The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 9 Issue 79

Monday 9 April 1990


o Fixing Computer Error Cost $1,300 in Overtime
Chris McDonald
o Computer problem delays Calif. Lotto payouts
Rodney Hoffman
o Computer Glitch Cuts of Decco Sales
Mark Adams
o Computer Animations in court testimony
Peter Scott
o Re: Proposed UK Authority for Risk Management
Dan Franklin
o Re: Intruders arrested
Mike McBain via Lee Naish
o Re: More on Prodigy's Updating of a User's Disks
Leonard Erickson
o Wonderfully mistaken letter generators
Frank Letts
Gary Cattarin
o Re: Automated Fast Food
o Re: Airbus Crash: Reports from the Indian Press
Dan Brahme
o A320 press excerpts
Robert Dorsett
o Indian A320 crash
Henry Spencer
o The two A320 crashes show similarities
Martyn Thomas
o Info on RISKS (comp.risks)

Fixing Computer Error Cost $1,300 in Overtime

Chris McDonald ASQNC-TWS-RA <>
Thu, 5 Apr 90 16:25:33 MDT
The Albuquerque Journal, Thursday, April 5, 1990, ran the subject headline.
The article states that:

    A combination of errors erased thousands of computer docketing entries
last week at state District Court, requiring 14 clerks to work Saturday to
redocket the material at an estimated cost of $1,300 in overtime.  Court
Administrator Thomas Ruiz on Tuesday blamed the mishap on `human error' and
`system error', meaning `we allowed it to happen through the format of the
computer system', he said.  He added that steps have been taken to avoid a
repeat occurrence.  [...]

    Docketing is the process by which clerks enter into the computer system
summaries of all court documents filed, such as new cases, motions to dismiss,
judges' orders and defendants' formal responses to lawsuits.  Ruiz said every
court document docketed March 27 in all four divisions--civil, criminal,
domestic relations and Children's Court--was erased when an employee `went
through the wrong sequence of procedures' while intending to perform a `backup'
function.  [...]

Computer problem delays Calif. Lotto payouts

Rodney Hoffman <>
6 Apr 90 09:41:58 PDT (Friday)
Summarized from a story by Virginia Ellis in the Friday, March 30, 1990
'Los Angeles Times' and a small follow-up note on Saturday, March 31:

A computer failure on Thursday, March 29, forced a one day delay in payoffs
for the first time in the California Lottery's four-year history.  On an
average day, about 550,000 people redeem winning lottery game tickets which
depend on computer verification (that is, not the scratch-off game tickets,
but the Lotto and Decco games).

Joanne McNabb, communications manager for the California State Lottery,
said an equipment failure destroyed a small amount of the data on a
computer file used to validate winning tickets.  The problem was discovered
when they tried to reconcile ticket sales in the validation file with the
file in another computer.  The lost data was reconstructed overnight from a
master file that keeps duplicate information as a backup.

Just one week earlier, some Decco winners in Southern California were
unable for a few hours to cash their tickets because a computer file was
overloaded with winners and had to be quickly expanded.

Computer Glitch Cuts off Decco Sales

Mark Adams <mca%medicus@uunet.UU.NET>
7 Apr 90 11:00:34 PST (Sat)
[ From the San Francisco Chronicle, April 7 1990. ]

"Computer Glitch Cuts Off Decco Sales"

Sacramento - A computer programming glitch has cut off sales of certain Decco
tickets containing popular card combinations six times since the California
Lottery unveiled the new game last month, officials said yesterday.  The
problem was discovered two weeks ago when lottery computers rejected attempts
by some gamblers to buy Decco tickets containing four aces - the game's hottest
selling card combination, lottery director Chon Gutierrez said.

Technicians discovered that computer programmers had built an unauthorized
limit into the system that allowed only 8,000 tickets to be sold on any one
card combination, Gutierrez said.  The limit has been reached in six of the 28
draws since the game bagan March 5, preventing about 48,000 tickets from begin
sold - or 1 percent of total Decco plays in the half-dozen affected draws, said
lottery spokeswoman Joanne McNabb.

Because California schools get at least 34 cents of every $1 spent on the
lottery, the education system has been deprived of more than $16,300 in revenue
because of the computer problem.  Lottery officials are now studying ticket
sale patterns to determine how much they will raise the limit.  They do not
want to erase the limit completely, however. State law restricts annual Decco
prize payouts to 50 percent of ticket sales. If lottery officials were to
remove the limit entirely, prize payouts could rise over 50 percent of ticket
sales if a popular card combination were drawn several times in the game. [...]

Computer Animations in court testimony

Peter Scott <PJS@grouch.JPL.NASA.GOV>
Fri, 6 Apr 90 18:46:04 PST
I've just seen a segment on ABC News Tonight which has me worried.
It was about the use of computer animations in court testimony.
They showed animations of plane and car crashes which used solid
modelling and realistic rendering combined with animation to show
what "really" happened.  Nowhere in the segment did they suggest that
it represented a synthesis of various points of view.  One attorney
asserted that he doubted he would have won his client's case without
the animation of his client's ride on a roller coaster, which he claimed
caused a stroke.  Despite the fact that 8 million other people had
ridden the coaster without ill effects, because this guy had an animation
that looked like the real thing, showing g-forces on his client's head,
he won his case.  In another case, an animation of an accident claimed
to be unavoidable was said by a juror to be convincing, because you
could "really see what happened, and it was very colorful."

The RISKs are obvious; going from circumstantial evidence of, say,
a car crash, they animate the scene and necessarily make numerous
assumptions in order to be able to produce a viewable animation.
The jury is subliminally convinced that they are watching a video
reenactment of the scene, and if the other side doesn't have a
video of their own... the animations are likely to be viewed by
jurors as direct evidence instead of indirect.  The segment started
with an animation of a plane crash married with the cockpit voice
recorder, and the flight recorder telemetry (?) was used as input
for the animation.  That's a whole lot more reliable than taking
evidence from casual witnesses to a car crash and translating it
to position and velocity data.

Peter Scott (

Re: Proposed UK Authority for Risk Management

Thu, 05 Apr 90 19:32:13 -0400
The Authority for Risk Management sounds like a good idea, but I can't
help being a little put off by one comment:

> ARM's rigorously independent scientists will not be allowed to become
> purists. Their advice would have to be accompanied with the cost
> implications of new policy. The minister, public and Parliament need to know
> how much they are going to spend to live in a safer environment, and decide
> if they want to pay the price.   ....

This paragraph presents risk management as though it must necessarily cost
money, and the only issue is to decide whether to pay the price.  But it should
be obvious to any government, particularly one that runs a national health
service, that reducing a risk can SAVE it money!  If fewer people are poisoned
or hurt, health costs go down.  Governments lacking a national health service
or other direct connection to health costs should consider the savings to
society as a whole (that's theoretically why government does things, after

Admittedly, once you start doing this, you often end up trying to decide just
how valuable it is to save or prolong a given life.  Not a great situation, but
"not to decide is to decide" anyway.
                                            Dan Franklin

Re: Intruders arrested

Lee Naish <>
6 Apr 90 03:17:32 GMT
In article <>, simon@ucs.Adelaide.EDU.AU
(Simon Hackett) writes:
>    There is some (quite) recently enacted state law in SA which makes it
> illegal to access a "restricted access" computer system without
> authorization. Doesn't matter whether you do anything, this is simply
> making it illegal to log into any system for which you require a
> password, where you ain't a person who should be using it. Restricted
> access is defined in the enactment of the law in a form of words which
> means the above.
>    There is a second offence defined, which equates to unauthorized
> modification of information in a system.
>    Both offences carry 2 years/$2000 fine as maximum penalties.

In a related vein, here is an item from the Melbourne `Age' 3/4/90

`Man fined $750 for computer trespass', by Geoff Winestock

A man who copied a confidential set of programs from the computer company where
he worked became the first person convicted under a new computer trespass law
yesterday.  Alexander Belkin, 31, of Latona Avenue, Knoxfield, was fined $750
in Prahran Magistrate's Court for gaining access to a computer without lawful
authority.  He was also fined $250 for unlawful possession of a library book.
On 1 April 1989, Belkin, who worked for GNA Computing Pty Ltd, copied some
business record systems without specific authorisation from his employer.

Mr David Bamber, for Belkin, said the computer trespass law should be viewed as
analogous to ordinary trespass, for which it was necessary not just to prove an
incident had occurred but that it was done with criminal intent.  Otherwise, he
said, the offence of computer trespass could extend to thousands of
schoolchildren operating computers without permission or employees going about
their business.

But the magistrate, Mrs Heather Spooner, said the facts of the case were
clearly covered by the legislation. The law applied not only to offences where
there was criminal intent, such as computer hacking and theft, but also to
regular users, such as employees.  Mrs Spooner said the law was a response to
calls from the computer industry and police to stop the harm caused by mere
access or "intellectual voyeurism". Prosecution was necessary in a case such as
this, which involved computer programs of great value.  She said the
application of the law would require considerable common sense. Schoolchildren
operating computers should not be in jeopardy.  Mrs Spooner said that Belkin's
evidence on matters such as the workstations he was authorised to use and the
copies he was allowed to make on floppy disks had been inconsistent with that
of his employer.  She concluded that he had not been honest.

Belkin would bear the cost of his mistake for the rest of his life,
especially in his standing in the industry, and she had taken this
into account in sentencing him.

Mike McBain, Avid Systems Pty Ltd, St Kilda, Australia 3182

Re: More on Prodigy's Updating of a User's Disks

Leonard Erickson <leonard@nosun.West.Sun.COM>
Fri, 6 Apr 90 23:33:43 PDT
CompuServe has had the ability to do this for at least 9 years. Their
L-Protocol was *specificly* designed so a user could enter a short
BASIC program which would call in, download *and execute* a terminal

The B-protocol description includes this feature *explicitly* in the
protocol description, along with such features as "disable keyboard"
and disable video upddates". I *think* the older A protocol also had
these features.

All of these CIS protocols include a whoami string that sends an
identifier string that identifies the machine type, software version,
and protocols supported in response to a remote query. This response is
invisible to the user.

I know that some people used programs like CIS's VIDTEX for their
*only* terminal program. I once considered having a BBS check for such
people and do something to their machine... it would be rather easy.

This is not a new risk, but it is more widespread than some think.
Leonard Erickson        ...!tektronix!reed!percival!bucket!leonard
CIS: [70465,203]
"I'm all in favor of keeping dangerous weapons out of the hands of fools.
Let's start with typewriters." -- Solomon Short

Wonderfully mistaken letter generators

Thu Apr 5 22:49:08 1990
Several posts in RISKS-9.78 reminded me of a humorous incident down here in
Sugar Land, Texas, in the early 1970's ('73, I think).  A letter similar to the
below arrived one day in the office of the Eldridge Road Church of Christ:

    Congratulations, Mr. Christ!  Our computer has selected you as only
    one of a few to receive a set of lucky numbers in our (who rememebrs)

    Yes, Mr. Christ, you and the entire Christ family may be the ones to
    enjoy a full expense paid trip to Hawaii, or a new Cadillac!

    Be sure to return your sweepstake numbers today and qualify for the
    early-bird bonus! And while you are at it, place your NO obligation
    order for our latest publication [some book named here], something
    that the Christ household certainly should not be without!

That still cracks me up when I am reminded of it.

Frank Letts, Sugar Land, Texas

Wonderfully mistaken letter generators

Fri, 6 Apr 90 13:35:08 edt
CEO summary:
The item from Yuri Rubinsky in RISKS 9.78 concerning the letter he
received indicating that the letter he desired was backordered
reminded me of a wonderful abuse of software I received several years
ago.  I was still a "minor" as they say, or "underage", and my
grandmother had set up a "custodial account" money market.  These
accounts were addressed as:  Granny Smith, Cust
                             Joe Underage UGMA/NY
Or, in English: 

Re: Automated Fast Food

Fri, 6 Apr 90 17:13:56 EST
In RISKS Digest 9.78, Dave Curry ( wrote about automation at
his local Arby's.  [...]  It seems to me that what he's actually seen is the
first phase of implementation and testing of this new system, and that the
management of Arby's is sensibly keeping the old system in place.  If this
touch-screen stuff can be made to work properly and is accepted, he will
probably not see staff members hanging around doing nothing for long: Arby's
outlets will reduce staff to the minimum required to cook, deliver hot food,
clean, and take money.

I have read that the largest overhead for the operation of a fast-food
restaurant (where they serve food which makes you feel that you might as well
fast) is the cost of personnel.  If this is true, then with increased
automation profits have the potential to rise a great deal.  Of course, there's
a risk to the management and to other members of US society in this kind of
change: not only may Arby's lose customers, due to decreased service quality,
but some low-income families will have their incomes reduced even further as
the pool of service jobs they've depended on dries up.

Re: Airbus Crash: Reports from the Indian Press

Dan Brahme <>
23 Mar 90 23:03:57 GMT writes:
>Aviation Week reports that India refused European airworthiness authorities'
>request to participate, and also refused information requests from them and
>from Airbus Industrie.                 Henry Spencer at U of Toronto Zoology

Not really. The reason to exclude the Europeans from the investigation is to
prevent doctoring or tampering with evidence. It is very surprising that the
French have started talking about carelessness of the pilot. If they do not
have access to the investigating teams report how can they talk about
carelessness of the pilots. I fly all the time in North America and quiet often
in Europe and India. In fact the quality of Indian pilots is very good and the
average may in fact be better than the europeans judging by smoothness of the

The A320 has a lot of software in it. Anybody who has any knowledge of large
software systems knows that it is often the source of many problems. A look
at how many times the space shuttle launch had to be postponed due to some
software problem should shed some light.

Considering that, if there is a (or many) technical problem and Indian Airlines
continues to fly the plane and there is another accident many more lives will
be lost. On the other hand, if all the planes are grounded and later on it is
found that there is no problem with the plane, then the cost to AIRBUS is at
most a possible loss of sales for a short period.  If this results in loss of
some jobs, I am sure the engineers can find another job or live on their
savings or welfare. Considering the alternative (1) few frenchmen losing jobs
to (2) several indians dying, I don't think there is anything wrong with
grounding. In fact if the airline had not grounded the rest of the planes I
would have been one of the first to protest.

The behavior of Airbus displays complete lack of concern for human life and
shows that they care only for profits at all costs. It also shows that they are
willing to introduce UNSUBSTANTIATED reports in an attempt to cover their ass.

It is interesting to note that not a single message of condolence was sent by
the airbus president to the families of those who died in the accident. If such
an accident took place in the US and AIRBUS behaved the way it did it would
loose credibility with the american public and it would suffer severe financial
loss due to lawsuits filed in US courts.

Dhananjay Brahme

A320 press excerpts

Robert Dorsett <>
Fri, 30 Mar 90 21:44:34 -0600
The following are from the February 21st and 28th issues of FLIGHT
INTERNATIONAL, and actually appear to be somewhat authoritative.  They clarify
various information/misinformation which has appeared on RISKS and
sci.aeronautics over the past month.  [I've interspersed my own comments
(brackets).  Take those with a grain of salt. :-)]

* The airfield had no ILS approach.  VOR/DME, NDB only.  Runway length was
10850'.  Field elevation 2914'  No significant terrain nearby.  Visibility
was unlimited at the time.  The crash occurred at 1300 local time [1PM].

* The approach was being made manually.  There were no reported emergency
communications between tower and aircraft.  The landing gear was down.

* Airplane collided with the ground approx. 500 meters from threshhold, in
a golf course, bounced, and came to rest 100 meters from the end of the
runway.  FLIGHT characterizes the initial impact as "soft." [ note: bounces
are generally the result of the aircraft having too much velocity, and not,
as is often thought, testimony to the elastic characteristics of
airplanes :-) ].

* There was no evidence of birdstrike on the engines [ V.2500's, a brand
new engine model ].  The aircraft had 366 hours, over some 300 trips.

* The article indicates that under 100', the automatic power-advance component
of the alpha-floor flight protection system is inhibited.  [ I am not convinced
this is accurate.  After the recent discussion with Pete Mellor, I have been
conducting research; the evidence supports his claim that protections last to
the ground--but most of the material I've been able to find is fairly old.
Losing automatic engine authority would remove much of the benefit of having
protections in the first place. ]

* The entire India Airlines fleet was grounded.

* Airbus is indicating India is withholding information from the manufacturer.
India responds that they want a "fair" examination of the evidence, by
no parties with economic interest.  They're farming out analysis of the
flight data recorder to the Canadian Aviation Safety Board.

* Airbus has issued a safety bulletin, advising pilots not to fly too slow
during approaches.  The aircraft was reported to have had a "very steep"
approach path.  [ This may either reflect concern over the flight systems,
or improper technique--the article is not clear on that. ]

* The French flight technician's union has called for A320's to be grounded,

* The president of the union is specifically concerned about the lack of
uniform control laws on the aircraft, as well as the general human interface.

* The Mulhouse-Habsheim flight data recorder showed the aircraft hit the
trees at 32', with the engines idled for most of the trip.  After the crash,
the crew complained that there was delayed engine response when they commanded
full power.  The FDR, however, stated that there was a 0.5 second delay [ I
wonder, though--if the throttles are essentially electrical controls that
*request* a service from the flight management system, and the FDR gets its
inputs from said system, could it be possible that the FDR record only shows
the difference between the time the throttle "request" was *posted* by the
system, and the time it was *serviced* by the system?  I.e., could the
levers be positioned and followed by a subtantial "notification" lag?
(followed by a quick "servicing" interval)  Anyone know how the FDR works on
the A320? ].

* There is a civil case on the A320 crash underway in France, which is
expected to dispute the Mulhouse-Habsheim technical inquiry's findings (which
found in favor of the aircraft and systems).

Robert Dorsett                                        Moderator,
Internet:                   Aeronautics Mailing List

Indian A320 crash

Mon, 2 Apr 90 00:06:35 EDT
One of the bigger problems in assessing the A320 is that almost everyone
has vested interests to protect.  Most European aircraft manufacturers
are involved in building it, so they (and their governments) want it to
be a commercial success.  Their US competitors (and their government)
would prefer it to be a commercial failure.  Pilots' unions often oppose
it because it is a 2-man-crew aircraft replacing 3-man-crew planes.  And
so on.  The relevance of this to the Indian crash is that India, lacking
its own facilities for reading modern crash recorders, sent the A320's
recorder to Canada for analysis.  They chose Canada specifically because
it has no vested interest in the A320!

Incidentally, the latest word in Flight International (21 March issue)
is that informal reports -- admittedly thirdhand -- claim the approach
was being flown at an excessively low speed, 106 knots as against a
recommended speed of about 130 at that point, just before the crash.

                                Henry Spencer at U of Toronto Zoology

A320 crashes show similarities

Martyn Thomas <mct@praxis.UUCP>
Mon, 2 Apr 90 12:48:45 BST
Flight International, 4-10 April 1990, page 6:

"Cockpit voice recorder (CVR) and digital flight data recorder (DFDR)
information from the Bangalore accident made available to A320 operators
indicates that the cause was remarkably similar to that which the Investigation
Commission found for the A320 accident at Habsheim, France, in June 1988. The
CVR makes it clear that the right-hand-seat pilot intentionally selected "idle"
on the autothrottle as the aircraft decended through 500ft (150m) on Bangalore
final approach. This increased the aircraft's rate of descent as intended, but
reapplication of power came too late to arrest the vertical speed and prevent
the aircraft hitting the ground short of the runway.  According to the DFDR,
full power was tripped in automatically by the Alpha Floor protection mode as
the aircraft passed 135 ft. This implies that the handling pilot had selected
maximum angle of attack to arrest vertical speed, but at low indicated airspeed
(IAS). The IAE V2500 engines were not fast enough spooling up to full power to
provide the additional IAS needed to generate the increased wing load factor to
arrest the rate of descent. At Habsheim, the aircrew also selected power-up
from idle too late and, as a result, failed to clear trees at the airfield

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel:    +44-225-444700.   Email:   ...!uunet!mcvax!ukc!praxis!mct

Please report problems with the web pages to the maintainer