The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 08

Monday 22 December 2003

Contents

Railroad accident results from deactivated crossing gates
PGN
Chats led to Acxiom hacker bust
Kevin Poulsen via Monty Solomon
Moderation and Immoderation
PGN
Re: Tragedy of the Commons
Douglas W. Jones
Re: Proper Understanding of the Human Factor
Peter B. Ladkin
Poor writing is the problem, not PowerPoint
Simson L. Garfinkel
Why have electronic voting machines at all?
Finn Poschmann
Sander Tekelenburg
CFP: CyberCrime and Digital Law Enforcement Conference, Mar 2004
Michel E. Kabay
Info on RISKS (comp.risks)

Railroad accident results from deactivated crossing gates

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 22 Dec 2003 14:56:11 PST

An upgrade to the Caltrain guarded crossing system was designed by SRI many
years ago, and has been very effective at diminishing road-rage by
re-opening the forward gates when trains are stopped in the station.  For
the past few years, the Caltrain folks have been upgrading the tracks,
adding sidings to enable high-speed trains to pass.  To do so, they have
shut down passenger service altogether on weekends, turning off the crossing
controls.  However, the rails have been used to move the needed construction
materials (roadbed, ties, rails, etc.), with flagmen posted as needed.
However, at 11:30pm on Sunday, 14 Dec 2003, just a few blocks from SRI in
Menlo Park, a truck struck a slow-moving train already 3/4 of the way
through the crossing.  Why this happened was not known.
  [Source: *San Jose Mercury News* (Peninsula Edition), 16 Dec 2003, page 3B.]


Chats led to Acxiom hacker bust

<Monty Solomon <monty@roscom.com>>
Mon, 22 Dec 2003 00:26:43 -0500

Kevin Poulsen, SecurityFocus, 19 Dec 2003

A Cincinnati man who pleaded guilty Thursday to cracking and cloning giant
consumer databases was only caught because he helped out a friend in the
hacker community.  Daniel Baas, 25, pleaded guilty on 18 Dec 2003 to a single
federal felony count of "exceeding authorized access" to a protected
computer for using a cracked password to penetrate the systems of
Arkansas-based Acxiom Corporation -- a company known among privacy advocates
for its massive collection and sale of consumer data. The company also
analyzes in-house consumer databases for a variety of companies.

From October 2000 until June 2003, Baas worked as the system administrator
at the Market Intelligence Group, a Cincinnati data mining company that was
performing work for Acxiom. As part of his job, he had legitimate access to
an Acxiom FTP server. At some point, while poking around on that server, he
found an unprotected file containing encrypted passwords.

Some of those passwords proved vulnerable to a run-of-the-mill password
cracking program, and one of them, "packers," gave Baas access to all of the
accounts used by Acxiom customers -- credit card companies, banks, phone
companies, and other enterprises -- to access or manage consumer data stored
by Acxiom. He began copying the databases in bulk, and burning them onto
CDs.  ...
  http://www.securityfocus.com/news/7697
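  [The item above turns on two things: a world-readable file of "encrypted"
  (i.e. hashed) passwords, and the fact that an ordinary dictionary cracker
  recovered at least one of them.  The following is an added illustration,
  not code from the SecurityFocus article or from Acxiom; the file format,
  the account names, the tiny wordlist and the choice of unsalted SHA-1 are
  all assumptions (the article does not say what hash was used).  It runs the
  same dictionary attack twice, once against unsalted digests and once
  against per-user salted PBKDF2, and counts how much work the second one
  costs the attacker.  PGN]

```python
"""
Added example (not from the SecurityFocus article or from Acxiom):
a dictionary attack against a constructed password file, then the same
attack against salted, iterated hashes.  File format, usernames, wordlist
and hash algorithm are assumptions made for illustration.
"""
import hashlib
import hmac
import os

# Constructed sample file: "user:hexdigest" with unsalted SHA-1 (assumed format).
WEAK_FILE = "\n".join(
    f"{user}:{hashlib.sha1(pw.encode()).hexdigest()}"
    for user, pw in [("cust01", "packers"),
                     ("cust02", "letmein"),
                     ("admin", "X9#qL!vT2m")]
)

# Constructed stand-in for a cracker's dictionary.
WORDLIST = ["password", "letmein", "packers", "steelers", "123456"]


def parse_hash_file(text):
    """Parse 'user:hexdigest' lines into {user: digest}; skip blank/odd lines."""
    entries = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        entries[user.strip()] = digest.strip().lower()
    return entries


def crack_unsalted(entries, wordlist):
    """
    Dictionary attack on unsalted SHA-1.  Each candidate is hashed once and
    compared against every account, so the cost is |wordlist|, not
    |wordlist| * |accounts|: the attacker amortises work across all users,
    and two users with the same password show the same digest.
    """
    by_digest = {}
    for user, digest in entries.items():
        by_digest.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        d = hashlib.sha1(word.encode()).hexdigest()
        for user in by_digest.get(d, []):
            cracked[user] = word
    return cracked


# Hardened storage: random per-user salt plus an iterated KDF.
ITERATIONS = 100_000


def store_pbkdf2(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute the KDF from the stored salt/iterations; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored_entries, wordlist):
    """
    The same dictionary attack against salted PBKDF2.  Returns the cracked
    passwords and the number of KDF evaluations spent: every (user, word)
    pair costs a full ITERATIONS-round computation, and nothing is shared
    between users because their salts differ.
    """
    cracked, kdf_calls = {}, 0
    for user, stored in stored_entries.items():
        for word in wordlist:
            kdf_calls += 1
            if verify_pbkdf2(word, stored):
                cracked[user] = word
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    weak = parse_hash_file(WEAK_FILE)
    print("unsalted SHA-1, cracked:", crack_unsalted(weak, WORDLIST))
    strong = {"cust01": store_pbkdf2("packers"),
              "admin": store_pbkdf2("X9#qL!vT2m")}
    found, calls = crack_pbkdf2(strong, WORDLIST)
    print("salted PBKDF2, cracked:", found, "after", calls, "KDF evaluations")
```

  [Salting and iteration do not rescue a password like "packers"; a short
  wordlist still finds it.  What they change is the economics: the attacker
  pays the full KDF cost per user per guess instead of one hash per guess
  across the whole file, and cannot spot shared passwords by equal digests.
  The other lesson of the item, that one cracked password unlocked every
  customer account, is a separation-of-privilege failure no hash function
  fixes.  PGN]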


Moderation and Immoderation

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 22 Dec 2003 14:44:13 PST

Your RISKS moderator is absolutely mortified.  After my silly OMITTED MINUS
ONE gaffe in RISKS-23.06 in the Mersenne prime item, I compounded it in
RISKS-23.07.  (Thanks to all of you who responded.)  I started out having
typed P>=1 and did not like how it looked, and meant to change it to P>0.
Somehow I forgot to do so.  In trying to keep many balls in the air at once,
I unfortunately sometimes have to squeeze RISKS moderation in between
handling the other balls.  Having a ball sometimes becomes Halving a ball.

The "notsp" Subject line experiment has been a tremendous help in allowing
me to separate the wheat from the chaff.  Thanks to those of you who picked
up on it.  (I continue to get over 1000 spams a day that are caught by
SpamAssassin, and many more that are not.)  Nevertheless, I regret that I
cannot put out more issues and include more of your would-be postings.  On
the other hand, if we had more RISKS issues, I would have to do with even
more responses, and you all would have even more e-mail to read as well, so
perhaps you should be happy I cannot devote more time to moderating.  So
moderation in moderating may be a good thing after all.

Incidentally, for those of you who have stumbled onto some of the annoying
Majordomo glitches, I anticipate that RISKS will eventually be cutting over
to Mailman -- which my lab is already using experimentally on other lists.

Let me take this opportunity to wish you all a risk-free holiday season.  PGN


Re: Tragedy of the Commons (Norman, RISKS-23.07)

<"Douglas W. Jones" <jones@cs.uiowa.edu>>
Thu, 18 Dec 2003 19:03:48 -0600

*Science Magazine*, 12 Dec. 2003, Vol 302, No 5652, has a set of articles on
the Tragedy of the Commons, one of which is very relevant to us.

   Tales from a Troubled Marriage:
   Science and Law in Environmental Policy
   by Oliver Houck, Pages 1926 to 1929

The section of this article that is most relevant to us is entitled: Four
Cautionary Tales.  There, he talks about how science has come to be used and
abused in public policy debates surrounding environmental issues, but we're
involved in a different public policy debate, and science is being used and
abused here too.  The 4 examples are:

"The lure of a return to scientific management" should be viewed with
suspicion.  There are attractive and rational arguments that favor
iterative, impact based and localized management strategies instead of
"unrealistic" one-size-fits-all policies.  Several people spoke in these
terms at the NIST meeting on voting systems Dec 10 and 11, urging
incrementalism and arguing against top-down approaches that attempted to
look at the big picture and overall system architecture.

"Good science" and "peer review" are sometimes invoked to set extremely high
standards for the admissibility of scientific arguments that favor any
change in current policy, but it is unusual to find such standards applied
to the arguments favoring retention of the status quo.  The head of the CS
department at Kennesaw State cornered me recently using this argument
against the Hopkins report on security flaws in Diebold's voting systems,
despite the fact that the SAIC report had already come out confirming most
of the flaws first reported in the Hopkins report; as far as he was
concerned, the fact that the Hopkins report had not been subject to
prepublication peer review was grounds for censure.

"The lure of money" has biased science.  There are good studies of this in
the health care field as well as the environmental field.  Researchers with
industrial funds are less likely to publish results that reflect negatively
on their source of funds.  Who is supporting the different scientists who
have engaged in the voting systems debate?  We ought to be very open about
this.  The conflict of interest stories that popped up after the release of
the Hopkins report touch on this issue, illustrating the extent to which
bogus conflicts can be as important here as real ones.

"The lure of the safe life" has led researchers to avoid drawing
conclusions.  We can do good science, confining ourselves to the technical
and avoiding drawing conclusions that would engage us in public policy
debate.  Many of those on this list have elected to forgo this option, but
many of our colleagues may be more reluctant to participate.  This is
unfortunate and I think we need regular reminders.  When outrageous claims
are made for what computer science can do, or when utterly incompetent
security audits are brought forward into the public debate, those who have
technical qualifications should not stand by idly.


Re: Proper Understanding of the Human Factor (Norman, RISKS-23.07)

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Sat, 20 Dec 2003 09:37:34 +0100

In his argument for the view of Mike Smith (RISKS-23.04) and against that
suggested by Dave Brunberg (RISKS-23.06) on Vicente's book The Human Factor,
Don Norman invites us to consider two points of view on systems failure in
which human operators are involved.

He suggests that 75% of accidents with such systems are blamed on operator
error (in aviation, the generally-aired figure says accident reports
attribute probable cause to pilot error in 70% of cases), and that the cause
should be taken to lie rather in the system design which affords those kinds
of errors. He points out that this view has been around for some half a
century.

The other view is that of Brunberg, who gives hypothetical examples of the
"Bubba factor", according to which operators engage in typically human but,
in terms of their professional skills and requirements, inappropriate
behavior when operating a system.

Norman prefers the first view. For example, it is a part of critical system
design that hazards (defined as situations in which certain unwanted events,
including accidents, are particularly afforded in some way or another) must
be identified, and avoided or mitigated as far as possible.

The classic statement of the "Bubba factor" position is a comment made in
1949 by Edsel Murphy, an engineer on the USAF project MX191: Human
Deceleration Tests, after observing some incorrect wiring that had led to
failure of measuring equipment. If there was a way for one of the
technicians to make a mistake, observed Murphy, that would be the way things
would be done. Murphy's Law, as its successor has come to be known, is also
half a century old [2].

So, Norman or Bubba?

I believe with Norman that more attention could be paid to the system
affordances that encourage inappropriate operator actions or inactions. I
also suspect that the operator's cognitive state is systematically
underemphasised in most accident investigations, and consider proof of this
claim to be a significant research project.  Some progress has been
made. Let me give four examples, based on a particular conception of human
cognitive capabilities.

There are ways of defining an operator's "rational cognitive state" which do
not depend on reconstructing his/her mental state, namely by looking at the
information presented to the operator by the system and closing under simple
inferences. This idea derives from (and may even be identical with) the
"information theoretic" view proposed by Norman himself. One may consider
such a state to be that of an ideal operator, and thereby somewhat
unrealistic, but it suffices to highlight, in some significant cases, how a
system afforded operator error.

Consider the "Oops" series of aircraft-simulator runs, in which researchers
at NASA Ames Research Center set up scenarios for pilots of an MD-80-series
flight simulator. The pilots were led to "bust" (fly through) their cleared
altitude on climb. John Rushby has published what I consider to be a seminal
paper, in which he used the Mur(phi) model checker to demonstrate that the
pilot's "mental model" (what I called above the rational cognitive state)
did not match the system state at a crucial point in the proceedings [1]. In
other words, crucial information about the system was not presented to its
operator. This is therefore a case in which the only prophylaxis is to
design out the hazard situation. It amounts to a canonical example of
Norman's contention.

Sidney Dekker gave the Tuesday Luncheon talk at the 21st International
System Safety Conference in Ottawa in August 2003, in which he showed a
series of still photographs of the views available to the pilots of a
Singapore Airlines B747-400, which attempted to take off from a closed
runway in Taipei and collided with construction equipment.  The accident was
widely discussed in commercial aviation circles, particularly with respect
to the ground guidance technology at the airport and the judicial treatment
of the crew. Sidney's sequence of photographs gave me the impression that I
would have made similar decisions in those circumstances to those which led
to the accident (I am a pilot, though not a professional). This view had
been promoted by some discussants since the accident, and I believe it is to
be credited with keeping the crew out of jail.

A similar case of "seeing what the operator saw" is made by the series of
photographs shown by Marcus Mandelartz of the signalling en route to the
train derailment at Brühl in the Rhineland in Germany, in which a driver of
an intercity train went through switching points at something over three
times the appropriate speed [3].

Finally, I have argued that the decision by the Russian pilot of one of the
aircraft that collided over Lake Constance in July 2002 to descend in
contravention of his ACAS "climb" advisory could well have been rational,
given his "rational cognitive state" as defined above [4]. I also pointed
out that all participants in that unfortunate affair, the two crews and the
air traffic controller, had distinct "rational cognitive states", a
situation engendered by a cognitive slip by ATC. I believe this situation
has been woefully incompletely analysed from the point of view of the ACAS
system. To me, the situation represents a hazard that must be designed out
or mitigated, as with any such system hazard. This view contrasts with that
of, say, Eurocontrol, which advises that ACAS "resolution advisories" (RA)
should be followed by pilots without exception, also a view propounded by
many pilots. A more cautious view is expressed by the International Civil
Aviation Organisation (ICAO), which advises that pilots should not manoeuvre
against an RA, and an even more cautious view has been expressed by the UK
Civil Air Authority, which advises that pilots should not manoeuvre against
an RA without overwhelming reason. I believe the crew of the Russian
aircraft had such reason, as shown by considering the "rational cognitive
state" (I emphasise that the "rational cognitive state" is not to be
identified with the actual mental state of the pilots, which we can no
longer know). If so, only the UK CAA view is consistent with focusing on the
system, and not the operator. This appears to me also to be a canonical
example to which Norman's view applies.

All this argues for Norman's view. What is there to argue for Brunberg's?

Consider the following crude but general argument for the Bubba phenomenon.
Operators have responsibilities. They are intended to perceive certain
partial system states and to devise actions which depend on those partial
states. These actions are stipulated by procedures. In the case of some
systems, pilots flying airplanes for example, some of these actions and
their consequences are unavoidably safety-critical. Human beings may freely
choose their actions, and it is open to an operator of even the most
carefully designed system, in such a situation, to choose an action which
will lead to an unwanted event such as an accident.

One may contravene such an argument in commercial aviation only by
advocating pilotless commercial aircraft, a prospect that fills not only
some passengers but also some systems people like myself with dread.

To illustrate the situation which the argument highlights, consider an
accident in November 2000 to a Luxair Fokker 50 turboprop on approach to
Luxembourg Findel airport. The aircraft was on final approach using the
ILS. The crew selected "ground fine-pitch" on the propellors while still
airborne. This "low-speed fine-pitch regime [is] normally only usable on the
ground" [5]. Control was lost, the aircraft crashed on approach, and most on
board died.

An interlock prevents ground fine-pitch mode from being selected while the
aircraft is airborne: power lever movement into this regime is
inhibited. However, there was a known interlock failure mode in which the
interlock does not function for some 16 seconds after the landing gear has
locked down. A Notice to Operators concerning this phenomenon had been
issued, and a system fix for this problem was available but had not been
incorporated on the accident aircraft [5].

Activating ground fine-pitch while airborne is obviously a big no-no.
The big question is why this regime may have been selected. The report
has recently been issued [6]. It criticises the crew. "The captain put
the power levers into the beta range while trying to regain the glidepath
from above after beginning a go-around due to poor visibility, and then
reversing his decision - all without communicating with the first officer.
He had earlier begun what should have been a Category II [ILS] approach
without informing his colleague" [6]. The accident report says: "All
applicable procedures as laid down in the operations manual were violated
at some stage of the approach" [6]. All this raises red flags to just about
everyone involved with flight.

The report "extensively questions the airline's hiring and training
practices" as well as noting that the "design [of the aircraft] did not
prevent the crew from selecting ground-idle while in flight - the final
error in a chain that led to the crash" [6].

The question, Norman or Bubba?, is ill-posed. Both Brunberg and Norman
overstate their cases. As Norman says, people are still too ready to fault
operators, even after 50 years. But operators must be allowed their free
will, otherwise one doesn't need an operator. It is open to operators
to freely choose wrongly, even catastrophically. And it happens.

PBL

References

[1] John Rushby, Using Model Checking to Help Discover Mode Confusions and
Other Automation Surprises, in Reliability Engineering and System Safety
75(2):167-77, February 2002, also available from
http://www.csl.sri.com/users/rushby/

[2] Robert A.J. Matthews, The Science of Murphy's Law, in Peter Day, ed.,
Killers in the Brain, Oxford U.P. 1999.

[3] Marcus A. Mandelartz, Das Zugunglück in Brühl aus der
Lokführerperspektive (The Train Accident in Brühl from the Perspective
of the Driver), in German, http://www.online-club.de/~feba/br0.htm

[4] Peter B. Ladkin, ACAS and the South German Midair, Technical Note
RVS-Occ-02-02, available from http://www.rvs.uni-bielefeld.de

[5] David Learmount, Propellors yield Luxair crash clue, Flight
International, 26 November - 2 December 2002, p8.

[6] Kieran Daly, Luxair crew slammed in crash report, Flight International,
16-22 December 2003, p6.

Peter B. Ladkin  University of Bielefeld,  http://www.rvs.uni-bielefeld.de
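  [Ladkin's "Oops" example rests on a technique worth seeing in the small:
  Rushby's paper [1] checks a model of the automation against a model of what
  the pilot believes and asks whether any reachable joint state has the two
  disagreeing.  What follows is an added illustration, not Rushby's code and
  not Mur(phi); it is a toy explicit-state checker in Python.  The mode
  names, events and both transition tables are constructed for the example
  and are loosely patterned on the altitude-bust scenario described above;
  they are not the MD-80 autopilot's real logic.  PGN]

```python
"""
Added example (not from Rushby's paper, Mur(phi), or the RISKS post): a
minimal explicit-state model checker over the product of a system
automaton and an operator's mental-model automaton.  It reports the first
reachable joint state in which the actual mode and the believed mode differ,
together with the shortest event trace that reaches it.  All mode names,
events and transitions below are constructed for illustration.
"""
from collections import deque

# Events the checker may apply in any order (constructed).
EVENTS = ["arm_altitude", "enter_capture_band", "turn_vs_wheel", "reach_altitude"]

# Constructed system automaton: (mode, event) -> next mode.
# Pairs with no entry mean the event leaves the mode unchanged.
SYSTEM = {
    ("VS", "arm_altitude"): "VS_ARMED",
    ("VS_ARMED", "enter_capture_band"): "CAPTURE",
    ("CAPTURE", "reach_altitude"): "HOLD",
    # The assumed surprise: touching the vertical-speed wheel during capture
    # silently drops the capture and the aircraft keeps climbing.
    ("CAPTURE", "turn_vs_wheel"): "VS",
}

# Constructed mental model: identical except the pilot believes the wheel
# merely adjusts the rate while the capture stays armed.
MENTAL = {
    ("VS", "arm_altitude"): "VS_ARMED",
    ("VS_ARMED", "enter_capture_band"): "CAPTURE",
    ("CAPTURE", "reach_altitude"): "HOLD",
    ("CAPTURE", "turn_vs_wheel"): "CAPTURE",
}


def step(table, mode, event):
    """Apply one event to one automaton; unlisted events are no-ops."""
    return table.get((mode, event), mode)


def find_mode_confusion(system, mental, events, start="VS"):
    """
    Breadth-first search over joint states (actual_mode, believed_mode).
    Returns ((actual, believed), trace) for the first reachable pair whose
    components differ, or None if the two automata agree on every path.
    BFS guarantees the trace returned is a shortest one.
    """
    start_pair = (start, start)
    queue = deque([(start_pair, [])])
    seen = {start_pair}
    while queue:
        (actual, believed), trace = queue.popleft()
        if actual != believed:
            return (actual, believed), trace
        for ev in events:
            nxt = (step(system, actual, ev), step(mental, believed, ev))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [ev]))
    return None


def design_out(system, mode, event, new_mode):
    """Return a copy of the system table with one transition replaced: the
    'design the hazard out' option rather than blaming the operator."""
    fixed = dict(system)
    fixed[(mode, event)] = new_mode
    return fixed


if __name__ == "__main__":
    hit = find_mode_confusion(SYSTEM, MENTAL, EVENTS)
    print("divergence:", hit)
    fixed = design_out(SYSTEM, "CAPTURE", "turn_vs_wheel", "CAPTURE")
    print("after redesign:", find_mode_confusion(fixed, MENTAL, EVENTS))
```

  [On the constructed tables the checker returns the joint state
  ("VS", "CAPTURE") after the trace arm_altitude, enter_capture_band,
  turn_vs_wheel: the system has quietly left capture while the pilot's
  rational cognitive state still says it is capturing, so the next
  reach_altitude event is ignored by the real automation.  Replacing the one
  offending transition makes the search come back empty, which is the formal
  counterpart of Ladkin's "the only prophylaxis is to design out the hazard".
  In a real analysis the mental model would be built, as he describes, from
  the information the displays actually present, closed under simple
  inference, rather than hand-written as here.  PGN]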


Poor writing is the problem, not PowerPoint (Re: RISKS-23.07)

<"Simson L. Garfinkel" <slg@ex.com>>
Fri, 19 Dec 2003 11:47:02 -0500

Re: Over-reliance on PowerPoint leads to simplistic thinking

Having read about this in the report and some coverage in eWeek and
ComputerWorld, I need to argue that the real problem is not PowerPoint (as
much as I dislike the program) --- the problem is that many engineers are
simply poor verbal communicators.

> Because only about 40 words fit on each slide, a viewer can zip through a
> series of slides quickly, spending barely 8 seconds on each one.

This seems like poor rationalization. Here's what you can do with 40 words:

	FALLING FOAM COULD DESTROY A SHUTTLE!

(hm; that's just six words.)

	* Falling foam has been clocked at faster than 500 mph
	* Impact with wing could destroy fragile ceramic tiles on launch
	* Repair not possible in space; shuttle would burn-up on re-entry

(that's another 30 words; total word count is 36)

I just finished a semester of paper grading in a class at MIT. Many of the
students were really angry that I took off points for poor writing, improper
citations, etc.  "This is a class in computer security, not writing," one
student told me (paraphrased).

I wrote a long e-mail back to that student that without the ability to write
clearly, their security skills would be of little use.


Why have electronic voting machines at all? (RISKS-23.06,07)

<"Finn Poschmann" <finn@mail.org>>
Fri, 19 Dec 2003 15:42:20 -0500

Russell Cooper (RISKS-23.07) says that to raise voter turnout when people
are broadly distributed, reducing the need for travel to a polling station
is "highly desired" and a compelling reason for e-voting, and that this
desired benefit is being neglected in common discussion.

In fact, in the e-government world, which is populated by hordes of
promoters of e-democracy and e-everything else, there is much attention paid
to the benefits of making voting easier. (Too much? I might note
parenthetically that we should probably ask ourselves if we really want
disinterested people to vote more often, but that would be a distraction.)
In the endless rounds of worldwide conferences and discussion papers on
e-governance and the "democracy deficit," what there is not enough of is
attention to risks and costs.

We have difficulty in practice getting close to a verifiably accurate
polling station implementation of e-voting, though as Rebecca Mercuri will
tell you it is surely possible to do so. The risks and costs multiply when
we contemplate e-voting from home.

Of course we can get *close enough* to an acceptably accurate and verifiable
home-based system; after all, we use similar systems in financial
transactions representing many billions of dollars daily. Encryption and
tunnelling protocols can be powerful tools.

Observations: 1) *Close enough* is nonetheless a long way off, owing to
technical requirements and the concomitant need to raise voters' comfort and
skill levels. 2) It will be expensive owing to equipment needs on both ends,
where that equipment would not otherwise be necessary. 3) It will be
intrusive. I should think we would want to know, while you hold your eye to
the scanner and your finger on the pad sensor, that your true voting wish is
being expressed. And what to do about the possibility that someone is paying
you and watching your vote, or holding a gun to your head? I don't know the
answer to that one, just as I don't know now why some US states have so
enthusiastically adopted the mail-in ballot.

In any case, the costs of achieving a reasonably fair and verifiable
e-vote-from-home are certainly large. What were the benefits again?

  [Remember, as other contributors have, that Internet voting and other
  remote voting schemes all suffer from the ability to sell your vote --
  along with all of the other problems of whom and what can you trust.  PGN]


Re: Why have electronic voting machines at all? (Cooper, RISKS-23.06)

<Sander Tekelenburg <tekelenb@euronet.nl>>
Fri, 19 Dec 2003 08:41:53 +0100

[I may have missed a step in this thread, but the original subject seems to
have been electronic voting machines vs paper voting. Somehow it moved to
voting from the comfort of the home, which I think should be treated as a
different subject.]

Wed, 10 Dec 2003 05:09:05 -0500, "Russ" <Russ.Cooper@rc.on.ca> wrote:

> Maybe I missed the comment, but it seems to me that one of the most
> compelling reasons for e-voting, getting more people out to vote, is being
> missed in these threads. Maybe voter turnout in the States is always >50%,
> it isn't here (Canada).

Technological security issues aside, it would mean giving up on secret
voting. Not something to take lightly. Voting from the privacy of your home
would make it even easier for people to force each other to vote for
candidate x than the 'regular' abuse within the secrecy of the home that's
already happening on a grand scale. A public voting station, with secret
voting, avoids that RISK.

While discussing the issues with electronic voting machines, and the
suggestion that a paper trail would fix most of that, I ran into this. Some
people seem to present that paper trail as a receipt: the voter gets to take
it with her. That would mean people can force each other to prove they voted
for the candidate they were told to vote for. Dangerous. A paper trail is
necessary (thus indeed: why electronic voting at all?), but it should not
break secret voting.

  [Almost all of the sensible proposals for voter-verified paper trails
  retain the paper within the system.  Voters do not take them home.
  However, David Chaum's proposal is somewhat different, allowing you to
  take a part of the audit trail with you from which you can verify your
  vote was correctly recorded.]

> I fail to see how anything else could be as likely to increase voter
> participation.

If voters can't be bothered to go to a voting station, maybe it's healthier
for society to leave it at that. You don't want utterly uninformed voters to
vote, just for the sake of voting. You'll just get more votes for whoever
happens to have the most likeable TV-face of the day... (No doubt some
politicians see that too and are therefore in favour of e-voting...)

It would be nice to see more people participate. But I'm not sure what would
be the way to make that happen. No doubt the causes and solutions will differ
per country. In some countries better and more easily accessible education
might help. But in countries that already have that you see many people still
not voting. Sometimes as a (misguided) way of protest, sometimes because they
think their one vote won't make a difference, sometimes because they feel
things are fine as they are.

> [...] in a country such as ours where people are broadly distributed,
> reducing the need for people to go to a polling station is highly desired.

Yes, different countries may need different solutions. In the (compared to
Canada ;)) utterly overcrowded Netherlands a stroll to a voting station
usually takes no more than 5 minutes. If that's too much work, then don't
vote - and lose your right to complain about the government.

(In Dutch national elections turnout is around 70% on average I think. For
EU elections it is something like 40% or even just 30%.)

Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>


CFP: CyberCrime and Digital Law Enforcement Conference, Mar 2004

<"Michel E. Kabay" <mkabay@norwich.edu>>
Thu, 18 Dec 2003 14:57:15 -0500

Yale Law School's Information Society Project (ISP) invites you to the
CyberCrime and Digital Law Enforcement conference, taking place on March
26-28, 2004 at Yale Law School.

Registration and further information are available at:
  http://islandia.law.yale.edu/isp/digital_cops.htm

Nimrod Kozlovski, Fellow, Information Society Project, Yale Law School
