The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 3 Issue 08

Sunday, 15 June 1986


o Challenger, SDI, and management risks
Dick Dunn
o Re: Risks from inappropriate scale of energy technologies
Chuck Ferguson
o Distributed versus centralized computer systems
Peter G. Neumann
o Privacy legislation
Michael Wagner
o Info on RISKS (comp.risks)

Challenger, SDI, and management risks

Dick Dunn <nbires!rcd@ucbvax.Berkeley.EDU>
Fri, 13 Jun 86 12:24:29 mdt
The Challenger failure has an implication for SDI that I've not seen
discussed much.  I regard the solid-rocket failure as primarily a management
failure and only secondarily an engineering failure.  Why?  Because
according to the Rogers group reports, there had been serious concern with
the possibility of failure of the O-ring seals, but it got lost or
suppressed along the way.  Challenger's ill-fated launch was apparently made
in spite of best engineering advice to the contrary.

How does this apply to SDI?  I'll give a sketch; I hope that other people
will add more.  SDI is under fire from several places (substantial part of
Congress, various public-interest groups, many influential technical
people).  It is therefore important for the supporters (willing and/or
appointed) of SDI to present a convincing case that SDI can "do the job."
There is tremendous pressure to justify SDI.  Translate this into "there is
tremendous pressure to argue the case that SDI can be built and can work--
whether or not it really can."  To be blunt, there is a tremendous incentive
to cover up any potential inability to build an SDI system or any inadequacy
once it is built.  Of course, if the SDI system is built, and is used, and
fails, there will be much more lost than seven lives and some megabucks of
hardware.  (I have a hard time typing the word "terabucks":-) There probably
Wouldn't even be a presidentially-appointed blue-ribbon investigative

The hard questions:  Do we have a way to manage a project of the magnitude
of SDI that will give us any halfway-reasonable assurance that the project
will work?  Is there any technique that can be applied to reward those who
discover problems and punish those who cover them up, instead of the other
way around?

(My own experience, unfortunately, tells me that these aren't really hard
questions.  Rather, they are questions which are easily answered "no!"  The
difficulty in managing any large project, particularly one which involves a
lot of software, is legendary.)

In summary, I'm saying that Challenger failed not for technical reasons--
I believe that the technical problems are real but surmountable--but for
managerial reasons.  Further, I think that we need to talk about SDI
feasibility in more than technical terms; we need to address whether we
could manage the project even if all of the technical problems were
surmountable.  The answer is anything but a clear "yes".

Dick Dunn

     [From The New York Times, Sunday, 15 June 1986:

     New York - The ''Star Wars'' anti-missile plan has been seriously and
     extensively damaged by the Challenger disaster and other setbacks in
     the American space program, aerospace analysts say.  Officials of the
     anti-missile defense program, formally called the Strategic Defense
     Initiative, deny any serious damage to the program, but aerospace
     experts say the problems within the space program have sent shock waves
     through research programs. ...  ]

Re: Risks from inappropriate scale of energy technologies

Chuck Ferguson - SCTC <CTFerguson@HI-MULTICS.ARPA>
Thu, 12 Jun 86 20:06 CDT
In RISKS-3.6, Michael Natkin states:

  The public has long been duped into the idea that centralized energy
  management has its best interest in mind as we develop ever increasing
  electrical capacity.  But centralized reactors and other "hard" technologies
  are extremely susceptible to terrorist attack and other failures, as has
  been mentioned before.

Centralized power supplies may be "extremely susceptible" to terrorists but
their susceptibility to failure is not as high as being claimed.  It is true
that the consequences of a failure might be great; however, for a large
centralized power plant it is economical to expend greater resources to
prevent their failure (e.g., redundancy) than for the components of a
distributed system.  Furthermore, I submit that all current power systems
have some degree of distributed or redundant functionality to allow periodic
maintenance shutdowns if for no other reason.

I further submit that there is a significant risk associated with
distributed systems which is being ignored.  Many such systems are
themselves dangerous when poorly maintained or operated improperly.  There
are also hazards associated with storing combustible fuels near a dwelling
or other populated area.  Witness the following:

  o  How many chimney fires have you heard about since the "energy
     crisis" began?  A fireplace is a relatively low-tech device yet
     some people manage to make them dangerous.

  o  Why is it that several houses burn down at the start of every
     cold season?  An oil-fired furnace is a relatively low-tech
     item also, yet every year someone's gets choked with soot and
     catches fire.

  o  Ever heard of a methane gas explosion in a sewer system?  I
     recently heard an amusing story about a manure fire at a horse
     ranch - ten years worth of horse manure had been piled in one
     place until one day it spontaneously caught fire.

One would be surprised how much damage some people can do with low-tech
alternative energy.  To paraphrase one of the better known 'computer
security experts' [emphasis added], "Terrorists can never compete with
incompetents".  I wonder whether more people lose their lives each year in
the commercial production of power or in incidents similar to the above.

With respect to the public "being duped" - sounds like another
conspiracy theory to me (yawn).

         Chuck Ferguson, Honeywell, Inc., Secure Computing Technology Center

Distributed versus centralized computer systems

Peter G. Neumann <Neumann@SRI-CSL.ARPA>
Sun 15 Jun 86 22:32:04-PDT
Although Chuck's note does not seem as closely related to RISKS as some of
his past contributions, it suggests various additional comments.  A myth of
distributed computing systems is that distribution avoids centralized
vulnerabilities.  WRONG! The 1980 ARPANET collapse gave us an example of an
accidentally propagated virus that contaminated the entire network.  The
first shuttle synchronization problem is a further example.

By distributing what has to be trusted, there may be more vulnerabilities --
unless the distributed components are TOTALLY autonomous -- in which case we
are not really talking about DISTRIBUTED systems, but rather SEPARATE
systems.  Security flaws in the systems and networks can result in
transitive vulnerabilities, or permit global compromises by iteration.

Further, the point raised by Chuck regarding maintenance is an important one
in distributed computer systems, especially if some of the distributed sites
are remote.  Well, then, you say, let the field engineers dial up the remote
site.  But then that path provides a monstrous new vulnerability.  Then we
get solutions like the remote backup scheme proposed a while back that gets
special privileges...  Also, remember the fundamental flaws in the standard
two-phase commit protocols, three-clock algorithms, and so on.  Once again
it might be useful to consider truly robust algorithms such as interactive
consistency and Byzantine agreement.  However, for every more complex
would-be technical solution there are often further technical problems
introduced.  For every assumption that things have gotten better there seem
to be even grosser counterexamples and further vulnerabilities outside of
the computer systems.  Thus,

  It is folly to trust software and hardware if an end-run can bypass or
  compromise the trusted components.  But it is also folly to assume that
  sabotage is significantly less dangerous just because a system is
  distributed.  That may be true in certain cases, but not generally.

Peter                 [Please excuse me if I have repeated some things that
                       I said in earlier RISKS in a different context.]

Privacy legislation (RISKS-3.6)

Michael Wagner <ubc-vision!utcs!wagner@seismo.CSS.GOV>
Sat, 14 Jun 86 11:26:37 edt
  >A news clipping from this morning's "Los Angeles Times" (page 2, The News
  >in Brief):
  >   The House Judiciary Committee voted 34 to 0 for a bill seeking to
  >   bring constitutional guarantees of the right to privacy into the
  >   electronic age.  The legislation would extend laws that now protect
  >   the privacy of the mails and land-line telephone conversations to also
  >   cover electronic mail and some telephones that use radio waves.

Does anyone have any idea how the last part (radio telephones) could be
legally supported in view of other legal freedoms?  I thought that one
was free to listen to any frequency one wished in the US (Canada too).
You don't have to trespass to receive radio signals.

Contrast this with the mails. The privacy of the mails is supported by
property laws.  That is, you put your mail into a box which belongs to
the post office.  If anyone breaks into that box (or the van which
picks up the mail, etc) they are breaking property laws.  Similarly for
land lines.  One has to 'trespass' to tap a land line.

It seems to me that the legislators have 'extended' the laws over an
abyss.  Or have I missed something?

The relevancy to RISKS, of course, is that most people don't think about
the technology that radio-telephones use.  I'm sure most people assume
"it's a phone - it's (relatively) safe".  Not true, of course.  In fact,
some people have used their own handsets to make phone calls on other
peoples phones!

Michael Wagner

  [I do not recall having pointed out in this forum the ease with which
   the cellular phone schemes can be spoofed, e.g., getting someone else
   to pay for your calls.  There is another security/integrity problem
   waiting to be exploited.  PGN]

Please report problems with the web pages to the maintainer