The RISKS Digest
Volume 7 Issue 36

Wednesday, 17th August 1988

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Package-deal arguments about VDT's
Philip E. Agre
o Blue Cube new software problems
Randy Neff
o Zero-balance dunning letter
Jerome H. Saltzer
o Chicago Disaster Conference
Lee S. Ridgway
o Car Electronics sensitive for atmospheric interference
Martin Minow
o 1 in 10 NATO software modules reported incorrect
Jon Jacky
o Mathematical Error Puts Deficit off by $1.2 billion
o Info on RISKS (comp.risks)

Package-deal arguments about VDT's

Philip E. Agre <Agre@WHEATIES.AI.MIT.EDU>
Mon, 15 Aug 88 17:31 EDT
When someone reports on the downsides of a technological artifact, they are
often labeled an `anti-technologist'.  They are then rhetorically asked if
they would prefer a world without electric lights and antibiotics.  We might
call this a `package-deal argument'.  It presents a monolithic entity called
`technology' and, by asking `are you for it or against it?', demands either
wholesale acceptance or wholesale rejection.

This technique can also be used on a smaller scale.  If someone has been
injured by working with a computer, one can make a package deal of a
monolithic entity called `computers' and say things like, to quote Brint
Cooper in RISKS 7(35),

    "Risks of using computers must be assessed against the risks of not
    using computers."

Frequently such arguments draw subtly bogus analogies to older, `lower'
technologies so as to portray the complainers as irrationally biased against
novelty and change.  Thus, 

    All my life, I have known people who read a great deal in their childhood
    and wound up with extreme nearsightedness.  I knew a chap who repaired
    small timepieces most of his life and, in his 60's was nearly blind.  No
    one suggested that books and precision repair are risky to one's vision.

Note the monolithic entities called `books' and `precision repair'.  Do
`books' cause nearsightedness?  Does `precision repair' cause blindness?
That's not the point.  `Books' and `precision repair' don't `do' anything, 
any more than computers `do' things.  What happens when people read books,
repair watches, or sit at VDT's depends on the context in which they do it.

When a human being is maimed at work, it is a complex social phenomenon.  If
`technology' can send people to the moon and keep track of huge inventories,
then `technology' can alleviate occupational hazards.  Technology is a tool.
The point about occupational visual damage connected to employers' workplace
practices regarding VDT's concerns the economics of industries that use
computers.  Do market forces encourage employers to protect employees or to
destroy them?  The answer to this question has varied at different places 
and times, but very often the answers have been sad ones.

Cooper is certainly correct that proper epidemiology is required with regard
to complaints of eye damage resulting from jobs involving VDT use.  I worry,
though, that in the context of Cooper's rhetoric, his painfully ironic demand
that these studies be `multiply blind', although perhaps methodologically
justified, might reflect a worldview in which `technology' is under attack
from `anti-technologists' who set up Video Display Terminal Eye Clinics in
order to generate pseudo-epidemiological propaganda.  This Manichean sort of
approach to debates about workplace organization is not going to help in
hearing the complaints of the maimed or in making offices and factories into
human places to work.

Blue Cube new software problems

Randy Neff <neff@anna.STANFORD.EDU>
Mon, 15 Aug 88 21:13:27 pdt
From San Francisco Chronicle, Friday, Aug 12, 1988.  pages 1 and A22
(without permission and condensed)

New Pentagon Satellite System Having Troubles
   by John Schneidawind     Chronicle Staff Writer

A program to renovate the Pentagon's super-secret "Blue Cube" satellite-control
system in Sunnyvale is way over budget and behind schedule, according to a
recent congressional report.
    The General Accounting Office estimates that the Air Force program's costs,
orignally pegged at about $600 million in 1980, have ballooned to $1.4 billion
and could rise an additional $450 million before the project is completed.
    The Blue Cube, a top secret computer facility at Onizuka Air Force Base,
just off Highway 101 and Mathilda Avenue, controls satellites transmitting
the nation's most vital military and intelligence secrets. [also next to
Navy's Moffett Field, NASA Ames Research, and Lockheed.]
    The GAO report was issued last Friday [Aug 5], but so far has been 
distributed to only a handful of military experts.   The Chronicle obtained a 
copy of the report.
    The project's problems include glitches in computer software being developed
to process the tremendous amounts of data generated by communications 
satellites orbiting the Earth.
    According to the GAO report, the new system originally was supposed to 
handle 5 million bits of data per second, but it will be able to handle only 
about 1 million.
    The project was originally scheduled to be completed in October 1987 and 
was to have included a facility in Colorado Springs that would help control
the satellites.
    The arrangement would have allowed Sunnyvale and Colorado Springs to 
function as backup operations for each other.
    But the GAO says software problems have pushed the completion of the 
project to 1989 at the earliest.
    "(The) Defense (Department) considers Sunnyvale to be vulnerable to 
failures from earthquakes or other threats such as direct military attack,"
the GAO report notes.
    Officials at the Air Force's Space Command in El Sequndo, which oversees 
operations at the Cube, were not available for comment yesterday.  Officials 
from IBM Corp.'s Federal Systems Division in Bethesda, Md. which built the new
computer equipment and software, also could not be reached.
    The space shuttle is about to return to service, and the main priority will
be to put dozens of military satellites into orbit.
    But unless problems with the new satellite control systems are corrected,
the extra satellites could create capacity problems that may disruput the Blue
Cube's existing satellite control system, the GAO report implies.
    The Blue Cube — so named because it is housed in a turquoise-colored 
building-- is maintained under contract by Lockheed Missiles and Space Co.
    According to the GAO, the facility monitors and controls 54 orbiting
satellites that provide critical defense communications, navigation, 
surveillance and weather information.   [more on what satellites do]
    However, some of the computer technology used to monitor and control 
orbiting satellites is more than 20 years old, and the Air Force since 1980
has been trying to come up with a new system.
    So great are the problems with the new system that the Air Force has yet
to fully test it successfully, let alone make it fully operational, the GAO
report states.
    As of February 1987, the GAO says, "the new system was averaging only a
69.6 percent success rate in performing satellite contact functions, where 95
percent success is the minimum requirement."
    The Air Force has told the GAO that the success rate is now 90 percent.

Zero-balance dunning letter

Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>
Tue, 16 Aug 88 10:41:33 EDT
Just in case anyone thought those stories about dunning letters for zero
balances are apocryphal, yesterday's mail from Bloomingdale's provided a
certifiable example:

     Dear Mrs. Saltzer

     A review of your account shows the amount below to be past due.

     If you feel that this amount is incorrect, please enclose a
     remittance for the correct amount and give us an explanation of
     the deductions on the reverse side of this letter.  Otherwise we
     shall expect payment in full of the amount due.

     We would appreciate your prompt attention to this matter.

     Thank you.

     Very truly yours,

     K. George
     Divisional Credit Mgr.
     Amount due $******.00

Since the letter seemed very sincere and it requested prompt action, I
immediately called the computer-printed telephone number, and reached a
recording, which said, "The number you have reached, 239-0374, has been
disconnected.  No further information is available about 239-0374."

The people in Bloomingdale's customer service department were profusely
apologetic; "That letter should never have gone out."  "The credit department
moved to a new location about a month ago."  Apparently the computer hasn't
found out about the move yet, and NY Telephone has already forgotten about it.


Chicago Disaster Conference

Tue, 16 Aug 88 11:06:12 EDT
A boxed article in this morning's Boston Globe (8/16/88) noted that the
organizers of a conference on disasters, slated for Chicago's McCormack Place
in November, had to be cancelled due to lack of interest.

   [UPI in San Francisco Chronicle, 16 Aug 88 quoted the PR firm representative
   representing the organizers: ``It is absolutely amazing, given the things
   that have happened recently...''  ``Canceling this is a bit of a disaster 
   itself.'' ...   PGN]

Car Electronics sensitive for atmospheric interference

Martin Minow <>
16 Aug 88 11:01
From the Stockholm daily newspaper, Dagens Nyheter, 27-Jul-1988.  [My
quick translation.  My notes are in brackets.]

        Danger of Sensitive Car Electronics
            by Anders Lundqvist

Sensitive automobile electronics may be the explanation of the mystery of
"sudden acceleration." Interference in the atmosphere or a poor environment
under the hood can be sufficient to affect the electronics so that the
car unexpectedly speeds away out of control.

This theory was brought forth by the [Swedish Goverment] Traffic Safety
Board [TSV], which is worried about the development of electronics in cars.

"The development can be questioned.  What are the needs?  The engine
compartment is a difficult enviromnent for electronics; and how well
are the components isolated?" wonders Bo Jarleryd at TSV.

Mats Gunnerhed, a departmental director at the National Defense Research
Institute [FOA — a Swedish equivalent of Mitre] has studied the problem of
sudden acceleration in cars since the summer of 1987.  One explanation is,
according to Gunnerhed, that the circuitboard for the automatic speed control
can be easily damaged [in such a way that the device forces full acceleration.
Gunnerhed demonstrated that a break in a single circuit-board trace can cause
this problem.  There was a note on this in a recent Risks.]  ...

But "sudden acceleration" has even been seen in cars without automatic speed
controls, which caused TSV to become interested in all electronic equipment.
"Scientific reports from Japan show that robots have killed 8 or 9 people
because of errors in the electronics.  Interference from nearby machines has
affected the robot's microprocessors," says Bo Jarleryd.

"The question is how sensitive automobile electronics and their microprocessors
are?  We have received several reports from drivers whose automatic speed
controls have turned off when they are in the vicinity of Arlanda [Stockholm's
airport].  This suggests that atmospheric interference in an area with many
radio [and radar] transmitters may be sufficient to halt the electronics."
[quote not attributed.]

Sudden acceleration cannot be associated with a single brand of automobiles.
owever Audi has been associated with a number of accidents where the car has
unexpectedly sped away.  One accident occurred in Stockholm about two years
ago where a car rushed up on the sidewalk and drove over two pedestrians,
causing the death of an older woman.

The police examination couldn't find anything wrong with the car.

Nor could anyone in the United States find any technical problem with the
800 cars that were involved in accidents caused by sudden acceleration
up to January 1987.

In any case, Audi in the USA decided to recall 250,000 cars in the 1978-1986
model years with automatic transmissions to add an interlock in the
transmission that required the driver to step on the brake before putting
the car in drive.  Even though the problem was, and still is, unsolved.

Even Ford, GM, Volvo, Saab, and Mercedes have had problems since the 1970's.

The American government decided on Monday [25-Jul-1988] to examine a total
of 215,000 German-built Mercedes Benz in the 1984-1988 model years with
gasoline motors and automatic transmission.  This is due to an alarm raised
by the "Center for Automobile Safety" on "sudden acceleration" in the cars.

According to the group, 164 reports of sudden acceleration of Mercedes Benz
have come in.  125 accidents were reported, resulting in 46 injured and one

According to Philipsons, the importer of Mercedes Benz in Sweden, this is
primarily the 300E model with automatic speed control.

[I think there's an old Risks item noting a "sport" played by truckers with
high-powered CB radios, where they zap cars trying to pass them, causing
their electronic fuel injection to fail.  Also, note a recent Risks I posted
about the recall to fix the automatic speed control in my Volvo.]

[Translated by Martin Minow,]

1 in 10 NATO software modules reported incorrect (COMPASS '88 report)

Jon Jacky <>
Tue, 16 Aug 88 08:47:06 PDT
I attended COMPASS '88, held June 27 - July 1 at the National Bureau of
Standards in Maryland.  COMPASS (for "Computer Assurance") is an
annual meeting devoted to the safety and security aspects of computer systems.

John Cullyer from the Royal Signals and Radar Establishment (RSRE), the central
electronics research laboratory of the UK Ministry of Defence (MOD). gave a
paper on his group's VIPER microprocessor, a 32-bit RISC chip designed for
safety-critical applications.

The VIPER project fits into a larger computer safety program at RSRE, and
Cullyer tried to convince the audience of the necessity for developing systems
with a great deal of mathematical rigor. Cullyer explained that RSRE's safety
program derived from MOD's concern over the integrity and safety of its
computer-based weapons and vehicles.  RSRE performed a study of NATO software
in the early 80's, using a static analysis technique in which a program is
represented as a directed graph, various expressions are associated with the
arcs and conclusions regarding correctness are derived from them. (Several
automated tools based on the RSRE work are on the market, including MALPAS from
Rex, Thompson and Partners, and SPADE, from Program Validation Ltd.  Cullyer
said a similar idea was behind an American tool called DAVE).  Of the modules
(a program is composed of many modules) which 
RSRE sampled from the NATO inventory, 1 in 10 were
found to contain errors, and of those, 1 in 20 (or 1 in 200 overall) had errors
serious enough to result in loss of the vehicle or plant!  About the same
findings were made whether the code came from Britain, the USA, or West

But the MOD was really roused by several "near-miss" accidents which Cullyer
said he was not permitted to discuss.  He mentioned in conversation that one
incident involving "general ordnance" might have resulted in hundreds of
deaths. A military board of inquiry determined that computer problems were at
fault. Studies determined that incidents derived with approximately equal
frequency from three kinds of problems: incorrect or incomplete specifications,
errors in programs, and "unexpected functionality" from microprocessors. This
last item came as a bit of a surprise; what it meant was that the processor as
delivered simply did not behave as described in its assembly language
programming manual.  VIPER is an attempt to address this problem.  The project
was felt to be so urgent that it was funded within 48 hours of submission.

Cullyer closed his talk with a warning: "I don't think we have all pursuaded
our bosses that there is a problem.  If we do not implement these methods,
there will be a lot of accidents and a lot of people will die.  If we do
implement them there will still be accidents, but we will limit the
casualties." He also mentioned that new MOD software procurement standards
(which he helped draft) will require formal development techniques for critical
software.  He added that he thought British law and tradition were more
protective of people and sensitive to safety concerns than in the USA.  For
example, MOD regulations explicitly prohibit any cost saving that might
increase hazard to life — you are not allowed to trade lives off against

(This is an excerpt from a report on COMPASS '88 that will appear in the
October issue of ACM SOFTWARE ENGINEERING NOTES.  The conference proceedings
including Cullyer's paper on VIPER are available $30.00 from COMPASS '88, PO
Box 5314, Rockville, MD 20851)

- - Jonathan Jacky, University of Washington

Mathematical Error Puts Deficit off by $1.2 billion

Peter G. Neumann <>
Wed 17 Aug 88 16:48:47-PDT
WASHINGTON (AP) — A $1.2 billion mathematical error by the Reagan
administration in calculating the size of next year's federal deficit could
spark a fight within Congress when lawmakers return to the capital next month.
The mistaken estimate, which under the Gramm-Rudman balanced-budget law cannot
be rectified, is preventing the spending of $1.2 billion at a time when
legislators are struggling to decide which among several competing spending
bills they will pass. ...  OMB first made the error when calculating the rate
of spending in a foreign military sales program in an August 1987 deficit
report...  [From the San Jose Mercury News, 17 August 1988]

Please report problems with the web pages to the maintainer