The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 31

Monday 8 August 1988

Contents

o Software failures cost Britain $900M per year, study claims
Jon Jacky
o Lightning strikes (twice)
PGN
o Computer failure delays flights at Logan Airport
PGN
o A320 & A300 safety, risks of so-called experts
Michael Pilling
o RISKS of Electronic Cash-registers
Robin Kirkham
o Computer terminals and dermatology
richard welty
o Computer System Vulnerabilities
Rodney Hoffman
o Disaster Exposition
Cliff Stoll
o Info on RISKS (comp.risks)

Software failures cost Britain $900M per year, study claims

Jon Jacky <jon@june.cs.washington.edu>
Fri, 05 Aug 88 09:29:58 PDT
This article appeared quite a while ago in ELECTRONICS ENGINEERING TIMES
(June 13, 1988, p. 19):

BRITAIN SCRUTINIZES SOFTWARE QUALITY by Roger Woolnough

...(Two) studies were commissioned last year from Price Waterhouse and 
Logica plc by the Department of Trade and Industry (DTI), the government
department concerned with virtually the whole of British industry.  The 
Price Waterhouse study sought to establish the costs and benefits of 
applying quality-management standards to software. The parallel study by
Logica examined the possibility of harmonizing the civil and military 
quality management standards.

The failure costs are expensive.  For British industry, the report estimates
them conservatively at $900 million a year, and that includes only software
produced domestically and sold on the open market.  If imported and in-house
software were included, the failure costs would be much higher.  And on top
of that there are substantial indirect costs, which Price-Waterhouse could
not quantify.

Price Waterhouse estimated that implementing a quality system would mean
additional costs for a typical supplier with 50 to 100 employees of between
$360,000 and $450,000 a year.  Initial setup costs could be between $180,000
and $270,000, with no difference between large and small companies.

The study was unable to estimate the reduction in failure costs that would 
result from wider use of quality systems but did work out the savings
required to justify them - a 10 to 15 percent reduction in total failure
costs over the life of a system.

"If we consider costs and benefits to suppliers only," says the report, 
"a reduction in failure costs of 35 to 40 percent would be required to
sustain the investment in a quality system.  ... An improvement of this size
is possible, but far from certain.  Therefore it is possible that software 
suppliers could incur net costs as a result of introduction of a quality
system.  The evidence suggests that most users are not prepared to pay higher
prices for software simply because a quality system was used by the
supplier."

(The Logica study compared various standards for software quality assurance,
namely NATO's AQAP documents, used by the British Ministry of Defence, and
international ISO9001.  Logica found little difference in substance and
recommended standardizing on ISO9001).

- Jonathan Jacky, University of Washington


Lightning strikes (twice)

Peter G. Neumann <NEUMANN@csl.sri.com>
Mon 8 Aug 88 14:33:09-PDT
On 31 July 1988 lightning struck the drawbridge between Vineyard Haven and Oak
Bluffs on Martha's Vineyard MA, paralyzing the three-phase controls and then
ricocheting into the elevated transformer.  As a result the Lagoon Pond access
for 40 sailboats and tall powerboats was sealed off for almost three days.
(This was the same weekend that the ferry Islander ripped a hole in its belly
when it ran aground, backlogging 500 cars.  And your moderator was there,
finally getting a little vacation so that you all could get a little vacation
from RISKS.)  The previous lightning strike, only three weeks before, had
closed the bridge for 24 hours.  [Source: Martha's Vineyard Times, 4 August
1988, p. 1.]


Computer failure delays flights at Logan Airport in Boston

Peter G. Neumann <NEUMANN@csl.sri.com>
Mon 8 Aug 88 14:40:33-PDT
On 5 August 1988, air traffic was delayed because a new software tape
designed to relay departure information to air traffic controllers
sent data to the wrong controllers.  It took an hour to replace the
software.  The delays at Logan lasted for about 6 hours, tapering off
slowly from one-hour delays.  Delays also propagated to nearby airports.
[Source: Boston Globe, 6 August 1988]


A320 & A300 safety, risks of so-called experts

Michael Pilling (Dr Chocberry) <bigm@banana.cs.uq.oz>
Thu, 4 Aug 88 15:39:47 EST
This is from an article in the "Australian" 2-Aug-88 retyped and
abbreviated without permission:

    Two pilots blamed for air crash

    Following an official report to the French transport minister
    last week, responsibility for the crash of an Airbus A320 into trees
    at an airshow in eastern France has been blamed on pilot Michel
    Asseline & co-pilot Pierre Mazieres. The A320 gets a clean bill of
    health.
    Cockpit talk recordings from the black box revealed startling
    over-confidence on the part of both men. Mr Asseline told Mr Mazieres on
    the ground he would not use the aircraft's sophisticated alpha-floor
    computer system, which automatically boosts the fuel supply to the
    engines when its speed, altitude and incline indicate a danger of stalling.
    He also disconnected a secondary system to boost power so he
    would have maximum manual control, boasting that he would fly the
    aircraft at 30m at low speed, with just enough power to keep the plane
    at maximum incline without losing height.
    Mr Asseline would then put on full throttle to climb away at a
    steep angle, he said.
    "You want to show off, huh?", the co-pilot said.
    Several times before the critical manoeuvre the crew
    contemptuously dismissed visual and aural warnings emitted by the
    onboard computers.
    The pilot responded to one by saying: "Knock that one off,
    it's getting on my nerves."
    Just before the fly past the co-pilot said: "Right, you're
    coming down to 100 feet, do it, do it."
    "Right, I'm going for it, disconnect the fuel boost system."
    "Watch out for the pylons ahead, eh? You've seen them, yeah?"
    "Yeah, yeah, don't worry."
    The co-pilot then told the pilot to put on full throttle. As
    the aircraft failed to gain height the pilot was heard to curse.
    Neither pilot has been formally accused of causing the crash,
    although the transport ministry said a judicial investigation could
    still bring charges.

    Soon after the crash I saw an American TV report on the crash
which featured a so called "COMPUTER EXPERT" (the caption on the
screen, no mention of his field or qualification was made) stating
that "if it's pilot error it must be systems failure", without knowing
anything of the architecture of the software. Obviously there is a
risk in trusting experts in a field you know nothing of, because you
(in this case the NEWS service) are inclined to believe them.

Eric Roskos (Risks 7.30) asks whether vibration is a common problem in A300s. I have
often experienced the throbbing you refer to, and have noticed that the wings
virtually beat on take off.  I think this is intended or at least seen as an
acceptable side effect of the wing geometry during take off. In general, I
suspect aircraft maintenance in the US is taken far less seriously than here
and this may be partly to blame.

Michael Pilling (bigm@banana.cs.uq.oz)


RISKS of Electronic Cash-registers

Robin Kirkham <munnari!mimir.dmt.oz.au!rjk@magni>
08 Aug 88 15:37:14 EST (Mon)
Years ago when cash-registers could only add, it was safe. Nowadays they can
subtract as well, and so cash-register operators can't, and so you lose your
change. It's been happening to me more and more often over the past couple of
years. I explain:

Formerly, the cash-register would add up all the prices of the things you
bought, and at the end the operator would hit the `Total' button, and the till
would pop open. You would proffer your money, and your change would be made up
by counting out coins, then notes, adding to the total price and working up
to the tendered value. Then you got the docket.

But now, at the end of the sale, the operator punches in your tendered amount,
and the cash register calculates the change, which is then counted out into
your hand in the reverse order -- big notes first, then little ones, then the 
coins get balanced delicately on top. 

Then you get the docket shoved at you. The coins slide off the notes in your
hand, fall and roll under the checkout counter. Gone forever. Can't give you
any more change, till won't balance. Your own mistake. Get out of the way,
you're holding up the other customers.

Australia has recently been inflicted with a $2 coin, and the old $2 note has
been withdrawn. The Treasury, in its infinite wisdom, made the coin smaller
than most of the other coins and out of an exceptionally light aluminium
alloy, which made the problem even worse.

I once asked a checkout girl why they had reversed the order of counting out
the change. She said they were told to do it that way, since they "made less
mistakes" and it was "easier". Actually, I expect the reason was so that the
supermarket could sweep under the counters and collect all the dropped change.

Robin Kirkham   CSIRO/DMT   rjk@mimir.dmt.oz    (My opinions, only)


Computer terminals and dermatology

richard welty <steinmetz!welty@uunet.UU.NET>
Fri, 5 Aug 88 17:19:22 edt
The following short article recently appeared in Cutis, a journal
of dermatology (I don't know the exact issue.)  A note indicates
that the authors are with the Department of Dermatology, University
of Maryland School of Medicine.  Reprints are available from:

Dr. Burnett
Division of Dermatology
University of Maryland Hospital
22 South Greene Street
Baltimore Maryland 21201

This article is reprinted without permission.
Figure 1 (omitted) is merely a picture of a user and an IBM PC.
---

``Dermatologic Manifestations in Users of Video Display Terminals''

Marline L. Cormier-Parry, MD
Gary V. Karakashian, MD
Joseph W. Burnett, MD

  It is not surprising that with new technological advances, new dermatologic
entities also appear.  Rosacea is a cutaneous reaction pattern thought to be
provoked by many factors including foods, alcohol, heat, and cold.  Recent
reports have implicated exposure to video display terminals (VDT) as another
causative factor (Figure 1).  Since the first reports from northern Europe
in 1982, when VDT exposure was related to the exacerbation of rosacea, acne,
seborrheic dermatitis, and poikiloderma of Civatte, more recent reports
have appeared (references 1-3).

The symptoms and dermatitis associated with VDT use are usually paresthesia or
pruritus of the upper cheeks or perioral area with either solitary papules or
a fine erythematous papular eruption.  The typical features of most cases of
VDT-associated dermatitis were onset of the eruptions two to three hours after
daily use of the VDT, improvement of the dermatitis on days the unit was not
used, and low ambient relative humidity at the time of the exposure.

VDTs produce several types of electromagnetic radiation.  The cathode ray tube
emits low-energy x-rays.  The phosphor material of the screen emits
ultraviolet, visible, and infrared radiation.  The electronic circuits
produce radiofrequency and very-low-frequency radiation.  Most electrical
and electronic equipment can generate ``electrical noise,'' a low-level,
broad-spectrum electromagnetic radiation.  To date, no adverse biological
effects in humans have been documented from these electromagnetic fields
and the level of radiation emitted is far below the occupational standards
set by federal authorities (references 2-4).

The electrostatic fields, however, are more likely to be the causative
agent of VDT dermatitis.  Electronic fields are noted around most VDTs at low
humidity and tend to disappear at higher humidity (reference 5).  Most cases
of VDT dermatitis have occurred in northern Europe and during the winter
months, when the relative humidity is less than 40 percent.  Further
evidence for this hypothesis comes from observations that when the
electrostatic fields were reduced, operators' dermatitis and other symptoms
were also reduced.  Whether this is a direct effect of the field itself or
an irritant dermatitis from airborne particles is unknown.  Several female
operators have reported the deposition of their makeup on the VDT screens at
the end of a working day.  However, the deposition of volatile and
particulate air pollution on the skin can be induced by electrostatic field
charge (reference 2).  Furthermore, there have been several reports of
patients who were able to prevent the dermatitis by the use of physical
blocking agents, such as titanium dioxide or Duoderm.

Recently, computer manufacturers have introduced VDTs that have no static
electric fields as a means of preventing dermatitis.  Electrostatic shields
are also available and widely used in northern Europe.  The shield, which is
placed in front of the VDT screen, becomes conductive at relatively low
humidity and thus eliminates the static field.  Improvement with these
shields, however, is usually temporary since their conductivity diminishes
with time.  In the United States, the use of a skin-colored ``sun-block''
cream containing 2 percent titanium dioxide with iron oxides was recommended.
It showed some success in preventing VDT symptoms and the associated
dermatitis (reference 4).  Improvement in some Norwegian cases was noted
after the substitution of antistatic floor carpeting in the work area
(reference 3).

References

1. Liden C, Wahlberg JE: Work with video display terminals among office
employees.  _Scand J Work Environ Health_ 11: 489-493, 1985.

2. Berg M, Liden S: Skin problems in video display terminal users.  _J Am
Acad Dermatol_ 17: 682-684, 1987.

3. Nilsen A: Facial rash in visual display unit operators.  _Contact 
Dermatitis_ 8: 25-28, 1982.

4. Fisher A: ``Terminal'' dermatitis due to computers (video display units).
Cutis 38: 153-154, 1986.

5. Berg M, Langlet I: Defective video displays, shields, and skin problems.
_Lancet_ 1(4): 800, 1987.
-- 
richard welty  518-387-6346  GE R&D, K1-5C39, Niskayuna, New York
   welty@ge-crd.ARPA  {uunet,philabs,rochester}!steinmetz!welty


Computer System Vulnerabilities

Rodney Hoffman <Hoffman.es@Xerox.COM>
2 Aug 88 08:43:51 PDT (Tuesday)
RISKS Moderator Peter Neumann has an op-ed piece in the August 2 Los Angeles
Times with the headline 

                       A GLITCH IN OUR COMPUTER THINKING
         We Create Powerful Systems With Pervasive Vulnerabilities.  

Although they are overly-familiar topics to RISKS readers, I trust the moderator
will permit a few quotes:

   Our civilization seems to have developed an inherent craving for easy 
   answers, especially regarding technology.  In particular, we tend to
   anthropomorphize computers and endow them with human intelligence -- 
   while at the same time we deify them and endow them with
   infallibility....

   One of the most serious problems in computer-related systems is the 
   inadequate protection of such valuable resources against unintended 
   or malevolent misbehavior by authorized as well as unauthorized 
   computer users -- and against malfunctions of the computer systems....

   [Brief mentions of computer-related problems at Pacific Bell, NASA,
   banks, the Vincennes, false arrests....]

   Computers and their communications are frequently vulnerable, but they 
   are also limited by the intelligence and wisdom of their developers,
   administrators and users.

   It is a common myth that the complexity of such systems deters
   malfeasants.  In fact, the attackers may understand the system better 
   than many of the defenders.  Digital technology is inherently finite 
   -- there are only certain possible cases.  The number may be large, 
   but often there are shortcuts that eliminate the need to search 
   exhaustively for a needed clue -- password, design flaw or code bug....

   There are no guaranteed complete solutions that can prevent computer-
   system malfunctions, intrusions and both accidental and malevolent 
   misuse.  But there are prudent measures that can be taken to reduce 
   the risks.  [Better design and implementation, better laws, ...] 
   Above all, we must have a computer-literate populace -- better 
   educated, better motivated and more socially conscious.

   Computer security vulnerabilities are pervasive, but they are not 
   usually evident to the general public.  Depending on flawed computer 
   systems will lead only to bigger disasters.  Overall, we must work 
   much harder to understand and openly consider the true risks of 
   using computers.


Disaster Exposition

Cliff Stoll <cliff@Csa4.LBL.Gov>
Wed, 3 Aug 88 21:59:02 PDT
Hi Riskees!

Last month's Computer Assurance conference -- COMPASS '88 was a gas --
really good talks on electronic voting systems, computer assisted automotive
problems, fly-by-wire risks, and averting computer domino effects.  Our
illustrious hero, Peter Neumann, gave a couple outstanding talks.  For those
of you who haven't met him, he's just as quick with puns behind the podium
as when moderating our forum.

COMPASS dealt with averting disasters.  On the flip side is the
1988 International Disaster Congress, Nov 9-11, in Chicago.
Sounds weird to me:   
   "How was your meeting?"   "Complete disaster."

It sounds neat, but I can't afford $675 admission, 
so if any of you Riskees are going, could you post your notes to Risks?  

Keynote Speaker:
    Edward Teller (inventor of the H Bomb, promoter of Star Wars)
    "Gaining a Global Perspective of Disaster Control"

Some session titles:
Prior Planning for "Acts of God"
Foreseeing Deliberate Acts of Violence
Anticipation of Technology's Catastrophes
Identifying Beforehand the Impact of Epidemics
Success Stories of Disaster Preparedness
Implemented Programs for Minimizing Natural Disaster Impact
Preventive Approaches to Controlling Deliberate Violence
Ventures for Mitigating Technological Accidents
Restraining Threats of Mass Disease
Sustaining Corporate Morale in Midst of Nature's Attack
Allocating Resources while under Siege
Damage Control at Accident Scenes
Minimizing the Spread of Current Epidemics
Cleanup Following Natural Disaster
Recovery from Violence Induced Calamity
Post Exposure Measures for Restoring Health
Timely Action following International Incidents
Eliminating All Effects of Sustained Disaster
Replacing Resources Destroyed by Natural Catastrophe
Restoring Order from Chaos of Deliberate Violence
Total Recuperation from Epidemic
Recovery Through Repossession and Reparations

Speakers are from:
Bay Area Earthquake Preparedness Project, 
Univ. Rome, Univ. Delaware
Emergency Preparedness Council of Canada
Int'l Assoc of Fire Chiefs
Cincinnati Hazardous Materials Task Force
Maryland Institute for Emergency Medical Services
Disaster Services for American Red Cross
National Governor's Association
California National Guard
Association of American Railroads
Armed Forces Institute of Pathology
Israeli National Police
Association of Contingency Planners, American Savings/Loan
Federal Insurance Administration

Also, there'll be a Disaster Exposition, "A showing of products for 
anticipating, coping with, and recovering from disaster."  
Yikes -- what do you think they sell to recover from
one of Teller's thermonuclear bombs?

Registration/Details: 
Kotch & Poliak, 708 3rd Ave, NYC, 10017   212 557 6950


Cheers,  Cliff Stoll   Cliff@lbl.gov 
