The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 44

Weds 2 February 1994

Contents

o Canada to monitor phone calls, fax, etc.?
Walter C. Daugherity
o Risks of cliche collisions on the information superhighway
Phil Agre
o Irrational risk research
Phil Agre
o Czech computer fraud
Mich Kabay
o Clipper Petition
Dave Banisar
o "Digital Woes" by Lauren Wiener
Rob Slade
o Info on RISKS (comp.risks)

Canada to monitor phone calls, fax, etc.?

Walter C. Daugherity <daugher@chisholm.cs.tamu.edu>
Wed, 2 Feb 94 09:04:52 -0600
>From EDUPAGE:

HIGH-TECH SNOOP GADGET.  A super-secret branch of the Canadian Security
Intelligence Service has awarded three contracts to a Montreal firm to make
equipment that can quickly isolate key words and phrases from millions of
airborne phone, fax, radio signals and other transmissions. The hardware has
the "Orwellian potential to sweep through ... and keep records of all
conversations," said one CSIS critic.  (CTV National News, 01/31/94 11:00 pm).

Walter C. Daugherity, Texas A & M University, College Station, TX 77843-3112
Internet, NeXTmail: daugher@cs.tamu.edu      uucp: uunet!cs.tamu.edu!daugher


Risks of cliche collisions on the information superhighway

Phil Agre <pagre@weber.ucsd.edu>
Tue, 1 Feb 1994 12:06:51 -0800
The 1 Feb 1994 Wall Street Journal's front page center column is about the
metaphors generated by the phrase "information superhighway", which (all are
reported to agree) Al Gore coined by analogy to the US interstate highway
system.  What the article, like the vast majority of recent articles on the
topic, is the whole point of the "highway" metaphor, which is the proposition
that long-distance vehicle/information transfer may well be a natural
monopoly, thus calling for the creation of some kind of public utility.  This
is a fairly spectacular example of the organized forgetting that goes on in
the "agenda setting" process in US politics (and those, no doubt, of other
countries, in their own ways).  The risk here is that these semantical magic
tricks may in the end deprive the public of the information infrastructure
they deserve.

Evidence on this count is readily available, it so happens, in the 2/1/94 New
York Times (business section, page C6), where we are told that investors are
terrified that the Bell Atlantic - TCI merger might actually "lead to a
destructively competitive "two-wire world", where phone and cable companies"
would construct competing networks.  Although the analysts are alarmed, Bell
Atlantic has reassured its investors that it will be doing its best to avoid
that scenario by focusing first on relatively high-profit (i.e.,
uncompetitive) markets.

Heads up.

Phil Agre, UCSD

   [We are going to see all sorts of metaphors springing up on the
   InfoSuperhighway, such as speeding (illicit acts), speedtraps (network
   monitoring to detect misuse), parking lots (traffic congestion),
   StopAndShop (overload from 300 channels of home shopping), deprogramming
   services (for the compulsive shopper), and designated drivers (the
   device drivers you can trust).  Maybe even BurmaShave signs scattering
   doggerel poetry along the way for the oldtimers.  PGN]


irrational risk research

Phil Agre <pagre@weber.ucsd.edu>
Tue, 1 Feb 1994 20:09:14 -0800
The 1 Feb 1994 New York Times (science section) includes an article by Daniel
Goleman entitled "Hidden rules often distort ideas of risk".  It's about a set
of social psychological ideas about "perceptions" of risk that become
newsworthy about once a year despite never seeming to change.  These include
the following:

 * Risks that are imposed loom larger than those that are voluntary.
 * Risks that seem unfairly shared are also seen as more hazardous.
 * Risks that people can take steps to control are more acceptable
   than those they feel are beyond their means to control.
 * Natural risks are less threatening than man-made ones.
 * Risks that are associated with catastrophes are especially frightening.
 * Risks from exotic technologies cause more dread than do those
   involving familiar ones.

The article reports a spectrum of views about the best explanation of these
results and the best policies to deal with them.  This spectrum might be
categorized as follows:

  Conservative:  People are irrational, so forget 'em.
  Moderate:      People are irrational, but we can persuade them.
  Liberal:       People are irrational, but hey, everyone has faults,
                 so let's humor them a little.

The common element, of course, is that is a view of ordinary people as
irrational because their rankings of the risks from various technologies are
considerably different from those of the experts.

What somehow never ceases to me is that all three approaches neglect a
perfectly obvious explanation, which is that people distrust the institutions
that seek to reassure them about unfamiliar technologies, having been
repeatedly and egregiously lied to in the past by many of those same
institutions (they were feeding plutonium to *whom*?), and they resent living
in a world dominated by such institutions, so they refuse to acknowledge the
claims of any technological project that has not been organized and evaluated
in a democratic way.  (The article does remark that people don't trust the
numbers, but that's apparently because people irrationally fail to weigh the
nuclear power plants that blow up against all the ones that don't.)  Probably
that's too simple, but it explains the data much more straightforwardly than
the known alternatives.

The interesting sociological question is how this feat of conceptual
constriction actually *works*.  Does this explanation literally never occur to
the people who do this research and write these articles?  How can that be?
Is it a conscious PR thing?  That would be disappointing in a way (too
straightforward), but it's certainly true enough with numerous other issues.

Clearly, as articles on the science pages so often conclude, further research
is needed.

Phil Agre, UCSD


Czech computer fraud (More on RISKS-15.22)

"Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
30 Jan 94 14:53:20 EST
>From the Associated Press newswire via Executive News Service (GO ENS) on
CompuServe:

Czech-Computer Fraud

    PRAGUE, Czech Republic (AP, 19 Jan 1994) -- A bank employee was sentenced
  to eight years in prison for stealing nearly $1.2 million in the Czech
  Republic's first major computer fraud, a newspaper reported Wednesday.
  Martin Janku, an employee of the Czech Savings Bank in Sokolov, transferred
  money to his own account in the bank with the help of his own computer
  program between September 1991 and April 1992, the daily Mlada Fronta Dnes
  said.

The article continues with a few details:

o    Janku arrested when he tried to withdraw money from a branch where a
     teller recognized him as a programmer she'd met during training;

o    sentenced to 8 years in jail;

o    claims he was testing bank security;

o    returned about $1 million of money he stole; rest, he says, was stolen
     from his car.

     [Moral: never test someone's security systems without written
     authorization from the right people.]

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn


Clipper Petition

Dave Banisar <banisar@washofc.cpsr.org>
Mon, 31 Jan 1994 15:59:20 EST
                Electronic Petition to Oppose Clipper
                      Please Distribute Widely

On January 24, many of the nation's leading experts in cryptography
and computer security wrote President Clinton and asked him to
withdraw the Clipper proposal.

The public response to the letter has been extremely favorable,
including coverage in the New York Times and numerous computer and
security trade magazines.

Many people have expressed interest in adding their names to the
letter.  In  response to these requests, CPSR is organizing an
Internet petition drive to oppose the Clipper proposal.  We will
deliver the signed petition to the White House, complete with the
names of all the people who oppose Clipper.

To sign on to the letter, send a message to:

     Clipper.petition@cpsr.org

with the message "I oppose Clipper" (no quotes)

You will receive a return message confirming your vote.

Please distribute this announcement so that others may also express
their opposition to the Clipper proposal.

CPSR is a membership-based public interest organization.  For
membership information, please email cpsr@cpsr.org.  For more
information about Clipper, please consult the CPSR Internet Library -
FTP/WAIS/Gopher CPSR.ORG /cpsr/privacy/crypto/clipper

=====================================================================

The President
The White House
Washington, DC  20500

Dear Mr. President:

     We are writing to you regarding the "Clipper" escrowed encryption
proposal now under consideration by the White House.  We wish to express our
concern about this plan and similar technical standards that may be proposed
for the nation's communications infrastructure.

     The current proposal was developed in secret by federal agencies
primarily concerned about electronic surveillance, not privacy protection.
Critical aspects of the plan remain classified and thus beyond public review.

     The private sector and the public have expressed nearly unanimous
opposition to Clipper.  In the formal request for comments conducted by the
Department of Commerce last year, less than a handful of respondents supported
the plan.  Several hundred opposed it.

     If the plan goes forward, commercial firms that hope to develop new
products will face extensive government obstacles. Cryptographers who wish to
develop new privacy enhancing technologies will be discouraged.  Citizens who
anticipate that the progress of technology will enhance personal privacy will
find their expectations unfulfilled.

     Some have proposed that Clipper be adopted on a voluntary basis and
suggest that other technical approaches will remain viable.  The government,
however, exerts enormous influence in the marketplace, and the likelihood that
competing standards would survive is small.  Few in the user community believe
that the proposal would be truly voluntary.

     The Clipper proposal should not be adopted.  We believe that if this
proposal and the associated standards go forward, even on a voluntary basis,
privacy protection will be diminished, innovation will be slowed, government
accountability will be lessened, and the openness necessary to ensure the
successful development of the nation's communications infrastructure will be
bthreatened.

     We respectfully ask the White House to withdraw the Clipper proposal.


<"Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067">
Mon, 31 Jan 1994 15:09:40 -0600 (MDT)
 <ROBERTS@decus.ca>
Subject: "Digital Woes" by Lauren Wiener

Lauren Wiener, "Digital Woes", Addison-Wesley Publishing Co., 1993,
0-201-62609-8, U$22.95/C$29.95

When reviewing books on technical topics, one quickly learns to dread the work
of those who do not actually practice in the field.  (Yes, we are told that
Wiener is a technical writer.  They may very well be professionals, but the
overwhelming majority are not technical professionals.)  With this prejudice
firmly in place, it came as a delightful surprise to find that "Digital Woes"
is an accurate, well-researched, and thoroughly engaging treatment of the
subject of software risks.

Chapter one is a list of specific examples of software failures, large and
small.  The stories are thoroughly documented and well told.  The choice of
examples is careful, and useful as well, covering a variety of problems.  One
could, of course, add to the list.  In the virus field programs are extremely
limited in function and rarely exceed 3000 bytes in length, yet almost every
viral strain shows some programming pathology; most of the damage seems to be
done by mistake.  The user interfaces of antivirals are subject to hot debate,
perhaps more importantly than in other systems because of the risks involved in
misunderstanding.  In regard to decision support, I recall the assumption, on
the part of Excel, that everyone wants to use linear forecasting.  Everyone
involved in technical fields will be able to add other specific examples.  For
those uninvolved, Wiener's work is quite sufficient and convincing.

Chapter two is an explanation of why software contains bugs, and why software
errors are so deadly.  Techies will feel somewhat uncomfortable with the lack
of jargon, but persevere.  Initially, I thought she had missed the point of the
difference between analogue and digital systems--until I realized I was in the
middle of a complete and clear explanation that never had to use the word
"analog".  (Technopeasants will, of course, appreciate the lack of jargon.
Rest assured that the same ease of reading and clarity of language holds
throughout the book.)

Chapter three examines the various means used to try to ensure the reliability
of software--usually with a depressing lack of success.  As with all who have
worked in the field, I can relate to the comments regarding the difficulty of
testing.  At one point I uncovered a bug in the third minor variant of the
fourth major release of the fifth generation of a communications program.
Apparently I was the first person on staff who had ever wanted to keep a
running log between sessions--and the functions I used combined to completely
lock up the computer.

Most RISKS-FORUM readers will by now be nodding and muttering, "So what else
is new".  However, Wiener here proves herself capable of some valuable and
original contributions beyond the pronouncements of those working in the
field.  Noting that she is familiar with programmers who have never, in twenty
years of work, had their code incorporated into a delivered product, she
raises the issue of what this type of work environment does to the psyche of
the worker.  My grandfather carved the wooden decorations in our church, and,
fifty years after his death, I can still point that out.  However, in a career
of analysis, training and support, I can point to little beyond an amount of
Internet bandwidth consumed.  (Many would say "wasted".)  To the ephemeral
nature of the craft, though, one must add the legacy of constant failure.
Martin Seligman's "Learned Helplessness" points out the danger quite clearly.
A similar thought was voiced some years ago over the impact on developing
youth of the then new video games, and the fact that you could advance through
levels but never, ultimately, win.  These children are grown now.  You may
know them as "Generation X".

Chapter four deals with means to prevent failure.  Actually most of the
material discusses recovery--assuming that the system will eventually fail, how
to ensure that the failure causes the least damage.

Chapter five is entitled "Big Plans" and looks at various proposed new
technologies and the risks inherent in them.  In this discussion Wiener warns
against those who are overly thrilled with the promises of the new technology.
I agree, but I would caution that public debate is also dominated by those
strident with fear.  The arguments of both sides tend to entrench to defeat the
opposition, while the public, itself, sits bemused in the middle without
knowing whom to believe.  It is a major strength of Wiener's work that the
field is explored thoroughly and in an unbiased manner.

Many books which try to present an objective view of a controversial problem
tend to trail off into meaningless weasel-words, but the final chapter here
concerns "The Wise Use of Smart Stuff."  Wiener lists a good set of criteria to
use in evaluating a proposed system.  The one item I would recommend be toned
down is the axiom that personal care be excluded.  I keep an old Berke Breathed
"Bloom County" cartoon in my office wherein Opus, the Penguin, berates a
computer for depriving him of his humanity until the bemused machine attempts
to confirm that Opus is human.  The perceived coldness of our institutions is
often illusory.  I once worked in a geriatric hospital and thought it a shame
that our culture did not keep aging parents at home.  Until, that is, I lived
in a culture that did, and found that the "technology" of our hospitals
provided more human contact to the old folks than did the "organic" home care.
I also note that the belittled ELIZA is the only program to have passed the
Turing test so far.  A limited, unexpected, and hilarious pass, perhaps, but a
pass nonetheless.

I note, as I am reviewing this book, a press release by a headhunting agency
that half of all executives are computer illiterate.  The survey method is
extremely suspect, and I assume these figures are so kind as to be ridiculous.
I would heartily recommend this work to technical and non-technical workers
alike.  Particularly, though, I recommend it to those executives who are the
ones to make the ultimate decisions on major projects.  Please re-read it after
the next vendor demo you attend.

copyright Robert M. Slade, 1993   BKDGTLWO.RVW  931223

Postscriptum - my wife agrees with Peter Denning that I tend to editorialize in
my reviews.  This is likely true.  "Digital Woes", however, deals with a topic
which has prompted many editorials--and deals with it well.
Permission granted to distribute with unedited copies of the Digest
======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
DECUS Symposium '94, Vancouver, BC, Mar 1-3, 1994, contact: rulag@decus.ca

Please report problems with the web pages to the maintainer

Top