The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 57

Saturday 24 September 1988

Contents

o Faulty locks delay prison opening
Henry Cox
o In the future, risks of purchasing handguns
Alan Kaminsky
o Olympian RISKS
Henry Cox
o [Another Willamette] Sewage Spill Linked to Computer
Nike Horton
o Keep backups, risk job
James F. Carter
o Computer failure shuts down several thousand telephones
Vince Manis
o LA Times photo of humorous credit card maybe not so funny
Michael Coleman
o Risks of Cellular Phones?
Chuck Weinstock
o Auto Computer Risks
Chuck Weinstock
o Volvos and Electromagnetic Interference
Bill Welch
o Scientific Safety
B.Littlewood
o Computer Defaults (The Mental Tyranny of Cash Registers)
Stephen Rickaby
o Info on RISKS (comp.risks)

Faulty locks delay prison opening

Henry Cox <cox@spock.ee.mcgill.ca>
Thu, 22 Sep 88 19:59:46 edt
LOCKS THAT WORK ARE KEY TO OPENING OF NEW JAIL
Montreal Gazette, 22 Sept 1988 

Placerville, Calif. (AP) - The new El Dorado County jail would be ready to open
except for one problem:  the cell doors won't lock.  Faulty electronics have
affected the high-technology locks, along with television monitors and a
communication system, jail commander Ed Newman said.  "These are very dramatic
problems," said Newman, adding that 13 flawed electronic panels are "literally
the hands and feet of the officers."  The panels have been shipped to a
Maryland electronics company to be reworked and won't be back for three weeks.

The jail's design relies on a central control post from which guards can
electronically open and close cell doors, communicate with prisoners and
operate lights.  The jail's contractor is paying a daily penalty of $1250 to
compensate for the delays, county general services director Joe Winslow said.

[ Kidding aside, one hopes that the jail's designers were/are aware of the risks
inherent in such a centralized system.  Perhaps we ought to mail them a few
back issues of RISKS. ]

     [Don't kid yourself.  There are equally nasty risks with distributed
     control.  PGN]


In the future, risks of purchasing handguns

<ark%asgard@CS.RIT.EDU>
Thu, 22 Sep 88 09:24:02 EDT
An excerpt from Time Magazine, September 26, 1988, p. 26.

  "Why Wait a Week to Kill?  The gun lobby 
  overwhelms an attempt to restrict handguns."

[...The article begins with a description of the Brady Amendment that would
have required gun dealers to wait seven days before completing a handgun
sale, so police could do an identity check on the purchaser.  The National
Rifle Association lobbied hard against the amendment, and the House of
Representatives defeated it, 228 to 182.  Now for the computer risk...]

"Florida Republican Congressman Bill McCollum Jr. offered a way out of the
quandary.  He proposed replacing the waiting-period requirement with a
provision to give all 275,000 federally licensed gun dealers in the U.S.
instant access to a nationwide list of convicted felons.  Prospective gun
buyers could be fingerprinted and the samples sent electronically to
Washington for an instantaneous check against the FBI's millions of prints.

"But there is no master list of convicted felons, no way to make such data
quickly and widely available, and no speedy means of sending and matching
fingerprints.  A network to provide such information could take years to
create and cost up to $500 million; making it available to gun dealers could
violate civil liberties.  Beyond that, McCollum's system would not prevent
gun sales to illegal aliens and the mentally ill.

"Still, a majority of House members reached for this fig leaf.  They voted
to kill the Brady amendment and replace it with McCollum's phantom plan. ..."

Just imagine what could go wrong if this legislation ever got past the
Senate and the President, and such a system were implemented ...

Alan Kaminsky               P.O. Box 9887
School of Computer Science      Rochester, NY  14623
Rochester Institute of Technology   716-475-5255


Olympian RISKS

Henry Cox <cox@spock.ee.mcgill.ca>
Thu, 22 Sep 88 19:57:51 edt
ROOF RIPS AGAIN [ From the Montreal Gazette, 9 Sept. 1988 ]

The Olympic Stadium's fabric roof suffered yet another rip yesterday - this one
three meters long. [ I have no idea how many other rips there have been. ]

The Olympic Installations Board said in a statement it was disappointed by the
mishap, which happened during tests of the roof's automatic retracting
mechanism, because workers had got the roof-opening procedure down to below one
hour.  The board said computer controls on one winch weren't working, placing
uneven tension on the fabric.  Repairs should be done by tomorrow.

[ Not a great story, but, after legendary cost overruns, an Olympic deficit
that we are *still* paying off, and a roof that finally came 12 years late (and
at approximately the cost of a *complete* covered stadium), I thought the
Stadium roof deserved a mention in RISKS.  ]
                                        Henry Cox


Sewage Spill Linked to Computer [BTW, See RISKS-7.7]

Nike Horton <horton%reed.uucp@RELAY.CS.NET>
Thu, 22 Sep 88 09:42:36 PDT
SPILL LINKED TO COMPUTER
The Oregonian (Portland, OR) Sept 22, 1988 page B2

    A computer programming error combined with a burned-out wire led to a
sewage spill into the Willamette River this week, said J.  Michael Read,
supervisor of the Tri City Service District.  District technicians estimated
Wednesday 1.5 million gallons of sewage spilled into the Willamette near the
mouth of the Clackamas River late Monday and early Tuesday, Read said.  The
district serves about 40,000 persons in Oregon City, West Linn and part of
Gladstone.  The state Department of Environmental Quality lifted its warning to
stay out of the river below Willamette Falls at 7am Wednesday.
    While the burned-out wire stopped the sewage treatment pumps, he said,
a programming error kept an automatic telephone dialing mechanism from
signaling anyone that the machinery wasn't working, Read said.
    District employees will be checking other alarms to see if any similar
problems exist in the system, which is less than 2 years old, Read said.  A
back-up alarm, which was being installed at the time of this week's spill, may
be operating by the end of the week, the supervisor said.

    [Readers may recall earlier sewage spills into the Willamette River,
    also blamed on the computer, and noted in RISKS-7.7 in a contribution
    from Randal L. Schwartz:

      June 1988: "Sewage flows into river; computer failure blamed" --
      The five-hour spill from the Sullivan Pump Station poured about 5.4
      million gallons into the Willamette River downtown.

      June 1985: Another computer failure caused the dumping of more than 3
      million gallons of raw sewage into the Willamette from the same pump
      station.

   Perhaps that is a new meaning for "garbage in, garbage out."  PGN]


Keep backups, risk job

<jimc@math.ucla.edu>
Fri, 23 Sep 88 09:07:48 PDT
From Los Angeles Times, 9/23/88, page 1 (Mark Gladstone and Paul Jacobs,
Times Staff Writers):

"The day after the FBI raided [state] Capitol offices last month, a
legislative employee noticed a tenfold increase in the purging of documents
from the legislative computer system and acted quickly to save the material
...  Paul Huelskamp, who works in the legislative data center, confirmed
that he and co-worker Michael E. Parr were suspended by the legislative
counsel's office pending the outcome of an internal investigation.

"Parr, a 15-year state employee and a data processing supervisor, refused an
order by his superiors to erase the computer tapes, feeling it would be
construed as an obstruction of justice, Huelskamp told The Times. ...

"Instead of the typical 70 to 80 computer deletions, Huelskamp discovered 750
to 800.  The employee quickly extended the life of backup tapes until the
end of the year.  Normally, they would have been automatically erased after
14 days.  'I thought it might be useful for the FBI,' said Huelskamp ...

"The GOP sources said that the caucus staffers, aware it is illegal to
conduct political campaigns with public resources, were worried that FBI
agents would discover the material in the state computer.  ...

"The legislative counsel, according to the source, ordered the internal
investigation because he felt the traditional lawyer-client relationship may
have been violated by the employees.  The legislative counsel is the lawyer
for the legislature and also controls the computer system."

[Disclaimer: Opinions herein are mine and are not to be construed as
representing those of The Regents of the University of California.]

James F. Carter        (213) 825-2897
UCLA-Mathnet;  6608B MSA; 405 Hilgard Ave.; Los Angeles, CA  90024-1555
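
The story turns on two controls that a data-center operator can actually put in code: noticing that the deletion rate has jumped an order of magnitude above its baseline, and freezing the backup sets that still hold copies of the purged material before the retention schedule erases them. The block below is an added example, not code from the article or from the legislative data center. The figures (70 to 80 deletions on a normal day, 750 to 800 the day after the raid, tapes normally erased after 14 days, the hold extended to year end) come from the story; the audit-log format, user names and dates are constructed for the example.

```python
"""Detect an abnormal deletion surge and put the relevant backups on hold.

Added example; not code from the article or the legislative data center.
The figures come from the story; the log format, user names and dates are
constructed.
"""
from collections import Counter
from datetime import date, timedelta
from statistics import median

# Constructed audit log, one line per event: "<date> <user> <action> <object>".
# Fourteen normal days of 75 deletions, then one day of 780 (hypothetical dates).
LOG = "\n".join(
    [f"1988-08-{day:02d} staff{n % 9} DELETE doc{day}-{n}"
     for day in range(1, 15) for n in range(75)]
    + [f"1988-08-15 staff{n % 9} DELETE doc15-{n}" for n in range(780)]
)

RETENTION_DAYS = 14                  # normal tape life from the story
HOLD_UNTIL = date(1988, 12, 31)      # "until the end of the year"


def deletions_per_day(log: str) -> dict:
    """Count DELETE events per calendar day from the audit log."""
    counts = Counter()
    for line in log.splitlines():
        day, _user, action, _obj = line.split(maxsplit=3)
        if action == "DELETE":
            counts[date.fromisoformat(day)] += 1
    return dict(counts)


def anomalous_days(counts: dict, window: int = 7, ratio: float = 5.0) -> list:
    """Days whose deletion count is at least `ratio` times the median of the
    preceding `window` days.  A median baseline keeps one busy day from
    dragging the threshold up; 5x is well under the tenfold jump in the story."""
    flagged = []
    for day in sorted(counts):
        prior = []
        for k in range(1, window + 1):
            earlier = day - timedelta(days=k)
            if earlier in counts:
                prior.append(counts[earlier])
        if len(prior) < 3:
            continue                 # not enough history for a baseline
        if counts[day] >= ratio * median(prior):
            flagged.append(day)
    return flagged


def hold_backups(backup_dates: list, flagged: list,
                 retention_days: int, hold_until: date) -> dict:
    """Return the expiry date for each nightly backup set.  Any set taken on
    or before a flagged day and still unexpired on that day may hold copies
    of the purged material, so its expiry is pushed out to hold_until.
    Sets that had already expired before the surge cannot be recovered
    and are left alone."""
    expiry = {b: b + timedelta(days=retention_days) for b in backup_dates}
    for f in flagged:
        for b in backup_dates:
            if b <= f and expiry[b] >= f:
                expiry[b] = max(expiry[b], hold_until)
    return expiry


def demo() -> dict:
    """Run the pipeline on the constructed log; results as ISO date strings."""
    counts = deletions_per_day(LOG)
    flagged = anomalous_days(counts)
    # Nightly sets from 25 July to 15 August (constructed).
    backups = [date(1988, 7, 25) + timedelta(days=i) for i in range(22)]
    expiry = hold_backups(backups, flagged, RETENTION_DAYS, HOLD_UNTIL)
    return {
        "peak": max(counts.values()),
        "flagged": [d.isoformat() for d in flagged],
        "held": sorted(b.isoformat() for b, e in expiry.items()
                       if e == HOLD_UNTIL),
        "expired_before_surge": sorted(b.isoformat() for b, e in expiry.items()
                                       if e != HOLD_UNTIL),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hold step is timing: with a 14-day tape life, anything not frozen within two weeks of the purge is gone regardless of what an investigation later wants, so the anomaly check and the retention change belong in the same automated path rather than depending on one alert employee.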


Computer failure shuts down several thousand telephones

Vince Manis <manis@grads.cs.ubc.ca>
Thu, 22 Sep 88 11:38:52 PDT
According to a story in yesterday's Vancouver Sun, a failure at a telephone 
switching centre caused several thousand phones in an area on the west side
of Vancouver to be inoperative for about 1 hour. Apparently, the phones would 
accept incoming calls (and ring), but would not permit outgoing calls to be 
made (including, one assumes, 911 calls). There was no report of any personal
injury or loss as a result of the outage.

A BC Telephone Co. spokesperson said that the failure was due to a `computer
bug', but couldn't be more specific. The centre in question serves a number
of exchanges, but only part of one exchange was affected. 

Vincent Manis, Department of Computer Science, University of British Columbia
Vancouver, BC, Canada V6T 1W5                manis@cs.ubc.ca


LA Times photo of humorous credit card maybe not so funny

Michael Coleman <coleman@CS.UCLA.EDU>
Thu, 22 Sep 88 12:49:35 PDT
(Reproduced without permission from the Los Angeles Times, 9/22/88)

      Citibank Visa Gives Credit Where Credit Isn't Due
        by Douglas Frantz, Times Staff Writer

Doris A. Stokes applied for a Visa credit card from Citibank over the telephone
a few weeks ago.  When a Citibank employee asked Stokes if she wanted a second
card for another family member, she replied, "Maybe later."  Her shiny new
Citibank Visa card arrived at Stokes' Los Angeles home this week.  So did one
for Maube Later.  "I brought it down to work, and everybody here was in tears
laughing so hard about it," said Stokes, an administrative assistant at the
Los Angeles Junior Chamber of Commerce.  The response was more subdued at the
New York headquarters of Citibank, the nation's largest bank and the world's
biggest issuer of Visa and MasterCard credit cards.  "Are you serious?" asked
Susan Weeks, a bank spokeswoman in New York, when the incident was described to
her.  Assured that the talk was true, she groaned, "Oh, no."  (rest deleted)

  (Appearing above the article is a large picture of a smiling Doris A.
  Stokes holding a Citibank Visa with the name Maube Later.)

While the story itself is somewhat amusing, I wonder more about the wisdom of
using that particular picture.  In it we can clearly see everything on the
card, including the number (xxx8 140 851 226), except for the first three
digits, which are obscured by Stokes' finger.  This apparently is to keep
someone from using this information for illegal ends.  But wait, if Citibank is
"the world's biggest issuer of Visa ... cards", perhaps I have one laying
around.  Here it is: the bank number (the first four digits) is 4128.  Oops.
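
The poster's reconstruction can be checked mechanically, and doing so shows how little the finger actually hid.  The block below is an added example, not code from the post: it runs the Luhn mod-10 check (the checksum printed card numbers carry) over the digits visible in the photo, enumerates all 1000 completions of the three obscured leading digits, and then applies the issuer prefix the poster reports (4128, of which the 8 is visible).  The card digits are those printed in the post; nothing else about the card is assumed.

```python
"""Luhn check and candidate enumeration for a partially obscured card number.

Added example, not part of the original RISKS post.  The visible digits
"8 140 851 226" and the reported issuer prefix "4128" come from the post.
"""
from itertools import product

VISIBLE = "8140851226"     # digits readable in the photo, as reported above
OBSCURED_DIGITS = 3        # leading digits hidden by the cardholder's finger


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:         # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_candidates(visible: str, obscured: int) -> list:
    """All completions of `obscured` leading digits that pass Luhn."""
    out = []
    for digits in product("0123456789", repeat=obscured):
        candidate = "".join(digits) + visible
        if luhn_valid(candidate):
            out.append(candidate)
    return out


def narrow_by_issuer(candidates: list, prefix: str) -> list:
    """Keep only candidates consistent with a known issuer prefix."""
    return [c for c in candidates if c.startswith(prefix)]


if __name__ == "__main__":
    cands = luhn_candidates(VISIBLE, OBSCURED_DIGITS)
    print(f"{len(cands)} of {10 ** OBSCURED_DIGITS} completions pass Luhn")
    print(narrow_by_issuer(cands, "412"))
```

The checksum alone throws away nine tenths of the completions before any knowledge of the issuer is used, because the check digit fixes the last obscured digit once the other two are chosen.  Any redaction that hides fewer digits than the Luhn check plus a public issuer prefix can recover is cosmetic; this is why card-industry masking rules for displayed numbers leave at most the leading six and trailing four digits visible.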


Risks of Cellular Phones?

Chuck Weinstock <weinstoc@SEI.CMU.EDU>
Mon, 19 Sep 88 10:14:00 EDT
While discussing radio triangulation last night, the question came up:
If I dial a phone number attached to a cellular phone, how does the
cellular system know which cell should send the ring signal to the
phone?  Is it a system wide broadcast, or does the cellular phone
periodically broadcast a "here I am" signal?

If the latter, a less than benevolent government (or phone company for
that matter) could use that information to track its citizens' cars'
whereabouts.  In an industrial setting, a competitor with access to
the right information could track a sales rep's sales calls to develop
a client list.

Chuck Weinstock


Auto Computer Risks

Chuck Weinstock <weinstoc@SEI.CMU.EDU>
Mon, 19 Sep 88 10:09:06 EDT
On occasional Sundays I participate in time-speed-distance (TSD) road rallies.
The object is to follow a course (on public streets) driving it at exactly the
right speed as given by the instructions.  Your car is timed as it passes
certain points not known to you in advance, and you are assessed a penalty for
every 1/100th of a minute you are early or late.  The person who creates the
rally tries to write the instructions so that they are accurate but mistake
prone, so course following can be tricky.

To avoid the constant need for on-time calculations (to free up time for the
navigator to help stay on course), many experienced rallyists run with special
purpose digital computers hooked up to record distance and display timing
information.  These are hooked into the car's electrical system for power.

A friend just purchased a new Ford Probe (Mazda) and the service manager told
him to be careful how he wired anything into the electrical system as the car
had its own computer on board.  My friend decided one day to try his rally
computer out and used a cigarette lighter adapter to hook up the power.  The
computer seemed to run ok, but when he later started the car, it would not
idle.  It would start fine, and he could drive it as long as he didn't take his
foot off the gas.  If he did the RPMs would drop to zero and the car would
stall.  He removed his computer and drove the car for about 10 minutes and
things got back to normal.  He has subsequently wired his computer into the
electrical system directly and has had no further problems.

One wonders if a radar detector or a cb radio (two common appliances that use
the cigarette lighter) would cause the same difficulty.
                                                                Chuck Weinstock


Volvos and Electromagnetic Interference

"BILL WELCH, BCD COMPUTING CENTER, (614)424-7155" <WELCH@battelle.arpa>
Mon, 19 Sep 88 15:22 EST
I own two Volvos - a 1984 and a 1988 DL245 station wagon. Both cars suffer
strange effects to various computer/electronic systems in the presence of
radio signals. When I use my HAM radio transmitter on the 2 meter FM band
(144..148 MHz) both have problems. The 1984 cruise control drops out, and on
the 1988 the turn signals blink twice as fast as normal and the speedometer
drops to zero.

    [We have had a bunch of messages on this subject in past issues, but the
    problem has evidently not gone away.  PGN]


Scientific Safety

B.Littlewood <sd396@CITY.AC.UK>
22 Sep 1988 15:43:24-WET DST
I'm sorry William Murray has problems with my English.  In the case of the
Airbus A320 the notion of an "acceptable level of safety" is, unusually,
spelled out by the manufacturers of the critical fly-by-wire system.  They
say that the reliability REQUIREMENT is 10**-9 failures per hour (see paper
by Rouquet and Traverse in Proceedings of SAFECOMP 86).  Their reason for
adopting such a demanding requirement is that (in their own words) " . . loss
of . . function cannot be tolerated."

In a case like this it would, I think, be perverse to regard the system as
"acceptably safe" if it had not satisfied the manufacturer's own requirements.
Let us be charitable and take it that this requirement is not merely necessary
but sufficient for the award of the coveted status of "acceptably safe".

My assertion was simply that, in these terms, the A320 had NOT been demonstrated
to be "acceptably safe".  Indeed I believe that such cannot be demonstrated.
I would go further and offer an opinion that the actual achieved reliability
of the system is orders of magnitude less than this requirement.

Murray goes on to say that such novel technology would not be tolerated in
the US unless it could be "proved" to be safer than the technology in use.
This seems to me a pretty acceptable way forward, and I assume that it would
not require demonstration of the achievement of ludicrous figures such as
that above.  However, even this more modest goal has not been demonstrated
and it is my understanding that it will not be required before the plane
gets a US certificate.  Given the role played by software in this system,
and the absence of a fully functioning mechanical back-up, I do not believe
that such a demonstration is possible.

I have a lot of sympathy with Murray's comments on our blithe acceptance of
the mayhem which results from automobiles, tobacco, etc., and the difficulty
of getting this on the political agenda.  It would be a pity, though, if
manufacturers of aircraft were allowed to get away with building less safe
systems than hitherto, merely by appealing to the fact that flying is safer
than smoking!

Bev Littlewood, Centre for Software Reliability, City University London EC1V 0HB
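
A back-of-the-envelope calculation of what "demonstrating" the stated requirement by operational testing would take; this is an added illustration, not part of Littlewood's message.  It assumes failures of the system arrive as a Poisson process with constant rate $\lambda$ per hour and that the demonstration consists of running the system for $T$ hours without a single failure.

$$P(\text{no failure in } T\ \text{hours}) = e^{-\lambda T}$$

To reject the hypothesis $\lambda \ge \lambda_0 = 10^{-9}$ at significance level $\alpha$ on the strength of a failure-free test, the test must be long enough that such a result would be improbable if the true rate were $\lambda_0$:

$$e^{-\lambda_0 T} \le \alpha \quad\Longrightarrow\quad T \ge \frac{\ln(1/\alpha)}{\lambda_0}$$

With $\alpha = 0.01$ this gives $T \ge 4.6 \times 10^{9}$ hours, roughly $5.3 \times 10^{5}$ years of failure-free operation of the system under test.  Even the weakest possible standard, $\alpha = 0.5$ (the test result merely makes the requirement more likely than not), needs $T \ge 0.69 \times 10^{9}$ hours, about 79,000 years.  Any failure during the test pushes the bound further out.  That is the arithmetic behind the claim above that a $10^{-9}$ per hour figure cannot be demonstrated, and the same bound applies whatever the technology: it is the number, not fly-by-wire in particular, that is beyond test.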


Computer Defaults (was: The Mental Tyranny of Cash Registers)

Stephen Rickaby <sfr@praxis.UUCP>
Wed, 21 Sep 88 14:52:10 BST
Reading comments in RISKS about implicit belief in computers reminded me of a
phenomenon I encountered in a previous job. Faced with the task of producing a
large volume of related software, one of the tasks we undertook was the design
of a common i/o library, partly for efficiency and partly to ensure a uniform
`feel' across the software.

As our terminals were pretty much glass teletype mode, one attempt to introduce
an element of user-friendliness was to give as many interactive screen routines
as possible 'hot defaults': a suitable value for the parameter being requested
would be displayed in braces ([thus]), this convention (HP and others) meaning
'the value you will get if you press <return>'. The slight touch of
sophistication was that (valid) alternative values entered were swapped into
the [braces], and <return> alone was required to confirm them. The system
worked quite well, particularly for largely numerical interfaces for programs
with a large iterative content and small changes in parameters for each
iteration, typical of mathematical modelling and similar applications.

However, much of this software was for computer-assisted ATE work, performed by
staff who had a very sound grasp of the work they were doing but not
necessarily of computers. After a while, the following phenomenon was noted:
when the default parameters were presented, they were often accepted even
though the operator did not know a suitable value or even *thought they were
wrong*. This was not out of laziness or a reluctance to use a keyboard, but
because *the computer had suggested a value*, so it must be correct.

We never solved this one, and I left before the megawatt RF amplifiers were
automated...

Steve Rickaby, Praxis Systems plc, 20 Manvers Street, Bath, BA1 1PX, UK,
Tel: +44 225 444700  sfr%praxis.uuc@ukc.ac.uk  !mcvax!ukc!praxis!sfr        
