The RISKS Digest
Volume 6 Issue 18

Friday, 29th January 1988

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Amazing story about shuttle software whistle-blowers
Nancy Leveson
o AT&T computer billing error
Dave Curry
o A testing time for students
Dave Horsfall
o Re: RISKS in Cable TV?
Marty Moore
o Re: Calendar bomb in the Ada language
Robert I. Eachus
Marty Moore
o Technology Transfer Policy
Gordon S. Little
o The fine points of fixed points
Jim Horning
o Horrendous proliferation of BITNET barfmail
o Info on RISKS (comp.risks)

Amazing story about shuttle software whistle-blowers

Nancy Leveson <nancy@commerce.UCI.EDU>
Fri, 29 Jan 88 10:46:08 -0800
Time Magazine reports this week (1 Feb 1988, pp. 20-21) on a newly released
congressional study of safety problems with the Shuttle software and
hardware.  I recommend you all try to get the article.  It is horrifying.

Just in case you can not get it, I will try to summarize it.  Apparently, a
newly released report by a blue-ribbon committee of eight experts
commissioned to review NASA's safety procedures was highly critical about
NASA and its contractors.  Basically they charge that schedules are again
taking precedence over safety (as before the Challenger accident).  The
report also charges that NASA contractors have ignored and harassed
whistle-blowers.  Some were even threatened.

Some examples:

  Sylvia Robins was a system's engineer for Unisys who is one of the
contractors for shuttle software.  In March 1986 she was approached by
software experts at Rockwell (the prime contractor) for help to find out
whether Unisys had an adequatre system for testing the shuttle's backup
software.  She claims that she discovered that in order to save time, Unisys
was testing the main and backup software at the same time that changes were
being made in payload and other shuttle flight plans.  This saved a 3-week
hold for each test (until the changes were completed), but meant that the
test results were meaningless — since the software could not be adjusted
and tested simultaneously.

When she told her supervisors about it, she was told to drop the matter and
not tell Rockwell about it.  She says her bosses considered her a
trouble-maker because she had earlier complained that Unisys did not have
the proper facilities for protecting the software for secret DoD missions
assigned to shuttle flights.  She claims that her supervisor met with some
employees and tried to get them to falsify some documents in order to
provide "proof" that she had called some staff meetings without authorizing
overtime pay.  When one woman refused to make such a false claim, she was
fired.  Robins was also fired.  She was then hired by a Rockwell subsidiary
where she repeated her complaints to her new bosses, to the FBI, and to
NASA's inspector general.  She has received letters threatening her life.
Two other whistle blowers also contend that they have received anonymous
telephone threats against their children.

Another case involves a former Rockwell QA engineer who says that an audit
against Rockwell's shuttle hardware and software revealed that only 12% met
NASA's contract specifications.  His supervisor told him to change the number 
in his report to 96% or better.  He refused and five weeks later was fired.

A current Rockwell engineer reports that the company in June 1987 failed to
place a protective password on at least one shipment of shuttle software
tapes, allowing changes to be made without being recorded.  She produced a
record showing that one anonymous change had actually been made to the
software.  The whistle-blowers also claim that supposed confidentiality of
complaints is not being observed at Rockwell and that, in fact, they have
found themselves being followed by cars at night, some of whose license
plates have been traced to the Rockwell security force.

Rockwell denies all charges.  George Rodney, who was given responsibility for
safety at NASA after the Rogers' Commission report on the Challenger accident,
says that they are reorganizing safety and quality control.  I can give
personal testimony that I have been contacted by people involved in the new
Safety Office at NASA Headquarters and that they appear to be sincerely
interested in doing something about software safety for NASA programs.  I am
not so convinced that their contractors are as committed, at least from the
evidence given in the Time story.

I gave a talk in October at the CPSR Annual Meeting and suggested that we
could not call ourselves professionals until we accept responsibility for the
quality of the products we produce.  It looks like some computer professionals
are doing that, at great personal cost.  I have fears, however, that this is
all just the tip of the iceberg.  Frankly, I can see little justification for
worrying about software that won't work in the year 2099 because of some flaw
in the way Ada handles dates.  We should be spending our time discussing what
to do about the software that may not work now.
                                                       Nancy Leveson

            [TIME article by Ed Magnuson, reported by Jay Peterzell/Houston.]

AT&T computer billing error

Dave Curry <>
Fri, 29 Jan 88 11:09:43 EST
From the Lafayette (Indiana) Journal & Courier, 1-29-88:


  PROVIDENCE, R.I. - Up to 2 million AT&T telephone customers across the
country have been billed for payments they already made.  Some accounts have
mistakenly been referred to collection agencies.
  AT&T officials said Wednesday that the billing problem stemmed from a new
computer system.
  Company officials said payments for the residence and small business accounts
were received but not properly posted in the billing records.
  Those with billing complaints were asked to send copies of their canceled

A testing time for students

Dave Horsfall <munnari!!dave@uunet.UU.NET>
Thu, 28 Jan 88 10:53:16 est
  An article in "The Australian", Tuesday 19th January, 1988, is headlined "No
  one told system the school year had changed".  It goes on to say: "Education
  officials worked through the night to check 45,000 sets of exam results last
  week, after a computer error sent false results to more than 80 Victorian
  students.  More than 50 students who sat the Year 12 Victorian Certificate
  of Education (VCE) exam were wrongly told they had passed.  At least 30
  others were told they had failed when they had actually been successful.

  The Victorian Curriculum and Assessment Board, which administers the exam,
  said one of the causes for the error was the change from a three-term to a
  four-term school year, which the board's computer had not been ready for.

  ... The media liasion officer for the VACB, Ms Wendy Hunter, told [the paper]
  that the error only affected about 85 of those "borderline" cases whose
  results depended on compensation - though she said the board realised how
  important the results were to each person.

  The complex method of compensation includes credit for work done during the
  term (no-one told the computer the shortened term counted for less) as well
  as the chance for good passes in some subjects to make up for a narrow fail
  in others.

  Ms Hunter explained that in a three-term year, credit was given for units per
  term, but in a four-term year it was for units per semester - which meant a
  term's work only counted for half a unit."

The best bit came at the end of the story:

  "The head of Melbourne's Swinbourne Institute of Technology computer centre
  queried the board's original statement that the problem had been caused by
  'computer error'.  ''Computer error can mean just about anything'', the
  centre's manager, Mr Michael Plunkett, said."

Indeed it can.

Dave Horsfall (VK2KFU)      ACS:
STC Pty Ltd                 ARPA:
11th Floor, 5 Blue St       UUCP: {enea,hplabs,mcvax,uunet,ukc}!\
North Sydney NSW 2060 AUSTRALIA    munnari!!dave

Re: RISKS in Cable TV?

marty moore <>
Fri, 29 Jan 88 08:58 EST
It really is possible for the contents of a TV signal to affect the TV itself.
I once had a TV with one of the old sonic remote controls.  At that time there
was a cereal commercial (I don't recall which brand) which featured exploding
cereal boxes.  The explosion sound apparently contained the right frequency or
harmonic, because every time the explosion occurred, my TV changed channels.

I always thought this had great possibilities for unscrupulous TV station
programmers.  ("Let's buy some commercials through a dummy on the other 
stations...we'll bury the signal to change to our stations in the commercials.
The audience will never know the difference.")

Re: Calendar bomb in the Ada language

Eachus <eachus@mitre-bedford.ARPA>
Fri, 29 Jan 88 16:29:36 EST
    I hope to be around to celebrate the Ada Doom Date (January 1,
2100), but the situation is not as bad as has been indicated here.  In fact,
I would argue given recent experiences that the situation in Ada is much
better than the current state of the practice. The function TIME_OF will
raise CONSTRAINT_ERROR if called with a year outside the range 1901..2099,
and the "+" and "-" functions are required to raise TIME_ERROR if the
resulting TIME is outside the permitted range, but:

        None of  this  is  a  part of the   Ada language,  but a
        package  required    to  be    provided by  all    valid
        implementations.   In other words,  you can write or use
        your own.

    The  function CLOCK may return a time outside this range
    (assuming  the program  remains around  long  enough for
        that to be valid).

        All    Ada  implementations are  tested   as part of the
        validation   process to  see  that the  CALENDAR package
        functions correctly, and the  quality of these  tests is
        continually  being improved. There  shouldn't be any Ada
        time bombs for at least a hundred years, if then.

     Another doom date worth noting is January 1, 2028, the date when MS-DOS
goes belly up.  (Dates are represented internally in a 16-bit word, with
five bits for the day, four bits for the month and, you guessed it, a 7 bit
year).  Try putting in the wrong date on a machine with no clock and no hard
disk (and a spare copy of your system disk) sometime...
                                            Robert I. Eachus

Re: Calendar bomb in the Ada language

marty moore <>
Fri, 29 Jan 88 08:57 EST
I have always assumed that the Ada type YEAR was constrained to the range
1901..2099 in order to simplify leap year calculations.  All years in that
range which are divisible by 4 are leap years; however, 1900 and 2100 are
not leap years.  Does anyone know if this is true? 

I wonder how many systems will have problems in 2100 because they
incorrectly assume it is a leap year.

                [OK.  Probably enough speculation on this topic for a 
                few years.  But let's hear it when the alarm goes off.  PGN]

Technology Transfer Policy

"Gordon S. Little" <Littleg@HIS-PHOENIX-MULTICS.ARPA>
Thu, 28 Jan 88 18:09 MST
Paul Smee's statement about the application of US technology transfer
policy is nothing short of astounding.

    > Perhaps one of the lesser-known 'features' of the US technology
    > transfer policy is the fact that the US government applies it
    > internationally...

Political pressure we have with us always, and that is understandable
and a fact of life.  But what legal principle sanctions the right of
ANY country to enact laws governing the action of FOREIGN nationals
IN THEIR OWN (SOVEREIGN) COUNTRY?  This is hardly a technical RISK,
but if such unbelievable arrogance were to pass unchallenged and such
a principle were accepted internationally, the absurdities that could
result must be obvious to anyone.

The fine points of fixed points

Jim Horning <>
29 Jan 1988 1123-PST (Friday)
The year I moved back to Palo Alto from Canada I DID have an explicit
recursion in my tax calculation.  I had four kinds of income:

  1. Canadian income earned while a resident of Canada,
  2. American income earned while a resident of Canada,
  3. American income earned while a resident of America, and
  4. Canadian income earned while a resident of America.

The US claimed the right to tax all four kinds of income, but granted credits
FOR TAX REQUIRED TO BE PAID to Canada for kinds 1. and 4.  Canada only wanted
to tax kinds 1. and 2., and granted a credit FOR TAX REQUIRED TO BE PAID to
the US on kind 1.  The fixed point was reached in only two iterations because
of MIN and MAX occurring at strategic points in the calculation.

However, to complicate the situation, this was the year that treatment of
foreign earned income was "reformed," and Congress changed the law
RETROACTIVELY several times.  I filed a form 1040R to claim an increased
refund, and received two other small unsolicited US refunds.  I suppose I
should have recalculated my Canadian tax, too, but I didn't.

    [I note that the convergence in this case in the CA/fed case may not always
    result in a unique solution — a pair of oscillating solutions could arise,
    because of round-off...  By the way, several readers noted (again — see
    my comments in RISKS-6.17) that there is no actual iteration if you are
    happy with whatever state tax you estimated and paid in 1987.  So I keep
    responding that the iteration results from trying to refine the estimate,
    but that is not required by law.  PGN]

Horrendous proliferation of BITNET barfmail

Fri 29 Jan 88 17:00
  === HELP!   risks@hemuli.uucp vanished, CAUSING ALL BITNET READERS  ===
  === to get many (60 is the most reported yet) copies of BARFMAIL!   ===
  === dae@PSUVAX1 reported that this address has been invalid for     ===
  === quite a while and it cannot deliver the message since PSUVAX1   ===
  === doesn't know the path to that .UUCP node.  If anyone does know  ===
  === a node, please tell dae (mon). (Noted by Marc Shannon, to whom  ===
  === you BITNETters generally owe thanks for having volunteered to   ===
  === help you all stay in contact with RISKS, despite all the flaki- ===
  === ness of the interconnections.  I can't fix it.  Sorry.)  PGN    ===


By the way, many of you have recently requested to be added.  In some cases
I find I cannot get mail back to you! So, here once again is the procedure.

Please try to add yourself according to the following recipe.  (Any one of
the three locations should work — they are supposed to be interconnected.)
That way you will be able to handle future changes directly.  


                        BITNET SUBSCRIBERS: 
For subscription assistance, please observe the following instructions:

  For WISCVM, send mail to LISTSERV@CMUCCVMA, with a single line request:
SUBSCRIBE MD4H your name         or        UNSUBSCRIBE MD4H your name

  For FINHUTC, send mail to LISTSERV@FINHUTC, with a single line request:
SUBSCRIBE RISKS your name        or        UNSUBSCRIBE RISKS your name

  For UGA, send mail to LISTSERV@UGA, with a single line request:
SUBSCRIBE RISKS your name        or        UNSUBSCRIBE RISKS your name

The only mail to RISKS@CSL.SRI.COM should be RISKS contributions.


Please report problems with the web pages to the maintainer