world, then on to other timesharing systems.  When personal computers appeared
later, these meddlesome programs became ubiquitous.  (I note, however, that the
one running here under emacs doesn't recognize "meddlesome.")  Unfortunately,
spelling checkers don't deal with another composition problem of mine --
fingers that often spell phonetically when I go fast — because homophones pass
the spelling test.

Incidentally, though the venerable SAIL computer now appears to be the oldest
living timesharing system in the world, it hasn't been maintained for a long
time and is beginning to show Alzheimer symptoms.  On the afternoon of June 7
we plan to have a party celebrating its 25th birthday, last rites, and wake.
Anyone who would like to receive SAIL's last words, which are likely to include
a boastful summary of its accomplishments, should send a message (content
unimportant) to

Les Earnest, 12769 Dianne Drive, Los Altos Hills, CA 94022        415 941-3984
Internet:           UUCP: . . . decwrl!!Les

Re: Horible Speling (Engst, RISKS-11.66)

Brinton Cooper <abc@BRL.MIL>
Thu, 16 May 91 15:05:19 EDT
My wife's pupils (grade 4) use a spell checker in connection with a word
processor that's only a little more than an electronic typewriter.  Targeted
for children, the spell checker will flag homophones (homonyms?) and ask the
user if he/she knows which one he/she really wants.  This feature seems to be
in the spirit of Adam's point.

However, if the teachers of today cannot spell without that electronic crutch,
I'd be more likely to complain to (1) them, (2) the school district who hired
them, (3) the "university" which trained them, and (4) the public schools where
they didn't learn to spell.

(bogus) IBM red switch

Mark Seecof <>
Thu, 16 May 91 13:44:21 -0700
Okay, I can't resist adding to the red-switch discussion.  I used an IBM 1401
in high school.  It had an "emergency" power-off switch--which no one ever
pulled.  It also had a 1403 600-LPM line printer.  If you placed an invalid
character in the carriage-control column of a FORTRAN output record, the line
printer would spazz out and feed paper continuously at high speed.  The printer
would emit a loud and distinctive scream as paper shot dramatically from the

Of course, inexperienced student programmers who provoked this behaviour would
try to stop the printer by punching the large red STOP button on its console.
Ha!  That button, like its twins on the read/punch unit and CPU cabinet, would
halt the processor but have no effect on the printer.  There was a transparent
button with some innocuous label (I don't remember the exact wording and my
manual is at home) which would actually stop the printer.  Because panicky
students weren't likely to find the proper button before hundreds of feet of
paper were propelled through the printer, the official technique for dealing
with the situation was to step on the paper in the paper box (which stood open
beneath the front of the printer).  The printer would tear the paper off neatly
at a page-perf and then sit there whining until someone punched the proper

Moral?  The large red STOP button on the front of a machine should stop THAT
MACHINE, not some other machine on the other side of the room.  This is even
more important when the machine in question is a mechanical device which could
injure someone (suppose your regulation IBM computer-programmer's tie got
caught in the tractor feed mechanism as you were peering at some output...).

(Also on the subject of red switches, I have been informed that the reason the
newer IBM PS/2's and RS/6000's have white power switches is because of a German
government regulation which demands that the ONLY red switch in an entire
computer room be one which turns off all power to all equipment in the room,
and it was easier for IBM to fit all small computers with white power switches
than to fit some with red and some--for sale in Germany--with white.  Note also
that the Germans have proposed that their (sometimes silly) rules be adopted by
the whole EEC.)

Mark Seecof, Publishing Systems Department, Los Angeles Times, Times-Mirror
Square, Los Angeles, California 90053 Voice: 213-237-7605 Fax: 213-327-3119

Emergency off switch - IBM 1620 (RISKS-11.67)

Stuart I Feldman <>
Fri May 17 21:40:58 1991
If we are reminiscing about ancient unsafe designs, consider the IBM 650, which
had both `AC power off' and `DC power off' buttons.  The DC power off turned
off the active logic (vacuum tubes!).  AC power off didn't actually do that,
but initiated the power down sequence, which included putting on the braking
rotors for the magnetic drum (cylinder rotating at 12,500 rpm).  The
corresponding `AC power on' button started the spin-up motors.  For lack of a
relay, there was no interlock between these functions, and it was possible (or
so I was warned as a tyke) to warm up the drum by having the two motors fight
each other.

So what's so strange about a guillotine for the power cord?

IBM Emergency pull switches

Gene Spafford <>
17 May 91 02:26:32 GMT
Back in the 1981-1983 timeframe (the exact year escape me), IBM donated some
equipment to the School of Information and Computer Science (now the College of
Computing) at Georgia Tech.

Included in this donation were 3 IBM Series 1 machines.  Each of these was
equipped, in the upper right-hand corner, with a bright red "Emergency Pull"

Those of us using the Primes, Vaxen, and AT&T gear made jokes about the switch
(and about the IBM gear in general).  Little did we know at first....

In the 7 years I was at Tech, I saw lots of equipment pass through the lab.  We
had, other than the IBM gear, AT&T 3bX's, Primes, HP systems, Data General,
Xerox, Symbolics, and various other bits & pieces, including lots of
telecommunications gear.  In all that time, with over 100 machines, we had 4
fires in the lab.

One was caused when a CDC disk drive on one of our Prime 400 machines had its
bearings seize (the disk had been on-line for something like 6 years with no
maintenance, and the machine had been up for over a year without a reboot, as I
remember — the most reliable collection of hardware I've ever seen).  The fire
was well-behaved and put itself out; the Prime continued to run, but the first
command typed at the console that caused a page fault caused a panic halt.

The other 3 fires were all IBM Series 1 machines.  These weren't just little
blow-a-capacitor-and-create-smoke fires, either.  They were
burn-up-the-power-supply type fires that took controller boards with them.  One
was so complete, we had to dispose of the machine as there was too little to
salvage, as I remember.

We concluded that the pulls were not there out of tradition, but were installed
because experience or choice with the design indicated that they were necessary
to deal with the tendency towards self-immolation.

Ever since then, I have believed that any machine that has an emergency pull
probably needs one.  Computers that are likely to catch fire or electrocute me
(see the old Risks posting about the jealous computer electrocuting the
scientist) are not high on my list of preferred computing platforms.  I also
tend to flinch when a sales-critter tells me his cpu really smokes; it took me
a while to even tolerate the idea of using a SPARC. :-)

Gene Spafford, NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-1398

Re: Four-digit address causes NYC death (Pellett, RISKS-11.60)

Scott Barman <>
Thu, 16 May 91 13:56:27 EDT
The original posting (Nilges, RISKS-11.55) came from a report aired on WNBC in
New York.  To find out more about this, I spoke with a director I know who is
familiar with the story (he did not work on the story and the original
reporter/director is out on assignment).  I was reminded of something that Mr.
Ravin forgets; a large parts of Queens was not fully developed until after
World War II.  There are a lot of addresses that look like they would cause a
conflict when given, such as an 83rd Street vs an 83rd Avenue address as well
as cross streets with names (the incident in the report happened off of Queens
Blvd.).  Over that time, the city assigned different address numbers on some of
these and nearby streets to hopefully avoid conflicts and give emergency
services a better chance of finding these places.  Unfortunatly, over the years
the city has never properly adjusted the "official" city specifications for
addresses and this specification is what they used for designing the 911

Bob Frankston <> writes:
>Representation is a nontrivial issue.  While it may be "obvious" that one
>should allow for five digit addresses, what about fractional addresses due to
>subdivided lots (how do you say "384 3/8e 1St SW" in ASCII, how does it
>sort??  Apartment addresses?  Alternative addresses (6th Ave vs Avenue of the
>Americas)?  Why not require full color graphics and then discover you can't
>present it on a belt-mounted radio?

Curious about the 6th Avenue vs. Avenue of the Americas differences (since part
of this building is on 6th Ave.), we contacted the NYC Emergency Services
Bureau and were told that the system understands the addresses at 6th Avenue
and the operators are trained to use 6th Avenue instead of Avenue of the
Americas in the computer and when dispatching assistance.

Oh, and there are no "3/8" addresses.  There are halves and they are addressed
in the system (albeit badly I have been informed).  Also, NYC does not use
compass directions like SE or SW but does used an address like "40 W. 50th
Street" and these are addressed as well.

Another problem the report didn't cover, and nobody did either, is that there
is a problem (again in Queens) with Harry Van Arsdale Drive.  This street name
was changed a few years ago from Jewel Avenue and is entered in the Emergency
Services Bureau computer as two different addresses because there is no way to
properly link these addresses in that system. So a person can call and report a
fire at (for example) 80-15 Jewel Avenue and another person can call and report
one at 80-15 Harry Van Arsdale Drive and two dispatches will be sent.  We were
told the one time something like this happened, the local fire house understood
it to be the same address eventhough the 911 operators didn't.  ESB uses the
same procedure as the 6th Ave vs. Ave. of the Americas problem but since this
is a newer change and since some of the ESB operators are not from NYC (20% are
New Jersey residents) they leave it up to area fire and police not to dupicate
the calls.  This is something ESB is looking to fix.
                                                            scott barman

Transactional Records Acess Clearinghouse

Larry Hunter <>
Fri, 17 May 91 10:07:41 EDT
I have been inundated with messages asking me for more information about David
Burnham's Transactional Records Access Clearinghouse (note the correction of
the name from my posting in RISKS-11.60).  Here is contact information for
those of you who would like to know more about the organization:

   Transactional Records Access Clearinghouse,   999 Pennsylvania Ave., SE,
   Suite 303,        Washington, DC 20003                    (202) 544-8722

Please report problems with the web pages to the maintainer