The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 12 Issue 9

Thursday 25 July 1991

Contents

o The limits of simulation
Henry Spencer
o RISKS vs. RISKS
Steve Bellovin
o Gottschalks rejects check
Todd Heberlein
o Proposed law on computer searches
Chris Hibbert
o New Jersey "software engineering" registration legislation
John M. Ritter via Arthur Rubin
o Info on RISKS (comp.risks)

The limits of simulation

<henry@zoo.toronto.edu>
Thu, 25 Jul 91 21:37:48 EDT
The May 27 Aviation Week, reporting on the April 1 test-stand failure of an
upgraded SRB for the Titan 4:

  Investigators determined that extensive three-dimensional computer
  simulations of the [motor's] firing dynamics did not reveal subtle factors
  that they now believe contributed to motor failure.  [Program director]
  Stirling said the full-scale test was essential precisely because computer
  analyses cannot accurately predict all nuances of solid rocket motor
  dynamics.  "That's why we test", he said.

For those who don't follow the space news, a few seconds into the test the
motor pressure rose rapidly and exceeded the limits of the casing, the result
being a large, spectacular explosion that destroyed the motor and much of the
Edwards AFB test stand.
                           Henry Spencer at U of Toronto Zoology  utzoo!henry


RISKS vs. RISKS!

<smb@ulysses.att.com>
Thu, 25 Jul 91 13:52:26 EDT
In the same issue of RISKS-12.08, we have (from PGN)
  > Dennis Perry, an Oakland truck driver, and his good friend, Yvonne ...
and from Mark Seecof:
  > However, the laws on the books assume the exercise of discretion.

The contradiction is, of course, obvious.  What isn't clear is what to do about
it.

Computers are great at making ``objective'' decisions.  Civil service rules and
government procurement regulations try to mimic this behavior.  The goal is not
to achieve the best, but to guard against the worst.  But even worse can be
``achieved'' when the regulations aren't drafted carefully enough, letting an
unscrupulous official finagle through a particular outcome.
                                                         --Steve Bellovin


Gottschalks rejects check

Todd <heberlei@iris.eecs.ucdavis.edu>
Thu, 25 Jul 91 12:05:57 -0700
I recently tried to purchase some merchandise at a local Gottschalks with a
check.  Before accepting my check, the clerk checked Shared Check Authorization
Network (SCAN) to see if I have had any returned checks.  The clerk then
informed me that they could NOT accept my check.

Having never bounced a check, and having more than ample money in my checking
account, I was very surprised.

After calling my credit union and SCAN, I was able to sort out the error.
Gottschalks entered the account number on my check BUT NOT the bank number.
SCAN apparently does a look up on just account numbers (as well as account and
bank numbers), and as it turned out, someone with the same account number at a
different bank had bounced checks.  SCAN then returned FAIL.

The result: I could not use a check because someone else at a different bank
bounced a check.

If other places only enter account numbers and not bank numbers, I will
probably have to get a new account number from my bank.  :-(
                                                                  Todd


Proposed law on computer searches

<xanadu!hibbert@uunet.UU.NET>
Thu, 25 Jul 91 14:53:15 PDT
Don Ingraham was one of the prosecutors who talked at the Conference on
Computers Freedom and Privacy in March.  At the last session, he said he would
write and propose new guidelines for prosecutors to follow that would take into
account the concerns that were brought up at the conference.  Last month, he
gave a talk at the first meeting of the Berkeley SIG on Freedom, Privacy, and
Technology (affiliated with BMUG and CPSR-Berkeley).  He mentioned at that
point that he had a draft, and I later asked him for a copy.  When I asked him
if I could redistribute it, he not only gave me permission, but encouraged me
to do so.

If you have suggestions on how to improve the draft, or if you represent a
relevant group (CPSR, EFF, ACLU, and ACM come to mind) and would like to offer
Don official support, he'd very much like to hear from you.  Don isn't
electronically connected, so you'll have to send him fax or paper mail, or call
him on the phone.  If there is interesting discussion here, I'll tell him about
it, but I don't promise to show him every word.

What follows is first Don Ingraham's summary, then the draft bill, and finally
his commentary on what it means, and what he'd like to have happen with it.
This is an important proposal, and it looks like quite a good law.
                                                                      Chris
        hibbert@xanadu.com              uunet!xanadu!hibbert

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

               PROPOSAL FOR PENAL CODE SECTION 1538.6:
                   ELECTRONICALLY STORED MATERIAL.

    Revised 11 June 1991
    Donald G. Ingraham, Assistant District Attorney, Alameda County,
    1225 Fallon Street, Oakland CA 94612 4292  (415) 272-6232  fax 271-5157

   The following is a proposal to add to the existing search warrant provisions
of the Penal Code some particular restraints on the issuance of warrants which
are required by federal law; it would also establish controls on the
examination of electronically stored evidence seized in the course of a
criminal investigation, and empower the Attorney General to monitor and
regulate compliance with this law.

There are four main aspects:
   first, it recognizes the existing restraints of federal law, in particular
the Privacy Protection Act (42 USC 2000aa) portion of the Civil Rights Act, and
also chapter 212 of the Electronic Communications Privacy Act (18 USC 2700 et
seq) dealing with stored electronic communications.  The portion of the ECPA
which addresses the interception of electronic communications is covered by
existing law.
   second, it establishes the Attorney General of California in a monitoring
and regulatory function, not unlike the function now performed in regard to
criminal offender record information.  In the following text, references to
federal law appear in parentheses.
   third, it establishes criteria for the inventory and analysis of
electronically stored evidence, and affords the person from whom it was seized
and other interested parties standing and information to present their
interests and concerns to the issuing magistrate.
   fourth, it balances law enforcement's necessary investigative authority with
the privacy and personal interests of persons affected by the investigation.

   This topic is of such significance that it is suggested there be a specific
legislative declaration such as this:

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Legislative finding:

    The legislature finds that investigation and prosecution of crimes in which
computers are involved engenders a risk to other rights, including those to
conduct a business, to publish, and to conduct private communications.  This
section clarifies existing requirements of the federal Electronic
Communications Privacy Act and the Privacy Protection Act, and also invests the
Attorney General with authority to regulate the analysis and examination of
electronic media seized under the authority of this chapter.

Addition to Chapter 3, Search Warrants, Title XII, Special Proceedings
of a Criminal Nature, California Penal Code.

Section 1536.5

   A search warrant for computer-related material cannot be authorized except
in compliance with the following restraints.  All electronically stored
material seized, under a search warrant or otherwise, shall be retained and
analyzed as follows:

  [a] if the content is reasonably apparently identifiable as intended for
publication, a search warrant may be authorized only if the affidavit to that
warrant specifically provides probable cause that the material is contraband or
the fruits of a crime or things otherwise criminally possessed, or is property
designed or intended for use, or which is or has been used as, the means of
committing a criminal offense.
     (This is directly from Title 42 USC 2000aa(7).]

  [b] if examination of electronically stored communications indicates that any
particular file is a communication intended to be private and neither party
thereto is named as a subject of the search warrant, and the material has been
in such storage for under 180 days, the investigating officer may not continue
the analysis nor proceed further without obtaining a search warrant for stored
electronic communication, as defined by regulations issued by the Attorney
General.
       (This is adapted from Title 18 USC 2703: the term
        'search warrant for stored electronic communication'
        appears in that Title as a term of art.]

 [c] within five court days of any seizure of stored electronic material, the
investigating officer will file a supplement to the inventory required by
section 1537 which will list all electronic material with all available
specificity, including but not limited to file names then identified, and
indicate what procedures for analysis are being taken.  A copy of that and any
subsequent inventories will be furnished to the subject of the search warrant.
A further supplement will be filed with the issuing magistrate every tenth
court day thereafter until all electronic material has been analyzed.  A copy
of all such inventories will be part of the court record and open to public
inspection.

 [d] Electronic stored media will be analyzed as expeditiously as possible and
in the following order: first, material recognizably necessary to the conduct
of legitimate business and private communications; second, material
recognizably central to the crime under investigation; third, material
reasonably suspected of relating to the crime under investigation.  The
magistrate shall direct the investigating office or prosecutor to return or
copy such material to the owner, providing a receipt for the court record.

 [e] After the filing of the initial inventory, any person who has reason to
believe that he or she would be unfairly adversely affected in business or
communications by the retention or analysis of the seized electronic material
may petition the issuing magistrate for a hearing to demonstrate that the
proposed retention and/or analysis would result in significant injury to a
legitimate purpose.

          [This provision expands upon existing Calif PC
          1538.5, but is specific to electronic media; there
          is no known federal counterpart.  The provision
          for return by DA, receipt to Court, regular
          accounting and standing to others affected is not
          fantasy: we did as much in our Draper prosecution
          with mutually beneficial effect.]

  [f] The Attorney General shall establish regulations for the seizure,
examination, and disposition of electronic material obtained in the process of
criminal investigations consistent with the intent of this section that
intrusion and disruption be as minimal as the requirements of an investigation
permit, and in keeping with federal regulation.

          [This section empowers the Attorney General to
          keep computer related criminal investigations by
          our law enforcement agencies consistent with
          federal law, without the need to go to the
          legislature to accommodate changes in the federal law.]

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

     Comment, primarily intended for prosecutors, but open to all

  This is the draft of a bill on search warrants for electronically stored
material, which will probably be introduced next session: I need to line up AG
and other support for it to fly.  To put the idea in context, please be aware
that Penal Code 1538.5 covers review of searches and is the basis of our
traverse motions.  It seemed the logical place to put this, rather than in our
Computer Crime section-502- or under privacy.

  The idea is to get a legislative purpose statement, and then flag areas of
concern and potential federal liability:

  (a) flags the First Amendment Privacy Protection Act, 42 USC

2000aa, which addresses : ... any work product materials possessed by a person
reasonably believed to have a purpose to disseminate to the public a newspaper,
book, broadcast, or other similar form of public communication, in or affecting
interstate or foreign commerce.." which I try to boil down by the phrase
"intended for publication", adding a prefatory qualification, that it be
"reasonably apparently identifiable" as such.  The federal act makes no such
allowance, although I cannot imagine a court imposing it: as it now reads it is
rather like forbidding us to open any cabinet that may contain more than one
paper clip, at our peril.

    (b) does the same flagging as to Chapter 212, Electronic Communications
Privacy Act, 18 USC 2700 et seq, again clarifying that it does not apply if one
of the parties is already named in the warrant.  This would assume that the
possibility of electronically stored communications was anticipated by the
warrant, which should always be the case.  The legislative history is barren on
this, but what standing would an intruder have to object?

    (c) through (e) create something new, not in the federal law.  This
basically is a response to the main complaint about the usual investigation,
which is that the gear and files disappear into the maw of the eagle, and are
seldom if ever heard from again.  Having someone say "we're working on it"
every other month is not what I think James Madison had in mind.  I think that
such limbo should not be imposed, assuming that it ever is, and the best way to
keep that from happening would be to require a regular accounting and progress
report.  This would not only be reasonable, but it would also accomplish two
other boons: it would give us a need to keep our investigation going instead of
watching our resources get reassigned, and it should forestall more draconian
controls if this perception gets any more widespread.  We did exactly this when
we prosecuted John "Captain Crunch" Draper, and it worked well.  I wouldn't try
to process evidence any other way.

   (f) would empower our Attorney General to establish regulations for the
search of electronically stored material much as the AG now sets the policies
on confidentiality and privacy of Criminal Offender Record Information/"rap
sheets".  Going by administrative regulation rather than by way of additional
legislation guarantees that we will not stray from federal rules, which should
keep civil rights prosecutions of prosecutors per 42 USC 1983 at a minimum.


    What is needed to bring this about?

    The basic hope is to have it debugged and ready to submit by October: ready
to submit means, among other things, that we have some organized support from
concerned citizens.  The immediate hope is that both law enforcement and civil
libertarians will see the wisdom of structuring what is now not as structured
and be willing to support it.  The idea is to keep it clean and simple; if
glitches later develop, we could amend it again, but the essential aspect at
this point is to get legislative recognition of the fact that search warrants
for electronic material are already different from search warrants for other
things.  If we do that, and can get the Attorney General to agree, it should
fly.  My fondest hope is that come October I could represent to the appropriate
legislator that the AG, the CDAA, the ACLU, the CPSR, and the academic and
business communities thought this a heck of an idea, and in their view
essential.
   In summary, and in particular regard to the concerns of prosecutors like me,
this proposal would avoid the need to develop an electronic privacy measure in
California by adopting the federal law, and giving the Attorney General the
responsibility to keep up with its amendments through the California Code of
Regulations.  Two other states, Utah and Florida, have crafted their own
versions of the federal Electronic Communications Privacy Act; that independent
course risks inconsistencies and uncertainties as the judicial process
construes the ECPA.  The enactment of this proposal would avoid that, while at
the same time providing all available guidelines to law enforcement and to
citizens concerned with the freedom to use computer technology and with
electronic privacy, who are, after all, a significant portion of the People in
whose behalf we prosecutors are privileged to appear.


New Jersey "software engineering" registration legislation (J.M.Ritter)

<a_rubin@dsg4.dse.beckman.com>
Wed, 24 Jul 91 09:27:28 PDT
  [Following are large excerpts from articles posted by jmr@motown.allied.com
  (John M. Ritter) on comp.{os.msdos,sys.ibm.pc,unix}.programmer.  ]

New Jersey, that state which has lately proved to be ``the toughest in the
nation'' by trampling on its residents is once again attempting to reach all
new lows. Now, what has this got to do with programming...?

A bill has passed in the assembly that would require the licensing of computer
programmers -- to protect the public interest, of course.  Lord knows the
number of times I've been accosted in pizza parlors, late at night, by renegade
bands of unlicensed programmers. Well, now we'll be able to control these
low-lifes.

If you think I'm kidding, read on. What follows is Assembly Bill A-4414, which
has already passed the assembly. AT&T has estimated that it would need to
license over 5,000 people in New Jersey alone, and there is nothing in the bill
that differentiates home from business use.

So watch out: besides being arrested for legally buying a gun 20 years ago, you
could also be arrested for modifying a DOS batch file!

New Jersey and you. Perfect together?

       John M. Ritter, Allied-Signal, Inc., Corporate Tax Department
       jmr@motown.Allied.COM {att,bellcore,clyde,princeton,rutgers}!motown!jmr

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

                  ASSEMBLY, No. 4414

                 STATE OF NEW JERSEY

             INTRODUCED JANUARY 24, 1991

          by Assemblywoman KALIK, Assemblymen CASEY,
                  Spadoro and Mazur


       AN ACT providing for the licensure of software 1[engineers] _________1, amending
       P.L.1971, c.60, P.L.1974, c.46 and P.L.1978, c.73, and supplementing Title 45 of
       the Revised Statues.

       BE IT ENACTED by the Senate and General Assembly of the State of New Jersey:

 1.  (New section) This act shall be known and may be cited as the  ``Software
     1[Engineers'] __________1 Licensing Act.''

 2.  (New section) The Legislature finds and declares that the public  interest
     requires the regulation of the practice of software 1[engineering] _______
     ___1 and the establishment  of  clear  licensure  standards  for  software
     1[engineers]  _________1, and  that  the welfare of the citizens of this
     State will be protected by identifying to the public those individuals who
     are  qualified  and legally authorized to practice software 1[engineering]
     _________1.

 3.  (New section) As used in this act:

     ``Board'' means the State Board of Software 1[Engineers] _________1  esta-
     blished pursuant to section 4 of this act.

     ``Licensed software 1[engineer] ________1'' means any person who practices
     software  1[engineering] _________1 and who represents himself to the pub-
     lic by title or by description of services under any  title  incorporating
     such  terms as ``software engineer,'' 1``________ ________,''1 ``chartered
     engineer,'' or ``CEng'' or any similar title or description  of  services,
     who is duly licensed pursuant to this act.

     ``Software 1[engineering] _________1''  means  the  process  of  creating
     software  systems and applies to techniques that reduce software cost and
     complexity while increasing reliability and modifiability, which includes,
     but is not limited to, the elements of requirements 1[engineering] _______
     ___1, design specification, implementation testing and validation,  opera-
     tion and maintenance and software management.

 4.  (New section) There is created within the Division of Consumer Affairs  in
     the  Department  of  Law  and  Public  Safety  the State Board of Software
     1[Engineers] _________1. The board shall consist of nine members  who  are
     residents of the State who shall be appointed by the Governor. Six members
     shall be licensed software 1[engineers] _________1 who have been  actively

                             ____________________________

   EXPLANATION--Matter enclosed in bold-faced brackets [thus] in the above bill
   is not enacted and is intended to be omitted in the law.

   Matter underlined ____ is new matter. Matter enclosed in superscript
   numerals has been adopted as follows:
   1 Assembly ACP committee amendments adopted June 13, 1991.

   2 Assembly floor amendments adopted June 24, 1991.
     engaged  in  software  1[engineering]  _________1 for at least five years
     immediately preceding their appointment, except that the members initially
     appointed shall  be  licensed  pursuant  to  this act within 18 months of
     appointment. Of the remaining members, two shall be  public  members,  and
     one  shall  be  a member of  the  executive branch, all of whom shall be
     appointed pursuant to section 2 of P.L.1971, c.60 (C.45:1-2.2).

 5.  (New  section)  Each  member  of  the  board,  except  the  members  first
     appointed,  shall serve  for  a  term of five years and shall hold office
     until the appointment and qualification  of  his  successor.  The initial
     appointment to the board shall be: two members for terms of two years, two
     members for terms of three years, two members for terms of four years, and
     three  members  for terms of five years. Vacancies shall be filled for the
     unexpired term only. No member may be appointed for more than two consecu-
     tive terms.

 6.  (New section) Members of the board shall be compensated and reimbursed for
     expenses  and provided with office and meeting facilities pursuant to sec-
     tion 2 of P.L.1977, c.285 (C.45:1-2.5).

 7.  (New section) The board shall annually elect  from  among its  members  a
     chair, vice-chair and a secretary. The board shall meet twice per year and
     may hold additional meetings as necessary to discharge its duties.

 8.  (New section) The board shall:

       a.  Review the qualifications of applicants for licensure;

       b.  Insure the proper conduct and standards for examinations;

       c.  Issue and renew licenses to software  1[engineers]  _________1  pur-
    suant to this act;

       d.  Refuse to admit to examination, refuse to issue, or suspend,  revoke
    or  fail  to  renew the license of a software 1[engineer] ________1
    pursuant to the provisions of P.L.1978, c.73 (C.45:1-14 et seq.);

       e.  Maintain a record of every software 1[engineer]  ________1  licensed
    in  the State, their places of business, places of residence and the
    date and number of their license;

       f.  Establish fees pursuant to P.L.1974, c.46 (C.45:1-3.1 et seq.);

       g.  Adopt and promulgate rules and regulations pursuant to the  ``Admin-
    istrative  Procedure  Act,''  P.L.1968,  c.410  (C.52:14B-1 et seq.)
    necessary to effectuate the purposes of this act.

 9.  (New section) No person shall practice, or  present  himself  as  able  to
     practice, software  1[engineering] _________1 unless he possesses a valid
     license as a software 1[engineer] ________1 in accordance with the  provi-
     sion of this act.

10.  (New section) The provisions of this act shall not be construed to prevent
     the following provided that no word, letter, abbreviation, insignia, sign,
     card or device is used to convey the impression that the person  rendering
     the service is a licensed software 1[engineer] ________1:

       a.  Any person licensed to practice in this State under any  other  law
    from engaging in the practice for which he is licensed;

       b.  Any person employed as  a  software 1[engineer]  ________1 by  the
    federal  government,  if the person provides software 1[engineering]
    _________1 services solely under the direction  or  control of  his
    federal employer; or

       c.  Any person pursuing a course of study leading to a degree or  certi-
    ficate  in  software  1[engineering]  _________1 at an accredited or
    approved educational program if the person is designated by a  title
    which clearly indicates status as a student or trainee.

11.  (New section) To be eligible for a licensure  as  a  software  1[engineer]
     ________1,  an  applicant shall submit to the board satisfactory evidence
     that he has:

       a.  2(1)2 Graduated from a program in software 1[engineering] _________1
    which  has  been approved for the education and training of software
    1[engineers] _________1 by an accrediting agency recognized by  the
    Council  on Post-Secondary Accreditation  and  the  United  States
    Department of Education; or

    (2) Work experience in a current or previous position of  employment
    utilizing the theory and procedures of software designing for a suf-
    ficient period of time as determined by the board; and

       b.  Successfully completed a written  examination  administered by  the
    board pursuant to section 14 of this act to determine his competence
    to practice software 1[engineering] _________1.

12.  (New section) An applicant for licensure who is a graduate  of  a foreign
     school of software 1[engineering] _________1 shall furnish evidence satis-
     factory to the board that he has:

       a.  Completed a course of study in  software  1[engineering]  _________1
    which  is substantially equivalent to that provided in an accredited
    program described in subsection a. of section 11 of this act; and

       b.  Successfully completed a written  examination  administered by  the
    board pursuant to section 14 of this act.

13.  (New section) A  fee  shall  accompany  each  application for  licensure.
     Licenses  shall  expire  biennially  on January 31 and may be renewed upon
     submission of a renewal application provided by the board and a payment of
     a fee.  If  the  renewal fee is not paid by that date, the license shall
     automatically expire, but may be renewed within two years of  its expira-
     tion  date  upon  payment to the board of a sum determined by it for each
     year or part thereof during which the license was expired  and  an  addi-
     tional restoration fee. If a license has not been renewed within two years
     of expiration, the license shall only be renewed  by  complying  with  the
     provisions of section 16 of this act or successfully completing the exami-
     nation administered pursuant to section 14 of this act.

14.  (New section) The written examination required in section 11, 12, or 13 of
     this  act shall test the applicant's knowledge of software 1[engineering]
     _________1 theory and procedures and any other subjects the board may deem
     useful to test the applicant's fitness to practice software 1[engineering]
     _________1. Examinations shall be held within  the  State at  least  once
     every  six  months  at a time and place to be determined by the board. The
     board shall give adequate written notice of the examination to  applicants
     for licensure and examination.

     If an applicant fails the examination twice,  the applicant  may take  a
     third  examination  not  less than one year nor more than three years from
     the date of the applicant's initial examination.  Additional  examinations
     shall be in accordance with standards set by the board.

15.  (New section) The board shall issue a license to each applicant for licen-
     sure  as  a  software  1[engineer] ________1 who qualifies pursuant to the
     provisions of this act and any rules and regulations  promulgated by  the
     board.

16.  (New section) Upon payment to the board of a fee and the submission  of  a
     written application on forms provided by it, the board shall issue without
     examination a license to a software  1[engineer]  ________1  who  holds  a
     valid  license  issued by another state or possession of the United States
     or the District of Columbia which has  standards  for  licensure  substan-
     tially equivalent to those of this State.

17.  (New section) Upon payment to the board of a fee and the submission  of  a
     written  application  on  forms  provided by  it, the board shall issue a
     temporary license to a person who has applied for licensure  pursuant  to
     this act who, in the judgment of the board, is eligible for examination. A
     temporary license shall be available to an applicant upon initial applica-
     tion  for examination.  A person holding a temporary license may practice
     software 1[engineering] designing only under the direct supervision  of  a
     licensed  software 1[engineer] ________1. A temporary license shall expire
     automatically upon failure of the licensure examination but may be renewed
     for an additional six-month period, until the date of the next examination
     at which time it shall automatically expire  and  be  surrendered to  the
     board.

Please report problems with the web pages to the maintainer

Top