The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 22

Saturday 1 April 2006

Contents

Motorist trapped in traffic circle for 14 hours
Don Norman
Airbus A380 Evacuation Test
Peter B. Ladkin
Boeing B777 flight control anomalies
Peter B. Ladkin
Cartography dream realized
Don Norman
On the SAT errors
PGN
Re: More SAT errors
Richard Outerbridge
Steve Schafer
Man is charged $4,334.33 for four burgers
PGN
Offshore outsourcing cited in Florida data leak
Robert McMillan
City Manager Confuses Default Error Message for "hack"
Ashlee Vance
The Spider of Doom
Alex Papadimoulis via Joe Loughry
The 2005 Helios B737 Crash - A test for Don Norman's Thesis?
Peter B. Ladkin
Don Norman
Info on RISKS (comp.risks)

Motorist trapped in traffic circle for 14 hours

<"Don Norman" <norman@nngroup.com>>
Sat, 1 Apr 2006 00:36:53 -0800

April 1. Hampstead, MA.  Motorist Peter Newone said he felt as if a
nightmare had just ended. Newone, 53, was driving his newly purchased luxury
car when he entered the traffic circle in the city center around 9 AM
yesterday, Friday. The car was equipped with the latest safety features,
including a new feature called Lane Keeping.  "It just wouldn't let me get
out of the circle," said Newone. "I was in the inner-most lane, and every
time I tried to get out, the steering wheel refused to budge and a voice
kept saying over and over, 'warning, right lane is occupied.'  I was there
until 11 at night, when it finally let me out," Newone said from his
hospital bed, his voice still shaky. "I managed to get out of the circle and
to the side of the road, and then I don't remember what happened."

Police say they found Newone collapsed in his car, incoherent. He was taken
to the Memorial Hospital for observation and diagnosed with extreme shock
and dehydration. He was released early this morning.

A representative of the automobile company said that they could not explain
this behavior. "Our cars are very carefully tested," said Mr. Namron, "and
this feature has been most thoroughly vetted by our technicians. It is an
essential safety feature and it is designed so that it never exerts more
than 80% of the torque required, so the driver can always overrule the
system. We designed it that way as a safety precaution.  We grieve for
Mr. Newone, but we are asking our physicians to do their own evaluation of
his condition."

Police say they have never heard of a similar situation. Mr. Newone
evidently encountered a rare occurrence of continual traffic at that
location: there was a special ceremony in the local school system which kept
traffic high all day, and then there was an unusual combination of sports
events, a football game, and then a late concert, so traffic was unusually
heavy all day and evening.  Attempts to get statements from relevant
government officials were unsuccessful.  The National Transportation Safety
Board which is supposed to investigate all unusual automobile incidents says
that this is not officially an accident, so it does not fit into their
domain. Federal and state transportation officials were not available for
comment.


Airbus A380 Evacuation Test

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Sat, 01 Apr 2006 00:02:41 +0200

Airbus has successfully completed the evacuation test on the A380, as
reported in the news on 27 Mar 2006.  853 passengers were evacuated in less
than the required 90 seconds from half of the exit doors, at the expense of
minor injuries and one broken leg.

An Airbus spokesman said that the test had been successful: "In a group of
853 people, the chances that one person has a broken leg and doesn't yet know
it are substantial.  The test showed that everyone came out at least as
healthy as when they went in."

Peter B. Ladkin, Causalis Limited and  University of Bielefeld
www.causalis.com  www.rvs.uni-bielefeld.de


Boeing B777 flight control anomalies

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Sat, 01 Apr 2006 00:01:11 +0200

I reported in RISKS-24.03 ("Flight Control System Software Anomalies") on a
partial-loss-of-control incident with a Boeing 777 aircraft that resulted in
a US emergency Airworthiness Directive to replace the software in the air
data inertial reference unit (ADIRU) with an earlier version, while the
manufacturer, Honeywell, developed a fix for the software.

It seems as if that is not the only problem at Honeywell. The *North German
Herald-Advocate* reported on 28 Mar 2006 that the well-known Easter Egg
writer and charter member of the International Aerobatic Club, Jody
K. Beltramina, had retired from her position as Lead Avionics Software
Developer in order to "spend more time with her family".

Peter B. Ladkin,  Causalis Limited and University of Bielefeld
www.causalis.com  www.rvs.uni-bielefeld.de


Cartography dream realized

<"Don Norman" <norman@nngroup.com>>
Thu, 30 Mar 2006 01:56:27 -0800

Cambridge, UK. An old dream of cartographers has finally been realized
through flat-panel displays and small, portable computational devices. For
centuries, cartographers have dreamed of full-scale maps, that is, a map
with a scale of 1:1, so that 1 Km. of the map would represent 1 Km. of the
world. Implementation difficulties made such a map impractical. But now,
scientists at Cambridge University have been able to display the full-scale
map on a flat-panel screen, scrolling the map as necessary to cover the
territory.

The new technique has already revealed important results: errors in the
existing geographical databases. These errors were revealed when geographers
in Cambridge compared the full scale map with the terrain and discovered
that they didn't fit precisely: Several structures, including a college
building and several roads were determined to be in the incorrect
location. "Rather interesting," said Lewis Carroll, spokesperson for the
university, "several college buildings are quite off their correct
location." Unfortunately, initial estimates for moving the buildings and
roads to correct these discrepancies are too expensive, so, as Carroll puts
it, "we will have to put up with these problems, but we will annotate the
map to show where these placement errors occur."

An unexpected positive finding is that the map serves both types of
map-users well: those who like to orient the maps so that North is always
up, regardless of their direction of travel, and those who like to orient
the map so that it corresponds to the positions of objects in the
world. Now, either type of map user can be accommodated, something which was
not possible when full-scale maps were implemented only on paper.

When asked what new developments might be expected from the college,
Mr. Carroll stated that they were working on full-scale biographies,
providing a much more realistic depiction of a person's life. This would
allow a biography, for example, to take place in the same time-scale as the
person's life, increasing the realism dramatically. Full scale renditions of
other phenomena are in the works, but Carroll said that confidentiality
restrictions prevented discussion until they were fully realized.


On the SAT errors (Epstein, RISKS-24.21)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sat, 1 Apr 2006 00:00:00 PST

The SAT service is reportedly contemplating the development of paperless
Internet-accessible laptop-based SAT software that will in essence be like
DRE voting machines, presumably with no audit trails and no ability to do
rescoring apart from asking the SAT-taker to resubmit the answers!  All
students will most likely be required to use their own laptops or
school-supplied systems, typically over unencrypted wireless and local
networks.  RISKS readers might also suspect that the SAT exam will be
implemented as an unsigned ActiveX applet, and thus work only in IE.
Perhaps other constraints as well will make students with Macs ineligible
for college admission.  This would be most unSATisfying. We hope the system
will be more carefully designed and implemented, to level the playing field
and to avoid numerous opportunities for cheating, collusion, and even
malicious alterations of other students' exams.  However, on the whole this
item sounds too much like an April Fools' piece.


Re: More SAT errors (Epstein, RISKS-24.21)

<Richard Outerbridge <outer@sympatico.ca>>
Fri, 24 Mar 2006 20:58:23 -0500

OK, if these are the false NEGATIVES (scores less than deserved), how many
false POSITIVES were there (scores more than deserved)?

And how many admission decisions were thereupon based?

  [In reality, a bunch of overly high scores were reported, but those were
  apparently left unchanged.  PGN]


Re: More SAT errors (Epstein, RISKS-24.21)

<Steve Schafer <steve@fenestra.com>>
Fri, 24 Mar 2006 00:10:00 -0500

I'm puzzled by the explanation put forth by Pearson regarding the cause of
the October SAT mis-scoring (namely, humidity-induced dimensional changes in
the test forms themselves). Everyone in the scanning business knows that the
size of a piece of paper can vary substantially with the weather; that's why
scannable test forms (e.g., Scantron) always include a number of
registration marks around the edges of the page.

Could it be that the SAT forms don't contain a sufficient quantity and/or
distribution of registration landmarks, or is the real problem somewhere
else?


Man is charged $4,334.33 for four burgers

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 28 Mar 2006 16:24:28 PST

Do you believe in sanity clauses!  Bounds checks?

An AP item datelined Palmdale, California notes that George Beane was
charged $4,334.33 for four burgers at Burger King.  To make a long story
short, the cashier entered $4.33 and then forgetfully reentered the same
amount again, resulting in a debit-card charge that instantly was paid out
of his Bank of America account, wiping out their balance.  After this was
discovered, the bank insisted the funds were on a three-day hold and the
debit could not be reversed.  "For those three days, those were the most
expensive value burgers in history," Pat Beane said.

http://hosted.ap.org/dynamic/stories/C/COSTLY_BURGERS?SITE=CAVAN&SECTION=HOME&TEMPLATE=DEFAULT


Offshore outsourcing cited in Florida data leak (Robert McMillan)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 27 Mar 2006 9:49:27 PST

Florida state employees who worked for the state during the 1.5 years
beginning 1 Jan 2003 are being told that their personal information from the
state's People First payroll and human resources system may have been
improperly transferred offshore by a subcontractor working for outsourcing
service provider Convergys Corp.  [Source: US laws may not help prevent PII
disclosure, Robert McMillan, *ComputerWorld*; PGN-ed]
http://www.computerworld.com/securitytopics/security/story/0,10801,109938,00.html


City Manager Confuses Default Error Message for "hack"

<Lizard <lizard@mrlizard.com>>
Mar 27, 2006 10:28 AM

http://www.theregister.co.uk/2006/03/24/tuttle_centos/

An Oklahoma town threatened to call in the FBI because its website was
hacked by Linux maker CentOS.  However, it turns out CentOS didn't hack
Tuttle's web site.  The city's hosting provider had simply botched a web
server.  [Source: Oklahoma city threatens to call FBI over 'renegade' Linux
maker: Our mistake is YOUR problem, Ashlee Vance, *The Register*, 24 Mar
2006; PGN-ed, from item on John McMullen's list, John F. McMullen,
johnmac@acm.org johnmac@computer.org http://johnmacrants.blogspot.com/
Lizard's blog: http:\\www.xanga.com\lizard_sf]


The Spider of Doom (Alex Papadimoulis)

<"Loughry, Joe" <joe.loughry@lmco.com>>
Wed, 29 Mar 2006 11:35:38 -0700

The Daily WTF: Curious Perversions in Information Technology,
Alex Papadimoulis, 28 Mar 2006
http://www.thedailywtf.com/

Josh Breckman worked for a company that landed a contract to develop a
content management system for a fairly large government website. Much of the
project involved developing a content management system so that employees
would be able to build and maintain the ever-changing content for their
site.

Because they already had an existing website with a lot of content, the
customer wanted to take the opportunity to reorganize and upload all the
content into the new site before it went live. As you might imagine, this
was a fairly time consuming process. But after a few months, they had
finally put all the content into the system and opened it up to the
Internet.

Things went pretty well for a few days after going live. But, on day six,
things went not-so-well: all of the content on the website had completely
vanished and all pages led to the default "please enter content" page.
Whoops.

Josh was called in to investigate and noticed that one particularly
troublesome external IP had gone in and deleted *all* of the content on the
system. The IP didn't belong to some overseas hacker bent on destroying
helpful government information. It resolved to googlebot.com, Google's very
own web crawling spider. Whoops.

After quite a bit of research (and scrambling around to find a non-corrupt
backup), Josh found the problem. A user copied and pasted some content from
one page to another, including an "edit" hyperlink to edit the content on
the page. Normally, this wouldn't be an issue, since an outside user would
need to enter a name and password. But, the CMS authentication subsystem
didn't take into account the sophisticated hacking techniques of Google's
spider. Whoops.

As it turns out, Google's spider doesn't use cookies, which means that it
can easily bypass a check for the "isLoggedOn" cookie to be "false". It also
doesn't pay attention to Javascript, which would normally prompt and
redirect users who are not logged on. It does, however, follow every
hyperlink on every page it finds, including those with "Delete Page" in the
title. Whoops.

After all was said and done, Josh was able to restore a fairly older version
of the site from backups. He brought up the root cause -- that security
could be beaten by disabling cookies and javascript -- but management didn't
quite see what was wrong with that. Instead, they told the client to NEVER
copy paste content from other pages.
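The root cause in the story, a client-asserted "isLoggedOn" cookie guarding a crawlable GET link, rebuilt beside a deny-by-default version as an added example; this is not code from the story or from the CMS it describes, and the page store, session store, handler names and the crawler model are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed sample content store: each page carries a "Delete Page" link.
PAGES = {"home": "Welcome", "about": "About us"}

# Constructed server-side session store: session id -> {"user", "csrf"}.
SESSIONS = {}


def parse_cookies(header):
    """Parse a Cookie header value into a dict; an empty header yields {}."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {k: v.value for k, v in jar.items()}


def is_logged_on_vulnerable(cookie_header):
    """The flawed check from the story: only a cookie literally set to
    "false" blocks the request. A client that sends no cookies at all, such
    as a crawler, passes because a missing cookie is not "false"."""
    return parse_cookies(cookie_header).get("isLoggedOn") != "false"


def vulnerable_delete(method, page, cookie_header, form, pages):
    """Delete handler as the story's CMS behaved: any HTTP method is accepted
    (so a plain hyperlink triggers it), and the logged-on check trusts the
    client. The JavaScript redirect for logged-out users is irrelevant here,
    since the crawler never runs it. Returns an HTTP-style status code."""
    if not is_logged_on_vulnerable(cookie_header):
        return 403
    pages.pop(page, None)
    return 200


def login(user):
    """Create a server-side session and return its id for the sid cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def hardened_delete(method, page, cookie_header, form, pages):
    """Deny by default: a state-changing action requires POST (links cannot
    trigger it), a session looked up server-side by id (never a flag the
    client asserts), and a CSRF token bound to that session."""
    if method != "POST":
        return 405
    session = SESSIONS.get(parse_cookies(cookie_header).get("sid"))
    if session is None:
        return 401
    if not secrets.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403
    if page not in pages:
        return 404
    del pages[page]
    return 200


def simulate_crawler(delete_fn, pages):
    """Model the spider in the story: it follows every link it finds with a
    plain GET, sends no cookies and runs no JavaScript. Returns the number
    of pages that survive the crawl."""
    for page in list(pages):
        delete_fn("GET", page, "", {}, pages)
    return len(pages)


if __name__ == "__main__":
    site = dict(PAGES)
    print("vulnerable CMS pages left after crawl:",
          simulate_crawler(vulnerable_delete, site))   # 0
    site = dict(PAGES)
    print("hardened CMS pages left after crawl:",
          simulate_crawler(hardened_delete, site))     # 2
```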


The 2005 Helios B737 Crash - A test for Don Norman's Thesis?

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Wed, 29 Mar 2006 10:53:48 +0200

PGN asked me some time ago (Oct 2005) about the Helios B737 aircraft
accident in Aug 2005. I felt then that not enough was known, but that it
likely had no connection with computers and little with digital
automation. It is now pretty much known what happened, and certain features
relate to the recent contribution by Don Norman in Risks 24.17. Don said

  "why not design things so that it [sic] can tolerate the well-known forms
  of human error?  ... I have tried to deliver this message many times
  before. I predict that I will have to give it many times again."

and PGN suggested

  "The RISKS archives themselves suggest that Don will have to continue
  this long-time consistent thread."

I think this accident provides a boundary case. An issue was raised in Nov
2005 about a possible crew confusion over the meaning of a warning tone. The
same tone was used for an on-ground warning as well as an in-air warning,
with different meanings. However, it is not at all clear that a different
tone for each warning would have helped this crew. There are reported to be
many other cases in which crews reacted appropriately, so this occurrence
has precedents, all with a different outcome. The relevant question is:
would one, as an engineer fully cognisant of Don's thesis, have designed
these warnings differently? I incline towards the answer: no, this accident
is an outlier. Others incline towards the answer yes. On with the story.

On 14 Aug 2005, a Helios Airways Boeing 737-300 on flight ZU 522 from
Larnaca, Cyprus to Athens ran out of fuel and collided with terrain at
Grammaticos, near Athens. The flight was scheduled to take about 1hr 20
minutes, and the aircraft had been airborne for nearly three hours.

The aircraft had been intercepted by Greek Air Force F-16s after being
alerted by ATC.  The interceptor pilots noted the copilot unconscious in his
seat, and two other people on the flight deck, but not the captain. The
cabin oxygen masks were deployed, but the copilot did not have his mask on
(Flight International, 23-29 Aug 2005, p4, report by David Learmount).

The aircraft had been serviced before the flight; engineers carried out an
on-ground pressurisation of the aircraft to see if the rear service door was
leaking, because of a report that it was "noisy" on a previous flight. This
check required the use, in manual mode, of the pressurisation control
panel. The engineers opened the pressure relief valves after the successful
check, to depressurise the aircraft. (Flight International, 13-19 Sep 2005,
p15, report by David Learmount).

Normal flight crew pre-take-off procedures would have them select cabin
altitude to 8,000 ft and the pressurisation switch to automatic (ibid. 13-19
Sep 2005).

The cabin altitude (CA) warning horn activated as the aircraft passed
through 14,000 ft out of Larnaca in climb to its cruising altitude of 34,000
ft, and it was not canceled for the rest of the flight. The captain called
the Helios engineering department on the company frequency.  Another alert
had sounded just after the CA warning had activated, warning that the
avionics bay cooling fans were not operating. Helios's engineering
department said that the captain's request was unclear. They asked him
whether the pressurisation panel had been reset to automatic from manual. He
responded by asking where the circuit breaker was for the avionics bay
fans. Engineering told him it was behind his seat. That was the last
communication of any sort from the aircraft. There is no recording of this
conversation; the report comes from the former Helios chief engineer.
(ibid., 13-19 Sep 2005).

The aircraft manufacturer Boeing issued a "multi-operator message" to B737
users in Sep 2005 to remind them that both the CA warning and takeoff
configuration warning horn are the same sound; that the takeoff
configuration warning can sound only when the aircraft's weight is on the
wheels; and that if the same alert sounds in flight, it is the CA warning.

The chief investigator told David Learmount at a safety seminar in Moscow in
Nov 2005 that the pressurisation was set to manual, so that the aircraft did
not pressurise as it climbed, and the crew failed to notice this in
pre-take-off checks; the crew thought the CA warning was an erroneous
takeoff configuration warning, and their "subsequent mindset and actions
were determined by this preconception until hypoxia overcame them as the
aircraft continued to climb." (Flight International, 15-21 Nov 2005, p9,
report by David Learmount).

I used to climb up mountains, and have been at altitude without oxygen in
small aircraft.  The symptoms and dangers of hypoxia should be known to
practitioners of both activities.  Indeed, I get hypoxic when doing interval
training on my sport bicycle mounted on the home trainer. It is insidious,
in that gradually reducing ability to concentrate is accompanied by lowered
self-awareness and feelings of well-being - before, if it goes too far, one
loses consciousness. But I had thought that any reasonably aware and
well-trained pilot would know how to recognise the symptoms before it got to
that stage. When I flew high, I used to write my signature regularly on my
kneeboard, the idea being that when it got hard, or the signature too
straggly, it was time for an immediate descent. I found that this view did
not resonate with many pilot colleagues. I talked about it in Oct 2005 to a
colleague who is a senior aviation accident investigator and human factors
specialist at one of the most respected accident investigation
organisations. He pointed out that in the situations in which I had
experienced hypoxia, I could have expected it and therefore was particularly
attuned to the symptoms. Also that I seemed to have had known and varied
experience with it and through this experience was likely more cognisant of
the symptoms as they start to occur.  He suggested that one could not
necessarily expect a flight crew with no altitude-chamber or other
experience to recognise hypoxia and get their masks on before passing
out. So it seems that my puzzlement over why the crew had not recognised
their hypoxia was misplaced.

It remains, though, that the CA warning sounded as it should, and the flight
crew did not react appropriately. Why not?

There have been "many other cases of a Boeing 737 aircraft climbing without
pressurisation set, but the crews recognised the alerts and averted crew
hypoxia and resultant disaster" (ibid., 15-21 Nov 2005).

A report in a German newspaper said that Greek television on 19 Sep 2005 had
reported that the coroner had said that the captain had 45% blockage of the
coronary arteries and the co-pilot had 90% blockage of the coronary arteries
(*Die Welt*, 20 Sep 2005).  That would render them particularly susceptible
to quick onset of hypoxia and resulting unconsciousness.

Fact remains that, under the influence of hypoxia, the crew appeared to be
confused over the meaning of the CA alert.

On the one hand, the warning is identical to that of the takeoff
configuration warning. On the other hand, these are professional pilots who
are required to know the meaning of the alerts that activate in their
aircraft. This alert is unambiguous: on the ground, it is the takeoff
configuration warning. In the air, it is the CA. And "many" other crews have
experienced the same sequence of warnings and reacted appropriately.

There were apparently serious communication problems within the crew and
between crew and their engineering departments. Both the German captain and
the Cypriot co-pilot had trouble with English (the engineers were British
and had trouble communicating with them about the problems); but that was
also the only language which they had in common.

The chief investigator, Capt. Akrivos Tsolakis, addressed the European
Aviation Safety Seminar in Athens in March 2005, and said that "latent
errors have lain there for years waiting for the pilot to pull the
trigger". He said that all the parties involved contributed to the systemic
latent faults that led to the accident. He did not specify the faults or the
responsibilities. The draft report has been prepared; involved parties have
60 days to comment and the final report is likely to be ready for
publication in June or July 2006 (Flight International, 21-27 March 2006,
report by David Learmount).

It seems as if we will read a Reason-type "Swiss Cheese" explanation of the
accident; the vocabulary stems from e.g., his influential book Human Error
(Cambridge U.P., 1990).

One might speculate that, had the CA warning had a unique sound, the crew
could have recognised it for what it is, rather than confusing it with
another alert. If this speculation were to be correct, the Counterfactual
Test would lead us to conclude that the CA warning/takeoff configuration
warning doublet was a causal factor in the accident.  On the other hand, the
crew did not seem to know what it meant in any case; their engineering
department did know, but engineering's attempts to alert them directly to
possible pressurisation problems failed. A different sound does not help any
if one doesn't know what it means and cannot follow the appropriate advice
of those who do.

I doubt whether the final report will be able to give us much guidance on
which of these positions it is more reasonable to accept.

Peter B. Ladkin, Causalis Limited and University of Bielefeld
www.causalis.com  www.rvs.uni-bielefeld.de


The 2005 Helios B737 Crash - A test for Don Norman's Thesis?

<"Don Norman" <don@jnd.org>>
Wed, 29 Mar 2006 05:03:42 -0800

Peter Ladkin properly points out that the Helios 737 accident in 2005 is
complex, and so it can be attributed to multiple causes. But I happen to be
a fan both of Swiss Cheese and of Jim Reason: Reason and I have worked on
error theory together.

I agree that the circumstances described -- crew hypoxia -- make it
impossible to know how much the modal characteristic of the warning signal
contributed to the accident. Nonetheless, I contend that modes in general
are a bad idea and are well-known sources of difficulty, whether they be in
computers, industrial controls, or as in this case, the meaning of a
particular warning signal. When something is modal, then its interpretation
depends upon the system state, which adds to the mental workload and has
been a known source of difficulty in many situations.  With the case of a
crew with diminished mental capacities (because of hypoxia), I suspect that
the extra workload required to interpret the modal warning signal increases
the likelihood of a misinterpretation.  Of course, in this particular case,
the crew may already have been so impaired that nothing would have helped.

We will never know. Errors by highly trained pilots are rare, and so
difficult to study.  Ladkin points out that other crews have properly
interpreted the signal. But those crews were not suffering from hypoxia to a
similar extent (although we don't really know for sure).  And in any event,
with low-probability events, a few successes do not mean that the system
is trustworthy. (I suspect we are in agreement on this point.)

But why take the chance? There is no harm in ensuring that all
safety-critical warning signals be unique and distinct (that is, modeless).
There may be no benefit either, but any cost analysis comes out in favor of
eliminating modes: Minimal cost to do so, possible huge loss if one does
not.

But thanks to Peter Ladkin for once again providing us with a detailed
analysis of the many factors that go into accidents in commercial
aviation. Aviation today is so safe that we have few accidents to
investigate, and each of these is always complex, filled with mitigating and
possibly causal sequences.  Any simple interpretation of such an accident is
bound to be wrong.

Don Norman, Nielsen Norman Group and Northwestern University http://www.jnd.org
