The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 4 Issue 82

Sunday, 10 May 1987


o Information Age Commission
o Another computer taken hostage
Joe Morris
o Larceny OF Computers, not BY Computers
Pete Kaiser
o Risks of superconductivity
Eugene Miya
o UK Liability Law (follow-up)
Brian Randell
o Info on RISKS (comp.risks)

Information Age Commission legislation in the works?

Peter G. Neumann <NEUMANN@CSL.SRI.COM>
Sun 10 May 87 18:41:52-PDT
The Information Age Commission Act is intended to ``create a forum for
discussions and targeted research on the present and future impact of
computer and communication systems on our nation and its citizens.''
This year's bill, S.786, is causing a lively controversy.  Sponsors
are Senators Sam Nunn (D-GA) and Frank R. Lautenberg (D-NJ).  (Last
year's bill passed the Senate, but did not make it through the House.)
Apparently most industry trade associations (except ADAPSO) are lining
up against it.  Some think that if such a commission must exist, then
it should represent industry views only.  The view of your RISKS
moderator (unofficially, of course, especially since RISKS does not
pretend to speak offically for the ACM) is that such a commission
COULD be wonderful — if it is not a case of the fox watching the
chicken coops, and if it does not become a bureaucratic tarpit.
Otherwise it could be a disaster.

There is much background on the issues in an article by Willie Schatz
in Datamation, 1 May 87, pp. 32,37,38,40, which quotes a CBEMA issue
paper saying ``there is no specific or even identifiable need,
purpose, or focus for this commission, that it would be a government
commission in search of a mission.  The paper also contends that the
commission could become a forum for "promoting sensational but
unfounded allegations about the societal effects of modern information
technology.  The commission would needlessly provide a highly visible
forum for those who retard the information age." ''

                   [Side note to Herb Lin: Herb, have you ever shown 
                   Senators Nunn and Lautenberg copies of OUR RISKS 
                   Forum???  Are we retarding (or retarded?)  PGN]

Another computer taken hostage

Joe Morris ( <jcmorris@mitre.ARPA>
Sun, 10 May 87 13:38:30 EDT
From the Washington Post, Sunday 10 May 87:


> Lakeland, Fla. — The former chief financial officer at an insurance company
> is holding the firm's computer files hostage with a coded password known only
> to himself, a lawsuit charges.

> Golden Eagle Group Ltd. wants a judge to order George C. Coker, Jr. to reveal
> the password he programmed a week ago into the company's computer, which
> Golden Eagle says contains current accounting in excess of $400,000 and 
> extensive background data.

> Coker contends that certain computer files are his property and says he will
> reveal the password only if allowed to keep an IBM personal computer, which
> he said was given to him in exchange for working overtime, plus his last
> paycheck, a letter of reference and a $100 fee.

That's the entire article, verbatim unless I've missed a typo.  It doesn't
say anything about the size of the company, whether there had been any
warning about disputes between Coker and the company, or any other data
we could use to figure out what measures should have been taken to answer
the risk which is now visible.  I suspect, however, that the RISK question
is in the same class as one I have never been able to answer for myself:
at what point is it appropriate to trust a single individual in a process,
as opposed to the cost of never letting one person do anything without
another qualified person present?  Should graveyard shifts with a single
operator be prohibited?  Should I double the number of system programmers
in my shop so that no programmer ever does anything alone?  There's no
question about the risk such situations cause; the question involves the
economic penalties of reducing the risk.

For that matter, the article doesn't say if the data is from a mainframe
or a micro.  How do you handle a no-solo policy on a personal computer?

And note that audit trails wouldn't help here; there's no question about
who did what to the system.  Offsite backups might help, but (a) Coker
might have been in a position to sabotage them, and (b) if the data
is more current than the backups, they're worthless.  Let's see a show
of hands of RISK-readers who can swear that all data in their systems
(mainframe AND micro, please) is currently backed up off-site...on second
thought, forget it.

Larceny OF Computers, not BY Computers

Systems Consultant; DTN 297-4445 <kaiser%renko.DEC@decwrl.DEC.COM>
08-May-1987 0837
A few days ago a computer seems to have been stolen from a laboratory I know
of.  It can't have been difficult to steal; it was a MicroVAX 2000, and if you
haven't seen one, they're 5.5" x 11.25" x 12.75", small enough to fit in an
athletic bag or a sample case.  I know; I've done it.

It's not known yet, of course, who took the machine, but it is known precisely
when it happened, because the machine was a member of a local area VAXcluster
whose boot member (home base, with the system disk, etc.) was elsewhere on the
Ethernet in another, better-secured laboratory; and when the MicroVAX 2000 was
turned off, its absence from the cluster was immediately registered by the boot

Hmm.  Does RISKS cover risks TO computers?   Pete  decwrl!!kaiser
DEC, 2 Iron Way (MRO3-3/G20), Marlboro MA 01752  617-467-4445

         [Sure, why not?  If a computer is stolen while involved in a
         critical application, that is part of the system risk...  PGN]

Risks of superconductivity

08 May 87 10:47:54 PDT (Fri)
The current issue of TIME has two articles of interest: the smaller is the 
battle of the "hard" versus "soft" scientists with Serge Lang in one corner and
Herbert Simon {indirectly} in another.  I tend to side with Lang in this case.

The cover story is about recent advances in superconductivity.  I am
surprised that RISKS has not jumped on this topical band-wagon.  I note
some interesting things in the omission (since we have had the argument
that the omission of computers we have regarded is a RISK).

1) computers were probably not used.

1a) If computers had been used could we not have had superconductivity sooner?
Could not people have been "saved" sooner if higher-temp superconductivity
was around sooner?
    {I doubt it and so does PGN.}

1b) Is this a sin of omission of computers?  {Probably not since there is more
to understanding this universe than what is simulated on computers.}

2) The use of the word "tinkering" was prominent.  I know Peter Denning does 
not regard tinkering as experimentation.  The theory around superconductivity 
is poorly understood.  Perhaps, physics should do less tinkering. 8-)

3) What are the risks to superconductivity?  Don't higher speed trains
means higher speed train crashes?  (Ah yes, but the benefits outweigh
the risks...)  The computer science people worry, but this does not stop
the physicists.  What about all that LN2 out there?  Will there be increased
cases of frostbite? 8-) (Assuming we don't make room-temperature.)

4) A social commentary about the rate of technological change was made
regarding the Super Collider (the SSC).  Should that project wait or should
it proceed?  Similarly, should computing people jump on the superconductor 
bandwagon?  Only ETA systems has LN2 cooled computer systems on the market.   
I think the reality is that we won't see this material in the computing arena 
for about 20 years because a) a lot of effort will have to be made to 
determine whether room temperature materials exists and b) that waiting will 
delay use of the current material (whether a) works or not): just like waiting
for a better computer.  Oh, on the 20 year time frame, the question is could 
existing computers shorten that time frame?

One more thought: I'm surprised there was no RISKy commentary on Fred
Brooks "Silver Bullet" article.

--eugene miya, NASA Ames

UK Liability Law (follow-up)

Brian Randell <>
Fri, 8 May 87 17:39:38 bst
The item I sent in recently from Datalink (of March 23) about proposed new 
Product Liability legislation in the UK contained a brief quote fromn  Martyn 
Thomas (Chairman of Praxis, a UK software house) which gave an over-simplified
view of his, and his company's, attitude to the use of formal methods. I
therefore thought it only fair to pass on a slightly fuller quote from a letter
by Thomas which appeared in the May 4 issue:

  "There are many mistaken views of formal methods, born from fear and
  ignorance.  Formal methods are no panacea. Their use does not guarantee 
  error-free systems.  They are intended to make reviewing and testing easier,
  not to make such activities unnecessary ... if a software developer chooses 
  to write down an important requirement or design decision using an imprecise 
  language, when a precise one is readily available, then he has acted 
  unprofessionally. If someone suffers damage as a result of that 
  unprofessional act, it is right that they should be compensated.  Customers 
  whose life or business depends on their computer systems working correctly 
  will increasingly want the assurance that their software developers are 
  applying the best available methods. In many cases, this will include the
  rigorous use of formal methods."

I can readily accept such comments - what concerns me is whether it will
ever be possible to make reasoned judgements about the risks attendant on 
using a given complex program, and about how best to apportion resources 
amongst the various different techniques, such as verification, testing 
and the use of design redundancy, which might assist in achieving some 
given required level of reliability from the program.

Brian Randell - Computing Laboratory, University of Newcastle upon Tyne

  UUCP  : <UK>!ukc!cheviot!brian    JANET :

Re: the Marconi deaths - an interesting fictional treatment

Jon Jacky <>
Fri, 08 May 87 09:13:25 PDT
I recommend the novel, THE WHISTLE BLOWER, by John Hale.  The plot
concerns a British computer specialist who dies in an unlikely
accident.  Much better written than the usual thriller - really
transcends the genre, as the critics like to say.

Sorry, I don't have the publisher, I returned the book to the public
library a few weeks ago, but it seems it was a U.S. reprint of a novel
originally published in the U.K.

- Jon Jacky, University of Washington

Please report problems with the web pages to the maintainer