The RISKS Digest
Volume 1 Issue 14

Monday, 16th September 1985

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Pitfalls of a Fail-Safe Mail Protocol?
Peter G. Neumann
Some Ruminations on an Ideal Defense System
Bob Estell
SDI, feasibility is irrelevant
Gopal

Pitfalls of a Fail-Safe Mail Protocol?

Peter G. Neumann <Neumann@SRI-CSLA.ARPA>
Mon 16 Sep 85 20:25:57-PDT

After reading the case of the double posting of hundreds of millions of dollars in RISKS-1.11, some of you apparently experienced the multiple posting of RISKS-1.13 — all original mailings time-stamped Sat 14 Sep 85 23:43:07-PDT, all complete, and all identical. Brint Cooper, for example, received THREE identical copies at various time intervals.

  Received: from brl-aos.arpa by TGR.BRL.ARPA id aa20274; 15 Sep 85 3:23 EDT
  Received: from sri-csl.arpa by AOS.BRL.ARPA id a017885; 15 Sep 85 3:18 EDT

  Received: from brl-aos.arpa by TGR.BRL.ARPA id a021160; 15 Sep 85 4:47 EDT
  Received: from sri-csl.arpa by AOS.BRL.ARPA id a018065; 15 Sep 85 4:35 EDT

  Received: from brl-aos.arpa by TGR.BRL.ARPA id a022055; 15 Sep 85 6:31 EDT
  Received: from sri-csl.arpa by AOS.BRL.ARPA id a018257; 15 Sep 85 6:17 EDT

The new ARPANET message protocols are supposed to be fail-safe (never losing a message, retrying sensibly after a failure, and eventually returning undeliverable mail with a NAK), network-efficient (transmitting single copies to each host and letting that host redistribute), and reliable (never garbling a message) -- although they cannot guarantee message authenticity in the presence of tampering.

After consulting with my Foonly-TOPS-20 gurus (Geoff Goodfellow, Mark Lotter, and Dwight Hare), we discovered that just after I mailed RISKS-1.13 late Saturday night, Foonly's David Poole brought our system down and up (several times?) after midnight PDT for installation of a 100% memory increment. Each time he brought it back up, the mailer seems to have restarted sending some of the previously queued messages -- how many I do not know. It is NOT SUPPOSED TO DO THAT, but that is the most plausible explanation at the moment. If you again receive multiple copies, please remail them back in their entirety to Geoff@SRI-CSL (and we'll hope that you don't blow his mailbox). Geoff insists the protocol is sound, so let's let him in on the glitch-hunt! Meanwhile, we'll follow a bunch of possibilities.

Sorry for the inconvenience. We will take several measures to try to prevent a recurrence, but if there is a real bug in the protocols or in their implementation, then we will just have to slug it out until it is found.

Peter
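[Added illustration, not part of Peter's message or of the ARPANET mailer. It models the explanation offered above: a mailer that clears a spooled entry only after the transfer completes will resend that entry if the host goes down between the transfer and the bookkeeping write, so the far end sees identical copies, one per restart. The spool, receiver and Message-ID are constructed for the demonstration; the Received: lines are the three traces quoted above, used to count delivered copies by the final hop's queue id.]

```python
"""Duplicate delivery after a crash-restart, and receiver-side suppression.

Constructed example.  The Spool/Receiver classes and the Message-ID are
hypothetical; only the Received: traces are taken from the digest text.
"""
import re
from dataclasses import dataclass

RECEIVED_RE = re.compile(
    r"Received: from (?P<src>\S+) by (?P<dst>\S+) id (?P<id>\S+); (?P<when>.+)")


@dataclass(frozen=True)
class Message:
    message_id: str   # stays constant across retransmissions of one message
    body: str


class Spool:
    """Durable outbound queue: an entry survives restarts until marked done."""

    def __init__(self, messages):
        self.pending = {m.message_id: m for m in messages}

    def mark_done(self, message_id):
        self.pending.pop(message_id, None)


class Receiver:
    """Receiving host.  With dedup=True it keys on Message-ID and drops repeats."""

    def __init__(self, dedup):
        self.dedup = dedup
        self.seen = set()
        self.inbox = []

    def accept(self, msg):
        if self.dedup and msg.message_id in self.seen:
            return False            # duplicate suppressed, nothing appended
        self.seen.add(msg.message_id)
        self.inbox.append(msg)
        return True


def drain(spool, receiver, crash_after_transfer):
    """One mailer run.  Transfer every pending entry; if crash_after_transfer,
    the host goes down right after the first transfer, before mark_done."""
    for mid, msg in list(spool.pending.items()):
        receiver.accept(msg)          # the bytes reach the far side ...
        if crash_after_transfer:
            return                    # ... but the spool entry is never cleared
        spool.mark_done(mid)          # bookkeeping happens only after transfer


def simulate(restarts, dedup):
    """Queue one issue, crash `restarts` times right after transferring it,
    then finish cleanly.  Returns the number of copies in the receiver's inbox."""
    spool = Spool([Message("<risks-1.13@sri-csl.arpa>", "RISKS-1.13")])  # constructed id
    rx = Receiver(dedup=dedup)
    for _ in range(restarts):
        drain(spool, rx, crash_after_transfer=True)
    drain(spool, rx, crash_after_transfer=False)
    assert not spool.pending          # eventually the entry does get cleared
    return len(rx.inbox)


def copies_from_trace(received_lines):
    """Count delivered copies from Received: headers: each distinct queue id
    at the final host is one copy of the same message."""
    hops = [RECEIVED_RE.match(line.strip()).groupdict()
            for line in received_lines if line.strip()]
    final_host = hops[0]["dst"]
    return sorted(h["id"] for h in hops if h["dst"] == final_host)


# The three Received: traces quoted in the message above.
TRACE = """
Received: from brl-aos.arpa by TGR.BRL.ARPA id aa20274; 15 Sep 85 3:23 EDT
Received: from sri-csl.arpa by AOS.BRL.ARPA id a017885; 15 Sep 85 3:18 EDT
Received: from brl-aos.arpa by TGR.BRL.ARPA id a021160; 15 Sep 85 4:47 EDT
Received: from sri-csl.arpa by AOS.BRL.ARPA id a018065; 15 Sep 85 4:35 EDT
Received: from brl-aos.arpa by TGR.BRL.ARPA id a022055; 15 Sep 85 6:31 EDT
Received: from sri-csl.arpa by AOS.BRL.ARPA id a018257; 15 Sep 85 6:17 EDT
""".splitlines()

if __name__ == "__main__":
    print("no dedup, 2 restarts:", simulate(2, dedup=False))   # 3 copies
    print("dedup,    2 restarts:", simulate(2, dedup=True))    # 1 copy
    print("copies in trace:", copies_from_trace(TRACE))
```

The point for a practitioner: a transport that never loses a message is necessarily at-least-once, so the receiver, not the sender, has to make delivery idempotent (here by remembering Message-IDs); the sender cannot be made exactly-once by reordering its own writes, since a crash can still fall between the transfer and the mark.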


Some Ruminations on an Ideal Defense System

estell@NWC-143B
Mon, 16 Sep 85 12:21:52 PDT

SOME RUMINATIONS on AN IDEAL DEFENSE SYSTEM 16 SEP 85 [RGE]

WHAT ARE THE CHARACTERISTICS OF AN IDEAL DEFENSE SYSTEM?
(Never mind that it does NOT exist - and likely will not in my lifetime.)

  1. Useful ONLY on the defensive; incapable of use as an offensive weapon.
  2. Effectiveness: 100%.
  3. Reliability: 100%.
  4. Cost: Cheap. So economical to manufacture and deploy that everyone who needs one (or two) could have it.
  5. Simple to use; requires no training; requires no “technology base.”
  6. Easy to maintain; essentially never wears out, or breaks.
  7. Side effects of use or possession: None.

EXAMPLES OF SYSTEMS THAT DO NOT MEET THE IDEAL REQUIREMENTS.

  1. Planes, ships, tanks, guns, and bombs - of any size.
  2. Chemicals, gas, germs, etc.

EXAMPLES OF SYSTEMS THAT MIGHT - or might not - SUFFICE.
(They clearly won't satisfy all the above requirements.)

  1. SDI - whatever that turns out to be, a few billion $ from now.
  2. MX - NOT the expensive “new” systems recently voted, but simple modifications of older, reliable, affordable technology. The key is the nature of the modifications. This isn't the place to say more.

WHY THIS PROPOSAL IS WORTH LOOKING AT.

  1. The technology is mature, affordable, and operational.
  2. The super-powers can USE this proposal, this year, or next. Not just the USA and the USSR; but a few other nations, too.
  3. The "trouble makers" who haven't yet demonstrated the maturity to abstain from rash use of a "doomsday" device can't use this idea.
  4. It saves money; and buys time - precious time, in which we can learn to trust each other, and to respect our differences - accepting the fact that "... east is east and west is west, and never the twain shall meet ..." [Kipling]

WHY THIS PROPOSAL WILL BE RESISTED - perhaps EVEN DISCARDED.

  1. Not many vendors will win multi-year, multi-billion contracts to develop and manufacture these systems. That has largely been done.
  2. Not many career officers and bureaucrats will get multiple promotions for the development and deployment of these systems; again, that's done.

SOME CONFESSIONS ABOUT MY MOTIVES.

I believe that Americans and Russians, Christians, Moslems, Jews, Buddhists, atheists, agnostics, capitalists, communists, socialists, pacifists, hawks, doves, owls, and others CAN live together; not in "harmony" - but in some civility, with respect. My belief is based on two facts:

  1. The lion and the lamb may never lie down together, but the lion and the antelope presently share the veldt; blood is shed, but genocide does not occur. It's elsewhere called the "balance of nature." There is even some evidence that the process improves the strain of antelope - and lion.
  2. I cannot accept gross demeaning judgments made about a people who produce some of the world's really great classical music. Tchaikovsky, Borodin, and others have composed the best - in my opinion. I believe that the Russians love their country, their families, their music, and the Almighty - by whatever name He may be called - just as we do; and, like us, they fear (or at least don't enjoy the thought of) death, starvation, disease, hatred, suspicion, etc. Why are they so "defensive" - an enigma wrapped in a mystery, surrounded by a riddle? (or whatever exact phrase Churchill turned in '48) Their land was invaded twice in the lifetime of their most recent leaders - men born before WWI. The losses of life were catastrophic; almost 25% of the adult male population died each time - though the WWI figures get blurred with the totals from their own revolution. And those weren't the first times; Napoleon did it in the 19th century, and the Mongols did it earlier. That plus the oppressive cold of a lingering winter give them a somewhat different world view. But in a quarter century, they, like us, have NOT pushed the button. That speaks well for their responsibility.

Our REAL problem - in the USA and the USSR and the third world - indeed in the entire world - is NOT communists, not Arabs, not any organized government, nor religion; it is terrorists - criminals; men of desperation, who when armed will extract their needs by violence, and damn the consequences. We have more than our share of such trouble-makers; they have attacked many of our prominent citizens recently: John and Robert Kennedy, Martin Luther King, Jr., Ronald Reagan, Patty Hearst, and Malcolm X are examples easily remembered.

If some of the money spent now on weapons can be re-invested in research in medicine, in electronics for space exploration, in agriculture, etc. there will be no loss of income for the scientists and business men now supplying the Pentagon. True, many of them will have to adapt; but then, they do that now. The arms of WWII just don't sell today. A Technology Base that supports sophisticated weapons to kill people can adapt to kill viruses; to guide rockets to the distant galaxies, instead of missiles to distant cities; to detect bombs of terrorists, instead of bombs of military commandos. I will have to be one of those who adapt; my employer, the Naval Weapons Center, must adapt too. We are intellectually capable of doing that.

RGE


Re: SDI, Feasibility is irrelevant

Gopal <Gopal.es@Xerox.ARPA>
16 Sep 85 11:09:56 PDT (Monday)

Your analogy to SDI of a duelling gunman putting on a bullet-proof vest seems slightly flawed, but your overall point is well taken:

The vest is far from being bullet-proof...and the vest does not exist yet. The gunman has just thought about making one, after many fruitless years of holding guns at each other. It is likely that he may not succeed in making a vest that stops any bullet. The other gunman knows this.

But IF he should succeed, THEN the status quo is broken immediately: the very fact of possession of a bullet-proof vest indicates that he can turn the outcome decisively in his favor. This clearly will be perceived as an act of hostility by the worst-case strategists at the Kremlin. If I were them, I would not sit by idly, twiddling my thumbs: I would launch.

Sure, the gunman trying to make the vest has promised to give one to the other gunman also, so there would be no hostility. But, WHEN he has one, he would not give it away. The strategists do not plan on the basis of goodwill. They would wait until a 'crisis' develops that forces them to make a hard choice: share SDI or die.

Would they get rid of the guns, once each one has a vest to stop bullets? Not likely. We all know that when he was the only gunslinger in town, he opted to keep that gun in case the other guy gets hold of one...but now he can't get rid of his gun BECAUSE the other guy has one too! If there is enough goodwill to get rid of the guns with vests, it should be even more feasible to get rid of them now, without having to incur the cost of the vests. Such goodwill simply does not exist while there is also fear.

If SDI should succeed, even partially, (that is, if the monkey should reach the moon, at least partially, by climbing the tree) then the only option would be to share SDI with the other guy. Even after sharing SDI, we are still bound by fear, of a different kind: what if one develops a way to take out the other guy's SDI somehow by first strike and tip the scales in his favour? Another president will come along to fund this project, because the other side "already started on it and we don't want to compromise national security". The other side, of course, needs no excuses like this. And, history will repeat...and repeat.

SDI does not solve the basic nature of the conflict in purpose that national leaders must exhibit: They must get rid of the guns to make peace and rid their people of fear, and they must protect national security. These are clearly not compatible goals in a world of hostile Governments. The Governments of the world hold the people hostage to fear and insecurity, much like a handful of gun-slinging gangsters holding a vast majority hostage to fear of crime.

I admit that it is much easier to shoot down an idea (like SDI) than to offer an easy alternative in a complex problem like this. But let this not be a reason to adopt a faulty approach like SDI.

Well, 'nuff ramblin' on SDI. By the way, the October issue of Science '85 magazine has a cover story on "RISKS: How it is perceived" and I thought it was quite thought-provoking and may help us understand how SDI-like risk is perceived by the people. I highly recommend reading it.

Gopal
