RISKS-LIST: RISKS-FORUM Digest  Monday 3 April 1989  Volume 8 : Issue 48

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  BMW's DWS system (Brian Randell)
  Risks of insomnia (Roger H. Goun)
  VDT Risks? No, Lead pipe cinch. (F. Baube)
  Aircraft running out of fuel in flight (Dale Worley)
  Yet another round of Airbus A320 discussions (Joe Morris)
  Daylight savings change requires computer shutdown (Walter Roberson)
  Elevator accident kills 13 year old (Walter Roberson)
  Re: "Free Fall" -- new book on 1983 Air Canada near-disaster (Henry Spencer)
  Newspapers' computer access to public records (Wm Randolph Franklin)
  Computers and Property Revaluation: It's Great in Dayton, Ohio (John Karabaic)
  Credit card magstripe-encoded pictures (Brian Randell)
  Using Pre-release Software (David A. Honig)
  Computer say, go to jail (Clifford Johnson)
  Accidental erasure of magnetic media used by the public (Peter Jones)

----------------------------------------------------------------------

Date: Sat, 1 Apr 89 12:11:13 BST
From: Brian Randell
Subject: BMW's DWS system

Today's Independent newspaper contains an advert by BMW which provides yet further evidence of the automotive industry's flagrant disregard for the possible risks associated with new computer-based technology. The main text of the advert is reprinted below, in its entirety, followed by a brief note of some of what I regard as the more obvious risks.

  BEFORE A BMW WILL START IT WEIGHS UP WHO'S DRIVING

  First BMW brought you ABS, for safer braking in the wet. Then came ASC, to help counter wheelspin during acceleration. Today, they can unveil DWS: probably the most significant advance in anti-theft technology to occur in recent years.

  DWS stands for Driver's Weight Sensor. A unique system that compares the driver's weight with a pre-programmed value stored in the sensor's computer memory. If the two values do not match, the car simply refuses to start.

  Clearly, this represents a whole new level of anti-theft sophistication. But one that has only been made possible thanks to recent advances in space satellite PHAT technology. This remarkable new material - Poly Halide Anodal Tritium - exhibits a highly predictable change in electrical conductivity according to the pressure exerted upon it.

  By harnessing these properties, BMW's engineers have devised a wafer-thin pressure pad that, when incorporated into the driver's seat, can electronically assess the occupant's weight to within 10 grams accuracy.

  Such is the system's intelligence, it will take account of bodyweight variations that occur according to the time of day, or even the time of year. This it achieves by interlocking with the car's on-board 365-day digital clock. Accurate allowance can then be made for weight increases that may be expected immediately after meal times, and those that are caused by multi-layer clothing during the winter months.

  Despite its space age technology, the operation of DWS is simplicity itself. On entering the car, the driver inserts the ignition key, at which point the words `Code Enter' flash up on the dashboard LED display. Up to five of these codes can be stored for five different drivers. The driver now enters his personal code on the key pad and his weight appears on the light-up display, expressed in either pounds or kilos. (Lady drivers who would prefer this visible display switched off should consult their BMW dealer, who will carry out the small necessary adjustment free of charge.)

  The sensor weight reading is then compared to the programmed weight in the memory, and providing this falls to within +-5%, the car will start normally. If, however, the figure exceeds these tolerances, then a discreet gong sounds, and the entire ignition system shuts down.
  Should persistent attempts be made to restart the car, an alarm system is triggered, and the headlights flash alternately until the unauthorised person vacates the seat and re-closes the door. At the same time a pre-recorded message is transmitted on the standard police radio frequency, notifying all walkie-talkie equipped police officers within 350 metres of the car's registration number.

  If you'd like to know whether the Driver's Weight Sensor anti-theft system can be fitted to your car, contact your local BMW dealer, or post off the coupon below [to Hugh Phelfrett, BMW Information Service, PO Box 46, Hounslow, Middlesex, TW4 6NF].

Some likely risks:

Just when you have arrived back from a week-end backpacking, and are desperate to get to MacDonald's before they close, the car is likely to refuse to recognise you. (The opposite problem is perhaps not so bad - for example, it would be good for you to be occasionally forced to walk or jog to WeightWatcher's class.)

Suppose the car does consent to take you to MacDonald's, the weight display, which I assume is dynamically updated, will be an additional and dangerous distraction while you drive home eating your Big Mac. (A head-up display would reduce this risk.)

A person's weight variations over the year are strongly correlated to cultural, racial, and religious factors. Almost certainly, therefore, this system will provide another example of "computerized discrimination".

There is even a security-related risk. By periodically dieting, a spy could use the occasional transmissions of the pre-recorded message as a covert signalling channel to a near-by embassy, say.

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne
JANET = Brian.Randell@uk.ac.newcastle
UUCP  = ...!ukc!newcastle.ac.uk!Brian.Randell
PHONE = +44 91 222 7923

------------------------------

Date: 30 Mar 89 14:04
From: goun%evetpu.DEC@decwrl.dec.com (Roger H. Goun)
Subject: Risks of insomnia

From The Wall Street Journal, Thursday, March 30, 1989, p. A1:

  "DIAL-A-SNORE: People having difficulty sleeping can dial the Lenox Hill Hospital Sleepline in New York. An answering machine plays an eight-minute tape that includes a message designed to help insomniacs doze off while listening."

Pity the poor insomniac who does fall asleep in the middle of such a call:

- After eight minutes, the Lenox Hill Hospital answering machine will hang up and a loud, synthesized telephone company voice will say, "If you'd like to make a call, please hang up and try again."

- If our insomniac manages to sleep through that, his or her phone might well remain off-hook all night, blocking incoming (possibly emergency) calls.

-- Roger Goun

------------------------------

Date: Sun, 02 Apr 89 17:11:54 -0400
From: "F.Baube"
Subject: VDT Risks ? No, Lead pipe cinch.

There has been mention of a high incidence of miscarriages at the headquarters of _USA Today_ in Rosslyn, Virginia. The cause was suspected to be VDT usage. The Washington DC _City Paper_ of March 31 states that the cause has since been determined to be lead in the building's pipes.

------------------------------

Date: Mon, 3 Apr 89 11:44:32 EDT
From: worley@compass.com (Dale Worley)
Subject: Aircraft running out of fuel in flight

This is quoted from memory from a Wall Street Journal article on the event:

The manufacturer's "minimum equipment list" for the 767 includes two electronic fuel gauges. Thus, technically, the pilot took the plane off with inadequate equipment.

I can understand why both the pilots and the airline would consider manually measuring the fuel level with a dipstick to be fully equivalent to the electronic fuel gauge, but this event shows that one should probably fly by the book; infrequently performed manual backup activities have a high likelihood of error.

Dale Worley, Compass, Inc.
------------------------------

Date: Sun, 02 Apr 89 18:45:44 EST
From: Joe Morris (jcmorris@mitre.arpa)
Subject: Yet another round of Airbus A320 discussions

This morning's Washington _Post_ has a near-full-page article on fly-by-wire aircraft and the safety issues involved. It's a rather well-written piece which (unlike too many of the so-called "news" reports) is not written to prove that the FBW systems ("are absolutely safe"|"are not at all safe"). Choose your favorite ending; both types of "news" are available. (The article is on page C-3; issue date is Sunday, 2 April)

The article cites the Airbus crash in France last 26 June. That crash has been the subject of numerous RISKS submissions which have explored many of the issues, but the _Post_ article cites other Airbus problems I haven't seen detailed. They include "...engines unexpectedly throttling up on final approach; inaccurate altimeter readings; sudden power loss prior to landing; steering problems while taxiing." The reports are credited to "the European press".

Can anyone elaborate on the reports?

  [Nancy Leveson is in DC this week, and picked up a copy. If no one else comes up with a fuller report, Nancy has promised one for Tuesday night. PGN]

------------------------------

Date: Sun, 02 Apr 89 13:52:18 EST
From: Walter_Roberson@carleton.ca
Subject: Daylight savings change requires computer shutdown

I found this on one of the systems I use (not the one I'm mailing from.) The times involved match exactly with those from previous time changes, so I begin to suspect they're serious about how long it takes.

Walter Roberson

  VM/CMS downtime
  ---------------

  NEWS DOWNTIME provides information about scheduled and unscheduled shutdowns as well as extended crashes.

  [...]

  -----
  89.03.02 0800 - 89.03.02 1300

  On Sunday April 2 1989 VM/HPO will be down from 0800 to 1300 hours and TSS and MVS/XA will be down from 0800 to 1000 hours for the change to Daylight Saving Time.
------------------------------

Date: Sun, 02 Apr 89 14:29:56 EST
From: Walter_Roberson@carleton.ca
Subject: Elevator accident kills 13 year old

The following was extracted from The Ottawa Citizen, Sunday April 2, 1989, pg A1 + A2:

  Elevator accident kills 13-year-old refugee
  (By Dennis Foley, Citizen staff writer)

  A 13-year-old girl [...] was crushed to death Saturday in an Ottawa apartment elevator that residents say has a history of malfunctioning.

  Segal Samanter jumped on the elevator and was caught between the closing door and the door frame [...] She was crushed against the upper door frame.

  Several residents said all three elevators continually malfunction and passengers are often jarred by their quick-closing doors. [...]

  "If they break down, they're repaired immediately," he said. "There was an elevator repairman here today." [building manager, Cliff Gray]

  He didn't know which of the three elevators had been repaired Saturday. [...]

  "There is always something wrong with these elevators. They move when they're not supposed to, and they stop between floors." [Afshin Adill]

  Ababdihakim Ali, 19, said that earlier in the day the door of the elevator in which Samanter was killed would close only halfway. It continued to operate this way, he said. [...]

  Witnesses said the elevator had stopped several centimetres above the floor level before Samater (sic) got on.

  Awleker Ahmed, 16, said he had been standing alongside Samanter in the elevator lobby and had warned her against trying to jump on to the elevator, which already contained several passengers. She ignored his warning, he said. [...]

  Pat Baerg, the building's secretary, said problems with the elevators are the result of tenant abuse.

  "If children didn't play on them and tenants didn't jam the doors open with cardboard, we wouldn't have problems," she said.

  She also said many tenants didn't know how to properly use them.

  "It's a tenant problem, not an elevator problem," she said.

  [...]

------------------------------

Date: Sat, 1 Apr 89 22:06:32 -0500
From: attcan!utzoo!henry@uunet.UU.NET
Subject: Re: "Free Fall" -- new book on 1983 Air Canada near-disaster

>(2) A "dipstick" procedure for measuring fuel supply by hand was done
>    incorrectly, leading the mechanics to conclude that the plane had
>    more fuel than was in fact the case (and, thus, that it was safe to
>    fly the plane without working fuel gauges!)...

Does the book (or the condensed version) address the question of whether this "safe" procedure violated regulations? My recollection of what was said at the time is that it's okay to fly a 767 with both fuel gauges operating, and it's okay to fly with one gauge operating plus the dipstick check, but if both gauges are out [as in the 1983 case], the plane is supposed to stay on the ground, period.

Whether my memory is correct or not, taking off with no fuel gauges strikes me as a dangerous and foolhardy action. Quite apart from reducing a redundant system to a single failure point (the manual calculation), the decision to take off without gauges also quietly assumed that nothing would go wrong in such a way as to quietly reduce available fuel (e.g. a leak). The real problem here was not unit conversion, but the old "it can't happen to me" syndrome. Bet that pilot never takes off without gauges again, ever, dipstick tests or no dipstick tests.

Henry Spencer at U of Toronto Zoology

------------------------------

Date: Mon, 27 Mar 89 15:58:10 EST
From: Wm Randolph Franklin
Subject: Newspapers' computer access to public records

Some newspapers in the area are trying to obtain magtape copies of public records that are already available on paper, such as driver licenses, criminal convictions, and land ownership. They want to perform statistical tests and cross-database matching.

This would seem to have all the dangers of governmental database matching, e.g. that when a coincidence is found, the victim is assumed guilty and must prove his innocence. However, the newspapers might be harder on an innocent victim than the government since they can publish anything, however false, if they can't be proved to have been malicious. Finding and printing an interesting coincidence, perhaps that you own property next to someone accused of organized crime, and also sold your previous car to another organized crime suspect, wouldn't be malicious, just sensationalistic.

Wm. Randolph Franklin, RPI

------------------------------

Date: Fri, 31 Mar 89 08:52:31 EST
From: fuzzy%aruba.dnet@wpafb-avlab (John Karabaic)
Subject: Computers and Property Revaluation: It's Great in Dayton, Ohio

From an informational notice entitled "Important Answers about PROPERTY REVALUATION" hung on my doorknob by a representative of the Montgomery County Auditor's Department (Dana A. Stamps, County Auditor):

  ... [previous Important Answers, to questions like {\bf What is the purpose of a revaluation program}]

  {\bf How is my property value determined}

  In the first phase, data collectors -- who are not appraisers -- verify and update the County property data file by making an on-site visit to your property. Using the information gathered by the data collector and sales data from the local market, the appraiser uses a computer to perform statistical analysis and mathematical calculations necessary in arriving at two basic approaches to value for residential property -- the Cost Approach and the Market Approach -- to compare your property to the current market trends and assist him in his final conclusion of value.

  The computer then produces an appraisal review card, from which a professional appraiser will determine the actual value in a final field review of each parcel. All final value conclusions are made by an experienced appraiser during this review.
  With the laborious tasks of statistical analysis and calculations being done by computer, the appraisers are now free to concentrate their talents on evaluating the results. Through integration of the electronic efficiency and accuracy of the computer with the experience and sound judgement of professional appraisers, the auditor's office will save the taxpayers of this county many thousands of dollars on future revaluations and enhance the quality of the appraisal process.

  ... [more Important Answers follow]

No news yet on any systems acquisition fiascos in the Auditor's Office, but the tone of the letter shows that the Auditor expects county property owners to sleep easy knowing that their tax bills are being set with the help of "the electronic efficiency and accuracy of the computer." There is an appeal and review process for individuals, but no mention of how the statistical model itself is validated. {\em Quis custodiet ipsos custodes}?

Lt John S. Karabaic (fuzzy%aruba.dnet@wpafb-avlab.arpa)
WPAFB, OH 45433-6543

------------------------------

Date: Tue, 28 Mar 89 12:48:06 BST
From: Brian Randell
Subject: Credit card magstripe-encoded pictures (RISKS-8.45)

Regarding Mike Trout's query:

>But on a more important topic, is there any empirical
>evidence to suggest that credit card fraud could be significantly reduced by
>facial images, either true photographs or digitized images?

Several years ago I was told by the late Charles Read, who at the time was Director of the Inter-Bank Research Organisation, here in the UK, that they had run an experiment on the use of photographs on credit cards, as an aid to reducing fraud. He told me that:

  "We sent out a dozen people, each with a credit card bearing the same photograph of the same gorilla, and on average they succeeded in passing the card eight times!"
(I found the phrase "the same photograph of the same gorilla" particularly memorable, and have often wondered what the results would have been if they had used different gorillas!)

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne

------------------------------

Date: Sun, 02 Apr 89 15:20:45 -0700
From: "David A. Honig"
Subject: Using Pre-release Software

April's IEEE Spectrum contains an article about the design of the Intel i860 (aka "N10") RISC processor. In a section called "Unauthorized Initiative" [p 26] the author (T. S. Perry) includes the following story:

  One of the designers heard from a friend in Intel's CAD department about a tool that would take a design from the logic-simulation level, optimize the circuit design, and generate an optimized layout. The tool eliminated the time taken up by circuit schematics, as well as the checking for schematic errors. It was still under development, however, and while it was even then being tested and debugged by the 486 team (who had several more months before deadline than did the N10 team), it was not considered ready for use.

  The N10 designer accessed the CAD department's mainframe through the in-house computer network and copied the program. It worked, and the bus-control bottleneck was solved.

  Said CAD manager Nave guardedly, "A tool at that stage definitely has problems. The specific engineer who took it was competent to overcome most of the problems himself, so it didn't have any negative impact, which it could have. It may have worked well in the case of the N10, but we don't condone that as general practice."

A number of classic RISKs are apparent, but what stands out to me is the lucidity in the last paragraph and the importance of engineers' *understanding* their tools, not just *using* them.

(This also reminds me of how some mathematicians get upset when they perceive engineers using mathematical tools without a good understanding of their basis, e.g., using integration without studying measure theory first...)

Of course, it is not just electrical engineers but social `engineers' and other planners, controllers, etc. that need to understand their tools' functions and limits.

------------------------------

Date: Wed, 22 Mar 89 15:52:49 PST
From: "Clifford Johnson"
Subject: Computer say, go to jail [Re: Driscoll, RISKS-8.44]

Same problems in Silicon Valley. I rear-ended a car in stop/go traffic in December (my first ever collision). I gave the guy I hit my insurance details, and reported the matter to my insurance, who agreed to pay, no problems. A month later I got a notice that my license would be suspended in two weeks for being in an accident and not having insurance. I was informed that after that date I would be automatically jailed if any officer caught me driving.

How did the State hear of the accident, and how did it conclude I was uninsured? I've no idea. The telephone number they gave was *permanently* busy, I tried many times, but I *immediately* had sent them documentation which proved I had been insured. Two months later I got a notice informing me that my suspension had been cancelled, after it had been in place for some weeks. I'm glad I wasn't stopped during that time is all I can say.

------------------------------

Date: Thu, 30 Mar 89 12:10:48 EST
From: Peter Jones
Subject: Accidental erasure of magnetic media used by the public

I noted with interest the article on the erasure of floppy disks placed vertically behind a child's car seat in an automobile equipped with seat heaters. I wonder if the data was made unreadable by the magnetic field of the heater, or if the disk was raised to above the Curie temperature (the point where a substance loses its magnetism because of thermal agitation.)
Today, there was a bulletin on the radio in which the Montreal Urban Community Transportation Commission (MUCTC), the authority that operates the buses and subway (Metro) in Montreal, announced a problem with the magnetic stripe at the bottom of its monthly passes when used in automatic turnstiles. They claim that some six hundred of the five hundred thousand issued monthly (0.12%) are damaged by proximity to magnetic latches in purses and wallets.

Does anyone know if credit cards are subject to this problem?

Peter Jones  MAINT@UQAM.BITNET  (514)-282-3542

------------------------------

End of RISKS-FORUM Digest 8.48
************************