The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 26

Wednesday 29 August 1990


o Stonefish - the software strikes back?
Pete Mellor
o Computers at the Campus Bookstore
Gary McClelland
o Reverse Engineering - not always a copyright issue
Joe Morris
o Re: Electronic house arrest units
Martin Minow
o Re: Proposed ban on critical computerized systems
Perry Morrison MATH
o Caller ID Discussion List Started
Bruce Klopfenstein
o Info on RISKS (comp.risks)

Stonefish - the software strikes back?

Pete Mellor <>
Wed, 29 Aug 90 22:40:52 PDT
>From Channel 4 news last night (Tue. 28th Aug.):

It is reported that Iraq may be deploying some of the Royal Navy's latest
high-tech weaponry. Apparently this is causing US commanders to be reluctant
to send aircraft carriers into the northern area of the Gulf.

The villain of the piece is the smart mine 'Stonefish', developed by Marconi
Underwater Systems under contract to the Royal Navy. This little charmer is
so cute it listens to the engine noise of ships passing overhead, and can tell
what type of vessel is within range. It 'hides' from minesweepers, and
blows the backside off anything else.

At the heart of the system is (you've guessed it!) 'highly sophisticated and
classified' *software*.

The Channel 4 investigators have in their possession the 'Technical Description
and Specification' of Stonefish. The cover sheet and first few pages of this
document were actually shown on screen, and looked pretty authentic, with the
Marconi logo and classification 'UK restricted: commercial in confidence'
clearly visible.

C4's copy, however, comes not from Marconi's Watford HQ, but from a source not
a million miles removed from Cardoen International, a Chilean firm (no boring
restrictions on arms sales there!) described by an expert from Jane's as being
specialists in the 'laundering' of military technology for the benefit of third
world countries (at least, those with adequate oil revenues to pay for it).
Cardoen has well-established links with Iraq.

The implication is not that Stonefish has been sold bundled to Iraq, but enough
technical information is in dubious hands for the Iraqis to have a good go at
building a look-alike.

Carlos Cardoen, filmed at a news conference, said that he had a very close
relationship with Marconi, and some of their guys had visited him.

Marconi said 'We have no relationship with Cardoen.' and refused to be

An expert from an outfit called something like 'Naval Weapons Review' gave it
as his opinion that Iraq probably has 'a limited number of quite sophisticated
mines', but implied that we shouldn't worry too much, since 'the Navy would
not let a UK contractor simply hand over the software for a weapons system'.

So there you have it. Saddam Hussein is in the Stonefish plug-compatible
market, but our Navies are safe provided he can't get his hands on the
operating system.

All of which prompts me to wonder:-

 1. If the Iraqis have the software for a 'limited number' of mines, why
    haven't they got enough for an unlimited number?
    (Perhaps the blockade is working, and they haven't got enough floppy disks
    to make the copies. :-)

 2. How does Stonefish 'hide' from a minesweeper? The cylindrical object shown
    in the newsreel shots doesn't look as though it is capable of crawling
    under a rock. Perhaps it just switches off its disk drive to stop the noise
    and pretends to be an oil-drum. :-)

 3. How reliably can Stonefish identify ships by their engine noise signature?
    What happens if your cruiser's big ends are rattling?

 4. Does Stonefish rely on some sort of sonar transponder
    to distinguish friend from foe? (Remember the Falklands helicopter!)

 5. What are the chances that Iraq already has the software? (After all, we all
    know Arabs can't write programs, and software is rather difficult to
    smuggle through customs. :-)

 6. The sophistication of Stonefish's recognition system argues for some kind
    of artificial intelligence. If it's that smart, would it know who was
    winning and change sides accordingly? :-)

 7. Isn't it time that Jane's produced 'All the World's Software'?

Peter Mellor, Centre for Software Reliability, City University, Northampton Sq.
London EC1V 0HB +44(0)71-253-4399 Ext. 4162/3/1 (JANET)

Computers at the Campus Bookstore

"Gary McClelland" <>
28 Aug 90 22:49:00 MDT
RISKS readers will recognize this as an old risk but it made this
academic chuckle as we begin another semester.  The computer at the
campus bookstore prints out a tag for each required textbook
indicating the course number, instructor, number of copies ordered,
etc.  Given that textbooks are often used by more than one course, the
computer kindly prints out a cross-list of other courses using the
same text.  One card caught my eye with its unusually long list of
cross-listings.  Curious as to what textbook was so popular this term,
I looked closer to see the title.  Being an author I had hopes that
maybe it was mine :-)  Alas, the title of this very popular text was
NO TEXT REQUIRED.  I wonder who gets the royalties on that textbook? :-)

   --Gary McClelland, U. of Colorado

Reverse Engineering - not always a copyright issue

Joe Morris <>
Mon, 27 Aug 90 15:43:04 EDT
There have been several RISKS submissions recently discussing the legal
status of reverse-engineering of copyrighted material.  Reading them, however,
one could easily conclude that copyright law is the only governing issue
involved.  It isn't: in fact, most of the products I've seen (both mainframe
and personal computer) assert not only copyright but also contract rights.
For example, IBM's FY90 GSA schedule in Special Item 132-30, section 4(a)6
(page 44) includes the item:

  (6)  The Government shall not reverse assemble or reverse compile the
       licensed programs in whole or in part.

Almost all vendors have a corresponding clause in their software license
agreements, so the question of copyright law permitting reverse engineering
is usually moot.  Of course, we now have the issue of deciding which
parts of the contract are legally enforcable.  (Cf. Vault v. Quaid, in
which my memory says the court held that the shrink-wrap "license contract"
in PC software was unenforcable.)

Shakespeare was right: shoot all the lawyers.

re: Electronic house arrest units

"Martin Minow, ML3-5/U26 27-Aug-1990 1421" <>
Mon, 27 Aug 90 13:02:55 PDT
It was somewhat disturbing to discover that all of the people who took time
to comment on the "electronic house arrest" units focussed on the technology,
and none apparently noticed that this is a safety-critical application.
I.e., failure of the system may lead to the re-incarcenation of a parolee.

I would feel more comfortable if our court/prison/parole system were funded in
such a way as to permit personal contact between the parolee and parole
                                          Martin Minow

Proposed ban on critical computerized systems (Cameron, RISKS-10.24)

Perry Morrison MATH <>
28 Aug 90 04:33:45 GMT
#On page 63 of the August 1990 _World_Press_Review_:
#"Unreliable Computers", by Nick Nuttall, "The Times," London
#Two Australian scientists are calling for a world-wide ban on the use of
#computers in sensitive areas, such as hospital intensive-care wards, the
#nuclear-power industry, air-traffic control stations, and early-warning defense

The reference is- Forester, T., & Morrison, P. Computer Unreliability and
Social Vulnerability, Futures, June 1990, pages 462-474.

# 22 fatal crashes of the Black Hawk helicopter --
#which flies by computer — used by the U. S. Air Force

We refer to the death of 22 *servicemen* in *5* blackhawk crashes since 1982.
Our reference is B. Cooper and D. Newkirk, Risks, November 1987. We didn't
have a vol or issue no.

If this is incorrect, please let us know.

Perry Morrison

   [The item was from RISKS-5.58 (15 November 1987).  It reappeared in
   in Software Engineering Notes, vol 13, no 1 (January 1988), page 7.
   The original source was a wire service report from 12 November 1987.
   The RISKS issues on the Black Hawk also included RISKS-5.56 (9 Nov 87),
   5.59 (16 Nov 87), and 5.60 (18 Nov 87).  I hope that helps.  PGN]

Caller ID Discussion List Started

Bruce Klopfenstein <klopfens@bgsuvax.UUCP>
23 Aug 90 00:55:15 GMT
Date:     Tue, 21 Aug 90 9:31:25 EDT
From: Telecom Privacy List Moderator <telecom-priv-request@PICA.ARMY.MIL>
To: telecom-priv@PICA.ARMY.MIL
Subject:  Telecom Privacy List

    Hello, Everyone.  The caller id list is now up and running.  I have
anout 35 names on it currently.  The address is  Currently, the list will not be moderated or
digestified.  This might change due to volume.

  On Caller-Id ....

  I believe it should be available, however the following should apply:

1) It should be blockable at no charge for any number.
2) Name or address (or the fact it is a pay phone) should be made available.
3) Actual calling number should be used not billing number.
4) Under no circumstances should a third number be used shown as the
actual calling number (i.e. Law Enforcement Officer dailing from one
number having the id number showing up as a different number).

Optional - Show if number is listed as residental or business.

Bruce C. Klopfenstein          |
Radio-TV-Film Department       |  klopfenstein@bgsuopie.bitnet
318 West Hall                  |  klopfens@bgsuvax.UUCP
Bowling Green State University |  (419) 372-2138; 372-8690
Bowling Green, OH  43403       |  fax (419) 372-2300

    [We've probably had enough on this issue in RISKS, so here is a new
    outlet.  I've also been rejecting ATM and Electronic house arrest items
    unless they are particularly cogent.  PGN]

Please report problems with the web pages to the maintainer