The RISKS Digest
Volume 16 Issue 31

Tuesday, 9th August 1994

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Unda(u)nted exploration: DANTE II
Denver "solves" hi-tech baggage handling problems
Lauren Weinstein
Re: Squirrels again bring down Nasdaq
Joe Morris
Bob Frankston
More than squirrels: Newbridge Networks
Bob Frankston
Re: RISKs of electrical wiring
Lauren Weinstein
Re: The Cult of Information
Steven Tepper
Rapid Application Development (RAD)
Rebecca Mercuri
Intel plant in Albuquerque
Phil Agre
Madcap world of modern banking
Ross Anderson
A330 Crash investigation report: Pilot error blamed for crash
Erik Hollnagel
Workshop Announcements PDCS2 and SCSC
Barry Hodgson
CSR Software Reliability & Metrics Club - Meeting Announcement
Pete Mellor
Washington DC ACM Seminar
John Sheckler
Info on RISKS (comp.risks)

Unda(u)nted exploration: DANTE II

"Peter G. Neumann" <>
Tue, 9 Aug 94 7:41:18 PDT
The Dante II robot (successor to Dante I, whose fiber cable snapped only 21
feet down into Mt Erebus in 1993) has been exploring the volcanic crater of Mt
Spurr in Alaska, apparently with great success in gathering information in a
human-risky environment after the 1992 eruption.  En route to the bottom,
Dante II survived being hit by rocks and slopping through mud and snow; prior
to its descent its satellite dish antenna was chewed on by a bear.  However,
the last few days have provided grist for the RISKS mill as to what can go
wrong going wrong.  Last Wednesday (3 Aug 1994) the robot lost power, and then
its transmitter went dead.  On Thursday, a short-circuit (due to condensation)
was fixed in a connector to the 1000-volt power and communications cable.  The
robot then was able to begin its ascent (at three feet per minute).  On Friday
night, the 1700-pound Dante II lost its footing when one of its eight legs
malfunctioned, and it toppled over.  Plans are now afoot (no pun intended) to
hoist it out by helicopter, or if that fails for a geologist (John Laskeivitch
of the Alaska Volcano Observatory) to climb down and attach a tether — using
the knowledge obtained from Dante II that there are lots of rocks but that the
expected hot gases are no longer present.  The robotic software seems to have
functioned well throughout.  [SOURCES: PGN News Service from articles by
Charles Petit in the San Francisco Chronicle, 4-5 Aug 1994, and AP items, 7
and 9 Aug 1994.]

Denver "solves" hi-tech baggage handling problems

Lauren Weinstein <>
Thu, 4 Aug 94 23:40:23 PDT
It looks as if the folks in Denver have figured out what they need to do to
finally get their new airport open.  As you may recall, it has failed to open
for quite some time because the amazing, computer-controlled, $200 million
baggage handling system simply doesn't work.  Nor does it appear that there is
much hope of making it work quickly.  The more deeply the system is inspected,
the more problems are found.

Videos of the failing system under test are great fun to watch.  Bags being
flung at carts that aren't where they're supposed to be, carts flying off
tracks, bags flying through the air smashing into the ground, and so on.
Quite a show.

So how to open the airport?  Simple!  They've apparently decided to spend more
bucks and build *another* baggage handling system--the conventional kind with
conveyer belts.  After they build this new, old-style system, they'll finally
be able to open the airport, which is currently losing something like $1
million/day just sitting there.

The plan is to shift back to the computerized system when (if?) they get all
the bugs out of it.


Re: Squirrels again bring down Nasdaq (Neumann, RISKS 16.30)

Joe Morris <>
Tue, 02 Aug 94 12:15:04 -0400
>Nasdaq once again was shut down by an energetic squirrel ...

To many people interested in commercial power (including computer center
managers such as yours truly was at one time) the word "squirrel" is often
defined as "a self-propelled short circuit".

Joe Morris / MITRE

Re: Squirrels again bring down Nasdaq

Sat, 6 Aug 1994 14:54 -0400
There was a followup article (which I don't have handy) in the Times noting
that the outage caused trade reconciliation algorithms to fail.

A general problem is cascading failures when interacting timeouts start going

More than squirrels: Newbridge Networks

Mon, 8 Aug 1994 14:20 -0400
Squirrels aren't Nasdaq's only problem. According to an article in the New York
Times, there are also some race conditions in their procedures.

The article describes attempts to stop trading in Newbridge Networks stock.
Apparently the attempt to stop trading was entered at 9:32 instead of 9:30 due
to an error entering a command. Many options (more highly leveraged than
shares) got through and were confirmed. They were retroactively cancelled.

There are two basic problems. One, as the article noted, is that a
confirmation is not a confirmation. The other is the contrast between human
speeds and computer speeds. Two minutes is a very very long time.

Re: RISKs of electrical wiring

Lauren Weinstein <>
Tue, 2 Aug 94 11:01 PDT
Regarding the electrician who blew out some equipment by dropping the neutral
from a circuit, causing a power leg to go to around 220V (about double the
North American standard of ~117V).  One might suggest that (even though it can
be inconvenient) turning *off* the power to areas that could be directly
affected by ongoing electrical work would be a simple and mandated procedure.
No fancy protective gear is needed in this case.  Just turn off the breakers
until the work is done.


The Cult of Information (RISKS-16.30)

Steven Tepper <>
Tue, 2 Aug 94 14:41:50 PDT
> Roszak, in this book, is not attacking the idea of computerization

He already did that in a novel called "Bugs".

Rapid Application Development (RAD)

Rebecca Mercuri <>
Fri, 5 Aug 1994 17:49:27 +0500
I am writing an article on Rapid Application Development (RAD) and would like
to include a risky horror story or two, if anyone has one they want to share.
If you can BRIEFLY describe a project where RAD techniques were used to
develop a system or software which resulted in quantifiable losses (in terms
of time, money, etc.) to an individual or organization, I will consider
quoting you (with proper citation of course). The anecdote must be traceable
to an organization or individual involved (there can be some anonymity, but
some person or group must be identifiable so the story can be verified).

Please send replies DIRECTLY to

Sorry, I don't have time to address other matters (like "what is RAD?" — if
you don't know then you probably weren't using it).

BTW, I'm especially interested in projects where an outside consulting team
came in, used RAD, developed something and left it either unfinished,
undocumented, untested, and/or unsupportable. Hope someone wants to go on
the record with their experience(s).

Thanks in advance, Rebecca Mercuri

Intel plant in Albuquerque

Phil Agre <>
Fri, 5 Aug 1994 16:27:24 -0700
The SouthWest Organizing Project is engaged in a campaign against the Intel
chip fabrication plant in Albuquerque, New Mexico.  They allege excessive
water use, chemical hazards to workers, and large expenditures of public funds
for small numbers of jobs for local people.  Their report is available from
them (US$10 plus $1.50 p/h) at SWOP, 211 10th St SW, Albuquerque NM 87102,

Phil Agre, UCSD

Madcap world of modern banking

Sun, 7 Aug 1994 16:36:01 +0100
The Sunday Times reports on 7th August that one of its readers in
Hertfordshire, England, paid a cheque for a thousand pounds into her account
with Barclays Bank in June. The cheque bounced, and Barclays did not credit it
to her account; but for no reason they also removed a further thousand,
causing her to go overdrawn.

After writing letters and waiting for weeks, she got a letter from Barclays
explaining that the loss was ``a quirk in our accounts processing system which
is effectively debiting twice the amount of a customer's unpaid in cheque''.
It goes on: ``Your helpful comments are valuable to us in prioritising the
resolution of difficulties such as those experienced by you''.

I suspect that many firms only fix software bugs when enough
customers have complained about them. But how many make a virtue
out of it?

Ross Anderson  Cambridge University Computer Laboratory

A330 Crash investigation report: Pilot error blamed for crash

Erik Hollnagel HRA <>
Fri, 05 Aug 1994 10:45 +0200
   [Erik provided an article from the U.K. *Times*, 3 Aug 1994, p.7, which
   is omitted here.  The article noted confusion on the flight deck and
   three seconds of hesitation by a tired chief pilot as being responsible
   for seven deaths on the test-flight takeoff of an Airbus A330.  PGN]

My comment is that in the absence of an obvious single fault in the hardware
(which in this case mostly is software) the default explanation is "human
error". It looks rather as if the combination of automation, ill-defined
tasks, and an unsupportive organisation were the real causes. But I would not
expect Airbus to ever acknowledge that.
Erik Hollnagel, Technical Director, Human Reliability Associates Ltd.,
School House, Higher Lane, Dalton, Lancs. WN8 7RP, UK   +44.257.463.121

Workshop Announcement

Barry Hodgson <>
Wed, 3 Aug 1994 16:16:28 +0000
PDCS2 2nd Open Workshop
(Predictably Dependable Computing Systems 2)
Newcastle upon Tyne
19-21 September 1994

        &

Safety-Critical Systems Club
14th Meeting and Seminar on New Technologies
Leeds
22-23 September 1994


The issues addressed by the PDCS2 research project and SCSC members are
closely related.  It is because of this, and the geographic proximity of
the locations, that we hope to facilitate attendance, by interested
parties, to both events.

PDCS2 2nd Open Workshop

The 2nd Predictably Dependable Computing Systems (PDCS2) Open Workshop will
be held on 19-21 September, at the University of Newcastle upon Tyne,
starting at 2.00 p.m. (with registration and lunch from 12.30 p.m.).

The PDCS2 Workshop will comprise technical presentations of the year's
work.  There will also be demonstrations of prototype software and systems
developed by the project. Further details are provided in the preliminary
programme shown below.

PDCS2 builds on, and takes significantly further, the work of ESPRIT Basic
Research Action PDCS on the problems of making the process of designing and
constructing adequately dependable computing systems much more predictable
and cost-effective than at present.  In particular, it addresses the
problems of producing dependable distributed real-time systems and
especially those where the dependability requirements centre on issues of
safety and/or security.  The research programme is concentrated on a number
of carefully selected topics in fault prevention, fault tolerance, fault
removal and fault forecasting.  It ranges in nature from theoretical to
experimental and in a number of cases the acquisition or implementation, in
prototype form, of software tools, and their experimental interconnection.

SCSC 14th Meeting and Seminar on New Technologies

The 14th meeting of the Safety-critical Systems Club will be held on 22-23
September at The Marriott Hotel in Leeds, starting at 10.00 a.m. with
registration and coffee from 9.30 a.m.  On Thursday 22 September the theme
will be "New Technologies for Safety-critical Systems" and the programme
will address the application of technologies such as formal methods, neural
networks, knowledge based systems, and robotics to the safety critical
domain, enquiring into their readiness for this role, and examining actual
experience.  On Friday 23 September the event will focus on "Introducing
Formal Techniques" and will provide an overview presentation on how to
manage the introduction of formality, together with talks describing real
case histories.

The Safety-critical Systems Club was formed in 1991 with support from the
DTI and SERC.  It provides a regular forum for presentations and
interaction on a wide range of topics concerning the use of computing
systems in safety-critical applications.  The majority of participants are
practitioners and users of such systems, but developers and research
workers are also represented in the membership of almost 2,000.  Each year
the club holds a series of meetings and seminars, circulates a regular
newsletter and organises a three day conference on the theme of
safety-critical systems.

PDCS2 - ESPRIT Basic Research Project 6362
Predictably Dependable Computing Systems



19-21 September 1994
University of Newcastle upon Tyne


12.30-14.00     Registration and Lunch

14.00-14.15     INTRODUCTION
                Brian Randell (Univ. Newcastle)

14.15-15.45     FAULT PREVENTION &
                A Systematic Approach for the Analysis of Safety
                Requirements for Process Control Systems
                        - Tom Anderson (Univ. Newcastle)
                A TTP Solution to an Automotive Control System
                        - Hermann Kopetz (TU Wien)

15.45-16.10     COFFEE

16.10-18.00     DEMONSTRATIONS

- - -


10.30-11.00     COFFEE

                Implementing Fault-tolerant Applications: an
                approach based on reflective object-oriented
                        - Jean-Charles Fabre (LAAS-CNRS, Toulouse)
                Object-Oriented Environmental Fault Tolerance
                        - Cecilia Calsavara (Univ. Newcastle)

12.30-14.00     LUNCH

                Engineering Judgement about Dependability: pitfalls
                and defences
                        - Lorenzo Strigini (CNR, Pisa)
                Availability Bounds for Large Markovian Models of
                Fault Tolerant Systems
                        - Pierre-Jacques Courtois (UC Louvain)

15.30-16.00     COFFEE

16.00-18.00     DEMONSTRATIONS

20.00           WORKSHOP BANQUET

- - -

                Software Reliability Analysis of Three Successive
                Generations of a Switching System
                        - Karama Kanoun (LAAS-CNRS, Toulouse)
                Relativistic Reliability Modelling for Highly
                Reliable Systems
                        - Bernard de Neumann (City Univ., London)

10.30-11.00     COFFEE

                Comparison of Two Fault Injection Techniques
                Supported by the MEFISTO Tool
                        - Marcus Rimen (Chalmers UT, Goeteborg)
                Comparison and Integration of Three Diverse
                Physical Fault Injection Techniques
                        - Johan Karlsson (Chalmers UT, Goeteborg)

12.30-14.00     LUNCH

                Including closing address
                by Jean-Claude Laprie (LAAS-CNRS, Toulouse)


Dept. of Computing Science, Claremont Tower, University of Newcastle,
Newcastle upon Tyne, NE1 7RU, UK
EMAIL =   PHONE = +44 91 222 7948
FAX = +44 91 222 8232

CSR Software Reliability & Metrics Club - Meeting Announcement

Pete Mellor <>
Tue, 9 Aug 94 13:40:05 BST
                    Software Reliability & Metrics Club
                    announces its forty-second meeting,
               to be held at Brighton on 12th October 1994,
                               a seminar on
                        ||  Process Improvement  ||

Learn from the practitioners

The morning session will be devoted to talks by leading experts in the
increasingly important field of software process improvement, dealing
with significant practical issues:

   *  How to measure software process improvement
   *  Identifying opportunities for process improvement
   *  Defining and describing processes
   *  Reasoning about process effectiveness
   *  Achieving and quantitatively demonstrating improvement

Explore the key issues

After meeting with their peers over lunch, groups of delegates will work
together, sharing their collective experience, and discussing some of
the topical issues in the field of process improvement:

   *  Bottom-up or top-down?
   *  How to get started
   *  Which comes first - the process or measurement?

Delegates are encouraged to suggest other topics for discussion in this
part of the meeting; to do so, fill in the relevant part of the tear-off
slip on the next page.  The working session will be followed by reports
back to the main meeting, and an open discussion of the issues raised.

Discover the future

Following informal discussion over tea, the final session of the day
will be led by one of the key players in determining the future
development of this important field.  This perspective will be important
for all who are planning to be, or are already, involved in the software
process improvement area.

Who should attend

This meeting is aimed at anyone with a professional interest in
improving software development processes, including:

   *  software engineers, project managers and quality personnel wishing
      to learn about the practice of process improvement
   *  experienced process improvers who wish to broaden their knowledge
      and keep in touch with the latest developments
   *  researchers wishing to learn from the practical application of
      process improvement ideas.

Why you should attend

The benefits of attendance at this meeting include:

   *  exposure to the practical experience of other professionals who
      have successfully applied software process improvement within
      their companies and for the benefit of their clients
   *  opportunities to share your experiences and problems with other
      professionals, both during the formal sessions and informally
      during the breaks
   *  updating on the practice of the leaders in the process improvement
      field, and on likely short term future developments which will
      have implications for the whole industry.

Where, when and how to attend

The meeting will be held in Brighton, at the Bedford Hotel, on 12
October 1994, starting at 10.30 am, with registration from 10.00 am
onwards.  The cost of this one day meeting will be L.165.50 which covers
lunch and refreshments during the day and includes L.60 Club membership
fee with L.10.50 VAT; if you are already a Club member the charge is only
L.90.  If you would like to attend, please complete the tear-off slip
below and return with your remittance; early registration would be much
appreciated and may help to avoid disappointment.  Maps and suggested
train times will be sent to registered delegates, who are responsible
for arranging their own accommodation (if required).

      Joan Atkinson, Centre for Software Reliability, Bedson Building,
      University, Newcastle upon Tyne, NE1 7RU
      Tel:  091 221 2222;  Fax:  091 222 7995;

Washington DC ACM Seminar

John Sheckler, ATSC, 301/805-3258 <>
4 Aug 1994 12:20 EST
The next Washington DC ACM Professional Development Seminar
series is scheduled for November 14 through November 18, 1994.
The following topics and presenters have been scheduled.

Monday, November 14
    Mr. Allen S. Perper      -    Business Process Engineering/Reengineering
    Mr. Will Tracz           -    Domain-Specific Software Architectures
                                   — Process, Products, and Infrastructure

Tuesday, November 15
    Dr. Cy Svoboda           -    Information Engineering
    Mr. Mike Gorman          -    Managing the Development
                                  of Client/Server Applications

Wednesday, November 16
    Mr. Ed Krol              -    The Whole Internet — Archie, Veronica and
                                  the Gopher Explore the World Wide Web
    Mr. William Durell       -    Data Administration and Management

Thursday, November 17
    Dr. Robert N.Charette    -    Profiting from Risk Management
    Mr. Watts S. Humphrey    -    Personal Process Improvement

Friday, November 18
    Dr. Robert S. Arnold     -    Legacy System Migration
    Mr. Edward V. Berard     -    Testing Object-Oriented Software

In addition to the regular twice yearly seminar series, the WDC-ACM also hosts
a distinguished international lecturer.  This year, Mr. Philip Zimmermann,
developer of the well known Pretty Good Privacy encryption algorithm, will
discuss Public Key Cryptography on Thursday November 10, 1994.

The seminar series and internationally known lecturer presentation are held at
the University of Maryland Adult Education Center on the campus near the
intersection of Adelphi Road and University Boulevard (Route 193).

Category                       Advance: Cash,       Walk-in: Cash,       Purchase Orders,
                               Check, Credit Card   Check, Credit Card   Training Requests
ACM Chapter Member             $170                 $205                 $230
Non-Member                     $175                 $205                 $230
Full-Time Student              $ 80                 $110                 $230
Sr. Citizen (age 60 or over)   $ 80                 $110                 $230

Attendance at each course will be limited to the capacity of the
room being used (check with the ACM/PDC answering machine, (202)
462-1215, for availability).  We are planning on using the
largest rooms available for Mr. Krol, Zimmermann and Humphrey.
Detailed registration information and assistance can be obtained
by calling Mrs. Nora Taylor at (301)229-2588.
