University of Bielefeld -  Faculty of technology
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.

The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16, Issue 22

Saturday 9 July 1994


o Roller coaster accident -- computer blamed
Jonathan Moffett
Marcus Marr
o Re: Tax Software to Avoid: CA Simply Tax
Rick Smith
Barry Margolin
o Re: Risks of vote fraud
Lawrence Kestenbaum
o Literary treatment of street-corner cameras
Mark Seecof
o Re: Just the Facts, Ma'am
Bob Frankston
o Re: Mosaic risks
John R Levine
o Any data of Bill Gates's Info-highway book?
Richard Botting
o Re: A330 crash
Curtis Jackson
Peter Ladkin
o Re: ACM Crypto Policy Statement
Nap & Erik van Zuuren
o Re: Fraud on the Internet
D. Owen Rowley
o EMI of 'VW? NOT!
Chris Norloff
o Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

Re: Roller coaster accident -- computer blamed

Jonathan Moffett < >
Fri, 08 Jul 1994 11:32:16 +0100
     27 Hurt in Roller-Coaster Train Crash
     By Victoria Combe, London Daily Telegraph, 8 July 1994
     More than 20 people were hurt last night in an accident on the world's highest
     and fastest roller-coaster at Blackpool's Pleasure Beach.  Two trains on the
     new 12 million pounds ride, The Big One, collided 30 feet above ground.  Eight
     passengers, trapped by jammed safety bars, had to be cut free.  27 people were
     taken to hospital with minor injuries, while others were treated for shock.
     The ride's computer-driven trains reach 85 mph but had slowed to 40 mph when 
     the crash happened.
     The Pleasure Beach said "One train collided with the rear of another which had
     stopped in the braking system.  "At the moment we have no idea how this could
     have happened.  The fullest enquiries are being undertaken."  Mr Geoffrey
     Thompson, the Managing Director said: "I have asked the American designer to
     return as quickly as possible.  Until then the ride will be shut."
     On the roller-coaster's first day, May 28, 30 people were trapped 235 feet 
     up after a fault in the computer system.
       [Mr Thompson said on BBC Radio 4's Today programme this morning that the 
       collision had taken place at 5 or 6 mph, not 40 mph.  (quote from memory)]
     Jonathan Moffett  Dept of Computer Science  University of York, UK
        [5 or 6, not 40?  Big difference!  But probably not 50 or 60...  
        American designer, eh?  Perhaps the same one that did the Timber Wolf
        at KC's Worlds of Fun (RISKS-9.96) and Hercules at Dorney Park 
        (RISKS-14.83), both of which had crashes?  PGN]

Re: Roller coaster accident

Marcus Marr <>
Fri, 8 Jul 94 15:39:31 BST
        [More on same from television news (ITN, 10pm, 7th July)...]
     [...] Because the passengers needed to be cut out, I would assume that the
     safety bars worked as designed (they failed locked rather than failed open,
     especially important for the inverted loops), though an unlocking
     mechanisms may have been a useful addition.

Re: Tax Software to Avoid: CA Simply Tax (Craig, RISKS-16.21)

Rick Smith <smith@SCTC.COM >
Thu, 7 Jul 94 18:16:42 CDT
     The essence of this 1040PC RISK is that a signature on the 1040PC does not
     indicate that the filer understands and agrees with what it says.  A readable
     version is absolutely required to make an informed decision. I prepared my
     1040 with personal tax software this year and submitted 1040PC. I keep printed
     copies of the full return as well as the PC version for my records. They
     matched up well enough to sign.
     I find it incredible that a preparer only provided the PC version for review
     and signature.  At the very least the preparer should submit both versions for
     review. In Craig Smith's case, this would have flagged the fact that buggy tax
     prep software was being used.  If the two didn't match, he shouldn't have
     signed either, and perhaps should have looked for a different preparer.
     Today, the IRS accepts their own printed forms, facsimiles produced by
     particular software packages, 1040PC, and electronic filing.  For years, the
     IRS has accepted facsimile forms generated on "letter quality" dot matrix as
     well as plain laser printers. They have _never_ required reproduction the
     colors appearing on their original forms.  While I believe the IRS will widen
     their use of machine readable input, I don't believe the IRS could eliminate
     readable forms even if they wanted to.  There are too, too many people in this
     country that just don't get it when it comes to encoded line numbers and other
     such intangible stuff. They'd suffer a really sharp rise in compliance
     problems if they eliminated "real" forms (a similar argument applies to the
     likelihood of a completely cashless society).
     I have been a consumer of tax software for several years and have some
     perspective on the problem with "bugs." The bottom line is that the tax
     software vendor had better not sell buggy software two years in a row, or
     nobody will come back for Year 3. There is a competitive market for tax
     software and unreliable products suffer a deserved disadvantage.
     Regarding "endorsement" of tax programs, there does seem to be a process by
     which the IRS will "approve" the appearance of signable forms generated by
     various tax programs. There's no implication that they approve of the
     programs' tax computations, just the appearance of critical forms like 1040.
     Rick Smith      roseville, minnesota

Re: Tax Software to Avoid: CA Simply Tax (Craig, RISKS-16.21)

Barry Margolin <barmar@Think.COM>
Fri, 8 Jul 94 16:25:45 EDT
     >Apparently there is a preparer's code covering this.  CA, on the other hand,
     >is under no such obligation.  In most industries, a defective product is
     >exchanged, refunded or repaired by the seller.
     While there's no legal obligation, and CA may not have such a policy, note
     that some other tax software vendors do.  I believe ChipSoft promises to pay
     any penalties you incur due to a miscalculation by Macintax or Turbotax.
     Barry Margolin  System Manager, Thinking Machines Corp.    {uunet,harvard}!think!barmar

Re: Risks of vote fraud (Rushton, RISKS-16.14)

Lawrence Kestenbaum <>
Thu, 07 Jul 94 20:10:02 EDT
     It often seems to take people by surprise when they realize how lightly
     secured voter authentication is in most elections.  Thomas Rushton's note,
     and some of the replies in 16.15, are typical examples.  This concern,
     coupled with deep cynicism about politics, leads people to generalize
     this "lack" of security into a vision of a risky process open to easy
     fraud and stolen elections.  But this conclusion is wrong.
     I'm not specifically familiar with voter authentication and balloting
     practices in the UK, Canada or Massachusetts.  What is described, though,
     sounds substantially similar to practices here in Michigan, where I have
     been a voter, an election worker, and a county commissioner.
     Michigan voters receive a voter registration card, but it plays no role
     in the actual voting process.  Indeed, no identification card of any
     kind is required; if presented, it is waved away.
     The voter fills out a slip of paper with name, address and signature.
     Supposedly, the signature on the slip is verified against the signature
     in the voter files.  In truth, almost any signature will do.  The
     training for election workers doesn't discuss this step; especially
     in busy precincts, the signature may not even be glanced at.  In any
     case, the card with the voter's official signature is a public record,
     which anyone could have inspected prior to election day.
     Another way to "spoof" the process would be to register to vote multiple
     times -- no proof of identity is required.
     Thus, it would be easy for a miscreant to vote twice, three times, a
     dozen times.  So why aren't we worried about this?
     The fact is that Michigan's election laws have evolved over a century
     and a half of responding to different kinds of fraud and vote buying
     schemes.  (For example, if a voter reveals or displays his ballot in
     the polling place, it is invalid.)  Most other jurisdictions have had
     similar experiences.  Considering both the laws and the practicalities,
     effective vote fraud is very difficult to do.
     First, the law: vote fraud is a felony.  The penalties are in the same
     range with things like arson and armed robbery.  Certainly there are
     people who are willing to commit felonies, but most people are not.
     The public thinks of vote fraud as being a crime of serious moral
     turpitude, something more like stealing cars than exceeding the speed
     limit.  Moreover, a perpetrator of vote fraud is at serious risk of
     being caught; and the more people who are involved, the greater the
     risk.  On the other hand, the fewer people who are in on it, the more
     difficult it is to "spoof" a sizable number of false votes.
     The nature of the political scene magnifies this problem.  Practically
     by definition, someone who wants to commit vote fraud has to be a person
     with some investment in the political process.  Scoffing about politicos
     aside, practically all of them are strongly motivated to avoid any taint
     of criminal activity.  Though there have been cases where a sitting
     officeholder has been re-elected despite indictment or conviction, on
     the whole it usually spells the end to one's political career.  Further,
     a felony conviction in many states (though not Michigan) terminates
     one's voting rights as well.
     But there's still another problem: until the vote totals start to
     appear, it is never clear how many stolen votes would be needed, and
     for whom.  Polling can't tell you this -- not with the requisite
     degree of precision.  The costs and risks of vote fraud are pointless
     if your candidate is winning anyway, or losing by too wide a margin.
     Effective election stealing (with a minimum of co-conspirators) requires
     knowing exactly how many votes you need.  Thus, it has to be an "inside
     job" and happen AFTER the polls close.
     The most famous American vote fraud of all time, Lyndon Johnson's
     stolen victory in the 1948 Democratic primary runoff for U.S. Senator
     from Texas, took place AFTER it was known that Johnson was 115 votes
     behind his opponent, Coke Stevenson.  Word was passed to George Parr,
     the infamous "Duke of Duval," with a plea to come up with at least
     that number of votes; and Ballot Box #13, Alice TX (with 202 votes
     for Johnson and none for Stevenson) showed up THREE DAYS after the
     election.  LBJ was declared the winner by 87 votes.
     I'd guess that Texas in 1948 was far more corrupt than any state is today.  In
     any case, the political process *does* sometimes learn from experience; the
     most exacting safeguards in election law have been built around the
     (vulnerable) tabulation and reporting phase.
     Lawrence Kestenbaum, School of Criminal Justice, Michigan State University 

Literary treatment of street-corner cameras

Mark Seecof PSD x77605 < >
Thu, 7 Jul 1994 14:12:39 -0700
     The social implications of street-corner (etc.) cameras have been the subject
     of literary exploration for much longer than 10 years.  For a particularly
     deep (though not exceptionally old) fiction treatment I refer you to David
     Drake's stories about a character named Jed Lacey, last collected in full I
     believe in a paperback titled "Lacey and his Friends."  Drake explores the
     implications of cameras everywhere.  Just to name one, people might be forced
     to share their living and work space with many others to minimize the number
     of cameras required (separate offices would require many cameras, bullpens
     could be covered by a few).  Mark Seecof <>

Re: Just the Facts, Ma'am (was Re: AI to screen bad from good cops)

Thu, 7 Jul 1994 17:32 -0400
     The issue of screening is an old one. I've already pointed, in RISKS, that
     arrest records are probably a very good predictor of whether one is guilty.
     But arrest records are not conviction records! Some of the problems arise
     because such statistical analysis denies the individual's ability to depart
     from the stereotypes. If I was once mistaken for someone who robbed a liquor
     store because I happened to have a beard at some point in my life, am I now
     less entitled to protect from unreasonable searches? Or does my profile mean
     that I am now subject to extra scrutiny.
     I might accept the idea of a profile in airport security fallible though the
     approach is). I'm much more reluctant to accept it if it denies an individual
     Of course, this assumes that the statistics and analysis are meaningful -- a
     very big assumption.

Re: Mosaic risks (Jawdat, RISKS-16.20)

John R Levine < >
Thu, 7 Jul 94 12:17 EDT
     [re the Spyglass version of Mosaic, and using it for credit card transactions]
     There are several licensees of Mosaic who are building their own enhanced
     versions of the program.  As far as I can tell, the primary security feature
     that is likely to be added is some sort of public key digital signature, so
     a client can send a message to a server in a presumably unforgeable way.
     >    Also, sources to various NCSA projects are not particularly difficult to
     >find (I found Telnet on wuarchive, and I've seen Mosaic at CMU) - with access
     >to Mosaic sources people could build fakes of the commercialized Mosaic to
     >trap credit card numbers.
     This Trojan Horse threat is indeed a possible one, although it seems to me
     that the same "safe software" techniques that one uses to avoid getting a
     virus with one's PC software would be appropriate to avoid getting Trojan
     John Levine,,,
     PS re Trojan Mosaics: Actually, most of the mosaics in that part of the world
     are Byzantine, but from what I've heard about the internals of the Mosaic
     source code, we have a Byzantine Mosaic now.

Any data of Bill Gates's Info-highway book?

"Dr. Richard Botting" < >
Sat, 9 Jul 1994 11:07:40 -0700
     In the July 6th 1994 issue of our local paper - The San Bernardino
     Sun-Telegram there is an odd letter from one Daniel Jeffs of Apple Valley,
     date June 29th.
     I'm not sure if I'm seeing evidence of the RISK of luddite paranoia or a
     useful early warning of a real risk to the public. It states that Bill Gates
     "is authoring a book about the information highway" which "will provide you
     with a left-handed warning about what's in the works for us" [...] "your PC
     will be miraculously be replaced and transformed into your PE(Personal
     enslaver) and PD (personal demon)"[...].
     So far I'd suspect a clever publicity stunt... but the letter ends with an
     appeal for "unselfish foresight and vision"[...]"traffic controls of
     public policy in the hands of all people"[...]
     (1) Does Bill Gates's vision actually imply a RISK worse than any other
     (2) Have similar letters been appearing in other local papers - a mail-
         merged version of internet spamming?
     Dr. Richard J. Botting, California State University, San Bernardino, CA 92407
     Copyright (1994) Copy and use as long as you include this copyright and signature.

A330 crash

Curtis Jackson < >
Fri, 8 Jul 1994 23:33:43 GMT
     The confirmation of the A330 crash stated that "the altitude of the aircraft
     was too low to avoid impact with the ground."
     Perhaps there is additional information that was withheld in the name of
     brevity, but why would Airbus conduct such an amazingly dangerous test so
     bloody close to the ground? If they were just after maximum aft centre of
     gravity, high angle of attack, and maximum climb, why couldn't they do the
     same at 2000 metres? At least until they got it right at altitude, and only
     *then* bring it down to ground level and simulate it shortly after a real
     Perhaps we in the software industry should take a cue from Airbus. For
     instance, network software developers should start testing their pre-alpha
     catastrophic failure recovery code on live heavily-trafficked networks...
     Curtis Jackson (preferred) or

The Scoop on the A330 Accident [3rd Version - see 1st note]

Sat, 9 Jul 1994 19:09:39 +0200
     Air et Cosmos, 11-24 Juillet 1994, p15, contains an extensive report on the
     A330 accident of 30 June 1994 by Jean-Pierre Casamayou.  The general story has
     been reported by Peter Mellor (RISKS-16.19). The new info is highly relevant,
     and implies that control of the aircraft was lost while the aircraft was under
     automatic control.  This is the first case, to my knowledge, in which this has
     been proved to have happened to Airbus aircraft, without any concomitant pilot
     error.  Sadly, the test pilots allowed the departure from control to continue
     for up to 12 seconds in order to analyse the incident. This delay was gallant
     but fatal. That's the English for you (RIP Capt. Nick Warner).
     The autopilot was using experimental software. This A330 was
     undergoing a flight test required for certification of the autopilot
     for Category III operations with Pratt and Whitney 4168 engines (the
     other A330's already in operation use CF6-80E1's, and such equipment
     has already been through this particular flight test sequence).
     Category III operations mean use of the autopilot for landing, up to
     and including main gear on the runway, and requires special
     certification of both aircraft and crew. It follows that a Category
     III operation can potentially be aborted, i.e. the pilots can select
     go-around while under autopilot control, with the main gear on the
     runway, and in the worst case an engine can fail at this point. One
     can see why it's required to conduct this test from an actual takeoff,
     rather than at altitude.
     The flight was supposed to test the mode SRS (speed reference system)
     of the autopilot, which should control the speed and angle of attack
     (AoA) of the aircraft in case of an engine-out. AoA is defined to be
     the angle that the wing makes with the undisturbed airflow in front of
     the wing. The test was performed at rearmost center-of-gravity.  
     Following is a translation of a continuous fragment of the article. I have
     included the originals of phrases I am unsure of. My thanks to Pete Mellor for
     confirmation of some of the meanings.  I don't have a dictionary of French
     aeronautical terms (although such exist, and they're quite large).  It refers
     to the following `V-speeds', defined in FAR Subchapter A Part 1 Para 1.2 for
     those in the US.  V_1 is takeoff decision speed (the speed at which the
     decision is made to abort or to continue takeoff in the case of engine
     failure); V_R is rotation speed (the speed at which the pilot commands
     nose-up); V_2 is takeoff safety speed (the speed at which the airplane may
     takeoff safely, even with one motor out); V_{mca} is the minimum single-engine
     control speed (the speed at which control of the aircraft may be maintained
     with one engine out).
     [begin translation] 
     The takeoff (V_1 = V_R = 126kts and V_2 = 135kts) took place at 136kts, 25
     seconds after full power was arrived at [`la mise en plein puissance des
     moteurs'], then the aircraft took its speed of climb of 150 kts. After the
     takeoff, an altitude of 600m QNH (roughly 460m QFE) was selected on the flight
     director FCU [the Flight Director on the A330 is called the FCU. pbl] This
     means that the aircraft should restore level flight [`retablir en palier'] at
     450m from the ground.
     Conforming to the test order, the pilot attained a speed of 150 kts, and 28
     degrees AoA in order to maintain this speed. Six seconds after takeoff, the
     autopilot was engaged, then the left engine retarded and the corresponding
     hydraulic pump cut to simulate a complete failure of the left engine. As
     predicted, the AoA began to diminish and passed from 29 degrees to 25 degrees,
     the limit authorised by the FMGES (Flight Management Guidance and Envelope
     System) which protects the flight envelope. But quickly, because of the low
     altitude selected on the FCU, the autopilot departed from mode SRS and entered
     mode ALT-STAR, the mode for acquisition and retention of altitude, in which
     mode the autopilot tries to attain altitude as quickly as possible, without
     taking into account the limiting conditions that the airplane was in: rearmost
     CoG, one engine retarded and the other at full power, high `incidence'
     [another word for AoA. pbl] [this is not a good explanation of ALT-STAR mode.
     pbl].  Result: the AoA started to increase again, and the speed decreased
     extremely quickly [`brutalement'].
     The flight team noted immediately the anomaly, but purposely let the situation
     degrade for about 12 seconds, in order to analyse it better, as is their role.
     The AoA attained 33 degrees with speed decaying to 100kts, which is 18kts less
     than V_{mca}, the minimum single engine control speed. At this moment, the
     pilot disconnected the autopilot and took over control.  But the speed
     continued to decrease. At about 90 kts, 28kts less than V_{mca}, the aircraft
     departed in a stall [`part en decrochage'] to the left with an angle of bank
     [`angle de roulis'] which attained 110 degrees.
     The pilot reacted quickly and well in retarding the right engine then bringing
     the wings horizontal. Unfortunately, because of the low altitude and fast
     rate of descent, he couldn't avoid impact with the ground, 35 seconds after
     [end translation]
     Peter Ladkin

Re: ACM Crypto Policy Statement (ACM, RISKS-16.20)

Nap & Erik van Zuuren <>
07 Jul 94 11:18:15 EDT
     On the ACM Crypto Policy Statement -- to which I strongly agree - and all the
     discussions on Clipper and associated phenomena, I would like to state my
     opinion with my European mind and my European trust in some of our
     authorities; in this case our Police authorities.  All the meddling of the
     National Security Agencies ( not only the U.S.A.'s NSA ) with reference to
     Sealing, Signing -- and last but certainly not least -- Encryption is very
     hard to understand, as for their own and MIL data/voice traffic these
     authorities up to now use their own means.  They want to go COTS ( Commercial
     Off The Shelf ), but have a problem in stating the categories of "time of
     protection" wanted for strategical, tactical and 'national interest'
     information, thereby making it difficult for COTS-suppliers to help them out
     the "COTS" way.
     RE: The "listening in" part: 
     1) For some purposes, one could even make a statement through "clear"
         telephone, which has a different meaning to the intended recipient; thus
         "listening in" is of 'no' use, even for a "clear" communication
     2) It is a "bloody shame", and the CEC-INFOSEC ( European Commission-
          INFOSEC ) people know my opinion on that for a long time now, that not
          all data-communications is enciphered in some "standardised" way, just to
          have a 'general' barrier against 'criminal energy'.
          The adversary then has to spend processing power = money to decipher
          and will lose out by using money on -- for him -- unusable information.
     3) The only way, to solve the legal part, is NOT to forbid encryption, but
         provide legislation on the obligation of 'handing' over the required info
         on mechanism(s), algorithm(s), and key(s) used, if required -- case by 
         case -- in proven law cases [ to be edited by a lawyer, specialised on 
         the subject ]
     4) Just as a reaction on what is going on, the use of PGP ( even 2.6 ) is 
         exploding over here; and a European EFF will be there within short.
     5) Furthermore many European RSA-based, FEAL-based and "other"-based
         products are on the market, and in use ! 
     RE: Relation to "Police Forces", including e.g. Criminal Investigation Teams:
     Apparently some European Police Forces, and related Forces, are still
     considered -- in general -- to be the "friends" of the population, by the
     population.  The requirements for reaching such a relation with the 'public'
     - to be "of assistance to the public"
     - trustworthy staff
     - to be a trustworthy organisation, accompanied by a free press and 
       political will
     - to be supported by the judicial apparatus, for the Forces to stay motivated
     - a "quality of life" worth defending
     We will need a lot of "trustworthy" energy to protect us -- and our children
     -- against "criminal" energy.
     Our Police organisations use several means to protect access to their various
     Databases, and this protection has to be the strongest available, because of
     the 'real risks' involved.
     I fully agree with the following statements in the article by Ted Bunker in
     LAN Magazine of August 94:
     - "We must give our full support to the development of OPEN international
       security standards, that protect the interests of all parties fairly
     - There is a "constant" tension between the need for privacy and the need
       for protection
     - We do have serious privacy concerns
         - NOTE: e.g. when a Police official is performing an SQL request on a
           number plate, the official in the van should only get information on:
             - whether the car is looked for
             - whether the probable driver is looked for
             - whether the probable driver might be armed
           and nothing more, surely not the address of the pretty lady-driver !
     Do NOT get me wrong:
     - I also fell victim to injustice ( to my opinion ) in a case versus an 
     - I even have been insulted in writing by a member of the Council of Ministers.
     But, we have to trust ( and at the same time: control ) the forces which
     should protect the "law-abiding" ( or = sullen ? ) citizen, and are paid by
     that same citizen to do so !  Might be the price of "democracy".
     Nap van Zuuren, CompuServe 100042,3164
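The number-plate note above is a data-minimisation point: the roadside query path should be able to answer three yes/no questions and nothing else. The following is an added example (not part of the RISKS post and not any police system's code) of one way to enforce that at the database layer: the lookup runs only against a view that exposes the three flags, and an SQLite authorizer callback refuses any read of the underlying table that does not go through that view. The table layout, the view name `plate_check`, the sample records and the function names are all assumptions constructed for the example; in a server RDBMS the same effect would come from granting the roadside role SELECT on the view and nothing on the table.

```python
"""Column-level data minimisation for a number-plate lookup (added example)."""
import sqlite3

# Constructed sample records for the example; not real registration data.
SAMPLE_VEHICLES = [
    # plate, owner_name, owner_address, vehicle_wanted, driver_wanted, driver_may_be_armed
    ("AB-123-CD", "J. Example", "12 Example Street, Exampletown", 0, 0, 0),
    ("EF-456-GH", "M. Sample", "7 Sample Lane, Sampleville", 1, 1, 1),
]

FLAG_COLUMNS = ("vehicle_wanted", "driver_wanted", "driver_may_be_armed")
TABLE = "vehicles"      # assumed name of the full registration table
VIEW = "plate_check"    # assumed name of the minimised view


def build_db():
    """Create an in-memory database holding the full table plus the restricted view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"""CREATE TABLE {TABLE} (
        plate TEXT PRIMARY KEY,
        owner_name TEXT NOT NULL,
        owner_address TEXT NOT NULL,
        vehicle_wanted INTEGER NOT NULL,
        driver_wanted INTEGER NOT NULL,
        driver_may_be_armed INTEGER NOT NULL)""")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_VEHICLES)
    # The view carries the plate (needed as the lookup key) and the three flags only;
    # owner name and address are never selected, so they cannot leak through it.
    conn.execute(f"""CREATE VIEW {VIEW} AS
        SELECT plate, {", ".join(FLAG_COLUMNS)} FROM {TABLE}""")
    conn.commit()
    return conn


def _authorizer(action, arg1, arg2, dbname, source):
    """Allow reads of the full table only when they originate from the view.

    SQLite passes the name of the view (or trigger) responsible for an access in
    `source`; it is None for top-level SQL.  Everything else is allowed so that
    ordinary SELECTs against the view keep working.
    """
    if action == sqlite3.SQLITE_READ and arg1 == TABLE and source != VIEW:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def lock_down(conn):
    """Install the authorizer: from now on the table is reachable only via the view."""
    conn.set_authorizer(_authorizer)
    return conn


def roadside_check(conn, plate):
    """Answer the three questions for a plate; unknown plates read as all-clear.

    Returning the same shape for unknown plates means the caller learns only the
    flags, never whether a record exists or what else it contains.
    """
    row = conn.execute(
        f"SELECT {', '.join(FLAG_COLUMNS)} FROM {VIEW} WHERE plate = ?", (plate,)
    ).fetchone()
    if row is None:
        return {name: False for name in FLAG_COLUMNS}
    return {name: bool(value) for name, value in zip(FLAG_COLUMNS, row)}


def direct_address_lookup_denied(conn, plate):
    """Attempt the over-broad query the note warns about; True if the database refused it."""
    try:
        conn.execute(f"SELECT owner_address FROM {TABLE} WHERE plate = ?", (plate,)).fetchone()
    except sqlite3.DatabaseError:   # SQLITE_DENY surfaces as "not authorized"
        return True
    return False


if __name__ == "__main__":
    db = lock_down(build_db())
    print(roadside_check(db, "EF-456-GH"))          # three True flags, nothing else
    print(direct_address_lookup_denied(db, "EF-456-GH"))   # True: address read refused
```

Before `lock_down` the direct query succeeds, which is the situation the note objects to; after it, the same application code can only obtain the three flags, and an attempt to widen the query fails at the database rather than relying on every client to behave.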

Re: Fraud on the Internet (Barber, RISKS-16.21)

"D. Owen Rowley" <>
Thu, 7 Jul 1994 11:53:58 -0700
     > ...  Do we really need to require users to show their identification
     >papers before they can participate on the Internet?
     Your reaction is naive.  The short answer is yes.
     However, there is no *the internet*, what you refer to is an internetwork of
     internetworks. The current popular conception is to have one huge internetwork
     that serves all needs and desires of all participants all the time in all of
     its parts. In short - I don't think so.
     Just as we zone our physical space, we must zone our data-space.  Our
     internetworked services and data-spaces, must provide proper security in the
     form of authentication and authorization for those transactions that
     absolutely require such. Our internetworked services and data-spaces, need not
     provide over-zealous security with absolute authentication and authorization
     for those transactions that don't require it ( or where such is undesirable).
     This whole ball of wax falls into what I call The Un-real estate business.
     LUX ./. owen  Inner Zone Unrealty Co.

EMI of 'VW? NOT! (Elana, RISKS-16.17)

Fri Jul 8 07:59:16 1994
          [No, I did NOT make this post up!!!   Elana]
     > ...  I heard that if you had high enough RF power
     >you could disturb the electric fuel pump, so I tried this one day using
     >a 600 Watt PEP amp and keyed an AM carrier, and what did I see???
     SOMEBODY is making this up!  1963 VW Bugs had a MECHANICAL fuel pump (a fact I
     am totally certain of).  I believe VW Bugs at least until the 1970's had a
     mechanical fuel pump.
     Good story, but only a story.
     Chris Norloff

Last modification on 1999-06-15
by Michael Blume