Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 8: Issue 48
Monday 3 April 1989
Contents
BMW's DWS system - Brian Randell
Risks of insomnia - Roger H. Goun
VDT Risks? No, Lead pipe cinch. - F. Baube
Aircraft running out of fuel in flight - Dale Worley
Yet another round of Airbus A320 discussions - Joe Morris
Daylight savings change requires computer shutdown - Walter Roberson
Elevator accident kills 13 year old - Walter Roberson
Re: "Free Fall" -- new book on 1983 Air Canada near-disaster - Henry Spencer
Newspapers' computer access to public records - Wm Randolph Franklin
Computers and Property Revaluation: It's Great in Dayton, Ohio - John Karabaic
Credit card magstripe-encoded pictures - Brian Randell
Using Pre-release Software - David A. Honig
Computer say, go to jail - Clifford Johnson
Accidental erasure of magnetic media used by the public - Peter Jones
BMW's DWS system
Brian Randell <Brian.Randell@newcastle.ac.uk>
Sat, 1 Apr 89 12:11:13 BST
Today's Independent newspaper contains an advert by BMW which provides yet further evidence of the automotive industry's flagrant disregard for the possible risks associated with new computer-based technology. The main text of the advert is reprinted below, in its entirety, followed by a brief note of some of what I regard as the more obvious risks.

BEFORE A BMW WILL START IT WEIGHS UP WHO'S DRIVING

First BMW brought you ABS, for safer braking in the wet. Then came ASC, to help counter wheelspin during acceleration. Today, they can unveil DWS: probably the most significant advance in anti-theft technology to occur in recent years.

DWS stands for Driver's Weight Sensor. A unique system that compares the driver's weight with a pre-programmed value stored in the sensor's computer memory. If the two values do not match, the car simply refuses to start.

Clearly, this represents a whole new level of anti-theft sophistication. But one that has only been made possible thanks to recent advances in space satellite PHAT technology. This remarkable new material - Poly Halide Anodal Tritium - exhibits a highly predictable change in electrical conductivity according to the pressure exerted upon it.

By harnessing these properties, BMW's engineers have devised a wafer-thin pressure pad that, when incorporated into the driver's seat, can electronically assess the occupant's weight to within 10 grams accuracy.

Such is the system's intelligence, it will take account of bodyweight variations that occur according to the time of day, or even the time of year. This it achieves by interlocking with the car's on-board 365-day digital clock. Accurate allowance can then be made for weight increases that may be expected immediately after meal times, and those that are caused by multi-layer clothing during the winter months.

Despite its space age technology, the operation of DWS is simplicity itself. On entering the car, the driver inserts the ignition key, at which point the words `Code Enter' flash up on the dashboard LED display. Up to five of these codes can be stored for five different drivers.

The driver now enters his personal code on the key pad and his weight appears on the light-up display, expressed in either pounds or kilos. (Lady drivers who would prefer this visible display switched off should consult their BMW dealer, who will carry out the small necessary adjustment free of charge.)

The sensor weight reading is then compared to the programmed weight in the memory, and providing this falls to within +-5%, the car will start normally.

If, however, the figure exceeds these tolerances, then a discreet gong sounds, and the entire ignition system shuts down.

Should persistent attempts be made to restart the car, an alarm system is triggered, and the headlights flash alternately until the unauthorised person vacates the seat and re-closes the door. At the same time a pre-recorded message is transmitted on the standard police radio frequency, notifying all walkie-talkie equipped police officers within 350 metres of the car's registration number.

If you'd like to know whether the Driver's Weight Sensor anti-theft system can be fitted to your car, contact your local BMW dealer, or post off the coupon below [to Hugh Phelfrett, BMW Information Service, PO Box 46, Hounslow, Middlesex, TW4 6NF].

Some likely risks:

Just when you have arrived back from a week-end backpacking, and are desperate to get to MacDonald's before they close, the car is likely to refuse to recognise you. (The opposite problem is perhaps not so bad - for example, it would be good for you to be occasionally forced to walk or jog to WeightWatcher's class.)

Suppose the car does consent to take you to MacDonald's, the weight display, which I assume is dynamically updated, will be an additional and dangerous distraction while you drive home eating your Big Mac. (A head-up display would reduce this risk.)

A person's weight variations over the year are strongly correlated to cultural, racial, and religious factors. Almost certainly, therefore, this system will provide another example of "computerized discrimination".

There is even a security-related risk. By periodically dieting, a spy could use the occasional transmissions of the pre-recorded message as a covert signalling channel to a near-by embassy, say.

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne
JANET = Brian.Randell@uk.ac.newcastle
UUCP = ...!ukc!newcastle.ac.uk!Brian.Randell
PHONE = +44 91 222 7923
Risks of insomnia
Roger H. Goun <goun%evetpu.DEC@decwrl.dec.com>
30 Mar 89 14:04
From The Wall Street Journal, Thursday, March 30, 1989, p. A1:
"DIAL-A-SNORE: People having difficulty sleeping can dial the Lenox Hill
Hospital Sleepline in New York. An answering machine plays an eight-minute
tape that includes a message designed to help insomniacs doze off while
listening."
Pity the poor insomniac who does fall asleep in the middle of such a call:
- After eight minutes, the Lenox Hill Hospital answering machine will hang
up and a loud, synthesized telephone company voice will say, "If you'd like
to make a call, please hang up and try again."
- If our insomniac manages to sleep through that, his or her phone might
well remain off-hook all night, blocking incoming (possibly emergency) calls.
-- Roger Goun
VDT Risks? No, Lead pipe cinch.
"F.Baube" <fbaube@note.nsf.gov>
Sun, 02 Apr 89 17:11:54 -0400
There has been mention of a high incidence of miscarriages at the headquarters of _USA Today_ in Rosslyn, Virginia. The cause was suspected to be VDT usage. The Washington DC _City Paper_ of March 31 states that the cause has since been determined to be lead in the building's pipes.
Aircraft running out of fuel in flight
Dale Worley <worley@compass.com>
Mon, 3 Apr 89 11:44:32 EDT
This is quoted from memory from a Wall Street Journal article on the event: The
manufacturer's "minimum equipment list" for the 767 includes two electronic
fuel gauges. Thus, technically, the pilot took the plane off with inadequate
equipment. I can understand why both the pilots and the airline would consider
manually measuring the fuel level with a dipstick to be fully equivalent to the
electronic fuel gauge, but this event shows that one should probably fly by the
book; infrequently performed manual backup activities have a high likelihood of
error.
Dale Worley, Compass, Inc.
Yet another round of Airbus A320 discussions
Joe Morris (jcmorris@mitre.arpa) <jcmorris@mitre.mitre.org>
Sun, 02 Apr 89 18:45:44 EST
This morning's Washington _Post_ has a near-full-page article on fly-by-wire
aircraft and the safety issues involved. It's a rather well-written piece
which (unlike too many of the so-called "news" reports) is not written to
prove that the FBW systems ("are absolutely safe"|"are not at all safe").
Choose your favorite ending; both types of "news" are available.
(The article is on page C-3; issue date is Sunday, 2 April)
The article cites the Airbus crash in France last 26 June. That crash has been
the subject of numerous RISKS submissions which have explored many of the
issues, but the _Post_ article cites other Airbus problems I haven't seen
detailed. They include "...engines unexpectedly throttling up on final
approach; inaccurate altimeter readings; sudden power loss prior to landing;
steering problems while taxiing."
The reports are credited to "the European press". Can anyone elaborate
on the reports?
[Nancy Leveson is in DC this week, and picked up a copy. If no one else comes
up with a fuller report, Nancy has promised one for Tuesday night. PGN]
Daylight savings change requires computer shutdown
<Walter_Roberson@carleton.ca>
Sun, 02 Apr 89 13:52:18 EST
I found this on one of the systems I use (not the one I'm mailing from.) The
times involved match exactly with those from previous time changes, so I begin
to suspect they're serious about how long it takes.
Walter Roberson
VM/CMS downtime
---------------
NEWS DOWNTIME provides information about scheduled and unscheduled shutdowns
as well as extended crashes. [...]
----- 89.03.02 0800 - 89.03.02 1300
On Sunday April 2 1989 VM/HPO will be down from 0800 to 1300 hours and TSS
and MVS/XA will be down from 0800 to 1000 hours for the change to Daylight
Saving Time.
Elevator accident kills 13 year old
<Walter_Roberson@carleton.ca>
Sun, 02 Apr 89 14:29:56 EST
The following was extracted from The Ottawa Citizen, Sunday April 2, 1989, pg A1 + A2:

Elevator accident kills 13-year-old refugee
(By Dennis Foley, Citizen staff writer)

A 13-year-old girl [...] was crushed to death Saturday in an Ottawa apartment elevator that residents say has a history of malfunctioning.

Segal Samanter jumped on the elevator and was caught between the closing door and the door frame [...] She was crushed against the upper door frame.

Several residents said all three elevators continually malfunction and passengers are often jarred by their quick-closing doors. [...]

"If they break down, they're repaired immediately," he said. "There was an elevator repairman here today." [building manager, Cliff Gray] He didn't know which of the three elevators had been repaired Saturday. [...]

"There is always something wrong with these elevators. They move when they're not supposed to, and they stop between floors." [Afshin Adill]

Ababdihakim Ali, 19, said that earlier in the day the door of the elevator in which Samanter was killed would close only halfway. It continued to operate this way, he said. [...]

Witnesses said the elevator had stopped several centimetres above the floor level before Samater (sic) got on.

Awleker Ahmed, 16, said he had been standing alongside Samanter in the elevator lobby and had warned her against trying to jump on to the elevator, which already contained several passengers. She ignored his warning, he said. [...]

Pat Baerg, the building's secretary, said problems with the elevators are the result of tenant abuse. "If children didn't play on them and tenants didn't jam the doors open with cardboard, we wouldn't have problems," she said. She also said many tenants didn't know how to properly use them. "It's a tenant problem, not an elevator problem," she said. [...]
Re: "Free Fall" -- new book on 1983 Air Canada near-disaster
<attcan!utzoo!henry@uunet.UU.NET>
Sat, 1 Apr 89 22:06:32 -0500
>(2) A "dipstick" procedure for measuring fuel supply by hand was done
> incorrectly, leading the mechanics to conclude that the plane had
> more fuel than was in fact the case (and, thus, that it was safe to
> fly the plane without working fuel gauges!)...
Does the book (or the condensed version) address the question of whether
this "safe" procedure violated regulations? My recollection of what was
said at the time is that it's okay to fly a 767 with both fuel gauges
operating, and it's okay to fly with one gauge operating plus the
dipstick check, but if both gauges are out [as in the 1983 case], the
plane is supposed to stay on the ground, period.
Whether my memory is correct or not, taking off with no fuel gauges strikes
me as a dangerous and foolhardy action. Quite apart from reducing a
redundant system to a single failure point (the manual calculation), the
decision to take off without gauges also quietly assumed that nothing
would go wrong in such a way as to quietly reduce available fuel (e.g.
a leak). The real problem here was not unit conversion, but the old
"it can't happen to me" syndrome. Bet that pilot never takes off without
gauges again, ever, dipstick tests or no dipstick tests.
Henry Spencer at U of Toronto Zoology
Newspapers' computer access to public records
Wm Randolph Franklin <wrf@mab.ecse.rpi.edu>
Mon, 27 Mar 89 15:58:10 EST
Some newspapers in the area are trying to obtain magtape copies of public
records that are already available on paper, such as driver licenses, criminal
convictions, and land ownership. They want to perform statistical tests and
cross-database matching. This would seem to have all the dangers of
governmental database matching, e.g. that when a coincidence is found, the
victim is assumed guilty and must prove his innocence.
However, the newspapers might be harder on an innocent victim than the
government since they can publish anything, however false, if they can't be
proved to have been malicious. Finding and printing an interesting
coincidence, perhaps that you own property next to someone accused of organized
crime, and also sold your previous car to another organized crime suspect,
wouldn't be malicious, just sensationalistic.
Wm. Randolph Franklin, RPI
Computers and Property Revaluation: It's Great in Dayton, Ohio
John Karabaic <fuzzy%aruba.dnet@wpafb-avlab>
Fri, 31 Mar 89 08:52:31 EST
From an informational notice entitled "Important Answers about PROPERTY
REVALUATION" hung on my doorknob by a representative of the Montgomery County
Auditor's Department (Dana A. Stamps, County Auditor):
... [previous Important Answers, to questions like {\bf What is
the purpose of a revaluation program}]
{\bf How is my property value determined}
In the first phase, data collectors -- who are not appraisers --
verify and update the County property data file by making an on-site
visit to your property. Using the information gathered by the data
collector and sales data from the local market, the appraiser uses a
computer to perform statistical analysis and mathematical calculations
necessary in arriving at two basic approaches to value for residential
property -- the Cost Approach and the Market Approach -- to compare
your property to the current market trends and assist him in his final
conclusion of value.
The computer then produces an appraisal review card, from which a
professional appraiser will determine the actual value in a final
field review of each parcel. All final value conclusions are made by
an experienced appraiser during this review. With the laborious tasks
of statistical analysis and calculations being done by computer, the
appraisers are now free to concentrate their talents on evaluating the
results. Through integration of the electronic efficiency and
accuracy of the computer with the experience and sound judgement of
professional appraisers, the auditor's office will save the taxpayers
of this county many thousands of dollars on future revaluations and
enhance the quality of the appraisal process. ...
[more Important Answers follow]
No news yet on any systems acquisition fiascos in the Auditor's
Office, but the tone of the letter shows that the Auditor expects
county property owners to sleep easy knowing that their tax bills are
being set with the help of "the electronic efficiency and accuracy of
the computer." There is an appeal and review process for individuals,
but no mention of how the statistical model itself is validated.
{\em Quis custodiet ipsos custodes}?
Lt John S. Karabaic (fuzzy%aruba.dnet@wpafb-avlab.arpa) WPAFB, OH 45433-6543
Credit card magstripe-encoded pictures (RISKS-8.45)
Brian Randell <Brian.Randell@newcastle.ac.uk>
Tue, 28 Mar 89 12:48:06 BST
Regarding Mike Trout's query:

>But on a more important topic, is there any empirical
>evidence to suggest that credit card fraud could be significantly reduced by
>facial images, either true photographs or digitized images?

Several years ago I was told by the late Charles Read, who at the time was Director of the Inter-Bank Research Organisation, here in the UK, that they had run an experiment on the use of photographs on credit cards, as an aid to reducing fraud. He told me that: "We sent out a dozen people, each with a credit card bearing the same photograph of the same gorilla, and on average they succeeded in passing the card eight times!"

(I found the phrase "the same photograph of the same gorilla" particularly memorable, and have often wondered what the results would have been if they had used different gorillas!)

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne
Using Pre-release Software
"David A. Honig" <honig@BONNIE.ICS.UCI.EDU>
Sun, 02 Apr 89 15:20:45 -0700
April's IEEE Spectrum contains an article about the design of the Intel i860 (aka "N10") RISC processor. In a section called "Unauthorized Initiative" [p 26] the author (T. S. Perry) includes the following story:

One of the designers heard from a friend in Intel's CAD department about a tool that would take a design from the logic-simulation level, optimize the circuit design, and generate an optimized layout. The tool eliminated the time taken up by circuit schematics, as well as the checking for schematic errors. It was still under development, however, and while it was even then being tested and debugged by the 486 team (who had several more months before deadline than did the N10 team), it was not considered ready for use.

The N10 designer accessed the CAD department's mainframe through the in-house computer network and copied the program. It worked, and the bus-control bottleneck was solved.

Said CAD manager Nave guardedly, "A tool at that stage definitely has problems. The specific engineer who took it was competent to overcome most of the problems himself, so it didn't have any negative impact, which it could have. It may have worked well in the case of the N10, but we don't condone that as general practice."

A number of classic RISKs are apparent, but what stands out to me is the lucidity in the last paragraph and the importance of engineers' *understanding* their tools, not just *using* them. (This also reminds me of how some mathematicians get upset when they perceive engineers using mathematical tools without a good understanding of their basis, e.g., using integration without studying measure theory first...)

Of course, it is not just electrical engineers but social `engineers' and other planners, controllers, etc. that need to understand their tools' functions and limits.
Computer say, go to jail [Re: Driscoll, RISKS-8.44]
"Clifford Johnson" <GA.CJJ@Forsythe.Stanford.EDU>
Wed, 22 Mar 89 15:52:49 PST
Same problems in Silicon Valley. I rear-ended a car in stop/go traffic in December (my first ever collision). I gave the guy I hit my insurance details, and reported the matter to my insurance, who agreed to pay, no problems. A month later I got a notice that my license would be suspended in two weeks for being in an accident and not having insurance. I was informed that after that date I would be automatically jailed if any officer caught me driving. How did the State hear of the accident, and how did it conclude I was uninsured? I've no idea. The telephone number they gave was *permanently* busy, I tried many times, but I *immediately* had sent them documentation which proved I had been insured. Two months later I got a notice informing me that my suspension had been cancelled, after it had been in place for some weeks. I'm glad I wasn't stopped during that time is all I can say.
Accidental erasure of magnetic media used by the public
Peter Jones <MAINT@UQAM.BITNET>
Thu, 30 Mar 89 12:10:48 EST
I noted with interest the article on the erasure of floppy disks placed vertically behind a child's car seat in an automobile equipped with seat heaters. I wonder if the data was made unreadable by the magnetic field of the heater, or if the disk was raised to above the Curie temperature (the point where a substance loses its magnetism because of thermal agitation.)

Today, there was a bulletin on the radio in which the Montreal Urban Community Transportation Commission (MUCTC), the authority that operates the buses and subway (Metro) in Montreal, announced a problem with the magnetic stripe at the bottom of its monthly passes when used in automatic turnstiles. They claim that some six hundred of the five hundred thousand issued monthly (0.12%) are damaged by proximity to magnetic latches in purses and wallets.

Does anyone know if credit cards are subject to this problem?

Peter Jones MAINT@UQAM.BITNET (514)-282-3542
