The RISKS Digest
Volume 25 Issue 82

Tuesday, 20th October 2009

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Toyota uncontrolled acceleration
David Lesher
Another Therac-25 rerun
Jeremy Epstein
Custom license plate lands man a database full of fines
Rob McCool
Risks of namespace conflicts among city names
Cody Boisclair
More on hospital error leads to radiation overdoses
Gene Spafford
Internet Pioneers Speak Out on Net Neutrality
Lauren Weinstein
Accessing your legacy
Peter Bernard Ladkin
Re: A Time Machine time bomb
Alan J Rosenthal
Re: Microsoft's Danger Data Service
David Lesher
John Murrell via John F. McMullen
Inexcusable Complexity, Re: The risks of being cute
Ed Lowry
Re: The risks of being cute
Curt Sampson
Re: System diversity helps in power control system
Ian Botham
Rethinking What Leads the Way: Science, or New Technology?
John Markoff on W. Brian Arthur
via PGN
Computers, Freedom and Privacy 2010 Conference: Call for Proposals

Info on RISKS (comp.risks)

Toyota uncontrolled acceleration

"David Lesher" <>
Mon, 19 Oct 2009 17:10:15 -0400 (EDT)

There have been several recent cases where Toyotas have suddenly accelerated
out of control.

The most notable had a passenger who called 911 and reported her spouse, a
Calf. Highway Patrol officer who taught driving safety, was unable to stop
their car. They crashed with all on board killed.

Toyota has recalled several million cars to replace a floor mat that may jam
the accelerator.

But the crash raises the question: why couldn't an experienced officer stop
a runaway car?

a) It was a loaner from the dealer.
b) It was equipped with a keyless RFID ignition lock. To force such off, you
   must *hold* the Start button down for 3+ seconds; touching it is
c) The transmission was some mix of manual and automatic, with a series of
   gates to keep you from mis-shifting. Apparently there is no clutch petal.
d) There were passerby reports the car brakes were on fire as it went by.

I see two big risks here. The first is changing longstanding,
well-understood, user interfaces without considering the uninitiated
driver. While Windows may have taught some of us that of course we use the
Start button to stop; it's not clear such learning transfers to driving.
And when you hide a vital safety function behind a time delay....

The second is more alarming. I thought that there was a {?unwritten}
requirement that no US road-legal car could even overpower its own brakes;
i.e., given full throttle and full brakes; the car stops, period. (This may
not be the case for a dedicated race car...)

Is this no longer true?  Are there production cars where the brakes can't
stop a runaway? (That does not say you couldn't fade the brakes into
worthlessness, but we can assume the driver knew that.)

There are obvious add-ons that could reduce the possibility of a recurrence
[Tie brake activation to a throttle cutoff, add a real STOP button to the
dash, etc.] but those add complexity or direct costs...and may provoke new

While Toyota's head is now on the chopping block; they won't be the last.

Another Therac-25 rerun (Re: Lesher, RISKS-25.81)

Jeremy Epstein <>
Sun, 18 Oct 2009 09:00:52 -0400

David Lesher noted a recent Cedars-Sinai Therac-25-like failure.

*WiReD* is reporting another one at an unnamed Cleveland hospital, where
medical staff noticed that the patient was out of position and hit the
emergency stop button, but the machine didn't correctly put the shielding in
place or move the patient out of the machine.  The problem was a "known bug"
which had been deferred to a future release.  Just to be clear, unlike the
Therac incident, there was no significant excess radiation involved, and it
does not appear that anyone was harmed.

No word on whether the bug was in the application software designed for the
instrument, or something inherent in the system (e.g., a buggy operating

Still, the RISKS of software-controlled medical instruments are pretty
clear, and are likely to increase as high tech equipment becomes more

Custom license plate lands man a database full of fines

Rob McCool <>
Fri, 16 Oct 2009 22:54:23 -0700 (PDT)

An Alabama man ordered a license plate with seven occurrences of the letter
X, to pay homage to Racer X, a favorite character of his. He is now getting
as many as 10 tickets a day because the city's traffic enforcement division
uses this as a placeholder in their database for cars with no license
plates. Yet another instance of an information system failing to account for
the unexpected, people working around that limitation, and an edge case
arriving some time later to cause trouble.

  [Apparently $19,000 thus far.
  Craig Reise suggested that ``Maybe a `missing license plate' checkbox or
  drop-down would been a good idea in this application...
  Bob Frankston said, ``Reminds me of people with the name Ng vs. payroll
  systems.''  RISKS has had a few similar stories in the past.  PGN]

Risks of namespace conflicts among city names

Cody Boisclair <>
Sat, 17 Oct 2009 21:07:38 -0400

It's not just GPSes that get confused by multiple locations having the same
name; even weather forecasts can be surprisingly deceptive for the same

I recently upgraded my MacBook from OS X 10.5 (Leopard) to 10.6 (Snow
Leopard). The weather widget included in the OS changed its information
provider with the update; in 10.5 it used AccuWeather, while in 10.6 it gets
its information from The Weather Channel.

To make the transition as seamless as possible, Apple designed it so that
the widget in 10.6 would import its information from the 10.5 version. Or
more accurately, it imports the name of the city-- and *nothing else*, even
though it's very much possible to enter one's location as a postal code in
the widget.

You've probably already guessed at the sort of problems this could cause --
and sure enough, it did.

In 10.5, I entered my location into the weather widget as the ZIP code
30605, representing the city of Athens, Georgia in the US. This seemed the
most unambiguous way of doing it, given the sheer number of towns out there
called Athens.

Upon upgrading to 10.6, nothing seemed incredibly out of the ordinary at
first glance during the summer and the beginning of fall — any glitches
could easily have been excused by the cached weather information being a
couple hours stale. As fall weather began to arrive, however, I noticed more
and more discrepancies between what the weather widget claimed and the
actual weather I encountered outside. And yet, the widget was still showing
"Athens" as the location, as if nothing had changed.

I decided today to take a look at the properties for the widget... and sure
enough, despite the fact that I originally entered the location as a postal
code, the stored location had been changed to Athens, *Greece*. Oops.

Judging from the order in which The Weather Channel lists its
disambiguations for these city names, I imagine the same thing would occur
for anyone living in Rome, Georgia; Birmingham, England; Portland, Maine;
Paris, Texas; London, Ontario... and, depending on weather patterns, could
easily have gone unnoticed for as long as it did for me.

Cody "codeman38" Boisclair

More on hospital error leads to radiation overdoses

Gene Spafford <>
Wed, 14 Oct 2009 19:44:01 -0400
  (Re: Lesher, RISKS-25.81)

206 people received 8 times the expected dose of X-rays as a result of a
misunderstanding setting a CT machine...and then not finding it for 18
months.  It was finally found when one of the patient complained about his
hair falling out after a test.  "You have to be pretty confident to think
you know more than the guys who designed the equipment."  [Source:, 13 Oct 2009],0,1200257.story

Internet Pioneers Speak Out on Net Neutrality

Lauren Weinstein <>
Fri, 16 Oct 2009 14:58:43 -0700

           Internet Pioneers Speak Out on Net Neutrality

15 October 2009

Honorable Julius Genachowski
Chairman, Federal Communications Commission
Washington, DC

Dear Mr. Chairman:

We appreciate the opportunity to send you this letter.  As individuals who
have worked on the Internet and its predecessors continuously beginning in
the late 1960s, we are very concerned that access to the Internet be both
open and robust.  We are very pleased by your recent proposal to initiate a
proceeding for the consideration of safeguards to that end.

In particular, we believe that your network neutrality proposal's key
principles of "nondiscrimination" and "transparency" are necessary
components of a pro-innovation public policy agenda for this nation.  This
initiative is both timely and necessary, and we look forward to a
data-driven, on-the-record proceeding to consider all of the various

We understand that your proposal, while not even yet part of a public
proceeding, already is meeting with strong and vocal resistance from some of
the organizations that the American public depends upon for broadband access
to the Internet.  As you know, the debate on this topic has been lengthy,
and many parties opposing the concept have systematically mischaracterized
the views of those who endorse and support your position.

We believe that the existing Internet access landscape in the U.S. provides
inadequate choices to discipline the market through facilities-based
competition alone.  Your network neutrality proposals will help protect
U.S. Internet users' choices for and freedom to access all available
Internet services, worldwide, while still providing for responsible network
operation and management practices, including appropriate privacy-preserving
protections against denial of service and other attacks.

One persistent myth is that "network neutrality" somehow requires that all
packets be treated identically, that no prioritization or quality of service
is permitted under such a framework, and that network neutrality would
forbid charging users higher fees for faster speed circuits.  To the
contrary, we believe such features are permitted within a "network neutral"
framework, so long they are not applied in an anti-competitive fashion.

We believe that the vast numbers of innovative Internet applications over
the last decade are a direct consequence of an open and freely accessible
Internet. Many now-successful companies have deployed their services on the
Internet without the need to negotiate special arrangements with Internet
Service Providers, and it's crucial that future innovators have the same
opportunity.  We are advocates for "permissionless innovation" that does not
impede entrepreneurial enterprise.

We commend your initiative to protect and maintain the Internet's unique
openness, and support the FCC process for considering the adoption of your
proposed nondiscrimination and transparency principles.


Vinton G. Cerf, Internet Pioneer
Stephen D. Crocker, Internet Pioneer
David P. Reed, Internet Pioneer
Lauren Weinstein, Internet Pioneer
Daniel Lynch, Internet Pioneer

Accessing your legacy

Peter Bernard Ladkin <>
Sun, 18 Oct 2009 08:58:37 +0200

People who use computers and the Internet as major professional tools are
all getting closer to dying. The organiser (organiser? provoker) of our
traditional music group died suddenly last year and his professional and
personal correspondence was inaccessible. Nobody could find out who Mario
knew or whom he was encouraging to come to our sessions. And not just us --
he organised a lot for concertina players throughout Germany. (I wrote a
couple of poems in tribute, one in English and one in German, accessible
through ) Today I heard belatedly about the death
of one of my most extensive correspondents of the last 17 years. His son
found the e- mail address of a mailing-list correspondent of ours in his
papers. Not on his machine, mind — in his A4 bleached- wood-fibre Nachlass.

Which leads to the moral:

* Please leave access details to computerised personal and professional
information in a secure place to which your executors will have access when
you fall over.

The question is precisely how you organise your computerised life so that
your executors can find out, for example, whom you know, and how to pass on
info to others if you organised groups, while keeping those things
inaccessible which you don't wish to bequeath to posterity. I don't think
there are obvious general answers. But telling your executor about the most
obvious stuff is not hard.

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld

Re: A Time Machine time bomb (Ron Garret, RISKS-25.81)

Alan J Rosenthal
Sat, 17 Oct 2009 11:56:08 -0400 (EDT)

This seems to me to be an inherent risk of any automated backup aging
process: adding a bunch of new data to be backed up will cause a bunch of
old backups to be deleted.

If you want the computer to decide without consulting you how many of your
backups to keep, then you relinquish the power to decide how many of your
backups to keep.

Re: Microsoft's Danger Data Service (Re: RISKS-25.81)

"David Lesher" <>
Tue, 13 Oct 2009 14:24:26 -0400 (EDT)

Re: Cloud Danger, literally... M$ loses T-mobile data

One aspect of Sidekick's design that was not directly Microsoft's fault is
both a caution, and maybe a lesson, for the design and legal communities.

Unlike most of the competition; the Sidekick user allegedly had no way to do
her/his own backups, and still doesn't. Palms, iPhones, etc not just allow
such but make it simple to do so to a local computer. But from what I've
read, Sidekick users had no such option bundled with their purchase. (There
was reportedly some extra cost add-on that could back up *Danger's* copy of
same to a user machine, but no direct way. And with the Danger database's too late now.)

Now we know that many many [but not all] of the customers would never bother
to perform a local backup. [I'm hard pressed to imagine Sidekick's most
famous user, Paris Hilton, on the phone to Tech Support asking for backup
help....] But if it's true that their users had no real option to do so,
that surely dilutes one legal excuse for Microsoft, that backups were really
the users' responsibility.

Another dimension of the saga... where do such cloud based devices fall in
the world of Carnivore err DCS-1000? I suspect the legal stance DoJ takes is
the user voluntarily shared the data (be it calendar data, pictures, or
voice recordings) with Microsoft/Danger; ergo she had no expectations of
privacy. Hmm, I wonder if users can FOIA their lost data back from the FBI?

Re: Microsoft's Danger Data Service (Re: RISKS-25.81)

"John F. McMullen" <>
Thu, 15 Oct 2009 12:16:00 -0400

John Murrell <>
Sidekick depression eases; Microsoft says recovery under way

The prospects for recovering the personal data lost by T-Mobile Sidekick
customers in a server snafu at Microsoft's Danger unit have gone from bleak
to hazy to substantially brighter.

In a post early today, Roz Ho, Microsoft's VP for (ideally) Premium Mobile
Experiences, said "We are pleased to report that we have recovered most, if
not all, customer data for those Sidekick customers whose data was affected
by the recent outage. We plan to begin restoring users' personal data as
soon as possible, starting with personal contacts, after we have validated
the data and our restoration plan. We will then continue to work around the
clock to restore data to all affected users, including calendar, notes,
tasks, photographs and high scores, as quickly as possible. We now believe
that data loss affected a minority of Sidekick users."

She went on: "We have determined that the outage was caused by a system
failure that created data loss in the core database and the back-up. We
rebuilt the system component by component, recovering data along the way.
This careful process has taken a significant amount of time, but was
necessary to preserve the integrity of the data. ... We have made changes to
improve the overall stability of the Sidekick service and initiated a more
resilient backup process to ensure that the integrity of our database
backups is maintained."

That said, Microsoft continued to run away from Danger lest its other cloud
computing efforts be injured. Microsoft spokeswoman Tonya Klause said
Wednesday, "The Danger Service platform, which experienced the outage, is a
standalone service operating on non-Microsoft technologies, and is not
related to Microsoft's cloud services platform or Windows Live.  Other and
future Microsoft mobile products and services are entirely based on
Microsoft technologies and Microsoft's cloud service platform and software."

The good news on the recovery front arrived too late to stop the first wave
of the inevitable lawsuits including a pair in Northern California that seek
class action status and assert negligence and false claims by Microsoft and

[Source: MediaNews Group, 1560 Broadway, Ste. 2100, Denver, CO 80202]

Inexcusable Complexity, Re: The risks of being cute (RISKS-25.80)

Ed Lowry <>
Thu, 15 Oct 2009 15:08:33 -0400

In RISKS-25.80 Donald Norman lectures us on simplicity versus complexity
issues and admonishes "please don't write about topics on which you are not
an expert". In software, that would lead to almost total silence on
software's biggest challenge, expressing it simply.

At present there is no software language technology available which provides
for simplicity of expression as advanced as what was designed at IBM in the
early 1970s and implemented at Digital Equipment Corporation in the early
1980s. I have seen no evidence of organizations or leadership in software
that aspire to expertise that advanced. If there is I would like to hear
about it.  The capabilities of the most advanced facilities for executing
simply-expressed software have moved backwards over the past 20 years. The
expertise has been fading too.

Twenty five years ago, expressions such as:
 * count every person whose spouse is veteran;
 * sum revenue of every year after 1981;
 * every element of where some isotope of it is stable;
could be executed as part of general purpose programming and database
language, but not today.

There are three sources of inexcusable complexity plaguing software today
where software leaders have mostly obstructed progress. They can be
eliminated by: — combining structural with functional expressiveness, -
using data objects that are designed to be easily arranged, — increasing
language generality.  They are described in "Inexcusable Complexity" at .

One result of neglecting simplification is that students everywhere are
routinely taught how to arrange pieces of information by teachers who have
little idea what is a reasonable structure for well-designed pieces of

Decades of obstructing simplification has undermined public safety and some
currently high priorities of the US government:
 * technical education,
 * innovation,
 * cyber security,
 * reducing health care costs,
 * reducing government spending.

The risks of neglecting progress in a fundamental part of information
technology for 35 years: a widening swath of death destruction, ignorance,
agony, waste, criminality, and dangers to national security.

Re: The risks of being cute (RISKS-25.79,80,81)

Curt Sampson <>
Fri, 16 Oct 2009 22:39:12 +0900

>> The more complex the machinery, the simpler the interface will be."

> This last sentence, without more context, explanation, or scope of
> applicability, is worse than a simple conundrum; it is a disservice to
> public understanding of the perils of complexity that the RISKS forum, as
> I've known it, serves to explore.

Indeed. But even if we take the sentiment as a whole, rather than focusing
on the last sentence, I think I'd go further than you and say that this way
of looking at things is not only a disservice to the public, but a danger to
the public, and even each of us in our private lives. It's not only wrong on
occasion; it's wrong frequently enough that I believe we should never think
about things this way: we should be appropriately suspicious when we do ever
think about it this way.

How wrong this idea can go was made most viscerally clear to me when, after
some years of film photography on '60s- and '70s-era cameras, I bought a
digital SLR. I spent quite some time (almost two hours, actually) writing up
a detailed example of the differences, but it became too large for a RISKS
post. When you start analyzing in detail the use of the three simple
settings (focus, aperture and shutter speed) that are the primary controls
on both digital and analogue cameras, you run into huge, unforeseen (and
often not seen terribly clearly afterward) differences well before you even
reach those modes on the dial beyond 'M', 'A', 'S' and 'P' that instead have
funny pictures (and even more mysterious effects on those three settings
--though those setting are all that they affect).

Through thinking about this a bit more, I now have great sympathy for any
Airbus pilot who pushed a little hard on the rudders. How was he to know?
I'd do the same.

I think it comes down to Fred Brooks' essential vs. inessential complexity;
the essential doesn't go away: it just gets disguised, and in the disguising
of it, we lose the instincts we've developed and have to relearn them,
perhaps without realising, in the moment, that we need to do so.

> It may have been wrong of me to call it exactly as I saw it, an
> unintended parody, suggesting that complexity of machinery and the
> complexity of its interface are inversely related.

No, they are proportionally related. As I now know too well, and yet not
well enough.

Curt Sampson <> +81 90 7737 2974

Re: System diversity helps in power control system

Ian Botham <>
Sat, 17 Oct 2009 00:43:10 +1100

This article missed the major issue, which was that a virus outbreak
crippled the Windows desktops of a large government utility.  I have talked
to some insiders, and thought the facts might be of interest to Risks

The organisation is a large electrical distribution utility in Australia.
It has around 2700 Windows desktops in a head office, and some dozen
regional offices, all connected via a WAN.  I haven't heard how the virus
( got into the internal network initially (if anybody knows),
but I heard that the anti-virus software was out of date, and while it could
recognise infected exe's it couldn't kill the virus process or stop it
spreading via Windows file shares. The virus infected exe files, then the
anti-virus software detected this and quarantined the files — with the
result that soon there were no exe's left to run, and the desktop boxes were

Initially the scale and seriousness of the situation wasn't realised, and
after several days a high percentage of the organisation's desktops were
close to useless. The effect on day to day operations was crippling. As the
original article mentioned, the SCADA system is on Solaris and so was not at
risk. However, the trouble ticket system runs on Windows servers, and while
not affected was at risk. Eventually the decision was made that all desktops
had to be re-imaged to get rid of the virus, and it took more than 2 weeks
from the initial detection of the virus to get most of the desktops back in

The most obvious risk is that of letting anti-virus software get out of
date. However, that shouldn't blind us to the bigger risk of having the day
to day operation of a large organisation dependent on a large collection of
Windows computers — which will always be vulnerable to a zero-day exploit
of some kind. I know there's no easy fix for this risk, but that doesn't
make the risk go away.

Finally, I'm not an anti-Windows zealot, but I just can't resist ! How will
the Windows marketing droids spin the lower TCO of Windows, and discount the
cost of thousands of employees twiddling their thumbs for a few weeks ?

Rethinking What Leads the Way: Science, or New Technology?

"Peter G. Neumann" <>
Tue, 20 Oct 2009 11:24:52 PDT
  (John Markoff on W. Brian Arthur)

John Markoff has a very interesting column in The New York Times' Science
Times, 20 Oct 2009, on what appears to be a very interesting new book:

  W. Brian Arthur
  The Nature of Technology: What It Is and How it Evolves
  Free Press, 246 pages, 2009

Markoff notes that this book "reframes the relationship between science and
technology as part of an effort to come up with a comprehensive theory of
innovation.  The relationship is more symbiotic than is generally conceded."
Arthur was trained as an engineer, mathematician, and economist, and those
disciplines are all brought to bear.  Markoff concludes with this paragraph:
"Dr. Arthur's view is that technology is something that defines us as human
and that, in the end, we will be able to control a set of technologies that
rather than conquering us will extend our humanity."  This has of course
been an ongoing topic here in one guise or another, and can benefit from
Arthur's analysis — particularly as it might (or might not) relate to the
computer field.  (That might be a subject for John Markoff's blog!)

Computers, Freedom and Privacy 2010 Conference: Call for Proposals

Mon, 19 Oct 2009 13:36:16 -0400

Organizers of the 20th annual ACM Computers, Freedom, and Privacy
conference, which takes place June 15-18, 2010, in San Jose, have announced
a call for proposals to help shape the program for next year's gathering.
The theme of the conference is Computers, Freedom, and Privacy in the
Networked Society and seeks to address how constant connection in social,
communication, information, and physical environments impacts freedom and
privacy, and how computers can be used to improve freedom and privacy.
Organizers are seeking suggestions for speakers, topics, workshops,
tutorials, and panel sessions.  The proposals should take advantage of the
location of the conference, include a diverse set of panelists and new
voices, offer a number of perspectives on challenging issues, and explore
cutting-edge technology, legal, and policy issues.  Possible topics include
social networks, cloud computing, surveillance networks, anonymity in a
networked world, ethics and computing, accessibility, open source, and media
concentration, advertising, and political campaigning on the Internet.  The
final program will be assembled partly from the proposals.  The early bird
deadline for proposals is Dec. 1, 2009, and the final deadline is Jan. 31,

Please report problems with the web pages to the maintainer