The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 03

Tuesday 4 April 1995


o Chunnel has ghost trains
Lord Wodehouse
o Overzealous clock correction?
Robert Rhode
o Israelis cough at the name of "Kaf"
Edward P Ravin
o A Tale of Two Organs...
Matthew D. Healy
o Mysteries of the Mind psychological SW advertisement
Rodney D. Van Meter
o Police cop it from computer
Jon Hunt
o Japanese transcription (was Re: Patent searchers)
Rodney D. Van Meter
o OSHA Ergonomics draft
Jim Horning
o Software safety, new handbook, standards
Archibald McKinlay via Jim Horning
o Andersen Law Suit Report
Bernard Robertson-Dunn via Jim Horning
o Complexity (was RISKS of non-standard interfaces)
Bob English
o Re: More on German Train Problems
o Is there a RISK in misremembering SF novels?
Peter da Silva
o Re: Self-Censorship of NetPorn
Jerry Leichter
o Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

Chunnel has ghost trains

Lord Wodehouse <>
Sun, 2 Apr 1995 16:25:15 +0100 (BST)

It was probably to be expected, but the Chunnel trains are in trouble because of sea water. In today's Sunday Times (3rd April 1995), John Harlow writes that because of unexpectedly (really?!) high levels of sea water, rogue signals are sent to the drivers and controllers of trains. The drivers get 3 red flashing lights and have to do an emergency stop and wait until controllers have checked the position of all trains in the tunnel, radio back and reset the signals, which takes up to about 20 minutes.

A driver for Le Shuttle said there were about 5 emergency stops a week. They are running about 100 trains a day, so this is not many, but there should be no ghost trains at all.

Safety inspectors are worried. On March 17th a train had to stop so quickly, glasses fell off tables, and another time a lorry moved forward into another vehicle (the trains carry cars and lorries).

The action of the train at 100mph going through the tunnel raises a mist of salt water behind it and this short circuits a low-voltage connection between the rails, which mimics a train.

It appears that engineers have underestimated the effect of sea water, an excellent conductor of electricity, on trackside electronic equipment.

It is also my belief that they also may have underestimated the corrosive effects of salt water. This will have the opposite effect and thus cause other problems.

We wait, for the next ``advanced technology meets old-fashioned, well-known problem and fails again.''

Lord John - The Programming Peer +44 181 966 2109

Overzealous clock correction?

Robert Rhode <>
Sat, 1 Apr 1995 17:32:47 -0500 (EST)

I run an extension on my Mac that compensates for the error in the computer's realtime clock by occasionally calling up the Naval Observatory and checking the difference. It also has the option of automatically adjusting the clock by an hour for Daylight Savings Time. Apparently, so does the new System 7.5. Anyone want to guess when I'll arrive at work on Monday?

- Bob

Israelis cough at the name of "Kaf"

Wed, 29 Mar 1995 21:49:02 EST

Israeli military censorship forbids the local press from publishing the name of the person who heads the internal security police (known as Shin Bet or "Shabak"). He can only be referred to as "Kaf" (a letter of the Hebrew alphabet). But the Jerusalem Report of 6 April 1995 says that the chief's name and address were published in a mid-March message on the Internet (presumably a Usenet post) "circulated freely to millions of net-users all over the world." The message, probably circulated by opponents of the man newly appointed to the post, invited "Internet readers to send 'letters of congratulation' to the new head man" and gave his correct name and address. The article went on to note the "anachronism of trying to keep the secret-service chief's name under wraps in an era when the flow of information can no longer be controlled." Opponents of "Kaf" have also "daubed his name in bold letters on the censor's office in Jerusalem."

[A Feted Kaf or a Fated Kaf? PGN]
On the same page, another story mentions 104 year old Yosef Tzadok, who has 24 grandchildren and 36 great-grandchildren, but also just got a notice to register at a Jerusalem kindergarten because his birthday was recorded in a computer somewhere as "December '90"...
[Not the first, but yet another premonition of things to come. PGN]

Police cop it from computer

Sun, 2 Apr 95 14:17:07 PST

[This incident is amusing and bizarre, but I doubt that it is very uncommon.]

Police cop it from computer (Eugene Bingham, NZ Herald, Thursday 30 March 1995)

A police information-gathering exercise turned into a matchmaking fiasco as a computer system went haywire. Printouts sent to staff this week as part of the police department census have recorded as fact a large number of nonsensical living arrangements.

If the census forms are to be believed:

"It is obviously a real big screw-up," a police source said yesterday. "Everyone thinks it is hilarious."

The problems arose when staff began opening the census forms and read a page of personal information supposedly held on police records. It is understood hundreds of errors are contained in the section recording next-of-kin details. Embarrassed police officials said yesterday that a computer glitch had led to the mistakes.

Superintendent Jon White, in charge of human resources planning, said the computer became confused when no information appeared in a staff member's next-of-kin file. "It picked up other records and inserted them in their place." Mr White said the mistake was "most unfortunate and regrettable." "Fortunately, most of the staff see the amusing side."

Those affected by the glitch have simply been told to cross out the wrong information and send the corrected form back. Mr White said the problem highlighted the fact that many officers had let their personal information file become out of date. It was important to keep the next-of-kin information up to date. The census, covering sworn and non-sworn staff, aims to establish a databank of information about the police department. Christchurch, New Zealand

Mysteries of the Mind psychological SW advertisement

Rodney D. Van Meter < >
Wed, 29 Mar 1995 18:17:25 -0800

I received in the mail yesterday an advertisement for a CD ROM called "Mysteries of the Mind". It includes several (apparently) Eliza-like programs that provide you with psychological counseling. While it is referred to as edutainment software, the advertising makes some extraordinary claims. For example:

Exiting [sic] new technology gives you...advantage in...relationships and even sex!

No More:

* Hopelessness in your life
* Horrible sensation of Stress and Depression"

Thoughts of liability when somebody kills themself after an unproductive session with MotM cross my mind.

It refers later to the "loving, personal guidance of World's best psychological software". Now we get into the issues of falling in love with your computer (or robot) that is a popular topic in science fiction.

It may be entertaining to use, and perhaps be relaxing, both of which are good, but the thought of people with real problems relying on this rather than seeking professional human help ought to cause the authors to lose sleep at night.

Still, is it any worse than the multimillion-dollar self-help book business? Does this potentially represent a fundamentally different problem, or is it only a matter of degree?

Perhaps it is even a good thing (self-help books arguably are), but it's certainly not without a downside.


A Tale of Two Organs...

Matthew D. Healy < >
Mon, 03 Apr 1995 12:19:43 -0500

{The New York Times}, 3 Apr 1995, has an interesting article about two organ restorations in Paris.

In late 1992, a much-ballyhooed renovation of the organ at Notre-Dame in Paris was declared complete, to much publicity. About a year earlier, to much less fanfare another Paris organ (at St Sulphice and nearly as large) had been put into service after it was renovated.

The St Sulphice restoration was done in a very traditional manner; the president of the firm doing the job told the {Times} that if there was any difference in sound (except for fixing actual problems) after his work, then he'd failed. He saw his company's job as nothing more or less than making the organ work precisely as it had the day it was built. The only electrical part in the restored organ is the air pump. And everyone agrees that the company did a most competent job, exactly as planned.

Notre Dame is a very different story. They installed a new high-tech computer system that allows unheard-of flexibility:

Literally any combination of pipes can be programmed to operate with any key -- total freedom of registration, so a "stop" is just a subroutine

A performance can be recorded, then played back with microsecond accuracy at any later time

etc., etc. -- lots of bells and whistles (so to speak :-)

And it has been a disaster! Only after months of debugging has it reached the point of being able to get through a Sunday service without glitches.

Now there's talk of replacing the computer with a more conventional electronic control system -- one that does nothing more or less than did the old relays that had been used before the renovation. The pipes and valves are all working perfectly, so once they sort out the control system, they'll be in good shape.

The basic problem was a classic indeed: going directly to full-scale implementation of new and untested technology without first building a prototype! This should be familiar to all regular RISKS readers. Postdoc, Genetics & Medical Informatics

Japanese transcription (was Re: Patent searchers)

Rodney D. Van Meter < >
Wed, 29 Mar 1995 17:56:35 -0800

In risks 17.01, John Gray <> wrote, quoting from New Scientist:

entries in the EPO's international Inpadoc database for patent applicants called Robaato Uiraaton Furemingu, Uiriamu Bii Reisufuiirudo, Bii Oo Shii Guruupu and Kuringe Fuarama... Japanese tapes contain names which have been translated from Western originals into pictorial characters and back again by computer.
First, to correct a point: Japanese writing consists of three complementary character sets: the kanji borrowed from Chinese, hiragana, and katakana. Only the first is pictogram-derived, the other two are phonetic. Foreign loan words are always written using katakana. Thus, the statement above misrepresents the source of the problem.

In addition, the "corrected" name Laceford, from looking at the above, seems more likely to have been Lacefield (because of the double-i).

In Japanese (both written and spoken) there are a number of limitations that make it impossible to render every English word or name correctly (or even unambiguously): for example, 'th', 'w', and 'v' are essentially impossible to represent; the sound 'shi' is made to work for the English equivalents of 'si', 'shi' and 'thi'; 'v' and 'b', sometimes 'j' and 'z', and of course the infamous 'r' and 'l' cannot be distinguished.

This leads to an entire field of (sometimes amusing) problems well known among language students. One of my favorites from even before they filed Chapter 11 is that Thinking Machines rendered in katakana becomes (roughly) "shinkingu mashiinzu" -- which can then be reread in English as either "Thinking Machines" or "Sinking Machines".

Because of the ambiguities introduced, even if heuristics were developed for translating Japanese katakana words back into English (or other languages), they could never be 100% perfect. Seeing the katakana for the above Laceford(field?), it could be reread as Raceford or perhaps even Raysford. Even in relatively unambiguous cases, English variations in spelling (Jon or John?) and homonyms (bite or byte?) are troublesome without using context, where "context" may have to include _a priori_ knowledge of the correct spelling of individuals' names.

The problem is not one-way; seeing Japanese or Chinese words rendered in the Roman alphabet often leaves their corresponding Chinese characters ambiguous, and without the help of diacritics Chinese pronunciation cannot be fully represented in the Roman alphabet.

The problem extends to further levels that are related to the overall difficulties of searching and indexing free text as well as the difficulties of translation; I have seen the name of the religious sect likely to be charged with last week's Tokyo (toukyou, if you transliterate the Japanese pronunciation) subway attack written in English newspapers as variously Oom Shinri Kyo (roughly the Japanese pronunciation), Aum Shinri Kyo and Aum Supreme Truth.

And of course for Chinese there are several methods of romanizing names; is a search engine supposed to equate Qing and Ching? And how many automated indexing systems will correctly work with, for example, the name !Kung?

It goes up another ugly level when you begin to discuss translating articles originally written in Japanese about Chinese persons, places or historical events; the Japanese use the Chinese characters but their own pronunciation, while we use (roughly) the Chinese pronunciation but know nothing about the characters.

None of this is news to language students or developers or users of machine translation systems, and these fundamental problems are likely unsolvable, despite the progress of machine translation systems. But with the huge volumes of material to be translated, how can we do any better than living with what the best machine translators produce? For that matter, accurate human translation often requires the active participation of the original author.

The risks, besides the above problems of search and index? How about international banking and medical records never getting correctly reconciled, or worse, getting improperly reconciled? Are we going to have to go above the U.S. Social Security Number to an internationally valid identifier? Talk about Orwellian consequences...


OSHA Ergonomics draft

Wed, 29 Mar 95 17:52:53 -0800
[Anyone concerned with RSI and the like might be interested in this, available via the University of Utah starting at URL
and probably various other places. Jim H.]
Note from OSHA

These draft pre-proposal materials are intended to facilitate informed discussion as the Occupational Safety and Health Administration (OSHA) develops an Ergonomic Protection Standard. These materials are not being promulgated as a rule or standard. They do not constitute either a Notice of Proposed Rulemaking or a source of official OSHA guidance on ergonomics. Until such time that a final Ergonomic Protection Standard is adopted, OSHA will continue to rely on Section 5(a)(1) of the Occupational Safety and Health Act (the "General Duty Clause") for enforcement authority. Failure to adhere to any draft requirement or guideline in these materials is not a violation of the General Duty Clause; use of these materials to assist in ergonomic protection may indicate that workplace hazards are receiving adequate attention.

Software safety, new handbook, standards [Fwd from]

Wed, 29 Mar 95 17:58:52 -0800

From: (Archibald McKinlay)
Subject: Software safety, new handbook, standards
Date: Tue, 28 Mar 1995 12:47:28 -0600

Software Safety Engineering

New software safety handbook:
sponsored by the US military services, pending NASA, FAA and Coast Guard joining. Book is structured to be compatible with process oriented software development (ISO 12207, DOD-STD-498, IEEE 1498/EIA IS-640) in similarly oriented system engineering life cycle (EIA 632, IEEE 120) and usable for inspections and reviews (IEEE 1028, ISO 9000-3 and/or TickIT). Any acquisition, development and fielding life cycle, including re-use, can be configured/tailored from the "building block" approach. A list of "best practices" is envisioned as an appendix. Possible CD ROM version under investigation. A display will be given at the System Safety Society meeting in July in San Jose, CA, and at the American Society of Safety Engineers Technology 2000 in Orlando, FL, in June. A similar tutorial is hoped for at COMPASS in Gaitherberg, MD, in late June 95. An industry review period is expected beginning in Sept 1995.

IEC 1508 "Functional Safety: Safety related systems". Work began and otherwise known as IEC/SC65A working groups 9 & 10 now re-named IEC 1508. Standard will be released for review in mid 1995 in seven parts. Part 1 is general requirements, part 2 requirements for electrical/electronic/ programmable electronic systems, part 3 software requirements, part 4 definitions, part 5 guidelines on application of part 1, part 6 guidelines on application of parts 2 and 3, part 7 bibliography of techniques. This standard will apply to industrial and consumer goods. Extension standards for specific industries is encouraged, hence a medical device and software (databases?) standard has already been formed. Robotics, fire detection and suppression, elevators, off shore rigs, automobile and aircraft parts are expected to be effected.

UL 1998 (Underwriter's Laboratory) Standard for Safety-related Software "Standard is to be used in conjunction with current methods used to investigate hardware. The standard covers both software that directly controls safety-related functions and software that has the potential to pose a risk of injury to persons or loss of property. (quoted from UL cover letter)". This standard is appended to end product standards, which include: solid state controls for appliances, primary safety controls for gas and oil fired appliances, molded case circuit breakers and enclosures, industrial control equipment, temperature indicating and regulating equipment, burglar alarm communicator systems, and information technology equipment.

System Safety Society and commercial STD-882 The System Safety Society is working with a standards group to make available a commercial version of MIL-STD-882. This standard is in work and a rough draft has been produced for the committee use. There is currently no commercial equivalent that covers all aspects of a system safety program. This will be usable for safety V&V and audits. Software safety should be included. ---------------------------------------------

Andersen Law Suit Report [Fwd from]

Wed, 29 Mar 95 18:46:19 -0800

From: Bernard Robertson-Dunn <>
Subject: Andersen Law Suite Report
Date: 27 Mar 1995 09:33:02 GMT

The following report appeared today (Monday 27 March 1995) in the Australian Financial Review.

Andersen Charged

Andersen Consulting is charged with fraud, incompetence and neglect in a $US100 million lawsuit filed by UOP, a US-based engineering company. In its lawsuit, which also seeks unspecified punitive damages, UOP said Andersen Consulting bungled the development of computer systems it needed to help manage its business. The company's complaint alleges that after winning the contract, Andersen Consulting's "ineptitude and deception" caused late deliveries, "bilked millions" of dollars from UOP and wound up supplying a computer system that was largely unusable. Bloomberg
[Anyone know any more? brd]

Complexity (was RISKS of non-standard interfaces, Cook, RISKS-17.01)

Bob English < >
28 Mar 1995 19:50:26 GMT

: ... much of the problem we have with medical devices is the result of
: designers attempting to produce a device surface that _appears_ simple
: but actually hides a wealth of complexity...

The same comment applies to most of the "computer-" and "software-" related risks discussed in this forum. Computer and software risks are not fundamentally different from other types of risks. In all cases, the root cause of unexpected behavior lies in the complexity of the total system, not in the nature of its components. And when we build systems to perform complex functions, the systems we build are necessarily complex.

There are, of course, reasons to build complex systems. Consider the often attacked practice of using software in safety-critical systems, like airplanes. Aircraft companies compete with one another to build the most efficient planes, and as in so many cases, squeezing the last bit of efficiency out of a plane introduces a great deal of complexity into the design. In order to realize the gains, manufacturers have to find ways to allow the planes to be flown with a minimum amount of crew, so they turn to computers to help them manage the complexity, a step that increases (rather than decreases) the complexity of the plane.

The fact that something is complex and sometimes behaves unexpectedly does not mean that it's overall performance is not more beneficial than a less complex alternative. A more complex, more efficient plane, for example, may reduce the cost of air travel, allowing more people to choose air travel over other, riskier modes of transportation (it could be argued, for example, that air travel is currently too safe, because the close attention to safety raises the cost of short-haul flights and encourages people to drive instead). An infuser interface that hides complexity from the user may allow infusers to be used beneficially in more circumstances than they otherwise would, and those benefits may outweigh the costs of the cases where the infuser causes harm.

With sufficiently complex systems and sufficiently large stakes, however, it is very difficult to make reasonable judgements about the tradeoffs, and even if we make good judgements, we are unlikely to be comfortable depending on systems whose behavior we will never fully understand.


Re: More on German Train Problems (Weber-Wulff, RISKS-17.02)

3 Apr 1995 16:50:59 GMT

In RISKS-17.02, Debora Weber-Wulff indicates surprise at the use of a stack and "dynamic data structures in a safety-critical system", the Deutsche Bahn's new train control system. While my experience with real-time development is limited, and I have no experience whatsoever in safety-critical systems, I would not fault them for using a stack-based architecture. Dynamic data structures, whether stack or heap, are a reasonable means for managing limited memory resources, provided there is a means for storing critical data in permanent, recoverable structures in an atomic fashion.

Where I would fault them is for not being aware of the behavior and capacity requirements of their system under load and overload conditions. Were they unaware of the depth of their deepest routine call tree? Or, since this was apparently related to the number of trains being managed, was it a recursive algorithm run amok? A little more modeling and testing by a few paranoid personalities would be in order (my belief is that every project should have a "token pessimist" to combat the general Barney-like optimism that pervades most development work). Further, I would expect a railroad to have done significant capacity planning (how many trains on the tracks at different hours, etc.), which would be used as input into the design and test phases. It's not like they haven't seen rush hour and holiday loads before.

Running out of memory is a common risk in dynamic memory management. The naive programmer will simply assume that all allocations are successful (or that the system will deal with allocation failures in a benign and acceptable manner), and is generally unaware of this latent bug because he fails to test the system under sufficient load. The defensive programmer will assume that all allocations will fail, and structure the software to handle such a case. This is a critical decision that can totally alter the design of a program; it is not easy to retrofit defensive code into software that was not built with a defensive frame of mind. ---------------------------------------------

Is there a RISK in misremembering SF novels?

Peter da Silva <peter@Starbase.NeoSoft.COM >
3 Apr 1995 11:03:22 -0500

The Stars My Destination is an excellent book, and the descriptions of the methods people used to prevent folks jaunting into their houses are analogous to the current use of firewalls, but I don't recall this particular RISK being brought up in that book.

So far as my own poor memory recalls, the "Flash Crowd" idea is Niven's. It was first brought up in the short stories "Flash Crowd", "All the Bridges Rusting" and "The Last Days of the Permanent Floating Riot Club". Many of Niven's other transfer booths stories like "A Kind of Murder" are equally appropriate to the Internet.

[Martin Poole <> also noted TLDotPFRC. PGN]

re: Self-Censorship of NetPorn

Jerry Leichter <>
Sun, 2 Apr 95 12:02:11 EDT

Peter Wayner suggests that providers of Web pages (and presumably other on- line resources) follow in the footsteps of the movie industry and rate their own materials, so that viewers could be written to limit access by children.

It's a nice idea, but Mr. Wayner fails to understand how the movie rating system works. First of all, ratings are not, as in Wayner's suggestion, provide by the producers of movies. Rather, there is a central organization, composed mainly of non-industry people, who set the standards, preview each movie, and provide a rating. The rating is subject to negotiation, and producers can make suggested modifications to get a different rating if they like. The rating system has been the subject of significant debate between producers and the rating board. In particular, the "X" rating, originally meant to describe movies with "adult" themes - "Urban Cowboy" and "Blow Up" are probably significant early examples of mainstream X-rated movies - soon came to apply only to pornographic material, and in fact fell into complete disuse, except for self-ratings by those who made frankly pornographic material. The ratings board added a trademarked "NC-17" rating a few years back to have some way to rate non-pornographic but adult material, but it hasn't seen much use.

The second error is that the movie rating system is in meaningful sense "voluntary". The vast majority of movie theatres in the US, other than those specializing in pornographic material, will not show non-rated material. The reason the X rating fell into disuse was that they wouldn't show X-rated material either. NC-17 is in trouble because it is avoided by some of the larger chains, too. More recently, the largest video stores refuse to rent non-rated or X-rated (or perhaps NC-17-rated) material.

So ... the rating system is "voluntary", so long as you don't mind being shut out of the market.

As a result, I see little similarity between what Mr. Wayner proposes and the movie rating system as it actually exists, and little reason to use the success of one, such as it is, as evidence for the workability of the other.

More generally, I see little reason to believe that "netiquette" will be sufficient to restrain anyone interested in providing material to the net - as it has had little effect on flaming, inappropriate commercial postings, or many other net problems.

-- Jerry

Please report problems with the web pages to the maintainer