The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 4 Issue 67

Tuesday, 24 March 1987

Contents

o Winch is the greatest risk in a theater?
Dave Wortman
o DC9 Computer Failure
Earl Boebert
o Health hazards associated with VDU use: eyestrain
John J. Mackin
o Who called?
Jerome M Lang
o Car Phone Intercept -- implications of captured data
Alex Dickinson
o Re: Increased Telephone Switching Capabilities
Michael Wagner
o Re: Telephone switches
Bjorn Freeman-Benson
o Re: ATM experience
Roy Smith
o Risks of ATM machines
Mike Linnig
o Bank troubles, M.E. magazine
David Chase
o Re: "The Choking Doberman..."
Elliott S. Frank
o Newspaper article on Audi 5000S
Mark Brader
o Info on RISKS (comp.risks)

Winch is the greatest risk in a theater?

Dave Wortman <dw@csri.toronto.edu>
Mon, 23 Mar 87 15:15:11 EST
Look up if you want to see the real RISKs in many theaters.  The failures in
computer lighting systems discussed recently may cause inconvenience or
economic loss, but failures in the computerized winch systems used to "fly"
scenery have the potential to cause serious bodily harm.

The typical arrangement for flying a piece of scenery is to attach several
lines (e.g. 3/16 wire rope) to it, run these lines up to the stage ceiling
around pulleys to the drum of an electrically powered winch.  The winch is
controlled remotely either manually or in more sophisticated systems by
small computers.  These computers can be preprogrammed with the flying
sequence for an entire performance in a way very similar to the programming
of lighting systems. The scenery being flown can be quite heavy.  The
electrical winches are supposed to be failsafe, i.e. a brake is
automatically applied if power or control is lost.

One of the first such systems was installed in the Loeb Theater at Harvard
in the early 1960s.  It had several interesting failure modes including one
in which the winch went into "full speed up" mode and tried to pull the
scenery through the pulleys in the ceiling.  This continued until the wire
rope snapped and the scenery went into free fall.

Dave Wortman, Computer Systems Research Institute, University of Toronto
  ex-stagehand and -theatrical-rigger

             [I presume there were no cases of rigger mortis.  But,
             perhaps there were winch-healed wipers on the motors.  PGN]


DC9 Computer Failure

<Boebert@HI-MULTICS.ARPA>
Mon, 23 Mar 87 11:16 CST
Somebody mentioned a NY Times article about our good 'ol Northworst Airlines
that described an incident in which there was an all-channel failure of the
computer system on a DC9 (must have been an MDA80) which led to the loss of
all attitude display.  Supposedly the airliner was led into Toledo airport
by a general aviation aircraft (!).  Anybody have any details on this?


Health hazards associated with VDU use: eyestrain

<munnari!basser.oz!john@seismo.CSS.GOV>
Sun, 22 Mar 87 14:18:57 EST
Gregory Sandell's submission prompted me to mention the main problem I have
had with VDU use; namely, eyestrain.  I used to find that after a day at
work my eyes would be very tired.  About a year and a half ago, I saw an
article on the net suggesting that a good way to reduce eyestrain associated
with terminal use was to reduce the amount of light striking the screen as
much as possible.  So, my office-mate and I implemented the following
measures (adapted from suggestions in the original article, which unhappily
I no longer seem to have):

    * Keep all windows well covered during daylight hours.

We have venetian blinds on our window and closing them completely is
reasonably satisfactory.  It would be better if we could exclude even more
light, though.

    * Turn off all overhead lighting.

Our room is lit by fluorescent lights which are quite bright.  With them
turned off and the blinds closed, it gets reasonably dark.  The darker the
better.

    * Use desk lamps, but _keep light from them OFF the screen!_

We each purchased two spring-arm type desk lamps to illuminate the work area
on our desks.  Reading material on the desk is probably easier than before,
as the desktop is actually better illuminated now than it was by the
overhead lighting.

Our experience with this has been very positive indeed.  Both of us have
completely ceased to suffer from eyestrain.  And I also find the dimly-lit
environment to be much more relaxing than it was when it was brightly
illuminated.

I would like to thank the poster of the original article, whose name I
unfortunately don't know, and thoroughly recommend this approach to anyone
who suffers from eyestrain due to VDU use.

John Mackin, Basser Department of Computer Science,
         University of Sydney, Sydney, Australia

john@basser.oz.AU (john%basser.oz@SEISMO.CSS.GOV)
{seismo,hplabs,mcvax,ukc,nttlab}!munnari!basser.oz!john

Copyright 1987 John J. Mackin.  Restricted redistribution prohibited.

   [As a related comment, I have some friends who are very sensitive
   to fluorescent lighting, which can give them monumental headaches.
   (Several of them have conducted reasonably careful experiments that
   seem to pinpoint that sensitivity.)  I will not speculate in this
   forum on what the possible neurophysiological causes might be, although
   the incomplete light spectrum is a likely candidate.  PGN]


Who called? (Re: RISKS DIGEST 4.66)

Jerome M Lang <jmlang%water.waterloo.edu@RELAY.CS.NET>
Tue, 24 Mar 87 12:19:53 est
In the last digest mention was made about the possibility of learning the
phone number of the caller.  This raises the question of what is done when
the caller has an unlisted phone number (usually for very good reasons).

Jerome M. Lang         ||    jmlang@water.bitnet        jmlang@water.uucp
Dept of Applied Math       ||             jmlang%water@waterloo.csnet
U of Waterloo          ||    jmlang%water%waterloo.csnet@csnet-relay.arpa

   [Clearly one would have to suppress that information -- under certain
   circumstances -- although it is clearly needed for the 911 computers.
   This gets into the problem of secure databases and how difficult it can be
   to prevent inferences from being drawn if you are going to hide information 
   selectively.  Lots of nice research has been done, but basically this is a
   very difficult problem once you take the blinders off.  PGN]


Car Phone Intercept -- implications of captured data

Alex Dickinson <munnari!augean.oz!alex@seismo.CSS.GOV>
Tue, 24 Mar 87 09:02:16 CST
On Sunday 22nd March an Australian activist group using a radio frequency
scanner intercepted and recorded an unencrypted car phone conversation
between a federal opposition shadow minister and a state opposition leader
(both members of the Australian Liberal Party). The conversation referred to
the Liberal Party federal leader in what has been euphemistically termed
`colourful language' and discussed his intended political demise.  The group
released the tape to a Melbourne newspaper that proceeded to publish a
number of juicy excerpts.

Today the federal shadow minister was fired from his party post, and the
chance of an election being called by the Prime Minister to take advantage
of opposition confusion was regarded as having doubled from 15 to 30%.

Federal police are considering whether to press charges under the
Telecommunications Act that broadly covers such interceptions. The fine?
$5000 maximum. Good value for altering the course of the country's politics,
although it's not clear that that was the intent.
                                Alex Dickinson


Re: Increased Telephone Switching Capabilities

Michael Wagner <wagner@gpu.utcs.utoronto>
Tue, 24 Mar 87 16:41:19 EST
I can offer two pieces of information, neither of which answer the questions
completely.

1) the 911 emergency number in Toronto displays the number from which a call
was made.  It does this for a wide variety of originating exchanges (but I
don't know if it does it for all exchanges).  I have been told, by people
who are more knowledgable about phones than I, that the number is sent on
the same circuit as the phone call.  They claim that almost no gymnastics
were required to make this work.

(The phone company also makes a database of phone numbers and addresses
available to the emergency service, so that numbers are quickly turned into
street addresses.  That clearly wouldn't be available to the average
business or home.  But that is a different matter.)

The implications are that (a) exchanges send the origination phone number
along with the call, and (b) exchanges can relatively trivially send the
information to the customer phone, and (c) the customer phone can decode
the information while the phone is still ringing, and (d) it's not illegal
in Canada for emergency use.

2) The University of Toronto recently switched over to a Centrex III system.
Certain (secretarial) phones can now display the number called and the
number calling.  The number calling works only if the call originated within
the centrex exchange.  It is not clear whether the restriction is technical
or legal.  The implication is that it's not illegal in Canada for calls
originating within an enterprise.

It is clear that, if such a telephone were to become a consumer item, it
would change the whole way we deal with telephones.  I could refuse to
answer calls from people I didn't want to speak to right now.  In fact, I
would probably program the micro in the telephone with a phone list of
people who were and weren't allowed to disturb me.  There would appear to be
many human engineering problems to solve there.  And many computer RISKS.

Michael


Re: Telephone switches

Bjorn Freeman-Benson <bnfb@beaver.cs.washington.edu>
Mon, 23 Mar 87 12:45:40 PST
>The issue of automatic callers releasing the phone line is actually 
>a people issue rather than a technology issue.

As far as I know it depends on the "office" (telephone company term for
switching equipment) connected to your phone.  In the NW US 
there are three types: mechanical, ?, and electronic.  A mechanical
office will hold the line open as long as the caller has his/her phone off the
hook regardless of the callee's actions.  An electronic office will close
the connection as soon as either party hangs up.

>Panic sets in and a feedback loop ensues.

However, I do agree that this can be a problem in any human system.

                        Bjorn N. Freeman-Benson


Re: ATM experience [Bruce McKenney, RISKS-4.66]

Roy Smith <cmcl2!phri!roy@seismo.CSS.GOV>
Mon, 23 Mar 87 21:31:56 EST
    Clearly, different banks do things different ways.  Some time ago I
wanted to make a mortgage payment at an ATM but couldn't find the right
menu item.  When I called for help, they told me to just pick any of the
"deposit to ..." or "payment to ..." items.  It seems that at least for the
case of you making a deposit or payment, they totally ignore which button
you pressed; it's what's on the slip that matters.  In fact, it doesn't
even matter which slip you use.  They type of account is encoded in the
account number.  When I needed a "deposit to X" slip once and they didn't
have any, I was told to just use a "deposit to Y" slip and write the proper
account number on it.

    The question is, doesn't this represent a real risk to the consumer
(although, maybe not truly a computer-related risk)?  I'm pretty ignorant
of the ways of banks, but I've learned how my bank works.  If I go to a
different bank, I'm probably going to assume they work the same way, which
probably means I'll get burned at some point.

Roy Smith, {allegra,cmcl2,philabs}!phri!roy
System Administrator, Public Health Research Institute
455 First Avenue, New York, NY 10016


Risks of ATM machines

Mike Linnig <LINNIG%ti-eg.csnet@RELAY.CS.NET>
Mon, 23 Mar 87 08:20 CDT
A year ago I happened on a remote gasoline station that allowed the
customer to pay with an ATM card.  After paying it occurred to
me that this scenario was ripe for fraud.

How do I know that this ATM reader is really part of the ATM network?

Think about it... 

First I let it read the bits off of my card and then I give it my secret
PIN number.  What is to stop some unscrupulous person from rigging a fake
reader and duplicating my card (they already have my PIN number)?

Hmmm..  a few scandals like this and I bet we see smart cards with
challenges and counter-challenges being exchanged between the card and the
banking system.
                    Mike Linnig, Texas Instruments

   [This is of course an example of the mutual suspicion problem that
   Mike Schroeder worked on in the 60s.  Yes, you must trust the ATM
   apparatus, whether it is trustworthy or not.  The same is true of
   any store that takes one of your credit cards, even with no computer
   in the loop.  This is an old risk, but if RISKS never included 
   discussions of old risks, our newer readers would be cheated.  The
   safest solution is to avoid using such facilties, the next safest is
   to audit the records carefully.  PGN]


Bank troubles, M.E. magazine

David Chase <rbbb@rice.edu>
Mon, 23 Mar 87 15:18:33 CST
Mechanical Engineering 2/1987 is the "What went wrong?" issue with
articles on the Thresher and Chernobyl.  Reading about Chernobyl makes me
cringe.  Again and again, "clear violation of operating procedures".

ME 2/1986 caught my eye with an article on space power and propulsion
systems, but within it were articles on "The Dangers of CAD" [In the past,
any discrepeancy between computer results and measured performance was
traced down with an almost religious fervor.  This zeal is still
appropriate], human guided industrial "robots" (with some remarks on safety
systems buried in there), and a study attempting to determine the safe speed
for an emergency vehicle to enter an intersection (can the siren be heard?).
Not all of these things are RISKS from computer systems, but I found it
made interesting reading.

For bank troubles, I sent a check paying part of my bill to the insurance
company, but they imprinted the entire amount on it for machine consumption
(about 6 times more than the amount I intended).  I actually figured this
out before bouncing any checks because my account dipped rather
surprisingly, but I spent a thin month trying to convince the bank or the
insurance company that there might have been a mistake ("No, no, that
couldn't have happened.").  My bank rather quickly corrected my account when
I showed them the cancelled check, but I'm sure it could happen again.  You
can be sure that I took my sweet time getting the rest of the money back to
the insurance company.  Of course, the source of this error was human, but
it was compounded by blind faith in computers (and the efficiency of
computerized check processing).
                                          David


Re: "The Choking Doberman..."

Elliott S. Frank <amdahl!esf00@Sun.COM>
Mon, 23 Mar 87 14:16:21 PST
I've gotten some mail from risks subscribers requesting a citation
for "The Choking Doberman...".  Here's the citation from
"Books in Print, 1986-1987" (courtesy the helpful folks at the
Computer Literacy Bookstore):

   The Choking Doberman & Other "New" Urban Legends. 
   Jan H. Brunvand, Norton, 1986, 256p. $6.95. ISBN 0-393-30321-7. 

Elliott S Frank    ...!{ihnp4,hplabs,amd,nsc}!amdahl!esf00     (408) 746-6384


Newspaper article on Audi 5000S

Mark Brader <msb@sq.com>
Mon, 23 Mar 87 18:30:56 EST
   [This is a longish "summary", but serves a useful purpose in putting in
   perspective some of the previous messages on this subject.  PGN]

Going through recent back issues of the Toronto Star, I found an article
of about one full page about the Audi 5000S controversy, by the Star's
automobile columnist Jim Kenzie.  It was printed March 7, pages E1 and E15.
At PGN's suggestion I supply a summary of the article's content.

* All the drivers interviewed on TV said the acceleration occurred upon
  shifting from P/N to D/R and that they had their foot hard on the brake.

* Paul Ast claims that failure of the idle stabilization valve can cause
  the engine to surge to 4000 rpm independent of the accelerator; William
  Rosenbluth claims that foreign matter in the transmission control valves
  can lead to a pressure buildup that pushes a rigid part of the throttle
  linkage that is only supposed to be pulled.  These explanations conflict.

* Audi says there were no skid marks in any of the incidents, accelerator
  pedals were bent, they can't reproduce Ast's problem, and Rosenbluth's
  would involve severe transmission damage but the affected cars are new.
  Therefore they claim driver error and have recalled the cars to fit an
  interlock so you can't shift out of P without applying the brake.

* Kenzie (the columnist) revved an Audi 5000S up to 4000 rpm and put it into
  D while holding the accelerator steady.  The car did not run away but took
  several seconds to reach 10 mph.  There was also a lot of noise from
  the 4000 rpm idling, and a loud thump when the transmission engaged,
  which none of the victims apparently reported.  So much for Ast's theory.

* Kenzie then pressed the brake and accelerator, all the way, simultaneously.
  The car revved up to 2700 rpm but stood still.  Finally he took it up to
  30 mph and did the same thing.  It stopped.  None of the victims, or their
  lawyers, has suggested a simultaneous temporary failure of braking, so it
  sure seems that Audi is right and the victims wrong.  Probably they are
  simply repeating the same mental error they made originally.

* Some past Audis did have a minor unwanted-acceleration problem due to floor
  mats fouling the accelerator.  Also, Audis used to have the brake and
  accelerator pedals close together and in the same plane so they could
  be "heel-and-toe" operated, but not since 1982 here, because most are
  sold with automatic transmission anyway.  But these things could tend to
  make people more likely to blame the car when it is an Audi... a bandwagon
  effect.  It is also possible that some "victims" are simply out for money
  in a class-action settlement.

* According to Tom Lankard of AutoWeek, the majority of Audis involved were
  newly bought, many by people switching from GM cars, which have the brake
  and accelerator much less close (so if you miss the brake you don't hit the
  accelerator).  Many drivers were short, which would aggravate any confusion.
  [Does "many" mean "a statistically significant fraction"? --MSB]

* Kenzie doesn't know why the accidents only happen when starting from rest,
  but points out that once people are driving they already have their foot
  on a pedal and this provides a reference point.  [He doesn't address at
  all the people who said they had BOTH feet on the brakes -- but at this
  point I'm willing to call them mistaken. --MSB]

The above is shortened about 80%.  Kenzie's conclusion is worth giving in full:

  There is one party who DOES have guilt dripping from every pore, and
  that's television journalism.  The 60 Minutes piece was shoddy in the
  extreme -- yellow journalism, in full color.  They had convicted Audi
  before the show even began.  Their story was grossly slanted, full of
  innuendo and witness-leading.

  The Today Show was only slightly better.  They at least identified the
  prosecuting "experts" by name on screen, and had them explain how their
  theories worked.  But Rosenbluth's credibility was destroyed when he
  "proved" how the Audi could accelerate due to hydraulic excess trans-
  mission pressure.

  First, without letting the audience know, he deliberately jammed both
  the normal pressure relief valves and the "fail-safe" backup ones in
  the car, which had been involved in two previous "incidents" and which
  still, for effect, had its left front fender missing.

  He tried to prove that it could happen -- not that it did happen.
  Second, he lightly brushed the brakes enough to turn the brake lights
  on for the camera, implying that the brakes couldn't stop the car from
  accelerating across the road into a ditch.  He said he had to shut the
  engine off to stop the car.  As I have previously noted, this is
  completely false.

  Only [the Canadian show] Market Place even attempted the tests that I
  did, which prove beyond a shadow of a doubt that the brakes will hold
  the car regardless of throttle opening.  Still, they devoted about 10
  seconds out of an eight minute piece to this vital fact.

  The public -- let alone Audi -- deserves better than this.

Please report problems with the web pages to the maintainer

Top