Subject: RISKS DIGEST 11.17
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 26 February 1991  Volume 11 : Issue 17

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  The RISKS of automatic payments (Olaf 'Rhialto' Seibert)
  "Autopilot malfunction causes engines to break off"! (Martyn Thomas)
  Re: Computer problems with MD-11 jumbo jet (Daniel Faigin, Henry Spencer)
  Reliability extrapolation (Martyn Thomas)
  Risks of EMI? (Finkel)
  Re: Risks of radiation treatment of cancer (Clark Savage Turner)
  Re: Accuracy in Movies and Newspapers (John Richard Bruni)
  Re: worse-is-better for the 1990s (Jerry Gitomer)
  Automatic download of patches (Bill J Biesty)
  Workshop on Designing Correct Circuits (Victoria Stavridou)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
FTP VOL i ISSUE j: ftp CRVAX.sri.com, login anonymous, AnyNonNullPW,
CD RISKS:, GET RISKS-i.j (where i=1 to 11, j is always TWO digits.  Vol i
summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.)
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Mon, 25 Feb 91 15:39:16 +0100
From: rhialto@cs.kun.nl
Subject: The RISKS of automatic payments

"De Volkskrant" (a national daily newspaper in the Netherlands), 22 Feb 1991:

"Inhabitant of Amsterdam lies dead in apartment for half a year"

AMSTERDAM - In an apartment in Amsterdam-Southeast the police found the
remains of a 51-year-old man, who turned out to have died half a year ago.
[...] The man, who lived alone, died a natural death.

The police discovered the man accidentally. A police officer heard from the
caretaker of the building that he recently removed a large pile of mail for
the victim from his mailbox. The occupant, who did not wish to have contact
with his neighbors, had not been seen for a long time. When the police forced
the door of the man, the inanimate body of the man was found. The skin of the
man "looked like leather".

[This is the RISKy part:]

Because the rent and [natural] gas [for heating] and electricity bills were
automatically transferred, nobody missed him. The man also automatically
received an amount transferred into his bank account every month. Also, not
one institution missed the man."

Need I say more?

Olaf 'Rhialto' Seibert, University of Nijmegen, The Netherlands

------------------------------

Date: Tue, 26 Feb 91 11:07:33 GMT
From: Martyn Thomas
Subject: "Autopilot malfunction causes engines to break off"!

According to Flight International [27 Feb-5 March 1991. Page 8]:

A Boeing KC-135 apparently had two engines break off, shortly after take-off,
during Desert Storm operations in the Gulf. Apparently, autopilot malfunction
overstressed the airframe, causing one engine to break away and hit a second,
which was also torn from the wing. The 'plane is repairable, which says a lot
for the pilot's skill!
According to the caption on the accompanying picture (of an undamaged,
4-engine USAF KC-135) "KC-135s have overstressed in the past because of
autopilot disconnects". Apparently, the 'plane performed a Dutch roll, which
can lead to overstrain of the airframe because of the divergent coupling of
roll and yaw.

Martyn Thomas, Praxis plc, 20 Manvers Street, Bath BA1 1PX UK.
Tel: +44-225-444700. Email: mct@praxis.co.uk

------------------------------

Date: Tue, 26 Feb 91 07:50:57 PST
From: faigin@aerospace.aero.org
Subject: Re: Computer problems with MD-11 jumbo jet

Well, someone who did vendor software IV&V on a minor subsystem does remember
a few "oddities" -- like the vendor for the main flight computer not
conforming to the system ICD, and everyone else rewriting all interface
software during integration testing (on a crash basis) because the flight
control software was so kluged that everybody including MD was afraid to
touch it. And that one of the hydraulic control LRUs does the ARINC bus
monitor checks, and tells everyone else when to ignore the system (main
flight) computers...

------------------------------

Date: Tue, 26 Feb 91 11:49:34 EST
From: henry@zoo.toronto.edu
Subject: Re: Computer problems with MD-11 jumbo jet

As an interesting, and perhaps ominous, sideline on MD-11 computer problems,
McDonnell Douglas recently decided that its next big airliner, the MD-12,
will be fly-by-wire.

Henry Spencer at U of Toronto Zoology

------------------------------

Date: Thu, 21 Feb 91 14:57:35 GMT
From: Martyn Thomas
Subject: Reliability extrapolation

Henry Spencer comments that many systems which we currently trust (such as
large buildings) rely on extrapolation as part of their safety case. He
suggests that it may be reasonable to do the same for computer systems.

Maybe. Isn't most extrapolation based on the assumption that the system
behaviour is continuous?
Chaos aside, most physical materials do exhibit continuous behaviour up to the
point of catastrophic failure, and materials science gives us some insight
into where the catastrophic failure may occur. (And sometimes that insight
turns out to be wrong ...).

Digital systems are, by their nature, discontinuous. You cannot easily justify
extrapolation *or interpolation* of behaviour. There are digital weighing
machines which give the correct weights *except for a few specific values*.
How do you assess the probability of failure of a weighing machine with these
characteristics?

So can we justify extrapolation? Under what circumstances? To what limits?

------------------------------

Date: Fri, 22 Feb 91 16:38:57 EST
From: finkel@tartan.com
Subject: Risks of EMI?

As a mechanical engineer with a diverse career path, I have a few insights
into the controversy over the "cancer causing" electromagnetic radiation. (I
have enough statistics, chemistry, and analysis software experience to
almost, sort-of, maybe know what I am talking about.)

1) POWER LINES CAUSE CANCER -- They most certainly do, but not because of EMR.
To keep the access roads clear and to keep vines and other plants from
growing around the power towers, the companies sprayed 2-4D, commonly known
as dioxin or Agent Orange. (If you live near a power tower you have probably
been exposed to a lot of Agent Orange). The possible carcinogenic effects of
this chemical are well known.

2) HAIRDRYERS AND TVS CAUSE CANCER -- Again, I have no argument with the truth
of this statement. However, the cause is likely a chemical one. A hairdryer,
though they have removed all asbestos, is still a potent source of vapors.
The high heat releases some amount of the plasticisers into the air. This
vapor-laden air is promptly breathed in. The vapors then reside in the lungs
because the particles fall into that marvelous size that only floats, never
settles. With TVs, you again have a lump of plastic which gives off continual
emissions.
The transformer and "sealed" electronic components also give off toxic
emissions. A warm PCB gives off a field of vapor that reaches a lot further
than any stray RFI.

3) CRTS CAUSE CANCER -- The plastics argument still holds. All the hot cases
and components on the PCBs give off toxic fumes. Yet another source of the
vapors is the office itself. All those pretty sound-deadening screens,
particle-board desks, plastic counter tops, synthetic carpets, paint, ...
give off significant amounts of vapor.

The kicker is that a NON-SMOKING environment contributes to the problem. The
American Society of Heating and Refrigeration Engineers (ASHRAE) has
established "safe" airflows for smoking and non-smoking areas. The
non-smoking airflow is roughly 1/3 that of a smoking area. Therefore,
filtration is also about 1/3. The ducts are also smaller, and so on. SOOO,
all those cute chemicals have a lot of time to sit in your lungs. The larger
volume of air required for smokers also results in far more clean air coming
into a building. Much of this new, clean air comes in by design, where air is
drawn in by vents. Air also comes in through doors and windows. The increased
incoming airflow also results in more air going out, along with all the
stale, chemical-laden air. Net result: smoking sort of helps air quality.

Another direct CRT confound is that the screen creates an electrostatic
field. This field draws particles (dust, stray plasticisers, ...) which
increase the concentration of hazardous chemicals around the CRT. The
electrostatic field creates an airflow of garbage into your work environment.

I have no easy solutions. Some of these links may be tenuous, but they are no
more tenuous than the possibly erroneous correlations already drawn. The only
real difficulty with my arguments is that the problems are worse, more
pervasive, and harder to fix than just setting up a Faraday cage around a
terminal.
------------------------------

Date: Mon, 25 Feb 91 20:17:42 -0800
From: Clark Savage Turner - WA3JPG
Subject: Re: Risks of radiation treatment of cancer

I am keenly interested in the details of the Zaragoza, Spain accidents. I
have spoken with Gordon Symonds of the Canadian Bureau of Radiation and
Medical Devices (who investigated the AECL Therac-25 early on....) and he
surmises that since GE is mentioned in the news bits, that the culprit could
be the CGR Saturne. He explains that GE recently bought out CGR. The Saturne
is the underpinning machine for the Therac-20, predecessor of the Therac-25.
Of course, the Therac-25 is well known for its several elusive problems which
caused massive overdoses. The Therac-20 is also known to have problems
similar to those of its successor.

Can anyone lend a hand in tracking down these incidents?

- Clark Savage Turner, UC Irvine

------------------------------

Date: Tue, 26 Feb 91 09:59:13 PST
From: John_Richard_Bruni@cup.portal.com
Subject: Re: Accuracy in Movies and Newspapers

I can understand the frustration that people feel when watching TV stories
that extend into a field in which they are experts. But remember, the
frustration may not be due to the *people* covering the story so much as the
level of simplicity needed to convey a complex story to the general public.
To claim the networks use ignorant people to cover the news is itself an
ignorant statement. Speaking for my own network, it happens that our science
correspondent has a doctorate in Immunology from a top-level school. Not too
shabby considering how many stories on AIDS we have to do. One of our anchors
is incredibly well-versed in statesmanship, coming from a long line of
experts in the field and with more qualifications than you can imagine, both
in terms of degrees and expertise. If he ever retires I'm sure any Political
Science school in the country would vie for his time. It's an easy thing to
criticize the press.
We don't ballyhoo our credentials all over town but many of us have 'em. How
bright would you look in your field if you had to explain all your subject
matter so the general public could understand you? Actually, you'd be a
darned good teacher if you could do this. The best lecture I ever heard on
relativistic effects was explained in a way that made the topic seem almost
simple. That was a talented professor who gave that lecture!

JRB

------------------------------

Date: 26 Feb 91 16:14:49 GMT
From: jerry@TALOS.UUCP (Jerry Gitomer)
Subject: Re: worse-is-better for the 1990s

Perhaps what we are seeing is Gresham's Law as applied to computers: The
operating systems and languages of lesser intrinsic value will drive the
operating systems and languages of greater intrinsic value out of
circulation, because those of greater intrinsic value will be hoarded.

Now if I could only figure out how to hoard an operating system or
high-level language :-)

Jerry Gitomer at National Political Resources Inc, Alexandria, VA USA
(703)683-9090 (UUCP: ...{uupsi,vrdxhq}!pbs!npri6!jerry)

------------------------------

Date: Tue, 26 Feb 91 09:32:22 CST
From: wjb@edsr.UUCP (Bill J Biesty)
Subject: Automatic download of patches

From this week's Computerworld:

"HDS downloads disk code" by Jean S. Bozman

Santa Clara, Calif. - Hitachi Data Systems Corp. (HDS) is not content to let
its disk drives "call home" when they are not feeling well. Now, HDS
engineering staff can send some prescription medicine down the modem line,
the company said last week.

HDS claimed that an enhanced version of its Hi-Track maintenance program adds
the dimension of on-line repairs to a 5-year-old automatic failure-reporting
system. "We can apply many microcode changes without taking the customer site
down," said Jeff German, manager of technical support at HDS.
The new feature, called Dynamic Microcode Download, adds to Hi-Track's
existing capability to monitor, detect, diagnose and repair failing storage
systems before they crash. "If you're reacting to the threshold of pain that
people at your customer sites have, then you won't prevent failures," German
said.

After notifying customers of a device's impending failure, HDS technicians
can send the patched software down a dedicated telephone line. Payment for
the Hi-Track service is included in the normal maintenance fee; the same
automatic call-in service will be extended to the new generation of HDS EX
mainframes later this year. Hi-Track is installed in 3,000 disk drive and
tape storage systems world-wide, according to HDS.

The Right Approach?

However, some industry analysts are unsure whether this kind of service can
build HDS's market share relative to IBM and Amdahl Corp. "This feature is
not by itself going to convince a customer to buy an HDS 7380 or 7390 disk
drive," said Robert Callery, a senior storage analyst at Technology
Investment Strategies Corp. in Framingham, Mass. Not all microcode changes
will be simple enough to transmit over the wire, Callery added. [...]

IBM has a service director plan that automatically relays disk drive errors
to IBM field service centers [... which when] received, IBM calls the
customer site to schedule maintenance. [...] DEC and HP also offer automatic
device-error tracking services....

---

The competitive market place is making a bigger push for reduced costs
(customer service visits) and introducing greater risks. It will be
interesting to see if any of the problems with the new service get reported
in the press. Is anyone familiar with the service and can give additional
details about what kind of changes can be downloaded?

I believe there was an earlier discussion concerning the Prodigy service's
ability to automatically download changes to the remote PC's communications
software.
I currently subscribe to America On-Line (AOL). We recently got a flyer in
the mail saying that new features were going to be made available soon to
users. I never got a disk in the mail. Then just last week when I signed on I
got a dialog box saying "Updating software database" (or close to that). When
I went to read postings on a bulletin board, there were new buttons to
implement the announced features! My guess is that the data base changes were
just the icon image and associated codes to transmit to the host computer
rather than an executable. I haven't been able to find any documentation on
this "feature" (which I'm sure saves AOL a ton of money avoiding mailings and
disk duplication) much less an agreement that I permit AOL to change data on
my disk drive!

Bill Biesty, Electronic Data Systems Corp., Research and Advanced
Development, 7223 Forest Lane, Dallas, TX 75230    edsr.eds.com!wjb

------------------------------

Date: Mon, 18 Feb 91 10:58:28 GMT
From: Victoria.Stavridou@prg.oxford.ac.uk
Subject: Workshop on Designing Correct Circuits

                 IFIP WORKSHOP ON DESIGNING CORRECT CIRCUITS
   IFIP WG 10.5                  Call for Papers                  WG 10.2
                        Lyngby, 6-8 January 1992

The purpose of this workshop is to bring together researchers interested in
the design of provably correct hardware. The intention is to have a small
informal workshop with focus on formal methods for designing correct
circuits. In particular we would like to see presentations of methods that
have been used in real designs. To keep this focus we will discourage papers
which primarily discuss tools or the theoretical foundations. The program
committee will be asked to observe these guidelines in their selection.
Relevant topics include but are not limited to:
 - formal hardware design languages,
 - hardware design by transformation,
 - computer-aided design and verification of hardware,
 - methods of designing testable circuits,
 - analysis of circuit descriptions,
 - experience of the application of these techniques,
 - experience (good or bad) with formal methods.

The workshop will be of interest to researchers in the area of formal methods
for hardware design, and to engineers in industry wishing to keep abreast of
this fast-moving and exciting field.

Programme committee:
 Joergen Staunstrup, Lyngby (chairman)
 Luc Claesen, IMEC
 Peter Denyer, Edinburgh
 Hans Eveking, Darmstadt
 Mike Fourman, Edinburgh
 Geraint Jones, Oxford
 Tom Melham, Cambridge
 Mary Sheeran, Glasgow
 Robin Sharp, Lyngby
 P.A. Subrahmanyam, AT&T

In addition to paper selection the program committee will find a "responder"
for each paper selected for presentation. The responder will give a 5-10
minute criticism of the paper just after the presentation and has the option
of getting a 1-2 page contribution into the printed proceedings.

Call for papers: You are invited to submit a draft full paper on a relevant
subject by 15th August 1991. Four copies should be sent to the chairman of
the program committee: Joergen Staunstrup. Notification of acceptance will be
posted by 15th October, and revised copies of full papers must be received by
1st December in order to be distributed at the workshop. The proceedings will
be published by North Holland.

Local arrangements: The workshop will meet at the Technical University of
Denmark in Lyngby. Robin Sharp is in charge of local arrangements. We intend
to keep the cost of the workshop, meals and accommodation around Dkr. 2000
(US$ 350).

Questions about the subjects of the workshop and other technical enquiries
can be addressed to one of the organizers: J. Staunstrup or R. Sharp,
Department of Computer Science, Building 344, Technical University of
Denmark, DK-2800 Lyngby, Denmark
e-mail: jst@id.dth.dk or robin@id.dth.dk
tel: (+45) 45 93 33 32    fax: (+45) 42 88 45 30

------------------------------

End of RISKS-FORUM Digest 11.17
************************
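Added illustration, not part of the digest: a Python model of the "digital weighing machine which gives the correct weights except for a few specific values" that Martyn Thomas raises in his "Reliability extrapolation" contribution above. It shows why interpolating between tested points, or quoting a statistical bound from tests that passed, says nothing about isolated faulty inputs, and why the failure probability of such a machine depends on the operational profile rather than on how many inputs are wrong. The input range (0 to 10 000 g), the three faulty values and both demand profiles are constructed assumptions for the example.

```python
# Added example (not from the digest): a weighing function that is correct
# everywhere except on a few specific inputs, used to compare grid testing
# and interpolation with exhaustive checking and an operational-profile
# estimate. Range, faulty values and profiles are constructed assumptions.

GRAMS_MAX = 10_000  # assumed input domain: whole grams from 0 to 10 000

# Constructed discrete fault: three specific readings come out wrong, as a
# lookup-table or rounding defect in firmware might behave.
FAULTY_INPUTS = frozenset({4097, 4098, 8191})


def read_weight(true_grams):
    """Model of the machine's display: wrong on FAULTY_INPUTS, exact elsewhere."""
    if true_grams in FAULTY_INPUTS:
        return true_grams - 1000  # silently off by a kilogram
    return true_grams


def grid_test(step):
    """Test every `step` grams across the range; return the failing test points.

    This is the discrete analogue of 'test a few loads and interpolate between
    them'. A grid that misses the faulty values reports no failures at all.
    """
    return [w for w in range(0, GRAMS_MAX + 1, step) if read_weight(w) != w]


def interpolation_claim(lo, hi):
    """Continuous-style reasoning: both endpoints correct, so assume the whole
    interval is. Returns the claim the reasoning would make; True does not
    mean the interval is actually fault-free."""
    return read_weight(lo) == lo and read_weight(hi) == hi


def exhaustive_test():
    """Check every input; the only way to find a fault at isolated values."""
    return [w for w in range(GRAMS_MAX + 1) if read_weight(w) != w]


def rule_of_three_bound(n_passed):
    """Approximate 95% upper bound on the per-demand failure probability after
    n_passed tests with no failures (about 3/n). It applies only to demands
    drawn from the same distribution as the tests; it says nothing about
    specific untested values."""
    return 3.0 / n_passed


def failure_probability(profile):
    """Per-demand failure probability under an operational profile, given as
    a mapping weight -> probability that this weight is demanded."""
    return sum(p for w, p in profile.items() if read_weight(w) != w)


def uniform_profile():
    """Every gram value equally likely to be demanded."""
    p = 1.0 / (GRAMS_MAX + 1)
    return {w: p for w in range(GRAMS_MAX + 1)}


if __name__ == "__main__":
    print("grid failures (every 100 g):", grid_test(100))
    print("interpolation 4000..5000 claims OK:", interpolation_claim(4000, 5000))
    print("exhaustive failures:", exhaustive_test())
    print("rule-of-three bound after 101 passes:", rule_of_three_bound(101))
    print("uniform-profile failure probability:", failure_probability(uniform_profile()))
    # Constructed skewed profile: half of all demands are a standard 4097 g pack.
    print("skewed-profile failure probability:", failure_probability({4097: 0.5, 250: 0.5}))
```

The grid test and the interpolation claim both pass while exhaustive checking finds the three bad values; the rule-of-three bound after 101 passing tests (about 0.03) is not wrong, merely uninformative about those values; and the same machine has a failure probability of 0.0003 under a uniform profile but 0.5 if half the demands happen to be a faulty value.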
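Added example, not part of the digest and not HDS's or AOL's code: a receiving-side acceptance check for vendor-pushed patches, addressing the concern in Bill Biesty's "Automatic download of patches" contribution above that microcode or software can be changed on customer equipment over a line without verification or the customer's agreement. The "legacy" function applies whatever arrives; the verified one accepts a patch only if its manifest is authentic, the patch bytes match the signed digest, it is for this device model, it is newer than what is installed, and a local operator has approved it, and it records every decision. The manifest layout, the HMAC shared key (standing in for a public-key signature so the example is self-contained), the model name, level numbers and patch bytes are all constructed assumptions.

```python
# Added example (not from the digest, HDS or AOL): receiving-side patch
# acceptance policy. Manifest layout, key, model and level values are
# constructed assumptions; an HMAC stands in for a public-key signature.
import hashlib
import hmac
import json


def canonical(manifest):
    """Canonical bytes of a manifest so sender and receiver authenticate the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key, manifest):
    """Vendor side: authenticate the manifest with a key provisioned out of band."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_manifest(model, level, patch):
    """Vendor side: describe the patch so the receiver can check what it got."""
    return {"model": model, "level": level,
            "sha256": hashlib.sha256(patch).hexdigest()}


def legacy_auto_apply(patch, installed):
    """The 'just download it' behaviour: whatever arrives on the line gets applied."""
    installed["image"] = patch
    return True


def verified_apply(patch, manifest, signature, key, installed, approved, audit):
    """Customer side: apply only an authentic, intact, applicable, newer and
    locally approved patch. Returns (applied, reason) and appends to `audit`."""
    def decide(applied, reason):
        audit.append({"level": manifest.get("level"), "applied": applied,
                      "reason": reason})
        return applied, reason

    if not hmac.compare_digest(sign_manifest(key, manifest), signature):
        return decide(False, "manifest signature invalid")
    if not hmac.compare_digest(hashlib.sha256(patch).hexdigest(), manifest["sha256"]):
        return decide(False, "patch content does not match signed digest")
    if manifest["model"] != installed["model"]:
        return decide(False, "patch is for a different model")
    if manifest["level"] <= installed["level"]:
        return decide(False, "not newer than installed level (no rollback or replay)")
    if not approved:
        return decide(False, "awaiting local operator approval")
    installed["image"] = patch
    installed["level"] = manifest["level"]
    return decide(True, "applied")


def demo():
    """Walk through the decisions a site would see; returns the audit trail."""
    key = b"constructed-demo-key"                      # constructed, out-of-band key
    patch = b"constructed microcode image, level 104"  # constructed patch bytes
    manifest = build_manifest("DEMO-7380", 104, patch)
    sig = sign_manifest(key, manifest)
    installed = {"model": "DEMO-7380", "level": 103, "image": b"old image"}
    audit = []
    verified_apply(patch, manifest, sig, key, installed, False, audit)      # not approved yet
    verified_apply(patch + b"\x00", manifest, sig, key, installed, True, audit)  # altered in transit
    verified_apply(patch, manifest, sign_manifest(b"wrong-key", manifest), key,
                   installed, True, audit)                                  # not from the vendor
    verified_apply(patch, manifest, sig, key, installed, True, audit)       # accepted
    verified_apply(patch, manifest, sig, key, installed, True, audit)       # replay of same level
    return audit, installed


if __name__ == "__main__":
    trail, state = demo()
    for entry in trail:
        print(entry)
    print("installed level:", state["level"])
```

Only the fourth attempt in `demo()` changes the installed image; the first three are refused for lack of approval, a digest mismatch and a bad signature respectively, and the fifth is refused because it does not advance the installed level. The audit list is the part a site would keep, since it is the record of what a vendor tried to push and when it was allowed.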