Subject: RISKS DIGEST 16.31
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 9 August 1994  Volume 16 : Issue 31

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

Contents:
Unda(u)nted exploration: DANTE II (PGN)
Denver "solves" hi-tech baggage handling problems (Lauren Weinstein)
Re: Squirrels again bring down Nasdaq (Joe Morris, Bob Frankston)
More than squirrels: Newbridge Networks (Bob Frankston)
Re: RISKs of electrical wiring (Lauren Weinstein)
Re: The Cult of Information (Steven Tepper)
Rapid Application Development (RAD) (Rebecca Mercuri)
Intel plant in Albuquerque (Phil Agre)
Madcap world of modern banking (Ross Anderson)
A330 Crash investigation report: Pilot error blamed for crash (Erik Hollnagel)
Workshop Announcements PDCS2 and SCSC (Barry Hodgson)
CSR Software Reliability & Metrics Club - Meeting Announcement (Pete Mellor)
Washington DC ACM Seminar (John Sheckler)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Tue, 9 Aug 94 7:41:18 PDT
From: "Peter G. Neumann"
Subject: Unda(u)nted exploration: DANTE II

The Dante II robot (successor to Dante I, whose fiber cable snapped only
21 feet down into Mt Erebus in 1993) has been exploring the volcanic crater
of Mt Spurr in Alaska, apparently with great success in gathering
information in a human-risky environment after the 1992 eruption.  En route
to the bottom, Dante II survived being hit by rocks and slopping through mud
and snow; prior to its descent its satellite dish antenna was chewed on by a
bear.  However, the last few days have provided grist for the RISKS mill as
to what can go wrong going wrong.  Last Wednesday (3 Aug 1994) the robot
lost power, and then its transmitter went dead.
On Thursday, a short-circuit (due to condensation) was fixed in a connector
to the 1000-volt power and communications cable.  The robot then was able to
begin its ascent (at three feet per minute).  On Friday night, the
1700-pound Dante II lost its footing when one of its eight legs
malfunctioned, and it toppled over.  Plans are now afoot (no pun intended)
to hoist it out by helicopter, or if that fails for a geologist (John
Laskeivitch of the Alaska Volcano Observatory) to climb down and attach a
tether -- using the knowledge obtained from Dante II that there are lots of
rocks but that the expected hot gases are no longer present.  The robotic
software seems to have functioned well throughout.

  [SOURCES: PGN News Service from articles by Charles Petit in the San
  Francisco Chronicle, 4-5 Aug 1994, and AP items, 7 and 9 Aug 1994.]

------------------------------

Date: Thu, 4 Aug 94 23:40:23 PDT
From: lauren@vortex.com (Lauren Weinstein)
Subject: Denver "solves" hi-tech baggage handling problems

It looks as if the folks in Denver have figured out what they need to do to
finally get their new airport open.  As you may recall, it has failed to
open for quite some time because the amazing, computer-controlled, $200
million baggage handling system simply doesn't work.  Nor does it appear
that there is much hope of making it work quickly.  The more deeply the
system is inspected, the more problems are found.

Videos of the failing system under test are great fun to watch.  Bags being
flung at carts that aren't where they're supposed to be, carts flying off
tracks, bags flying through the air smashing into the ground, and so on.
Quite a show.

So how to open the airport?  Simple!  They've apparently decided to spend
more bucks and build *another* baggage handling system--the conventional
kind with conveyer belts.  After they build this new, old-style system,
they'll finally be able to open the airport, which is currently losing
something like $1 million/day just sitting there.
The plan is to shift back to the computerized system when (if?) they get
all the bugs out of it.

--Lauren--

------------------------------

Date: Tue, 02 Aug 94 12:15:04 -0400
From: Joe Morris
Subject: Re: Squirrels again bring down Nasdaq (Neumann, RISKS 16.30)

>Nasdaq once again was shut down by an energetic squirrel ...

To many people interested in commercial power (including computer center
managers such as yours truly was at one time) the word "squirrel" is often
defined as "a self-propelled short circuit".

Joe Morris / MITRE

------------------------------

Date: Sat, 6 Aug 1994 14:54 -0400
From: Bob_Frankston@frankston.com
Subject: Re: Squirrels again bring down Nasdaq

There was a followup article (which I don't have handy) in the Times noting
that the outage caused trade reconciliation algorithms to fail.  A general
problem is cascading failures when interacting timeouts start going off.

------------------------------

Date: Mon, 8 Aug 1994 14:20 -0400
From: Bob_Frankston@frankston.com
Subject: More than squirrels: Newbridge Networks

Squirrels aren't Nasdaq's only problem.  According to an article in the New
York Times, there are also some race conditions in their procedures.  The
article describes attempts to stop trading in Newbridge Networks stock.
Apparently the attempt to stop trading was entered at 9:32 instead of 9:30
due to an error entering a command.  Many options (more highly leveraged
than shares) got through and were confirmed.  They were retroactively
cancelled.

There are two basic problems.  One, as the article noted, is that a
confirmation is not a confirmation.  The other is the contrast between
human speeds and computer speeds.  Two minutes is a very very long time.
------------------------------

Date: Tue, 2 Aug 94 11:01 PDT
From: lauren@vortex.com (Lauren Weinstein)
Subject: Re: RISKs of electrical wiring

Regarding the electrician who blew out some equipment by dropping the
neutral from a circuit, causing a power leg to go to around 220V (about
double the North American standard of ~117V).  One might suggest that (even
though it can be inconvenient) turning *off* the power to areas that could
be directly affected by ongoing electrical work would be a simple and
mandated procedure.  No fancy protective gear is needed in this case.  Just
turn off the breakers until the work is done.

--Lauren--

------------------------------

Date: Tue, 2 Aug 94 14:41:50 PDT
From: greep@datatools.com (Steven Tepper)
Subject: The Cult of Information (RISKS-16.30)

> Roszak, in this book, is not attacking the idea of computerization

He already did that in a novel called "Bugs".

------------------------------

Date: Fri, 5 Aug 1994 17:49:27 +0500
From: mercuri@gradient.cis.upenn.edu (Rebecca Mercuri)
Subject: Rapid Application Development (RAD)

I am writing an article on Rapid Application Development (RAD) and would
like to include a risky horror story or two, if anyone has one they want to
share.  If you can BRIEFLY describe a project where RAD techniques were
used to develop a system or software which resulted in quantifiable losses
(in terms of time, money, etc.) to an individual or organization, I will
consider quoting you (with proper citation of course).  The anecdote must
be traceable to an organization or individual involved (there can be some
anonymity, but some person or group must be identifiable so the story can
be verified).

Please send replies DIRECTLY to mercuri@gradient.cis.upenn.edu

Sorry, I don't have time to address other matters (like "what is RAD?" --
if you don't know then you probably weren't using it).
BTW, I'm especially interested in projects where an outside consulting team
came in, used RAD, developed something and left it either unfinished,
undocumented, untested, and/or unsupportable.  Hope someone wants to go on
the record with their experience(s).

Thanks in advance,
Rebecca Mercuri

------------------------------

Date: Fri, 5 Aug 1994 16:27:24 -0700
From: Phil Agre
Subject: Intel plant in Albuquerque

The SouthWest Organizing Project is engaged in a campaign against the Intel
chip fabrication plant in Albuquerque, New Mexico.  They allege excessive
water use, chemical hazards to workers, and large expenditures of public
funds for small numbers of jobs for local people.  Their report is
available from them (US$10 plus $1.50 p/h) at SWOP, 211 10th St SW,
Albuquerque NM 87102, USA.

Phil Agre, UCSD

------------------------------

Date: Sun, 7 Aug 1994 16:36:01 +0100
From: Ross.Anderson@cl.cam.ac.uk
Subject: Madcap world of modern banking

The Sunday Times reports on 7th August that one of its readers in
Hertfordshire, England, paid a cheque for a thousand pounds into her
account with Barclays Bank in June.  The cheque bounced, and Barclays did
not credit it to her account; but for no reason they also removed a further
thousand, causing her to go overdrawn.

After writing letters and waiting for weeks, she got a letter from Barclays
explaining that the loss was ``a quirk in our accounts processing system
which is effectively debiting twice the amount of a customer's unpaid in
cheque''.  It goes on: ``Your helpful comments are valuable to us in
prioritising the resolution of difficulties such as those experienced by
you''.

I suspect that many firms only fix software bugs when enough customers have
complained about them.  But how many make a virtue out of it?
Ross Anderson
Cambridge University Computer Laboratory
rja14@cl.cam.ac.uk

------------------------------

Date: Fri, 05 Aug 1994 10:45 +0200
From: Erik Hollnagel HRA
Subject: A330 Crash investigation report: Pilot error blamed for crash

  [Erik provided an article from the U.K. *Times*, 3 Aug 1994, p.7, which
  is omitted here.  The article noted confusion on the flight deck and
  three seconds of hesitation by a tired chief pilot as being responsible
  for seven deaths on the test-flight takeoff of an Airbus A330.  PGN]

My comment is that in the absence of an obvious single fault in the
hardware (which in this case mostly is software) the default explanation is
"human error".  It looks rather as if the combination of automation,
ill-defined tasks, and an unsupportive organisation were the real causes.
But I would not expect Airbus to ever acknowledge that.

erik.hollnagel.hra@eurokom.ie
Erik Hollnagel, Technical Director, Human Reliability Associates Ltd.,
School House, Higher Lane, Dalton, Lancs. WN8 7RP, UK   +44.257.463.121

------------------------------

Date: Wed, 3 Aug 1994 16:16:28 +0000
From: Barry Hodgson
Subject: Workshop Announcement

   PDCS2 2nd Open Workshop                   &   Safety-Critical Systems Club
   (Predictably Dependable Computing              14th Meeting and Seminar on
    Systems 2)                                    New Technologies
   Newcastle upon Tyne                            Leeds
   19-21 September 1994                           22-23 September 1994

Introduction

The issues addressed by the PDCS2 research project and SCSC members are
closely related.  It is because of this, and the geographic proximity of
the locations, that we hope to facilitate attendance, by interested
parties, to both events.

PDCS2 2nd Open Workshop

The 2nd Predictably Dependable Computing Systems (PDCS2) Open Workshop will
be held on 19-21 September, at the University of Newcastle upon Tyne,
starting at 2.00 p.m. (with registration and lunch from 12.30 p.m.).  The
PDCS2 Workshop will comprise technical presentations of the year's work.
There will also be demonstrations of prototype software and systems
developed by the project.  Further details are provided in the preliminary
programme shown below.

PDCS2 builds on, and takes significantly further, the work of ESPRIT Basic
Research Action PDCS on the problems of making the process of designing and
constructing adequately dependable computing systems much more predictable
and cost-effective than at present.  In particular, it addresses the
problems of producing dependable distributed real-time systems and
especially those where the dependability requirements centre on issues of
safety and/or security.  The research programme is concentrated on a number
of carefully selected topics in fault prevention, fault tolerance, fault
removal and fault forecasting.  It ranges in nature from theoretical to
experimental and in a number of cases the acquisition or implementation, in
prototype form, of software tools, and their experimental interconnection.

SCSC 14th Meeting and Seminar on New Technologies

The 14th meeting of the Safety-critical Systems Club will be held on 22-23
September at The Marriott Hotel in Leeds, starting at 10.00 a.m. with
registration and coffee from 9.30 a.m.  On Thursday 22 September the theme
will be "New Technologies for Safety-critical Systems" and the programme
will address the application of technologies such as formal methods, neural
networks, knowledge based systems, and robotics to the safety critical
domain, enquiring into their readiness for this role, and examining actual
experience.  On Friday 23 September the event will focus on "Introducing
Formal Techniques" and will provide an overview presentation on how to
manage the introduction of formality, together with talks describing real
case histories.

The Safety-critical Systems Club was formed in 1991 with support from the
DTI and SERC.
It provides a regular forum for presentations and interaction on a wide
range of topics concerning the use of computing systems in safety-critical
applications.  The majority of participants are practitioners and users of
such systems, but developers and research workers are also represented in
the membership of almost 2,000.  Each year the club holds a series of
meetings and seminars, circulates a regular newsletter and organises a
three day conference on the theme of safety-critical systems.

PDCS2 - ESPRIT Basic Research Project 6362
Predictably Dependable Computing Systems

2ND PDCS2 OPEN WORKSHOP
WORKSHOP PROGRAMME
19-21 September 1994
University of Newcastle upon Tyne

MONDAY 19 SEPTEMBER

12.30-14.00  Registration and Lunch

14.00-14.15  INTRODUCTION
             Brian Randell (Univ. Newcastle)

14.15-15.45  FAULT PREVENTION & FAULT TOLERANCE: ARCHITECTURAL ISSUES
             A Systematic Approach for the Analysis of Safety Requirements
             for Process Control Systems - Tom Anderson (Univ. Newcastle)
             A TTP Solution to an Automotive Control System Benchmark -
             Hermann Kopetz (TU Wien)

15.45-16.10  COFFEE

16.10-18.00  DEMONSTRATIONS

- - -

TUESDAY 20 SEPTEMBER

09.00-10.30  INVITED SPEAKERS FROM INDUSTRY

10.30-11.00  COFFEE

11.00-12.30  FAULT TOLERANCE: LANGUAGE ISSUES
             Implementing Fault-tolerant Applications: an approach based on
             reflective object-oriented programming - Jean-Charles Fabre
             (LAAS-CNRS, Toulouse)
             Object-Oriented Environmental Fault Tolerance - Cecilia
             Calsavara (Univ. Newcastle)

12.30-14.00  LUNCH

14.00-15.30  FAULT FORECASTING: METHODOLOGY ISSUES AND MARKOV MODELS
             Engineering Judgement about Dependability: pitfalls and
             defences - Lorenzo Strigini (CNR, Pisa)
             Availability Bounds for Large Markovian Models of Fault
             Tolerant Systems - Pierre-Jacques Courtois (UC Louvain)

15.30-16.00  COFFEE

16.00-18.00  DEMONSTRATIONS

20.00        WORKSHOP BANQUET

- - -

WEDNESDAY 21 SEPTEMBER

09.00-10.30  FAULT FORECASTING: RELIABILITY AND AVAILABILITY MODELLING
             Software Reliability Analysis of Three Successive Generations
             of a Switching System - Karama Kanoun (LAAS-CNRS, Toulouse)
             Relativistic Reliability Modelling for Highly Reliable Systems
             - Bernard de Neumann (City Univ., London)

10.30-11.00  COFFEE

11.00-12.30  FAULT FORECASTING: FAULT INJECTION
             Comparison of Two Fault Injection Techniques Supported by the
             MEFISTO Tool - Marcus Rimen (Chalmers UT, Goeteborg)
             Comparison and Integration of Three Diverse Physical Fault
             Injection Techniques - Johan Karlsson (Chalmers UT, Goeteborg)

12.30-14.00  LUNCH

14.00-15.30  INVITED SPEAKERS FROM INDUSTRY AND CONCLUSION
             Including closing address by Jean-Claude Laprie (LAAS-CNRS,
             Toulouse)

  [PLEASE CONTACT BARRY DIRECTLY FOR THE FULL ANNOUNCEMENT.  IT IS TOO LONG
  FOR RISKS.  PGN]

Dept. of Computing Science, Claremont Tower, University of Newcastle,
Newcastle upon Tyne, NE1 7RU, UK
EMAIL = j.b.hodgson@newcastle.ac.uk
PHONE = +44 91 222 7948   FAX = +44 91 222 8232

------------------------------

Date: Tue, 9 Aug 94 13:40:05 BST
From: Pete Mellor
Subject: CSR Software Reliability & Metrics Club - Meeting Announcement

CSR Software Reliability & Metrics Club announces its forty-second meeting,
to be held at Brighton on 12th October 1994, a seminar on

                         =========================
                         ||  Process Improvement ||
                         =========================

Learn from the practitioners

The morning session will be devoted to talks by leading experts in the
increasingly important field of software process improvement, dealing with
significant practical issues:

  * How to measure software process improvement
  * Identifying opportunities for process improvement
  * Defining and describing processes
  * Reasoning about process effectiveness
  * Achieving and quantitatively demonstrating improvement

Explore the key issues

After meeting with their peers over lunch, groups of delegates will work
together, sharing their collective experience, and discussing some of the
topical issues in the field of process improvement:

  * Bottom-up or top-down?
  * How to get started
  * Which comes first - the process or measurement?

Delegates are encouraged to suggest other topics for discussion in this
part of the meeting; to do so, fill in the relevant part of the tear-off
slip on the next page.  The working session will be followed by reports
back to the main meeting, and an open discussion of the issues raised.

Discover the future

Following informal discussion over tea, the final session of the day will
be led by one of the key players in determining the future development of
this important field.  This perspective will be important for all who are
planning to be, or are already, involved in the software process
improvement area.
Who should attend

This meeting is aimed at anyone with a professional interest in improving
software development processes, including:

  * software engineers, project managers and quality personnel wishing to
    learn about the practice of process improvement
  * experienced process improvers who wish to broaden their knowledge and
    keep in touch with the latest developments
  * researchers wishing to learn from the practical application of process
    improvement ideas.

Why you should attend

The benefits of attendance at this meeting include:

  * exposure to the practical experience of other professionals who have
    successfully applied software process improvement within their
    companies and for the benefit of their clients
  * opportunities to share your experiences and problems with other
    professionals, both during the formal sessions and informally during
    the breaks
  * updating on the practice of the leaders in the process improvement
    field, and on likely short term future developments which will have
    implications for the whole industry.

Where, when and how to attend

The meeting will be held in Brighton, at the Bedford Hotel, on 12 October
1994, starting at 10.30 am, with registration from 10.00 am onwards.  The
cost of this one day meeting will be L.165.50 which covers lunch and
refreshments during the day and includes L.60 Club membership fee with
L.10.50 VAT; if you are already a Club member the charge is only L.90.  If
you would like to attend, please complete the tear-off slip below and
return with your remittance; early registration would be much appreciated
and may help to avoid disappointment.  Maps and suggested train times will
be sent to registered delegates, who are responsible for arranging their
own accommodation (if required).
FOR FURTHER INFORMATION, CONTACT
Joan Atkinson, Centre for Software Reliability, Bedson Building,
University, Newcastle upon Tyne, NE1 7RU
Tel: 091 221 2222; Fax: 091 222 7995; e-mail: csr@newcastle.ac.uk

------------------------------

Date: 4 Aug 1994 12:20 EST
From: ndqajds@atscv1.atsc.allied.com (John Sheckler, ATSC, 301/805-3258)
Subject: Washington DC ACM Seminar

The next Washington DC ACM Professional Development Seminar series is
scheduled for November 14 through November 18, 1994.  The following topics
and presenters have been scheduled.

Monday, November 14
  Mr. Allen S. Perper - Business Process Engineering/Reengineering
  Mr. Will Tracz - Domain-Specific Software Architectures -- Process,
    Products, and Infrastructure

Tuesday, November 15
  Dr. Cy Svoboda - Information Engineering
  Mr. Mike Gorman - Managing the Development of Client/Server Applications

Wednesday, November 16
  Mr. Ed Krol - The Whole Internet -- Archie, Veronica and the Gopher
    Explore the World Wide Web
  Mr. William Durell - Data Administration and Management

Thursday, November 17
  Dr. Robert N. Charette - Profiting from Risk Management
  Mr. Watts S. Humphrey - Personal Process Improvement

Friday, November 18
  Dr. Robert S. Arnold - Legacy System Migration
  Mr. Edward V. Berard - Testing Object-Oriented Software

In addition to the regular twice yearly seminar series, the WDC-ACM also
hosts a distinguished international lecturer.  This year, Mr. Philip
Zimmermann, developer of the well known Pretty Good Privacy encryption
algorithm, will discuss Public Key Cryptography on Thursday November 10,
1994.

The seminar series and internationally known lecturer presentation are
held at the University of Maryland Adult Education Center on the campus
near the intersection of Adelphi Road and University Boulevard (Route 193).
REGISTRATION

                          Advance        Walk-in        Purchase
Category                  Cash,          Cash,          Orders
                          Check,         Check,         Training
                          Credit Card    Credit Card    Requests

ACM Chapter Member        $170           $205           $230
Non-Member                $175           $205           $230
Full-Time Student         $ 80           $110           $230
Sr. Citizen               $ 80           $110           $230
  (age 60 or over)

Attendance at each course will be limited to the capacity of the room being
used (check with the ACM/PDC answering machine, (202) 462-1215, for
availability).  We are planning on using the largest rooms available for
Mr. Krol, Zimmermann and Humphrey.

Detailed registration information and assistance can be obtained by
calling Mrs. Nora Taylor at (301) 229-2588.

------------------------------

Date: 31 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
on your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  U.S.
users on .mil or .gov domains should contact (Dennis Rears).  UK
subscribers please contact .  Local redistribution services are provided at
many other sites as well.  Check FIRST with your local system or netnews
wizards.  If that does not work, THEN please send requests to (which is not
automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good
taste, objective, cogent, coherent, concise, and nonrepetitious.  Diversity
is welcome, but not personal attacks.  PLEASE DO NOT INCLUDE ENTIRE
PREVIOUS MESSAGES in responses to them.  Contributions will not be ACKed;
the load is too great.  **PLEASE** include your name & legitimate Internet
FROM: address, especially from .UUCP and .BITNET folks.  Anonymized mail is
not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.  All
other reuses of RISKS material should respect stated copyright notices, and
should cite the sources explicitly; as a courtesy, publications using RISKS
material should obtain permission from the contributors.

ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR>cd risks:
Issue j of volume 16 is in that directory: "get risks-16.j".  For issues of
earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits)
for Vol i Issue j.  Vol i summaries in j=00, in both main directory and
[.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs
out.  CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ;
UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are
alternative repositories.  See risks-15.75 for WAIS info.  To search back
issues with WAIS, use risks-digest.src.  With Mosaic, use
http://www.wais.com/wais-dbs/risks-digest.html.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in
receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for
info regarding fax delivery.  PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL
RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415)
859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 16.31
************************