The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 2 Issue 32

Thursday, 20 Mar 1986


o Om/Comm-ission, and analysis of risks
Niall Mansfield
o RSO's and IIP's
Dave Curry
o Complex systems ru(i|n)ning our cities
Mike Mc Namara
o Re: Two more mailer problems
Bernard S. Greenberg
o Banknotes for the visually handicapped
Nigel Roberts
Barbara E. Rice
o Psychological and sociological consequences
Harald Baerenreiter
o Info on RISKS (comp.risks)

Om/Comm-ission, and analysis of risks

Niall Mansfield
Thu, 20 Mar 86 12:30:42 n
It is often difficult to decide whether an action carried out really is a
fault of omission or commission. As is so often said, many program failures
are due to not considering a possible set of circumstances, which when it
occurs causes the program to act improperly. In such cases, the damage is
certainly an act of commission, but the real failure is the omission to
predict the failure. I think that any attempt to distinguish formally
between om/comm-ission is likely to lead to sophistic arguments distracting
attention from the real cause of the problem.

Another unproductive approach seems to be suggested by something PGN said in

  > A fine example of the risks having to include people, not just
  > computers, and of a more pervasive role of the computer than meets
  > the eye -- indeed a more human-oriented computer system might have
  > helped!  Thus, even though it appears NOT to be a computer problem,
  > we discover that the computer could have done better!

There are very few cases where a system which has failed could NOT have done
better, so saying it doesn't advance our understanding. It seems that
because RISKS is about computer risks, then we will do our best to find a
computer cause for every failure. (Remember the immediate speculation after
the Shuttle disaster about how a computer could be shown to be responsible).

Surely RISKS should concentrate on failures that occur because of computer
involvement but which would not have occurred with a human-only system,
because systems are always going to fail. As pointed out in
RISKS-2.21, there are risks involved in not using computers, where such use
can lead to saving lives: if a system is doing superb work 99% of the time,
it is fruitless to pick on the 1% failure, and jump on the bandwagon saying
"Ohhhhhh, the computer's run amok, isn't it terrible". We must keep risks
and benefits in perspective. As PGN finished off:

  > But, of course, don't blame the computer system.
  > Blame the people who specified, designed, and
  > implemented it -- not JUST the train operator(s).

This is the heart of the matter - we are looking at the risks (presumably)
so that we humans, the makers of systems, can avoid the same mistakes, not
just for the malicious pleasure of beating the drum about somebody else's

(So maybe I don't disagree with PGN after all).

RSO's and IIP's

Dave Curry <>
Thu, 20 Mar 86 07:44:56 EST
One thing keeps nagging at me after reading your explanation of RSOs and
IIPs.  I suspect it's more from my lack of knowledge about trajectories and
launching things and such than anything else.  Anyway, here goes...

You said several times that if the IIP ever crosses the "safety lines" then
the missile should be destroyed.  What I'm confused about is this:  does
this mean that under "normal" circumstances the IIP never crosses these
lines, or do you mean the missile should be destroyed only if something is
"wrong"?  It seems to me (again I know very little about launching things
and such) that if the IIP can never go "that way" then you are limited in
the directions you can send a rocket (come to think of it I guess I've never
heard of a launch going "back" over the U.S. to get somewhere...).

Also, where does the consideration of the IIP stop?  Something sticks in the
back of my mind that the shuttle flies over land masses (isn't there
someplace in Rota, Spain where they can abort?).  If it does, does this mean
the IIP itself never touches the land masses, or does the IIP become less
important after the missile reaches a certain speed/altitude/trajectory?

--Dave Curry

Complex systems ru(i|n)ning our cities

Mike Mc Namara at ESL Sunnyvale Ca <lll-lcc!tflop!mac@lll-crg.ARPA>
Wed, 19 Mar 86 19:07:42 pst
    In pursuit of new directions for the RISKS forum, and in response to
a recent article in the New Yorker Magazine, I bring up the subject of the
risks inherent in the complex systems in which we live.  We've probably all
heard talk about how few hours New York City could survive without power/
water/subway/ etc, but perhaps it is worth discussing in this forum.

    The article in the NYM is written from the perspective of a resident
of a self-sufficient rent controlled apartment in the Village, who feeling
quite smug about his castle, suddenly notices all the holes in the wall.
There is the hole letting in electricity, the one for natural gas; there are
lines for taking out the sewage, and lines bringing in fresh water.

    This writer wonders where these lines lead.  He then takes us along
in his search to James Bay in Canada, where New York gets some of its
electricity from hydroelectric plants.  He takes us to Arizona, where some
of the uranium for the Indian Point reactors is mined.  He takes us to
Brazil, where Con Ed gets the low quality diesel oil to burn to make

    Similarly, he takes us upstate to the many reservoirs which supply
New York with its world famous water.  He follows the gas mains to Louisiana.

    And so on.

    I offer to the RISKS readers the question: how intelligently are we
managing the risks assumed by the creation of our complex cities?  We build
systems so that millions of people can live in areas that are really
deserts.  What risks exist because of the creation of an L.A. that relies
on 500 mile aqueducts to supply life-critical water?  Who is in charge of
ensuring adequate safeguards?  Budget-conscious, 2 year term politicians,
or lifetime members of water boards?  The ramifications of any single
failure of a utility system can probably be maintained via such a board that
takes the long view and has the capital to implement long term strategies.

    But what about the interdependencies of utilities?  What would a
water shortage do to a nuclear power plant, that perhaps required cooling
water that simply wasn't available?  What would a collapse of the telephone
system do to a natural gas distribution system that used remote pressure
regulators that were controlled via telephone links?

    What organizations exist to worry about such things, so I rest assured
that there is no problem, and get some sleep at night?

    What inter-system crashes are the readers aware of, that they might
share with this list?

Re: Two more mailer problems

Bernard S. Greenberg <BSG@SCRC-STONY-BROOK.ARPA>
Thu, 20 Mar 86 11:15 EST
    Date: Wed 19 Mar 86 17:54:33-PST
    From: RISKS FORUM    (Peter G. Neumann, Coordinator) <RISKS@SRI-CSL.ARPA>

    Date: Wed 19 Mar 86 16:34:28-EST
    From: "Sidney Markowitz" <SIDNEY%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU>
    Subject: Two more mailer problems
    To: risks@SRI-CSL.ARPA

    1) I did not personally see this, but I was told that Symbolics briefly
    introduced a new feature in their mail program with the current release of
    the operating system. It was a new header line that a sender could use to
    include graphics as part of the mail message.  This was implemented by
    having the header line include a lisp expression that would be evaluated
    (executed) when the receiving mailer loaded the message for display.
    Somebody pointed out the other possible ways in which an arbitrary piece of
    executed code in a mail message could be used, and that feature was dropped
    very quickly.

This is utterly and wholly false.  No one here would be so naive.

Bernard S. Greenberg, Symbolics, Inc., Cambridge, Mass.

Banknotes for the visually handicapped (RISKS-2.31)

Nigel Roberts
Thursday, 20 Mar 1986 01:59:05-PST
The Netherlands uses a similar system of raised impressions.  High
denominations are distinguished by different symbols (e.g.  the H.Fl 50 note
has a raised triangle, while lower notes such as the 10 and 25 have dots).
I'm afraid I don't know what the new H.Fl 1000 notes have --- I don't see
them very often :-). Britain, on the other hand, simply uses different sizes
of paper for different denominations, as does West Germany.

Nigel Roberts, Reading, England
       [Different sizes of paper don't help the visually handicapped
        discriminate copy-machine products from originals....  PGN]

Banknotes for the visually handicapped

Barbara E. Rice <rice@nrl-csr>
Thu, 20 Mar 86 10:51:27 est
     With all the talk about fooling the visually impaired by altering
raised marks on bills or the magnetic ink, has anyone considered how small a
population they are dealing with?  My uncorrected vision went beyond legally
blind twenty years ago and has continued to go downhill since then.
Without my glasses I cannot see the eye chart, much less any letters on it
(with my glasses I can just scrape by a driver's eye exam).  So I conducted a
test here: with my glasses off I was able to distinguish between a five and a
one dollar bill at 6 feet (much further than arm's length).

   So the population that could be fooled by such means I would say is
relatively small, too small for it to be worth anyone's time and effort to steal
from them.  It would also be risky. Most people remember where it is that
they get money from and where they have bought things. Anything larger than
a $20 I definitely know where I got it. The error would be picked up by any
sighted person dealing with the blind person, not just an expert in
counterfeit detection; thus the altered bill would be rapidly discovered.  So
a person using this scheme would have to be constantly on the move and not
collecting very much for his efforts.  For most large purchases people use
credit cards or cashier's checks.  Purse snatching or mugging would yield a
better risk and effort vs. profit ratio.

     The point I hope I made is that thinking of methods to get around
marking intended to help the blind is an interesting mental exercise, but
none of the methods thought up is a reason for not putting aids to the blind
on currency.  (Really, a blind customs agent? How many are there and how
would you guarantee you got him? With my luck he would call in sick that
morning and then I would really be in trouble.)  A better reason for not
using such aids is the small number of people who would benefit by it, but
then you should consider the number of would-be counterfeiters it might
frustrate into trying other means of getting rich quick.  That would be a
good systems trade-off problem.

   [Come on, now.  You think the example of the blind customs agent was
    serious?  I was trying to give you an example where reducing the value
    constituted a risk.  The problem is one of vulnerabilities.   Pacemakers
    and automobile microprocessors are fine.  But there are some very
    serious risks that must not remain unconsidered.  Of course there are
    advantages to currency interpreters.  But are they designed so poorly
    that they accept blank pieces of paper with funny symbols embossed on
    them?  Do they introduce new risks that never existed before?  PGN]

Psychological and sociological consequences

Harald Baerenreiter
Thu, 20 Mar 86 11:27:54 cet
We are preparing a study about the psychological and sociological consequences
of young people having intensive contact with (home) computers.  So we are
looking for empirical studies (from a wide range of sources) dealing with that subject.

In particular, we are searching for articles about
  - different methodological approaches (e.g. analytical, ethnological,
    qualitative and quantitative aspects ...)
  - empirical designs and ideas
  - results.
If you have any information (or know anyone who has) please help us.

Contact HARALD BAERENREITER, Fernuniversitaet, Arbeitsbereich Allgemeine
Soziologie, Postfach 940, D-5800 Hagen, F.R.G., or NETMAIL to FROM: field.
Thank you for being so helpful.    Harald.
