The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 3 Issue 37

Thursday, 14 August 1986


o Computer Viruses
Robert Stroud
o On knowing how hard a system is to make work
Bob Estell
o COMSAT and the Nondelivery of Mail
Rob Austein
o Exploding Office Chairs
Jonathan Bowen
o Info on RISKS (comp.risks)

Computer Viruses

Robert Stroud <>
Wed, 13 Aug 86 20:29:54 bst
Here is something I found in the Times yesterday. Since it is marked
"Reuters" I assume it originated in the States so you may have seen it
already. What is your policy on posting copyrighted articles?  This is the
entire text and I have not made any excerpts. On the other hand, I have
acknowledged the copyright. There has been a fuss about this in net.unix
recently, so I am rather concerned not to get myself, the University or you
into trouble.

   [RISKS is a non-profit educational operation.  I believe that it is
    quite appropriate to quote an article under such circumstances -- with
    attribution.  There is a burden on all of us to use it accordingly.  PGN]

One of the "computer comics" (free journal made up of half news/features
and half job adverts) called Datalink has a front page story about the X-ray
machine in Texas killing a patient. I remember this coming up in RISKS some
time ago, and you are quoted in the article as follows:

"Specialists in the field of software reliability have long been predicting 
fatalities caused by bugs. Peter Neumann of the US ACM claimed that the ACM's
software engineering group had monitored 16 deaths caused by defective
programs. "This is just the tip of the iceberg", he said.

    [Actually I thought I mentioned to him that there were at least 16
     CASES of computer-related deaths (a subsequent closer count by me
     shows that there are 24 different cases in my files).  The total 
     number of deaths in those cases is over 716.  There were also three 
     Soviet nuclear sub accidents with unknown tolls.  PGN]

Manny Lehman is also quoted as being "not surprised - this is merely the
front-runner of a thing we're going to see a lot of".

The same issue of Datalink also contains a story about how a problem with
some new software led to rumours that Tetley's brewery had stopped
production - while they were installing it, they ran into problems and to
save time, tried to contact the programmer who was on holiday in Scotland.
Somehow the messages got distorted en-route...

It's a nice anecdote but perhaps not really a RISK! However, I'll send it
in if you're interested. People can take beer very seriously in the UK...

   [Please send it!  PGN]


Here is an article from yesterday's [London] Times (August 12th, "Computer
Horizons").  Although it is couched in somewhat exaggerated tones(!), the
consequences of failure are the same, whether induced by sinister bogeymen
or simply design faults.

By coincidence, I recently came across a reference to the paper by F. Cohen
of the University of Southern California entitled "Computer Viruses: Theory
& Experiments", which apparently suggests that a Unix virus could gain root
privileges within an hour, so maybe there is something to be worried about
after all!  [A few minutes is well within an hour...  PGN]

Perhaps some of the "sources who spoke on condition they would not be 
identified" will read this and would like to comment further, (anonymously
of course...)

Robert Stroud, Computing Laboratory, University of Newcastle upon Tyne.

ARPA robert%cheviot.newcastle@ucl-cs.ARPA, UUCP ...!ukc!cheviot!robert


"The 'virus' threat to defence secrets" (c) Times Newspapers Limited 1986

from Christopher Hanson in Washington

American Scientists are struggling to protect computer networks - vital in
areas ranging from national defence to banking and air traffic control -
against a potentially devastating weapon called a computer virus.

Computer security experts in the US government say the "virus" is a high
technology equivalent of germ warfare: a destructive electronic code that
could be inserted into a computer's program, possibly over a telephone line,
by a secret agent, terrorist or white collar criminal.

When a computer virus attacks it wipes out crucial memory data or otherwise
causes high technology equipment to behave erratically, according to sources
who spoke on condition they would not be identified.

They said a computer virus attack might bring a major weapons system to a
standstill, throw a computer-guided missile off course, or wipe out computer
stored intelligence. "The government is concerned and we are pursuing
solutions," one security official said.

Computer security experts have created experimental viruses in a bid to find
defences, but there had been no breakthroughs.

Both the military's computer nets and the highly automated US banking system 
are vulnerable to "catastrophic collapse", according to a recent Georgetown
University report by a group of government and private counter-terror experts.
Urging that the pace of defensive research be quickened, it said the computer
virus threat was "a matter of great concern...There do not appear to be any
quick and easy defences or overall solutions to the problem."

As to the banking system, the report warned: "The four major electronic
funds transfer networks alone carry the equivalent of the federal budget
every two to four hours. These almost incomprehensible sums of money are
processed solely between the memories of computers, using communications
systems that are vulnerable to physical disruption and electronic tampering."

Computer viruses are designed to replicate themselves like a living organism,
spreading throughout a computer netork, government scientists said. Viruses
can spread from one computer system to another during electronic linkups
and might lie undetected for months or years before going on the attack at a
pre-determined time.

Before it begins to disrupt a system, a computer virus would be inconspicuous,
containing only a few hundred "bytes" in a program that might total hundreds
of thousands. Even the most carefully designed computer security barriers can
be vulnerable, the Georgetown report said.

Another way the viruses could spread was through computer discs which computer
users often copy and share. Scientists say the computer virus idea may have
originated in a 1975 science fiction novel, "The Shockwave Rider". Intrigued
computer buffs began tinkering and by the early 1980s had turned fiction into
fact with experimental viruses. (Reuter)

On knowing how hard a system is to make work

<"SEFE::ESTELL" <estell%sefe.decnet@nwc-143b.ARPA> [or estell@nwc-143b]>
14 Aug 86 11:06:00 PST
I think there is a risk in solving computing problems too easily.  A San
Diego friend says that "The trouble with doing a project right the first
time is that no one knows how hard it was."  Though that happens
infrequently, he's got a point.  In most fields, accomplishment can be
measured by effort, along with talent, luck, and some other things.  The
scholar who breezes through school often knows how hard it is, based on the
hours spent in the library and the lab; the athlete whose graceful moves
seem effortless knows how close to the limit she plays.  But lots of "good"
computing systems are joint ventures between a hardware designer of generic
computer power, and a software designer of some particular algorithm;
neither really knows how hard the machine works to solve a particular
problem.  Often it's only after the system fails that we realize that it was
operating at its limit before we increased the load.  That's in part because
many programmers just write code, with little attention to thorough analysis
& design as urged by Don Knuth's work; and in part because hardware designer
and software end-user often never meet; and in part because the field is so
broad and demanding that one person can't know it all.

There's another old saying, that an expert is someone who avoids all the
minor errors on his way to the colossal blunder.  That points up the risk of
being so bright (or lucky?) that one never fails (or is even stressed) by
routine assignments; and finally assumes a prominent role in a major, high
risk program.

Maybe we should give some thought to having major computing projects headed
by people who have reached their limits at least once along the way; not
that they have failed, but that they have had to try again.  [A winner is
one who gets up one more time than he goes down.]  With that in mind, does 
anyone know the "track record" of the leaders of some high risk projects; 
e.g., SDI?  I'm sure these folks have impressive credentials;
I just wonder if they've ever explored their own limits.


[Nondelivery of RISKS-2.38 (8 April 1986) and other mail]

Rob Austein <SRA@XX.LCS.MIT.EDU>
Thu, 14 Aug 1986 03:16 EDT
    Date: Friday, 8 August 1986  19:43-EDT
    From: Communications Satellite <COMSAT@MC.LCS.MIT.EDU>
       "[For the past week or so, I have been getting sequential notices of
        undeliverable mail from "Communications Satellite" -- four
        months after the original mailings of RISKS, ... PGN ]"

COMSAT stopped being able to deliver messages of any serious length sometime
around last December, and didn't really get fixed until mid-May (changing of
the guard, had to scare up a new COMSAT hacker).  During that time a couple
of Really Dedicated People were faithfully saving all the messages that
COMSAT was dropping on the floor.  Ever since COMSAT was fixed these
messages have been being dribbled back into the mail queue, 10 or 20 at a
time (not practical to filter them, given the volume).  The fact that it is
now August and we still aren't done should give you some idea of the volume
of mail that MC handles.

We announced this on Arpanet-BBoards (and other places) when we started
dribbling the mail back in.  Of course, that was a while ago....


Exploding Office Chairs [A Peripheral Risk of Sitting Before a VDT?]

Jonathan Bowen <>
Thu, 14 Aug 86 15:16:30 GMT
Below are extracts from two reports in the Guardian; the first rather jokey
and the second less so, presumably after the journalist realised the
seriousness of the problem.

      Exploding chairs a pain in the office (Monday, 11th August 1986)

    A new hazard at work, the exploding office chair, is facing - or, rather,
  the reverse - Britain's white collar workers.  The problem is now under
  investigation so that up to 2 million minds, and a similar number of
  bottoms, may rest more easily.  So far, 11 swivel chairs around the country
  are known to have gone off with a bang.  In three cases the exploding chairs
  have caused injury, probably because the sitters have been sent sprawling as
  the bottom drops out of their world.

    The problem has cropped up with adjustable office chairs fitted with
  nitrogen gas cylinders in place of the conventional springs in their height
  control mechanism.  Preliminary findings suggest that metal fatigue cracks
  can develop in the cylinders, possibly caused by the poor chairs being asked
  to cope with more than they can bear.

      Exploding chairs' two-year history (Tuesday, 12th August 1986)

    The danger of office chairs exploding has not previously been made public
  because of official reluctance to raise an "alarmist scare," it emerged
  yesterday.  The public has not been warned about blasts scattering stell
  fragments and metal bolts caused by failures in adjustable chairs fitted
  with nitrogen cylinders instead of conventional springs. Cases of serious
  injury came to light two years ago. ...

    In September 1984, the Consumers' Association passed to the Health and
  Safety Executive (HSE) details reported by consumer organisations in Europe
  of incidents involving office chairs.  They included accounts of two deaths,
  one in Belgium and the other in West Germany, where, it was reported, a
  piece of steel had penetrated a victim's brain through the eye.  ....  The
  HSE has stressed that only 11 incidents, three of which caused injury, are
  known to have occurred in Britain - where up to 2 million of the chairs are
  in use.

Has this story broken in the US yet? How many of you are sitting at your VDU
on such a chair? This is the time to take a quick peek below you, and take
appropriate defensive action if necessary. You have been warned!

Jonathan Bowen, Research Officer, Distributed Computing Software Project
Oxford University Computing Laboratory, Programming Research Group
8-11 Keble Road, Oxford OX1 3QD, England, Tel:  +44-865-54141 x293
   UUCP:  ...seismo!mcvax!ukc!ox-prg!bowen (bowen@ox-prg.uucp)

                         [Some persons talked into buying this chair 
                          were evidently given a bum steer!  PGN]

Please report problems with the web pages to the maintainer